Merge 2d15eb1f6d into b3f11624c9

Text block fix

.github/workflows/release.yml

@@ -151,6 +151,14 @@ jobs:
           mkdir -p dist
           cp "target/${{ matrix.target }}/release/${{ env.BINARY_NAME }}" dist/telemt
 
+          if [ "${{ matrix.target }}" = "aarch64-unknown-linux-gnu" ]; then
+            STRIP_BIN=aarch64-linux-gnu-strip
+          else
+            STRIP_BIN=strip
+          fi
+
+          "${STRIP_BIN}" dist/telemt
+
           cd dist
           tar -czf "${{ matrix.asset }}.tar.gz" \
             --owner=0 --group=0 --numeric-owner \
@@ -279,6 +287,14 @@ jobs:
           mkdir -p dist
           cp "target/${{ matrix.target }}/release/${{ env.BINARY_NAME }}" dist/telemt
 
+          if [ "${{ matrix.target }}" = "aarch64-unknown-linux-musl" ]; then
+            STRIP_BIN=aarch64-linux-musl-strip
+          else
+            STRIP_BIN=strip
+          fi
+
+          "${STRIP_BIN}" dist/telemt
+
           cd dist
           tar -czf "${{ matrix.asset }}.tar.gz" \
             --owner=0 --group=0 --numeric-owner \

Cargo.lock

@@ -2780,7 +2780,7 @@ checksum = "7b2093cf4c8eb1e67749a6762251bc9cd836b6fc171623bd0a9d324d37af2417"
 
 [[package]]
 name = "telemt"
-version = "3.3.37"
+version = "3.3.38"
 dependencies = [
  "aes",
  "anyhow",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "telemt"
-version = "3.3.37"
+version = "3.3.38"
 edition = "2024"
 
 [features]

LICENSE

@@ -14,11 +14,15 @@ are preserved and complied with.
 The canonical version of this License is the English version.
 Official translations are provided for informational purposes only
 and for convenience, and do not have legal force. In case of any
-discrepancy, the English version of this License shall prevail.
-Available versions:
-- English in Markdown: docs/LICENSE/LICENSE.md
-- German: docs/LICENSE/LICENSE.de.md
-- Russian: docs/LICENSE/LICENSE.ru.md
+discrepancy, the English version of this License shall prevail
+
+/----------------------------------------------------------\
+| Language    | Location                                   |
+|-------------|--------------------------------------------|
+| English     | docs/LICENSE/TELEMT-PUBLIC-LICENSE-3.en.md |
+| German      | docs/LICENSE/TELEMT-PUBLIC-LICENSE-3.de.md |
+| Russian     | docs/LICENSE/TELEMT-PUBLIC-LICENSE-3.ru.md |
+\----------------------------------------------------------/
 
 ### License Versioning Policy
 

README.md

@@ -2,182 +2,60 @@
 
 ***Löst Probleme, bevor andere überhaupt wissen, dass sie existieren*** / ***It solves problems before others even realize they exist***
 
-[**Telemt Chat in Telegram**](https://t.me/telemtrs)
+> [!NOTE]
+>
+> Fixed TLS ClientHello is now available in **Telegram Desktop** starting from version **6.7.2**: to work with EE-MTProxy, please update your client;
+> 
+> Fixed TLS ClientHello for Telegram Android Client is available in [our chat](https://t.me/telemtrs/30234/36441); **official releases for Android and iOS are "work in progress"**;
+
+<p align="center">
+  <a href="https://t.me/telemtrs">
+    <img src="docs/assets/telegram_button.png" alt="Join us in Telegram" />
+  </a>
+</p>
 
 **Telemt** is a fast, secure, and feature-rich server written in Rust: it fully implements the official Telegram proxy algo and adds many production-ready improvements such as:
-- [ME Pool + Reader/Writer + Registry + Refill + Adaptive Floor + Trio-State + Generation Lifecycle](https://github.com/telemt/telemt/blob/main/docs/model/MODEL.en.md)
-- [Full-covered API w/ management](https://github.com/telemt/telemt/blob/main/docs/API.md)
-- Anti-Replay on Sliding Window
-- Prometheus-format Metrics
-- TLS-Fronting and TCP-Splicing for masking from "prying" eyes
+- [ME Pool + Reader/Writer + Registry + Refill + Adaptive Floor + Trio-State + Generation Lifecycle](https://github.com/telemt/telemt/blob/main/docs/model/MODEL.en.md);
+- [Full-covered API w/ management](https://github.com/telemt/telemt/blob/main/docs/API.md);
+- Anti-Replay on Sliding Window;
+- Prometheus-format Metrics;
+- TLS-Fronting and TCP-Splicing for masking from "prying" eyes.
+
+![telemt_scheme](docs/assets/telemt.png)
 
 ⚓ Our implementation of **TLS-fronting** is one of the most deeply debugged, focused, advanced and *almost* **"behaviorally consistent to real"**:  we are confident we have it right - [see evidence on our validation and traces](#recognizability-for-dpi-and-crawler)
 
 ⚓ Our ***Middle-End Pool*** is fastest by design in standard scenarios, compared to other implementations of connecting to the Middle-End Proxy: non dramatically, but usual
 
 - Full support for all official MTProto proxy modes:
-  - Classic
-  - Secure - with `dd` prefix
-  - Fake TLS - with `ee` prefix + SNI fronting
-- Replay attack protection
-- Optional traffic masking: forward unrecognized connections to a real web server, e.g. GitHub 🤪
-- Configurable keepalives + timeouts + IPv6 and "Fast Mode"
-- Graceful shutdown on Ctrl+C
-- Extensive logging via `trace` and `debug` with `RUST_LOG` method
+  - Classic;
+  - Secure - with `dd` prefix;
+  - Fake TLS - with `ee` prefix + SNI fronting;
+- Replay attack protection;
+- Optional traffic masking: forward unrecognized connections to a real web server, e.g. GitHub 🤪;
+- Configurable keepalives + timeouts + IPv6 and "Fast Mode";
+- Graceful shutdown on Ctrl+C;
+- Extensive logging via `trace` and `debug` with `RUST_LOG` method.
 
 # GOTO
-- [Quick Start Guide](#quick-start-guide)
 - [FAQ](#faq)
-  - [Recognizability for DPI and crawler](#recognizability-for-dpi-and-crawler)
-    - [Client WITH secret-key accesses the MTProxy resource:](#client-with-secret-key-accesses-the-mtproxy-resource)
-    - [Client WITHOUT secret-key gets transparent access to the specified resource:](#client-without-secret-key-gets-transparent-access-to-the-specified-resource)
-  - [Telegram Calls via MTProxy](#telegram-calls-via-mtproxy)
-  - [How does DPI see MTProxy TLS?](#how-does-dpi-see-mtproxy-tls)
-  - [Whitelist on IP](#whitelist-on-ip)
-  - [Too many open files](#too-many-open-files)
+- [Architecture](docs/Architecture)
+- [Quick Start Guide](#quick-start-guide)
+- [Config parameters](docs/Config_params)
 - [Build](#build)
 - [Why Rust?](#why-rust)
 - [Issues](#issues)
 - [Roadmap](#roadmap)
 
-
 ## Quick Start Guide
-- [Quick Start Guide RU](docs/QUICK_START_GUIDE.ru.md)
-- [Quick Start Guide EN](docs/QUICK_START_GUIDE.en.md)
+- [Quick Start Guide RU](docs/Quick_start/QUICK_START_GUIDE.ru.md)
+- [Quick Start Guide EN](docs/Quick_start/QUICK_START_GUIDE.en.md)
 
 ## FAQ
 
 - [FAQ RU](docs/FAQ.ru.md)
 - [FAQ EN](docs/FAQ.en.md)
 
-### Recognizability for DPI and crawler
-Since version 1.1.0.0, we have debugged masking perfectly: for all clients without "presenting" a key, 
-we transparently direct traffic to the target host!
-
-- We consider this a breakthrough aspect, which has no stable analogues today
-- Based on this: if `telemt` configured correctly, **TLS mode is completely identical to real-life handshake + communication** with a specified host
-- Here is our evidence:
-    - 212.220.88.77 - "dummy" host, running `telemt`
-    - `petrovich.ru` - `tls` + `masking` host, in HEX: `706574726f766963682e7275`
-    - **No MITM + No Fake Certificates/Crypto** = pure transparent *TCP Splice* to "best" upstream: MTProxy or tls/mask-host:
-      - DPI see legitimate HTTPS to `tls_host`, including *valid chain-of-trust* and entropy
-      - Crawlers completely satisfied receiving responses from `mask_host`
-  #### Client WITH secret-key accesses the MTProxy resource:
-  
-  <img width="360" height="439" alt="telemt" src="https://github.com/user-attachments/assets/39352afb-4a11-4ecc-9d91-9e8cfb20607d" />
-  
-  #### Client WITHOUT secret-key gets transparent access to the specified resource:
-    - with trusted certificate
-    - with original handshake
-    - with full request-response way
-    - with low-latency overhead
-```bash
-root@debian:~/telemt# curl -v -I --resolve petrovich.ru:443:212.220.88.77 https://petrovich.ru/
-* Added petrovich.ru:443:212.220.88.77 to DNS cache
-* Hostname petrovich.ru was found in DNS cache
-*   Trying 212.220.88.77:443...
-* Connected to petrovich.ru (212.220.88.77) port 443 (#0)
-* ALPN: offers h2,http/1.1
-* TLSv1.3 (OUT), TLS handshake, Client hello (1):
-*  CAfile: /etc/ssl/certs/ca-certificates.crt
-*  CApath: /etc/ssl/certs
-* TLSv1.3 (IN), TLS handshake, Server hello (2):
-* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
-* TLSv1.3 (IN), TLS handshake, Certificate (11):
-* TLSv1.3 (IN), TLS handshake, CERT verify (15):
-* TLSv1.3 (IN), TLS handshake, Finished (20):
-* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
-* TLSv1.3 (OUT), TLS handshake, Finished (20):
-* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
-* ALPN: server did not agree on a protocol. Uses default.
-* Server certificate:
-*  subject: C=RU; ST=Saint Petersburg; L=Saint Petersburg; O=STD Petrovich; CN=*.petrovich.ru
-*  start date: Jan 28 11:21:01 2025 GMT
-*  expire date: Mar  1 11:21:00 2026 GMT
-*  subjectAltName: host "petrovich.ru" matched cert's "petrovich.ru"
-*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
-*  SSL certificate verify ok.
-* using HTTP/1.x
-> HEAD / HTTP/1.1
-> Host: petrovich.ru
-> User-Agent: curl/7.88.1
-> Accept: */*
-> 
-* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
-* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
-* old SSL session ID is stale, removing
-< HTTP/1.1 200 OK
-HTTP/1.1 200 OK
-< Server: Variti/0.9.3a
-Server: Variti/0.9.3a
-< Date: Thu, 01 Jan 2026 00:0000 GMT
-Date: Thu, 01 Jan 2026 00:0000 GMT
-< Access-Control-Allow-Origin: *
-Access-Control-Allow-Origin: *
-< Content-Type: text/html
-Content-Type: text/html
-< Cache-Control: no-store
-Cache-Control: no-store
-< Expires: Thu, 01 Jan 2026 00:0000 GMT
-Expires: Thu, 01 Jan 2026 00:0000 GMT
-< Pragma: no-cache
-Pragma: no-cache
-< Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
-Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
-< Content-Type: text/html
-Content-Type: text/html
-< Content-Length: 31253
-Content-Length: 31253
-< Connection: keep-alive
-Connection: keep-alive
-< Keep-Alive: timeout=60
-Keep-Alive: timeout=60
-
-< 
-* Connection #0 to host petrovich.ru left intact
-
-```
-- We challenged ourselves, we kept trying and we didn't only *beat the air*: now, we have something to show you
-  - Do not just take our word for it? - This is great and we respect that: you can build your own `telemt` or download a build and check it right now
-### Telegram Calls via MTProxy
-- Telegram architecture **does NOT allow calls via MTProxy**, but only via SOCKS5, which cannot be obfuscated
-### How does DPI see MTProxy TLS?
-- DPI sees MTProxy in Fake TLS (ee) mode as TLS 1.3
-- the SNI you specify sends both the client and the server;
-- ALPN is similar to HTTP 1.1/2;
-- high entropy, which is normal for AES-encrypted traffic;
-### Whitelist on IP
-- MTProxy cannot work when there is: 
-  - no IP connectivity to the target host: Russian Whitelist on Mobile Networks - "Белый список"
-  - OR all TCP traffic is blocked
-  - OR high entropy/encrypted traffic is blocked: content filters at universities and critical infrastructure
-  - OR all TLS traffic is blocked
-  - OR specified port is blocked: use 443 to make it "like real"
-  - OR provided SNI is blocked: use "officially approved"/innocuous name
-- like most protocols on the Internet; 
-- these situations are observed:
-  - in China behind the Great Firewall
-  - in Russia on mobile networks, less in wired networks
-  - in Iran during "activity"
-### Too many open files
-- On a fresh Linux install the default open file limit is low; under load `telemt` may fail with `Accept error: Too many open files`
-- **Systemd**: add `LimitNOFILE=65536` to the `[Service]` section (already included in the example above)
-- **Docker**: add `--ulimit nofile=65536:65536` to your `docker run` command, or in `docker-compose.yml`:
-```yaml
-ulimits:
-  nofile:
-    soft: 65536
-    hard: 65536
-```
-- **System-wide** (optional): add to `/etc/security/limits.conf`:
-```
-*       soft    nofile  1048576
-*       hard    nofile  1048576
-root    soft    nofile  1048576
-root    hard    nofile  1048576
-```
-
-
 ## Build
 ```bash
 # Cloning repo
@@ -200,7 +78,7 @@ telemt config.toml
 ```
 
 ### OpenBSD
-- Build and service setup guide: [OpenBSD Guide (EN)](docs/OPENBSD.en.md)
+- Build and service setup guide: [OpenBSD Guide (EN)](docs/Quick_start/OPENBSD_QUICK_START_GUIDE.en.md)
 - Example rc.d script: [contrib/openbsd/telemt.rcd](contrib/openbsd/telemt.rcd)
 - Status: OpenBSD sandbox hardening with `pledge(2)` and `unveil(2)` is not implemented yet.
 

README.ru.md

@@ -0,0 +1,123 @@
+# Telemt — MTProxy на Rust + Tokio
+
+***Решает проблемы раньше, чем другие узнают об их существовании***
+
+> [!NOTE]
+>
+> Исправленный TLS ClientHello доступен в **Telegram Desktop** начиная с версии **6.7.2**: для работы с EE-MTProxy обновите клиент.
+>
+> Исправленный TLS ClientHello для Telegram Android доступен в нашем чате; **официальные релизы для Android и iOS находятся в процессе разработки**.
+
+<p align="center">
+  <a href="https://t.me/telemtrs">
+    <img src="docs/assets/telegram_button.png" alt="Мы в Telegram" />
+  </a>
+</p>
+
+**Telemt** — это быстрый, безопасный и функциональный сервер, написанный на Rust. Он полностью реализует официальный алгоритм прокси Telegram и добавляет множество улучшений для продакшена:
+
+- [ME Pool + Reader/Writer + Registry + Refill + Adaptive Floor + Trio-State + жизненный цикл генераций](https://github.com/telemt/telemt/blob/main/docs/model/MODEL.en.md);
+- [Полноценный API с управлением](https://github.com/telemt/telemt/blob/main/docs/API.md);
+- Защита от повторных атак (Anti-Replay on Sliding Window);
+- Метрики в формате Prometheus;
+- TLS-fronting и TCP-splicing для маскировки от DPI.
+
+![telemt_scheme](docs/assets/telemt.png)
+
+## Особенности
+
+⚓ Реализация **TLS-fronting** максимально приближена к поведению реального HTTPS-трафика.
+
+⚓ ***Middle-End Pool*** оптимизирован для высокой производительности.
+
+- Поддержка всех режимов MTProto proxy:
+  - Classic;
+  - Secure (префикс `dd`);
+  - Fake TLS (префикс `ee` + SNI fronting);
+- Защита от replay-атак;
+- Маскировка трафика (перенаправление неизвестных подключений на реальные сайты);
+- Настраиваемые keepalive, таймауты, IPv6 и «быстрый режим»;
+- Корректное завершение работы (Ctrl+C);
+- Подробное логирование через `trace` и `debug`.
+
+# Навигация
+- [FAQ](#faq)
+- [Архитектура](docs/Architecture)
+- [Быстрый старт](#quick-start-guide)
+- [Параметры конфигурационного файла](docs/Config_params)
+- [Сборка](#build)
+- [Почему Rust?](#why-rust)
+- [Известные проблемы](#issues)
+- [Планы](#roadmap)
+
+## Быстрый старт
+- [Quick Start Guide RU](docs/Quick_start/QUICK_START_GUIDE.ru.md)
+- [Quick Start Guide EN](docs/Quick_start/QUICK_START_GUIDE.en.md)
+
+## FAQ
+
+- [FAQ RU](docs/FAQ.ru.md)
+- [FAQ EN](docs/FAQ.en.md)
+
+## Сборка
+
+```bash
+# Клонируйте репозиторий
+git clone https://github.com/telemt/telemt 
+# Смените каталог на telemt
+cd telemt
+# Начните процесс сборки
+cargo build --release
+
+# Устройства с небольшим объёмом оперативной памяти (1 ГБ, например NanoPi Neo3 / Raspberry Pi Zero 2):
+# используется параметр lto = «thin» для уменьшения пикового потребления памяти.
+# Если ваш пользовательский набор инструментов переопределяет профили, не используйте Fat LTO.
+
+# Перейдите в каталог /bin
+mv ./target/release/telemt /bin
+# Сделайте файл исполняемым
+chmod +x /bin/telemt
+# Запустите!
+telemt config.toml
+```
+
+### Устройства с малым объемом RAM
+Для устройств с ~1 ГБ RAM (например Raspberry Pi):
+- используется облегчённая оптимизация линковщика (thin LTO);
+- не рекомендуется включать fat LTO.
+
+## OpenBSD
+
+- Руководство по сборке и настройке на английском языке [OpenBSD Guide (EN)](docs/Quick_start/OPENBSD_QUICK_START_GUIDE.en.md);
+- Пример rc.d скрипта: [contrib/openbsd/telemt.rcd](contrib/openbsd/telemt.rcd);
+- Поддержка sandbox с `pledge(2)` и `unveil(2)` пока не реализована.
+
+## Почему Rust?
+
+- Надёжность для долгоживущих процессов;
+- Детерминированное управление ресурсами (RAII);
+- Отсутствие сборщика мусора;
+- Безопасность памяти;
+- Асинхронная архитектура Tokio.
+
+## Известные проблемы
+
+- ✅ [Поддержка SOCKS5 как upstream](https://github.com/telemt/telemt/issues/1) -> added Upstream Management;
+- ✅ [Проблема зависания загрузки медиа на iOS](https://github.com/telemt/telemt/issues/2).
+
+## Планы
+
+- Публичный IP в ссылках;
+- Перезагрузка конфигурации на лету;
+- Привязка к устройству или IP для входящих и исходящих соединений;
+- Поддержка рекламных тегов по SNI / секретному ключу;
+- Улучшенная обработка ошибок;
+- Zero-copy оптимизации;
+- Проверка состояния дата-центров;
+- Отсутствие глобального изменяемого состояния;
+- Изоляция клиентов и справедливое распределение трафика;
+- «Политика секретов» — маршрутизация по SNI / секрету;
+- Балансировщик с несколькими источниками и отработка отказов;
+- Строгие FSM для handshake;
+- Улучшенная защита от replay-атак;
+- Веб-интерфейс: статистика, состояние работоспособности, задержка, пользовательский опыт...

docs/Architecture/Fronting-splitting/TLS-F-TCP-S.ru.md

@@ -130,7 +130,7 @@ mask_host:mask_port
 **Telemt работает как TCP-переключатель:**
 
 1) принимает соединение
-2️) определяет тип клиента
+2) определяет тип клиента
 3) либо:
 
