Merge pull request #824 from telemt/flow

MSS Tuning
Docs for MSS Tuning
2026-06-22 19:01:10 +03:00 · 2026-06-06 12:25:33 +03:00 · 2026-06-06 12:24:27 +03:00 · 2026-06-06 12:17:19 +03:00 · 2026-06-06 12:11:05 +03:00 · 2026-06-05 14:36:00 +03:00
88 changed files with 4441 additions and 1206 deletions
@@ -111,9 +111,9 @@ checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50"
 [[package]]
 name = "asn1-rs"
-version = "0.7.1"
+version = "0.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "56624a96882bb8c26d61312ae18cb45868e5a9992ea73c58e45c3101e56a1e60"
+checksum = "b7f43a50ac4fdca5df8e885c21b835997f0a1cdee65494a6847694a98652d9d8"
 dependencies = [
 "asn1-rs-derive",
 "asn1-rs-impl",
@@ -121,7 +121,7 @@ dependencies = [
 "nom",
 "num-traits",
 "rusticata-macros",
- "thiserror 2.0.18",
+ "thiserror",
 "time",
 ]
@@ -167,15 +167,15 @@ checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
 [[package]]
 name = "autocfg"
-version = "1.5.0"
+version = "1.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
+checksum = "f2032f911046de80f0a198e0901378627c33f59ea0ac00e363d481118bd70a53"
 [[package]]
 name = "aws-lc-rs"
-version = "1.16.3"
+version = "1.17.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0ec6fb3fe69024a75fa7e1bfb48aa6cf59706a101658ea01bfd33b2b248a038f"
+checksum = "5ec2f1fc3ec205783a5da9a7e6c1509cc69dedf09a1949e412c1e18469326d00"
 dependencies = [
 "aws-lc-sys",
 "zeroize",
@@ -183,9 +183,9 @@ dependencies = [
 [[package]]
 name = "aws-lc-sys"
-version = "0.40.0"
+version = "0.41.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f50037ee5e1e41e7b8f9d161680a725bd1626cb6f8c7e901f91f942850852fe7"
+checksum = "1a2f9779ce85b93ab6170dd940ad0169b5766ff848247aff13bb788b832fe3f4"
 dependencies = [
 "cc",
 "cmake",
@@ -220,12 +220,6 @@ version = "0.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5e764a1d40d510daf35e07be9eb06e75770908c27d411ee6c92109c9840eaaf7"
 [[package]]
 name = "bitflags"
 version = "1.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
 [[package]]
 name = "bitflags"
 version = "2.11.1"
@@ -234,9 +228,9 @@ checksum = "c4512299f36f043ab09a583e57bceb5a5aab7a73db1805848e8fef3c9e8c78b3"
 [[package]]
 name = "blake3"
-version = "1.8.4"
+version = "1.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4d2d5991425dfd0785aed03aedcf0b321d61975c9b5b3689c774a2610ae0b51e"
+checksum = "0aa83c34e62843d924f905e0f5c866eb1dd6545fc4d719e803d9ba6030371fce"
 dependencies = [
 "arrayref",
 "arrayvec",
@@ -266,9 +260,9 @@ dependencies = [
 [[package]]
 name = "bumpalo"
-version = "3.20.2"
+version = "3.20.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5d20789868f4b01b2f2caec9f5c4e0213b41e3e5702a50157d699ae31ced2fcb"
+checksum = "72f5acc6cb2ba439de613abc23857ec3d78374d8ed5ac84e9d11336e87da8649"
 [[package]]
 name = "byte_string"
@@ -299,9 +293,9 @@ dependencies = [
 [[package]]
 name = "cc"
-version = "1.2.60"
+version = "1.2.63"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "43c5703da9466b66a946814e1adf53ea2c90f10063b86290cc9eb67ce3478a20"
+checksum = "556e016178bb5662a08681bbe0f00f8e17631781a4dfc8c45e466e4b185ec27f"
 dependencies = [
 "find-msvc-tools",
 "jobserver",
@@ -309,12 +303,6 @@ dependencies = [
 "shlex",
 ]
 [[package]]
 name = "cesu8"
 version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6d43a04d8753f35258c91f8ec639f792891f748a1edbd759cf1dcea3382ad83c"
 [[package]]
 name = "cfg-if"
 version = "1.0.4"
@@ -660,9 +648,9 @@ dependencies = [
 [[package]]
 name = "dashmap"
-version = "6.1.0"
+version = "6.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5041cc499144891f3790297212f32a74fb938e5136a14943f338ef9e0ae276cf"
+checksum = "e6361d5c062261c78a176addb82d4c821ae42bed6089de0e12603cd25de2059c"
 dependencies = [
 "cfg-if",
 "crossbeam-utils",
