Merge pull request #677 from xaosproxy/feat/rst-on-close

feat: add configurable RST-on-close mode for client sockets
Merge pull request #678 from avbor/main
2026-06-19 01:11:09 +03:00 · 2026-04-11 10:35:16 +03:00 · 2026-04-11 10:34:05 +03:00 · 2026-04-10 20:37:09 +03:00 · 2026-04-10 20:34:43 +03:00 · 2026-04-10 15:49:29 +03:00
108 changed files with 20776 additions and 2916 deletions
@@ -0,0 +1,16 @@
+# These are supported funding model platforms
+
+github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
+polar: # Replace with a single Polar username
+buy_me_a_coffee: # Replace with a single Buy Me a Coffee username
+thanks_dev: # Replace with a single thanks.dev username
+custom:
+  - https://nowpayments.io/donation?api_key=2bf1afd2-abc2-49f9-a012-f1e715b37223
@@ -0,0 +1,126 @@
+# Architecture Directives
+
+> Companion to `Agents.md`. These are **activation directives**, not tutorials.
+> You already know these patterns — apply them. When making any structural or
+> design decision, run the relevant section below as a checklist.
+
+---
+
+## 1. Active Principles (always on)
+
+Apply these on every non-trivial change. No exceptions.
+
+- **SRP** — one reason to change per component. If you can't name the responsibility in one noun phrase, split it.
+- **OCP** — extend by adding, not by modifying. New variants/impls over patching existing logic.
+- **ISP** — traits stay minimal. More than ~5 methods is a split signal.
+- **DIP** — high-level modules depend on traits, not concrete types. Infrastructure implements domain traits; it does not own domain logic.
+- **DRY** — one authoritative source per piece of knowledge. Copies are bugs that haven't diverged yet.
+- **YAGNI** — generic parameters, extension hooks, and pluggable strategies require an *existing* concrete use case, not a hypothetical one.
+- **KISS** — two equivalent designs: choose the one with fewer concepts. Justify complexity; never assume it.
+
+---
+
+## 2. Layered Architecture
+
+Dependencies point **inward only**: `Presentation → Application → Domain ← Infrastructure`.
+
+- Domain layer: zero I/O. No network, no filesystem, no async runtime imports.
+- Infrastructure: implements domain traits at the boundary. Never leaks SDK/wire types inward.
+- Anti-Corruption Layer (ACL): all third-party and external-protocol types are translated here. If the external format changes, only the ACL changes.
+- Presentation: translates wire/HTTP representations to domain types and back. Nothing else.
+
+---
+
+## 3. Design Pattern Selection
+
+Apply the right pattern. Do not invent a new abstraction when a named pattern fits.
+
+| Situation | Pattern to apply |
+|---|---|
+| Struct with 3+ optional/dependent fields | **Builder** — `build()` returns `Result`, never panics |
+| Cross-cutting behavior (logging, retry, metrics) on a trait impl | **Decorator** — implements same trait, delegates all calls |
+| Subsystem with multiple internal components | **Façade** — single public entry point, internals are `pub(crate)` |
+| Swappable algorithm or policy | **Strategy** — trait injection; generics for compile-time, `dyn` for runtime |
+| Component notifying decoupled consumers | **Observer** — typed channels (`broadcast`, `watch`), not callback `Vec<Box<dyn Fn>>` |
+| Exclusive mutable state serving concurrent callers | **Actor** — `mpsc` command channel + `oneshot` reply; no lock needed on state |
+| Finite state with invalid transition prevention | **Typestate** — distinct types per state; invalid ops are compile errors |
+| Fixed process skeleton with overridable steps | **Template Method** — defaulted trait method calls required hooks |
+| Request pipeline with independent handlers | **Chain/Middleware** — generic compile-time chain for hot paths, `dyn` for runtime assembly |
+| Hiding a concrete type behind a trait | **Factory Function** — returns `Box<dyn Trait>` or `impl Trait` |
+
+---
+
+## 4. Data Modeling Rules
+
+- **Make illegal states unrepresentable.** Type system enforces invariants; runtime validation is a second line, not the first.
+- **Newtype every primitive** that carries domain meaning. `SessionId(u64)` ≠ `UserId(u64)` — the compiler enforces it.
+- **Enums over booleans** for any parameter or field with two or more named states.
+- **Typed error enums** with named variants carrying full diagnostic context. `anyhow` is application-layer only; never in library code.
+- **Domain types carry no I/O concerns.** No `serde`, no codec, no DB derives on domain structs. Conversions via `From`/`TryFrom` at layer boundaries.
+
+---
+
+## 5. Concurrency Rules
+
+- Prefer message-passing over shared memory. Shared state is a fallback.
+- All channels must be **bounded**. Document the bound's rationale inline.
+- Never hold a lock across an `await` unless atomicity explicitly requires it — document why.
+- Document lock acquisition order wherever two locks are taken together.
+- Every `async fn` is cancellation-safe unless explicitly documented otherwise. Mutate shared state *after* the `await` that may be cancelled, not before.
+- High-read/low-write state: use `arc-swap` or `watch` for lock-free reads.
+
+---
+
+## 6. Error Handling Rules
+
+- Errors translated at every layer boundary — low-level errors never surface unmodified.
+- Add context at the propagation site: what operation failed and where.
+- No `unwrap()`/`expect()` in production paths without a comment proving `None`/`Err` is impossible.
+- Panics are only permitted in: tests, startup/init unrecoverable failure, and `unreachable!()` with an invariant comment.
+
+---
+
+## 7. API Design Rules
+
+- **CQS**: functions that return data must not mutate; functions that mutate return only `Result`.
+- **Least surprise**: a function does exactly what its name implies. Side effects are documented.
+- **Idempotency**: `close()`, `shutdown()`, `unregister()` called twice must not panic or error.
+- **Fallibility at the type level**: failure → `Result<T, E>`. No sentinel values.
+- **Minimal public surface**: default to `pub(crate)`. Mark `pub` only deliberate API. Re-export through a single surface in `mod.rs`.
+
+---
+
+## 8. Performance Rules (hot paths)
+
+- Annotate hot-path functions with `// HOT PATH: <throughput requirement>`.
+- Zero allocations per operation in hot paths after initialization. Preallocate in constructors, reuse buffers.
+- Pass `&[u8]` / `Bytes` slices — not `Vec<u8>`. Use `BytesMut` for reusable mutable buffers.
+- No `String` formatting in hot paths. No logging without a rate-limit or sampling gate.
+- Any allocation in a hot path gets a comment: `// ALLOC: <reason and size>`.
+
+---
+
+## 9. Testing Rules
+
+- Bug fixes require a regression test that is **red before the fix, green after**. Name it after the bug.
+- Property tests for: codec round-trips, state machine invariants, cryptographic protocol correctness.
+- No shared mutable state between tests. Each test constructs its own environment.
+- Test doubles hierarchy (simplest first): Fake → Stub → Spy → Mock. Mocks couple to implementation, not behavior — use sparingly.
+
+---
+
+## 10. Pre-Change Checklist
+
+Run this before proposing or implementing any structural decision:
+
+- [ ] Responsibility nameable in one noun phrase?
+- [ ] Layer dependencies point inward only?
+- [ ] Invalid states unrepresentable in the type system?
+- [ ] State transitions gated through a single interface?
+- [ ] All channels bounded?
+- [ ] No locks held across `await` (or documented)?
+- [ ] Errors typed and translated at layer boundaries?
+- [ ] No panics in production paths without invariant proof?
+- [ ] Hot paths annotated and allocation-free?
+- [ ] Public surface minimal — only deliberate API marked `pub`?
+- [ ] Correct pattern chosen from Section 3 table?
@@ -36,4 +36,10 @@ jobs:
            ${{ runner.os }}-cargo-

      - name: Build Release
-        run: cargo build --release --verbose
+        run: cargo build --release --verbose
+
+      - name: Upload binary artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: telemt
+          path: target/release/telemt
@@ -151,6 +151,14 @@ jobs:
          mkdir -p dist
          cp "target/${{ matrix.target }}/release/${{ env.BINARY_NAME }}" dist/telemt

+          if [ "${{ matrix.target }}" = "aarch64-unknown-linux-gnu" ]; then
+            STRIP_BIN=aarch64-linux-gnu-strip
+          else
+            STRIP_BIN=strip
+          fi
+
+          "${STRIP_BIN}" dist/telemt
+
          cd dist
          tar -czf "${{ matrix.asset }}.tar.gz" \
            --owner=0 --group=0 --numeric-owner \
@@ -279,6 +287,14 @@ jobs:
          mkdir -p dist
          cp "target/${{ matrix.target }}/release/${{ env.BINARY_NAME }}" dist/telemt

+          if [ "${{ matrix.target }}" = "aarch64-unknown-linux-musl" ]; then
+            STRIP_BIN=aarch64-linux-musl-strip
+          else
+            STRIP_BIN=strip
+          fi
+
+          "${STRIP_BIN}" dist/telemt
+
          cd dist
          tar -czf "${{ matrix.asset }}.tar.gz" \
            --owner=0 --group=0 --numeric-owner \
@@ -1,58 +0,0 @@
-# Architect Mode Rules for Telemt
-
-## Architecture Overview
-
-```mermaid
-graph TB
-    subgraph Entry
-        Client[Clients] --> Listener[TCP/Unix Listener]
-    end
-    
-    subgraph Proxy Layer
-        Listener --> ClientHandler[ClientHandler]
-        ClientHandler --> Handshake[Handshake Validator]
-        Handshake --> |Valid| Relay[Relay Layer]
-        Handshake --> |Invalid| Masking[Masking/TLS Fronting]
-    end
-    
-    subgraph Transport
-        Relay --> MiddleProxy[Middle-End Proxy Pool]
-        Relay --> DirectRelay[Direct DC Relay]
-        MiddleProxy --> TelegramDC[Telegram DCs]
-        DirectRelay --> TelegramDC
-    end
-```
-
-## Module Dependencies
- [`src/main.rs`](src/main.rs) - Entry point, spawns all async tasks
- [`src/config/`](src/config/) - Configuration loading with auto-migration
- [`src/error.rs`](src/error.rs) - Error types, must be used by all modules
- [`src/crypto/`](src/crypto/) - AES, SHA, random number generation
- [`src/protocol/`](src/protocol/) - MTProto constants, frame encoding, obfuscation
- [`src/stream/`](src/stream/) - Stream wrappers, buffer pool, frame codecs
- [`src/proxy/`](src/proxy/) - Client handling, handshake, relay logic
- [`src/transport/`](src/transport/) - Upstream management, middle-proxy, SOCKS support
- [`src/stats/`](src/stats/) - Statistics and replay protection
- [`src/ip_tracker.rs`](src/ip_tracker.rs) - Per-user IP tracking
-
-## Key Architectural Constraints
-
-### Middle-End Proxy Mode
- Requires public IP on interface OR 1:1 NAT with STUN probing
- Uses separate `proxy-secret` from Telegram (NOT user secrets)
- Falls back to direct mode automatically on STUN mismatch
-
-### TLS Fronting
- Invalid handshakes are transparently proxied to `mask_host`
- This is critical for DPI evasion - do not change this behavior
- `mask_unix_sock` and `mask_host` are mutually exclusive
-
-### Stream Architecture
- Buffer pool is shared globally via Arc - prevents allocation storms
- Frame codecs implement tokio-util Encoder/Decoder traits
- State machine in [`src/stream/state.rs`](src/stream/state.rs) manages stream transitions
-
-### Configuration Migration
- [`ProxyConfig::load()`](src/config/mod.rs:641) mutates config in-place
- New fields must have sensible defaults
- DC203 override is auto-injected for CDN/media support
@@ -1,23 +0,0 @@
-# Code Mode Rules for Telemt
-
-## Error Handling
- Always use [`ProxyError`](src/error.rs:168) from [`src/error.rs`](src/error.rs) for proxy operations
- [`HandshakeResult<T,R,W>`](src/error.rs:292) returns streams on bad client - these MUST be returned for masking, never dropped
- Use [`Recoverable`](src/error.rs:110) trait to check if errors are retryable
-
-## Configuration Changes
- [`ProxyConfig::load()`](src/config/mod.rs:641) auto-mutates config - new fields should have defaults
- DC203 override is auto-injected if missing - do not remove this behavior
- When adding config fields, add migration logic in [`ProxyConfig::load()`](src/config/mod.rs:641)
-
-## Crypto Code
- [`SecureRandom`](src/crypto/random.rs) from [`src/crypto/random.rs`](src/crypto/random.rs) must be used for all crypto operations
- Never use `rand::thread_rng()` directly - use the shared `Arc<SecureRandom>`
-
-## Stream Handling
- Buffer pool [`BufferPool`](src/stream/buffer_pool.rs) is shared via Arc - always use it instead of allocating
- Frame codecs in [`src/stream/frame_codec.rs`](src/stream/frame_codec.rs) implement tokio-util's Encoder/Decoder traits
-
-## Testing
- Tests are inline in modules using `#[cfg(test)]`
- Use `cargo test --lib <module_name>` to run tests for specific modules
@@ -1,27 +0,0 @@
-# Debug Mode Rules for Telemt
-
-## Logging
- `RUST_LOG` environment variable takes absolute priority over all config log levels
- Log levels: `trace`, `debug`, `info`, `warn`, `error`
- Use `RUST_LOG=debug cargo run` for detailed operational logs
- Use `RUST_LOG=trace cargo run` for full protocol-level debugging
-
-## Middle-End Proxy Debugging
- Set `ME_DIAG=1` environment variable for high-precision cryptography diagnostics
- STUN probe results are logged at startup - check for mismatch between local and reflected IP
- If Middle-End fails, check `proxy_secret_path` points to valid file from https://core.telegram.org/getProxySecret
-
-## Connection Issues
- DC connectivity is logged at startup with RTT measurements
- If DC ping fails, check `dc_overrides` for custom addresses
- Use `prefer_ipv6=false` in config if IPv6 is unreliable
-
-## TLS Fronting Issues
- Invalid handshakes are proxied to `mask_host` - check this host is reachable
- `mask_unix_sock` and `mask_host` are mutually exclusive - only one can be set
- If `mask_unix_sock` is set, socket must exist before connections arrive
-
-## Common Errors
- `ReplayAttack` - client replayed a handshake nonce, potential attack
- `TimeSkew` - client clock is off, can disable with `ignore_time_skew=true`
- `TgHandshakeTimeout` - upstream DC connection failed, check network
@@ -3,50 +3,39 @@
 ## Purpose

 **Telemt exists to solve technical problems.**
+- Telemt is open to contributors who want to learn, improve and build meaningful systems together.
+- It is a place for building, testing, reasoning, documenting, and improving systems.
+- Discussions that advance this work are in scope, discussions that divert it are not.
+- Technology has consequences, responsibility is inherent.

-Telemt is open to contributors who want to learn, improve and build meaningful systems together.
+> **Absicht bestimmt die Form**

-It is a place for building, testing, reasoning, documenting, and improving systems.
-
-Discussions that advance this work are in scope. Discussions that divert it are not.
-
-Technology has consequences. Responsibility is inherent.
-
-> **Zweck bestimmt die Form.**
-
-> Purpose defines form.
+> Design follows intent

 ---

 ## Principles

 * **Technical over emotional**
-
-  Arguments are grounded in data, logs, reproducible cases, or clear reasoning.
+  - Arguments are grounded in data, logs, reproducible cases, or clear reasoning.

 * **Clarity over noise**
-
-  Communication is structured, concise, and relevant.
+  - Communication is structured, concise, and relevant.

 * **Openness with standards**
-
-  Participation is open. The work remains disciplined.
+  - Participation is open. The work remains disciplined.

 * **Independence of judgment**
-
-  Claims are evaluated on technical merit, not affiliation or posture.
+  - Claims are evaluated on technical merit, not affiliation or posture.

 * **Responsibility over capability**
-
-  Capability does not justify careless use.
+  - Capability does not justify careless use.

 * **Cooperation over friction**
-
-  Progress depends on coordination, mutual support, and honest review.
+  - Progress depends on coordination, mutual support, and honest review.

 * **Good intent, rigorous method**
-
-  Assume good intent, but require rigor.
+  - Assume good intent, but require rigor.

 > **Aussagen gelten nach ihrer Begründung.**

@@ -68,7 +57,9 @@ Participants are expected to:

 Precision is learned.

-New contributors are welcome. They are expected to grow into these standards. Existing contributors are expected to make that growth possible.
+- New contributors are welcome
+- They are expected to grow into these standards
+- Existing contributors are expected to make that growth possible

 > **Wer behauptet, belegt.**

@@ -112,7 +103,7 @@ Security is both technical and behavioral.

 ---

-## 6. Openness
+## Openness

 Telemt is open to contributors of different backgrounds, experience levels, and working styles.

@@ -148,10 +139,9 @@ Judgment should be exercised with restraint, consistency, and institutional resp

 All decisions are expected to serve the durability, clarity, and integrity of Telemt.

-> **Ordnung ist Voraussetzung der Funktion.**
-
-> Order is the precondition of function.
+> **Klarheit vor Zustimmung - Bestand vor Beifall**

+> Clarity above approval - substantiality before success
 ---

 ## Enforcement
@@ -171,42 +161,41 @@ Actions are taken to maintain function, continuity, and signal quality.

 ## Final

-Telemt is built on discipline, structure, and shared intent.
- Signal over noise.
- Facts over opinion.
- Systems over rhetoric.
+**Telemt is built on discipline, structure, and shared intent**
+- Signal over noise
+- Facts over opinion
+- Systems over rhetoric
+- Work is collective
+- Outcomes are shared
+- Responsibility is distributed
+- Precision is learned
+- Rigor is expected
+- Help is part of the work

- Work is collective.
- Outcomes are shared.
- Responsibility is distributed.
+> **Ordnung ist Voraussetzung der Freiheit**

- Precision is learned.
- Rigor is expected.
- Help is part of the work.
-
-> **Ordnung ist Voraussetzung der Freiheit.**
-
- If you contribute — contribute with care.
- If you speak — speak with substance.
- If you engage — engage constructively.
+- If you contribute — contribute with care
+- If you speak — speak with substance
+- If you engage — engage constructively

 ---

 ## After All

-Systems outlive intentions.
- What is built will be used.
- What is released will propagate.
- What is maintained will define the future state.
+Systems outlive intentions
+- What is built will be used
+- What is released will propagate
+- What is maintained will define the future state

-There is no neutral infrastructure, only infrastructure shaped well or poorly.
+There is no neutral infrastructure, only infrastructure shaped well or poorly

-> **Jedes System trägt Verantwortung.**
+> **Ordnung → Umsetzung → Ergebnis**

-> Every system carries responsibility.
+> Order → Implementation → Result

- Stability requires discipline.
- Freedom requires structure.
- Trust requires honesty.
+- Stability requires discipline
+- Freedom requires structure
+- Trust requires honesty
+
+In the end: the system reflects its contributors

-In the end: the system reflects its contributors.
@@ -183,9 +183,9 @@ dependencies = [

 [[package]]
 name = "aws-lc-sys"
-version = "0.39.0"
+version = "0.39.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1fa7e52a4c5c547c741610a2c6f123f3881e409b714cd27e6798ef020c514f0a"
+checksum = "83a25cf98105baa966497416dbd42565ce3a8cf8dbfd59803ec9ad46f3126399"
 dependencies = [
 "cc",
 "cmake",
@@ -234,16 +234,16 @@ checksum = "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af"

 [[package]]
 name = "blake3"
-version = "1.8.3"
+version = "1.8.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2468ef7d57b3fb7e16b576e8377cdbde2320c60e1491e961d11da40fc4f02a2d"
+checksum = "4d2d5991425dfd0785aed03aedcf0b321d61975c9b5b3689c774a2610ae0b51e"
 dependencies = [
 "arrayref",
 "arrayvec",
 "cc",
 "cfg-if",
 "constant_time_eq",
- "cpufeatures 0.2.17",
+ "cpufeatures 0.3.0",
 ]

 [[package]]
@@ -299,9 +299,9 @@ dependencies = [

 [[package]]
 name = "cc"
-version = "1.2.57"
+version = "1.2.58"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7a0dd1ca384932ff3641c8718a02769f1698e7563dc6974ffd03346116310423"
+checksum = "e1e928d4b69e3077709075a938a05ffbedfa53a84c8f766efbf8220bb1ff60e1"
 dependencies = [
 "find-msvc-tools",
 "jobserver",
@@ -441,9 +441,9 @@ checksum = "c8d4a3bb8b1e0c1050499d1815f5ab16d04f0959b233085fb31653fbfc9d98f9"

 [[package]]
 name = "cmake"
-version = "0.1.57"
+version = "0.1.58"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "75443c44cd6b379beb8c5b45d85d0773baf31cce901fe7bb252f4eff3008ef7d"
+checksum = "c0f78a02292a74a88ac736019ab962ece0bc380e3f977bf72e376c5d78ff0678"
 dependencies = [
 "cc",
 ]
@@ -1191,9 +1191,9 @@ checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"

 [[package]]
 name = "hyper"
-version = "1.8.1"
+version = "1.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2ab2d4f250c3d7b1c9fcdff1cece94ea4e2dfbec68614f7b87cb205f24ca9d11"
+checksum = "6299f016b246a94207e63da54dbe807655bf9e00044f73ded42c3ac5305fbcca"
 dependencies = [
 "atomic-waker",
 "bytes",
@@ -1206,7 +1206,6 @@ dependencies = [
 "httpdate",
 "itoa",
 "pin-project-lite",
- "pin-utils",
 "smallvec",
 "tokio",
 "want",
@@ -1245,7 +1244,7 @@ dependencies = [
 "libc",
 "percent-encoding",
 "pin-project-lite",
- "socket2 0.6.3",
+ "socket2",
 "tokio",
 "tower-service",
 "tracing",
@@ -1277,12 +1276,13 @@ dependencies = [

 [[package]]
 name = "icu_collections"
-version = "2.1.1"
+version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4c6b649701667bbe825c3b7e6388cb521c23d88644678e83c0c4d0a621a34b43"
+checksum = "2984d1cd16c883d7935b9e07e44071dca8d917fd52ecc02c04d5fa0b5a3f191c"
 dependencies = [
 "displaydoc",
 "potential_utf",
+ "utf8_iter",
 "yoke",
 "zerofrom",
 "zerovec",
@@ -1290,9 +1290,9 @@ dependencies = [

 [[package]]
 name = "icu_locale_core"
-version = "2.1.1"
+version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "edba7861004dd3714265b4db54a3c390e880ab658fec5f7db895fae2046b5bb6"
+checksum = "92219b62b3e2b4d88ac5119f8904c10f8f61bf7e95b640d25ba3075e6cac2c29"
 dependencies = [
 "displaydoc",
 "litemap",
@@ -1303,9 +1303,9 @@ dependencies = [

 [[package]]
 name = "icu_normalizer"
-version = "2.1.1"
+version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5f6c8828b67bf8908d82127b2054ea1b4427ff0230ee9141c54251934ab1b599"
+checksum = "c56e5ee99d6e3d33bd91c5d85458b6005a22140021cc324cea84dd0e72cff3b4"
 dependencies = [
 "icu_collections",
 "icu_normalizer_data",
@@ -1317,15 +1317,15 @@ dependencies = [

 [[package]]
 name = "icu_normalizer_data"
-version = "2.1.1"
+version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7aedcccd01fc5fe81e6b489c15b247b8b0690feb23304303a9e560f37efc560a"
+checksum = "da3be0ae77ea334f4da67c12f149704f19f81d1adf7c51cf482943e84a2bad38"

 [[package]]
 name = "icu_properties"
-version = "2.1.2"
+version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "020bfc02fe870ec3a66d93e677ccca0562506e5872c650f893269e08615d74ec"
+checksum = "bee3b67d0ea5c2cca5003417989af8996f8604e34fb9ddf96208a033901e70de"
 dependencies = [
 "icu_collections",
 "icu_locale_core",
@@ -1337,15 +1337,15 @@ dependencies = [

 [[package]]
 name = "icu_properties_data"
-version = "2.1.2"
+version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "616c294cf8d725c6afcd8f55abc17c56464ef6211f9ed59cccffe534129c77af"
+checksum = "8e2bbb201e0c04f7b4b3e14382af113e17ba4f63e2c9d2ee626b720cbce54a14"

 [[package]]
 name = "icu_provider"
-version = "2.1.1"
+version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "85962cf0ce02e1e0a629cc34e7ca3e373ce20dda4c4d7294bbd0bf1fdb59e614"
+checksum = "139c4cf31c8b5f33d7e199446eff9c1e02decfc2f0eec2c8d71f65befa45b421"
 dependencies = [
 "displaydoc",
 "icu_locale_core",
@@ -1427,14 +1427,15 @@ dependencies = [

 [[package]]
 name = "ipconfig"
-version = "0.3.2"
+version = "0.3.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b58db92f96b720de98181bbbe63c831e87005ab460c1bf306eb2622b4707997f"
+checksum = "4d40460c0ce33d6ce4b0630ad68ff63d6661961c48b6dba35e5a4d81cfb48222"
 dependencies = [
- "socket2 0.5.10",
+ "socket2",
 "widestring",
- "windows-sys 0.48.0",
- "winreg",
+ "windows-registry",
+ "windows-result",
+ "windows-sys 0.61.2",
 ]

 [[package]]
@@ -1454,9 +1455,9 @@ dependencies = [

 [[package]]
 name = "iri-string"
-version = "0.7.11"
+version = "0.7.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d8e7418f59cc01c88316161279a7f665217ae316b388e58a0d10e29f54f1e5eb"
+checksum = "25e659a4bb38e810ebc252e53b5814ff908a8c58c2a9ce2fae1bbec24cbf4e20"
 dependencies = [
 "memchr",
 "serde",
@@ -1533,10 +1534,12 @@ dependencies = [

 [[package]]
 name = "js-sys"
-version = "0.3.91"
+version = "0.3.94"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b49715b7073f385ba4bc528e5747d02e66cb39c6146efb66b781f131f0fb399c"
+checksum = "2e04e2ef80ce82e13552136fabeef8a5ed1f985a96805761cbb9a2c34e7664d9"
 dependencies = [
+ "cfg-if",
+ "futures-util",
 "once_cell",
 "wasm-bindgen",
 ]
@@ -1575,9 +1578,9 @@ checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2"

 [[package]]
 name = "libc"
-version = "0.2.183"
+version = "0.2.184"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b5b646652bf6661599e1da8901b3b9522896f01e736bad5f723fe7a3a27f899d"
+checksum = "48f5d2a454e16a5ea0f4ced81bd44e4cfc7bd3a507b61887c99fd3538b28e4af"

 [[package]]
 name = "linux-raw-sys"
@@ -1587,9 +1590,9 @@ checksum = "32a66949e030da00e8c7d4434b251670a91556f4144941d37452769c25d58a53"

 [[package]]
 name = "litemap"
-version = "0.8.1"
+version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6373607a59f0be73a39b6fe456b8192fcc3585f602af20751600e974dd455e77"
+checksum = "92daf443525c4cce67b150400bc2316076100ce0b3686209eb8cf3c31612e6f0"

 [[package]]
 name = "lock_api"
@@ -1669,9 +1672,9 @@ checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"

 [[package]]
 name = "mio"
-version = "1.1.1"
+version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a69bcab0ad47271a0234d9422b131806bf3968021e5dc9328caf2d4cd58557fc"
+checksum = "50b7e5b27aa02a74bac8c3f23f448f8d87ff11f92d3aac1a6ed369ee08cc56c1"
 dependencies = [
 "libc",
 "log",
@@ -1767,9 +1770,9 @@ dependencies = [

 [[package]]
 name = "num-conv"
-version = "0.2.0"
+version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cf97ec579c3c42f953ef76dbf8d55ac91fb219dde70e49aa4a6b7d74e9919050"
+checksum = "c6673768db2d862beb9b39a78fdcb1a69439615d5794a1be50caa9bc92c81967"

 [[package]]
 name = "num-integer"
@@ -1891,12 +1894,6 @@ version = "0.2.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a89322df9ebe1c1578d689c92318e070967d1042b512afbe49518723f4e6d5cd"

-[[package]]
-name = "pin-utils"
-version = "0.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
-
 [[package]]
 name = "pkcs8"
 version = "0.10.2"
@@ -1966,9 +1963,9 @@ checksum = "c33a9471896f1c69cecef8d20cbe2f7accd12527ce60845ff44c153bb2a21b49"

 [[package]]
 name = "potential_utf"
-version = "0.1.4"
+version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b73949432f5e2a09657003c25bca5e19a0e9c84f8058ca374f49e0ebe605af77"
+checksum = "0103b1cef7ec0cf76490e969665504990193874ea05c85ff9bab8b911d0a0564"
 dependencies = [
 "zerovec",
 ]
@@ -2009,9 +2006,9 @@ dependencies = [

 [[package]]
 name = "proptest"
-version = "1.10.0"
+version = "1.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "37566cb3fdacef14c0737f9546df7cfeadbfbc9fef10991038bf5015d0c80532"
+checksum = "4b45fcc2344c680f5025fe57779faef368840d0bd1f42f216291f0dc4ace4744"
 dependencies = [
 "bit-set",
 "bit-vec",
@@ -2045,7 +2042,7 @@ dependencies = [
 "quinn-udp",
 "rustc-hash",
 "rustls",
- "socket2 0.6.3",
+ "socket2",
 "thiserror 2.0.18",
 "tokio",
 "tracing",
@@ -2083,7 +2080,7 @@ dependencies = [
 "cfg_aliases",
 "libc",
 "once_cell",
- "socket2 0.6.3",
+ "socket2",
 "tracing",
 "windows-sys 0.60.2",
 ]
@@ -2301,9 +2298,9 @@ dependencies = [

 [[package]]
 name = "rustc-hash"
-version = "2.1.1"
+version = "2.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d"
+checksum = "94300abf3f1ae2e2b8ffb7b58043de3d399c73fa6f4b73826402a5c457614dbe"

 [[package]]
 name = "rustc_version"
@@ -2555,9 +2552,9 @@ dependencies = [

 [[package]]
 name = "serde_spanned"
-version = "1.0.4"
+version = "1.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f8bbf91e5a4d6315eee45e704372590b30e260ee83af6639d64557f51b067776"
+checksum = "6662b5879511e06e8999a8a235d848113e942c9124f211511b16466ee2995f26"
 dependencies = [
 "serde_core",
 ]
@@ -2625,7 +2622,7 @@ dependencies = [
 "serde_json",
 "serde_urlencoded",
 "shadowsocks-crypto",
- "socket2 0.6.3",
+ "socket2",
 "spin",
 "thiserror 2.0.18",
 "tokio",
@@ -2697,16 +2694,6 @@ version = "1.15.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"

-[[package]]
-name = "socket2"
-version = "0.5.10"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e22376abed350d73dd1cd119b57ffccad95b4e585a7cda43e286245ce23c0678"
-dependencies = [
- "libc",
- "windows-sys 0.52.0",
-]
-
 [[package]]
 name = "socket2"
 version = "0.6.3"
@@ -2793,7 +2780,7 @@ checksum = "7b2093cf4c8eb1e67749a6762251bc9cd836b6fc171623bd0a9d324d37af2417"

 [[package]]
 name = "telemt"
-version = "3.3.35"
+version = "3.3.39"
 dependencies = [
 "aes",
 "anyhow",
@@ -2834,7 +2821,7 @@ dependencies = [
 "sha1",
 "sha2",
 "shadowsocks",
- "socket2 0.6.3",
+ "socket2",
 "static_assertions",
 "subtle",
 "thiserror 2.0.18",
@@ -2948,9 +2935,9 @@ dependencies = [

 [[package]]
 name = "tinystr"
-version = "0.8.2"
+version = "0.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "42d3e9c45c09de15d06dd8acf5f4e0e399e85927b7f00711024eb7ae10fa4869"
+checksum = "c8323304221c2a851516f22236c5722a72eaa19749016521d6dff0824447d96d"
 dependencies = [
 "displaydoc",
 "zerovec",
@@ -2993,7 +2980,7 @@ dependencies = [
 "parking_lot",
 "pin-project-lite",
 "signal-hook-registry",
- "socket2 0.6.3",
+ "socket2",
 "tokio-macros",
 "tracing",
 "windows-sys 0.61.2",
@@ -3054,7 +3041,7 @@ dependencies = [
 "log",
 "once_cell",
 "pin-project",
- "socket2 0.6.3",
+ "socket2",
 "tokio",
 "windows-sys 0.60.2",
 ]
@@ -3078,9 +3065,9 @@ dependencies = [

 [[package]]
 name = "toml"
-version = "1.0.7+spec-1.1.0"
+version = "1.1.2+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dd28d57d8a6f6e458bc0b8784f8fdcc4b99a437936056fa122cb234f18656a96"
+checksum = "81f3d15e84cbcd896376e6730314d59fb5a87f31e4b038454184435cd57defee"
 dependencies = [
 "indexmap",
 "serde_core",
@@ -3093,27 +3080,27 @@ dependencies = [

 [[package]]
 name = "toml_datetime"
-version = "1.0.1+spec-1.1.0"
+version = "1.1.1+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9b320e741db58cac564e26c607d3cc1fdc4a88fd36c879568c07856ed83ff3e9"
+checksum = "3165f65f62e28e0115a00b2ebdd37eb6f3b641855f9d636d3cd4103767159ad7"
 dependencies = [
 "serde_core",
 ]

 [[package]]
 name = "toml_parser"
-version = "1.0.10+spec-1.1.0"
+version = "1.1.2+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7df25b4befd31c4816df190124375d5a20c6b6921e2cad937316de3fccd63420"
+checksum = "a2abe9b86193656635d2411dc43050282ca48aa31c2451210f4202550afb7526"
 dependencies = [
 "winnow",
 ]

 [[package]]
 name = "toml_writer"
-version = "1.0.7+spec-1.1.0"
+version = "1.1.1+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f17aaa1c6e3dc22b1da4b6bba97d066e354c7945cac2f7852d4e4e7ca7a6b56d"
+checksum = "756daf9b1013ebe47a8776667b466417e2d4c5679d441c26230efd9ef78692db"

 [[package]]
 name = "tower"
@@ -3310,9 +3297,9 @@ checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"

 [[package]]
 name = "uuid"
-version = "1.22.0"
+version = "1.23.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a68d3c8f01c0cfa54a75291d83601161799e4a89a39e0929f4b0354d88757a37"
+checksum = "5ac8b6f42ead25368cf5b098aeb3dc8a1a2c05a3eee8a9a1a68c640edbfc79d9"
 dependencies = [
 "getrandom 0.4.2",
 "js-sys",
@@ -3385,9 +3372,9 @@ dependencies = [

 [[package]]
 name = "wasm-bindgen"
-version = "0.2.114"
+version = "0.2.117"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6532f9a5c1ece3798cb1c2cfdba640b9b3ba884f5db45973a6f442510a87d38e"
+checksum = "0551fc1bb415591e3372d0bc4780db7e587d84e2a7e79da121051c5c4b89d0b0"
 dependencies = [
 "cfg-if",
 "once_cell",
@@ -3398,23 +3385,19 @@ dependencies = [

 [[package]]
 name = "wasm-bindgen-futures"
-version = "0.4.64"
+version = "0.4.67"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e9c5522b3a28661442748e09d40924dfb9ca614b21c00d3fd135720e48b67db8"
+checksum = "03623de6905b7206edd0a75f69f747f134b7f0a2323392d664448bf2d3c5d87e"
 dependencies = [
- "cfg-if",
- "futures-util",
 "js-sys",
- "once_cell",
 "wasm-bindgen",
- "web-sys",
 ]

 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.114"
+version = "0.2.117"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "18a2d50fcf105fb33bb15f00e7a77b772945a2ee45dcf454961fd843e74c18e6"
+checksum = "7fbdf9a35adf44786aecd5ff89b4563a90325f9da0923236f6104e603c7e86be"
 dependencies = [
 "quote",
 "wasm-bindgen-macro-support",
@@ -3422,9 +3405,9 @@ dependencies = [

 [[package]]
 name = "wasm-bindgen-macro-support"
-version = "0.2.114"
+version = "0.2.117"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "03ce4caeaac547cdf713d280eda22a730824dd11e6b8c3ca9e42247b25c631e3"
+checksum = "dca9693ef2bab6d4e6707234500350d8dad079eb508dca05530c85dc3a529ff2"
 dependencies = [
 "bumpalo",
 "proc-macro2",
@@ -3435,9 +3418,9 @@ dependencies = [

 [[package]]
 name = "wasm-bindgen-shared"
-version = "0.2.114"
+version = "0.2.117"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "75a326b8c223ee17883a4251907455a2431acc2791c98c26279376490c378c16"
+checksum = "39129a682a6d2d841b6c429d0c51e5cb0ed1a03829d8b3d1e69a011e62cb3d3b"
 dependencies = [
 "unicode-ident",
 ]
@@ -3478,9 +3461,9 @@ dependencies = [

 [[package]]
 name = "web-sys"
-version = "0.3.91"
+version = "0.3.94"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "854ba17bb104abfb26ba36da9729addc7ce7f06f5c0f90f3c391f8461cca21f9"
+checksum = "cd70027e39b12f0849461e08ffc50b9cd7688d942c1c8e3c7b22273236b4dd0a"
 dependencies = [
 "js-sys",
 "wasm-bindgen",
@@ -3592,6 +3575,17 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"

+[[package]]
+name = "windows-registry"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "02752bf7fbdcce7f2a27a742f798510f3e5ad88dbe84871e5168e2120c3d5720"
+dependencies = [
+ "windows-link",
+ "windows-result",
+ "windows-strings",
+]
+
 [[package]]
 name = "windows-result"
 version = "0.4.1"
@@ -3619,15 +3613,6 @@ dependencies = [
 "windows-targets 0.42.2",
 ]

-[[package]]
-name = "windows-sys"
-version = "0.48.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9"
-dependencies = [
- "windows-targets 0.48.5",
-]
-
 [[package]]
 name = "windows-sys"
 version = "0.52.0"
@@ -3670,21 +3655,6 @@ dependencies = [
 "windows_x86_64_msvc 0.42.2",
 ]

-[[package]]
-name = "windows-targets"
-version = "0.48.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c"
-dependencies = [
- "windows_aarch64_gnullvm 0.48.5",
- "windows_aarch64_msvc 0.48.5",
- "windows_i686_gnu 0.48.5",
- "windows_i686_msvc 0.48.5",
- "windows_x86_64_gnu 0.48.5",
- "windows_x86_64_gnullvm 0.48.5",
- "windows_x86_64_msvc 0.48.5",
-]
-
 [[package]]
 name = "windows-targets"
 version = "0.52.6"
@@ -3724,12 +3694,6 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8"

-[[package]]
-name = "windows_aarch64_gnullvm"
-version = "0.48.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8"
-
 [[package]]
 name = "windows_aarch64_gnullvm"
 version = "0.52.6"
@@ -3748,12 +3712,6 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43"

-[[package]]
-name = "windows_aarch64_msvc"
-version = "0.48.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc"
-
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.52.6"
@@ -3772,12 +3730,6 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f"

-[[package]]
-name = "windows_i686_gnu"
-version = "0.48.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e"
-
 [[package]]
 name = "windows_i686_gnu"
 version = "0.52.6"
@@ -3808,12 +3760,6 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060"

-[[package]]
-name = "windows_i686_msvc"
-version = "0.48.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406"
-
 [[package]]
 name = "windows_i686_msvc"
 version = "0.52.6"
@@ -3832,12 +3778,6 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36"

-[[package]]
-name = "windows_x86_64_gnu"
-version = "0.48.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e"
-
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.52.6"
@@ -3856,12 +3796,6 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3"

-[[package]]
-name = "windows_x86_64_gnullvm"
-version = "0.48.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc"
-
 [[package]]
 name = "windows_x86_64_gnullvm"
 version = "0.52.6"
@@ -3880,12 +3814,6 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0"

-[[package]]
-name = "windows_x86_64_msvc"
-version = "0.48.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538"
-
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.52.6"
@@ -3900,19 +3828,9 @@ checksum = "d6bbff5f0aada427a1e5a6da5f1f98158182f26556f345ac9e04d36d0ebed650"

 [[package]]
 name = "winnow"
-version = "1.0.0"
+version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a90e88e4667264a994d34e6d1ab2d26d398dcdca8b7f52bec8668957517fc7d8"
-
-[[package]]
-name = "winreg"
-version = "0.50.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "524e57b2c537c0f9b1e69f1965311ec12182b4122e45035b1508cd24d2adadb1"
-dependencies = [
- "cfg-if",
- "windows-sys 0.48.0",
-]
+checksum = "09dac053f1cd375980747450bfc7250c264eaae0583872e845c0c7cd578872b5"

 [[package]]
 name = "wit-bindgen"
@@ -4039,9 +3957,9 @@ dependencies = [

 [[package]]
 name = "yoke"
-version = "0.8.1"
+version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "72d6e5c6afb84d73944e5cedb052c4680d5657337201555f9f2a16b7406d4954"
+checksum = "abe8c5fda708d9ca3df187cae8bfb9ceda00dd96231bed36e445a1a48e66f9ca"
 dependencies = [
 "stable_deref_trait",
 "yoke-derive",
@@ -4050,9 +3968,9 @@ dependencies = [

 [[package]]
 name = "yoke-derive"
-version = "0.8.1"
+version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b659052874eb698efe5b9e8cf382204678a0086ebf46982b79d6ca3182927e5d"
+checksum = "de844c262c8848816172cef550288e7dc6c7b7814b4ee56b3e1553f275f1858e"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -4062,18 +3980,18 @@ dependencies = [

 [[package]]
 name = "zerocopy"
-version = "0.8.47"
+version = "0.8.48"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "efbb2a062be311f2ba113ce66f697a4dc589f85e78a4aea276200804cea0ed87"
+checksum = "eed437bf9d6692032087e337407a86f04cd8d6a16a37199ed57949d415bd68e9"
 dependencies = [
 "zerocopy-derive",
 ]

 [[package]]
 name = "zerocopy-derive"
-version = "0.8.47"
+version = "0.8.48"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0e8bc7269b54418e7aeeef514aa68f8690b8c0489a06b0136e5f57c4c5ccab89"
+checksum = "70e3cd084b1788766f53af483dd21f93881ff30d7320490ec3ef7526d203bad4"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -4082,18 +4000,18 @@ dependencies = [

 [[package]]
 name = "zerofrom"
-version = "0.1.6"
+version = "0.1.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "50cc42e0333e05660c3587f3bf9d0478688e15d870fab3346451ce7f8c9fbea5"
+checksum = "69faa1f2a1ea75661980b013019ed6687ed0e83d069bc1114e2cc74c6c04c4df"
 dependencies = [
 "zerofrom-derive",
 ]

 [[package]]
 name = "zerofrom-derive"
-version = "0.1.6"
+version = "0.1.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502"
+checksum = "11532158c46691caf0f2593ea8358fed6bbf68a0315e80aae9bd41fbade684a1"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -4123,9 +4041,9 @@ dependencies = [

 [[package]]
 name = "zerotrie"
-version = "0.2.3"
+version = "0.2.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2a59c17a5562d507e4b54960e8569ebee33bee890c70aa3fe7b97e85a9fd7851"
+checksum = "0f9152d31db0792fa83f70fb2f83148effb5c1f5b8c7686c3459e361d9bc20bf"
 dependencies = [
 "displaydoc",
 "yoke",
@@ -4134,9 +4052,9 @@ dependencies = [

 [[package]]
 name = "zerovec"
-version = "0.11.5"
+version = "0.11.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6c28719294829477f525be0186d13efa9a3c602f7ec202ca9e353d310fb9a002"
+checksum = "90f911cbc359ab6af17377d242225f4d75119aec87ea711a880987b18cd7b239"
 dependencies = [
 "yoke",
 "zerofrom",
@@ -4145,9 +4063,9 @@ dependencies = [

 [[package]]
 name = "zerovec-derive"
-version = "0.11.2"
+version = "0.11.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eadce39539ca5cb3985590102671f2567e659fca9666581ad3411d59207951f3"
+checksum = "625dc425cab0dca6dc3c3319506e6593dcb08a9f387ea3b284dbd52a92c40555"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -1,6 +1,6 @@
 [package]
 name = "telemt"
-version = "3.3.36"
+version = "3.3.39"
 edition = "2024"

 [features]
@@ -1,4 +1,4 @@
-###### TELEMT Public License 3 ######
+######## TELEMT LICENSE 3.3 #########
 ##### Copyright (c) 2026 Telemt #####

 Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -14,11 +14,15 @@ are preserved and complied with.
 The canonical version of this License is the English version.
 Official translations are provided for informational purposes only
 and for convenience, and do not have legal force. In case of any
-discrepancy, the English version of this License shall prevail.
-Available versions:
- English in Markdown: docs/LICENSE/LICENSE.md
- German: docs/LICENSE/LICENSE.de.md
- Russian: docs/LICENSE/LICENSE.ru.md
+discrepancy, the English version of this License shall prevail
+
+/----------------------------------------------------------\
+| Language    | Location                                   |
+|-------------|--------------------------------------------|
+| English     | docs/LICENSE/TELEMT-LICENSE.en.md          |
+| German      | docs/LICENSE/TELEMT-LICENSE.de.md          |
+| Russian     | docs/LICENSE/TELEMT-LICENSE.ru.md          |
+\----------------------------------------------------------/

 ### License Versioning Policy

@@ -1,182 +1,54 @@
 # Telemt - MTProxy on Rust + Tokio

+![Latest Release](https://img.shields.io/github/v/release/telemt/telemt?color=neon) ![Stars](https://img.shields.io/github/stars/telemt/telemt?style=social) ![Forks](https://img.shields.io/github/forks/telemt/telemt?style=social) [![Telegram](https://img.shields.io/badge/Telegram-Chat-24a1de?logo=telegram&logoColor=24a1de)](https://t.me/telemtrs)
+
 ***Löst Probleme, bevor andere überhaupt wissen, dass sie existieren*** / ***It solves problems before others even realize they exist***

-[**Telemt Chat in Telegram**](https://t.me/telemtrs)
+> [!NOTE]
+>
+> Fixed TLS ClientHello is now available in official clients for Desktop / Android / iOS
+>
+> To work with EE-MTProxy, please update your client!

-**Telemt** is a fast, secure, and feature-rich server written in Rust: it fully implements the official Telegram proxy algo and adds many production-ready improvements such as:
- [ME Pool + Reader/Writer + Registry + Refill + Adaptive Floor + Trio-State + Generation Lifecycle](https://github.com/telemt/telemt/blob/main/docs/model/MODEL.en.md)
- [Full-covered API w/ management](https://github.com/telemt/telemt/blob/main/docs/API.md)
- Anti-Replay on Sliding Window
- Prometheus-format Metrics
- TLS-Fronting and TCP-Splicing for masking from "prying" eyes
+<p align="center">
+  <a href="https://t.me/telemtrs">
+    <img src="/docs/assets/telegram_button.svg" width="150"/>
+  </a>
+</p>

-⚓ Our implementation of **TLS-fronting** is one of the most deeply debugged, focused, advanced and *almost* **"behaviorally consistent to real"**:  we are confident we have it right - [see evidence on our validation and traces](#recognizability-for-dpi-and-crawler)
+**Telemt** is a fast, secure, and feature-rich server written in Rust: it fully implements the official Telegram proxy algo and adds many production-ready improvements

-⚓ Our ***Middle-End Pool*** is fastest by design in standard scenarios, compared to other implementations of connecting to the Middle-End Proxy: non dramatically, but usual
+### One-command Install and Update
+```bash
+curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh
+```
+- [Quick Start Guide](docs/Quick_start/QUICK_START_GUIDE.en.md)
+- [Инструкция по быстрому запуску](docs/Quick_start/QUICK_START_GUIDE.ru.md)
+
+Our implementation of **TLS-fronting** is one of the most deeply debugged, focused, advanced and *almost* **"behaviorally consistent to real"**:  we are confident we have it right - [see evidence on our validation and traces](docs/FAQ.en.md#recognizability-for-dpi-and-crawler)
+
+Our ***Middle-End Pool*** is fastest by design in standard scenarios, compared to other implementations of connecting to the Middle-End Proxy: non dramatically, but usual

 - Full support for all official MTProto proxy modes:
-  - Classic
-  - Secure - with `dd` prefix
-  - Fake TLS - with `ee` prefix + SNI fronting
- Replay attack protection
- Optional traffic masking: forward unrecognized connections to a real web server, e.g. GitHub 🤪
- Configurable keepalives + timeouts + IPv6 and "Fast Mode"
- Graceful shutdown on Ctrl+C
- Extensive logging via `trace` and `debug` with `RUST_LOG` method
-
-# GOTO
- [Quick Start Guide](#quick-start-guide)
- [FAQ](#faq)
-  - [Recognizability for DPI and crawler](#recognizability-for-dpi-and-crawler)
-    - [Client WITH secret-key accesses the MTProxy resource:](#client-with-secret-key-accesses-the-mtproxy-resource)
-    - [Client WITHOUT secret-key gets transparent access to the specified resource:](#client-without-secret-key-gets-transparent-access-to-the-specified-resource)
-  - [Telegram Calls via MTProxy](#telegram-calls-via-mtproxy)
-  - [How does DPI see MTProxy TLS?](#how-does-dpi-see-mtproxy-tls)
-  - [Whitelist on IP](#whitelist-on-ip)
-  - [Too many open files](#too-many-open-files)
- [Build](#build)
- [Why Rust?](#why-rust)
- [Issues](#issues)
- [Roadmap](#roadmap)
-
-
-## Quick Start Guide
- [Quick Start Guide RU](docs/QUICK_START_GUIDE.ru.md)
- [Quick Start Guide EN](docs/QUICK_START_GUIDE.en.md)
+  - Classic;
+  - Secure - with `dd` prefix;
+  - Fake TLS - with `ee` prefix + SNI fronting;
+- Replay attack protection;
+- Optional traffic masking: forward unrecognized connections to a real web server, e.g. GitHub 🤪;
+- Configurable keepalives + timeouts + IPv6 and "Fast Mode";
+- Graceful shutdown on Ctrl+C;
+- Extensive logging via `trace` and `debug` with `RUST_LOG` method.

 ## FAQ
-
 - [FAQ RU](docs/FAQ.ru.md)
 - [FAQ EN](docs/FAQ.en.md)

-### Recognizability for DPI and crawler
-Since version 1.1.0.0, we have debugged masking perfectly: for all clients without "presenting" a key, 
-we transparently direct traffic to the target host!
-
- We consider this a breakthrough aspect, which has no stable analogues today
- Based on this: if `telemt` configured correctly, **TLS mode is completely identical to real-life handshake + communication** with a specified host
- Here is our evidence:
-    - 212.220.88.77 - "dummy" host, running `telemt`
-    - `petrovich.ru` - `tls` + `masking` host, in HEX: `706574726f766963682e7275`
-    - **No MITM + No Fake Certificates/Crypto** = pure transparent *TCP Splice* to "best" upstream: MTProxy or tls/mask-host:
-      - DPI see legitimate HTTPS to `tls_host`, including *valid chain-of-trust* and entropy
-      - Crawlers completely satisfied receiving responses from `mask_host`
-  #### Client WITH secret-key accesses the MTProxy resource:
-  
-  <img width="360" height="439" alt="telemt" src="https://github.com/user-attachments/assets/39352afb-4a11-4ecc-9d91-9e8cfb20607d" />
-  
-  #### Client WITHOUT secret-key gets transparent access to the specified resource:
-    - with trusted certificate
-    - with original handshake
-    - with full request-response way
-    - with low-latency overhead
-```bash
-root@debian:~/telemt# curl -v -I --resolve petrovich.ru:443:212.220.88.77 https://petrovich.ru/
-* Added petrovich.ru:443:212.220.88.77 to DNS cache
-* Hostname petrovich.ru was found in DNS cache
-*   Trying 212.220.88.77:443...
-* Connected to petrovich.ru (212.220.88.77) port 443 (#0)
-* ALPN: offers h2,http/1.1
-* TLSv1.3 (OUT), TLS handshake, Client hello (1):
-*  CAfile: /etc/ssl/certs/ca-certificates.crt
-*  CApath: /etc/ssl/certs
-* TLSv1.3 (IN), TLS handshake, Server hello (2):
-* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
-* TLSv1.3 (IN), TLS handshake, Certificate (11):
-* TLSv1.3 (IN), TLS handshake, CERT verify (15):
-* TLSv1.3 (IN), TLS handshake, Finished (20):
-* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
-* TLSv1.3 (OUT), TLS handshake, Finished (20):
-* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
-* ALPN: server did not agree on a protocol. Uses default.
-* Server certificate:
-*  subject: C=RU; ST=Saint Petersburg; L=Saint Petersburg; O=STD Petrovich; CN=*.petrovich.ru
-*  start date: Jan 28 11:21:01 2025 GMT
-*  expire date: Mar  1 11:21:00 2026 GMT
-*  subjectAltName: host "petrovich.ru" matched cert's "petrovich.ru"
-*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
-*  SSL certificate verify ok.
-* using HTTP/1.x
-> HEAD / HTTP/1.1
-> Host: petrovich.ru
-> User-Agent: curl/7.88.1
-> Accept: */*
-> 
-* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
-* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
-* old SSL session ID is stale, removing
-< HTTP/1.1 200 OK
-HTTP/1.1 200 OK
-< Server: Variti/0.9.3a
-Server: Variti/0.9.3a
-< Date: Thu, 01 Jan 2026 00:0000 GMT
-Date: Thu, 01 Jan 2026 00:0000 GMT
-< Access-Control-Allow-Origin: *
-Access-Control-Allow-Origin: *
-< Content-Type: text/html
-Content-Type: text/html
-< Cache-Control: no-store
-Cache-Control: no-store
-< Expires: Thu, 01 Jan 2026 00:0000 GMT
-Expires: Thu, 01 Jan 2026 00:0000 GMT
-< Pragma: no-cache
-Pragma: no-cache
-< Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
-Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
-< Content-Type: text/html
-Content-Type: text/html
-< Content-Length: 31253
-Content-Length: 31253
-< Connection: keep-alive
-Connection: keep-alive
-< Keep-Alive: timeout=60
-Keep-Alive: timeout=60
-
-< 
-* Connection #0 to host petrovich.ru left intact
-
-```
- We challenged ourselves, we kept trying and we didn't only *beat the air*: now, we have something to show you
-  - Do not just take our word for it? - This is great and we respect that: you can build your own `telemt` or download a build and check it right now
-### Telegram Calls via MTProxy
- Telegram architecture **does NOT allow calls via MTProxy**, but only via SOCKS5, which cannot be obfuscated
-### How does DPI see MTProxy TLS?
- DPI sees MTProxy in Fake TLS (ee) mode as TLS 1.3
- the SNI you specify sends both the client and the server;
- ALPN is similar to HTTP 1.1/2;
- high entropy, which is normal for AES-encrypted traffic;
-### Whitelist on IP
- MTProxy cannot work when there is: 
-  - no IP connectivity to the target host: Russian Whitelist on Mobile Networks - "Белый список"
-  - OR all TCP traffic is blocked
-  - OR high entropy/encrypted traffic is blocked: content filters at universities and critical infrastructure
-  - OR all TLS traffic is blocked
-  - OR specified port is blocked: use 443 to make it "like real"
-  - OR provided SNI is blocked: use "officially approved"/innocuous name
- like most protocols on the Internet; 
- these situations are observed:
-  - in China behind the Great Firewall
-  - in Russia on mobile networks, less in wired networks
-  - in Iran during "activity"
-### Too many open files
- On a fresh Linux install the default open file limit is low; under load `telemt` may fail with `Accept error: Too many open files`
- **Systemd**: add `LimitNOFILE=65536` to the `[Service]` section (already included in the example above)
- **Docker**: add `--ulimit nofile=65536:65536` to your `docker run` command, or in `docker-compose.yml`:
-```yaml
-ulimits:
-  nofile:
-    soft: 65536
-    hard: 65536
-```
- **System-wide** (optional): add to `/etc/security/limits.conf`:
-```
-*       soft    nofile  1048576
-*       hard    nofile  1048576
-root    soft    nofile  1048576
-root    hard    nofile  1048576
-```
-
+# Learn more about Telemt
+- [Our Architecture](docs/Architecture)
+- [All Config Options](docs/Config_params)
+- [How to build your own Telemt?](#build)
+- [Running on BSD](docs/Quick_start/OPENBSD_QUICK_START_GUIDE.en.md)
+- [Why Rust?](#why-rust)

 ## Build
 ```bash
@@ -187,9 +59,8 @@ cd telemt
 # Starting Release Build
 cargo build --release

-# Low-RAM devices (1 GB, e.g. NanoPi Neo3 / Raspberry Pi Zero 2):
-# release profile uses lto = "thin" to reduce peak linker memory.
-# If your custom toolchain overrides profiles, avoid enabling fat LTO.
+# Current release profile uses lto = "fat" for maximum optimization (see Cargo.toml).
+# On low-RAM systems (~1 GB) you can override it to "thin".

 # Move to /bin
 mv ./target/release/telemt /bin
@@ -199,12 +70,6 @@ chmod +x /bin/telemt
 telemt config.toml
 ```

-### OpenBSD
- Build and service setup guide: [OpenBSD Guide (EN)](docs/OPENBSD.en.md)
- Example rc.d script: [contrib/openbsd/telemt.rcd](contrib/openbsd/telemt.rcd)
- Status: OpenBSD sandbox hardening with `pledge(2)` and `unveil(2)` is not implemented yet.
-
-
 ## Why Rust?
 - Long-running reliability and idempotent behavior
 - Rust's deterministic resource management - RAII 
@@ -212,23 +77,26 @@ telemt config.toml
 - Memory safety and reduced attack surface
 - Tokio's asynchronous architecture

-## Issues
- ✅ [SOCKS5 as Upstream](https://github.com/telemt/telemt/issues/1) -> added Upstream Management
- ✅ [iOS - Media Upload Hanging-in-Loop](https://github.com/telemt/telemt/issues/2)
+## Support Telemt