 - обрабатывает MTProxy внутри

docs/CONFIG_PARAMS.en.md

@@ -1,448 +0,0 @@
-# Telemt Config Parameters Reference
-
-This document lists all configuration keys accepted by `config.toml`.
-
-> [!WARNING]
-> 
-> The configuration parameters detailed in this document are intended for advanced users and fine-tuning purposes. Modifying these settings without a clear understanding of their function may lead to application instability or other unexpected behavior. Please proceed with caution and at your own risk.
-
-## Top-level keys
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| include | `String` (special directive) | `null` | — | Includes another TOML file with `include = "relative/or/absolute/path.toml"`; includes are processed recursively before parsing. |
-| show_link | `"*" \| String[]` | `[]` (`ShowLink::None`) | — | Legacy top-level link visibility selector (`"*"` for all users or explicit usernames list). |
-| dc_overrides | `Map<String, String[]>` | `{}` | — | Overrides DC endpoints for non-standard DCs; key is DC id string, value is `ip:port` list. |
-| default_dc | `u8 \| null` | `null` (effective fallback: `2` in ME routing) | — | Default DC index used for unmapped non-standard DCs. |
-
-## [general]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| data_path | `String \| null` | `null` | — | Optional runtime data directory path. |
-| prefer_ipv6 | `bool` | `false` | Deprecated. Use `network.prefer`. | Deprecated legacy IPv6 preference flag migrated to `network.prefer`. |
-| fast_mode | `bool` | `true` | — | Enables fast-path optimizations for traffic processing. |
-| use_middle_proxy | `bool` | `true` | none | Enables ME transport mode; if `false`, runtime falls back to direct DC routing. |
-| proxy_secret_path | `String \| null` | `"proxy-secret"` | Path may be `null`. | Path to Telegram infrastructure proxy-secret file used by ME handshake logic. |
-| proxy_config_v4_cache_path | `String \| null` | `"cache/proxy-config-v4.txt"` | — | Optional cache path for raw `getProxyConfig` (IPv4) snapshot. |
-| proxy_config_v6_cache_path | `String \| null` | `"cache/proxy-config-v6.txt"` | — | Optional cache path for raw `getProxyConfigV6` (IPv6) snapshot. |
-| ad_tag | `String \| null` | `null` | — | Global fallback ad tag (32 hex characters). |
-| middle_proxy_nat_ip | `IpAddr \| null` | `null` | Must be a valid IP when set. | Manual public NAT IP override used as ME address material when set. |
-| middle_proxy_nat_probe | `bool` | `true` | Auto-forced to `true` when `use_middle_proxy = true`. | Enables ME NAT probing; runtime may force it on when ME mode is active. |
-| middle_proxy_nat_stun | `String \| null` | `null` | Deprecated. Use `network.stun_servers`. | Deprecated legacy single STUN server for NAT probing. |
-| middle_proxy_nat_stun_servers | `String[]` | `[]` | Deprecated. Use `network.stun_servers`. | Deprecated legacy STUN list for NAT probing fallback. |
-| stun_nat_probe_concurrency | `usize` | `8` | Must be `> 0`. | Maximum number of parallel STUN probes during NAT/public endpoint discovery. |
-| middle_proxy_pool_size | `usize` | `8` | none | Target size of active ME writer pool. |
-| middle_proxy_warm_standby | `usize` | `16` | none | Reserved compatibility field in current runtime revision. |
-| me_init_retry_attempts | `u32` | `0` | `0..=1_000_000`. | Startup retries for ME pool initialization (`0` means unlimited). |
-| me2dc_fallback | `bool` | `true` | — | Allows fallback from ME mode to direct DC when ME startup fails. |
-| me_keepalive_enabled | `bool` | `true` | none | Enables periodic ME keepalive/ping traffic. |
-| me_keepalive_interval_secs | `u64` | `8` | none | Base ME keepalive interval in seconds. |
-| me_keepalive_jitter_secs | `u64` | `2` | none | Keepalive jitter in seconds to reduce synchronized bursts. |
-| me_keepalive_payload_random | `bool` | `true` | none | Randomizes keepalive payload bytes instead of fixed zero payload. |
-| rpc_proxy_req_every | `u64` | `0` | `0` or `10..=300`. | Interval for service `RPC_PROXY_REQ` activity signals (`0` disables). |
-| me_writer_cmd_channel_capacity | `usize` | `4096` | Must be `> 0`. | Capacity of per-writer command channel. |
-| me_route_channel_capacity | `usize` | `768` | Must be `> 0`. | Capacity of per-connection ME response route channel. |
-| me_c2me_channel_capacity | `usize` | `1024` | Must be `> 0`. | Capacity of per-client command queue (client reader -> ME sender). |
-| me_c2me_send_timeout_ms | `u64` | `4000` | `0..=60000`. | Maximum wait for enqueueing client->ME commands when the per-client queue is full (`0` keeps legacy unbounded wait). |
-| me_reader_route_data_wait_ms | `u64` | `2` | `0..=20`. | Bounded wait for routing ME DATA to per-connection queue (`0` = no wait). |
-| me_d2c_flush_batch_max_frames | `usize` | `32` | `1..=512`. | Max ME->client frames coalesced before flush. |
-| me_d2c_flush_batch_max_bytes | `usize` | `131072` | `4096..=2_097_152`. | Max ME->client payload bytes coalesced before flush. |
-| me_d2c_flush_batch_max_delay_us | `u64` | `500` | `0..=5000`. | Max microsecond wait for coalescing more ME->client frames (`0` disables timed coalescing). |
-| me_d2c_ack_flush_immediate | `bool` | `true` | — | Flushes client writer immediately after quick-ack write. |
-| me_quota_soft_overshoot_bytes | `u64` | `65536` | `0..=16_777_216`. | Extra per-route quota allowance (bytes) tolerated before writer-side quota enforcement drops route data. |
-| me_d2c_frame_buf_shrink_threshold_bytes | `usize` | `262144` | `4096..=16_777_216`. | Threshold for shrinking oversized ME->client frame-aggregation buffers after flush. |
-| direct_relay_copy_buf_c2s_bytes | `usize` | `65536` | `4096..=1_048_576`. | Copy buffer size for client->DC direction in direct relay. |
-| direct_relay_copy_buf_s2c_bytes | `usize` | `262144` | `8192..=2_097_152`. | Copy buffer size for DC->client direction in direct relay. |
-| crypto_pending_buffer | `usize` | `262144` | — | Max pending ciphertext buffer per client writer (bytes). |
-| max_client_frame | `usize` | `16777216` | — | Maximum allowed client MTProto frame size (bytes). |
-| desync_all_full | `bool` | `false` | — | Emits full crypto-desync forensic logs for every event. |
-| beobachten | `bool` | `true` | — | Enables per-IP forensic observation buckets. |
-| beobachten_minutes | `u64` | `10` | Must be `> 0`. | Retention window (minutes) for per-IP observation buckets. |
-| beobachten_flush_secs | `u64` | `15` | Must be `> 0`. | Snapshot flush interval (seconds) for observation output file. |
-| beobachten_file | `String` | `"cache/beobachten.txt"` | — | Observation snapshot output file path. |
-| hardswap | `bool` | `true` | none | Enables generation-based ME hardswap strategy. |
-| me_warmup_stagger_enabled | `bool` | `true` | none | Staggers extra ME warmup dials to avoid connection spikes. |
-| me_warmup_step_delay_ms | `u64` | `500` | none | Base delay in milliseconds between warmup dial steps. |
-| me_warmup_step_jitter_ms | `u64` | `300` | none | Additional random delay in milliseconds for warmup steps. |
-| me_reconnect_max_concurrent_per_dc | `u32` | `8` | none | Limits concurrent reconnect workers per DC during health recovery. |
-| me_reconnect_backoff_base_ms | `u64` | `500` | none | Initial reconnect backoff in milliseconds. |
-| me_reconnect_backoff_cap_ms | `u64` | `30000` | none | Maximum reconnect backoff cap in milliseconds. |
-| me_reconnect_fast_retry_count | `u32` | `16` | none | Immediate retry budget before long backoff behavior applies. |
-| me_single_endpoint_shadow_writers | `u8` | `2` | `0..=32`. | Additional reserve writers for one-endpoint DC groups. |
-| me_single_endpoint_outage_mode_enabled | `bool` | `true` | — | Enables aggressive outage recovery for one-endpoint DC groups. |
-| me_single_endpoint_outage_disable_quarantine | `bool` | `true` | — | Ignores endpoint quarantine in one-endpoint outage mode. |
-| me_single_endpoint_outage_backoff_min_ms | `u64` | `250` | Must be `> 0`; also `<= me_single_endpoint_outage_backoff_max_ms`. | Minimum reconnect backoff in outage mode (ms). |
-| me_single_endpoint_outage_backoff_max_ms | `u64` | `3000` | Must be `> 0`; also `>= me_single_endpoint_outage_backoff_min_ms`. | Maximum reconnect backoff in outage mode (ms). |
-| me_single_endpoint_shadow_rotate_every_secs | `u64` | `900` | — | Periodic shadow writer rotation interval (`0` disables). |
-| me_floor_mode | `"static" \| "adaptive"` | `"adaptive"` | — | Writer floor policy mode. |
-| me_adaptive_floor_idle_secs | `u64` | `90` | — | Idle time before adaptive floor may reduce one-endpoint target. |
-| me_adaptive_floor_min_writers_single_endpoint | `u8` | `1` | `1..=32`. | Minimum adaptive writer target for one-endpoint DC groups. |
-| me_adaptive_floor_min_writers_multi_endpoint | `u8` | `1` | `1..=32`. | Minimum adaptive writer target for multi-endpoint DC groups. |
-| me_adaptive_floor_recover_grace_secs | `u64` | `180` | — | Grace period to hold static floor after activity. |
-| me_adaptive_floor_writers_per_core_total | `u16` | `48` | Must be `> 0`. | Global writer budget per logical CPU core in adaptive mode. |
-| me_adaptive_floor_cpu_cores_override | `u16` | `0` | — | Manual CPU core count override (`0` uses auto-detection). |
-| me_adaptive_floor_max_extra_writers_single_per_core | `u16` | `1` | — | Per-core max extra writers above base floor for one-endpoint DCs. |
-| me_adaptive_floor_max_extra_writers_multi_per_core | `u16` | `2` | — | Per-core max extra writers above base floor for multi-endpoint DCs. |
-| me_adaptive_floor_max_active_writers_per_core | `u16` | `64` | Must be `> 0`. | Hard cap for active ME writers per logical CPU core. |
-| me_adaptive_floor_max_warm_writers_per_core | `u16` | `64` | Must be `> 0`. | Hard cap for warm ME writers per logical CPU core. |
-| me_adaptive_floor_max_active_writers_global | `u32` | `256` | Must be `> 0`. | Hard global cap for active ME writers. |
-| me_adaptive_floor_max_warm_writers_global | `u32` | `256` | Must be `> 0`. | Hard global cap for warm ME writers. |
-| upstream_connect_retry_attempts | `u32` | `2` | Must be `> 0`. | Connect attempts for selected upstream before error/fallback. |
-| upstream_connect_retry_backoff_ms | `u64` | `100` | — | Delay between upstream connect attempts (ms). |
-| upstream_connect_budget_ms | `u64` | `3000` | Must be `> 0`. | Total wall-clock budget for one upstream connect request (ms). |
-| tg_connect | `u64` | `10` | Must be `> 0`. | Per-attempt upstream TCP connect timeout to Telegram DC (seconds). |
-| upstream_unhealthy_fail_threshold | `u32` | `5` | Must be `> 0`. | Consecutive failed requests before upstream is marked unhealthy. |
-| upstream_connect_failfast_hard_errors | `bool` | `false` | — | Skips additional retries for hard non-transient connect errors. |
-| stun_iface_mismatch_ignore | `bool` | `false` | none | Reserved compatibility flag in current runtime revision. |
-| unknown_dc_log_path | `String \| null` | `"unknown-dc.txt"` | — | File path for unknown-DC request logging (`null` disables file path). |
-| unknown_dc_file_log_enabled | `bool` | `false` | — | Enables unknown-DC file logging. |
-| log_level | `"debug" \| "verbose" \| "normal" \| "silent"` | `"normal"` | — | Runtime logging verbosity. |
-| disable_colors | `bool` | `false` | — | Disables ANSI colors in logs. |
-| me_socks_kdf_policy | `"strict" \| "compat"` | `"strict"` | — | SOCKS-bound KDF fallback policy for ME handshake. |
-| me_route_backpressure_base_timeout_ms | `u64` | `25` | Must be `> 0`. | Base backpressure timeout for route-channel send (ms). |
-| me_route_backpressure_high_timeout_ms | `u64` | `120` | Must be `>= me_route_backpressure_base_timeout_ms`. | High backpressure timeout when queue occupancy exceeds watermark (ms). |
-| me_route_backpressure_high_watermark_pct | `u8` | `80` | `1..=100`. | Queue occupancy threshold (%) for high timeout mode. |
-| me_health_interval_ms_unhealthy | `u64` | `1000` | Must be `> 0`. | Health monitor interval while writer coverage is degraded (ms). |
-| me_health_interval_ms_healthy | `u64` | `3000` | Must be `> 0`. | Health monitor interval while writer coverage is healthy (ms). |
-| me_admission_poll_ms | `u64` | `1000` | Must be `> 0`. | Poll interval for conditional-admission checks (ms). |
-| me_warn_rate_limit_ms | `u64` | `5000` | Must be `> 0`. | Cooldown for repetitive ME warning logs (ms). |
-| me_route_no_writer_mode | `"async_recovery_failfast" \| "inline_recovery_legacy" \| "hybrid_async_persistent"` | `"hybrid_async_persistent"` | — | Route behavior when no writer is immediately available. |
-| me_route_no_writer_wait_ms | `u64` | `250` | `10..=5000`. | Max wait in async-recovery failfast mode (ms). |
-| me_route_hybrid_max_wait_ms | `u64` | `3000` | `50..=60000`. | Maximum cumulative wait in hybrid no-writer mode before failfast fallback (ms). |
-| me_route_blocking_send_timeout_ms | `u64` | `250` | `0..=5000`. | Maximum wait for blocking route-channel send fallback (`0` keeps legacy unbounded wait). |
-| me_route_inline_recovery_attempts | `u32` | `3` | Must be `> 0`. | Inline recovery attempts in legacy mode. |
-| me_route_inline_recovery_wait_ms | `u64` | `3000` | `10..=30000`. | Max inline recovery wait in legacy mode (ms). |
-| fast_mode_min_tls_record | `usize` | `0` | — | Minimum TLS record size when fast-mode coalescing is enabled (`0` disables). |
-| update_every | `u64 \| null` | `300` | If set: must be `> 0`; if `null`: legacy fallback path is used. | Unified refresh interval for ME config and proxy-secret updater tasks. |
-| me_reinit_every_secs | `u64` | `900` | Must be `> 0`. | Periodic interval for zero-downtime ME reinit cycle. |
-| me_hardswap_warmup_delay_min_ms | `u64` | `1000` | Must be `<= me_hardswap_warmup_delay_max_ms`. | Lower bound for hardswap warmup dial spacing. |
-| me_hardswap_warmup_delay_max_ms | `u64` | `2000` | Must be `> 0`. | Upper bound for hardswap warmup dial spacing. |
-| me_hardswap_warmup_extra_passes | `u8` | `3` | Must be within `[0, 10]`. | Additional warmup passes after the base pass in one hardswap cycle. |
-| me_hardswap_warmup_pass_backoff_base_ms | `u64` | `500` | Must be `> 0`. | Base backoff between extra hardswap warmup passes. |
-| me_config_stable_snapshots | `u8` | `2` | Must be `> 0`. | Number of identical ME config snapshots required before apply. |
-| me_config_apply_cooldown_secs | `u64` | `300` | none | Cooldown between applied ME endpoint-map updates. |
-| me_snapshot_require_http_2xx | `bool` | `true` | — | Requires 2xx HTTP responses for applying config snapshots. |
-| me_snapshot_reject_empty_map | `bool` | `true` | — | Rejects empty config snapshots. |
-| me_snapshot_min_proxy_for_lines | `u32` | `1` | Must be `> 0`. | Minimum parsed `proxy_for` rows required to accept snapshot. |
-| proxy_secret_stable_snapshots | `u8` | `2` | Must be `> 0`. | Number of identical proxy-secret snapshots required before rotation. |
-| proxy_secret_rotate_runtime | `bool` | `true` | none | Enables runtime proxy-secret rotation from updater snapshots. |
-| me_secret_atomic_snapshot | `bool` | `true` | — | Keeps selector and secret bytes from the same snapshot atomically. |
-| proxy_secret_len_max | `usize` | `256` | Must be within `[32, 4096]`. | Upper length limit for accepted proxy-secret bytes. |
-| me_pool_drain_ttl_secs | `u64` | `90` | none | Time window where stale writers remain fallback-eligible after map change. |
-| me_instadrain | `bool` | `false` | — | Forces draining stale writers to be removed on the next cleanup tick, bypassing TTL/deadline waiting. |
-| me_pool_drain_threshold | `u64` | `128` | — | Max draining stale writers before batch force-close (`0` disables threshold cleanup). |
-| me_pool_drain_soft_evict_enabled | `bool` | `true` | — | Enables gradual soft-eviction of stale writers during drain/reinit instead of immediate hard close. |
-| me_pool_drain_soft_evict_grace_secs | `u64` | `30` | `0..=3600`. | Grace period before stale writers become soft-evict candidates. |
-| me_pool_drain_soft_evict_per_writer | `u8` | `1` | `1..=16`. | Maximum stale routes soft-evicted per writer in one eviction pass. |
-| me_pool_drain_soft_evict_budget_per_core | `u16` | `8` | `1..=64`. | Per-core budget limiting aggregate soft-eviction work per pass. |
-| me_pool_drain_soft_evict_cooldown_ms | `u64` | `5000` | Must be `> 0`. | Cooldown between consecutive soft-eviction passes (ms). |
-| me_bind_stale_mode | `"never" \| "ttl" \| "always"` | `"ttl"` | — | Policy for new binds on stale draining writers. |
-| me_bind_stale_ttl_secs | `u64` | `90` | — | TTL for stale bind allowance when stale mode is `ttl`. |
-| me_pool_min_fresh_ratio | `f32` | `0.8` | Must be within `[0.0, 1.0]`. | Minimum fresh desired-DC coverage ratio before stale writers are drained. |
-| me_reinit_drain_timeout_secs | `u64` | `120` | `0` disables force-close; if `> 0` and `< me_pool_drain_ttl_secs`, runtime bumps it to TTL. | Force-close timeout for draining stale writers (`0` keeps indefinite draining). |
-| proxy_secret_auto_reload_secs | `u64` | `3600` | Deprecated. Use `general.update_every`. | Deprecated legacy secret reload interval (fallback when `update_every` is not set). |
-| proxy_config_auto_reload_secs | `u64` | `3600` | Deprecated. Use `general.update_every`. | Deprecated legacy config reload interval (fallback when `update_every` is not set). |
-| me_reinit_singleflight | `bool` | `true` | — | Serializes ME reinit cycles across trigger sources. |
-| me_reinit_trigger_channel | `usize` | `64` | Must be `> 0`. | Trigger queue capacity for reinit scheduler. |
-| me_reinit_coalesce_window_ms | `u64` | `200` | — | Trigger coalescing window before starting reinit (ms). |
-| me_deterministic_writer_sort | `bool` | `true` | — | Enables deterministic candidate sort for writer binding path. |
-| me_writer_pick_mode | `"sorted_rr" \| "p2c"` | `"p2c"` | — | Writer selection mode for route bind path. |
-| me_writer_pick_sample_size | `u8` | `3` | `2..=4`. | Number of candidates sampled by picker in `p2c` mode. |
-| ntp_check | `bool` | `true` | — | Enables NTP drift check at startup. |
-| ntp_servers | `String[]` | `["pool.ntp.org"]` | — | NTP servers used for drift check. |
-| auto_degradation_enabled | `bool` | `true` | none | Reserved compatibility flag in current runtime revision. |
-| degradation_min_unavailable_dc_groups | `u8` | `2` | none | Reserved compatibility threshold in current runtime revision. |
-
-## [general.modes]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| classic | `bool` | `false` | — | Enables classic MTProxy mode. |
-| secure | `bool` | `false` | — | Enables secure mode. |
-| tls | `bool` | `true` | — | Enables TLS mode. |
-
-## [general.links]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| show | `"*" \| String[]` | `"*"` | — | Selects users whose tg:// links are shown at startup. |
-| public_host | `String \| null` | `null` | — | Public hostname/IP override for generated tg:// links. |
-| public_port | `u16 \| null` | `null` | — | Public port override for generated tg:// links. |
-
-## [general.telemetry]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| core_enabled | `bool` | `true` | — | Enables core hot-path telemetry counters. |
-| user_enabled | `bool` | `true` | — | Enables per-user telemetry counters. |
-| me_level | `"silent" \| "normal" \| "debug"` | `"normal"` | — | Middle-End telemetry verbosity level. |
-
-## [network]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| ipv4 | `bool` | `true` | — | Enables IPv4 networking. |
-| ipv6 | `bool` | `false` | — | Enables/disables IPv6 when set |
-| prefer | `u8` | `4` | Must be `4` or `6`. | Preferred IP family for selection (`4` or `6`). |
-| multipath | `bool` | `false` | — | Enables multipath behavior where supported. |
-| stun_use | `bool` | `true` | none | Global STUN switch; when `false`, STUN probing path is disabled. |
-| stun_servers | `String[]` | Built-in STUN list (13 hosts) | Deduplicated; empty values are removed. | Primary STUN server list for NAT/public endpoint discovery. |
-| stun_tcp_fallback | `bool` | `true` | none | Enables TCP fallback for STUN when UDP path is blocked. |
-| http_ip_detect_urls | `String[]` | `["https://ifconfig.me/ip", "https://api.ipify.org"]` | none | HTTP fallback endpoints for public IP detection when STUN is unavailable. |
-| cache_public_ip_path | `String` | `"cache/public_ip.txt"` | — | File path for caching detected public IP. |
-| dns_overrides | `String[]` | `[]` | Must match `host:port:ip`; IPv6 must be bracketed. | Runtime DNS overrides in `host:port:ip` format. |
-
-## [server]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| port | `u16` | `443` | — | Main proxy listen port. |
-| listen_addr_ipv4 | `String \| null` | `"0.0.0.0"` | — | IPv4 bind address for TCP listener. |
-| listen_addr_ipv6 | `String \| null` | `"::"` | — | IPv6 bind address for TCP listener. |
-| listen_unix_sock | `String \| null` | `null` | — | Unix socket path for listener. |
-| listen_unix_sock_perm | `String \| null` | `null` | — | Unix socket permissions in octal string (e.g., `"0666"`). |
-| listen_tcp | `bool \| null` | `null` (auto) | — | Explicit TCP listener enable/disable override. |
-| proxy_protocol | `bool` | `false` | — | Enables HAProxy PROXY protocol parsing on incoming client connections. |
-| proxy_protocol_header_timeout_ms | `u64` | `500` | Must be `> 0`. | Timeout for PROXY protocol header read/parse (ms). |
-| proxy_protocol_trusted_cidrs | `IpNetwork[]` | `[]` | — | When non-empty, only connections from these proxy source CIDRs are allowed to provide PROXY protocol headers. If empty, PROXY headers are rejected by default (security hardening). |
-| metrics_port | `u16 \| null` | `null` | — | Metrics endpoint port (enables metrics listener). |
-| metrics_listen | `String \| null` | `null` | — | Full metrics bind address (`IP:PORT`), overrides `metrics_port`. |
-| metrics_whitelist | `IpNetwork[]` | `["127.0.0.1/32", "::1/128"]` | — | CIDR whitelist for metrics endpoint access. |
-| max_connections | `u32` | `10000` | — | Max concurrent client connections (`0` = unlimited). |
-| accept_permit_timeout_ms | `u64` | `250` | `0..=60000`. | Maximum wait for acquiring a connection-slot permit before the accepted connection is dropped (`0` keeps legacy unbounded wait). |
-
-Note: When `server.proxy_protocol` is enabled, incoming PROXY protocol headers are parsed from the first bytes of the connection and the client source address is replaced with `src_addr` from the header. For security, the peer source IP (the direct connection address) is verified against `server.proxy_protocol_trusted_cidrs`; if this list is empty, PROXY headers are rejected and the connection is considered untrusted. 
-
-## [server.api]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| enabled | `bool` | `true` | — | Enables control-plane REST API. |
-| listen | `String` | `"0.0.0.0:9091"` | Must be valid `IP:PORT`. | API bind address in `IP:PORT` format. |
-| whitelist | `IpNetwork[]` | `["127.0.0.0/8"]` | — | CIDR whitelist allowed to access API. |
-| auth_header | `String` | `""` | — | Exact expected `Authorization` header value (empty = disabled). |
-| request_body_limit_bytes | `usize` | `65536` | Must be `> 0`. | Maximum accepted HTTP request body size. |
-| minimal_runtime_enabled | `bool` | `true` | — | Enables minimal runtime snapshots endpoint logic. |
-| minimal_runtime_cache_ttl_ms | `u64` | `1000` | `0..=60000`. | Cache TTL for minimal runtime snapshots (ms; `0` disables cache). |
-| runtime_edge_enabled | `bool` | `false` | — | Enables runtime edge endpoints. |
-| runtime_edge_cache_ttl_ms | `u64` | `1000` | `0..=60000`. | Cache TTL for runtime edge aggregation payloads (ms). |
-| runtime_edge_top_n | `usize` | `10` | `1..=1000`. | Top-N size for edge connection leaderboard. |
-| runtime_edge_events_capacity | `usize` | `256` | `16..=4096`. | Ring-buffer capacity for runtime edge events. |
-| read_only | `bool` | `false` | — | Rejects mutating API endpoints when enabled. |
-
-## [[server.listeners]]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| ip | `IpAddr` | — | — | Listener bind IP. |
-| announce | `String \| null` | — | — | Public IP/domain announced in proxy links (priority over `announce_ip`). |
-| announce_ip | `IpAddr \| null` | — | Deprecated. Use `announce`. | Deprecated legacy announce IP (migrated to `announce` if needed). |
-| proxy_protocol | `bool \| null` | `null` | — | Per-listener override for PROXY protocol enable flag. |
-| reuse_allow | `bool` | `false` | — | Enables `SO_REUSEPORT` for multi-instance bind sharing. |
-
-## [timeouts]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| client_handshake | `u64` | `30` | — | Client handshake timeout. |
-| relay_idle_policy_v2_enabled | `bool` | `true` | — | Enables soft/hard middle-relay client idle policy. |
-| relay_client_idle_soft_secs | `u64` | `120` | Must be `> 0`; must be `<= relay_client_idle_hard_secs`. | Soft idle threshold for middle-relay client uplink inactivity (seconds). |
-| relay_client_idle_hard_secs | `u64` | `360` | Must be `> 0`; must be `>= relay_client_idle_soft_secs`. | Hard idle threshold for middle-relay client uplink inactivity (seconds). |
-| relay_idle_grace_after_downstream_activity_secs | `u64` | `30` | Must be `<= relay_client_idle_hard_secs`. | Extra hard-idle grace after recent downstream activity (seconds). |
-| client_keepalive | `u64` | `15` | — | Client keepalive timeout. |
-| client_ack | `u64` | `90` | — | Client ACK timeout. |
-| me_one_retry | `u8` | `12` | none | Fast reconnect attempts budget for single-endpoint DC scenarios. |
-| me_one_timeout_ms | `u64` | `1200` | none | Timeout in milliseconds for each quick single-endpoint reconnect attempt. |
-
-## [censorship]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| tls_domain | `String` | `"petrovich.ru"` | — | Primary TLS domain used in fake TLS handshake profile. |
-| tls_domains | `String[]` | `[]` | — | Additional TLS domains for generating multiple links. |
-| unknown_sni_action | `"drop" \| "mask"` | `"drop"` | — | Action for TLS ClientHello with unknown/non-configured SNI. |
-| tls_fetch_scope | `String` | `""` | Value is trimmed during load; empty keeps default upstream routing behavior. | Upstream scope tag used for TLS-front metadata fetches. |
-| tls_fetch | `Table` | built-in defaults | See `[censorship.tls_fetch]` section below. | TLS-front metadata fetch strategy settings. |
-| mask | `bool` | `true` | — | Enables masking/fronting relay mode. |
-| mask_host | `String \| null` | `null` | — | Upstream mask host for TLS fronting relay. |
-| mask_port | `u16` | `443` | — | Upstream mask port for TLS fronting relay. |
-| mask_unix_sock | `String \| null` | `null` | — | Unix socket path for mask backend instead of TCP host/port. |
-| fake_cert_len | `usize` | `2048` | — | Length of synthetic certificate payload when emulation data is unavailable. |
-| tls_emulation | `bool` | `true` | — | Enables certificate/TLS behavior emulation from cached real fronts. |
-| tls_front_dir | `String` | `"tlsfront"` | — | Directory path for TLS front cache storage. |
-| server_hello_delay_min_ms | `u64` | `0` | — | Minimum server_hello delay for anti-fingerprint behavior (ms). |
-| server_hello_delay_max_ms | `u64` | `0` | — | Maximum server_hello delay for anti-fingerprint behavior (ms). |
-| tls_new_session_tickets | `u8` | `0` | — | Number of `NewSessionTicket` messages to emit after handshake. |
-| tls_full_cert_ttl_secs | `u64` | `90` | — | TTL for sending full cert payload per (domain, client IP) tuple. |
-| alpn_enforce | `bool` | `true` | — | Enforces ALPN echo behavior based on client preference. |
-| mask_proxy_protocol | `u8` | `0` | — | PROXY protocol mode for mask backend (`0` disabled, `1` v1, `2` v2). |
-| mask_shape_hardening | `bool` | `true` | — | Enables client->mask shape-channel hardening by applying controlled tail padding to bucket boundaries on mask relay shutdown. |
-| mask_shape_hardening_aggressive_mode | `bool` | `false` | Requires `mask_shape_hardening = true`. | Opt-in aggressive shaping profile: allows shaping on backend-silent non-EOF paths and switches above-cap blur to strictly positive random tail. |
-| mask_shape_bucket_floor_bytes | `usize` | `512` | Must be `> 0`; should be `<= mask_shape_bucket_cap_bytes`. | Minimum bucket size used by shape-channel hardening. |
-| mask_shape_bucket_cap_bytes | `usize` | `4096` | Must be `>= mask_shape_bucket_floor_bytes`. | Maximum bucket size used by shape-channel hardening; traffic above cap is not padded further. |
-| mask_shape_above_cap_blur | `bool` | `false` | Requires `mask_shape_hardening = true`; requires `mask_shape_above_cap_blur_max_bytes > 0`. | Adds bounded randomized tail bytes even when forwarded size already exceeds cap. |
-| mask_shape_above_cap_blur_max_bytes | `usize` | `512` | Must be `<= 1048576`; must be `> 0` when `mask_shape_above_cap_blur = true`. | Maximum randomized extra bytes appended above cap. |
-| mask_relay_max_bytes | `usize` | `5242880` | Must be `> 0`; must be `<= 67108864`. | Maximum relayed bytes per direction on unauthenticated masking fallback path. |
-| mask_classifier_prefetch_timeout_ms | `u64` | `5` | Must be within `[5, 50]`. | Timeout budget (ms) for extending fragmented initial classifier window on masking fallback. |
-| mask_timing_normalization_enabled | `bool` | `false` | Requires `mask_timing_normalization_floor_ms > 0`; requires `ceiling >= floor`. | Enables timing envelope normalization on masking outcomes. |
-| mask_timing_normalization_floor_ms | `u64` | `0` | Must be `> 0` when timing normalization is enabled; must be `<= ceiling`. | Lower bound (ms) for masking outcome normalization target. |
-| mask_timing_normalization_ceiling_ms | `u64` | `0` | Must be `>= floor`; must be `<= 60000`. | Upper bound (ms) for masking outcome normalization target. |
-
-## [censorship.tls_fetch]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| profiles | `("modern_chrome_like" \| "modern_firefox_like" \| "compat_tls12" \| "legacy_minimal")[]` | `["modern_chrome_like", "modern_firefox_like", "compat_tls12", "legacy_minimal"]` | Empty list falls back to defaults; values are deduplicated preserving order. | Ordered ClientHello profile fallback chain for TLS-front metadata fetch. |
-| strict_route | `bool` | `true` | — | Fails closed on upstream-route connect errors instead of falling back to direct TCP when route is configured. |
-| attempt_timeout_ms | `u64` | `5000` | Must be `> 0`. | Timeout budget per one TLS-fetch profile attempt (ms). |
-| total_budget_ms | `u64` | `15000` | Must be `> 0`. | Total wall-clock budget across all TLS-fetch attempts (ms). |
-| grease_enabled | `bool` | `false` | — | Enables GREASE-style random values in selected ClientHello extensions for fetch traffic. |
-| deterministic | `bool` | `false` | — | Enables deterministic ClientHello randomness for debugging/tests. |
-| profile_cache_ttl_secs | `u64` | `600` | `0` disables cache. | TTL for winner-profile cache entries used by TLS fetch path. |
-
-### Shape-channel hardening notes (`[censorship]`)
-
-These parameters are designed to reduce one specific fingerprint source during masking: the exact number of bytes sent from proxy to `mask_host` for invalid or probing traffic.
-
-Without hardening, a censor can often correlate probe input length with backend-observed length very precisely (for example: `5 + body_sent` on early TLS reject paths). That creates a length-based classifier signal.
-
-When `mask_shape_hardening = true`, Telemt pads the **client->mask** stream tail to a bucket boundary at relay shutdown:
-
-- Total bytes sent to mask are first measured.
-- A bucket is selected using powers of two starting from `mask_shape_bucket_floor_bytes`.
-- Padding is added only if total bytes are below `mask_shape_bucket_cap_bytes`.
-- If bytes already exceed cap, no extra padding is added.
-
-This means multiple nearby probe sizes collapse into the same backend-observed size class, making active classification harder.
-
-What each parameter changes in practice:
-
-- `mask_shape_hardening`
-	Enables or disables this entire length-shaping stage on the fallback path.
-	When `false`, backend-observed length stays close to the real forwarded probe length.
-	When `true`, clean relay shutdown can append random padding bytes to move the total into a bucket.
-
-- `mask_shape_bucket_floor_bytes`
-	Sets the first bucket boundary used for small probes.
-	Example: with floor `512`, a malformed probe that would otherwise forward `37` bytes can be expanded to `512` bytes on clean EOF.
-	Larger floor values hide very small probes better, but increase egress cost.
-
-- `mask_shape_bucket_cap_bytes`
-	Sets the largest bucket Telemt will pad up to with bucket logic.
-	Example: with cap `4096`, a forwarded total of `1800` bytes may be padded to `2048` or `4096` depending on the bucket ladder, but a total already above `4096` will not be bucket-padded further.
-	Larger cap values increase the range over which size classes are collapsed, but also increase worst-case overhead.
-
-- Clean EOF matters in conservative mode
-	In the default profile, shape padding is intentionally conservative: it is applied on clean relay shutdown, not on every timeout/drip path.
-	This avoids introducing new timeout-tail artifacts that some backends or tests interpret as a separate fingerprint.
-
-Practical trade-offs:
-
-- Better anti-fingerprinting on size/shape channel.
-- Slightly higher egress overhead for small probes due to padding.
-- Behavior is intentionally conservative and enabled by default.
-
-Recommended starting profile:
-
-- `mask_shape_hardening = true` (default)
-- `mask_shape_bucket_floor_bytes = 512`
-- `mask_shape_bucket_cap_bytes = 4096`
-
-### Aggressive mode notes (`[censorship]`)
-
-`mask_shape_hardening_aggressive_mode` is an opt-in profile for higher anti-classifier pressure.
-
-- Default is `false` to preserve conservative timeout/no-tail behavior.
-- Requires `mask_shape_hardening = true`.
-- When enabled, backend-silent non-EOF masking paths may be shaped.
-- When enabled together with above-cap blur, the random extra tail uses `[1, max]` instead of `[0, max]`.
-
-What changes when aggressive mode is enabled:
-
-- Backend-silent timeout paths can be shaped
-	In default mode, a client that keeps the socket half-open and times out will usually not receive shape padding on that path.
-	In aggressive mode, Telemt may still shape that backend-silent session if no backend bytes were returned.
-	This is specifically aimed at active probes that try to avoid EOF in order to preserve an exact backend-observed length.
-
-- Above-cap blur always adds at least one byte
-	In default mode, above-cap blur may choose `0`, so some oversized probes still land on their exact base forwarded length.
-	In aggressive mode, that exact-base sample is removed by construction.
-
-- Tradeoff
-	Aggressive mode improves resistance to active length classifiers, but it is more opinionated and less conservative.
-	If your deployment prioritizes strict compatibility with timeout/no-tail semantics, leave it disabled.
-	If your threat model includes repeated active probing by a censor, this mode is the stronger profile.
-
-Use this mode only when your threat model prioritizes classifier resistance over strict compatibility with conservative masking semantics.
-
-### Above-cap blur notes (`[censorship]`)
-
-`mask_shape_above_cap_blur` adds a second-stage blur for very large probes that are already above `mask_shape_bucket_cap_bytes`.
-
-- A random tail in `[0, mask_shape_above_cap_blur_max_bytes]` is appended in default mode.
-- In aggressive mode, the random tail becomes strictly positive: `[1, mask_shape_above_cap_blur_max_bytes]`.
-- This reduces exact-size leakage above cap at bounded overhead.
-- Keep `mask_shape_above_cap_blur_max_bytes` conservative to avoid unnecessary egress growth.
-
-Operational meaning:
-
-- Without above-cap blur
-	A probe that forwards `5005` bytes will still look like `5005` bytes to the backend if it is already above cap.
-
-- With above-cap blur enabled
-	That same probe may look like any value in a bounded window above its base length.
-	Example with `mask_shape_above_cap_blur_max_bytes = 64`:
-	backend-observed size becomes `5005..5069` in default mode, or `5006..5069` in aggressive mode.
-
-- Choosing `mask_shape_above_cap_blur_max_bytes`
-	Small values reduce cost but preserve more separability between far-apart oversized classes.
-	Larger values blur oversized classes more aggressively, but add more egress overhead and more output variance.
-
-### Timing normalization envelope notes (`[censorship]`)
-
-`mask_timing_normalization_enabled` smooths timing differences between masking outcomes by applying a target duration envelope.
-
-- A random target is selected in `[mask_timing_normalization_floor_ms, mask_timing_normalization_ceiling_ms]`.
-- Fast paths are delayed up to the selected target.
-- Slow paths are not forced to finish by the ceiling (the envelope is best-effort shaping, not truncation).
-
-Recommended starting profile for timing shaping:
-
-- `mask_timing_normalization_enabled = true`
-- `mask_timing_normalization_floor_ms = 180`
-- `mask_timing_normalization_ceiling_ms = 320`
-
-If your backend or network is very bandwidth-constrained, reduce cap first. If probes are still too distinguishable in your environment, increase floor gradually.
-
-## [access]
-
-| Parameter | Type | Default | Constraints / validation | TOML shape example | Description |
-|---|---|---|---|---|---|
-| users | `Map<String, String>` | `{"default": "000…000"}` | Secret must be 32 hex characters. | `[access.users]`<br>`user = "32-hex secret"`<br>`user2 = "32-hex secret"` | User credentials map used for client authentication. |
-| user_ad_tags | `Map<String, String>` | `{}` | Every value must be exactly 32 hex characters. | `[access.user_ad_tags]`<br>`user = "32-hex ad_tag"` | Per-user ad tags used as override over `general.ad_tag`. |
-| user_max_tcp_conns | `Map<String, usize>` | `{}` | — | `[access.user_max_tcp_conns]`<br>`user = 500` | Per-user maximum concurrent TCP connections. |
-| user_expirations | `Map<String, DateTime<Utc>>` | `{}` | Timestamp must be valid RFC3339/ISO-8601 datetime. | `[access.user_expirations]`<br>`user = "2026-12-31T23:59:59Z"` | Per-user account expiration timestamps. |
-| user_data_quota | `Map<String, u64>` | `{}` | — | `[access.user_data_quota]`<br>`user = 1073741824` | Per-user traffic quota in bytes. |
-| user_max_unique_ips | `Map<String, usize>` | `{}` | — | `[access.user_max_unique_ips]`<br>`user = 16` | Per-user unique source IP limits. |
-| user_max_unique_ips_global_each | `usize` | `0` | — | `user_max_unique_ips_global_each = 0` | Global fallback used when `[access.user_max_unique_ips]` has no per-user override. |
-| user_max_unique_ips_mode | `"active_window" \| "time_window" \| "combined"` | `"active_window"` | — | `user_max_unique_ips_mode = "active_window"` | Unique source IP limit accounting mode. |
-| user_max_unique_ips_window_secs | `u64` | `30` | Must be `> 0`. | `user_max_unique_ips_window_secs = 30` | Window size (seconds) used by unique-IP accounting modes that use time windows. |
-| replay_check_len | `usize` | `65536` | — | `replay_check_len = 65536` | Replay-protection storage length. |
-| replay_window_secs | `u64` | `1800` | — | `replay_window_secs = 1800` | Replay-protection window in seconds. |
-| ignore_time_skew | `bool` | `false` | — | `ignore_time_skew = false` | Disables client/server timestamp skew checks in replay validation when enabled. |
-
-## [[upstreams]]
-
-| Parameter | Type | Default | Constraints / validation | Description |
-|---|---|---|---|---|
-| type | `"direct" \| "socks4" \| "socks5"` | — | Required field. | Upstream transport type selector. |
-| weight | `u16` | `1` | none | Base weight used by weighted-random upstream selection. |
-| enabled | `bool` | `true` | none | Disabled entries are excluded from upstream selection at runtime. |
-| scopes | `String` | `""` | none | Comma-separated scope tags used for request-level upstream filtering. |
-| interface | `String \| null` | `null` | Optional; type-specific runtime rules apply. | Optional outbound interface/local bind hint (supported with type-specific rules). |
-| bind_addresses | `String[] \| null` | `null` | Applies to `type = "direct"`. | Optional explicit local source bind addresses for `type = "direct"`. |
-| address | `String` | — | Required for `type = "socks4"` and `type = "socks5"`. | SOCKS server endpoint (`host:port` or `ip:port`) for SOCKS upstream types. |
-| user_id | `String \| null` | `null` | Only for `type = "socks4"`. | SOCKS4 CONNECT user ID (`type = "socks4"` only). |
-| username | `String \| null` | `null` | Only for `type = "socks5"`. | SOCKS5 username (`type = "socks5"` only). |
-| password | `String \| null` | `null` | Only for `type = "socks5"`. | SOCKS5 password (`type = "socks5"` only). |