@@ -674,9 +662,9 @@ dependencies = [
 [[package]]
 name = "data-encoding"
-version = "2.10.0"
+version = "2.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d7a1e2f27636f116493b8b860f5546edb47c8d8f8ea73e1d2a20be88e28d1fea"
+checksum = "a4ae5f15dda3c708c0ade84bfee31ccab44a3da4f88015ed22f63732abe300c8"
 [[package]]
 name = "der"
@@ -724,9 +712,9 @@ dependencies = [
 [[package]]
 name = "displaydoc"
-version = "0.2.5"
+version = "0.2.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
+checksum = "1ac70aa55017e108007fbaf5aa0f54b021c98f92ff8af59d42eda9da96e3dd4f"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -771,9 +759,9 @@ dependencies = [
 [[package]]
 name = "either"
-version = "1.15.0"
+version = "1.16.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719"
+checksum = "91622ff5e7162018101f2fea40d6ebf4a78bbe5a49736a2020649edf9693679e"
 [[package]]
 name = "enum-as-inner"
@@ -1014,9 +1002,9 @@ dependencies = [
 [[package]]
 name = "h2"
-version = "0.4.13"
+version = "0.4.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2f44da3a8150a6703ed5d34e164b875fd14c2cdab9af1252a9a1020bde2bdc54"
+checksum = "171fefbc92fe4a4de27e0698d6a5b392d6a0e333506bc49133760b3bcf948733"
 dependencies = [
 "atomic-waker",
 "bytes",
@@ -1070,9 +1058,9 @@ dependencies = [
 [[package]]
 name = "hashbrown"
-version = "0.17.0"
+version = "0.17.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4f467dd6dccf739c208452f8014c75c18bb8301b050ad1cfb27153803edb0f51"
+checksum = "ed5909b6e89a2db4456e54cd5f673791d7eca6732202bbf2a9cc504fe2f9b84a"
 [[package]]
 name = "heck"
@@ -1104,7 +1092,7 @@ dependencies = [
 "once_cell",
 "rand 0.9.4",
 "ring",
- "thiserror 2.0.18",
+ "thiserror",
 "tinyvec",
 "tokio",
 "tracing",
@@ -1127,7 +1115,7 @@ dependencies = [
 "rand 0.9.4",
 "resolv-conf",
 "smallvec",
- "thiserror 2.0.18",
+ "thiserror",
 "tokio",
 "tracing",
 ]
@@ -1152,9 +1140,9 @@ dependencies = [
 [[package]]
 name = "http"
-version = "1.4.0"
+version = "1.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e3ba2a386d7f85a81f119ad7498ebe444d2e22c2af0b86b069416ace48b3311a"
+checksum = "8be7462df143984c4598a256ef469b251d7d7f9e271135073e78fc535414f3d0"
 dependencies = [
 "bytes",
 "itoa",
@@ -1197,9 +1185,9 @@ checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"
 [[package]]
 name = "hyper"
-version = "1.9.0"
+version = "1.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6299f016b246a94207e63da54dbe807655bf9e00044f73ded42c3ac5305fbcca"
+checksum = "eb92f162bf56536459fc83c79b974bb12837acfed43d6bc370a7916d0ae15ecc"
 dependencies = [
 "atomic-waker",
 "bytes",
@@ -1380,9 +1368,9 @@ dependencies = [
 [[package]]
 name = "idna_adapter"
-version = "1.2.1"
+version = "1.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3acae9609540aa318d1bc588455225fb2085b9ed0c4f6bd0d9d5bcd86f1a0344"
+checksum = "cb68373c0d6620ef8105e855e7745e18b0d00d3bdb07fb532e434244cdb9a714"
 dependencies = [
 "icu_normalizer",
 "icu_properties",
@@ -1395,7 +1383,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d466e9454f08e4a911e14806c24e16fba1b4c121d1ea474396f396069cf949d9"
 dependencies = [
 "equivalent",
- "hashbrown 0.17.0",
+ "hashbrown 0.17.1",
 "serde",
 "serde_core",
 ]
@@ -1406,7 +1394,7 @@ version = "0.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bd5b3eaf1a28b758ac0faa5a4254e8ab2705605496f1b1f3fbbc3988ad73d199"
 dependencies = [
- "bitflags 2.11.1",
+ "bitflags",
 "inotify-sys",
 "libc",
 ]
@@ -1458,16 +1446,6 @@ dependencies = [
 "serde",
 ]
 [[package]]
 name = "iri-string"
 version = "0.7.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "25e659a4bb38e810ebc252e53b5814ff908a8c58c2a9ce2fae1bbec24cbf4e20"
 dependencies = [
 "memchr",
 "serde",
 ]
 [[package]]
 name = "itertools"
 version = "0.13.0"