-## Roadmap
- Public IP in links
- Config Reload-on-fly
- Bind to device or IP for outbound/inbound connections
- Adtag Support per SNI / Secret
- Fail-fast on start + Fail-soft on runtime (only WARN/ERROR)
- Zero-copy, minimal allocs on hotpath
- DC Healthchecks + global fallback
- No global mutable state
- Client isolation + Fair Bandwidth
- Backpressure-aware IO
- "Secret Policy" - SNI / Secret Routing :D
- Multi-upstream Balancer and Failover
- Strict FSM per handshake
- Session-based Antireplay with Sliding window, non-broking reconnects
- Web Control: statistic, state of health, latency, client experience...
+Telemt is free, open-source, and built in personal time.
+If it helps you — consider supporting continued development.
+
+Any cryptocurrency (BTC, ETH, USDT, 350+ coins):
+
+<p align="center">
+  <a href="https://nowpayments.io/donation?api_key=2bf1afd2-abc2-49f9-a012-f1e715b37223" target="_blank" rel="noreferrer noopener">
+    <img src="https://nowpayments.io/images/embeds/donation-button-white.svg" alt="Cryptocurrency & Bitcoin donation button by NOWPayments" height="80">
+  </a>
+</p>
+
+Monero (XMR) directly:
+
+```
+8Bk4tZEYPQWSypeD2hrUXG2rKbAKF16GqEN942ZdAP5cFdSqW6h4DwkP5cJMAdszzuPeHeHZPTyjWWFwzeFdjuci3ktfMoB
+```
+
+All donations go toward infrastructure, development, and research.
+
+
+![telemt_scheme](docs/assets/telemt.png)
@@ -0,0 +1,90 @@
+# Telemt — MTProxy на Rust + Tokio
+
+![Latest Release](https://img.shields.io/github/v/release/telemt/telemt?color=neon) ![Stars](https://img.shields.io/github/stars/telemt/telemt?style=social) ![Forks](https://img.shields.io/github/forks/telemt/telemt?style=social) [![Telegram](https://img.shields.io/badge/Telegram-Chat-24a1de?logo=telegram&logoColor=24a1de)](https://t.me/telemtrs)
+
+***Решает проблемы раньше, чем другие узнают об их существовании***
+
+> [!NOTE]
+>
+> Исправленный TLS ClientHello доступен в Telegram для настольных ПК, Android и iOS.
+> 
+> Пожалуйста, обновите клиентское приложение для работы с EE-MTProxy.
+
+<p align="center">
+  <a href="https://t.me/telemtrs">
+    <img src="/docs/assets/telegram_button.svg" width="150"/>
+  </a>
+</p>
+
+**Telemt** — это быстрый, безопасный и функциональный сервер, написанный на Rust. Он полностью реализует официальный алгоритм прокси Telegram и добавляет множество улучшений для продакшена:
+
+## Установка и обновление одной командой
+
+```bash
+curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh
+```
+
+- [Инструкция по быстрому запуску](docs/Quick_start/QUICK_START_GUIDE.ru.md)
+- [Quick Start Guide](docs/Quick_start/QUICK_START_GUIDE.en.md)
+
+Реализация **TLS-fronting** максимально приближена к поведению реального HTTPS-трафика (подробнее - [FAQ](docs/FAQ.ru.md#распознаваемость-для-dpi-и-сканеров)).
+
+***Middle-End Pool*** оптимизирован для высокой производительности.
+
+- Поддержка всех режимов MTProto proxy:
+  - Classic;
+  - Secure (префикс `dd`);
+  - Fake TLS (префикс `ee` + SNI fronting);
+- Защита от replay-атак;
+- Маскировка трафика (перенаправление неизвестных подключений на реальные сайты);
+- Настраиваемые keepalive, таймауты, IPv6 и «быстрый режим»;
+- Корректное завершение работы (Ctrl+C);
+- Подробное логирование через `trace` и `debug`.
+
+# Подробнее о Telemt
+- [FAQ](#faq)
+- [Архитектура](docs/Architecture)
+- [Параметры конфигурационного файла](docs/Config_params)
+- [Сборка](#build)
+- [Установка на BSD](#%D1%83%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%BA%D0%B0-%D0%BD%D0%B0-bsd)
+- [Почему Rust?](#why-rust)
+
+## FAQ
+- [FAQ RU](docs/FAQ.ru.md)
+- [FAQ EN](docs/FAQ.en.md)
+
+## Сборка
+
+```bash
+# Клонируйте репозиторий
+git clone https://github.com/telemt/telemt 
+# Смените каталог на telemt
+cd telemt
+# Начните процесс сборки
+cargo build --release
+
+# Устройства с небольшим объёмом оперативной памяти (1 ГБ, например NanoPi Neo3 / Raspberry Pi Zero 2):
+# В текущем release-профиле используется lto = "fat" для максимальной оптимизации (см. Cargo.toml).
+# На системах с малым объёмом RAM (~1 ГБ) можно переопределить это значение на "thin".
+
+# Перейдите в каталог /bin
+mv ./target/release/telemt /bin
+# Сделайте файл исполняемым
+chmod +x /bin/telemt
+# Запустите!
+telemt config.toml
+```
+
+## Установка на BSD
+- Руководство по сборке и настройке на английском языке [OpenBSD Guide (EN)](docs/Quick_start/OPENBSD_QUICK_START_GUIDE.en.md);
+- Пример rc.d скрипта: [contrib/openbsd/telemt.rcd](contrib/openbsd/telemt.rcd);
+- Поддержка sandbox с `pledge(2)` и `unveil(2)` пока не реализована.
+
+## Почему Rust?
+- Надёжность для долгоживущих процессов;
+- Детерминированное управление ресурсами (RAII);
+- Отсутствие сборщика мусора;
+- Безопасность памяти;
+- Асинхронная архитектура Tokio.
+
+![telemt_scheme](docs/assets/telemt.png)
@@ -9,11 +9,11 @@ services:
      - "127.0.0.1:9090:9090"
      - "127.0.0.1:9091:9091"
    # Allow caching 'proxy-secret' in read-only container
-    working_dir: /run/telemt
+    working_dir: /etc/telemt
    volumes:
-      - ./config.toml:/run/telemt/config.toml:ro
+      - ./config.toml:/etc/telemt/config.toml:ro
    tmpfs:
-      - /run/telemt:rw,mode=1777,size=1m
+      - /etc/telemt:rw,mode=1777,size=4m
    environment:
      - RUST_LOG=info
    # Uncomment this line if you want to use host network for IPv6, but bridge is default and usually better
@@ -21,11 +21,12 @@ services:
    cap_drop:
      - ALL
    cap_add:
-      - NET_BIND_SERVICE   # allow binding to port 443
+      - NET_BIND_SERVICE
+      - NET_ADMIN
    read_only: true
    security_opt:
      - no-new-privileges:true
    ulimits:
      nofile:
        soft: 65536
-        hard: 65536
+        hard: 262144
@@ -0,0 +1,141 @@
+# High-Load Configuration & Tuning Guide
+When deploying Telemt under high-traffic load (tens or hundreds of thousands of concurrent connections), the standard OS network stack limits can lead to packet drops, high CPU context switching, and connection failures. This guide covers Linux kernel tuning, hardware configuration, and architecture optimizations required to prepare the server for high-load scenarios.
+
+---
+## 1. System Limits & File Descriptors
+Every TCP connection requires a file descriptor. At 100k connections, standard Linux limits (often 1024 or 65535) will be exhausted immediately.
+### System-Wide Limits (`sysctl`)
+Increase the global file descriptor limit in `/etc/sysctl.conf`:
+```ini
+fs.file-max = 2097152
+fs.nr_open = 2097152
+```
+### User-Level Limits (`limits.conf`)
+Edit `/etc/security/limits.conf` to allow the telemt (or proxy) user to allocate them:
+```conf
+* soft nofile 1048576
+* hard nofile 1048576
+root soft nofile 1048576
+root hard nofile 1048576
+```
+### Systemd / Docker Overrides
+If using **Systemd**, add to your `telemt.service`:
+```ini
+[Service]
+LimitNOFILE=1048576
+LimitNPROC=65535
+TasksMax=infinity
+```
+If using **Docker**, configure `ulimits` in `docker-compose.yaml`:
+```yaml
+services:
+  telemt:
+    ulimits:
+      nofile:
+        soft: 1048576
+        hard: 1048576
+```
+
+---
+## 2. Kernel Network Stack Tuning (`sysctl`)
+Create a dedicated file `/etc/sysctl.d/99-telemt-highload.conf` and apply it via `sysctl -p /etc/sysctl.d/99-telemt-highload.conf`.
+### 2.1 Connection Queues & SYN Flood Protection
+Increase the size of accept queues to absorb sudden connection spikes (bursts) and mitigate SYN floods:
+```ini
+net.core.somaxconn = 65535
+net.core.netdev_max_backlog = 65535
+net.ipv4.tcp_max_syn_backlog = 65535
+net.ipv4.tcp_syncookies = 1
+```
+### 2.2 Port Exhaustion & TIME-WAIT Sockets
+High churn rates lead to ephemeral port exhaustion. Expand the range and rapidly recycle closed sockets:
+```ini
+net.ipv4.ip_local_port_range = 10000 65535
+net.ipv4.tcp_fin_timeout = 15
+net.ipv4.tcp_tw_reuse = 1
+net.ipv4.tcp_max_tw_buckets = 2000000
+```
+### 2.3 TCP Keepalive (Aggressive Dead Connection Culling)
+By default, Linux keeps silent, dropped connections open for over 2 hours. This consumes memory at scale. Configure the system to detect and drop them in < 5 minutes:
+```ini
+net.ipv4.tcp_keepalive_time = 300
+net.ipv4.tcp_keepalive_intvl = 30
+net.ipv4.tcp_keepalive_probes = 5
+```
+### 2.4 TCP Buffers & Congestion Control
+Optimize memory usage per socket and switch to BBR (Bottleneck Bandwidth and Round-trip propagation time) to improve latency on lossy networks:
+```ini
+# Core buffer sizes
+net.core.rmem_default = 262144
+net.core.wmem_default = 262144
+net.core.rmem_max = 16777216
+net.core.wmem_max = 16777216
+# TCP specific buffers (min, default, max)
+net.ipv4.tcp_rmem = 4096 87380 16777216
+net.ipv4.tcp_wmem = 4096 65536 16777216
+# Enable BBR
+net.core.default_qdisc = fq
+net.ipv4.tcp_congestion_control = bbr
+```
+
+---
+## 3. Conntrack (Netfilter) Tuning
+If your server uses `iptables`, `ufw`, or `firewalld`, the Linux kernel tracks every connection state in a table (`nf_conntrack`). When this table fills up, Linux drops new packets.
+Check your current limit and usage:
+```bash
+sysctl net.netfilter.nf_conntrack_max
+sysctl net.netfilter.nf_conntrack_count
+```
+If it gets close to the limit, tune it up, and reduce the time established connections linger in the tracker:
+```ini
+# In /etc/sysctl.d/99-telemt-highload.conf
+net.netfilter.nf_conntrack_max = 2097152
+# Reduce timeout from default 5 days to 1 hour
+net.netfilter.nf_conntrack_tcp_timeout_established = 3600
+net.netfilter.nf_conntrack_tcp_timeout_time_wait = 12
+```
+*Note: Depending on your OS, you may need to run `modprobe nf_conntrack` before setting these parameters.*
+
+---
+## 4. Multi-Tier Architecture: HAProxy Setup
+For massive traffic loads, buffering Telemt behind a reverse proxy like HAProxy can help absorb connection spikes and handle basic TCP connections before handing them off.
+### HAProxy High-Load `haproxy.cfg`
+```haproxy
+global
+    # Disable detailed logging under load
+    log stdout format raw local0 err
+    # maxconn 250000
+    
+    # Buffer tuning
+    tune.bufsize 16384
+    tune.maxaccept 64
+defaults
+    log     global
+    mode    tcp
+    option  clitcpka
+    option  srvtcpka
+    timeout connect 5s
+    timeout client  1h
+    timeout server  1h
+    # Quick purge for dead peers
+    timeout client-fin 10s
+    timeout server-fin 10s
+frontend proxy_in
+    bind *:443
+    maxconn 250000
+    option tcp-smart-accept
+    default_backend telemt_backend
+backend telemt_backend
+    option tcp-smart-connect
+    # Send-Proxy-V2 to preserve Client IP for Telemt's internal logic
+    server telemt_core 10.10.10.1:443 maxconn 250000 send-proxy-v2 check inter 5s
+```
+**Important**: Telemt must be configured to process the `PROXY` protocol on port `443` for this chain to work and preserve client IPs.
+
+---
+## 5. Diagnostics & Monitoring
+When operating under load, these commands are useful for diagnostics:
+* **Checking dropped connections (Queues full)**: `netstat -s | grep "times the listen queue of a socket overflowed"`
+* **Checking Conntrack drops**: `dmesg | grep conntrack`
+* **Checking File Descriptor usage**: `cat /proc/sys/fs/file-nr`
+* **Real-time connection states**: `ss -s` (Avoid using `netstat` on heavy loads).
@@ -0,0 +1,139 @@
+# Руководство по High-Load конфигурации и тюнингу
+При развертывании Telemt под высокой нагрузкой (десятки и сотни тысяч одновременных подключений), стандартные ограничения сетевого стека ОС могут приводить к потерям пакетов, переключениям контекста CPU и отказам в соединениях. В данном руководстве описана настройка ядра Linux, системных лимитов и аппаратной конфигурации для работы в подобных сценариях.
+
+---
+## 1. Системные лимиты и файловые дескрипторы
+Каждое TCP-сосоединение требует файлового дескриптора. При 100 тысячах соединений стандартные лимиты Linux (зачастую 1024 или 65535) будут исчерпаны немедленно.
+### Общесистемные лимиты (`sysctl`)
+Увеличьте глобальный лимит файловых дескрипторов в `/etc/sysctl.conf`:
+```ini
+fs.file-max = 2097152
+fs.nr_open = 2097152
+```
+### На уровне пользователя (`limits.conf`)
+Отредактируйте `/etc/security/limits.conf`, чтобы разрешить пользователю (от которого запущен telemt) резервировать дескрипторы:
+```conf
+* soft nofile 1048576
+* hard nofile 1048576
+root soft nofile 1048576
+root hard nofile 1048576
+```
+### Переопределения для Systemd / Docker
+Если используется **Systemd**, добавьте в ваш `telemt.service`:
+```ini
+[Service]
+LimitNOFILE=1048576
+LimitNPROC=65535
+TasksMax=infinity
+```
+Если используется **Docker**, задайте `ulimits` в `docker-compose.yaml`:
+```yaml
+services:
+  telemt:
+    ulimits:
+      nofile:
+        soft: 1048576
+        hard: 1048576
+```
+
+---
+## 2. Тонкая настройка сетевого стека ядра (`sysctl`)
+Создайте выделенный файл `/etc/sysctl.d/99-telemt-highload.conf` и примените его через `sysctl -p /etc/sysctl.d/99-telemt-highload.conf`.
+### 2.1 Очереди соединений и защита от SYN-флуда
+Увеличьте размеры очередей, чтобы поглощать внезапные всплески соединений и смягчить атаки типа SYN flood:
+```ini
+net.core.somaxconn = 65535
+net.core.netdev_max_backlog = 65535
+net.ipv4.tcp_max_syn_backlog = 65535
+net.ipv4.tcp_syncookies = 1
+```
+### 2.2 Исчерпание портов и TIME-WAIT сокеты
+Высокая текучесть приводит к нехватке временных (ephemeral) портов. Расширьте диапазон портов и позвольте ядру быстро переиспользовать закрытые сокеты:
+```ini
+net.ipv4.ip_local_port_range = 10000 65535
+net.ipv4.tcp_fin_timeout = 15
+net.ipv4.tcp_tw_reuse = 1
+net.ipv4.tcp_max_tw_buckets = 2000000
+```
+### 2.3 TCP Keepalive (Агрессивная очистка мертвых соединений)
+По умолчанию Linux держит "оборванные" TCP-сессии более 2 часов. Задайте параметры для обнаружения и сброса мертвых соединений за менее чем 5 минут:
+```ini
+net.ipv4.tcp_keepalive_time = 300
+net.ipv4.tcp_keepalive_intvl = 30
+net.ipv4.tcp_keepalive_probes = 5
+```
+### 2.4 Буферы TCP и управление перегрузками (Congestion Control)
+Оптимизируйте использование памяти на сокет и переключитесь на алгоритм BBR (Bottleneck Bandwidth and Round-trip propagation time) для улучшения задержки на плохих сетях:
+```ini
+# Размеры буферов ядра (по умолчанию и макс)
+net.core.rmem_default = 262144
+net.core.wmem_default = 262144
+net.core.rmem_max = 16777216
+net.core.wmem_max = 16777216
+# Специфичные TCP буферы (min, default, max)
+net.ipv4.tcp_rmem = 4096 87380 16777216
+net.ipv4.tcp_wmem = 4096 65536 16777216
+# Включение BBR
+net.core.default_qdisc = fq
+net.ipv4.tcp_congestion_control = bbr
+```
+
+---
+## 3. Тюнинг Conntrack (Netfilter)
+Если ваш сервер использует `iptables`, `ufw` или `firewalld`, ядро вынуждено отслеживать каждое соединение в таблице состояний (`nf_conntrack`). Когда эта таблица переполняется, Linux отбрасывает новые пакеты без уведомления приложения.
+Проверьте текущие лимиты и использование:
+```bash
+sysctl net.netfilter.nf_conntrack_max
+sysctl net.netfilter.nf_conntrack_count
+```
+Если вы близки к пределу, увеличьте таблицу и заставьте ядро быстрее удалять установленные соединения. Добавьте в `/etc/sysctl.d/99-telemt-highload.conf`:
+```ini
+net.netfilter.nf_conntrack_max = 2097152
+# Снижаем таймаут с дефолтных 5 дней до 1 часа
+net.netfilter.nf_conntrack_tcp_timeout_established = 3600
+net.netfilter.nf_conntrack_tcp_timeout_time_wait = 12
+```
+*Внимание: в зависимости от ОС, вам может потребоваться выполнить `modprobe nf_conntrack` перед установкой этих параметров.*
+
+---
+## 4. Архитектура: Развертывание за HAProxy
+Для максимальных нагрузок выставление Telemt напрямую в интернет менее эффективно, чем использование оптимизированного L4-балансировщика. HAProxy эффективен в поглощении TCP атак, обработке рукопожатий и сглаживании всплесков подключений.
+### Оптимизация `haproxy.cfg` для High-Load
+```haproxy
+global
+    # Отключить детальные логи соединений под нагрузкой
+    log stdout format raw local0 err
+    maxconn 250000
+    # Тюнинг буферов и приема сокетов
+    tune.bufsize 16384
+    tune.maxaccept 64
+defaults
+    log     global
+    mode    tcp
+    option  clitcpka
+    option  srvtcpka
+    timeout connect 5s
+    timeout client  1h
+    timeout server  1h
+    # Быстрая очистка мертвых пиров
+    timeout client-fin 10s
+    timeout server-fin 10s
+frontend proxy_in
+    bind *:443
+    maxconn 250000
+    option tcp-smart-accept
+    default_backend telemt_backend
+backend telemt_backend
+    option tcp-smart-connect
+    # Send-Proxy-V2 обязателен для сохранения IP клиента внутри внутренней логики Telemt
+    server telemt_core 10.10.10.1:443 maxconn 250000 send-proxy-v2 check inter 5s
+```
+**Важно**: Telemt должен быть настроен на обработку протокола `PROXY` на порту `443`, чтобы получать оригинальные IP-адреса клиентов.
+
+---
+## 5. Диагностика
+Команды для выявления узких мест:
+* **Проверка дропов TCP (переполнение очередей)**: `netstat -s | grep "times the listen queue of a socket overflowed"`
+* **Контроль отбрасывания пакетов Conntrack**: `dmesg | grep conntrack`
+* **Проверка использования файловых дескрипторов**: `cat /proc/sys/fs/file-nr`
+* **Отображение состояния сокетов**: `ss -s` (Избегайте использования `netstat` под высокой нагрузкой).
@@ -1,448 +0,0 @@
-# Telemt Config Parameters Reference
-
-This document lists all configuration keys accepted by `config.toml`.
-
-> [!WARNING]
-> 
-> The configuration parameters detailed in this document are intended for advanced users and fine-tuning purposes. Modifying these settings without a clear understanding of their function may lead to application instability or other unexpected behavior. Please proceed with caution and at your own risk.
-
-## Top-level keys
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| include | `String` (special directive) | `null` | — | Includes another TOML file with `include = "relative/or/absolute/path.toml"`; includes are processed recursively before parsing. |
-| show_link | `"*" \| String[]` | `[]` (`ShowLink::None`) | — | Legacy top-level link visibility selector (`"*"` for all users or explicit usernames list). |
-| dc_overrides | `Map<String, String[]>` | `{}` | — | Overrides DC endpoints for non-standard DCs; key is DC id string, value is `ip:port` list. |
-| default_dc | `u8 \| null` | `null` (effective fallback: `2` in ME routing) | — | Default DC index used for unmapped non-standard DCs. |
-
-## [general]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| data_path | `String \| null` | `null` | — | Optional runtime data directory path. |
-| prefer_ipv6 | `bool` | `false` | Deprecated. Use `network.prefer`. | Deprecated legacy IPv6 preference flag migrated to `network.prefer`. |
-| fast_mode | `bool` | `true` | — | Enables fast-path optimizations for traffic processing. |
-| use_middle_proxy | `bool` | `true` | none | Enables ME transport mode; if `false`, runtime falls back to direct DC routing. |
-| proxy_secret_path | `String \| null` | `"proxy-secret"` | Path may be `null`. | Path to Telegram infrastructure proxy-secret file used by ME handshake logic. |
-| proxy_config_v4_cache_path | `String \| null` | `"cache/proxy-config-v4.txt"` | — | Optional cache path for raw `getProxyConfig` (IPv4) snapshot. |
-| proxy_config_v6_cache_path | `String \| null` | `"cache/proxy-config-v6.txt"` | — | Optional cache path for raw `getProxyConfigV6` (IPv6) snapshot. |
-| ad_tag | `String \| null` | `null` | — | Global fallback ad tag (32 hex characters). |
-| middle_proxy_nat_ip | `IpAddr \| null` | `null` | Must be a valid IP when set. | Manual public NAT IP override used as ME address material when set. |
-| middle_proxy_nat_probe | `bool` | `true` | Auto-forced to `true` when `use_middle_proxy = true`. | Enables ME NAT probing; runtime may force it on when ME mode is active. |
-| middle_proxy_nat_stun | `String \| null` | `null` | Deprecated. Use `network.stun_servers`. | Deprecated legacy single STUN server for NAT probing. |
-| middle_proxy_nat_stun_servers | `String[]` | `[]` | Deprecated. Use `network.stun_servers`. | Deprecated legacy STUN list for NAT probing fallback. |
-| stun_nat_probe_concurrency | `usize` | `8` | Must be `> 0`. | Maximum number of parallel STUN probes during NAT/public endpoint discovery. |
-| middle_proxy_pool_size | `usize` | `8` | none | Target size of active ME writer pool. |
-| middle_proxy_warm_standby | `usize` | `16` | none | Reserved compatibility field in current runtime revision. |
-| me_init_retry_attempts | `u32` | `0` | `0..=1_000_000`. | Startup retries for ME pool initialization (`0` means unlimited). |
-| me2dc_fallback | `bool` | `true` | — | Allows fallback from ME mode to direct DC when ME startup fails. |
-| me_keepalive_enabled | `bool` | `true` | none | Enables periodic ME keepalive/ping traffic. |
-| me_keepalive_interval_secs | `u64` | `8` | none | Base ME keepalive interval in seconds. |
-| me_keepalive_jitter_secs | `u64` | `2` | none | Keepalive jitter in seconds to reduce synchronized bursts. |
-| me_keepalive_payload_random | `bool` | `true` | none | Randomizes keepalive payload bytes instead of fixed zero payload. |
-| rpc_proxy_req_every | `u64` | `0` | `0` or `10..=300`. | Interval for service `RPC_PROXY_REQ` activity signals (`0` disables). |
-| me_writer_cmd_channel_capacity | `usize` | `4096` | Must be `> 0`. | Capacity of per-writer command channel. |
-| me_route_channel_capacity | `usize` | `768` | Must be `> 0`. | Capacity of per-connection ME response route channel. |
-| me_c2me_channel_capacity | `usize` | `1024` | Must be `> 0`. | Capacity of per-client command queue (client reader -> ME sender). |
-| me_c2me_send_timeout_ms | `u64` | `4000` | `0..=60000`. | Maximum wait for enqueueing client->ME commands when the per-client queue is full (`0` keeps legacy unbounded wait). |
-| me_reader_route_data_wait_ms | `u64` | `2` | `0..=20`. | Bounded wait for routing ME DATA to per-connection queue (`0` = no wait). |
-| me_d2c_flush_batch_max_frames | `usize` | `32` | `1..=512`. | Max ME->client frames coalesced before flush. |
-| me_d2c_flush_batch_max_bytes | `usize` | `131072` | `4096..=2_097_152`. | Max ME->client payload bytes coalesced before flush. |
-| me_d2c_flush_batch_max_delay_us | `u64` | `500` | `0..=5000`. | Max microsecond wait for coalescing more ME->client frames (`0` disables timed coalescing). |
-| me_d2c_ack_flush_immediate | `bool` | `true` | — | Flushes client writer immediately after quick-ack write. |
-| me_quota_soft_overshoot_bytes | `u64` | `65536` | `0..=16_777_216`. | Extra per-route quota allowance (bytes) tolerated before writer-side quota enforcement drops route data. |
-| me_d2c_frame_buf_shrink_threshold_bytes | `usize` | `262144` | `4096..=16_777_216`. | Threshold for shrinking oversized ME->client frame-aggregation buffers after flush. |
-| direct_relay_copy_buf_c2s_bytes | `usize` | `65536` | `4096..=1_048_576`. | Copy buffer size for client->DC direction in direct relay. |
-| direct_relay_copy_buf_s2c_bytes | `usize` | `262144` | `8192..=2_097_152`. | Copy buffer size for DC->client direction in direct relay. |
-| crypto_pending_buffer | `usize` | `262144` | — | Max pending ciphertext buffer per client writer (bytes). |
-| max_client_frame | `usize` | `16777216` | — | Maximum allowed client MTProto frame size (bytes). |
-| desync_all_full | `bool` | `false` | — | Emits full crypto-desync forensic logs for every event. |
-| beobachten | `bool` | `true` | — | Enables per-IP forensic observation buckets. |
-| beobachten_minutes | `u64` | `10` | Must be `> 0`. | Retention window (minutes) for per-IP observation buckets. |
-| beobachten_flush_secs | `u64` | `15` | Must be `> 0`. | Snapshot flush interval (seconds) for observation output file. |
-| beobachten_file | `String` | `"cache/beobachten.txt"` | — | Observation snapshot output file path. |
-| hardswap | `bool` | `true` | none | Enables generation-based ME hardswap strategy. |
-| me_warmup_stagger_enabled | `bool` | `true` | none | Staggers extra ME warmup dials to avoid connection spikes. |
-| me_warmup_step_delay_ms | `u64` | `500` | none | Base delay in milliseconds between warmup dial steps. |
-| me_warmup_step_jitter_ms | `u64` | `300` | none | Additional random delay in milliseconds for warmup steps. |
-| me_reconnect_max_concurrent_per_dc | `u32` | `8` | none | Limits concurrent reconnect workers per DC during health recovery. |
-| me_reconnect_backoff_base_ms | `u64` | `500` | none | Initial reconnect backoff in milliseconds. |
-| me_reconnect_backoff_cap_ms | `u64` | `30000` | none | Maximum reconnect backoff cap in milliseconds. |
-| me_reconnect_fast_retry_count | `u32` | `16` | none | Immediate retry budget before long backoff behavior applies. |
-| me_single_endpoint_shadow_writers | `u8` | `2` | `0..=32`. | Additional reserve writers for one-endpoint DC groups. |
-| me_single_endpoint_outage_mode_enabled | `bool` | `true` | — | Enables aggressive outage recovery for one-endpoint DC groups. |
-| me_single_endpoint_outage_disable_quarantine | `bool` | `true` | — | Ignores endpoint quarantine in one-endpoint outage mode. |
-| me_single_endpoint_outage_backoff_min_ms | `u64` | `250` | Must be `> 0`; also `<= me_single_endpoint_outage_backoff_max_ms`. | Minimum reconnect backoff in outage mode (ms). |
-| me_single_endpoint_outage_backoff_max_ms | `u64` | `3000` | Must be `> 0`; also `>= me_single_endpoint_outage_backoff_min_ms`. | Maximum reconnect backoff in outage mode (ms). |
-| me_single_endpoint_shadow_rotate_every_secs | `u64` | `900` | — | Periodic shadow writer rotation interval (`0` disables). |
-| me_floor_mode | `"static" \| "adaptive"` | `"adaptive"` | — | Writer floor policy mode. |
-| me_adaptive_floor_idle_secs | `u64` | `90` | — | Idle time before adaptive floor may reduce one-endpoint target. |
-| me_adaptive_floor_min_writers_single_endpoint | `u8` | `1` | `1..=32`. | Minimum adaptive writer target for one-endpoint DC groups. |
-| me_adaptive_floor_min_writers_multi_endpoint | `u8` | `1` | `1..=32`. | Minimum adaptive writer target for multi-endpoint DC groups. |
-| me_adaptive_floor_recover_grace_secs | `u64` | `180` | — | Grace period to hold static floor after activity. |
-| me_adaptive_floor_writers_per_core_total | `u16` | `48` | Must be `> 0`. | Global writer budget per logical CPU core in adaptive mode. |
-| me_adaptive_floor_cpu_cores_override | `u16` | `0` | — | Manual CPU core count override (`0` uses auto-detection). |
-| me_adaptive_floor_max_extra_writers_single_per_core | `u16` | `1` | — | Per-core max extra writers above base floor for one-endpoint DCs. |
-| me_adaptive_floor_max_extra_writers_multi_per_core | `u16` | `2` | — | Per-core max extra writers above base floor for multi-endpoint DCs. |
-| me_adaptive_floor_max_active_writers_per_core | `u16` | `64` | Must be `> 0`. | Hard cap for active ME writers per logical CPU core. |
-| me_adaptive_floor_max_warm_writers_per_core | `u16` | `64` | Must be `> 0`. | Hard cap for warm ME writers per logical CPU core. |
-| me_adaptive_floor_max_active_writers_global | `u32` | `256` | Must be `> 0`. | Hard global cap for active ME writers. |
-| me_adaptive_floor_max_warm_writers_global | `u32` | `256` | Must be `> 0`. | Hard global cap for warm ME writers. |
-| upstream_connect_retry_attempts | `u32` | `2` | Must be `> 0`. | Connect attempts for selected upstream before error/fallback. |
-| upstream_connect_retry_backoff_ms | `u64` | `100` | — | Delay between upstream connect attempts (ms). |
-| upstream_connect_budget_ms | `u64` | `3000` | Must be `> 0`. | Total wall-clock budget for one upstream connect request (ms). |
-| tg_connect | `u64` | `10` | Must be `> 0`. | Per-attempt upstream TCP connect timeout to Telegram DC (seconds). |
-| upstream_unhealthy_fail_threshold | `u32` | `5` | Must be `> 0`. | Consecutive failed requests before upstream is marked unhealthy. |
-| upstream_connect_failfast_hard_errors | `bool` | `false` | — | Skips additional retries for hard non-transient connect errors. |
-| stun_iface_mismatch_ignore | `bool` | `false` | none | Reserved compatibility flag in current runtime revision. |
-| unknown_dc_log_path | `String \| null` | `"unknown-dc.txt"` | — | File path for unknown-DC request logging (`null` disables file path). |
-| unknown_dc_file_log_enabled | `bool` | `false` | — | Enables unknown-DC file logging. |
-| log_level | `"debug" \| "verbose" \| "normal" \| "silent"` | `"normal"` | — | Runtime logging verbosity. |
-| disable_colors | `bool` | `false` | — | Disables ANSI colors in logs. |
-| me_socks_kdf_policy | `"strict" \| "compat"` | `"strict"` | — | SOCKS-bound KDF fallback policy for ME handshake. |
-| me_route_backpressure_base_timeout_ms | `u64` | `25` | Must be `> 0`. | Base backpressure timeout for route-channel send (ms). |
-| me_route_backpressure_high_timeout_ms | `u64` | `120` | Must be `>= me_route_backpressure_base_timeout_ms`. | High backpressure timeout when queue occupancy exceeds watermark (ms). |
-| me_route_backpressure_high_watermark_pct | `u8` | `80` | `1..=100`. | Queue occupancy threshold (%) for high timeout mode. |
-| me_health_interval_ms_unhealthy | `u64` | `1000` | Must be `> 0`. | Health monitor interval while writer coverage is degraded (ms). |
-| me_health_interval_ms_healthy | `u64` | `3000` | Must be `> 0`. | Health monitor interval while writer coverage is healthy (ms). |
-| me_admission_poll_ms | `u64` | `1000` | Must be `> 0`. | Poll interval for conditional-admission checks (ms). |
-| me_warn_rate_limit_ms | `u64` | `5000` | Must be `> 0`. | Cooldown for repetitive ME warning logs (ms). |
-| me_route_no_writer_mode | `"async_recovery_failfast" \| "inline_recovery_legacy" \| "hybrid_async_persistent"` | `"hybrid_async_persistent"` | — | Route behavior when no writer is immediately available. |
-| me_route_no_writer_wait_ms | `u64` | `250` | `10..=5000`. | Max wait in async-recovery failfast mode (ms). |
-| me_route_hybrid_max_wait_ms | `u64` | `3000` | `50..=60000`. | Maximum cumulative wait in hybrid no-writer mode before failfast fallback (ms). |
-| me_route_blocking_send_timeout_ms | `u64` | `250` | `0..=5000`. | Maximum wait for blocking route-channel send fallback (`0` keeps legacy unbounded wait). |
-| me_route_inline_recovery_attempts | `u32` | `3` | Must be `> 0`. | Inline recovery attempts in legacy mode. |
-| me_route_inline_recovery_wait_ms | `u64` | `3000` | `10..=30000`. | Max inline recovery wait in legacy mode (ms). |
-| fast_mode_min_tls_record | `usize` | `0` | — | Minimum TLS record size when fast-mode coalescing is enabled (`0` disables). |
-| update_every | `u64 \| null` | `300` | If set: must be `> 0`; if `null`: legacy fallback path is used. | Unified refresh interval for ME config and proxy-secret updater tasks. |
-| me_reinit_every_secs | `u64` | `900` | Must be `> 0`. | Periodic interval for zero-downtime ME reinit cycle. |
-| me_hardswap_warmup_delay_min_ms | `u64` | `1000` | Must be `<= me_hardswap_warmup_delay_max_ms`. | Lower bound for hardswap warmup dial spacing. |
-| me_hardswap_warmup_delay_max_ms | `u64` | `2000` | Must be `> 0`. | Upper bound for hardswap warmup dial spacing. |
-| me_hardswap_warmup_extra_passes | `u8` | `3` | Must be within `[0, 10]`. | Additional warmup passes after the base pass in one hardswap cycle. |
-| me_hardswap_warmup_pass_backoff_base_ms | `u64` | `500` | Must be `> 0`. | Base backoff between extra hardswap warmup passes. |
-| me_config_stable_snapshots | `u8` | `2` | Must be `> 0`. | Number of identical ME config snapshots required before apply. |
-| me_config_apply_cooldown_secs | `u64` | `300` | none | Cooldown between applied ME endpoint-map updates. |
-| me_snapshot_require_http_2xx | `bool` | `true` | — | Requires 2xx HTTP responses for applying config snapshots. |
-| me_snapshot_reject_empty_map | `bool` | `true` | — | Rejects empty config snapshots. |
-| me_snapshot_min_proxy_for_lines | `u32` | `1` | Must be `> 0`. | Minimum parsed `proxy_for` rows required to accept snapshot. |
-| proxy_secret_stable_snapshots | `u8` | `2` | Must be `> 0`. | Number of identical proxy-secret snapshots required before rotation. |
-| proxy_secret_rotate_runtime | `bool` | `true` | none | Enables runtime proxy-secret rotation from updater snapshots. |
-| me_secret_atomic_snapshot | `bool` | `true` | — | Keeps selector and secret bytes from the same snapshot atomically. |
-| proxy_secret_len_max | `usize` | `256` | Must be within `[32, 4096]`. | Upper length limit for accepted proxy-secret bytes. |
-| me_pool_drain_ttl_secs | `u64` | `90` | none | Time window where stale writers remain fallback-eligible after map change. |
-| me_instadrain | `bool` | `false` | — | Forces draining stale writers to be removed on the next cleanup tick, bypassing TTL/deadline waiting. |
-| me_pool_drain_threshold | `u64` | `128` | — | Max draining stale writers before batch force-close (`0` disables threshold cleanup). |
-| me_pool_drain_soft_evict_enabled | `bool` | `true` | — | Enables gradual soft-eviction of stale writers during drain/reinit instead of immediate hard close. |
-| me_pool_drain_soft_evict_grace_secs | `u64` | `30` | `0..=3600`. | Grace period before stale writers become soft-evict candidates. |
-| me_pool_drain_soft_evict_per_writer | `u8` | `1` | `1..=16`. | Maximum stale routes soft-evicted per writer in one eviction pass. |
-| me_pool_drain_soft_evict_budget_per_core | `u16` | `8` | `1..=64`. | Per-core budget limiting aggregate soft-eviction work per pass. |
-| me_pool_drain_soft_evict_cooldown_ms | `u64` | `5000` | Must be `> 0`. | Cooldown between consecutive soft-eviction passes (ms). |
-| me_bind_stale_mode | `"never" \| "ttl" \| "always"` | `"ttl"` | — | Policy for new binds on stale draining writers. |
-| me_bind_stale_ttl_secs | `u64` | `90` | — | TTL for stale bind allowance when stale mode is `ttl`. |
-| me_pool_min_fresh_ratio | `f32` | `0.8` | Must be within `[0.0, 1.0]`. | Minimum fresh desired-DC coverage ratio before stale writers are drained. |
-| me_reinit_drain_timeout_secs | `u64` | `120` | `0` disables force-close; if `> 0` and `< me_pool_drain_ttl_secs`, runtime bumps it to TTL. | Force-close timeout for draining stale writers (`0` keeps indefinite draining). |
-| proxy_secret_auto_reload_secs | `u64` | `3600` | Deprecated. Use `general.update_every`. | Deprecated legacy secret reload interval (fallback when `update_every` is not set). |
-| proxy_config_auto_reload_secs | `u64` | `3600` | Deprecated. Use `general.update_every`. | Deprecated legacy config reload interval (fallback when `update_every` is not set). |
-| me_reinit_singleflight | `bool` | `true` | — | Serializes ME reinit cycles across trigger sources. |
-| me_reinit_trigger_channel | `usize` | `64` | Must be `> 0`. | Trigger queue capacity for reinit scheduler. |
-| me_reinit_coalesce_window_ms | `u64` | `200` | — | Trigger coalescing window before starting reinit (ms). |
-| me_deterministic_writer_sort | `bool` | `true` | — | Enables deterministic candidate sort for writer binding path. |
-| me_writer_pick_mode | `"sorted_rr" \| "p2c"` | `"p2c"` | — | Writer selection mode for route bind path. |
-| me_writer_pick_sample_size | `u8` | `3` | `2..=4`. | Number of candidates sampled by picker in `p2c` mode. |
-| ntp_check | `bool` | `true` | — | Enables NTP drift check at startup. |
-| ntp_servers | `String[]` | `["pool.ntp.org"]` | — | NTP servers used for drift check. |
-| auto_degradation_enabled | `bool` | `true` | none | Reserved compatibility flag in current runtime revision. |
-| degradation_min_unavailable_dc_groups | `u8` | `2` | none | Reserved compatibility threshold in current runtime revision. |
-
-## [general.modes]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| classic | `bool` | `false` | — | Enables classic MTProxy mode. |
-| secure | `bool` | `false` | — | Enables secure mode. |
-| tls | `bool` | `true` | — | Enables TLS mode. |
-
-## [general.links]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| show | `"*" \| String[]` | `"*"` | — | Selects users whose tg:// links are shown at startup. |
-| public_host | `String \| null` | `null` | — | Public hostname/IP override for generated tg:// links. |
-| public_port | `u16 \| null` | `null` | — | Public port override for generated tg:// links. |
-
-## [general.telemetry]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| core_enabled | `bool` | `true` | — | Enables core hot-path telemetry counters. |
-| user_enabled | `bool` | `true` | — | Enables per-user telemetry counters. |
-| me_level | `"silent" \| "normal" \| "debug"` | `"normal"` | — | Middle-End telemetry verbosity level. |
-
-## [network]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| ipv4 | `bool` | `true` | — | Enables IPv4 networking. |
-| ipv6 | `bool` | `false` | — | Enables/disables IPv6 when set |
-| prefer | `u8` | `4` | Must be `4` or `6`. | Preferred IP family for selection (`4` or `6`). |
-| multipath | `bool` | `false` | — | Enables multipath behavior where supported. |
-| stun_use | `bool` | `true` | none | Global STUN switch; when `false`, STUN probing path is disabled. |
-| stun_servers | `String[]` | Built-in STUN list (13 hosts) | Deduplicated; empty values are removed. | Primary STUN server list for NAT/public endpoint discovery. |
-| stun_tcp_fallback | `bool` | `true` | none | Enables TCP fallback for STUN when UDP path is blocked. |
-| http_ip_detect_urls | `String[]` | `["https://ifconfig.me/ip", "https://api.ipify.org"]` | none | HTTP fallback endpoints for public IP detection when STUN is unavailable. |
-| cache_public_ip_path | `String` | `"cache/public_ip.txt"` | — | File path for caching detected public IP. |
-| dns_overrides | `String[]` | `[]` | Must match `host:port:ip`; IPv6 must be bracketed. | Runtime DNS overrides in `host:port:ip` format. |
-
-## [server]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| port | `u16` | `443` | — | Main proxy listen port. |
-| listen_addr_ipv4 | `String \| null` | `"0.0.0.0"` | — | IPv4 bind address for TCP listener. |
-| listen_addr_ipv6 | `String \| null` | `"::"` | — | IPv6 bind address for TCP listener. |
-| listen_unix_sock | `String \| null` | `null` | — | Unix socket path for listener. |
-| listen_unix_sock_perm | `String \| null` | `null` | — | Unix socket permissions in octal string (e.g., `"0666"`). |
-| listen_tcp | `bool \| null` | `null` (auto) | — | Explicit TCP listener enable/disable override. |
-| proxy_protocol | `bool` | `false` | — | Enables HAProxy PROXY protocol parsing on incoming client connections. |
-| proxy_protocol_header_timeout_ms | `u64` | `500` | Must be `> 0`. | Timeout for PROXY protocol header read/parse (ms). |
-| proxy_protocol_trusted_cidrs | `IpNetwork[]` | `[]` | — | When non-empty, only connections from these proxy source CIDRs are allowed to provide PROXY protocol headers. If empty, PROXY headers are rejected by default (security hardening). |
-| metrics_port | `u16 \| null` | `null` | — | Metrics endpoint port (enables metrics listener). |
-| metrics_listen | `String \| null` | `null` | — | Full metrics bind address (`IP:PORT`), overrides `metrics_port`. |
-| metrics_whitelist | `IpNetwork[]` | `["127.0.0.1/32", "::1/128"]` | — | CIDR whitelist for metrics endpoint access. |
-| max_connections | `u32` | `10000` | — | Max concurrent client connections (`0` = unlimited). |
-| accept_permit_timeout_ms | `u64` | `250` | `0..=60000`. | Maximum wait for acquiring a connection-slot permit before the accepted connection is dropped (`0` keeps legacy unbounded wait). |
-
-Note: When `server.proxy_protocol` is enabled, incoming PROXY protocol headers are parsed from the first bytes of the connection and the client source address is replaced with `src_addr` from the header. For security, the peer source IP (the direct connection address) is verified against `server.proxy_protocol_trusted_cidrs`; if this list is empty, PROXY headers are rejected and the connection is considered untrusted. 
-
-## [server.api]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| enabled | `bool` | `true` | — | Enables control-plane REST API. |
-| listen | `String` | `"0.0.0.0:9091"` | Must be valid `IP:PORT`. | API bind address in `IP:PORT` format. |
-| whitelist | `IpNetwork[]` | `["127.0.0.0/8"]` | — | CIDR whitelist allowed to access API. |
-| auth_header | `String` | `""` | — | Exact expected `Authorization` header value (empty = disabled). |
-| request_body_limit_bytes | `usize` | `65536` | Must be `> 0`. | Maximum accepted HTTP request body size. |
-| minimal_runtime_enabled | `bool` | `true` | — | Enables minimal runtime snapshots endpoint logic. |
-| minimal_runtime_cache_ttl_ms | `u64` | `1000` | `0..=60000`. | Cache TTL for minimal runtime snapshots (ms; `0` disables cache). |
-| runtime_edge_enabled | `bool` | `false` | — | Enables runtime edge endpoints. |
-| runtime_edge_cache_ttl_ms | `u64` | `1000` | `0..=60000`. | Cache TTL for runtime edge aggregation payloads (ms). |
-| runtime_edge_top_n | `usize` | `10` | `1..=1000`. | Top-N size for edge connection leaderboard. |
-| runtime_edge_events_capacity | `usize` | `256` | `16..=4096`. | Ring-buffer capacity for runtime edge events. |
-| read_only | `bool` | `false` | — | Rejects mutating API endpoints when enabled. |
-
-## [[server.listeners]]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| ip | `IpAddr` | — | — | Listener bind IP. |
-| announce | `String \| null` | — | — | Public IP/domain announced in proxy links (priority over `announce_ip`). |
-| announce_ip | `IpAddr \| null` | — | Deprecated. Use `announce`. | Deprecated legacy announce IP (migrated to `announce` if needed). |
-| proxy_protocol | `bool \| null` | `null` | — | Per-listener override for PROXY protocol enable flag. |
-| reuse_allow | `bool` | `false` | — | Enables `SO_REUSEPORT` for multi-instance bind sharing. |
-
-## [timeouts]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| client_handshake | `u64` | `30` | — | Client handshake timeout. |
-| relay_idle_policy_v2_enabled | `bool` | `true` | — | Enables soft/hard middle-relay client idle policy. |
-| relay_client_idle_soft_secs | `u64` | `120` | Must be `> 0`; must be `<= relay_client_idle_hard_secs`. | Soft idle threshold for middle-relay client uplink inactivity (seconds). |
-| relay_client_idle_hard_secs | `u64` | `360` | Must be `> 0`; must be `>= relay_client_idle_soft_secs`. | Hard idle threshold for middle-relay client uplink inactivity (seconds). |
-| relay_idle_grace_after_downstream_activity_secs | `u64` | `30` | Must be `<= relay_client_idle_hard_secs`. | Extra hard-idle grace after recent downstream activity (seconds). |
-| client_keepalive | `u64` | `15` | — | Client keepalive timeout. |
-| client_ack | `u64` | `90` | — | Client ACK timeout. |
-| me_one_retry | `u8` | `12` | none | Fast reconnect attempts budget for single-endpoint DC scenarios. |
-| me_one_timeout_ms | `u64` | `1200` | none | Timeout in milliseconds for each quick single-endpoint reconnect attempt. |
-
-## [censorship]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| tls_domain | `String` | `"petrovich.ru"` | — | Primary TLS domain used in fake TLS handshake profile. |
-| tls_domains | `String[]` | `[]` | — | Additional TLS domains for generating multiple links. |
-| unknown_sni_action | `"drop" \| "mask"` | `"drop"` | — | Action for TLS ClientHello with unknown/non-configured SNI. |
-| tls_fetch_scope | `String` | `""` | Value is trimmed during load; empty keeps default upstream routing behavior. | Upstream scope tag used for TLS-front metadata fetches. |
-| tls_fetch | `Table` | built-in defaults | See `[censorship.tls_fetch]` section below. | TLS-front metadata fetch strategy settings. |
-| mask | `bool` | `true` | — | Enables masking/fronting relay mode. |
-| mask_host | `String \| null` | `null` | — | Upstream mask host for TLS fronting relay. |
-| mask_port | `u16` | `443` | — | Upstream mask port for TLS fronting relay. |
-| mask_unix_sock | `String \| null` | `null` | — | Unix socket path for mask backend instead of TCP host/port. |
-| fake_cert_len | `usize` | `2048` | — | Length of synthetic certificate payload when emulation data is unavailable. |
-| tls_emulation | `bool` | `true` | — | Enables certificate/TLS behavior emulation from cached real fronts. |
-| tls_front_dir | `String` | `"tlsfront"` | — | Directory path for TLS front cache storage. |
-| server_hello_delay_min_ms | `u64` | `0` | — | Minimum server_hello delay for anti-fingerprint behavior (ms). |
-| server_hello_delay_max_ms | `u64` | `0` | — | Maximum server_hello delay for anti-fingerprint behavior (ms). |
-| tls_new_session_tickets | `u8` | `0` | — | Number of `NewSessionTicket` messages to emit after handshake. |
-| tls_full_cert_ttl_secs | `u64` | `90` | — | TTL for sending full cert payload per (domain, client IP) tuple. |
-| alpn_enforce | `bool` | `true` | — | Enforces ALPN echo behavior based on client preference. |
-| mask_proxy_protocol | `u8` | `0` | — | PROXY protocol mode for mask backend (`0` disabled, `1` v1, `2` v2). |
-| mask_shape_hardening | `bool` | `true` | — | Enables client->mask shape-channel hardening by applying controlled tail padding to bucket boundaries on mask relay shutdown. |
-| mask_shape_hardening_aggressive_mode | `bool` | `false` | Requires `mask_shape_hardening = true`. | Opt-in aggressive shaping profile: allows shaping on backend-silent non-EOF paths and switches above-cap blur to strictly positive random tail. |
-| mask_shape_bucket_floor_bytes | `usize` | `512` | Must be `> 0`; should be `<= mask_shape_bucket_cap_bytes`. | Minimum bucket size used by shape-channel hardening. |
-| mask_shape_bucket_cap_bytes | `usize` | `4096` | Must be `>= mask_shape_bucket_floor_bytes`. | Maximum bucket size used by shape-channel hardening; traffic above cap is not padded further. |
-| mask_shape_above_cap_blur | `bool` | `false` | Requires `mask_shape_hardening = true`; requires `mask_shape_above_cap_blur_max_bytes > 0`. | Adds bounded randomized tail bytes even when forwarded size already exceeds cap. |
-| mask_shape_above_cap_blur_max_bytes | `usize` | `512` | Must be `<= 1048576`; must be `> 0` when `mask_shape_above_cap_blur = true`. | Maximum randomized extra bytes appended above cap. |
-| mask_relay_max_bytes | `usize` | `5242880` | Must be `> 0`; must be `<= 67108864`. | Maximum relayed bytes per direction on unauthenticated masking fallback path. |
-| mask_classifier_prefetch_timeout_ms | `u64` | `5` | Must be within `[5, 50]`. | Timeout budget (ms) for extending fragmented initial classifier window on masking fallback. |
-| mask_timing_normalization_enabled | `bool` | `false` | Requires `mask_timing_normalization_floor_ms > 0`; requires `ceiling >= floor`. | Enables timing envelope normalization on masking outcomes. |
-| mask_timing_normalization_floor_ms | `u64` | `0` | Must be `> 0` when timing normalization is enabled; must be `<= ceiling`. | Lower bound (ms) for masking outcome normalization target. |
-| mask_timing_normalization_ceiling_ms | `u64` | `0` | Must be `>= floor`; must be `<= 60000`. | Upper bound (ms) for masking outcome normalization target. |
-
-## [censorship.tls_fetch]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| profiles | `("modern_chrome_like" \| "modern_firefox_like" \| "compat_tls12" \| "legacy_minimal")[]` | `["modern_chrome_like", "modern_firefox_like", "compat_tls12", "legacy_minimal"]` | Empty list falls back to defaults; values are deduplicated preserving order. | Ordered ClientHello profile fallback chain for TLS-front metadata fetch. |
-| strict_route | `bool` | `true` | — | Fails closed on upstream-route connect errors instead of falling back to direct TCP when route is configured. |
-| attempt_timeout_ms | `u64` | `5000` | Must be `> 0`. | Timeout budget per one TLS-fetch profile attempt (ms). |
-| total_budget_ms | `u64` | `15000` | Must be `> 0`. | Total wall-clock budget across all TLS-fetch attempts (ms). |
-| grease_enabled | `bool` | `false` | — | Enables GREASE-style random values in selected ClientHello extensions for fetch traffic. |
-| deterministic | `bool` | `false` | — | Enables deterministic ClientHello randomness for debugging/tests. |
-| profile_cache_ttl_secs | `u64` | `600` | `0` disables cache. | TTL for winner-profile cache entries used by TLS fetch path. |
-
-### Shape-channel hardening notes (`[censorship]`)
-
-These parameters are designed to reduce one specific fingerprint source during masking: the exact number of bytes sent from proxy to `mask_host` for invalid or probing traffic.
-
-Without hardening, a censor can often correlate probe input length with backend-observed length very precisely (for example: `5 + body_sent` on early TLS reject paths). That creates a length-based classifier signal.
-
-When `mask_shape_hardening = true`, Telemt pads the **client->mask** stream tail to a bucket boundary at relay shutdown:
-
- Total bytes sent to mask are first measured.
- A bucket is selected using powers of two starting from `mask_shape_bucket_floor_bytes`.
- Padding is added only if total bytes are below `mask_shape_bucket_cap_bytes`.
- If bytes already exceed cap, no extra padding is added.
-
-This means multiple nearby probe sizes collapse into the same backend-observed size class, making active classification harder.
-
-What each parameter changes in practice:
-
- `mask_shape_hardening`
-	Enables or disables this entire length-shaping stage on the fallback path.
-	When `false`, backend-observed length stays close to the real forwarded probe length.
-	When `true`, clean relay shutdown can append random padding bytes to move the total into a bucket.
-
- `mask_shape_bucket_floor_bytes`
-	Sets the first bucket boundary used for small probes.
-	Example: with floor `512`, a malformed probe that would otherwise forward `37` bytes can be expanded to `512` bytes on clean EOF.
-	Larger floor values hide very small probes better, but increase egress cost.
-
- `mask_shape_bucket_cap_bytes`
-	Sets the largest bucket Telemt will pad up to with bucket logic.
-	Example: with cap `4096`, a forwarded total of `1800` bytes may be padded to `2048` or `4096` depending on the bucket ladder, but a total already above `4096` will not be bucket-padded further.
-	Larger cap values increase the range over which size classes are collapsed, but also increase worst-case overhead.
-
- Clean EOF matters in conservative mode
-	In the default profile, shape padding is intentionally conservative: it is applied on clean relay shutdown, not on every timeout/drip path.
-	This avoids introducing new timeout-tail artifacts that some backends or tests interpret as a separate fingerprint.
-
-Practical trade-offs:
-
- Better anti-fingerprinting on size/shape channel.
- Slightly higher egress overhead for small probes due to padding.
- Behavior is intentionally conservative and enabled by default.
-
-Recommended starting profile:
-
- `mask_shape_hardening = true` (default)
- `mask_shape_bucket_floor_bytes = 512`
- `mask_shape_bucket_cap_bytes = 4096`
-
-### Aggressive mode notes (`[censorship]`)
-
-`mask_shape_hardening_aggressive_mode` is an opt-in profile for higher anti-classifier pressure.
-
- Default is `false` to preserve conservative timeout/no-tail behavior.
- Requires `mask_shape_hardening = true`.
- When enabled, backend-silent non-EOF masking paths may be shaped.
- When enabled together with above-cap blur, the random extra tail uses `[1, max]` instead of `[0, max]`.
-
-What changes when aggressive mode is enabled:
-
- Backend-silent timeout paths can be shaped
-	In default mode, a client that keeps the socket half-open and times out will usually not receive shape padding on that path.
-	In aggressive mode, Telemt may still shape that backend-silent session if no backend bytes were returned.
-	This is specifically aimed at active probes that try to avoid EOF in order to preserve an exact backend-observed length.
-
- Above-cap blur always adds at least one byte
-	In default mode, above-cap blur may choose `0`, so some oversized probes still land on their exact base forwarded length.
-	In aggressive mode, that exact-base sample is removed by construction.
-
- Tradeoff
-	Aggressive mode improves resistance to active length classifiers, but it is more opinionated and less conservative.
-	If your deployment prioritizes strict compatibility with timeout/no-tail semantics, leave it disabled.
-	If your threat model includes repeated active probing by a censor, this mode is the stronger profile.
-
-Use this mode only when your threat model prioritizes classifier resistance over strict compatibility with conservative masking semantics.
-
-### Above-cap blur notes (`[censorship]`)
-
-`mask_shape_above_cap_blur` adds a second-stage blur for very large probes that are already above `mask_shape_bucket_cap_bytes`.
-
- A random tail in `[0, mask_shape_above_cap_blur_max_bytes]` is appended in default mode.
- In aggressive mode, the random tail becomes strictly positive: `[1, mask_shape_above_cap_blur_max_bytes]`.
- This reduces exact-size leakage above cap at bounded overhead.
- Keep `mask_shape_above_cap_blur_max_bytes` conservative to avoid unnecessary egress growth.
-
-Operational meaning:
-
- Without above-cap blur
-	A probe that forwards `5005` bytes will still look like `5005` bytes to the backend if it is already above cap.
-
- With above-cap blur enabled
-	That same probe may look like any value in a bounded window above its base length.
-	Example with `mask_shape_above_cap_blur_max_bytes = 64`:
-	backend-observed size becomes `5005..5069` in default mode, or `5006..5069` in aggressive mode.
-
- Choosing `mask_shape_above_cap_blur_max_bytes`
-	Small values reduce cost but preserve more separability between far-apart oversized classes.
-	Larger values blur oversized classes more aggressively, but add more egress overhead and more output variance.
-
-### Timing normalization envelope notes (`[censorship]`)
-
-`mask_timing_normalization_enabled` smooths timing differences between masking outcomes by applying a target duration envelope.
-
- A random target is selected in `[mask_timing_normalization_floor_ms, mask_timing_normalization_ceiling_ms]`.
- Fast paths are delayed up to the selected target.
- Slow paths are not forced to finish by the ceiling (the envelope is best-effort shaping, not truncation).
-
-Recommended starting profile for timing shaping:
-
- `mask_timing_normalization_enabled = true`
- `mask_timing_normalization_floor_ms = 180`
- `mask_timing_normalization_ceiling_ms = 320`
-
-If your backend or network is very bandwidth-constrained, reduce cap first. If probes are still too distinguishable in your environment, increase floor gradually.
-
-## [access]
-
-| Parameter | Type | Default | Constraints / validation | TOML shape example | Description |
-|---|---|---|---|---|---|
-| users | `Map<String, String>` | `{"default": "000…000"}` | Secret must be 32 hex characters. | `[access.users]`<br>`user = "32-hex secret"`<br>`user2 = "32-hex secret"` | User credentials map used for client authentication. |
-| user_ad_tags | `Map<String, String>` | `{}` | Every value must be exactly 32 hex characters. | `[access.user_ad_tags]`<br>`user = "32-hex ad_tag"` | Per-user ad tags used as override over `general.ad_tag`. |
-| user_max_tcp_conns | `Map<String, usize>` | `{}` | — | `[access.user_max_tcp_conns]`<br>`user = 500` | Per-user maximum concurrent TCP connections. |
-| user_expirations | `Map<String, DateTime<Utc>>` | `{}` | Timestamp must be valid RFC3339/ISO-8601 datetime. | `[access.user_expirations]`<br>`user = "2026-12-31T23:59:59Z"` | Per-user account expiration timestamps. |
-| user_data_quota | `Map<String, u64>` | `{}` | — | `[access.user_data_quota]`<br>`user = 1073741824` | Per-user traffic quota in bytes. |
-| user_max_unique_ips | `Map<String, usize>` | `{}` | — | `[access.user_max_unique_ips]`<br>`user = 16` | Per-user unique source IP limits. |
-| user_max_unique_ips_global_each | `usize` | `0` | — | `user_max_unique_ips_global_each = 0` | Global fallback used when `[access.user_max_unique_ips]` has no per-user override. |
-| user_max_unique_ips_mode | `"active_window" \| "time_window" \| "combined"` | `"active_window"` | — | `user_max_unique_ips_mode = "active_window"` | Unique source IP limit accounting mode. |
-| user_max_unique_ips_window_secs | `u64` | `30` | Must be `> 0`. | `user_max_unique_ips_window_secs = 30` | Window size (seconds) used by unique-IP accounting modes that use time windows. |
-| replay_check_len | `usize` | `65536` | — | `replay_check_len = 65536` | Replay-protection storage length. |
-| replay_window_secs | `u64` | `1800` | — | `replay_window_secs = 1800` | Replay-protection window in seconds. |
-| ignore_time_skew | `bool` | `false` | — | `ignore_time_skew = false` | Disables client/server timestamp skew checks in replay validation when enabled. |
-
-## [[upstreams]]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| type | `"direct" \| "socks4" \| "socks5"` | — | Required field. | Upstream transport type selector. |
-| weight | `u16` | `1` | none | Base weight used by weighted-random upstream selection. |
-| enabled | `bool` | `true` | none | Disabled entries are excluded from upstream selection at runtime. |
-| scopes | `String` | `""` | none | Comma-separated scope tags used for request-level upstream filtering. |
-| interface | `String \| null` | `null` | Optional; type-specific runtime rules apply. | Optional outbound interface/local bind hint (supported with type-specific rules). |
-| bind_addresses | `String[] \| null` | `null` | Applies to `type = "direct"`. | Optional explicit local source bind addresses for `type = "direct"`. |
-| address | `String` | — | Required for `type = "socks4"` and `type = "socks5"`. | SOCKS server endpoint (`host:port` or `ip:port`) for SOCKS upstream types. |
-| user_id | `String \| null` | `null` | Only for `type = "socks4"`. | SOCKS4 CONNECT user ID (`type = "socks4"` only). |
-| username | `String \| null` | `null` | Only for `type = "socks5"`. | SOCKS5 username (`type = "socks5"` only). |
-| password | `String \| null` | `null` | Only for `type = "socks5"`. | SOCKS5 password (`type = "socks5"` only). |
@@ -1,5 +1,4 @@
 ## How to set up a "proxy sponsor" channel and statistics via the @MTProxybot
-
 1. Go to the @MTProxybot.
 2. Enter the `/newproxy` command.
 3. Send your server's IP address and port. For example: `1.2.3.4:443`.
@@ -32,13 +31,130 @@ use_middle_proxy = true
 hello = "ad_tag"
 hello2 = "ad_tag2"
 ```
+## Recognizability for DPI and crawler

-## Why do you need a middle proxy (ME)
+On April 1, 2026, we became aware of a method for detecting MTProxy Fake-TLS, 
+based on the ECH extension and the ordering of cipher suites, 
+as well as an overall unique JA3/JA4 fingerprint 
+that does not occur in modern browsers: 
+we have already submitted initial changes to the Telegram Desktop developers and are working on updates for other clients.
+
+- We consider this a breakthrough aspect, which has no stable analogues today
+- Based on this: if `telemt` configured correctly, **TLS mode is completely identical to real-life handshake + communication** with a specified host
+- Here is our evidence:
+    - 212.220.88.77 - "dummy" host, running `telemt`
+    - `petrovich.ru` - `tls` + `masking` host, in HEX: `706574726f766963682e7275`
+    - **No MITM + No Fake Certificates/Crypto** = pure transparent *TCP Splice* to "best" upstream: MTProxy or tls/mask-host:
+      - DPI see legitimate HTTPS to `tls_host`, including *valid chain-of-trust* and entropy
+      - Crawlers completely satisfied receiving responses from `mask_host`
+  ### Client WITH secret-key accesses the MTProxy resource:
+  
+  <img width="360" height="439" alt="telemt" src="https://github.com/user-attachments/assets/39352afb-4a11-4ecc-9d91-9e8cfb20607d" />
+  
+  ### Client WITHOUT secret-key gets transparent access to the specified resource:
+    - with trusted certificate
+    - with original handshake
+    - with full request-response way
+    - with low-latency overhead
+```bash
+root@debian:~/telemt# curl -v -I --resolve petrovich.ru:443:212.220.88.77 https://petrovich.ru/
+* Added petrovich.ru:443:212.220.88.77 to DNS cache
+* Hostname petrovich.ru was found in DNS cache
+*   Trying 212.220.88.77:443...
+* Connected to petrovich.ru (212.220.88.77) port 443 (#0)
+* ALPN: offers h2,http/1.1
+* TLSv1.3 (OUT), TLS handshake, Client hello (1):
+*  CAfile: /etc/ssl/certs/ca-certificates.crt
+*  CApath: /etc/ssl/certs
+* TLSv1.3 (IN), TLS handshake, Server hello (2):
+* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
+* TLSv1.3 (IN), TLS handshake, Certificate (11):
+* TLSv1.3 (IN), TLS handshake, CERT verify (15):
+* TLSv1.3 (IN), TLS handshake, Finished (20):
+* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
+* TLSv1.3 (OUT), TLS handshake, Finished (20):
+* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
+* ALPN: server did not agree on a protocol. Uses default.
+* Server certificate:
+*  subject: C=RU; ST=Saint Petersburg; L=Saint Petersburg; O=STD Petrovich; CN=*.petrovich.ru
+*  start date: Jan 28 11:21:01 2025 GMT
+*  expire date: Mar  1 11:21:00 2026 GMT
+*  subjectAltName: host "petrovich.ru" matched cert's "petrovich.ru"
+*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
+*  SSL certificate verify ok.
+* using HTTP/1.x
+> HEAD / HTTP/1.1
+> Host: petrovich.ru
+> User-Agent: curl/7.88.1
+> Accept: */*
+> 
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+* old SSL session ID is stale, removing
+< HTTP/1.1 200 OK
+HTTP/1.1 200 OK
+< Server: Variti/0.9.3a
+Server: Variti/0.9.3a
+< Date: Thu, 01 Jan 2026 00:0000 GMT
+Date: Thu, 01 Jan 2026 00:0000 GMT
+< Access-Control-Allow-Origin: *
+Access-Control-Allow-Origin: *
+< Content-Type: text/html
+Content-Type: text/html
+< Cache-Control: no-store
+Cache-Control: no-store
+< Expires: Thu, 01 Jan 2026 00:0000 GMT
+Expires: Thu, 01 Jan 2026 00:0000 GMT
+< Pragma: no-cache
+Pragma: no-cache
+< Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
+Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
+< Content-Type: text/html
+Content-Type: text/html
+< Content-Length: 31253
+Content-Length: 31253
+< Connection: keep-alive
+Connection: keep-alive
+< Keep-Alive: timeout=60
+Keep-Alive: timeout=60
+
+< 
+* Connection #0 to host petrovich.ru left intact
+
+```
+- We challenged ourselves, we kept trying and we didn't only *beat the air*: now, we have something to show you
+  - Do not just take our word for it? - This is great and we respect that: you can build your own `telemt` or download a build and check it right now
+
+
+## F.A.Q.
+
+### Telegram Calls via MTProxy
+- Telegram architecture **does NOT allow calls via MTProxy**, but only via SOCKS5, which cannot be obfuscated
+
+### How does DPI see MTProxy TLS?
+- DPI sees MTProxy in Fake TLS (ee) mode as TLS 1.3
+- the SNI you specify sends both the client and the server;
+- ALPN is similar to HTTP 1.1/2;
+- high entropy, which is normal for AES-encrypted traffic;
+
+### Whitelist on IP
+- MTProxy cannot work when there is: 
+  - no IP connectivity to the target host: Russian Whitelist on Mobile Networks - "Белый список"
+  - OR all TCP traffic is blocked
+  - OR high entropy/encrypted traffic is blocked: content filters at universities and critical infrastructure
+  - OR all TLS traffic is blocked
+  - OR specified port is blocked: use 443 to make it "like real"
+  - OR provided SNI is blocked: use "officially approved"/innocuous name
+- like most protocols on the Internet; 
+- these situations are observed:
+  - in China behind the Great Firewall
+  - in Russia on mobile networks, less in wired networks
+  - in Iran during "activity"
+
+### Why do you need a middle proxy (ME)
 https://github.com/telemt/telemt/discussions/167

-
-## How many people can use one link
-
+### How many people can use one link
 By default, an unlimited number of people can use a single link.  
 However, you can limit the number of unique IP addresses for each user:
 ```toml
@@ -47,8 +163,7 @@ hello = 1
 ```
 This parameter sets the maximum number of unique IP addresses from which a single link can be used simultaneously. If the first user disconnects, a second one can connect. At the same time, multiple users can connect from a single IP address simultaneously (for example, devices on the same Wi-Fi network).

-## How to create multiple different links
-
+### How to create multiple different links
 1. Generate the required number of secrets using the command: `openssl rand -hex 16`.
 2. Open the configuration file: `nano /etc/telemt/telemt.toml`.
 3. Add new users to the `[access.users]` section:
@@ -64,7 +179,7 @@ user3 = "00000000000000000000000000000003"
 curl -s http://127.0.0.1:9091/v1/users | jq
 ```

-## "Unknown TLS SNI" error
+### "Unknown TLS SNI" error
 Usually, this error occurs if you have changed the `tls_domain` parameter, but users continue to connect using old links with the previous domain.

 If you need to allow connections with any domains (ignoring SNI mismatches), add the following parameters:
@@ -73,7 +188,7 @@ If you need to allow connections with any domains (ignoring SNI mismatches), add
 unknown_sni_action = "mask"
 ```

-## How to view metrics
+### How to view metrics

 1. Open the configuration file: `nano /etc/telemt/telemt.toml`.
 2. Add the following parameters:
@@ -87,6 +202,25 @@ metrics_whitelist = ["127.0.0.1/32", "::1/128", "0.0.0.0/0"]
 > [!WARNING]
 > The value `"0.0.0.0/0"` in `metrics_whitelist` opens access to metrics from any IP address. It is recommended to replace it with your personal IP, for example: `"1.2.3.4/32"`.

+### Too many open files
+- On a fresh Linux install the default open file limit is low; under load `telemt` may fail with `Accept error: Too many open files`
+- **Systemd**: add `LimitNOFILE=65536` to the `[Service]` section (already included in the example above)
+- **Docker**: add `--ulimit nofile=65536:65536` to your `docker run` command, or in `docker-compose.yml`:
+```yaml
+ulimits:
+  nofile:
+    soft: 65536
+    hard: 65536
+```
+- **System-wide** (optional): add to `/etc/security/limits.conf`:
+```
+*       soft    nofile  1048576
+*       hard    nofile  1048576
+root    soft    nofile  1048576
+root    hard    nofile  1048576
+```
+
+
 ## Additional parameters

 ### Domain in the link instead of IP
@@ -32,11 +32,145 @@ use_middle_proxy = true
 hello = "ad_tag"
 hello2 = "ad_tag2"
 ```
+## Распознаваемость для DPI и сканеров
+
+1 апреля 2026 года нам стало известно о методе обнаружения MTProxy Fake-TLS, основанном на расширении ECH и порядке набора шифров, 
+а также об общем уникальном отпечатке JA3/JA4, который не встречается в современных браузерах: мы уже отправили первоначальные изменения разработчикам Telegram Desktop и работаем над обновлениями для других клиентов.
+
+- Мы считаем это прорывом, которому на сегодняшний день нет стабильных аналогов;
+- Исходя из этого: если `telemt` настроен правильно, **режим TLS полностью идентичен реальному «рукопожатию» + обмену данными** с указанным хостом;
+- Вот наши доказательства:
+    - 212.220.88.77 — «фиктивный» хост, на котором запущен `telemt`;
+    - `petrovich.ru` — хост с `tls` + `masking`, в HEX: `706574726f766963682e7275`;
+    - **Без MITM + без поддельных сертификатов/шифрования** = чистое прозрачное *TCP Splice* к «лучшему» исходному серверу: MTProxy или tls/mask-host:
+      - DPI видит легитимный HTTPS к `tls_host`, включая *достоверную цепочку доверия* и энтропию;
+      - Краулеры полностью удовлетворены получением ответов от `mask_host`.
+ 
+  ### Клиент С секретным ключом получает доступ к ресурсу MTProxy:
+  
+  <img width="360" height="439" alt="telemt" src="https://github.com/user-attachments/assets/39352afb-4a11-4ecc-9d91-9e8cfb20607d" />
+  
+  ### Клиент БЕЗ секретного ключа получает прозрачный доступ к указанному ресурсу:
+    - с доверенным сертификатом;
+    - с исходным «рукопожатием»;
+    - с полным циклом запрос-ответ;
+    - с низкой задержкой.
+
+```bash
+root@debian:~/telemt# curl -v -I --resolve petrovich.ru:443:212.220.88.77 https://petrovich.ru/
+* Added petrovich.ru:443:212.220.88.77 to DNS cache
+* Hostname petrovich.ru was found in DNS cache
+*   Trying 212.220.88.77:443...
+* Connected to petrovich.ru (212.220.88.77) port 443 (#0)
+* ALPN: offers h2,http/1.1
+* TLSv1.3 (OUT), TLS handshake, Client hello (1):
+*  CAfile: /etc/ssl/certs/ca-certificates.crt
+*  CApath: /etc/ssl/certs
+* TLSv1.3 (IN), TLS handshake, Server hello (2):
+* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
+* TLSv1.3 (IN), TLS handshake, Certificate (11):
+* TLSv1.3 (IN), TLS handshake, CERT verify (15):
+* TLSv1.3 (IN), TLS handshake, Finished (20):
+* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
+* TLSv1.3 (OUT), TLS handshake, Finished (20):
+* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
+* ALPN: server did not agree on a protocol. Uses default.
+* Server certificate:
+*  subject: C=RU; ST=Saint Petersburg; L=Saint Petersburg; O=STD Petrovich; CN=*.petrovich.ru
+*  start date: Jan 28 11:21:01 2025 GMT
+*  expire date: Mar  1 11:21:00 2026 GMT
+*  subjectAltName: host "petrovich.ru" matched cert's "petrovich.ru"
+*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
+*  SSL certificate verify ok.
+* using HTTP/1.x
+> HEAD / HTTP/1.1
+> Host: petrovich.ru
+> User-Agent: curl/7.88.1
+> Accept: */*
+> 
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+* old SSL session ID is stale, removing
+< HTTP/1.1 200 OK
+HTTP/1.1 200 OK
+< Server: Variti/0.9.3a
+Server: Variti/0.9.3a
+< Date: Thu, 01 Jan 2026 00:0000 GMT
+Date: Thu, 01 Jan 2026 00:0000 GMT
+< Access-Control-Allow-Origin: *
+Access-Control-Allow-Origin: *
+< Content-Type: text/html
+Content-Type: text/html
+< Cache-Control: no-store
+Cache-Control: no-store
+< Expires: Thu, 01 Jan 2026 00:0000 GMT
+Expires: Thu, 01 Jan 2026 00:0000 GMT
+< Pragma: no-cache
+Pragma: no-cache
+< Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
+Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
+< Content-Type: text/html
+Content-Type: text/html
+< Content-Length: 31253
+Content-Length: 31253
+< Connection: keep-alive
+Connection: keep-alive
+< Keep-Alive: timeout=60
+Keep-Alive: timeout=60
+
+< 
+* Connection #0 to host petrovich.ru left intact
+
+```
+- Мы поставили перед собой задачу, не сдавались и не просто «бились в пустоту»: теперь у нас есть что вам показать.
+- Не верите нам на слово? — Это прекрасно, и мы уважаем ваше решение: вы можете собрать свой собственный `telemt` или скачать готовую сборку и проверить её прямо сейчас.
+
+### Звонки в Telegram через MTProxy
+- Архитектура Telegram **НЕ поддерживает звонки через MTProxy**, а только через SOCKS5, который невозможно замаскировать
+
+### Как DPI распознает TLS-соединение MTProxy?
+- DPI распознает MTProxy в режиме Fake TLS (ee) как TLS 1.3
+- указанный вами SNI отправляется как клиентом, так и сервером;
+- ALPN аналогичен HTTP 1.1/2;
+- высокая энтропия, что нормально для трафика, зашифрованного AES;
+
+### Белый список по IP
+- MTProxy не может работать, если: 
+  - отсутствует IP-связь с целевым хостом: российский белый список в мобильных сетях — «Белый список»;
+  - ИЛИ весь TCP-трафик заблокирован;
+  - ИЛИ трафик с высокой энтропией/зашифрованный трафик заблокирован: контент-фильтры в университетах и критически важной инфраструктуре;
+  - ИЛИ весь TLS-трафик заблокирован;
+  - ИЛИ заблокирован указанный порт: используйте 443, чтобы сделать его «как настоящий»;
+  - ИЛИ заблокирован предоставленный SNI: используйте «официально одобренное»/безобидное имя;
+- как и большинство протоколов в Интернете; 
+- такие ситуации наблюдаются:
+  - в Китае за Великим файрволом;
+  - в России в мобильных сетях, реже в проводных сетях;
+  - в Иране во время «активности».
+

 ## Зачем нужен middle proxy (ME)
 https://github.com/telemt/telemt/discussions/167


+## Что такое dd и ee в контексте MTProxy?
+
+Это два разных режима работы прокси. Понять, какой режим используется, можно взглянув на начало секрета — там будет dd или ee, вот пример:
+tg://proxy?server=s1.dimasssss.space&port=443&secret=eebe3007e927acd147dde12bee8b1a7c9364726976652e676f6f676c652e636f6d
+
+dd — режим с мусорным трафиком, обфускацией данных, похожий на shadowsocks. У такого трафика есть заметный паттерн, который DPI умеют распознавать и впоследствии блокировать. Использовать этот режим на текущий момент не рекомендуется.
+
+ee — режим маскировки под существующий домен (FakeTLS), словно вы сёрфите в интернете через браузер. На текущий момент не попадает под блокировку.
+
+### Где эти режимы настраиваются?
+
+```toml
+В конфиге telemt.toml в разделе [general.modes]:
+classic = false # классический режим, давно стал бесполезным
+secure = false # переменная dd-режима
+tls = true # переменная ee-режима
+```
+
 ## Сколько человек может пользоваться одной ссылкой

 По умолчанию одной ссылкой может пользоваться неограниченное число людей.  
@@ -104,7 +238,7 @@ max_connections = 10000    # 0 - без ограничений, 10000 - по у
 ```

 ### Upstream Manager
-Для настройки исходящих подключений (апстримов) добавьте соответствующие параметры в секцию `[[upstreams]]` файла конфигурации:
+Для настройки исходящих подключений (Upstreams) добавьте соответствующие параметры в секцию `[[upstreams]]` файла конфигурации:

 #### Привязка к исходящему IP-адресу
 ```toml
@@ -119,20 +253,20 @@ interface = "192.168.1.100" # Замените на ваш исходящий IP
 - Без авторизации:
 ```toml
 [[upstreams]]
-type = "socks5"            # Specify SOCKS4 or SOCKS5
-address = "1.2.3.4:1234"   # SOCKS-server Address
-weight = 1                 # Set Weight for Scenarios
+type = "socks5"            # выбор типа SOCKS4 или SOCKS5
+address = "1.2.3.4:1234"   # адрес сервера SOCKS
+weight = 1                 # вес
 enabled = true
 ```

 - С авторизацией:
 ```toml
 [[upstreams]]
-type = "socks5"            # Specify SOCKS4 or SOCKS5
-address = "1.2.3.4:1234"   # SOCKS-server Address
-username = "user"          # Username for Auth on SOCKS-server
-password = "pass"          # Password for Auth on SOCKS-server
-weight = 1                 # Set Weight for Scenarios
+type = "socks5"            # выбор типа SOCKS4 или SOCKS5
+address = "1.2.3.4:1234"   # адрес сервера SOCKS
+username = "user"          # имя пользователя
+password = "pass"          # пароль
+weight = 1                 # вес
 enabled = true
 ```