docs/FAQ.en.md

@@ -1,5 +1,4 @@
 ## How to set up a "proxy sponsor" channel and statistics via the @MTProxybot
-
 1. Go to the @MTProxybot.
 2. Enter the `/newproxy` command.
 3. Send your server's IP address and port. For example: `1.2.3.4:443`.
@@ -32,13 +31,130 @@ use_middle_proxy = true
 hello = "ad_tag"
 hello2 = "ad_tag2"
 ```
+## Recognizability for DPI and crawler
 
-## Why do you need a middle proxy (ME)
+On April 1, 2026, we became aware of a method for detecting MTProxy Fake-TLS, 
+based on the ECH extension and the ordering of cipher suites, 
+as well as an overall unique JA3/JA4 fingerprint 
+that does not occur in modern browsers: 
+we have already submitted initial changes to the Telegram Desktop developers and are working on updates for other clients.
+
+- We consider this a breakthrough aspect, which has no stable analogues today
+- Based on this: if `telemt` configured correctly, **TLS mode is completely identical to real-life handshake + communication** with a specified host
+- Here is our evidence:
+    - 212.220.88.77 - "dummy" host, running `telemt`
+    - `petrovich.ru` - `tls` + `masking` host, in HEX: `706574726f766963682e7275`
+    - **No MITM + No Fake Certificates/Crypto** = pure transparent *TCP Splice* to "best" upstream: MTProxy or tls/mask-host:
+      - DPI see legitimate HTTPS to `tls_host`, including *valid chain-of-trust* and entropy
+      - Crawlers completely satisfied receiving responses from `mask_host`
+  ### Client WITH secret-key accesses the MTProxy resource:
+  
+  <img width="360" height="439" alt="telemt" src="https://github.com/user-attachments/assets/39352afb-4a11-4ecc-9d91-9e8cfb20607d" />
+  
+  ### Client WITHOUT secret-key gets transparent access to the specified resource:
+    - with trusted certificate
+    - with original handshake
+    - with full request-response way
+    - with low-latency overhead
+```bash
+root@debian:~/telemt# curl -v -I --resolve petrovich.ru:443:212.220.88.77 https://petrovich.ru/
+* Added petrovich.ru:443:212.220.88.77 to DNS cache
+* Hostname petrovich.ru was found in DNS cache
+*   Trying 212.220.88.77:443...
+* Connected to petrovich.ru (212.220.88.77) port 443 (#0)
+* ALPN: offers h2,http/1.1
+* TLSv1.3 (OUT), TLS handshake, Client hello (1):
+*  CAfile: /etc/ssl/certs/ca-certificates.crt
+*  CApath: /etc/ssl/certs
+* TLSv1.3 (IN), TLS handshake, Server hello (2):
+* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
+* TLSv1.3 (IN), TLS handshake, Certificate (11):
+* TLSv1.3 (IN), TLS handshake, CERT verify (15):
+* TLSv1.3 (IN), TLS handshake, Finished (20):
+* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
+* TLSv1.3 (OUT), TLS handshake, Finished (20):
+* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
+* ALPN: server did not agree on a protocol. Uses default.
+* Server certificate:
+*  subject: C=RU; ST=Saint Petersburg; L=Saint Petersburg; O=STD Petrovich; CN=*.petrovich.ru
+*  start date: Jan 28 11:21:01 2025 GMT
+*  expire date: Mar  1 11:21:00 2026 GMT
+*  subjectAltName: host "petrovich.ru" matched cert's "petrovich.ru"
+*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
+*  SSL certificate verify ok.
+* using HTTP/1.x
+> HEAD / HTTP/1.1
+> Host: petrovich.ru
+> User-Agent: curl/7.88.1
+> Accept: */*
+> 
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+* old SSL session ID is stale, removing
+< HTTP/1.1 200 OK
+HTTP/1.1 200 OK
+< Server: Variti/0.9.3a
+Server: Variti/0.9.3a
+< Date: Thu, 01 Jan 2026 00:0000 GMT
+Date: Thu, 01 Jan 2026 00:0000 GMT
+< Access-Control-Allow-Origin: *
+Access-Control-Allow-Origin: *
+< Content-Type: text/html
+Content-Type: text/html
+< Cache-Control: no-store
+Cache-Control: no-store
+< Expires: Thu, 01 Jan 2026 00:0000 GMT
+Expires: Thu, 01 Jan 2026 00:0000 GMT
+< Pragma: no-cache
+Pragma: no-cache
+< Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
+Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
+< Content-Type: text/html
+Content-Type: text/html
+< Content-Length: 31253
+Content-Length: 31253
+< Connection: keep-alive
+Connection: keep-alive
+< Keep-Alive: timeout=60
+Keep-Alive: timeout=60
+
+< 
+* Connection #0 to host petrovich.ru left intact
+
+```
+- We challenged ourselves, we kept trying and we didn't only *beat the air*: now, we have something to show you
+  - Do not just take our word for it? - This is great and we respect that: you can build your own `telemt` or download a build and check it right now
+
+
+## F.A.Q.
+
+### Telegram Calls via MTProxy
+- Telegram architecture **does NOT allow calls via MTProxy**, but only via SOCKS5, which cannot be obfuscated
+
+### How does DPI see MTProxy TLS?
+- DPI sees MTProxy in Fake TLS (ee) mode as TLS 1.3
+- the SNI you specify sends both the client and the server;
+- ALPN is similar to HTTP 1.1/2;
+- high entropy, which is normal for AES-encrypted traffic;
+
+### Whitelist on IP
+- MTProxy cannot work when there is: 
+  - no IP connectivity to the target host: Russian Whitelist on Mobile Networks - "Белый список"
+  - OR all TCP traffic is blocked
+  - OR high entropy/encrypted traffic is blocked: content filters at universities and critical infrastructure
+  - OR all TLS traffic is blocked
+  - OR specified port is blocked: use 443 to make it "like real"
+  - OR provided SNI is blocked: use "officially approved"/innocuous name
+- like most protocols on the Internet; 
+- these situations are observed:
+  - in China behind the Great Firewall
+  - in Russia on mobile networks, less in wired networks
+  - in Iran during "activity"
+
+### Why do you need a middle proxy (ME)
 https://github.com/telemt/telemt/discussions/167
 
-
-## How many people can use one link
-
+### How many people can use one link
 By default, an unlimited number of people can use a single link.  
 However, you can limit the number of unique IP addresses for each user:
 ```toml
@@ -47,8 +163,7 @@ hello = 1
 ```
 This parameter sets the maximum number of unique IP addresses from which a single link can be used simultaneously. If the first user disconnects, a second one can connect. At the same time, multiple users can connect from a single IP address simultaneously (for example, devices on the same Wi-Fi network).
 
-## How to create multiple different links
-
+### How to create multiple different links
 1. Generate the required number of secrets using the command: `openssl rand -hex 16`.
 2. Open the configuration file: `nano /etc/telemt/telemt.toml`.
 3. Add new users to the `[access.users]` section:
@@ -64,7 +179,7 @@ user3 = "00000000000000000000000000000003"
 curl -s http://127.0.0.1:9091/v1/users | jq
 ```
 
-## "Unknown TLS SNI" error
+### "Unknown TLS SNI" error
 Usually, this error occurs if you have changed the `tls_domain` parameter, but users continue to connect using old links with the previous domain.
 
 If you need to allow connections with any domains (ignoring SNI mismatches), add the following parameters:
@@ -73,7 +188,7 @@ If you need to allow connections with any domains (ignoring SNI mismatches), add
 unknown_sni_action = "mask"
 ```
 
-## How to view metrics
+### How to view metrics
 
 1. Open the configuration file: `nano /etc/telemt/telemt.toml`.
 2. Add the following parameters:
@@ -87,6 +202,25 @@ metrics_whitelist = ["127.0.0.1/32", "::1/128", "0.0.0.0/0"]
 > [!WARNING]
 > The value `"0.0.0.0/0"` in `metrics_whitelist` opens access to metrics from any IP address. It is recommended to replace it with your personal IP, for example: `"1.2.3.4/32"`.
 
+### Too many open files
+- On a fresh Linux install the default open file limit is low; under load `telemt` may fail with `Accept error: Too many open files`
+- **Systemd**: add `LimitNOFILE=65536` to the `[Service]` section (already included in the example above)
+- **Docker**: add `--ulimit nofile=65536:65536` to your `docker run` command, or in `docker-compose.yml`:
+```yaml
+ulimits:
+  nofile:
+    soft: 65536
+    hard: 65536
+```
+- **System-wide** (optional): add to `/etc/security/limits.conf`:
+```
+*       soft    nofile  1048576
+*       hard    nofile  1048576
+root    soft    nofile  1048576
+root    hard    nofile  1048576
+```
+
+
 ## Additional parameters
 
 ### Domain in the link instead of IP

docs/FAQ.ru.md

@@ -32,6 +32,122 @@ use_middle_proxy = true
 hello = "ad_tag"
 hello2 = "ad_tag2"
 ```
+## Распознаваемость для DPI и сканеров
+
+1 апреля 2026 года нам стало известно о методе обнаружения MTProxy Fake-TLS, основанном на расширении ECH и порядке набора шифров, 
+а также об общем уникальном отпечатке JA3/JA4, который не встречается в современных браузерах: мы уже отправили первоначальные изменения разработчикам Telegram Desktop и работаем над обновлениями для других клиентов.
+
+- Мы считаем это прорывом, которому на сегодняшний день нет стабильных аналогов;
+- Исходя из этого: если `telemt` настроен правильно, **режим TLS полностью идентичен реальному «рукопожатию» + обмену данными** с указанным хостом;
+- Вот наши доказательства:
+    - 212.220.88.77 — «фиктивный» хост, на котором запущен `telemt`;
+    - `petrovich.ru` — хост с `tls` + `masking`, в HEX: `706574726f766963682e7275`;
+    - **Без MITM + без поддельных сертификатов/шифрования** = чистое прозрачное *TCP Splice* к «лучшему» исходному серверу: MTProxy или tls/mask-host:
+      - DPI видит легитимный HTTPS к `tls_host`, включая *достоверную цепочку доверия* и энтропию;
+      - Краулеры полностью удовлетворены получением ответов от `mask_host`.
+ 
+  ### Клиент С секретным ключом получает доступ к ресурсу MTProxy:
+  
+  <img width="360" height="439" alt="telemt" src="https://github.com/user-attachments/assets/39352afb-4a11-4ecc-9d91-9e8cfb20607d" />
+  
+  ### Клиент БЕЗ секретного ключа получает прозрачный доступ к указанному ресурсу:
+    - с доверенным сертификатом;
+    - с исходным «рукопожатием»;
+    - с полным циклом запрос-ответ;
+    - с низкой задержкой.
+
+```bash
+root@debian:~/telemt# curl -v -I --resolve petrovich.ru:443:212.220.88.77 https://petrovich.ru/
+* Added petrovich.ru:443:212.220.88.77 to DNS cache
+* Hostname petrovich.ru was found in DNS cache
+*   Trying 212.220.88.77:443...
+* Connected to petrovich.ru (212.220.88.77) port 443 (#0)
+* ALPN: offers h2,http/1.1
+* TLSv1.3 (OUT), TLS handshake, Client hello (1):
+*  CAfile: /etc/ssl/certs/ca-certificates.crt
+*  CApath: /etc/ssl/certs
+* TLSv1.3 (IN), TLS handshake, Server hello (2):
+* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
+* TLSv1.3 (IN), TLS handshake, Certificate (11):
+* TLSv1.3 (IN), TLS handshake, CERT verify (15):
+* TLSv1.3 (IN), TLS handshake, Finished (20):
+* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
+* TLSv1.3 (OUT), TLS handshake, Finished (20):
+* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
+* ALPN: server did not agree on a protocol. Uses default.
+* Server certificate:
+*  subject: C=RU; ST=Saint Petersburg; L=Saint Petersburg; O=STD Petrovich; CN=*.petrovich.ru
+*  start date: Jan 28 11:21:01 2025 GMT
+*  expire date: Mar  1 11:21:00 2026 GMT
+*  subjectAltName: host "petrovich.ru" matched cert's "petrovich.ru"
+*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
+*  SSL certificate verify ok.
+* using HTTP/1.x
+> HEAD / HTTP/1.1
+> Host: petrovich.ru
+> User-Agent: curl/7.88.1
+> Accept: */*
+> 
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+* old SSL session ID is stale, removing
+< HTTP/1.1 200 OK
+HTTP/1.1 200 OK
+< Server: Variti/0.9.3a
+Server: Variti/0.9.3a
+< Date: Thu, 01 Jan 2026 00:0000 GMT
+Date: Thu, 01 Jan 2026 00:0000 GMT
+< Access-Control-Allow-Origin: *
+Access-Control-Allow-Origin: *
+< Content-Type: text/html
+Content-Type: text/html
+< Cache-Control: no-store
+Cache-Control: no-store
+< Expires: Thu, 01 Jan 2026 00:0000 GMT
+Expires: Thu, 01 Jan 2026 00:0000 GMT
+< Pragma: no-cache
+Pragma: no-cache
+< Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
+Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
+< Content-Type: text/html
+Content-Type: text/html
+< Content-Length: 31253
+Content-Length: 31253
+< Connection: keep-alive
+Connection: keep-alive
+< Keep-Alive: timeout=60
+Keep-Alive: timeout=60
+
+< 
+* Connection #0 to host petrovich.ru left intact
+
+```
+- Мы поставили перед собой задачу, не сдавались и не просто «бились в пустоту»: теперь у нас есть что вам показать.
+- Не верите нам на слово? — Это прекрасно, и мы уважаем ваше решение: вы можете собрать свой собственный `telemt` или скачать готовую сборку и проверить её прямо сейчас.
+
+### Звонки в Telegram через MTProxy
+- Архитектура Telegram **НЕ поддерживает звонки через MTProxy**, а только через SOCKS5, который невозможно замаскировать
+
+### Как DPI распознает TLS-соединение MTProxy?
+- DPI распознает MTProxy в режиме Fake TLS (ee) как TLS 1.3
+- указанный вами SNI отправляется как клиентом, так и сервером;
+- ALPN аналогичен HTTP 1.1/2;
+- высокая энтропия, что нормально для трафика, зашифрованного AES;
+
+### Белый список по IP
+- MTProxy не может работать, если: 
+  - отсутствует IP-связь с целевым хостом: российский белый список в мобильных сетях — «Белый список»;
+  - ИЛИ весь TCP-трафик заблокирован;
+  - ИЛИ трафик с высокой энтропией/зашифрованный трафик заблокирован: контент-фильтры в университетах и критически важной инфраструктуре;
+  - ИЛИ весь TLS-трафик заблокирован;
+  - ИЛИ заблокирован указанный порт: используйте 443, чтобы сделать его «как настоящий»;
+  - ИЛИ заблокирован предоставленный SNI: используйте «официально одобренное»/безобидное имя;
+- как и большинство протоколов в Интернете; 
+- такие ситуации наблюдаются:
+  - в Китае за Великим файрволом;
+  - в России в мобильных сетях, реже в проводных сетях;
+  - в Иране во время «активности».
+
 