@@ -1485,27 +1463,32 @@ checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682"
 [[package]]
 name = "jni"
-version = "0.21.1"
+version = "0.22.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1a87aa2bb7d2af34197c04845522473242e1aa17c12f4935d5856491a7fb8c97"
+checksum = "5efd9a482cf3a427f00d6b35f14332adc7902ce91efb778580e180ff90fa3498"
 dependencies = [
 "cesu8",
 "cfg-if",
 "combine",
- "jni-sys 0.3.1",
+ "jni-macros",
 "jni-sys",
 "log",
- "thiserror 1.0.69",
+ "simd_cesu8",
 "thiserror",
 "walkdir",
- "windows-sys 0.45.0",
+ "windows-link",
 ]
 [[package]]
-name = "jni-sys"
+name = "jni-macros"
-version = "0.3.1"
+version = "0.22.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "41a652e1f9b6e0275df1f15b32661cf0d4b78d4d87ddec5e0c3c20f097433258"
+checksum = "a00109accc170f0bdb141fed3e393c565b6f5e072365c3bd58f5b062591560a3"
 dependencies = [
- "jni-sys 0.4.1",
+ "proc-macro2",
 "quote",
 "rustc_version",
 "simd_cesu8",
 "syn",
 ]
 [[package]]
@@ -1539,9 +1522,9 @@ dependencies = [
 [[package]]
 name = "js-sys"
-version = "0.3.95"
+version = "0.3.99"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2964e92d1d9dc3364cae4d718d93f227e3abb088e747d92e0395bfdedf1c12ca"
+checksum = "142bc4740e452c1e57ade0cbc129f139c9093e354346f0872ef985f4f5cf5f11"
 dependencies = [
 "cfg-if",
 "futures-util",
@@ -1561,11 +1544,11 @@ dependencies = [
 [[package]]
 name = "kqueue-sys"
-version = "1.0.4"
+version = "1.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ed9625ffda8729b85e45cf04090035ac368927b8cebc34898e7c120f52e4838b"
+checksum = "07293a4e297ac234359b510362495713f75ea345d5307140414f20c69ffeb087"
 dependencies = [
- "bitflags 1.3.2",
+ "bitflags",
 "libc",
 ]
@@ -1583,9 +1566,9 @@ checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2"
 [[package]]
 name = "libc"
-version = "0.2.185"
+version = "0.2.186"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "52ff2c0fe9bc6cb6b14a0592c2ff4fa9ceb83eea9db979b0487cd054946a2b8f"
+checksum = "68ab91017fe16c622486840e4c83c9a37afeff978bd239b5293d61ece587de66"
 [[package]]
 name = "linux-raw-sys"
@@ -1610,9 +1593,9 @@ dependencies = [
 [[package]]
 name = "log"
-version = "0.4.29"
+version = "0.4.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
+checksum = "616ec5685824bcc94416c6d4a7a446eea774a31efd7062c8480ba6fd06d7a6e5"
 [[package]]
 name = "lru"
@@ -1656,9 +1639,9 @@ dependencies = [
 [[package]]
 name = "memchr"
-version = "2.8.0"
+version = "2.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
+checksum = "6b947ae49db0d222b1dbc6b113ce7248a3fc3a6ca21b696717bfc000ba4484d8"
 [[package]]
 name = "memoffset"
@@ -1677,9 +1660,9 @@ checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
 [[package]]
 name = "mio"
-version = "1.2.0"
+version = "1.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "50b7e5b27aa02a74bac8c3f23f448f8d87ff11f92d3aac1a6ed369ee08cc56c1"
+checksum = "02bd0af71c67b473010cbbc60715ee815645a4dc942899111f494b4b737d6fda"
 dependencies = [
 "libc",
 "log",
@@ -1706,11 +1689,11 @@ dependencies = [
 [[package]]
 name = "nix"
-version = "0.31.2"
+version = "0.31.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5d6d0705320c1e6ba1d912b5e37cf18071b6c2e9b7fa8215a1e8a7651966f5d3"
+checksum = "cf20d2fde8ff38632c426f1165ed7436270b44f199fc55284c38276f9db47c3d"
 dependencies = [
- "bitflags 2.11.1",
+ "bitflags",
 "cfg-if",
 "cfg_aliases",
 "libc",
@@ -1733,7 +1716,7 @@ version = "8.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4d3d07927151ff8575b7087f245456e549fea62edf0ec4e565a5ee50c8402bc3"
 dependencies = [
- "bitflags 2.11.1",
+ "bitflags",
 "fsevent-sys",
 "inotify",
 "kqueue",
@@ -1751,7 +1734,7 @@ version = "2.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "42b8cfee0e339a0337359f3c88165702ac6e600dc01c0cc9579a92d62b08477a"