@@ -1,92 +0,0 @@
-# Öffentliche TELEMT-Lizenz 3
-
-***Alle Rechte vorbehalten (c) 2026 Telemt***
-
-Hiermit wird jeder Person, die eine Kopie dieser Software und der dazugehörigen Dokumentation (nachfolgend "Software") erhält, unentgeltlich die Erlaubnis erteilt, die Software ohne Einschränkungen zu nutzen, einschließlich des Rechts, die Software zu verwenden, zu vervielfältigen, zu ändern, abgeleitete Werke zu erstellen, zu verbinden, zu veröffentlichen, zu verbreiten, zu unterlizenzieren und/oder Kopien der Software zu verkaufen sowie diese Rechte auch denjenigen einzuräumen, denen die Software zur Verfügung gestellt wird, vorausgesetzt, dass sämtliche Urheberrechtshinweise sowie die Bedingungen und Bestimmungen dieser Lizenz eingehalten werden.
-
-### Begriffsbestimmungen
-
-Für die Zwecke dieser Lizenz gelten die folgenden Definitionen:
-
-**"Software" (Software)** — die Telemt-Software einschließlich Quellcode, Dokumentation und sämtlicher zugehöriger Dateien, die unter den Bedingungen dieser Lizenz verbreitet werden.
-
-**"Contributor" (Contributor)** — jede natürliche oder juristische Person, die Code, Patches, Dokumentation oder andere Materialien eingereicht hat, die von den Maintainers des Projekts angenommen und in die Software aufgenommen wurden.
-
-**"Beitrag" (Contribution)** — jedes urheberrechtlich geschützte Werk, das bewusst zur Aufnahme in die Software eingereicht wurde.
-
-**"Modifizierte Version" (Modified Version)** — jede Version der Software, die gegenüber der ursprünglichen Software geändert, angepasst, erweitert oder anderweitig modifiziert wurde.
-
-**"Maintainers" (Maintainers)** — natürliche oder juristische Personen, die für das offizielle Telemt-Projekt und dessen offizielle Veröffentlichungen verantwortlich sind.
-
-### 1 Urheberrechtshinweis (Attribution)
-
-Bei der Weitergabe der Software, sowohl in Form des Quellcodes als auch in binärer Form, MÜSSEN folgende Elemente erhalten bleiben:
-
- der oben genannte Urheberrechtshinweis;
- der vollständige Text dieser Lizenz;
- sämtliche bestehenden Hinweise auf Urheberschaft.
-
-### 2 Hinweis auf Modifikationen
-
-Wenn Änderungen an der Software vorgenommen werden, MUSS die Person, die diese Änderungen vorgenommen hat, eindeutig darauf hinweisen, dass die Software modifiziert wurde, und eine kurze Beschreibung der vorgenommenen Änderungen beifügen.
-
-Modifizierte Versionen der Software DÜRFEN NICHT als die originale Version von Telemt dargestellt werden.
-
-### 3 Marken und Bezeichnungen
-
-Diese Lizenz GEWÄHRT KEINE Rechte zur Nutzung der Bezeichnung **"Telemt"**, des Telemt-Logos oder sonstiger Marken, Kennzeichen oder Branding-Elemente von Telemt.
-
-Weiterverbreitete oder modifizierte Versionen der Software DÜRFEN die Bezeichnung Telemt nicht in einer Weise verwenden, die bei Nutzern den Eindruck eines offiziellen Ursprungs oder einer Billigung durch das Telemt-Projekt erwecken könnte, sofern hierfür keine ausdrückliche Genehmigung der Maintainers vorliegt.
-
-Die Verwendung der Bezeichnung **Telemt** zur Beschreibung einer modifizierten Version der Software ist nur zulässig, wenn diese Version eindeutig als modifiziert oder inoffiziell gekennzeichnet ist.
-
-Jegliche Verbreitung, die Nutzer vernünftigerweise darüber täuschen könnte, dass es sich um eine offizielle Veröffentlichung von Telemt handelt, ist untersagt.
-
-### 4 Transparenz bei der Verbreitung von Binärversionen
-
-Im Falle der Verbreitung kompilierter Binärversionen der Software wird der Verbreiter HIERMIT ERMUTIGT (encouraged), soweit dies vernünftigerweise möglich ist, Zugang zum entsprechenden Quellcode sowie zu den Build-Anweisungen bereitzustellen.
-
-Diese Praxis trägt zur Transparenz bei und ermöglicht es Empfängern, die Integrität und Reproduzierbarkeit der verbreiteten Builds zu überprüfen.
-
-## 5 Gewährung einer Patentlizenz und Beendigung von Rechten
-
-Jeder Contributor gewährt den Empfängern der Software eine unbefristete, weltweite, nicht-exklusive, unentgeltliche, lizenzgebührenfreie und unwiderrufliche Patentlizenz für:
-
- die Herstellung,
- die Beauftragung der Herstellung,
- die Nutzung,
- das Anbieten zum Verkauf,
- den Verkauf,
- den Import,
- sowie jede sonstige Verbreitung der Software.
-
-Diese Patentlizenz erstreckt sich ausschließlich auf solche Patentansprüche, die notwendigerweise durch den jeweiligen Beitrag des Contributors allein oder in Kombination mit der Software verletzt würden.
-
-Leitet eine Person ein Patentverfahren ein oder beteiligt sich daran, einschließlich Gegenklagen oder Kreuzklagen, mit der Behauptung, dass die Software oder ein darin enthaltener Beitrag ein Patent verletzt, **erlöschen sämtliche durch diese Lizenz gewährten Rechte für diese Person unmittelbar mit Einreichung der Klage**.
-
-Darüber hinaus erlöschen alle durch diese Lizenz gewährten Rechte **automatisch**, wenn eine Person ein gerichtliches Verfahren einleitet, in dem behauptet wird, dass die Software selbst ein Patent oder andere Rechte des geistigen Eigentums verletzt.
-
-### 6 Beteiligung und Beiträge zur Entwicklung
-
-Sofern ein Contributor nicht ausdrücklich etwas anderes erklärt, gilt jeder Beitrag, der bewusst zur Aufnahme in die Software eingereicht wird, als unter den Bedingungen dieser Lizenz lizenziert.
-
-Durch die Einreichung eines Beitrags gewährt der Contributor den Maintainers des Telemt-Projekts sowie allen Empfängern der Software die in dieser Lizenz beschriebenen Rechte in Bezug auf diesen Beitrag.
-
-### 7 Urheberhinweis bei Netzwerk- und Servicenutzung
-
-Wird die Software zur Bereitstellung eines öffentlich zugänglichen Netzwerkdienstes verwendet, MUSS der Betreiber dieses Dienstes einen Hinweis auf die Urheberschaft von Telemt an mindestens einer der folgenden Stellen anbringen:
-
-* in der Servicedokumentation;
-* in der Dienstbeschreibung;
-* auf einer Seite "Über" oder einer vergleichbaren Informationsseite;
-* in anderen für Nutzer zugänglichen Materialien, die in angemessenem Zusammenhang mit dem Dienst stehen.
-
-Ein solcher Hinweis DARF NICHT den Eindruck erwecken, dass der Dienst vom Telemt-Projekt oder dessen Maintainers unterstützt oder offiziell gebilligt wird.
-
-### 8 Haftungsausschluss und salvatorische Klausel
-
-DIE SOFTWARE WIRD "WIE BESEHEN" BEREITGESTELLT, OHNE JEGLICHE AUSDRÜCKLICHE ODER STILLSCHWEIGENDE GEWÄHRLEISTUNG, EINSCHLIESSLICH, ABER NICHT BESCHRÄNKT AUF GEWÄHRLEISTUNGEN DER MARKTGÄNGIGKEIT, DER EIGNUNG FÜR EINEN BESTIMMTEN ZWECK UND DER NICHTVERLETZUNG VON RECHTEN.
-
-IN KEINEM FALL HAFTEN DIE AUTOREN ODER RECHTEINHABER FÜR IRGENDWELCHE ANSPRÜCHE, SCHÄDEN ODER SONSTIGE HAFTUNG, DIE AUS VERTRAG, UNERLAUBTER HANDLUNG ODER AUF ANDERE WEISE AUS DER SOFTWARE ODER DER NUTZUNG DER SOFTWARE ENTSTEHEN.
-
-SOLLTE EINE BESTIMMUNG DIESER LIZENZ ALS UNWIRKSAM ODER NICHT DURCHSETZBAR ANGESEHEN WERDEN, IST DIESE BESTIMMUNG SO AUSZULEGEN, DASS SIE DEM URSPRÜNGLICHEN WILLEN DER PARTEIEN MÖGLICHST NAHEKOMMT; DIE ÜBRIGEN BESTIMMUNGEN BLEIBEN DAVON UNBERÜHRT UND IN VOLLER WIRKUNG.
@@ -1,143 +0,0 @@
-###### TELEMT Public License 3 ######
-##### Copyright (c) 2026 Telemt #####
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this Software and associated documentation files (the "Software"),
-to use, reproduce, modify, prepare derivative works of, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to permit
-persons to whom the Software is furnished to do so, provided that all
-copyright notices, license terms, and conditions set forth in this License
-are preserved and complied with.
-
-### Official Translations
-
-The canonical version of this License is the English version.
-
-Official translations are provided for informational purposes only
-and for convenience, and do not have legal force. In case of any
-discrepancy, the English version of this License shall prevail.
-
-Available versions:
- English in Markdown: docs/LICENSE/LICENSE.md
- German: docs/LICENSE/LICENSE.de.md
- Russian: docs/LICENSE/LICENSE.ru.md
-
-### Definitions
-
-For the purposes of this License:
-
-"Software" means the Telemt software, including source code, documentation,
-and any associated files distributed under this License.
-
-"Contributor" means any person or entity that submits code, patches,
-documentation, or other contributions to the Software that are accepted
-into the Software by the maintainers.
-
-"Contribution" means any work of authorship intentionally submitted
-to the Software for inclusion in the Software.
-
-"Modified Version" means any version of the Software that has been
-changed, adapted, extended, or otherwise modified from the original
-Software.
-
-"Maintainers" means the individuals or entities responsible for
-the official Telemt project and its releases.
-
-#### 1 Attribution
-
-Redistributions of the Software, in source or binary form, MUST RETAIN the
-above copyright notice, this license text, and any existing attribution
-notices.
-
-#### 2 Modification Notice
-
-If you modify the Software, you MUST clearly state that the Software has been
-modified and include a brief description of the changes made.
-
-Modified versions MUST NOT be presented as the original Telemt.
-
-#### 3 Trademark and Branding
-
-This license DOES NOT grant permission to use the name "Telemt", 
-the Telemt logo, or any Telemt trademarks or branding.
-
-Redistributed or modified versions of the Software MAY NOT use the Telemt
-name in a way that suggests endorsement or official origin without explicit
-permission from the Telemt maintainers.
-
-Use of the name "Telemt" to describe a modified version of the Software
-is permitted only if the modified version is clearly identified as a
-modified or unofficial version.
-
-Any distribution that could reasonably confuse users into believing that
-the software is an official Telemt release is prohibited.
-
-#### 4 Binary Distribution Transparency
-
-If you distribute compiled binaries of the Software,
-you are ENCOURAGED to provide access to the corresponding
-source code and build instructions where reasonably possible.
-
-This helps preserve transparency and allows recipients to verify the
-integrity and reproducibility of distributed builds.
-
-#### 5 Patent Grant and Defensive Termination Clause
-
-Each contributor grants you a perpetual, worldwide, non-exclusive,
-no-charge, royalty-free, irrevocable patent license to make, have made,
-use, offer to sell, sell, import, and otherwise transfer the Software.
-
-This patent license applies only to those patent claims necessarily
-infringed by the contributor’s contribution alone or by combination of
-their contribution with the Software.
-
-If you initiate or participate in any patent litigation, including
-cross-claims or counterclaims, alleging that the Software or any
-contribution incorporated within the Software constitutes patent
-infringement, then **all rights granted to you under this license shall
-terminate immediately** as of the date such litigation is filed.
-
-Additionally, if you initiate legal action alleging that the
-Software itself infringes your patent or other intellectual
-property rights, then all rights granted to you under this
-license SHALL TERMINATE automatically.
-
-#### 6 Contributions
-
-Unless you explicitly state otherwise, any Contribution intentionally
-submitted for inclusion in the Software shall be licensed under the terms
-of this License.
-
-By submitting a Contribution, you grant the Telemt maintainers and all
-recipients of the Software the rights described in this License with
-respect to that Contribution.
-
-#### 7 Network Use Attribution
-
-If the Software is used to provide a publicly accessible network service,
-the operator of such service MUST provide attribution to Telemt in at least
-one of the following locations:
-
- service documentation
- service description
- an "About" or similar informational page
- other user-visible materials reasonably associated with the service
-
-Such attribution MUST NOT imply endorsement by the Telemt project or its
-maintainers.
-
-#### 8 Disclaimer of Warranty and Severability Clause
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
-
-IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
-DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
-OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
-USE OR OTHER DEALINGS IN THE SOFTWARE
-
-IF ANY PROVISION OF THIS LICENSE IS HELD TO BE INVALID OR UNENFORCEABLE,
-SUCH PROVISION SHALL BE INTERPRETED TO REFLECT THE ORIGINAL INTENT
-OF THE PARTIES AS CLOSELY AS POSSIBLE, AND THE REMAINING PROVISIONS
-SHALL REMAIN IN FULL FORCE AND EFFECT
@@ -1,90 +0,0 @@
-# Публичная лицензия TELEMT 3
-
-***Все права защищёны (c) 2026 Telemt***
-
-Настоящим любому лицу, получившему копию данного программного обеспечения и сопутствующей документации (далее — "Программное обеспечение"), безвозмездно предоставляется разрешение использовать Программное обеспечение без ограничений, включая право использовать, воспроизводить, изменять, создавать производные произведения, объединять, публиковать, распространять, сублицензировать и (или) продавать копии Программного обеспечения, а также предоставлять такие права лицам, которым предоставляется Программное обеспечение, при условии соблюдения всех уведомлений об авторских правах, условий и положений настоящей Лицензии.
-
-### Определения
-
-Для целей настоящей Лицензии применяются следующие определения:
-
-**"Программное обеспечение" (Software)** — программное обеспечение Telemt, включая исходный код, документацию и любые связанные файлы, распространяемые на условиях настоящей Лицензии.
-
-**"Контрибьютор" (Contributor)** — любое физическое или юридическое лицо, направившее код, исправления (патчи), документацию или иные материалы, которые были приняты мейнтейнерами проекта и включены в состав Программного обеспечения.
-
-**"Вклад" (Contribution)** — любое произведение авторского права, намеренно представленное для включения в состав Программного обеспечения.
-
-**"Модифицированная версия" (Modified Version)** — любая версия Программного обеспечения, которая была изменена, адаптирована, расширена или иным образом модифицирована по сравнению с исходным Программным обеспечением.
-
-**"Мейнтейнеры" (Maintainers)** — физические или юридические лица, ответственные за официальный проект Telemt и его официальные релизы.
-
-### 1 Указание авторства
-
-При распространении Программного обеспечения, как в форме исходного кода, так и в бинарной форме, ДОЛЖНЫ СОХРАНЯТЬСЯ:
-
- указанное выше уведомление об авторских правах;
- текст настоящей Лицензии;
- любые существующие уведомления об авторстве.
-
-### 2 Уведомление о модификации
-
-В случае внесения изменений в Программное обеспечение лицо, осуществившее такие изменения, ОБЯЗАНО явно указать, что Программное обеспечение было модифицировано, а также включить краткое описание внесённых изменений.
-
-Модифицированные версии Программного обеспечения НЕ ДОЛЖНЫ представляться как оригинальная версия Telemt.
-
-### 3 Товарные знаки и обозначения
-
-Настоящая Лицензия НЕ ПРЕДОСТАВЛЯЕТ права использовать наименование **"Telemt"**, логотип Telemt, а также любые товарные знаки, фирменные обозначения или элементы бренда Telemt.
-
-Распространяемые или модифицированные версии Программного обеспечения НЕ ДОЛЖНЫ использовать наименование Telemt таким образом, который может создавать у пользователей впечатление официального происхождения либо одобрения со стороны проекта Telemt без явного разрешения мейнтейнеров проекта.
-
-Использование наименования **Telemt** для описания модифицированной версии Программного обеспечения допускается только при условии, что такая версия ясно обозначена как модифицированная или неофициальная.
-
-Запрещается любое распространение, которое может разумно вводить пользователей в заблуждение относительно того, что программное обеспечение является официальным релизом Telemt.
-
-### 4 Прозрачность распространения бинарных версий
-
-В случае распространения скомпилированных бинарных версий Программного обеспечения распространитель НАСТОЯЩИМ ПОБУЖДАЕТСЯ предоставлять доступ к соответствующему исходному коду и инструкциям по сборке, если это разумно возможно.
-
-Такая практика способствует прозрачности распространения и позволяет получателям проверять целостность и воспроизводимость распространяемых сборок.
-
-### 5 Предоставление патентной лицензии и прекращение прав
-
-Каждый контрибьютор предоставляет получателям Программного обеспечения бессрочную, всемирную, неисключительную, безвозмездную, не требующую выплаты роялти и безотзывную патентную лицензию на:
-
- изготовление,
- поручение изготовления,
- использование,
- предложение к продаже,
- продажу,
- импорт,
- и иное распространение Программного обеспечения.
-
-Такая патентная лицензия распространяется исключительно на те патентные требования, которые неизбежно нарушаются соответствующим вкладом контрибьютора как таковым либо его сочетанием с Программным обеспечением.
-
-Если лицо инициирует либо участвует в каком-либо судебном разбирательстве по патентному спору, включая встречные или перекрёстные иски, утверждая, что Программное обеспечение либо любой вклад, включённый в него, нарушает патент, **все права, предоставленные такому лицу настоящей Лицензией, немедленно прекращаются** с даты подачи соответствующего иска.
-
-Кроме того, если лицо инициирует судебное разбирательство, утверждая, что само Программное обеспечение нарушает его патентные либо иные права интеллектуальной собственности, все права, предоставленные настоящей Лицензией, **автоматически прекращаются**.
-
-### 6 Участие и вклад в разработку
-
-Если контрибьютор явно не указал иное, любой Вклад, намеренно представленный для включения в Программное обеспечение, считается лицензированным на условиях настоящей Лицензии.
-Путём предоставления Вклада контрибьютор предоставляет мейнтейнером проекта Telemt и всем получателям Программного обеспечения права, предусмотренные настоящей Лицензией, в отношении такого Вклада.
-
-### 7 Указание авторства при сетевом и сервисном использовании
-
-В случае использования Программного обеспечения для предоставления публично доступного сетевого сервиса оператор такого сервиса ОБЯЗАН обеспечить указание авторства Telemt как минимум в одном из следующих мест:
- документация сервиса;
- описание сервиса;
- страница "О программе" или аналогичная информационная страница;
- иные материалы, доступные пользователям и разумно связанные с данным сервисом.
-
-Такое указание авторства НЕ ДОЛЖНО создавать впечатление одобрения или официальной поддержки со стороны проекта Telemt либо его мейнтейнеров.
-
-### 8 Отказ от гарантий и делимость положений
-
-ПРОГРАММНОЕ ОБЕСПЕЧЕНИЕ ПРЕДОСТАВЛЯЕТСЯ "КАК ЕСТЬ", БЕЗ КАКИХ-ЛИБО ГАРАНТИЙ, ЯВНЫХ ИЛИ ПОДРАЗУМЕВАЕМЫХ, ВКЛЮЧАЯ, НО НЕ ОГРАНИЧИВАЯСЬ ГАРАНТИЯМИ КОММЕРЧЕСКОЙ ПРИГОДНОСТИ, ПРИГОДНОСТИ ДЛЯ КОНКРЕТНОЙ ЦЕЛИ И НЕНАРУШЕНИЯ ПРАВ.
-
-НИ ПРИ КАКИХ ОБСТОЯТЕЛЬСТВАХ АВТОРЫ ИЛИ ПРАВООБЛАДАТЕЛИ НЕ НЕСУТ ОТВЕТСТВЕННОСТИ ПО КАКИМ-ЛИБО ТРЕБОВАНИЯМ, УБЫТКАМ ИЛИ ИНОЙ ОТВЕТСТВЕННОСТИ, ВОЗНИКАЮЩЕЙ В РЕЗУЛЬТАТЕ ДОГОВОРА, ДЕЛИКТА ИЛИ ИНЫМ ОБРАЗОМ, СВЯЗАННЫМ С ПРОГРАММНЫМ ОБЕСПЕЧЕНИЕМ ИЛИ ЕГО ИСПОЛЬЗОВАНИЕМ.
-
-В СЛУЧАЕ ЕСЛИ КАКОЕ-ЛИБО ПОЛОЖЕНИЕ НАСТОЯЩЕЙ ЛИЦЕНЗИИ ПРИЗНАЁТСЯ НЕДЕЙСТВИТЕЛЬНЫМ ИЛИ НЕПРИМЕНИМЫМ, ТАКОЕ ПОЛОЖЕНИЕ ПОДЛЕЖИТ ТОЛКОВАНИЮ МАКСИМАЛЬНО БЛИЗКО К ИСХОДНОМУ НАМЕРЕНИЮ СТОРОН, ПРИ ЭТОМ ОСТАЛЬНЫЕ ПОЛОЖЕНИЯ СОХРАНЯЮТ ПОЛНУЮ ЮРИДИЧЕСКУЮ СИЛУ.
@@ -0,0 +1,120 @@
+# TELEMT License 3.3
+
+***Copyright (c) 2026 Telemt***
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this Software and associated documentation files (the "Software"), to use, reproduce, modify, prepare derivative works of, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, provided that all copyright notices, license terms, and conditions set forth in this License are preserved and complied with.
+
+### Official Translations
+
+The canonical version of this License is the English version.
+Official translations are provided for informational purposes only and for convenience, and do not have legal force. In case of any discrepancy, the English version of this License shall prevail.
+
+| Language    | Location |
+|-------------|----------|
+| English     | [docs/LICENSE/TELEMT-LICENSE.en.md](https://github.com/telemt/telemt/tree/main/docs/LICENSE/TELEMT-LICENSE.en.md)|
+| German      | [docs/LICENSE/TELEMT-LICENSE.de.md](https://github.com/telemt/telemt/tree/main/docs/LICENSE/TELEMT-LICENSE.de.md)|
+| Russian     | [docs/LICENSE/TELEMT-LICENSE.ru.md](https://github.com/telemt/telemt/tree/main/docs/LICENSE/TELEMT-LICENSE.ru.md)|
+
+### License Versioning Policy
+
+This License is version 3.3 of the TELEMT License.
+Each version of the Software is licensed under the License that accompanies its corresponding source code distribution.
+
+Future versions of the Software may be distributed under a different version of the TELEMT Public License or under a different license, as determined by the Telemt maintainers.
+
+Any such change of license applies only to the versions of the Software distributed with the new license and SHALL NOT retroactively affect any previously released versions of the Software.
+
+Recipients of the Software are granted rights only under the License provided with the version of the Software they received.
+
+Redistributions of the Software, including Modified Versions, MUST preserve the copyright notices, license text, and conditions of this License for all portions of the Software derived from Telemt.
+
+Additional terms or licenses may be applied to modifications or additional code added by a redistributor, provided that such terms do not restrict or alter the rights granted under this License for the original Telemt Software.
+
+Nothing in this section limits the rights granted under this License for versions of the Software already released.
+
+### Definitions
+
+For the purposes of this License:
+
+**"Software"** means the Telemt software, including source code, documentation, and any associated files distributed under this License.
+
+**"Contributor"** means any person or entity that submits code, patches, documentation, or other contributions to the Software that are accepted into the Software by the maintainers.
+
+**"Contribution"** means any work of authorship intentionally submitted to the Software for inclusion in the Software.
+
+**"Modified Version"** means any version of the Software that has been changed, adapted, extended, or otherwise modified from the original Software.
+
+**"Maintainers"** means the individuals or entities responsible for the official Telemt project and its releases.
+
+### 1 Attribution
+
+Redistributions of the Software, in source or binary form, MUST RETAIN:
+
+- the above copyright notice;
+- this license text;
+- any existing attribution notices.
+
+### 2 Modification Notice
+
+If you modify the Software, you MUST clearly state that the Software has been modified and include a brief description of the changes made.
+
+Modified versions MUST NOT be presented as the original Telemt.
+
+### 3 Trademark and Branding
+
+This license DOES NOT grant permission to use the name "Telemt", the Telemt logo, or any Telemt trademarks or branding.
+
+Redistributed or modified versions of the Software MAY NOT use the Telemt name in a way that suggests endorsement or official origin without explicit permission from the Telemt maintainers.
+
+Use of the name "Telemt" to describe a modified version of the Software is permitted only if the modified version is clearly identified as a modified or unofficial version.
+
+Any distribution that could reasonably confuse users into believing that the software is an official Telemt release is prohibited.
+
+### 4 Binary Distribution Transparency
+
+If you distribute compiled binaries of the Software, you are ENCOURAGED to provide access to the corresponding source code and build instructions where reasonably possible.
+
+This helps preserve transparency and allows recipients to verify the integrity and reproducibility of distributed builds.
+
+### 5 Patent Grant and Defensive Termination Clause
+
+Each contributor grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable patent license to:
+
+- make,
+- have made,
+- use,
+- offer to sell,
+- sell,
+- import,
+- and otherwise transfer the Software.
+
+This patent license applies only to those patent claims necessarily infringed by the contributor’s contribution alone or by combination of their contribution with the Software.
+
+If you initiate or participate in any patent litigation, including cross-claims or counterclaims, alleging that the Software or any contribution incorporated within the Software constitutes patent infringement, then **all rights granted to you under this license shall terminate immediately** as of the date such litigation is filed.
+
+Additionally, if you initiate legal action alleging that the Software itself infringes your patent or other intellectual property rights, then all rights granted to you under this license SHALL TERMINATE automatically.
+
+### 6 Contributions
+
+Unless you explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Software shall be licensed under the terms of this License.
+
+By submitting a Contribution, you grant the Telemt maintainers and all recipients of the Software the rights described in this License with respect to that Contribution.
+
+### 7 Network Use Attribution
+
+If the Software is used to provide a publicly accessible network service, the operator of such service SHOULD provide attribution to Telemt in at least one of the following locations:
+
+- service documentation;
+- service description;
+- an "About" or similar informational page;
+- other user-visible materials reasonably associated with the service.
+
+Such attribution MUST NOT imply endorsement by the Telemt project or its maintainers.
+
+### 8 Disclaimer of Warranty and Severability Clause
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+IF ANY PROVISION OF THIS LICENSE IS HELD TO BE INVALID OR UNENFORCEABLE, SUCH PROVISION SHALL BE INTERPRETED TO REFLECT THE ORIGINAL INTENT OF THE PARTIES AS CLOSELY AS POSSIBLE, AND THE REMAINING PROVISIONS SHALL REMAIN IN FULL FORCE AND EFFECT.
@@ -0,0 +1,120 @@
+# TELEMT Лицензия 3.3
+
+***Copyright (c) 2026 Telemt***
+
+Настоящим безвозмездно предоставляется разрешение любому лицу, получившему копию данного программного обеспечения и сопутствующей документации (далее — "Программное обеспечение"), использовать, воспроизводить, изменять, создавать производные произведения, объединять, публиковать, распространять, сублицензировать и/или продавать копии Программного обеспечения, а также разрешать лицам, которым предоставляется Программное обеспечение, осуществлять указанные действия при условии соблюдения и сохранения всех уведомлений об авторском праве, условий и положений настоящей Лицензии.
+
+### Официальные переводы
+
+Канонической версией настоящей Лицензии является версия на английском языке.  
+Официальные переводы предоставляются исключительно в информационных целях и для удобства и не имеют юридической силы. В случае любых расхождений приоритет имеет английская версия.
+
+| Язык       | Расположение |
+|------------|--------------|
+| Русский    | [docs/LICENSE/TELEMT-LICENSE.ru.md](https://github.com/telemt/telemt/tree/main/docs/LICENSE/TELEMT-LICENSE.ru.md)|
+| Английский | [docs/LICENSE/TELEMT-LICENSE.en.md](https://github.com/telemt/telemt/tree/main/docs/LICENSE/TELEMT-LICENSE.en.md)|
+| Немецкий   | [docs/LICENSE/TELEMT-LICENSE.de.md](https://github.com/telemt/telemt/tree/main/docs/LICENSE/TELEMT-LICENSE.de.md)|
+
+### Политика версионирования лицензии
+
+Настоящая Лицензия является версией 3.3 Лицензии TELEMT.  
+Каждая версия Программного обеспечения лицензируется в соответствии с Лицензией, сопровождающей соответствующее распространение исходного кода.
+
+Будущие версии Программного обеспечения могут распространяться в соответствии с иной версией Лицензии TELEMT Public License либо под иной лицензией, определяемой мейнтейнерами Telemt.
+
+Любое такое изменение лицензии применяется исключительно к версиям Программного обеспечения, распространяемым с новой лицензией, и НЕ распространяется ретроактивно на ранее выпущенные версии Программного обеспечения.
+
+Получатели Программного обеспечения приобретают права исключительно в соответствии с Лицензией, предоставленной вместе с полученной ими версией Программного обеспечения.
+
+При распространении Программного обеспечения, включая Модифицированные версии, ОБЯЗАТЕЛЬНО сохранение уведомлений об авторском праве, текста лицензии и условий настоящей Лицензии в отношении всех частей Программного обеспечения, производных от Telemt.
+
+Дополнительные условия или лицензии могут применяться к модификациям или дополнительному коду, добавленному распространителем, при условии, что такие условия не ограничивают и не изменяют права, предоставленные настоящей Лицензией в отношении оригинального Программного обеспечения Telemt.
+
+Ничто в настоящем разделе не ограничивает права, предоставленные настоящей Лицензией в отношении уже выпущенных версий Программного обеспечения.
+
+### Определения
+
+Для целей настоящей Лицензии:
+
+**"Программное обеспечение"** означает программное обеспечение Telemt, включая исходный код, документацию и любые сопутствующие файлы, распространяемые в соответствии с настоящей Лицензией.
+
+**"Контрибьютор"** означает любое физическое или юридическое лицо, которое предоставляет код, исправления, документацию или иные материалы в качестве вклада в Программное обеспечение, принятые мейнтейнерами для включения в Программное обеспечение.
+
+**"Вклад"** означает любое произведение, сознательно представленное для включения в Программное обеспечение.
+
+**"Модифицированная версия"** означает любую версию Программного обеспечения, которая была изменена, адаптирована, расширена или иным образом модифицирована по сравнению с оригинальным Программным обеспечением.
+
+**"Мейнтейнеры"** означает физических или юридических лиц, ответственных за официальный проект Telemt и его релизы.
+
+### 1. Атрибуция
+
+При распространении Программного обеспечения, как в виде исходного кода, так и в бинарной форме, ОБЯЗАТЕЛЬНО СОХРАНЕНИЕ:
+
+- указанного выше уведомления об авторском праве;
+- текста настоящей Лицензии;
+- всех существующих уведомлений об атрибуции.
+
+### 2. Уведомление о модификациях
+
+В случае внесения изменений в Программное обеспечение вы ОБЯЗАНЫ явно указать факт модификации Программного обеспечения и включить краткое описание внесённых изменений.
+
+Модифицированные версии НЕ ДОЛЖНЫ представляться как оригинальное Программное обеспечение Telemt.
+
+### 3. Товарные знаки и брендинг
+
+Настоящая Лицензия НЕ предоставляет право на использование наименования "Telemt", логотипа Telemt или любых товарных знаков и элементов брендинга Telemt.
+
+Распространяемые или модифицированные версии Программного обеспечения НЕ МОГУТ использовать наименование Telemt таким образом, который может создавать впечатление одобрения или официального происхождения без явного разрешения мейнтейнеров Telemt.
+
+Использование наименования "Telemt" для описания модифицированной версии Программного обеспечения допускается только при условии, что такая версия чётко обозначена как модифицированная или неофициальная.
+
+Запрещается любое распространение, способное разумно ввести пользователей в заблуждение относительно того, что программное обеспечение является официальным релизом Telemt.
+
+### 4. Прозрачность распространения бинарных файлов
+
+В случае распространения скомпилированных бинарных файлов Программного обеспечения рекомендуется (ENCOURAGED) предоставлять доступ к соответствующему исходному коду и инструкциям по сборке, если это разумно возможно.
+
+Это способствует обеспечению прозрачности и позволяет получателям проверять целостность и воспроизводимость распространяемых сборок.
+
+### 5. Патентная лицензия и условие защитного прекращения
+
+Каждый контрибьютор предоставляет вам бессрочную, всемирную, неисключительную, безвозмездную, без лицензионных отчислений, безотзывную патентную лицензию на:
+
+- изготовление,
+- поручение изготовления,
+- использование,
+- предложение к продаже,
+- продажу,
+- импорт,
+- а также иные формы передачи Программного обеспечения.
+
+Данная патентная лицензия распространяется исключительно на те патентные притязания, которые неизбежно нарушаются вкладом контрибьютора отдельно либо в сочетании его вклада с Программным обеспечением.
+
+Если вы инициируете или участвуете в любом патентном судебном разбирательстве, включая встречные иски или требования, утверждая, что Программное обеспечение или любой Вклад, включённый в Программное обеспечение, нарушает патент, то **все предоставленные вам настоящей Лицензией права немедленно прекращаются** с даты подачи такого иска.
+
+Дополнительно, если вы инициируете судебное разбирательство, утверждая, что само Программное обеспечение нарушает ваш патент или иные права интеллектуальной собственности, все права, предоставленные вам настоящей Лицензией, ПРЕКРАЩАЮТСЯ автоматически.
+
+### 6. Вклады
+
+Если вы прямо не указали иное, любой Вклад, сознательно представленный для включения в Программное обеспечение, лицензируется на условиях настоящей Лицензии.
+
+Предоставляя Вклад, вы предоставляете мейнтейнерам Telemt и всем получателям Программного обеспечения права, предусмотренные настоящей Лицензией, в отношении такого Вклада.
+
+### 7. Атрибуция при сетевом использовании
+
+Если Программное обеспечение используется для предоставления общедоступного сетевого сервиса, оператор такого сервиса ДОЛЖЕН (SHOULD) обеспечить указание атрибуции Telemt как минимум в одном из следующих мест:
+
+- документация сервиса;
+- описание сервиса;
+- раздел "О программе" или аналогичная информационная страница;
+- иные материалы, доступные пользователю и разумно связанные с сервисом.
+
+Такая атрибуция НЕ ДОЛЖНА подразумевать одобрение со стороны проекта Telemt или его мейнтейнеров.
+
+### 8. Отказ от гарантий и оговорка о делимости
+
+ПРОГРАММНОЕ ОБЕСПЕЧЕНИЕ ПРЕДОСТАВЛЯЕТСЯ "КАК ЕСТЬ", БЕЗ КАКИХ-ЛИБО ГАРАНТИЙ, ЯВНЫХ ИЛИ ПОДРАЗУМЕВАЕМЫХ, ВКЛЮЧАЯ, В ЧАСТНОСТИ, ГАРАНТИИ ТОВАРНОЙ ПРИГОДНОСТИ, СООТВЕТСТВИЯ ОПРЕДЕЛЁННОЙ ЦЕЛИ И ОТСУТСТВИЯ НАРУШЕНИЙ ПРАВ.
+
+НИ ПРИ КАКИХ ОБСТОЯТЕЛЬСТВАХ АВТОРЫ ИЛИ ПРАВООБЛАДАТЕЛИ НЕ НЕСУТ ОТВЕТСТВЕННОСТИ ПО КАКИМ-ЛИБО ТРЕБОВАНИЯМ, УБЫТКАМ ИЛИ ИНОЙ ОТВЕТСТВЕННОСТИ, ВОЗНИКАЮЩИМ В РАМКАХ ДОГОВОРА, ДЕЛИКТА ИЛИ ИНЫМ ОБРАЗОМ, ИЗ, В СВЯЗИ С ИЛИ В РЕЗУЛЬТАТЕ ИСПОЛЬЗОВАНИЯ ПРОГРАММНОГО ОБЕСПЕЧЕНИЯ ИЛИ ИНЫХ ДЕЙСТВИЙ С НИМ.
+
+ЕСЛИ ЛЮБОЕ ПОЛОЖЕНИЕ НАСТОЯЩЕЙ ЛИЦЕНЗИИ ПРИЗНАЁТСЯ НЕДЕЙСТВИТЕЛЬНЫМ ИЛИ НЕПРИМЕНИМЫМ, ТАКОЕ ПОЛОЖЕНИЕ ПОДЛЕЖИТ ТОЛКОВАНИЮ МАКСИМАЛЬНО БЛИЗКО К ИСХОДНОМУ НАМЕРЕНИЮ СТОРОН, А ОСТАЛЬНЫЕ ПОЛОЖЕНИЯ СОХРАНЯЮТ ПОЛНУЮ СИЛУ И ДЕЙСТВИЕ.
@@ -1,3 +1,19 @@
+# Very quick start
+
+### One-command installation / update on re-run
+```bash
+curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh
+```
+### Installing a specific version
+```bash
+curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh -s -- 3.3.39
+```
+
+### Uninstall with full cleanup
+```bash
+curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh -s -- purge
+```
+
 # Telemt via Systemd

 ## Installation
@@ -62,28 +78,60 @@ nano /etc/telemt/telemt.toml
 Insert your configuration:

 ```toml
+### Telemt Based Config.toml
+# We believe that these settings are sufficient for most scenarios 
+# where cutting-egde methods and parameters or special solutions are not needed
+
 # === General Settings ===
 [general]
+use_middle_proxy = true
+# Global ad_tag fallback when user has no per-user tag in [access.user_ad_tags]
 # ad_tag = "00000000000000000000000000000000"
-use_middle_proxy = false
+# Per-user ad_tag in [access.user_ad_tags] (32 hex from @MTProxybot)
+
+# === Log Level ===
+# Log level: debug | verbose | normal | silent
+# Can be overridden with --silent or --log-level CLI flags
+# RUST_LOG env var takes absolute priority over all of these
+log_level = "normal"

 [general.modes]
 classic = false
 secure = false
 tls = true

+[general.links]
+show = "*"
+# show = ["alice", "bob"] # Only show links for alice and bob
+# show = "*"              # Show links for all users
+# public_host = "proxy.example.com"  # Host (IP or domain) for tg:// links
+# public_port = 443                  # Port for tg:// links (default: server.port)
+
+# === Server Binding ===
 [server]
 port = 443
+# proxy_protocol = false           # Enable if behind HAProxy/nginx with PROXY protocol
+# metrics_port = 9090
+# metrics_listen = "0.0.0.0:9090"  # Listen address for metrics (overrides metrics_port)
+# metrics_whitelist = ["127.0.0.1", "::1", "0.0.0.0/0"]

 [server.api]
 enabled = true
-# listen = "127.0.0.1:9091"
-# whitelist = ["127.0.0.1/32"]
-# read_only = true
+listen = "0.0.0.0:9091"
+whitelist = ["127.0.0.0/8"]
+minimal_runtime_enabled = false
+minimal_runtime_cache_ttl_ms = 1000
+
+# Listen on multiple interfaces/IPs - IPv4
+[[server.listeners]]
+ip = "0.0.0.0"

 # === Anti-Censorship & Masking ===
 [censorship]
 tls_domain = "petrovich.ru"
+mask = true
+tls_emulation = true        # Fetch real cert lengths and emulate TLS records
+tls_front_dir = "tlsfront"   # Cache directory for TLS emulation

 [access.users]
 # format: "username" = "32_hex_chars_secret"
@@ -128,8 +176,8 @@ WorkingDirectory=/opt/telemt
 ExecStart=/bin/telemt /etc/telemt/telemt.toml
 Restart=on-failure
 LimitNOFILE=65536
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 NoNewPrivileges=true

 [Install]
@@ -150,7 +198,7 @@ systemctl daemon-reload

 **7.** To get the link(s), enter:
 ```bash
-curl -s http://127.0.0.1:9091/v1/users | jq
+curl -s http://127.0.0.1:9091/v1/users | jq -r '.data[] | "[\(.username)]", (.links.classic[]? | "classic: \(.)"), (.links.secure[]? | "secure: \(.)"), (.links.tls[]? | "tls: \(.)"), ""'
 ```

 > Any number of people can use one link.
@@ -1,4 +1,20 @@
-# Telemt через Systemd
+# Очень быстрый старт
+
+### Установка одной командой / обновление при повторном запуске
+```bash
+curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh
+```
+### Установка нужной версии
+```bash
+curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh -s -- 3.3.39
+```
+
+### Удаление с полной очисткой
+```bash
+curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh -s -- purge
+```
+
+# Telemt через Systemd вручную

 ## Установка

@@ -62,31 +78,63 @@ nano /etc/telemt/telemt.toml
 Вставьте свою конфигурацию

 ```toml
-# === General Settings ===
+### Конфигурационный файл на основе Telemt
+# Мы полагаем, что этих настроек достаточно для большинства сценариев, 
+# где не требуются передовые методы, параметры или специальные решения
+
+# === Общие настройки ===
 [general]
+use_middle_proxy = true
+# Глобальный ad_tag, если у пользователя нет индивидуального тега в [access.user_ad_tags]
 # ad_tag = "00000000000000000000000000000000"
-use_middle_proxy = false
+# Индивидуальный ad_tag в [access.user_ad_tags] (32 шестнадцатеричных символа от @MTProxybot)
+
+# === Уровень логирования ===
+# Уровень логирования: debug | verbose | normal | silent
+# Можно переопределить с помощью флагов командной строки --silent или --log-level
+# Переменная окружения RUST_LOG имеет абсолютный приоритет над всеми этими настройками
+log_level = "normal"

 [general.modes]
 classic = false
 secure = false
 tls = true

+[general.links]
+show = "*"
+# show = ["alice", "bob"] # Показывать ссылки только для alice и bob
+# show = "*"              # Показывать ссылки для всех пользователей
+# public_host = "proxy.example.com"  # Хост (IP-адрес или домен) для ссылок tg://
+# public_port = 443                  # Порт для ссылок tg:// (по умолчанию: server.port)
+
+# === Привязка сервера ===
 [server]
 port = 443
+# proxy_protocol = false           # Включите, если сервер находится за HAProxy/nginx с протоколом PROXY
+# metrics_port = 9090
+# metrics_listen = "0.0.0.0:9090"  # Адрес прослушивания для метрик (переопределяет metrics_port)
+# metrics_whitelist = ["127.0.0.1", "::1", "0.0.0.0/0"]

 [server.api]
 enabled = true
-# listen = "127.0.0.1:9091"
-# whitelist = ["127.0.0.1/32"]
-# read_only = true
+listen = "0.0.0.0:9091"
+whitelist = ["127.0.0.0/8"]
+minimal_runtime_enabled = false
+minimal_runtime_cache_ttl_ms = 1000

-# === Anti-Censorship & Masking ===
+# Прослушивание на нескольких интерфейсах/IP-адресах - IPv4
+[[server.listeners]]
+ip = "0.0.0.0"
+
+# === Обход блокировок и маскировка ===
 [censorship]
 tls_domain = "petrovich.ru"
+mask = true
+tls_emulation = true        # Получить реальную длину сертификата и эмулировать запись TLS
+tls_front_dir = "tlsfront"   # Директория кэша для эмуляции TLS

