Merge 062464175e into f230f2ce0e

Merge pull request #486 from telemt/code-of-conduct
Create CODE_OF_CONDUCT.md
2026-05-23 12:11:44 +03:00 · 2026-03-19 01:13:48 +03:00 · 2026-03-19 00:59:50 +03:00 · 2026-03-19 00:59:37 +03:00 · 2026-03-19 00:43:14 +03:00 · 2026-03-19 00:36:02 +03:00
24 changed files with 2384 additions and 595 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,8 @@
 .git
 .github
 target
 .kilocode
 cache
 tlsfront
 *.tar
 *.tar.gz
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -0,0 +1,163 @@
 # TELEMT Code of Conduct
 ## 1. Purpose
 Telemt exists to solve technical problems.
 It is not a platform for ideology, politics, or personal agendas.
 All interaction here is defined by systems, constraints, and outcomes.
 Technology has consequences.
 Responsibility is inherent.
 > **Zweck bestimmt die Form.**
 > Purpose defines form.
 ---
 ## 2. Principles
 * **Technical over emotional**
  Arguments are grounded in data, logs, reproducible cases, or clear reasoning.
 * **Clarity over noise**
  Communication is structured, concise, and relevant.
 * **Independence**
  Telemt does not represent any state, ideology, or organization.
 * **Open participation**
  Access is open. Standards are not.
 * **Responsibility over capability**
  Capability does not justify careless use.
 * **Cooperation over friction**
  Progress is achieved through coordination and mutual support.
 > **Fakten sind nicht verhandelbar.**
 > Facts are not negotiable.
 ---
 ## 3. Expected Behavior
 Participants are expected to:
 * Communicate directly and respectfully
 * Support claims with evidence
 * Stay within technical scope
 * Accept critique and provide it constructively
 * Reduce noise, duplication, and ambiguity
 * Help others reach correct and reproducible outcomes
 * Act in a way that improves the system as a whole
 > **Wer behauptet, belegt.**
 > Whoever claims, proves.
 ---
 ## 4. Unacceptable Behavior
 The following is not allowed:
 * Personal attacks, insults, harassment, intimidation
 * Political discourse, propaganda, ideological conflict
 * Off-topic or disruptive discussion
 * Spam, flooding, or repeated low-quality input
 * Misinformation presented as fact
 * Attempts to degrade or destabilize Telemt
 * Use of Telemt or its space to enable harm
 > **Störung ist kein Beitrag.**
 > Disruption is not contribution.
 ---
 ## 5. Security and Misuse
 Telemt is intended for lawful and responsible use.
 * Do not use it to plan, coordinate, or execute harm
 * Do not publish vulnerabilities without responsible disclosure
 * Report security issues privately where possible
 Security is both technical and behavioral.
 > **Verantwortung endet nicht am Code.**
 > Responsibility does not end at the code.
 ---
 ## 6. Scope
 This Code of Conduct applies to all official spaces:
 * Source repositories (issues, pull requests, discussions)
 * Documentation
 * Communication channels associated with Telemt
 ---
 ## 7. Enforcement
 Maintainers may act to preserve the integrity of Telemt:
 * Remove content
 * Lock discussions
 * Reject contributions
 * Restrict or ban participants
 Actions are taken to maintain function, continuity, and signal quality.
 > **Ordnung ist Voraussetzung der Funktion.**
 > Order is the precondition of function.
 ---
 ## 8. Maintainer Authority
 Maintainers have final authority in interpretation and enforcement.
 Authority exists to ensure continuity, consistency, and technical direction.
 ---
 ## 9. Final
 Telemt is built on discipline, structure, and shared intent.
 Signal over noise.
 Facts over opinion.
 Systems over rhetoric.
 Work here is collective.
 Outcomes are shared.
 Responsibility is distributed.
 > **Ordnung ist Voraussetzung der Freiheit.**
 If you contribute — contribute with precision.
 If you speak — speak with substance.
 If you engage — engage constructively.
 ---
 ## 10. After All
 Systems outlive intentions.
 What is built will be used.
 What is released will propagate.
 What is maintained will define the future state.
 There is no neutral infrastructure.
 > **Jedes System trägt Verantwortung.**
 > Every system carries responsibility.
 Stability requires discipline.
 Freedom requires structure.
 In the end, the system reflects its contributors.
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2,6 +2,16 @@
 # It is not intended for manual editing.
 version = 4
 [[package]]
 name = "aead"
 version = "0.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d122413f284cf2d62fb1b7db97e02edb8cda96d769b16e443a4f6195e35662b0"
 dependencies = [
 "crypto-common",
 "generic-array",
 ]
 [[package]]
 name = "aes"
 version = "0.8.4"
@@ -13,6 +23,20 @@ dependencies = [
 "cpufeatures",
 ]
 [[package]]
 name = "aes-gcm"
 version = "0.10.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "831010a0f742e1209b3bcea8fab6a8e149051ba6099432c8cb2cc117dec3ead1"
 dependencies = [
 "aead",
 "aes",
 "cipher",
 "ctr",
 "ghash",
 "subtle",
 ]
 [[package]]
 name = "aho-corasick"
 version = "1.1.4"
@@ -55,6 +79,27 @@ version = "1.0.101"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5f0e0fee31ef5ed1ba1316088939cea399010ed7731dba877ed44aeb407a75ea"
 [[package]]
 name = "arc-swap"
 version = "1.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f9f3647c145568cec02c42054e07bdf9a5a698e15b466fb2341bfc393cd24aa5"
 dependencies = [
 "rustversion",
 ]
 [[package]]
 name = "arrayref"
 version = "0.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "76a2e8124351fda1ef8aaaa3bbd7ebbcb486bbcd4225aca0aa0d84bb2db8fecb"
 [[package]]
 name = "arrayvec"
 version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50"
 [[package]]
 name = "asn1-rs"
 version = "0.5.2"
@@ -94,6 +139,17 @@ dependencies = [
 "syn 1.0.109",
 ]
 [[package]]
 name = "async-trait"
 version = "0.1.89"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9035ad2d096bed7955a320ee7e2230574d28fd3c3a0f186cbea1ff3c7eed5dbb"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn 2.0.114",
 ]
 [[package]]
 name = "atomic-waker"
 version = "1.1.2"
@@ -112,6 +168,12 @@ version = "0.22.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
 [[package]]
 name = "base64ct"
 version = "1.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2af50177e190e07a26ab74f8b1efbfe2ef87da2116221318cb1c2e82baf7de06"
 [[package]]
 name = "bit-set"
 version = "0.8.0"
@@ -139,6 +201,20 @@ version = "2.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "812e12b5285cc515a9c72a5c1d3b6d46a19dac5acfef5265968c166106e31dd3"
 [[package]]
 name = "blake3"
 version = "1.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2468ef7d57b3fb7e16b576e8377cdbde2320c60e1491e961d11da40fc4f02a2d"
 dependencies = [
 "arrayref",
 "arrayvec",
 "cc",
 "cfg-if",
 "constant_time_eq",
 "cpufeatures",
 ]
 [[package]]
 name = "block-buffer"
 version = "0.10.4"
@@ -163,6 +239,12 @@ version = "3.19.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5dd9dc738b7a8311c7ade152424974d8115f2cdad61e8dab8dac9f2362298510"
 [[package]]
 name = "byte_string"
 version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "11aade7a05aa8c3a351cedc44c3fc45806430543382fcc4743a9b757a2a0b4ed"
 [[package]]
 name = "bytes"
 version = "1.11.1"
@@ -212,6 +294,30 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
 [[package]]
 name = "chacha20"
 version = "0.9.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c3613f74bd2eac03dad61bd53dbe620703d4371614fe0bc3b9f04dd36fe4e818"
 dependencies = [
 "cfg-if",
 "cipher",
 "cpufeatures",
 ]
 [[package]]
 name = "chacha20poly1305"
 version = "0.10.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "10cd79432192d1c0f4e1a0fef9527696cc039165d729fb41b3f4f4f354c2dc35"
 dependencies = [
 "aead",
 "chacha20",
 "cipher",
 "poly1305",
 "zeroize",
 ]
 [[package]]
 name = "chrono"
 version = "0.4.43"
@@ -261,6 +367,7 @@ checksum = "773f3b9af64447d2ce9850330c473515014aa235e6a783b02db81ff39e4a3dad"
 dependencies = [
 "crypto-common",
 "inout",
 "zeroize",
 ]
 [[package]]
@@ -288,6 +395,18 @@ version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3a822ea5bc7590f9d40f1ba12c0dc3c2760f3482c6984db1573ad11031420831"
 [[package]]
 name = "const-oid"
 version = "0.9.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8"
 [[package]]
 name = "constant_time_eq"
 version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3d52eff69cd5e647efe296129160853a42795992097e8af39800e1060caeea9b"
 [[package]]
 name = "core-foundation-sys"
 version = "0.8.7"
@@ -357,6 +476,12 @@ dependencies = [
 "itertools",
 ]
 [[package]]
 name = "critical-section"
 version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "790eea4361631c5e7d22598ecd5723ff611904e3344ce8720784c93e3d83d40b"
 [[package]]
 name = "crossbeam-channel"
 version = "0.5.15"
@@ -413,6 +538,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "78c8292055d1c1df0cce5d180393dc8cce0abec0a7102adb6c7b1eef6016d60a"
 dependencies = [
 "generic-array",
 "rand_core 0.6.4",
 "typenum",
 ]
@@ -444,6 +570,16 @@ version = "2.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d7a1e2f27636f116493b8b860f5546edb47c8d8f8ea73e1d2a20be88e28d1fea"
 [[package]]
 name = "der"
 version = "0.7.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e7c1832837b905bbfb5101e07cc24c8deddf52f93225eee6ead5f4d63d53ddcb"
 dependencies = [
 "const-oid",
 "zeroize",
 ]
 [[package]]
 name = "der-parser"
 version = "8.2.0"
@@ -489,12 +625,54 @@ dependencies = [
 "syn 2.0.114",
 ]
 [[package]]
 name = "dynosaur"
 version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a12303417f378f29ba12cb12fc78a9df0d8e16ccb1ad94abf04d48d96bdda532"
 dependencies = [
 "dynosaur_derive",
 ]
 [[package]]
 name = "dynosaur_derive"
 version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0b0713d5c1d52e774c5cd7bb8b043d7c0fc4f921abfb678556140bfbe6ab2364"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn 2.0.114",
 ]
 [[package]]
 name = "ed25519"
 version = "2.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "115531babc129696a58c64a4fef0a8bf9e9698629fb97e9e40767d235cfbcd53"
 dependencies = [
 "pkcs8",
 "signature",
 ]
 [[package]]
 name = "either"
 version = "1.15.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719"
 [[package]]
 name = "enum-as-inner"
 version = "0.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a1e6a265c649f3f5979b601d26f1d05ada116434c87741c9493cb56218f76cbc"
 dependencies = [
 "heck",
 "proc-macro2",
 "quote",
 "syn 2.0.114",
 ]
 [[package]]
 name = "equivalent"
 version = "1.0.2"
@@ -709,6 +887,16 @@ dependencies = [
 "wasip3",
 ]
 [[package]]
 name = "ghash"
 version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f0d8a4362ccb29cb0b265253fb0a2728f592895ee6854fd9bc13f2ffda266ff1"
 dependencies = [
 "opaque-debug",
 "polyval",
 ]
 [[package]]
 name = "h2"
 version = "0.4.13"
@@ -783,6 +971,61 @@ version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
 [[package]]
 name = "hickory-proto"
 version = "0.25.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f8a6fe56c0038198998a6f217ca4e7ef3a5e51f46163bd6dd60b5c71ca6c6502"
 dependencies = [
 "async-trait",
 "cfg-if",
 "data-encoding",
 "enum-as-inner",
 "futures-channel",
 "futures-io",
 "futures-util",
 "idna",
 "ipnet",
 "once_cell",
 "rand",
 "ring",
 "thiserror 2.0.18",
 "tinyvec",
 "tokio",
 "tracing",
 "url",
 ]
 [[package]]
 name = "hickory-resolver"
 version = "0.25.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "dc62a9a99b0bfb44d2ab95a7208ac952d31060efc16241c87eaf36406fecf87a"
 dependencies = [
 "cfg-if",
 "futures-util",
 "hickory-proto",
 "ipconfig",
 "moka",
 "once_cell",
 "parking_lot",
 "rand",
 "resolv-conf",
 "smallvec",
 "thiserror 2.0.18",
 "tokio",
 "tracing",
 ]
 [[package]]
 name = "hkdf"
 version = "0.12.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7b5f8eb2ad728638ea2c7d47a21db23b7b58a72ed6a38256b8a1849f15fbbdf7"
 dependencies = [
 "hmac",
 ]
 [[package]]
 name = "hmac"
 version = "0.12.1"
@@ -1055,6 +1298,17 @@ dependencies = [
 "libc",
 ]
 [[package]]
 name = "inotify"
 version = "0.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bd5b3eaf1a28b758ac0faa5a4254e8ab2705605496f1b1f3fbbc3988ad73d199"
 dependencies = [
 "bitflags 2.10.0",
 "inotify-sys",
 "libc",
 ]
 [[package]]
 name = "inotify-sys"
 version = "0.1.5"
@@ -1074,6 +1328,18 @@ dependencies = [
 "generic-array",
 ]
 [[package]]
 name = "ipconfig"
 version = "0.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b58db92f96b720de98181bbbe63c831e87005ab460c1bf306eb2622b4707997f"
 dependencies = [
 "socket2 0.5.10",
 "widestring",
 "windows-sys 0.48.0",
 "winreg",
 ]
 [[package]]
 name = "ipnet"
 version = "2.11.0"
@@ -1226,6 +1492,12 @@ version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154"
 [[package]]
 name = "lru_time_cache"
 version = "0.11.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9106e1d747ffd48e6be5bb2d97fa706ed25b144fbee4d5c02eae110cd8d6badd"
 [[package]]
 name = "matchers"
 version = "0.2.0"
@@ -1285,10 +1557,28 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a69bcab0ad47271a0234d9422b131806bf3968021e5dc9328caf2d4cd58557fc"
 dependencies = [
 "libc",
 "log",
 "wasi",
 "windows-sys 0.61.2",
 ]
 [[package]]
 name = "moka"
 version = "0.12.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "85f8024e1c8e71c778968af91d43700ce1d11b219d127d79fb2934153b82b42b"
 dependencies = [
 "crossbeam-channel",
 "crossbeam-epoch",
 "crossbeam-utils",
 "equivalent",
 "parking_lot",
 "portable-atomic",
 "smallvec",
 "tagptr",
 "uuid",
 ]
 [[package]]
 name = "nix"
 version = "0.28.0"
@@ -1322,7 +1612,7 @@ dependencies = [
 "crossbeam-channel",
 "filetime",
 "fsevent-sys",
- "inotify",
+ "inotify 0.9.6",
 "kqueue",
 "libc",
 "log",
@@ -1331,6 +1621,33 @@ dependencies = [
 "windows-sys 0.48.0",
 ]
 [[package]]
 name = "notify"
 version = "8.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4d3d07927151ff8575b7087f245456e549fea62edf0ec4e565a5ee50c8402bc3"
 dependencies = [
 "bitflags 2.10.0",
 "fsevent-sys",
 "inotify 0.11.1",
 "kqueue",
 "libc",
 "log",
 "mio 1.1.1",
 "notify-types",
 "walkdir",
 "windows-sys 0.60.2",
 ]
 [[package]]
 name = "notify-types"
 version = "2.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "42b8cfee0e339a0337359f3c88165702ac6e600dc01c0cc9579a92d62b08477a"
 dependencies = [
 "bitflags 2.10.0",
 ]
 [[package]]
 name = "nu-ansi-term"
 version = "0.50.3"
@@ -1388,6 +1705,10 @@ name = "once_cell"
 version = "1.21.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"
 dependencies = [
 "critical-section",
 "portable-atomic",
 ]
 [[package]]
 name = "oorandom"
@@ -1395,6 +1716,12 @@ version = "11.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d6790f58c7ff633d8771f42965289203411a5e5c68388703c06e14f24770b41e"
 [[package]]
 name = "opaque-debug"
 version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
 [[package]]
 name = "parking_lot"
 version = "0.12.5"
@@ -1424,6 +1751,26 @@ version = "2.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220"
 [[package]]
 name = "pin-project"
 version = "1.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f1749c7ed4bcaf4c3d0a3efc28538844fb29bcdd7d2b67b2be7e20ba861ff517"
 dependencies = [
 "pin-project-internal",
 ]
 [[package]]
 name = "pin-project-internal"
 version = "1.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d9b20ed30f105399776b9c883e68e536ef602a16ae6f596d2c473591d6ad64c6"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn 2.0.114",
 ]
 [[package]]
 name = "pin-project-lite"
 version = "0.2.16"
@@ -1436,6 +1783,16 @@ version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
 [[package]]
 name = "pkcs8"
 version = "0.10.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7"
 dependencies = [
 "der",
 "spki",
 ]
 [[package]]
 name = "plotters"
 version = "0.3.7"
@@ -1464,6 +1821,35 @@ dependencies = [
 "plotters-backend",
 ]
 [[package]]
 name = "poly1305"
 version = "0.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8159bd90725d2df49889a078b54f4f79e87f1f8a8444194cdca81d38f5393abf"
 dependencies = [
 "cpufeatures",
 "opaque-debug",
 "universal-hash",
 ]
 [[package]]
 name = "polyval"
 version = "0.6.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9d1fe60d06143b2430aa532c94cfe9e29783047f06c0d7fd359a9a51b729fa25"
 dependencies = [
 "cfg-if",
 "cpufeatures",
 "opaque-debug",
 "universal-hash",
 ]
 [[package]]
 name = "portable-atomic"
 version = "1.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c33a9471896f1c69cecef8d20cbe2f7accd12527ce60845ff44c153bb2a21b49"
 [[package]]
 name = "potential_utf"
 version = "0.1.4"
@@ -1609,7 +1995,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
 dependencies = [
 "rand_chacha",
- "rand_core",
+ "rand_core 0.9.5",
 ]
 [[package]]
@@ -1619,7 +2005,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb"
 dependencies = [
 "ppv-lite86",
- "rand_core",
+ "rand_core 0.9.5",
 ]
 [[package]]
 name = "rand_core"
 version = "0.6.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
 dependencies = [
 "getrandom 0.2.17",
 ]
 [[package]]
@@ -1637,7 +2032,7 @@ version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "513962919efc330f829edb2535844d1b912b0fbe2ca165d613e4e8788bb05a5a"
 dependencies = [
- "rand_core",
+ "rand_core 0.9.5",
 ]
 [[package]]
@@ -1745,6 +2140,12 @@ dependencies = [
 "webpki-roots 1.0.6",
 ]
 [[package]]
 name = "resolv-conf"
 version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e061d1b48cb8d38042de4ae0a7a6401009d6143dc80d2e2d6f31f0bdd6470c7"
 [[package]]
 name = "ring"
 version = "0.17.14"
@@ -1759,6 +2160,19 @@ dependencies = [
 "windows-sys 0.52.0",
 ]
 [[package]]
 name = "ring-compat"
 version = "0.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ccce7bae150b815f0811db41b8312fcb74bffa4cab9cee5429ee00f356dd5bd4"
 dependencies = [
 "aead",
 "ed25519",
 "generic-array",
 "pkcs8",
 "ring",
 ]
 [[package]]
 name = "rustc-hash"
 version = "2.1.1"
@@ -1870,12 +2284,33 @@ version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
 [[package]]
 name = "sealed"
 version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "22f968c5ea23d555e670b449c1c5e7b2fc399fdaec1d304a17cd48e288abc107"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn 2.0.114",
 ]
 [[package]]
 name = "semver"
 version = "1.0.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"
 [[package]]
 name = "sendfd"
 version = "0.4.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b183bfd5b1bc64ab0c1ef3ee06b008a9ef1b68a7d3a99ba566fbfe7a7c6d745b"
 dependencies = [
 "libc",
 "tokio",
 ]
 [[package]]
 name = "serde"
 version = "1.0.228"
@@ -1962,6 +2397,64 @@ dependencies = [
 "digest",
 ]
 [[package]]
 name = "shadowsocks"
 version = "1.24.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "482831bf9d55acf3c98e211b6c852c3dfdf1d1b0d23fdf1d887c5a4b2acad4e4"
 dependencies = [
 "aes",
 "arc-swap",
 "base64",
 "blake3",
 "byte_string",
 "bytes",
 "cfg-if",
 "dynosaur",
 "futures",
 "hickory-resolver",
 "libc",
 "log",
 "lru_time_cache",
 "notify 8.2.0",
 "percent-encoding",
 "pin-project",
 "rand",
 "sealed",
 "sendfd",
 "serde",
 "serde_json",
 "serde_urlencoded",
 "shadowsocks-crypto",
 "socket2 0.6.2",
 "spin",
 "thiserror 2.0.18",
 "tokio",
 "tokio-tfo",
 "trait-variant",
 "url",
 "windows-sys 0.61.2",
 ]
 [[package]]
 name = "shadowsocks-crypto"
 version = "0.6.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3d038a3d17586f1c1ab3c1c3b9e4d5ef8fba98fb3890ad740c8487038b2e2ca5"
 dependencies = [
 "aes",
 "aes-gcm",
 "blake3",
 "bytes",
 "cfg-if",
 "chacha20poly1305",
 "hkdf",
 "md-5",
 "rand",
 "ring-compat",
 "sha1",
 ]
 [[package]]
 name = "sharded-slab"
 version = "0.1.7"
@@ -1987,6 +2480,12 @@ dependencies = [
 "libc",
 ]
 [[package]]
 name = "signature"
 version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de"
 [[package]]
 name = "slab"
 version = "0.4.12"
@@ -2019,6 +2518,25 @@ dependencies = [
 "windows-sys 0.60.2",
 ]
 [[package]]
 name = "spin"
 version = "0.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d5fe4ccb98d9c292d56fec89a5e07da7fc4cf0dc11e156b41793132775d3e591"
 dependencies = [
 "lock_api",
 ]
 [[package]]
 name = "spki"
 version = "0.7.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d"
 dependencies = [
 "base64ct",
 "der",
 ]
 [[package]]
 name = "stable_deref_trait"
 version = "1.2.1"
@@ -2085,9 +2603,15 @@ dependencies = [
 "syn 2.0.114",
 ]
 [[package]]
 name = "tagptr"
 version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7b2093cf4c8eb1e67749a6762251bc9cd836b6fc171623bd0a9d324d37af2417"
 [[package]]
 name = "telemt"
-version = "3.3.19"
+version = "3.3.20"
 dependencies = [
 "aes",
 "anyhow",
@@ -2113,7 +2637,7 @@ dependencies = [
 "lru",
 "md-5",
 "nix",
- "notify",
+ "notify 6.1.1",
 "num-bigint",
 "num-traits",
 "parking_lot",
@@ -2126,6 +2650,7 @@ dependencies = [
 "serde_json",
 "sha1",
 "sha2",
 "shadowsocks",
 "socket2 0.5.10",
 "thiserror 2.0.18",
 "tokio",
@@ -2330,6 +2855,23 @@ dependencies = [
 "tokio-stream",
 ]
 [[package]]
 name = "tokio-tfo"
 version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e6ad2c3b3bb958ad992354a7ebc468fc0f7cdc9af4997bf4d3fd3cb28bad36dc"
 dependencies = [
 "cfg-if",
 "futures",
 "libc",
 "log",
 "once_cell",
 "pin-project",
 "socket2 0.6.2",
 "tokio",
 "windows-sys 0.60.2",
 ]
 [[package]]
 name = "tokio-util"
 version = "0.7.18"
@@ -2494,6 +3036,17 @@ dependencies = [
 "tracing-log",
 ]
 [[package]]
 name = "trait-variant"
 version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "70977707304198400eb4835a78f6a9f928bf41bba420deb8fdb175cd965d77a7"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn 2.0.114",
 ]
 [[package]]
 name = "try-lock"
 version = "0.2.5"
@@ -2524,6 +3077,16 @@ version = "0.2.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853"
 [[package]]
 name = "universal-hash"
 version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fc1de2c688dc15305988b563c3854064043356019f97a4b46276fe734c4f07ea"
 dependencies = [
 "crypto-common",
 "subtle",
 ]
 [[package]]
 name = "untrusted"
 version = "0.9.0"
@@ -2548,6 +3111,17 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
 [[package]]
 name = "uuid"
 version = "1.22.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a68d3c8f01c0cfa54a75291d83601161799e4a89a39e0929f4b0354d88757a37"
 dependencies = [
 "getrandom 0.4.1",
 "js-sys",
 "wasm-bindgen",
 ]
 [[package]]
 name = "valuable"
 version = "0.1.1"
@@ -2743,6 +3317,12 @@ dependencies = [
 "rustls-pki-types",
 ]
 [[package]]
 name = "widestring"
 version = "1.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "72069c3113ab32ab29e5584db3c6ec55d416895e60715417b5b883a357c3e471"
 [[package]]
 name = "winapi-util"
 version = "0.1.11"
@@ -3042,6 +3622,16 @@ dependencies = [
 "memchr",
 ]
 [[package]]
 name = "winreg"
 version = "0.50.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "524e57b2c537c0f9b1e69f1965311ec12182b4122e45035b1508cd24d2adadb1"
 dependencies = [
 "cfg-if",
 "windows-sys 0.48.0",
 ]
 [[package]]
 name = "wit-bindgen"
 version = "0.51.0"
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -26,6 +26,7 @@ zeroize = { version = "1.8", features = ["derive"] }
 # Network
 socket2 = { version = "0.5", features = ["all"] }
 nix = { version = "0.28", default-features = false, features = ["net"] }
 shadowsocks = { version = "1.24", features = ["aead-cipher-2022"] }
 # Serialization
 serde = { version = "1.0", features = ["derive"] }
--- a/docs/API.md
+++ b/docs/API.md
@@ -497,13 +497,14 @@ Note: the request contract is defined, but the corresponding route currently ret
 | `direct_total` | `usize` | Direct-route upstream entries. |
 | `socks4_total` | `usize` | SOCKS4 upstream entries. |
 | `socks5_total` | `usize` | SOCKS5 upstream entries. |
 | `shadowsocks_total` | `usize` | Shadowsocks upstream entries. |
 #### `RuntimeUpstreamQualityUpstreamData`
 | Field | Type | Description |
 | --- | --- | --- |
 | `upstream_id` | `usize` | Runtime upstream index. |
-| `route_kind` | `string` | `direct`, `socks4`, `socks5`. |
+| `route_kind` | `string` | `direct`, `socks4`, `socks5`, `shadowsocks`. |
-| `address` | `string` | Upstream address (`direct` literal for direct route kind). |
+| `address` | `string` | Upstream address (`direct` literal for direct route kind, `host:port` only for proxied upstreams). |
 | `weight` | `u16` | Selection weight. |
 | `scopes` | `string` | Configured scope selector. |
 | `healthy` | `bool` | Current health flag. |
@@ -757,13 +758,14 @@ Note: the request contract is defined, but the corresponding route currently ret
 | `direct_total` | `usize` | Number of direct upstream entries. |
 | `socks4_total` | `usize` | Number of SOCKS4 upstream entries. |
 | `socks5_total` | `usize` | Number of SOCKS5 upstream entries. |
 | `shadowsocks_total` | `usize` | Number of Shadowsocks upstream entries. |
 #### `UpstreamStatus`
 | Field | Type | Description |
 | --- | --- | --- |
 | `upstream_id` | `usize` | Runtime upstream index. |
-| `route_kind` | `string` | Upstream route kind: `direct`, `socks4`, `socks5`. |
+| `route_kind` | `string` | Upstream route kind: `direct`, `socks4`, `socks5`, `shadowsocks`. |
-| `address` | `string` | Upstream address (`direct` for direct route kind). Authentication fields are intentionally omitted. |
+| `address` | `string` | Upstream address (`direct` for direct route kind, `host:port` for Shadowsocks). Authentication fields are intentionally omitted. |
 | `weight` | `u16` | Selection weight. |
 | `scopes` | `string` | Configured scope selector string. |
 | `healthy` | `bool` | Current health flag. |
--- a/docs/CONFIG_PARAMS.en.md
+++ b/docs/CONFIG_PARAMS.en.md
@@ -8,282 +8,287 @@ This document lists all configuration keys accepted by `config.toml`.