 dependencies = [
- "bitflags 2.11.1",
+ "bitflags",
 ]
 [[package]]
@@ -1775,9 +1758,9 @@ dependencies = [
 [[package]]
 name = "num-conv"
-version = "0.2.1"
+version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c6673768db2d862beb9b39a78fdcb1a69439615d5794a1be50caa9bc92c81967"
+checksum = "521739c6d2bac4aa25192232afe6841231376b2b26d4d9fae5ecf8ca5772e441"
 [[package]]
 name = "num-integer"
@@ -1875,18 +1858,18 @@ checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220"
 [[package]]
 name = "pin-project"
-version = "1.1.11"
+version = "1.1.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1749c7ed4bcaf4c3d0a3efc28538844fb29bcdd7d2b67b2be7e20ba861ff517"
+checksum = "2466b2336ed02bcdca6b294417127b90ec92038d1d5c4fbeac971a922e0e0924"
 dependencies = [
 "pin-project-internal",
 ]
 [[package]]
 name = "pin-project-internal"
-version = "1.1.11"
+version = "1.1.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d9b20ed30f105399776b9c883e68e536ef602a16ae6f596d2c473591d6ad64c6"
+checksum = "c96395f0a926bc13b1c17622aaddda1ecb55d49c8f1bf9777e4d877800a43f8b"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -2017,7 +2000,7 @@ checksum = "4b45fcc2344c680f5025fe57779faef368840d0bd1f42f216291f0dc4ace4744"
 dependencies = [
 "bit-set",
 "bit-vec",
- "bitflags 2.11.1",
+ "bitflags",
 "num-traits",
 "rand 0.9.4",
 "rand_chacha",
@@ -2048,7 +2031,7 @@ dependencies = [
 "rustc-hash",
 "rustls",
 "socket2",
- "thiserror 2.0.18",
+ "thiserror",
 "tokio",
 "tracing",
 "web-time",
@@ -2070,7 +2053,7 @@ dependencies = [
 "rustls",
 "rustls-pki-types",
 "slab",
- "thiserror 2.0.18",
+ "thiserror",
 "tinyvec",
 "tracing",
 "web-time",
@@ -2201,7 +2184,7 @@ version = "0.5.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d"
 dependencies = [
- "bitflags 2.11.1",
+ "bitflags",
 ]
 [[package]]
@@ -2235,9 +2218,9 @@ checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a"
 [[package]]
 name = "reqwest"
-version = "0.13.2"
+version = "0.13.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ab3f43e3283ab1488b624b44b0e988d0acea0b3214e694730a055cb6b2efa801"
+checksum = "219c5811de6525e5416c7d5d53bb656d3afdbc6c5af816e0802bcfa42dbdc1c3"
 dependencies = [
 "base64",
 "bytes",
@@ -2331,7 +2314,7 @@ version = "1.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b6fe4565b9518b83ef4f91bb47ce29620ca828bd32cb7e408f0062e9930ba190"
 dependencies = [
- "bitflags 2.11.1",
+ "bitflags",
 "errno",
 "libc",
 "linux-raw-sys",
@@ -2340,9 +2323,9 @@ dependencies = [
 [[package]]
 name = "rustls"
-version = "0.23.38"
+version = "0.23.40"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "69f9466fb2c14ea04357e91413efb882e2a6d4a406e625449bc0a5d360d53a21"
+checksum = "ef86cd5876211988985292b91c96a8f2d298df24e75989a43a3c73f2d4d8168b"
 dependencies = [
 "aws-lc-rs",
 "once_cell",
@@ -2367,9 +2350,9 @@ dependencies = [
 [[package]]
 name = "rustls-pki-types"
-version = "1.14.0"
+version = "1.14.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "be040f8b0a225e40375822a563fa9524378b9d63112f53e19ffff34df5d33fdd"
+checksum = "30a7197ae7eb376e574fe940d068c30fe0462554a3ddbe4eca7838e049c937a9"
 dependencies = [
 "web-time",
 "zeroize",
@@ -2377,9 +2360,9 @@ dependencies = [
 [[package]]
 name = "rustls-platform-verifier"
-version = "0.6.2"
+version = "0.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1d99feebc72bae7ab76ba994bb5e121b8d83d910ca40b36e0921f53becc41784"
+checksum = "26d1e2536ce4f35f4846aa13bff16bd0ff40157cdb14cc056c7b14ba41233ba0"
 dependencies = [
 "core-foundation",
 "core-foundation-sys",
@@ -2479,7 +2462,7 @@ version = "3.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b7f4bc775c73d9a02cde8bf7b2ec4c9d12743edf609006c7facc23998404cd1d"
 dependencies = [
- "bitflags 2.11.1",
+ "bitflags",
 "core-foundation",