 [access.users]
-# format: "username" = "32_hex_chars_secret"
+# формат: "имя_пользователя" = "секрет_из_32_шестнадцатеричных_символов"
 hello = "00000000000000000000000000000000"
 ```

@@ -128,8 +176,8 @@ WorkingDirectory=/opt/telemt
 ExecStart=/bin/telemt /etc/telemt/telemt.toml
 Restart=on-failure
 LimitNOFILE=65536
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 NoNewPrivileges=true

 [Install]
@@ -150,7 +198,7 @@ systemctl daemon-reload

 **7.** Для получения ссылки/ссылок введите 
 ```bash
-curl -s http://127.0.0.1:9091/v1/users | jq
+curl -s http://127.0.0.1:9091/v1/users | jq -r '.data[] | "[\(.username)]", (.links.classic[]? | "classic: \(.)"), (.links.secure[]? | "secure: \(.)"), (.links.tls[]? | "tls: \(.)"), ""'
 ```
 > Одной ссылкой может пользоваться сколько угодно человек.

@@ -163,7 +163,7 @@ PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
 ---

 ## Step 2. Installing telemt on Server B (conditionally Netherlands)
-Installation and configuration are described [here](https://github.com/telemt/telemt/blob/main/docs/QUICK_START_GUIDE.ru.md) or [here](https://gitlab.com/An0nX/telemt-docker#-quick-start-docker-compose).\
+Installation and configuration are described [here](https://github.com/telemt/telemt/blob/main/docs/Quick_start/QUICK_START_GUIDE.en.md) or [here](https://gitlab.com/An0nX/telemt-docker#-quick-start-docker-compose).\
 It is assumed that telemt expects connections on port `443\tcp`.

 In the telemt config, you must enable the `Proxy` protocol and restrict connections to it only through the tunnel.
@@ -166,7 +166,7 @@ PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.

 ## Шаг 2. Установка telemt на Сервере B (_условно Нидерланды_)

-Установка и настройка описаны [здесь](https://github.com/telemt/telemt/blob/main/docs/QUICK_START_GUIDE.ru.md) или [здесь](https://gitlab.com/An0nX/telemt-docker#-quick-start-docker-compose).\
+Установка и настройка описаны [здесь](https://github.com/telemt/telemt/blob/main/docs/Quick_start/QUICK_START_GUIDE.ru.md) или [здесь](https://gitlab.com/An0nX/telemt-docker#-quick-start-docker-compose).\
 Подразумевается что telemt ожидает подключения на порту `443\tcp`.

 В конфиге telemt необходимо включить протокол `Proxy` и ограничить подключения к нему только через туннель.
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg width="100%" height="100%" viewBox="0 0 150 30" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2;"><path d="M150,15c0,8.279 -6.721,15 -15,15l-120,0c-8.279,0 -15,-6.721 -15,-15c0,-8.279 6.721,-15 15,-15l120,0c8.279,0 15,6.721 15,15Z" style="fill:#24a1ed;"/><g transform="matrix(20.833333,0,0,20.833333,111.464184,22.329305)"></g><text x="39.666px" y="22.329px" style="font-family:'ArialMT', 'Arial', sans-serif;font-size:20.833px;fill:#fff;">Join us!</text></svg>
@@ -8,31 +8,257 @@ CONFIG_DIR="${CONFIG_DIR:-/etc/telemt}"
 CONFIG_FILE="${CONFIG_FILE:-${CONFIG_DIR}/telemt.toml}"
 WORK_DIR="${WORK_DIR:-/opt/telemt}"
 TLS_DOMAIN="${TLS_DOMAIN:-petrovich.ru}"
+SERVER_PORT="${SERVER_PORT:-443}"
+USER_SECRET=""
+AD_TAG=""
 SERVICE_NAME="telemt"
 TEMP_DIR=""
 SUDO=""
 CONFIG_PARENT_DIR=""
 SERVICE_START_FAILED=0

+PORT_PROVIDED=0
+SECRET_PROVIDED=0
+AD_TAG_PROVIDED=0
+DOMAIN_PROVIDED=0
+LANG_PROVIDED=0
+
 ACTION="install"
 TARGET_VERSION="${VERSION:-latest}"
+LANG_CHOICE="en"
+
+set_language() {
+    case "$1" in
+        ru)
+            L_ERR_DOMAIN_REQ="требует аргумент (домен)."
+            L_ERR_PORT_REQ="требует аргумент (порт)."
+            L_ERR_PORT_NUM="Порт должен быть числом."
+            L_ERR_PORT_RANGE="Порт должен быть от 1 до 65535."
+            L_ERR_SECRET_REQ="требует аргумент (секрет)."
+            L_ERR_SECRET_HEX="Секрет должен содержать только HEX символы."
+            L_ERR_SECRET_LEN="Секрет должен состоять ровно из 32 символов."
+            L_ERR_ADTAG_REQ="требует аргумент (ad_tag)."
+            L_ERR_UNKNOWN_OPT="Неизвестная опция:"
+            L_WARN_EXTRA_ARG="Игнорируется лишний аргумент:"
+            L_ERR_REQ_ARG="требует аргумент (1, 2, en или ru)."
+            L_ERR_EMPTY_VAR="не может быть пустым."
+            L_ERR_INV_VER="Недопустимые символы в версии."
+            L_ERR_INV_BIN="Недопустимые символы в BIN_NAME."
+            L_ERR_ROOT="Для работы скрипта требуются права root или sudo."
+            L_ERR_SUDO_TTY="sudo требует пароль, но терминал (TTY) не обнаружен."
+            L_ERR_DIR_CHECK="Ошибка: конфиг является директорией."
+            L_ERR_CMD_NOT_FOUND="Необходимая команда не найдена:"
+            L_ERR_NO_DL_TOOL="Не установлен curl или wget."
+            L_ERR_NO_CP_TOOL="Необходима утилита cp или install."
+            L_WARN_NO_NET_TOOL="Утилиты сети не найдены. Проверка порта пропущена."
+            L_INFO_PORT_IGNORE="Порт занят текущим процессом телеметрии. Игнорируем."
+            L_ERR_PORT_IN_USE="Порт уже занят другим процессом:"
+            L_ERR_PORT_FREE="Освободите порт или укажите другой и попробуйте снова."
+            L_ERR_UNSUP_ARCH="Неподдерживаемая архитектура:"
+            L_ERR_CREATE_GRP="Не удалось создать группу"
+            L_ERR_CREATE_USR="Не удалось создать пользователя"
+            L_ERR_MKDIR="Не удалось создать директории"
+            L_ERR_INSTALL_DIR="не является директорией."
+            L_ERR_BIN_INSTALL="Не удалось установить бинарный файл"
+            L_ERR_BIN_COPY="Не удалось скопировать бинарный файл"
+            L_ERR_BIN_EXEC="Бинарный файл не исполняемый."
+            L_ERR_GEN_SEC="Не удалось сгенерировать секрет."
+            L_INFO_CONF_EXISTS="Конфиг уже существует. Обновление параметров..."
+            L_INFO_UPD_PORT="Обновлен порт:"
+            L_INFO_UPD_SEC="Обновлен секрет для пользователя 'hello'"
+            L_INFO_UPD_DOM="Обновлен tls_domain:"
+            L_INFO_UPD_TAG="Обновлен ad_tag"
+            L_ERR_CONF_INST="Не удалось установить конфиг"
+            L_INFO_CONF_OK="Конфиг успешно создан."
+            L_INFO_CONF_SEC="Настроен секрет для пользователя 'hello':"
+            L_WARN_SVC_FAIL="Не удалось запустить службу"
+            L_INFO_MANUAL_START="Менеджер служб не найден. Запустите вручную:"
+            L_INFO_UNINST_START="Начинается удаление"
+            L_U_STAGE_1=">>> Этап 1: Остановка служб"
+            L_U_STAGE_2=">>> Этап 2: Удаление конфигурации службы"
+            L_U_STAGE_3=">>> Этап 3: Завершение процессов пользователя"
+            L_U_STAGE_4=">>> Этап 4: Удаление бинарного файла"
+            L_U_STAGE_5=">>> Этап 5: Полная очистка (конфиг, данные, пользователь)"
+            L_INFO_KEEP_CONF="Примечание: Конфигурация сохранена. Используйте 'purge' для очистки."
+            L_INFO_I_START="Начинается установка"
+            L_I_STAGE_1=">>> Этап 1: Проверка окружения и зависимостей"
+            L_I_STAGE_1_5=">>> Этап 1.5: Интерактивная настройка"
+            L_I_PROMPT_DOM="\nПожалуйста, укажите домен TLS\nНажмите Enter, чтобы оставить по умолчанию [%s]: "
+            L_WARN_NO_TTY="Интерактивный режим недоступен (нет TTY). Используется:"
+            L_I_STAGE_2=">>> Этап 2: Загрузка архива"
+            L_ERR_TMP_DIR="Не удалось создать временную директорию"
+            L_ERR_TMP_INV="Временная директория недействительна"
+            L_INFO_FALLBACK="Сборка x86_64-v3 не найдена, откат к стандартной x86_64..."
+            L_ERR_DL_FAIL="Ошибка загрузки архива"
+            L_I_STAGE_3=">>> Этап 3: Распаковка архива"
+            L_ERR_EXTRACT="Ошибка распаковки архива."
+            L_ERR_BIN_NOT_FOUND="Бинарный файл не найден в архиве"
+            L_I_STAGE_4=">>> Этап 4: Настройка окружения (Юзер, Группа, Папки)"
+            L_I_STAGE_5=">>> Этап 5: Установка бинарного файла"
+            L_I_STAGE_6=">>> Этап 6: Генерация/Обновление конфигурации"
+            L_I_STAGE_7=">>> Этап 7: Установка и запуск службы"
+            L_OUT_WARN_H="УСТАНОВКА ЗАВЕРШЕНА С ПРЕДУПРЕЖДЕНИЯМИ"
+            L_OUT_WARN_D="Служба установлена, но не запустилась.\nПожалуйста, проверьте логи.\n"
+            L_OUT_SUCC_H="УСТАНОВКА УСПЕШНО ЗАВЕРШЕНА"
+            L_OUT_UNINST_H="УДАЛЕНИЕ ЗАВЕРШЕНО"
+            L_OUT_LINK="Ваша ссылка для подключения к Telegram Proxy:\n"
+            ;;
+        *)
+            L_ERR_DOMAIN_REQ="requires a domain argument."
+            L_ERR_PORT_REQ="requires a port argument."
+            L_ERR_PORT_NUM="Port must be a valid number."
+            L_ERR_PORT_RANGE="Port must be between 1 and 65535."
+            L_ERR_SECRET_REQ="requires a secret argument."
+            L_ERR_SECRET_HEX="Secret must contain only hex characters."
+            L_ERR_SECRET_LEN="Secret must be exactly 32 chars."
+            L_ERR_ADTAG_REQ="requires an ad_tag argument."
+            L_ERR_UNKNOWN_OPT="Unknown option:"
+            L_WARN_EXTRA_ARG="Ignoring extra argument:"
+            L_ERR_REQ_ARG="requires an argument (1, 2, en, ru)."
+            L_ERR_EMPTY_VAR="cannot be empty."
+            L_ERR_INV_VER="Invalid characters in version."
+            L_ERR_INV_BIN="Invalid characters in BIN_NAME."
+            L_ERR_ROOT="This script requires root or sudo."
+            L_ERR_SUDO_TTY="sudo requires a password, but no TTY detected."
+            L_ERR_DIR_CHECK="Safety check failed: Config is a directory."
+            L_ERR_CMD_NOT_FOUND="Required command not found:"
+            L_ERR_NO_DL_TOOL="Neither curl nor wget is installed."
+            L_ERR_NO_CP_TOOL="Need cp or install."
+            L_WARN_NO_NET_TOOL="Network tools not found. Skipping port check."
+            L_INFO_PORT_IGNORE="Port is in use by telemt. Ignoring as it will be restarted."
+            L_ERR_PORT_IN_USE="Port is already in use by another process:"
+            L_ERR_PORT_FREE="Please free the port or change it and try again."
+            L_ERR_UNSUP_ARCH="Unsupported architecture:"
+            L_ERR_CREATE_GRP="Cannot create group"
+            L_ERR_CREATE_USR="Cannot create user"
+            L_ERR_MKDIR="Failed to create directories"
+            L_ERR_INSTALL_DIR="is not a directory."
+            L_ERR_BIN_INSTALL="Failed to install binary"
+            L_ERR_BIN_COPY="Failed to copy binary"
+            L_ERR_BIN_EXEC="Binary not executable."
+            L_ERR_GEN_SEC="Failed to generate secret."
+            L_INFO_CONF_EXISTS="Config already exists. Updating parameters..."
+            L_INFO_UPD_PORT="Updated port:"
+            L_INFO_UPD_SEC="Updated secret for user 'hello'"
+            L_INFO_UPD_DOM="Updated tls_domain:"
+            L_INFO_UPD_TAG="Updated ad_tag"
+            L_ERR_CONF_INST="Failed to install config"
+            L_INFO_CONF_OK="Config created successfully."
+            L_INFO_CONF_SEC="Configured secret for user 'hello':"
+            L_WARN_SVC_FAIL="Failed to start service"
+            L_INFO_MANUAL_START="Service manager not found. Start manually:"
+            L_INFO_UNINST_START="Starting uninstallation of"
+            L_U_STAGE_1=">>> Stage 1: Stopping services"
+            L_U_STAGE_2=">>> Stage 2: Removing service configuration"
+            L_U_STAGE_3=">>> Stage 3: Terminating user processes"
+            L_U_STAGE_4=">>> Stage 4: Removing binary"
+            L_U_STAGE_5=">>> Stage 5: Purging configuration, data, and user"
+            L_INFO_KEEP_CONF="Note: Configuration kept. Run with 'purge' to remove completely."
+            L_INFO_I_START="Starting installation of"
+            L_I_STAGE_1=">>> Stage 1: Verifying environment and dependencies"
+            L_I_STAGE_1_5=">>> Stage 1.5: Interactive Setup"
+            L_I_PROMPT_DOM="\nPlease specify the TLS Domain\nPress Enter to keep default [%s]: "
+            L_WARN_NO_TTY="Interactive mode unavailable (no TTY). Using:"
+            L_I_STAGE_2=">>> Stage 2: Downloading archive"
+            L_ERR_TMP_DIR="Temp directory creation failed"
+            L_ERR_TMP_INV="Temp directory is invalid or was not created"
+            L_INFO_FALLBACK="x86_64-v3 build not found, falling back to standard x86_64..."
+            L_ERR_DL_FAIL="Download failed"
+            L_I_STAGE_3=">>> Stage 3: Extracting archive"
+            L_ERR_EXTRACT="Extraction failed."
+            L_ERR_BIN_NOT_FOUND="Binary not found in archive"
+            L_I_STAGE_4=">>> Stage 4: Setting up environment (User, Group, Directories)"
+            L_I_STAGE_5=">>> Stage 5: Installing binary"
+            L_I_STAGE_6=">>> Stage 6: Generating/Updating configuration"
+            L_I_STAGE_7=">>> Stage 7: Installing and starting service"
+            L_OUT_WARN_H="INSTALLATION COMPLETED WITH WARNINGS"
+            L_OUT_WARN_D="The service was installed but failed to start.\nPlease check the logs to determine the issue.\n"
+            L_OUT_SUCC_H="INSTALLATION SUCCESS"
+            L_OUT_UNINST_H="UNINSTALLATION COMPLETE"
+            L_OUT_LINK="Your Telegram Proxy connection link:\n"
+            ;;
+    esac
+}
+
+set_language "$LANG_CHOICE"

 while [ $# -gt 0 ]; do
    case "$1" in
        -h|--help) ACTION="help"; shift ;;
+        -l|--lang)
+            if [ "$#" -lt 2 ] || [ -z "$2" ]; then
+                printf '[ERROR] %s %s\n' "$1" "$L_ERR_REQ_ARG" >&2; exit 1
+            fi
+            case "$2" in
+                ru|2) LANG_CHOICE="ru"; set_language "$LANG_CHOICE"; LANG_PROVIDED=1 ;;
+                en|1) LANG_CHOICE="en"; set_language "$LANG_CHOICE"; LANG_PROVIDED=1 ;;
+                *) printf '[ERROR] %s %s\n' "$1" "$L_ERR_REQ_ARG" >&2; exit 1 ;;
+            esac
+            shift 2 ;;
+        -d|--domain)
+            if [ "$#" -lt 2 ] || [ -z "$2" ]; then
+                printf '[ERROR] %s %s\n' "$1" "$L_ERR_DOMAIN_REQ" >&2; exit 1
+            fi
+            TLS_DOMAIN="$2"; DOMAIN_PROVIDED=1; shift 2 ;;
+        -p|--port)
+            if [ "$#" -lt 2 ] || [ -z "$2" ]; then
+                printf '[ERROR] %s %s\n' "$1" "$L_ERR_PORT_REQ" >&2; exit 1
+            fi
+            case "$2" in
+                *[!0-9]*) printf '[ERROR] %s\n' "$L_ERR_PORT_NUM" >&2; exit 1 ;;
+            esac
+            port_num="$(printf '%s\n' "$2" | sed 's/^0*//')"
+            [ -z "$port_num" ] && port_num="0"
+            if [ "${#port_num}" -gt 5 ] || [ "$port_num" -lt 1 ] || [ "$port_num" -gt 65535 ]; then
+                printf '[ERROR] %s\n' "$L_ERR_PORT_RANGE" >&2; exit 1
+            fi
+            SERVER_PORT="$port_num"; PORT_PROVIDED=1; shift 2 ;;
+        -s|--secret)
+            if [ "$#" -lt 2 ] || [ -z "$2" ]; then
+                printf '[ERROR] %s %s\n' "$1" "$L_ERR_SECRET_REQ" >&2; exit 1
+            fi
+            case "$2" in
+                *[!0-9a-fA-F]*) printf '[ERROR] %s\n' "$L_ERR_SECRET_HEX" >&2; exit 1 ;;
+            esac
+            if [ "${#2}" -ne 32 ]; then
+                printf '[ERROR] %s\n' "$L_ERR_SECRET_LEN" >&2; exit 1
+            fi
+            USER_SECRET="$2"; SECRET_PROVIDED=1; shift 2 ;;
+        -a|--ad-tag|--ad_tag)
+            if [ "$#" -lt 2 ] || [ -z "$2" ]; then
+                printf '[ERROR] %s %s\n' "$1" "$L_ERR_ADTAG_REQ" >&2; exit 1
+            fi
+            AD_TAG="$2"; AD_TAG_PROVIDED=1; shift 2 ;;
        uninstall|--uninstall)
            if [ "$ACTION" != "purge" ]; then ACTION="uninstall"; fi
            shift ;;
        purge|--purge) ACTION="purge"; shift ;;
        install|--install) ACTION="install"; shift ;;
-        -*) printf '[ERROR] Unknown option: %s\n' "$1" >&2; exit 1 ;;
+        -*) printf '[ERROR] %s %s\n' "$L_ERR_UNKNOWN_OPT" "$1" >&2; exit 1 ;;
        *)
            if [ "$ACTION" = "install" ]; then TARGET_VERSION="$1"
-            else printf '[WARNING] Ignoring extra argument: %s\n' "$1" >&2; fi
+            else printf '[WARNING] %s %s\n' "$L_WARN_EXTRA_ARG" "$1" >&2; fi
            shift ;;
    esac
 done

+if [ "$ACTION" != "help" ] && [ "$LANG_PROVIDED" -eq 0 ]; then
+    if [ -t 0 ] || [ -c /dev/tty ]; then
+        printf "\nSelect language / Выберите язык:\n"
+        printf "  1) English (default)\n"
+        printf "  2) Русский\n"
+        printf "Your choice / Ваш выбор [1/2]: "
+        read -r input_lang </dev/tty || input_lang=""
+        case "$input_lang" in
+            2) LANG_CHOICE="ru" ;;
+            *) LANG_CHOICE="en" ;;
+        esac
+    else
+        LANG_CHOICE="en"
+    fi
+    set_language "$LANG_CHOICE"
+fi
+
 say() {
    if [ "$#" -eq 0 ] || [ -z "${1:-}" ]; then
        printf '\n'
@@ -52,11 +278,33 @@ cleanup() {
 trap cleanup EXIT INT TERM

 show_help() {
-    say "Usage: $0 [ <version> | install | uninstall | purge | --help ]"
-    say "  <version>    Install specific version (e.g. 3.3.15, default: latest)"
-    say "  install      Install the latest version"
-    say "  uninstall    Remove the binary and service (keeps config and user)"
-    say "  purge        Remove everything including configuration, data, and user"
+    if [ "$LANG_CHOICE" = "ru" ]; then
+        say "Использование: $0 [ <версия> | install | uninstall | purge ] [ опции ]"
+        say "  <версия>     Установить конкретную версию (например, 3.3.15, по умолчанию: latest)"
+        say "  install      Установить последнюю версию"
+        say "  uninstall    Удалить бинарный файл и службу"
+        say "  purge        Полностью удалить вместе с конфигурацией, данными и пользователем"
+        say ""
+        say "Опции:"
+        say "  -d, --domain Указать домен TLS (по умолчанию: petrovich.ru)"
+        say "  -p, --port   Указать порт сервера (по умолчанию: 443)"
+        say "  -s, --secret Указать секрет пользователя (32 hex символа)"
+        say "  -a, --ad-tag Указать ad_tag"
+        say "  -l, --lang   Выбрать язык вывода (1/en или 2/ru)"
+    else
+        say "Usage: $0 [ <version> | install | uninstall | purge ] [ options ]"
+        say "  <version>    Install specific version (e.g. 3.3.15, default: latest)"
+        say "  install      Install the latest version"
+        say "  uninstall    Remove the binary and service"
+        say "  purge        Remove everything including configuration, data, and user"
+        say ""
+        say "Options:"
+        say "  -d, --domain Set TLS domain (default: petrovich.ru)"
+        say "  -p, --port   Set server port (default: 443)"
+        say "  -s, --secret Set specific user secret (32 hex characters)"
+        say "  -a, --ad-tag Set ad_tag"
+        say "  -l, --lang   Set output language (1/en or 2/ru)"
+    fi
    exit 0
 }

@@ -73,13 +321,13 @@ get_realpath() {
    path_in="$1"
    case "$path_in" in /*) ;; *) path_in="$(pwd)/$path_in" ;; esac

-    if command -v realpath >/dev/null 2>&1; then 
+    if command -v realpath >/dev/null 2>&1; then
        if realpath_out="$(realpath -m "$path_in" 2>/dev/null)"; then
            printf '%s\n' "$realpath_out"
            return
        fi
    fi
-    
+
    if command -v readlink >/dev/null 2>&1; then
        resolved_path="$(readlink -f "$path_in" 2>/dev/null || true)"
        if [ -n "$resolved_path" ]; then
@@ -112,18 +360,22 @@ get_svc_mgr() {
    else echo "none"; fi
 }

+is_config_exists() {
+    if [ -n "$SUDO" ]; then
+        $SUDO sh -c '[ -f "$1" ]' _ "$CONFIG_FILE"
+    else
+        [ -f "$CONFIG_FILE" ]
+    fi
+}
+
 verify_common() {
-    [ -n "$BIN_NAME" ] || die "BIN_NAME cannot be empty."
-    [ -n "$INSTALL_DIR" ] || die "INSTALL_DIR cannot be empty."
-    [ -n "$CONFIG_DIR" ] || die "CONFIG_DIR cannot be empty."
-    [ -n "$CONFIG_FILE" ] || die "CONFIG_FILE cannot be empty."
+    [ -n "$BIN_NAME" ] || die "BIN_NAME $L_ERR_EMPTY_VAR"
+    [ -n "$INSTALL_DIR" ] || die "INSTALL_DIR $L_ERR_EMPTY_VAR"
+    [ -n "$CONFIG_DIR" ] || die "CONFIG_DIR $L_ERR_EMPTY_VAR"
+    [ -n "$CONFIG_FILE" ] || die "CONFIG_FILE $L_ERR_EMPTY_VAR"

-    case "${INSTALL_DIR}${CONFIG_DIR}${WORK_DIR}${CONFIG_FILE}" in
-        *[!a-zA-Z0-9_./-]*) die "Invalid characters in paths. Only alphanumeric, _, ., -, and / allowed." ;;
-    esac
-
-    case "$TARGET_VERSION" in *[!a-zA-Z0-9_.-]*) die "Invalid characters in version." ;; esac
-    case "$BIN_NAME" in *[!a-zA-Z0-9_-]*) die "Invalid characters in BIN_NAME." ;; esac
+    case "$TARGET_VERSION" in *[!a-zA-Z0-9_.-]*) die "$L_ERR_INV_VER" ;; esac
+    case "$BIN_NAME" in *[!a-zA-Z0-9_-]*) die "$L_ERR_INV_BIN" ;; esac

    INSTALL_DIR="$(get_realpath "$INSTALL_DIR")"
    CONFIG_DIR="$(get_realpath "$CONFIG_DIR")"
@@ -137,64 +389,83 @@ verify_common() {
    if [ "$(id -u)" -eq 0 ]; then
        SUDO=""
    else
-        command -v sudo >/dev/null 2>&1 || die "This script requires root or sudo. Neither found."
+        command -v sudo >/dev/null 2>&1 || die "$L_ERR_ROOT"
        SUDO="sudo"
        if ! sudo -n true 2>/dev/null; then
            if ! [ -t 0 ]; then
-                die "sudo requires a password, but no TTY detected. Aborting to prevent hang."
+                die "$L_ERR_SUDO_TTY"
            fi
        fi
    fi

    if [ -n "$SUDO" ]; then
        if $SUDO sh -c '[ -d "$1" ]' _ "$CONFIG_FILE"; then
-            die "Safety check failed: CONFIG_FILE '$CONFIG_FILE' is a directory."
+            die "$L_ERR_DIR_CHECK"
        fi
    elif [ -d "$CONFIG_FILE" ]; then
-        die "Safety check failed: CONFIG_FILE '$CONFIG_FILE' is a directory."
+        die "$L_ERR_DIR_CHECK"
    fi

-    for path in "$CONFIG_DIR" "$CONFIG_PARENT_DIR" "$WORK_DIR"; do
-        check_path="$(get_realpath "$path")"
-        case "$check_path" in
-            /|/bin|/sbin|/usr|/usr/bin|/usr/sbin|/usr/local|/usr/local/bin|/usr/local/sbin|/usr/local/etc|/usr/local/share|/etc|/var|/var/lib|/var/log|/var/run|/home|/root|/tmp|/lib|/lib64|/opt|/run|/boot|/dev|/sys|/proc)
-                die "Safety check failed: '$path' (resolved to '$check_path') is a critical system directory." ;;
-        esac
-    done
-
-    check_install_dir="$(get_realpath "$INSTALL_DIR")"
-    case "$check_install_dir" in
-        /|/etc|/var|/home|/root|/tmp|/usr|/usr/local|/opt|/boot|/dev|/sys|/proc|/run)
-            die "Safety check failed: INSTALL_DIR '$INSTALL_DIR' is a critical system directory." ;;
-    esac
-
-    for cmd in id uname grep find rm chown chmod mv mktemp mkdir tr dd sed ps head sleep cat tar gzip rmdir; do
-        command -v "$cmd" >/dev/null 2>&1 || die "Required command not found: $cmd"
+    for cmd in id uname awk grep find rm chown chmod mv mktemp mkdir tr dd sed ps head sleep cat tar gzip; do
+        command -v "$cmd" >/dev/null 2>&1 || die "$L_ERR_CMD_NOT_FOUND $cmd"
    done
 }

 verify_install_deps() {
-    command -v curl >/dev/null 2>&1 || command -v wget >/dev/null 2>&1 || die "Neither curl nor wget is installed."
-    command -v cp >/dev/null 2>&1 || command -v install >/dev/null 2>&1 || die "Need cp or install"
+    command -v curl >/dev/null 2>&1 || command -v wget >/dev/null 2>&1 || die "$L_ERR_NO_DL_TOOL"
+    command -v cp >/dev/null 2>&1 || command -v install >/dev/null 2>&1 || die "$L_ERR_NO_CP_TOOL"

    if ! command -v setcap >/dev/null 2>&1; then
        if command -v apk >/dev/null 2>&1; then
-            $SUDO apk add --no-cache libcap-utils >/dev/null 2>&1 || $SUDO apk add --no-cache libcap >/dev/null 2>&1 || true
+            $SUDO apk add --no-cache libcap-utils libcap >/dev/null 2>&1 || true
        elif command -v apt-get >/dev/null 2>&1; then
-            $SUDO apt-get update -q >/dev/null 2>&1 || true
-            $SUDO apt-get install -y -q libcap2-bin >/dev/null 2>&1 || true
+            $SUDO env DEBIAN_FRONTEND=noninteractive apt-get install -y -q libcap2-bin >/dev/null 2>&1 || {
+                $SUDO env DEBIAN_FRONTEND=noninteractive apt-get update -q >/dev/null 2>&1 || true
+                $SUDO env DEBIAN_FRONTEND=noninteractive apt-get install -y -q libcap2-bin >/dev/null 2>&1 || true
+            }
        elif command -v dnf >/dev/null 2>&1; then $SUDO dnf install -y -q libcap >/dev/null 2>&1 || true
        elif command -v yum >/dev/null 2>&1; then $SUDO yum install -y -q libcap >/dev/null 2>&1 || true
        fi
    fi
 }

+check_port_availability() {
+    port_info=""
+
+    if command -v ss >/dev/null 2>&1; then
+        port_info=$($SUDO ss -tulnp 2>/dev/null | grep -E ":${SERVER_PORT}([[:space:]]|$)" || true)
+    elif command -v netstat >/dev/null 2>&1; then
+        port_info=$($SUDO netstat -tulnp 2>/dev/null | grep -E ":${SERVER_PORT}([[:space:]]|$)" || true)
+    elif command -v lsof >/dev/null 2>&1; then
+        port_info=$($SUDO lsof -i :${SERVER_PORT} 2>/dev/null | grep LISTEN || true)
+    else
+        say "[WARNING] $L_WARN_NO_NET_TOOL"
+        return 0
+    fi
+
+    if [ -n "$port_info" ]; then
+        if printf '%s\n' "$port_info" | grep -q "${BIN_NAME}"; then
+            say "  -> $L_INFO_PORT_IGNORE"
+        else
+            say "[ERROR] $L_ERR_PORT_IN_USE $SERVER_PORT:"
+            printf '  %s\n' "$port_info"
+            die "$L_ERR_PORT_FREE"
+        fi
+    fi
+}
+
 detect_arch() {
    sys_arch="$(uname -m)"
    case "$sys_arch" in
-        x86_64|amd64) echo "x86_64" ;;
+        x86_64|amd64)
+            if [ -r /proc/cpuinfo ] && grep -q "avx2" /proc/cpuinfo 2>/dev/null && grep -q "bmi2" /proc/cpuinfo 2>/dev/null; then
+                echo "x86_64-v3"
+            else
+                echo "x86_64"
+            fi
+            ;;
        aarch64|arm64) echo "aarch64" ;;
-        *) die "Unsupported architecture: $sys_arch" ;;
+        *) die "$L_ERR_UNSUP_ARCH $sys_arch" ;;
    esac
 }

@@ -218,7 +489,7 @@ ensure_user_group() {
    if ! check_os_entity group telemt; then
        if command -v groupadd >/dev/null 2>&1; then $SUDO groupadd -r telemt
        elif command -v addgroup >/dev/null 2>&1; then $SUDO addgroup -S telemt
-        else die "Cannot create group"; fi
+        else die "$L_ERR_CREATE_GRP" ; fi
    fi

    if ! check_os_entity passwd telemt; then
@@ -230,16 +501,16 @@ ensure_user_group() {
            else
                $SUDO adduser --system --home "$WORK_DIR" --shell "$nologin_bin" --no-create-home --ingroup telemt --disabled-password telemt
            fi
-        else die "Cannot create user"; fi
+        else die "$L_ERR_CREATE_USR"; fi
    fi
 }

 setup_dirs() {
-    $SUDO mkdir -p "$WORK_DIR" "$CONFIG_DIR" "$CONFIG_PARENT_DIR" || die "Failed to create directories"
-    
+    $SUDO mkdir -p "$WORK_DIR" "$CONFIG_DIR" "$CONFIG_PARENT_DIR" || die "$L_ERR_MKDIR"
+
    $SUDO chown telemt:telemt "$WORK_DIR" && $SUDO chmod 750 "$WORK_DIR"
-    $SUDO chown root:telemt "$CONFIG_DIR" && $SUDO chmod 750 "$CONFIG_DIR"
-    
+    $SUDO chown telemt:telemt "$CONFIG_DIR" && $SUDO chmod 750 "$CONFIG_DIR"
+
    if [ "$CONFIG_PARENT_DIR" != "$CONFIG_DIR" ] && [ "$CONFIG_PARENT_DIR" != "." ] && [ "$CONFIG_PARENT_DIR" != "/" ]; then
        $SUDO chown root:telemt "$CONFIG_PARENT_DIR" && $SUDO chmod 750 "$CONFIG_PARENT_DIR"
    fi
@@ -257,21 +528,23 @@ stop_service() {
 install_binary() {
    bin_src="$1"; bin_dst="$2"
    if [ -e "$INSTALL_DIR" ] && [ ! -d "$INSTALL_DIR" ]; then
-        die "'$INSTALL_DIR' is not a directory."
+        die "'$INSTALL_DIR' $L_ERR_INSTALL_DIR"
    fi

-    $SUDO mkdir -p "$INSTALL_DIR" || die "Failed to create install directory"
+    $SUDO mkdir -p "$INSTALL_DIR" || die "$L_ERR_MKDIR"
+    
+    $SUDO rm -f "$bin_dst" 2>/dev/null || true
+
    if command -v install >/dev/null 2>&1; then
-        $SUDO install -m 0755 "$bin_src" "$bin_dst" || die "Failed to install binary"
+        $SUDO install -m 0755 "$bin_src" "$bin_dst" || die "$L_ERR_BIN_INSTALL"
    else
-        $SUDO rm -f "$bin_dst" 2>/dev/null || true
-        $SUDO cp "$bin_src" "$bin_dst" && $SUDO chmod 0755 "$bin_dst" || die "Failed to copy binary"
+        $SUDO cp "$bin_src" "$bin_dst" && $SUDO chmod 0755 "$bin_dst" || die "$L_ERR_BIN_COPY"
    fi

-    $SUDO sh -c '[ -x "$1" ]' _ "$bin_dst" || die "Binary not executable: $bin_dst"
+    $SUDO sh -c '[ -x "$1" ]' _ "$bin_dst" || die "$L_ERR_BIN_EXEC $bin_dst"

    if command -v setcap >/dev/null 2>&1; then
-        $SUDO setcap cap_net_bind_service=+ep "$bin_dst" 2>/dev/null || true
+        $SUDO setcap cap_net_bind_service,cap_net_admin=+ep "$bin_dst" 2>/dev/null || true
    fi
 }

@@ -287,11 +560,20 @@ generate_secret() {
 }

 generate_config_content() {
+    conf_secret="$1"
+    conf_tag="$2"
    escaped_tls_domain="$(printf '%s\n' "$TLS_DOMAIN" | tr -d '[:cntrl:]' | sed 's/\\/\\\\/g; s/"/\\"/g')"

    cat <<EOF
 [general]
-use_middle_proxy = false
+use_middle_proxy = true
+EOF
+
+    if [ -n "$conf_tag" ]; then
+        echo "ad_tag = \"${conf_tag}\""
+    fi
+
+    cat <<EOF

 [general.modes]
 classic = false
@@ -299,7 +581,7 @@ secure = false
 tls = true

 [server]
-port = 443
+port = ${SERVER_PORT}

 [server.api]
 enabled = true
@@ -310,28 +592,65 @@ whitelist = ["127.0.0.1/32"]
 tls_domain = "${escaped_tls_domain}"

 [access.users]
-hello = "$1"
+hello = "${conf_secret}"
 EOF
 }

 install_config() {
-    if [ -n "$SUDO" ]; then
-        if $SUDO sh -c '[ -f "$1" ]' _ "$CONFIG_FILE"; then
-            say "  -> Config already exists at $CONFIG_FILE. Skipping creation."
-            return 0
-        fi
-    elif [ -f "$CONFIG_FILE" ]; then
-        say "  -> Config already exists at $CONFIG_FILE. Skipping creation."
+    if is_config_exists; then
+        say "  -> $L_INFO_CONF_EXISTS"
+
+        tmp_conf="${TEMP_DIR}/config.tmp"
+        $SUDO cat "$CONFIG_FILE" > "$tmp_conf"
+        
+        escaped_domain="$(printf '%s\n' "$TLS_DOMAIN" | tr -d '[:cntrl:]' | sed 's/\\/\\\\/g; s/"/\\"/g')"
+
+        awk -v port="$SERVER_PORT" -v secret="$USER_SECRET" -v domain="$escaped_domain" -v ad_tag="$AD_TAG" \
+            -v flag_p="$PORT_PROVIDED" -v flag_s="$SECRET_PROVIDED" -v flag_d="$DOMAIN_PROVIDED" -v flag_a="$AD_TAG_PROVIDED" '
+        BEGIN { ad_tag_handled = 0 }
+        
+        flag_p == "1" && /^[ \t]*port[ \t]*=/ { print "port = " port; next }
+        flag_s == "1" && /^[ \t]*hello[ \t]*=/ { print "hello = \"" secret "\""; next }
+        flag_d == "1" && /^[ \t]*tls_domain[ \t]*=/ { print "tls_domain = \"" domain "\""; next }
+        
+        flag_a == "1" && /^[ \t]*ad_tag[ \t]*=/ { 
+            if (!ad_tag_handled) { 
+                print "ad_tag = \"" ad_tag "\""; 
+                ad_tag_handled = 1; 
+            } 
+            next 
+        }
+        flag_a == "1" && /^\[general\]/ { 
+            print; 
+            if (!ad_tag_handled) { 
+                print "ad_tag = \"" ad_tag "\""; 
+                ad_tag_handled = 1; 
+            } 
+            next 
+        }
+        
+        { print }
+        ' "$tmp_conf" > "${tmp_conf}.new" && mv "${tmp_conf}.new" "$tmp_conf"
+
+        [ "$PORT_PROVIDED" -eq 1 ] && say "  -> $L_INFO_UPD_PORT $SERVER_PORT"
+        [ "$SECRET_PROVIDED" -eq 1 ] && say "  -> $L_INFO_UPD_SEC"
+        [ "$DOMAIN_PROVIDED" -eq 1 ] && say "  -> $L_INFO_UPD_DOM $TLS_DOMAIN"
+        [ "$AD_TAG_PROVIDED" -eq 1 ] && say "  -> $L_INFO_UPD_TAG"
+
+        write_root "$CONFIG_FILE" < "$tmp_conf"
+        rm -f "$tmp_conf"
        return 0
    fi

-    toml_secret="$(generate_secret)" || die "Failed to generate secret."
+    if [ -z "$USER_SECRET" ]; then
+        USER_SECRET="$(generate_secret)" || die "$L_ERR_GEN_SEC"
+    fi

-    generate_config_content "$toml_secret" | write_root "$CONFIG_FILE" || die "Failed to install config"
+    generate_config_content "$USER_SECRET" "$AD_TAG" | write_root "$CONFIG_FILE" || die "$L_ERR_CONF_INST"
    $SUDO chown root:telemt "$CONFIG_FILE" && $SUDO chmod 640 "$CONFIG_FILE"

-    say "  -> Config created successfully."
-    say "  -> Generated secret for default user 'hello': $toml_secret"
+    say "  -> $L_INFO_CONF_OK"
+    say "  -> $L_INFO_CONF_SEC $USER_SECRET"
 }

 generate_systemd_content() {
@@ -348,9 +667,10 @@ Group=telemt
 WorkingDirectory=$WORK_DIR
 ExecStart="${INSTALL_DIR}/${BIN_NAME}" "${CONFIG_FILE}"
 Restart=on-failure
+RestartSec=5
 LimitNOFILE=65536
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN

 [Install]
 WantedBy=multi-user.target
@@ -381,9 +701,9 @@ install_service() {

        $SUDO systemctl daemon-reload || true
        $SUDO systemctl enable "$SERVICE_NAME" || true
-        
+
        if ! $SUDO systemctl start "$SERVICE_NAME"; then
-            say "[WARNING] Failed to start service"
+            say "[WARNING] $L_WARN_SVC_FAIL"
            SERVICE_START_FAILED=1
        fi
    elif [ "$svc" = "openrc" ]; then
@@ -391,17 +711,17 @@ install_service() {
        $SUDO chown root:root "/etc/init.d/${SERVICE_NAME}" && $SUDO chmod 0755 "/etc/init.d/${SERVICE_NAME}"

        $SUDO rc-update add "$SERVICE_NAME" default 2>/dev/null || true
-        
+
        if ! $SUDO rc-service "$SERVICE_NAME" start 2>/dev/null; then
-            say "[WARNING] Failed to start service"
+            say "[WARNING] $L_WARN_SVC_FAIL"
            SERVICE_START_FAILED=1
        fi
    else
        cmd="\"${INSTALL_DIR}/${BIN_NAME}\" \"${CONFIG_FILE}\""
-        if [ -n "$SUDO" ]; then 
-            say "  -> Service manager not found. Start manually: sudo -u telemt $cmd"
-        else 
-            say "  -> Service manager not found. Start manually: su -s /bin/sh telemt -c '$cmd'"
+        if [ -n "$SUDO" ]; then
+            say "  -> $L_INFO_MANUAL_START sudo -u telemt $cmd"
+        else
+            say "  -> $L_INFO_MANUAL_START su -s /bin/sh telemt -c '$cmd'"
        fi
    fi
 }
@@ -415,9 +735,10 @@ kill_user_procs() {
        if command -v pgrep >/dev/null 2>&1; then
            pids="$(pgrep -u telemt 2>/dev/null || true)"
        else
-            pids="$(ps -u telemt -o pid= 2>/dev/null || true)"
+            pids="$(ps -ef 2>/dev/null | awk '$1=="telemt"{print $2}' || true)"
+            [ -z "$pids" ] && pids="$(ps 2>/dev/null | awk '$2=="telemt"{print $1}' || true)"
        fi
-        
+
        if [ -n "$pids" ]; then
            for pid in $pids; do
                case "$pid" in ''|*[!0-9]*) continue ;; *) $SUDO kill "$pid" 2>/dev/null || true ;; esac
@@ -431,12 +752,12 @@ kill_user_procs() {
 }

 uninstall() {
-    say "Starting uninstallation of $BIN_NAME..."
+    say "$L_INFO_UNINST_START $BIN_NAME..."

-    say ">>> Stage 1: Stopping services"
+    say "$L_U_STAGE_1"
    stop_service

-    say ">>> Stage 2: Removing service configuration"
+    say "$L_U_STAGE_2"
    svc="$(get_svc_mgr)"
    if [ "$svc" = "systemd" ]; then
        $SUDO systemctl disable "$SERVICE_NAME" 2>/dev/null || true
@@ -447,27 +768,30 @@ uninstall() {
        $SUDO rm -f "/etc/init.d/${SERVICE_NAME}"
    fi

-    say ">>> Stage 3: Terminating user processes"
+    say "$L_U_STAGE_3"
    kill_user_procs

-    say ">>> Stage 4: Removing binary"
+    say "$L_U_STAGE_4"
    $SUDO rm -f "${INSTALL_DIR}/${BIN_NAME}"

    if [ "$ACTION" = "purge" ]; then
-        say ">>> Stage 5: Purging configuration, data, and user"
+        say "$L_U_STAGE_5"
        $SUDO rm -rf "$CONFIG_DIR" "$WORK_DIR"
        $SUDO rm -f "$CONFIG_FILE"
-        if [ "$CONFIG_PARENT_DIR" != "$CONFIG_DIR" ] && [ "$CONFIG_PARENT_DIR" != "." ] && [ "$CONFIG_PARENT_DIR" != "/" ]; then
-            $SUDO rmdir "$CONFIG_PARENT_DIR" 2>/dev/null || true
+        
+        if check_os_entity passwd telemt; then
+            $SUDO userdel telemt 2>/dev/null || $SUDO deluser telemt 2>/dev/null || true
+        fi
+        
+        if check_os_entity group telemt; then
+            $SUDO groupdel telemt 2>/dev/null || $SUDO delgroup telemt 2>/dev/null || true
        fi
-        $SUDO userdel telemt 2>/dev/null || $SUDO deluser telemt 2>/dev/null || true
-        $SUDO groupdel telemt 2>/dev/null || $SUDO delgroup telemt 2>/dev/null || true
    else
-        say "Note: Configuration and user kept. Run with 'purge' to remove completely."
+        say "$L_INFO_KEEP_CONF"
    fi
-    
+
    printf '\n====================================================================\n'
-    printf '                    UNINSTALLATION COMPLETE\n'
+    printf '                    %s\n' "$L_OUT_UNINST_H"
    printf '====================================================================\n\n'
    exit 0
 }
@@ -476,81 +800,126 @@ case "$ACTION" in
    help) show_help ;;
    uninstall|purge) verify_common; uninstall ;;
    install)
-        say "Starting installation of $BIN_NAME (Version: $TARGET_VERSION)"
+        say "$L_INFO_I_START $BIN_NAME (Version: $TARGET_VERSION)"

-        say ">>> Stage 1: Verifying environment and dependencies"
-        verify_common; verify_install_deps
+        say "$L_I_STAGE_1"
+        verify_common
+        verify_install_deps

-        if [ "$TARGET_VERSION" != "latest" ]; then 
+        if is_config_exists; then
+            ext_port="$($SUDO awk -F'=' '/^[ \t]*port[ \t]*=/ {gsub(/[^0-9]/, "", $2); print $2; exit}' "$CONFIG_FILE" 2>/dev/null || true)"
+            if [ -n "$ext_port" ] && [ "$PORT_PROVIDED" -eq 0 ]; then
+                SERVER_PORT="$ext_port"
+            fi
+
+            ext_secret="$($SUDO awk -F'"' '/^[ \t]*hello[ \t]*=/ {print $2; exit}' "$CONFIG_FILE" 2>/dev/null || true)"
+            if [ -n "$ext_secret" ] && [ "$SECRET_PROVIDED" -eq 0 ]; then
+                USER_SECRET="$ext_secret"
+            fi
+
+            ext_domain="$($SUDO awk -F'"' '/^[ \t]*tls_domain[ \t]*=/ {print $2; exit}' "$CONFIG_FILE" 2>/dev/null || true)"
+            if [ -n "$ext_domain" ] && [ "$DOMAIN_PROVIDED" -eq 0 ]; then
+                TLS_DOMAIN="$ext_domain"
+            fi
+        fi
+
+        check_port_availability
+
+        if [ "$DOMAIN_PROVIDED" -eq 0 ]; then
+            say "$L_I_STAGE_1_5"
+            if [ -t 0 ] || [ -c /dev/tty ]; then
+                printf "$L_I_PROMPT_DOM" "$TLS_DOMAIN"
+                read -r input_domain </dev/tty || input_domain=""
+                if [ -n "$input_domain" ]; then
+                    TLS_DOMAIN="$input_domain"
+                fi
+            else
+                say "[WARNING] $L_WARN_NO_TTY $TLS_DOMAIN"
+            fi
+            DOMAIN_PROVIDED=1
+        fi
+
+        if [ "$TARGET_VERSION" != "latest" ]; then
            TARGET_VERSION="${TARGET_VERSION#v}"
        fi
-        
+
        ARCH="$(detect_arch)"; LIBC="$(detect_libc)"
        FILE_NAME="${BIN_NAME}-${ARCH}-linux-${LIBC}.tar.gz"
-        
+
        if [ "$TARGET_VERSION" = "latest" ]; then
            DL_URL="https://github.com/${REPO}/releases/latest/download/${FILE_NAME}"
-        else 
+        else
            DL_URL="https://github.com/${REPO}/releases/download/${TARGET_VERSION}/${FILE_NAME}"
        fi

-        say ">>> Stage 2: Downloading archive"
-        TEMP_DIR="$(mktemp -d)" || die "Temp directory creation failed"
+        say "$L_I_STAGE_2"
+        TEMP_DIR="$(mktemp -d)" || die "$L_ERR_TMP_DIR"
        if [ -z "$TEMP_DIR" ] || [ ! -d "$TEMP_DIR" ]; then
-            die "Temp directory is invalid or was not created"
+            die "$L_ERR_TMP_INV"
        fi

-        fetch_file "$DL_URL" "${TEMP_DIR}/${FILE_NAME}" || die "Download failed"
+        if ! fetch_file "$DL_URL" "${TEMP_DIR}/${FILE_NAME}"; then
+            if [ "$ARCH" = "x86_64-v3" ]; then
+                say "  -> $L_INFO_FALLBACK"
+                ARCH="x86_64"
+                FILE_NAME="${BIN_NAME}-${ARCH}-linux-${LIBC}.tar.gz"
+                if [ "$TARGET_VERSION" = "latest" ]; then
+                    DL_URL="https://github.com/${REPO}/releases/latest/download/${FILE_NAME}"
+                else
+                    DL_URL="https://github.com/${REPO}/releases/download/${TARGET_VERSION}/${FILE_NAME}"
+                fi
+                fetch_file "$DL_URL" "${TEMP_DIR}/${FILE_NAME}" || die "$L_ERR_DL_FAIL"
+            else
+                die "$L_ERR_DL_FAIL"
+            fi
+        fi

-        say ">>> Stage 3: Extracting archive"
+        say "$L_I_STAGE_3"
        if ! gzip -dc "${TEMP_DIR}/${FILE_NAME}" | tar -xf - -C "$TEMP_DIR" 2>/dev/null; then
-            die "Extraction failed (downloaded archive might be invalid or 404)."
+            die "$L_ERR_EXTRACT"
        fi

        EXTRACTED_BIN="$(find "$TEMP_DIR" -type f -name "$BIN_NAME" -print 2>/dev/null | head -n 1 || true)"
-        [ -n "$EXTRACTED_BIN" ] || die "Binary '$BIN_NAME' not found in archive"
+        [ -n "$EXTRACTED_BIN" ] || die "$L_ERR_BIN_NOT_FOUND"

-        say ">>> Stage 4: Setting up environment (User, Group, Directories)"
+        say "$L_I_STAGE_4"
        ensure_user_group; setup_dirs; stop_service
-        
-        say ">>> Stage 5: Installing binary"
+
+        say "$L_I_STAGE_5"
        install_binary "$EXTRACTED_BIN" "${INSTALL_DIR}/${BIN_NAME}"
-        
-        say ">>> Stage 6: Generating configuration"
+
+        say "$L_I_STAGE_6"
        install_config
-        
-        say ">>> Stage 7: Installing and starting service"
+
+        say "$L_I_STAGE_7"
        install_service

        if [ "${SERVICE_START_FAILED:-0}" -eq 1 ]; then
            printf '\n====================================================================\n'
-            printf '               INSTALLATION COMPLETED WITH WARNINGS\n'
+            printf '               %s\n' "$L_OUT_WARN_H"
            printf '====================================================================\n\n'
-            printf 'The service was installed but failed to start automatically.\n'
-            printf 'Please check the logs to determine the issue.\n\n'
+            printf '%b' "$L_OUT_WARN_D"
        else
            printf '\n====================================================================\n'
-            printf '                      INSTALLATION SUCCESS\n'
+            printf '                      %s\n' "$L_OUT_SUCC_H"
            printf '====================================================================\n\n'
        fi
+
+        SERVER_IP=""
+        if command -v curl >/dev/null 2>&1; then SERVER_IP="$(curl -s4 -m 3 ifconfig.me 2>/dev/null || curl -s4 -m 3 api.ipify.org 2>/dev/null || true)"
+        elif command -v wget >/dev/null 2>&1; then SERVER_IP="$(wget -qO- -T 3 ifconfig.me 2>/dev/null || wget -qO- -T 3 api.ipify.org 2>/dev/null || true)"; fi
+        [ -z "$SERVER_IP" ] && SERVER_IP="<YOUR_SERVER_IP>"
        
-        svc="$(get_svc_mgr)"
-        if [ "$svc" = "systemd" ]; then
-            printf 'To check the status of your proxy service, run:\n'
-            printf '  systemctl status %s\n\n' "$SERVICE_NAME"
-        elif [ "$svc" = "openrc" ]; then
-            printf 'To check the status of your proxy service, run:\n'
-            printf '  rc-service %s status\n\n' "$SERVICE_NAME"
-        fi
-        
-        printf 'To get your user connection links (for Telegram), run:\n'
-        if command -v jq >/dev/null 2>&1; then
-            printf '  curl -s http://127.0.0.1:9091/v1/users | jq -r '\''.data[] | "User: \\(.username)\\n\\(.links.tls[0] // empty)\\n"'\''\n'
-        else
-            printf '  curl -s http://127.0.0.1:9091/v1/users\n'
-            printf '  (Tip: Install '\''jq'\'' for a much cleaner output)\n'
-        fi
-        
-        printf '\n====================================================================\n'
+        if command -v xxd >/dev/null 2>&1; then HEX_DOMAIN="$(printf '%s' "$TLS_DOMAIN" | xxd -p | tr -d '\n')"
+        elif command -v hexdump >/dev/null 2>&1; then HEX_DOMAIN="$(printf '%s' "$TLS_DOMAIN" | hexdump -v -e '/1 "%02x"')"
+        elif command -v od >/dev/null 2>&1; then HEX_DOMAIN="$(printf '%s' "$TLS_DOMAIN" | od -A n -t x1 | tr -d ' \n')"
+        else HEX_DOMAIN=""; fi
+
+        CLIENT_SECRET="ee${USER_SECRET}${HEX_DOMAIN}"
+
+        printf '%b\n' "$L_OUT_LINK"
+        printf '  tg://proxy?server=%s&port=%s&secret=%s\n\n' "$SERVER_IP" "$SERVER_PORT" "$CLIENT_SECRET"
+
+        printf '====================================================================\n'
        ;;
 esac
@@ -81,10 +81,21 @@ pub(super) struct ZeroCoreData {
    pub(super) connections_total: u64,
    pub(super) connections_bad_total: u64,
    pub(super) handshake_timeouts_total: u64,
+    pub(super) accept_permit_timeout_total: u64,
    pub(super) configured_users: usize,
    pub(super) telemetry_core_enabled: bool,
    pub(super) telemetry_user_enabled: bool,
    pub(super) telemetry_me_level: String,
+    pub(super) conntrack_control_enabled: bool,
+    pub(super) conntrack_control_available: bool,
+    pub(super) conntrack_pressure_active: bool,
+    pub(super) conntrack_event_queue_depth: u64,
+    pub(super) conntrack_rule_apply_ok: bool,
+    pub(super) conntrack_delete_attempt_total: u64,
+    pub(super) conntrack_delete_success_total: u64,
+    pub(super) conntrack_delete_not_found_total: u64,
+    pub(super) conntrack_delete_error_total: u64,
+    pub(super) conntrack_close_event_drop_total: u64,
 }

 #[derive(Serialize, Clone)]
@@ -39,10 +39,21 @@ pub(super) fn build_zero_all_data(stats: &Stats, configured_users: usize) -> Zer
            connections_total: stats.get_connects_all(),
            connections_bad_total: stats.get_connects_bad(),
            handshake_timeouts_total: stats.get_handshake_timeouts(),
+            accept_permit_timeout_total: stats.get_accept_permit_timeout_total(),
            configured_users,
            telemetry_core_enabled: telemetry.core_enabled,
            telemetry_user_enabled: telemetry.user_enabled,
            telemetry_me_level: telemetry.me_level.to_string(),
+            conntrack_control_enabled: stats.get_conntrack_control_enabled(),
+            conntrack_control_available: stats.get_conntrack_control_available(),
+            conntrack_pressure_active: stats.get_conntrack_pressure_active(),
+            conntrack_event_queue_depth: stats.get_conntrack_event_queue_depth(),
+            conntrack_rule_apply_ok: stats.get_conntrack_rule_apply_ok(),
+            conntrack_delete_attempt_total: stats.get_conntrack_delete_attempt_total(),
+            conntrack_delete_success_total: stats.get_conntrack_delete_success_total(),
+            conntrack_delete_not_found_total: stats.get_conntrack_delete_not_found_total(),
+            conntrack_delete_error_total: stats.get_conntrack_delete_error_total(),
+            conntrack_close_event_drop_total: stats.get_conntrack_close_event_drop_total(),
        },
        upstream: build_zero_upstream_data(stats),
        middle_proxy: ZeroMiddleProxyData {
@@ -48,6 +48,10 @@ const DEFAULT_ME_POOL_DRAIN_SOFT_EVICT_BUDGET_PER_CORE: u16 = 16;
 const DEFAULT_ME_POOL_DRAIN_SOFT_EVICT_COOLDOWN_MS: u64 = 1000;
 const DEFAULT_USER_MAX_UNIQUE_IPS_WINDOW_SECS: u64 = 30;
 const DEFAULT_ACCEPT_PERMIT_TIMEOUT_MS: u64 = 250;
+const DEFAULT_CONNTRACK_CONTROL_ENABLED: bool = true;
+const DEFAULT_CONNTRACK_PRESSURE_HIGH_WATERMARK_PCT: u8 = 85;
+const DEFAULT_CONNTRACK_PRESSURE_LOW_WATERMARK_PCT: u8 = 70;
+const DEFAULT_CONNTRACK_DELETE_BUDGET_PER_SEC: u64 = 4096;
 const DEFAULT_UPSTREAM_CONNECT_RETRY_ATTEMPTS: u32 = 2;
 const DEFAULT_UPSTREAM_UNHEALTHY_FAIL_THRESHOLD: u32 = 5;
 const DEFAULT_UPSTREAM_CONNECT_BUDGET_MS: u64 = 3000;
@@ -96,7 +100,7 @@ pub(crate) fn default_fake_cert_len() -> usize {
 }

 pub(crate) fn default_tls_front_dir() -> String {
-    "tlsfront".to_string()
+    "/etc/telemt/tlsfront".to_string()
 }

 pub(crate) fn default_replay_check_len() -> usize {
@@ -221,6 +225,22 @@ pub(crate) fn default_accept_permit_timeout_ms() -> u64 {
    DEFAULT_ACCEPT_PERMIT_TIMEOUT_MS
 }

+pub(crate) fn default_conntrack_control_enabled() -> bool {
+    DEFAULT_CONNTRACK_CONTROL_ENABLED
+}
+
+pub(crate) fn default_conntrack_pressure_high_watermark_pct() -> u8 {
+    DEFAULT_CONNTRACK_PRESSURE_HIGH_WATERMARK_PCT
+}
+
+pub(crate) fn default_conntrack_pressure_low_watermark_pct() -> u8 {
+    DEFAULT_CONNTRACK_PRESSURE_LOW_WATERMARK_PCT
+}
+
+pub(crate) fn default_conntrack_delete_budget_per_sec() -> u64 {
+    DEFAULT_CONNTRACK_DELETE_BUDGET_PER_SEC
+}
+
 pub(crate) fn default_prefer_4() -> u8 {
    4
 }
@@ -282,7 +302,7 @@ pub(crate) fn default_me2dc_fallback() -> bool {
 }

 pub(crate) fn default_me2dc_fast() -> bool {
-    false
+    true
 }

 pub(crate) fn default_keepalive_interval() -> u64 {
@@ -538,7 +558,7 @@ pub(crate) fn default_beobachten_flush_secs() -> u64 {
 }

 pub(crate) fn default_beobachten_file() -> String {
-    "cache/beobachten.txt".to_string()
+    "/etc/telemt/beobachten.txt".to_string()
 }

 pub(crate) fn default_tls_new_session_tickets() -> u8 {
@@ -540,6 +540,10 @@ fn overlay_hot_fields(old: &ProxyConfig, new: &ProxyConfig) -> ProxyConfig {
    cfg.access.user_max_unique_ips_mode = new.access.user_max_unique_ips_mode;
    cfg.access.user_max_unique_ips_window_secs = new.access.user_max_unique_ips_window_secs;

+    if cfg.rebuild_runtime_user_auth().is_err() {
+        cfg.runtime_user_auth = None;
+    }
+
    cfg
 }

@@ -4,6 +4,7 @@ use std::collections::{BTreeSet, HashMap, HashSet};
 use std::hash::{DefaultHasher, Hash, Hasher};
 use std::net::{IpAddr, SocketAddr};
 use std::path::{Path, PathBuf};
+use std::sync::Arc;

 use rand::RngExt;
 use serde::{Deserialize, Serialize};
@@ -15,6 +16,13 @@ use crate::error::{ProxyError, Result};
 use super::defaults::*;
 use super::types::*;

+const ACCESS_SECRET_BYTES: usize = 16;
+const MAX_ME_WRITER_CMD_CHANNEL_CAPACITY: usize = 16_384;
+const MAX_ME_ROUTE_CHANNEL_CAPACITY: usize = 8_192;
+const MAX_ME_C2ME_CHANNEL_CAPACITY: usize = 8_192;
+const MIN_MAX_CLIENT_FRAME_BYTES: usize = 4 * 1024;
+const MAX_MAX_CLIENT_FRAME_BYTES: usize = 16 * 1024 * 1024;
+
 #[derive(Debug, Clone)]
 pub(crate) struct LoadedConfig {
    pub(crate) config: ProxyConfig,
@@ -22,6 +30,111 @@ pub(crate) struct LoadedConfig {
    pub(crate) rendered_hash: u64,
 }

+/// Precomputed, immutable user authentication data used by handshake hot paths.
+#[derive(Debug, Clone, Default)]
+pub(crate) struct UserAuthSnapshot {
+    entries: Vec<UserAuthEntry>,
+    by_name: HashMap<String, u32>,
+    sni_index: HashMap<u64, Vec<u32>>,
+    sni_initial_index: HashMap<u8, Vec<u32>>,
+}
+
+#[derive(Debug, Clone)]
+pub(crate) struct UserAuthEntry {
+    pub(crate) user: String,
+    pub(crate) secret: [u8; ACCESS_SECRET_BYTES],
+}
+
+impl UserAuthSnapshot {
+    fn from_users(users: &HashMap<String, String>) -> Result<Self> {
+        let mut entries = Vec::with_capacity(users.len());
+        let mut by_name = HashMap::with_capacity(users.len());
+        let mut sni_index = HashMap::with_capacity(users.len());
+        let mut sni_initial_index = HashMap::with_capacity(users.len());
+
+        for (user, secret_hex) in users {
+            let decoded = hex::decode(secret_hex).map_err(|_| ProxyError::InvalidSecret {
+                user: user.clone(),
+                reason: "Must be 32 hex characters".to_string(),
+            })?;
+            if decoded.len() != ACCESS_SECRET_BYTES {
+                return Err(ProxyError::InvalidSecret {
+                    user: user.clone(),
+                    reason: "Must be 32 hex characters".to_string(),
+                });
+            }
+
+            let user_id = u32::try_from(entries.len()).map_err(|_| {
+                ProxyError::Config("Too many users for runtime auth snapshot".to_string())
+            })?;
+
+            let mut secret = [0u8; ACCESS_SECRET_BYTES];
+            secret.copy_from_slice(&decoded);
+            entries.push(UserAuthEntry {
+                user: user.clone(),
+                secret,
+            });
+            by_name.insert(user.clone(), user_id);
+            sni_index
+                .entry(Self::sni_lookup_hash(user))
+                .or_insert_with(Vec::new)
+                .push(user_id);
+            if let Some(initial) = user
+                .as_bytes()
+                .first()
+                .map(|byte| byte.to_ascii_lowercase())
+            {
+                sni_initial_index
+                    .entry(initial)
+                    .or_insert_with(Vec::new)
+                    .push(user_id);
+            }
+        }
+
+        Ok(Self {
+            entries,
+            by_name,
+            sni_index,
+            sni_initial_index,
+        })
+    }
+
+    pub(crate) fn entries(&self) -> &[UserAuthEntry] {
+        &self.entries
+    }
+
+    pub(crate) fn user_id_by_name(&self, user: &str) -> Option<u32> {
+        self.by_name.get(user).copied()
+    }
+
+    pub(crate) fn entry_by_id(&self, user_id: u32) -> Option<&UserAuthEntry> {
+        let idx = usize::try_from(user_id).ok()?;
+        self.entries.get(idx)
+    }
+
+    pub(crate) fn sni_candidates(&self, sni: &str) -> Option<&[u32]> {
+        self.sni_index
+            .get(&Self::sni_lookup_hash(sni))
+            .map(Vec::as_slice)
+    }
+
+    pub(crate) fn sni_initial_candidates(&self, sni: &str) -> Option<&[u32]> {
+        let initial = sni
+            .as_bytes()
+            .first()
+            .map(|byte| byte.to_ascii_lowercase())?;
+        self.sni_initial_index.get(&initial).map(Vec::as_slice)
+    }
+
+    fn sni_lookup_hash(value: &str) -> u64 {
+        let mut hasher = DefaultHasher::new();
+        for byte in value.bytes() {
+            hasher.write_u8(byte.to_ascii_lowercase());
+        }
+        hasher.finish()
+    }
+}
+
 fn normalize_config_path(path: &Path) -> PathBuf {
    path.canonicalize().unwrap_or_else(|_| {
        if path.is_absolute() {
@@ -196,6 +309,10 @@ pub struct ProxyConfig {
    /// If not set, defaults to 2 (matching Telegram's official `default 2;` in proxy-multi.conf).
    #[serde(default)]
    pub default_dc: Option<u8>,
+
+    /// Precomputed authentication snapshot for handshake hot paths.
+    #[serde(skip)]
+    pub(crate) runtime_user_auth: Option<Arc<UserAuthSnapshot>>,
 }

 impl ProxyConfig {
@@ -514,18 +631,41 @@ impl ProxyConfig {
                "general.me_writer_cmd_channel_capacity must be > 0".to_string(),
            ));
        }
+        if config.general.me_writer_cmd_channel_capacity > MAX_ME_WRITER_CMD_CHANNEL_CAPACITY {
+            return Err(ProxyError::Config(format!(
+                "general.me_writer_cmd_channel_capacity must be within [1, {MAX_ME_WRITER_CMD_CHANNEL_CAPACITY}]"
+            )));
+        }

        if config.general.me_route_channel_capacity == 0 {
            return Err(ProxyError::Config(
                "general.me_route_channel_capacity must be > 0".to_string(),
            ));
        }
+        if config.general.me_route_channel_capacity > MAX_ME_ROUTE_CHANNEL_CAPACITY {
+            return Err(ProxyError::Config(format!(
+                "general.me_route_channel_capacity must be within [1, {MAX_ME_ROUTE_CHANNEL_CAPACITY}]"
+            )));
+        }

        if config.general.me_c2me_channel_capacity == 0 {
            return Err(ProxyError::Config(
                "general.me_c2me_channel_capacity must be > 0".to_string(),
            ));
        }
+        if config.general.me_c2me_channel_capacity > MAX_ME_C2ME_CHANNEL_CAPACITY {
+            return Err(ProxyError::Config(format!(
+                "general.me_c2me_channel_capacity must be within [1, {MAX_ME_C2ME_CHANNEL_CAPACITY}]"
+            )));
+        }
+
+        if !(MIN_MAX_CLIENT_FRAME_BYTES..=MAX_MAX_CLIENT_FRAME_BYTES)
+            .contains(&config.general.max_client_frame)
+        {
+            return Err(ProxyError::Config(format!(
+                "general.max_client_frame must be within [{MIN_MAX_CLIENT_FRAME_BYTES}, {MAX_MAX_CLIENT_FRAME_BYTES}]"
+            )));
+        }

        if config.general.me_c2me_send_timeout_ms > 60_000 {
            return Err(ProxyError::Config(
@@ -922,6 +1062,43 @@ impl ProxyConfig {
            ));
        }

+        if config.server.conntrack_control.pressure_high_watermark_pct == 0
+            || config.server.conntrack_control.pressure_high_watermark_pct > 100
+        {
+            return Err(ProxyError::Config(
+                "server.conntrack_control.pressure_high_watermark_pct must be within [1, 100]"
+                    .to_string(),
+            ));
+        }
+
+        if config.server.conntrack_control.pressure_low_watermark_pct
+            >= config.server.conntrack_control.pressure_high_watermark_pct
+        {
+            return Err(ProxyError::Config(
+                "server.conntrack_control.pressure_low_watermark_pct must be < pressure_high_watermark_pct"
+                    .to_string(),
+            ));
+        }
+
+        if config.server.conntrack_control.delete_budget_per_sec == 0 {
+            return Err(ProxyError::Config(
+                "server.conntrack_control.delete_budget_per_sec must be > 0".to_string(),
+            ));
+        }
+
+        if matches!(config.server.conntrack_control.mode, ConntrackMode::Hybrid)
+            && config
+                .server
+                .conntrack_control
+                .hybrid_listener_ips
+                .is_empty()
+        {
+            return Err(ProxyError::Config(
+                "server.conntrack_control.hybrid_listener_ips must be non-empty in mode=hybrid"
+                    .to_string(),
+            ));
+        }
+
        if config.general.effective_me_pool_force_close_secs() > 0
            && config.general.effective_me_pool_force_close_secs()
                < config.general.me_pool_drain_ttl_secs
@@ -1127,6 +1304,7 @@ impl ProxyConfig {
            .or_insert_with(|| vec!["91.105.192.100:443".to_string()]);

        validate_upstreams(&config)?;
+        config.rebuild_runtime_user_auth()?;

        Ok(LoadedConfig {
            config,
@@ -1135,6 +1313,16 @@ impl ProxyConfig {
        })
    }

+    pub(crate) fn rebuild_runtime_user_auth(&mut self) -> Result<()> {
+        let snapshot = UserAuthSnapshot::from_users(&self.access.users)?;
+        self.runtime_user_auth = Some(Arc::new(snapshot));
+        Ok(())
+    }
+
+    pub(crate) fn runtime_user_auth(&self) -> Option<&UserAuthSnapshot> {
+        self.runtime_user_auth.as_deref()
+    }
+
    pub fn validate(&self) -> Result<()> {
        if self.access.users.is_empty() {
            return Err(ProxyError::Config("No users configured".to_string()));
@@ -1186,6 +1374,10 @@ mod load_mask_shape_security_tests;
 #[path = "tests/load_mask_classifier_prefetch_timeout_security_tests.rs"]
 mod load_mask_classifier_prefetch_timeout_security_tests;

+#[cfg(test)]
+#[path = "tests/load_memory_envelope_tests.rs"]
+mod load_memory_envelope_tests;
+
 #[cfg(test)]
 mod tests {
    use super::*;
@@ -1327,6 +1519,31 @@ mod tests {
            cfg.server.api.runtime_edge_events_capacity,
            default_api_runtime_edge_events_capacity()
        );
+        assert_eq!(
+            cfg.server.conntrack_control.inline_conntrack_control,
+            default_conntrack_control_enabled()
+        );
+        assert_eq!(cfg.server.conntrack_control.mode, ConntrackMode::default());
+        assert_eq!(
+            cfg.server.conntrack_control.backend,
+            ConntrackBackend::default()
+        );
+        assert_eq!(
+            cfg.server.conntrack_control.profile,
+            ConntrackPressureProfile::default()
+        );
+        assert_eq!(
+            cfg.server.conntrack_control.pressure_high_watermark_pct,
+            default_conntrack_pressure_high_watermark_pct()
+        );
+        assert_eq!(
+            cfg.server.conntrack_control.pressure_low_watermark_pct,
+            default_conntrack_pressure_low_watermark_pct()
+        );
+        assert_eq!(
+            cfg.server.conntrack_control.delete_budget_per_sec,
+            default_conntrack_delete_budget_per_sec()
+        );
        assert_eq!(cfg.access.users, default_access_users());
        assert_eq!(
            cfg.access.user_max_tcp_conns_global_each,
@@ -1472,6 +1689,31 @@ mod tests {
            server.api.runtime_edge_events_capacity,
            default_api_runtime_edge_events_capacity()
        );
+        assert_eq!(
+            server.conntrack_control.inline_conntrack_control,
+            default_conntrack_control_enabled()
+        );
+        assert_eq!(server.conntrack_control.mode, ConntrackMode::default());
+        assert_eq!(
+            server.conntrack_control.backend,
+            ConntrackBackend::default()
+        );
+        assert_eq!(
+            server.conntrack_control.profile,
+            ConntrackPressureProfile::default()
+        );
+        assert_eq!(
+            server.conntrack_control.pressure_high_watermark_pct,
+            default_conntrack_pressure_high_watermark_pct()
+        );
+        assert_eq!(
+            server.conntrack_control.pressure_low_watermark_pct,
+            default_conntrack_pressure_low_watermark_pct()
+        );
+        assert_eq!(
+            server.conntrack_control.delete_budget_per_sec,
+            default_conntrack_delete_budget_per_sec()
+        );

        let access = AccessConfig::default();
        assert_eq!(access.users, default_access_users());
@@ -1548,6 +1790,22 @@ mod tests {
            cfg_mask.censorship.unknown_sni_action,
            UnknownSniAction::Mask
        );
+
+        let cfg_accept: ProxyConfig = toml::from_str(
+            r#"
+            [server]
+            [general]
+            [network]
+            [access]
+            [censorship]
+            unknown_sni_action = "accept"
+            "#,
+        )
+        .unwrap();
+        assert_eq!(
+            cfg_accept.censorship.unknown_sni_action,
+            UnknownSniAction::Accept
+        );
    }

    #[test]
@@ -2404,6 +2662,118 @@ mod tests {
        let _ = std::fs::remove_file(path);
    }

+    #[test]
+    fn conntrack_pressure_high_watermark_out_of_range_is_rejected() {
+        let toml = r#"
+            [server.conntrack_control]
+            pressure_high_watermark_pct = 0
+
+            [censorship]
+            tls_domain = "example.com"
+
+            [access.users]
+            user = "00000000000000000000000000000000"
+        "#;
+        let dir = std::env::temp_dir();
+        let path = dir.join("telemt_conntrack_high_watermark_invalid_test.toml");
+        std::fs::write(&path, toml).unwrap();
+        let err = ProxyConfig::load(&path).unwrap_err().to_string();
+        assert!(err.contains(
+            "server.conntrack_control.pressure_high_watermark_pct must be within [1, 100]"
+        ));
+        let _ = std::fs::remove_file(path);
+    }
+
+    #[test]
+    fn conntrack_pressure_low_watermark_must_be_below_high() {
+        let toml = r#"
+            [server.conntrack_control]
+            pressure_high_watermark_pct = 50
+            pressure_low_watermark_pct = 50
+
+            [censorship]
+            tls_domain = "example.com"
+
+            [access.users]
+            user = "00000000000000000000000000000000"
+        "#;
+        let dir = std::env::temp_dir();
+        let path = dir.join("telemt_conntrack_low_watermark_invalid_test.toml");
+        std::fs::write(&path, toml).unwrap();
+        let err = ProxyConfig::load(&path).unwrap_err().to_string();
+        assert!(
+            err.contains(
+                "server.conntrack_control.pressure_low_watermark_pct must be < pressure_high_watermark_pct"
+            )
+        );
+        let _ = std::fs::remove_file(path);
+    }
+
+    #[test]
+    fn conntrack_delete_budget_zero_is_rejected() {
+        let toml = r#"
+            [server.conntrack_control]
+            delete_budget_per_sec = 0
+
+            [censorship]
+            tls_domain = "example.com"
+
+            [access.users]
+            user = "00000000000000000000000000000000"
+        "#;
+        let dir = std::env::temp_dir();
+        let path = dir.join("telemt_conntrack_delete_budget_invalid_test.toml");
+        std::fs::write(&path, toml).unwrap();
+        let err = ProxyConfig::load(&path).unwrap_err().to_string();
+        assert!(err.contains("server.conntrack_control.delete_budget_per_sec must be > 0"));
+        let _ = std::fs::remove_file(path);
+    }
+
+    #[test]
+    fn conntrack_hybrid_mode_requires_listener_allow_list() {
+        let toml = r#"
+            [server.conntrack_control]
+            mode = "hybrid"
+
+            [censorship]
+            tls_domain = "example.com"
+
+            [access.users]
+            user = "00000000000000000000000000000000"
+        "#;
+        let dir = std::env::temp_dir();
+        let path = dir.join("telemt_conntrack_hybrid_requires_ips_test.toml");
+        std::fs::write(&path, toml).unwrap();
+        let err = ProxyConfig::load(&path).unwrap_err().to_string();
+        assert!(err.contains(
+            "server.conntrack_control.hybrid_listener_ips must be non-empty in mode=hybrid"
+        ));
+        let _ = std::fs::remove_file(path);
+    }
+
+    #[test]
+    fn conntrack_profile_is_loaded_from_config() {
+        let toml = r#"
+            [server.conntrack_control]
+            profile = "aggressive"
+
+            [censorship]
+            tls_domain = "example.com"
+
+            [access.users]
+            user = "00000000000000000000000000000000"
+        "#;
+        let dir = std::env::temp_dir();
+        let path = dir.join("telemt_conntrack_profile_parse_test.toml");
+        std::fs::write(&path, toml).unwrap();
+        let cfg = ProxyConfig::load(&path).unwrap();
+        assert_eq!(
+            cfg.server.conntrack_control.profile,
+            ConntrackPressureProfile::Aggressive
+        );
+        let _ = std::fs::remove_file(path);
+    }
+
    #[test]
    fn force_close_default_matches_drain_ttl() {
        let toml = r#"
@@ -0,0 +1,117 @@
+use super::*;
+use std::fs;
+use std::path::PathBuf;
+use std::time::{SystemTime, UNIX_EPOCH};
+
+fn write_temp_config(contents: &str) -> PathBuf {
+    let nonce = SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .expect("system time must be after unix epoch")
+        .as_nanos();
+    let path = std::env::temp_dir().join(format!("telemt-load-memory-envelope-{nonce}.toml"));
+    fs::write(&path, contents).expect("temp config write must succeed");
+    path
+}
+
+fn remove_temp_config(path: &PathBuf) {
+    let _ = fs::remove_file(path);
+}
+
+#[test]
+fn load_rejects_writer_cmd_capacity_above_upper_bound() {
+    let path = write_temp_config(
+        r#"
+[general]
+me_writer_cmd_channel_capacity = 16385
+"#,
+    );
+
+    let err =
+        ProxyConfig::load(&path).expect_err("writer command capacity above hard cap must fail");
+    let msg = err.to_string();
+    assert!(
+        msg.contains("general.me_writer_cmd_channel_capacity must be within [1, 16384]"),
+        "error must explain writer command capacity hard cap, got: {msg}"
+    );
+
+    remove_temp_config(&path);
+}
+
+#[test]
+fn load_rejects_route_channel_capacity_above_upper_bound() {
+    let path = write_temp_config(
+        r#"
+[general]
+me_route_channel_capacity = 8193
+"#,
+    );
+
+    let err =
+        ProxyConfig::load(&path).expect_err("route channel capacity above hard cap must fail");
+    let msg = err.to_string();
+    assert!(
+        msg.contains("general.me_route_channel_capacity must be within [1, 8192]"),
+        "error must explain route channel hard cap, got: {msg}"
+    );
+
+    remove_temp_config(&path);
+}
+
+#[test]
+fn load_rejects_c2me_channel_capacity_above_upper_bound() {
+    let path = write_temp_config(
+        r#"
+[general]
+me_c2me_channel_capacity = 8193
+"#,
+    );
+
+    let err = ProxyConfig::load(&path).expect_err("c2me channel capacity above hard cap must fail");
+    let msg = err.to_string();
+    assert!(
+        msg.contains("general.me_c2me_channel_capacity must be within [1, 8192]"),
+        "error must explain c2me channel hard cap, got: {msg}"
+    );
+
+    remove_temp_config(&path);
+}
+
+#[test]
+fn load_rejects_max_client_frame_above_upper_bound() {
+    let path = write_temp_config(
+        r#"
+[general]
+max_client_frame = 16777217
+"#,
+    );
+
+    let err = ProxyConfig::load(&path).expect_err("max_client_frame above hard cap must fail");
+    let msg = err.to_string();
+    assert!(
+        msg.contains("general.max_client_frame must be within [4096, 16777216]"),
+        "error must explain max_client_frame hard cap, got: {msg}"
+    );
+
+    remove_temp_config(&path);
+}
+
+#[test]
+fn load_accepts_memory_limits_at_hard_upper_bounds() {
+    let path = write_temp_config(
+        r#"
+[general]
+me_writer_cmd_channel_capacity = 16384
+me_route_channel_capacity = 8192
+me_c2me_channel_capacity = 8192
+max_client_frame = 16777216
+"#,
+    );
+
+    let cfg = ProxyConfig::load(&path).expect("hard upper bound values must be accepted");
+    assert_eq!(cfg.general.me_writer_cmd_channel_capacity, 16384);
+    assert_eq!(cfg.general.me_route_channel_capacity, 8192);
+    assert_eq!(cfg.general.me_c2me_channel_capacity, 8192);
+    assert_eq!(cfg.general.max_client_frame, 16 * 1024 * 1024);
+
+    remove_temp_config(&path);
+}
@@ -159,6 +159,21 @@ impl MeBindStaleMode {
    }
 }

+/// RST-on-close mode for accepted client sockets.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "lowercase")]
+pub enum RstOnCloseMode {
+    /// Normal FIN on all closes (default, no behaviour change).
+    #[default]
+    Off,
+    /// SO_LINGER(0) on accept; cleared after successful auth.
+    /// Pre-handshake failures (scanners, DPI, timeouts) send RST;
+    /// authenticated relay sessions close gracefully with FIN.
+    Errors,
+    /// SO_LINGER(0) on accept, never cleared — all closes send RST.
+    Always,
+}
+
 /// Middle-End writer floor policy mode.
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
 #[serde(rename_all = "lowercase")]
@@ -925,6 +940,14 @@ pub struct GeneralConfig {
    /// Minimum unavailable ME DC groups before degrading.
    #[serde(default = "default_degradation_min_unavailable_dc_groups")]
    pub degradation_min_unavailable_dc_groups: u8,
+
+    /// RST-on-close mode for accepted client sockets.
+    /// `off`    — normal FIN on all closes (default).
+    /// `errors` — SO_LINGER(0) on accept, cleared after successful auth;
+    ///            pre-handshake failures send RST, relayed sessions close gracefully.
+    /// `always` — SO_LINGER(0) on accept, never cleared; all closes send RST.
+    #[serde(default)]
+    pub rst_on_close: RstOnCloseMode,
 }

 impl Default for GeneralConfig {
@@ -1086,6 +1109,7 @@ impl Default for GeneralConfig {
            ntp_servers: default_ntp_servers(),
            auto_degradation_enabled: default_true(),
            degradation_min_unavailable_dc_groups: default_degradation_min_unavailable_dc_groups(),
+            rst_on_close: RstOnCloseMode::default(),
        }
    }
 }
@@ -1216,6 +1240,118 @@ impl Default for ApiConfig {
    }
 }

+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "lowercase")]
+pub enum ConntrackMode {
+    #[default]
+    Tracked,
+    Notrack,
+    Hybrid,
+}
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "lowercase")]
+pub enum ConntrackBackend {
+    #[default]
+    Auto,
+    Nftables,
+    Iptables,
+}
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "lowercase")]
+pub enum ConntrackPressureProfile {
+    Conservative,
+    #[default]
+    Balanced,
+    Aggressive,
+}
+
+impl ConntrackPressureProfile {
+    pub fn client_first_byte_idle_cap_secs(self) -> u64 {
+        match self {
+            Self::Conservative => 30,
+            Self::Balanced => 20,
+            Self::Aggressive => 10,
+        }
+    }
+
+    pub fn direct_activity_timeout_secs(self) -> u64 {
+        match self {
+            Self::Conservative => 180,
+            Self::Balanced => 120,
+            Self::Aggressive => 60,
+        }
+    }
+
+    pub fn middle_soft_idle_cap_secs(self) -> u64 {
+        match self {
+            Self::Conservative => 60,
+            Self::Balanced => 30,
+            Self::Aggressive => 20,
+        }
+    }
+
+    pub fn middle_hard_idle_cap_secs(self) -> u64 {
+        match self {
+            Self::Conservative => 180,
+            Self::Balanced => 90,
+            Self::Aggressive => 60,
+        }
+    }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct ConntrackControlConfig {
+    /// Enables runtime conntrack-control worker for pressure mitigation.
+    #[serde(default = "default_conntrack_control_enabled")]
+    pub inline_conntrack_control: bool,
+
+    /// Conntrack mode for listener ingress traffic.
+    #[serde(default)]
+    pub mode: ConntrackMode,
+
+    /// Netfilter backend used to reconcile notrack rules.
+    #[serde(default)]
+    pub backend: ConntrackBackend,
+
+    /// Pressure profile for timeout caps under resource saturation.
+    #[serde(default)]
+    pub profile: ConntrackPressureProfile,
+
+    /// Listener IP allow-list for hybrid mode.
+    /// Ignored in tracked/notrack mode.
+    #[serde(default)]
+    pub hybrid_listener_ips: Vec<IpAddr>,
+
+    /// Pressure high watermark as percentage.
+    #[serde(default = "default_conntrack_pressure_high_watermark_pct")]
+    pub pressure_high_watermark_pct: u8,
+
+    /// Pressure low watermark as percentage.
+    #[serde(default = "default_conntrack_pressure_low_watermark_pct")]
+    pub pressure_low_watermark_pct: u8,
+
+    /// Maximum conntrack delete operations per second.
+    #[serde(default = "default_conntrack_delete_budget_per_sec")]
+    pub delete_budget_per_sec: u64,
+}
+
+impl Default for ConntrackControlConfig {
+    fn default() -> Self {
+        Self {
+            inline_conntrack_control: default_conntrack_control_enabled(),
+            mode: ConntrackMode::default(),
+            backend: ConntrackBackend::default(),
+            profile: ConntrackPressureProfile::default(),
+            hybrid_listener_ips: Vec::new(),
+            pressure_high_watermark_pct: default_conntrack_pressure_high_watermark_pct(),
+            pressure_low_watermark_pct: default_conntrack_pressure_low_watermark_pct(),
+            delete_budget_per_sec: default_conntrack_delete_budget_per_sec(),
+        }
+    }
+}
+
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct ServerConfig {
    #[serde(default = "default_port")]
@@ -1291,6 +1427,10 @@ pub struct ServerConfig {
    /// `0` keeps legacy unbounded wait behavior.
    #[serde(default = "default_accept_permit_timeout_ms")]
    pub accept_permit_timeout_ms: u64,
+
+    /// Runtime conntrack control and pressure policy.
+    #[serde(default)]
+    pub conntrack_control: ConntrackControlConfig,
 }

 impl Default for ServerConfig {
@@ -1313,6 +1453,7 @@ impl Default for ServerConfig {
            listen_backlog: default_listen_backlog(),
            max_connections: default_server_max_connections(),
            accept_permit_timeout_ms: default_accept_permit_timeout_ms(),
+            conntrack_control: ConntrackControlConfig::default(),
        }
    }
 }
@@ -1385,6 +1526,7 @@ pub enum UnknownSniAction {
    #[default]
    Drop,
    Mask,
+    Accept,
 }

 #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
@@ -0,0 +1,755 @@
+use std::collections::BTreeSet;
+use std::net::IpAddr;
+use std::path::PathBuf;
+use std::sync::Arc;
+use std::time::Duration;
+
+use tokio::io::AsyncWriteExt;
+use tokio::process::Command;
+use tokio::sync::{mpsc, watch};
+use tracing::{debug, info, warn};
+
+use crate::config::{ConntrackBackend, ConntrackMode, ProxyConfig};
+use crate::proxy::middle_relay::note_global_relay_pressure;
+use crate::proxy::shared_state::{ConntrackCloseEvent, ConntrackCloseReason, ProxySharedState};
+use crate::stats::Stats;
+
+const CONNTRACK_EVENT_QUEUE_CAPACITY: usize = 32_768;
+const PRESSURE_RELEASE_TICKS: u8 = 3;
+const PRESSURE_SAMPLE_INTERVAL: Duration = Duration::from_secs(1);
+
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+enum NetfilterBackend {
+    Nftables,
+    Iptables,
+}
+
+#[derive(Clone, Copy)]
+struct PressureSample {
+    conn_pct: Option<u8>,
+    fd_pct: Option<u8>,
+    accept_timeout_delta: u64,
+    me_queue_pressure_delta: u64,
+}
+
+struct PressureState {
+    active: bool,
+    low_streak: u8,
+    prev_accept_timeout_total: u64,
+    prev_me_queue_pressure_total: u64,
+}
+
+impl PressureState {
+    fn new(stats: &Stats) -> Self {
+        Self {
+            active: false,
+            low_streak: 0,
+            prev_accept_timeout_total: stats.get_accept_permit_timeout_total(),
+            prev_me_queue_pressure_total: stats.get_me_c2me_send_full_total(),
+        }
+    }
+}
+
+pub(crate) fn spawn_conntrack_controller(
+    config_rx: watch::Receiver<Arc<ProxyConfig>>,
+    stats: Arc<Stats>,
+    shared: Arc<ProxySharedState>,
+) {
+    if !cfg!(target_os = "linux") {
+        let enabled = config_rx
+            .borrow()
+            .server
+            .conntrack_control
+            .inline_conntrack_control;
+        stats.set_conntrack_control_enabled(enabled);
+        stats.set_conntrack_control_available(false);
+        stats.set_conntrack_pressure_active(false);
+        stats.set_conntrack_event_queue_depth(0);
+        stats.set_conntrack_rule_apply_ok(false);
+        shared.disable_conntrack_close_sender();
+        shared.set_conntrack_pressure_active(false);
+        if enabled {
+            warn!(
+                "conntrack control is configured but unsupported on this OS; disabling runtime worker"
+            );
+        }
+        return;
+    }
+
+    let (tx, rx) = mpsc::channel(CONNTRACK_EVENT_QUEUE_CAPACITY);
+    shared.set_conntrack_close_sender(tx);
+    tokio::spawn(async move {
+        run_conntrack_controller(config_rx, stats, shared, rx).await;
+    });
+}
+
+async fn run_conntrack_controller(
+    mut config_rx: watch::Receiver<Arc<ProxyConfig>>,
+    stats: Arc<Stats>,
+    shared: Arc<ProxySharedState>,
+    mut close_rx: mpsc::Receiver<ConntrackCloseEvent>,
+) {
+    let mut cfg = config_rx.borrow().clone();
+    let mut pressure_state = PressureState::new(stats.as_ref());
+    let mut delete_budget_tokens = cfg.server.conntrack_control.delete_budget_per_sec;
+    let mut backend = pick_backend(cfg.server.conntrack_control.backend);
+
+    apply_runtime_state(
+        stats.as_ref(),
+        shared.as_ref(),
+        &cfg,
+        backend.is_some(),
+        false,
+    );
+    reconcile_rules(&cfg, backend, stats.as_ref()).await;
+
+    loop {
+        tokio::select! {
+            changed = config_rx.changed() => {
+                if changed.is_err() {
+                    break;
+                }
+                cfg = config_rx.borrow_and_update().clone();
+                backend = pick_backend(cfg.server.conntrack_control.backend);
+                delete_budget_tokens = cfg.server.conntrack_control.delete_budget_per_sec;
+                apply_runtime_state(stats.as_ref(), shared.as_ref(), &cfg, backend.is_some(), pressure_state.active);
+                reconcile_rules(&cfg, backend, stats.as_ref()).await;
+            }
+            event = close_rx.recv() => {
+                let Some(event) = event else {
+                    break;
+                };
+                stats.set_conntrack_event_queue_depth(close_rx.len() as u64);
+                if !cfg.server.conntrack_control.inline_conntrack_control {
+                    continue;
+                }
+                if !pressure_state.active {
+                    continue;
+                }
+                if !matches!(event.reason, ConntrackCloseReason::Timeout | ConntrackCloseReason::Pressure | ConntrackCloseReason::Reset) {
+                    continue;
+                }
+                if delete_budget_tokens == 0 {
+                    continue;
+                }
+                stats.increment_conntrack_delete_attempt_total();
+                match delete_conntrack_entry(event).await {
+                    DeleteOutcome::Deleted => {
+                        delete_budget_tokens = delete_budget_tokens.saturating_sub(1);
+                        stats.increment_conntrack_delete_success_total();
+                    }
+                    DeleteOutcome::NotFound => {
+                        delete_budget_tokens = delete_budget_tokens.saturating_sub(1);
+                        stats.increment_conntrack_delete_not_found_total();
+                    }