 ## Зачем нужен middle proxy (ME)
 https://github.com/telemt/telemt/discussions/167
@@ -104,7 +220,7 @@ max_connections = 10000    # 0 - без ограничений, 10000 - по у
 ```
 
 ### Upstream Manager
-Для настройки исходящих подключений (апстримов) добавьте соответствующие параметры в секцию `[[upstreams]]` файла конфигурации:
+Для настройки исходящих подключений (Upstreams) добавьте соответствующие параметры в секцию `[[upstreams]]` файла конфигурации:
 
 #### Привязка к исходящему IP-адресу
 ```toml
@@ -119,20 +235,20 @@ interface = "192.168.1.100" # Замените на ваш исходящий IP
 - Без авторизации:
 ```toml
 [[upstreams]]
-type = "socks5"            # Specify SOCKS4 or SOCKS5
-address = "1.2.3.4:1234"   # SOCKS-server Address
-weight = 1                 # Set Weight for Scenarios
+type = "socks5"            # выбор типа SOCKS4 или SOCKS5
+address = "1.2.3.4:1234"   # адрес сервера SOCKS
+weight = 1                 # вес
 enabled = true
 ```
 
 - С авторизацией:
 ```toml
 [[upstreams]]
-type = "socks5"            # Specify SOCKS4 or SOCKS5
-address = "1.2.3.4:1234"   # SOCKS-server Address
-username = "user"          # Username for Auth on SOCKS-server
-password = "pass"          # Password for Auth on SOCKS-server
-weight = 1                 # Set Weight for Scenarios
+type = "socks5"            # выбор типа SOCKS4 или SOCKS5
+address = "1.2.3.4:1234"   # адрес сервера SOCKS
+username = "user"          # имя пользователя
+password = "pass"          # пароль
+weight = 1                 # вес
 enabled = true
 ```
 

docs/Quick_start/QUICK_START_GUIDE.en.md

@@ -128,8 +128,8 @@ WorkingDirectory=/opt/telemt
 ExecStart=/bin/telemt /etc/telemt/telemt.toml
 Restart=on-failure
 LimitNOFILE=65536
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 NoNewPrivileges=true
 
 [Install]

docs/Quick_start/QUICK_START_GUIDE.ru.md

@@ -128,8 +128,8 @@ WorkingDirectory=/opt/telemt
 ExecStart=/bin/telemt /etc/telemt/telemt.toml
 Restart=on-failure
 LimitNOFILE=65536
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 NoNewPrivileges=true
 
 [Install]

install.sh

@@ -8,18 +8,62 @@ CONFIG_DIR="${CONFIG_DIR:-/etc/telemt}"
 CONFIG_FILE="${CONFIG_FILE:-${CONFIG_DIR}/telemt.toml}"
 WORK_DIR="${WORK_DIR:-/opt/telemt}"
 TLS_DOMAIN="${TLS_DOMAIN:-petrovich.ru}"
+SERVER_PORT="${SERVER_PORT:-443}"
+USER_SECRET=""
+AD_TAG=""
 SERVICE_NAME="telemt"
 TEMP_DIR=""
 SUDO=""
 CONFIG_PARENT_DIR=""
 SERVICE_START_FAILED=0
 
+PORT_PROVIDED=0
+SECRET_PROVIDED=0
+AD_TAG_PROVIDED=0
+DOMAIN_PROVIDED=0
+
 ACTION="install"
 TARGET_VERSION="${VERSION:-latest}"
 
 while [ $# -gt 0 ]; do
     case "$1" in
         -h|--help) ACTION="help"; shift ;;
+        -d|--domain)
+            if [ "$#" -lt 2 ] || [ -z "$2" ]; then
+                printf '[ERROR] %s requires a domain argument.\n' "$1" >&2
+                exit 1
+            fi
+            TLS_DOMAIN="$2"; DOMAIN_PROVIDED=1; shift 2 ;;
+        -p|--port)
+            if [ "$#" -lt 2 ] || [ -z "$2" ]; then
+                printf '[ERROR] %s requires a port argument.\n' "$1" >&2; exit 1
+            fi
+            case "$2" in
+                *[!0-9]*) printf '[ERROR] Port must be a valid number.\n' >&2; exit 1 ;;
+            esac
+            port_num="$(printf '%s\n' "$2" | sed 's/^0*//')"
+            [ -z "$port_num" ] && port_num="0"
+            if [ "${#port_num}" -gt 5 ] || [ "$port_num" -lt 1 ] || [ "$port_num" -gt 65535 ]; then
+                printf '[ERROR] Port must be between 1 and 65535.\n' >&2; exit 1
+            fi
+            SERVER_PORT="$port_num"; PORT_PROVIDED=1; shift 2 ;;
+        -s|--secret)
+            if [ "$#" -lt 2 ] || [ -z "$2" ]; then
+                printf '[ERROR] %s requires a secret argument.\n' "$1" >&2; exit 1
+            fi
+            case "$2" in
+                *[!0-9a-fA-F]*)
+                    printf '[ERROR] Secret must contain only hex characters.\n' >&2; exit 1 ;;
+            esac
+            if [ "${#2}" -ne 32 ]; then
+                printf '[ERROR] Secret must be exactly 32 chars.\n' >&2; exit 1
+            fi
+            USER_SECRET="$2"; SECRET_PROVIDED=1; shift 2 ;;
+        -a|--ad-tag|--ad_tag)
+            if [ "$#" -lt 2 ] || [ -z "$2" ]; then
+                printf '[ERROR] %s requires an ad_tag argument.\n' "$1" >&2; exit 1
+            fi
+            AD_TAG="$2"; AD_TAG_PROVIDED=1; shift 2 ;;
         uninstall|--uninstall)
             if [ "$ACTION" != "purge" ]; then ACTION="uninstall"; fi
             shift ;;
@@ -52,11 +96,17 @@ cleanup() {
 trap cleanup EXIT INT TERM
 
 show_help() {
-    say "Usage: $0 [ <version> | install | uninstall | purge | --help ]"
+    say "Usage: $0 [ <version> | install | uninstall | purge ] [ options ]"
     say "  <version>    Install specific version (e.g. 3.3.15, default: latest)"
     say "  install      Install the latest version"
-    say "  uninstall    Remove the binary and service (keeps config and user)"
+    say "  uninstall    Remove the binary and service"
     say "  purge        Remove everything including configuration, data, and user"
+    say ""
+    say "Options:"
+    say "  -d, --domain Set TLS domain (default: petrovich.ru)"
+    say "  -p, --port   Set server port (default: 443)"
+    say "  -s, --secret Set specific user secret (32 hex characters)"
+    say "  -a, --ad-tag Set ad_tag"
     exit 0
 }
 
@@ -73,13 +123,13 @@ get_realpath() {
     path_in="$1"
     case "$path_in" in /*) ;; *) path_in="$(pwd)/$path_in" ;; esac
 
-    if command -v realpath >/dev/null 2>&1; then 
+    if command -v realpath >/dev/null 2>&1; then
         if realpath_out="$(realpath -m "$path_in" 2>/dev/null)"; then
             printf '%s\n' "$realpath_out"
             return
         fi
     fi
-    
+
     if command -v readlink >/dev/null 2>&1; then
         resolved_path="$(readlink -f "$path_in" 2>/dev/null || true)"
         if [ -n "$resolved_path" ]; then
@@ -112,6 +162,14 @@ get_svc_mgr() {
     else echo "none"; fi
 }
 
+is_config_exists() {
+    if [ -n "$SUDO" ]; then
+        $SUDO sh -c '[ -f "$1" ]' _ "$CONFIG_FILE"
+    else
+        [ -f "$CONFIG_FILE" ]
+    fi
+}
+
 verify_common() {
     [ -n "$BIN_NAME" ] || die "BIN_NAME cannot be empty."
     [ -n "$INSTALL_DIR" ] || die "INSTALL_DIR cannot be empty."
@@ -119,7 +177,7 @@ verify_common() {
     [ -n "$CONFIG_FILE" ] || die "CONFIG_FILE cannot be empty."
 
     case "${INSTALL_DIR}${CONFIG_DIR}${WORK_DIR}${CONFIG_FILE}" in
-        *[!a-zA-Z0-9_./-]*) die "Invalid characters in paths. Only alphanumeric, _, ., -, and / allowed." ;;
+        *[!a-zA-Z0-9_./-]*) die "Invalid characters in paths." ;;
     esac
 
     case "$TARGET_VERSION" in *[!a-zA-Z0-9_.-]*) die "Invalid characters in version." ;; esac
@@ -137,11 +195,11 @@ verify_common() {
     if [ "$(id -u)" -eq 0 ]; then
         SUDO=""
     else
-        command -v sudo >/dev/null 2>&1 || die "This script requires root or sudo. Neither found."
+        command -v sudo >/dev/null 2>&1 || die "This script requires root or sudo."
         SUDO="sudo"
         if ! sudo -n true 2>/dev/null; then
             if ! [ -t 0 ]; then
-                die "sudo requires a password, but no TTY detected. Aborting to prevent hang."
+                die "sudo requires a password, but no TTY detected."
             fi
         fi
     fi
@@ -154,21 +212,7 @@ verify_common() {
         die "Safety check failed: CONFIG_FILE '$CONFIG_FILE' is a directory."
     fi
 
-    for path in "$CONFIG_DIR" "$CONFIG_PARENT_DIR" "$WORK_DIR"; do
-        check_path="$(get_realpath "$path")"
-        case "$check_path" in
-            /|/bin|/sbin|/usr|/usr/bin|/usr/sbin|/usr/local|/usr/local/bin|/usr/local/sbin|/usr/local/etc|/usr/local/share|/etc|/var|/var/lib|/var/log|/var/run|/home|/root|/tmp|/lib|/lib64|/opt|/run|/boot|/dev|/sys|/proc)
-                die "Safety check failed: '$path' (resolved to '$check_path') is a critical system directory." ;;
-        esac
-    done
-
-    check_install_dir="$(get_realpath "$INSTALL_DIR")"
-    case "$check_install_dir" in
-        /|/etc|/var|/home|/root|/tmp|/usr|/usr/local|/opt|/boot|/dev|/sys|/proc|/run)
-            die "Safety check failed: INSTALL_DIR '$INSTALL_DIR' is a critical system directory." ;;
-    esac
-
-    for cmd in id uname grep find rm chown chmod mv mktemp mkdir tr dd sed ps head sleep cat tar gzip rmdir; do
+    for cmd in id uname awk grep find rm chown chmod mv mktemp mkdir tr dd sed ps head sleep cat tar gzip; do
         command -v "$cmd" >/dev/null 2>&1 || die "Required command not found: $cmd"
     done
 }
@@ -177,14 +221,41 @@ verify_install_deps() {
     command -v curl >/dev/null 2>&1 || command -v wget >/dev/null 2>&1 || die "Neither curl nor wget is installed."
     command -v cp >/dev/null 2>&1 || command -v install >/dev/null 2>&1 || die "Need cp or install"
 
-    if ! command -v setcap >/dev/null 2>&1; then
+    if ! command -v setcap >/dev/null 2>&1 || ! command -v conntrack >/dev/null 2>&1; then
         if command -v apk >/dev/null 2>&1; then
-            $SUDO apk add --no-cache libcap-utils >/dev/null 2>&1 || $SUDO apk add --no-cache libcap >/dev/null 2>&1 || true
+            $SUDO apk add --no-cache libcap-utils libcap conntrack-tools >/dev/null 2>&1 || true
         elif command -v apt-get >/dev/null 2>&1; then
-            $SUDO apt-get update -q >/dev/null 2>&1 || true
-            $SUDO apt-get install -y -q libcap2-bin >/dev/null 2>&1 || true
-        elif command -v dnf >/dev/null 2>&1; then $SUDO dnf install -y -q libcap >/dev/null 2>&1 || true
-        elif command -v yum >/dev/null 2>&1; then $SUDO yum install -y -q libcap >/dev/null 2>&1 || true
+            $SUDO env DEBIAN_FRONTEND=noninteractive apt-get install -y -q libcap2-bin conntrack >/dev/null 2>&1 || {
+                $SUDO env DEBIAN_FRONTEND=noninteractive apt-get update -q >/dev/null 2>&1 || true
+                $SUDO env DEBIAN_FRONTEND=noninteractive apt-get install -y -q libcap2-bin conntrack >/dev/null 2>&1 || true
+            }
+        elif command -v dnf >/dev/null 2>&1; then $SUDO dnf install -y -q libcap conntrack-tools >/dev/null 2>&1 || true
+        elif command -v yum >/dev/null 2>&1; then $SUDO yum install -y -q libcap conntrack-tools >/dev/null 2>&1 || true
+        fi
+    fi
+}
+
+check_port_availability() {
+    port_info=""
+
+    if command -v ss >/dev/null 2>&1; then
+        port_info=$($SUDO ss -tulnp 2>/dev/null | grep -E ":${SERVER_PORT}([[:space:]]|$)" || true)
+    elif command -v netstat >/dev/null 2>&1; then
+        port_info=$($SUDO netstat -tulnp 2>/dev/null | grep -E ":${SERVER_PORT}([[:space:]]|$)" || true)
+    elif command -v lsof >/dev/null 2>&1; then
+        port_info=$($SUDO lsof -i :${SERVER_PORT} 2>/dev/null | grep LISTEN || true)
+    else
+        say "[WARNING] Network diagnostic tools (ss, netstat, lsof) not found. Skipping port check."
+        return 0
+    fi
+
+    if [ -n "$port_info" ]; then
+        if printf '%s\n' "$port_info" | grep -q "${BIN_NAME}"; then
+            say "  -> Port ${SERVER_PORT} is in use by ${BIN_NAME}. Ignoring as it will be restarted."
+        else
+            say "[ERROR] Port ${SERVER_PORT} is already in use by another process:"
+            printf '  %s\n' "$port_info"
+            die "Please free the port ${SERVER_PORT} or change it and try again."
         fi
     fi
 }
@@ -192,7 +263,13 @@ verify_install_deps() {
 detect_arch() {
     sys_arch="$(uname -m)"
     case "$sys_arch" in
-        x86_64|amd64) echo "x86_64" ;;
+        x86_64|amd64)
+            if [ -r /proc/cpuinfo ] && grep -q "avx2" /proc/cpuinfo 2>/dev/null && grep -q "bmi2" /proc/cpuinfo 2>/dev/null; then
+                echo "x86_64-v3"
+            else
+                echo "x86_64"
+            fi
+            ;;
         aarch64|arm64) echo "aarch64" ;;
         *) die "Unsupported architecture: $sys_arch" ;;
     esac
@@ -236,10 +313,10 @@ ensure_user_group() {
 
 setup_dirs() {
     $SUDO mkdir -p "$WORK_DIR" "$CONFIG_DIR" "$CONFIG_PARENT_DIR" || die "Failed to create directories"
-    
+
     $SUDO chown telemt:telemt "$WORK_DIR" && $SUDO chmod 750 "$WORK_DIR"
     $SUDO chown root:telemt "$CONFIG_DIR" && $SUDO chmod 750 "$CONFIG_DIR"
-    
+
     if [ "$CONFIG_PARENT_DIR" != "$CONFIG_DIR" ] && [ "$CONFIG_PARENT_DIR" != "." ] && [ "$CONFIG_PARENT_DIR" != "/" ]; then
         $SUDO chown root:telemt "$CONFIG_PARENT_DIR" && $SUDO chmod 750 "$CONFIG_PARENT_DIR"
     fi
@@ -261,17 +338,19 @@ install_binary() {
     fi
 
     $SUDO mkdir -p "$INSTALL_DIR" || die "Failed to create install directory"
+    
+    $SUDO rm -f "$bin_dst" 2>/dev/null || true
+
     if command -v install >/dev/null 2>&1; then
         $SUDO install -m 0755 "$bin_src" "$bin_dst" || die "Failed to install binary"
     else
-        $SUDO rm -f "$bin_dst" 2>/dev/null || true
         $SUDO cp "$bin_src" "$bin_dst" && $SUDO chmod 0755 "$bin_dst" || die "Failed to copy binary"
     fi
 
     $SUDO sh -c '[ -x "$1" ]' _ "$bin_dst" || die "Binary not executable: $bin_dst"
 
     if command -v setcap >/dev/null 2>&1; then
-        $SUDO setcap cap_net_bind_service=+ep "$bin_dst" 2>/dev/null || true
+        $SUDO setcap cap_net_bind_service,cap_net_admin=+ep "$bin_dst" 2>/dev/null || true
     fi
 }
 
@@ -287,11 +366,20 @@ generate_secret() {
 }
 
 generate_config_content() {
+    conf_secret="$1"
+    conf_tag="$2"
     escaped_tls_domain="$(printf '%s\n' "$TLS_DOMAIN" | tr -d '[:cntrl:]' | sed 's/\\/\\\\/g; s/"/\\"/g')"
 
     cat <<EOF
 [general]
-use_middle_proxy = false
+use_middle_proxy = true
+EOF
+
+    if [ -n "$conf_tag" ]; then
+        echo "ad_tag = \"${conf_tag}\""
+    fi
+
+    cat <<EOF
 
 [general.modes]
 classic = false
@@ -299,7 +387,7 @@ secure = false
 tls = true
 
 [server]
-port = 443
+port = ${SERVER_PORT}
 
 [server.api]
 enabled = true
@@ -310,28 +398,73 @@ whitelist = ["127.0.0.1/32"]
 tls_domain = "${escaped_tls_domain}"
 
 [access.users]
-hello = "$1"
+hello = "${conf_secret}"
 EOF
 }
 
 install_config() {
-    if [ -n "$SUDO" ]; then
-        if $SUDO sh -c '[ -f "$1" ]' _ "$CONFIG_FILE"; then
-            say "  -> Config already exists at $CONFIG_FILE. Skipping creation."
-            return 0
-        fi
-    elif [ -f "$CONFIG_FILE" ]; then
-        say "  -> Config already exists at $CONFIG_FILE. Skipping creation."
+    if is_config_exists; then
+        say "  -> Config already exists at $CONFIG_FILE. Updating parameters..."
+
+        tmp_conf="${TEMP_DIR}/config.tmp"
+        $SUDO cat "$CONFIG_FILE" > "$tmp_conf"
+        
+        escaped_domain="$(printf '%s\n' "$TLS_DOMAIN" | tr -d '[:cntrl:]' | sed 's/\\/\\\\/g; s/"/\\"/g')"
+
+        export AWK_PORT="$SERVER_PORT"
+        export AWK_SECRET="$USER_SECRET"
+        export AWK_DOMAIN="$escaped_domain"
+        export AWK_AD_TAG="$AD_TAG"
+        export AWK_FLAG_P="$PORT_PROVIDED"
+        export AWK_FLAG_S="$SECRET_PROVIDED"
+        export AWK_FLAG_D="$DOMAIN_PROVIDED"
+        export AWK_FLAG_A="$AD_TAG_PROVIDED"
+
+        awk '
+        BEGIN { ad_tag_handled = 0 }
+        
+        ENVIRON["AWK_FLAG_P"] == "1" && /^[ \t]*port[ \t]*=/ { print "port = " ENVIRON["AWK_PORT"]; next }
+        ENVIRON["AWK_FLAG_S"] == "1" && /^[ \t]*hello[ \t]*=/ { print "hello = \"" ENVIRON["AWK_SECRET"] "\""; next }
+        ENVIRON["AWK_FLAG_D"] == "1" && /^[ \t]*tls_domain[ \t]*=/ { print "tls_domain = \"" ENVIRON["AWK_DOMAIN"] "\""; next }
+        
+        ENVIRON["AWK_FLAG_A"] == "1" && /^[ \t]*ad_tag[ \t]*=/ { 
+            if (!ad_tag_handled) { 
+                print "ad_tag = \"" ENVIRON["AWK_AD_TAG"] "\""; 
+                ad_tag_handled = 1; 
+            } 
+            next 
+        }
+        ENVIRON["AWK_FLAG_A"] == "1" && /^\[general\]/ { 
+            print; 
+            if (!ad_tag_handled) { 
+                print "ad_tag = \"" ENVIRON["AWK_AD_TAG"] "\""; 
+                ad_tag_handled = 1; 
+            } 
+            next 
+        }
+        
+        { print }
+        ' "$tmp_conf" > "${tmp_conf}.new" && mv "${tmp_conf}.new" "$tmp_conf"
+
+        [ "$PORT_PROVIDED" -eq 1 ] && say "  -> Updated port: $SERVER_PORT"
+        [ "$SECRET_PROVIDED" -eq 1 ] && say "  -> Updated secret for user 'hello'"
+        [ "$DOMAIN_PROVIDED" -eq 1 ] && say "  -> Updated tls_domain: $TLS_DOMAIN"
+        [ "$AD_TAG_PROVIDED" -eq 1 ] && say "  -> Updated ad_tag"
+
+        write_root "$CONFIG_FILE" < "$tmp_conf"
+        rm -f "$tmp_conf"
         return 0
     fi
 
-    toml_secret="$(generate_secret)" || die "Failed to generate secret."
+    if [ -z "$USER_SECRET" ]; then
+        USER_SECRET="$(generate_secret)" || die "Failed to generate secret."
+    fi
 
-    generate_config_content "$toml_secret" | write_root "$CONFIG_FILE" || die "Failed to install config"
+    generate_config_content "$USER_SECRET" "$AD_TAG" | write_root "$CONFIG_FILE" || die "Failed to install config"
     $SUDO chown root:telemt "$CONFIG_FILE" && $SUDO chmod 640 "$CONFIG_FILE"
 
     say "  -> Config created successfully."
-    say "  -> Generated secret for default user 'hello': $toml_secret"
+    say "  -> Configured secret for user 'hello': $USER_SECRET"
 }
 
 generate_systemd_content() {
@@ -348,9 +481,10 @@ Group=telemt
 WorkingDirectory=$WORK_DIR
 ExecStart="${INSTALL_DIR}/${BIN_NAME}" "${CONFIG_FILE}"
 Restart=on-failure
+RestartSec=5
 LimitNOFILE=65536
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
 