 ## Top-level keys
-| Parameter | Type | Description |
+| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|
+|---|---|---|---|---|
-| include | `String` (special directive) | Includes another TOML file with `include = "relative/or/absolute/path.toml"`; includes are processed recursively before parsing. |
+| include | `String` (special directive) | `null` | — | Includes another TOML file with `include = "relative/or/absolute/path.toml"`; includes are processed recursively before parsing. |
-| show_link | `"*" \| String[]` | Legacy top-level link visibility selector (`"*"` for all users or explicit usernames list). |
+| show_link | `"*" \| String[]` | `[]` (`ShowLink::None`) | — | Legacy top-level link visibility selector (`"*"` for all users or explicit usernames list). |
-| dc_overrides | `Map<String, String[]>` | Overrides DC endpoints for non-standard DCs; key is DC id string, value is `ip:port` list. |
+| dc_overrides | `Map<String, String[]>` | `{}` | — | Overrides DC endpoints for non-standard DCs; key is DC id string, value is `ip:port` list. |
-| default_dc | `u8` | Default DC index used for unmapped non-standard DCs. |
+| default_dc | `u8 \| null` | `null` (effective fallback: `2` in ME routing) | — | Default DC index used for unmapped non-standard DCs. |
 ## [general]
-| Parameter | Type | Description |
+| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|
+|---|---|---|---|---|
-| data_path | `String` | Optional runtime data directory path. |
+| data_path | `String \| null` | `null` | — | Optional runtime data directory path. |
-| prefer_ipv6 | `bool` | Prefer IPv6 where applicable in runtime logic. |
+| prefer_ipv6 | `bool` | `false` | — | Prefer IPv6 where applicable in runtime logic. |
-| fast_mode | `bool` | Enables fast-path optimizations for traffic processing. |
+| fast_mode | `bool` | `true` | — | Enables fast-path optimizations for traffic processing. |
-| use_middle_proxy | `bool` | Enables Middle Proxy mode. |
+| use_middle_proxy | `bool` | `true` | none | Enables ME transport mode; if `false`, runtime falls back to direct DC routing. |
-| proxy_secret_path | `String` | Path to proxy secret binary; can be auto-downloaded if absent. |
+| proxy_secret_path | `String \| null` | `"proxy-secret"` | Path may be `null`. | Path to Telegram infrastructure proxy-secret file used by ME handshake logic. |
-| proxy_config_v4_cache_path | `String` | Optional cache path for raw `getProxyConfig` (IPv4) snapshot. |
+| proxy_config_v4_cache_path | `String \| null` | `"cache/proxy-config-v4.txt"` | — | Optional cache path for raw `getProxyConfig` (IPv4) snapshot. |
-| proxy_config_v6_cache_path | `String` | Optional cache path for raw `getProxyConfigV6` (IPv6) snapshot. |
+| proxy_config_v6_cache_path | `String \| null` | `"cache/proxy-config-v6.txt"` | — | Optional cache path for raw `getProxyConfigV6` (IPv6) snapshot. |
-| ad_tag | `String` | Global fallback ad tag (32 hex characters). |
+| ad_tag | `String \| null` | `null` | — | Global fallback ad tag (32 hex characters). |
-| middle_proxy_nat_ip | `IpAddr` | Explicit public IP override for NAT environments. |
+| middle_proxy_nat_ip | `IpAddr \| null` | `null` | Must be a valid IP when set. | Manual public NAT IP override used as ME address material when set. |
-| middle_proxy_nat_probe | `bool` | Enables NAT probing for Middle Proxy KDF/public address discovery. |
+| middle_proxy_nat_probe | `bool` | `true` | Auto-forced to `true` when `use_middle_proxy = true`. | Enables ME NAT probing; runtime may force it on when ME mode is active. |
-| middle_proxy_nat_stun | `String` | Deprecated legacy single STUN server for NAT probing. |
+| middle_proxy_nat_stun | `String \| null` | `null` | Deprecated. Use `network.stun_servers`. | Deprecated legacy single STUN server for NAT probing. |
-| middle_proxy_nat_stun_servers | `String[]` | Deprecated legacy STUN list for NAT probing fallback. |
+| middle_proxy_nat_stun_servers | `String[]` | `[]` | Deprecated. Use `network.stun_servers`. | Deprecated legacy STUN list for NAT probing fallback. |
-| stun_nat_probe_concurrency | `usize` | Maximum concurrent STUN probes during NAT detection. |
+| stun_nat_probe_concurrency | `usize` | `8` | Must be `> 0`. | Maximum number of parallel STUN probes during NAT/public endpoint discovery. |
-| middle_proxy_pool_size | `usize` | Target size of active Middle Proxy writer pool. |
+| middle_proxy_pool_size | `usize` | `8` | none | Target size of active ME writer pool. |
-| middle_proxy_warm_standby | `usize` | Number of warm standby Middle-End connections. |
+| middle_proxy_warm_standby | `usize` | `16` | none | Reserved compatibility field in current runtime revision. |
-| me_init_retry_attempts | `u32` | Startup retries for ME pool initialization (`0` means unlimited). |
+| me_init_retry_attempts | `u32` | `0` | `0..=1_000_000`. | Startup retries for ME pool initialization (`0` means unlimited). |
-| me2dc_fallback | `bool` | Allows fallback from ME mode to direct DC when ME startup fails. |
+| me2dc_fallback | `bool` | `true` | — | Allows fallback from ME mode to direct DC when ME startup fails. |
-| me_keepalive_enabled | `bool` | Enables ME keepalive padding frames. |
+| me_keepalive_enabled | `bool` | `true` | none | Enables periodic ME keepalive/ping traffic. |
-| me_keepalive_interval_secs | `u64` | Keepalive interval in seconds. |
+| me_keepalive_interval_secs | `u64` | `8` | none | Base ME keepalive interval in seconds. |
-| me_keepalive_jitter_secs | `u64` | Keepalive jitter in seconds. |
+| me_keepalive_jitter_secs | `u64` | `2` | none | Keepalive jitter in seconds to reduce synchronized bursts. |
-| me_keepalive_payload_random | `bool` | Randomizes keepalive payload bytes instead of zero payload. |
+| me_keepalive_payload_random | `bool` | `true` | none | Randomizes keepalive payload bytes instead of fixed zero payload. |
-| rpc_proxy_req_every | `u64` | Interval for service `RPC_PROXY_REQ` activity signals (`0` disables). |
+| rpc_proxy_req_every | `u64` | `0` | `0` or `10..=300`. | Interval for service `RPC_PROXY_REQ` activity signals (`0` disables). |
-| me_writer_cmd_channel_capacity | `usize` | Capacity of per-writer command channel. |
+| me_writer_cmd_channel_capacity | `usize` | `4096` | Must be `> 0`. | Capacity of per-writer command channel. |
-| me_route_channel_capacity | `usize` | Capacity of per-connection ME response route channel. |
+| me_route_channel_capacity | `usize` | `768` | Must be `> 0`. | Capacity of per-connection ME response route channel. |
-| me_c2me_channel_capacity | `usize` | Capacity of per-client command queue (client reader -> ME sender). |
+| me_c2me_channel_capacity | `usize` | `1024` | Must be `> 0`. | Capacity of per-client command queue (client reader -> ME sender). |
-| me_reader_route_data_wait_ms | `u64` | Bounded wait for routing ME DATA to per-connection queue (`0` = no wait). |
+| me_reader_route_data_wait_ms | `u64` | `2` | `0..=20`. | Bounded wait for routing ME DATA to per-connection queue (`0` = no wait). |
-| me_d2c_flush_batch_max_frames | `usize` | Max ME->client frames coalesced before flush. |
+| me_d2c_flush_batch_max_frames | `usize` | `32` | `1..=512`. | Max ME->client frames coalesced before flush. |
-| me_d2c_flush_batch_max_bytes | `usize` | Max ME->client payload bytes coalesced before flush. |
+| me_d2c_flush_batch_max_bytes | `usize` | `131072` | `4096..=2_097_152`. | Max ME->client payload bytes coalesced before flush. |
-| me_d2c_flush_batch_max_delay_us | `u64` | Max microsecond wait for coalescing more ME->client frames (`0` disables timed coalescing). |
+| me_d2c_flush_batch_max_delay_us | `u64` | `500` | `0..=5000`. | Max microsecond wait for coalescing more ME->client frames (`0` disables timed coalescing). |
-| me_d2c_ack_flush_immediate | `bool` | Flushes client writer immediately after quick-ack write. |
+| me_d2c_ack_flush_immediate | `bool` | `true` | — | Flushes client writer immediately after quick-ack write. |
-| direct_relay_copy_buf_c2s_bytes | `usize` | Copy buffer size for client->DC direction in direct relay. |
+| direct_relay_copy_buf_c2s_bytes | `usize` | `65536` | `4096..=1_048_576`. | Copy buffer size for client->DC direction in direct relay. |
-| direct_relay_copy_buf_s2c_bytes | `usize` | Copy buffer size for DC->client direction in direct relay. |
+| direct_relay_copy_buf_s2c_bytes | `usize` | `262144` | `8192..=2_097_152`. | Copy buffer size for DC->client direction in direct relay. |
-| crypto_pending_buffer | `usize` | Max pending ciphertext buffer per client writer (bytes). |
+| crypto_pending_buffer | `usize` | `262144` | — | Max pending ciphertext buffer per client writer (bytes). |
-| max_client_frame | `usize` | Maximum allowed client MTProto frame size (bytes). |
+| max_client_frame | `usize` | `16777216` | — | Maximum allowed client MTProto frame size (bytes). |
-| desync_all_full | `bool` | Emits full crypto-desync forensic logs for every event. |
+| desync_all_full | `bool` | `false` | — | Emits full crypto-desync forensic logs for every event. |
-| beobachten | `bool` | Enables per-IP forensic observation buckets. |
+| beobachten | `bool` | `true` | — | Enables per-IP forensic observation buckets. |
-| beobachten_minutes | `u64` | Retention window (minutes) for per-IP observation buckets. |
+| beobachten_minutes | `u64` | `10` | Must be `> 0`. | Retention window (minutes) for per-IP observation buckets. |
-| beobachten_flush_secs | `u64` | Snapshot flush interval (seconds) for observation output file. |
+| beobachten_flush_secs | `u64` | `15` | Must be `> 0`. | Snapshot flush interval (seconds) for observation output file. |
-| beobachten_file | `String` | Observation snapshot output file path. |
+| beobachten_file | `String` | `"cache/beobachten.txt"` | — | Observation snapshot output file path. |
-| hardswap | `bool` | Enables hard-swap generation switching for ME pool updates. |
+| hardswap | `bool` | `true` | none | Enables generation-based ME hardswap strategy. |
-| me_warmup_stagger_enabled | `bool` | Enables staggered warmup for extra ME writers. |
+| me_warmup_stagger_enabled | `bool` | `true` | none | Staggers extra ME warmup dials to avoid connection spikes. |
-| me_warmup_step_delay_ms | `u64` | Base delay between warmup connections (ms). |
+| me_warmup_step_delay_ms | `u64` | `500` | none | Base delay in milliseconds between warmup dial steps. |
-| me_warmup_step_jitter_ms | `u64` | Jitter for warmup delay (ms). |
+| me_warmup_step_jitter_ms | `u64` | `300` | none | Additional random delay in milliseconds for warmup steps. |
-| me_reconnect_max_concurrent_per_dc | `u32` | Max concurrent reconnect attempts per DC. |
+| me_reconnect_max_concurrent_per_dc | `u32` | `8` | none | Limits concurrent reconnect workers per DC during health recovery. |
-| me_reconnect_backoff_base_ms | `u64` | Base reconnect backoff in ms. |
+| me_reconnect_backoff_base_ms | `u64` | `500` | none | Initial reconnect backoff in milliseconds. |
-| me_reconnect_backoff_cap_ms | `u64` | Cap reconnect backoff in ms. |
+| me_reconnect_backoff_cap_ms | `u64` | `30000` | none | Maximum reconnect backoff cap in milliseconds. |
-| me_reconnect_fast_retry_count | `u32` | Number of fast retry attempts before backoff. |
+| me_reconnect_fast_retry_count | `u32` | `16` | none | Immediate retry budget before long backoff behavior applies. |
-| me_single_endpoint_shadow_writers | `u8` | Additional reserve writers for one-endpoint DC groups. |
+| me_single_endpoint_shadow_writers | `u8` | `2` | `0..=32`. | Additional reserve writers for one-endpoint DC groups. |
-| me_single_endpoint_outage_mode_enabled | `bool` | Enables aggressive outage recovery for one-endpoint DC groups. |
+| me_single_endpoint_outage_mode_enabled | `bool` | `true` | — | Enables aggressive outage recovery for one-endpoint DC groups. |
-| me_single_endpoint_outage_disable_quarantine | `bool` | Ignores endpoint quarantine in one-endpoint outage mode. |
+| me_single_endpoint_outage_disable_quarantine | `bool` | `true` | — | Ignores endpoint quarantine in one-endpoint outage mode. |
-| me_single_endpoint_outage_backoff_min_ms | `u64` | Minimum reconnect backoff in outage mode (ms). |
+| me_single_endpoint_outage_backoff_min_ms | `u64` | `250` | Must be `> 0`; also `<= me_single_endpoint_outage_backoff_max_ms`. | Minimum reconnect backoff in outage mode (ms). |
-| me_single_endpoint_outage_backoff_max_ms | `u64` | Maximum reconnect backoff in outage mode (ms). |
+| me_single_endpoint_outage_backoff_max_ms | `u64` | `3000` | Must be `> 0`; also `>= me_single_endpoint_outage_backoff_min_ms`. | Maximum reconnect backoff in outage mode (ms). |
-| me_single_endpoint_shadow_rotate_every_secs | `u64` | Periodic shadow writer rotation interval (`0` disables). |
+| me_single_endpoint_shadow_rotate_every_secs | `u64` | `900` | — | Periodic shadow writer rotation interval (`0` disables). |
-| me_floor_mode | `"static" \| "adaptive"` | Writer floor policy mode. |
+| me_floor_mode | `"static" \| "adaptive"` | `"adaptive"` | — | Writer floor policy mode. |
-| me_adaptive_floor_idle_secs | `u64` | Idle time before adaptive floor may reduce one-endpoint target. |
+| me_adaptive_floor_idle_secs | `u64` | `90` | — | Idle time before adaptive floor may reduce one-endpoint target. |
-| me_adaptive_floor_min_writers_single_endpoint | `u8` | Minimum adaptive writer target for one-endpoint DC groups. |
+| me_adaptive_floor_min_writers_single_endpoint | `u8` | `1` | `1..=32`. | Minimum adaptive writer target for one-endpoint DC groups. |
-| me_adaptive_floor_min_writers_multi_endpoint | `u8` | Minimum adaptive writer target for multi-endpoint DC groups. |
+| me_adaptive_floor_min_writers_multi_endpoint | `u8` | `1` | `1..=32`. | Minimum adaptive writer target for multi-endpoint DC groups. |
-| me_adaptive_floor_recover_grace_secs | `u64` | Grace period to hold static floor after activity. |
+| me_adaptive_floor_recover_grace_secs | `u64` | `180` | — | Grace period to hold static floor after activity. |
-| me_adaptive_floor_writers_per_core_total | `u16` | Global writer budget per logical CPU core in adaptive mode. |
+| me_adaptive_floor_writers_per_core_total | `u16` | `48` | Must be `> 0`. | Global writer budget per logical CPU core in adaptive mode. |
-| me_adaptive_floor_cpu_cores_override | `u16` | Manual CPU core count override (`0` uses auto-detection). |
+| me_adaptive_floor_cpu_cores_override | `u16` | `0` | — | Manual CPU core count override (`0` uses auto-detection). |
-| me_adaptive_floor_max_extra_writers_single_per_core | `u16` | Per-core max extra writers above base floor for one-endpoint DCs. |
+| me_adaptive_floor_max_extra_writers_single_per_core | `u16` | `1` | — | Per-core max extra writers above base floor for one-endpoint DCs. |
-| me_adaptive_floor_max_extra_writers_multi_per_core | `u16` | Per-core max extra writers above base floor for multi-endpoint DCs. |
+| me_adaptive_floor_max_extra_writers_multi_per_core | `u16` | `2` | — | Per-core max extra writers above base floor for multi-endpoint DCs. |
-| me_adaptive_floor_max_active_writers_per_core | `u16` | Hard cap for active ME writers per logical CPU core. |
+| me_adaptive_floor_max_active_writers_per_core | `u16` | `64` | Must be `> 0`. | Hard cap for active ME writers per logical CPU core. |
-| me_adaptive_floor_max_warm_writers_per_core | `u16` | Hard cap for warm ME writers per logical CPU core. |
+| me_adaptive_floor_max_warm_writers_per_core | `u16` | `64` | Must be `> 0`. | Hard cap for warm ME writers per logical CPU core. |
-| me_adaptive_floor_max_active_writers_global | `u32` | Hard global cap for active ME writers. |
+| me_adaptive_floor_max_active_writers_global | `u32` | `256` | Must be `> 0`. | Hard global cap for active ME writers. |
-| me_adaptive_floor_max_warm_writers_global | `u32` | Hard global cap for warm ME writers. |
+| me_adaptive_floor_max_warm_writers_global | `u32` | `256` | Must be `> 0`. | Hard global cap for warm ME writers. |
-| upstream_connect_retry_attempts | `u32` | Connect attempts for selected upstream before error/fallback. |
+| upstream_connect_retry_attempts | `u32` | `2` | Must be `> 0`. | Connect attempts for selected upstream before error/fallback. |
-| upstream_connect_retry_backoff_ms | `u64` | Delay between upstream connect attempts (ms). |
+| upstream_connect_retry_backoff_ms | `u64` | `100` | — | Delay between upstream connect attempts (ms). |
-| upstream_connect_budget_ms | `u64` | Total wall-clock budget for one upstream connect request (ms). |
+| upstream_connect_budget_ms | `u64` | `3000` | Must be `> 0`. | Total wall-clock budget for one upstream connect request (ms). |
-| upstream_unhealthy_fail_threshold | `u32` | Consecutive failed requests before upstream is marked unhealthy. |
+| upstream_unhealthy_fail_threshold | `u32` | `5` | Must be `> 0`. | Consecutive failed requests before upstream is marked unhealthy. |
-| upstream_connect_failfast_hard_errors | `bool` | Skips additional retries for hard non-transient connect errors. |
+| upstream_connect_failfast_hard_errors | `bool` | `false` | — | Skips additional retries for hard non-transient connect errors. |
-| stun_iface_mismatch_ignore | `bool` | Ignores STUN/interface mismatch and keeps Middle Proxy mode. |
+| stun_iface_mismatch_ignore | `bool` | `false` | none | Reserved compatibility flag in current runtime revision. |
-| unknown_dc_log_path | `String` | File path for unknown-DC request logging (`null` disables file path). |
+| unknown_dc_log_path | `String \| null` | `"unknown-dc.txt"` | — | File path for unknown-DC request logging (`null` disables file path). |
-| unknown_dc_file_log_enabled | `bool` | Enables unknown-DC file logging. |
+| unknown_dc_file_log_enabled | `bool` | `false` | — | Enables unknown-DC file logging. |
-| log_level | `"debug" \| "verbose" \| "normal" \| "silent"` | Runtime logging verbosity. |
+| log_level | `"debug" \| "verbose" \| "normal" \| "silent"` | `"normal"` | — | Runtime logging verbosity. |
-| disable_colors | `bool` | Disables ANSI colors in logs. |
+| disable_colors | `bool` | `false` | — | Disables ANSI colors in logs. |
-| me_socks_kdf_policy | `"strict" \| "compat"` | SOCKS-bound KDF fallback policy for ME handshake. |
+| me_socks_kdf_policy | `"strict" \| "compat"` | `"strict"` | — | SOCKS-bound KDF fallback policy for ME handshake. |
-| me_route_backpressure_base_timeout_ms | `u64` | Base backpressure timeout for route-channel send (ms). |
+| me_route_backpressure_base_timeout_ms | `u64` | `25` | Must be `> 0`. | Base backpressure timeout for route-channel send (ms). |
-| me_route_backpressure_high_timeout_ms | `u64` | High backpressure timeout when queue occupancy exceeds watermark (ms). |
+| me_route_backpressure_high_timeout_ms | `u64` | `120` | Must be `>= me_route_backpressure_base_timeout_ms`. | High backpressure timeout when queue occupancy exceeds watermark (ms). |
-| me_route_backpressure_high_watermark_pct | `u8` | Queue occupancy threshold (%) for high timeout mode. |
+| me_route_backpressure_high_watermark_pct | `u8` | `80` | `1..=100`. | Queue occupancy threshold (%) for high timeout mode. |
-| me_health_interval_ms_unhealthy | `u64` | Health monitor interval while writer coverage is degraded (ms). |
+| me_health_interval_ms_unhealthy | `u64` | `1000` | Must be `> 0`. | Health monitor interval while writer coverage is degraded (ms). |
-| me_health_interval_ms_healthy | `u64` | Health monitor interval while writer coverage is healthy (ms). |
+| me_health_interval_ms_healthy | `u64` | `3000` | Must be `> 0`. | Health monitor interval while writer coverage is healthy (ms). |
-| me_admission_poll_ms | `u64` | Poll interval for conditional-admission checks (ms). |
+| me_admission_poll_ms | `u64` | `1000` | Must be `> 0`. | Poll interval for conditional-admission checks (ms). |
-| me_warn_rate_limit_ms | `u64` | Cooldown for repetitive ME warning logs (ms). |
+| me_warn_rate_limit_ms | `u64` | `5000` | Must be `> 0`. | Cooldown for repetitive ME warning logs (ms). |