 "core-foundation-sys",
 "libc",
@@ -2544,9 +2527,9 @@ dependencies = [
 [[package]]
 name = "serde_json"
-version = "1.0.149"
+version = "1.0.150"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "83fc039473c5595ace860d8c4fafa220ff474b3fc6bfdb4293327f1a37e94d86"
+checksum = "e8014e44b4736ed0538adeecded0fce2a272f22dc9578a7eb6b2d9993c74cfb9"
 dependencies = [
 "itoa",
 "memchr",
@@ -2629,7 +2612,7 @@ dependencies = [
 "shadowsocks-crypto",
 "socket2",
 "spin",
- "thiserror 2.0.18",
+ "thiserror",
 "tokio",
 "tokio-tfo",
 "trait-variant",
@@ -2667,9 +2650,9 @@ dependencies = [
 [[package]]
 name = "shlex"
-version = "1.3.0"
+version = "2.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
+checksum = "f8fadd59c855ef2080decdef8ff161eb6661b86933c9d82e5ba29dc602a55aba"
 [[package]]
 name = "signal-hook-registry"
@@ -2687,6 +2670,22 @@ version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de"
 [[package]]
 name = "simd_cesu8"
 version = "1.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "94f90157bb87cddf702797c5dadfa0be7d266cdf49e22da2fcaa32eff75b2c33"
 dependencies = [
 "rustc_version",
 "simdutf8",
 ]
 [[package]]
 name = "simdutf8"
 version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e3a9fe34e3e7a50316060351f37187a3f546bce95496156754b601a5fa71b76e"
 [[package]]
 name = "slab"
 version = "0.4.12"
@@ -2701,9 +2700,9 @@ checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
 [[package]]
 name = "socket2"
-version = "0.6.3"
+version = "0.6.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3a766e1110788c36f4fa1c2b71b387a7815aa65f88ce0229841826633d93723e"
+checksum = "52d1cfed4120b4d927bf7c0f86d2087a4a7d6027c906d9f9d525a80573b9be51"
 dependencies = [
 "libc",
 "windows-sys 0.61.2",
@@ -2791,7 +2790,7 @@ checksum = "7b2093cf4c8eb1e67749a6762251bc9cd836b6fc171623bd0a9d324d37af2417"
 [[package]]
 name = "telemt"
-version = "3.4.12"
+version = "3.4.15"
 dependencies = [
 "aes",
 "anyhow",
@@ -2835,7 +2834,7 @@ dependencies = [
 "socket2",
 "static_assertions",
 "subtle",
- "thiserror 2.0.18",
+ "thiserror",
 "tokio",
 "tokio-rustls",
 "tokio-test",
@@ -2864,33 +2863,13 @@ dependencies = [
 "windows-sys 0.61.2",
 ]
 [[package]]
 name = "thiserror"
 version = "1.0.69"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52"
 dependencies = [
 "thiserror-impl 1.0.69",
 ]
 [[package]]
 name = "thiserror"
 version = "2.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4"
 dependencies = [
- "thiserror-impl 2.0.18",
+ "thiserror-impl",
 ]
 [[package]]
 name = "thiserror-impl"
 version = "1.0.69"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn",
 ]
 [[package]]
@@ -2981,9 +2960,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 [[package]]
 name = "tokio"
-version = "1.52.1"
+version = "1.52.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b67dee974fe86fd92cc45b7a95fdd2f99a36a6d7b0d431a231178d3d670bbcc6"
+checksum = "8fc7f01b389ac15039e4dc9531aa973a135d7a4135281b12d7c1bc79fd57fffe"
 dependencies = [
 "bytes",
 "libc",
@@ -3130,20 +3109,20 @@ dependencies = [
 [[package]]
 name = "tower-http"
-version = "0.6.8"
+version = "0.6.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
+checksum = "4cfcf7e2740e6fc6d4d688b4ef00650406bb94adf4731e43c096c3a19fe40840"
 dependencies = [
- "bitflags 2.11.1",
+ "bitflags",
 "bytes",
 "futures-util",
 "http",
 "http-body",
 "iri-string",
 "pin-project-lite",
 "tower",
 "tower-layer",
 "tower-service",
 "url",
 ]
 [[package]]
@@ -3177,7 +3156,7 @@ checksum = "050686193eb999b4bb3bc2acfa891a13da00f79734704c4b8b4ef1a10b368a3c"
 dependencies = [
 "crossbeam-channel",
 "symlink",
- "thiserror 2.0.18",
+ "thiserror",
 "time",
 "tracing-subscriber",
 ]
@@ -3384,9 +3363,9 @@ dependencies = [
 [[package]]
 name = "wasm-bindgen"
-version = "0.2.118"