 [Install]
 WantedBy=multi-user.target
@@ -381,7 +515,7 @@ install_service() {
 
         $SUDO systemctl daemon-reload || true
         $SUDO systemctl enable "$SERVICE_NAME" || true
-        
+
         if ! $SUDO systemctl start "$SERVICE_NAME"; then
             say "[WARNING] Failed to start service"
             SERVICE_START_FAILED=1
@@ -391,16 +525,16 @@ install_service() {
         $SUDO chown root:root "/etc/init.d/${SERVICE_NAME}" && $SUDO chmod 0755 "/etc/init.d/${SERVICE_NAME}"
 
         $SUDO rc-update add "$SERVICE_NAME" default 2>/dev/null || true
-        
+
         if ! $SUDO rc-service "$SERVICE_NAME" start 2>/dev/null; then
             say "[WARNING] Failed to start service"
             SERVICE_START_FAILED=1
         fi
     else
         cmd="\"${INSTALL_DIR}/${BIN_NAME}\" \"${CONFIG_FILE}\""
-        if [ -n "$SUDO" ]; then 
+        if [ -n "$SUDO" ]; then
             say "  -> Service manager not found. Start manually: sudo -u telemt $cmd"
-        else 
+        else
             say "  -> Service manager not found. Start manually: su -s /bin/sh telemt -c '$cmd'"
         fi
     fi
@@ -415,9 +549,10 @@ kill_user_procs() {
         if command -v pgrep >/dev/null 2>&1; then
             pids="$(pgrep -u telemt 2>/dev/null || true)"
         else
-            pids="$(ps -u telemt -o pid= 2>/dev/null || true)"
+            pids="$(ps -ef 2>/dev/null | awk '$1=="telemt"{print $2}' || true)"
+            [ -z "$pids" ] && pids="$(ps 2>/dev/null | awk '$2=="telemt"{print $1}' || true)"
         fi
-        
+
         if [ -n "$pids" ]; then
             for pid in $pids; do
                 case "$pid" in ''|*[!0-9]*) continue ;; *) $SUDO kill "$pid" 2>/dev/null || true ;; esac
@@ -457,15 +592,16 @@ uninstall() {
         say ">>> Stage 5: Purging configuration, data, and user"
         $SUDO rm -rf "$CONFIG_DIR" "$WORK_DIR"
         $SUDO rm -f "$CONFIG_FILE"
-        if [ "$CONFIG_PARENT_DIR" != "$CONFIG_DIR" ] && [ "$CONFIG_PARENT_DIR" != "." ] && [ "$CONFIG_PARENT_DIR" != "/" ]; then
-            $SUDO rmdir "$CONFIG_PARENT_DIR" 2>/dev/null || true
-        fi
+        sleep 1 
         $SUDO userdel telemt 2>/dev/null || $SUDO deluser telemt 2>/dev/null || true
-        $SUDO groupdel telemt 2>/dev/null || $SUDO delgroup telemt 2>/dev/null || true
+        
+        if check_os_entity group telemt; then
+            $SUDO groupdel telemt 2>/dev/null || $SUDO delgroup telemt 2>/dev/null || true
+        fi
     else
         say "Note: Configuration and user kept. Run with 'purge' to remove completely."
     fi
-    
+
     printf '\n====================================================================\n'
     printf '                    UNINSTALLATION COMPLETE\n'
     printf '====================================================================\n\n'
@@ -479,18 +615,28 @@ case "$ACTION" in
         say "Starting installation of $BIN_NAME (Version: $TARGET_VERSION)"
 
         say ">>> Stage 1: Verifying environment and dependencies"
-        verify_common; verify_install_deps
+        verify_common
+        verify_install_deps
 
-        if [ "$TARGET_VERSION" != "latest" ]; then 
+        if is_config_exists && [ "$PORT_PROVIDED" -eq 0 ]; then
+            ext_port="$($SUDO awk -F'=' '/^[ \t]*port[ \t]*=/ {gsub(/[^0-9]/, "", $2); print $2; exit}' "$CONFIG_FILE" 2>/dev/null || true)"
+            if [ -n "$ext_port" ]; then
+                SERVER_PORT="$ext_port"
+            fi
+        fi
+
+        check_port_availability
+
+        if [ "$TARGET_VERSION" != "latest" ]; then
             TARGET_VERSION="${TARGET_VERSION#v}"
         fi
-        
+
         ARCH="$(detect_arch)"; LIBC="$(detect_libc)"
         FILE_NAME="${BIN_NAME}-${ARCH}-linux-${LIBC}.tar.gz"
-        
+
         if [ "$TARGET_VERSION" = "latest" ]; then
             DL_URL="https://github.com/${REPO}/releases/latest/download/${FILE_NAME}"
-        else 
+        else
             DL_URL="https://github.com/${REPO}/releases/download/${TARGET_VERSION}/${FILE_NAME}"
         fi
 
@@ -500,7 +646,21 @@ case "$ACTION" in
             die "Temp directory is invalid or was not created"
         fi
 
-        fetch_file "$DL_URL" "${TEMP_DIR}/${FILE_NAME}" || die "Download failed"
+        if ! fetch_file "$DL_URL" "${TEMP_DIR}/${FILE_NAME}"; then
+            if [ "$ARCH" = "x86_64-v3" ]; then
+                say "  -> x86_64-v3 build not found, falling back to standard x86_64..."
+                ARCH="x86_64"
+                FILE_NAME="${BIN_NAME}-${ARCH}-linux-${LIBC}.tar.gz"
+                if [ "$TARGET_VERSION" = "latest" ]; then
+                    DL_URL="https://github.com/${REPO}/releases/latest/download/${FILE_NAME}"
+                else
+                    DL_URL="https://github.com/${REPO}/releases/download/${TARGET_VERSION}/${FILE_NAME}"
+                fi
+                fetch_file "$DL_URL" "${TEMP_DIR}/${FILE_NAME}" || die "Download failed"
+            else
+                die "Download failed"
+            fi
+        fi
 
         say ">>> Stage 3: Extracting archive"
         if ! gzip -dc "${TEMP_DIR}/${FILE_NAME}" | tar -xf - -C "$TEMP_DIR" 2>/dev/null; then
@@ -512,13 +672,13 @@ case "$ACTION" in
 
         say ">>> Stage 4: Setting up environment (User, Group, Directories)"
         ensure_user_group; setup_dirs; stop_service
-        
+
         say ">>> Stage 5: Installing binary"
         install_binary "$EXTRACTED_BIN" "${INSTALL_DIR}/${BIN_NAME}"
-        
-        say ">>> Stage 6: Generating configuration"
+
+        say ">>> Stage 6: Generating/Updating configuration"
         install_config
-        
+
         say ">>> Stage 7: Installing and starting service"
         install_service
 
@@ -533,7 +693,7 @@ case "$ACTION" in
             printf '                      INSTALLATION SUCCESS\n'
             printf '====================================================================\n\n'
         fi
-        
+
         svc="$(get_svc_mgr)"
         if [ "$svc" = "systemd" ]; then
             printf 'To check the status of your proxy service, run:\n'
@@ -542,15 +702,18 @@ case "$ACTION" in
             printf 'To check the status of your proxy service, run:\n'
             printf '  rc-service %s status\n\n' "$SERVICE_NAME"
         fi
-        
+
+        API_LISTEN="$($SUDO awk -F'"' '/^[ \t]*listen[ \t]*=/ {print $2; exit}' "$CONFIG_FILE" 2>/dev/null || true)"
+        API_LISTEN="${API_LISTEN:-127.0.0.1:9091}"
+
         printf 'To get your user connection links (for Telegram), run:\n'
         if command -v jq >/dev/null 2>&1; then
-            printf '  curl -s http://127.0.0.1:9091/v1/users | jq -r '\''.data[] | "User: \\(.username)\\n\\(.links.tls[0] // empty)\\n"'\''\n'
+            printf '  curl -s http://%s/v1/users | jq -r '\''.data[]? | "User: \\(.username)\\n\\(.links.tls[0] // empty)\\n"'\''\n' "$API_LISTEN"
         else
-            printf '  curl -s http://127.0.0.1:9091/v1/users\n'
+            printf '  curl -s http://%s/v1/users\n' "$API_LISTEN"
             printf '  (Tip: Install '\''jq'\'' for a much cleaner output)\n'
         fi
-        
+
         printf '\n====================================================================\n'
         ;;
 esac

src/config/defaults.rs

@@ -100,7 +100,7 @@ pub(crate) fn default_fake_cert_len() -> usize {
 }
 
 pub(crate) fn default_tls_front_dir() -> String {
-    "tlsfront".to_string()
+    "/etc/telemt/tlsfront".to_string()
 }
 
 pub(crate) fn default_replay_check_len() -> usize {
@@ -302,7 +302,7 @@ pub(crate) fn default_me2dc_fallback() -> bool {
 }
 
 pub(crate) fn default_me2dc_fast() -> bool {
-    false
+    true
 }
 
 pub(crate) fn default_keepalive_interval() -> u64 {
@@ -558,7 +558,7 @@ pub(crate) fn default_beobachten_flush_secs() -> u64 {
 }
 
 pub(crate) fn default_beobachten_file() -> String {
-    "cache/beobachten.txt".to_string()
+    "/etc/telemt/beobachten.txt".to_string()
 }
 
 pub(crate) fn default_tls_new_session_tickets() -> u8 {

src/config/load.rs

@@ -947,7 +947,11 @@ impl ProxyConfig {
         }
 
         if matches!(config.server.conntrack_control.mode, ConntrackMode::Hybrid)
-            && config.server.conntrack_control.hybrid_listener_ips.is_empty()
+            && config
+                .server
+                .conntrack_control
+                .hybrid_listener_ips
+                .is_empty()
         {
             return Err(ProxyError::Config(
                 "server.conntrack_control.hybrid_listener_ips must be non-empty in mode=hybrid"
@@ -2503,9 +2507,9 @@ mod tests {
         let path = dir.join("telemt_conntrack_high_watermark_invalid_test.toml");
         std::fs::write(&path, toml).unwrap();
         let err = ProxyConfig::load(&path).unwrap_err().to_string();
-        assert!(
-            err.contains("server.conntrack_control.pressure_high_watermark_pct must be within [1, 100]")
-        );
+        assert!(err.contains(
+            "server.conntrack_control.pressure_high_watermark_pct must be within [1, 100]"
+        ));
         let _ = std::fs::remove_file(path);
     }
 
@@ -2570,9 +2574,9 @@ mod tests {
         let path = dir.join("telemt_conntrack_hybrid_requires_ips_test.toml");
         std::fs::write(&path, toml).unwrap();
         let err = ProxyConfig::load(&path).unwrap_err().to_string();
-        assert!(
-            err.contains("server.conntrack_control.hybrid_listener_ips must be non-empty in mode=hybrid")
-        );
+        assert!(err.contains(
+            "server.conntrack_control.hybrid_listener_ips must be non-empty in mode=hybrid"
+        ));
         let _ = std::fs::remove_file(path);
     }
 

src/conntrack_control.rs

@@ -56,7 +56,11 @@ pub(crate) fn spawn_conntrack_controller(
     shared: Arc<ProxySharedState>,
 ) {
     if !cfg!(target_os = "linux") {
-        let enabled = config_rx.borrow().server.conntrack_control.inline_conntrack_control;
+        let enabled = config_rx
+            .borrow()
+            .server
+            .conntrack_control
+            .inline_conntrack_control;
         stats.set_conntrack_control_enabled(enabled);
         stats.set_conntrack_control_available(false);
         stats.set_conntrack_pressure_active(false);
@@ -65,7 +69,9 @@ pub(crate) fn spawn_conntrack_controller(
         shared.disable_conntrack_close_sender();
         shared.set_conntrack_pressure_active(false);
         if enabled {
-            warn!("conntrack control is configured but unsupported on this OS; disabling runtime worker");
+            warn!(
+                "conntrack control is configured but unsupported on this OS; disabling runtime worker"
+            );
         }
         return;
     }
@@ -88,7 +94,13 @@ async fn run_conntrack_controller(
     let mut delete_budget_tokens = cfg.server.conntrack_control.delete_budget_per_sec;
     let mut backend = pick_backend(cfg.server.conntrack_control.backend);
 
-    apply_runtime_state(stats.as_ref(), shared.as_ref(), &cfg, backend.is_some(), false);
+    apply_runtime_state(
+        stats.as_ref(),
+        shared.as_ref(),
+        &cfg,
+        backend.is_some(),
+        false,
+    );
     reconcile_rules(&cfg, backend, stats.as_ref()).await;
 
     loop {
@@ -315,7 +327,9 @@ fn pick_backend(configured: ConntrackBackend) -> Option<NetfilterBackend> {
             }
         }
         ConntrackBackend::Nftables => command_exists("nft").then_some(NetfilterBackend::Nftables),
-        ConntrackBackend::Iptables => command_exists("iptables").then_some(NetfilterBackend::Iptables),
+        ConntrackBackend::Iptables => {
+            command_exists("iptables").then_some(NetfilterBackend::Iptables)
+        }
     }
 }
 
@@ -396,7 +410,12 @@ fn notrack_targets(cfg: &ProxyConfig) -> (Vec<Option<IpAddr>>, Vec<Option<IpAddr
 }
 
 async fn apply_nft_rules(cfg: &ProxyConfig) -> Result<(), String> {
-    let _ = run_command("nft", &["delete", "table", "inet", "telemt_conntrack"], None).await;
+    let _ = run_command(
+        "nft",
+        &["delete", "table", "inet", "telemt_conntrack"],
+        None,
+    )
+    .await;
     if matches!(cfg.server.conntrack_control.mode, ConntrackMode::Tracked) {
         return Ok(());
     }
@@ -446,7 +465,12 @@ async fn apply_iptables_rules_for_binary(
         return Ok(());
     }
     let chain = "TELEMT_NOTRACK";
-    let _ = run_command(binary, &["-t", "raw", "-D", "PREROUTING", "-j", chain], None).await;
+    let _ = run_command(
+        binary,
+        &["-t", "raw", "-D", "PREROUTING", "-j", chain],
+        None,
+    )
+    .await;
     let _ = run_command(binary, &["-t", "raw", "-F", chain], None).await;
     let _ = run_command(binary, &["-t", "raw", "-X", chain], None).await;
 
@@ -456,8 +480,20 @@ async fn apply_iptables_rules_for_binary(
 
     run_command(binary, &["-t", "raw", "-N", chain], None).await?;
     run_command(binary, &["-t", "raw", "-F", chain], None).await?;
-    if run_command(binary, &["-t", "raw", "-C", "PREROUTING", "-j", chain], None).await.is_err() {
-        run_command(binary, &["-t", "raw", "-I", "PREROUTING", "1", "-j", chain], None).await?;
+    if run_command(
+        binary,
+        &["-t", "raw", "-C", "PREROUTING", "-j", chain],
+        None,
+    )
+    .await
+    .is_err()
+    {
+        run_command(
+            binary,
+            &["-t", "raw", "-I", "PREROUTING", "1", "-j", chain],
+            None,
+        )
+        .await?;
     }
 
     let (v4_targets, v6_targets) = notrack_targets(cfg);
@@ -487,11 +523,26 @@ async fn apply_iptables_rules_for_binary(
 }
 
 async fn clear_notrack_rules_all_backends() {
-    let _ = run_command("nft", &["delete", "table", "inet", "telemt_conntrack"], None).await;
-    let _ = run_command("iptables", &["-t", "raw", "-D", "PREROUTING", "-j", "TELEMT_NOTRACK"], None).await;
+    let _ = run_command(
+        "nft",
+        &["delete", "table", "inet", "telemt_conntrack"],
+        None,
+    )
+    .await;
+    let _ = run_command(
+        "iptables",
+        &["-t", "raw", "-D", "PREROUTING", "-j", "TELEMT_NOTRACK"],
+        None,
+    )
+    .await;
     let _ = run_command("iptables", &["-t", "raw", "-F", "TELEMT_NOTRACK"], None).await;
     let _ = run_command("iptables", &["-t", "raw", "-X", "TELEMT_NOTRACK"], None).await;
-    let _ = run_command("ip6tables", &["-t", "raw", "-D", "PREROUTING", "-j", "TELEMT_NOTRACK"], None).await;
+    let _ = run_command(
+        "ip6tables",
+        &["-t", "raw", "-D", "PREROUTING", "-j", "TELEMT_NOTRACK"],
+        None,
+    )
+    .await;
     let _ = run_command("ip6tables", &["-t", "raw", "-F", "TELEMT_NOTRACK"], None).await;
     let _ = run_command("ip6tables", &["-t", "raw", "-X", "TELEMT_NOTRACK"], None).await;
 }

src/logging.rs

@@ -88,8 +88,10 @@ pub fn init_logging(
             // Use a custom fmt layer that writes to syslog
             let fmt_layer = fmt::Layer::default()
                 .with_ansi(false)
-                .with_target(true)
-                .with_writer(SyslogWriter::new);
+                .with_target(false)
+                .with_level(false)
+                .without_time()
+                .with_writer(SyslogMakeWriter::new());
 
             tracing_subscriber::registry()
                 .with(filter_layer)
@@ -137,12 +139,17 @@ pub fn init_logging(
 
 /// Syslog writer for tracing.
 #[cfg(unix)]
+#[derive(Clone, Copy)]
+struct SyslogMakeWriter;
+
+#[cfg(unix)]
+#[derive(Clone, Copy)]
 struct SyslogWriter {
-    _private: (),
+    priority: libc::c_int,
 }
 
 #[cfg(unix)]
-impl SyslogWriter {
+impl SyslogMakeWriter {
     fn new() -> Self {
         // Open syslog connection on first use
         static INIT: std::sync::Once = std::sync::Once::new();
@@ -153,7 +160,18 @@ impl SyslogWriter {
                 libc::openlog(ident, libc::LOG_PID | libc::LOG_NDELAY, libc::LOG_DAEMON);
             }
         });
-        Self { _private: () }
+        Self
+    }
+}
+
+#[cfg(unix)]
+fn syslog_priority_for_level(level: &tracing::Level) -> libc::c_int {
+    match *level {
+        tracing::Level::ERROR => libc::LOG_ERR,
+        tracing::Level::WARN => libc::LOG_WARNING,
+        tracing::Level::INFO => libc::LOG_INFO,
+        tracing::Level::DEBUG => libc::LOG_DEBUG,
+        tracing::Level::TRACE => libc::LOG_DEBUG,
     }
 }
 
@@ -168,26 +186,13 @@ impl std::io::Write for SyslogWriter {
             return Ok(buf.len());
         }
 
-        // Determine priority based on log level in the message
-        let priority = if msg.contains(" ERROR ") || msg.contains(" error ") {
-            libc::LOG_ERR
-        } else if msg.contains(" WARN ") || msg.contains(" warn ") {
-            libc::LOG_WARNING
-        } else if msg.contains(" INFO ") || msg.contains(" info ") {
-            libc::LOG_INFO
-        } else if msg.contains(" DEBUG ") || msg.contains(" debug ") {
-            libc::LOG_DEBUG
-        } else {
-            libc::LOG_INFO
-        };
-
         // Write to syslog
         let c_msg = std::ffi::CString::new(msg.as_bytes())
             .unwrap_or_else(|_| std::ffi::CString::new("(invalid utf8)").unwrap());
 
         unsafe {
             libc::syslog(
-                priority,
+                self.priority,
                 b"%s\0".as_ptr() as *const libc::c_char,
                 c_msg.as_ptr(),
             );
@@ -202,11 +207,19 @@ impl std::io::Write for SyslogWriter {
 }
 
 #[cfg(unix)]
-impl<'a> tracing_subscriber::fmt::MakeWriter<'a> for SyslogWriter {
+impl<'a> tracing_subscriber::fmt::MakeWriter<'a> for SyslogMakeWriter {
     type Writer = SyslogWriter;
 
     fn make_writer(&'a self) -> Self::Writer {
-        SyslogWriter::new()
+        SyslogWriter {
+            priority: libc::LOG_INFO,
+        }
+    }
+
+    fn make_writer_for(&'a self, meta: &tracing::Metadata<'_>) -> Self::Writer {
+        SyslogWriter {
+            priority: syslog_priority_for_level(meta.level()),
+        }
     }
 }
 
@@ -302,4 +315,29 @@ mod tests {
             LogDestination::Syslog
         ));
     }
+
+    #[cfg(unix)]
+    #[test]
+    fn test_syslog_priority_for_level_mapping() {
+        assert_eq!(
+            syslog_priority_for_level(&tracing::Level::ERROR),
+            libc::LOG_ERR
+        );
+        assert_eq!(
+            syslog_priority_for_level(&tracing::Level::WARN),
+            libc::LOG_WARNING
+        );
+        assert_eq!(
+            syslog_priority_for_level(&tracing::Level::INFO),
+            libc::LOG_INFO
+        );
+        assert_eq!(
+            syslog_priority_for_level(&tracing::Level::DEBUG),
+            libc::LOG_DEBUG
+        );
+        assert_eq!(
+            syslog_priority_for_level(&tracing::Level::TRACE),
+            libc::LOG_DEBUG
+        );
+    }
 }

src/maestro/helpers.rs

@@ -18,19 +18,38 @@ use crate::transport::middle_proxy::{
 pub(crate) fn resolve_runtime_config_path(
     config_path_cli: &str,
     startup_cwd: &std::path::Path,
+    config_path_explicit: bool,
 ) -> PathBuf {
-    let raw = PathBuf::from(config_path_cli);
-    let absolute = if raw.is_absolute() {
-        raw
-    } else {
-        startup_cwd.join(raw)
-    };
-    absolute.canonicalize().unwrap_or(absolute)
+    if config_path_explicit {
+        let raw = PathBuf::from(config_path_cli);
+        let absolute = if raw.is_absolute() {
+            raw
+        } else {
+            startup_cwd.join(raw)
+        };
+        return absolute.canonicalize().unwrap_or(absolute);
+    }
+
+    let etc_telemt = std::path::Path::new("/etc/telemt");
+    let candidates = [
+        startup_cwd.join("config.toml"),
+        startup_cwd.join("telemt.toml"),
+        etc_telemt.join("telemt.toml"),
+        etc_telemt.join("config.toml"),
+    ];
+    for candidate in candidates {
+        if candidate.is_file() {
+            return candidate.canonicalize().unwrap_or(candidate);
+        }
+    }
+
+    startup_cwd.join("config.toml")
 }
 
 /// Parsed CLI arguments.
 pub(crate) struct CliArgs {
     pub config_path: String,
+    pub config_path_explicit: bool,
     pub data_path: Option<PathBuf>,
     pub silent: bool,
     pub log_level: Option<String>,
@@ -39,6 +58,7 @@ pub(crate) struct CliArgs {
 
 pub(crate) fn parse_cli() -> CliArgs {
     let mut config_path = "config.toml".to_string();
+    let mut config_path_explicit = false;
     let mut data_path: Option<PathBuf> = None;
     let mut silent = false;
     let mut log_level: Option<String> = None;
@@ -74,6 +94,20 @@ pub(crate) fn parse_cli() -> CliArgs {
                     s.trim_start_matches("--data-path=").to_string(),
                 ));
             }
+            "--working-dir" => {
+                i += 1;
+                if i < args.len() {
+                    data_path = Some(PathBuf::from(args[i].clone()));
+                } else {
+                    eprintln!("Missing value for --working-dir");
+                    std::process::exit(0);
+                }
+            }
+            s if s.starts_with("--working-dir=") => {
+                data_path = Some(PathBuf::from(
+                    s.trim_start_matches("--working-dir=").to_string(),
+                ));
+            }
             "--silent" | "-s" => {
                 silent = true;
             }
@@ -111,13 +145,11 @@ pub(crate) fn parse_cli() -> CliArgs {
                     i += 1;
                 }
             }
-            s if s.starts_with("--working-dir") => {
-                if !s.contains('=') {
-                    i += 1;
-                }
-            }
             s if !s.starts_with('-') => {
-                config_path = s.to_string();
+                if !matches!(s, "run" | "start" | "stop" | "reload" | "status") {
+                    config_path = s.to_string();
+                    config_path_explicit = true;
+                }
             }
             other => {
                 eprintln!("Unknown option: {}", other);
@@ -128,6 +160,7 @@ pub(crate) fn parse_cli() -> CliArgs {
 
     CliArgs {
         config_path,
+        config_path_explicit,
         data_path,
         silent,
         log_level,
@@ -152,6 +185,7 @@ fn print_help() {
     eprintln!(
         "  --data-path <DIR>       Set data directory (absolute path; overrides config value)"
     );
+    eprintln!("  --working-dir <DIR>     Alias for --data-path");
     eprintln!("  --silent, -s            Suppress info logs");
     eprintln!("  --log-level <LEVEL>     debug|verbose|normal|silent");
     eprintln!("  --help, -h              Show this help");
@@ -210,7 +244,7 @@ mod tests {
         let target = startup_cwd.join("config.toml");
         std::fs::write(&target, " ").unwrap();
 