-| me_route_no_writer_mode | `"async_recovery_failfast" \| "inline_recovery_legacy" \| "hybrid_async_persistent"` | Route behavior when no writer is immediately available. |
+| me_route_no_writer_mode | `"async_recovery_failfast" \| "inline_recovery_legacy" \| "hybrid_async_persistent"` | `"hybrid_async_persistent"` | — | Route behavior when no writer is immediately available. |
-| me_route_no_writer_wait_ms | `u64` | Max wait in async-recovery failfast mode (ms). |
+| me_route_no_writer_wait_ms | `u64` | `250` | `10..=5000`. | Max wait in async-recovery failfast mode (ms). |
-| me_route_inline_recovery_attempts | `u32` | Inline recovery attempts in legacy mode. |
+| me_route_inline_recovery_attempts | `u32` | `3` | Must be `> 0`. | Inline recovery attempts in legacy mode. |
-| me_route_inline_recovery_wait_ms | `u64` | Max inline recovery wait in legacy mode (ms). |
+| me_route_inline_recovery_wait_ms | `u64` | `3000` | `10..=30000`. | Max inline recovery wait in legacy mode (ms). |
-| fast_mode_min_tls_record | `usize` | Minimum TLS record size when fast-mode coalescing is enabled (`0` disables). |
+| fast_mode_min_tls_record | `usize` | `0` | — | Minimum TLS record size when fast-mode coalescing is enabled (`0` disables). |
-| update_every | `u64` | Unified interval for config/secret updater tasks. |
+| update_every | `u64 \| null` | `300` | If set: must be `> 0`; if `null`: legacy fallback path is used. | Unified refresh interval for ME config and proxy-secret updater tasks. |
-| me_reinit_every_secs | `u64` | Periodic ME pool reinitialization interval (seconds). |
+| me_reinit_every_secs | `u64` | `900` | Must be `> 0`. | Periodic interval for zero-downtime ME reinit cycle. |
-| me_hardswap_warmup_delay_min_ms | `u64` | Minimum delay between hardswap warmup connects (ms). |
+| me_hardswap_warmup_delay_min_ms | `u64` | `1000` | Must be `<= me_hardswap_warmup_delay_max_ms`. | Lower bound for hardswap warmup dial spacing. |
-| me_hardswap_warmup_delay_max_ms | `u64` | Maximum delay between hardswap warmup connects (ms). |
+| me_hardswap_warmup_delay_max_ms | `u64` | `2000` | Must be `> 0`. | Upper bound for hardswap warmup dial spacing. |
-| me_hardswap_warmup_extra_passes | `u8` | Additional warmup passes per hardswap cycle. |
+| me_hardswap_warmup_extra_passes | `u8` | `3` | Must be within `[0, 10]`. | Additional warmup passes after the base pass in one hardswap cycle. |
-| me_hardswap_warmup_pass_backoff_base_ms | `u64` | Base backoff between hardswap warmup passes (ms). |
+| me_hardswap_warmup_pass_backoff_base_ms | `u64` | `500` | Must be `> 0`. | Base backoff between extra hardswap warmup passes. |
-| me_config_stable_snapshots | `u8` | Number of identical config snapshots required before apply. |
+| me_config_stable_snapshots | `u8` | `2` | Must be `> 0`. | Number of identical ME config snapshots required before apply. |
-| me_config_apply_cooldown_secs | `u64` | Cooldown between applied ME map updates (seconds). |
+| me_config_apply_cooldown_secs | `u64` | `300` | none | Cooldown between applied ME endpoint-map updates. |
-| me_snapshot_require_http_2xx | `bool` | Requires 2xx HTTP responses for applying config snapshots. |
+| me_snapshot_require_http_2xx | `bool` | `true` | — | Requires 2xx HTTP responses for applying config snapshots. |
-| me_snapshot_reject_empty_map | `bool` | Rejects empty config snapshots. |
+| me_snapshot_reject_empty_map | `bool` | `true` | — | Rejects empty config snapshots. |
-| me_snapshot_min_proxy_for_lines | `u32` | Minimum parsed `proxy_for` rows required to accept snapshot. |
+| me_snapshot_min_proxy_for_lines | `u32` | `1` | Must be `> 0`. | Minimum parsed `proxy_for` rows required to accept snapshot. |
-| proxy_secret_stable_snapshots | `u8` | Number of identical secret snapshots required before runtime rotation. |
+| proxy_secret_stable_snapshots | `u8` | `2` | Must be `> 0`. | Number of identical proxy-secret snapshots required before rotation. |
-| proxy_secret_rotate_runtime | `bool` | Enables runtime proxy-secret rotation from remote source. |
+| proxy_secret_rotate_runtime | `bool` | `true` | none | Enables runtime proxy-secret rotation from updater snapshots. |
-| me_secret_atomic_snapshot | `bool` | Keeps selector and secret bytes from the same snapshot atomically. |
+| me_secret_atomic_snapshot | `bool` | `true` | — | Keeps selector and secret bytes from the same snapshot atomically. |
-| proxy_secret_len_max | `usize` | Maximum allowed proxy-secret length (bytes). |
+| proxy_secret_len_max | `usize` | `256` | Must be within `[32, 4096]`. | Upper length limit for accepted proxy-secret bytes. |
-| me_pool_drain_ttl_secs | `u64` | Drain TTL for stale ME writers after endpoint-map changes (seconds). |
+| me_pool_drain_ttl_secs | `u64` | `90` | none | Time window where stale writers remain fallback-eligible after map change. |
-| me_pool_drain_threshold | `u64` | Max draining stale writers before batch force-close (`0` disables threshold cleanup). |
+| me_pool_drain_threshold | `u64` | `128` | — | Max draining stale writers before batch force-close (`0` disables threshold cleanup). |
-| me_bind_stale_mode | `"never" \| "ttl" \| "always"` | Policy for new binds on stale draining writers. |
+| me_pool_drain_soft_evict_enabled | `bool` | `true` | — | Enables gradual soft-eviction of stale writers during drain/reinit instead of immediate hard close. |
-| me_bind_stale_ttl_secs | `u64` | TTL for stale bind allowance when stale mode is `ttl`. |
+| me_pool_drain_soft_evict_grace_secs | `u64` | `30` | `0..=3600`. | Grace period before stale writers become soft-evict candidates. |
-| me_pool_min_fresh_ratio | `f32` | Minimum desired-DC fresh coverage ratio before draining stale writers. |
+| me_pool_drain_soft_evict_per_writer | `u8` | `1` | `1..=16`. | Maximum stale routes soft-evicted per writer in one eviction pass. |
-| me_reinit_drain_timeout_secs | `u64` | Force-close timeout for stale writers after endpoint-map changes (`0` disables force-close). |
+| me_pool_drain_soft_evict_budget_per_core | `u16` | `8` | `1..=64`. | Per-core budget limiting aggregate soft-eviction work per pass. |
-| proxy_secret_auto_reload_secs | `u64` | Deprecated legacy secret reload interval (fallback when `update_every` is not set). |
+| me_pool_drain_soft_evict_cooldown_ms | `u64` | `5000` | Must be `> 0`. | Cooldown between consecutive soft-eviction passes (ms). |
-| proxy_config_auto_reload_secs | `u64` | Deprecated legacy config reload interval (fallback when `update_every` is not set). |
+| me_bind_stale_mode | `"never" \| "ttl" \| "always"` | `"ttl"` | — | Policy for new binds on stale draining writers. |
-| me_reinit_singleflight | `bool` | Serializes ME reinit cycles across trigger sources. |
+| me_bind_stale_ttl_secs | `u64` | `90` | — | TTL for stale bind allowance when stale mode is `ttl`. |
-| me_reinit_trigger_channel | `usize` | Trigger queue capacity for reinit scheduler. |
+| me_pool_min_fresh_ratio | `f32` | `0.8` | Must be within `[0.0, 1.0]`. | Minimum fresh desired-DC coverage ratio before stale writers are drained. |
-| me_reinit_coalesce_window_ms | `u64` | Trigger coalescing window before starting reinit (ms). |
+| me_reinit_drain_timeout_secs | `u64` | `120` | `0` disables force-close; if `> 0` and `< me_pool_drain_ttl_secs`, runtime bumps it to TTL. | Force-close timeout for draining stale writers (`0` keeps indefinite draining). |
-| me_deterministic_writer_sort | `bool` | Enables deterministic candidate sort for writer binding path. |
+| proxy_secret_auto_reload_secs | `u64` | `3600` | Deprecated. Use `general.update_every`. | Deprecated legacy secret reload interval (fallback when `update_every` is not set). |
-| me_writer_pick_mode | `"sorted_rr" \| "p2c"` | Writer selection mode for route bind path. |
+| proxy_config_auto_reload_secs | `u64` | `3600` | Deprecated. Use `general.update_every`. | Deprecated legacy config reload interval (fallback when `update_every` is not set). |
-| me_writer_pick_sample_size | `u8` | Number of candidates sampled by picker in `p2c` mode. |
+| me_reinit_singleflight | `bool` | `true` | — | Serializes ME reinit cycles across trigger sources. |
-| ntp_check | `bool` | Enables NTP drift check at startup. |
+| me_reinit_trigger_channel | `usize` | `64` | Must be `> 0`. | Trigger queue capacity for reinit scheduler. |
-| ntp_servers | `String[]` | NTP servers used for drift check. |
+| me_reinit_coalesce_window_ms | `u64` | `200` | — | Trigger coalescing window before starting reinit (ms). |
-| auto_degradation_enabled | `bool` | Enables automatic degradation from ME to direct DC. |
+| me_deterministic_writer_sort | `bool` | `true` | — | Enables deterministic candidate sort for writer binding path. |
-| degradation_min_unavailable_dc_groups | `u8` | Minimum unavailable ME DC groups required before degrading. |
+| me_writer_pick_mode | `"sorted_rr" \| "p2c"` | `"p2c"` | — | Writer selection mode for route bind path. |
 | me_writer_pick_sample_size | `u8` | `3` | `2..=4`. | Number of candidates sampled by picker in `p2c` mode. |
 | ntp_check | `bool` | `true` | — | Enables NTP drift check at startup. |
 | ntp_servers | `String[]` | `["pool.ntp.org"]` | — | NTP servers used for drift check. |
 | auto_degradation_enabled | `bool` | `true` | none | Reserved compatibility flag in current runtime revision. |
 | degradation_min_unavailable_dc_groups | `u8` | `2` | none | Reserved compatibility threshold in current runtime revision. |
 ## [general.modes]
-| Parameter | Type | Description |
+| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|
+|---|---|---|---|---|
-| classic | `bool` | Enables classic MTProxy mode. |
+| classic | `bool` | `false` | — | Enables classic MTProxy mode. |
-| secure | `bool` | Enables secure mode. |
+| secure | `bool` | `false` | — | Enables secure mode. |
-| tls | `bool` | Enables TLS mode. |
+| tls | `bool` | `true` | — | Enables TLS mode. |
 ## [general.links]
-| Parameter | Type | Description |
+| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|
+|---|---|---|---|---|
-| show | `"*" \| String[]` | Selects users whose tg:// links are shown at startup. |
+| show | `"*" \| String[]` | `"*"` | — | Selects users whose tg:// links are shown at startup. |
-| public_host | `String` | Public hostname/IP override for generated tg:// links. |
+| public_host | `String \| null` | `null` | — | Public hostname/IP override for generated tg:// links. |
-| public_port | `u16` | Public port override for generated tg:// links. |
+| public_port | `u16 \| null` | `null` | — | Public port override for generated tg:// links. |
 ## [general.telemetry]
-| Parameter | Type | Description |
+| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|
+|---|---|---|---|---|
-| core_enabled | `bool` | Enables core hot-path telemetry counters. |
+| core_enabled | `bool` | `true` | — | Enables core hot-path telemetry counters. |
-| user_enabled | `bool` | Enables per-user telemetry counters. |
+| user_enabled | `bool` | `true` | — | Enables per-user telemetry counters. |
-| me_level | `"silent" \| "normal" \| "debug"` | Middle-End telemetry verbosity level. |
+| me_level | `"silent" \| "normal" \| "debug"` | `"normal"` | — | Middle-End telemetry verbosity level. |
 ## [network]
-| Parameter | Type | Description |
+| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|
+|---|---|---|---|---|
-| ipv4 | `bool` | Enables IPv4 networking. |
+| ipv4 | `bool` | `true` | — | Enables IPv4 networking. |
-| ipv6 | `bool` | Enables/disables IPv6 (`null` = auto-detect availability). |
+| ipv6 | `bool` | `false` | — | Enables/disables IPv6 when set |
-| prefer | `u8` | Preferred IP family for selection (`4` or `6`). |
+| prefer | `u8` | `4` | Must be `4` or `6`. | Preferred IP family for selection (`4` or `6`). |
-| multipath | `bool` | Enables multipath behavior where supported. |
+| multipath | `bool` | `false` | — | Enables multipath behavior where supported. |
-| stun_use | `bool` | Global switch for STUN probing. |
+| stun_use | `bool` | `true` | none | Global STUN switch; when `false`, STUN probing path is disabled. |
-| stun_servers | `String[]` | STUN server list for public IP detection. |
+| stun_servers | `String[]` | Built-in STUN list (13 hosts) | Deduplicated; empty values are removed. | Primary STUN server list for NAT/public endpoint discovery. |
-| stun_tcp_fallback | `bool` | Enables TCP STUN fallback when UDP STUN is blocked. |
+| stun_tcp_fallback | `bool` | `true` | none | Enables TCP fallback for STUN when UDP path is blocked. |
-| http_ip_detect_urls | `String[]` | HTTP endpoints used as fallback public IP detectors. |
+| http_ip_detect_urls | `String[]` | `["https://ifconfig.me/ip", "https://api.ipify.org"]` | none | HTTP fallback endpoints for public IP detection when STUN is unavailable. |
-| cache_public_ip_path | `String` | File path for caching detected public IP. |
+| cache_public_ip_path | `String` | `"cache/public_ip.txt"` | — | File path for caching detected public IP. |
-| dns_overrides | `String[]` | Runtime DNS overrides in `host:port:ip` format. |
+| dns_overrides | `String[]` | `[]` | Must match `host:port:ip`; IPv6 must be bracketed. | Runtime DNS overrides in `host:port:ip` format. |
 ## [server]
-| Parameter | Type | Description |
+| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|
+|---|---|---|---|---|
-| port | `u16` | Main proxy listen port. |
+| port | `u16` | `443` | — | Main proxy listen port. |
-| listen_addr_ipv4 | `String` | IPv4 bind address for TCP listener. |
+| listen_addr_ipv4 | `String \| null` | `"0.0.0.0"` | — | IPv4 bind address for TCP listener. |
-| listen_addr_ipv6 | `String` | IPv6 bind address for TCP listener. |
+| listen_addr_ipv6 | `String \| null` | `"::"` | — | IPv6 bind address for TCP listener. |
-| listen_unix_sock | `String` | Unix socket path for listener. |
+| listen_unix_sock | `String \| null` | `null` | — | Unix socket path for listener. |
-| listen_unix_sock_perm | `String` | Unix socket permissions in octal string (e.g., `"0666"`). |
+| listen_unix_sock_perm | `String \| null` | `null` | — | Unix socket permissions in octal string (e.g., `"0666"`). |
-| listen_tcp | `bool` | Explicit TCP listener enable/disable override. |
+| listen_tcp | `bool \| null` | `null` (auto) | — | Explicit TCP listener enable/disable override. |
-| proxy_protocol | `bool` | Enables HAProxy PROXY protocol parsing on incoming client connections. |
+| proxy_protocol | `bool` | `false` | — | Enables HAProxy PROXY protocol parsing on incoming client connections. |
-| proxy_protocol_header_timeout_ms | `u64` | Timeout for PROXY protocol header read/parse (ms). |
+| proxy_protocol_header_timeout_ms | `u64` | `500` | Must be `> 0`. | Timeout for PROXY protocol header read/parse (ms). |
-| metrics_port | `u16` | Metrics endpoint port (enables metrics listener). |
+| metrics_port | `u16 \| null` | `null` | — | Metrics endpoint port (enables metrics listener). |
-| metrics_listen | `String` | Full metrics bind address (`IP:PORT`), overrides `metrics_port`. |
+| metrics_listen | `String \| null` | `null` | — | Full metrics bind address (`IP:PORT`), overrides `metrics_port`. |
-| metrics_whitelist | `IpNetwork[]` | CIDR whitelist for metrics endpoint access. |
+| metrics_whitelist | `IpNetwork[]` | `["127.0.0.1/32", "::1/128"]` | — | CIDR whitelist for metrics endpoint access. |
-| max_connections | `u32` | Max concurrent client connections (`0` = unlimited). |
+| max_connections | `u32` | `10000` | — | Max concurrent client connections (`0` = unlimited). |
 ## [server.api]
-| Parameter | Type | Description |
+| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|
+|---|---|---|---|---|
-| enabled | `bool` | Enables control-plane REST API. |
+| enabled | `bool` | `true` | — | Enables control-plane REST API. |
-| listen | `String` | API bind address in `IP:PORT` format. |
+| listen | `String` | `"0.0.0.0:9091"` | Must be valid `IP:PORT`. | API bind address in `IP:PORT` format. |
-| whitelist | `IpNetwork[]` | CIDR whitelist allowed to access API. |
+| whitelist | `IpNetwork[]` | `["127.0.0.0/8"]` | — | CIDR whitelist allowed to access API. |
-| auth_header | `String` | Exact expected `Authorization` header value (empty = disabled). |
+| auth_header | `String` | `""` | — | Exact expected `Authorization` header value (empty = disabled). |
-| request_body_limit_bytes | `usize` | Maximum accepted HTTP request body size. |
+| request_body_limit_bytes | `usize` | `65536` | Must be `> 0`. | Maximum accepted HTTP request body size. |
-| minimal_runtime_enabled | `bool` | Enables minimal runtime snapshots endpoint logic. |
+| minimal_runtime_enabled | `bool` | `true` | — | Enables minimal runtime snapshots endpoint logic. |
-| minimal_runtime_cache_ttl_ms | `u64` | Cache TTL for minimal runtime snapshots (ms; `0` disables cache). |
+| minimal_runtime_cache_ttl_ms | `u64` | `1000` | `0..=60000`. | Cache TTL for minimal runtime snapshots (ms; `0` disables cache). |
-| runtime_edge_enabled | `bool` | Enables runtime edge endpoints. |
+| runtime_edge_enabled | `bool` | `false` | — | Enables runtime edge endpoints. |
-| runtime_edge_cache_ttl_ms | `u64` | Cache TTL for runtime edge aggregation payloads (ms). |
+| runtime_edge_cache_ttl_ms | `u64` | `1000` | `0..=60000`. | Cache TTL for runtime edge aggregation payloads (ms). |
-| runtime_edge_top_n | `usize` | Top-N size for edge connection leaderboard. |
+| runtime_edge_top_n | `usize` | `10` | `1..=1000`. | Top-N size for edge connection leaderboard. |
-| runtime_edge_events_capacity | `usize` | Ring-buffer capacity for runtime edge events. |
+| runtime_edge_events_capacity | `usize` | `256` | `16..=4096`. | Ring-buffer capacity for runtime edge events. |
-| read_only | `bool` | Rejects mutating API endpoints when enabled. |
+| read_only | `bool` | `false` | — | Rejects mutating API endpoints when enabled. |
 ## [[server.listeners]]
-| Parameter | Type | Description |
+| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|
+|---|---|---|---|---|
-| ip | `IpAddr` | Listener bind IP. |
+| ip | `IpAddr` | — | — | Listener bind IP. |
-| announce | `String` | Public IP/domain announced in proxy links (priority over `announce_ip`). |
+| announce | `String \| null` | — | — | Public IP/domain announced in proxy links (priority over `announce_ip`). |
-| announce_ip | `IpAddr` | Deprecated legacy announce IP (migrated to `announce` if needed). |
+| announce_ip | `IpAddr \| null` | — | — | Deprecated legacy announce IP (migrated to `announce` if needed). |
-| proxy_protocol | `bool` | Per-listener override for PROXY protocol enable flag. |
+| proxy_protocol | `bool \| null` | `null` | — | Per-listener override for PROXY protocol enable flag. |
-| reuse_allow | `bool` | Enables `SO_REUSEPORT` for multi-instance bind sharing. |
+| reuse_allow | `bool` | `false` | — | Enables `SO_REUSEPORT` for multi-instance bind sharing. |
 ## [timeouts]
-| Parameter | Type | Description |
+| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|
+|---|---|---|---|---|
-| client_handshake | `u64` | Client handshake timeout. |
+| client_handshake | `u64` | `30` | — | Client handshake timeout. |
-| tg_connect | `u64` | Upstream Telegram connect timeout. |
+| tg_connect | `u64` | `10` | — | Upstream Telegram connect timeout. |
-| client_keepalive | `u64` | Client keepalive timeout. |
+| client_keepalive | `u64` | `15` | — | Client keepalive timeout. |
-| client_ack | `u64` | Client ACK timeout. |
+| client_ack | `u64` | `90` | — | Client ACK timeout. |
-| me_one_retry | `u8` | Quick ME reconnect attempts for single-address DC. |
+| me_one_retry | `u8` | `12` | none | Fast reconnect attempts budget for single-endpoint DC scenarios. |
-| me_one_timeout_ms | `u64` | Timeout per quick attempt for single-address DC (ms). |
+| me_one_timeout_ms | `u64` | `1200` | none | Timeout in milliseconds for each quick single-endpoint reconnect attempt. |
 ## [censorship]
-| Parameter | Type | Description |
+| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|
+|---|---|---|---|---|
-| tls_domain | `String` | Primary TLS domain used in fake TLS handshake profile. |