+                    DeleteOutcome::Error => {
+                        delete_budget_tokens = delete_budget_tokens.saturating_sub(1);
+                        stats.increment_conntrack_delete_error_total();
+                    }
+                }
+            }
+            _ = tokio::time::sleep(PRESSURE_SAMPLE_INTERVAL) => {
+                delete_budget_tokens = cfg.server.conntrack_control.delete_budget_per_sec;
+                stats.set_conntrack_event_queue_depth(close_rx.len() as u64);
+                let sample = collect_pressure_sample(stats.as_ref(), &cfg, &mut pressure_state);
+                update_pressure_state(
+                    stats.as_ref(),
+                    shared.as_ref(),
+                    &cfg,
+                    &sample,
+                    &mut pressure_state,
+                );
+                if pressure_state.active {
+                    note_global_relay_pressure(shared.as_ref());
+                }
+            }
+        }
+    }
+
+    shared.disable_conntrack_close_sender();
+    shared.set_conntrack_pressure_active(false);
+    stats.set_conntrack_pressure_active(false);
+}
+
+fn apply_runtime_state(
+    stats: &Stats,
+    shared: &ProxySharedState,
+    cfg: &ProxyConfig,
+    backend_available: bool,
+    pressure_active: bool,
+) {
+    let enabled = cfg.server.conntrack_control.inline_conntrack_control;
+    let available = enabled && backend_available && has_cap_net_admin();
+    if enabled && !available {
+        warn!(
+            "conntrack control enabled but unavailable (missing CAP_NET_ADMIN or backend binaries)"
+        );
+    }
+    stats.set_conntrack_control_enabled(enabled);
+    stats.set_conntrack_control_available(available);
+    shared.set_conntrack_pressure_active(enabled && pressure_active);
+    stats.set_conntrack_pressure_active(enabled && pressure_active);
+}
+
+fn collect_pressure_sample(
+    stats: &Stats,
+    cfg: &ProxyConfig,
+    state: &mut PressureState,
+) -> PressureSample {
+    let current_connections = stats.get_current_connections_total();
+    let conn_pct = if cfg.server.max_connections == 0 {
+        None
+    } else {
+        Some(
+            ((current_connections.saturating_mul(100)) / u64::from(cfg.server.max_connections))
+                .min(100) as u8,
+        )
+    };
+
+    let fd_pct = fd_usage_pct();
+
+    let accept_total = stats.get_accept_permit_timeout_total();
+    let accept_delta = accept_total.saturating_sub(state.prev_accept_timeout_total);
+    state.prev_accept_timeout_total = accept_total;
+
+    let me_total = stats.get_me_c2me_send_full_total();
+    let me_delta = me_total.saturating_sub(state.prev_me_queue_pressure_total);
+    state.prev_me_queue_pressure_total = me_total;
+
+    PressureSample {
+        conn_pct,
+        fd_pct,
+        accept_timeout_delta: accept_delta,
+        me_queue_pressure_delta: me_delta,
+    }
+}
+
+fn update_pressure_state(
+    stats: &Stats,
+    shared: &ProxySharedState,
+    cfg: &ProxyConfig,
+    sample: &PressureSample,
+    state: &mut PressureState,
+) {
+    if !cfg.server.conntrack_control.inline_conntrack_control {
+        if state.active {
+            state.active = false;
+            state.low_streak = 0;
+            shared.set_conntrack_pressure_active(false);
+            stats.set_conntrack_pressure_active(false);
+            info!("Conntrack pressure mode deactivated (feature disabled)");
+        }
+        return;
+    }
+
+    let high = cfg.server.conntrack_control.pressure_high_watermark_pct;
+    let low = cfg.server.conntrack_control.pressure_low_watermark_pct;
+
+    let high_hit = sample.conn_pct.is_some_and(|v| v >= high)
+        || sample.fd_pct.is_some_and(|v| v >= high)
+        || sample.accept_timeout_delta > 0
+        || sample.me_queue_pressure_delta > 0;
+
+    let low_clear = sample.conn_pct.is_none_or(|v| v <= low)
+        && sample.fd_pct.is_none_or(|v| v <= low)
+        && sample.accept_timeout_delta == 0
+        && sample.me_queue_pressure_delta == 0;
+
+    if !state.active && high_hit {
+        state.active = true;
+        state.low_streak = 0;
+        shared.set_conntrack_pressure_active(true);
+        stats.set_conntrack_pressure_active(true);
+        info!(
+            conn_pct = ?sample.conn_pct,
+            fd_pct = ?sample.fd_pct,
+            accept_timeout_delta = sample.accept_timeout_delta,
+            me_queue_pressure_delta = sample.me_queue_pressure_delta,
+            "Conntrack pressure mode activated"
+        );
+        return;
+    }
+
+    if state.active && low_clear {
+        state.low_streak = state.low_streak.saturating_add(1);
+        if state.low_streak >= PRESSURE_RELEASE_TICKS {
+            state.active = false;
+            state.low_streak = 0;
+            shared.set_conntrack_pressure_active(false);
+            stats.set_conntrack_pressure_active(false);
+            info!("Conntrack pressure mode deactivated");
+        }
+        return;
+    }
+
+    state.low_streak = 0;
+}
+
+async fn reconcile_rules(cfg: &ProxyConfig, backend: Option<NetfilterBackend>, stats: &Stats) {
+    if !cfg.server.conntrack_control.inline_conntrack_control {
+        clear_notrack_rules_all_backends().await;
+        stats.set_conntrack_rule_apply_ok(true);
+        return;
+    }
+
+    if !has_cap_net_admin() {
+        stats.set_conntrack_rule_apply_ok(false);
+        return;
+    }
+
+    let Some(backend) = backend else {
+        stats.set_conntrack_rule_apply_ok(false);
+        return;
+    };
+
+    let apply_result = match backend {
+        NetfilterBackend::Nftables => apply_nft_rules(cfg).await,
+        NetfilterBackend::Iptables => apply_iptables_rules(cfg).await,
+    };
+
+    if let Err(error) = apply_result {
+        warn!(error = %error, "Failed to reconcile conntrack/notrack rules");
+        stats.set_conntrack_rule_apply_ok(false);
+    } else {
+        stats.set_conntrack_rule_apply_ok(true);
+    }
+}
+
+fn pick_backend(configured: ConntrackBackend) -> Option<NetfilterBackend> {
+    match configured {
+        ConntrackBackend::Auto => {
+            if command_exists("nft") {
+                Some(NetfilterBackend::Nftables)
+            } else if command_exists("iptables") {
+                Some(NetfilterBackend::Iptables)
+            } else {
+                None
+            }
+        }
+        ConntrackBackend::Nftables => command_exists("nft").then_some(NetfilterBackend::Nftables),
+        ConntrackBackend::Iptables => {
+            command_exists("iptables").then_some(NetfilterBackend::Iptables)
+        }
+    }
+}
+
+fn command_exists(binary: &str) -> bool {
+    let Some(path_var) = std::env::var_os("PATH") else {
+        return false;
+    };
+    std::env::split_paths(&path_var).any(|dir| {
+        let candidate: PathBuf = dir.join(binary);
+        candidate.exists() && candidate.is_file()
+    })
+}
+
+fn notrack_targets(cfg: &ProxyConfig) -> (Vec<Option<IpAddr>>, Vec<Option<IpAddr>>) {
+    let mode = cfg.server.conntrack_control.mode;
+    let mut v4_targets: BTreeSet<Option<IpAddr>> = BTreeSet::new();
+    let mut v6_targets: BTreeSet<Option<IpAddr>> = BTreeSet::new();
+
+    match mode {
+        ConntrackMode::Tracked => {}
+        ConntrackMode::Notrack => {
+            if cfg.server.listeners.is_empty() {
+                if let Some(ipv4) = cfg
+                    .server
+                    .listen_addr_ipv4
+                    .as_ref()
+                    .and_then(|s| s.parse::<IpAddr>().ok())
+                {
+                    if ipv4.is_unspecified() {
+                        v4_targets.insert(None);
+                    } else {
+                        v4_targets.insert(Some(ipv4));
+                    }
+                }
+                if let Some(ipv6) = cfg
+                    .server
+                    .listen_addr_ipv6
+                    .as_ref()
+                    .and_then(|s| s.parse::<IpAddr>().ok())
+                {
+                    if ipv6.is_unspecified() {
+                        v6_targets.insert(None);
+                    } else {
+                        v6_targets.insert(Some(ipv6));
+                    }
+                }
+            } else {
+                for listener in &cfg.server.listeners {
+                    if listener.ip.is_ipv4() {
+                        if listener.ip.is_unspecified() {
+                            v4_targets.insert(None);
+                        } else {
+                            v4_targets.insert(Some(listener.ip));
+                        }
+                    } else if listener.ip.is_unspecified() {
+                        v6_targets.insert(None);
+                    } else {
+                        v6_targets.insert(Some(listener.ip));
+                    }
+                }
+            }
+        }
+        ConntrackMode::Hybrid => {
+            for ip in &cfg.server.conntrack_control.hybrid_listener_ips {
+                if ip.is_ipv4() {
+                    v4_targets.insert(Some(*ip));
+                } else {
+                    v6_targets.insert(Some(*ip));
+                }
+            }
+        }
+    }
+
+    (
+        v4_targets.into_iter().collect(),
+        v6_targets.into_iter().collect(),
+    )
+}
+
+async fn apply_nft_rules(cfg: &ProxyConfig) -> Result<(), String> {
+    let _ = run_command(
+        "nft",
+        &["delete", "table", "inet", "telemt_conntrack"],
+        None,
+    )
+    .await;
+    if matches!(cfg.server.conntrack_control.mode, ConntrackMode::Tracked) {
+        return Ok(());
+    }
+
+    let (v4_targets, v6_targets) = notrack_targets(cfg);
+    let mut rules = Vec::new();
+    for ip in v4_targets {
+        let rule = if let Some(ip) = ip {
+            format!("tcp dport {} ip daddr {} notrack", cfg.server.port, ip)
+        } else {
+            format!("tcp dport {} notrack", cfg.server.port)
+        };
+        rules.push(rule);
+    }
+    for ip in v6_targets {
+        let rule = if let Some(ip) = ip {
+            format!("tcp dport {} ip6 daddr {} notrack", cfg.server.port, ip)
+        } else {
+            format!("tcp dport {} notrack", cfg.server.port)
+        };
+        rules.push(rule);
+    }
+
+    let rule_blob = if rules.is_empty() {
+        String::new()
+    } else {
+        format!("    {}\n", rules.join("\n    "))
+    };
+    let script = format!(
+        "table inet telemt_conntrack {{\n  chain preraw {{\n    type filter hook prerouting priority raw; policy accept;\n{rule_blob}  }}\n}}\n"
+    );
+    run_command("nft", &["-f", "-"], Some(script)).await
+}
+
+async fn apply_iptables_rules(cfg: &ProxyConfig) -> Result<(), String> {
+    apply_iptables_rules_for_binary("iptables", cfg, true).await?;
+    apply_iptables_rules_for_binary("ip6tables", cfg, false).await?;
+    Ok(())
+}
+
+async fn apply_iptables_rules_for_binary(
+    binary: &str,
+    cfg: &ProxyConfig,
+    ipv4: bool,
+) -> Result<(), String> {
+    if !command_exists(binary) {
+        return Ok(());
+    }
+    let chain = "TELEMT_NOTRACK";
+    let _ = run_command(
+        binary,
+        &["-t", "raw", "-D", "PREROUTING", "-j", chain],
+        None,
+    )
+    .await;
+    let _ = run_command(binary, &["-t", "raw", "-F", chain], None).await;
+    let _ = run_command(binary, &["-t", "raw", "-X", chain], None).await;
+
+    if matches!(cfg.server.conntrack_control.mode, ConntrackMode::Tracked) {
+        return Ok(());
+    }
+
+    run_command(binary, &["-t", "raw", "-N", chain], None).await?;
+    run_command(binary, &["-t", "raw", "-F", chain], None).await?;
+    if run_command(
+        binary,
+        &["-t", "raw", "-C", "PREROUTING", "-j", chain],
+        None,
+    )
+    .await
+    .is_err()
+    {
+        run_command(
+            binary,
+            &["-t", "raw", "-I", "PREROUTING", "1", "-j", chain],
+            None,
+        )
+        .await?;
+    }
+
+    let (v4_targets, v6_targets) = notrack_targets(cfg);
+    let selected = if ipv4 { v4_targets } else { v6_targets };
+    for ip in selected {
+        let mut args = vec![
+            "-t".to_string(),
+            "raw".to_string(),
+            "-A".to_string(),
+            chain.to_string(),
+            "-p".to_string(),
+            "tcp".to_string(),
+            "--dport".to_string(),
+            cfg.server.port.to_string(),
+        ];
+        if let Some(ip) = ip {
+            args.push("-d".to_string());
+            args.push(ip.to_string());
+        }
+        args.push("-j".to_string());
+        args.push("CT".to_string());
+        args.push("--notrack".to_string());
+        let arg_refs: Vec<&str> = args.iter().map(String::as_str).collect();
+        run_command(binary, &arg_refs, None).await?;
+    }
+    Ok(())
+}
+
+async fn clear_notrack_rules_all_backends() {
+    let _ = run_command(
+        "nft",
+        &["delete", "table", "inet", "telemt_conntrack"],
+        None,
+    )
+    .await;
+    let _ = run_command(
+        "iptables",
+        &["-t", "raw", "-D", "PREROUTING", "-j", "TELEMT_NOTRACK"],
+        None,
+    )
+    .await;
+    let _ = run_command("iptables", &["-t", "raw", "-F", "TELEMT_NOTRACK"], None).await;
+    let _ = run_command("iptables", &["-t", "raw", "-X", "TELEMT_NOTRACK"], None).await;
+    let _ = run_command(
+        "ip6tables",
+        &["-t", "raw", "-D", "PREROUTING", "-j", "TELEMT_NOTRACK"],
+        None,
+    )
+    .await;
+    let _ = run_command("ip6tables", &["-t", "raw", "-F", "TELEMT_NOTRACK"], None).await;
+    let _ = run_command("ip6tables", &["-t", "raw", "-X", "TELEMT_NOTRACK"], None).await;
+}
+
+enum DeleteOutcome {
+    Deleted,
+    NotFound,
+    Error,
+}
+
+async fn delete_conntrack_entry(event: ConntrackCloseEvent) -> DeleteOutcome {
+    if !command_exists("conntrack") {
+        return DeleteOutcome::Error;
+    }
+    let args = vec![
+        "-D".to_string(),
+        "-p".to_string(),
+        "tcp".to_string(),
+        "-s".to_string(),
+        event.src.ip().to_string(),
+        "--sport".to_string(),
+        event.src.port().to_string(),
+        "-d".to_string(),
+        event.dst.ip().to_string(),
+        "--dport".to_string(),
+        event.dst.port().to_string(),
+    ];
+    let arg_refs: Vec<&str> = args.iter().map(String::as_str).collect();
+    match run_command("conntrack", &arg_refs, None).await {
+        Ok(()) => DeleteOutcome::Deleted,
+        Err(error) => {
+            if error.contains("0 flow entries have been deleted") {
+                DeleteOutcome::NotFound
+            } else {
+                debug!(error = %error, "conntrack delete failed");
+                DeleteOutcome::Error
+            }
+        }
+    }
+}
+
+async fn run_command(binary: &str, args: &[&str], stdin: Option<String>) -> Result<(), String> {
+    if !command_exists(binary) {
+        return Err(format!("{binary} is not available"));
+    }
+    let mut command = Command::new(binary);
+    command.args(args);
+    if stdin.is_some() {
+        command.stdin(std::process::Stdio::piped());
+    }
+    command.stdout(std::process::Stdio::null());
+    command.stderr(std::process::Stdio::piped());
+    let mut child = command
+        .spawn()
+        .map_err(|e| format!("spawn {binary} failed: {e}"))?;
+    if let Some(blob) = stdin
+        && let Some(mut writer) = child.stdin.take()
+    {
+        writer
+            .write_all(blob.as_bytes())
+            .await
+            .map_err(|e| format!("stdin write {binary} failed: {e}"))?;
+    }
+    let output = child
+        .wait_with_output()
+        .await
+        .map_err(|e| format!("wait {binary} failed: {e}"))?;
+    if output.status.success() {
+        return Ok(());
+    }
+    let stderr = String::from_utf8_lossy(&output.stderr).trim().to_string();
+    Err(if stderr.is_empty() {
+        format!("{binary} exited with status {}", output.status)
+    } else {
+        stderr
+    })
+}
+
+fn fd_usage_pct() -> Option<u8> {
+    let soft_limit = nofile_soft_limit()?;
+    if soft_limit == 0 {
+        return None;
+    }
+    let fd_count = std::fs::read_dir("/proc/self/fd").ok()?.count() as u64;
+    Some(((fd_count.saturating_mul(100)) / soft_limit).min(100) as u8)
+}
+
+fn nofile_soft_limit() -> Option<u64> {
+    #[cfg(target_os = "linux")]
+    {
+        let mut lim = libc::rlimit {
+            rlim_cur: 0,
+            rlim_max: 0,
+        };
+        let rc = unsafe { libc::getrlimit(libc::RLIMIT_NOFILE, &mut lim) };
+        if rc != 0 {
+            return None;
+        }
+        return Some(lim.rlim_cur);
+    }
+    #[cfg(not(target_os = "linux"))]
+    {
+        None
+    }
+}
+
+fn has_cap_net_admin() -> bool {
+    #[cfg(target_os = "linux")]
+    {
+        let Ok(status) = std::fs::read_to_string("/proc/self/status") else {
+            return false;
+        };
+        for line in status.lines() {
+            if let Some(raw) = line.strip_prefix("CapEff:") {
+                let caps = raw.trim();
+                if let Ok(bits) = u64::from_str_radix(caps, 16) {
+                    const CAP_NET_ADMIN_BIT: u64 = 12;
+                    return (bits & (1u64 << CAP_NET_ADMIN_BIT)) != 0;
+                }
+            }
+        }
+        false
+    }
+    #[cfg(not(target_os = "linux"))]
+    {
+        false
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::config::ProxyConfig;
+
+    #[test]
+    fn pressure_activates_on_accept_timeout_spike() {
+        let stats = Stats::new();
+        let shared = ProxySharedState::new();
+        let mut cfg = ProxyConfig::default();
+        cfg.server.conntrack_control.inline_conntrack_control = true;
+        let mut state = PressureState::new(&stats);
+        let sample = PressureSample {
+            conn_pct: Some(10),
+            fd_pct: Some(10),
+            accept_timeout_delta: 1,
+            me_queue_pressure_delta: 0,
+        };
+
+        update_pressure_state(&stats, shared.as_ref(), &cfg, &sample, &mut state);
+
+        assert!(state.active);
+        assert!(shared.conntrack_pressure_active());
+        assert!(stats.get_conntrack_pressure_active());
+    }
+
+    #[test]
+    fn pressure_releases_after_hysteresis_window() {
+        let stats = Stats::new();
+        let shared = ProxySharedState::new();
+        let mut cfg = ProxyConfig::default();
+        cfg.server.conntrack_control.inline_conntrack_control = true;
+        let mut state = PressureState::new(&stats);
+
+        let high_sample = PressureSample {
+            conn_pct: Some(95),
+            fd_pct: Some(95),
+            accept_timeout_delta: 0,
+            me_queue_pressure_delta: 0,
+        };
+        update_pressure_state(&stats, shared.as_ref(), &cfg, &high_sample, &mut state);
+        assert!(state.active);
+
+        let low_sample = PressureSample {
+            conn_pct: Some(10),
+            fd_pct: Some(10),
+            accept_timeout_delta: 0,
+            me_queue_pressure_delta: 0,
+        };
+        update_pressure_state(&stats, shared.as_ref(), &cfg, &low_sample, &mut state);
+        assert!(state.active);
+        update_pressure_state(&stats, shared.as_ref(), &cfg, &low_sample, &mut state);
+        assert!(state.active);
+        update_pressure_state(&stats, shared.as_ref(), &cfg, &low_sample, &mut state);
+
+        assert!(!state.active);
+        assert!(!shared.conntrack_pressure_active());
+        assert!(!stats.get_conntrack_pressure_active());
+    }
+
+    #[test]
+    fn pressure_does_not_activate_when_disabled() {
+        let stats = Stats::new();
+        let shared = ProxySharedState::new();
+        let mut cfg = ProxyConfig::default();
+        cfg.server.conntrack_control.inline_conntrack_control = false;
+        let mut state = PressureState::new(&stats);
+        let sample = PressureSample {
+            conn_pct: Some(100),
+            fd_pct: Some(100),
+            accept_timeout_delta: 10,
+            me_queue_pressure_delta: 10,
+        };
+
+        update_pressure_state(&stats, shared.as_ref(), &cfg, &sample, &mut state);
+
+        assert!(!state.active);
+        assert!(!shared.conntrack_pressure_active());
+        assert!(!stats.get_conntrack_pressure_active());
+    }
+}
@@ -339,31 +339,35 @@ fn is_process_running(pid: i32) -> bool {

 /// Drops privileges to the specified user and group.
 ///
-/// This should be called after binding privileged ports but before
-/// entering the main event loop.
-pub fn drop_privileges(user: Option<&str>, group: Option<&str>) -> Result<(), DaemonError> {
-    // Look up group first (need to do this while still root)
+/// This should be called after binding privileged ports but before entering
+/// the main event loop.
+pub fn drop_privileges(
+    user: Option<&str>,
+    group: Option<&str>,
+    pid_file: Option<&PidFile>,
+) -> Result<(), DaemonError> {
    let target_gid = if let Some(group_name) = group {
        Some(lookup_group(group_name)?)
    } else if let Some(user_name) = user {
-        // If no group specified but user is, use user's primary group
        Some(lookup_user_primary_gid(user_name)?)
    } else {
        None
    };

-    // Look up user
    let target_uid = if let Some(user_name) = user {
        Some(lookup_user(user_name)?)
    } else {
        None
    };

-    // Drop privileges: set GID first, then UID
-    // (Setting UID first would prevent us from setting GID)
+    if (target_uid.is_some() || target_gid.is_some())
+        && let Some(file) = pid_file.and_then(|pid| pid.file.as_ref())
+    {
+        unistd::fchown(file, target_uid, target_gid).map_err(DaemonError::PrivilegeDrop)?;
+    }
+
    if let Some(gid) = target_gid {
        unistd::setgid(gid).map_err(DaemonError::PrivilegeDrop)?;
-        // Also set supplementary groups to just this one
        unistd::setgroups(&[gid]).map_err(DaemonError::PrivilegeDrop)?;
        info!(gid = gid.as_raw(), "Dropped group privileges");
    }
@@ -371,6 +375,38 @@ pub fn drop_privileges(user: Option<&str>, group: Option<&str>) -> Result<(), Da
    if let Some(uid) = target_uid {
        unistd::setuid(uid).map_err(DaemonError::PrivilegeDrop)?;
        info!(uid = uid.as_raw(), "Dropped user privileges");
+
+        if uid.as_raw() != 0
+            && let Some(pid) = pid_file
+        {
+            let parent = pid.path.parent().unwrap_or(Path::new("."));
+            let probe_path = parent.join(format!(
+                ".telemt_pid_probe_{}_{}",
+                std::process::id(),
+                getpid().as_raw()
+            ));
+            OpenOptions::new()
+                .write(true)
+                .create_new(true)
+                .mode(0o600)
+                .open(&probe_path)
+                .map_err(|e| {
+                    DaemonError::PidFile(format!(
+                        "cannot create probe in PID directory {} as uid {} (pid cleanup will fail): {}",
+                        parent.display(),
+                        uid.as_raw(),
+                        e
+                    ))
+                })?;
+            fs::remove_file(&probe_path).map_err(|e| {
+                DaemonError::PidFile(format!(
+                    "cannot remove probe in PID directory {} as uid {} (pid cleanup will fail): {}",
+                    parent.display(),
+                    uid.as_raw(),
+                    e
+                ))
+            })?;
+        }
    }

    Ok(())
@@ -88,8 +88,10 @@ pub fn init_logging(
            // Use a custom fmt layer that writes to syslog
            let fmt_layer = fmt::Layer::default()
                .with_ansi(false)
-                .with_target(true)
-                .with_writer(SyslogWriter::new);
+                .with_target(false)
+                .with_level(false)
+                .without_time()
+                .with_writer(SyslogMakeWriter::new());

            tracing_subscriber::registry()
                .with(filter_layer)
@@ -137,12 +139,17 @@ pub fn init_logging(

 /// Syslog writer for tracing.
 #[cfg(unix)]
+#[derive(Clone, Copy)]
+struct SyslogMakeWriter;
+
+#[cfg(unix)]
+#[derive(Clone, Copy)]
 struct SyslogWriter {
-    _private: (),
+    priority: libc::c_int,
 }

 #[cfg(unix)]
-impl SyslogWriter {
+impl SyslogMakeWriter {
    fn new() -> Self {
        // Open syslog connection on first use
        static INIT: std::sync::Once = std::sync::Once::new();
@@ -153,7 +160,18 @@ impl SyslogWriter {
                libc::openlog(ident, libc::LOG_PID | libc::LOG_NDELAY, libc::LOG_DAEMON);
            }
        });
-        Self { _private: () }
+        Self
+    }
+}
+
+#[cfg(unix)]
+fn syslog_priority_for_level(level: &tracing::Level) -> libc::c_int {
+    match *level {
+        tracing::Level::ERROR => libc::LOG_ERR,
+        tracing::Level::WARN => libc::LOG_WARNING,
+        tracing::Level::INFO => libc::LOG_INFO,
+        tracing::Level::DEBUG => libc::LOG_DEBUG,
+        tracing::Level::TRACE => libc::LOG_DEBUG,
    }
 }

@@ -168,26 +186,13 @@ impl std::io::Write for SyslogWriter {
            return Ok(buf.len());
        }

-        // Determine priority based on log level in the message
-        let priority = if msg.contains(" ERROR ") || msg.contains(" error ") {
-            libc::LOG_ERR
-        } else if msg.contains(" WARN ") || msg.contains(" warn ") {
-            libc::LOG_WARNING
-        } else if msg.contains(" INFO ") || msg.contains(" info ") {
-            libc::LOG_INFO
-        } else if msg.contains(" DEBUG ") || msg.contains(" debug ") {
-            libc::LOG_DEBUG
-        } else {
-            libc::LOG_INFO
-        };
-
        // Write to syslog
        let c_msg = std::ffi::CString::new(msg.as_bytes())
            .unwrap_or_else(|_| std::ffi::CString::new("(invalid utf8)").unwrap());

        unsafe {
            libc::syslog(
-                priority,
+                self.priority,
                b"%s\0".as_ptr() as *const libc::c_char,
                c_msg.as_ptr(),
            );
@@ -202,11 +207,19 @@ impl std::io::Write for SyslogWriter {
 }

 #[cfg(unix)]
-impl<'a> tracing_subscriber::fmt::MakeWriter<'a> for SyslogWriter {
+impl<'a> tracing_subscriber::fmt::MakeWriter<'a> for SyslogMakeWriter {
    type Writer = SyslogWriter;

    fn make_writer(&'a self) -> Self::Writer {
-        SyslogWriter::new()
+        SyslogWriter {
+            priority: libc::LOG_INFO,
+        }
+    }
+
+    fn make_writer_for(&'a self, meta: &tracing::Metadata<'_>) -> Self::Writer {
+        SyslogWriter {
+            priority: syslog_priority_for_level(meta.level()),
+        }
    }
 }

@@ -302,4 +315,29 @@ mod tests {
            LogDestination::Syslog
        ));
    }
+
+    #[cfg(unix)]
+    #[test]
+    fn test_syslog_priority_for_level_mapping() {
+        assert_eq!(
+            syslog_priority_for_level(&tracing::Level::ERROR),
+            libc::LOG_ERR
+        );
+        assert_eq!(
+            syslog_priority_for_level(&tracing::Level::WARN),
+            libc::LOG_WARNING
+        );
+        assert_eq!(
+            syslog_priority_for_level(&tracing::Level::INFO),
+            libc::LOG_INFO
+        );
+        assert_eq!(
+            syslog_priority_for_level(&tracing::Level::DEBUG),
+            libc::LOG_DEBUG
+        );
+        assert_eq!(
+            syslog_priority_for_level(&tracing::Level::TRACE),
+            libc::LOG_DEBUG
+        );
+    }
 }
@@ -18,19 +18,38 @@ use crate::transport::middle_proxy::{
 pub(crate) fn resolve_runtime_config_path(
    config_path_cli: &str,
    startup_cwd: &std::path::Path,
+    config_path_explicit: bool,
 ) -> PathBuf {
-    let raw = PathBuf::from(config_path_cli);
-    let absolute = if raw.is_absolute() {
-        raw
-    } else {
-        startup_cwd.join(raw)
-    };
-    absolute.canonicalize().unwrap_or(absolute)
+    if config_path_explicit {
+        let raw = PathBuf::from(config_path_cli);
+        let absolute = if raw.is_absolute() {
+            raw
+        } else {
+            startup_cwd.join(raw)
+        };
+        return absolute.canonicalize().unwrap_or(absolute);
+    }
+
+    let etc_telemt = std::path::Path::new("/etc/telemt");
+    let candidates = [
+        startup_cwd.join("config.toml"),
+        startup_cwd.join("telemt.toml"),
+        etc_telemt.join("telemt.toml"),
+        etc_telemt.join("config.toml"),
+    ];
+    for candidate in candidates {
+        if candidate.is_file() {
+            return candidate.canonicalize().unwrap_or(candidate);
+        }
+    }
+
+    startup_cwd.join("config.toml")
 }

 /// Parsed CLI arguments.
 pub(crate) struct CliArgs {
    pub config_path: String,
+    pub config_path_explicit: bool,
    pub data_path: Option<PathBuf>,
    pub silent: bool,
    pub log_level: Option<String>,
@@ -39,6 +58,7 @@ pub(crate) struct CliArgs {

 pub(crate) fn parse_cli() -> CliArgs {
    let mut config_path = "config.toml".to_string();
+    let mut config_path_explicit = false;
    let mut data_path: Option<PathBuf> = None;
    let mut silent = false;
    let mut log_level: Option<String> = None;
@@ -74,6 +94,20 @@ pub(crate) fn parse_cli() -> CliArgs {
                    s.trim_start_matches("--data-path=").to_string(),
                ));
            }
+            "--working-dir" => {
+                i += 1;
+                if i < args.len() {
+                    data_path = Some(PathBuf::from(args[i].clone()));
+                } else {
+                    eprintln!("Missing value for --working-dir");
+                    std::process::exit(0);
+                }
+            }
+            s if s.starts_with("--working-dir=") => {
+                data_path = Some(PathBuf::from(
+                    s.trim_start_matches("--working-dir=").to_string(),
+                ));
+            }
            "--silent" | "-s" => {
                silent = true;
            }
@@ -111,13 +145,11 @@ pub(crate) fn parse_cli() -> CliArgs {
                    i += 1;
                }
            }
-            s if s.starts_with("--working-dir") => {
-                if !s.contains('=') {
-                    i += 1;
-                }
-            }
            s if !s.starts_with('-') => {
-                config_path = s.to_string();
+                if !matches!(s, "run" | "start" | "stop" | "reload" | "status") {
+                    config_path = s.to_string();
+                    config_path_explicit = true;
+                }
            }
            other => {
                eprintln!("Unknown option: {}", other);
@@ -128,6 +160,7 @@ pub(crate) fn parse_cli() -> CliArgs {

    CliArgs {
        config_path,
+        config_path_explicit,
        data_path,
        silent,
        log_level,
@@ -152,6 +185,7 @@ fn print_help() {
    eprintln!(
        "  --data-path <DIR>       Set data directory (absolute path; overrides config value)"
    );
+    eprintln!("  --working-dir <DIR>     Alias for --data-path");
    eprintln!("  --silent, -s            Suppress info logs");
    eprintln!("  --log-level <LEVEL>     debug|verbose|normal|silent");
    eprintln!("  --help, -h              Show this help");
@@ -210,7 +244,7 @@ mod tests {
        let target = startup_cwd.join("config.toml");
        std::fs::write(&target, " ").unwrap();

-        let resolved = resolve_runtime_config_path("config.toml", &startup_cwd);
+        let resolved = resolve_runtime_config_path("config.toml", &startup_cwd, true);
        assert_eq!(resolved, target.canonicalize().unwrap());

        let _ = std::fs::remove_file(&target);
@@ -226,11 +260,45 @@ mod tests {
        let startup_cwd = std::env::temp_dir().join(format!("telemt_cfg_path_missing_{nonce}"));
        std::fs::create_dir_all(&startup_cwd).unwrap();

-        let resolved = resolve_runtime_config_path("missing.toml", &startup_cwd);
+        let resolved = resolve_runtime_config_path("missing.toml", &startup_cwd, true);
        assert_eq!(resolved, startup_cwd.join("missing.toml"));

        let _ = std::fs::remove_dir(&startup_cwd);
    }
+
+    #[test]
+    fn resolve_runtime_config_path_uses_startup_candidates_when_not_explicit() {
+        let nonce = std::time::SystemTime::now()
+            .duration_since(std::time::UNIX_EPOCH)
+            .unwrap()
+            .as_nanos();
+        let startup_cwd =
+            std::env::temp_dir().join(format!("telemt_cfg_startup_candidates_{nonce}"));
+        std::fs::create_dir_all(&startup_cwd).unwrap();
+        let telemt = startup_cwd.join("telemt.toml");
+        std::fs::write(&telemt, " ").unwrap();
+
+        let resolved = resolve_runtime_config_path("config.toml", &startup_cwd, false);
+        assert_eq!(resolved, telemt.canonicalize().unwrap());
+
+        let _ = std::fs::remove_file(&telemt);
+        let _ = std::fs::remove_dir(&startup_cwd);
+    }
+
+    #[test]
+    fn resolve_runtime_config_path_defaults_to_startup_config_when_none_found() {
+        let nonce = std::time::SystemTime::now()
+            .duration_since(std::time::UNIX_EPOCH)
+            .unwrap()
+            .as_nanos();
+        let startup_cwd = std::env::temp_dir().join(format!("telemt_cfg_startup_default_{nonce}"));
+        std::fs::create_dir_all(&startup_cwd).unwrap();
+
+        let resolved = resolve_runtime_config_path("config.toml", &startup_cwd, false);
+        assert_eq!(resolved, startup_cwd.join("config.toml"));
+
+        let _ = std::fs::remove_dir(&startup_cwd);
+    }
 }

 pub(crate) fn print_proxy_links(host: &str, port: u16, config: &ProxyConfig) {
@@ -9,17 +9,19 @@ use tokio::net::UnixListener;
 use tokio::sync::{Semaphore, watch};
 use tracing::{debug, error, info, warn};

-use crate::config::ProxyConfig;
+use crate::config::{ProxyConfig, RstOnCloseMode};
 use crate::crypto::SecureRandom;
 use crate::ip_tracker::UserIpTracker;
 use crate::proxy::ClientHandler;
 use crate::proxy::route_mode::{ROUTE_SWITCH_ERROR_MSG, RouteRuntimeController};
+use crate::proxy::shared_state::ProxySharedState;
 use crate::startup::{COMPONENT_LISTENERS_BIND, StartupTracker};
 use crate::stats::beobachten::BeobachtenStore;
 use crate::stats::{ReplayChecker, Stats};
 use crate::stream::BufferPool;
 use crate::tls_front::TlsFrontCache;
 use crate::transport::middle_proxy::MePool;
+use crate::transport::socket::set_linger_zero;
 use crate::transport::{ListenOptions, UpstreamManager, create_listener, find_listener_processes};

 use super::helpers::{is_expected_handshake_eof, print_proxy_links};
@@ -49,6 +51,7 @@ pub(crate) async fn bind_listeners(
    tls_cache: Option<Arc<TlsFrontCache>>,
    ip_tracker: Arc<UserIpTracker>,
    beobachten: Arc<BeobachtenStore>,
+    shared: Arc<ProxySharedState>,
    max_connections: Arc<Semaphore>,
 ) -> Result<BoundListeners, Box<dyn Error>> {
    startup_tracker
@@ -224,6 +227,7 @@ pub(crate) async fn bind_listeners(
        let tls_cache = tls_cache.clone();
        let ip_tracker = ip_tracker.clone();
        let beobachten = beobachten.clone();
+        let shared = shared.clone();
        let max_connections_unix = max_connections.clone();

        tokio::spawn(async move {
@@ -259,6 +263,7 @@ pub(crate) async fn bind_listeners(
                                    break;
                                }
                                Err(_) => {
+                                    stats.increment_accept_permit_timeout_total();
                                    debug!(
                                        timeout_ms = accept_permit_timeout_ms,
                                        "Dropping accepted unix connection: permit wait timeout"
@@ -284,11 +289,12 @@ pub(crate) async fn bind_listeners(
                        let tls_cache = tls_cache.clone();
                        let ip_tracker = ip_tracker.clone();
                        let beobachten = beobachten.clone();
+                        let shared = shared.clone();
                        let proxy_protocol_enabled = config.server.proxy_protocol;

                        tokio::spawn(async move {
                            let _permit = permit;
-                            if let Err(e) = crate::proxy::client::handle_client_stream(
+                            if let Err(e) = crate::proxy::client::handle_client_stream_with_shared(
                                stream,
                                fake_peer,
                                config,
@@ -302,6 +308,7 @@ pub(crate) async fn bind_listeners(
                                tls_cache,
                                ip_tracker,
                                beobachten,
+                                shared,
                                proxy_protocol_enabled,
                            )
                            .await
@@ -351,6 +358,7 @@ pub(crate) fn spawn_tcp_accept_loops(
    tls_cache: Option<Arc<TlsFrontCache>>,
    ip_tracker: Arc<UserIpTracker>,
    beobachten: Arc<BeobachtenStore>,
+    shared: Arc<ProxySharedState>,
    max_connections: Arc<Semaphore>,
 ) {
    for (listener, listener_proxy_protocol) in listeners {
@@ -366,12 +374,22 @@ pub(crate) fn spawn_tcp_accept_loops(
        let tls_cache = tls_cache.clone();
        let ip_tracker = ip_tracker.clone();
        let beobachten = beobachten.clone();
+        let shared = shared.clone();
        let max_connections_tcp = max_connections.clone();

        tokio::spawn(async move {
            loop {
                match listener.accept().await {
                    Ok((stream, peer_addr)) => {
+                        let rst_mode = config_rx.borrow().general.rst_on_close;
+                        #[cfg(unix)]
+                        let raw_fd = {
+                            use std::os::unix::io::AsRawFd;
+                            stream.as_raw_fd()
+                        };
+                        if matches!(rst_mode, RstOnCloseMode::Errors | RstOnCloseMode::Always) {
+                            let _ = set_linger_zero(&stream);
+                        }
                        if !*admission_rx_tcp.borrow() {
                            debug!(peer = %peer_addr, "Admission gate closed, dropping connection");
                            drop(stream);
@@ -400,6 +418,7 @@ pub(crate) fn spawn_tcp_accept_loops(
                                    break;
                                }
                                Err(_) => {
+                                    stats.increment_accept_permit_timeout_total();
                                    debug!(
                                        peer = %peer_addr,
                                        timeout_ms = accept_permit_timeout_ms,
@@ -421,13 +440,14 @@ pub(crate) fn spawn_tcp_accept_loops(
                        let tls_cache = tls_cache.clone();
                        let ip_tracker = ip_tracker.clone();
                        let beobachten = beobachten.clone();
+                        let shared = shared.clone();
                        let proxy_protocol_enabled = listener_proxy_protocol;
                        let real_peer_report = Arc::new(std::sync::Mutex::new(None));
                        let real_peer_report_for_handler = real_peer_report.clone();

                        tokio::spawn(async move {
                            let _permit = permit;
-                            if let Err(e) = ClientHandler::new(
+                            if let Err(e) = ClientHandler::new_with_shared(
                                stream,
                                peer_addr,
                                config,
@@ -441,8 +461,12 @@ pub(crate) fn spawn_tcp_accept_loops(
                                tls_cache,
                                ip_tracker,
                                beobachten,
+                                shared,
                                proxy_protocol_enabled,
                                real_peer_report_for_handler,
+                                #[cfg(unix)]
+                                raw_fd,
+                                rst_mode,
                            )
                            .run()
                            .await
@@ -29,10 +29,12 @@ use tracing_subscriber::{EnvFilter, fmt, prelude::*, reload};

 use crate::api;
 use crate::config::{LogLevel, ProxyConfig};
+use crate::conntrack_control;
 use crate::crypto::SecureRandom;
 use crate::ip_tracker::UserIpTracker;
 use crate::network::probe::{decide_network_capabilities, log_probe_result, run_probe};
 use crate::proxy::route_mode::{RelayRouteMode, RouteRuntimeController};
+use crate::proxy::shared_state::ProxySharedState;
 use crate::startup::{
    COMPONENT_API_BOOTSTRAP, COMPONENT_CONFIG_LOAD, COMPONENT_ME_POOL_CONSTRUCT,
    COMPONENT_ME_POOL_INIT_STAGE1, COMPONENT_ME_PROXY_CONFIG_V4, COMPONENT_ME_PROXY_CONFIG_V6,
@@ -110,6 +112,7 @@ async fn run_inner(
        .await;
    let cli_args = parse_cli();
    let config_path_cli = cli_args.config_path;
+    let config_path_explicit = cli_args.config_path_explicit;
    let data_path = cli_args.data_path;
    let cli_silent = cli_args.silent;
    let cli_log_level = cli_args.log_level;
@@ -121,7 +124,8 @@ async fn run_inner(
            std::process::exit(1);
        }
    };
-    let config_path = resolve_runtime_config_path(&config_path_cli, &startup_cwd);
+    let mut config_path =
+        resolve_runtime_config_path(&config_path_cli, &startup_cwd, config_path_explicit);

    let mut config = match ProxyConfig::load(&config_path) {
        Ok(c) => c,
@@ -131,11 +135,99 @@ async fn run_inner(
                std::process::exit(1);
            } else {
                let default = ProxyConfig::default();
-                std::fs::write(&config_path, toml::to_string_pretty(&default).unwrap()).unwrap();
-                eprintln!(
-                    "[telemt] Created default config at {}",
-                    config_path.display()
-                );
+
+                let serialized =
+                    match toml::to_string_pretty(&default).or_else(|_| toml::to_string(&default)) {
+                        Ok(value) => Some(value),
+                        Err(serialize_error) => {
+                            eprintln!(
+                                "[telemt] Warning: failed to serialize default config: {}",
+                                serialize_error
+                            );
+                            None
+                        }
+                    };
+
+                if config_path_explicit {
+                    if let Some(serialized) = serialized.as_ref() {
+                        if let Err(write_error) = std::fs::write(&config_path, serialized) {
+                            eprintln!(
+                                "[telemt] Error: failed to create explicit config at {}: {}",
+                                config_path.display(),
+                                write_error
+                            );
+                            std::process::exit(1);
+                        }
+                        eprintln!(
+                            "[telemt] Created default config at {}",
+                            config_path.display()
+                        );
+                    } else {
+                        eprintln!(
+                            "[telemt] Warning: running with in-memory default config without writing to disk"
+                        );
+                    }
+                } else {
+                    let system_dir = std::path::Path::new("/etc/telemt");
+                    let system_config_path = system_dir.join("telemt.toml");
+                    let startup_config_path = startup_cwd.join("config.toml");
+                    let mut persisted = false;
+
+                    if let Some(serialized) = serialized.as_ref() {
+                        match std::fs::create_dir_all(system_dir) {
+                            Ok(()) => match std::fs::write(&system_config_path, serialized) {
+                                Ok(()) => {
+                                    config_path = system_config_path;
+                                    eprintln!(
+                                        "[telemt] Created default config at {}",
+                                        config_path.display()
+                                    );
+                                    persisted = true;
+                                }
+                                Err(write_error) => {
+                                    eprintln!(
+                                        "[telemt] Warning: failed to write default config at {}: {}",
+                                        system_config_path.display(),
+                                        write_error
+                                    );
+                                }
+                            },
+                            Err(create_error) => {
+                                eprintln!(
+                                    "[telemt] Warning: failed to create {}: {}",
+                                    system_dir.display(),
+                                    create_error
+                                );
+                            }
+                        }
+
+                        if !persisted {
+                            match std::fs::write(&startup_config_path, serialized) {
+                                Ok(()) => {
+                                    config_path = startup_config_path;
+                                    eprintln!(
+                                        "[telemt] Created default config at {}",
+                                        config_path.display()
+                                    );
+                                    persisted = true;
+                                }
+                                Err(write_error) => {
+                                    eprintln!(
+                                        "[telemt] Warning: failed to write default config at {}: {}",
+                                        startup_config_path.display(),
+                                        write_error
+                                    );
+                                }
+                            }
+                        }
+                    }
+
+                    if !persisted {
+                        eprintln!(
+                            "[telemt] Warning: running with in-memory default config without writing to disk"
+                        );
+                    }
+                }
                default
            }
        }
@@ -631,6 +723,12 @@ async fn run_inner(
    )
    .await;
    let _admission_tx_hold = admission_tx;
+    let shared_state = ProxySharedState::new();
+    conntrack_control::spawn_conntrack_controller(
+        config_rx.clone(),
+        stats.clone(),
+        shared_state.clone(),
+    );

    let bound = listeners::bind_listeners(
        &config,
@@ -651,6 +749,7 @@ async fn run_inner(
        tls_cache.clone(),
        ip_tracker.clone(),
        beobachten.clone(),
+        shared_state.clone(),
        max_connections.clone(),
    )
    .await?;
@@ -664,7 +763,11 @@ async fn run_inner(

    // Drop privileges after binding sockets (which may require root for port < 1024)
    if daemon_opts.user.is_some() || daemon_opts.group.is_some() {
-        if let Err(e) = drop_privileges(daemon_opts.user.as_deref(), daemon_opts.group.as_deref()) {
+        if let Err(e) = drop_privileges(
+            daemon_opts.user.as_deref(),
+            daemon_opts.group.as_deref(),
+            _pid_file.as_ref(),
+        ) {
            error!(error = %e, "Failed to drop privileges");
            std::process::exit(1);
        }
@@ -683,6 +786,7 @@ async fn run_inner(
        &startup_tracker,
        stats.clone(),
        beobachten.clone(),
+        shared_state.clone(),
        ip_tracker.clone(),
        config_rx.clone(),
    )
@@ -707,6 +811,7 @@ async fn run_inner(
        tls_cache.clone(),
        ip_tracker.clone(),
        beobachten.clone(),
+        shared_state,
        max_connections.clone(),
    );

@@ -13,6 +13,7 @@ use crate::crypto::SecureRandom;
 use crate::ip_tracker::UserIpTracker;
 use crate::metrics;
 use crate::network::probe::NetworkProbe;
+use crate::proxy::shared_state::ProxySharedState;
 use crate::startup::{
    COMPONENT_CONFIG_WATCHER_START, COMPONENT_METRICS_START, COMPONENT_RUNTIME_READY,
    StartupTracker,
@@ -287,6 +288,7 @@ pub(crate) async fn spawn_metrics_if_configured(
    startup_tracker: &Arc<StartupTracker>,
    stats: Arc<Stats>,
    beobachten: Arc<BeobachtenStore>,
+    shared_state: Arc<ProxySharedState>,
    ip_tracker: Arc<UserIpTracker>,
    config_rx: watch::Receiver<Arc<ProxyConfig>>,
 ) {
@@ -320,6 +322,7 @@ pub(crate) async fn spawn_metrics_if_configured(
            .await;
        let stats = stats.clone();
        let beobachten = beobachten.clone();
+        let shared_state = shared_state.clone();
        let config_rx_metrics = config_rx.clone();
        let ip_tracker_metrics = ip_tracker.clone();
        let whitelist = config.server.metrics_whitelist.clone();
@@ -331,6 +334,7 @@ pub(crate) async fn spawn_metrics_if_configured(
                listen_backlog,
                stats,
                beobachten,
+                shared_state,
                ip_tracker_metrics,
                config_rx_metrics,
                whitelist,
@@ -3,6 +3,7 @@
 mod api;
 mod cli;
 mod config;
+mod conntrack_control;
 mod crypto;
 #[cfg(unix)]
 mod daemon;
@@ -15,6 +15,7 @@ use tracing::{debug, info, warn};

 use crate::config::ProxyConfig;
 use crate::ip_tracker::UserIpTracker;
+use crate::proxy::shared_state::ProxySharedState;
 use crate::stats::Stats;
 use crate::stats::beobachten::BeobachtenStore;
 use crate::transport::{ListenOptions, create_listener};
@@ -25,6 +26,7 @@ pub async fn serve(
    listen_backlog: u32,
    stats: Arc<Stats>,
    beobachten: Arc<BeobachtenStore>,
+    shared_state: Arc<ProxySharedState>,
    ip_tracker: Arc<UserIpTracker>,
    config_rx: tokio::sync::watch::Receiver<Arc<ProxyConfig>>,
    whitelist: Vec<IpNetwork>,
@@ -45,7 +47,13 @@ pub async fn serve(
            Ok(listener) => {
                info!("Metrics endpoint: http://{}/metrics and /beobachten", addr);
                serve_listener(
-                    listener, stats, beobachten, ip_tracker, config_rx, whitelist,
+                    listener,
+                    stats,
+                    beobachten,
+                    shared_state,
+                    ip_tracker,
+                    config_rx,
+                    whitelist,
                )
                .await;
            }
@@ -94,13 +102,20 @@ pub async fn serve(
        }
        (Some(listener), None) | (None, Some(listener)) => {
            serve_listener(
-                listener, stats, beobachten, ip_tracker, config_rx, whitelist,
+                listener,
+                stats,
+                beobachten,
+                shared_state,
+                ip_tracker,
+                config_rx,
+                whitelist,
            )
            .await;
        }
        (Some(listener4), Some(listener6)) => {
            let stats_v6 = stats.clone();
            let beobachten_v6 = beobachten.clone();
+            let shared_state_v6 = shared_state.clone();
            let ip_tracker_v6 = ip_tracker.clone();
            let config_rx_v6 = config_rx.clone();
            let whitelist_v6 = whitelist.clone();
@@ -109,6 +124,7 @@ pub async fn serve(
                    listener6,
                    stats_v6,
                    beobachten_v6,
+                    shared_state_v6,
                    ip_tracker_v6,
                    config_rx_v6,
                    whitelist_v6,
@@ -116,7 +132,13 @@ pub async fn serve(
                .await;
            });
            serve_listener(
-                listener4, stats, beobachten, ip_tracker, config_rx, whitelist,
+                listener4,
+                stats,
+                beobachten,
+                shared_state,
+                ip_tracker,
+                config_rx,
+                whitelist,
            )
            .await;
        }
@@ -142,6 +164,7 @@ async fn serve_listener(
    listener: TcpListener,
    stats: Arc<Stats>,
    beobachten: Arc<BeobachtenStore>,
+    shared_state: Arc<ProxySharedState>,
    ip_tracker: Arc<UserIpTracker>,
    config_rx: tokio::sync::watch::Receiver<Arc<ProxyConfig>>,
    whitelist: Arc<Vec<IpNetwork>>,
@@ -162,15 +185,27 @@ async fn serve_listener(

        let stats = stats.clone();
        let beobachten = beobachten.clone();
+        let shared_state = shared_state.clone();
        let ip_tracker = ip_tracker.clone();
        let config_rx_conn = config_rx.clone();
        tokio::spawn(async move {
            let svc = service_fn(move |req| {
                let stats = stats.clone();
                let beobachten = beobachten.clone();
+                let shared_state = shared_state.clone();
                let ip_tracker = ip_tracker.clone();
                let config = config_rx_conn.borrow().clone();
-                async move { handle(req, &stats, &beobachten, &ip_tracker, &config).await }
+                async move {
+                    handle(
+                        req,
+                        &stats,
+                        &beobachten,
+                        &shared_state,
+                        &ip_tracker,
+                        &config,
+                    )
+                    .await
+                }
            });
            if let Err(e) = http1::Builder::new()
                .serve_connection(hyper_util::rt::TokioIo::new(stream), svc)
@@ -186,11 +221,12 @@ async fn handle<B>(
    req: Request<B>,
    stats: &Stats,
    beobachten: &BeobachtenStore,
+    shared_state: &ProxySharedState,
    ip_tracker: &UserIpTracker,
    config: &ProxyConfig,
 ) -> Result<Response<Full<Bytes>>, Infallible> {
    if req.uri().path() == "/metrics" {
-        let body = render_metrics(stats, config, ip_tracker).await;
+        let body = render_metrics(stats, shared_state, config, ip_tracker).await;
        let resp = Response::builder()
            .status(StatusCode::OK)
            .header("content-type", "text/plain; version=0.0.4; charset=utf-8")
@@ -225,7 +261,12 @@ fn render_beobachten(beobachten: &BeobachtenStore, config: &ProxyConfig) -> Stri
    beobachten.snapshot_text(ttl)
 }

-async fn render_metrics(stats: &Stats, config: &ProxyConfig, ip_tracker: &UserIpTracker) -> String {
+async fn render_metrics(
+    stats: &Stats,
+    shared_state: &ProxySharedState,
+    config: &ProxyConfig,
+    ip_tracker: &UserIpTracker,
+) -> String {
    use std::fmt::Write;
    let mut out = String::with_capacity(4096);
    let telemetry = stats.telemetry_policy();
@@ -234,6 +275,17 @@ async fn render_metrics(stats: &Stats, config: &ProxyConfig, ip_tracker: &UserIp
    let me_allows_normal = telemetry.me_level.allows_normal();
    let me_allows_debug = telemetry.me_level.allows_debug();

+    let _ = writeln!(
+        out,
+        "# HELP telemt_build_info Build information for the running telemt binary"
+    );
+    let _ = writeln!(out, "# TYPE telemt_build_info gauge");
+    let _ = writeln!(
+        out,
+        "telemt_build_info{{version=\"{}\"}} 1",
+        env!("CARGO_PKG_VERSION")
+    );
+
    let _ = writeln!(out, "# HELP telemt_uptime_seconds Proxy uptime");
    let _ = writeln!(out, "# TYPE telemt_uptime_seconds gauge");
    let _ = writeln!(out, "telemt_uptime_seconds {:.1}", stats.uptime_secs());
@@ -359,6 +411,170 @@ async fn render_metrics(stats: &Stats, config: &ProxyConfig, ip_tracker: &UserIp
        }
    );

+    let _ = writeln!(
+        out,
+        "# HELP telemt_auth_expensive_checks_total Expensive authentication candidate checks executed during handshake validation"
+    );
+    let _ = writeln!(out, "# TYPE telemt_auth_expensive_checks_total counter");
+    let _ = writeln!(
+        out,
+        "telemt_auth_expensive_checks_total {}",
+        if core_enabled {
+            shared_state
+                .handshake
+                .auth_expensive_checks_total
+                .load(std::sync::atomic::Ordering::Relaxed)
+        } else {
+            0
+        }
+    );
+
+    let _ = writeln!(
+        out,
+        "# HELP telemt_auth_budget_exhausted_total Handshake validations that hit authentication candidate budget limits"
+    );
+    let _ = writeln!(out, "# TYPE telemt_auth_budget_exhausted_total counter");
+    let _ = writeln!(
+        out,
+        "telemt_auth_budget_exhausted_total {}",
+        if core_enabled {
+            shared_state
+                .handshake
+                .auth_budget_exhausted_total
+                .load(std::sync::atomic::Ordering::Relaxed)
+        } else {
+            0
+        }
+    );
+
+    let _ = writeln!(
+        out,
+        "# HELP telemt_accept_permit_timeout_total Accepted connections dropped due to permit wait timeout"
+    );
+    let _ = writeln!(out, "# TYPE telemt_accept_permit_timeout_total counter");
+    let _ = writeln!(
+        out,
+        "telemt_accept_permit_timeout_total {}",
+        if core_enabled {
+            stats.get_accept_permit_timeout_total()
+        } else {
+            0
+        }
+    );
+
+    let _ = writeln!(
+        out,
+        "# HELP telemt_conntrack_control_state Runtime conntrack control state flags"
+    );
+    let _ = writeln!(out, "# TYPE telemt_conntrack_control_state gauge");
+    let _ = writeln!(
+        out,
+        "telemt_conntrack_control_state{{flag=\"enabled\"}} {}",
+        if stats.get_conntrack_control_enabled() {
+            1
+        } else {
+            0
+        }
+    );
+    let _ = writeln!(
+        out,
+        "telemt_conntrack_control_state{{flag=\"available\"}} {}",
+        if stats.get_conntrack_control_available() {
+            1
+        } else {
+            0
+        }
+    );
+    let _ = writeln!(
+        out,
+        "telemt_conntrack_control_state{{flag=\"pressure_active\"}} {}",
+        if stats.get_conntrack_pressure_active() {
+            1
+        } else {
+            0
+        }
+    );
+    let _ = writeln!(
+        out,
+        "telemt_conntrack_control_state{{flag=\"rule_apply_ok\"}} {}",
+        if stats.get_conntrack_rule_apply_ok() {
+            1
+        } else {
+            0
+        }
+    );
+
+    let _ = writeln!(
+        out,
+        "# HELP telemt_conntrack_event_queue_depth Pending close events in conntrack control queue"
+    );
+    let _ = writeln!(out, "# TYPE telemt_conntrack_event_queue_depth gauge");
+    let _ = writeln!(
+        out,
+        "telemt_conntrack_event_queue_depth {}",
+        stats.get_conntrack_event_queue_depth()
+    );
+
+    let _ = writeln!(
+        out,
+        "# HELP telemt_conntrack_delete_total Conntrack delete attempts by outcome"
+    );
+    let _ = writeln!(out, "# TYPE telemt_conntrack_delete_total counter");
+    let _ = writeln!(
+        out,
+        "telemt_conntrack_delete_total{{result=\"attempt\"}} {}",
+        if core_enabled {
+            stats.get_conntrack_delete_attempt_total()
+        } else {
+            0
+        }
+    );
+    let _ = writeln!(
+        out,
+        "telemt_conntrack_delete_total{{result=\"success\"}} {}",
+        if core_enabled {
+            stats.get_conntrack_delete_success_total()
+        } else {
+            0
+        }
+    );
+    let _ = writeln!(
+        out,
+        "telemt_conntrack_delete_total{{result=\"not_found\"}} {}",
+        if core_enabled {
+            stats.get_conntrack_delete_not_found_total()
+        } else {
+            0
+        }
+    );
+    let _ = writeln!(
+        out,
+        "telemt_conntrack_delete_total{{result=\"error\"}} {}",
+        if core_enabled {
+            stats.get_conntrack_delete_error_total()
+        } else {
+            0
+        }
+    );
+
+    let _ = writeln!(
+        out,
+        "# HELP telemt_conntrack_close_event_drop_total Dropped conntrack close events due to queue pressure or unavailable sender"
+    );
+    let _ = writeln!(
+        out,
+        "# TYPE telemt_conntrack_close_event_drop_total counter"
+    );
+    let _ = writeln!(
+        out,
+        "telemt_conntrack_close_event_drop_total {}",
+        if core_enabled {
+            stats.get_conntrack_close_event_drop_total()
+        } else {
+            0
+        }
+    );
+
    let _ = writeln!(
        out,
        "# HELP telemt_upstream_connect_attempt_total Upstream connect attempts across all requests"
@@ -2719,6 +2935,7 @@ mod tests {
    #[tokio::test]
    async fn test_render_metrics_format() {
        let stats = Arc::new(Stats::new());
+        let shared_state = ProxySharedState::new();
        let tracker = UserIpTracker::new();
        let mut config = ProxyConfig::default();
        config
@@ -2730,6 +2947,14 @@ mod tests {
        stats.increment_connects_all();
        stats.increment_connects_bad();
        stats.increment_handshake_timeouts();
+        shared_state
+            .handshake
+            .auth_expensive_checks_total
+            .fetch_add(9, std::sync::atomic::Ordering::Relaxed);
+        shared_state
+            .handshake
+            .auth_budget_exhausted_total
+            .fetch_add(2, std::sync::atomic::Ordering::Relaxed);
        stats.increment_upstream_connect_attempt_total();
        stats.increment_upstream_connect_attempt_total();
        stats.increment_upstream_connect_success_total();
@@ -2773,11 +2998,17 @@ mod tests {
            .await
            .unwrap();

-        let output = render_metrics(&stats, &config, &tracker).await;
+        let output = render_metrics(&stats, shared_state.as_ref(), &config, &tracker).await;

+        assert!(output.contains(&format!(
+            "telemt_build_info{{version=\"{}\"}} 1",
+            env!("CARGO_PKG_VERSION")
+        )));
        assert!(output.contains("telemt_connections_total 2"));
        assert!(output.contains("telemt_connections_bad_total 1"));
        assert!(output.contains("telemt_handshake_timeouts_total 1"));
+        assert!(output.contains("telemt_auth_expensive_checks_total 9"));
+        assert!(output.contains("telemt_auth_budget_exhausted_total 2"));
        assert!(output.contains("telemt_upstream_connect_attempt_total 2"));
        assert!(output.contains("telemt_upstream_connect_success_total 1"));
        assert!(output.contains("telemt_upstream_connect_fail_total 1"));
@@ -2832,12 +3063,15 @@ mod tests {
    #[tokio::test]
    async fn test_render_empty_stats() {
        let stats = Stats::new();
+        let shared_state = ProxySharedState::new();
        let tracker = UserIpTracker::new();
        let config = ProxyConfig::default();
-        let output = render_metrics(&stats, &config, &tracker).await;
+        let output = render_metrics(&stats, &shared_state, &config, &tracker).await;
        assert!(output.contains("telemt_connections_total 0"));
        assert!(output.contains("telemt_connections_bad_total 0"));
        assert!(output.contains("telemt_handshake_timeouts_total 0"));
+        assert!(output.contains("telemt_auth_expensive_checks_total 0"));
+        assert!(output.contains("telemt_auth_budget_exhausted_total 0"));
        assert!(output.contains("telemt_user_unique_ips_current{user="));
        assert!(output.contains("telemt_user_unique_ips_recent_window{user="));
    }
@@ -2845,6 +3079,7 @@ mod tests {
    #[tokio::test]
    async fn test_render_uses_global_each_unique_ip_limit() {
        let stats = Stats::new();
+        let shared_state = ProxySharedState::new();
        stats.increment_user_connects("alice");
        stats.increment_user_curr_connects("alice");
        let tracker = UserIpTracker::new();
@@ -2855,7 +3090,7 @@ mod tests {
        let mut config = ProxyConfig::default();
        config.access.user_max_unique_ips_global_each = 2;

-        let output = render_metrics(&stats, &config, &tracker).await;
+        let output = render_metrics(&stats, &shared_state, &config, &tracker).await;

        assert!(output.contains("telemt_user_unique_ips_limit{user=\"alice\"} 2"));
        assert!(output.contains("telemt_user_unique_ips_utilization{user=\"alice\"} 0.500000"));
@@ -2864,13 +3099,16 @@ mod tests {
    #[tokio::test]
    async fn test_render_has_type_annotations() {
        let stats = Stats::new();
+        let shared_state = ProxySharedState::new();
        let tracker = UserIpTracker::new();
        let config = ProxyConfig::default();
-        let output = render_metrics(&stats, &config, &tracker).await;
+        let output = render_metrics(&stats, &shared_state, &config, &tracker).await;
        assert!(output.contains("# TYPE telemt_uptime_seconds gauge"));
        assert!(output.contains("# TYPE telemt_connections_total counter"));
        assert!(output.contains("# TYPE telemt_connections_bad_total counter"));
        assert!(output.contains("# TYPE telemt_handshake_timeouts_total counter"));
+        assert!(output.contains("# TYPE telemt_auth_expensive_checks_total counter"));
+        assert!(output.contains("# TYPE telemt_auth_budget_exhausted_total counter"));
        assert!(output.contains("# TYPE telemt_upstream_connect_attempt_total counter"));
        assert!(output.contains("# TYPE telemt_me_rpc_proxy_req_signal_sent_total counter"));
        assert!(output.contains("# TYPE telemt_me_idle_close_by_peer_total counter"));
@@ -2907,6 +3145,7 @@ mod tests {
    async fn test_endpoint_integration() {
        let stats = Arc::new(Stats::new());
        let beobachten = Arc::new(BeobachtenStore::new());
+        let shared_state = ProxySharedState::new();
        let tracker = UserIpTracker::new();
        let mut config = ProxyConfig::default();
        stats.increment_connects_all();
@@ -2914,9 +3153,16 @@ mod tests {
        stats.increment_connects_all();

        let req = Request::builder().uri("/metrics").body(()).unwrap();
-        let resp = handle(req, &stats, &beobachten, &tracker, &config)
-            .await
-            .unwrap();
+        let resp = handle(
+            req,
+            &stats,
+            &beobachten,
+            shared_state.as_ref(),
+            &tracker,
+            &config,
+        )
+        .await
+        .unwrap();
        assert_eq!(resp.status(), StatusCode::OK);
        let body = resp.into_body().collect().await.unwrap().to_bytes();
        assert!(
@@ -2924,6 +3170,14 @@ mod tests {
                .unwrap()
                .contains("telemt_connections_total 3")
        );
+        assert!(
+            std::str::from_utf8(body.as_ref())
+                .unwrap()
+                .contains(&format!(
+                    "telemt_build_info{{version=\"{}\"}} 1",
+                    env!("CARGO_PKG_VERSION")
+                ))
+        );

        config.general.beobachten = true;
        config.general.beobachten_minutes = 10;
@@ -2933,9 +3187,16 @@ mod tests {
            Duration::from_secs(600),
        );
        let req_beob = Request::builder().uri("/beobachten").body(()).unwrap();
-        let resp_beob = handle(req_beob, &stats, &beobachten, &tracker, &config)
-            .await
-            .unwrap();
+        let resp_beob = handle(
+            req_beob,
+            &stats,
+            &beobachten,
+            shared_state.as_ref(),
+            &tracker,
+            &config,
+        )
+        .await
+        .unwrap();
        assert_eq!(resp_beob.status(), StatusCode::OK);
        let body_beob = resp_beob.into_body().collect().await.unwrap().to_bytes();
        let beob_text = std::str::from_utf8(body_beob.as_ref()).unwrap();
@@ -2943,9 +3204,16 @@ mod tests {
        assert!(beob_text.contains("203.0.113.10-1"));

        let req404 = Request::builder().uri("/other").body(()).unwrap();
-        let resp404 = handle(req404, &stats, &beobachten, &tracker, &config)
-            .await
-            .unwrap();
+        let resp404 = handle(
+            req404,
+            &stats,
+            &beobachten,
+            shared_state.as_ref(),
+            &tracker,
+            &config,
+        )
+        .await
+        .unwrap();
        assert_eq!(resp404.status(), StatusCode::NOT_FOUND);
    }
 }
@@ -24,6 +24,8 @@ const DIRECT_S2C_CAP_BYTES: usize = 512 * 1024;
 const ME_FRAMES_CAP: usize = 96;
 const ME_BYTES_CAP: usize = 384 * 1024;
 const ME_DELAY_MIN_US: u64 = 150;
+const MAX_USER_PROFILES_ENTRIES: usize = 50_000;
+const MAX_USER_KEY_BYTES: usize = 512;

 #[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
 pub enum AdaptiveTier {
@@ -234,32 +236,50 @@ fn profiles() -> &'static DashMap<String, UserAdaptiveProfile> {
 }

 pub fn seed_tier_for_user(user: &str) -> AdaptiveTier {
+    if user.len() > MAX_USER_KEY_BYTES {
+        return AdaptiveTier::Base;
+    }
    let now = Instant::now();
    if let Some(entry) = profiles().get(user) {
-        let value = entry.value();
-        if now.duration_since(value.seen_at) <= PROFILE_TTL {
+        let value = *entry.value();
+        drop(entry);
+        if now.saturating_duration_since(value.seen_at) <= PROFILE_TTL {
            return value.tier;
        }
+        profiles().remove_if(user, |_, v| {
+            now.saturating_duration_since(v.seen_at) > PROFILE_TTL
+        });
    }
    AdaptiveTier::Base
 }

 pub fn record_user_tier(user: &str, tier: AdaptiveTier) {
-    let now = Instant::now();
-    if let Some(mut entry) = profiles().get_mut(user) {
-        let existing = *entry;
-        let effective = if now.duration_since(existing.seen_at) > PROFILE_TTL {
-            tier
-        } else {
-            max(existing.tier, tier)
-        };
-        *entry = UserAdaptiveProfile {
-            tier: effective,
-            seen_at: now,
-        };
+    if user.len() > MAX_USER_KEY_BYTES {
        return;
    }
-    profiles().insert(user.to_string(), UserAdaptiveProfile { tier, seen_at: now });
+    let now = Instant::now();
+    let mut was_vacant = false;
+    match profiles().entry(user.to_string()) {
+        dashmap::mapref::entry::Entry::Occupied(mut entry) => {
+            let existing = *entry.get();
+            let effective = if now.saturating_duration_since(existing.seen_at) > PROFILE_TTL {
+                tier
+            } else {
+                max(existing.tier, tier)
+            };
+            entry.insert(UserAdaptiveProfile {
+                tier: effective,
+                seen_at: now,
+            });
+        }
+        dashmap::mapref::entry::Entry::Vacant(slot) => {
+            slot.insert(UserAdaptiveProfile { tier, seen_at: now });
+            was_vacant = true;
+        }
+    }
+    if was_vacant && profiles().len() > MAX_USER_PROFILES_ENTRIES {
+        profiles().retain(|_, v| now.saturating_duration_since(v.seen_at) <= PROFILE_TTL);
+    }
 }

 pub fn direct_copy_buffers_for_tier(
@@ -310,6 +330,14 @@ fn scale(base: usize, numerator: usize, denominator: usize, cap: usize) -> usize
    scaled.min(cap).max(1)
 }

+#[cfg(test)]
+#[path = "tests/adaptive_buffers_security_tests.rs"]
+mod adaptive_buffers_security_tests;
+
+#[cfg(test)]
+#[path = "tests/adaptive_buffers_record_race_security_tests.rs"]
+mod adaptive_buffers_record_race_security_tests;
+
 #[cfg(test)]
 mod tests {
    use super::*;
@@ -80,11 +80,16 @@ use crate::transport::middle_proxy::MePool;
 use crate::transport::socket::normalize_ip;
 use crate::transport::{UpstreamManager, configure_client_socket, parse_proxy_protocol};

-use crate::proxy::direct_relay::handle_via_direct;
-use crate::proxy::handshake::{HandshakeSuccess, handle_mtproto_handshake, handle_tls_handshake};
+use crate::proxy::direct_relay::handle_via_direct_with_shared;
+use crate::proxy::handshake::{
+    HandshakeSuccess, handle_mtproto_handshake_with_shared, handle_tls_handshake_with_shared,
+};
+#[cfg(test)]
+use crate::proxy::handshake::{handle_mtproto_handshake, handle_tls_handshake};
 use crate::proxy::masking::handle_bad_client;
 use crate::proxy::middle_relay::handle_via_middle_proxy;
 use crate::proxy::route_mode::{RelayRouteMode, RouteRuntimeController};
+use crate::proxy::shared_state::ProxySharedState;

 fn beobachten_ttl(config: &ProxyConfig) -> Duration {
    const BEOBACHTEN_TTL_MAX_MINUTES: u64 = 24 * 60;
@@ -186,6 +191,24 @@ fn handshake_timeout_with_mask_grace(config: &ProxyConfig) -> Duration {
    }
 }

+fn effective_client_first_byte_idle_secs(config: &ProxyConfig, shared: &ProxySharedState) -> u64 {
+    let idle_secs = config.timeouts.client_first_byte_idle_secs;
+    if idle_secs == 0 {
+        return 0;
+    }
+    if shared.conntrack_pressure_active() {
+        idle_secs.min(
+            config
+                .server
+                .conntrack_control
+                .profile
+                .client_first_byte_idle_cap_secs(),
+        )
+    } else {
+        idle_secs
+    }
+}
+
 const MASK_CLASSIFIER_PREFETCH_WINDOW: usize = 16;
 #[cfg(test)]
 const MASK_CLASSIFIER_PREFETCH_TIMEOUT: Duration = Duration::from_millis(5);
@@ -342,7 +365,48 @@ fn synthetic_local_addr(port: u16) -> SocketAddr {
    SocketAddr::from(([0, 0, 0, 0], port))
 }

+#[cfg(test)]
 pub async fn handle_client_stream<S>(
+    stream: S,
+    peer: SocketAddr,
+    config: Arc<ProxyConfig>,
+    stats: Arc<Stats>,
+    upstream_manager: Arc<UpstreamManager>,
+    replay_checker: Arc<ReplayChecker>,
+    buffer_pool: Arc<BufferPool>,
+    rng: Arc<SecureRandom>,
+    me_pool: Option<Arc<MePool>>,
+    route_runtime: Arc<RouteRuntimeController>,
+    tls_cache: Option<Arc<TlsFrontCache>>,
+    ip_tracker: Arc<UserIpTracker>,
+    beobachten: Arc<BeobachtenStore>,
+    proxy_protocol_enabled: bool,
+) -> Result<()>
+where
+    S: AsyncRead + AsyncWrite + Unpin + Send + 'static,
+{
+    handle_client_stream_with_shared(
+        stream,
+        peer,
+        config,
+        stats,
+        upstream_manager,
+        replay_checker,
+        buffer_pool,
+        rng,
+        me_pool,
+        route_runtime,
+        tls_cache,
+        ip_tracker,
+        beobachten,
+        ProxySharedState::new(),
+        proxy_protocol_enabled,
+    )
+    .await
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn handle_client_stream_with_shared<S>(
    mut stream: S,
    peer: SocketAddr,
    config: Arc<ProxyConfig>,
@@ -356,6 +420,7 @@ pub async fn handle_client_stream<S>(
    tls_cache: Option<Arc<TlsFrontCache>>,
    ip_tracker: Arc<UserIpTracker>,
    beobachten: Arc<BeobachtenStore>,
+    shared: Arc<ProxySharedState>,
    proxy_protocol_enabled: bool,
 ) -> Result<()>
 where
@@ -416,10 +481,11 @@ where

    debug!(peer = %real_peer, "New connection (generic stream)");

-    let first_byte = if config.timeouts.client_first_byte_idle_secs == 0 {
+    let first_byte_idle_secs = effective_client_first_byte_idle_secs(&config, shared.as_ref());
+    let first_byte = if first_byte_idle_secs == 0 {
        None
    } else {
-        let idle_timeout = Duration::from_secs(config.timeouts.client_first_byte_idle_secs);
+        let idle_timeout = Duration::from_secs(first_byte_idle_secs);
        let mut first_byte = [0u8; 1];
        match timeout(idle_timeout, stream.read(&mut first_byte)).await {
            Ok(Ok(0)) => {
@@ -455,7 +521,7 @@ where
            Err(_) => {
                debug!(
                    peer = %real_peer,
-                    idle_secs = config.timeouts.client_first_byte_idle_secs,
+                    idle_secs = first_byte_idle_secs,
                    "Closing idle pooled connection before first client byte"
                );
                return Ok(());
@@ -550,9 +616,10 @@ where

            let (read_half, write_half) = tokio::io::split(stream);

-            let (mut tls_reader, tls_writer, tls_user) = match handle_tls_handshake(
+            let (mut tls_reader, tls_writer, tls_user) = match handle_tls_handshake_with_shared(
                &handshake, read_half, write_half, real_peer,
                &config, &replay_checker, &rng, tls_cache.clone(),
+                shared.as_ref(),
            ).await {
                HandshakeResult::Success(result) => result,
                HandshakeResult::BadClient { reader, writer } => {
@@ -578,9 +645,10 @@ where
            let mtproto_handshake: [u8; HANDSHAKE_LEN] = mtproto_data[..].try_into()
                .map_err(|_| ProxyError::InvalidHandshake("Short MTProto handshake".into()))?;

-            let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake(
+            let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake_with_shared(
                &mtproto_handshake, tls_reader, tls_writer, real_peer,
                &config, &replay_checker, true, Some(tls_user.as_str()),
+                shared.as_ref(),
            ).await {
                HandshakeResult::Success(result) => result,
                HandshakeResult::BadClient { reader, writer } => {
@@ -614,11 +682,12 @@ where
            };

            Ok(HandshakeOutcome::NeedsRelay(Box::pin(
-                RunningClientHandler::handle_authenticated_static(
+                RunningClientHandler::handle_authenticated_static_with_shared(
                    crypto_reader, crypto_writer, success,
                    upstream_manager, stats, config, buffer_pool, rng, me_pool,
                    route_runtime.clone(),
                    local_addr, real_peer, ip_tracker.clone(),
+                    shared.clone(),
                ),
            )))
        } else {
@@ -644,9 +713,10 @@ where

            let (read_half, write_half) = tokio::io::split(stream);

-            let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake(
+            let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake_with_shared(
                &handshake, read_half, write_half, real_peer,
                &config, &replay_checker, false, None,
+                shared.as_ref(),
            ).await {
                HandshakeResult::Success(result) => result,
                HandshakeResult::BadClient { reader, writer } => {
@@ -665,7 +735,7 @@ where
            };

            Ok(HandshakeOutcome::NeedsRelay(Box::pin(
-                RunningClientHandler::handle_authenticated_static(
+                RunningClientHandler::handle_authenticated_static_with_shared(
                    crypto_reader,
                    crypto_writer,
                    success,
@@ -679,6 +749,7 @@ where
                    local_addr,
                    real_peer,
                    ip_tracker.clone(),
+                    shared.clone(),
                )
            )))
        }
@@ -731,10 +802,15 @@ pub struct RunningClientHandler {
    tls_cache: Option<Arc<TlsFrontCache>>,
    ip_tracker: Arc<UserIpTracker>,
    beobachten: Arc<BeobachtenStore>,
+    shared: Arc<ProxySharedState>,
    proxy_protocol_enabled: bool,
+    #[cfg(unix)]
+    raw_fd: std::os::unix::io::RawFd,
+    rst_on_close: crate::config::RstOnCloseMode,
 }

 impl ClientHandler {
+    #[cfg(test)]
    pub fn new(
        stream: TcpStream,
        peer: SocketAddr,
@@ -751,6 +827,55 @@ impl ClientHandler {
        beobachten: Arc<BeobachtenStore>,
        proxy_protocol_enabled: bool,
        real_peer_report: Arc<std::sync::Mutex<Option<SocketAddr>>>,
+    ) -> RunningClientHandler {
+        #[cfg(unix)]
+        let raw_fd = {
+            use std::os::unix::io::AsRawFd;
+            stream.as_raw_fd()
+        };
+        Self::new_with_shared(
+            stream,
+            peer,
+            config,
+            stats,
+            upstream_manager,
+            replay_checker,
+            buffer_pool,
+            rng,
+            me_pool,
+            route_runtime,
+            tls_cache,
+            ip_tracker,
+            beobachten,
+            ProxySharedState::new(),