+version = "0.2.122"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0bf938a0bacb0469e83c1e148908bd7d5a6010354cf4fb73279b7447422e3a89"
+checksum = "3ed04576f974d2b2fba0f38c51dbc5518011e38c36bf1143164be765528fd409"
 dependencies = [
 "cfg-if",
 "once_cell",
@@ -3397,9 +3376,9 @@ dependencies = [
 [[package]]
 name = "wasm-bindgen-futures"
-version = "0.4.68"
+version = "0.4.72"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f371d383f2fb139252e0bfac3b81b265689bf45b6874af544ffa4c975ac1ebf8"
+checksum = "9473dbd2991ae90b6291c3c32c30c6187ac49aa32f9905d1cce280ec1e110b0f"
 dependencies = [
 "js-sys",
 "wasm-bindgen",
@@ -3407,9 +3386,9 @@ dependencies = [
 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.118"
+version = "0.2.122"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eeff24f84126c0ec2db7a449f0c2ec963c6a49efe0698c4242929da037ca28ed"
+checksum = "916151b09da36bd82f6615cbf3a419e2f0ba23a03c6160e8e92eb6bd4aa1dec6"
 dependencies = [
 "quote",
 "wasm-bindgen-macro-support",
@@ -3417,9 +3396,9 @@ dependencies = [
 [[package]]
 name = "wasm-bindgen-macro-support"
-version = "0.2.118"
+version = "0.2.122"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9d08065faf983b2b80a79fd87d8254c409281cf7de75fc4b773019824196c904"
+checksum = "299047362ccbfce148b67ab7e73349f77748e00c8296f9542adfad2ad82c5c5e"
 dependencies = [
 "bumpalo",
 "proc-macro2",
@@ -3430,9 +3409,9 @@ dependencies = [
 [[package]]
 name = "wasm-bindgen-shared"
-version = "0.2.118"
+version = "0.2.122"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5fd04d9e306f1907bd13c6361b5c6bfc7b3b3c095ed3f8a9246390f8dbdee129"
+checksum = "9a929b2c61f11ba3e9bc35b50c1f25cb38e0e892c0c231ae2b8cf78d5dad4437"
 dependencies = [
 "unicode-ident",
 ]
@@ -3465,7 +3444,7 @@ version = "0.244.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "47b807c72e1bac69382b3a6fb3dbe8ea4c0ed87ff5629b8685ae6b9a611028fe"
 dependencies = [
- "bitflags 2.11.1",
+ "bitflags",
 "hashbrown 0.15.5",
 "indexmap",
 "semver",
@@ -3473,9 +3452,9 @@ dependencies = [
 [[package]]
 name = "web-sys"
-version = "0.3.95"
+version = "0.3.99"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4f2dfbb17949fa2088e5d39408c48368947b86f7834484e87b73de55bc14d97d"
+checksum = "6d621441cfc37b84979402712047321980c178f299193a3589d05b99e8763436"
 dependencies = [
 "js-sys",
 "wasm-bindgen",
@@ -3616,15 +3595,6 @@ dependencies = [
 "windows-link",
 ]
 [[package]]
 name = "windows-sys"
 version = "0.45.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "75283be5efb2831d37ea142365f009c02ec203cd29a3ebecbc093d52315b66d0"
 dependencies = [
 "windows-targets 0.42.2",
 ]
 [[package]]
 name = "windows-sys"
 version = "0.52.0"
@@ -3652,21 +3622,6 @@ dependencies = [
 "windows-link",
 ]
 [[package]]
 name = "windows-targets"
 version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8e5180c00cd44c9b1c88adb3693291f1cd93605ded80c250a75d472756b4d071"
 dependencies = [
 "windows_aarch64_gnullvm 0.42.2",
 "windows_aarch64_msvc 0.42.2",
 "windows_i686_gnu 0.42.2",
 "windows_i686_msvc 0.42.2",
 "windows_x86_64_gnu 0.42.2",
 "windows_x86_64_gnullvm 0.42.2",
 "windows_x86_64_msvc 0.42.2",
 ]
 [[package]]
 name = "windows-targets"
 version = "0.52.6"
@@ -3700,12 +3655,6 @@ dependencies = [
 "windows_x86_64_msvc 0.53.1",
 ]
 [[package]]
 name = "windows_aarch64_gnullvm"
 version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8"
 [[package]]
 name = "windows_aarch64_gnullvm"
 version = "0.52.6"
@@ -3718,12 +3667,6 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a9d8416fa8b42f5c947f8482c43e7d89e73a173cead56d044f6a56104a6d1b53"
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43"
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.52.6"