+| tls_domain | `String` | `"petrovich.ru"` | — | Primary TLS domain used in fake TLS handshake profile. |
-| tls_domains | `String[]` | Additional TLS domains for generating multiple links. |
+| tls_domains | `String[]` | `[]` | — | Additional TLS domains for generating multiple links. |
-| mask | `bool` | Enables masking/fronting relay mode. |
+| mask | `bool` | `true` | — | Enables masking/fronting relay mode. |
-| mask_host | `String` | Upstream mask host for TLS fronting relay. |
+| mask_host | `String \| null` | `null` | — | Upstream mask host for TLS fronting relay. |
-| mask_port | `u16` | Upstream mask port for TLS fronting relay. |
+| mask_port | `u16` | `443` | — | Upstream mask port for TLS fronting relay. |
-| mask_unix_sock | `String` | Unix socket path for mask backend instead of TCP host/port. |
+| mask_unix_sock | `String \| null` | `null` | — | Unix socket path for mask backend instead of TCP host/port. |
-| fake_cert_len | `usize` | Length of synthetic certificate payload when emulation data is unavailable. |
+| fake_cert_len | `usize` | `2048` | — | Length of synthetic certificate payload when emulation data is unavailable. |
-| tls_emulation | `bool` | Enables certificate/TLS behavior emulation from cached real fronts. |
+| tls_emulation | `bool` | `true` | — | Enables certificate/TLS behavior emulation from cached real fronts. |
-| tls_front_dir | `String` | Directory path for TLS front cache storage. |
+| tls_front_dir | `String` | `"tlsfront"` | — | Directory path for TLS front cache storage. |
-| server_hello_delay_min_ms | `u64` | Minimum server_hello delay for anti-fingerprint behavior (ms). |
+| server_hello_delay_min_ms | `u64` | `0` | — | Minimum server_hello delay for anti-fingerprint behavior (ms). |
-| server_hello_delay_max_ms | `u64` | Maximum server_hello delay for anti-fingerprint behavior (ms). |
+| server_hello_delay_max_ms | `u64` | `0` | — | Maximum server_hello delay for anti-fingerprint behavior (ms). |
-| tls_new_session_tickets | `u8` | Number of `NewSessionTicket` messages to emit after handshake. |
+| tls_new_session_tickets | `u8` | `0` | — | Number of `NewSessionTicket` messages to emit after handshake. |
-| tls_full_cert_ttl_secs | `u64` | TTL for sending full cert payload per (domain, client IP) tuple. |
+| tls_full_cert_ttl_secs | `u64` | `90` | — | TTL for sending full cert payload per (domain, client IP) tuple. |
-| alpn_enforce | `bool` | Enforces ALPN echo behavior based on client preference. |
+| alpn_enforce | `bool` | `true` | — | Enforces ALPN echo behavior based on client preference. |
-| mask_proxy_protocol | `u8` | PROXY protocol mode for mask backend (`0` disabled, `1` v1, `2` v2). |
+| mask_proxy_protocol | `u8` | `0` | — | PROXY protocol mode for mask backend (`0` disabled, `1` v1, `2` v2). |
 ## [access]
-| Parameter | Type | Description |
+| Parameter | Type | Default | Constraints / validation | TOML shape example | Description |
-|---|---|---|
+|---|---|---|---|---|---|
-| users | `Map<String, String>` | Username -> 32-hex secret mapping. |
+| users | `Map<String, String>` | `{"default": "000…000"}` | Secret must be 32 hex characters. | `[access.users]`<br>`user = "32-hex secret"`<br>`user2 = "32-hex secret"` | User credentials map used for client authentication. |
-| user_ad_tags | `Map<String, String>` | Per-user ad tags (32 hex chars). |
+| user_ad_tags | `Map<String, String>` | `{}` | Every value must be exactly 32 hex characters. | `[access.user_ad_tags]`<br>`user = "32-hex ad_tag"` | Per-user ad tags used as override over `general.ad_tag`. |
-| user_max_tcp_conns | `Map<String, usize>` | Per-user maximum concurrent TCP connections. |
+| user_max_tcp_conns | `Map<String, usize>` | `{}` | — | `[access.user_max_tcp_conns]`<br>`user = 500` | Per-user maximum concurrent TCP connections. |
-| user_expirations | `Map<String, DateTime<Utc>>` | Per-user account expiration timestamps. |
+| user_expirations | `Map<String, DateTime<Utc>>` | `{}` | Timestamp must be valid RFC3339/ISO-8601 datetime. | `[access.user_expirations]`<br>`user = "2026-12-31T23:59:59Z"` | Per-user account expiration timestamps. |
-| user_data_quota | `Map<String, u64>` | Per-user data quota limits. |
+| user_data_quota | `Map<String, u64>` | `{}` | — | `[access.user_data_quota]`<br>`user = 1073741824` | Per-user traffic quota in bytes. |
-| user_max_unique_ips | `Map<String, usize>` | Per-user unique source IP limits. |
+| user_max_unique_ips | `Map<String, usize>` | `{}` | — | `[access.user_max_unique_ips]`<br>`user = 16` | Per-user unique source IP limits. |
-| user_max_unique_ips_global_each | `usize` | Global fallback per-user unique IP limit when no per-user override exists. |
+| user_max_unique_ips_global_each | `usize` | `0` | — | `user_max_unique_ips_global_each = 0` | Global fallback used when `[access.user_max_unique_ips]` has no per-user override. |
-| user_max_unique_ips_mode | `"active_window" \| "time_window" \| "combined"` | Unique source IP limit accounting mode. |
+| user_max_unique_ips_mode | `"active_window" \| "time_window" \| "combined"` | `"active_window"` | — | `user_max_unique_ips_mode = "active_window"` | Unique source IP limit accounting mode. |
-| user_max_unique_ips_window_secs | `u64` | Recent-window size for unique IP accounting (seconds). |
+| user_max_unique_ips_window_secs | `u64` | `30` | Must be `> 0`. | `user_max_unique_ips_window_secs = 30` | Window size (seconds) used by unique-IP accounting modes that use time windows. |
-| replay_check_len | `usize` | Replay check storage length. |
+| replay_check_len | `usize` | `65536` | — | `replay_check_len = 65536` | Replay-protection storage length. |
-| replay_window_secs | `u64` | Replay protection time window in seconds. |
+| replay_window_secs | `u64` | `1800` | — | `replay_window_secs = 1800` | Replay-protection window in seconds. |
-| ignore_time_skew | `bool` | Ignores client/server timestamp skew in replay validation. |
+| ignore_time_skew | `bool` | `false` | — | `ignore_time_skew = false` | Disables client/server timestamp skew checks in replay validation when enabled. |
 ## [[upstreams]]
-| Parameter | Type | Description |
+| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|
+|---|---|---|---|---|
-| type | `"direct" \| "socks4" \| "socks5"` | Upstream transport type selector. |
+| type | `"direct" \| "socks4" \| "socks5"` | — | Required field. | Upstream transport type selector. |
-| weight | `u16` | Weighted selection coefficient for this upstream. |
+| weight | `u16` | `1` | none | Base weight used by weighted-random upstream selection. |
-| enabled | `bool` | Enables/disables this upstream entry. |
+| enabled | `bool` | `true` | none | Disabled entries are excluded from upstream selection at runtime. |
-| scopes | `String` | Comma-separated scope tags for routing. |
+| scopes | `String` | `""` | none | Comma-separated scope tags used for request-level upstream filtering. |
-| interface | `String` | Optional outgoing interface name (`direct`, `socks4`, `socks5`). |
+| interface | `String \| null` | `null` | Optional; type-specific runtime rules apply. | Optional outbound interface/local bind hint (supported with type-specific rules). |
-| bind_addresses | `String[]` | Optional source bind addresses for `direct` upstream. |
+| bind_addresses | `String[] \| null` | `null` | Applies to `type = "direct"`. | Optional explicit local source bind addresses for `type = "direct"`. |
-| address | `String` | Upstream proxy address (`host:port`) for SOCKS upstreams. |
+| address | `String` | — | Required for `type = "socks4"` and `type = "socks5"`. | SOCKS server endpoint (`host:port` or `ip:port`) for SOCKS upstream types. |
-| user_id | `String` | SOCKS4 user ID (only for `type = "socks4"`). |
+| user_id | `String \| null` | `null` | Only for `type = "socks4"`. | SOCKS4 CONNECT user ID (`type = "socks4"` only). |
-| username | `String` | SOCKS5 username (only for `type = "socks5"`). |
+| username | `String \| null` | `null` | Only for `type = "socks5"`. | SOCKS5 username (`type = "socks5"` only). |
-| password | `String` | SOCKS5 password (only for `type = "socks5"`). |
+| password | `String \| null` | `null` | Only for `type = "socks5"`. | SOCKS5 password (`type = "socks5"` only). |
--- a/docs/FAQ.en.md
+++ b/docs/FAQ.en.md
@@ -120,3 +120,17 @@ password = "pass"          # Password for Auth on SOCKS-server
 weight = 1                 # Set Weight for Scenarios
 enabled = true
 ```
 #### Shadowsocks as Upstream
 Requires `use_middle_proxy = false`.
 ```toml
 [general]
 use_middle_proxy = false
 [[upstreams]]
 type = "shadowsocks"
 url = "ss://2022-blake3-aes-256-gcm:BASE64_KEY@1.2.3.4:8388"
 weight = 1
 enabled = true
 ```
--- a/docs/FAQ.ru.md
+++ b/docs/FAQ.ru.md
@@ -121,3 +121,16 @@ weight = 1                 # Set Weight for Scenarios
 enabled = true
 ```
 #### Shadowsocks как Upstream
 Требует `use_middle_proxy = false`.
 ```toml
 [general]
 use_middle_proxy = false
 [[upstreams]]
 type = "shadowsocks"
 url = "ss://2022-blake3-aes-256-gcm:BASE64_KEY@1.2.3.4:8388"
 weight = 1
 enabled = true
 ```
--- a/docs/TUNING.de.md
+++ b/docs/TUNING.de.md
@@ -82,7 +82,7 @@ Die unten angegebenen `Default`-Werte sind Code-Defaults (bei fehlendem Schlüss
 | Feld | Gilt für | Typ | Pflicht | Default | Bedeutung |
 |---|---|---|---|---|---|
-| `[[upstreams]].type` | alle Upstreams | `"direct" \| "socks4" \| "socks5"` | ja | n/a | Upstream-Transporttyp. |
+| `[[upstreams]].type` | alle Upstreams | `"direct" \| "socks4" \| "socks5" \| "shadowsocks"` | ja | n/a | Upstream-Transporttyp. |
 | `[[upstreams]].weight` | alle Upstreams | `u16` | nein | `1` | Basisgewicht für weighted-random Auswahl. |
 | `[[upstreams]].enabled` | alle Upstreams | `bool` | nein | `true` | Deaktivierte Einträge werden beim Start ignoriert. |
 | `[[upstreams]].scopes` | alle Upstreams | `String` | nein | `""` | Komma-separierte Scope-Tags für Request-Routing. |
@@ -95,6 +95,8 @@ Die unten angegebenen `Default`-Werte sind Code-Defaults (bei fehlendem Schlüss
 | `interface` | `socks5` | `Option<String>` | nein | `null` | Wird nur genutzt, wenn `address` als `ip:port` angegeben ist. |
 | `username` | `socks5` | `Option<String>` | nein | `null` | SOCKS5 Benutzername. |
 | `password` | `socks5` | `Option<String>` | nein | `null` | SOCKS5 Passwort. |
 | `url` | `shadowsocks` | `String` | ja | n/a | Shadowsocks-SIP002-URL (`ss://...`). In Runtime-APIs wird nur `host:port` offengelegt. |
 | `interface` | `shadowsocks` | `Option<String>` | nein | `null` | Optionales ausgehendes Bind-Interface oder lokale Literal-IP. |
 ### Runtime-Regeln (wichtig)
@@ -115,6 +117,7 @@ Die unten angegebenen `Default`-Werte sind Code-Defaults (bei fehlendem Schlüss
 8. Im ME-Modus wird der gewählte Upstream auch für den ME-TCP-Dial-Pfad verwendet.
 9. Im ME-Modus ist bei `direct` mit bind/interface die STUN-Reflection bind-aware für KDF-Adressmaterial.
 10. Im ME-Modus werden bei SOCKS-Upstream `BND.ADDR/BND.PORT` für KDF verwendet, wenn gültig/öffentlich und gleiche IP-Familie.
 11. `shadowsocks`-Upstreams erfordern `general.use_middle_proxy = false`. Mit aktiviertem ME-Modus schlägt das Laden der Config sofort fehl.
 ## Upstream-Konfigurationsbeispiele
@@ -150,7 +153,20 @@ weight = 2
 enabled = true
 ```
-### Beispiel 4: Gemischte Upstreams mit Scopes
+### Beispiel 4: Shadowsocks-Upstream
 ```toml
 [general]
 use_middle_proxy = false
 [[upstreams]]
 type = "shadowsocks"
 url = "ss://2022-blake3-aes-256-gcm:BASE64_KEY@198.51.100.50:8388"
 weight = 2
 enabled = true
 ```
 ### Beispiel 5: Gemischte Upstreams mit Scopes
 ```toml
 [[upstreams]]
--- a/docs/TUNING.en.md
+++ b/docs/TUNING.en.md
@@ -82,7 +82,7 @@ Defaults below are code defaults (used when a key is omitted), not necessarily v
 | Field | Applies to | Type | Required | Default | Meaning |
 |---|---|---|---|---|---|
-| `[[upstreams]].type` | all upstreams | `"direct" \| "socks4" \| "socks5"` | yes | n/a | Upstream transport type. |
+| `[[upstreams]].type` | all upstreams | `"direct" \| "socks4" \| "socks5" \| "shadowsocks"` | yes | n/a | Upstream transport type. |
 | `[[upstreams]].weight` | all upstreams | `u16` | no | `1` | Base weight for weighted-random selection. |
 | `[[upstreams]].enabled` | all upstreams | `bool` | no | `true` | Disabled entries are ignored at startup. |
 | `[[upstreams]].scopes` | all upstreams | `String` | no | `""` | Comma-separated scope tags for request-level routing. |
@@ -95,6 +95,8 @@ Defaults below are code defaults (used when a key is omitted), not necessarily v
 | `interface` | `socks5` | `Option<String>` | no | `null` | Used only for SOCKS server `ip:port` dial path. |
 | `username` | `socks5` | `Option<String>` | no | `null` | SOCKS5 username auth. |
 | `password` | `socks5` | `Option<String>` | no | `null` | SOCKS5 password auth. |
 | `url` | `shadowsocks` | `String` | yes | n/a | Shadowsocks SIP002 URL (`ss://...`). Only `host:port` is exposed in runtime APIs. |
 | `interface` | `shadowsocks` | `Option<String>` | no | `null` | Optional outgoing bind interface or literal local IP. |
 ### Runtime rules (important)
@@ -115,6 +117,7 @@ Defaults below are code defaults (used when a key is omitted), not necessarily v
 8. In ME mode, the selected upstream is also used for ME TCP dial path.
 9. In ME mode for `direct` upstream with bind/interface, STUN reflection logic is bind-aware for KDF source material.
 10. In ME mode for SOCKS upstream, SOCKS `BND.ADDR/BND.PORT` is used for KDF when it is valid/public for the same family.
 11. `shadowsocks` upstreams require `general.use_middle_proxy = false`. Config load fails fast if ME mode is enabled.
 ## Upstream Configuration Examples
@@ -150,7 +153,20 @@ weight = 2
 enabled = true
 ```
-### Example 4: Mixed upstreams with scopes
+### Example 4: Shadowsocks upstream
 ```toml
 [general]
 use_middle_proxy = false
 [[upstreams]]
 type = "shadowsocks"
 url = "ss://2022-blake3-aes-256-gcm:BASE64_KEY@198.51.100.50:8388"
 weight = 2
 enabled = true
 ```
 ### Example 5: Mixed upstreams with scopes
 ```toml
 [[upstreams]]
--- a/docs/TUNING.ru.md
+++ b/docs/TUNING.ru.md
@@ -82,7 +82,7 @@
 | Поле | Применимость | Тип | Обязательно | Default | Назначение |
 |---|---|---|---|---|---|
-| `[[upstreams]].type` | все upstream | `"direct" \| "socks4" \| "socks5"` | да | n/a | Тип upstream транспорта. |
+| `[[upstreams]].type` | все upstream | `"direct" \| "socks4" \| "socks5" \| "shadowsocks"` | да | n/a | Тип upstream транспорта. |
 | `[[upstreams]].weight` | все upstream | `u16` | нет | `1` | Базовый вес в weighted-random выборе. |
 | `[[upstreams]].enabled` | все upstream | `bool` | нет | `true` | Выключенные записи игнорируются на старте. |
 | `[[upstreams]].scopes` | все upstream | `String` | нет | `""` | Список scope-токенов через запятую для маршрутизации. |
@@ -95,6 +95,8 @@
 | `interface` | `socks5` | `Option<String>` | нет | `null` | Используется только если `address` задан как `ip:port`. |
 | `username` | `socks5` | `Option<String>` | нет | `null` | Логин SOCKS5 auth. |
 | `password` | `socks5` | `Option<String>` | нет | `null` | Пароль SOCKS5 auth. |
 | `url` | `shadowsocks` | `String` | да | n/a | Shadowsocks SIP002 URL (`ss://...`). В runtime API раскрывается только `host:port`. |
 | `interface` | `shadowsocks` | `Option<String>` | нет | `null` | Необязательный исходящий bind-интерфейс или literal локальный IP. |
 ### Runtime-правила
@@ -115,6 +117,7 @@
 8. В ME-режиме выбранный upstream также используется для ME TCP dial path.
 9. В ME-режиме для `direct` upstream с bind/interface STUN-рефлексия выполняется bind-aware для KDF материала.
 10. В ME-режиме для SOCKS upstream используются `BND.ADDR/BND.PORT` для KDF, если адрес валиден/публичен и соответствует IP family.
 11. `shadowsocks` upstream требует `general.use_middle_proxy = false`. При включенном ME-режиме конфиг отклоняется при загрузке.
 ## Примеры конфигурации Upstreams
@@ -150,7 +153,20 @@ weight = 2
 enabled = true
 ```
-### Пример 4: смешанные upstream с scopes
+### Пример 4: Shadowsocks upstream
 ```toml
 [general]
 use_middle_proxy = false
 [[upstreams]]
 type = "shadowsocks"
 url = "ss://2022-blake3-aes-256-gcm:BASE64_KEY@198.51.100.50:8388"
 weight = 2
 enabled = true
 ```
 ### Пример 5: смешанные upstream с scopes
 ```toml
 [[upstreams]]
--- a/install.sh
+++ b/install.sh
@@ -1,115 +1,525 @@
 #!/bin/sh
 set -eu
 # --- Global Configurations ---
 REPO="${REPO:-telemt/telemt}"
 BIN_NAME="${BIN_NAME:-telemt}"
-VERSION="${1:-${VERSION:-latest}}"
+INSTALL_DIR="${INSTALL_DIR:-/bin}"
-INSTALL_DIR="${INSTALL_DIR:-/usr/local/bin}"
+CONFIG_DIR="${CONFIG_DIR:-/etc/telemt}"
 CONFIG_FILE="${CONFIG_FILE:-${CONFIG_DIR}/telemt.toml}"
 WORK_DIR="${WORK_DIR:-/opt/telemt}"
 SERVICE_NAME="telemt"
 TEMP_DIR=""
 SUDO=""
-say() {
+# --- Argument Parsing ---
-    printf '%s\n' "$*"
+ACTION="install"
-}
+TARGET_VERSION="${VERSION:-latest}"
-die() {
+while [ $# -gt 0 ]; do
-    printf 'Error: %s\n' "$*" >&2
+    case "$1" in
-    exit 1
+        -h|--help)
-}
+            ACTION="help"
-
+            shift
-need_cmd() {
+            ;;
-    command -v "$1" >/dev/null 2>&1 || die "required command not found: $1"
+        uninstall|--uninstall)
-}
+            [ "$ACTION" != "purge" ] && ACTION="uninstall"
-
+            shift
-detect_os() {
+            ;;
-    os="$(uname -s)"
+        --purge)
-    case "$os" in
+            ACTION="purge"
-        Linux) printf 'linux\n' ;;
+            shift
-        OpenBSD) printf 'openbsd\n' ;;
+            ;;
-        *) printf '%s\n' "$os" ;;
+        install|--install)
            ACTION="install"
            shift
            ;;
        -*)
            printf '[ERROR] Unknown option: %s\n' "$1" >&2
            exit 1
            ;;
        *)
            if [ "$ACTION" = "install" ]; then
                TARGET_VERSION="$1"
            fi
            shift
            ;;
    esac
 done
 # --- Core Functions ---
 say() { printf '[INFO] %s\n' "$*"; }
 die() { printf '[ERROR] %s\n' "$*" >&2; exit 1; }
 cleanup() {
    if [ -n "${TEMP_DIR:-}" ] && [ -d "$TEMP_DIR" ]; then
        rm -rf -- "$TEMP_DIR"
    fi
 }
 trap cleanup EXIT INT TERM
 show_help() {
    say "Usage: $0 [version | install | uninstall | --purge | --help]"
    say "  version      Install specific version (e.g. 1.0.0, default: latest)"
    say "  uninstall    Remove the binary and service (keeps config)"
    say "  --purge      Remove everything including configuration"
    exit 0
 }
 user_exists() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" >/dev/null 2>&1
    else
        grep -q "^${1}:" /etc/passwd 2>/dev/null
    fi
 }
 group_exists() {
    if command -v getent >/dev/null 2>&1; then
        getent group "$1" >/dev/null 2>&1
    else
        grep -q "^${1}:" /etc/group 2>/dev/null
    fi
 }
 verify_common() {
    [ -z "$BIN_NAME" ] && die "BIN_NAME cannot be empty."
    [ -z "$INSTALL_DIR" ] && die "INSTALL_DIR cannot be empty."
    [ -z "$CONFIG_DIR" ] && die "CONFIG_DIR cannot be empty."
    if [ "$(id -u)" -eq 0 ]; then
        SUDO=""
    else
        if ! command -v sudo >/dev/null 2>&1; then
            die "This script requires root or sudo. Neither found."
        fi
        SUDO="sudo"
        say "sudo is available. Caching credentials..."
        if ! sudo -v; then
            die "Failed to cache sudo credentials"
        fi
    fi
    case "${INSTALL_DIR}${CONFIG_DIR}${WORK_DIR}" in
        *[!a-zA-Z0-9_./-]*)
            die "Invalid characters in path variables. Only alphanumeric, _, ., -, and / are allowed."
            ;;
    esac
    case "$BIN_NAME" in
        *[!a-zA-Z0-9_-]*) die "Invalid characters in BIN_NAME: $BIN_NAME" ;;
    esac
    for path in "$CONFIG_DIR" "$WORK_DIR"; do
        check_path="$path"
        while [ "$check_path" != "/" ] && [ "${check_path%"/"}" != "$check_path" ]; do
            check_path="${check_path%"/"}"
        done
        [ -z "$check_path" ] && check_path="/"
        case "$check_path" in
            /|/bin|/sbin|/usr|/usr/bin|/usr/local|/etc|/opt|/var|/home|/root|/tmp)
                die "Safety check failed: '$path' is a critical system directory."