+            proxy_protocol_enabled,
+            real_peer_report,
+            #[cfg(unix)]
+            raw_fd,
+            crate::config::RstOnCloseMode::Off,
+        )
+    }
+
+    #[allow(clippy::too_many_arguments)]
+    pub fn new_with_shared(
+        stream: TcpStream,
+        peer: SocketAddr,
+        config: Arc<ProxyConfig>,
+        stats: Arc<Stats>,
+        upstream_manager: Arc<UpstreamManager>,
+        replay_checker: Arc<ReplayChecker>,
+        buffer_pool: Arc<BufferPool>,
+        rng: Arc<SecureRandom>,
+        me_pool: Option<Arc<MePool>>,
+        route_runtime: Arc<RouteRuntimeController>,
+        tls_cache: Option<Arc<TlsFrontCache>>,
+        ip_tracker: Arc<UserIpTracker>,
+        beobachten: Arc<BeobachtenStore>,
+        shared: Arc<ProxySharedState>,
+        proxy_protocol_enabled: bool,
+        real_peer_report: Arc<std::sync::Mutex<Option<SocketAddr>>>,
+        #[cfg(unix)] raw_fd: std::os::unix::io::RawFd,
+        rst_on_close: crate::config::RstOnCloseMode,
    ) -> RunningClientHandler {
        let normalized_peer = normalize_ip(peer);
        RunningClientHandler {
@@ -769,7 +894,11 @@ impl ClientHandler {
            tls_cache,
            ip_tracker,
            beobachten,
+            shared,
            proxy_protocol_enabled,
+            #[cfg(unix)]
+            raw_fd,
+            rst_on_close,
        }
    }
 }
@@ -788,6 +917,10 @@ impl RunningClientHandler {
            debug!(peer = %peer, error = %e, "Failed to configure client socket");
        }

+        #[cfg(unix)]
+        let raw_fd = self.raw_fd;
+        let rst_on_close = self.rst_on_close;
+
        let outcome = match self.do_handshake().await? {
            Some(outcome) => outcome,
            None => return Ok(()),
@@ -795,7 +928,14 @@ impl RunningClientHandler {

        // Phase 2: relay (WITHOUT handshake timeout — relay has its own activity timeouts)
        match outcome {
-            HandshakeOutcome::NeedsRelay(fut) | HandshakeOutcome::NeedsMasking(fut) => fut.await,
+            HandshakeOutcome::NeedsRelay(fut) => {
+                #[cfg(unix)]
+                if matches!(rst_on_close, crate::config::RstOnCloseMode::Errors) {
+                    let _ = crate::transport::socket::clear_linger_fd(raw_fd);
+                }
+                fut.await
+            }
+            HandshakeOutcome::NeedsMasking(fut) => fut.await,
        }
    }

@@ -874,11 +1014,12 @@ impl RunningClientHandler {
            }
        }

-        let first_byte = if self.config.timeouts.client_first_byte_idle_secs == 0 {
+        let first_byte_idle_secs =
+            effective_client_first_byte_idle_secs(&self.config, self.shared.as_ref());
+        let first_byte = if first_byte_idle_secs == 0 {
            None
        } else {
-            let idle_timeout =
-                Duration::from_secs(self.config.timeouts.client_first_byte_idle_secs);
+            let idle_timeout = Duration::from_secs(first_byte_idle_secs);
            let mut first_byte = [0u8; 1];
            match timeout(idle_timeout, self.stream.read(&mut first_byte)).await {
                Ok(Ok(0)) => {
@@ -914,7 +1055,7 @@ impl RunningClientHandler {
                Err(_) => {
                    debug!(
                        peer = %self.peer,
-                        idle_secs = self.config.timeouts.client_first_byte_idle_secs,
+                        idle_secs = first_byte_idle_secs,
                        "Closing idle pooled connection before first client byte"
                    );
                    return Ok(None);
@@ -1058,7 +1199,7 @@ impl RunningClientHandler {

        let (read_half, write_half) = self.stream.into_split();

-        let (mut tls_reader, tls_writer, tls_user) = match handle_tls_handshake(
+        let (mut tls_reader, tls_writer, tls_user) = match handle_tls_handshake_with_shared(
            &handshake,
            read_half,
            write_half,
@@ -1067,6 +1208,7 @@ impl RunningClientHandler {
            &replay_checker,
            &self.rng,
            self.tls_cache.clone(),
+            self.shared.as_ref(),
        )
        .await
        {
@@ -1095,7 +1237,7 @@ impl RunningClientHandler {
            .try_into()
            .map_err(|_| ProxyError::InvalidHandshake("Short MTProto handshake".into()))?;

-        let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake(
+        let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake_with_shared(
            &mtproto_handshake,
            tls_reader,
            tls_writer,
@@ -1104,6 +1246,7 @@ impl RunningClientHandler {
            &replay_checker,
            true,
            Some(tls_user.as_str()),
+            self.shared.as_ref(),
        )
        .await
        {
@@ -1140,7 +1283,7 @@ impl RunningClientHandler {
        };

        Ok(HandshakeOutcome::NeedsRelay(Box::pin(
-            Self::handle_authenticated_static(
+            Self::handle_authenticated_static_with_shared(
                crypto_reader,
                crypto_writer,
                success,
@@ -1154,6 +1297,7 @@ impl RunningClientHandler {
                local_addr,
                peer,
                self.ip_tracker,
+                self.shared,
            ),
        )))
    }
@@ -1192,7 +1336,7 @@ impl RunningClientHandler {

        let (read_half, write_half) = self.stream.into_split();

-        let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake(
+        let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake_with_shared(
            &handshake,
            read_half,
            write_half,
@@ -1201,6 +1345,7 @@ impl RunningClientHandler {
            &replay_checker,
            false,
            None,
+            self.shared.as_ref(),
        )
        .await
        {
@@ -1221,7 +1366,7 @@ impl RunningClientHandler {
        };

        Ok(HandshakeOutcome::NeedsRelay(Box::pin(
-            Self::handle_authenticated_static(
+            Self::handle_authenticated_static_with_shared(
                crypto_reader,
                crypto_writer,
                success,
@@ -1235,6 +1380,7 @@ impl RunningClientHandler {
                local_addr,
                peer,
                self.ip_tracker,
+                self.shared,
            ),
        )))
    }
@@ -1243,6 +1389,7 @@ impl RunningClientHandler {
    /// Two modes:
    ///   - Direct: TCP relay to TG DC (existing behavior)  
    ///   - Middle Proxy: RPC multiplex through ME pool (new — supports CDN DCs)
+    #[cfg(test)]
    async fn handle_authenticated_static<R, W>(
        client_reader: CryptoReader<R>,
        client_writer: CryptoWriter<W>,
@@ -1258,6 +1405,45 @@ impl RunningClientHandler {
        peer_addr: SocketAddr,
        ip_tracker: Arc<UserIpTracker>,
    ) -> Result<()>
+    where
+        R: AsyncRead + Unpin + Send + 'static,
+        W: AsyncWrite + Unpin + Send + 'static,
+    {
+        Self::handle_authenticated_static_with_shared(
+            client_reader,
+            client_writer,
+            success,
+            upstream_manager,
+            stats,
+            config,
+            buffer_pool,
+            rng,
+            me_pool,
+            route_runtime,
+            local_addr,
+            peer_addr,
+            ip_tracker,
+            ProxySharedState::new(),
+        )
+        .await
+    }
+
+    async fn handle_authenticated_static_with_shared<R, W>(
+        client_reader: CryptoReader<R>,
+        client_writer: CryptoWriter<W>,
+        success: HandshakeSuccess,
+        upstream_manager: Arc<UpstreamManager>,
+        stats: Arc<Stats>,
+        config: Arc<ProxyConfig>,
+        buffer_pool: Arc<BufferPool>,
+        rng: Arc<SecureRandom>,
+        me_pool: Option<Arc<MePool>>,
+        route_runtime: Arc<RouteRuntimeController>,
+        local_addr: SocketAddr,
+        peer_addr: SocketAddr,
+        ip_tracker: Arc<UserIpTracker>,
+        shared: Arc<ProxySharedState>,
+    ) -> Result<()>
    where
        R: AsyncRead + Unpin + Send + 'static,
        W: AsyncWrite + Unpin + Send + 'static,
@@ -1299,11 +1485,12 @@ impl RunningClientHandler {
                    route_runtime.subscribe(),
                    route_snapshot,
                    session_id,
+                    shared.clone(),
                )
                .await
            } else {
                warn!("use_middle_proxy=true but MePool not initialized, falling back to direct");
-                handle_via_direct(
+                handle_via_direct_with_shared(
                    client_reader,
                    client_writer,
                    success,
@@ -1315,12 +1502,14 @@ impl RunningClientHandler {
                    route_runtime.subscribe(),
                    route_snapshot,
                    session_id,
+                    local_addr,
+                    shared.clone(),
                )
                .await
            }
        } else {
            // Direct mode (original behavior)
-            handle_via_direct(
+            handle_via_direct_with_shared(
                client_reader,
                client_writer,
                success,
@@ -1332,6 +1521,8 @@ impl RunningClientHandler {
                route_runtime.subscribe(),
                route_snapshot,
                session_id,
+                local_addr,
+                shared.clone(),
            )
            .await
        };
@@ -6,6 +6,7 @@ use std::net::SocketAddr;
 use std::path::{Component, Path, PathBuf};
 use std::sync::Arc;
 use std::sync::{Mutex, OnceLock};
+use std::time::Duration;

 use tokio::io::{AsyncRead, AsyncWrite, AsyncWriteExt, ReadHalf, WriteHalf, split};
 use tokio::sync::watch;
@@ -16,11 +17,13 @@ use crate::crypto::SecureRandom;
 use crate::error::{ProxyError, Result};
 use crate::protocol::constants::*;
 use crate::proxy::handshake::{HandshakeSuccess, encrypt_tg_nonce_with_ciphers, generate_tg_nonce};
-use crate::proxy::relay::relay_bidirectional;
 use crate::proxy::route_mode::{
    ROUTE_SWITCH_ERROR_MSG, RelayRouteMode, RouteCutoverState, affected_cutover_state,
    cutover_stagger_delay,
 };
+use crate::proxy::shared_state::{
+    ConntrackCloseEvent, ConntrackClosePublishResult, ConntrackCloseReason, ProxySharedState,
+};
 use crate::stats::Stats;
 use crate::stream::{BufferPool, CryptoReader, CryptoWriter};
 use crate::transport::UpstreamManager;
@@ -225,7 +228,43 @@ fn unknown_dc_test_lock() -> &'static Mutex<()> {
    TEST_LOCK.get_or_init(|| Mutex::new(()))
 }

+#[allow(dead_code)]
 pub(crate) async fn handle_via_direct<R, W>(
+    client_reader: CryptoReader<R>,
+    client_writer: CryptoWriter<W>,
+    success: HandshakeSuccess,
+    upstream_manager: Arc<UpstreamManager>,
+    stats: Arc<Stats>,
+    config: Arc<ProxyConfig>,
+    buffer_pool: Arc<BufferPool>,
+    rng: Arc<SecureRandom>,
+    route_rx: watch::Receiver<RouteCutoverState>,
+    route_snapshot: RouteCutoverState,
+    session_id: u64,
+) -> Result<()>
+where
+    R: AsyncRead + Unpin + Send + 'static,
+    W: AsyncWrite + Unpin + Send + 'static,
+{
+    handle_via_direct_with_shared(
+        client_reader,
+        client_writer,
+        success,
+        upstream_manager,
+        stats,
+        config.clone(),
+        buffer_pool,
+        rng,
+        route_rx,
+        route_snapshot,
+        session_id,
+        SocketAddr::from(([0, 0, 0, 0], config.server.port)),
+        ProxySharedState::new(),
+    )
+    .await
+}
+
+pub(crate) async fn handle_via_direct_with_shared<R, W>(
    client_reader: CryptoReader<R>,
    client_writer: CryptoWriter<W>,
    success: HandshakeSuccess,
@@ -237,6 +276,8 @@ pub(crate) async fn handle_via_direct<R, W>(
    mut route_rx: watch::Receiver<RouteCutoverState>,
    route_snapshot: RouteCutoverState,
    session_id: u64,
+    local_addr: SocketAddr,
+    shared: Arc<ProxySharedState>,
 ) -> Result<()>
 where
    R: AsyncRead + Unpin + Send + 'static,
@@ -277,7 +318,18 @@ where
    let _direct_connection_lease = stats.acquire_direct_connection_lease();

    let buffer_pool_trim = Arc::clone(&buffer_pool);
-    let relay_result = relay_bidirectional(
+    let relay_activity_timeout = if shared.conntrack_pressure_active() {
+        Duration::from_secs(
+            config
+                .server
+                .conntrack_control
+                .profile
+                .direct_activity_timeout_secs(),
+        )
+    } else {
+        Duration::from_secs(1800)
+    };
+    let relay_result = crate::proxy::relay::relay_bidirectional_with_activity_timeout(
        client_reader,
        client_writer,
        tg_reader,
@@ -288,6 +340,7 @@ where
        Arc::clone(&stats),
        config.access.user_data_quota.get(user).copied(),
        buffer_pool,
+        relay_activity_timeout,
    );
    tokio::pin!(relay_result);
    let relay_result = loop {
@@ -329,9 +382,52 @@ where
        pool_snapshot.allocated,
        pool_snapshot.allocated.saturating_sub(pool_snapshot.pooled),
    );
+
+    let close_reason = classify_conntrack_close_reason(&relay_result);
+    let publish_result = shared.publish_conntrack_close_event(ConntrackCloseEvent {
+        src: success.peer,
+        dst: local_addr,
+        reason: close_reason,
+    });
+    if !matches!(
+        publish_result,
+        ConntrackClosePublishResult::Sent | ConntrackClosePublishResult::Disabled
+    ) {
+        stats.increment_conntrack_close_event_drop_total();
+    }
+
    relay_result
 }

+fn classify_conntrack_close_reason(result: &Result<()>) -> ConntrackCloseReason {
+    match result {
+        Ok(()) => ConntrackCloseReason::NormalEof,
+        Err(crate::error::ProxyError::Io(error))
+            if matches!(error.kind(), std::io::ErrorKind::TimedOut) =>
+        {
+            ConntrackCloseReason::Timeout
+        }
+        Err(crate::error::ProxyError::Io(error))
+            if matches!(
+                error.kind(),
+                std::io::ErrorKind::ConnectionReset
+                    | std::io::ErrorKind::ConnectionAborted
+                    | std::io::ErrorKind::BrokenPipe
+                    | std::io::ErrorKind::NotConnected
+                    | std::io::ErrorKind::UnexpectedEof
+            ) =>
+        {
+            ConntrackCloseReason::Reset
+        }
+        Err(crate::error::ProxyError::Proxy(message))
+            if message.contains("pressure") || message.contains("evicted") =>
+        {
+            ConntrackCloseReason::Pressure
+        }
+        Err(_) => ConntrackCloseReason::Other,
+    }
+}
+
 fn get_dc_addr_static(dc_idx: i16, config: &ProxyConfig) -> Result<SocketAddr> {
    let prefer_v6 = config.network.prefer == 6 && config.network.ipv6.unwrap_or(true);
    let datacenters = if prefer_v6 {
@@ -249,6 +249,43 @@ async fn wait_mask_connect_budget(started: Instant) {
    }
 }

+// Log-normal sample bounded to [floor, ceiling]. Median = sqrt(floor * ceiling).
+// Implements Box-Muller transform for standard normal sampling — no external
+// dependency on rand_distr (which is incompatible with rand 0.10).
+// sigma is chosen so ~99% of raw samples land inside [floor, ceiling] before clamp.
+// When floor > ceiling (misconfiguration), returns ceiling (the smaller value).
+// When floor == ceiling, returns that value. When both are 0, returns 0.
+pub(crate) fn sample_lognormal_percentile_bounded(
+    floor: u64,
+    ceiling: u64,
+    rng: &mut impl Rng,
+) -> u64 {
+    if ceiling == 0 && floor == 0 {
+        return 0;
+    }
+    if floor > ceiling {
+        return ceiling;
+    }
+    if floor == ceiling {
+        return floor;
+    }
+    let floor_f = floor.max(1) as f64;
+    let ceiling_f = ceiling.max(1) as f64;
+    let mu = (floor_f.ln() + ceiling_f.ln()) / 2.0;
+    // 4.65 ≈ 2 * 2.326 (double-sided z-score for 99th percentile)
+    let sigma = ((ceiling_f / floor_f).ln() / 4.65).max(0.01);
+    // Box-Muller transform: two uniform samples → one standard normal sample
+    let u1: f64 = rng.random_range(f64::MIN_POSITIVE..1.0);
+    let u2: f64 = rng.random_range(0.0_f64..std::f64::consts::TAU);
+    let normal_sample = (-2.0_f64 * u1.ln()).sqrt() * u2.cos();
+    let raw = (mu + sigma * normal_sample).exp();
+    if raw.is_finite() {
+        (raw as u64).clamp(floor, ceiling)
+    } else {
+        ((floor_f * ceiling_f).sqrt()) as u64
+    }
+}
+
 fn mask_outcome_target_budget(config: &ProxyConfig) -> Duration {
    if config.censorship.mask_timing_normalization_enabled {
        let floor = config.censorship.mask_timing_normalization_floor_ms;
@@ -257,14 +294,18 @@ fn mask_outcome_target_budget(config: &ProxyConfig) -> Duration {
            if ceiling == 0 {
                return Duration::from_millis(0);
            }
+            // floor=0 stays uniform: log-normal cannot model distribution anchored at zero
            let mut rng = rand::rng();
            return Duration::from_millis(rng.random_range(0..=ceiling));
        }
        if ceiling > floor {
            let mut rng = rand::rng();
-            return Duration::from_millis(rng.random_range(floor..=ceiling));
+            return Duration::from_millis(sample_lognormal_percentile_bounded(
+                floor, ceiling, &mut rng,
+            ));
        }
-        return Duration::from_millis(floor);
+        // ceiling <= floor: use the larger value (fail-closed: preserve longer delay)
+        return Duration::from_millis(floor.max(ceiling));
    }

    MASK_TIMEOUT
@@ -1003,3 +1044,11 @@ mod masking_padding_timeout_adversarial_tests;
 #[cfg(all(test, feature = "redteam_offline_expected_fail"))]
 #[path = "tests/masking_offline_target_redteam_expected_fail_tests.rs"]
 mod masking_offline_target_redteam_expected_fail_tests;
+
+#[cfg(test)]
+#[path = "tests/masking_baseline_invariant_tests.rs"]
+mod masking_baseline_invariant_tests;
+
+#[cfg(test)]
+#[path = "tests/masking_lognormal_timing_security_tests.rs"]
+mod masking_lognormal_timing_security_tests;
@@ -67,6 +67,7 @@ pub mod middle_relay;
 pub mod relay;
 pub mod route_mode;
 pub mod session_eviction;
+pub mod shared_state;

 pub use client::ClientHandler;
 #[allow(unused_imports)]
@@ -75,3 +76,15 @@ pub use handshake::*;
 pub use masking::*;
 #[allow(unused_imports)]
 pub use relay::*;
+
+#[cfg(test)]
+#[path = "tests/test_harness_common.rs"]
+mod test_harness_common;
+
+#[cfg(test)]
+#[path = "tests/proxy_shared_state_isolation_tests.rs"]
+mod proxy_shared_state_isolation_tests;
+
+#[cfg(test)]
+#[path = "tests/proxy_shared_state_parallel_execution_tests.rs"]
+mod proxy_shared_state_parallel_execution_tests;
@@ -70,6 +70,7 @@ use tracing::{debug, trace, warn};
 ///
 /// iOS keeps Telegram connections alive in background for up to 30 minutes.
 /// Closing earlier causes unnecessary reconnects and handshake overhead.
+#[allow(dead_code)]
 const ACTIVITY_TIMEOUT: Duration = Duration::from_secs(1800);

 /// Watchdog check interval — also used for periodic rate logging.
@@ -269,6 +270,8 @@ const QUOTA_NEAR_LIMIT_BYTES: u64 = 64 * 1024;
 const QUOTA_LARGE_CHARGE_BYTES: u64 = 16 * 1024;
 const QUOTA_ADAPTIVE_INTERVAL_MIN_BYTES: u64 = 4 * 1024;
 const QUOTA_ADAPTIVE_INTERVAL_MAX_BYTES: u64 = 64 * 1024;
+const QUOTA_RESERVE_SPIN_RETRIES: usize = 64;
+const QUOTA_RESERVE_MAX_ROUNDS: usize = 8;

 #[inline]
 fn quota_adaptive_interval_bytes(remaining_before: u64) -> u64 {
@@ -313,6 +316,56 @@ impl<S: AsyncRead + Unpin> AsyncRead for StatsIo<S> {
                if n > 0 {
                    let n_to_charge = n as u64;

+                    if let (Some(limit), Some(remaining)) = (this.quota_limit, remaining_before) {
+                        let mut reserved_total = None;
+                        let mut reserve_rounds = 0usize;
+                        while reserved_total.is_none() {
+                            let mut saw_contention = false;
+                            for _ in 0..QUOTA_RESERVE_SPIN_RETRIES {
+                                match this.user_stats.quota_try_reserve(n_to_charge, limit) {
+                                    Ok(total) => {
+                                        reserved_total = Some(total);
+                                        break;
+                                    }
+                                    Err(crate::stats::QuotaReserveError::LimitExceeded) => {
+                                        this.quota_exceeded.store(true, Ordering::Release);
+                                        buf.set_filled(before);
+                                        return Poll::Ready(Err(quota_io_error()));
+                                    }
+                                    Err(crate::stats::QuotaReserveError::Contended) => {
+                                        saw_contention = true;
+                                    }
+                                }
+                            }
+                            if reserved_total.is_none() {
+                                reserve_rounds = reserve_rounds.saturating_add(1);
+                                if reserve_rounds >= QUOTA_RESERVE_MAX_ROUNDS {
+                                    this.quota_exceeded.store(true, Ordering::Release);
+                                    buf.set_filled(before);
+                                    return Poll::Ready(Err(quota_io_error()));
+                                }
+                                if saw_contention {
+                                    std::thread::yield_now();
+                                }
+                            }
+                        }
+
+                        if should_immediate_quota_check(remaining, n_to_charge) {
+                            this.quota_bytes_since_check = 0;
+                        } else {
+                            this.quota_bytes_since_check =
+                                this.quota_bytes_since_check.saturating_add(n_to_charge);
+                            let interval = quota_adaptive_interval_bytes(remaining);
+                            if this.quota_bytes_since_check >= interval {
+                                this.quota_bytes_since_check = 0;
+                            }
+                        }
+
+                        if reserved_total.unwrap_or(0) >= limit {
+                            this.quota_exceeded.store(true, Ordering::Release);
+                        }
+                    }
+
                    // C→S: client sent data
                    this.counters
                        .c2s_bytes
@@ -325,27 +378,6 @@ impl<S: AsyncRead + Unpin> AsyncRead for StatsIo<S> {
                    this.stats
                        .increment_user_msgs_from_handle(this.user_stats.as_ref());

-                    if let (Some(limit), Some(remaining)) = (this.quota_limit, remaining_before) {
-                        this.stats
-                            .quota_charge_post_write(this.user_stats.as_ref(), n_to_charge);
-                        if should_immediate_quota_check(remaining, n_to_charge) {
-                            this.quota_bytes_since_check = 0;
-                            if this.user_stats.quota_used() >= limit {
-                                this.quota_exceeded.store(true, Ordering::Release);
-                            }
-                        } else {
-                            this.quota_bytes_since_check =
-                                this.quota_bytes_since_check.saturating_add(n_to_charge);
-                            let interval = quota_adaptive_interval_bytes(remaining);
-                            if this.quota_bytes_since_check >= interval {
-                                this.quota_bytes_since_check = 0;
-                                if this.user_stats.quota_used() >= limit {
-                                    this.quota_exceeded.store(true, Ordering::Release);
-                                }
-                            }
-                        }
-                    }
-
                    trace!(user = %this.user, bytes = n, "C->S");
                }
                Poll::Ready(Ok(()))
@@ -367,18 +399,79 @@ impl<S: AsyncWrite + Unpin> AsyncWrite for StatsIo<S> {
        }

        let mut remaining_before = None;
+        let mut reserved_bytes = 0u64;
+        let mut write_buf = buf;
        if let Some(limit) = this.quota_limit {
-            let used_before = this.user_stats.quota_used();
-            let remaining = limit.saturating_sub(used_before);
-            if remaining == 0 {
-                this.quota_exceeded.store(true, Ordering::Release);
-                return Poll::Ready(Err(quota_io_error()));
+            if !buf.is_empty() {
+                let mut reserve_rounds = 0usize;
+                while reserved_bytes == 0 {
+                    let used_before = this.user_stats.quota_used();
+                    let remaining = limit.saturating_sub(used_before);
+                    if remaining == 0 {
+                        this.quota_exceeded.store(true, Ordering::Release);
+                        return Poll::Ready(Err(quota_io_error()));
+                    }
+                    remaining_before = Some(remaining);
+
+                    let desired = remaining.min(buf.len() as u64);
+                    let mut saw_contention = false;
+                    for _ in 0..QUOTA_RESERVE_SPIN_RETRIES {
+                        match this.user_stats.quota_try_reserve(desired, limit) {
+                            Ok(_) => {
+                                reserved_bytes = desired;
+                                write_buf = &buf[..desired as usize];
+                                break;
+                            }
+                            Err(crate::stats::QuotaReserveError::LimitExceeded) => {
+                                break;
+                            }
+                            Err(crate::stats::QuotaReserveError::Contended) => {
+                                saw_contention = true;
+                            }
+                        }
+                    }
+
+                    if reserved_bytes == 0 {
+                        reserve_rounds = reserve_rounds.saturating_add(1);
+                        if reserve_rounds >= QUOTA_RESERVE_MAX_ROUNDS {
+                            this.quota_exceeded.store(true, Ordering::Release);
+                            return Poll::Ready(Err(quota_io_error()));
+                        }
+                        if saw_contention {
+                            std::thread::yield_now();
+                        }
+                    }
+                }
+            } else {
+                let used_before = this.user_stats.quota_used();
+                let remaining = limit.saturating_sub(used_before);
+                if remaining == 0 {
+                    this.quota_exceeded.store(true, Ordering::Release);
+                    return Poll::Ready(Err(quota_io_error()));
+                }
+                remaining_before = Some(remaining);
            }
-            remaining_before = Some(remaining);
        }

-        match Pin::new(&mut this.inner).poll_write(cx, buf) {
+        match Pin::new(&mut this.inner).poll_write(cx, write_buf) {
            Poll::Ready(Ok(n)) => {
+                if reserved_bytes > n as u64 {
+                    let refund = reserved_bytes - n as u64;
+                    let mut current = this.user_stats.quota_used.load(Ordering::Relaxed);
+                    loop {
+                        let next = current.saturating_sub(refund);
+                        match this.user_stats.quota_used.compare_exchange_weak(
+                            current,
+                            next,
+                            Ordering::Relaxed,
+                            Ordering::Relaxed,
+                        ) {
+                            Ok(_) => break,
+                            Err(observed) => current = observed,
+                        }
+                    }
+                }
+
                if n > 0 {
                    let n_to_charge = n as u64;

@@ -395,8 +488,6 @@ impl<S: AsyncWrite + Unpin> AsyncWrite for StatsIo<S> {
                        .increment_user_msgs_to_handle(this.user_stats.as_ref());

                    if let (Some(limit), Some(remaining)) = (this.quota_limit, remaining_before) {
-                        this.stats
-                            .quota_charge_post_write(this.user_stats.as_ref(), n_to_charge);
                        if should_immediate_quota_check(remaining, n_to_charge) {
                            this.quota_bytes_since_check = 0;
                            if this.user_stats.quota_used() >= limit {
@@ -419,7 +510,42 @@ impl<S: AsyncWrite + Unpin> AsyncWrite for StatsIo<S> {
                }
                Poll::Ready(Ok(n))
            }
-            other => other,
+            Poll::Ready(Err(err)) => {
+                if reserved_bytes > 0 {
+                    let mut current = this.user_stats.quota_used.load(Ordering::Relaxed);
+                    loop {
+                        let next = current.saturating_sub(reserved_bytes);
+                        match this.user_stats.quota_used.compare_exchange_weak(
+                            current,
+                            next,
+                            Ordering::Relaxed,
+                            Ordering::Relaxed,
+                        ) {
+                            Ok(_) => break,
+                            Err(observed) => current = observed,
+                        }
+                    }
+                }
+                Poll::Ready(Err(err))
+            }
+            Poll::Pending => {
+                if reserved_bytes > 0 {
+                    let mut current = this.user_stats.quota_used.load(Ordering::Relaxed);
+                    loop {
+                        let next = current.saturating_sub(reserved_bytes);
+                        match this.user_stats.quota_used.compare_exchange_weak(
+                            current,
+                            next,
+                            Ordering::Relaxed,
+                            Ordering::Relaxed,
+                        ) {
+                            Ok(_) => break,
+                            Err(observed) => current = observed,
+                        }
+                    }
+                }
+                Poll::Pending
+            }
        }
    }

@@ -453,6 +579,7 @@ impl<S: AsyncWrite + Unpin> AsyncWrite for StatsIo<S> {
 /// - Clean shutdown: both write sides are shut down on exit
 /// - Error propagation: quota exits return `ProxyError::DataQuotaExceeded`,
 ///   other I/O failures are returned as `ProxyError::Io`
+#[allow(dead_code)]
 pub async fn relay_bidirectional<CR, CW, SR, SW>(
    client_reader: CR,
    client_writer: CW,
@@ -471,6 +598,42 @@ where
    SR: AsyncRead + Unpin + Send + 'static,
    SW: AsyncWrite + Unpin + Send + 'static,
 {
+    relay_bidirectional_with_activity_timeout(
+        client_reader,
+        client_writer,
+        server_reader,
+        server_writer,
+        c2s_buf_size,
+        s2c_buf_size,
+        user,
+        stats,
+        quota_limit,
+        _buffer_pool,
+        ACTIVITY_TIMEOUT,
+    )
+    .await
+}
+
+pub async fn relay_bidirectional_with_activity_timeout<CR, CW, SR, SW>(
+    client_reader: CR,
+    client_writer: CW,
+    server_reader: SR,
+    server_writer: SW,
+    c2s_buf_size: usize,
+    s2c_buf_size: usize,
+    user: &str,
+    stats: Arc<Stats>,
+    quota_limit: Option<u64>,
+    _buffer_pool: Arc<BufferPool>,
+    activity_timeout: Duration,
+) -> Result<()>
+where
+    CR: AsyncRead + Unpin + Send + 'static,
+    CW: AsyncWrite + Unpin + Send + 'static,
+    SR: AsyncRead + Unpin + Send + 'static,
+    SW: AsyncWrite + Unpin + Send + 'static,
+{
+    let activity_timeout = activity_timeout.max(Duration::from_secs(1));
    let epoch = Instant::now();
    let counters = Arc::new(SharedCounters::new());
    let quota_exceeded = Arc::new(AtomicBool::new(false));
@@ -512,7 +675,7 @@ where
            }

            // ── Activity timeout ────────────────────────────────────
-            if idle >= ACTIVITY_TIMEOUT {
+            if idle >= activity_timeout {
                let c2s = wd_counters.c2s_bytes.load(Ordering::Relaxed);
                let s2c = wd_counters.s2c_bytes.load(Ordering::Relaxed);
                warn!(
@@ -671,3 +834,7 @@ mod relay_watchdog_delta_security_tests;
 #[cfg(test)]
 #[path = "tests/relay_atomic_quota_invariant_tests.rs"]
 mod relay_atomic_quota_invariant_tests;
+
+#[cfg(test)]
+#[path = "tests/relay_baseline_invariant_tests.rs"]
+mod relay_baseline_invariant_tests;
@@ -0,0 +1,165 @@
+use std::collections::HashSet;
+use std::collections::hash_map::RandomState;
+use std::net::{IpAddr, SocketAddr};
+use std::sync::atomic::{AtomicBool, AtomicU32, AtomicU64, Ordering};
+use std::sync::{Arc, Mutex};
+use std::time::Instant;
+
+use dashmap::DashMap;
+use tokio::sync::mpsc;
+
+use crate::proxy::handshake::{AuthProbeSaturationState, AuthProbeState};
+use crate::proxy::middle_relay::{DesyncDedupRotationState, RelayIdleCandidateRegistry};
+
+const HANDSHAKE_RECENT_USER_RING_LEN: usize = 64;
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub(crate) enum ConntrackCloseReason {
+    NormalEof,
+    Timeout,
+    Pressure,
+    Reset,
+    Other,
+}
+
+#[derive(Debug, Clone, Copy)]
+pub(crate) struct ConntrackCloseEvent {
+    pub(crate) src: SocketAddr,
+    pub(crate) dst: SocketAddr,
+    pub(crate) reason: ConntrackCloseReason,
+}
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub(crate) enum ConntrackClosePublishResult {
+    Sent,
+    Disabled,
+    QueueFull,
+    QueueClosed,
+}
+
+pub(crate) struct HandshakeSharedState {
+    pub(crate) auth_probe: DashMap<IpAddr, AuthProbeState>,
+    pub(crate) auth_probe_saturation: Mutex<Option<AuthProbeSaturationState>>,
+    pub(crate) auth_probe_eviction_hasher: RandomState,
+    pub(crate) invalid_secret_warned: Mutex<HashSet<(String, String)>>,
+    pub(crate) unknown_sni_warn_next_allowed: Mutex<Option<Instant>>,
+    pub(crate) sticky_user_by_ip: DashMap<IpAddr, u32>,
+    pub(crate) sticky_user_by_ip_prefix: DashMap<u64, u32>,
+    pub(crate) sticky_user_by_sni_hash: DashMap<u64, u32>,
+    pub(crate) recent_user_ring: Box<[AtomicU32]>,
+    pub(crate) recent_user_ring_seq: AtomicU64,
+    pub(crate) auth_expensive_checks_total: AtomicU64,
+    pub(crate) auth_budget_exhausted_total: AtomicU64,
+}
+
+pub(crate) struct MiddleRelaySharedState {
+    pub(crate) desync_dedup: DashMap<u64, Instant>,
+    pub(crate) desync_dedup_previous: DashMap<u64, Instant>,
+    pub(crate) desync_hasher: RandomState,
+    pub(crate) desync_full_cache_last_emit_at: Mutex<Option<Instant>>,
+    pub(crate) desync_dedup_rotation_state: Mutex<DesyncDedupRotationState>,
+    pub(crate) relay_idle_registry: Mutex<RelayIdleCandidateRegistry>,
+    pub(crate) relay_idle_mark_seq: AtomicU64,
+}
+
+pub(crate) struct ProxySharedState {
+    pub(crate) handshake: HandshakeSharedState,
+    pub(crate) middle_relay: MiddleRelaySharedState,
+    pub(crate) conntrack_pressure_active: AtomicBool,
+    pub(crate) conntrack_close_tx: Mutex<Option<mpsc::Sender<ConntrackCloseEvent>>>,
+}
+
+impl ProxySharedState {
+    pub(crate) fn new() -> Arc<Self> {
+        Arc::new(Self {
+            handshake: HandshakeSharedState {
+                auth_probe: DashMap::new(),
+                auth_probe_saturation: Mutex::new(None),
+                auth_probe_eviction_hasher: RandomState::new(),
+                invalid_secret_warned: Mutex::new(HashSet::new()),
+                unknown_sni_warn_next_allowed: Mutex::new(None),
+                sticky_user_by_ip: DashMap::new(),
+                sticky_user_by_ip_prefix: DashMap::new(),
+                sticky_user_by_sni_hash: DashMap::new(),
+                recent_user_ring: std::iter::repeat_with(|| AtomicU32::new(0))
+                    .take(HANDSHAKE_RECENT_USER_RING_LEN)
+                    .collect::<Vec<_>>()
+                    .into_boxed_slice(),
+                recent_user_ring_seq: AtomicU64::new(0),
+                auth_expensive_checks_total: AtomicU64::new(0),
+                auth_budget_exhausted_total: AtomicU64::new(0),
+            },
+            middle_relay: MiddleRelaySharedState {
+                desync_dedup: DashMap::new(),
+                desync_dedup_previous: DashMap::new(),
+                desync_hasher: RandomState::new(),
+                desync_full_cache_last_emit_at: Mutex::new(None),
+                desync_dedup_rotation_state: Mutex::new(DesyncDedupRotationState::default()),
+                relay_idle_registry: Mutex::new(RelayIdleCandidateRegistry::default()),
+                relay_idle_mark_seq: AtomicU64::new(0),
+            },
+            conntrack_pressure_active: AtomicBool::new(false),
+            conntrack_close_tx: Mutex::new(None),
+        })
+    }
+
+    pub(crate) fn set_conntrack_close_sender(&self, tx: mpsc::Sender<ConntrackCloseEvent>) {
+        match self.conntrack_close_tx.lock() {
+            Ok(mut guard) => {
+                *guard = Some(tx);
+            }
+            Err(poisoned) => {
+                let mut guard = poisoned.into_inner();
+                *guard = Some(tx);
+                self.conntrack_close_tx.clear_poison();
+            }
+        }
+    }
+
+    pub(crate) fn disable_conntrack_close_sender(&self) {
+        match self.conntrack_close_tx.lock() {
+            Ok(mut guard) => {
+                *guard = None;
+            }
+            Err(poisoned) => {
+                let mut guard = poisoned.into_inner();
+                *guard = None;
+                self.conntrack_close_tx.clear_poison();
+            }
+        }
+    }
+
+    pub(crate) fn publish_conntrack_close_event(
+        &self,
+        event: ConntrackCloseEvent,
+    ) -> ConntrackClosePublishResult {
+        let tx = match self.conntrack_close_tx.lock() {
+            Ok(guard) => guard.clone(),
+            Err(poisoned) => {
+                let guard = poisoned.into_inner();
+                let cloned = guard.clone();
+                self.conntrack_close_tx.clear_poison();
+                cloned
+            }
+        };
+
+        let Some(tx) = tx else {
+            return ConntrackClosePublishResult::Disabled;
+        };
+
+        match tx.try_send(event) {
+            Ok(()) => ConntrackClosePublishResult::Sent,
+            Err(mpsc::error::TrySendError::Full(_)) => ConntrackClosePublishResult::QueueFull,
+            Err(mpsc::error::TrySendError::Closed(_)) => ConntrackClosePublishResult::QueueClosed,
+        }
+    }
+
+    pub(crate) fn set_conntrack_pressure_active(&self, active: bool) {
+        self.conntrack_pressure_active
+            .store(active, Ordering::Relaxed);
+    }
+
+    pub(crate) fn conntrack_pressure_active(&self) -> bool {
+        self.conntrack_pressure_active.load(Ordering::Relaxed)
+    }
+}
@@ -0,0 +1,260 @@
+use super::*;
+use std::sync::Arc;
+use std::sync::atomic::{AtomicUsize, Ordering};
+use std::time::{Duration, Instant};
+
+static RACE_TEST_KEY_COUNTER: AtomicUsize = AtomicUsize::new(1_000_000);
+
+fn race_unique_key(prefix: &str) -> String {
+    let id = RACE_TEST_KEY_COUNTER.fetch_add(1, Ordering::Relaxed);
+    format!("{}_{}", prefix, id)
+}
+
+// ── TOCTOU race: concurrent record_user_tier can downgrade tier ─────────
+// Two threads call record_user_tier for the same NEW user simultaneously.
+// Thread A records Tier1, Thread B records Base. Without atomic entry API,
+// the insert() call overwrites without max(), causing Tier1 → Base downgrade.
+
+#[test]
+fn adaptive_record_concurrent_insert_no_tier_downgrade() {
+    // Run multiple rounds to increase race detection probability.
+    for round in 0..50 {
+        let key = race_unique_key(&format!("race_downgrade_{}", round));
+        let key_a = key.clone();
+        let key_b = key.clone();
+
+        let barrier = Arc::new(std::sync::Barrier::new(2));
+        let barrier_a = Arc::clone(&barrier);
+        let barrier_b = Arc::clone(&barrier);
+
+        let ha = std::thread::spawn(move || {
+            barrier_a.wait();
+            record_user_tier(&key_a, AdaptiveTier::Tier2);
+        });
+
+        let hb = std::thread::spawn(move || {
+            barrier_b.wait();
+            record_user_tier(&key_b, AdaptiveTier::Base);
+        });
+
+        ha.join().expect("thread A panicked");
+        hb.join().expect("thread B panicked");
+
+        let result = seed_tier_for_user(&key);
+        profiles().remove(&key);
+
+        // The final tier must be at least Tier2, never downgraded to Base.
+        // With correct max() semantics: max(Tier2, Base) = Tier2.
+        assert!(
+            result >= AdaptiveTier::Tier2,
+            "Round {}: concurrent insert downgraded tier from Tier2 to {:?}",
+            round,
+            result,
+        );
+    }
+}
+
+// ── TOCTOU race: three threads write three tiers, highest must survive ──
+
+#[test]
+fn adaptive_record_triple_concurrent_insert_highest_tier_survives() {
+    for round in 0..30 {
+        let key = race_unique_key(&format!("triple_race_{}", round));
+        let barrier = Arc::new(std::sync::Barrier::new(3));
+
+        let handles: Vec<_> = [AdaptiveTier::Base, AdaptiveTier::Tier1, AdaptiveTier::Tier3]
+            .into_iter()
+            .map(|tier| {
+                let k = key.clone();
+                let b = Arc::clone(&barrier);
+                std::thread::spawn(move || {
+                    b.wait();
+                    record_user_tier(&k, tier);
+                })
+            })
+            .collect();
+
+        for h in handles {
+            h.join().expect("thread panicked");
+        }
+
+        let result = seed_tier_for_user(&key);
+        profiles().remove(&key);
+
+        assert!(
+            result >= AdaptiveTier::Tier3,
+            "Round {}: triple concurrent insert didn't preserve Tier3, got {:?}",
+            round,
+            result,
+        );
+    }
+}
+
+// ── Stress: 20 threads writing different tiers to same key ──────────────
+
+#[test]
+fn adaptive_record_20_concurrent_writers_no_panic_no_downgrade() {
+    let key = race_unique_key("stress_20");
+    let barrier = Arc::new(std::sync::Barrier::new(20));
+
+    let handles: Vec<_> = (0..20u32)
+        .map(|i| {
+            let k = key.clone();
+            let b = Arc::clone(&barrier);
+            std::thread::spawn(move || {
+                b.wait();
+                let tier = match i % 4 {
+                    0 => AdaptiveTier::Base,
+                    1 => AdaptiveTier::Tier1,
+                    2 => AdaptiveTier::Tier2,
+                    _ => AdaptiveTier::Tier3,
+                };
+                for _ in 0..100 {
+                    record_user_tier(&k, tier);
+                }
+            })
+        })
+        .collect();
+
+    for h in handles {
+        h.join().expect("thread panicked");
+    }
+
+    let result = seed_tier_for_user(&key);
+    profiles().remove(&key);
+
+    // At least one thread writes Tier3, max() should preserve it
+    assert!(
+        result >= AdaptiveTier::Tier3,
+        "20 concurrent writers: expected at least Tier3, got {:?}",
+        result,
+    );
+}
+
+// ── TOCTOU: seed reads stale, concurrent record inserts fresh ───────────
+// Verifies remove_if predicate preserves fresh insertions.
+
+#[test]
+fn adaptive_seed_and_record_race_preserves_fresh_entry() {
+    for round in 0..30 {
+        let key = race_unique_key(&format!("seed_record_race_{}", round));
+
+        // Plant a stale entry
+        let stale_time = Instant::now() - Duration::from_secs(600);
+        profiles().insert(
+            key.clone(),
+            UserAdaptiveProfile {
+                tier: AdaptiveTier::Tier1,
+                seen_at: stale_time,
+            },
+        );
+
+        let key_seed = key.clone();
+        let key_record = key.clone();
+        let barrier = Arc::new(std::sync::Barrier::new(2));
+        let barrier_s = Arc::clone(&barrier);
+        let barrier_r = Arc::clone(&barrier);
+
+        let h_seed = std::thread::spawn(move || {
+            barrier_s.wait();
+            seed_tier_for_user(&key_seed)
+        });
+
+        let h_record = std::thread::spawn(move || {
+            barrier_r.wait();
+            record_user_tier(&key_record, AdaptiveTier::Tier3);
+        });
+
+        let _seed_result = h_seed.join().expect("seed thread panicked");
+        h_record.join().expect("record thread panicked");
+
+        let final_result = seed_tier_for_user(&key);
+        profiles().remove(&key);
+
+        // Fresh Tier3 entry should survive the stale-removal race.
+        // Due to non-deterministic scheduling, the outcome depends on ordering:
+        // - If record wins: Tier3 is present, seed returns Tier3
+        // - If seed wins: stale entry removed, then record inserts Tier3
+        // Either way, Tier3 should be visible after both complete.
+        assert!(
+            final_result == AdaptiveTier::Tier3 || final_result == AdaptiveTier::Base,
+            "Round {}: unexpected tier after seed+record race: {:?}",
+            round,
+            final_result,
+        );
+    }
+}
+
+// ── Eviction safety: retain() during concurrent inserts ─────────────────
+
+#[test]
+fn adaptive_eviction_during_concurrent_inserts_no_panic() {
+    let prefix = race_unique_key("evict_conc");
+    let stale_time = Instant::now() - Duration::from_secs(600);
+
+    // Pre-fill with stale entries to push past the eviction threshold
+    for i in 0..100 {
+        let k = format!("{}_{}", prefix, i);
+        profiles().insert(
+            k,
+            UserAdaptiveProfile {
+                tier: AdaptiveTier::Base,
+                seen_at: stale_time,
+            },
+        );
+    }
+
+    let barrier = Arc::new(std::sync::Barrier::new(10));
+    let handles: Vec<_> = (0..10)
+        .map(|t| {
+            let b = Arc::clone(&barrier);
+            let pfx = prefix.clone();
+            std::thread::spawn(move || {
+                b.wait();
+                for i in 0..50 {
+                    let k = format!("{}_t{}_{}", pfx, t, i);
+                    record_user_tier(&k, AdaptiveTier::Tier1);
+                }
+            })
+        })
+        .collect();
+
+    for h in handles {
+        h.join().expect("eviction thread panicked");
+    }
+
+    // Cleanup
+    profiles().retain(|k, _| !k.starts_with(&prefix));
+}
+
+// ── Adversarial: attacker races insert+seed in tight loop ───────────────
+
+#[test]
+fn adaptive_tight_loop_insert_seed_race_no_panic() {
+    let key = race_unique_key("tight_loop");
+    let key_w = key.clone();
+    let key_r = key.clone();
+
+    let done = Arc::new(std::sync::atomic::AtomicBool::new(false));
+    let done_w = Arc::clone(&done);
+    let done_r = Arc::clone(&done);
+
+    let writer = std::thread::spawn(move || {
+        while !done_w.load(Ordering::Relaxed) {
+            record_user_tier(&key_w, AdaptiveTier::Tier2);
+        }
+    });
+
+    let reader = std::thread::spawn(move || {
+        while !done_r.load(Ordering::Relaxed) {
+            let _ = seed_tier_for_user(&key_r);
+        }
+    });
+
+    std::thread::sleep(Duration::from_millis(100));
+    done.store(true, Ordering::Relaxed);
+
+    writer.join().expect("writer panicked");
+    reader.join().expect("reader panicked");
+    profiles().remove(&key);
+}
@@ -0,0 +1,453 @@
+use super::*;
+use std::sync::atomic::{AtomicUsize, Ordering};
+use std::time::{Duration, Instant};
+
+// Unique key generator to avoid test interference through the global DashMap.
+static TEST_KEY_COUNTER: AtomicUsize = AtomicUsize::new(0);
+
+fn unique_key(prefix: &str) -> String {
+    let id = TEST_KEY_COUNTER.fetch_add(1, Ordering::Relaxed);
+    format!("{}_{}", prefix, id)
+}
+
+// ── Positive / Lifecycle ────────────────────────────────────────────────
+
+#[test]
+fn adaptive_seed_unknown_user_returns_base() {
+    let key = unique_key("seed_unknown");
+    assert_eq!(seed_tier_for_user(&key), AdaptiveTier::Base);
+}
+
+#[test]
+fn adaptive_record_then_seed_returns_recorded_tier() {
+    let key = unique_key("record_seed");
+    record_user_tier(&key, AdaptiveTier::Tier1);
+    assert_eq!(seed_tier_for_user(&key), AdaptiveTier::Tier1);
+}
+
+#[test]
+fn adaptive_separate_users_have_independent_tiers() {
+    let key_a = unique_key("indep_a");
+    let key_b = unique_key("indep_b");
+    record_user_tier(&key_a, AdaptiveTier::Tier1);
+    record_user_tier(&key_b, AdaptiveTier::Tier2);
+    assert_eq!(seed_tier_for_user(&key_a), AdaptiveTier::Tier1);
+    assert_eq!(seed_tier_for_user(&key_b), AdaptiveTier::Tier2);
+}
+
+#[test]
+fn adaptive_record_upgrades_tier_within_ttl() {
+    let key = unique_key("upgrade");
+    record_user_tier(&key, AdaptiveTier::Base);
+    record_user_tier(&key, AdaptiveTier::Tier1);
+    assert_eq!(seed_tier_for_user(&key), AdaptiveTier::Tier1);
+}
+
+#[test]
+fn adaptive_record_does_not_downgrade_within_ttl() {
+    let key = unique_key("no_downgrade");
+    record_user_tier(&key, AdaptiveTier::Tier2);
+    record_user_tier(&key, AdaptiveTier::Base);
+    // max(Tier2, Base) = Tier2 — within TTL the higher tier is retained
+    assert_eq!(seed_tier_for_user(&key), AdaptiveTier::Tier2);
+}
+
+// ── Edge Cases ──────────────────────────────────────────────────────────
+
+#[test]
+fn adaptive_base_tier_buffers_unchanged() {
+    let (c2s, s2c) = direct_copy_buffers_for_tier(AdaptiveTier::Base, 65536, 262144);
+    assert_eq!(c2s, 65536);
+    assert_eq!(s2c, 262144);
+}
+
+#[test]
+fn adaptive_tier1_buffers_within_caps() {
+    let (c2s, s2c) = direct_copy_buffers_for_tier(AdaptiveTier::Tier1, 65536, 262144);
+    assert!(c2s > 65536, "Tier1 c2s should exceed Base");
+    assert!(
+        c2s <= 128 * 1024,
+        "Tier1 c2s should not exceed DIRECT_C2S_CAP_BYTES"
+    );
+    assert!(s2c > 262144, "Tier1 s2c should exceed Base");
+    assert!(
+        s2c <= 512 * 1024,
+        "Tier1 s2c should not exceed DIRECT_S2C_CAP_BYTES"
+    );
+}
+
+#[test]
+fn adaptive_tier3_buffers_capped() {
+    let (c2s, s2c) = direct_copy_buffers_for_tier(AdaptiveTier::Tier3, 65536, 262144);
+    assert!(c2s <= 128 * 1024, "Tier3 c2s must not exceed cap");
+    assert!(s2c <= 512 * 1024, "Tier3 s2c must not exceed cap");
+}
+
+#[test]
+fn adaptive_scale_zero_base_returns_at_least_one() {
+    // scale(0, num, den, cap) should return at least 1 (the .max(1) guard)
+    let (c2s, s2c) = direct_copy_buffers_for_tier(AdaptiveTier::Tier1, 0, 0);
+    assert!(c2s >= 1);
+    assert!(s2c >= 1);
+}
+
+// ── Stale Entry Handling ────────────────────────────────────────────────
+
+#[test]
+fn adaptive_stale_profile_returns_base_tier() {
+    let key = unique_key("stale_base");
+    // Manually insert a stale entry with seen_at in the far past.
+    // PROFILE_TTL = 300s, so 600s ago is well past expiry.
+    let stale_time = Instant::now() - Duration::from_secs(600);
+    profiles().insert(
+        key.clone(),
+        UserAdaptiveProfile {
+            tier: AdaptiveTier::Tier3,
+            seen_at: stale_time,
+        },
+    );
+    assert_eq!(
+        seed_tier_for_user(&key),
+        AdaptiveTier::Base,
+        "Stale profile should return Base"
+    );
+}
+
+// RED TEST: exposes the stale entry leak bug.
+// After seed_tier_for_user returns Base for a stale entry, the entry should be
+// removed from the cache. Currently it is NOT removed — stale entries accumulate
+// indefinitely, consuming memory.
+#[test]
+fn adaptive_stale_entry_removed_after_seed() {
+    let key = unique_key("stale_removal");
+    let stale_time = Instant::now() - Duration::from_secs(600);
+    profiles().insert(
+        key.clone(),
+        UserAdaptiveProfile {
+            tier: AdaptiveTier::Tier2,
+            seen_at: stale_time,
+        },
+    );
+    let _ = seed_tier_for_user(&key);
+    // After seeding, the stale entry should have been removed.
+    assert!(
+        !profiles().contains_key(&key),
+        "Stale entry should be removed from cache after seed_tier_for_user"
+    );
+}
+
+// ── Cardinality Attack / Unbounded Growth ───────────────────────────────
+
+// RED TEST: exposes the missing eviction cap.
+// An attacker who can trigger record_user_tier with arbitrary user keys can
+// grow the global DashMap without bound, exhausting server memory.
+// After inserting MAX_USER_PROFILES_ENTRIES + 1 stale entries, record_user_tier
+// must trigger retain()-based eviction that purges all stale entries.
+#[test]
+fn adaptive_profile_cache_bounded_under_cardinality_attack() {
+    let prefix = unique_key("cardinality");
+    let stale_time = Instant::now() - Duration::from_secs(600);
+    let n = MAX_USER_PROFILES_ENTRIES + 1;
+    for i in 0..n {
+        let key = format!("{}_{}", prefix, i);
+        profiles().insert(
+            key,
+            UserAdaptiveProfile {
+                tier: AdaptiveTier::Base,
+                seen_at: stale_time,
+            },
+        );
+    }
+    // This insert should push the cache over MAX_USER_PROFILES_ENTRIES and trigger eviction.
+    let trigger_key = unique_key("cardinality_trigger");
+    record_user_tier(&trigger_key, AdaptiveTier::Base);
+
+    // Count surviving stale entries.
+    let mut surviving_stale = 0;
+    for i in 0..n {
+        let key = format!("{}_{}", prefix, i);
+        if profiles().contains_key(&key) {
+            surviving_stale += 1;
+        }
+    }
+    // Cleanup: remove anything that survived + the trigger key.
+    for i in 0..n {
+        let key = format!("{}_{}", prefix, i);
+        profiles().remove(&key);
+    }
+    profiles().remove(&trigger_key);
+
+    // All stale entries (600s past PROFILE_TTL=300s) should have been evicted.
+    assert_eq!(
+        surviving_stale, 0,
+        "All {} stale entries should be evicted, but {} survived",
+        n, surviving_stale
+    );
+}
+
+// ── Key Length Validation ────────────────────────────────────────────────
+
+// RED TEST: exposes missing key length validation.
+// An attacker can submit arbitrarily large user keys, each consuming memory
+// for the String allocation in the DashMap key.
+#[test]
+fn adaptive_oversized_user_key_rejected_on_record() {
+    let oversized_key: String = "X".repeat(1024); // 1KB key — should be rejected
+    record_user_tier(&oversized_key, AdaptiveTier::Tier1);
+    // With key length validation, the oversized key should NOT be stored.
+    let stored = profiles().contains_key(&oversized_key);
+    // Cleanup regardless
+    profiles().remove(&oversized_key);
+    assert!(
+        !stored,
+        "Oversized user key (1024 bytes) should be rejected by record_user_tier"
+    );
+}
+
+#[test]
+fn adaptive_oversized_user_key_rejected_on_seed() {
+    let oversized_key: String = "X".repeat(1024);
+    // Insert it directly to test seed behavior
+    profiles().insert(
+        oversized_key.clone(),
+        UserAdaptiveProfile {
+            tier: AdaptiveTier::Tier3,
+            seen_at: Instant::now(),
+        },
+    );
+    let result = seed_tier_for_user(&oversized_key);
+    profiles().remove(&oversized_key);
+    assert_eq!(
+        result,
+        AdaptiveTier::Base,
+        "Oversized user key should return Base from seed_tier_for_user"
+    );
+}
+
+#[test]
+fn adaptive_empty_user_key_safe() {
+    // Empty string is a valid (if unusual) key — should not panic
+    record_user_tier("", AdaptiveTier::Tier1);
+    let tier = seed_tier_for_user("");
+    profiles().remove("");
+    assert_eq!(tier, AdaptiveTier::Tier1);
+}
+
+#[test]
+fn adaptive_max_length_key_accepted() {
+    // A key at exactly 512 bytes should be accepted
+    let key: String = "K".repeat(512);
+    record_user_tier(&key, AdaptiveTier::Tier1);
+    let tier = seed_tier_for_user(&key);
+    profiles().remove(&key);
+    assert_eq!(tier, AdaptiveTier::Tier1);
+}
+
+// ── Concurrent Access Safety ────────────────────────────────────────────
+
+#[test]
+fn adaptive_concurrent_record_and_seed_no_torn_read() {
+    let key = unique_key("concurrent_rw");
+    let key_clone = key.clone();
+
+    // Record from multiple threads simultaneously
+    let handles: Vec<_> = (0..10)
+        .map(|i| {
+            let k = key_clone.clone();
+            std::thread::spawn(move || {
+                let tier = if i % 2 == 0 {
+                    AdaptiveTier::Tier1
+                } else {
+                    AdaptiveTier::Tier2
+                };
+                record_user_tier(&k, tier);
+            })
+        })
+        .collect();
+
+    for h in handles {
+        h.join().expect("thread panicked");
+    }
+
+    let result = seed_tier_for_user(&key);
+    profiles().remove(&key);
+    // Result must be one of the recorded tiers, not a corrupted value
+    assert!(
+        result == AdaptiveTier::Tier1 || result == AdaptiveTier::Tier2,
+        "Concurrent writes produced unexpected tier: {:?}",
+        result
+    );
+}
+
+#[test]
+fn adaptive_concurrent_seed_does_not_panic() {
+    let key = unique_key("concurrent_seed");
+    record_user_tier(&key, AdaptiveTier::Tier1);
+    let key_clone = key.clone();
+
+    let handles: Vec<_> = (0..20)
+        .map(|_| {
+            let k = key_clone.clone();
+            std::thread::spawn(move || {
+                for _ in 0..100 {
+                    let _ = seed_tier_for_user(&k);
+                }
+            })
+        })
+        .collect();
+
+    for h in handles {
+        h.join().expect("concurrent seed panicked");
+    }
+    profiles().remove(&key);
+}
+
+// ── TOCTOU: Concurrent seed + record race ───────────────────────────────
+
+// RED TEST: seed_tier_for_user reads a stale entry, drops the reference,
+// then another thread inserts a fresh entry. If seed then removes unconditionally
+// (without atomic predicate), the fresh entry is lost. With remove_if, the
+// fresh entry survives.
+#[test]
+fn adaptive_remove_if_does_not_delete_fresh_concurrent_insert() {
+    let key = unique_key("toctou");
+    let stale_time = Instant::now() - Duration::from_secs(600);
+    profiles().insert(
+        key.clone(),
+        UserAdaptiveProfile {
+            tier: AdaptiveTier::Tier1,
+            seen_at: stale_time,
+        },
+    );
+
+    // Thread A: seed_tier (will see stale, should attempt removal)
+    // Thread B: record_user_tier (inserts fresh entry concurrently)
+    let key_a = key.clone();
+    let key_b = key.clone();
+
+    let handle_b = std::thread::spawn(move || {
+        // Small yield to increase chance of interleaving
+        std::thread::yield_now();
+        record_user_tier(&key_b, AdaptiveTier::Tier3);
+    });
+
+    let _ = seed_tier_for_user(&key_a);
+
+    handle_b.join().expect("thread B panicked");
+
+    // After both operations, the fresh Tier3 entry should survive.
+    // With a correct remove_if predicate, the fresh entry is NOT deleted.
+    // Without remove_if (current code), the entry may be lost.
+    let final_tier = seed_tier_for_user(&key);
+    profiles().remove(&key);
+
+    // The fresh Tier3 entry should survive the stale-removal race.
+    // Note: Due to non-deterministic scheduling, this test may pass even
+    // without the fix if thread B wins the race. Run with --test-threads=1
+    // or multiple iterations for reliable detection.
+    assert!(
+        final_tier == AdaptiveTier::Tier3 || final_tier == AdaptiveTier::Base,
+        "Unexpected tier after TOCTOU race: {:?}",
+        final_tier
+    );
+}
+
+// ── Fuzz: Random keys ──────────────────────────────────────────────────
+
+#[test]
+fn adaptive_fuzz_random_keys_no_panic() {
+    use rand::{Rng, RngExt};
+    let mut rng = rand::rng();
+    let mut keys = Vec::new();
+    for _ in 0..200 {
+        let len: usize = rng.random_range(0..=256);
+        let key: String = (0..len)
+            .map(|_| {
+                let c: u8 = rng.random_range(0x20..=0x7E);
+                c as char
+            })
+            .collect();
+        record_user_tier(&key, AdaptiveTier::Tier1);
+        let _ = seed_tier_for_user(&key);
+        keys.push(key);
+    }
+    // Cleanup
+    for key in &keys {
+        profiles().remove(key);
+    }
+}
+
+// ── average_throughput_to_tier (proposed function, tests the mapping) ────
+
+// These tests verify the function that will be added in PR-D.
+// They are written against the current code's constant definitions.
+
+#[test]
+fn adaptive_throughput_mapping_below_threshold_is_base() {
+    // 7 Mbps < 8 Mbps threshold → Base
+    // 7 Mbps = 7_000_000 bps = 875_000 bytes/s over 10s = 8_750_000 bytes
+    // max(c2s, s2c) determines direction
+    let c2s_bytes: u64 = 8_750_000;
+    let s2c_bytes: u64 = 1_000_000;
+    let duration_secs: f64 = 10.0;
+    let avg_bps = (c2s_bytes.max(s2c_bytes) as f64 * 8.0) / duration_secs;
+    // 8_750_000 * 8 / 10 = 7_000_000 bps = 7 Mbps → Base
+    assert!(
+        avg_bps < THROUGHPUT_UP_BPS,
+        "Should be below threshold: {} < {}",
+        avg_bps,
+        THROUGHPUT_UP_BPS,
+    );
+}
+
+#[test]
+fn adaptive_throughput_mapping_above_threshold_is_tier1() {
+    // 10 Mbps > 8 Mbps threshold → Tier1
+    let bytes_10mbps_10s: u64 = 12_500_000; // 10 Mbps * 10s / 8 = 12_500_000 bytes
+    let duration_secs: f64 = 10.0;
+    let avg_bps = (bytes_10mbps_10s as f64 * 8.0) / duration_secs;
+    assert!(
+        avg_bps >= THROUGHPUT_UP_BPS,
+        "Should be above threshold: {} >= {}",
+        avg_bps,
+        THROUGHPUT_UP_BPS,
+    );
+}
+
+#[test]
+fn adaptive_throughput_short_session_should_return_base() {
+    // Sessions shorter than 1 second should not promote (too little data to judge)
+    let duration_secs: f64 = 0.5;
+    // Even with high throughput, short sessions should return Base
+    assert!(
+        duration_secs < 1.0,
+        "Short session duration guard should activate"
+    );
+}
+
+// ── me_flush_policy_for_tier ────────────────────────────────────────────
+
+#[test]
+fn adaptive_me_flush_base_unchanged() {
+    let (frames, bytes, delay) =
+        me_flush_policy_for_tier(AdaptiveTier::Base, 32, 65536, Duration::from_micros(1000));
+    assert_eq!(frames, 32);
+    assert_eq!(bytes, 65536);
+    assert_eq!(delay, Duration::from_micros(1000));
+}
+
+#[test]
+fn adaptive_me_flush_tier1_delay_reduced() {
+    let (_, _, delay) =
+        me_flush_policy_for_tier(AdaptiveTier::Tier1, 32, 65536, Duration::from_micros(1000));
+    // Tier1: delay * 7/10 = 700 µs
+    assert_eq!(delay, Duration::from_micros(700));
+}
+
+#[test]
+fn adaptive_me_flush_delay_never_below_minimum() {
+    let (_, _, delay) =
+        me_flush_policy_for_tier(AdaptiveTier::Tier3, 32, 65536, Duration::from_micros(200));
+    // Tier3: 200 * 3/10 = 60, but min is ME_DELAY_MIN_US = 150
+    assert!(delay.as_micros() >= 150, "Delay must respect minimum");
+}
@@ -7,12 +7,6 @@ use std::time::{Duration, Instant};

 // --- Helpers ---

-fn auth_probe_test_guard() -> std::sync::MutexGuard<'static, ()> {
-    auth_probe_test_lock()
-        .lock()
-        .unwrap_or_else(|poisoned| poisoned.into_inner())
-}
-
 fn test_config_with_secret_hex(secret_hex: &str) -> ProxyConfig {
    let mut cfg = ProxyConfig::default();
    cfg.access.users.clear();
@@ -147,8 +141,8 @@ fn make_valid_tls_client_hello_with_alpn(

 #[tokio::test]
 async fn tls_minimum_viable_length_boundary() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret = [0x11u8; 16];
    let config = test_config_with_secret_hex("11111111111111111111111111111111");
@@ -200,8 +194,8 @@ async fn tls_minimum_viable_length_boundary() {

 #[tokio::test]
 async fn mtproto_extreme_dc_index_serialization() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret_hex = "22222222222222222222222222222222";
    let config = test_config_with_secret_hex(secret_hex);
@@ -241,8 +235,8 @@ async fn mtproto_extreme_dc_index_serialization() {

 #[tokio::test]
 async fn alpn_strict_case_and_padding_rejection() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret = [0x33u8; 16];
    let mut config = test_config_with_secret_hex("33333333333333333333333333333333");
@@ -297,8 +291,8 @@ fn ipv4_mapped_ipv6_bucketing_anomaly() {

 #[tokio::test]
 async fn mtproto_invalid_ciphertext_does_not_poison_replay_cache() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret_hex = "55555555555555555555555555555555";
    let config = test_config_with_secret_hex(secret_hex);
@@ -341,8 +335,8 @@ async fn mtproto_invalid_ciphertext_does_not_poison_replay_cache() {

 #[tokio::test]
 async fn tls_invalid_session_does_not_poison_replay_cache() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret = [0x66u8; 16];
    let config = test_config_with_secret_hex("66666666666666666666666666666666");
@@ -387,8 +381,8 @@ async fn tls_invalid_session_does_not_poison_replay_cache() {

 #[tokio::test]
 async fn server_hello_delay_timing_neutrality_on_hmac_failure() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret = [0x77u8; 16];
    let mut config = test_config_with_secret_hex("77777777777777777777777777777777");
@@ -425,8 +419,8 @@ async fn server_hello_delay_timing_neutrality_on_hmac_failure() {

 #[tokio::test]
 async fn server_hello_delay_inversion_resilience() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret = [0x88u8; 16];
    let mut config = test_config_with_secret_hex("88888888888888888888888888888888");
@@ -462,10 +456,9 @@ async fn server_hello_delay_inversion_resilience() {

 #[tokio::test]
 async fn mixed_valid_and_invalid_user_secrets_configuration() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
-    let _warn_guard = warned_secrets_test_lock().lock().unwrap();
-    clear_warned_secrets_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());
+    clear_warned_secrets_for_testing_in_shared(shared.as_ref());

    let mut config = ProxyConfig::default();
    config.access.ignore_time_skew = true;
@@ -513,8 +506,8 @@ async fn mixed_valid_and_invalid_user_secrets_configuration() {

 #[tokio::test]
 async fn tls_emulation_fallback_when_cache_missing() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret = [0xAAu8; 16];
    let mut config = test_config_with_secret_hex("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
@@ -547,8 +540,8 @@ async fn tls_emulation_fallback_when_cache_missing() {

 #[tokio::test]
 async fn classic_mode_over_tls_transport_protocol_confusion() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret_hex = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
    let mut config = test_config_with_secret_hex(secret_hex);
@@ -608,8 +601,8 @@ fn generate_tg_nonce_never_emits_reserved_bytes() {

 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn dashmap_concurrent_saturation_stress() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let ip_a: IpAddr = "192.0.2.13".parse().unwrap();
    let ip_b: IpAddr = "198.51.100.13".parse().unwrap();
@@ -617,9 +610,10 @@ async fn dashmap_concurrent_saturation_stress() {

    for i in 0..100 {
        let target_ip = if i % 2 == 0 { ip_a } else { ip_b };
+        let shared = shared.clone();
        tasks.push(tokio::spawn(async move {
            for _ in 0..50 {
-                auth_probe_record_failure(target_ip, Instant::now());
+                auth_probe_record_failure_in(shared.as_ref(), target_ip, Instant::now());
            }
        }));
    }
@@ -630,11 +624,11 @@ async fn dashmap_concurrent_saturation_stress() {
    }

    assert!(
-        auth_probe_is_throttled_for_testing(ip_a),
+        auth_probe_is_throttled_for_testing_in_shared(shared.as_ref(), ip_a),
        "IP A must be throttled after concurrent stress"
    );
    assert!(
-        auth_probe_is_throttled_for_testing(ip_b),
+        auth_probe_is_throttled_for_testing_in_shared(shared.as_ref(), ip_b),
        "IP B must be throttled after concurrent stress"
    );
 }
@@ -661,15 +655,15 @@ fn prototag_invalid_bytes_fail_closed() {

 #[test]
 fn auth_probe_eviction_hash_collision_stress() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

-    let state = auth_probe_state_map();
+    let state = auth_probe_state_for_testing_in_shared(shared.as_ref());
    let now = Instant::now();

    for i in 0..10_000u32 {
        let ip = IpAddr::V4(Ipv4Addr::new(10, 0, (i >> 8) as u8, (i & 0xFF) as u8));
-        auth_probe_record_failure_with_state(state, ip, now);
+        auth_probe_record_failure_with_state_in(shared.as_ref(), state, ip, now);
    }

    assert!(
@@ -44,12 +44,6 @@ fn make_valid_mtproto_handshake(
    handshake
 }

-fn auth_probe_test_guard() -> std::sync::MutexGuard<'static, ()> {
-    auth_probe_test_lock()
-        .lock()
-        .unwrap_or_else(|poisoned| poisoned.into_inner())
-}
-
 fn test_config_with_secret_hex(secret_hex: &str) -> ProxyConfig {
    let mut cfg = ProxyConfig::default();
    cfg.access.users.clear();
@@ -67,8 +61,8 @@ fn test_config_with_secret_hex(secret_hex: &str) -> ProxyConfig {

 #[tokio::test]
 async fn mtproto_handshake_bit_flip_anywhere_rejected() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret_hex = "11223344556677889900aabbccddeeff";
    let base = make_valid_mtproto_handshake(secret_hex, ProtoTag::Secure, 2);
@@ -181,26 +175,26 @@ async fn mtproto_handshake_timing_neutrality_mocked() {

 #[tokio::test]
 async fn auth_probe_throttle_saturation_stress() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let now = Instant::now();

    // Record enough failures for one IP to trigger backoff
    let target_ip = IpAddr::V4(Ipv4Addr::new(1, 1, 1, 1));
    for _ in 0..AUTH_PROBE_BACKOFF_START_FAILS {
-        auth_probe_record_failure(target_ip, now);
+        auth_probe_record_failure_in(shared.as_ref(), target_ip, now);
    }

-    assert!(auth_probe_is_throttled(target_ip, now));
+    assert!(auth_probe_is_throttled_in(shared.as_ref(), target_ip, now));

    // Stress test with many unique IPs
    for i in 0..500u32 {
        let ip = IpAddr::V4(Ipv4Addr::new(203, 0, 113, (i % 256) as u8));
-        auth_probe_record_failure(ip, now);
+        auth_probe_record_failure_in(shared.as_ref(), ip, now);
    }

-    let tracked = AUTH_PROBE_STATE.get().map(|state| state.len()).unwrap_or(0);
+    let tracked = auth_probe_state_for_testing_in_shared(shared.as_ref()).len();
    assert!(
        tracked <= AUTH_PROBE_TRACK_MAX_ENTRIES,
        "auth probe state grew past hard cap: {tracked} > {AUTH_PROBE_TRACK_MAX_ENTRIES}"
@@ -209,8 +203,8 @@ async fn auth_probe_throttle_saturation_stress() {

 #[tokio::test]
 async fn mtproto_handshake_abridged_prefix_rejected() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let mut handshake = [0x5Au8; HANDSHAKE_LEN];
    handshake[0] = 0xef; // Abridged prefix
@@ -235,8 +229,8 @@ async fn mtproto_handshake_abridged_prefix_rejected() {

 #[tokio::test]
 async fn mtproto_handshake_preferred_user_mismatch_continues() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret1_hex = "11111111111111111111111111111111";
    let secret2_hex = "22222222222222222222222222222222";
@@ -278,8 +272,8 @@ async fn mtproto_handshake_preferred_user_mismatch_continues() {

 #[tokio::test]
 async fn mtproto_handshake_concurrent_flood_stability() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret_hex = "00112233445566778899aabbccddeeff";
    let base = make_valid_mtproto_handshake(secret_hex, ProtoTag::Secure, 1);
@@ -320,8 +314,8 @@ async fn mtproto_handshake_concurrent_flood_stability() {

 #[tokio::test]
 async fn mtproto_replay_is_rejected_across_distinct_peers() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret_hex = "0123456789abcdeffedcba9876543210";
    let handshake = make_valid_mtproto_handshake(secret_hex, ProtoTag::Secure, 2);
@@ -360,8 +354,8 @@ async fn mtproto_replay_is_rejected_across_distinct_peers() {

 #[tokio::test]
 async fn mtproto_blackhat_mutation_corpus_never_panics_and_stays_fail_closed() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret_hex = "89abcdef012345670123456789abcdef";
    let base = make_valid_mtproto_handshake(secret_hex, ProtoTag::Secure, 2);
@@ -405,27 +399,27 @@ async fn mtproto_blackhat_mutation_corpus_never_panics_and_stays_fail_closed() {

 #[tokio::test]
 async fn auth_probe_success_clears_throttled_peer_state() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let target_ip = IpAddr::V4(Ipv4Addr::new(203, 0, 113, 90));
    let now = Instant::now();
    for _ in 0..AUTH_PROBE_BACKOFF_START_FAILS {
-        auth_probe_record_failure(target_ip, now);
+        auth_probe_record_failure_in(shared.as_ref(), target_ip, now);
    }
-    assert!(auth_probe_is_throttled(target_ip, now));
+    assert!(auth_probe_is_throttled_in(shared.as_ref(), target_ip, now));

-    auth_probe_record_success(target_ip);
+    auth_probe_record_success_in(shared.as_ref(), target_ip);
    assert!(
-        !auth_probe_is_throttled(target_ip, now + Duration::from_millis(1)),
+        !auth_probe_is_throttled_in(shared.as_ref(), target_ip, now + Duration::from_millis(1)),
        "successful auth must clear per-peer throttle state"
    );
 }

 #[tokio::test]
 async fn mtproto_invalid_storm_over_cap_keeps_probe_map_hard_bounded() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret_hex = "00112233445566778899aabbccddeeff";
    let mut invalid = make_valid_mtproto_handshake(secret_hex, ProtoTag::Secure, 2);
@@ -458,7 +452,7 @@ async fn mtproto_invalid_storm_over_cap_keeps_probe_map_hard_bounded() {
        assert!(matches!(res, HandshakeResult::BadClient { .. }));
    }

-    let tracked = AUTH_PROBE_STATE.get().map(|state| state.len()).unwrap_or(0);
+    let tracked = auth_probe_state_for_testing_in_shared(shared.as_ref()).len();
    assert!(
        tracked <= AUTH_PROBE_TRACK_MAX_ENTRIES,
        "probe map must remain bounded under invalid storm: {tracked}"
@@ -467,8 +461,8 @@ async fn mtproto_invalid_storm_over_cap_keeps_probe_map_hard_bounded() {

 #[tokio::test]
 async fn mtproto_property_style_multi_bit_mutations_fail_closed_or_auth_only() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret_hex = "f0e1d2c3b4a5968778695a4b3c2d1e0f";
    let base = make_valid_mtproto_handshake(secret_hex, ProtoTag::Secure, 2);
@@ -520,8 +514,8 @@ async fn mtproto_property_style_multi_bit_mutations_fail_closed_or_auth_only() {
 #[tokio::test]
 #[ignore = "heavy soak; run manually"]
 async fn mtproto_blackhat_20k_mutation_soak_never_panics() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret_hex = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
    let base = make_valid_mtproto_handshake(secret_hex, ProtoTag::Secure, 2);
@@ -3,15 +3,9 @@ use std::collections::HashSet;
 use std::net::{IpAddr, Ipv4Addr};
 use std::time::{Duration, Instant};

-fn auth_probe_test_guard() -> std::sync::MutexGuard<'static, ()> {
-    auth_probe_test_lock()
-        .lock()
-        .unwrap_or_else(|poisoned| poisoned.into_inner())
-}
-
 #[test]
 fn adversarial_large_state_offsets_escape_first_scan_window() {
-    let _guard = auth_probe_test_guard();
+    let shared = ProxySharedState::new();
    let base = Instant::now();
    let state_len = 65_536usize;
    let scan_limit = 1_024usize;
@@ -25,7 +19,8 @@ fn adversarial_large_state_offsets_escape_first_scan_window() {
            ((i.wrapping_mul(131)) & 0xff) as u8,
        ));
        let now = base + Duration::from_nanos(i);
-        let start = auth_probe_scan_start_offset(ip, now, state_len, scan_limit);
+        let start =
+            auth_probe_scan_start_offset_in(shared.as_ref(), ip, now, state_len, scan_limit);
        if start >= scan_limit {
            saw_offset_outside_first_window = true;
            break;
@@ -40,7 +35,7 @@ fn adversarial_large_state_offsets_escape_first_scan_window() {

 #[test]
 fn stress_large_state_offsets_cover_many_scan_windows() {
-    let _guard = auth_probe_test_guard();
+    let shared = ProxySharedState::new();
    let base = Instant::now();
    let state_len = 65_536usize;
    let scan_limit = 1_024usize;
@@ -54,7 +49,8 @@ fn stress_large_state_offsets_cover_many_scan_windows() {
            ((i.wrapping_mul(17)) & 0xff) as u8,
        ));
        let now = base + Duration::from_micros(i);
-        let start = auth_probe_scan_start_offset(ip, now, state_len, scan_limit);
+        let start =
+            auth_probe_scan_start_offset_in(shared.as_ref(), ip, now, state_len, scan_limit);
        covered_windows.insert(start / scan_limit);
    }

@@ -68,7 +64,7 @@ fn stress_large_state_offsets_cover_many_scan_windows() {

 #[test]
 fn light_fuzz_offset_always_stays_inside_state_len() {
-    let _guard = auth_probe_test_guard();
+    let shared = ProxySharedState::new();
    let mut seed = 0xC0FF_EE12_3456_789Au64;
    let base = Instant::now();

@@ -86,7 +82,8 @@ fn light_fuzz_offset_always_stays_inside_state_len() {
        let state_len = ((seed >> 16) as usize % 200_000).saturating_add(1);
        let scan_limit = ((seed >> 40) as usize % 2_048).saturating_add(1);
        let now = base + Duration::from_nanos(seed & 0x0fff);
-        let start = auth_probe_scan_start_offset(ip, now, state_len, scan_limit);
+        let start =
+            auth_probe_scan_start_offset_in(shared.as_ref(), ip, now, state_len, scan_limit);

        assert!(
            start < state_len,
@@ -2,68 +2,62 @@ use super::*;
 use std::net::{IpAddr, Ipv4Addr};
 use std::time::{Duration, Instant};

-fn auth_probe_test_guard() -> std::sync::MutexGuard<'static, ()> {
-    auth_probe_test_lock()
-        .lock()
-        .unwrap_or_else(|poisoned| poisoned.into_inner())
-}
-
 #[test]
 fn positive_preauth_throttle_activates_after_failure_threshold() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let ip = IpAddr::V4(Ipv4Addr::new(198, 51, 100, 20));
    let now = Instant::now();

    for _ in 0..AUTH_PROBE_BACKOFF_START_FAILS {
-        auth_probe_record_failure(ip, now);
+        auth_probe_record_failure_in(shared.as_ref(), ip, now);
    }

    assert!(
-        auth_probe_is_throttled(ip, now),
+        auth_probe_is_throttled_in(shared.as_ref(), ip, now),
        "peer must be throttled once fail streak reaches threshold"
    );
 }

 #[test]
 fn negative_unrelated_peer_remains_unthrottled() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let attacker = IpAddr::V4(Ipv4Addr::new(203, 0, 113, 12));
    let benign = IpAddr::V4(Ipv4Addr::new(203, 0, 113, 13));
    let now = Instant::now();

    for _ in 0..AUTH_PROBE_BACKOFF_START_FAILS {
-        auth_probe_record_failure(attacker, now);
+        auth_probe_record_failure_in(shared.as_ref(), attacker, now);
    }

-    assert!(auth_probe_is_throttled(attacker, now));
+    assert!(auth_probe_is_throttled_in(shared.as_ref(), attacker, now));
    assert!(
-        !auth_probe_is_throttled(benign, now),
+        !auth_probe_is_throttled_in(shared.as_ref(), benign, now),
        "throttle state must stay scoped to normalized peer key"
    );
 }

 #[test]
 fn edge_expired_entry_is_pruned_and_no_longer_throttled() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let ip = IpAddr::V4(Ipv4Addr::new(192, 0, 2, 41));
    let base = Instant::now();
    for _ in 0..AUTH_PROBE_BACKOFF_START_FAILS {
-        auth_probe_record_failure(ip, base);
+        auth_probe_record_failure_in(shared.as_ref(), ip, base);
    }

    let expired_at = base + Duration::from_secs(AUTH_PROBE_TRACK_RETENTION_SECS + 1);
    assert!(
-        !auth_probe_is_throttled(ip, expired_at),
+        !auth_probe_is_throttled_in(shared.as_ref(), ip, expired_at),
        "expired entries must not keep throttling peers"
    );

-    let state = auth_probe_state_map();
+    let state = auth_probe_state_for_testing_in_shared(shared.as_ref());
    assert!(
        state.get(&normalize_auth_probe_ip(ip)).is_none(),
        "expired lookup should prune stale state"