@@ -3736,12 +3679,6 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b9d782e804c2f632e395708e99a94275910eb9100b2114651e04744e9b125006"
 [[package]]
 name = "windows_i686_gnu"
 version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f"
 [[package]]
 name = "windows_i686_gnu"
 version = "0.52.6"
@@ -3766,12 +3703,6 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fa7359d10048f68ab8b09fa71c3daccfb0e9b559aed648a8f95469c27057180c"
 [[package]]
 name = "windows_i686_msvc"
 version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060"
 [[package]]
 name = "windows_i686_msvc"
 version = "0.52.6"
@@ -3784,12 +3715,6 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e7ac75179f18232fe9c285163565a57ef8d3c89254a30685b57d83a38d326c2"
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36"
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.52.6"
@@ -3802,12 +3727,6 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9c3842cdd74a865a8066ab39c8a7a473c0778a3f29370b5fd6b4b9aa7df4a499"
 [[package]]
 name = "windows_x86_64_gnullvm"
 version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3"
 [[package]]
 name = "windows_x86_64_gnullvm"
 version = "0.52.6"
@@ -3820,12 +3739,6 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0ffa179e2d07eee8ad8f57493436566c7cc30ac536a3379fdf008f47f6bb7ae1"
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0"
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.52.6"
@@ -3840,9 +3753,9 @@ checksum = "d6bbff5f0aada427a1e5a6da5f1f98158182f26556f345ac9e04d36d0ebed650"
 [[package]]
 name = "winnow"
-version = "1.0.1"
+version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "09dac053f1cd375980747450bfc7250c264eaae0583872e845c0c7cd578872b5"
+checksum = "0592e1c9d151f854e6fd382574c3a0855250e1d9b2f99d9281c6e6391af352f1"
 [[package]]
 name = "wit-bindgen"
@@ -3908,7 +3821,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9d66ea20e9553b30172b5e831994e35fbde2d165325bec84fc43dbf6f4eb9cb2"
 dependencies = [
 "anyhow",
- "bitflags 2.11.1",
+ "bitflags",
 "indexmap",
 "log",
 "serde",
@@ -3969,7 +3882,7 @@ dependencies = [
 "nom",
 "oid-registry",
 "rusticata-macros",
- "thiserror 2.0.18",
+ "thiserror",
 "time",
 ]
@@ -3998,18 +3911,18 @@ dependencies = [
 [[package]]
 name = "zerocopy"
-version = "0.8.48"
+version = "0.8.49"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eed437bf9d6692032087e337407a86f04cd8d6a16a37199ed57949d415bd68e9"
+checksum = "bce33a6288fa3f072a8c2c7d0f2fdbb90e28298f0135c1f99b96c3db2efcc60b"
 dependencies = [
 "zerocopy-derive",
 ]
 [[package]]
 name = "zerocopy-derive"
-version = "0.8.48"
+version = "0.8.49"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "70e3cd084b1788766f53af483dd21f93881ff30d7320490ec3ef7526d203bad4"
+checksum = "8fd425244944f4ab65ccff928e7323354c5a018c75838362fdce749dfad2ee1e"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -4018,9 +3931,9 @@ dependencies = [
 [[package]]
 name = "zerofrom"
-version = "0.1.7"
+version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "69faa1f2a1ea75661980b013019ed6687ed0e83d069bc1114e2cc74c6c04c4df"
+checksum = "0ec05a11813ea801ff6d75110ad09cd0824ddba17dfe17128ea0d5f68e6c5272"
 dependencies = [
 "zerofrom-derive",
 ]
@@ -1,6 +1,6 @@
 [package]
 name = "telemt"
-version = "3.4.12"
+version = "3.4.15"
 edition = "2024"
 [features]
@@ -4,13 +4,13 @@
 [🇷🇺 README на русском](https://github.com/telemt/telemt/blob/main/README.ru.md)
 ***Löst Probleme, bevor andere überhaupt wissen, dass sie existieren*** / ***It solves problems before others even realize they exist***
 > [!NOTE]
 >
-> Fixed TLS ClientHello is now available in official clients for Desktop / Android / iOS
+> From June 5th, 2026: we are already analyzing the causes of a new wave of "malfunctions"
 > 
-> To work with EE-MTProxy, please update your client!