                ;;
        esac
    done
    for cmd in uname grep find rm chown chmod mv head mktemp; do
        command -v "$cmd" >/dev/null 2>&1 || die "Required command not found: $cmd"
    done
 }
 verify_install_deps() {
    if ! command -v curl >/dev/null 2>&1 && ! command -v wget >/dev/null 2>&1; then
        die "Neither curl nor wget is installed."
    fi
    command -v tar >/dev/null 2>&1 || die "Required command not found: tar"
    command -v gzip >/dev/null 2>&1 || die "Required command not found: gzip"
    command -v cp >/dev/null 2>&1 || command -v install >/dev/null 2>&1 || die "Need cp or install"
    if ! command -v setcap >/dev/null 2>&1; then
        say "setcap is missing. Installing required capability tools..."
        if command -v apk >/dev/null 2>&1; then
            $SUDO apk add --no-cache libcap || die "Failed to install libcap"
        elif command -v apt-get >/dev/null 2>&1; then
            $SUDO apt-get update -qq && $SUDO apt-get install -y -qq libcap2-bin || die "Failed to install libcap2-bin"
        elif command -v dnf >/dev/null 2>&1 || command -v yum >/dev/null 2>&1; then
            $SUDO ${YUM_CMD:-yum} install -y -q libcap || die "Failed to install libcap"
        else
            die "Cannot install 'setcap'. Package manager not found. Please install libcap manually."
        fi
    fi
 }
 detect_arch() {
-    arch="$(uname -m)"
+    sys_arch="$(uname -m)"
-    case "$arch" in
+    case "$sys_arch" in
-        x86_64|amd64) printf 'x86_64\n' ;;
+        x86_64|amd64) echo "x86_64" ;;
-        aarch64|arm64) printf 'aarch64\n' ;;
+        aarch64|arm64) echo "aarch64" ;;
-        *) die "unsupported architecture: $arch" ;;
+        *) die "Unsupported architecture: $sys_arch" ;;
    esac
 }
 detect_libc() {
-    case "$(ldd --version 2>&1 || true)" in
+    if command -v ldd >/dev/null 2>&1 && ldd --version 2>&1 | grep -qi musl; then
-        *musl*) printf 'musl\n' ;;
+        echo "musl"; return 0
-        *) printf 'gnu\n' ;;
+    fi
-    esac
+
    if grep -q '^ID=alpine' /etc/os-release 2>/dev/null || grep -q '^ID="alpine"' /etc/os-release 2>/dev/null; then
        echo "musl"; return 0
    fi
    for f in /lib/ld-musl-*.so.* /lib64/ld-musl-*.so.*; do
        if [ -e "$f" ]; then
            echo "musl"; return 0
        fi
    done
    echo "gnu"
 }
-fetch_to_stdout() {
+fetch_file() {
-    url="$1"
+    fetch_url="$1"
    fetch_out="$2"
    if command -v curl >/dev/null 2>&1; then
-        curl -fsSL "$url"
+        curl -fsSL "$fetch_url" -o "$fetch_out" || return 1
    elif command -v wget >/dev/null 2>&1; then
-        wget -qO- "$url"
+        wget -qO "$fetch_out" "$fetch_url" || return 1
    else
-        die "neither curl nor wget is installed"
+        die "curl or wget required"
    fi
 }
 ensure_user_group() {
    nologin_bin="/bin/false"
    cmd_nologin="$(command -v nologin 2>/dev/null || true)"
    if [ -n "$cmd_nologin" ] && [ -x "$cmd_nologin" ]; then
        nologin_bin="$cmd_nologin"
    else
        for bin in /sbin/nologin /usr/sbin/nologin; do
            if [ -x "$bin" ]; then
                nologin_bin="$bin"
                break
            fi
        done
    fi
    if ! group_exists telemt; then
        if command -v groupadd >/dev/null 2>&1; then
            $SUDO groupadd -r telemt || die "Failed to create group via groupadd"
        elif command -v addgroup >/dev/null 2>&1; then
            $SUDO addgroup -S telemt || die "Failed to create group via addgroup"
        else
            die "Cannot create group: neither groupadd nor addgroup found"
        fi
    fi
    if ! user_exists telemt; then
        if command -v useradd >/dev/null 2>&1; then
            $SUDO useradd -r -g telemt -d "$WORK_DIR" -s "$nologin_bin" -c "Telemt Proxy" telemt || die "Failed to create user via useradd"
        elif command -v adduser >/dev/null 2>&1; then
            $SUDO adduser -S -D -H -h "$WORK_DIR" -s "$nologin_bin" -G telemt telemt || die "Failed to create user via adduser"
        else
            die "Cannot create user: neither useradd nor adduser found"
        fi
    fi
 }
 setup_dirs() {
    say "Setting up directories..."
    $SUDO mkdir -p "$WORK_DIR" "$CONFIG_DIR" || die "Failed to create directories"
    $SUDO chown telemt:telemt "$WORK_DIR" || die "Failed to set owner on WORK_DIR"
    $SUDO chmod 750 "$WORK_DIR" || die "Failed to set permissions on WORK_DIR"
 }
 stop_service() {
    say "Stopping service if running..."
    if command -v systemctl >/dev/null 2>&1 && [ -d /run/systemd/system ]; then
        $SUDO systemctl stop "$SERVICE_NAME" 2>/dev/null || true
    elif command -v rc-service >/dev/null 2>&1; then
        $SUDO rc-service "$SERVICE_NAME" stop 2>/dev/null || true
    fi
 }
 install_binary() {
-    src="$1"
+    bin_src="$1"
-    dst="$2"
+    bin_dst="$2"
-    if [ -w "$INSTALL_DIR" ] || { [ ! -e "$INSTALL_DIR" ] && [ -w "$(dirname "$INSTALL_DIR")" ]; }; then
+    $SUDO mkdir -p "$INSTALL_DIR" || die "Failed to create install directory"
-        mkdir -p "$INSTALL_DIR"
+    if command -v install >/dev/null 2>&1; then
-        install -m 0755 "$src" "$dst"
+        $SUDO install -m 0755 "$bin_src" "$bin_dst" || die "Failed to install binary"
    elif command -v sudo >/dev/null 2>&1; then
        sudo mkdir -p "$INSTALL_DIR"
        sudo install -m 0755 "$src" "$dst"
    else
-        die "cannot write to $INSTALL_DIR and sudo is not available"
+        $SUDO rm -f "$bin_dst"
        $SUDO cp "$bin_src" "$bin_dst" || die "Failed to copy binary"
        $SUDO chmod 0755 "$bin_dst" || die "Failed to set permissions"
    fi
    if [ ! -x "$bin_dst" ]; then
        die "Failed to install binary or it is not executable: $bin_dst"
    fi
    say "Granting network bind capabilities to bind port 443..."
    if ! $SUDO setcap cap_net_bind_service=+ep "$bin_dst" 2>/dev/null; then
        say "[WARNING] Failed to apply setcap. The service will NOT be able to open port 443!"
        say "[WARNING] This usually happens inside unprivileged Docker/LXC containers."
    fi
 }
-need_cmd uname
+generate_secret() {
-need_cmd tar
+    if command -v openssl >/dev/null 2>&1; then
-need_cmd mktemp
+        secret="$(openssl rand -hex 16 2>/dev/null)" && [ -n "$secret" ] && { echo "$secret"; return 0; }
-need_cmd grep
+    fi
-need_cmd install
+    if command -v xxd >/dev/null 2>&1; then
        secret="$(dd if=/dev/urandom bs=1 count=16 2>/dev/null | xxd -p | tr -d '\n')" && [ -n "$secret" ] && { echo "$secret"; return 0; }
    fi
    secret="$(dd if=/dev/urandom bs=1 count=16 2>/dev/null | od -An -tx1 | tr -d ' \n')" && [ -n "$secret" ] && { echo "$secret"; return 0; }
    return 1
 }
-ARCH="$(detect_arch)"
+generate_config_content() {
-OS="$(detect_os)"
+    cat <<EOF
 [general]
 use_middle_proxy = false
-if [ "$OS" != "linux" ]; then
+[general.modes]
-    case "$OS" in
+classic = false
-        openbsd)
+secure = false
-            die "install.sh installs only Linux release artifacts. On OpenBSD, build from source (see docs/OPENBSD.en.md)."
+tls = true
            ;;
        *)
            die "unsupported operating system for install.sh: $OS"
            ;;
    esac
 fi
-LIBC="$(detect_libc)"
+[server]
 port = 443
-case "$VERSION" in
+[server.api]
-    latest)
+enabled = true
-        URL="https://github.com/$REPO/releases/latest/download/${BIN_NAME}-${ARCH}-linux-${LIBC}.tar.gz"
+listen = "127.0.0.1:9091"
 whitelist = ["127.0.0.1/32"]
 [censorship]
 tls_domain = "petrovich.ru"
 [access.users]
 hello = "$1"
 EOF
 }
 install_config() {
    config_exists=0
    if [ -n "$SUDO" ]; then
        $SUDO sh -c "[ -f '$CONFIG_FILE' ]" 2>/dev/null && config_exists=1 || true
    else
        [ -f "$CONFIG_FILE" ] && config_exists=1 || true
    fi
    if [ "$config_exists" -eq 1 ]; then
        say "Config already exists, skipping generation."
        return 0
    fi
    toml_secret="$(generate_secret)" || die "Failed to generate secret"
    say "Creating config at $CONFIG_FILE..."
    tmp_conf="$(mktemp "${TEMP_DIR:-/tmp}/telemt_conf.XXXXXX")" || die "Failed to create temp config"
    generate_config_content "$toml_secret" > "$tmp_conf" || die "Failed to write temp config"
    $SUDO mv "$tmp_conf" "$CONFIG_FILE" || die "Failed to install config file"
    $SUDO chown root:telemt "$CONFIG_FILE" || die "Failed to set owner"
    $SUDO chmod 640 "$CONFIG_FILE" || die "Failed to set config permissions"
    say "Secret for user 'hello': $toml_secret"
 }
 generate_systemd_content() {
    cat <<EOF
 [Unit]
 Description=Telemt Proxy Service
 After=network-online.target
 [Service]
 Type=simple
 User=telemt
 Group=telemt
 WorkingDirectory=$WORK_DIR
 ExecStart=${INSTALL_DIR}/${BIN_NAME} ${CONFIG_FILE}
 Restart=on-failure
 LimitNOFILE=65536
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 [Install]
 WantedBy=multi-user.target
 EOF
 }
 generate_openrc_content() {
    cat <<EOF
 #!/sbin/openrc-run
 name="$SERVICE_NAME"
 description="Telemt Proxy Service"
 command="${INSTALL_DIR}/${BIN_NAME}"
 command_args="${CONFIG_FILE}"
 command_background=true
 command_user="telemt:telemt"
 pidfile="/run/\${RC_SVCNAME}.pid"
 directory="${WORK_DIR}"
 rc_ulimit="-n 65536"
 depend() { need net; use logger; }
 EOF
 }
 install_service() {
    if command -v systemctl >/dev/null 2>&1 && [ -d /run/systemd/system ]; then
        say "Installing systemd service..."
        tmp_svc="$(mktemp "${TEMP_DIR:-/tmp}/${SERVICE_NAME}.service.XXXXXX")" || die "Failed to create temp service"
        generate_systemd_content > "$tmp_svc" || die "Failed to generate service content"
        $SUDO mv "$tmp_svc" "/etc/systemd/system/${SERVICE_NAME}.service" || die "Failed to move service file"
        $SUDO chown root:root "/etc/systemd/system/${SERVICE_NAME}.service"
        $SUDO chmod 644 "/etc/systemd/system/${SERVICE_NAME}.service"
        $SUDO systemctl daemon-reload || die "Failed to reload systemd"
        $SUDO systemctl enable "$SERVICE_NAME" || die "Failed to enable service"
        $SUDO systemctl start "$SERVICE_NAME" || die "Failed to start service"
    elif command -v rc-update >/dev/null 2>&1; then
        say "Installing OpenRC service..."
        tmp_svc="$(mktemp "${TEMP_DIR:-/tmp}/${SERVICE_NAME}.init.XXXXXX")" || die "Failed to create temp file"
        generate_openrc_content > "$tmp_svc" || die "Failed to generate init content"
        $SUDO mv "$tmp_svc" "/etc/init.d/${SERVICE_NAME}" || die "Failed to move service file"
        $SUDO chown root:root "/etc/init.d/${SERVICE_NAME}"
        $SUDO chmod 0755 "/etc/init.d/${SERVICE_NAME}"
        $SUDO rc-update add "$SERVICE_NAME" default 2>/dev/null || die "Failed to register service"
        $SUDO rc-service "$SERVICE_NAME" start 2>/dev/null || die "Failed to start OpenRC service"
    else
        say "No service manager found. You can start it manually with:"
        if [ -n "$SUDO" ]; then
            say "  sudo -u telemt ${INSTALL_DIR}/${BIN_NAME} ${CONFIG_FILE}"
        else
            say "  su -s /bin/sh telemt -c '${INSTALL_DIR}/${BIN_NAME} ${CONFIG_FILE}'"
        fi
    fi
 }
 kill_user_procs() {
    say "Ensuring $BIN_NAME processes are killed..."
    if pkill_cmd="$(command -v pkill 2>/dev/null)"; then
        $SUDO "$pkill_cmd" -u telemt "$BIN_NAME" 2>/dev/null || true
        sleep 1
        $SUDO "$pkill_cmd" -9 -u telemt "$BIN_NAME" 2>/dev/null || true
    elif killall_cmd="$(command -v killall 2>/dev/null)"; then
        $SUDO "$killall_cmd" "$BIN_NAME" 2>/dev/null || true
        sleep 1
        $SUDO "$killall_cmd" -9 "$BIN_NAME" 2>/dev/null || true
    fi
 }
 uninstall() {
    purge_data=0
    [ "$ACTION" = "purge" ] && purge_data=1
    say "Uninstalling $BIN_NAME..."
    stop_service
    if command -v systemctl >/dev/null 2>&1 && [ -d /run/systemd/system ]; then
        $SUDO systemctl disable "$SERVICE_NAME" 2>/dev/null || true
        $SUDO rm -f "/etc/systemd/system/${SERVICE_NAME}.service"
        $SUDO systemctl daemon-reload || true
    elif command -v rc-update >/dev/null 2>&1; then
        $SUDO rc-update del "$SERVICE_NAME" 2>/dev/null || true
        $SUDO rm -f "/etc/init.d/${SERVICE_NAME}"
    fi
    kill_user_procs
    $SUDO rm -f "${INSTALL_DIR}/${BIN_NAME}"
    $SUDO userdel telemt 2>/dev/null || $SUDO deluser telemt 2>/dev/null || true
    $SUDO groupdel telemt 2>/dev/null || $SUDO delgroup telemt 2>/dev/null || true
    if [ "$purge_data" -eq 1 ]; then
        say "Purging configuration and data..."
        $SUDO rm -rf "$CONFIG_DIR" "$WORK_DIR"
    else
        say "Note: Configuration in $CONFIG_DIR was kept. Run with '--purge' to remove it."
    fi
    say "Uninstallation complete."
    exit 0
 }
 # ============================================================================
 # Main Entry Point
 # ============================================================================
 case "$ACTION" in
    help)
        show_help
        ;;
-    *)
+    uninstall|purge)
-        URL="https://github.com/$REPO/releases/download/${VERSION}/${BIN_NAME}-${ARCH}-linux-${LIBC}.tar.gz"
+        verify_common
        uninstall
        ;;
    install)
        say "Starting installation..."
        verify_common
        verify_install_deps
        ARCH="$(detect_arch)"
        LIBC="$(detect_libc)"
        say "Detected system: $ARCH-linux-$LIBC"
        FILE_NAME="${BIN_NAME}-${ARCH}-linux-${LIBC}.tar.gz"
        FILE_NAME="$(printf '%s' "$FILE_NAME" | tr -d ' \t\n\r')"
        if [ "$TARGET_VERSION" = "latest" ]; then
            DL_URL="https://github.com/${REPO}/releases/latest/download/${FILE_NAME}"
        else
            DL_URL="https://github.com/${REPO}/releases/download/${TARGET_VERSION}/${FILE_NAME}"
        fi
        TEMP_DIR="$(mktemp -d)" || die "Failed to create temp directory"
        if [ -z "$TEMP_DIR" ] || [ ! -d "$TEMP_DIR" ]; then
            die "Temp directory creation failed"
        fi
        say "Downloading from $DL_URL..."
        fetch_file "$DL_URL" "${TEMP_DIR}/archive.tar.gz" || die "Download failed (check version or network)"
        gzip -dc "${TEMP_DIR}/archive.tar.gz" | tar -xf - -C "$TEMP_DIR" || die "Extraction failed"
        EXTRACTED_BIN="$(find "$TEMP_DIR" -type f -name "$BIN_NAME" -print 2>/dev/null | head -n 1)"
        [ -z "$EXTRACTED_BIN" ] && die "Binary '$BIN_NAME' not found in archive"
        ensure_user_group
        setup_dirs
        stop_service
        say "Installing binary..."
        install_binary "$EXTRACTED_BIN" "${INSTALL_DIR}/${BIN_NAME}"
        install_config
        install_service
        say ""
        say "============================================="
        say "Installation complete!"
        say "============================================="
        if command -v systemctl >/dev/null 2>&1 && [ -d /run/systemd/system ]; then
            say "To check the logs, run:"
            say "  journalctl -u $SERVICE_NAME -f"
            say ""
        fi
        say "To get user connection links, run:"
        if command -v jq >/dev/null 2>&1; then
            say "  curl -s http://127.0.0.1:9091/v1/users | jq -r '.data[] | \"User: \\(.username)\\n\\(.links.tls[0] // empty)\"'"
        else
            say "  curl -s http://127.0.0.1:9091/v1/users"
            say "  (Note: Install 'jq' package to see the links nicely formatted)"
        fi
        ;;
 esac
 TMPDIR="$(mktemp -d)"
 trap 'rm -rf "$TMPDIR"' EXIT INT TERM
 say "Installing $BIN_NAME ($VERSION) for $ARCH-linux-$LIBC..."
 fetch_to_stdout "$URL" | tar -xzf - -C "$TMPDIR"
 [ -f "$TMPDIR/$BIN_NAME" ] || die "archive did not contain $BIN_NAME"
 install_binary "$TMPDIR/$BIN_NAME" "$INSTALL_DIR/$BIN_NAME"
 say "Installed: $INSTALL_DIR/$BIN_NAME"
 "$INSTALL_DIR/$BIN_NAME" --version 2>/dev/null || true
--- a/src/api/model.rs
+++ b/src/api/model.rs
@@ -134,6 +134,7 @@ pub(super) struct UpstreamSummaryData {
    pub(super) direct_total: usize,
    pub(super) socks4_total: usize,
    pub(super) socks5_total: usize,
    pub(super) shadowsocks_total: usize,
 }
 #[derive(Serialize, Clone)]
--- a/src/api/runtime_min.rs
+++ b/src/api/runtime_min.rs
@@ -159,6 +159,7 @@ pub(super) struct RuntimeUpstreamQualitySummaryData {
    pub(super) direct_total: usize,
    pub(super) socks4_total: usize,
    pub(super) socks5_total: usize,
    pub(super) shadowsocks_total: usize,
 }
 #[derive(Serialize)]
@@ -406,7 +407,9 @@ pub(super) async fn build_runtime_upstream_quality_data(
        connect_attempt_total: shared.stats.get_upstream_connect_attempt_total(),
        connect_success_total: shared.stats.get_upstream_connect_success_total(),
        connect_fail_total: shared.stats.get_upstream_connect_fail_total(),
-        connect_failfast_hard_error_total: shared.stats.get_upstream_connect_failfast_hard_error_total(),
+        connect_failfast_hard_error_total: shared
            .stats
            .get_upstream_connect_failfast_hard_error_total(),
    };
    let Some(snapshot) = shared.upstream_manager.try_api_snapshot() else {
@@ -446,6 +449,7 @@ pub(super) async fn build_runtime_upstream_quality_data(
            direct_total: snapshot.summary.direct_total,
            socks4_total: snapshot.summary.socks4_total,
            socks5_total: snapshot.summary.socks5_total,
            shadowsocks_total: snapshot.summary.shadowsocks_total,
        }),
        upstreams: Some(
            snapshot
@@ -457,6 +461,7 @@ pub(super) async fn build_runtime_upstream_quality_data(
                        crate::transport::UpstreamRouteKind::Direct => "direct",
                        crate::transport::UpstreamRouteKind::Socks4 => "socks4",
                        crate::transport::UpstreamRouteKind::Socks5 => "socks5",
                        crate::transport::UpstreamRouteKind::Shadowsocks => "shadowsocks",
                    },
                    address: upstream.address,
                    weight: upstream.weight,
@@ -476,7 +481,9 @@ pub(super) async fn build_runtime_upstream_quality_data(
                                crate::transport::upstream::IpPreference::PreferV6 => "prefer_v6",
                                crate::transport::upstream::IpPreference::PreferV4 => "prefer_v4",
                                crate::transport::upstream::IpPreference::BothWork => "both_work",
-                                crate::transport::upstream::IpPreference::Unavailable => "unavailable",
+                                crate::transport::upstream::IpPreference::Unavailable => {
                                    "unavailable"
                                }
                            },
                        })
                        .collect(),
@@ -514,14 +521,18 @@ pub(super) async fn build_runtime_nat_stun_data(shared: &ApiShared) -> RuntimeNa
                live_total: snapshot.live_servers.len(),
            },
            reflection: RuntimeNatStunReflectionBlockData {
-                v4: snapshot.reflection_v4.map(|entry| RuntimeNatStunReflectionData {
+                v4: snapshot
-                    addr: entry.addr.to_string(),
+                    .reflection_v4
-                    age_secs: entry.age_secs,
+                    .map(|entry| RuntimeNatStunReflectionData {
-                }),
+                        addr: entry.addr.to_string(),
-                v6: snapshot.reflection_v6.map(|entry| RuntimeNatStunReflectionData {
+                        age_secs: entry.age_secs,
-                    addr: entry.addr.to_string(),
+                    }),
-                    age_secs: entry.age_secs,
+                v6: snapshot
-                }),
+                    .reflection_v6
                    .map(|entry| RuntimeNatStunReflectionData {
                        addr: entry.addr.to_string(),
                        age_secs: entry.age_secs,
                    }),
            },
            stun_backoff_remaining_ms: snapshot.stun_backoff_remaining_ms,
        }),
--- a/src/api/runtime_selftest.rs
+++ b/src/api/runtime_selftest.rs
@@ -1,5 +1,5 @@
 use std::net::IpAddr;
 use std::collections::HashMap;
 use std::net::IpAddr;
 use std::sync::{Mutex, OnceLock};
 use std::time::{SystemTime, UNIX_EPOCH};
@@ -7,8 +7,8 @@ use serde::Serialize;
 use crate::config::{ProxyConfig, UpstreamType};
 use crate::network::probe::{detect_interface_ipv4, detect_interface_ipv6, is_bogon};
 use crate::transport::middle_proxy::{bnd_snapshot, timeskew_snapshot, upstream_bnd_snapshots};
 use crate::transport::UpstreamRouteKind;
 use crate::transport::middle_proxy::{bnd_snapshot, timeskew_snapshot, upstream_bnd_snapshots};
 use super::ApiShared;
@@ -262,8 +262,8 @@ fn update_kdf_ewma(now_epoch_secs: u64, total_errors: u64) -> f64 {
    let delta_errors = total_errors.saturating_sub(guard.last_total_errors);
    let instant_rate_per_min = (delta_errors as f64) * 60.0 / (dt_secs as f64);
    let alpha = 1.0 - f64::exp(-(dt_secs as f64) / KDF_EWMA_TAU_SECS);
-    guard.ewma_errors_per_min = guard.ewma_errors_per_min
+    guard.ewma_errors_per_min =
-        + alpha * (instant_rate_per_min - guard.ewma_errors_per_min);
+        guard.ewma_errors_per_min + alpha * (instant_rate_per_min - guard.ewma_errors_per_min);
    guard.last_epoch_secs = now_epoch_secs;
    guard.last_total_errors = total_errors;
    guard.ewma_errors_per_min
@@ -284,6 +284,7 @@ fn map_route_kind(value: UpstreamRouteKind) -> &'static str {
        UpstreamRouteKind::Direct => "direct",
        UpstreamRouteKind::Socks4 => "socks4",
        UpstreamRouteKind::Socks5 => "socks5",
        UpstreamRouteKind::Shadowsocks => "shadowsocks",
    }
 }
--- a/src/api/runtime_stats.rs
+++ b/src/api/runtime_stats.rs
@@ -2,8 +2,8 @@ use std::time::{Duration, Instant, SystemTime, UNIX_EPOCH};
 use crate::config::ApiConfig;
 use crate::stats::Stats;
 use crate::transport::upstream::IpPreference;
 use crate::transport::UpstreamRouteKind;
 use crate::transport::upstream::IpPreference;
 use super::ApiShared;
 use super::model::{
@@ -138,7 +138,8 @@ fn build_zero_upstream_data(stats: &Stats) -> ZeroUpstreamData {
            .get_upstream_connect_duration_success_bucket_501_1000ms(),
        connect_duration_success_bucket_gt_1000ms: stats
            .get_upstream_connect_duration_success_bucket_gt_1000ms(),
-        connect_duration_fail_bucket_le_100ms: stats.get_upstream_connect_duration_fail_bucket_le_100ms(),
+        connect_duration_fail_bucket_le_100ms: stats
            .get_upstream_connect_duration_fail_bucket_le_100ms(),
        connect_duration_fail_bucket_101_500ms: stats
            .get_upstream_connect_duration_fail_bucket_101_500ms(),
        connect_duration_fail_bucket_501_1000ms: stats
@@ -180,6 +181,7 @@ pub(super) fn build_upstreams_data(shared: &ApiShared, api_cfg: &ApiConfig) -> U
        direct_total: snapshot.summary.direct_total,
        socks4_total: snapshot.summary.socks4_total,
        socks5_total: snapshot.summary.socks5_total,
        shadowsocks_total: snapshot.summary.shadowsocks_total,
    };
    let upstreams = snapshot
        .upstreams
@@ -395,8 +397,7 @@ async fn get_minimal_payload_cached(
        adaptive_floor_min_writers_multi_endpoint: runtime
            .adaptive_floor_min_writers_multi_endpoint,
        adaptive_floor_recover_grace_secs: runtime.adaptive_floor_recover_grace_secs,
-        adaptive_floor_writers_per_core_total: runtime
+        adaptive_floor_writers_per_core_total: runtime.adaptive_floor_writers_per_core_total,
            .adaptive_floor_writers_per_core_total,
        adaptive_floor_cpu_cores_override: runtime.adaptive_floor_cpu_cores_override,
        adaptive_floor_max_extra_writers_single_per_core: runtime
            .adaptive_floor_max_extra_writers_single_per_core,
@@ -404,12 +405,9 @@ async fn get_minimal_payload_cached(
            .adaptive_floor_max_extra_writers_multi_per_core,
        adaptive_floor_max_active_writers_per_core: runtime
            .adaptive_floor_max_active_writers_per_core,
-        adaptive_floor_max_warm_writers_per_core: runtime
+        adaptive_floor_max_warm_writers_per_core: runtime.adaptive_floor_max_warm_writers_per_core,
-            .adaptive_floor_max_warm_writers_per_core,
+        adaptive_floor_max_active_writers_global: runtime.adaptive_floor_max_active_writers_global,
-        adaptive_floor_max_active_writers_global: runtime
+        adaptive_floor_max_warm_writers_global: runtime.adaptive_floor_max_warm_writers_global,
            .adaptive_floor_max_active_writers_global,
        adaptive_floor_max_warm_writers_global: runtime
            .adaptive_floor_max_warm_writers_global,
        adaptive_floor_cpu_cores_detected: runtime.adaptive_floor_cpu_cores_detected,
        adaptive_floor_cpu_cores_effective: runtime.adaptive_floor_cpu_cores_effective,
        adaptive_floor_global_cap_raw: runtime.adaptive_floor_global_cap_raw,
@@ -527,6 +525,7 @@ fn map_route_kind(value: UpstreamRouteKind) -> &'static str {
        UpstreamRouteKind::Direct => "direct",
        UpstreamRouteKind::Socks4 => "socks4",
        UpstreamRouteKind::Socks5 => "socks5",
        UpstreamRouteKind::Shadowsocks => "shadowsocks",
    }
 }
--- a/src/config/load.rs
+++ b/src/config/load.rs
@@ -6,8 +6,9 @@ use std::net::{IpAddr, SocketAddr};
 use std::path::{Path, PathBuf};
 use rand::Rng;
 use serde::{Deserialize, Serialize};
 use shadowsocks::config::ServerConfig as ShadowsocksServerConfig;
 use tracing::warn;
 use serde::{Serialize, Deserialize};
 use crate::error::{ProxyError, Result};
@@ -122,13 +123,37 @@ fn sanitize_ad_tag(ad_tag: &mut Option<String>) {
    };
    if !is_valid_ad_tag(tag) {
-        warn!(
+        warn!("Invalid general.ad_tag value, expected exactly 32 hex chars; ad_tag is disabled");
            "Invalid general.ad_tag value, expected exactly 32 hex chars; ad_tag is disabled"
        );
        *ad_tag = None;
    }
 }
 fn validate_upstreams(config: &ProxyConfig) -> Result<()> {
    let has_enabled_shadowsocks = config.upstreams.iter().any(|upstream| {
        upstream.enabled && matches!(upstream.upstream_type, UpstreamType::Shadowsocks { .. })
    });
    if has_enabled_shadowsocks && config.general.use_middle_proxy {
        return Err(ProxyError::Config(
            "shadowsocks upstreams require general.use_middle_proxy = false".to_string(),
        ));
    }
    for upstream in &config.upstreams {
        if let UpstreamType::Shadowsocks { url, .. } = &upstream.upstream_type {
            let parsed = ShadowsocksServerConfig::from_url(url)
                .map_err(|error| ProxyError::Config(format!("invalid shadowsocks url: {error}")))?;
            if parsed.plugin().is_some() {
                return Err(ProxyError::Config(
                    "shadowsocks plugins are not supported".to_string(),
                ));
            }
        }
    }
    Ok(())
 }
 // ============= Main Config =============
 #[derive(Debug, Clone, Serialize, Deserialize, Default)]
@@ -180,7 +205,8 @@ impl ProxyConfig {
    pub(crate) fn load_with_metadata<P: AsRef<Path>>(path: P) -> Result<LoadedConfig> {
        let path = path.as_ref();
-        let content = std::fs::read_to_string(path).map_err(|e| ProxyError::Config(e.to_string()))?;
+        let content =
            std::fs::read_to_string(path).map_err(|e| ProxyError::Config(e.to_string()))?;
        let base_dir = path.parent().unwrap_or(Path::new("."));
        let mut source_files = BTreeSet::new();
        source_files.insert(normalize_config_path(path));
@@ -207,15 +233,17 @@ impl ProxyConfig {
            .map(|table| table.contains_key("stun_servers"))
            .unwrap_or(false);
-        let mut config: ProxyConfig =
+        let mut config: ProxyConfig = parsed_toml
-            parsed_toml.try_into().map_err(|e| ProxyError::Config(e.to_string()))?;
+            .try_into()
            .map_err(|e| ProxyError::Config(e.to_string()))?;
        if !update_every_is_explicit && (legacy_secret_is_explicit || legacy_config_is_explicit) {
            config.general.update_every = None;
        }
        let legacy_nat_stun = config.general.middle_proxy_nat_stun.take();
-        let legacy_nat_stun_servers = std::mem::take(&mut config.general.middle_proxy_nat_stun_servers);
+        let legacy_nat_stun_servers =
            std::mem::take(&mut config.general.middle_proxy_nat_stun_servers);
        let legacy_nat_stun_used = legacy_nat_stun.is_some() || !legacy_nat_stun_servers.is_empty();
        if stun_servers_is_explicit {
            let mut explicit_stun_servers = Vec::new();
@@ -225,7 +253,9 @@ impl ProxyConfig {
            config.network.stun_servers = explicit_stun_servers;
            if legacy_nat_stun_used {
-                warn!("general.middle_proxy_nat_stun and general.middle_proxy_nat_stun_servers are ignored because network.stun_servers is explicitly set");
+                warn!(
                    "general.middle_proxy_nat_stun and general.middle_proxy_nat_stun_servers are ignored because network.stun_servers is explicitly set"
                );
            }
        } else {
            // Keep the default STUN pool unless network.stun_servers is explicitly overridden.