-        let resolved = resolve_runtime_config_path("config.toml", &startup_cwd);
+        let resolved = resolve_runtime_config_path("config.toml", &startup_cwd, true);
         assert_eq!(resolved, target.canonicalize().unwrap());
 
         let _ = std::fs::remove_file(&target);
@@ -226,11 +260,45 @@ mod tests {
         let startup_cwd = std::env::temp_dir().join(format!("telemt_cfg_path_missing_{nonce}"));
         std::fs::create_dir_all(&startup_cwd).unwrap();
 
-        let resolved = resolve_runtime_config_path("missing.toml", &startup_cwd);
+        let resolved = resolve_runtime_config_path("missing.toml", &startup_cwd, true);
         assert_eq!(resolved, startup_cwd.join("missing.toml"));
 
         let _ = std::fs::remove_dir(&startup_cwd);
     }
+
+    #[test]
+    fn resolve_runtime_config_path_uses_startup_candidates_when_not_explicit() {
+        let nonce = std::time::SystemTime::now()
+            .duration_since(std::time::UNIX_EPOCH)
+            .unwrap()
+            .as_nanos();
+        let startup_cwd =
+            std::env::temp_dir().join(format!("telemt_cfg_startup_candidates_{nonce}"));
+        std::fs::create_dir_all(&startup_cwd).unwrap();
+        let telemt = startup_cwd.join("telemt.toml");
+        std::fs::write(&telemt, " ").unwrap();
+
+        let resolved = resolve_runtime_config_path("config.toml", &startup_cwd, false);
+        assert_eq!(resolved, telemt.canonicalize().unwrap());
+
+        let _ = std::fs::remove_file(&telemt);
+        let _ = std::fs::remove_dir(&startup_cwd);
+    }
+
+    #[test]
+    fn resolve_runtime_config_path_defaults_to_startup_config_when_none_found() {
+        let nonce = std::time::SystemTime::now()
+            .duration_since(std::time::UNIX_EPOCH)
+            .unwrap()
+            .as_nanos();
+        let startup_cwd = std::env::temp_dir().join(format!("telemt_cfg_startup_default_{nonce}"));
+        std::fs::create_dir_all(&startup_cwd).unwrap();
+
+        let resolved = resolve_runtime_config_path("config.toml", &startup_cwd, false);
+        assert_eq!(resolved, startup_cwd.join("config.toml"));
+
+        let _ = std::fs::remove_dir(&startup_cwd);
+    }
 }
 
 pub(crate) fn print_proxy_links(host: &str, port: u16, config: &ProxyConfig) {

src/maestro/mod.rs

@@ -28,8 +28,8 @@ use tracing::{error, info, warn};
 use tracing_subscriber::{EnvFilter, fmt, prelude::*, reload};
 
 use crate::api;
-use crate::conntrack_control;
 use crate::config::{LogLevel, ProxyConfig};
+use crate::conntrack_control;
 use crate::crypto::SecureRandom;
 use crate::ip_tracker::UserIpTracker;
 use crate::network::probe::{decide_network_capabilities, log_probe_result, run_probe};
@@ -112,6 +112,7 @@ async fn run_inner(
         .await;
     let cli_args = parse_cli();
     let config_path_cli = cli_args.config_path;
+    let config_path_explicit = cli_args.config_path_explicit;
     let data_path = cli_args.data_path;
     let cli_silent = cli_args.silent;
     let cli_log_level = cli_args.log_level;
@@ -123,7 +124,8 @@ async fn run_inner(
             std::process::exit(1);
         }
     };
-    let config_path = resolve_runtime_config_path(&config_path_cli, &startup_cwd);
+    let mut config_path =
+        resolve_runtime_config_path(&config_path_cli, &startup_cwd, config_path_explicit);
 
     let mut config = match ProxyConfig::load(&config_path) {
         Ok(c) => c,
@@ -133,11 +135,99 @@ async fn run_inner(
                 std::process::exit(1);
             } else {
                 let default = ProxyConfig::default();
-                std::fs::write(&config_path, toml::to_string_pretty(&default).unwrap()).unwrap();
-                eprintln!(
-                    "[telemt] Created default config at {}",
-                    config_path.display()
-                );
+
+                let serialized =
+                    match toml::to_string_pretty(&default).or_else(|_| toml::to_string(&default)) {
+                        Ok(value) => Some(value),
+                        Err(serialize_error) => {
+                            eprintln!(
+                                "[telemt] Warning: failed to serialize default config: {}",
+                                serialize_error
+                            );
+                            None
+                        }
+                    };
+
+                if config_path_explicit {
+                    if let Some(serialized) = serialized.as_ref() {
+                        if let Err(write_error) = std::fs::write(&config_path, serialized) {
+                            eprintln!(
+                                "[telemt] Error: failed to create explicit config at {}: {}",
+                                config_path.display(),
+                                write_error
+                            );
+                            std::process::exit(1);
+                        }
+                        eprintln!(
+                            "[telemt] Created default config at {}",
+                            config_path.display()
+                        );
+                    } else {
+                        eprintln!(
+                            "[telemt] Warning: running with in-memory default config without writing to disk"
+                        );
+                    }
+                } else {
+                    let system_dir = std::path::Path::new("/etc/telemt");
+                    let system_config_path = system_dir.join("telemt.toml");
+                    let startup_config_path = startup_cwd.join("config.toml");
+                    let mut persisted = false;
+
+                    if let Some(serialized) = serialized.as_ref() {
+                        match std::fs::create_dir_all(system_dir) {
+                            Ok(()) => match std::fs::write(&system_config_path, serialized) {
+                                Ok(()) => {
+                                    config_path = system_config_path;
+                                    eprintln!(
+                                        "[telemt] Created default config at {}",
+                                        config_path.display()
+                                    );
+                                    persisted = true;
+                                }
+                                Err(write_error) => {
+                                    eprintln!(
+                                        "[telemt] Warning: failed to write default config at {}: {}",
+                                        system_config_path.display(),
+                                        write_error
+                                    );
+                                }
+                            },
+                            Err(create_error) => {
+                                eprintln!(
+                                    "[telemt] Warning: failed to create {}: {}",
+                                    system_dir.display(),
+                                    create_error
+                                );
+                            }
+                        }
+
+                        if !persisted {
+                            match std::fs::write(&startup_config_path, serialized) {
+                                Ok(()) => {
+                                    config_path = startup_config_path;
+                                    eprintln!(
+                                        "[telemt] Created default config at {}",
+                                        config_path.display()
+                                    );
+                                    persisted = true;
+                                }
+                                Err(write_error) => {
+                                    eprintln!(
+                                        "[telemt] Warning: failed to write default config at {}: {}",
+                                        startup_config_path.display(),
+                                        write_error
+                                    );
+                                }
+                            }
+                        }
+                    }
+
+                    if !persisted {
+                        eprintln!(
+                            "[telemt] Warning: running with in-memory default config without writing to disk"
+                        );
+                    }
+                }
                 default
             }
         }

src/main.rs

@@ -2,8 +2,8 @@
 
 mod api;
 mod cli;
-mod conntrack_control;
 mod config;
+mod conntrack_control;
 mod crypto;
 #[cfg(unix)]
 mod daemon;

src/proxy/adaptive_buffers.rs

@@ -246,7 +246,9 @@ pub fn seed_tier_for_user(user: &str) -> AdaptiveTier {
         if now.saturating_duration_since(value.seen_at) <= PROFILE_TTL {
             return value.tier;
         }
-        profiles().remove_if(user, |_, v| now.saturating_duration_since(v.seen_at) > PROFILE_TTL);
+        profiles().remove_if(user, |_, v| {
+            now.saturating_duration_since(v.seen_at) > PROFILE_TTL
+        });
     }
     AdaptiveTier::Base
 }

src/proxy/client.rs

@@ -518,15 +518,15 @@ where
                 );
                 return Err(ProxyError::Io(e));
             }
-                Err(_) => {
-                    debug!(
-                        peer = %real_peer,
-                        idle_secs = first_byte_idle_secs,
-                        "Closing idle pooled connection before first client byte"
-                    );
-                    return Ok(());
-                }
+            Err(_) => {
+                debug!(
+                    peer = %real_peer,
+                    idle_secs = first_byte_idle_secs,
+                    "Closing idle pooled connection before first client byte"
+                );
+                return Ok(());
             }
+        }
     };
 
     let handshake_timeout = handshake_timeout_with_mask_grace(&config);

src/proxy/direct_relay.rs

@@ -17,13 +17,13 @@ use crate::crypto::SecureRandom;
 use crate::error::{ProxyError, Result};
 use crate::protocol::constants::*;
 use crate::proxy::handshake::{HandshakeSuccess, encrypt_tg_nonce_with_ciphers, generate_tg_nonce};
-use crate::proxy::shared_state::{
-    ConntrackCloseEvent, ConntrackClosePublishResult, ConntrackCloseReason, ProxySharedState,
-};
 use crate::proxy::route_mode::{
     ROUTE_SWITCH_ERROR_MSG, RelayRouteMode, RouteCutoverState, affected_cutover_state,
     cutover_stagger_delay,
 };
+use crate::proxy::shared_state::{
+    ConntrackCloseEvent, ConntrackClosePublishResult, ConntrackCloseReason, ProxySharedState,
+};
 use crate::stats::Stats;
 use crate::stream::{BufferPool, CryptoReader, CryptoWriter};
 use crate::transport::UpstreamManager;

src/proxy/handshake.rs

@@ -118,7 +118,11 @@ fn auth_probe_state_expired(state: &AuthProbeState, now: Instant) -> bool {
     now.duration_since(state.last_seen) > retention
 }
 
-fn auth_probe_eviction_offset_in(shared: &ProxySharedState, peer_ip: IpAddr, now: Instant) -> usize {
+fn auth_probe_eviction_offset_in(
+    shared: &ProxySharedState,
+    peer_ip: IpAddr,
+    now: Instant,
+) -> usize {
     let hasher_state = &shared.handshake.auth_probe_eviction_hasher;
     let mut hasher = hasher_state.build_hasher();
     peer_ip.hash(&mut hasher);

src/proxy/masking.rs

@@ -255,7 +255,11 @@ async fn wait_mask_connect_budget(started: Instant) {
 // sigma is chosen so ~99% of raw samples land inside [floor, ceiling] before clamp.
 // When floor > ceiling (misconfiguration), returns ceiling (the smaller value).
 // When floor == ceiling, returns that value. When both are 0, returns 0.
-pub(crate) fn sample_lognormal_percentile_bounded(floor: u64, ceiling: u64, rng: &mut impl Rng) -> u64 {
+pub(crate) fn sample_lognormal_percentile_bounded(
+    floor: u64,
+    ceiling: u64,
+    rng: &mut impl Rng,
+) -> u64 {
     if ceiling == 0 && floor == 0 {
         return 0;
     }
@@ -296,7 +300,9 @@ fn mask_outcome_target_budget(config: &ProxyConfig) -> Duration {
         }
         if ceiling > floor {
             let mut rng = rand::rng();
-            return Duration::from_millis(sample_lognormal_percentile_bounded(floor, ceiling, &mut rng));
+            return Duration::from_millis(sample_lognormal_percentile_bounded(
+                floor, ceiling, &mut rng,
+            ));
         }
         // ceiling <= floor: use the larger value (fail-closed: preserve longer delay)
         return Duration::from_millis(floor.max(ceiling));

src/proxy/middle_relay.rs

@@ -3,12 +3,12 @@ use std::collections::hash_map::DefaultHasher;
 use std::collections::{BTreeSet, HashMap};
 #[cfg(test)]
 use std::future::Future;
-use std::hash::{BuildHasher, Hash};
 #[cfg(test)]
 use std::hash::Hasher;
+use std::hash::{BuildHasher, Hash};
 use std::net::{IpAddr, SocketAddr};
-use std::sync::atomic::{AtomicU64, Ordering};
 use std::sync::Arc;
+use std::sync::atomic::{AtomicU64, Ordering};
 use std::time::{Duration, Instant};
 
 use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite, AsyncWriteExt};
@@ -21,13 +21,13 @@ use crate::crypto::SecureRandom;
 use crate::error::{ProxyError, Result};
 use crate::protocol::constants::{secure_padding_len, *};
 use crate::proxy::handshake::HandshakeSuccess;
-use crate::proxy::shared_state::{
-    ConntrackCloseEvent, ConntrackClosePublishResult, ConntrackCloseReason, ProxySharedState,
-};
 use crate::proxy::route_mode::{
     ROUTE_SWITCH_ERROR_MSG, RelayRouteMode, RouteCutoverState, affected_cutover_state,
     cutover_stagger_delay,
 };
+use crate::proxy::shared_state::{
+    ConntrackCloseEvent, ConntrackClosePublishResult, ConntrackCloseReason, ProxySharedState,
+};
 use crate::stats::{
     MeD2cFlushReason, MeD2cQuotaRejectStage, MeD2cWriteMode, QuotaReserveError, Stats, UserStats,
 };
@@ -257,9 +257,7 @@ impl RelayClientIdlePolicy {
         if self.soft_idle > self.hard_idle {
             self.soft_idle = self.hard_idle;
         }
-        self.legacy_frame_read_timeout = self
-            .legacy_frame_read_timeout
-            .min(pressure_hard_idle_cap);
+        self.legacy_frame_read_timeout = self.legacy_frame_read_timeout.min(pressure_hard_idle_cap);
         if self.grace_after_downstream_activity > self.hard_idle {
             self.grace_after_downstream_activity = self.hard_idle;
         }
@@ -461,12 +459,15 @@ fn report_desync_frame_too_large_in(
         .map(|b| matches!(b[0], b'G' | b'P' | b'H' | b'C' | b'D'))
         .unwrap_or(false);
     let now = Instant::now();
-    let dedup_key = hash_value_in(shared, &(
-        state.user.as_str(),
-        state.peer_hash,
-        proto_tag,
-        DESYNC_ERROR_CLASS,
-    ));
+    let dedup_key = hash_value_in(
+        shared,
+        &(
+            state.user.as_str(),
+            state.peer_hash,
+            proto_tag,
+            DESYNC_ERROR_CLASS,
+        ),
+    );
     let emit_full = should_emit_full_desync_in(shared, dedup_key, state.desync_all_full, now);
     let duration_ms = state.started_at.elapsed().as_millis() as u64;
     let bytes_me2c = state.bytes_me2c.load(Ordering::Relaxed);
@@ -631,7 +632,10 @@ fn observe_me_d2c_flush_event(
 }
 
 #[cfg(test)]
-pub(crate) fn mark_relay_idle_candidate_for_testing(shared: &ProxySharedState, conn_id: u64) -> bool {
+pub(crate) fn mark_relay_idle_candidate_for_testing(
+    shared: &ProxySharedState,
+    conn_id: u64,
+) -> bool {
     let registry = &shared.middle_relay.relay_idle_registry;
     let mut guard = match registry.lock() {
         Ok(guard) => guard,
@@ -716,7 +720,10 @@ pub(crate) fn relay_pressure_event_seq_for_testing(shared: &ProxySharedState) ->
 
 #[cfg(test)]
 pub(crate) fn relay_idle_mark_seq_for_testing(shared: &ProxySharedState) -> u64 {
-    shared.middle_relay.relay_idle_mark_seq.load(Ordering::Relaxed)
+    shared
+        .middle_relay
+        .relay_idle_mark_seq
+        .load(Ordering::Relaxed)
 }
 
 #[cfg(test)]
@@ -865,10 +872,7 @@ pub(crate) fn desync_dedup_insert_for_testing(shared: &ProxySharedState, key: u6
 }
 
 #[cfg(test)]
-pub(crate) fn desync_dedup_get_for_testing(
-    shared: &ProxySharedState,
-    key: u64,
-) -> Option<Instant> {
+pub(crate) fn desync_dedup_get_for_testing(shared: &ProxySharedState, key: u64) -> Option<Instant> {
     shared
         .middle_relay
         .desync_dedup
@@ -877,7 +881,9 @@ pub(crate) fn desync_dedup_get_for_testing(
 }
 
 #[cfg(test)]
-pub(crate) fn desync_dedup_keys_for_testing(shared: &ProxySharedState) -> std::collections::HashSet<u64> {
+pub(crate) fn desync_dedup_keys_for_testing(
+    shared: &ProxySharedState,
+) -> std::collections::HashSet<u64> {
     shared
         .middle_relay
         .desync_dedup

src/proxy/shared_state.rs

@@ -8,7 +8,7 @@ use std::time::Instant;
 use dashmap::DashMap;
 use tokio::sync::mpsc;
 
-use crate::proxy::handshake::{AuthProbeState, AuthProbeSaturationState};
+use crate::proxy::handshake::{AuthProbeSaturationState, AuthProbeState};
 use crate::proxy::middle_relay::{DesyncDedupRotationState, RelayIdleCandidateRegistry};
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
@@ -136,7 +136,8 @@ impl ProxySharedState {
     }
 
     pub(crate) fn set_conntrack_pressure_active(&self, active: bool) {
-        self.conntrack_pressure_active.store(active, Ordering::Relaxed);
+        self.conntrack_pressure_active
+            .store(active, Ordering::Relaxed);
     }
 
     pub(crate) fn conntrack_pressure_active(&self) -> bool {

src/proxy/tests/adaptive_buffers_record_race_security_tests.rs

@@ -1,6 +1,6 @@
 use super::*;
-use std::sync::atomic::{AtomicUsize, Ordering};
 use std::sync::Arc;
+use std::sync::atomic::{AtomicUsize, Ordering};
 use std::time::{Duration, Instant};
 
 static RACE_TEST_KEY_COUNTER: AtomicUsize = AtomicUsize::new(1_000_000);

src/proxy/tests/adaptive_buffers_security_tests.rs

@@ -65,9 +65,15 @@ fn adaptive_base_tier_buffers_unchanged() {
 fn adaptive_tier1_buffers_within_caps() {
     let (c2s, s2c) = direct_copy_buffers_for_tier(AdaptiveTier::Tier1, 65536, 262144);
     assert!(c2s > 65536, "Tier1 c2s should exceed Base");
-    assert!(c2s <= 128 * 1024, "Tier1 c2s should not exceed DIRECT_C2S_CAP_BYTES");
+    assert!(
+        c2s <= 128 * 1024,
+        "Tier1 c2s should not exceed DIRECT_C2S_CAP_BYTES"
+    );
     assert!(s2c > 262144, "Tier1 s2c should exceed Base");
-    assert!(s2c <= 512 * 1024, "Tier1 s2c should not exceed DIRECT_S2C_CAP_BYTES");
+    assert!(
+        s2c <= 512 * 1024,
+        "Tier1 s2c should not exceed DIRECT_S2C_CAP_BYTES"
+    );
 }
 
 #[test]

src/proxy/tests/handshake_auth_probe_eviction_bias_security_tests.rs

@@ -19,7 +19,8 @@ fn adversarial_large_state_offsets_escape_first_scan_window() {
             ((i.wrapping_mul(131)) & 0xff) as u8,
         ));
         let now = base + Duration::from_nanos(i);
-        let start = auth_probe_scan_start_offset_in(shared.as_ref(), ip, now, state_len, scan_limit);
+        let start =
+            auth_probe_scan_start_offset_in(shared.as_ref(), ip, now, state_len, scan_limit);
         if start >= scan_limit {
             saw_offset_outside_first_window = true;
             break;
@@ -48,7 +49,8 @@ fn stress_large_state_offsets_cover_many_scan_windows() {
             ((i.wrapping_mul(17)) & 0xff) as u8,
         ));
         let now = base + Duration::from_micros(i);
-        let start = auth_probe_scan_start_offset_in(shared.as_ref(), ip, now, state_len, scan_limit);
+        let start =
+            auth_probe_scan_start_offset_in(shared.as_ref(), ip, now, state_len, scan_limit);
         covered_windows.insert(start / scan_limit);
     }
 
@@ -80,7 +82,8 @@ fn light_fuzz_offset_always_stays_inside_state_len() {
         let state_len = ((seed >> 16) as usize % 200_000).saturating_add(1);
         let scan_limit = ((seed >> 40) as usize % 2_048).saturating_add(1);
         let now = base + Duration::from_nanos(seed & 0x0fff);
-        let start = auth_probe_scan_start_offset_in(shared.as_ref(), ip, now, state_len, scan_limit);
+        let start =
+            auth_probe_scan_start_offset_in(shared.as_ref(), ip, now, state_len, scan_limit);
 
         assert!(
             start < state_len,

src/proxy/tests/handshake_auth_probe_hardening_adversarial_tests.rs

@@ -87,7 +87,11 @@ fn adversarial_saturation_grace_requires_extra_failures_before_preauth_throttle(
     }
 
     assert!(
-        auth_probe_should_apply_preauth_throttle_in(shared.as_ref(), ip, now + Duration::from_millis(1)),
+        auth_probe_should_apply_preauth_throttle_in(
+            shared.as_ref(),
+            ip,
+            now + Duration::from_millis(1)
+        ),
         "after grace failures are exhausted, preauth throttle must activate"
     );
 }
@@ -134,7 +138,11 @@ fn light_fuzz_randomized_failures_preserve_cap_and_nonzero_streaks() {
             (seed >> 8) as u8,
             seed as u8,
         ));
-        auth_probe_record_failure_in(shared.as_ref(), ip, now + Duration::from_millis((seed & 0x3f) as u64));
+        auth_probe_record_failure_in(
+            shared.as_ref(),
+            ip,
+            now + Duration::from_millis((seed & 0x3f) as u64),
+        );
     }
 
     let state = auth_probe_state_for_testing_in_shared(shared.as_ref());
@@ -162,7 +170,11 @@ async fn stress_parallel_failure_flood_keeps_state_hard_capped() {
                     ((i >> 8) & 0xff) as u8,
                     (i & 0xff) as u8,
                 ));
-                auth_probe_record_failure_in(shared.as_ref(), ip, start + Duration::from_millis((i % 4) as u64));
+                auth_probe_record_failure_in(
+                    shared.as_ref(),
+                    ip,
+                    start + Duration::from_millis((i % 4) as u64),
+                );
             }
         }));
     }

src/proxy/tests/handshake_auth_probe_scan_budget_security_tests.rs

@@ -31,7 +31,8 @@ fn adversarial_large_state_must_allow_start_offset_outside_scan_budget_window()
             (i & 0xff) as u8,
         ));
         let now = base + Duration::from_micros(i as u64);
-        let start = auth_probe_scan_start_offset_in(shared.as_ref(), ip, now, state_len, scan_limit);
+        let start =
+            auth_probe_scan_start_offset_in(shared.as_ref(), ip, now, state_len, scan_limit);
         assert!(
             start < state_len,
             "start offset must stay within state length; start={start}, len={state_len}"
@@ -83,7 +84,8 @@ fn light_fuzz_scan_offset_budget_never_exceeds_effective_window() {
         let state_len = ((seed >> 8) as usize % 131_072).saturating_add(1);
         let scan_limit = ((seed >> 32) as usize % 512).saturating_add(1);
         let now = base + Duration::from_nanos(seed & 0xffff);
-        let start = auth_probe_scan_start_offset_in(shared.as_ref(), ip, now, state_len, scan_limit);
+        let start =
+            auth_probe_scan_start_offset_in(shared.as_ref(), ip, now, state_len, scan_limit);
 
         assert!(
             start < state_len,

src/proxy/tests/handshake_auth_probe_scan_offset_stress_tests.rs

@@ -36,7 +36,13 @@ fn adversarial_many_ips_same_time_spreads_offsets_without_bias_collapse() {
             i as u8,
             (255 - (i as u8)),
         ));
-        uniq.insert(auth_probe_scan_start_offset_in(shared.as_ref(), ip, now, 65_536, 16));
+        uniq.insert(auth_probe_scan_start_offset_in(
+            shared.as_ref(),
+            ip,
+            now,
+            65_536,
+            16,
+        ));
     }
 
     assert!(
@@ -63,7 +69,11 @@ async fn stress_parallel_failure_churn_under_saturation_remains_capped_and_live(
                     ((i >> 8) & 0xff) as u8,
                     (i & 0xff) as u8,
                 ));
-                auth_probe_record_failure_in(shared.as_ref(), ip, start + Duration::from_micros((i % 128) as u64));
+                auth_probe_record_failure_in(
+                    shared.as_ref(),
+                    ip,
+                    start + Duration::from_micros((i % 128) as u64),
+                );
             }
         }));
     }
@@ -73,12 +83,17 @@ async fn stress_parallel_failure_churn_under_saturation_remains_capped_and_live(
     }
 
     assert!(
-        auth_probe_state_for_testing_in_shared(shared.as_ref()).len() <= AUTH_PROBE_TRACK_MAX_ENTRIES,
+        auth_probe_state_for_testing_in_shared(shared.as_ref()).len()
+            <= AUTH_PROBE_TRACK_MAX_ENTRIES,
         "state must remain hard-capped under parallel saturation churn"
     );
 
     let probe = IpAddr::V4(Ipv4Addr::new(10, 4, 1, 1));
-    let _ = auth_probe_should_apply_preauth_throttle_in(shared.as_ref(), probe, start + Duration::from_millis(1));
+    let _ = auth_probe_should_apply_preauth_throttle_in(
+        shared.as_ref(),
+        probe,
+        start + Duration::from_millis(1),
+    );
 }
 