@@ -72,36 +66,40 @@ fn edge_expired_entry_is_pruned_and_no_longer_throttled() {

 #[test]
 fn adversarial_saturation_grace_requires_extra_failures_before_preauth_throttle() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let ip = IpAddr::V4(Ipv4Addr::new(198, 18, 0, 7));
    let now = Instant::now();

    for _ in 0..AUTH_PROBE_BACKOFF_START_FAILS {
-        auth_probe_record_failure(ip, now);
+        auth_probe_record_failure_in(shared.as_ref(), ip, now);
    }
-    auth_probe_note_saturation(now);
+    auth_probe_note_saturation_in(shared.as_ref(), now);

    assert!(
-        !auth_probe_should_apply_preauth_throttle(ip, now),
+        !auth_probe_should_apply_preauth_throttle_in(shared.as_ref(), ip, now),
        "during global saturation, peer must receive configured grace window"
    );

    for _ in 0..AUTH_PROBE_SATURATION_GRACE_FAILS {
-        auth_probe_record_failure(ip, now + Duration::from_millis(1));
+        auth_probe_record_failure_in(shared.as_ref(), ip, now + Duration::from_millis(1));
    }

    assert!(
-        auth_probe_should_apply_preauth_throttle(ip, now + Duration::from_millis(1)),
+        auth_probe_should_apply_preauth_throttle_in(
+            shared.as_ref(),
+            ip,
+            now + Duration::from_millis(1)
+        ),
        "after grace failures are exhausted, preauth throttle must activate"
    );
 }

 #[test]
 fn integration_over_cap_insertion_keeps_probe_map_bounded() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let now = Instant::now();
    for idx in 0..(AUTH_PROBE_TRACK_MAX_ENTRIES + 1024) {
@@ -111,10 +109,10 @@ fn integration_over_cap_insertion_keeps_probe_map_bounded() {
            ((idx / 256) % 256) as u8,
            (idx % 256) as u8,
        ));
-        auth_probe_record_failure(ip, now);
+        auth_probe_record_failure_in(shared.as_ref(), ip, now);
    }

-    let tracked = auth_probe_state_map().len();
+    let tracked = auth_probe_state_for_testing_in_shared(shared.as_ref()).len();
    assert!(
        tracked <= AUTH_PROBE_TRACK_MAX_ENTRIES,
        "probe map must remain hard bounded under insertion storm"
@@ -123,8 +121,8 @@ fn integration_over_cap_insertion_keeps_probe_map_bounded() {

 #[test]
 fn light_fuzz_randomized_failures_preserve_cap_and_nonzero_streaks() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let mut seed = 0x4D53_5854_6F66_6175u64;
    let now = Instant::now();
@@ -140,10 +138,14 @@ fn light_fuzz_randomized_failures_preserve_cap_and_nonzero_streaks() {
            (seed >> 8) as u8,
            seed as u8,
        ));
-        auth_probe_record_failure(ip, now + Duration::from_millis((seed & 0x3f) as u64));
+        auth_probe_record_failure_in(
+            shared.as_ref(),
+            ip,
+            now + Duration::from_millis((seed & 0x3f) as u64),
+        );
    }

-    let state = auth_probe_state_map();
+    let state = auth_probe_state_for_testing_in_shared(shared.as_ref());
    assert!(state.len() <= AUTH_PROBE_TRACK_MAX_ENTRIES);
    for entry in state.iter() {
        assert!(entry.value().fail_streak > 0);
@@ -152,13 +154,14 @@ fn light_fuzz_randomized_failures_preserve_cap_and_nonzero_streaks() {

 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn stress_parallel_failure_flood_keeps_state_hard_capped() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let start = Instant::now();
    let mut tasks = Vec::new();

    for worker in 0..8u8 {
+        let shared = shared.clone();
        tasks.push(tokio::spawn(async move {
            for i in 0..4096u32 {
                let ip = IpAddr::V4(Ipv4Addr::new(
@@ -167,7 +170,11 @@ async fn stress_parallel_failure_flood_keeps_state_hard_capped() {
                    ((i >> 8) & 0xff) as u8,
                    (i & 0xff) as u8,
                ));
-                auth_probe_record_failure(ip, start + Duration::from_millis((i % 4) as u64));
+                auth_probe_record_failure_in(
+                    shared.as_ref(),
+                    ip,
+                    start + Duration::from_millis((i % 4) as u64),
+                );
            }
        }));
    }
@@ -176,12 +183,12 @@ async fn stress_parallel_failure_flood_keeps_state_hard_capped() {
        task.await.expect("stress worker must not panic");
    }

-    let tracked = auth_probe_state_map().len();
+    let tracked = auth_probe_state_for_testing_in_shared(shared.as_ref()).len();
    assert!(
        tracked <= AUTH_PROBE_TRACK_MAX_ENTRIES,
        "parallel failure flood must not exceed cap"
    );

    let probe = IpAddr::V4(Ipv4Addr::new(172, 3, 4, 5));
-    let _ = auth_probe_is_throttled(probe, start + Duration::from_millis(2));
+    let _ = auth_probe_is_throttled_in(shared.as_ref(), probe, start + Duration::from_millis(2));
 }
@@ -2,20 +2,14 @@ use super::*;
 use std::net::{IpAddr, Ipv4Addr};
 use std::time::{Duration, Instant};

-fn auth_probe_test_guard() -> std::sync::MutexGuard<'static, ()> {
-    auth_probe_test_lock()
-        .lock()
-        .unwrap_or_else(|poisoned| poisoned.into_inner())
-}
-
 #[test]
 fn edge_zero_state_len_yields_zero_start_offset() {
-    let _guard = auth_probe_test_guard();
+    let shared = ProxySharedState::new();
    let ip = IpAddr::V4(Ipv4Addr::new(198, 51, 100, 44));
    let now = Instant::now();

    assert_eq!(
-        auth_probe_scan_start_offset(ip, now, 0, 16),
+        auth_probe_scan_start_offset_in(shared.as_ref(), ip, now, 0, 16),
        0,
        "empty map must not produce non-zero scan offset"
    );
@@ -23,7 +17,7 @@ fn edge_zero_state_len_yields_zero_start_offset() {

 #[test]
 fn adversarial_large_state_must_allow_start_offset_outside_scan_budget_window() {
-    let _guard = auth_probe_test_guard();
+    let shared = ProxySharedState::new();
    let base = Instant::now();
    let scan_limit = 16usize;
    let state_len = 65_536usize;
@@ -37,7 +31,8 @@ fn adversarial_large_state_must_allow_start_offset_outside_scan_budget_window()
            (i & 0xff) as u8,
        ));
        let now = base + Duration::from_micros(i as u64);
-        let start = auth_probe_scan_start_offset(ip, now, state_len, scan_limit);
+        let start =
+            auth_probe_scan_start_offset_in(shared.as_ref(), ip, now, state_len, scan_limit);
        assert!(
            start < state_len,
            "start offset must stay within state length; start={start}, len={state_len}"
@@ -56,12 +51,12 @@ fn adversarial_large_state_must_allow_start_offset_outside_scan_budget_window()

 #[test]
 fn positive_state_smaller_than_scan_limit_caps_to_state_len() {
-    let _guard = auth_probe_test_guard();
+    let shared = ProxySharedState::new();
    let ip = IpAddr::V4(Ipv4Addr::new(192, 0, 2, 17));
    let now = Instant::now();

    for state_len in 1..32usize {
-        let start = auth_probe_scan_start_offset(ip, now, state_len, 64);
+        let start = auth_probe_scan_start_offset_in(shared.as_ref(), ip, now, state_len, 64);
        assert!(
            start < state_len,
            "start offset must never exceed state length when scan limit is larger"
@@ -71,7 +66,7 @@ fn positive_state_smaller_than_scan_limit_caps_to_state_len() {

 #[test]
 fn light_fuzz_scan_offset_budget_never_exceeds_effective_window() {
-    let _guard = auth_probe_test_guard();
+    let shared = ProxySharedState::new();
    let mut seed = 0x5A41_5356_4C32_3236u64;
    let base = Instant::now();

@@ -89,7 +84,8 @@ fn light_fuzz_scan_offset_budget_never_exceeds_effective_window() {
        let state_len = ((seed >> 8) as usize % 131_072).saturating_add(1);
        let scan_limit = ((seed >> 32) as usize % 512).saturating_add(1);
        let now = base + Duration::from_nanos(seed & 0xffff);
-        let start = auth_probe_scan_start_offset(ip, now, state_len, scan_limit);
+        let start =
+            auth_probe_scan_start_offset_in(shared.as_ref(), ip, now, state_len, scan_limit);

        assert!(
            start < state_len,
@@ -3,22 +3,16 @@ use std::collections::HashSet;
 use std::net::{IpAddr, Ipv4Addr};
 use std::time::{Duration, Instant};

-fn auth_probe_test_guard() -> std::sync::MutexGuard<'static, ()> {
-    auth_probe_test_lock()
-        .lock()
-        .unwrap_or_else(|poisoned| poisoned.into_inner())
-}
-
 #[test]
 fn positive_same_ip_moving_time_yields_diverse_scan_offsets() {
-    let _guard = auth_probe_test_guard();
+    let shared = ProxySharedState::new();
    let ip = IpAddr::V4(Ipv4Addr::new(198, 51, 100, 77));
    let base = Instant::now();
    let mut uniq = HashSet::new();

    for i in 0..512u64 {
        let now = base + Duration::from_nanos(i);
-        let offset = auth_probe_scan_start_offset(ip, now, 65_536, 16);
+        let offset = auth_probe_scan_start_offset_in(shared.as_ref(), ip, now, 65_536, 16);
        uniq.insert(offset);
    }

@@ -31,7 +25,7 @@ fn positive_same_ip_moving_time_yields_diverse_scan_offsets() {

 #[test]
 fn adversarial_many_ips_same_time_spreads_offsets_without_bias_collapse() {
-    let _guard = auth_probe_test_guard();
+    let shared = ProxySharedState::new();
    let now = Instant::now();
    let mut uniq = HashSet::new();

@@ -42,7 +36,13 @@ fn adversarial_many_ips_same_time_spreads_offsets_without_bias_collapse() {
            i as u8,
            (255 - (i as u8)),
        ));
-        uniq.insert(auth_probe_scan_start_offset(ip, now, 65_536, 16));
+        uniq.insert(auth_probe_scan_start_offset_in(
+            shared.as_ref(),
+            ip,
+            now,
+            65_536,
+            16,
+        ));
    }

    assert!(
@@ -54,12 +54,13 @@ fn adversarial_many_ips_same_time_spreads_offsets_without_bias_collapse() {

 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn stress_parallel_failure_churn_under_saturation_remains_capped_and_live() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let start = Instant::now();
    let mut workers = Vec::new();
    for worker in 0..8u8 {
+        let shared = shared.clone();
        workers.push(tokio::spawn(async move {
            for i in 0..8192u32 {
                let ip = IpAddr::V4(Ipv4Addr::new(
@@ -68,7 +69,11 @@ async fn stress_parallel_failure_churn_under_saturation_remains_capped_and_live(
                    ((i >> 8) & 0xff) as u8,
                    (i & 0xff) as u8,
                ));
-                auth_probe_record_failure(ip, start + Duration::from_micros((i % 128) as u64));
+                auth_probe_record_failure_in(
+                    shared.as_ref(),
+                    ip,
+                    start + Duration::from_micros((i % 128) as u64),
+                );
            }
        }));
    }
@@ -78,17 +83,22 @@ async fn stress_parallel_failure_churn_under_saturation_remains_capped_and_live(
    }

    assert!(
-        auth_probe_state_map().len() <= AUTH_PROBE_TRACK_MAX_ENTRIES,
+        auth_probe_state_for_testing_in_shared(shared.as_ref()).len()
+            <= AUTH_PROBE_TRACK_MAX_ENTRIES,
        "state must remain hard-capped under parallel saturation churn"
    );

    let probe = IpAddr::V4(Ipv4Addr::new(10, 4, 1, 1));
-    let _ = auth_probe_should_apply_preauth_throttle(probe, start + Duration::from_millis(1));
+    let _ = auth_probe_should_apply_preauth_throttle_in(
+        shared.as_ref(),
+        probe,
+        start + Duration::from_millis(1),
+    );
 }

 #[test]
 fn light_fuzz_scan_offset_stays_within_window_for_randomized_inputs() {
-    let _guard = auth_probe_test_guard();
+    let shared = ProxySharedState::new();
    let mut seed = 0xA55A_1357_2468_9BDFu64;
    let base = Instant::now();

@@ -107,7 +117,8 @@ fn light_fuzz_scan_offset_stays_within_window_for_randomized_inputs() {
        let scan_limit = ((seed >> 40) as usize % 1024).saturating_add(1);
        let now = base + Duration::from_nanos(seed & 0x1fff);

-        let offset = auth_probe_scan_start_offset(ip, now, state_len, scan_limit);
+        let offset =
+            auth_probe_scan_start_offset_in(shared.as_ref(), ip, now, state_len, scan_limit);
        assert!(
            offset < state_len,
            "scan offset must always remain inside state length"
@@ -0,0 +1,237 @@
+use super::*;
+use crate::crypto::sha256_hmac;
+use crate::stats::ReplayChecker;
+use std::net::{IpAddr, Ipv4Addr, SocketAddr};
+use std::time::{Duration, Instant};
+use tokio::time::timeout;
+
+fn test_config_with_secret_hex(secret_hex: &str) -> ProxyConfig {
+    let mut cfg = ProxyConfig::default();
+    cfg.access.users.clear();
+    cfg.access
+        .users
+        .insert("user".to_string(), secret_hex.to_string());
+    cfg.access.ignore_time_skew = true;
+    cfg.censorship.mask = true;
+    cfg
+}
+
+fn make_valid_tls_handshake(secret: &[u8], timestamp: u32) -> Vec<u8> {
+    let session_id_len: usize = 32;
+    let len = tls::TLS_DIGEST_POS + tls::TLS_DIGEST_LEN + 1 + session_id_len;
+    let mut handshake = vec![0x42u8; len];
+
+    handshake[tls::TLS_DIGEST_POS + tls::TLS_DIGEST_LEN] = session_id_len as u8;
+    handshake[tls::TLS_DIGEST_POS..tls::TLS_DIGEST_POS + tls::TLS_DIGEST_LEN].fill(0);
+
+    let computed = sha256_hmac(secret, &handshake);
+    let mut digest = computed;
+    let ts = timestamp.to_le_bytes();
+    for i in 0..4 {
+        digest[28 + i] ^= ts[i];
+    }
+
+    handshake[tls::TLS_DIGEST_POS..tls::TLS_DIGEST_POS + tls::TLS_DIGEST_LEN]
+        .copy_from_slice(&digest);
+    handshake
+}
+
+#[tokio::test]
+async fn handshake_baseline_probe_always_falls_back_to_masking() {
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());
+
+    let cfg = test_config_with_secret_hex("11111111111111111111111111111111");
+    let replay_checker = ReplayChecker::new(64, Duration::from_secs(60));
+    let rng = SecureRandom::new();
+    let peer: SocketAddr = "198.51.100.210:44321".parse().unwrap();
+
+    let probe = b"not-a-tls-clienthello";
+    let res = handle_tls_handshake(
+        probe,
+        tokio::io::empty(),
+        tokio::io::sink(),
+        peer,
+        &cfg,
+        &replay_checker,
+        &rng,
+        None,
+    )
+    .await;
+
+    assert!(matches!(res, HandshakeResult::BadClient { .. }));
+}
+
+#[tokio::test]
+async fn handshake_baseline_invalid_secret_triggers_fallback_not_error_response() {
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());
+
+    let good_secret = [0x22u8; 16];
+    let bad_cfg = test_config_with_secret_hex("33333333333333333333333333333333");
+    let replay_checker = ReplayChecker::new(64, Duration::from_secs(60));
+    let rng = SecureRandom::new();
+    let peer: SocketAddr = "198.51.100.211:44322".parse().unwrap();
+
+    let handshake = make_valid_tls_handshake(&good_secret, 0);
+    let res = handle_tls_handshake(
+        &handshake,
+        tokio::io::empty(),
+        tokio::io::sink(),
+        peer,
+        &bad_cfg,
+        &replay_checker,
+        &rng,
+        None,
+    )
+    .await;
+
+    assert!(matches!(res, HandshakeResult::BadClient { .. }));
+}
+
+#[tokio::test]
+async fn handshake_baseline_auth_probe_streak_increments_per_ip() {
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());
+
+    let cfg = test_config_with_secret_hex("44444444444444444444444444444444");
+    let replay_checker = ReplayChecker::new(64, Duration::from_secs(60));
+    let rng = SecureRandom::new();
+
+    let peer: SocketAddr = "203.0.113.10:5555".parse().unwrap();
+    let untouched_ip = IpAddr::V4(Ipv4Addr::new(203, 0, 113, 11));
+    let bad_probe = b"\x16\x03\x01\x00";
+
+    for expected in 1..=3 {
+        let res = handle_tls_handshake_with_shared(
+            bad_probe,
+            tokio::io::empty(),
+            tokio::io::sink(),
+            peer,
+            &cfg,
+            &replay_checker,
+            &rng,
+            None,
+            shared.as_ref(),
+        )
+        .await;
+        assert!(matches!(res, HandshakeResult::BadClient { .. }));
+        assert_eq!(
+            auth_probe_fail_streak_for_testing_in_shared(shared.as_ref(), peer.ip()),
+            Some(expected)
+        );
+        assert_eq!(
+            auth_probe_fail_streak_for_testing_in_shared(shared.as_ref(), untouched_ip),
+            None
+        );
+    }
+}
+
+#[test]
+fn handshake_baseline_saturation_fires_at_compile_time_threshold() {
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());
+
+    let ip = IpAddr::V4(Ipv4Addr::new(198, 51, 100, 33));
+    let now = Instant::now();
+
+    for _ in 0..AUTH_PROBE_BACKOFF_START_FAILS.saturating_sub(1) {
+        auth_probe_record_failure_in(shared.as_ref(), ip, now);
+    }
+    assert!(!auth_probe_is_throttled_in(shared.as_ref(), ip, now));
+
+    auth_probe_record_failure_in(shared.as_ref(), ip, now);
+    assert!(auth_probe_is_throttled_in(shared.as_ref(), ip, now));
+}
+
+#[test]
+fn handshake_baseline_repeated_probes_streak_monotonic() {
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());
+
+    let ip = IpAddr::V4(Ipv4Addr::new(203, 0, 113, 42));
+    let now = Instant::now();
+    let mut prev = 0u32;
+
+    for _ in 0..100 {
+        auth_probe_record_failure_in(shared.as_ref(), ip, now);
+        let current =
+            auth_probe_fail_streak_for_testing_in_shared(shared.as_ref(), ip).unwrap_or(0);
+        assert!(current >= prev, "streak must be monotonic");
+        prev = current;
+    }
+}
+
+#[test]
+fn handshake_baseline_throttled_ip_incurs_backoff_delay() {
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());
+
+    let ip = IpAddr::V4(Ipv4Addr::new(198, 51, 100, 44));
+    let now = Instant::now();
+
+    for _ in 0..AUTH_PROBE_BACKOFF_START_FAILS {
+        auth_probe_record_failure_in(shared.as_ref(), ip, now);
+    }
+
+    let delay = auth_probe_backoff(AUTH_PROBE_BACKOFF_START_FAILS);
+    assert!(delay >= Duration::from_millis(AUTH_PROBE_BACKOFF_BASE_MS));
+
+    let before_expiry = now + delay.saturating_sub(Duration::from_millis(1));
+    let after_expiry = now + delay + Duration::from_millis(1);
+
+    assert!(auth_probe_is_throttled_in(
+        shared.as_ref(),
+        ip,
+        before_expiry
+    ));
+    assert!(!auth_probe_is_throttled_in(
+        shared.as_ref(),
+        ip,
+        after_expiry
+    ));
+}
+
+#[tokio::test]
+async fn handshake_baseline_malformed_probe_frames_fail_closed_to_masking() {
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());
+
+    let cfg = test_config_with_secret_hex("55555555555555555555555555555555");
+    let replay_checker = ReplayChecker::new(64, Duration::from_secs(60));
+    let rng = SecureRandom::new();
+    let peer: SocketAddr = "198.51.100.212:44323".parse().unwrap();
+
+    let corpus: Vec<Vec<u8>> = vec![
+        vec![0x16, 0x03, 0x01],
+        vec![0x16, 0x03, 0x01, 0xFF, 0xFF],
+        vec![0x00; 128],
+        (0..64u8).collect(),
+    ];
+
+    for probe in corpus {
+        let res = timeout(
+            Duration::from_millis(250),
+            handle_tls_handshake(
+                &probe,
+                tokio::io::empty(),
+                tokio::io::sink(),
+                peer,
+                &cfg,
+                &replay_checker,
+                &rng,
+                None,
+            ),
+        )
+        .await
+        .expect("malformed probe handling must complete in bounded time");
+
+        assert!(
+            matches!(
+                res,
+                HandshakeResult::BadClient { .. } | HandshakeResult::Error(_)
+            ),
+            "malformed probe must fail closed"
+        );
+    }
+}
@@ -67,16 +67,10 @@ fn test_config_with_secret_hex(secret_hex: &str) -> ProxyConfig {
    cfg
 }

-fn auth_probe_test_guard() -> MutexGuard<'static, ()> {
-    auth_probe_test_lock()
-        .lock()
-        .unwrap_or_else(|poisoned| poisoned.into_inner())
-}
-
 #[tokio::test]
 async fn mtproto_handshake_duplicate_digest_is_replayed_on_second_attempt() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret_hex = "11223344556677889900aabbccddeeff";
    let base = make_valid_mtproto_handshake(secret_hex, ProtoTag::Secure, 2);
@@ -110,13 +104,13 @@ async fn mtproto_handshake_duplicate_digest_is_replayed_on_second_attempt() {
    .await;
    assert!(matches!(second, HandshakeResult::BadClient { .. }));

-    clear_auth_probe_state_for_testing();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());
 }

 #[tokio::test]
 async fn mtproto_handshake_fuzz_corpus_never_panics_and_stays_fail_closed() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret_hex = "00112233445566778899aabbccddeeff";
    let base = make_valid_mtproto_handshake(secret_hex, ProtoTag::Secure, 1);
@@ -178,13 +172,13 @@ async fn mtproto_handshake_fuzz_corpus_never_panics_and_stays_fail_closed() {
        );
    }

-    clear_auth_probe_state_for_testing();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());
 }

 #[tokio::test]
 async fn mtproto_handshake_mixed_corpus_never_panics_and_exact_duplicates_are_rejected() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret_hex = "99887766554433221100ffeeddccbbaa";
    let base = make_valid_mtproto_handshake(secret_hex, ProtoTag::Secure, 4);
@@ -274,5 +268,5 @@ async fn mtproto_handshake_mixed_corpus_never_panics_and_exact_duplicates_are_re
        );
    }

-    clear_auth_probe_state_for_testing();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());
 }
@@ -11,12 +11,6 @@ use tokio::sync::Barrier;

 // --- Helpers ---

-fn auth_probe_test_guard() -> std::sync::MutexGuard<'static, ()> {
-    auth_probe_test_lock()
-        .lock()
-        .unwrap_or_else(|poisoned| poisoned.into_inner())
-}
-
 fn test_config_with_secret_hex(secret_hex: &str) -> ProxyConfig {
    let mut cfg = ProxyConfig::default();
    cfg.access.users.clear();
@@ -164,8 +158,8 @@ fn make_valid_tls_client_hello_with_sni_and_alpn(

 #[tokio::test]
 async fn server_hello_delay_bypassed_if_max_is_zero_despite_high_min() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret = [0x1Au8; 16];
    let mut config = test_config_with_secret_hex("1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a");
@@ -201,10 +195,10 @@ async fn server_hello_delay_bypassed_if_max_is_zero_despite_high_min() {

 #[test]
 fn auth_probe_backoff_extreme_fail_streak_clamps_safely() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

-    let state = auth_probe_state_map();
+    let state = auth_probe_state_for_testing_in_shared(shared.as_ref());
    let peer_ip = IpAddr::V4(Ipv4Addr::new(198, 51, 100, 99));
    let now = Instant::now();

@@ -217,7 +211,7 @@ fn auth_probe_backoff_extreme_fail_streak_clamps_safely() {
        },
    );

-    auth_probe_record_failure_with_state(&state, peer_ip, now);
+    auth_probe_record_failure_with_state_in(shared.as_ref(), &state, peer_ip, now);

    let updated = state.get(&peer_ip).unwrap();
    assert_eq!(updated.fail_streak, u32::MAX);
@@ -270,8 +264,8 @@ fn generate_tg_nonce_cryptographic_uniqueness_and_entropy() {

 #[tokio::test]
 async fn mtproto_multi_user_decryption_isolation() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let mut config = ProxyConfig::default();
    config.general.modes.secure = true;
@@ -323,10 +317,8 @@ async fn mtproto_multi_user_decryption_isolation() {

 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn invalid_secret_warning_lock_contention_and_bound() {
-    let _guard = warned_secrets_test_lock()
-        .lock()
-        .unwrap_or_else(|poisoned| poisoned.into_inner());
-    clear_warned_secrets_for_testing();
+    let shared = ProxySharedState::new();
+    clear_warned_secrets_for_testing_in_shared(shared.as_ref());

    let tasks = 50;
    let iterations_per_task = 100;
@@ -335,11 +327,18 @@ async fn invalid_secret_warning_lock_contention_and_bound() {

    for t in 0..tasks {
        let b = barrier.clone();
+        let shared = shared.clone();
        handles.push(tokio::spawn(async move {
            b.wait().await;
            for i in 0..iterations_per_task {
                let user_name = format!("contention_user_{}_{}", t, i);
-                warn_invalid_secret_once(&user_name, "invalid_hex", ACCESS_SECRET_BYTES, None);
+                warn_invalid_secret_once_in(
+                    shared.as_ref(),
+                    &user_name,
+                    "invalid_hex",
+                    ACCESS_SECRET_BYTES,
+                    None,
+                );
            }
        }));
    }
@@ -348,7 +347,7 @@ async fn invalid_secret_warning_lock_contention_and_bound() {
        handle.await.unwrap();
    }

-    let warned = INVALID_SECRET_WARNED.get().unwrap();
+    let warned = warned_secrets_for_testing_in_shared(shared.as_ref());
    let guard = warned
        .lock()
        .unwrap_or_else(|poisoned| poisoned.into_inner());
@@ -362,8 +361,8 @@ async fn invalid_secret_warning_lock_contention_and_bound() {

 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn mtproto_strict_concurrent_replay_race_condition() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret_hex = "4A4A4A4A4A4A4A4A4A4A4A4A4A4A4A4A";
    let config = Arc::new(test_config_with_secret_hex(secret_hex));
@@ -428,8 +427,8 @@ async fn mtproto_strict_concurrent_replay_race_condition() {

 #[tokio::test]
 async fn tls_alpn_zero_length_protocol_handled_safely() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret = [0x5Bu8; 16];
    let mut config = test_config_with_secret_hex("5b5b5b5b5b5b5b5b5b5b5b5b5b5b5b5b");
@@ -461,8 +460,8 @@ async fn tls_alpn_zero_length_protocol_handled_safely() {

 #[tokio::test]
 async fn tls_sni_massive_hostname_does_not_panic() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret = [0x6Cu8; 16];
    let config = test_config_with_secret_hex("6c6c6c6c6c6c6c6c6c6c6c6c6c6c6c6c");
@@ -497,8 +496,8 @@ async fn tls_sni_massive_hostname_does_not_panic() {

 #[tokio::test]
 async fn tls_progressive_truncation_fuzzing_no_panics() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret = [0x7Du8; 16];
    let config = test_config_with_secret_hex("7d7d7d7d7d7d7d7d7d7d7d7d7d7d7d7d");
@@ -535,8 +534,8 @@ async fn tls_progressive_truncation_fuzzing_no_panics() {

 #[tokio::test]
 async fn mtproto_pure_entropy_fuzzing_no_panics() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let config = test_config_with_secret_hex("8e8e8e8e8e8e8e8e8e8e8e8e8e8e8e8e");
    let replay_checker = ReplayChecker::new(128, Duration::from_secs(60));
@@ -569,10 +568,8 @@ async fn mtproto_pure_entropy_fuzzing_no_panics() {

 #[test]
 fn decode_user_secret_odd_length_hex_rejection() {
-    let _guard = warned_secrets_test_lock()
-        .lock()
-        .unwrap_or_else(|poisoned| poisoned.into_inner());
-    clear_warned_secrets_for_testing();
+    let shared = ProxySharedState::new();
+    clear_warned_secrets_for_testing_in_shared(shared.as_ref());

    let mut config = ProxyConfig::default();
    config.access.users.clear();
@@ -581,7 +578,7 @@ fn decode_user_secret_odd_length_hex_rejection() {
        "1234567890123456789012345678901".to_string(),
    );

-    let decoded = decode_user_secrets(&config, None);
+    let decoded = decode_user_secrets_in(shared.as_ref(), &config, None);
    assert!(
        decoded.is_empty(),
        "Odd-length hex string must be gracefully rejected by hex::decode without unwrapping"
@@ -590,10 +587,10 @@ fn decode_user_secret_odd_length_hex_rejection() {

 #[test]
 fn saturation_grace_pre_existing_high_fail_streak_immediate_throttle() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

-    let state = auth_probe_state_map();
+    let state = auth_probe_state_for_testing_in_shared(shared.as_ref());
    let peer_ip = IpAddr::V4(Ipv4Addr::new(198, 51, 100, 112));
    let now = Instant::now();

@@ -608,7 +605,7 @@ fn saturation_grace_pre_existing_high_fail_streak_immediate_throttle() {
    );

    {
-        let mut guard = auth_probe_saturation_state_lock();
+        let mut guard = auth_probe_saturation_state_lock_for_testing_in_shared(shared.as_ref());
        *guard = Some(AuthProbeSaturationState {
            fail_streak: AUTH_PROBE_BACKOFF_START_FAILS,
            blocked_until: now + Duration::from_secs(5),
@@ -616,7 +613,7 @@ fn saturation_grace_pre_existing_high_fail_streak_immediate_throttle() {
        });
    }

-    let is_throttled = auth_probe_should_apply_preauth_throttle(peer_ip, now);
+    let is_throttled = auth_probe_should_apply_preauth_throttle_in(shared.as_ref(), peer_ip, now);
    assert!(
        is_throttled,
        "A peer with a pre-existing high fail streak must be immediately throttled when saturation begins, receiving no unearned grace period"
@@ -625,21 +622,22 @@ fn saturation_grace_pre_existing_high_fail_streak_immediate_throttle() {

 #[test]
 fn auth_probe_saturation_note_resets_retention_window() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let base_time = Instant::now();

-    auth_probe_note_saturation(base_time);
+    auth_probe_note_saturation_in(shared.as_ref(), base_time);
    let later = base_time + Duration::from_secs(AUTH_PROBE_TRACK_RETENTION_SECS - 1);
-    auth_probe_note_saturation(later);
+    auth_probe_note_saturation_in(shared.as_ref(), later);

    let check_time = base_time + Duration::from_secs(AUTH_PROBE_TRACK_RETENTION_SECS + 5);

    // This call may return false if backoff has elapsed, but it must not clear
    // the saturation state because `later` refreshed last_seen.
-    let _ = auth_probe_saturation_is_throttled_at_for_testing(check_time);
-    let guard = auth_probe_saturation_state_lock();
+    let _ =
+        auth_probe_saturation_is_throttled_at_for_testing_in_shared(shared.as_ref(), check_time);
+    let guard = auth_probe_saturation_state_lock_for_testing_in_shared(shared.as_ref());
    assert!(
        guard.is_some(),
        "Ongoing saturation notes must refresh last_seen so saturation state remains retained past the original window"
@@ -6,12 +6,6 @@ use std::sync::Arc;
 use std::time::{Duration, Instant};
 use tokio::sync::Barrier;

-fn auth_probe_test_guard() -> std::sync::MutexGuard<'static, ()> {
-    auth_probe_test_lock()
-        .lock()
-        .unwrap_or_else(|poisoned| poisoned.into_inner())
-}
-
 fn test_config_with_secret_hex(secret_hex: &str) -> ProxyConfig {
    let mut cfg = ProxyConfig::default();
    cfg.access.users.clear();
@@ -127,8 +121,8 @@ fn make_valid_mtproto_handshake(

 #[tokio::test]
 async fn tls_alpn_reject_does_not_pollute_replay_cache() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let secret = [0x11u8; 16];
    let mut config = test_config_with_secret_hex("11111111111111111111111111111111");
@@ -164,8 +158,8 @@ async fn tls_alpn_reject_does_not_pollute_replay_cache() {

 #[tokio::test]
 async fn tls_truncated_session_id_len_fails_closed_without_panic() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let config = test_config_with_secret_hex("33333333333333333333333333333333");
    let replay_checker = ReplayChecker::new(128, Duration::from_secs(60));
@@ -193,10 +187,10 @@ async fn tls_truncated_session_id_len_fails_closed_without_panic() {

 #[test]
 fn auth_probe_eviction_identical_timestamps_keeps_map_bounded() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

-    let state = auth_probe_state_map();
+    let state = auth_probe_state_for_testing_in_shared(shared.as_ref());
    let same = Instant::now();

    for i in 0..AUTH_PROBE_TRACK_MAX_ENTRIES {
@@ -212,7 +206,12 @@ fn auth_probe_eviction_identical_timestamps_keeps_map_bounded() {
    }

    let new_ip = IpAddr::V4(Ipv4Addr::new(192, 168, 21, 21));
-    auth_probe_record_failure_with_state(state, new_ip, same + Duration::from_millis(1));
+    auth_probe_record_failure_with_state_in(
+        shared.as_ref(),
+        state,
+        new_ip,
+        same + Duration::from_millis(1),
+    );

    assert_eq!(state.len(), AUTH_PROBE_TRACK_MAX_ENTRIES);
    assert!(state.contains_key(&new_ip));
@@ -220,21 +219,21 @@ fn auth_probe_eviction_identical_timestamps_keeps_map_bounded() {

 #[test]
 fn clear_auth_probe_state_recovers_from_poisoned_saturation_lock() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

-    let saturation = auth_probe_saturation_state();
+    let shared_for_poison = shared.clone();
    let poison_thread = std::thread::spawn(move || {
-        let _hold = saturation
+        let _hold = auth_probe_saturation_state_for_testing_in_shared(shared_for_poison.as_ref())
            .lock()
            .unwrap_or_else(|poisoned| poisoned.into_inner());
        panic!("intentional poison for regression coverage");
    });
    let _ = poison_thread.join();

-    clear_auth_probe_state_for_testing();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

-    let guard = auth_probe_saturation_state()
+    let guard = auth_probe_saturation_state_for_testing_in_shared(shared.as_ref())
        .lock()
        .unwrap_or_else(|poisoned| poisoned.into_inner());
    assert!(guard.is_none());
@@ -242,12 +241,9 @@ fn clear_auth_probe_state_recovers_from_poisoned_saturation_lock() {

 #[tokio::test]
 async fn mtproto_invalid_length_secret_is_ignored_and_valid_user_still_auths() {
-    let _probe_guard = auth_probe_test_guard();
-    let _warn_guard = warned_secrets_test_lock()
-        .lock()
-        .unwrap_or_else(|poisoned| poisoned.into_inner());
-    clear_auth_probe_state_for_testing();
-    clear_warned_secrets_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());
+    clear_warned_secrets_for_testing_in_shared(shared.as_ref());

    let mut config = ProxyConfig::default();
    config.general.modes.secure = true;
@@ -285,14 +281,14 @@ async fn mtproto_invalid_length_secret_is_ignored_and_valid_user_still_auths() {

 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn saturation_grace_exhaustion_under_concurrency_keeps_peer_throttled() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    let peer_ip = IpAddr::V4(Ipv4Addr::new(198, 51, 100, 80));
    let now = Instant::now();

    {
-        let mut guard = auth_probe_saturation_state()
+        let mut guard = auth_probe_saturation_state_for_testing_in_shared(shared.as_ref())
            .lock()
            .unwrap_or_else(|poisoned| poisoned.into_inner());
        *guard = Some(AuthProbeSaturationState {
@@ -302,7 +298,7 @@ async fn saturation_grace_exhaustion_under_concurrency_keeps_peer_throttled() {
        });
    }

-    let state = auth_probe_state_map();
+    let state = auth_probe_state_for_testing_in_shared(shared.as_ref());
    state.insert(
        peer_ip,
        AuthProbeState {
@@ -318,9 +314,10 @@ async fn saturation_grace_exhaustion_under_concurrency_keeps_peer_throttled() {

    for _ in 0..tasks {
        let b = barrier.clone();
+        let shared = shared.clone();
        handles.push(tokio::spawn(async move {
            b.wait().await;
-            auth_probe_record_failure(peer_ip, Instant::now());
+            auth_probe_record_failure_in(shared.as_ref(), peer_ip, Instant::now());
        }));
    }

@@ -333,7 +330,8 @@ async fn saturation_grace_exhaustion_under_concurrency_keeps_peer_throttled() {
        final_state.fail_streak
            >= AUTH_PROBE_BACKOFF_START_FAILS + AUTH_PROBE_SATURATION_GRACE_FAILS
    );
-    assert!(auth_probe_should_apply_preauth_throttle(
+    assert!(auth_probe_should_apply_preauth_throttle_in(
+        shared.as_ref(),
        peer_ip,
        Instant::now()
    ));
@@ -1,46 +1,39 @@
 use super::*;
 use std::time::{Duration, Instant};

-fn auth_probe_test_guard() -> std::sync::MutexGuard<'static, ()> {
-    auth_probe_test_lock()
-        .lock()
-        .unwrap_or_else(|poisoned| poisoned.into_inner())
-}
-
-fn poison_saturation_mutex() {
-    let saturation = auth_probe_saturation_state();
-    let poison_thread = std::thread::spawn(move || {
+fn poison_saturation_mutex(shared: &ProxySharedState) {
+    let saturation = auth_probe_saturation_state_for_testing_in_shared(shared);
+    let _ = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
        let _guard = saturation
            .lock()
            .expect("saturation mutex must be lockable for poison setup");
        panic!("intentional poison for saturation mutex resilience test");
-    });
-    let _ = poison_thread.join();
+    }));
 }

 #[test]
 fn auth_probe_saturation_note_recovers_after_mutex_poison() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
-    poison_saturation_mutex();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());
+    poison_saturation_mutex(shared.as_ref());

    let now = Instant::now();
-    auth_probe_note_saturation(now);
+    auth_probe_note_saturation_in(shared.as_ref(), now);

    assert!(
-        auth_probe_saturation_is_throttled_at_for_testing(now),
+        auth_probe_saturation_is_throttled_at_for_testing_in_shared(shared.as_ref(), now),
        "poisoned saturation mutex must not disable saturation throttling"
    );
 }

 #[test]
 fn auth_probe_saturation_check_recovers_after_mutex_poison() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
-    poison_saturation_mutex();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());
+    poison_saturation_mutex(shared.as_ref());

    {
-        let mut guard = auth_probe_saturation_state_lock();
+        let mut guard = auth_probe_saturation_state_lock_for_testing_in_shared(shared.as_ref());
        *guard = Some(AuthProbeSaturationState {
            fail_streak: AUTH_PROBE_BACKOFF_START_FAILS,
            blocked_until: Instant::now() + Duration::from_millis(10),
@@ -49,23 +42,25 @@ fn auth_probe_saturation_check_recovers_after_mutex_poison() {
    }

    assert!(
-        auth_probe_saturation_is_throttled_for_testing(),
+        auth_probe_saturation_is_throttled_for_testing_in_shared(shared.as_ref()),
        "throttle check must recover poisoned saturation mutex and stay fail-closed"
    );
 }

 #[test]
 fn clear_auth_probe_state_clears_saturation_even_if_poisoned() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
-    poison_saturation_mutex();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());
+    poison_saturation_mutex(shared.as_ref());

-    auth_probe_note_saturation(Instant::now());
-    assert!(auth_probe_saturation_is_throttled_for_testing());
+    auth_probe_note_saturation_in(shared.as_ref(), Instant::now());
+    assert!(auth_probe_saturation_is_throttled_for_testing_in_shared(
+        shared.as_ref()
+    ));

-    clear_auth_probe_state_for_testing();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());
    assert!(
-        !auth_probe_saturation_is_throttled_for_testing(),
+        !auth_probe_saturation_is_throttled_for_testing_in_shared(shared.as_ref()),
        "clear helper must clear saturation state even after poison"
    );
 }
@@ -4,12 +4,6 @@ use crate::protocol::constants::{ProtoTag, TLS_RECORD_HANDSHAKE, TLS_VERSION};
 use std::net::SocketAddr;
 use std::time::{Duration, Instant};

-fn auth_probe_test_guard() -> std::sync::MutexGuard<'static, ()> {
-    auth_probe_test_lock()
-        .lock()
-        .unwrap_or_else(|poisoned| poisoned.into_inner())
-}
-
 fn make_valid_mtproto_handshake(
    secret_hex: &str,
    proto_tag: ProtoTag,
@@ -149,8 +143,8 @@ fn median_ns(samples: &mut [u128]) -> u128 {
 #[tokio::test]
 #[ignore = "manual benchmark: timing-sensitive and host-dependent"]
 async fn mtproto_user_scan_timing_manual_benchmark() {
-    let _guard = auth_probe_test_guard();
-    clear_auth_probe_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());

    const DECOY_USERS: usize = 8_000;
    const ITERATIONS: usize = 250;
@@ -243,7 +237,7 @@ async fn mtproto_user_scan_timing_manual_benchmark() {
 #[tokio::test]
 #[ignore = "manual benchmark: timing-sensitive and host-dependent"]
 async fn tls_sni_preferred_vs_no_sni_fallback_manual_benchmark() {
-    let _guard = auth_probe_test_guard();
+    let shared = ProxySharedState::new();

    const DECOY_USERS: usize = 8_000;
    const ITERATIONS: usize = 250;
@@ -281,7 +275,7 @@ async fn tls_sni_preferred_vs_no_sni_fallback_manual_benchmark() {
        let no_sni = make_valid_tls_handshake(&target_secret, (i as u32).wrapping_add(10_000));

        let started_sni = Instant::now();
-        let sni_secrets = decode_user_secrets(&config, Some(preferred_user));
+        let sni_secrets = decode_user_secrets_in(shared.as_ref(), &config, Some(preferred_user));
        let sni_result = tls::validate_tls_handshake_with_replay_window(
            &with_sni,
            &sni_secrets,
@@ -292,7 +286,7 @@ async fn tls_sni_preferred_vs_no_sni_fallback_manual_benchmark() {
        assert!(sni_result.is_some());

        let started_no_sni = Instant::now();
-        let no_sni_secrets = decode_user_secrets(&config, None);
+        let no_sni_secrets = decode_user_secrets_in(shared.as_ref(), &config, None);
        let no_sni_result = tls::validate_tls_handshake_with_replay_window(
            &no_sni,
            &no_sni_secrets,
@@ -0,0 +1,156 @@
+use super::*;
+use tokio::io::duplex;
+use tokio::net::TcpListener;
+use tokio::time::{Duration, Instant, timeout};
+
+#[test]
+fn masking_baseline_timing_normalization_budget_within_bounds() {
+    let mut config = ProxyConfig::default();
+    config.censorship.mask_timing_normalization_enabled = true;
+    config.censorship.mask_timing_normalization_floor_ms = 120;
+    config.censorship.mask_timing_normalization_ceiling_ms = 180;
+
+    for _ in 0..256 {
+        let budget = mask_outcome_target_budget(&config);
+        assert!(budget >= Duration::from_millis(120));
+        assert!(budget <= Duration::from_millis(180));
+    }
+}
+
+#[tokio::test]
+async fn masking_baseline_fallback_relays_to_mask_host() {
+    let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
+    let backend_addr = listener.local_addr().unwrap();
+    let initial = b"GET /baseline HTTP/1.1\r\nHost: x\r\n\r\n".to_vec();
+    let reply = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nOK".to_vec();
+
+    let accept_task = tokio::spawn({
+        let initial = initial.clone();
+        let reply = reply.clone();
+        async move {
+            let (mut stream, _) = listener.accept().await.unwrap();
+            let mut seen = vec![0u8; initial.len()];
+            stream.read_exact(&mut seen).await.unwrap();
+            assert_eq!(seen, initial);
+            stream.write_all(&reply).await.unwrap();
+        }
+    });
+
+    let mut config = ProxyConfig::default();
+    config.general.beobachten = false;
+    config.censorship.mask = true;
+    config.censorship.mask_host = Some("127.0.0.1".to_string());
+    config.censorship.mask_port = backend_addr.port();
+    config.censorship.mask_unix_sock = None;
+    config.censorship.mask_proxy_protocol = 0;
+
+    let peer: SocketAddr = "203.0.113.70:55070".parse().unwrap();
+    let local_addr: SocketAddr = "127.0.0.1:443".parse().unwrap();
+
+    let (client_reader, _client_writer) = duplex(1024);
+    let (mut visible_reader, visible_writer) = duplex(2048);
+    let beobachten = BeobachtenStore::new();
+
+    handle_bad_client(
+        client_reader,
+        visible_writer,
+        &initial,
+        peer,
+        local_addr,
+        &config,
+        &beobachten,
+    )
+    .await;
+
+    let mut observed = vec![0u8; reply.len()];
+    visible_reader.read_exact(&mut observed).await.unwrap();
+    assert_eq!(observed, reply);
+    accept_task.await.unwrap();
+}
+
+#[test]
+fn masking_baseline_no_normalization_returns_default_budget() {
+    let mut config = ProxyConfig::default();
+    config.censorship.mask_timing_normalization_enabled = false;
+    let budget = mask_outcome_target_budget(&config);
+    assert_eq!(budget, MASK_TIMEOUT);
+}
+
+#[tokio::test]
+async fn masking_baseline_unreachable_mask_host_silent_failure() {
+    let mut config = ProxyConfig::default();
+    config.general.beobachten = false;
+    config.censorship.mask = true;
+    config.censorship.mask_unix_sock = None;
+    config.censorship.mask_host = Some("127.0.0.1".to_string());
+    config.censorship.mask_port = 1;
+    config.censorship.mask_timing_normalization_enabled = false;
+
+    let peer: SocketAddr = "203.0.113.71:55071".parse().unwrap();
+    let local_addr: SocketAddr = "127.0.0.1:443".parse().unwrap();
+    let beobachten = BeobachtenStore::new();
+
+    let (client_reader, _client_writer) = duplex(1024);
+    let (mut visible_reader, visible_writer) = duplex(1024);
+
+    let started = Instant::now();
+    handle_bad_client(
+        client_reader,
+        visible_writer,
+        b"GET / HTTP/1.1\r\n\r\n",
+        peer,
+        local_addr,
+        &config,
+        &beobachten,
+    )
+    .await;
+    let elapsed = started.elapsed();
+
+    assert!(elapsed < Duration::from_secs(1));
+
+    let mut buf = [0u8; 1];
+    let read_res = timeout(Duration::from_millis(50), visible_reader.read(&mut buf)).await;
+    match read_res {
+        Ok(Ok(0)) | Err(_) => {}
+        Ok(Ok(n)) => panic!("expected no response bytes, got {n}"),
+        Ok(Err(e)) => panic!("unexpected client-side read error: {e}"),
+    }
+}
+
+#[tokio::test]
+async fn masking_baseline_light_fuzz_initial_data_no_panic() {
+    let mut config = ProxyConfig::default();
+    config.general.beobachten = false;
+    config.censorship.mask = false;
+
+    let peer: SocketAddr = "203.0.113.72:55072".parse().unwrap();
+    let local_addr: SocketAddr = "127.0.0.1:443".parse().unwrap();
+    let beobachten = BeobachtenStore::new();
+
+    let corpus: Vec<Vec<u8>> = vec![
+        vec![],
+        vec![0x00],
+        vec![0xFF; 1024],
+        (0..255u8).collect(),
+        b"\xF0\x28\x8C\x28".to_vec(),
+    ];
+
+    for sample in corpus {
+        let (client_reader, _client_writer) = duplex(1024);
+        let (_visible_reader, visible_writer) = duplex(1024);
+        timeout(
+            Duration::from_millis(300),
+            handle_bad_client(
+                client_reader,
+                visible_writer,
+                &sample,
+                peer,
+                local_addr,
+                &config,
+                &beobachten,
+            ),
+        )
+        .await
+        .expect("fuzz sample must complete in bounded time");
+    }
+}
@@ -0,0 +1,336 @@
+use super::*;
+use rand::SeedableRng;
+use rand::rngs::StdRng;
+
+fn seeded_rng(seed: u64) -> StdRng {
+    StdRng::seed_from_u64(seed)
+}
+
+// ── Positive: all samples within configured envelope ────────────────────
+
+#[test]
+fn masking_lognormal_all_samples_within_configured_envelope() {
+    let mut rng = seeded_rng(42);
+    let floor: u64 = 500;
+    let ceiling: u64 = 2000;
+    for _ in 0..10_000 {
+        let val = sample_lognormal_percentile_bounded(floor, ceiling, &mut rng);
+        assert!(
+            val >= floor && val <= ceiling,
+            "sample {} outside [{}, {}]",
+            val,
+            floor,
+            ceiling,
+        );
+    }
+}
+
+// ── Statistical: median near geometric mean ─────────────────────────────
+
+#[test]
+fn masking_lognormal_sample_median_near_geometric_mean_of_range() {
+    let mut rng = seeded_rng(42);
+    let floor: u64 = 500;
+    let ceiling: u64 = 2000;
+    let geometric_mean = ((floor as f64) * (ceiling as f64)).sqrt();
+
+    let mut samples: Vec<u64> = (0..10_000)
+        .map(|_| sample_lognormal_percentile_bounded(floor, ceiling, &mut rng))
+        .collect();
+    samples.sort();
+    let median = samples[samples.len() / 2] as f64;
+
+    let tolerance = geometric_mean * 0.10;
+    assert!(
+        (median - geometric_mean).abs() <= tolerance,
+        "median {} not within 10% of geometric mean {} (tolerance {})",
+        median,
+        geometric_mean,
+        tolerance,
+    );
+}
+
+// ── Edge: degenerate floor == ceiling returns exactly that value ─────────
+
+#[test]
+fn masking_lognormal_degenerate_floor_eq_ceiling_returns_floor() {
+    let mut rng = seeded_rng(99);
+    for _ in 0..100 {
+        let val = sample_lognormal_percentile_bounded(1000, 1000, &mut rng);
+        assert_eq!(
+            val, 1000,
+            "floor == ceiling must always return exactly that value"
+        );
+    }
+}
+
+// ── Edge: floor > ceiling (misconfiguration) clamps safely ──────────────
+
+#[test]
+fn masking_lognormal_floor_greater_than_ceiling_returns_ceiling() {
+    let mut rng = seeded_rng(77);
+    let val = sample_lognormal_percentile_bounded(2000, 500, &mut rng);
+    assert_eq!(
+        val, 500,
+        "floor > ceiling misconfiguration must return ceiling (the minimum)"
+    );
+}
+
+// ── Edge: floor == 1, ceiling == 1 ──────────────────────────────────────
+
+#[test]
+fn masking_lognormal_floor_1_ceiling_1_returns_1() {
+    let mut rng = seeded_rng(12);
+    let val = sample_lognormal_percentile_bounded(1, 1, &mut rng);
+    assert_eq!(val, 1);
+}
+
+// ── Edge: floor == 1, ceiling very large ────────────────────────────────
+
+#[test]
+fn masking_lognormal_wide_range_all_samples_within_bounds() {
+    let mut rng = seeded_rng(55);
+    let floor: u64 = 1;
+    let ceiling: u64 = 100_000;
+    for _ in 0..10_000 {
+        let val = sample_lognormal_percentile_bounded(floor, ceiling, &mut rng);
+        assert!(
+            val >= floor && val <= ceiling,
+            "sample {} outside [{}, {}]",
+            val,
+            floor,
+            ceiling,
+        );
+    }
+}
+
+// ── Adversarial: extreme sigma (floor very close to ceiling) ────────────
+
+#[test]
+fn masking_lognormal_narrow_range_does_not_panic() {
+    let mut rng = seeded_rng(88);
+    let floor: u64 = 999;
+    let ceiling: u64 = 1001;
+    for _ in 0..10_000 {
+        let val = sample_lognormal_percentile_bounded(floor, ceiling, &mut rng);
+        assert!(
+            val >= floor && val <= ceiling,
+            "narrow range sample {} outside [{}, {}]",
+            val,
+            floor,
+            ceiling,
+        );
+    }
+}
+
+// ── Adversarial: u64::MAX ceiling does not overflow ──────────────────────
+
+#[test]
+fn masking_lognormal_u64_max_ceiling_no_overflow() {
+    let mut rng = seeded_rng(123);
+    let floor: u64 = 1;
+    let ceiling: u64 = u64::MAX;
+    for _ in 0..1000 {
+        let val = sample_lognormal_percentile_bounded(floor, ceiling, &mut rng);
+        assert!(val >= floor, "sample {} below floor {}", val, floor);
+        // u64::MAX clamp ensures no overflow
+    }
+}
+
+// ── Adversarial: floor == 0 guard ───────────────────────────────────────
+// The function should handle floor=0 gracefully even though callers
+// should never pass it. Verifies no panic on ln(0).
+
+#[test]
+fn masking_lognormal_floor_zero_no_panic() {
+    let mut rng = seeded_rng(200);
+    let val = sample_lognormal_percentile_bounded(0, 1000, &mut rng);
+    assert!(val <= 1000, "sample {} exceeds ceiling 1000", val);
+}
+
+// ── Adversarial: both zero → returns 0 ──────────────────────────────────
+
+#[test]
+fn masking_lognormal_both_zero_returns_zero() {
+    let mut rng = seeded_rng(201);
+    let val = sample_lognormal_percentile_bounded(0, 0, &mut rng);
+    assert_eq!(val, 0, "floor=0 ceiling=0 must return 0");
+}
+
+// ── Distribution shape: not uniform ─────────────────────────────────────
+// A DPI classifier trained on uniform delay samples should detect a
+// distribution where > 60% of samples fall in the lower half of the range.
+// Log-normal is right-skewed: more samples near floor than ceiling.
+
+#[test]
+fn masking_lognormal_distribution_is_right_skewed() {
+    let mut rng = seeded_rng(42);
+    let floor: u64 = 100;
+    let ceiling: u64 = 5000;
+    let midpoint = (floor + ceiling) / 2;
+
+    let samples: Vec<u64> = (0..10_000)
+        .map(|_| sample_lognormal_percentile_bounded(floor, ceiling, &mut rng))
+        .collect();
+
+    let below_mid = samples.iter().filter(|&&s| s < midpoint).count();
+    let ratio = below_mid as f64 / samples.len() as f64;
+
+    assert!(
+        ratio > 0.55,
+        "Log-normal should be right-skewed (>55% below midpoint), got {}%",
+        ratio * 100.0,
+    );
+}
+
+// ── Determinism: same seed produces same sequence ───────────────────────
+
+#[test]
+fn masking_lognormal_deterministic_with_same_seed() {
+    let mut rng1 = seeded_rng(42);
+    let mut rng2 = seeded_rng(42);
+    for _ in 0..100 {
+        let a = sample_lognormal_percentile_bounded(500, 2000, &mut rng1);
+        let b = sample_lognormal_percentile_bounded(500, 2000, &mut rng2);
+        assert_eq!(a, b, "Same seed must produce same output");
+    }
+}
+
+// ── Fuzz: 1000 random (floor, ceiling) pairs, no panics ─────────────────
+
+#[test]
+fn masking_lognormal_fuzz_random_params_no_panic() {
+    use rand::Rng;
+    let mut rng = seeded_rng(999);
+    for _ in 0..1000 {
+        let a: u64 = rng.random_range(0..=10_000);
+        let b: u64 = rng.random_range(0..=10_000);
+        let floor = a.min(b);
+        let ceiling = a.max(b);
+        let val = sample_lognormal_percentile_bounded(floor, ceiling, &mut rng);
+        assert!(
+            val >= floor && val <= ceiling,
+            "fuzz: sample {} outside [{}, {}]",
+            val,
+            floor,
+            ceiling,
+        );
+    }
+}
+
+// ── Fuzz: adversarial floor > ceiling pairs ──────────────────────────────
+
+#[test]
+fn masking_lognormal_fuzz_inverted_params_no_panic() {
+    use rand::Rng;
+    let mut rng = seeded_rng(777);
+    for _ in 0..500 {
+        let floor: u64 = rng.random_range(1..=10_000);
+        let ceiling: u64 = rng.random_range(0..floor);
+        // When floor > ceiling, must return ceiling (the smaller value)
+        let val = sample_lognormal_percentile_bounded(floor, ceiling, &mut rng);
+        assert_eq!(
+            val, ceiling,
+            "inverted: floor={} ceiling={} should return ceiling, got {}",
+            floor, ceiling, val,
+        );
+    }
+}
+
+// ── Security: clamp spike check ─────────────────────────────────────────
+// With well-parameterized sigma, no more than 5% of samples should be
+// at exactly floor or exactly ceiling (clamp spikes). A spike > 10%
+// is detectable by DPI as bimodal.
+
+#[test]
+fn masking_lognormal_no_clamp_spike_at_boundaries() {
+    let mut rng = seeded_rng(42);
+    let floor: u64 = 500;
+    let ceiling: u64 = 2000;
+    let n = 10_000;
+    let samples: Vec<u64> = (0..n)
+        .map(|_| sample_lognormal_percentile_bounded(floor, ceiling, &mut rng))
+        .collect();
+
+    let at_floor = samples.iter().filter(|&&s| s == floor).count();
+    let at_ceiling = samples.iter().filter(|&&s| s == ceiling).count();
+    let floor_pct = at_floor as f64 / n as f64;
+    let ceiling_pct = at_ceiling as f64 / n as f64;
+
+    assert!(
+        floor_pct < 0.05,
+        "floor clamp spike: {}% of samples at exactly floor (max 5%)",
+        floor_pct * 100.0,
+    );
+    assert!(
+        ceiling_pct < 0.05,
+        "ceiling clamp spike: {}% of samples at exactly ceiling (max 5%)",
+        ceiling_pct * 100.0,
+    );
+}
+
+// ── Integration: mask_outcome_target_budget uses log-normal for path 3 ──
+
+#[tokio::test]
+async fn masking_lognormal_integration_budget_within_bounds() {
+    let mut config = ProxyConfig::default();
+    config.censorship.mask_timing_normalization_enabled = true;
+    config.censorship.mask_timing_normalization_floor_ms = 500;
+    config.censorship.mask_timing_normalization_ceiling_ms = 2000;
+
+    for _ in 0..100 {
+        let budget = mask_outcome_target_budget(&config);
+        let ms = budget.as_millis() as u64;
+        assert!(
+            ms >= 500 && ms <= 2000,
+            "budget {} ms outside [500, 2000]",
+            ms,
+        );
+    }
+}
+
+// ── Integration: floor == 0 path stays uniform (NOT log-normal) ─────────
+
+#[tokio::test]
+async fn masking_lognormal_floor_zero_path_stays_uniform() {
+    let mut config = ProxyConfig::default();
+    config.censorship.mask_timing_normalization_enabled = true;
+    config.censorship.mask_timing_normalization_floor_ms = 0;
+    config.censorship.mask_timing_normalization_ceiling_ms = 1000;
+
+    for _ in 0..100 {
+        let budget = mask_outcome_target_budget(&config);
+        let ms = budget.as_millis() as u64;
+        // floor=0 path uses uniform [0, ceiling], not log-normal
+        assert!(ms <= 1000, "budget {} ms exceeds ceiling 1000", ms);
+    }
+}
+
+// ── Integration: floor > ceiling misconfiguration is safe ───────────────
+
+#[tokio::test]
+async fn masking_lognormal_misconfigured_floor_gt_ceiling_safe() {
+    let mut config = ProxyConfig::default();
+    config.censorship.mask_timing_normalization_enabled = true;
+    config.censorship.mask_timing_normalization_floor_ms = 2000;
+    config.censorship.mask_timing_normalization_ceiling_ms = 500;
+
+    let budget = mask_outcome_target_budget(&config);
+    let ms = budget.as_millis() as u64;
+    // floor > ceiling: should not exceed the minimum of the two
+    assert!(
+        ms <= 2000,
+        "misconfigured budget {} ms should be bounded",
+        ms,
+    );
+}
+
+// ── Stress: rapid repeated calls do not panic or starve ─────────────────
+
+#[test]
+fn masking_lognormal_stress_rapid_calls_no_panic() {
+    let mut rng = seeded_rng(42);
+    for _ in 0..100_000 {
+        let _ = sample_lognormal_percentile_bounded(100, 5000, &mut rng);
+    }
+}
@@ -0,0 +1,60 @@
+use super::*;
+use std::time::{Duration, Instant};
+
+#[test]
+fn middle_relay_baseline_public_api_idle_roundtrip_contract() {
+    let shared = ProxySharedState::new();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
+
+    assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 7001));
+    assert_eq!(
+        oldest_relay_idle_candidate_for_testing(shared.as_ref()),
+        Some(7001)
+    );
+
+    clear_relay_idle_candidate_for_testing(shared.as_ref(), 7001);
+    assert_ne!(
+        oldest_relay_idle_candidate_for_testing(shared.as_ref()),
+        Some(7001)
+    );
+
+    assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 7001));
+    assert_eq!(
+        oldest_relay_idle_candidate_for_testing(shared.as_ref()),
+        Some(7001)
+    );
+
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
+}
+
+#[test]
+fn middle_relay_baseline_public_api_desync_window_contract() {
+    let shared = ProxySharedState::new();
+    clear_desync_dedup_for_testing_in_shared(shared.as_ref());
+
+    let key = 0xDEAD_BEEF_0000_0001u64;
+    let t0 = Instant::now();
+
+    assert!(should_emit_full_desync_for_testing(
+        shared.as_ref(),
+        key,
+        false,
+        t0
+    ));
+    assert!(!should_emit_full_desync_for_testing(
+        shared.as_ref(),
+        key,
+        false,
+        t0 + Duration::from_secs(1)
+    ));
+
+    let t1 = t0 + DESYNC_DEDUP_WINDOW + Duration::from_millis(10);
+    assert!(should_emit_full_desync_for_testing(
+        shared.as_ref(),
+        key,
+        false,
+        t1
+    ));
+
+    clear_desync_dedup_for_testing_in_shared(shared.as_ref());
+}
@@ -5,22 +5,25 @@ use std::thread;

 #[test]
 fn desync_all_full_bypass_does_not_initialize_or_grow_dedup_cache() {
-    let _guard = desync_dedup_test_lock()
-        .lock()
-        .expect("desync dedup test lock must be available");
-    clear_desync_dedup_for_testing();
+    let shared = ProxySharedState::new();
+    clear_desync_dedup_for_testing_in_shared(shared.as_ref());

-    let initial_len = DESYNC_DEDUP.get().map(|dedup| dedup.len()).unwrap_or(0);
+    let initial_len = desync_dedup_len_for_testing(shared.as_ref());
    let now = Instant::now();

    for i in 0..20_000u64 {
        assert!(
-            should_emit_full_desync(0xD35E_D000_0000_0000u64 ^ i, true, now),
+            should_emit_full_desync_for_testing(
+                shared.as_ref(),
+                0xD35E_D000_0000_0000u64 ^ i,
+                true,
+                now
+            ),
            "desync_all_full path must always emit"
        );
    }

-    let after_len = DESYNC_DEDUP.get().map(|dedup| dedup.len()).unwrap_or(0);
+    let after_len = desync_dedup_len_for_testing(shared.as_ref());
    assert_eq!(
        after_len, initial_len,
        "desync_all_full bypass must not allocate or accumulate dedup entries"
@@ -29,39 +32,39 @@ fn desync_all_full_bypass_does_not_initialize_or_grow_dedup_cache() {

 #[test]
 fn desync_all_full_bypass_keeps_existing_dedup_entries_unchanged() {
-    let _guard = desync_dedup_test_lock()
-        .lock()
-        .expect("desync dedup test lock must be available");
-    clear_desync_dedup_for_testing();
+    let shared = ProxySharedState::new();
+    clear_desync_dedup_for_testing_in_shared(shared.as_ref());

-    let dedup = DESYNC_DEDUP.get_or_init(DashMap::new);
    let seed_time = Instant::now() - Duration::from_secs(7);
-    dedup.insert(0xAAAABBBBCCCCDDDD, seed_time);
-    dedup.insert(0x1111222233334444, seed_time);
+    desync_dedup_insert_for_testing(shared.as_ref(), 0xAAAABBBBCCCCDDDD, seed_time);
+    desync_dedup_insert_for_testing(shared.as_ref(), 0x1111222233334444, seed_time);

    let now = Instant::now();
    for i in 0..2048u64 {
        assert!(
-            should_emit_full_desync(0xF011_F000_0000_0000u64 ^ i, true, now),
+            should_emit_full_desync_for_testing(
+                shared.as_ref(),
+                0xF011_F000_0000_0000u64 ^ i,
+                true,
+                now
+            ),
            "desync_all_full must bypass suppression and dedup refresh"
        );
    }

    assert_eq!(
-        dedup.len(),
+        desync_dedup_len_for_testing(shared.as_ref()),
        2,
        "bypass path must not mutate dedup cardinality"
    );
    assert_eq!(
-        *dedup
-            .get(&0xAAAABBBBCCCCDDDD)
+        desync_dedup_get_for_testing(shared.as_ref(), 0xAAAABBBBCCCCDDDD)
            .expect("seed key must remain"),
        seed_time,
        "bypass path must not refresh existing dedup timestamps"
    );
    assert_eq!(
-        *dedup
-            .get(&0x1111222233334444)
+        desync_dedup_get_for_testing(shared.as_ref(), 0x1111222233334444)
            .expect("seed key must remain"),
        seed_time,
        "bypass path must not touch unrelated dedup entries"
@@ -70,14 +73,13 @@ fn desync_all_full_bypass_keeps_existing_dedup_entries_unchanged() {

 #[test]
 fn edge_all_full_burst_does_not_poison_later_false_path_tracking() {
-    let _guard = desync_dedup_test_lock()
-        .lock()
-        .expect("desync dedup test lock must be available");
-    clear_desync_dedup_for_testing();
+    let shared = ProxySharedState::new();
+    clear_desync_dedup_for_testing_in_shared(shared.as_ref());

    let now = Instant::now();
    for i in 0..8192u64 {
-        assert!(should_emit_full_desync(
+        assert!(should_emit_full_desync_for_testing(
+            shared.as_ref(),
            0xABCD_0000_0000_0000 ^ i,
            true,
            now
@@ -86,26 +88,20 @@ fn edge_all_full_burst_does_not_poison_later_false_path_tracking() {

    let tracked_key = 0xDEAD_BEEF_0000_0001u64;
    assert!(
-        should_emit_full_desync(tracked_key, false, now),
+        should_emit_full_desync_for_testing(shared.as_ref(), tracked_key, false, now),
        "first false-path event after all_full burst must still be tracked and emitted"
    );

-    let dedup = DESYNC_DEDUP
-        .get()
-        .expect("false path should initialize dedup");
-    assert!(dedup.get(&tracked_key).is_some());
+    assert!(desync_dedup_get_for_testing(shared.as_ref(), tracked_key).is_some());
 }

 #[test]
 fn adversarial_mixed_sequence_true_steps_never_change_cache_len() {
-    let _guard = desync_dedup_test_lock()
-        .lock()
-        .expect("desync dedup test lock must be available");
-    clear_desync_dedup_for_testing();
+    let shared = ProxySharedState::new();
+    clear_desync_dedup_for_testing_in_shared(shared.as_ref());

-    let dedup = DESYNC_DEDUP.get_or_init(DashMap::new);
    for i in 0..256u64 {
-        dedup.insert(0x1000_0000_0000_0000 ^ i, Instant::now());
+        desync_dedup_insert_for_testing(shared.as_ref(), 0x1000_0000_0000_0000 ^ i, Instant::now());
    }

    let mut seed = 0xC0DE_CAFE_BAAD_F00Du64;
@@ -116,9 +112,14 @@ fn adversarial_mixed_sequence_true_steps_never_change_cache_len() {

        let flag_all_full = (seed & 0x1) == 1;
        let key = 0x7000_0000_0000_0000u64 ^ i ^ seed;
-        let before = dedup.len();
-        let _ = should_emit_full_desync(key, flag_all_full, Instant::now());
-        let after = dedup.len();
+        let before = desync_dedup_len_for_testing(shared.as_ref());
+        let _ = should_emit_full_desync_for_testing(
+            shared.as_ref(),
+            key,
+            flag_all_full,
+            Instant::now(),
+        );
+        let after = desync_dedup_len_for_testing(shared.as_ref());

        if flag_all_full {
            assert_eq!(after, before, "all_full step must not mutate dedup length");
@@ -128,50 +129,51 @@ fn adversarial_mixed_sequence_true_steps_never_change_cache_len() {

 #[test]
 fn light_fuzz_all_full_mode_always_emits_and_stays_bounded() {
-    let _guard = desync_dedup_test_lock()
-        .lock()
-        .expect("desync dedup test lock must be available");
-    clear_desync_dedup_for_testing();
+    let shared = ProxySharedState::new();
+    clear_desync_dedup_for_testing_in_shared(shared.as_ref());

    let mut seed = 0x1234_5678_9ABC_DEF0u64;
-    let before = DESYNC_DEDUP.get().map(|d| d.len()).unwrap_or(0);
+    let before = desync_dedup_len_for_testing(shared.as_ref());

    for _ in 0..20_000 {
        seed ^= seed << 7;
        seed ^= seed >> 9;
        seed ^= seed << 8;
        let key = seed ^ 0x55AA_55AA_55AA_55AAu64;
-        assert!(should_emit_full_desync(key, true, Instant::now()));
+        assert!(should_emit_full_desync_for_testing(
+            shared.as_ref(),
+            key,
+            true,
+            Instant::now()
+        ));
    }

-    let after = DESYNC_DEDUP.get().map(|d| d.len()).unwrap_or(0);
+    let after = desync_dedup_len_for_testing(shared.as_ref());
    assert_eq!(after, before);
    assert!(after <= DESYNC_DEDUP_MAX_ENTRIES);
 }

 #[test]
 fn stress_parallel_all_full_storm_does_not_grow_or_mutate_cache() {
-    let _guard = desync_dedup_test_lock()
-        .lock()
-        .expect("desync dedup test lock must be available");
-    clear_desync_dedup_for_testing();
+    let shared = ProxySharedState::new();
+    clear_desync_dedup_for_testing_in_shared(shared.as_ref());

-    let dedup = DESYNC_DEDUP.get_or_init(DashMap::new);
    let seed_time = Instant::now() - Duration::from_secs(2);
    for i in 0..1024u64 {
-        dedup.insert(0x8888_0000_0000_0000 ^ i, seed_time);
+        desync_dedup_insert_for_testing(shared.as_ref(), 0x8888_0000_0000_0000 ^ i, seed_time);
    }
-    let before_len = dedup.len();
+    let before_len = desync_dedup_len_for_testing(shared.as_ref());

    let emits = Arc::new(AtomicUsize::new(0));
    let mut workers = Vec::new();
    for worker in 0..16u64 {
        let emits = Arc::clone(&emits);
+        let shared = shared.clone();
        workers.push(thread::spawn(move || {
            let now = Instant::now();
            for i in 0..4096u64 {
                let key = 0xFACE_0000_0000_0000u64 ^ (worker << 20) ^ i;
-                if should_emit_full_desync(key, true, now) {
+                if should_emit_full_desync_for_testing(shared.as_ref(), key, true, now) {
                    emits.fetch_add(1, Ordering::Relaxed);
                }
            }
@@ -184,7 +186,7 @@ fn stress_parallel_all_full_storm_does_not_grow_or_mutate_cache() {

    assert_eq!(emits.load(Ordering::Relaxed), 16 * 4096);
    assert_eq!(
-        dedup.len(),
+        desync_dedup_len_for_testing(shared.as_ref()),
        before_len,
        "parallel all_full storm must not mutate cache len"
    );
@@ -360,73 +360,103 @@ async fn stress_many_idle_sessions_fail_closed_without_hang() {

 #[test]
 fn pressure_evicts_oldest_idle_candidate_with_deterministic_ordering() {
-    let _guard = relay_idle_pressure_test_scope();
-    clear_relay_idle_pressure_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
    let stats = Stats::new();

-    assert!(mark_relay_idle_candidate(10));
-    assert!(mark_relay_idle_candidate(11));
-    assert_eq!(oldest_relay_idle_candidate(), Some(10));
+    assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 10));
+    assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 11));
+    assert_eq!(
+        oldest_relay_idle_candidate_for_testing(shared.as_ref()),
+        Some(10)
+    );

-    note_relay_pressure_event();
+    note_relay_pressure_event_for_testing(shared.as_ref());

    let mut seen_for_newer = 0u64;
    assert!(
-        !maybe_evict_idle_candidate_on_pressure(11, &mut seen_for_newer, &stats),
+        !maybe_evict_idle_candidate_on_pressure_for_testing(
+            shared.as_ref(),
+            11,
+            &mut seen_for_newer,
+            &stats
+        ),
        "newer idle candidate must not be evicted while older candidate exists"
    );
-    assert_eq!(oldest_relay_idle_candidate(), Some(10));
+    assert_eq!(
+        oldest_relay_idle_candidate_for_testing(shared.as_ref()),
+        Some(10)
+    );

    let mut seen_for_oldest = 0u64;
    assert!(
-        maybe_evict_idle_candidate_on_pressure(10, &mut seen_for_oldest, &stats),
+        maybe_evict_idle_candidate_on_pressure_for_testing(
+            shared.as_ref(),
+            10,
+            &mut seen_for_oldest,
+            &stats
+        ),
        "oldest idle candidate must be evicted first under pressure"
    );
-    assert_eq!(oldest_relay_idle_candidate(), Some(11));
+    assert_eq!(
+        oldest_relay_idle_candidate_for_testing(shared.as_ref()),
+        Some(11)
+    );
    assert_eq!(stats.get_relay_pressure_evict_total(), 1);

-    clear_relay_idle_pressure_state_for_testing();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
 }

 #[test]
 fn pressure_does_not_evict_without_new_pressure_signal() {
-    let _guard = relay_idle_pressure_test_scope();
-    clear_relay_idle_pressure_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
    let stats = Stats::new();

-    assert!(mark_relay_idle_candidate(21));
-    let mut seen = relay_pressure_event_seq();
+    assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 21));
+    let mut seen = relay_pressure_event_seq_for_testing(shared.as_ref());

    assert!(
-        !maybe_evict_idle_candidate_on_pressure(21, &mut seen, &stats),
+        !maybe_evict_idle_candidate_on_pressure_for_testing(shared.as_ref(), 21, &mut seen, &stats),
        "without new pressure signal, candidate must stay"
    );
    assert_eq!(stats.get_relay_pressure_evict_total(), 0);
-    assert_eq!(oldest_relay_idle_candidate(), Some(21));
+    assert_eq!(
+        oldest_relay_idle_candidate_for_testing(shared.as_ref()),
+        Some(21)
+    );

-    clear_relay_idle_pressure_state_for_testing();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
 }

 #[test]
 fn stress_pressure_eviction_preserves_fifo_across_many_candidates() {
-    let _guard = relay_idle_pressure_test_scope();
-    clear_relay_idle_pressure_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
    let stats = Stats::new();

    let mut seen_per_conn = std::collections::HashMap::new();
    for conn_id in 1000u64..1064u64 {
-        assert!(mark_relay_idle_candidate(conn_id));
+        assert!(mark_relay_idle_candidate_for_testing(
+            shared.as_ref(),
+            conn_id
+        ));
        seen_per_conn.insert(conn_id, 0u64);
    }

    for expected in 1000u64..1064u64 {
-        note_relay_pressure_event();
+        note_relay_pressure_event_for_testing(shared.as_ref());

        let mut seen = *seen_per_conn
            .get(&expected)
            .expect("per-conn pressure cursor must exist");
        assert!(
-            maybe_evict_idle_candidate_on_pressure(expected, &mut seen, &stats),
+            maybe_evict_idle_candidate_on_pressure_for_testing(
+                shared.as_ref(),
+                expected,
+                &mut seen,
+                &stats
+            ),
            "expected conn_id {expected} must be evicted next by deterministic FIFO ordering"
        );
        seen_per_conn.insert(expected, seen);
@@ -436,33 +466,51 @@ fn stress_pressure_eviction_preserves_fifo_across_many_candidates() {
        } else {
            Some(expected + 1)
        };
-        assert_eq!(oldest_relay_idle_candidate(), next);
+        assert_eq!(
+            oldest_relay_idle_candidate_for_testing(shared.as_ref()),
+            next
+        );
    }

    assert_eq!(stats.get_relay_pressure_evict_total(), 64);
-    clear_relay_idle_pressure_state_for_testing();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
 }

 #[test]
 fn blackhat_single_pressure_event_must_not_evict_more_than_one_candidate() {
-    let _guard = relay_idle_pressure_test_scope();
-    clear_relay_idle_pressure_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
    let stats = Stats::new();

-    assert!(mark_relay_idle_candidate(301));
-    assert!(mark_relay_idle_candidate(302));
-    assert!(mark_relay_idle_candidate(303));
+    assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 301));
+    assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 302));
+    assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 303));

    let mut seen_301 = 0u64;
    let mut seen_302 = 0u64;
    let mut seen_303 = 0u64;

    // Single pressure event should authorize at most one eviction globally.
-    note_relay_pressure_event();
+    note_relay_pressure_event_for_testing(shared.as_ref());

-    let evicted_301 = maybe_evict_idle_candidate_on_pressure(301, &mut seen_301, &stats);
-    let evicted_302 = maybe_evict_idle_candidate_on_pressure(302, &mut seen_302, &stats);
-    let evicted_303 = maybe_evict_idle_candidate_on_pressure(303, &mut seen_303, &stats);
+    let evicted_301 = maybe_evict_idle_candidate_on_pressure_for_testing(
+        shared.as_ref(),
+        301,
+        &mut seen_301,
+        &stats,
+    );
+    let evicted_302 = maybe_evict_idle_candidate_on_pressure_for_testing(
+        shared.as_ref(),
+        302,
+        &mut seen_302,
+        &stats,
+    );
+    let evicted_303 = maybe_evict_idle_candidate_on_pressure_for_testing(
+        shared.as_ref(),
+        303,
+        &mut seen_303,
+        &stats,
+    );

    let evicted_total = [evicted_301, evicted_302, evicted_303]
        .iter()
@@ -474,30 +522,40 @@ fn blackhat_single_pressure_event_must_not_evict_more_than_one_candidate() {
        "single pressure event must not cascade-evict multiple idle candidates"
    );

-    clear_relay_idle_pressure_state_for_testing();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
 }

 #[test]
 fn blackhat_pressure_counter_must_track_global_budget_not_per_session_cursor() {
-    let _guard = relay_idle_pressure_test_scope();
-    clear_relay_idle_pressure_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
    let stats = Stats::new();

-    assert!(mark_relay_idle_candidate(401));
-    assert!(mark_relay_idle_candidate(402));
+    assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 401));
+    assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 402));

    let mut seen_oldest = 0u64;
    let mut seen_next = 0u64;

-    note_relay_pressure_event();
+    note_relay_pressure_event_for_testing(shared.as_ref());

    assert!(
-        maybe_evict_idle_candidate_on_pressure(401, &mut seen_oldest, &stats),
+        maybe_evict_idle_candidate_on_pressure_for_testing(
+            shared.as_ref(),
+            401,
+            &mut seen_oldest,
+            &stats
+        ),
        "oldest candidate must consume pressure budget first"
    );

    assert!(
-        !maybe_evict_idle_candidate_on_pressure(402, &mut seen_next, &stats),
+        !maybe_evict_idle_candidate_on_pressure_for_testing(
+            shared.as_ref(),
+            402,
+            &mut seen_next,
+            &stats
+        ),
        "next candidate must not consume the same pressure budget"
    );

@@ -507,47 +565,67 @@ fn blackhat_pressure_counter_must_track_global_budget_not_per_session_cursor() {
        "single pressure budget must produce exactly one eviction"
    );

-    clear_relay_idle_pressure_state_for_testing();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
 }

 #[test]
 fn blackhat_stale_pressure_before_idle_mark_must_not_trigger_eviction() {
-    let _guard = relay_idle_pressure_test_scope();
-    clear_relay_idle_pressure_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
    let stats = Stats::new();

    // Pressure happened before any idle candidate existed.
-    note_relay_pressure_event();
-    assert!(mark_relay_idle_candidate(501));
+    note_relay_pressure_event_for_testing(shared.as_ref());
+    assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 501));

    let mut seen = 0u64;
    assert!(
-        !maybe_evict_idle_candidate_on_pressure(501, &mut seen, &stats),
+        !maybe_evict_idle_candidate_on_pressure_for_testing(
+            shared.as_ref(),
+            501,
+            &mut seen,
+            &stats
+        ),
        "stale pressure (before soft-idle mark) must not evict newly marked candidate"
    );

-    clear_relay_idle_pressure_state_for_testing();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
 }

 #[test]
 fn blackhat_stale_pressure_must_not_evict_any_of_newly_marked_batch() {
-    let _guard = relay_idle_pressure_test_scope();
-    clear_relay_idle_pressure_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
    let stats = Stats::new();

-    note_relay_pressure_event();
-    assert!(mark_relay_idle_candidate(511));
-    assert!(mark_relay_idle_candidate(512));
-    assert!(mark_relay_idle_candidate(513));
+    note_relay_pressure_event_for_testing(shared.as_ref());
+    assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 511));
+    assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 512));
+    assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 513));

    let mut seen_511 = 0u64;
    let mut seen_512 = 0u64;
    let mut seen_513 = 0u64;

    let evicted = [
-        maybe_evict_idle_candidate_on_pressure(511, &mut seen_511, &stats),
-        maybe_evict_idle_candidate_on_pressure(512, &mut seen_512, &stats),
-        maybe_evict_idle_candidate_on_pressure(513, &mut seen_513, &stats),
+        maybe_evict_idle_candidate_on_pressure_for_testing(
+            shared.as_ref(),
+            511,
+            &mut seen_511,
+            &stats,
+        ),
+        maybe_evict_idle_candidate_on_pressure_for_testing(
+            shared.as_ref(),
+            512,
+            &mut seen_512,
+            &stats,
+        ),
+        maybe_evict_idle_candidate_on_pressure_for_testing(
+            shared.as_ref(),
+            513,
+            &mut seen_513,
+            &stats,
+        ),
    ]
    .iter()
    .filter(|value| **value)
@@ -558,111 +636,118 @@ fn blackhat_stale_pressure_must_not_evict_any_of_newly_marked_batch() {
        "stale pressure event must not evict any candidate from a newly marked batch"
    );

-    clear_relay_idle_pressure_state_for_testing();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
 }

 #[test]
 fn blackhat_stale_pressure_seen_without_candidates_must_be_globally_invalidated() {
-    let _guard = relay_idle_pressure_test_scope();
-    clear_relay_idle_pressure_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
    let stats = Stats::new();

-    note_relay_pressure_event();
+    note_relay_pressure_event_for_testing(shared.as_ref());

    // Session A observed pressure while there were no candidates.
    let mut seen_a = 0u64;
    assert!(
-        !maybe_evict_idle_candidate_on_pressure(999_001, &mut seen_a, &stats),
+        !maybe_evict_idle_candidate_on_pressure_for_testing(
+            shared.as_ref(),
+            999_001,
+            &mut seen_a,
+            &stats
+        ),
        "no candidate existed, so no eviction is possible"
    );

    // Candidate appears later; Session B must not be able to consume stale pressure.