@@ -240,7 +270,9 @@ impl ProxyConfig {
            config.network.stun_servers = unified_stun_servers;
            if legacy_nat_stun_used {
-                warn!("general.middle_proxy_nat_stun and general.middle_proxy_nat_stun_servers are deprecated; use network.stun_servers");
+                warn!(
                    "general.middle_proxy_nat_stun and general.middle_proxy_nat_stun_servers are deprecated; use network.stun_servers"
                );
            }
        }
@@ -378,13 +410,15 @@ impl ProxyConfig {
        if !(4096..=1024 * 1024).contains(&config.general.direct_relay_copy_buf_c2s_bytes) {
            return Err(ProxyError::Config(
-                "general.direct_relay_copy_buf_c2s_bytes must be within [4096, 1048576]".to_string(),
+                "general.direct_relay_copy_buf_c2s_bytes must be within [4096, 1048576]"
                    .to_string(),
            ));
        }
        if !(8192..=2 * 1024 * 1024).contains(&config.general.direct_relay_copy_buf_s2c_bytes) {
            return Err(ProxyError::Config(
-                "general.direct_relay_copy_buf_s2c_bytes must be within [8192, 2097152]".to_string(),
+                "general.direct_relay_copy_buf_s2c_bytes must be within [8192, 2097152]"
                    .to_string(),
            ));
        }
@@ -623,7 +657,8 @@ impl ProxyConfig {
        if !(1..=100).contains(&config.general.me_route_backpressure_high_watermark_pct) {
            return Err(ProxyError::Config(
-                "general.me_route_backpressure_high_watermark_pct must be within [1, 100]".to_string(),
+                "general.me_route_backpressure_high_watermark_pct must be within [1, 100]"
                    .to_string(),
            ));
        }
@@ -803,11 +838,15 @@ impl ProxyConfig {
        crate::network::dns_overrides::validate_entries(&config.network.dns_overrides)?;
        if config.general.use_middle_proxy && config.network.ipv6 == Some(true) {
-            warn!("IPv6 with Middle Proxy is experimental and may cause KDF address mismatch; consider disabling IPv6 or ME");
+            warn!(
                "IPv6 with Middle Proxy is experimental and may cause KDF address mismatch; consider disabling IPv6 or ME"
            );
        }
        // Random fake_cert_len only when default is in use.
-        if !config.censorship.tls_emulation && config.censorship.fake_cert_len == default_fake_cert_len() {
+        if !config.censorship.tls_emulation
            && config.censorship.fake_cert_len == default_fake_cert_len()
        {
            config.censorship.fake_cert_len = rand::rng().gen_range(1024..4096);
        }
@@ -817,8 +856,7 @@ impl ProxyConfig {
        let listen_tcp = config.server.listen_tcp.unwrap_or_else(|| {
            if config.server.listen_unix_sock.is_some() {
                // Unix socket present: TCP only if user explicitly set addresses or listeners.
-                config.server.listen_addr_ipv4.is_some()
+                config.server.listen_addr_ipv4.is_some() || !config.server.listeners.is_empty()
                    || !config.server.listeners.is_empty()
            } else {
                true
            }
@@ -826,7 +864,9 @@ impl ProxyConfig {
        // Migration: Populate listeners if empty (skip when listen_tcp = false).
        if config.server.listeners.is_empty() && listen_tcp {
-            let ipv4_str = config.server.listen_addr_ipv4
+            let ipv4_str = config
                .server
                .listen_addr_ipv4
                .as_deref()
                .unwrap_or("0.0.0.0");
            if let Ok(ipv4) = ipv4_str.parse::<IpAddr>() {
@@ -868,7 +908,10 @@ impl ProxyConfig {
        // Migration: Populate upstreams if empty (Default Direct).
        if config.upstreams.is_empty() {
            config.upstreams.push(UpstreamConfig {
-                upstream_type: UpstreamType::Direct { interface: None, bind_addresses: None },
+                upstream_type: UpstreamType::Direct {
                    interface: None,
                    bind_addresses: None,
                },
                weight: 1,
                enabled: true,
                scopes: String::new(),
@@ -882,6 +925,8 @@ impl ProxyConfig {
            .entry("203".to_string())
            .or_insert_with(|| vec!["91.105.192.100:443".to_string()]);
        validate_upstreams(&config)?;
        Ok(LoadedConfig {
            config,
            source_files: source_files.into_iter().collect(),
@@ -928,6 +973,9 @@ impl ProxyConfig {
 mod tests {
    use super::*;
    const TEST_SHADOWSOCKS_URL: &str =
        "ss://2022-blake3-aes-256-gcm:MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDE=@127.0.0.1:8388";
    #[test]
    fn serde_defaults_remain_unchanged_for_present_sections() {
        let toml = r#"
@@ -957,10 +1005,7 @@ mod tests {
            cfg.general.me_init_retry_attempts,
            default_me_init_retry_attempts()
        );
-        assert_eq!(
+        assert_eq!(cfg.general.me2dc_fallback, default_me2dc_fallback());
            cfg.general.me2dc_fallback,
            default_me2dc_fallback()
        );
        assert_eq!(
            cfg.general.proxy_config_v4_cache_path,
            default_proxy_config_v4_cache_path()
@@ -1269,11 +1314,12 @@ mod tests {
        let path = dir.join("telemt_dc_override_test.toml");
        std::fs::write(&path, toml).unwrap();
        let cfg = ProxyConfig::load(&path).unwrap();
-        assert!(cfg
+        assert!(
-            .dc_overrides
+            cfg.dc_overrides
-            .get("203")
+                .get("203")
-            .map(|v| v.contains(&"91.105.192.100:443".to_string()))
+                .map(|v| v.contains(&"91.105.192.100:443".to_string()))
-            .unwrap_or(false));
+                .unwrap_or(false)
        );
        let _ = std::fs::remove_file(path);
    }
@@ -1460,11 +1506,9 @@ mod tests {
        let path = dir.join("telemt_me_adaptive_floor_min_writers_out_of_range_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
-        assert!(
+        assert!(err.contains(
-            err.contains(
+            "general.me_adaptive_floor_min_writers_single_endpoint must be within [1, 32]"
-                "general.me_adaptive_floor_min_writers_single_endpoint must be within [1, 32]"
+        ));
            )
        );
        let _ = std::fs::remove_file(path);
    }
@@ -2050,6 +2094,124 @@ mod tests {
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn shadowsocks_upstream_url_loads_successfully() {
        let toml = format!(
            r#"
            [general]
            use_middle_proxy = false
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
            [[upstreams]]
            type = "shadowsocks"
            url = "{url}"
            interface = "127.0.0.2"
            "#,
            url = TEST_SHADOWSOCKS_URL,
        );
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_shadowsocks_valid_test.toml");
        std::fs::write(&path, toml).unwrap();
        let cfg = ProxyConfig::load(&path).unwrap();
        assert!(matches!(
            &cfg.upstreams[0].upstream_type,
            UpstreamType::Shadowsocks { url, interface }
                if url == TEST_SHADOWSOCKS_URL && interface.as_deref() == Some("127.0.0.2")
        ));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn shadowsocks_requires_direct_mode() {
        let toml = format!(
            r#"
            [general]
            use_middle_proxy = true
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
            [[upstreams]]
            type = "shadowsocks"
            url = "{url}"
            "#,
            url = TEST_SHADOWSOCKS_URL,
        );
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_shadowsocks_me_reject_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("shadowsocks upstreams require general.use_middle_proxy = false"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn invalid_shadowsocks_url_is_rejected() {
        let toml = r#"
            [general]
            use_middle_proxy = false
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
            [[upstreams]]
            type = "shadowsocks"
            url = "not-a-valid-ss-url"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_shadowsocks_invalid_url_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("invalid shadowsocks url"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn shadowsocks_plugins_are_rejected() {
        let toml = format!(
            r#"
            [general]
            use_middle_proxy = false
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
            [[upstreams]]
            type = "shadowsocks"
            url = "{url}?plugin=obfs-local%3Bobfs%3Dhttp"
            "#,
            url = TEST_SHADOWSOCKS_URL,
        );
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_shadowsocks_plugin_reject_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("shadowsocks plugins are not supported"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn invalid_user_ad_tag_reports_access_user_ad_tags_key() {
        let toml = r#"
--- a/src/config/types.rs
+++ b/src/config/types.rs
@@ -951,24 +951,38 @@ impl Default for GeneralConfig {
            me_reconnect_backoff_cap_ms: default_reconnect_backoff_cap_ms(),
            me_reconnect_fast_retry_count: default_me_reconnect_fast_retry_count(),
            me_single_endpoint_shadow_writers: default_me_single_endpoint_shadow_writers(),
-            me_single_endpoint_outage_mode_enabled: default_me_single_endpoint_outage_mode_enabled(),
+            me_single_endpoint_outage_mode_enabled: default_me_single_endpoint_outage_mode_enabled(
-            me_single_endpoint_outage_disable_quarantine: default_me_single_endpoint_outage_disable_quarantine(),
+            ),
-            me_single_endpoint_outage_backoff_min_ms: default_me_single_endpoint_outage_backoff_min_ms(),
+            me_single_endpoint_outage_disable_quarantine:
-            me_single_endpoint_outage_backoff_max_ms: default_me_single_endpoint_outage_backoff_max_ms(),
+                default_me_single_endpoint_outage_disable_quarantine(),
-            me_single_endpoint_shadow_rotate_every_secs: default_me_single_endpoint_shadow_rotate_every_secs(),
+            me_single_endpoint_outage_backoff_min_ms:
                default_me_single_endpoint_outage_backoff_min_ms(),
            me_single_endpoint_outage_backoff_max_ms:
                default_me_single_endpoint_outage_backoff_max_ms(),
            me_single_endpoint_shadow_rotate_every_secs:
                default_me_single_endpoint_shadow_rotate_every_secs(),
            me_floor_mode: MeFloorMode::default(),
            me_adaptive_floor_idle_secs: default_me_adaptive_floor_idle_secs(),
-            me_adaptive_floor_min_writers_single_endpoint: default_me_adaptive_floor_min_writers_single_endpoint(),
+            me_adaptive_floor_min_writers_single_endpoint:
-            me_adaptive_floor_min_writers_multi_endpoint: default_me_adaptive_floor_min_writers_multi_endpoint(),
+                default_me_adaptive_floor_min_writers_single_endpoint(),
            me_adaptive_floor_min_writers_multi_endpoint:
                default_me_adaptive_floor_min_writers_multi_endpoint(),
            me_adaptive_floor_recover_grace_secs: default_me_adaptive_floor_recover_grace_secs(),
-            me_adaptive_floor_writers_per_core_total: default_me_adaptive_floor_writers_per_core_total(),
+            me_adaptive_floor_writers_per_core_total:
                default_me_adaptive_floor_writers_per_core_total(),
            me_adaptive_floor_cpu_cores_override: default_me_adaptive_floor_cpu_cores_override(),
-            me_adaptive_floor_max_extra_writers_single_per_core: default_me_adaptive_floor_max_extra_writers_single_per_core(),
+            me_adaptive_floor_max_extra_writers_single_per_core:
-            me_adaptive_floor_max_extra_writers_multi_per_core: default_me_adaptive_floor_max_extra_writers_multi_per_core(),
+                default_me_adaptive_floor_max_extra_writers_single_per_core(),
-            me_adaptive_floor_max_active_writers_per_core: default_me_adaptive_floor_max_active_writers_per_core(),
+            me_adaptive_floor_max_extra_writers_multi_per_core:
-            me_adaptive_floor_max_warm_writers_per_core: default_me_adaptive_floor_max_warm_writers_per_core(),
+                default_me_adaptive_floor_max_extra_writers_multi_per_core(),
-            me_adaptive_floor_max_active_writers_global: default_me_adaptive_floor_max_active_writers_global(),
+            me_adaptive_floor_max_active_writers_per_core:
-            me_adaptive_floor_max_warm_writers_global: default_me_adaptive_floor_max_warm_writers_global(),
+                default_me_adaptive_floor_max_active_writers_per_core(),
            me_adaptive_floor_max_warm_writers_per_core:
                default_me_adaptive_floor_max_warm_writers_per_core(),
            me_adaptive_floor_max_active_writers_global:
                default_me_adaptive_floor_max_active_writers_global(),
            me_adaptive_floor_max_warm_writers_global:
                default_me_adaptive_floor_max_warm_writers_global(),
            upstream_connect_retry_attempts: default_upstream_connect_retry_attempts(),
            upstream_connect_retry_backoff_ms: default_upstream_connect_retry_backoff_ms(),
            upstream_connect_budget_ms: default_upstream_connect_budget_ms(),
@@ -983,7 +997,8 @@ impl Default for GeneralConfig {
            me_socks_kdf_policy: MeSocksKdfPolicy::Strict,
            me_route_backpressure_base_timeout_ms: default_me_route_backpressure_base_timeout_ms(),
            me_route_backpressure_high_timeout_ms: default_me_route_backpressure_high_timeout_ms(),
-            me_route_backpressure_high_watermark_pct: default_me_route_backpressure_high_watermark_pct(),
+            me_route_backpressure_high_watermark_pct:
                default_me_route_backpressure_high_watermark_pct(),
            me_health_interval_ms_unhealthy: default_me_health_interval_ms_unhealthy(),
            me_health_interval_ms_healthy: default_me_health_interval_ms_healthy(),
            me_admission_poll_ms: default_me_admission_poll_ms(),
@@ -1009,7 +1024,8 @@ impl Default for GeneralConfig {
            me_hardswap_warmup_delay_min_ms: default_me_hardswap_warmup_delay_min_ms(),
            me_hardswap_warmup_delay_max_ms: default_me_hardswap_warmup_delay_max_ms(),
            me_hardswap_warmup_extra_passes: default_me_hardswap_warmup_extra_passes(),
-            me_hardswap_warmup_pass_backoff_base_ms: default_me_hardswap_warmup_pass_backoff_base_ms(),
+            me_hardswap_warmup_pass_backoff_base_ms:
                default_me_hardswap_warmup_pass_backoff_base_ms(),
            me_config_stable_snapshots: default_me_config_stable_snapshots(),
            me_config_apply_cooldown_secs: default_me_config_apply_cooldown_secs(),
            me_snapshot_require_http_2xx: default_me_snapshot_require_http_2xx(),
@@ -1052,8 +1068,10 @@ impl GeneralConfig {
    /// Resolve the active updater interval for ME infrastructure refresh tasks.
    /// `update_every` has priority, otherwise legacy proxy_*_auto_reload_secs are used.
    pub fn effective_update_every_secs(&self) -> u64 {
-        self.update_every
+        self.update_every.unwrap_or_else(|| {
-            .unwrap_or_else(|| self.proxy_secret_auto_reload_secs.min(self.proxy_config_auto_reload_secs))
+            self.proxy_secret_auto_reload_secs
                .min(self.proxy_config_auto_reload_secs)
        })
    }
    /// Resolve periodic zero-downtime reinit interval for ME writers.