 #[test]
@@ -102,7 +117,8 @@ fn light_fuzz_scan_offset_stays_within_window_for_randomized_inputs() {
         let scan_limit = ((seed >> 40) as usize % 1024).saturating_add(1);
         let now = base + Duration::from_nanos(seed & 0x1fff);
 
-        let offset = auth_probe_scan_start_offset_in(shared.as_ref(), ip, now, state_len, scan_limit);
+        let offset =
+            auth_probe_scan_start_offset_in(shared.as_ref(), ip, now, state_len, scan_limit);
         assert!(
             offset < state_len,
             "scan offset must always remain inside state length"

src/proxy/tests/handshake_baseline_invariant_tests.rs

@@ -116,8 +116,14 @@ async fn handshake_baseline_auth_probe_streak_increments_per_ip() {
         )
         .await;
         assert!(matches!(res, HandshakeResult::BadClient { .. }));
-        assert_eq!(auth_probe_fail_streak_for_testing_in_shared(shared.as_ref(), peer.ip()), Some(expected));
-        assert_eq!(auth_probe_fail_streak_for_testing_in_shared(shared.as_ref(), untouched_ip), None);
+        assert_eq!(
+            auth_probe_fail_streak_for_testing_in_shared(shared.as_ref(), peer.ip()),
+            Some(expected)
+        );
+        assert_eq!(
+            auth_probe_fail_streak_for_testing_in_shared(shared.as_ref(), untouched_ip),
+            None
+        );
     }
 }
 
@@ -149,7 +155,8 @@ fn handshake_baseline_repeated_probes_streak_monotonic() {
 
     for _ in 0..100 {
         auth_probe_record_failure_in(shared.as_ref(), ip, now);
-        let current = auth_probe_fail_streak_for_testing_in_shared(shared.as_ref(), ip).unwrap_or(0);
+        let current =
+            auth_probe_fail_streak_for_testing_in_shared(shared.as_ref(), ip).unwrap_or(0);
         assert!(current >= prev, "streak must be monotonic");
         prev = current;
     }
@@ -173,8 +180,16 @@ fn handshake_baseline_throttled_ip_incurs_backoff_delay() {
     let before_expiry = now + delay.saturating_sub(Duration::from_millis(1));
     let after_expiry = now + delay + Duration::from_millis(1);
 
-    assert!(auth_probe_is_throttled_in(shared.as_ref(), ip, before_expiry));
-    assert!(!auth_probe_is_throttled_in(shared.as_ref(), ip, after_expiry));
+    assert!(auth_probe_is_throttled_in(
+        shared.as_ref(),
+        ip,
+        before_expiry
+    ));
+    assert!(!auth_probe_is_throttled_in(
+        shared.as_ref(),
+        ip,
+        after_expiry
+    ));
 }
 
 #[tokio::test]
@@ -212,7 +227,10 @@ async fn handshake_baseline_malformed_probe_frames_fail_closed_to_masking() {
         .expect("malformed probe handling must complete in bounded time");
 
         assert!(
-            matches!(res, HandshakeResult::BadClient { .. } | HandshakeResult::Error(_)),
+            matches!(
+                res,
+                HandshakeResult::BadClient { .. } | HandshakeResult::Error(_)
+            ),
             "malformed probe must fail closed"
         );
     }

src/proxy/tests/handshake_more_clever_tests.rs

@@ -332,7 +332,13 @@ async fn invalid_secret_warning_lock_contention_and_bound() {
             b.wait().await;
             for i in 0..iterations_per_task {
                 let user_name = format!("contention_user_{}_{}", t, i);
-                warn_invalid_secret_once_in(shared.as_ref(), &user_name, "invalid_hex", ACCESS_SECRET_BYTES, None);
+                warn_invalid_secret_once_in(
+                    shared.as_ref(),
+                    &user_name,
+                    "invalid_hex",
+                    ACCESS_SECRET_BYTES,
+                    None,
+                );
             }
         }));
     }
@@ -629,7 +635,8 @@ fn auth_probe_saturation_note_resets_retention_window() {
 
     // This call may return false if backoff has elapsed, but it must not clear
     // the saturation state because `later` refreshed last_seen.
-    let _ = auth_probe_saturation_is_throttled_at_for_testing_in_shared(shared.as_ref(), check_time);
+    let _ =
+        auth_probe_saturation_is_throttled_at_for_testing_in_shared(shared.as_ref(), check_time);
     let guard = auth_probe_saturation_state_lock_for_testing_in_shared(shared.as_ref());
     assert!(
         guard.is_some(),

src/proxy/tests/handshake_real_bug_stress_tests.rs

@@ -206,7 +206,12 @@ fn auth_probe_eviction_identical_timestamps_keeps_map_bounded() {
     }
 
     let new_ip = IpAddr::V4(Ipv4Addr::new(192, 168, 21, 21));
-    auth_probe_record_failure_with_state_in(shared.as_ref(), state, new_ip, same + Duration::from_millis(1));
+    auth_probe_record_failure_with_state_in(
+        shared.as_ref(),
+        state,
+        new_ip,
+        same + Duration::from_millis(1),
+    );
 
     assert_eq!(state.len(), AUTH_PROBE_TRACK_MAX_ENTRIES);
     assert!(state.contains_key(&new_ip));
@@ -325,7 +330,8 @@ async fn saturation_grace_exhaustion_under_concurrency_keeps_peer_throttled() {
         final_state.fail_streak
             >= AUTH_PROBE_BACKOFF_START_FAILS + AUTH_PROBE_SATURATION_GRACE_FAILS
     );
-    assert!(auth_probe_should_apply_preauth_throttle_in(shared.as_ref(), 
+    assert!(auth_probe_should_apply_preauth_throttle_in(
+        shared.as_ref(),
         peer_ip,
         Instant::now()
     ));

src/proxy/tests/handshake_saturation_poison_security_tests.rs

@@ -54,7 +54,9 @@ fn clear_auth_probe_state_clears_saturation_even_if_poisoned() {
     poison_saturation_mutex(shared.as_ref());
 
     auth_probe_note_saturation_in(shared.as_ref(), Instant::now());
-    assert!(auth_probe_saturation_is_throttled_for_testing_in_shared(shared.as_ref()));
+    assert!(auth_probe_saturation_is_throttled_for_testing_in_shared(
+        shared.as_ref()
+    ));
 
     clear_auth_probe_state_for_testing_in_shared(shared.as_ref());
     assert!(

src/proxy/tests/handshake_security_tests.rs

@@ -1427,7 +1427,13 @@ fn invalid_secret_warning_cache_is_bounded() {
 
     for idx in 0..(WARNED_SECRET_MAX_ENTRIES + 32) {
         let user = format!("warned_user_{idx}");
-        warn_invalid_secret_once_in(shared.as_ref(), &user, "invalid_length", ACCESS_SECRET_BYTES, Some(idx));
+        warn_invalid_secret_once_in(
+            shared.as_ref(),
+            &user,
+            "invalid_length",
+            ACCESS_SECRET_BYTES,
+            Some(idx),
+        );
     }
 
     let warned = warned_secrets_for_testing_in_shared(shared.as_ref());
@@ -1640,11 +1646,15 @@ fn unknown_sni_warn_cooldown_first_event_is_warn_and_repeated_events_are_info_un
         "first unknown SNI event must be eligible for WARN emission"
     );
     assert!(
-        !should_emit_unknown_sni_warn_for_testing_in_shared(shared.as_ref(), now + Duration::from_secs(1)),
+        !should_emit_unknown_sni_warn_for_testing_in_shared(
+            shared.as_ref(),
+            now + Duration::from_secs(1)
+        ),
         "events inside cooldown window must be demoted from WARN to INFO"
     );
     assert!(
-        should_emit_unknown_sni_warn_for_testing_in_shared(shared.as_ref(), 
+        should_emit_unknown_sni_warn_for_testing_in_shared(
+            shared.as_ref(),
             now + Duration::from_secs(UNKNOWN_SNI_WARN_COOLDOWN_SECS)
         ),
         "once cooldown expires, next unknown SNI event must be WARN-eligible again"
@@ -1725,7 +1735,12 @@ fn auth_probe_over_cap_churn_still_tracks_newcomer_after_round_limit() {
     }
 
     let newcomer = IpAddr::V4(Ipv4Addr::new(203, 0, 114, 77));
-    auth_probe_record_failure_with_state_in(shared.as_ref(), &state, newcomer, now + Duration::from_secs(1));
+    auth_probe_record_failure_with_state_in(
+        shared.as_ref(),
+        &state,
+        newcomer,
+        now + Duration::from_secs(1),
+    );
 
     assert!(
         state.get(&newcomer).is_some(),
@@ -1931,8 +1946,18 @@ fn auth_probe_ipv6_is_bucketed_by_prefix_64() {
     let ip_a = IpAddr::V6("2001:db8:abcd:1234:1:2:3:4".parse().unwrap());
     let ip_b = IpAddr::V6("2001:db8:abcd:1234:ffff:eeee:dddd:cccc".parse().unwrap());
 
-    auth_probe_record_failure_with_state_in(shared.as_ref(), &state, normalize_auth_probe_ip(ip_a), now);
-    auth_probe_record_failure_with_state_in(shared.as_ref(), &state, normalize_auth_probe_ip(ip_b), now);
+    auth_probe_record_failure_with_state_in(
+        shared.as_ref(),
+        &state,
+        normalize_auth_probe_ip(ip_a),
+        now,
+    );
+    auth_probe_record_failure_with_state_in(
+        shared.as_ref(),
+        &state,
+        normalize_auth_probe_ip(ip_b),
+        now,
+    );
 
     let normalized = normalize_auth_probe_ip(ip_a);
     assert_eq!(
@@ -1956,8 +1981,18 @@ fn auth_probe_ipv6_different_prefixes_use_distinct_buckets() {
     let ip_a = IpAddr::V6("2001:db8:1111:2222:1:2:3:4".parse().unwrap());
     let ip_b = IpAddr::V6("2001:db8:1111:3333:1:2:3:4".parse().unwrap());
 
-    auth_probe_record_failure_with_state_in(shared.as_ref(), &state, normalize_auth_probe_ip(ip_a), now);
-    auth_probe_record_failure_with_state_in(shared.as_ref(), &state, normalize_auth_probe_ip(ip_b), now);
+    auth_probe_record_failure_with_state_in(
+        shared.as_ref(),
+        &state,
+        normalize_auth_probe_ip(ip_a),
+        now,
+    );
+    auth_probe_record_failure_with_state_in(
+        shared.as_ref(),
+        &state,
+        normalize_auth_probe_ip(ip_b),
+        now,
+    );
 
     assert_eq!(
         state.len(),
@@ -2070,7 +2105,12 @@ fn auth_probe_round_limited_overcap_eviction_marks_saturation_and_keeps_newcomer
     }
 
     let newcomer = IpAddr::V4(Ipv4Addr::new(203, 0, 113, 40));
-    auth_probe_record_failure_with_state_in(shared.as_ref(), &state, newcomer, now + Duration::from_millis(1));
+    auth_probe_record_failure_with_state_in(
+        shared.as_ref(),
+        &state,
+        newcomer,
+        now + Duration::from_millis(1),
+    );
 
     assert!(
         state.get(&newcomer).is_some(),
@@ -2081,7 +2121,10 @@ fn auth_probe_round_limited_overcap_eviction_marks_saturation_and_keeps_newcomer
         "high fail-streak sentinel must survive round-limited eviction"
     );
     assert!(
-        auth_probe_saturation_is_throttled_at_for_testing_in_shared(shared.as_ref(), now + Duration::from_millis(1)),
+        auth_probe_saturation_is_throttled_at_for_testing_in_shared(
+            shared.as_ref(),
+            now + Duration::from_millis(1)
+        ),
         "round-limited over-cap path must activate saturation throttle marker"
     );
 }
@@ -2163,7 +2206,8 @@ fn stress_auth_probe_overcap_churn_does_not_starve_high_threat_sentinel_bucket()
             ((step >> 8) & 0xff) as u8,
             (step & 0xff) as u8,
         ));
-        auth_probe_record_failure_with_state_in(shared.as_ref(), 
+        auth_probe_record_failure_with_state_in(
+            shared.as_ref(),
             &state,
             newcomer,
             base_now + Duration::from_millis(step as u64 + 1),
@@ -2226,7 +2270,8 @@ fn light_fuzz_auth_probe_overcap_eviction_prefers_less_threatening_entries() {
             ((round >> 8) & 0xff) as u8,
             (round & 0xff) as u8,
         ));
-        auth_probe_record_failure_with_state_in(shared.as_ref(), 
+        auth_probe_record_failure_with_state_in(
+            shared.as_ref(),
             &state,
             newcomer,
             now + Duration::from_millis(round as u64 + 1),
@@ -3105,7 +3150,10 @@ async fn saturation_grace_boundary_still_admits_valid_tls_before_exhaustion() {
         matches!(result, HandshakeResult::Success(_)),
         "valid TLS should still pass while peer remains within saturation grace budget"
     );
-    assert_eq!(auth_probe_fail_streak_for_testing_in_shared(shared.as_ref(), peer.ip()), None);
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(shared.as_ref(), peer.ip()),
+        None
+    );
 }
 
 #[tokio::test]
@@ -3171,7 +3219,10 @@ async fn saturation_grace_exhaustion_blocks_valid_tls_until_backoff_expires() {
         matches!(allowed, HandshakeResult::Success(_)),
         "valid TLS should recover after peer-specific pre-auth backoff has elapsed"
     );
-    assert_eq!(auth_probe_fail_streak_for_testing_in_shared(shared.as_ref(), peer.ip()), None);
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(shared.as_ref(), peer.ip()),
+        None
+    );
 }
 
 #[tokio::test]

src/proxy/tests/masking_lognormal_timing_security_tests.rs

@@ -1,6 +1,6 @@
 use super::*;
-use rand::rngs::StdRng;
 use rand::SeedableRng;
+use rand::rngs::StdRng;
 
 fn seeded_rng(seed: u64) -> StdRng {
     StdRng::seed_from_u64(seed)
@@ -57,7 +57,10 @@ fn masking_lognormal_degenerate_floor_eq_ceiling_returns_floor() {
     let mut rng = seeded_rng(99);
     for _ in 0..100 {
         let val = sample_lognormal_percentile_bounded(1000, 1000, &mut rng);
-        assert_eq!(val, 1000, "floor == ceiling must always return exactly that value");
+        assert_eq!(
+            val, 1000,
+            "floor == ceiling must always return exactly that value"
+        );
     }
 }
 

src/proxy/tests/middle_relay_baseline_invariant_tests.rs

@@ -7,13 +7,22 @@ fn middle_relay_baseline_public_api_idle_roundtrip_contract() {
     clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
 
     assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 7001));
-    assert_eq!(oldest_relay_idle_candidate_for_testing(shared.as_ref()), Some(7001));
+    assert_eq!(
+        oldest_relay_idle_candidate_for_testing(shared.as_ref()),
+        Some(7001)
+    );
 
     clear_relay_idle_candidate_for_testing(shared.as_ref(), 7001);
-    assert_ne!(oldest_relay_idle_candidate_for_testing(shared.as_ref()), Some(7001));
+    assert_ne!(
+        oldest_relay_idle_candidate_for_testing(shared.as_ref()),
+        Some(7001)
+    );
 
     assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 7001));
-    assert_eq!(oldest_relay_idle_candidate_for_testing(shared.as_ref()), Some(7001));
+    assert_eq!(
+        oldest_relay_idle_candidate_for_testing(shared.as_ref()),
+        Some(7001)
+    );
 
     clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
 }
@@ -26,7 +35,12 @@ fn middle_relay_baseline_public_api_desync_window_contract() {
     let key = 0xDEAD_BEEF_0000_0001u64;
     let t0 = Instant::now();
 
-    assert!(should_emit_full_desync_for_testing(shared.as_ref(), key, false, t0));
+    assert!(should_emit_full_desync_for_testing(
+        shared.as_ref(),
+        key,
+        false,
+        t0
+    ));
     assert!(!should_emit_full_desync_for_testing(
         shared.as_ref(),
         key,
@@ -35,7 +49,12 @@ fn middle_relay_baseline_public_api_desync_window_contract() {
     ));
 
     let t1 = t0 + DESYNC_DEDUP_WINDOW + Duration::from_millis(10);
-    assert!(should_emit_full_desync_for_testing(shared.as_ref(), key, false, t1));
+    assert!(should_emit_full_desync_for_testing(
+        shared.as_ref(),
+        key,
+        false,
+        t1
+    ));
 
     clear_desync_dedup_for_testing_in_shared(shared.as_ref());
 }

src/proxy/tests/middle_relay_desync_all_full_dedup_security_tests.rs

@@ -13,7 +13,12 @@ fn desync_all_full_bypass_does_not_initialize_or_grow_dedup_cache() {
 
     for i in 0..20_000u64 {
         assert!(
-            should_emit_full_desync_for_testing(shared.as_ref(), 0xD35E_D000_0000_0000u64 ^ i, true, now),
+            should_emit_full_desync_for_testing(
+                shared.as_ref(),
+                0xD35E_D000_0000_0000u64 ^ i,
+                true,
+                now
+            ),
             "desync_all_full path must always emit"
         );
     }
@@ -37,7 +42,12 @@ fn desync_all_full_bypass_keeps_existing_dedup_entries_unchanged() {
     let now = Instant::now();
     for i in 0..2048u64 {
         assert!(
-            should_emit_full_desync_for_testing(shared.as_ref(), 0xF011_F000_0000_0000u64 ^ i, true, now),
+            should_emit_full_desync_for_testing(
+                shared.as_ref(),
+                0xF011_F000_0000_0000u64 ^ i,
+                true,
+                now
+            ),
             "desync_all_full must bypass suppression and dedup refresh"
         );
     }
@@ -68,7 +78,8 @@ fn edge_all_full_burst_does_not_poison_later_false_path_tracking() {
 
     let now = Instant::now();
     for i in 0..8192u64 {
-        assert!(should_emit_full_desync_for_testing(shared.as_ref(), 
+        assert!(should_emit_full_desync_for_testing(
+            shared.as_ref(),
             0xABCD_0000_0000_0000 ^ i,
             true,
             now
@@ -102,7 +113,12 @@ fn adversarial_mixed_sequence_true_steps_never_change_cache_len() {
         let flag_all_full = (seed & 0x1) == 1;
         let key = 0x7000_0000_0000_0000u64 ^ i ^ seed;
         let before = desync_dedup_len_for_testing(shared.as_ref());
-        let _ = should_emit_full_desync_for_testing(shared.as_ref(), key, flag_all_full, Instant::now());
+        let _ = should_emit_full_desync_for_testing(
+            shared.as_ref(),
+            key,
+            flag_all_full,
+            Instant::now(),
+        );
         let after = desync_dedup_len_for_testing(shared.as_ref());
 
         if flag_all_full {
@@ -124,7 +140,12 @@ fn light_fuzz_all_full_mode_always_emits_and_stays_bounded() {
         seed ^= seed >> 9;
         seed ^= seed << 8;
         let key = seed ^ 0x55AA_55AA_55AA_55AAu64;
-        assert!(should_emit_full_desync_for_testing(shared.as_ref(), key, true, Instant::now()));
+        assert!(should_emit_full_desync_for_testing(
+            shared.as_ref(),
+            key,
+            true,
+            Instant::now()
+        ));
     }
 
     let after = desync_dedup_len_for_testing(shared.as_ref());

src/proxy/tests/middle_relay_idle_policy_security_tests.rs

@@ -366,23 +366,42 @@ fn pressure_evicts_oldest_idle_candidate_with_deterministic_ordering() {
 
     assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 10));
     assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 11));
-    assert_eq!(oldest_relay_idle_candidate_for_testing(shared.as_ref()), Some(10));
+    assert_eq!(
+        oldest_relay_idle_candidate_for_testing(shared.as_ref()),
+        Some(10)
+    );
 
     note_relay_pressure_event_for_testing(shared.as_ref());
 
     let mut seen_for_newer = 0u64;
     assert!(
-        !maybe_evict_idle_candidate_on_pressure_for_testing(shared.as_ref(), 11, &mut seen_for_newer, &stats),
+        !maybe_evict_idle_candidate_on_pressure_for_testing(
+            shared.as_ref(),
+            11,
+            &mut seen_for_newer,
+            &stats
+        ),
         "newer idle candidate must not be evicted while older candidate exists"
     );
-    assert_eq!(oldest_relay_idle_candidate_for_testing(shared.as_ref()), Some(10));
+    assert_eq!(
+        oldest_relay_idle_candidate_for_testing(shared.as_ref()),
+        Some(10)
+    );
 
     let mut seen_for_oldest = 0u64;
     assert!(
-        maybe_evict_idle_candidate_on_pressure_for_testing(shared.as_ref(), 10, &mut seen_for_oldest, &stats),
+        maybe_evict_idle_candidate_on_pressure_for_testing(
+            shared.as_ref(),
+            10,
+            &mut seen_for_oldest,
+            &stats
+        ),
         "oldest idle candidate must be evicted first under pressure"
     );
-    assert_eq!(oldest_relay_idle_candidate_for_testing(shared.as_ref()), Some(11));
+    assert_eq!(
+        oldest_relay_idle_candidate_for_testing(shared.as_ref()),
+        Some(11)
+    );
     assert_eq!(stats.get_relay_pressure_evict_total(), 1);
 
     clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
@@ -402,7 +421,10 @@ fn pressure_does_not_evict_without_new_pressure_signal() {
         "without new pressure signal, candidate must stay"
     );
     assert_eq!(stats.get_relay_pressure_evict_total(), 0);
-    assert_eq!(oldest_relay_idle_candidate_for_testing(shared.as_ref()), Some(21));
+    assert_eq!(
+        oldest_relay_idle_candidate_for_testing(shared.as_ref()),
+        Some(21)
+    );
 
     clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
 }
@@ -415,7 +437,10 @@ fn stress_pressure_eviction_preserves_fifo_across_many_candidates() {
 
     let mut seen_per_conn = std::collections::HashMap::new();
     for conn_id in 1000u64..1064u64 {
-        assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), conn_id));
+        assert!(mark_relay_idle_candidate_for_testing(
+            shared.as_ref(),
+            conn_id
+        ));
         seen_per_conn.insert(conn_id, 0u64);
     }
 
@@ -426,7 +451,12 @@ fn stress_pressure_eviction_preserves_fifo_across_many_candidates() {
             .get(&expected)
             .expect("per-conn pressure cursor must exist");
         assert!(
-            maybe_evict_idle_candidate_on_pressure_for_testing(shared.as_ref(), expected, &mut seen, &stats),
+            maybe_evict_idle_candidate_on_pressure_for_testing(
+                shared.as_ref(),
+                expected,
+                &mut seen,
+                &stats
+            ),
             "expected conn_id {expected} must be evicted next by deterministic FIFO ordering"
         );
         seen_per_conn.insert(expected, seen);
@@ -436,7 +466,10 @@ fn stress_pressure_eviction_preserves_fifo_across_many_candidates() {
         } else {
             Some(expected + 1)
         };
-        assert_eq!(oldest_relay_idle_candidate_for_testing(shared.as_ref()), next);
+        assert_eq!(
+            oldest_relay_idle_candidate_for_testing(shared.as_ref()),
+            next
+        );
     }
 
     assert_eq!(stats.get_relay_pressure_evict_total(), 64);
@@ -460,9 +493,24 @@ fn blackhat_single_pressure_event_must_not_evict_more_than_one_candidate() {
     // Single pressure event should authorize at most one eviction globally.
     note_relay_pressure_event_for_testing(shared.as_ref());
 