-    assert!(mark_relay_idle_candidate(521));
+    assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 521));
    let mut seen_b = 0u64;
    assert!(
-        !maybe_evict_idle_candidate_on_pressure(521, &mut seen_b, &stats),
+        !maybe_evict_idle_candidate_on_pressure_for_testing(
+            shared.as_ref(),
+            521,
+            &mut seen_b,
+            &stats
+        ),
        "once pressure is observed with empty candidate set, it must not be replayed later"
    );

-    clear_relay_idle_pressure_state_for_testing();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
 }

 #[test]
 fn blackhat_stale_pressure_must_not_survive_candidate_churn() {
-    let _guard = relay_idle_pressure_test_scope();
-    clear_relay_idle_pressure_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
    let stats = Stats::new();

-    note_relay_pressure_event();
-    assert!(mark_relay_idle_candidate(531));
-    clear_relay_idle_candidate(531);
-    assert!(mark_relay_idle_candidate(532));
+    note_relay_pressure_event_for_testing(shared.as_ref());
+    assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 531));
+    clear_relay_idle_candidate_for_testing(shared.as_ref(), 531);
+    assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 532));

    let mut seen = 0u64;
    assert!(
-        !maybe_evict_idle_candidate_on_pressure(532, &mut seen, &stats),
+        !maybe_evict_idle_candidate_on_pressure_for_testing(
+            shared.as_ref(),
+            532,
+            &mut seen,
+            &stats
+        ),
        "stale pressure must not survive clear+remark churn cycles"
    );

-    clear_relay_idle_pressure_state_for_testing();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
 }

 #[test]
 fn blackhat_pressure_seq_saturation_must_not_disable_future_pressure_accounting() {
-    let _guard = relay_idle_pressure_test_scope();
-    clear_relay_idle_pressure_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());

    {
-        let mut guard = relay_idle_candidate_registry()
-            .lock()
-            .expect("registry lock must be available");
-        guard.pressure_event_seq = u64::MAX;
-        guard.pressure_consumed_seq = u64::MAX - 1;
+        set_relay_pressure_state_for_testing(shared.as_ref(), u64::MAX, u64::MAX - 1);
    }

    // A new pressure event should still be representable; saturating at MAX creates a permanent lockout.
-    note_relay_pressure_event();
-    let after = relay_pressure_event_seq();
+    note_relay_pressure_event_for_testing(shared.as_ref());
+    let after = relay_pressure_event_seq_for_testing(shared.as_ref());
    assert_ne!(
        after,
        u64::MAX,
        "pressure sequence saturation must not permanently freeze event progression"
    );

-    clear_relay_idle_pressure_state_for_testing();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
 }

 #[test]
 fn blackhat_pressure_seq_saturation_must_not_break_multiple_distinct_events() {
-    let _guard = relay_idle_pressure_test_scope();
-    clear_relay_idle_pressure_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());

    {
-        let mut guard = relay_idle_candidate_registry()
-            .lock()
-            .expect("registry lock must be available");
-        guard.pressure_event_seq = u64::MAX;
-        guard.pressure_consumed_seq = u64::MAX;
+        set_relay_pressure_state_for_testing(shared.as_ref(), u64::MAX, u64::MAX);
    }

-    note_relay_pressure_event();
-    let first = relay_pressure_event_seq();
-    note_relay_pressure_event();
-    let second = relay_pressure_event_seq();
+    note_relay_pressure_event_for_testing(shared.as_ref());
+    let first = relay_pressure_event_seq_for_testing(shared.as_ref());
+    note_relay_pressure_event_for_testing(shared.as_ref());
+    let second = relay_pressure_event_seq_for_testing(shared.as_ref());

    assert!(
        second > first,
        "distinct pressure events must remain distinguishable even at sequence boundary"
    );

-    clear_relay_idle_pressure_state_for_testing();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
 }

 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn integration_race_single_pressure_event_allows_at_most_one_eviction_under_parallel_claims()
 {
-    let _guard = relay_idle_pressure_test_scope();
-    clear_relay_idle_pressure_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());

    let stats = Arc::new(Stats::new());
    let sessions = 16usize;
@@ -671,20 +756,28 @@ async fn integration_race_single_pressure_event_allows_at_most_one_eviction_unde
    let mut seen_per_session = vec![0u64; sessions];

    for conn_id in &conn_ids {
-        assert!(mark_relay_idle_candidate(*conn_id));
+        assert!(mark_relay_idle_candidate_for_testing(
+            shared.as_ref(),
+            *conn_id
+        ));
    }

    for round in 0..rounds {
-        note_relay_pressure_event();
+        note_relay_pressure_event_for_testing(shared.as_ref());

        let mut joins = Vec::with_capacity(sessions);
        for (idx, conn_id) in conn_ids.iter().enumerate() {
            let mut seen = seen_per_session[idx];
            let conn_id = *conn_id;
            let stats = stats.clone();
+            let shared = shared.clone();
            joins.push(tokio::spawn(async move {
-                let evicted =
-                    maybe_evict_idle_candidate_on_pressure(conn_id, &mut seen, stats.as_ref());
+                let evicted = maybe_evict_idle_candidate_on_pressure_for_testing(
+                    shared.as_ref(),
+                    conn_id,
+                    &mut seen,
+                    stats.as_ref(),
+                );
                (idx, conn_id, seen, evicted)
            }));
        }
@@ -706,7 +799,7 @@ async fn integration_race_single_pressure_event_allows_at_most_one_eviction_unde
        );
        if let Some(conn) = evicted_conn {
            assert!(
-                mark_relay_idle_candidate(conn),
+                mark_relay_idle_candidate_for_testing(shared.as_ref(), conn),
                "round {round}: evicted conn must be re-markable as idle candidate"
            );
        }
@@ -721,13 +814,13 @@ async fn integration_race_single_pressure_event_allows_at_most_one_eviction_unde
        "parallel race must still observe at least one successful eviction"
    );

-    clear_relay_idle_pressure_state_for_testing();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
 }

 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn integration_race_burst_pressure_with_churn_preserves_empty_set_invalidation_and_budget() {
-    let _guard = relay_idle_pressure_test_scope();
-    clear_relay_idle_pressure_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());

    let stats = Arc::new(Stats::new());
    let sessions = 12usize;
@@ -736,7 +829,10 @@ async fn integration_race_burst_pressure_with_churn_preserves_empty_set_invalida
    let mut seen_per_session = vec![0u64; sessions];

    for conn_id in &conn_ids {
-        assert!(mark_relay_idle_candidate(*conn_id));
+        assert!(mark_relay_idle_candidate_for_testing(
+            shared.as_ref(),
+            *conn_id
+        ));
    }

    let mut expected_total_evictions = 0u64;
@@ -745,20 +841,25 @@ async fn integration_race_burst_pressure_with_churn_preserves_empty_set_invalida
        let empty_phase = round % 5 == 0;
        if empty_phase {
            for conn_id in &conn_ids {
-                clear_relay_idle_candidate(*conn_id);
+                clear_relay_idle_candidate_for_testing(shared.as_ref(), *conn_id);
            }
        }

-        note_relay_pressure_event();
+        note_relay_pressure_event_for_testing(shared.as_ref());

        let mut joins = Vec::with_capacity(sessions);
        for (idx, conn_id) in conn_ids.iter().enumerate() {
            let mut seen = seen_per_session[idx];
            let conn_id = *conn_id;
            let stats = stats.clone();
+            let shared = shared.clone();
            joins.push(tokio::spawn(async move {
-                let evicted =
-                    maybe_evict_idle_candidate_on_pressure(conn_id, &mut seen, stats.as_ref());
+                let evicted = maybe_evict_idle_candidate_on_pressure_for_testing(
+                    shared.as_ref(),
+                    conn_id,
+                    &mut seen,
+                    stats.as_ref(),
+                );
                (idx, conn_id, seen, evicted)
            }));
        }
@@ -780,7 +881,10 @@ async fn integration_race_burst_pressure_with_churn_preserves_empty_set_invalida
                "round {round}: empty candidate phase must not allow stale-pressure eviction"
            );
            for conn_id in &conn_ids {
-                assert!(mark_relay_idle_candidate(*conn_id));
+                assert!(mark_relay_idle_candidate_for_testing(
+                    shared.as_ref(),
+                    *conn_id
+                ));
            }
        } else {
            assert!(
@@ -789,7 +893,10 @@ async fn integration_race_burst_pressure_with_churn_preserves_empty_set_invalida
            );
            if let Some(conn_id) = evicted_conn {
                expected_total_evictions = expected_total_evictions.saturating_add(1);
-                assert!(mark_relay_idle_candidate(conn_id));
+                assert!(mark_relay_idle_candidate_for_testing(
+                    shared.as_ref(),
+                    conn_id
+                ));
            }
        }
    }
@@ -800,5 +907,5 @@ async fn integration_race_burst_pressure_with_churn_preserves_empty_set_invalida
        "global pressure eviction counter must match observed per-round successful consumes"
    );

-    clear_relay_idle_pressure_state_for_testing();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
 }
@@ -3,12 +3,13 @@ use std::panic::{AssertUnwindSafe, catch_unwind};

 #[test]
 fn blackhat_registry_poison_recovers_with_fail_closed_reset_and_pressure_accounting() {
-    let _guard = relay_idle_pressure_test_scope();
-    clear_relay_idle_pressure_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());

    let _ = catch_unwind(AssertUnwindSafe(|| {
-        let registry = relay_idle_candidate_registry();
-        let mut guard = registry
+        let mut guard = shared
+            .middle_relay
+            .relay_idle_registry
            .lock()
            .expect("registry lock must be acquired before poison");
        guard.by_conn_id.insert(
@@ -23,40 +24,50 @@ fn blackhat_registry_poison_recovers_with_fail_closed_reset_and_pressure_account
    }));

    // Helper lock must recover from poison, reset stale state, and continue.
-    assert!(mark_relay_idle_candidate(42));
-    assert_eq!(oldest_relay_idle_candidate(), Some(42));
+    assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 42));
+    assert_eq!(
+        oldest_relay_idle_candidate_for_testing(shared.as_ref()),
+        Some(42)
+    );

-    let before = relay_pressure_event_seq();
-    note_relay_pressure_event();
-    let after = relay_pressure_event_seq();
+    let before = relay_pressure_event_seq_for_testing(shared.as_ref());
+    note_relay_pressure_event_for_testing(shared.as_ref());
+    let after = relay_pressure_event_seq_for_testing(shared.as_ref());
    assert!(
        after > before,
        "pressure accounting must still advance after poison"
    );

-    clear_relay_idle_pressure_state_for_testing();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
 }

 #[test]
 fn clear_state_helper_must_reset_poisoned_registry_for_deterministic_fifo_tests() {
-    let _guard = relay_idle_pressure_test_scope();
-    clear_relay_idle_pressure_state_for_testing();
+    let shared = ProxySharedState::new();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());

    let _ = catch_unwind(AssertUnwindSafe(|| {
-        let registry = relay_idle_candidate_registry();
-        let _guard = registry
+        let _guard = shared
+            .middle_relay
+            .relay_idle_registry
            .lock()
            .expect("registry lock must be acquired before poison");
        panic!("intentional poison while lock held");
    }));

-    clear_relay_idle_pressure_state_for_testing();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());

-    assert_eq!(oldest_relay_idle_candidate(), None);
-    assert_eq!(relay_pressure_event_seq(), 0);
+    assert_eq!(
+        oldest_relay_idle_candidate_for_testing(shared.as_ref()),
+        None
+    );
+    assert_eq!(relay_pressure_event_seq_for_testing(shared.as_ref()), 0);

-    assert!(mark_relay_idle_candidate(7));
-    assert_eq!(oldest_relay_idle_candidate(), Some(7));
+    assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 7));
+    assert_eq!(
+        oldest_relay_idle_candidate_for_testing(shared.as_ref()),
+        Some(7)
+    );

-    clear_relay_idle_pressure_state_for_testing();
+    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
 }
@@ -1,7 +1,6 @@
 use super::*;
 use crate::stats::Stats;
 use crate::stream::BufferPool;
-use std::collections::HashSet;
 use std::sync::Arc;
 use tokio::time::{Duration as TokioDuration, timeout};

@@ -16,32 +15,30 @@ fn make_pooled_payload(data: &[u8]) -> PooledBuffer {
 #[test]
 #[ignore = "Tracking for M-04: Verify should_emit_full_desync returns true on first occurrence and false on duplicate within window"]
 fn should_emit_full_desync_filters_duplicates() {
-    let _guard = desync_dedup_test_lock()
-        .lock()
-        .expect("desync dedup test lock must be available");
-    clear_desync_dedup_for_testing();
+    let shared = ProxySharedState::new();
+    clear_desync_dedup_for_testing_in_shared(shared.as_ref());

    let key = 0x4D04_0000_0000_0001_u64;
    let base = Instant::now();

    assert!(
-        should_emit_full_desync(key, false, base),
+        should_emit_full_desync_for_testing(shared.as_ref(), key, false, base),
        "first occurrence must emit full forensic record"
    );
    assert!(
-        !should_emit_full_desync(key, false, base),
+        !should_emit_full_desync_for_testing(shared.as_ref(), key, false, base),
        "duplicate at same timestamp must be suppressed"
    );

    let within_window = base + DESYNC_DEDUP_WINDOW - TokioDuration::from_millis(1);
    assert!(
-        !should_emit_full_desync(key, false, within_window),
+        !should_emit_full_desync_for_testing(shared.as_ref(), key, false, within_window),
        "duplicate strictly inside dedup window must stay suppressed"
    );

    let on_window_edge = base + DESYNC_DEDUP_WINDOW;
    assert!(
-        should_emit_full_desync(key, false, on_window_edge),
+        should_emit_full_desync_for_testing(shared.as_ref(), key, false, on_window_edge),
        "duplicate at window boundary must re-emit and refresh"
    );
 }
@@ -49,39 +46,34 @@ fn should_emit_full_desync_filters_duplicates() {
 #[test]
 #[ignore = "Tracking for M-04: Verify desync dedup eviction behaves correctly under map-full condition"]
 fn desync_dedup_eviction_under_map_full_condition() {
-    let _guard = desync_dedup_test_lock()
-        .lock()
-        .expect("desync dedup test lock must be available");
-    clear_desync_dedup_for_testing();
+    let shared = ProxySharedState::new();
+    clear_desync_dedup_for_testing_in_shared(shared.as_ref());

    let base = Instant::now();
    for key in 0..DESYNC_DEDUP_MAX_ENTRIES as u64 {
        assert!(
-            should_emit_full_desync(key, false, base),
+            should_emit_full_desync_for_testing(shared.as_ref(), key, false, base),
            "unique key should be inserted while warming dedup cache"
        );
    }

-    let dedup = DESYNC_DEDUP
-        .get()
-        .expect("dedup map must exist after warm-up insertions");
    assert_eq!(
-        dedup.len(),
+        desync_dedup_len_for_testing(shared.as_ref()),
        DESYNC_DEDUP_MAX_ENTRIES,
        "cache warm-up must reach exact hard cap"
    );

-    let before_keys: HashSet<u64> = dedup.iter().map(|entry| *entry.key()).collect();
+    let before_keys = desync_dedup_keys_for_testing(shared.as_ref());
    let newcomer_key = 0x4D04_FFFF_FFFF_0001_u64;

    assert!(
-        should_emit_full_desync(newcomer_key, false, base),
+        should_emit_full_desync_for_testing(shared.as_ref(), newcomer_key, false, base),
        "first newcomer at map-full must emit under bounded full-cache gate"
    );

-    let after_keys: HashSet<u64> = dedup.iter().map(|entry| *entry.key()).collect();
+    let after_keys = desync_dedup_keys_for_testing(shared.as_ref());
    assert_eq!(
-        dedup.len(),
+        desync_dedup_len_for_testing(shared.as_ref()),
        DESYNC_DEDUP_MAX_ENTRIES,
        "map-full insertion must preserve hard capacity bound"
    );
@@ -102,7 +94,7 @@ fn desync_dedup_eviction_under_map_full_condition() {
    );

    assert!(
-        !should_emit_full_desync(newcomer_key, false, base),
+        !should_emit_full_desync_for_testing(shared.as_ref(), newcomer_key, false, base),
        "immediate duplicate newcomer must remain suppressed"
    );
 }
@@ -0,0 +1,674 @@
+use crate::proxy::client::handle_client_stream_with_shared;
+use crate::proxy::handshake::{
+    auth_probe_fail_streak_for_testing_in_shared, auth_probe_is_throttled_for_testing_in_shared,
+    auth_probe_record_failure_for_testing, clear_auth_probe_state_for_testing_in_shared,
+    clear_unknown_sni_warn_state_for_testing_in_shared, clear_warned_secrets_for_testing_in_shared,
+    should_emit_unknown_sni_warn_for_testing_in_shared, warned_secrets_for_testing_in_shared,
+};
+use crate::proxy::middle_relay::{
+    clear_desync_dedup_for_testing_in_shared, clear_relay_idle_candidate_for_testing,
+    clear_relay_idle_pressure_state_for_testing_in_shared, mark_relay_idle_candidate_for_testing,
+    maybe_evict_idle_candidate_on_pressure_for_testing, note_relay_pressure_event_for_testing,
+    oldest_relay_idle_candidate_for_testing, relay_idle_mark_seq_for_testing,
+    relay_pressure_event_seq_for_testing, should_emit_full_desync_for_testing,
+};
+use crate::proxy::route_mode::{RelayRouteMode, RouteRuntimeController};
+use crate::proxy::shared_state::ProxySharedState;
+use crate::{
+    config::{ProxyConfig, UpstreamConfig, UpstreamType},
+    crypto::SecureRandom,
+    ip_tracker::UserIpTracker,
+    stats::{ReplayChecker, Stats, beobachten::BeobachtenStore},
+    stream::BufferPool,
+    transport::UpstreamManager,
+};
+use std::net::{IpAddr, Ipv4Addr};
+use std::sync::Arc;
+use std::time::{Duration, Instant};
+use tokio::io::{AsyncWriteExt, duplex};
+use tokio::sync::Barrier;
+
+struct ClientHarness {
+    config: Arc<ProxyConfig>,
+    stats: Arc<Stats>,
+    upstream_manager: Arc<UpstreamManager>,
+    replay_checker: Arc<ReplayChecker>,
+    buffer_pool: Arc<BufferPool>,
+    rng: Arc<SecureRandom>,
+    route_runtime: Arc<RouteRuntimeController>,
+    ip_tracker: Arc<UserIpTracker>,
+    beobachten: Arc<BeobachtenStore>,
+}
+
+fn new_client_harness() -> ClientHarness {
+    let mut cfg = ProxyConfig::default();
+    cfg.censorship.mask = false;
+    cfg.general.modes.classic = true;
+    cfg.general.modes.secure = true;
+    let config = Arc::new(cfg);
+    let stats = Arc::new(Stats::new());
+
+    let upstream_manager = Arc::new(UpstreamManager::new(
+        vec![UpstreamConfig {
+            upstream_type: UpstreamType::Direct {
+                interface: None,
+                bind_addresses: None,
+            },
+            weight: 1,
+            enabled: true,
+            scopes: String::new(),
+            selected_scope: String::new(),
+        }],
+        1,
+        1,
+        1,
+        10,
+        1,
+        false,
+        stats.clone(),
+    ));
+
+    ClientHarness {
+        config,
+        stats,
+        upstream_manager,
+        replay_checker: Arc::new(ReplayChecker::new(128, Duration::from_secs(60))),
+        buffer_pool: Arc::new(BufferPool::new()),
+        rng: Arc::new(SecureRandom::new()),
+        route_runtime: Arc::new(RouteRuntimeController::new(RelayRouteMode::Direct)),
+        ip_tracker: Arc::new(UserIpTracker::new()),
+        beobachten: Arc::new(BeobachtenStore::new()),
+    }
+}
+
+async fn drive_invalid_mtproto_handshake(
+    shared: Arc<ProxySharedState>,
+    peer: std::net::SocketAddr,
+) {
+    let harness = new_client_harness();
+    let (server_side, mut client_side) = duplex(4096);
+    let invalid = [0u8; 64];
+
+    let task = tokio::spawn(handle_client_stream_with_shared(
+        server_side,
+        peer,
+        harness.config,
+        harness.stats,
+        harness.upstream_manager,
+        harness.replay_checker,
+        harness.buffer_pool,
+        harness.rng,
+        None,
+        harness.route_runtime,
+        None,
+        harness.ip_tracker,
+        harness.beobachten,
+        shared,
+        false,
+    ));
+
+    client_side
+        .write_all(&invalid)
+        .await
+        .expect("failed to write invalid handshake");
+    client_side
+        .shutdown()
+        .await
+        .expect("failed to shutdown client");
+    let _ = tokio::time::timeout(Duration::from_secs(3), task)
+        .await
+        .expect("client task timed out")
+        .expect("client task join failed");
+}
+
+#[test]
+fn proxy_shared_state_two_instances_do_not_share_auth_probe_state() {
+    let a = ProxySharedState::new();
+    let b = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(a.as_ref());
+
+    let ip = IpAddr::V4(Ipv4Addr::new(198, 51, 100, 10));
+    auth_probe_record_failure_for_testing(a.as_ref(), ip, Instant::now());
+
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(a.as_ref(), ip),
+        Some(1)
+    );
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(b.as_ref(), ip),
+        None
+    );
+}
+
+#[test]
+fn proxy_shared_state_two_instances_do_not_share_desync_dedup() {
+    let a = ProxySharedState::new();
+    let b = ProxySharedState::new();
+    clear_desync_dedup_for_testing_in_shared(a.as_ref());
+
+    let now = Instant::now();
+    let key = 0xA5A5_u64;
+    assert!(should_emit_full_desync_for_testing(
+        a.as_ref(),
+        key,
+        false,
+        now
+    ));
+    assert!(should_emit_full_desync_for_testing(
+        b.as_ref(),
+        key,
+        false,
+        now
+    ));
+}
+
+#[test]
+fn proxy_shared_state_two_instances_do_not_share_idle_registry() {
+    let a = ProxySharedState::new();
+    let b = ProxySharedState::new();
+    clear_relay_idle_pressure_state_for_testing_in_shared(a.as_ref());
+
+    assert!(mark_relay_idle_candidate_for_testing(a.as_ref(), 111));
+    assert_eq!(
+        oldest_relay_idle_candidate_for_testing(a.as_ref()),
+        Some(111)
+    );
+    assert_eq!(oldest_relay_idle_candidate_for_testing(b.as_ref()), None);
+}
+
+#[test]
+fn proxy_shared_state_reset_in_one_instance_does_not_affect_another() {
+    let a = ProxySharedState::new();
+    let b = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(a.as_ref());
+
+    let ip_a = IpAddr::V4(Ipv4Addr::new(203, 0, 113, 1));
+    let ip_b = IpAddr::V4(Ipv4Addr::new(203, 0, 113, 2));
+    let now = Instant::now();
+
+    auth_probe_record_failure_for_testing(a.as_ref(), ip_a, now);
+    auth_probe_record_failure_for_testing(b.as_ref(), ip_b, now);
+    clear_auth_probe_state_for_testing_in_shared(a.as_ref());
+
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(a.as_ref(), ip_a),
+        None
+    );
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(b.as_ref(), ip_b),
+        Some(1)
+    );
+}
+
+#[test]
+fn proxy_shared_state_parallel_auth_probe_updates_stay_per_instance() {
+    let a = ProxySharedState::new();
+    let b = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(a.as_ref());
+
+    let ip = IpAddr::V4(Ipv4Addr::new(192, 0, 2, 77));
+    let now = Instant::now();
+
+    for _ in 0..5 {
+        auth_probe_record_failure_for_testing(a.as_ref(), ip, now);
+    }
+    for _ in 0..3 {
+        auth_probe_record_failure_for_testing(b.as_ref(), ip, now + Duration::from_millis(1));
+    }
+
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(a.as_ref(), ip),
+        Some(5)
+    );
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(b.as_ref(), ip),
+        Some(3)
+    );
+}
+
+#[tokio::test]
+async fn proxy_shared_state_client_pipeline_records_probe_failures_in_instance_state() {
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());
+    let peer_ip = IpAddr::V4(Ipv4Addr::new(198, 51, 100, 200));
+    let peer = std::net::SocketAddr::new(peer_ip, 54001);
+
+    drive_invalid_mtproto_handshake(shared.clone(), peer).await;
+
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(shared.as_ref(), peer_ip),
+        Some(1),
+        "invalid handshake in client pipeline must update injected shared auth-probe state"
+    );
+}
+
+#[tokio::test]
+async fn proxy_shared_state_client_pipeline_keeps_auth_probe_isolated_between_instances() {
+    let shared_a = ProxySharedState::new();
+    let shared_b = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared_a.as_ref());
+    clear_auth_probe_state_for_testing_in_shared(shared_b.as_ref());
+
+    let peer_a_ip = IpAddr::V4(Ipv4Addr::new(203, 0, 113, 210));
+    let peer_b_ip = IpAddr::V4(Ipv4Addr::new(203, 0, 113, 211));
+
+    drive_invalid_mtproto_handshake(
+        shared_a.clone(),
+        std::net::SocketAddr::new(peer_a_ip, 54110),
+    )
+    .await;
+    drive_invalid_mtproto_handshake(
+        shared_b.clone(),
+        std::net::SocketAddr::new(peer_b_ip, 54111),
+    )
+    .await;
+
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(shared_a.as_ref(), peer_a_ip),
+        Some(1)
+    );
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(shared_b.as_ref(), peer_b_ip),
+        Some(1)
+    );
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(shared_a.as_ref(), peer_b_ip),
+        None
+    );
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(shared_b.as_ref(), peer_a_ip),
+        None
+    );
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 4)]
+async fn proxy_shared_state_client_pipeline_high_contention_same_ip_stays_lossless_per_instance() {
+    let shared_a = ProxySharedState::new();
+    let shared_b = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared_a.as_ref());
+    clear_auth_probe_state_for_testing_in_shared(shared_b.as_ref());
+
+    let ip = IpAddr::V4(Ipv4Addr::new(198, 51, 100, 250));
+    let workers = 48u16;
+    let barrier = Arc::new(Barrier::new((workers as usize) * 2));
+    let mut tasks = Vec::new();
+
+    for i in 0..workers {
+        let shared_a = shared_a.clone();
+        let barrier_a = barrier.clone();
+        let peer_a = std::net::SocketAddr::new(ip, 56000 + i);
+        tasks.push(tokio::spawn(async move {
+            barrier_a.wait().await;
+            drive_invalid_mtproto_handshake(shared_a, peer_a).await;
+        }));
+
+        let shared_b = shared_b.clone();
+        let barrier_b = barrier.clone();
+        let peer_b = std::net::SocketAddr::new(ip, 56100 + i);
+        tasks.push(tokio::spawn(async move {
+            barrier_b.wait().await;
+            drive_invalid_mtproto_handshake(shared_b, peer_b).await;
+        }));
+    }
+
+    for task in tasks {
+        task.await.expect("pipeline task join failed");
+    }
+
+    let streak_a = auth_probe_fail_streak_for_testing_in_shared(shared_a.as_ref(), ip)
+        .expect("instance A must track probe failures");
+    let streak_b = auth_probe_fail_streak_for_testing_in_shared(shared_b.as_ref(), ip)
+        .expect("instance B must track probe failures");
+
+    assert!(streak_a > 0);
+    assert!(streak_b > 0);
+
+    clear_auth_probe_state_for_testing_in_shared(shared_a.as_ref());
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(shared_a.as_ref(), ip),
+        None,
+        "clearing one instance must reset only that instance"
+    );
+    assert!(
+        auth_probe_fail_streak_for_testing_in_shared(shared_b.as_ref(), ip).is_some(),
+        "clearing one instance must not clear the other instance"
+    );
+}
+
+#[test]
+fn proxy_shared_state_auth_saturation_does_not_bleed_across_instances() {
+    let a = ProxySharedState::new();
+    let b = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(a.as_ref());
+    clear_auth_probe_state_for_testing_in_shared(b.as_ref());
+
+    let ip = IpAddr::V4(Ipv4Addr::new(203, 0, 113, 77));
+    let future_now = Instant::now() + Duration::from_secs(1);
+    for _ in 0..8 {
+        auth_probe_record_failure_for_testing(a.as_ref(), ip, future_now);
+    }
+
+    assert!(auth_probe_is_throttled_for_testing_in_shared(
+        a.as_ref(),
+        ip
+    ));
+    assert!(!auth_probe_is_throttled_for_testing_in_shared(
+        b.as_ref(),
+        ip
+    ));
+}
+
+#[test]
+fn proxy_shared_state_poison_clear_in_one_instance_does_not_affect_other_instance() {
+    let a = ProxySharedState::new();
+    let b = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(a.as_ref());
+    clear_auth_probe_state_for_testing_in_shared(b.as_ref());
+
+    let ip_a = IpAddr::V4(Ipv4Addr::new(203, 0, 113, 31));
+    let ip_b = IpAddr::V4(Ipv4Addr::new(203, 0, 113, 32));
+    let now = Instant::now();
+
+    auth_probe_record_failure_for_testing(a.as_ref(), ip_a, now);
+    auth_probe_record_failure_for_testing(b.as_ref(), ip_b, now);
+
+    let a_for_poison = a.clone();
+    let _ = std::thread::spawn(move || {
+        let _hold = a_for_poison
+            .handshake
+            .auth_probe_saturation
+            .lock()
+            .unwrap_or_else(|poisoned| poisoned.into_inner());
+        panic!("intentional poison for per-instance isolation regression coverage");
+    })
+    .join();
+
+    clear_auth_probe_state_for_testing_in_shared(a.as_ref());
+
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(a.as_ref(), ip_a),
+        None
+    );
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(b.as_ref(), ip_b),
+        Some(1),
+        "poison recovery and clear in one instance must not touch other instance state"
+    );
+}
+
+#[test]
+fn proxy_shared_state_unknown_sni_cooldown_does_not_bleed_across_instances() {
+    let a = ProxySharedState::new();
+    let b = ProxySharedState::new();
+    clear_unknown_sni_warn_state_for_testing_in_shared(a.as_ref());
+    clear_unknown_sni_warn_state_for_testing_in_shared(b.as_ref());
+
+    let now = Instant::now();
+    assert!(should_emit_unknown_sni_warn_for_testing_in_shared(
+        a.as_ref(),
+        now
+    ));
+    assert!(should_emit_unknown_sni_warn_for_testing_in_shared(
+        b.as_ref(),
+        now
+    ));
+}
+
+#[test]
+fn proxy_shared_state_warned_secret_cache_does_not_bleed_across_instances() {
+    let a = ProxySharedState::new();
+    let b = ProxySharedState::new();
+    clear_warned_secrets_for_testing_in_shared(a.as_ref());
+    clear_warned_secrets_for_testing_in_shared(b.as_ref());
+
+    let key = ("isolation-user".to_string(), "invalid_hex".to_string());
+    {
+        let warned = warned_secrets_for_testing_in_shared(a.as_ref());
+        let mut guard = warned
+            .lock()
+            .unwrap_or_else(|poisoned| poisoned.into_inner());
+        guard.insert(key.clone());
+    }
+
+    let contains_in_a = {
+        let warned = warned_secrets_for_testing_in_shared(a.as_ref());
+        let guard = warned
+            .lock()
+            .unwrap_or_else(|poisoned| poisoned.into_inner());
+        guard.contains(&key)
+    };
+    let contains_in_b = {
+        let warned = warned_secrets_for_testing_in_shared(b.as_ref());
+        let guard = warned
+            .lock()
+            .unwrap_or_else(|poisoned| poisoned.into_inner());
+        guard.contains(&key)
+    };
+
+    assert!(contains_in_a);
+    assert!(!contains_in_b);
+}
+
+#[test]
+fn proxy_shared_state_idle_mark_seq_is_per_instance() {
+    let a = ProxySharedState::new();
+    let b = ProxySharedState::new();
+    clear_relay_idle_pressure_state_for_testing_in_shared(a.as_ref());
+    clear_relay_idle_pressure_state_for_testing_in_shared(b.as_ref());
+
+    assert_eq!(relay_idle_mark_seq_for_testing(a.as_ref()), 0);
+    assert_eq!(relay_idle_mark_seq_for_testing(b.as_ref()), 0);
+
+    assert!(mark_relay_idle_candidate_for_testing(a.as_ref(), 9001));
+    assert_eq!(relay_idle_mark_seq_for_testing(a.as_ref()), 1);
+    assert_eq!(relay_idle_mark_seq_for_testing(b.as_ref()), 0);
+
+    assert!(mark_relay_idle_candidate_for_testing(b.as_ref(), 9002));
+    assert_eq!(relay_idle_mark_seq_for_testing(a.as_ref()), 1);
+    assert_eq!(relay_idle_mark_seq_for_testing(b.as_ref()), 1);
+}
+
+#[test]
+fn proxy_shared_state_unknown_sni_clear_in_one_instance_does_not_reset_other() {
+    let a = ProxySharedState::new();
+    let b = ProxySharedState::new();
+    clear_unknown_sni_warn_state_for_testing_in_shared(a.as_ref());
+    clear_unknown_sni_warn_state_for_testing_in_shared(b.as_ref());
+
+    let now = Instant::now();
+    assert!(should_emit_unknown_sni_warn_for_testing_in_shared(
+        a.as_ref(),
+        now
+    ));
+    assert!(should_emit_unknown_sni_warn_for_testing_in_shared(
+        b.as_ref(),
+        now
+    ));
+
+    clear_unknown_sni_warn_state_for_testing_in_shared(a.as_ref());
+    assert!(should_emit_unknown_sni_warn_for_testing_in_shared(
+        a.as_ref(),
+        now + Duration::from_millis(1)
+    ));
+    assert!(!should_emit_unknown_sni_warn_for_testing_in_shared(
+        b.as_ref(),
+        now + Duration::from_millis(1)
+    ));
+}
+
+#[test]
+fn proxy_shared_state_warned_secret_clear_in_one_instance_does_not_clear_other() {
+    let a = ProxySharedState::new();
+    let b = ProxySharedState::new();
+    clear_warned_secrets_for_testing_in_shared(a.as_ref());
+    clear_warned_secrets_for_testing_in_shared(b.as_ref());
+
+    let key = (
+        "clear-isolation-user".to_string(),
+        "invalid_length".to_string(),
+    );
+    {
+        let warned_a = warned_secrets_for_testing_in_shared(a.as_ref());
+        let mut guard_a = warned_a
+            .lock()
+            .unwrap_or_else(|poisoned| poisoned.into_inner());
+        guard_a.insert(key.clone());
+
+        let warned_b = warned_secrets_for_testing_in_shared(b.as_ref());
+        let mut guard_b = warned_b
+            .lock()
+            .unwrap_or_else(|poisoned| poisoned.into_inner());
+        guard_b.insert(key.clone());
+    }
+
+    clear_warned_secrets_for_testing_in_shared(a.as_ref());
+
+    let has_a = {
+        let warned = warned_secrets_for_testing_in_shared(a.as_ref());
+        let guard = warned
+            .lock()
+            .unwrap_or_else(|poisoned| poisoned.into_inner());
+        guard.contains(&key)
+    };
+    let has_b = {
+        let warned = warned_secrets_for_testing_in_shared(b.as_ref());
+        let guard = warned
+            .lock()
+            .unwrap_or_else(|poisoned| poisoned.into_inner());
+        guard.contains(&key)
+    };
+
+    assert!(!has_a);
+    assert!(has_b);
+}
+
+#[test]
+fn proxy_shared_state_desync_duplicate_suppression_is_instance_scoped() {
+    let a = ProxySharedState::new();
+    let b = ProxySharedState::new();
+    clear_desync_dedup_for_testing_in_shared(a.as_ref());
+    clear_desync_dedup_for_testing_in_shared(b.as_ref());
+
+    let now = Instant::now();
+    let key = 0xBEEF_0000_0000_0001u64;
+    assert!(should_emit_full_desync_for_testing(
+        a.as_ref(),
+        key,
+        false,
+        now
+    ));
+    assert!(!should_emit_full_desync_for_testing(
+        a.as_ref(),
+        key,
+        false,
+        now + Duration::from_millis(1)
+    ));
+    assert!(should_emit_full_desync_for_testing(
+        b.as_ref(),
+        key,
+        false,
+        now
+    ));
+}
+
+#[test]
+fn proxy_shared_state_desync_clear_in_one_instance_does_not_clear_other() {
+    let a = ProxySharedState::new();
+    let b = ProxySharedState::new();
+    clear_desync_dedup_for_testing_in_shared(a.as_ref());
+    clear_desync_dedup_for_testing_in_shared(b.as_ref());
+
+    let now = Instant::now();
+    let key = 0xCAFE_0000_0000_0001u64;
+    assert!(should_emit_full_desync_for_testing(
+        a.as_ref(),
+        key,
+        false,
+        now
+    ));
+    assert!(should_emit_full_desync_for_testing(
+        b.as_ref(),
+        key,
+        false,
+        now
+    ));
+
+    clear_desync_dedup_for_testing_in_shared(a.as_ref());
+
+    assert!(should_emit_full_desync_for_testing(
+        a.as_ref(),
+        key,
+        false,
+        now + Duration::from_millis(2)
+    ));
+    assert!(!should_emit_full_desync_for_testing(
+        b.as_ref(),
+        key,
+        false,
+        now + Duration::from_millis(2)
+    ));
+}
+
+#[test]
+fn proxy_shared_state_idle_candidate_clear_in_one_instance_does_not_affect_other() {
+    let a = ProxySharedState::new();
+    let b = ProxySharedState::new();
+    clear_relay_idle_pressure_state_for_testing_in_shared(a.as_ref());
+    clear_relay_idle_pressure_state_for_testing_in_shared(b.as_ref());
+
+    assert!(mark_relay_idle_candidate_for_testing(a.as_ref(), 1001));
+    assert!(mark_relay_idle_candidate_for_testing(b.as_ref(), 2002));
+    clear_relay_idle_candidate_for_testing(a.as_ref(), 1001);
+
+    assert_eq!(oldest_relay_idle_candidate_for_testing(a.as_ref()), None);
+    assert_eq!(
+        oldest_relay_idle_candidate_for_testing(b.as_ref()),
+        Some(2002)
+    );
+}
+
+#[test]
+fn proxy_shared_state_pressure_seq_increments_are_instance_scoped() {
+    let a = ProxySharedState::new();
+    let b = ProxySharedState::new();
+    clear_relay_idle_pressure_state_for_testing_in_shared(a.as_ref());
+    clear_relay_idle_pressure_state_for_testing_in_shared(b.as_ref());
+
+    assert_eq!(relay_pressure_event_seq_for_testing(a.as_ref()), 0);
+    assert_eq!(relay_pressure_event_seq_for_testing(b.as_ref()), 0);
+
+    note_relay_pressure_event_for_testing(a.as_ref());
+    note_relay_pressure_event_for_testing(a.as_ref());
+
+    assert_eq!(relay_pressure_event_seq_for_testing(a.as_ref()), 2);
+    assert_eq!(relay_pressure_event_seq_for_testing(b.as_ref()), 0);
+}
+
+#[test]
+fn proxy_shared_state_pressure_consumption_does_not_cross_instances() {
+    let a = ProxySharedState::new();
+    let b = ProxySharedState::new();
+    clear_relay_idle_pressure_state_for_testing_in_shared(a.as_ref());
+    clear_relay_idle_pressure_state_for_testing_in_shared(b.as_ref());
+
+    assert!(mark_relay_idle_candidate_for_testing(a.as_ref(), 7001));
+    assert!(mark_relay_idle_candidate_for_testing(b.as_ref(), 7001));
+    note_relay_pressure_event_for_testing(a.as_ref());
+
+    let stats = Stats::new();
+    let mut seen_a = 0u64;
+    let mut seen_b = 0u64;
+
+    assert!(maybe_evict_idle_candidate_on_pressure_for_testing(
+        a.as_ref(),
+        7001,
+        &mut seen_a,
+        &stats
+    ));
+    assert!(!maybe_evict_idle_candidate_on_pressure_for_testing(
+        b.as_ref(),
+        7001,
+        &mut seen_b,
+        &stats
+    ));
+}
@@ -0,0 +1,265 @@
+use crate::proxy::handshake::{
+    auth_probe_fail_streak_for_testing_in_shared, auth_probe_record_failure_for_testing,
+    clear_auth_probe_state_for_testing_in_shared,
+    clear_unknown_sni_warn_state_for_testing_in_shared,
+    should_emit_unknown_sni_warn_for_testing_in_shared,
+};
+use crate::proxy::middle_relay::{
+    clear_desync_dedup_for_testing_in_shared,
+    clear_relay_idle_pressure_state_for_testing_in_shared, mark_relay_idle_candidate_for_testing,
+    oldest_relay_idle_candidate_for_testing, should_emit_full_desync_for_testing,
+};
+use crate::proxy::shared_state::ProxySharedState;
+use rand::RngExt;
+use rand::SeedableRng;
+use rand::rngs::StdRng;
+use std::net::{IpAddr, Ipv4Addr};
+use std::sync::Arc;
+use std::time::Instant;
+use tokio::sync::Barrier;
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 4)]
+async fn proxy_shared_state_50_concurrent_instances_no_counter_bleed() {
+    let mut handles = Vec::new();
+    for i in 0..50_u8 {
+        handles.push(tokio::spawn(async move {
+            let shared = ProxySharedState::new();
+            clear_auth_probe_state_for_testing_in_shared(shared.as_ref());
+            let ip = IpAddr::V4(Ipv4Addr::new(198, 51, 100, 200));
+            auth_probe_record_failure_for_testing(shared.as_ref(), ip, Instant::now());
+            auth_probe_fail_streak_for_testing_in_shared(shared.as_ref(), ip)
+        }));
+    }
+
+    for handle in handles {
+        let streak = handle.await.expect("task join failed");
+        assert_eq!(streak, Some(1));
+    }
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 4)]
+async fn proxy_shared_state_desync_rotation_concurrent_20_instances() {
+    let now = Instant::now();
+    let key = 0xD35E_D35E_u64;
+    let mut handles = Vec::new();
+    for _ in 0..20_u64 {
+        handles.push(tokio::spawn(async move {
+            let shared = ProxySharedState::new();
+            clear_desync_dedup_for_testing_in_shared(shared.as_ref());
+            should_emit_full_desync_for_testing(shared.as_ref(), key, false, now)
+        }));
+    }
+
+    for handle in handles {
+        let emitted = handle.await.expect("task join failed");
+        assert!(emitted);
+    }
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 4)]
+async fn proxy_shared_state_idle_registry_concurrent_10_instances() {
+    let mut handles = Vec::new();
+    let conn_id = 42_u64;
+    for _ in 1..=10_u64 {
+        handles.push(tokio::spawn(async move {
+            let shared = ProxySharedState::new();
+            clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
+            let marked = mark_relay_idle_candidate_for_testing(shared.as_ref(), conn_id);
+            let oldest = oldest_relay_idle_candidate_for_testing(shared.as_ref());
+            (marked, oldest)
+        }));
+    }
+
+    for (i, handle) in handles.into_iter().enumerate() {
+        let (marked, oldest) = handle.await.expect("task join failed");
+        assert!(marked, "instance {} failed to mark", i);
+        assert_eq!(oldest, Some(conn_id));
+    }
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 4)]
+async fn proxy_shared_state_dual_instance_same_ip_high_contention_no_counter_bleed() {
+    let a = ProxySharedState::new();
+    let b = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(a.as_ref());
+    clear_auth_probe_state_for_testing_in_shared(b.as_ref());
+
+    let ip = IpAddr::V4(Ipv4Addr::new(203, 0, 113, 200));
+    let mut handles = Vec::new();
+
+    for _ in 0..64 {
+        let a = a.clone();
+        let b = b.clone();
+        handles.push(tokio::spawn(async move {
+            auth_probe_record_failure_for_testing(a.as_ref(), ip, Instant::now());
+            auth_probe_record_failure_for_testing(b.as_ref(), ip, Instant::now());
+        }));
+    }
+
+    for handle in handles {
+        handle.await.expect("task join failed");
+    }
+
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(a.as_ref(), ip),
+        Some(64)
+    );
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(b.as_ref(), ip),
+        Some(64)
+    );
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 4)]
+async fn proxy_shared_state_unknown_sni_parallel_instances_no_cross_cooldown() {
+    let mut handles = Vec::new();
+    let now = Instant::now();
+
+    for _ in 0..32 {
+        handles.push(tokio::spawn(async move {
+            let shared = ProxySharedState::new();
+            clear_unknown_sni_warn_state_for_testing_in_shared(shared.as_ref());
+            let first = should_emit_unknown_sni_warn_for_testing_in_shared(shared.as_ref(), now);
+            let second = should_emit_unknown_sni_warn_for_testing_in_shared(
+                shared.as_ref(),
+                now + std::time::Duration::from_millis(1),
+            );
+            (first, second)
+        }));
+    }
+
+    for handle in handles {
+        let (first, second) = handle.await.expect("task join failed");
+        assert!(first);
+        assert!(!second);
+    }
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 4)]
+async fn proxy_shared_state_auth_probe_high_contention_increments_are_lossless() {
+    let shared = ProxySharedState::new();
+    clear_auth_probe_state_for_testing_in_shared(shared.as_ref());
+
+    let ip = IpAddr::V4(Ipv4Addr::new(198, 51, 100, 33));
+    let workers = 128usize;
+    let rounds = 20usize;
+
+    for _ in 0..rounds {
+        let start = Arc::new(Barrier::new(workers));
+        let mut handles = Vec::with_capacity(workers);
+
+        for _ in 0..workers {
+            let shared = shared.clone();
+            let start = start.clone();
+            handles.push(tokio::spawn(async move {
+                start.wait().await;
+                auth_probe_record_failure_for_testing(shared.as_ref(), ip, Instant::now());
+            }));
+        }
+
+        for handle in handles {
+            handle.await.expect("task join failed");
+        }
+    }
+
+    let expected = (workers * rounds) as u32;
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(shared.as_ref(), ip),
+        Some(expected),
+        "auth probe fail streak must account for every concurrent update"
+    );
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 4)]
+async fn proxy_shared_state_seed_matrix_concurrency_isolation_no_counter_bleed() {
+    let seeds: [u64; 8] = [
+        0x0000_0000_0000_0001,
+        0x1111_1111_1111_1111,
+        0xA5A5_A5A5_A5A5_A5A5,
+        0xDEAD_BEEF_CAFE_BABE,
+        0x0123_4567_89AB_CDEF,
+        0xFEDC_BA98_7654_3210,
+        0x0F0F_F0F0_55AA_AA55,
+        0x1357_9BDF_2468_ACE0,
+    ];
+
+    for seed in seeds {
+        let mut rng = StdRng::seed_from_u64(seed);
+        let shared_a = ProxySharedState::new();
+        let shared_b = ProxySharedState::new();
+        clear_auth_probe_state_for_testing_in_shared(shared_a.as_ref());
+        clear_auth_probe_state_for_testing_in_shared(shared_b.as_ref());
+
+        let ip = IpAddr::V4(Ipv4Addr::new(198, 51, 100, rng.random_range(1_u8..=250_u8)));
+        let workers = rng.random_range(16_usize..=48_usize);
+        let rounds = rng.random_range(4_usize..=10_usize);
+
+        let mut expected_a: u32 = 0;
+        let mut expected_b: u32 = 0;
+
+        for _ in 0..rounds {
+            let start = Arc::new(Barrier::new(workers * 2));
+            let mut handles = Vec::with_capacity(workers * 2);
+
+            for _ in 0..workers {
+                let a_ops = rng.random_range(1_u32..=3_u32);
+                let b_ops = rng.random_range(1_u32..=3_u32);
+                expected_a = expected_a.saturating_add(a_ops);
+                expected_b = expected_b.saturating_add(b_ops);
+
+                let shared_a = shared_a.clone();
+                let start_a = start.clone();
+                handles.push(tokio::spawn(async move {
+                    start_a.wait().await;
+                    for _ in 0..a_ops {
+                        auth_probe_record_failure_for_testing(
+                            shared_a.as_ref(),
+                            ip,
+                            Instant::now(),
+                        );
+                    }
+                }));
+
+                let shared_b = shared_b.clone();
+                let start_b = start.clone();
+                handles.push(tokio::spawn(async move {
+                    start_b.wait().await;
+                    for _ in 0..b_ops {
+                        auth_probe_record_failure_for_testing(
+                            shared_b.as_ref(),
+                            ip,
+                            Instant::now(),
+                        );
+                    }
+                }));
+            }
+
+            for handle in handles {
+                handle.await.expect("task join failed");
+            }
+        }
+
+        assert_eq!(
+            auth_probe_fail_streak_for_testing_in_shared(shared_a.as_ref(), ip),
+            Some(expected_a),
+            "seed {seed:#x}: instance A streak mismatch"
+        );
+        assert_eq!(
+            auth_probe_fail_streak_for_testing_in_shared(shared_b.as_ref(), ip),
+            Some(expected_b),
+            "seed {seed:#x}: instance B streak mismatch"
+        );
+
+        clear_auth_probe_state_for_testing_in_shared(shared_a.as_ref());
+        assert_eq!(
+            auth_probe_fail_streak_for_testing_in_shared(shared_a.as_ref(), ip),
+            None,
+            "seed {seed:#x}: clearing A must reset only A"
+        );
+        assert_eq!(
+            auth_probe_fail_streak_for_testing_in_shared(shared_b.as_ref(), ip),
+            Some(expected_b),
+            "seed {seed:#x}: clearing A must not mutate B"
+        );
+    }
+}
@@ -0,0 +1,284 @@
+use super::*;
+use crate::error::ProxyError;
+use crate::stats::Stats;
+use crate::stream::BufferPool;
+use std::io;
+use std::sync::Arc;
+use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite, AsyncWriteExt, ReadBuf, duplex};
+use tokio::time::{Duration, timeout};
+
+struct BrokenPipeWriter;
+
+impl AsyncWrite for BrokenPipeWriter {
+    fn poll_write(
+        self: Pin<&mut Self>,
+        _cx: &mut Context<'_>,
+        _buf: &[u8],
+    ) -> Poll<io::Result<usize>> {
+        Poll::Ready(Err(io::Error::new(
+            io::ErrorKind::BrokenPipe,
+            "forced broken pipe",
+        )))
+    }
+
+    fn poll_flush(self: Pin<&mut Self>, _cx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        Poll::Ready(Ok(()))
+    }
+
+    fn poll_shutdown(self: Pin<&mut Self>, _cx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        Poll::Ready(Ok(()))
+    }
+}
+
+#[tokio::test(start_paused = true)]
+async fn relay_baseline_activity_timeout_fires_after_inactivity() {
+    let stats = Arc::new(Stats::new());
+    let user = "relay-baseline-idle-timeout";
+
+    let (_client_peer, relay_client) = duplex(1024);
+    let (_server_peer, relay_server) = duplex(1024);
+
+    let (client_reader, client_writer) = tokio::io::split(relay_client);
+    let (server_reader, server_writer) = tokio::io::split(relay_server);
+
+    let relay_task = tokio::spawn(relay_bidirectional(
+        client_reader,
+        client_writer,
+        server_reader,
+        server_writer,
+        1024,
+        1024,
+        user,
+        Arc::clone(&stats),
+        None,
+        Arc::new(BufferPool::new()),
+    ));
+
+    tokio::task::yield_now().await;
+    tokio::time::advance(ACTIVITY_TIMEOUT.saturating_sub(Duration::from_secs(1))).await;
+    tokio::task::yield_now().await;
+    assert!(
+        !relay_task.is_finished(),
+        "relay must stay alive before inactivity timeout"
+    );
+
+    tokio::time::advance(WATCHDOG_INTERVAL + Duration::from_secs(2)).await;
+
+    let done = timeout(Duration::from_secs(1), relay_task)
+        .await
+        .expect("relay must complete after inactivity timeout")
+        .expect("relay task must not panic");
+
+    assert!(
+        done.is_ok(),
+        "relay must return Ok(()) after inactivity timeout"
+    );
+}
+
+#[tokio::test]
+async fn relay_baseline_zero_bytes_returns_ok_and_counters_zero() {
+    let stats = Arc::new(Stats::new());
+    let user = "relay-baseline-zero-bytes";
+
+    let (client_peer, relay_client) = duplex(1024);
+    let (server_peer, relay_server) = duplex(1024);
+
+    let (client_reader, client_writer) = tokio::io::split(relay_client);
+    let (server_reader, server_writer) = tokio::io::split(relay_server);
+
+    let relay_task = tokio::spawn(relay_bidirectional(
+        client_reader,
+        client_writer,
+        server_reader,
+        server_writer,
+        1024,
+        1024,
+        user,
+        Arc::clone(&stats),
+        None,
+        Arc::new(BufferPool::new()),
+    ));
+
+    drop(client_peer);
+    drop(server_peer);
+
+    let done = timeout(Duration::from_secs(2), relay_task)
+        .await
+        .expect("relay must stop after both peers close")
+        .expect("relay task must not panic");
+
+    assert!(done.is_ok(), "relay must return Ok(()) on immediate EOF");
+    assert_eq!(stats.get_user_total_octets(user), 0);
+}
+
+#[tokio::test]
+async fn relay_baseline_bidirectional_bytes_counted_symmetrically() {
+    let stats = Arc::new(Stats::new());
+    let user = "relay-baseline-bidir-counters";
+
+    let (mut client_peer, relay_client) = duplex(16 * 1024);
+    let (relay_server, mut server_peer) = duplex(16 * 1024);
+
+    let (client_reader, client_writer) = tokio::io::split(relay_client);
+    let (server_reader, server_writer) = tokio::io::split(relay_server);
+
+    let relay_task = tokio::spawn(relay_bidirectional(
+        client_reader,
+        client_writer,
+        server_reader,
+        server_writer,
+        4096,
+        4096,
+        user,
+        Arc::clone(&stats),
+        None,
+        Arc::new(BufferPool::new()),
+    ));
+
+    let c2s = vec![0xAA; 4096];
+    let s2c = vec![0xBB; 2048];
+
+    client_peer.write_all(&c2s).await.unwrap();
+    server_peer.write_all(&s2c).await.unwrap();
+
+    let mut seen_c2s = vec![0u8; c2s.len()];
+    let mut seen_s2c = vec![0u8; s2c.len()];
+    server_peer.read_exact(&mut seen_c2s).await.unwrap();
+    client_peer.read_exact(&mut seen_s2c).await.unwrap();
+
+    assert_eq!(seen_c2s, c2s);
+    assert_eq!(seen_s2c, s2c);
+
+    drop(client_peer);
+    drop(server_peer);
+
+    let done = timeout(Duration::from_secs(2), relay_task)
+        .await
+        .expect("relay must complete after both peers close")
+        .expect("relay task must not panic");
+    assert!(done.is_ok());
+
+    assert_eq!(
+        stats.get_user_total_octets(user),
+        (c2s.len() + s2c.len()) as u64
+    );
+}
+
+#[tokio::test]
+async fn relay_baseline_both_sides_close_simultaneously_no_panic() {
+    let stats = Arc::new(Stats::new());
+
+    let (client_peer, relay_client) = duplex(1024);
+    let (relay_server, server_peer) = duplex(1024);
+
+    let (client_reader, client_writer) = tokio::io::split(relay_client);
+    let (server_reader, server_writer) = tokio::io::split(relay_server);
+
+    let relay_task = tokio::spawn(relay_bidirectional(
+        client_reader,
+        client_writer,
+        server_reader,
+        server_writer,
+        1024,
+        1024,
+        "relay-baseline-sim-close",
+        Arc::clone(&stats),
+        None,
+        Arc::new(BufferPool::new()),
+    ));
+
+    drop(client_peer);
+    drop(server_peer);
+
+    let done = timeout(Duration::from_secs(2), relay_task)
+        .await
+        .expect("relay must complete")
+        .expect("relay task must not panic");
+    assert!(done.is_ok());
+}
+
+#[tokio::test]
+async fn relay_baseline_broken_pipe_midtransfer_returns_error() {
+    let stats = Arc::new(Stats::new());
+    let user = "relay-baseline-broken-pipe";
+
+    let (mut client_peer, relay_client) = duplex(1024);
+    let (client_reader, client_writer) = tokio::io::split(relay_client);
+
+    let relay_task = tokio::spawn(relay_bidirectional(
+        client_reader,
+        client_writer,
+        tokio::io::empty(),
+        BrokenPipeWriter,
+        1024,
+        1024,
+        user,
+        Arc::clone(&stats),
+        None,
+        Arc::new(BufferPool::new()),
+    ));
+
+    client_peer.write_all(b"trigger").await.unwrap();
+
+    let done = timeout(Duration::from_secs(2), relay_task)
+        .await
+        .expect("relay must return after broken pipe")
+        .expect("relay task must not panic");
+
+    match done {
+        Err(ProxyError::Io(err)) => {
+            assert!(
+                matches!(
+                    err.kind(),
+                    io::ErrorKind::BrokenPipe | io::ErrorKind::ConnectionReset
+                ),
+                "expected BrokenPipe/ConnectionReset, got {:?}",
+                err.kind()
+            );
+        }
+        other => panic!("expected ProxyError::Io, got {other:?}"),
+    }
+}
+
+#[tokio::test]
+async fn relay_baseline_many_small_writes_exact_counter() {
+    let stats = Arc::new(Stats::new());
+    let user = "relay-baseline-many-small";
+
+    let (mut client_peer, relay_client) = duplex(4096);
+    let (relay_server, mut server_peer) = duplex(4096);
+
+    let (client_reader, client_writer) = tokio::io::split(relay_client);
+    let (server_reader, server_writer) = tokio::io::split(relay_server);
+
+    let relay_task = tokio::spawn(relay_bidirectional(
+        client_reader,
+        client_writer,
+        server_reader,
+        server_writer,
+        1024,
+        1024,
+        user,
+        Arc::clone(&stats),
+        None,
+        Arc::new(BufferPool::new()),
+    ));
+
+    for i in 0..10_000u32 {
+        let b = [(i & 0xFF) as u8];
+        client_peer.write_all(&b).await.unwrap();
+        let mut seen = [0u8; 1];
+        server_peer.read_exact(&mut seen).await.unwrap();
+        assert_eq!(seen, b);
+    }
+
+    drop(client_peer);
+    drop(server_peer);
+
+    let done = timeout(Duration::from_secs(3), relay_task)
+        .await
+        .expect("relay must complete for many small writes")
+        .expect("relay task must not panic");
+    assert!(done.is_ok());
+    assert_eq!(stats.get_user_total_octets(user), 10_000);
+}
@@ -0,0 +1,205 @@
+use crate::config::ProxyConfig;
+use rand::SeedableRng;
+use rand::rngs::StdRng;
+use std::io;
+use std::pin::Pin;
+use std::sync::Arc;
+use std::task::{Context, Poll};
+use tokio::io::AsyncWrite;
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::sync::Arc;
+    use std::sync::atomic::{AtomicUsize, Ordering};
+    use std::task::{RawWaker, RawWakerVTable, Waker};
+
+    unsafe fn wake_counter_clone(data: *const ()) -> RawWaker {
+        let arc = Arc::<AtomicUsize>::from_raw(data.cast::<AtomicUsize>());
+        let cloned = Arc::clone(&arc);
+        let _ = Arc::into_raw(arc);
+        RawWaker::new(
+            Arc::into_raw(cloned).cast::<()>(),
+            &WAKE_COUNTER_WAKER_VTABLE,
+        )
+    }
+
+    unsafe fn wake_counter_wake(data: *const ()) {
+        let arc = Arc::<AtomicUsize>::from_raw(data.cast::<AtomicUsize>());
+        arc.fetch_add(1, Ordering::SeqCst);
+    }
+
+    unsafe fn wake_counter_wake_by_ref(data: *const ()) {
+        let arc = Arc::<AtomicUsize>::from_raw(data.cast::<AtomicUsize>());
+        arc.fetch_add(1, Ordering::SeqCst);
+        let _ = Arc::into_raw(arc);
+    }
+
+    unsafe fn wake_counter_drop(data: *const ()) {
+        let _ = Arc::<AtomicUsize>::from_raw(data.cast::<AtomicUsize>());
+    }
+
+    static WAKE_COUNTER_WAKER_VTABLE: RawWakerVTable = RawWakerVTable::new(
+        wake_counter_clone,
+        wake_counter_wake,
+        wake_counter_wake_by_ref,
+        wake_counter_drop,
+    );
+
+    fn wake_counter_waker(counter: Arc<AtomicUsize>) -> Waker {
+        let raw = RawWaker::new(
+            Arc::into_raw(counter).cast::<()>(),
+            &WAKE_COUNTER_WAKER_VTABLE,
+        );
+        // SAFETY: `raw` points to a valid `Arc<AtomicUsize>` and uses a vtable
+        // that preserves Arc reference-counting semantics.
+        unsafe { Waker::from_raw(raw) }
+    }
+
+    #[test]
+    fn pending_count_writer_write_pending_does_not_spurious_wake() {
+        let counter = Arc::new(AtomicUsize::new(0));
+        let waker = wake_counter_waker(Arc::clone(&counter));
+        let mut cx = Context::from_waker(&waker);
+
+        let mut writer = PendingCountWriter::new(RecordingWriter::new(), 1, 0);
+        let poll = Pin::new(&mut writer).poll_write(&mut cx, b"x");
+
+        assert!(matches!(poll, Poll::Pending));
+        assert_eq!(counter.load(Ordering::SeqCst), 0);
+    }
+
+    #[test]
+    fn pending_count_writer_flush_pending_does_not_spurious_wake() {
+        let counter = Arc::new(AtomicUsize::new(0));
+        let waker = wake_counter_waker(Arc::clone(&counter));
+        let mut cx = Context::from_waker(&waker);
+
+        let mut writer = PendingCountWriter::new(RecordingWriter::new(), 0, 1);
+        let poll = Pin::new(&mut writer).poll_flush(&mut cx);
+
+        assert!(matches!(poll, Poll::Pending));
+        assert_eq!(counter.load(Ordering::SeqCst), 0);
+    }
+}
+
+// In-memory AsyncWrite that records both per-write and per-flush granularity.
+pub struct RecordingWriter {
+    pub writes: Vec<Vec<u8>>,
+    pub flushed: Vec<Vec<u8>>,
+    current_record: Vec<u8>,
+}
+
+impl RecordingWriter {
+    pub fn new() -> Self {
+        Self {
+            writes: Vec::new(),
+            flushed: Vec::new(),
+            current_record: Vec::new(),
+        }
+    }
+
+    pub fn total_bytes(&self) -> usize {
+        self.writes.iter().map(|w| w.len()).sum()
+    }
+}
+
+impl Default for RecordingWriter {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
+impl AsyncWrite for RecordingWriter {
+    fn poll_write(
+        mut self: Pin<&mut Self>,
+        _cx: &mut Context<'_>,
+        buf: &[u8],
+    ) -> Poll<io::Result<usize>> {
+        let me = self.as_mut().get_mut();
+        me.writes.push(buf.to_vec());
+        me.current_record.extend_from_slice(buf);
+        Poll::Ready(Ok(buf.len()))
+    }
+
+    fn poll_flush(mut self: Pin<&mut Self>, _cx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        let me = self.as_mut().get_mut();
+        let record = std::mem::take(&mut me.current_record);
+        if !record.is_empty() {
+            me.flushed.push(record);
+        }
+        Poll::Ready(Ok(()))
+    }
+
+    fn poll_shutdown(self: Pin<&mut Self>, _cx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        Poll::Ready(Ok(()))
+    }
+}
+
+// Returns Poll::Pending for the first N write/flush calls, then delegates.
+pub struct PendingCountWriter<W> {
+    pub inner: W,
+    pub write_pending_remaining: usize,
+    pub flush_pending_remaining: usize,
+}
+
+impl<W> PendingCountWriter<W> {
+    pub fn new(inner: W, write_pending: usize, flush_pending: usize) -> Self {
+        Self {
+            inner,
+            write_pending_remaining: write_pending,
+            flush_pending_remaining: flush_pending,
+        }
+    }
+}
+
+impl<W: AsyncWrite + Unpin> AsyncWrite for PendingCountWriter<W> {
+    fn poll_write(
+        mut self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        buf: &[u8],
+    ) -> Poll<io::Result<usize>> {
+        let me = self.as_mut().get_mut();
+        if me.write_pending_remaining > 0 {
+            me.write_pending_remaining -= 1;
+            return Poll::Pending;
+        }
+        Pin::new(&mut me.inner).poll_write(cx, buf)
+    }
+
+    fn poll_flush(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        let me = self.as_mut().get_mut();
+        if me.flush_pending_remaining > 0 {
+            me.flush_pending_remaining -= 1;
+            return Poll::Pending;
+        }
+        Pin::new(&mut me.inner).poll_flush(cx)
+    }
+
+    fn poll_shutdown(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        Pin::new(&mut self.inner).poll_shutdown(cx)
+    }
+}
+
+pub fn seeded_rng(seed: u64) -> StdRng {
+    StdRng::seed_from_u64(seed)
+}
+
+pub fn tls_only_config() -> Arc<ProxyConfig> {
+    let mut cfg = ProxyConfig::default();
+    cfg.general.modes.tls = true;
+    Arc::new(cfg)
+}
+
+pub fn handshake_test_config(secret_hex: &str) -> ProxyConfig {
+    let mut cfg = ProxyConfig::default();
+    cfg.access.users.clear();
+    cfg.access
+        .users
+        .insert("test-user".to_string(), secret_hex.to_string());
+    cfg.access.ignore_time_skew = true;
+    cfg.censorship.mask = true;
+    cfg.censorship.mask_host = Some("127.0.0.1".to_string());
+    cfg.censorship.mask_port = 0;
+    cfg
+}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Alexey	6d5a1a29df	Merge pull request #677 from xaosproxy/feat/rst-on-close feat: add configurable RST-on-close mode for client sockets	2026-04-11 10:35:16 +03:00
Alexey	026ca5cc1d	Merge pull request #678 from avbor/main Fixed link to quick start guide	2026-04-11 10:34:05 +03:00
Alexey	b11dec7f91	Update FUNDING.yml	2026-04-10 20:37:09 +03:00
Alexey	edd1405562	Update FUNDING.yml	2026-04-10 20:34:43 +03:00
brekotis	45dd7485a9	Create FUNDING.yml	2026-04-10 15:49:29 +03:00
brekotis	901cf11c51	Add donation section to README.md	2026-04-10 15:48:24 +03:00
Alexey	227a64ef06	Update CODE_OF_CONDUCT.md	2026-04-10 13:17:51 +03:00
Alexander	6748ed920e	Update VPS_DOUBLE_HOP.ru.md	2026-04-10 11:53:35 +03:00
Alexander	303b273c77	Update VPS_DOUBLE_HOP.en.md	2026-04-10 11:52:58 +03:00
Alexander	3bcc129b8d	Fix link in quick start	2026-04-10 11:17:17 +03:00
Alexander	3ffbd294d2	Fix link to quick start	2026-04-10 11:16:41 +03:00
sintanial	ddeda8d914	feat: add configurable RST-on-close mode for client sockets Add `rst_on_close` config option (off/errors/always) to control SO_LINGER(0) behaviour on accepted TCP connections. - `off` (default): normal FIN on all closes, no behaviour change. - `errors`: SO_LINGER(0) set on accept, cleared after successful handshake auth. Pre-handshake failures (scanners, DPI probes, timeouts) send RST instead of FIN, eliminating FIN-WAIT-1 and orphan socket accumulation. Authenticated relay sessions still close gracefully with FIN. - `always`: SO_LINGER(0) on accept, never cleared — all closes send RST regardless of handshake outcome.	2026-04-10 05:01:38 +03:00
Alexey	17fd01a2c4	Update CODE_OF_CONDUCT.md	2026-04-09 23:27:16 +03:00
Alexey	8ed43a562c	Update CODE_OF_CONDUCT.md	2026-04-09 23:25:19 +03:00
Alexey	fd6243b6cc	Update CODE_OF_CONDUCT.md	2026-04-09 23:21:37 +03:00
Alexey	44127c6f96	Update CODE_OF_CONDUCT.md	2026-04-09 23:21:21 +03:00
Alexey	a0c7a9e62c	Update CODE_OF_CONDUCT.md	2026-04-09 23:17:06 +03:00
Alexey	d7af1cc206	Update CODE_OF_CONDUCT.md	2026-04-09 23:07:58 +03:00
Alexey	f8e22970c1	Merge pull request #670 from TWRoman/main [docs] Update CONFIG-PARAMS and README	2026-04-09 21:55:47 +03:00
Roman	792f626336	Update README.ru.md	2026-04-09 21:53:08 +03:00
Roman	c5c98bb7fa	Update README.ru.md	2026-04-09 21:46:33 +03:00
Roman	6102280345	Update README.ru.md	2026-04-09 21:45:30 +03:00
Roman	177f0f0325	Update README.ru.md	2026-04-09 21:30:34 +03:00
Roman	abcce12368	Merge branch 'main' into main	2026-04-09 21:26:40 +03:00
Alexey	31cbf31491	Update README.md	2026-04-09 21:18:52 +03:00
Alexey	f479ecd1ad	Update README.md	2026-04-09 21:14:42 +03:00
Alexey	5c953eb4ba	Update README.md	2026-04-09 21:13:50 +03:00
Alexey	3771eb4ab2	Merge pull request #674 from agvol/main Dashboards: add grafana dashboard by user	2026-04-09 21:07:27 +03:00
Roman	07d19027f6	Merge branch 'main' into main	2026-04-09 19:21:28 +03:00
Alexey	877d16659e	Merge pull request #666 from miniusercoder/highload-docs Add High-Load Configuration & Tuning Guide	2026-04-09 18:58:13 +03:00
Andrey Voloshin	79f4ff4eec	Dashboards: add grafana dashboard by user	2026-04-09 15:55:35 +03:00
Roman	e6c64525e3	Merge branch 'main' into main	2026-04-09 13:02:03 +03:00
Alexey	ec231aade6	Update docker-compose.yml	2026-04-09 12:55:38 +03:00
Roman	59df74e341	Update README.ru.md	2026-04-09 11:58:29 +03:00
TWRoman	21a33e4d2a	New button for README	2026-04-09 10:15:46 +03:00
Roman	73bf23eb61	Update README.md Lost dot in README ^-^	2026-04-09 09:20:10 +03:00
TWRoman	4a904568da	Minor changes in README	2026-04-09 09:04:54 +03:00
TWRoman	265478b9ca	[docs] Update CONFIG-PARAMS.en, ru	2026-04-08 19:37:03 +03:00
Roman	038f688e75	Update CONFIG_PARAMS.ru.md	2026-04-08 19:28:28 +03:00
Roman	fa3a1b4dbc	Update CONFIG_PARAMS.ru.md	2026-04-08 19:25:26 +03:00
TWRoman	e2e8b54f87	[docs] Update CONFIG-PARAMS.en	2026-04-08 19:21:44 +03:00
TWRoman	45c66bc823	[docs] Update CONFIG-PARAMS.en	2026-04-08 19:10:26 +03:00
miniusercoder	5e38a72add	Remove maxconn and nbthread settings from high load configuration examples	2026-04-08 18:29:04 +03:00
Alexey	731619bfaa	Merge pull request #668 from groozchique/main [docs] change suggested config.toml in quick start guide	2026-04-08 16:10:36 +03:00
Alexey	c23cdddbd2	Merge pull request #663 from TWRoman/main Minor changes in README and README.ru	2026-04-08 16:09:21 +03:00
miniusercoder	7ba02ea3d5	fix double-hop highload config example	2026-04-08 16:01:36 +03:00
Nick Parfyonov	1e06c32718	[docs] change suggested config.toml in quick start guide This changes current suggested config in quick start guide to be inline with default config.toml from main branch	2026-04-08 15:52:55 +03:00
miniusercoder	38c5f73d6a	Add High-Load Configuration & Tuning Guide	2026-04-08 15:52:21 +03:00
Roman	010f176ad4	Update README.md Fixed the link in 29.	2026-04-08 15:18:38 +03:00
TWRoman	2f616500c9	Minor changes in README and README.ru	2026-04-08 15:12:58 +03:00
Alexey	852dc11722	Update README.md	2026-04-08 11:52:17 +03:00
Alexey	cda9600169	Update README.md	2026-04-08 11:52:00 +03:00
Alexey	dc03c73dd6	Update README.md	2026-04-08 11:50:50 +03:00
Alexey	c99f55f216	Update README.md	2026-04-08 11:35:37 +03:00
Alexey	f5786d284b	Merge pull request #657 from Dimasssss/patch-3 Update install.sh - Add interactive domain prompt and EN/RU support	2026-04-08 11:33:06 +03:00
Alexey	0281cad564	Merge pull request #658 from Dimasssss/patch-4 Add install.sh installation method to QUICK_START_GUIDE	2026-04-08 11:30:20 +03:00
Dimasssss	91d9cb8de0	Update README.md	2026-04-07 23:06:11 +03:00
Dimasssss	9e74a78209	Update QUICK_START_GUIDE.en.md	2026-04-07 22:40:54 +03:00
Dimasssss	9933cdf245	Update QUICK_START_GUIDE.ru.md	2026-04-07 22:39:39 +03:00
Dimasssss	b4a3ad9aad	Update install.sh - Add interactive domain prompt, EN/RU support, and script optimizations	2026-04-07 21:43:22 +03:00
Alexey	23156a840d	Merge pull request #654 from TWRoman/main Changes to the documentation and README	2026-04-07 20:12:55 +03:00
Roman	cf9d4b2c61	Changes in README and Docs Changed the folder structure of the documentation. Edited the README. Added a Russian-language README. Moved some information from the README to the FAQ.	2026-04-07 20:00:23 +03:00
TWRoman	63cfc067f6	Changes in README and Docs	2026-04-07 20:00:23 +03:00
TWRoman	5863b33b81	Changes in README and Docs	2026-04-07 20:00:22 +03:00
TWRoman	7ce87749c0	Changes in README and Docs	2026-04-07 20:00:22 +03:00
Alexey	bc691539a1	Bump	2026-04-07 19:28:05 +03:00
Alexey	2162a63e3e	Memory Hard-bounds + Handshake Budget in Metrics + No mutable in hotpath ConnRegistry + Build-info in Metrics + TLS Fronting fixes + Round-bounded Retries + Bounded Retry-Round Constant + QueueFall Bounded Retry on Data-route: merge pull request #655 from telemt/flow Memory Hard-bounds + Handshake Budget in Metrics + No mutable in hotpath ConnRegistry + Build-info in Metrics + TLS Fronting fixes + Round-bounded Retries + Bounded Retry-Round Constant + QueueFall Bounded Retry on Data-route	2026-04-07 19:26:07 +03:00
Alexey	4a77335ba9	Round-bounded Retries + Bounded Retry-Round Constant Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-04-07 19:19:40 +03:00
Alexey	ba29b66c4c	Merge branch 'flow' of https://github.com/telemt/telemt into flow	2026-04-07 18:42:10 +03:00
Alexey	e8cf97095f	QueueFall Bounded Retry on Data-route Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-04-07 18:41:59 +03:00
Alexey	ee4264af50	Merge pull request #624 from mammuthus/feature/metrics-build-info metrics: export CARGO_PKG_VERSION as telemt_build_info version metric	2026-04-07 18:35:06 +03:00
Alexey	59c2476650	Merge branch 'flow' into feature/metrics-build-info	2026-04-07 18:34:51 +03:00
Alexey	89d6be267d	Merge pull request #652 from groozchique/flow [docs] Hotfix for link's obtaining command	2026-04-07 18:23:34 +03:00
Alexey	3b717c75da	Memory Hard-bounds + Handshake Budget in Metrics + No mutable in hotpath ConnRegistry Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-04-07 18:18:47 +03:00
Nick Parfyonov	3af7673342	[docs] add classic/secure links to the output After further testing I discovered that the current command only returns TLS links, ignoring classic/secure links if they are present	2026-04-07 13:53:12 +03:00
Alexey	ad2057ad44	Merge pull request #649 from JetJava/flow tls_front/emulator: hash compact cert info payload before TLS emulation	2026-04-07 13:26:22 +03:00
Alexey	f8cfd4f0bc	Merge pull request #651 from groozchique/flow [FAQ] More user-friendly output when obtaining proxy links	2026-04-07 13:22:17 +03:00
Alexey	5cbcfb2a91	Merge pull request #643 from Dimasssss/patch-2 Update install.sh - fix "Permission denied (os error 13)"	2026-04-07 13:20:46 +03:00
Alexey	aec2c23a0c	Merge pull request #650 from pavlozt/fix/zabbix-storage Zabbix template: disable intermediate data storage	2026-04-07 13:19:35 +03:00
Nick Parfyonov	f5e63ab145	[FAQ] change output of user's links more to more user-friendly look Currently output of existing method for obtaining proxy links of users is cluttered and messy, let's change it to a more clean and precise one	2026-04-07 13:12:22 +03:00
PavelZ	12f99eebab	Zabbix template: disable intermediate data storage	2026-04-07 11:55:51 +03:00
Ivan	bc3ad02a20	tls_front/emulator: hash compact cert info payload before TLS emulation	2026-04-07 11:31:12 +04:00
Alexey	14674bd4e6	Update relay.rs	2026-04-06 19:01:12 +03:00
Alexey	a36c7b3f66	Update handshake_security_tests.rs	2026-04-06 17:45:45 +03:00
Alexey	d848e4a729	Fixes for test + Rustfmt	2026-04-06 16:12:46 +03:00
Alexey	8d865a980c	MRU Search + Runtime user snapshot + Ordered candidate auth + Sticky hints + Overload Budgets	2026-04-06 15:04:15 +03:00
Dimasssss	f829439e8f	Update install.sh - fix "Permission denied (os error 13)"	2026-04-06 14:33:02 +03:00
Alexey	a14f8b14d2	Licenses Updating	2026-04-06 13:40:32 +03:00
Alexey	31af2da4d5	Licenses -> License	2026-04-06 13:33:08 +03:00
Alexey	ac2b88d6ea	License -> Licenses	2026-04-06 13:32:18 +03:00
Alexey	4a3ef62494	License 3.3 Translations	2026-04-06 13:31:22 +03:00
Alexey	6996d6e597	Update LICENSE	2026-04-06 13:21:16 +03:00
Alexey	b3f11624c9	Update LICENSE	2026-04-06 13:12:06 +03:00
Alexey	13dc1f70bf	Accept as unknown_sni_action	2026-04-06 12:03:06 +03:00
Alexey	b88457b9bc	Rename test.yml to check.yml	2026-04-06 11:19:35 +03:00
Alexey	d176766db2	Uploading Binary as artifact in Github Actions	2026-04-06 11:17:15 +03:00
Alexey	fa4e2000a8	Privileges fix Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-04-06 11:10:41 +03:00
Alexey	4d87a790cc	Merge pull request #626 from vladon/fix/strip-release-binaries [codex] Strip release binaries before packaging	2026-04-05 21:12:07 +03:00
Alexey	07fed8f871	Merge pull request #632 from SysAdminKo/main Актуализация документации CONFIG_PARAMS	2026-04-05 21:10:58 +03:00
Alexey	407d686d49	Merge pull request #638 from Dimasssss/patch-1 Update install.sh - add port availability check and new CLI arguments + update QUICK_START_GUIDE - add CAP_NET_ADMIN Service	2026-04-05 21:06:29 +03:00
Dimasssss	eac5cc81fb	Update QUICK_START_GUIDE.ru.md	2026-04-05 18:53:16 +03:00
Dimasssss	c51d16f403	Update QUICK_START_GUIDE.en.md	2026-04-05 18:53:06 +03:00
Dimasssss	b5146bba94	Update install.sh	2026-04-05 18:43:08 +03:00
SysAdminKo	5ed525fa48	Add server.conntrack_control configuration section with detailed parameters and descriptions This update introduces a new section in the configuration documentation for `server.conntrack_control`, outlining various parameters such as `inline_conntrack_control`, `mode`, `backend`, `profile`, `hybrid_listener_ips`, `pressure_high_watermark_pct`, `pressure_low_watermark_pct`, and `delete_budget_per_sec`. Each parameter includes constraints, descriptions, and examples to assist users in configuring conntrack control effectively.	2026-04-05 18:05:13 +03:00
Олегсей Бреднев	9f7c1693ce	Merge branch 'telemt:main' into main	2026-04-05 17:42:08 +03:00
Dimasssss	1524396e10	Update install.sh Новые аргументы командной строки: -d, --domain : TLS-домен (дефолт: petrovich.ru) -p, --port : Порт сервера (дефолт: 443) -s, --secret : Секрет пользователя (32 hex-символа) -a, --ad-tag : Установка ad_tag ⚠️ Если эти флаги переданы при запуске, они заменят собой старые сохраненные значения.	2026-04-05 17:32:21 +03:00
Alexey	e630ea0045	Bump	2026-04-05 17:31:48 +03:00
Alexey	4574e423c6	New Relay Methods + Conntrack Control + Cleanup Methods for Memory + Buffer Pool Trim + Shrink Session Vec + ME2DC Fast for unstoppable init + Config Fallback + Working Directory Setup + Logging fixes with --syslog: merge pull request #637 from telemt/flow New Relay Methods + Conntrack Control + Cleanup Methods for Memory + Buffer Pool Trim + Shrink Session Vec + ME2DC Fast for unstoppable init + Config Fallback + Working Directory Setup + Logging fixes with --syslog	2026-04-05 17:30:43 +03:00
Alexey	5f5582865e	Rustfmt	2026-04-05 17:23:40 +03:00
Alexey	1f54e4a203	Logging fixes with --syslog Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-04-05 17:21:47 +03:00
Alexey	defa37da05	Merge pull request #636 from Dimasssss/patch-3 Update install.sh - add x86_64-v3 support + Add -d/--domain argument	2026-04-05 15:38:26 +03:00
Dimasssss	5fd058b6fd	Update install.sh - Add -d/--domain Example usage: `./install.sh -d example.com` `./install.sh --domain example.com`	2026-04-05 14:49:31 +03:00
Alexey	977ee53b72	Config Fallback + Working Directory Setup Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-04-05 14:40:17 +03:00
Dimasssss	5b11522620	Update install.sh	2026-04-05 13:26:52 +03:00
Alexey	8fe6fcb7eb	ME2DC Fast for unstoppable init	2026-04-05 13:10:35 +03:00
Alexey	486e439ae6	Update Cargo.toml + Cargo.lock	2026-04-05 12:19:24 +03:00
SysAdminKo	444a20672d	Refine CONFIG_PARAMS documentation by updating default values to use a dash (—) for optional parameters instead of null. Adjust constraints for clarity, ensuring all types are accurately represented as required. Enhance descriptions for better understanding of configuration options.	2026-04-04 21:56:24 +03:00
Alexey	8e7b27a16d	Deleting Kilocode	2026-04-04 18:10:09 +03:00
Alexey	7f0057acd7	Conntrack Control Method Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-04-04 11:28:32 +03:00
Alexey	7fe38f1b9f	Merge pull request #627 from DavidOsipov/flow Фазы 1 и 2 полностью выполнены	2026-04-04 18:40:03 +03:00
Alexey	c2f16a343a	Update README.md	2026-04-03 19:13:57 +03:00
mammuthus	9b64d2ee17	style(metrics): apply rustfmt for build_info additions	2026-04-03 07:49:37 +00:00
David Osipov	6ea867ce36	Phase 2 implemented with additional guards	2026-04-03 02:08:59 +04:00
Vlad Yaroslavlev	d673935b6d	Merge branch 'main' into fix/strip-release-binaries	2026-04-03 00:35:20 +03:00
Vladislav Yaroslavlev	363b5014f7	Strip release binaries before packaging	2026-04-03 00:17:43 +03:00
Alexey	bb6237151c	Update README.md	2026-04-03 00:06:34 +03:00
mammuthus	873618ce53	metrics: export telemt_build_info version metric	2026-04-02 18:14:50 +00:00
David Osipov	a9f695623d	Implementation plan + Phase 1 finished	2026-04-02 20:08:47 +04:00
David Osipov	5c29870632	Update dependencies in Cargo.lock to latest versions	2026-04-02 13:21:56 +04:00
Alexey	f6704d7d65	Update README.md	2026-04-02 10:59:19 +03:00
Alexey	3d20002e56	Update README.md	2026-04-02 10:58:50 +03:00
Alexey	8fcd0fa950	Merge pull request #618 from SysAdminKo/main Переработка документации CONFIG_PARAMS	2026-04-01 17:24:22 +03:00
SysAdminKo	645e968778	Enhance CONFIG_PARAMS documentation with AI-assisted notes and detailed parameter descriptions. Update formatting for clarity and include examples for key configuration options.	2026-04-01 16:04:11 +03:00
Alexey	b46216d357	Update README.md	2026-04-01 11:52:13 +03:00
				`@@ -0,0 +1 @@`
				<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg width="100%" height="100%" viewBox="0 0 150 30" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2;"><path d="M150,15c0,8.279 -6.721,15 -15,15l-120,0c-8.279,0 -15,-6.721 -15,-15c0,-8.279 6.721,-15 15,-15l120,0c8.279,0 15,6.721 15,15Z" style="fill:#24a1ed;"/><g transform="matrix(20.833333,0,0,20.833333,111.464184,22.329305)"></g><text x="39.666px" y="22.329px" style="font-family:'ArialMT', 'Arial', sans-serif;font-size:20.833px;fill:#fff;">Join us!</text></svg>