@@ -1460,6 +1478,11 @@ pub enum UpstreamType {
        #[serde(default)]
        password: Option<String>,
    },
    Shadowsocks {
        url: String,
        #[serde(default)]
        interface: Option<String>,
    },
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -1540,7 +1563,10 @@ impl ShowLink {
 }
 impl Serialize for ShowLink {
-    fn serialize<S: serde::Serializer>(&self, serializer: S) -> std::result::Result<S::Ok, S::Error> {
+    fn serialize<S: serde::Serializer>(
        &self,
        serializer: S,
    ) -> std::result::Result<S::Ok, S::Error> {
        match self {
            ShowLink::None => Vec::<String>::new().serialize(serializer),
            ShowLink::All => serializer.serialize_str("*"),
@@ -1550,7 +1576,9 @@ impl Serialize for ShowLink {
 }
 impl<'de> Deserialize<'de> for ShowLink {
-    fn deserialize<D: serde::Deserializer<'de>>(deserializer: D) -> std::result::Result<Self, D::Error> {
+    fn deserialize<D: serde::Deserializer<'de>>(
        deserializer: D,
    ) -> std::result::Result<Self, D::Error> {
        use serde::de;
        struct ShowLinkVisitor;
@@ -1566,14 +1594,14 @@ impl<'de> Deserialize<'de> for ShowLink {
                if v == "*" {
                    Ok(ShowLink::All)
                } else {
-                    Err(de::Error::invalid_value(
+                    Err(de::Error::invalid_value(de::Unexpected::Str(v), &r#""*""#))
                        de::Unexpected::Str(v),
                        &r#""*""#,
                    ))
                }
            }
-            fn visit_seq<A: de::SeqAccess<'de>>(self, mut seq: A) -> std::result::Result<ShowLink, A::Error> {
+            fn visit_seq<A: de::SeqAccess<'de>>(
                self,
                mut seq: A,
            ) -> std::result::Result<ShowLink, A::Error> {
                let mut names = Vec::new();
                while let Some(name) = seq.next_element::<String>()? {
                    names.push(name);
--- a/src/proxy/direct_relay.rs
+++ b/src/proxy/direct_relay.rs
@@ -3,8 +3,7 @@ use std::io::Write;
 use std::net::SocketAddr;
 use std::sync::Arc;
-use tokio::io::{AsyncRead, AsyncWrite, AsyncWriteExt};
+use tokio::io::{AsyncRead, AsyncWrite, AsyncWriteExt, ReadHalf, WriteHalf, split};
 use tokio::net::TcpStream;
 use tokio::sync::watch;
 use tracing::{debug, info, warn};
@@ -15,7 +14,7 @@ use crate::protocol::constants::*;
 use crate::proxy::handshake::{HandshakeSuccess, encrypt_tg_nonce_with_ciphers, generate_tg_nonce};
 use crate::proxy::relay::relay_bidirectional;
 use crate::proxy::route_mode::{
-    RelayRouteMode, RouteCutoverState, ROUTE_SWITCH_ERROR_MSG, affected_cutover_state,
+    ROUTE_SWITCH_ERROR_MSG, RelayRouteMode, RouteCutoverState, affected_cutover_state,
    cutover_stagger_delay,
 };
 use crate::proxy::adaptive_buffers;
@@ -56,7 +55,11 @@ where
    );
    let tg_stream = upstream_manager
-        .connect(dc_addr, Some(success.dc_idx), user.strip_prefix("scope_").filter(|s| !s.is_empty()))
+        .connect(
            dc_addr,
            Some(success.dc_idx),
            user.strip_prefix("scope_").filter(|s| !s.is_empty()),
        )
        .await?;
    debug!(peer = %success.peer, dc_addr = %dc_addr, "Connected, performing TG handshake");
@@ -93,11 +96,9 @@ where
    );
    tokio::pin!(relay_result);
    let relay_result = loop {
-        if let Some(cutover) = affected_cutover_state(
+        if let Some(cutover) =
-            &route_rx,
+            affected_cutover_state(&route_rx, RelayRouteMode::Direct, route_snapshot.generation)
-            RelayRouteMode::Direct,
+        {
            route_snapshot.generation,
        ) {
            let delay = cutover_stagger_delay(session_id, cutover.generation);
            warn!(
                user = %user,
@@ -148,7 +149,9 @@ fn get_dc_addr_static(dc_idx: i16, config: &ProxyConfig) -> Result<SocketAddr> {
        for addr_str in addrs {
            match addr_str.parse::<SocketAddr>() {
                Ok(addr) => parsed.push(addr),
-                Err(_) => warn!(dc_idx = dc_idx, addr_str = %addr_str, "Invalid DC override address in config, ignoring"),
+                Err(_) => {
                    warn!(dc_idx = dc_idx, addr_str = %addr_str, "Invalid DC override address in config, ignoring")
                }
            }
        }
@@ -170,7 +173,10 @@ fn get_dc_addr_static(dc_idx: i16, config: &ProxyConfig) -> Result<SocketAddr> {
    // Unknown DC requested by client without override: log and fall back.
    if !config.dc_overrides.contains_key(&dc_key) {
-        warn!(dc_idx = dc_idx, "Requested non-standard DC with no override; falling back to default cluster");
+        warn!(
            dc_idx = dc_idx,
            "Requested non-standard DC with no override; falling back to default cluster"
        );
        if config.general.unknown_dc_file_log_enabled
            && let Some(path) = &config.general.unknown_dc_log_path
            && let Ok(handle) = tokio::runtime::Handle::try_current()
@@ -204,15 +210,15 @@ fn get_dc_addr_static(dc_idx: i16, config: &ProxyConfig) -> Result<SocketAddr> {
    ))
 }
-async fn do_tg_handshake_static(
+async fn do_tg_handshake_static<S>(
-    mut stream: TcpStream,
+    mut stream: S,
    success: &HandshakeSuccess,
    config: &ProxyConfig,
    rng: &SecureRandom,
-) -> Result<(
+) -> Result<(CryptoReader<ReadHalf<S>>, CryptoWriter<WriteHalf<S>>)>
-    CryptoReader<tokio::net::tcp::OwnedReadHalf>,
+where
-    CryptoWriter<tokio::net::tcp::OwnedWriteHalf>,
+    S: AsyncRead + AsyncWrite + Unpin,
-)> {
+{
    let (nonce, _tg_enc_key, _tg_enc_iv, _tg_dec_key, _tg_dec_iv) = generate_tg_nonce(
        success.proto_tag,
        success.dc_idx,
@@ -235,7 +241,7 @@ async fn do_tg_handshake_static(
    stream.write_all(&encrypted_nonce).await?;
    stream.flush().await?;
-    let (read_half, write_half) = stream.into_split();
+    let (read_half, write_half) = split(stream);
    let max_pending = config.general.crypto_pending_buffer;
    Ok((
--- a/src/tls_front/fetcher.rs
+++ b/src/tls_front/fetcher.rs
@@ -7,33 +7,29 @@ use tokio::net::TcpStream;
 #[cfg(unix)]
 use tokio::net::UnixStream;
 use tokio::time::timeout;
 use tokio_rustls::client::TlsStream;
 use tokio_rustls::TlsConnector;
 use tokio_rustls::client::TlsStream;
 use tracing::{debug, warn};
 use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
 use rustls::client::ClientConfig;
 use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
 use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
 use rustls::{DigitallySignedStruct, Error as RustlsError};
 use x509_parser::prelude::FromDer;
 use x509_parser::certificate::X509Certificate;
 use x509_parser::prelude::FromDer;
 use crate::crypto::SecureRandom;
 use crate::network::dns_overrides::resolve_socket_addr;
 use crate::protocol::constants::{
    TLS_RECORD_APPLICATION, TLS_RECORD_CHANGE_CIPHER, TLS_RECORD_HANDSHAKE,
 };
 use crate::transport::proxy_protocol::{ProxyProtocolV1Builder, ProxyProtocolV2Builder};
 use crate::tls_front::types::{
-    ParsedCertificateInfo,
+    ParsedCertificateInfo, ParsedServerHello, TlsBehaviorProfile, TlsCertPayload, TlsExtension,
-    ParsedServerHello,
+    TlsFetchResult, TlsProfileSource,
    TlsBehaviorProfile,
    TlsCertPayload,
    TlsExtension,
    TlsFetchResult,
    TlsProfileSource,
 };
 use crate::transport::UpstreamStream;
 use crate::transport::proxy_protocol::{ProxyProtocolV1Builder, ProxyProtocolV2Builder};
 /// No-op verifier: accept any certificate (we only need lengths and metadata).
 #[derive(Debug)]
@@ -144,21 +140,27 @@ fn build_client_hello(sni: &str, rng: &SecureRandom) -> Vec<u8> {
    exts.extend_from_slice(&0x000au16.to_be_bytes());
    exts.extend_from_slice(&((2 + groups.len() * 2) as u16).to_be_bytes());
    exts.extend_from_slice(&(groups.len() as u16 * 2).to_be_bytes());
-    for g in groups { exts.extend_from_slice(&g.to_be_bytes()); }
+    for g in groups {
        exts.extend_from_slice(&g.to_be_bytes());
    }
    // signature_algorithms
    let sig_algs: [u16; 4] = [0x0804, 0x0805, 0x0403, 0x0503]; // rsa_pss_rsae_sha256/384, ecdsa_secp256r1_sha256, rsa_pkcs1_sha256
    exts.extend_from_slice(&0x000du16.to_be_bytes());
    exts.extend_from_slice(&((2 + sig_algs.len() * 2) as u16).to_be_bytes());
    exts.extend_from_slice(&(sig_algs.len() as u16 * 2).to_be_bytes());
-    for a in sig_algs { exts.extend_from_slice(&a.to_be_bytes()); }
+    for a in sig_algs {
        exts.extend_from_slice(&a.to_be_bytes());
    }
    // supported_versions (TLS1.3 + TLS1.2)
    let versions: [u16; 2] = [0x0304, 0x0303];
    exts.extend_from_slice(&0x002bu16.to_be_bytes());
    exts.extend_from_slice(&((1 + versions.len() * 2) as u16).to_be_bytes());
    exts.push((versions.len() * 2) as u8);
-    for v in versions { exts.extend_from_slice(&v.to_be_bytes()); }
+    for v in versions {
        exts.extend_from_slice(&v.to_be_bytes());
    }
    // key_share (x25519)
    let key = gen_key_share(rng);
@@ -273,7 +275,10 @@ fn parse_server_hello(body: &[u8]) -> Option<ParsedServerHello> {
        pos += 4;
        let data = body.get(pos..pos + elen)?.to_vec();
        pos += elen;
-        extensions.push(TlsExtension { ext_type: etype, data });
+        extensions.push(TlsExtension {
            ext_type: etype,
            data,
        });
    }
    Some(ParsedServerHello {
@@ -394,7 +399,7 @@ async fn connect_tcp_with_upstream(
    port: u16,
    connect_timeout: Duration,
    upstream: Option<std::sync::Arc<crate::transport::UpstreamManager>>,
-) -> Result<TcpStream> {
+) -> Result<UpstreamStream> {
    if let Some(manager) = upstream {
        if let Some(addr) = resolve_socket_addr(host, port) {
            match manager.connect(addr, None, None).await {
@@ -408,23 +413,25 @@ async fn connect_tcp_with_upstream(
                    );
                }
            }
-        } else if let Ok(mut addrs) = tokio::net::lookup_host((host, port)).await {
+        } else if let Ok(mut addrs) = tokio::net::lookup_host((host, port)).await
-            if let Some(addr) = addrs.find(|a| a.is_ipv4()) {
+            && let Some(addr) = addrs.find(|a| a.is_ipv4())
-                match manager.connect(addr, None, None).await {
+        {
-                    Ok(stream) => return Ok(stream),
+            match manager.connect(addr, None, None).await {
-                    Err(e) => {
+                Ok(stream) => return Ok(stream),
-                        warn!(
+                Err(e) => {
-                            host = %host,
+                    warn!(
-                            port = port,
+                        host = %host,
-                            error = %e,
+                        port = port,
-                            "Upstream connect failed, using direct connect"
+                        error = %e,
-                        );
+                        "Upstream connect failed, using direct connect"
-                    }
+                    );
                }
            }
        }
    }
-    connect_with_dns_override(host, port, connect_timeout).await
+    Ok(UpstreamStream::Tcp(
        connect_with_dns_override(host, port, connect_timeout).await?,
    ))
 }
 fn encode_tls13_certificate_message(cert_chain_der: &[Vec<u8>]) -> Option<Vec<u8>> {
@@ -443,9 +450,7 @@ fn encode_tls13_certificate_message(cert_chain_der: &[Vec<u8>]) -> Option<Vec<u8
    }
    // Certificate = context_len(1) + certificate_list_len(3) + entries
-    let body_len = 1usize
+    let body_len = 1usize.checked_add(3)?.checked_add(certificate_list.len())?;
        .checked_add(3)?
        .checked_add(certificate_list.len())?;
    let mut message = Vec::with_capacity(4 + body_len);
    message.push(0x0b); // HandshakeType::certificate
@@ -549,7 +554,8 @@ async fn fetch_via_raw_tls(
                    sock = %sock_path,
                    "Raw TLS fetch using mask unix socket"
                );
-                return fetch_via_raw_tls_stream(stream, sni, connect_timeout, proxy_protocol).await;
+                return fetch_via_raw_tls_stream(stream, sni, connect_timeout, proxy_protocol)
                    .await;
            }
            Ok(Err(e)) => {
                warn!(
@@ -616,12 +622,13 @@ where
        .map(|slice| slice.to_vec())
        .unwrap_or_default();
    let cert_chain_der: Vec<Vec<u8>> = certs.iter().map(|c| c.as_ref().to_vec()).collect();
-    let cert_payload = encode_tls13_certificate_message(&cert_chain_der).map(|certificate_message| {
+    let cert_payload =
-        TlsCertPayload {
+        encode_tls13_certificate_message(&cert_chain_der).map(|certificate_message| {
-            cert_chain_der: cert_chain_der.clone(),
+            TlsCertPayload {
-            certificate_message,
+                cert_chain_der: cert_chain_der.clone(),
-        }
+                certificate_message,
-    });
+            }
        });
    let total_cert_len = cert_payload
        .as_ref()
--- a/src/transport/middle_proxy/ping.rs
+++ b/src/transport/middle_proxy/ping.rs
@@ -7,6 +7,7 @@ use tokio::net::UdpSocket;
 use crate::config::{UpstreamConfig, UpstreamType};
 use crate::crypto::SecureRandom;
 use crate::error::ProxyError;
 use crate::transport::shadowsocks::sanitize_shadowsocks_url;
 use crate::transport::{UpstreamEgressInfo, UpstreamRouteKind};
 use super::MePool;
@@ -40,7 +41,11 @@ pub fn format_sample_line(sample: &MePingSample) -> String {
    let sign = if sample.dc >= 0 { "+" } else { "-" };
    let addr = format!("{}:{}", sample.addr.ip(), sample.addr.port());
-    match (sample.connect_ms, sample.handshake_ms.as_ref(), sample.error.as_ref()) {
+    match (
        sample.connect_ms,
        sample.handshake_ms.as_ref(),
        sample.error.as_ref(),
    ) {
        (Some(conn), Some(hs), None) => format!(
            "     {sign} {addr}\tPing: {:.0} ms / RPC: {:.0} ms / OK",
            conn, hs
@@ -121,6 +126,7 @@ fn route_from_egress(egress: Option<UpstreamEgressInfo>) -> Option<String> {
                None => route,
            })
        }
        UpstreamRouteKind::Shadowsocks => Some("shadowsocks".to_string()),
    }
 }
@@ -232,6 +238,9 @@ pub async fn format_me_route(
            }
            UpstreamType::Socks4 { address, .. } => format!("socks4://{address}"),
            UpstreamType::Socks5 { address, .. } => format!("socks5://{address}"),
            UpstreamType::Shadowsocks { url, .. } => sanitize_shadowsocks_url(url)
                .map(|address| format!("shadowsocks://{address}"))
                .unwrap_or_else(|_| "shadowsocks://invalid".to_string()),
        };
    }
@@ -254,6 +263,12 @@ pub async fn format_me_route(
    if has_socks5 {
        kinds.push("socks5");
    }
    if enabled_upstreams
        .iter()
        .any(|u| matches!(u.upstream_type, UpstreamType::Shadowsocks { .. }))
    {
        kinds.push("shadowsocks");
    }
    format!("mixed upstreams ({})", kinds.join(", "))
 }
@@ -335,7 +350,10 @@ pub async fn run_me_ping(pool: &Arc<MePool>, rng: &SecureRandom) -> Vec<MePingRe
                Ok((stream, conn_rtt, upstream_egress)) => {
                    connect_ms = Some(conn_rtt);
                    route = route_from_egress(upstream_egress);
-                    match pool.handshake_only(stream, addr, upstream_egress, rng).await {
+                    match pool
                        .handshake_only(stream, addr, upstream_egress, rng)
                        .await
                    {
                        Ok(hs) => {
                            handshake_ms = Some(hs.handshake_ms);
                            // drop halves to close
--- a/src/transport/mod.rs
+++ b/src/transport/mod.rs
@@ -2,6 +2,7 @@
 pub mod pool;
 pub mod proxy_protocol;
 pub mod shadowsocks;
 pub mod socket;
 pub mod socks;
 pub mod upstream;
@@ -14,5 +15,8 @@ pub use socket::*;
 #[allow(unused_imports)]
 pub use socks::*;
 #[allow(unused_imports)]
-pub use upstream::{DcPingResult, StartupPingResult, UpstreamEgressInfo, UpstreamManager, UpstreamRouteKind};
+pub use upstream::{
    DcPingResult, StartupPingResult, UpstreamEgressInfo, UpstreamManager, UpstreamRouteKind,
    UpstreamStream,
 };
 pub mod middle_proxy;
--- a/src/transport/shadowsocks.rs
+++ b/src/transport/shadowsocks.rs
@@ -0,0 +1,60 @@
 use std::net::{IpAddr, SocketAddr};
 use std::time::Duration;
 use shadowsocks::{
    ProxyClientStream,
    config::{ServerConfig, ServerType},
    context::Context,
    net::ConnectOpts,
 };
 use crate::error::{ProxyError, Result};
 pub(crate) type ShadowsocksStream = ProxyClientStream<shadowsocks::net::TcpStream>;
 fn parse_server_config(url: &str, connect_timeout: Duration) -> Result<ServerConfig> {
    let mut config = ServerConfig::from_url(url)
        .map_err(|error| ProxyError::Config(format!("invalid shadowsocks url: {error}")))?;
    if config.plugin().is_some() {
        return Err(ProxyError::Config(
            "shadowsocks plugins are not supported".to_string(),
        ));
    }
    config.set_timeout(connect_timeout);
    Ok(config)
 }
 pub(crate) fn sanitize_shadowsocks_url(url: &str) -> Result<String> {
    Ok(parse_server_config(url, Duration::from_secs(1))?
        .addr()
        .to_string())
 }
 fn connect_opts_for_interface(interface: &Option<String>) -> ConnectOpts {
    let mut opts = ConnectOpts::default();
    if let Some(interface) = interface {
        if let Ok(ip) = interface.parse::<IpAddr>() {
            opts.bind_local_addr = Some(SocketAddr::new(ip, 0));
        } else {
            opts.bind_interface = Some(interface.clone());
        }
    }
    opts
 }
 pub(crate) async fn connect_shadowsocks(
    url: &str,
    interface: &Option<String>,
    target: SocketAddr,
    connect_timeout: Duration,
 ) -> Result<ShadowsocksStream> {
    let config = parse_server_config(url, connect_timeout)?;
    let context = Context::new_shared(ServerType::Local);
    let opts = connect_opts_for_interface(interface);
    ProxyClientStream::connect_with_opts(context, &config, target, &opts)
        .await
        .map_err(ProxyError::Io)
 }
--- a/src/transport/upstream.rs
+++ b/src/transport/upstream.rs
@@ -4,22 +4,28 @@
 #![allow(deprecated)]
 use rand::Rng;
 use std::collections::{BTreeSet, HashMap};
-use std::net::{SocketAddr, IpAddr};
+use std::net::{IpAddr, SocketAddr};
 use std::pin::Pin;
 use std::sync::Arc;
 use std::sync::atomic::{AtomicU64, AtomicUsize, Ordering};
 use std::task::{Context, Poll};
 use std::time::Duration;
 use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
 use tokio::net::TcpStream;
 use tokio::sync::RwLock;
 use tokio::time::Instant;
-use rand::Rng;
+use tracing::{debug, info, trace, warn};
 use tracing::{debug, warn, info, trace};
 use crate::config::{UpstreamConfig, UpstreamType};
-use crate::error::{Result, ProxyError};
+use crate::error::{ProxyError, Result};
 use crate::network::dns_overrides::{resolve_socket_addr, split_host_port};
-use crate::protocol::constants::{TG_DATACENTERS_V4, TG_DATACENTERS_V6, TG_DATACENTER_PORT};
+use crate::protocol::constants::{TG_DATACENTER_PORT, TG_DATACENTERS_V4, TG_DATACENTERS_V6};
 use crate::stats::Stats;
 use crate::transport::shadowsocks::{
    ShadowsocksStream, connect_shadowsocks, sanitize_shadowsocks_url,
 };
 use crate::transport::socket::{create_outgoing_socket_bound, resolve_interface_ip};
 use crate::transport::socks::{connect_socks4, connect_socks5};
@@ -47,7 +53,10 @@ struct LatencyEma {
 impl LatencyEma {
    const fn new(alpha: f64) -> Self {
-        Self { value_ms: None, alpha }
+        Self {
            value_ms: None,
            alpha,
        }
    }
    fn update(&mut self, sample_ms: f64) {
@@ -131,11 +140,17 @@ impl UpstreamState {
            return Some(ms);
        }
-        let (sum, count) = self.dc_latency.iter()
+        let (sum, count) = self
            .dc_latency
            .iter()
            .filter_map(|l| l.get())
            .fold((0.0, 0u32), |(s, c), v| (s + v, c + 1));
-        if count > 0 { Some(sum / count as f64) } else { None }
+        if count > 0 {
            Some(sum / count as f64)
        } else {
            None
        }
    }
 }
@@ -158,11 +173,78 @@ pub struct StartupPingResult {
    pub both_available: bool,
 }
 pub enum UpstreamStream {
    Tcp(TcpStream),
    Shadowsocks(Box<ShadowsocksStream>),
 }
 impl std::fmt::Debug for UpstreamStream {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Self::Tcp(_) => f.write_str("UpstreamStream::Tcp(..)"),
            Self::Shadowsocks(_) => f.write_str("UpstreamStream::Shadowsocks(..)"),
        }
    }
 }
 impl UpstreamStream {
    pub fn into_tcp(self) -> Result<TcpStream> {
        match self {
            Self::Tcp(stream) => Ok(stream),
            Self::Shadowsocks(_) => Err(ProxyError::Config(
                "shadowsocks upstreams are not supported when general.use_middle_proxy = true"
                    .to_string(),
            )),
        }
    }
 }
 impl AsyncRead for UpstreamStream {
    fn poll_read(
        self: Pin<&mut Self>,
        cx: &mut Context<'_>,
        buf: &mut ReadBuf<'_>,
    ) -> Poll<std::io::Result<()>> {
        match self.get_mut() {
            Self::Tcp(stream) => Pin::new(stream).poll_read(cx, buf),
            Self::Shadowsocks(stream) => Pin::new(stream.as_mut()).poll_read(cx, buf),
        }
    }
 }
 impl AsyncWrite for UpstreamStream {
    fn poll_write(
        self: Pin<&mut Self>,
        cx: &mut Context<'_>,
        buf: &[u8],
    ) -> Poll<std::io::Result<usize>> {
        match self.get_mut() {
            Self::Tcp(stream) => Pin::new(stream).poll_write(cx, buf),
            Self::Shadowsocks(stream) => Pin::new(stream.as_mut()).poll_write(cx, buf),
        }
    }
    fn poll_flush(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<std::io::Result<()>> {
        match self.get_mut() {
            Self::Tcp(stream) => Pin::new(stream).poll_flush(cx),
            Self::Shadowsocks(stream) => Pin::new(stream.as_mut()).poll_flush(cx),
        }
    }
    fn poll_shutdown(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<std::io::Result<()>> {
        match self.get_mut() {
            Self::Tcp(stream) => Pin::new(stream).poll_shutdown(cx),
            Self::Shadowsocks(stream) => Pin::new(stream.as_mut()).poll_shutdown(cx),
        }
    }
 }
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum UpstreamRouteKind {
    Direct,
    Socks4,
    Socks5,
    Shadowsocks,
 }
 #[derive(Debug, Clone)]
@@ -194,6 +276,7 @@ pub struct UpstreamApiSummarySnapshot {
    pub direct_total: usize,
    pub socks4_total: usize,
    pub socks5_total: usize,
    pub shadowsocks_total: usize,
 }
 #[derive(Debug, Clone)]
@@ -253,7 +336,8 @@ impl UpstreamManager {
        connect_failfast_hard_errors: bool,
        stats: Arc<Stats>,
    ) -> Self {
-        let states = configs.into_iter()
+        let states = configs
            .into_iter()
            .filter(|c| c.enabled)
            .map(UpstreamState::new)
            .collect();
@@ -311,20 +395,13 @@ impl UpstreamManager {
                summary.unhealthy_total += 1;
            }
-            let (route_kind, address) = match &upstream.config.upstream_type {
+            let (route_kind, address) = Self::describe_upstream(&upstream.config.upstream_type);
-                UpstreamType::Direct { .. } => {
+            match route_kind {
-                    summary.direct_total += 1;
+                UpstreamRouteKind::Direct => summary.direct_total += 1,
-                    (UpstreamRouteKind::Direct, "direct".to_string())
+                UpstreamRouteKind::Socks4 => summary.socks4_total += 1,
-                }
+                UpstreamRouteKind::Socks5 => summary.socks5_total += 1,
-                UpstreamType::Socks4 { address, .. } => {
+                UpstreamRouteKind::Shadowsocks => summary.shadowsocks_total += 1,
-                    summary.socks4_total += 1;
+            }
                    (UpstreamRouteKind::Socks4, address.clone())
                }
                UpstreamType::Socks5 { address, .. } => {
                    summary.socks5_total += 1;
                    (UpstreamRouteKind::Socks5, address.clone())
                }
            };
            let mut dc = Vec::with_capacity(NUM_DCS);
            for dc_idx in 0..NUM_DCS {
@@ -352,6 +429,18 @@ impl UpstreamManager {
        Some(UpstreamApiSnapshot { summary, upstreams })
    }
    fn describe_upstream(upstream_type: &UpstreamType) -> (UpstreamRouteKind, String) {
        match upstream_type {
            UpstreamType::Direct { .. } => (UpstreamRouteKind::Direct, "direct".to_string()),
            UpstreamType::Socks4 { address, .. } => (UpstreamRouteKind::Socks4, address.clone()),
            UpstreamType::Socks5 { address, .. } => (UpstreamRouteKind::Socks5, address.clone()),
            UpstreamType::Shadowsocks { url, .. } => (
                UpstreamRouteKind::Shadowsocks,
                sanitize_shadowsocks_url(url).unwrap_or_else(|_| "invalid".to_string()),
            ),
        }
    }
    pub fn api_policy_snapshot(&self) -> UpstreamApiPolicySnapshot {
        UpstreamApiPolicySnapshot {
            connect_retry_attempts: self.connect_retry_attempts,
@@ -539,44 +628,44 @@ impl UpstreamManager {
        // Scope filter:
        //   If scope is set: only scoped and matched items
        //   If scope is not set: only unscoped items
-        let filtered_upstreams : Vec<usize> = upstreams.iter()
+        let filtered_upstreams: Vec<usize> = upstreams
            .iter()
            .enumerate()
            .filter(|(_, u)| {
-                scope.map_or(
+                scope.map_or(u.config.scopes.is_empty(), |req_scope| {
-                    u.config.scopes.is_empty(),
+                    u.config
-                    |req_scope| {
+                        .scopes
-                        u.config.scopes
+                        .split(',')
-                            .split(',')
+                        .map(str::trim)
-                            .map(str::trim)
+                        .any(|s| s == req_scope)
-                            .any(|s| s == req_scope)
+                })
                    }
                )
            })
            .map(|(i, _)| i)
            .collect();
        // Healthy filter
-        let healthy: Vec<usize> = filtered_upstreams.iter()
+        let healthy: Vec<usize> = filtered_upstreams
            .iter()
            .filter(|&&i| upstreams[i].healthy)
            .copied()
            .collect();
        if filtered_upstreams.is_empty() {
-            if Self::should_emit_warn(
+            if Self::should_emit_warn(self.no_upstreams_warn_epoch_ms.as_ref(), 5_000) {
-                self.no_upstreams_warn_epoch_ms.as_ref(),
+                warn!(
-                5_000,
+                    scope = scope,
-            ) {
+                    "No upstreams available! Using first (direct?)"