-    let evicted_301 = maybe_evict_idle_candidate_on_pressure_for_testing(shared.as_ref(), 301, &mut seen_301, &stats);
-    let evicted_302 = maybe_evict_idle_candidate_on_pressure_for_testing(shared.as_ref(), 302, &mut seen_302, &stats);
-    let evicted_303 = maybe_evict_idle_candidate_on_pressure_for_testing(shared.as_ref(), 303, &mut seen_303, &stats);
+    let evicted_301 = maybe_evict_idle_candidate_on_pressure_for_testing(
+        shared.as_ref(),
+        301,
+        &mut seen_301,
+        &stats,
+    );
+    let evicted_302 = maybe_evict_idle_candidate_on_pressure_for_testing(
+        shared.as_ref(),
+        302,
+        &mut seen_302,
+        &stats,
+    );
+    let evicted_303 = maybe_evict_idle_candidate_on_pressure_for_testing(
+        shared.as_ref(),
+        303,
+        &mut seen_303,
+        &stats,
+    );
 
     let evicted_total = [evicted_301, evicted_302, evicted_303]
         .iter()
@@ -492,12 +540,22 @@ fn blackhat_pressure_counter_must_track_global_budget_not_per_session_cursor() {
     note_relay_pressure_event_for_testing(shared.as_ref());
 
     assert!(
-        maybe_evict_idle_candidate_on_pressure_for_testing(shared.as_ref(), 401, &mut seen_oldest, &stats),
+        maybe_evict_idle_candidate_on_pressure_for_testing(
+            shared.as_ref(),
+            401,
+            &mut seen_oldest,
+            &stats
+        ),
         "oldest candidate must consume pressure budget first"
     );
 
     assert!(
-        !maybe_evict_idle_candidate_on_pressure_for_testing(shared.as_ref(), 402, &mut seen_next, &stats),
+        !maybe_evict_idle_candidate_on_pressure_for_testing(
+            shared.as_ref(),
+            402,
+            &mut seen_next,
+            &stats
+        ),
         "next candidate must not consume the same pressure budget"
     );
 
@@ -522,7 +580,12 @@ fn blackhat_stale_pressure_before_idle_mark_must_not_trigger_eviction() {
 
     let mut seen = 0u64;
     assert!(
-        !maybe_evict_idle_candidate_on_pressure_for_testing(shared.as_ref(), 501, &mut seen, &stats),
+        !maybe_evict_idle_candidate_on_pressure_for_testing(
+            shared.as_ref(),
+            501,
+            &mut seen,
+            &stats
+        ),
         "stale pressure (before soft-idle mark) must not evict newly marked candidate"
     );
 
@@ -545,9 +608,24 @@ fn blackhat_stale_pressure_must_not_evict_any_of_newly_marked_batch() {
     let mut seen_513 = 0u64;
 
     let evicted = [
-        maybe_evict_idle_candidate_on_pressure_for_testing(shared.as_ref(), 511, &mut seen_511, &stats),
-        maybe_evict_idle_candidate_on_pressure_for_testing(shared.as_ref(), 512, &mut seen_512, &stats),
-        maybe_evict_idle_candidate_on_pressure_for_testing(shared.as_ref(), 513, &mut seen_513, &stats),
+        maybe_evict_idle_candidate_on_pressure_for_testing(
+            shared.as_ref(),
+            511,
+            &mut seen_511,
+            &stats,
+        ),
+        maybe_evict_idle_candidate_on_pressure_for_testing(
+            shared.as_ref(),
+            512,
+            &mut seen_512,
+            &stats,
+        ),
+        maybe_evict_idle_candidate_on_pressure_for_testing(
+            shared.as_ref(),
+            513,
+            &mut seen_513,
+            &stats,
+        ),
     ]
     .iter()
     .filter(|value| **value)
@@ -572,7 +650,12 @@ fn blackhat_stale_pressure_seen_without_candidates_must_be_globally_invalidated(
     // Session A observed pressure while there were no candidates.
     let mut seen_a = 0u64;
     assert!(
-        !maybe_evict_idle_candidate_on_pressure_for_testing(shared.as_ref(), 999_001, &mut seen_a, &stats),
+        !maybe_evict_idle_candidate_on_pressure_for_testing(
+            shared.as_ref(),
+            999_001,
+            &mut seen_a,
+            &stats
+        ),
         "no candidate existed, so no eviction is possible"
     );
 
@@ -580,7 +663,12 @@ fn blackhat_stale_pressure_seen_without_candidates_must_be_globally_invalidated(
     assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 521));
     let mut seen_b = 0u64;
     assert!(
-        !maybe_evict_idle_candidate_on_pressure_for_testing(shared.as_ref(), 521, &mut seen_b, &stats),
+        !maybe_evict_idle_candidate_on_pressure_for_testing(
+            shared.as_ref(),
+            521,
+            &mut seen_b,
+            &stats
+        ),
         "once pressure is observed with empty candidate set, it must not be replayed later"
     );
 
@@ -600,7 +688,12 @@ fn blackhat_stale_pressure_must_not_survive_candidate_churn() {
 
     let mut seen = 0u64;
     assert!(
-        !maybe_evict_idle_candidate_on_pressure_for_testing(shared.as_ref(), 532, &mut seen, &stats),
+        !maybe_evict_idle_candidate_on_pressure_for_testing(
+            shared.as_ref(),
+            532,
+            &mut seen,
+            &stats
+        ),
         "stale pressure must not survive clear+remark churn cycles"
     );
 
@@ -663,7 +756,10 @@ async fn integration_race_single_pressure_event_allows_at_most_one_eviction_unde
     let mut seen_per_session = vec![0u64; sessions];
 
     for conn_id in &conn_ids {
-        assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), *conn_id));
+        assert!(mark_relay_idle_candidate_for_testing(
+            shared.as_ref(),
+            *conn_id
+        ));
     }
 
     for round in 0..rounds {
@@ -676,8 +772,12 @@ async fn integration_race_single_pressure_event_allows_at_most_one_eviction_unde
             let stats = stats.clone();
             let shared = shared.clone();
             joins.push(tokio::spawn(async move {
-                let evicted =
-                    maybe_evict_idle_candidate_on_pressure_for_testing(shared.as_ref(), conn_id, &mut seen, stats.as_ref());
+                let evicted = maybe_evict_idle_candidate_on_pressure_for_testing(
+                    shared.as_ref(),
+                    conn_id,
+                    &mut seen,
+                    stats.as_ref(),
+                );
                 (idx, conn_id, seen, evicted)
             }));
         }
@@ -729,7 +829,10 @@ async fn integration_race_burst_pressure_with_churn_preserves_empty_set_invalida
     let mut seen_per_session = vec![0u64; sessions];
 
     for conn_id in &conn_ids {
-        assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), *conn_id));
+        assert!(mark_relay_idle_candidate_for_testing(
+            shared.as_ref(),
+            *conn_id
+        ));
     }
 
     let mut expected_total_evictions = 0u64;
@@ -751,8 +854,12 @@ async fn integration_race_burst_pressure_with_churn_preserves_empty_set_invalida
             let stats = stats.clone();
             let shared = shared.clone();
             joins.push(tokio::spawn(async move {
-                let evicted =
-                    maybe_evict_idle_candidate_on_pressure_for_testing(shared.as_ref(), conn_id, &mut seen, stats.as_ref());
+                let evicted = maybe_evict_idle_candidate_on_pressure_for_testing(
+                    shared.as_ref(),
+                    conn_id,
+                    &mut seen,
+                    stats.as_ref(),
+                );
                 (idx, conn_id, seen, evicted)
             }));
         }
@@ -774,7 +881,10 @@ async fn integration_race_burst_pressure_with_churn_preserves_empty_set_invalida
                 "round {round}: empty candidate phase must not allow stale-pressure eviction"
             );
             for conn_id in &conn_ids {
-                assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), *conn_id));
+                assert!(mark_relay_idle_candidate_for_testing(
+                    shared.as_ref(),
+                    *conn_id
+                ));
             }
         } else {
             assert!(
@@ -783,7 +893,10 @@ async fn integration_race_burst_pressure_with_churn_preserves_empty_set_invalida
             );
             if let Some(conn_id) = evicted_conn {
                 expected_total_evictions = expected_total_evictions.saturating_add(1);
-                assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), conn_id));
+                assert!(mark_relay_idle_candidate_for_testing(
+                    shared.as_ref(),
+                    conn_id
+                ));
             }
         }
     }

src/proxy/tests/middle_relay_idle_registry_poison_security_tests.rs

@@ -25,7 +25,10 @@ fn blackhat_registry_poison_recovers_with_fail_closed_reset_and_pressure_account
 
     // Helper lock must recover from poison, reset stale state, and continue.
     assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 42));
-    assert_eq!(oldest_relay_idle_candidate_for_testing(shared.as_ref()), Some(42));
+    assert_eq!(
+        oldest_relay_idle_candidate_for_testing(shared.as_ref()),
+        Some(42)
+    );
 
     let before = relay_pressure_event_seq_for_testing(shared.as_ref());
     note_relay_pressure_event_for_testing(shared.as_ref());
@@ -54,11 +57,17 @@ fn clear_state_helper_must_reset_poisoned_registry_for_deterministic_fifo_tests(
 
     clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
 
-    assert_eq!(oldest_relay_idle_candidate_for_testing(shared.as_ref()), None);
+    assert_eq!(
+        oldest_relay_idle_candidate_for_testing(shared.as_ref()),
+        None
+    );
     assert_eq!(relay_pressure_event_seq_for_testing(shared.as_ref()), 0);
 
     assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 7));
-    assert_eq!(oldest_relay_idle_candidate_for_testing(shared.as_ref()), Some(7));
+    assert_eq!(
+        oldest_relay_idle_candidate_for_testing(shared.as_ref()),
+        Some(7)
+    );
 
     clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
 }

src/proxy/tests/proxy_shared_state_isolation_tests.rs

@@ -1,10 +1,10 @@
+use crate::proxy::client::handle_client_stream_with_shared;
 use crate::proxy::handshake::{
     auth_probe_fail_streak_for_testing_in_shared, auth_probe_is_throttled_for_testing_in_shared,
     auth_probe_record_failure_for_testing, clear_auth_probe_state_for_testing_in_shared,
     clear_unknown_sni_warn_state_for_testing_in_shared, clear_warned_secrets_for_testing_in_shared,
     should_emit_unknown_sni_warn_for_testing_in_shared, warned_secrets_for_testing_in_shared,
 };
-use crate::proxy::client::handle_client_stream_with_shared;
 use crate::proxy::middle_relay::{
     clear_desync_dedup_for_testing_in_shared, clear_relay_idle_candidate_for_testing,
     clear_relay_idle_pressure_state_for_testing_in_shared, mark_relay_idle_candidate_for_testing,
@@ -81,7 +81,10 @@ fn new_client_harness() -> ClientHarness {
     }
 }
 
-async fn drive_invalid_mtproto_handshake(shared: Arc<ProxySharedState>, peer: std::net::SocketAddr) {
+async fn drive_invalid_mtproto_handshake(
+    shared: Arc<ProxySharedState>,
+    peer: std::net::SocketAddr,
+) {
     let harness = new_client_harness();
     let (server_side, mut client_side) = duplex(4096);
     let invalid = [0u8; 64];
@@ -108,7 +111,10 @@ async fn drive_invalid_mtproto_handshake(shared: Arc<ProxySharedState>, peer: st
         .write_all(&invalid)
         .await
         .expect("failed to write invalid handshake");
-    client_side.shutdown().await.expect("failed to shutdown client");
+    client_side
+        .shutdown()
+        .await
+        .expect("failed to shutdown client");
     let _ = tokio::time::timeout(Duration::from_secs(3), task)
         .await
         .expect("client task timed out")
@@ -128,7 +134,10 @@ fn proxy_shared_state_two_instances_do_not_share_auth_probe_state() {
         auth_probe_fail_streak_for_testing_in_shared(a.as_ref(), ip),
         Some(1)
     );
-    assert_eq!(auth_probe_fail_streak_for_testing_in_shared(b.as_ref(), ip), None);
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(b.as_ref(), ip),
+        None
+    );
 }
 
 #[test]
@@ -139,8 +148,18 @@ fn proxy_shared_state_two_instances_do_not_share_desync_dedup() {
 
     let now = Instant::now();
     let key = 0xA5A5_u64;
-    assert!(should_emit_full_desync_for_testing(a.as_ref(), key, false, now));
-    assert!(should_emit_full_desync_for_testing(b.as_ref(), key, false, now));
+    assert!(should_emit_full_desync_for_testing(
+        a.as_ref(),
+        key,
+        false,
+        now
+    ));
+    assert!(should_emit_full_desync_for_testing(
+        b.as_ref(),
+        key,
+        false,
+        now
+    ));
 }
 
 #[test]
@@ -150,7 +169,10 @@ fn proxy_shared_state_two_instances_do_not_share_idle_registry() {
     clear_relay_idle_pressure_state_for_testing_in_shared(a.as_ref());
 
     assert!(mark_relay_idle_candidate_for_testing(a.as_ref(), 111));
-    assert_eq!(oldest_relay_idle_candidate_for_testing(a.as_ref()), Some(111));
+    assert_eq!(
+        oldest_relay_idle_candidate_for_testing(a.as_ref()),
+        Some(111)
+    );
     assert_eq!(oldest_relay_idle_candidate_for_testing(b.as_ref()), None);
 }
 
@@ -168,7 +190,10 @@ fn proxy_shared_state_reset_in_one_instance_does_not_affect_another() {
     auth_probe_record_failure_for_testing(b.as_ref(), ip_b, now);
     clear_auth_probe_state_for_testing_in_shared(a.as_ref());
 
-    assert_eq!(auth_probe_fail_streak_for_testing_in_shared(a.as_ref(), ip_a), None);
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(a.as_ref(), ip_a),
+        None
+    );
     assert_eq!(
         auth_probe_fail_streak_for_testing_in_shared(b.as_ref(), ip_b),
         Some(1)
@@ -191,8 +216,14 @@ fn proxy_shared_state_parallel_auth_probe_updates_stay_per_instance() {
         auth_probe_record_failure_for_testing(b.as_ref(), ip, now + Duration::from_millis(1));
     }
 
-    assert_eq!(auth_probe_fail_streak_for_testing_in_shared(a.as_ref(), ip), Some(5));
-    assert_eq!(auth_probe_fail_streak_for_testing_in_shared(b.as_ref(), ip), Some(3));
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(a.as_ref(), ip),
+        Some(5)
+    );
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(b.as_ref(), ip),
+        Some(3)
+    );
 }
 
 #[tokio::test]
@@ -317,8 +348,14 @@ fn proxy_shared_state_auth_saturation_does_not_bleed_across_instances() {
         auth_probe_record_failure_for_testing(a.as_ref(), ip, future_now);
     }
 
-    assert!(auth_probe_is_throttled_for_testing_in_shared(a.as_ref(), ip));
-    assert!(!auth_probe_is_throttled_for_testing_in_shared(b.as_ref(), ip));
+    assert!(auth_probe_is_throttled_for_testing_in_shared(
+        a.as_ref(),
+        ip
+    ));
+    assert!(!auth_probe_is_throttled_for_testing_in_shared(
+        b.as_ref(),
+        ip
+    ));
 }
 
 #[test]
@@ -348,7 +385,10 @@ fn proxy_shared_state_poison_clear_in_one_instance_does_not_affect_other_instanc
 
     clear_auth_probe_state_for_testing_in_shared(a.as_ref());
 
-    assert_eq!(auth_probe_fail_streak_for_testing_in_shared(a.as_ref(), ip_a), None);
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(a.as_ref(), ip_a),
+        None
+    );
     assert_eq!(
         auth_probe_fail_streak_for_testing_in_shared(b.as_ref(), ip_b),
         Some(1),
@@ -463,7 +503,10 @@ fn proxy_shared_state_warned_secret_clear_in_one_instance_does_not_clear_other()
     clear_warned_secrets_for_testing_in_shared(a.as_ref());
     clear_warned_secrets_for_testing_in_shared(b.as_ref());
 
-    let key = ("clear-isolation-user".to_string(), "invalid_length".to_string());
+    let key = (
+        "clear-isolation-user".to_string(),
+        "invalid_length".to_string(),
+    );
     {
         let warned_a = warned_secrets_for_testing_in_shared(a.as_ref());
         let mut guard_a = warned_a
@@ -508,14 +551,24 @@ fn proxy_shared_state_desync_duplicate_suppression_is_instance_scoped() {
 
     let now = Instant::now();
     let key = 0xBEEF_0000_0000_0001u64;
-    assert!(should_emit_full_desync_for_testing(a.as_ref(), key, false, now));
+    assert!(should_emit_full_desync_for_testing(
+        a.as_ref(),
+        key,
+        false,
+        now
+    ));
     assert!(!should_emit_full_desync_for_testing(
         a.as_ref(),
         key,
         false,
         now + Duration::from_millis(1)
     ));
-    assert!(should_emit_full_desync_for_testing(b.as_ref(), key, false, now));
+    assert!(should_emit_full_desync_for_testing(
+        b.as_ref(),
+        key,
+        false,
+        now
+    ));
 }
 
 #[test]
@@ -527,8 +580,18 @@ fn proxy_shared_state_desync_clear_in_one_instance_does_not_clear_other() {
 
     let now = Instant::now();
     let key = 0xCAFE_0000_0000_0001u64;
-    assert!(should_emit_full_desync_for_testing(a.as_ref(), key, false, now));
-    assert!(should_emit_full_desync_for_testing(b.as_ref(), key, false, now));
+    assert!(should_emit_full_desync_for_testing(
+        a.as_ref(),
+        key,
+        false,
+        now
+    ));
+    assert!(should_emit_full_desync_for_testing(
+        b.as_ref(),
+        key,
+        false,
+        now
+    ));
 
     clear_desync_dedup_for_testing_in_shared(a.as_ref());
 
@@ -558,7 +621,10 @@ fn proxy_shared_state_idle_candidate_clear_in_one_instance_does_not_affect_other
     clear_relay_idle_candidate_for_testing(a.as_ref(), 1001);
 
     assert_eq!(oldest_relay_idle_candidate_for_testing(a.as_ref()), None);
-    assert_eq!(oldest_relay_idle_candidate_for_testing(b.as_ref()), Some(2002));
+    assert_eq!(
+        oldest_relay_idle_candidate_for_testing(b.as_ref()),
+        Some(2002)
+    );
 }
 
 #[test]

src/proxy/tests/proxy_shared_state_parallel_execution_tests.rs

@@ -1,16 +1,17 @@
 use crate::proxy::handshake::{
     auth_probe_fail_streak_for_testing_in_shared, auth_probe_record_failure_for_testing,
-    clear_auth_probe_state_for_testing_in_shared, clear_unknown_sni_warn_state_for_testing_in_shared,
+    clear_auth_probe_state_for_testing_in_shared,
+    clear_unknown_sni_warn_state_for_testing_in_shared,
     should_emit_unknown_sni_warn_for_testing_in_shared,
 };
 use crate::proxy::middle_relay::{
-    clear_desync_dedup_for_testing_in_shared, clear_relay_idle_pressure_state_for_testing_in_shared,
-    mark_relay_idle_candidate_for_testing, oldest_relay_idle_candidate_for_testing,
-    should_emit_full_desync_for_testing,
+    clear_desync_dedup_for_testing_in_shared,
+    clear_relay_idle_pressure_state_for_testing_in_shared, mark_relay_idle_candidate_for_testing,
+    oldest_relay_idle_candidate_for_testing, should_emit_full_desync_for_testing,
 };
 use crate::proxy::shared_state::ProxySharedState;
-use rand::SeedableRng;
 use rand::RngExt;
+use rand::SeedableRng;
 use rand::rngs::StdRng;
 use std::net::{IpAddr, Ipv4Addr};
 use std::sync::Arc;
@@ -99,8 +100,14 @@ async fn proxy_shared_state_dual_instance_same_ip_high_contention_no_counter_ble
         handle.await.expect("task join failed");
     }
 
-    assert_eq!(auth_probe_fail_streak_for_testing_in_shared(a.as_ref(), ip), Some(64));
-    assert_eq!(auth_probe_fail_streak_for_testing_in_shared(b.as_ref(), ip), Some(64));
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(a.as_ref(), ip),
+        Some(64)
+    );
+    assert_eq!(
+        auth_probe_fail_streak_for_testing_in_shared(b.as_ref(), ip),
+        Some(64)
+    );
 }
 
 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
@@ -183,12 +190,7 @@ async fn proxy_shared_state_seed_matrix_concurrency_isolation_no_counter_bleed()
         clear_auth_probe_state_for_testing_in_shared(shared_a.as_ref());
         clear_auth_probe_state_for_testing_in_shared(shared_b.as_ref());
 
-        let ip = IpAddr::V4(Ipv4Addr::new(
-            198,
-            51,
-            100,
-            rng.random_range(1_u8..=250_u8),
-        ));
+        let ip = IpAddr::V4(Ipv4Addr::new(198, 51, 100, rng.random_range(1_u8..=250_u8)));
         let workers = rng.random_range(16_usize..=48_usize);
         let rounds = rng.random_range(4_usize..=10_usize);
 
@@ -210,7 +212,11 @@ async fn proxy_shared_state_seed_matrix_concurrency_isolation_no_counter_bleed()
                 handles.push(tokio::spawn(async move {
                     start_a.wait().await;
                     for _ in 0..a_ops {
-                        auth_probe_record_failure_for_testing(shared_a.as_ref(), ip, Instant::now());
+                        auth_probe_record_failure_for_testing(
+                            shared_a.as_ref(),
+                            ip,
+                            Instant::now(),
+                        );
                     }
                 }));
 
@@ -219,7 +225,11 @@ async fn proxy_shared_state_seed_matrix_concurrency_isolation_no_counter_bleed()
                 handles.push(tokio::spawn(async move {
                     start_b.wait().await;
                     for _ in 0..b_ops {
-                        auth_probe_record_failure_for_testing(shared_b.as_ref(), ip, Instant::now());
+                        auth_probe_record_failure_for_testing(
+                            shared_b.as_ref(),
+                            ip,
+                            Instant::now(),
+                        );
                     }
                 }));
             }

src/proxy/tests/relay_baseline_invariant_tests.rs

@@ -69,7 +69,10 @@ async fn relay_baseline_activity_timeout_fires_after_inactivity() {
         .expect("relay must complete after inactivity timeout")
         .expect("relay task must not panic");
 
-    assert!(done.is_ok(), "relay must return Ok(()) after inactivity timeout");
+    assert!(
+        done.is_ok(),
+        "relay must return Ok(()) after inactivity timeout"
+    );
 }
 
 #[tokio::test]
@@ -155,7 +158,10 @@ async fn relay_baseline_bidirectional_bytes_counted_symmetrically() {
         .expect("relay task must not panic");
     assert!(done.is_ok());
 
-    assert_eq!(stats.get_user_total_octets(user), (c2s.len() + s2c.len()) as u64);
+    assert_eq!(
+        stats.get_user_total_octets(user),
+        (c2s.len() + s2c.len()) as u64
+    );
 }
 
 #[tokio::test]
@@ -222,7 +228,10 @@ async fn relay_baseline_broken_pipe_midtransfer_returns_error() {
     match done {
         Err(ProxyError::Io(err)) => {
             assert!(
-                matches!(err.kind(), io::ErrorKind::BrokenPipe | io::ErrorKind::ConnectionReset),
+                matches!(
+                    err.kind(),
+                    io::ErrorKind::BrokenPipe | io::ErrorKind::ConnectionReset
+                ),
                 "expected BrokenPipe/ConnectionReset, got {:?}",
                 err.kind()
             );

src/proxy/tests/test_harness_common.rs

@@ -1,6 +1,6 @@
 use crate::config::ProxyConfig;
-use rand::rngs::StdRng;
 use rand::SeedableRng;
+use rand::rngs::StdRng;
 use std::io;
 use std::pin::Pin;
 use std::sync::Arc;
@@ -18,7 +18,10 @@ mod tests {
         let arc = Arc::<AtomicUsize>::from_raw(data.cast::<AtomicUsize>());
         let cloned = Arc::clone(&arc);
         let _ = Arc::into_raw(arc);
-        RawWaker::new(Arc::into_raw(cloned).cast::<()>(), &WAKE_COUNTER_WAKER_VTABLE)
+        RawWaker::new(
+            Arc::into_raw(cloned).cast::<()>(),
+            &WAKE_COUNTER_WAKER_VTABLE,
+        )
     }
 
     unsafe fn wake_counter_wake(data: *const ()) {

src/stats/mod.rs

@@ -1593,13 +1593,15 @@ impl Stats {
         self.conntrack_delete_success_total.load(Ordering::Relaxed)
     }
     pub fn get_conntrack_delete_not_found_total(&self) -> u64 {
-        self.conntrack_delete_not_found_total.load(Ordering::Relaxed)
+        self.conntrack_delete_not_found_total
+            .load(Ordering::Relaxed)
     }
     pub fn get_conntrack_delete_error_total(&self) -> u64 {
         self.conntrack_delete_error_total.load(Ordering::Relaxed)
     }
     pub fn get_conntrack_close_event_drop_total(&self) -> u64 {
-        self.conntrack_close_event_drop_total.load(Ordering::Relaxed)
+        self.conntrack_close_event_drop_total
+            .load(Ordering::Relaxed)
     }
     pub fn get_me_keepalive_sent(&self) -> u64 {
         self.me_keepalive_sent.load(Ordering::Relaxed)