-                warn!(scope = scope, "No upstreams available! Using first (direct?)");
+                );
            }
            return None;
        }
        if healthy.is_empty() {
-            if Self::should_emit_warn(
+            if Self::should_emit_warn(self.no_healthy_warn_epoch_ms.as_ref(), 5_000) {
-                self.no_healthy_warn_epoch_ms.as_ref(),
+                warn!(
-                5_000,
+                    scope = scope,
-            ) {
+                    "No healthy upstreams available! Using random."
-                warn!(scope = scope, "No healthy upstreams available! Using random.");
+                );
            }
            return Some(filtered_upstreams[rand::rng().gen_range(0..filtered_upstreams.len())]);
        }
@@ -585,14 +674,18 @@ impl UpstreamManager {
            return Some(healthy[0]);
        }
-        let weights: Vec<(usize, f64)> = healthy.iter().map(|&i| {
+        let weights: Vec<(usize, f64)> = healthy
-            let base = upstreams[i].config.weight as f64;
+            .iter()
-            let latency_factor = upstreams[i].effective_latency(dc_idx)
+            .map(|&i| {
-                .map(|ms| if ms > 1.0 { 1000.0 / ms } else { 1000.0 })
+                let base = upstreams[i].config.weight as f64;
-                .unwrap_or(1.0);
+                let latency_factor = upstreams[i]
                    .effective_latency(dc_idx)
                    .map(|ms| if ms > 1.0 { 1000.0 / ms } else { 1000.0 })
                    .unwrap_or(1.0);
-            (i, base * latency_factor)
+                (i, base * latency_factor)
-        }).collect();
+            })
            .collect();
        let total: f64 = weights.iter().map(|(_, w)| w).sum();
@@ -620,8 +713,34 @@ impl UpstreamManager {
    }
    /// Connect to target through a selected upstream.
-    pub async fn connect(&self, target: SocketAddr, dc_idx: Option<i16>, scope: Option<&str>) -> Result<TcpStream> {
+    pub async fn connect(
-        let (stream, _) = self.connect_with_details(target, dc_idx, scope).await?;
+        &self,
        target: SocketAddr,
        dc_idx: Option<i16>,
        scope: Option<&str>,
    ) -> Result<UpstreamStream> {
        let idx = self
            .select_upstream(dc_idx, scope)
            .await
            .ok_or_else(|| ProxyError::Config("No upstreams available".to_string()))?;
        let mut upstream = {
            let guard = self.upstreams.read().await;
            guard[idx].config.clone()
        };
        if let Some(s) = scope {
            upstream.selected_scope = s.to_string();
        }
        let bind_rr = {
            let guard = self.upstreams.read().await;
            guard.get(idx).map(|u| u.bind_rr.clone())
        };
        let (stream, _) = self
            .connect_selected_upstream(idx, upstream, target, dc_idx, bind_rr)
            .await?;
        Ok(stream)
    }
@@ -632,7 +751,9 @@ impl UpstreamManager {
        dc_idx: Option<i16>,
        scope: Option<&str>,
    ) -> Result<(TcpStream, UpstreamEgressInfo)> {
-        let idx = self.select_upstream(dc_idx, scope).await
+        let idx = self
            .select_upstream(dc_idx, scope)
            .await
            .ok_or_else(|| ProxyError::Config("No upstreams available".to_string()))?;
        let mut upstream = {
@@ -650,6 +771,20 @@ impl UpstreamManager {
            guard.get(idx).map(|u| u.bind_rr.clone())
        };
        let (stream, egress) = self
            .connect_selected_upstream(idx, upstream, target, dc_idx, bind_rr)
            .await?;
        Ok((stream.into_tcp()?, egress))
    }
    async fn connect_selected_upstream(
        &self,
        idx: usize,
        upstream: UpstreamConfig,
        target: SocketAddr,
        dc_idx: Option<i16>,
        bind_rr: Option<Arc<AtomicUsize>>,
    ) -> Result<(UpstreamStream, UpstreamEgressInfo)> {
        let connect_started_at = Instant::now();
        let mut last_error: Option<ProxyError> = None;
        let mut attempts_used = 0u32;
@@ -662,8 +797,8 @@ impl UpstreamManager {
                break;
            }
            let remaining_budget = self.connect_budget.saturating_sub(elapsed);
-            let attempt_timeout = Duration::from_secs(DIRECT_CONNECT_TIMEOUT_SECS)
+            let attempt_timeout =
-                .min(remaining_budget);
+                Duration::from_secs(DIRECT_CONNECT_TIMEOUT_SECS).min(remaining_budget);
            if attempt_timeout.is_zero() {
                last_error = Some(ProxyError::ConnectionTimeout {
                    addr: target.to_string(),
@@ -786,9 +921,12 @@ impl UpstreamManager {
        target: SocketAddr,
        bind_rr: Option<Arc<AtomicUsize>>,
        connect_timeout: Duration,
-    ) -> Result<(TcpStream, UpstreamEgressInfo)> {
+    ) -> Result<(UpstreamStream, UpstreamEgressInfo)> {
        match &config.upstream_type {
-            UpstreamType::Direct { interface, bind_addresses } => {
+            UpstreamType::Direct {
                interface,
                bind_addresses,
            } => {
                let bind_ip = Self::resolve_bind_address(
                    interface,
                    bind_addresses,
@@ -796,9 +934,7 @@ impl UpstreamManager {
                    bind_rr.as_deref(),
                    true,
                );
-                if bind_ip.is_none()
+                if bind_ip.is_none() && bind_addresses.as_ref().is_some_and(|v| !v.is_empty()) {
                    && bind_addresses.as_ref().is_some_and(|v| !v.is_empty())
                {
                    return Err(ProxyError::Config(format!(
                        "No valid bind_addresses for target family {target}"
                    )));
@@ -813,8 +949,10 @@ impl UpstreamManager {
                socket.set_nonblocking(true)?;
                match socket.connect(&target.into()) {
-                    Ok(()) => {},
+                    Ok(()) => {}
-                    Err(err) if err.raw_os_error() == Some(libc::EINPROGRESS) || err.kind() == std::io::ErrorKind::WouldBlock => {},
+                    Err(err)
                        if err.raw_os_error() == Some(libc::EINPROGRESS)
                            || err.kind() == std::io::ErrorKind::WouldBlock => {}
                    Err(err) => return Err(ProxyError::Io(err)),
                }
@@ -836,7 +974,7 @@ impl UpstreamManager {
                let local_addr = stream.local_addr().ok();
                Ok((
-                    stream,
+                    UpstreamStream::Tcp(stream),
                    UpstreamEgressInfo {
                        upstream_id,
                        route_kind: UpstreamRouteKind::Direct,
@@ -846,8 +984,12 @@ impl UpstreamManager {
                        socks_proxy_addr: None,
                    },
                ))
-            },
+            }
-            UpstreamType::Socks4 { address, interface, user_id } => {
+            UpstreamType::Socks4 {
                address,
                interface,
                user_id,
            } => {
                // Try to parse as SocketAddr first (IP:port), otherwise treat as hostname:port
                let mut stream = if let Ok(proxy_addr) = address.parse::<SocketAddr>() {
                    // IP:port format - use socket with optional interface binding
@@ -863,8 +1005,10 @@ impl UpstreamManager {
                    socket.set_nonblocking(true)?;
                    match socket.connect(&proxy_addr.into()) {
-                        Ok(()) => {},
+                        Ok(()) => {}
-                        Err(err) if err.raw_os_error() == Some(libc::EINPROGRESS) || err.kind() == std::io::ErrorKind::WouldBlock => {},
+                        Err(err)
                            if err.raw_os_error() == Some(libc::EINPROGRESS)
                                || err.kind() == std::io::ErrorKind::WouldBlock => {}
                        Err(err) => return Err(ProxyError::Io(err)),
                    }
@@ -888,14 +1032,16 @@ impl UpstreamManager {
                    // Hostname:port format - use tokio DNS resolution
                    // Note: interface binding is not supported for hostnames
                    if interface.is_some() {
-                        warn!("SOCKS4 interface binding is not supported for hostname addresses, ignoring");
+                        warn!(
                            "SOCKS4 interface binding is not supported for hostname addresses, ignoring"
                        );
                    }
                    Self::connect_hostname_with_dns_override(address, connect_timeout).await?
                };
                // replace socks user_id with config.selected_scope, if set
-                let scope: Option<&str> = Some(config.selected_scope.as_str())
+                let scope: Option<&str> =
-                    .filter(|s| !s.is_empty());
+                    Some(config.selected_scope.as_str()).filter(|s| !s.is_empty());
                let _user_id: Option<&str> = scope.or(user_id.as_deref());
                let bound = match tokio::time::timeout(
@@ -915,7 +1061,7 @@ impl UpstreamManager {
                let local_addr = stream.local_addr().ok();
                let socks_proxy_addr = stream.peer_addr().ok();
                Ok((
-                    stream,
+                    UpstreamStream::Tcp(stream),
                    UpstreamEgressInfo {
                        upstream_id,
                        route_kind: UpstreamRouteKind::Socks4,
@@ -925,8 +1071,13 @@ impl UpstreamManager {
                        socks_proxy_addr,
                    },
                ))
-            },
+            }
-            UpstreamType::Socks5 { address, interface, username, password } => {
+            UpstreamType::Socks5 {
                address,
                interface,
                username,
                password,
            } => {
                // Try to parse as SocketAddr first (IP:port), otherwise treat as hostname:port
                let mut stream = if let Ok(proxy_addr) = address.parse::<SocketAddr>() {
                    // IP:port format - use socket with optional interface binding
@@ -942,8 +1093,10 @@ impl UpstreamManager {
                    socket.set_nonblocking(true)?;
                    match socket.connect(&proxy_addr.into()) {
-                        Ok(()) => {},
+                        Ok(()) => {}
-                        Err(err) if err.raw_os_error() == Some(libc::EINPROGRESS) || err.kind() == std::io::ErrorKind::WouldBlock => {},
+                        Err(err)
                            if err.raw_os_error() == Some(libc::EINPROGRESS)
                                || err.kind() == std::io::ErrorKind::WouldBlock => {}
                        Err(err) => return Err(ProxyError::Io(err)),
                    }
@@ -967,15 +1120,17 @@ impl UpstreamManager {
                    // Hostname:port format - use tokio DNS resolution
                    // Note: interface binding is not supported for hostnames
                    if interface.is_some() {
-                        warn!("SOCKS5 interface binding is not supported for hostname addresses, ignoring");
+                        warn!(
                            "SOCKS5 interface binding is not supported for hostname addresses, ignoring"
                        );
                    }
                    Self::connect_hostname_with_dns_override(address, connect_timeout).await?
                };
                debug!(config = ?config, "Socks5 connection");
                // replace socks user:pass with config.selected_scope, if set
-                let scope: Option<&str> = Some(config.selected_scope.as_str())
+                let scope: Option<&str> =
-                    .filter(|s| !s.is_empty());
+                    Some(config.selected_scope.as_str()).filter(|s| !s.is_empty());
                let _username: Option<&str> = scope.or(username.as_deref());
                let _password: Option<&str> = scope.or(password.as_deref());
@@ -996,7 +1151,7 @@ impl UpstreamManager {
                let local_addr = stream.local_addr().ok();
                let socks_proxy_addr = stream.peer_addr().ok();
                Ok((
-                    stream,
+                    UpstreamStream::Tcp(stream),
                    UpstreamEgressInfo {
                        upstream_id,
                        route_kind: UpstreamRouteKind::Socks5,
@@ -1006,7 +1161,22 @@ impl UpstreamManager {
                        socks_proxy_addr,
                    },
                ))
-            },
+            }
            UpstreamType::Shadowsocks { url, interface } => {
                let stream = connect_shadowsocks(url, interface, target, connect_timeout).await?;
                let local_addr = stream.get_ref().local_addr().ok();
                    Ok((
                        UpstreamStream::Shadowsocks(Box::new(stream)),
                        UpstreamEgressInfo {
                        upstream_id,
                        route_kind: UpstreamRouteKind::Shadowsocks,
                        local_addr,
                        direct_bind_ip: None,
                        socks_bound_addr: None,
                        socks_proxy_addr: None,
                    },
                ))
            }
        }
    }
@@ -1023,7 +1193,9 @@ impl UpstreamManager {
    ) -> Vec<StartupPingResult> {
        let upstreams: Vec<(usize, UpstreamConfig, Arc<AtomicUsize>)> = {
            let guard = self.upstreams.read().await;
-            guard.iter().enumerate()
+            guard
                .iter()
                .enumerate()
                .map(|(i, u)| (i, u.config.clone(), u.bind_rr.clone()))
                .collect()
        };
@@ -1051,6 +1223,11 @@ impl UpstreamManager {
                }
                UpstreamType::Socks4 { address, .. } => format!("socks4://{}", address),
                UpstreamType::Socks5 { address, .. } => format!("socks5://{}", address),
                UpstreamType::Shadowsocks { url, .. } => {
                    let address =
                        sanitize_shadowsocks_url(url).unwrap_or_else(|_| "invalid".to_string());
                    format!("shadowsocks://{address}")
                }
            };
            let mut v6_results = Vec::with_capacity(NUM_DCS);
@@ -1061,8 +1238,14 @@ impl UpstreamManager {
                    let result = tokio::time::timeout(
                        Duration::from_secs(DC_PING_TIMEOUT_SECS),
-                        self.ping_single_dc(*upstream_idx, upstream_config, Some(bind_rr.clone()), addr_v6)
+                        self.ping_single_dc(
-                    ).await;
+                            *upstream_idx,
                            upstream_config,
                            Some(bind_rr.clone()),
                            addr_v6,
                        ),
                    )
                    .await;
                    let ping_result = match result {
                        Ok(Ok(rtt_ms)) => {
@@ -1112,8 +1295,14 @@ impl UpstreamManager {
                    let result = tokio::time::timeout(
                        Duration::from_secs(DC_PING_TIMEOUT_SECS),
-                        self.ping_single_dc(*upstream_idx, upstream_config, Some(bind_rr.clone()), addr_v4)
+                        self.ping_single_dc(
-                    ).await;
+                            *upstream_idx,
                            upstream_config,
                            Some(bind_rr.clone()),
                            addr_v4,
                        ),
                    )
                    .await;
                    let ping_result = match result {
                        Ok(Ok(rtt_ms)) => {
@@ -1162,7 +1351,7 @@ impl UpstreamManager {
                    Err(_) => {
                        warn!(dc = %dc_key, "Invalid dc_overrides key, skipping");
                        continue;
-                    },
+                    }
                    _ => continue,
                };
                let dc_idx = dc_num as usize;
@@ -1175,8 +1364,14 @@ impl UpstreamManager {
                            }
                            let result = tokio::time::timeout(
                                Duration::from_secs(DC_PING_TIMEOUT_SECS),
-                                self.ping_single_dc(*upstream_idx, upstream_config, Some(bind_rr.clone()), addr)
+                                self.ping_single_dc(
-                            ).await;
+                                    *upstream_idx,
                                    upstream_config,
                                    Some(bind_rr.clone()),
                                    addr,
                                ),
                            )
                            .await;
                            let ping_result = match result {
                                Ok(Ok(rtt_ms)) => DcPingResult {
@@ -1205,7 +1400,9 @@ impl UpstreamManager {
                                v4_results.push(ping_result);
                            }
                        }
-                        Err(_) => warn!(dc = %dc_idx, addr = %addr_str, "Invalid dc_overrides address, skipping"),
+                        Err(_) => {
                            warn!(dc = %dc_idx, addr = %addr_str, "Invalid dc_overrides address, skipping")
                        }
                    }
                }
            }
@@ -1381,12 +1578,8 @@ impl UpstreamManager {
        ipv6_enabled: bool,
        dc_overrides: HashMap<String, Vec<String>>,
    ) {
-        let groups = Self::build_health_check_groups(
+        let groups =
-            prefer_ipv6,
+            Self::build_health_check_groups(prefer_ipv6, ipv4_enabled, ipv6_enabled, &dc_overrides);
            ipv4_enabled,
            ipv6_enabled,
            &dc_overrides,
        );
        let required_healthy_groups = Self::required_healthy_group_count(groups.len());
        let mut endpoint_rotation: HashMap<(usize, i16, bool), usize> = HashMap::new();
@@ -1416,13 +1609,16 @@ impl UpstreamManager {
                    let mut group_ok = false;
                    let mut group_rtt_ms = None;
-                    for (is_primary, endpoints) in [(true, &group.primary), (false, &group.fallback)] {
+                    for (is_primary, endpoints) in
                        [(true, &group.primary), (false, &group.fallback)]
                    {
                        if endpoints.is_empty() {
                            continue;
                        }
                        let rotation_key = (i, group.dc_idx, is_primary);
-                        let start_idx = *endpoint_rotation.entry(rotation_key).or_insert(0) % endpoints.len();
+                        let start_idx =
                            *endpoint_rotation.entry(rotation_key).or_insert(0) % endpoints.len();
                        let mut next_idx = (start_idx + 1) % endpoints.len();
                        for step in 0..endpoints.len() {
@@ -1544,8 +1740,7 @@ impl UpstreamManager {
            return None;
        }
-        UpstreamState::dc_array_idx(dc_idx)
+        UpstreamState::dc_array_idx(dc_idx).map(|idx| guard[0].dc_ip_pref[idx])
            .map(|idx| guard[0].dc_ip_pref[idx])
    }
    /// Get preferred DC address based on config preference
@@ -1566,6 +1761,12 @@ impl UpstreamManager {
 #[cfg(test)]
 mod tests {
    use super::*;
    use std::sync::Arc;
    use crate::stats::Stats;
    const TEST_SHADOWSOCKS_URL: &str =
        "ss://2022-blake3-aes-256-gcm:MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDE=@127.0.0.1:8388";
    #[test]
    fn required_healthy_group_count_applies_three_group_threshold() {
@@ -1596,15 +1797,18 @@ mod tests {
        assert!(dc2.primary.iter().all(|addr| addr.is_ipv6()));
        assert!(dc2.fallback.iter().all(|addr| addr.is_ipv4()));
-        assert!(dc2
+        assert!(
-            .primary
+            dc2.primary
-            .contains(&"[2001:db8::10]:443".parse::<SocketAddr>().unwrap()));
+                .contains(&"[2001:db8::10]:443".parse::<SocketAddr>().unwrap())
-        assert!(dc2
+        );
-            .fallback
+        assert!(
-            .contains(&"203.0.113.10:443".parse::<SocketAddr>().unwrap()));
+            dc2.fallback
-        assert!(dc2
+                .contains(&"203.0.113.10:443".parse::<SocketAddr>().unwrap())
-            .fallback
+        );
-            .contains(&"203.0.113.11:443".parse::<SocketAddr>().unwrap()));
+        assert!(
            dc2.fallback
                .contains(&"203.0.113.11:443".parse::<SocketAddr>().unwrap())
        );
    }
    #[test]
@@ -1626,12 +1830,14 @@ mod tests {
            .expect("override-only dc group must be present");
        assert_eq!(dc9.primary.len(), 2);
-        assert!(dc9
+        assert!(
-            .primary
+            dc9.primary
-            .contains(&"198.51.100.1:443".parse::<SocketAddr>().unwrap()));
+                .contains(&"198.51.100.1:443".parse::<SocketAddr>().unwrap())
-        assert!(dc9
+        );
-            .primary
+        assert!(
-            .contains(&"198.51.100.2:443".parse::<SocketAddr>().unwrap()));
+            dc9.primary
                .contains(&"198.51.100.2:443".parse::<SocketAddr>().unwrap())
        );
        assert!(dc9.fallback.is_empty());
    }
@@ -1678,4 +1884,36 @@ mod tests {
        assert_eq!(bind, None);
    }
    #[test]
    fn api_snapshot_reports_shadowsocks_as_sanitized_route() {
        let manager = UpstreamManager::new(
            vec![UpstreamConfig {
                upstream_type: UpstreamType::Shadowsocks {
                    url: TEST_SHADOWSOCKS_URL.to_string(),
                    interface: None,
                },
                weight: 2,
                enabled: true,
                scopes: String::new(),
                selected_scope: String::new(),
            }],
            1,
            100,
            1000,
            1,
            false,
            Arc::new(Stats::new()),
        );
        let snapshot = manager.try_api_snapshot().expect("snapshot");
        assert_eq!(snapshot.summary.configured_total, 1);
        assert_eq!(snapshot.summary.shadowsocks_total, 1);
        assert_eq!(snapshot.upstreams.len(), 1);
        assert_eq!(
            snapshot.upstreams[0].route_kind,
            UpstreamRouteKind::Shadowsocks
        );
        assert_eq!(snapshot.upstreams[0].address, "127.0.0.1:8388");
    }
 }
Author	SHA1	Message	Date
Maxim Myalin	8c884fe891	Merge `062464175e` into `f230f2ce0e`	2026-03-19 01:13:48 +03:00
Alexey	f230f2ce0e	Merge pull request #486 from telemt/code-of-conduct Create CODE_OF_CONDUCT.md	2026-03-19 00:59:50 +03:00
Alexey	bdac6e3480	Create CODE_OF_CONDUCT.md	2026-03-19 00:59:37 +03:00
Alexey	a4e9746dc7	Merge pull request #485 from Dimasssss/patch-3 Update install.sh	2026-03-19 00:43:14 +03:00
Dimasssss	c47495d671	Update install.sh Вернул старый функционал + добавил новый: - Вернул автоматическое создание конфига с секретом - Вернул автоматическое создание службы - Добавил удаление службы и telemt через `install.sh uninstall` - Полное удаление вместе с конфигом через `install.sh --purge` - Добавил установку нужной версии `install.sh 3.3.15`	2026-03-19 00:36:02 +03:00
Alexey	5ae3a90d5e	Merge pull request #483 from Dimasssss/patch-1 Update CONFIG_PARAMS.en.md	2026-03-18 23:02:33 +03:00
Dimasssss	1935455256	Update CONFIG_PARAMS.en.md	2026-03-18 18:20:23 +03:00
Maxim Myalin	062464175e	Merge branch 'main' into feat/shadowsocks-upstream	2026-03-18 12:38:23 +03:00
Maxim Myalin	a5983c17d3	Add Docker build context ignore file	2026-03-18 12:36:48 +03:00
Maxim Myalin	def42f0baa	Add Shadowsocks upstream support	2026-03-18 12:36:44 +03:00