+> Telegram Clients TLS ClientHello has been banned by JA3 Fingerprint: we are already looking for ways to solve this problem
 >
 > You can try build your client with our Telegram Devlibrary - [tdlib-obf](https://github.com/telemt/tdlib-obf)
 <p align="center">
  <a href="https://t.me/telemtrs">
@@ -1,57 +1,52 @@
 # Telemt — MTProxy на Rust + Tokio
-[![Latest Release](https://img.shields.io/github/v/release/telemt/telemt?color=neon)](https://github.com/telemt/telemt/releases/latest) [![Stars](https://img.shields.io/github/stars/telemt/telemt?style=social)](https://github.com/telemt/telemt/stargazers) [![Forks](https://img.shields.io/github/forks/telemt/telemt?style=social)](https://github.com/telemt/telemt/network/members) [![Telegram](https://img.shields.io/badge/Telegram-Chat-24a1de?logo=telegram&logoColor=24a1de)](https://t.me/telemtrs)
+[![Latest Release](https://img.shields.io/github/v/release/telemt/telemt?color=neon)](https://github.com/telemt/telemt/releases/latest) [![Stars](https://img.shields.io/github/stars/telemt/telemt?style=social)](https://github.com/telemt/telemt/stargazers) [![Forks](https://img.shields.io/github/forks/telemt/telemt?style=social)](https://github.com/telemt/telemt/network/members)
 ***Решает проблемы раньше, чем другие узнают об их существовании***
 > [!NOTE]
 >
-> Исправленный TLS ClientHello доступен в Telegram для настольных ПК, Android и iOS.
+> Клиенты Telegram подвергаются блокировке по JA3-отпечатку; мы ищем варианты решения этой проблемы
 > 
-> Пожалуйста, обновите клиентское приложение для работы с EE-MTProxy.
+> Вы можете попробовать собрать свой клиент с нашей Telegram Devlibrary — [tdlib-obf](https://github.com/telemt/tdlib-obf)
 <p align="center">
  <a href="https://t.me/telemtrs">
-    <img src="/docs/assets/telegram_button.svg" width="150"/>
+    <img src="https://github.com/user-attachments/assets/30b7e7b9-974a-4e3d-aab6-b58a85de4507" width="240"/>
  </a>
 </p>
-**Telemt** — это быстрый, безопасный и функциональный сервер, написанный на Rust. Он полностью реализует официальный алгоритм прокси Telegram и добавляет множество улучшений для продакшена:
+**Telemt** — это быстрый, безопасный и функциональный сервер, написанный на Rust: он полностью реализует официальный алгоритм Telegram прокси и добавляет множество различных улучшений
 ## Установка и обновление одной командой
 ```bash
 curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh
 ```
 - [Инструкция по быстрому запуску](docs/Quick_start/QUICK_START_GUIDE.ru.md)
 - [Quick Start Guide](docs/Quick_start/QUICK_START_GUIDE.en.md)
-Реализация **TLS-fronting** максимально приближена к поведению реального HTTPS-трафика (подробнее - [FAQ](docs/FAQ.ru.md#распознаваемость-для-dpi-и-сканеров)).
+## Функционал
 Наша реализация **TLS-fronting** одна из наиболее глубоко отлаженных, продвинутых и почти поведенчески неотличима от настоящего: мы уверены, что сделали это правильно - [см. доказательства в нашей проверке](docs/FAQ.ru.md#распознаваемость-для-dpi-и-сканеров).
-***Middle-End Pool*** оптимизирован для высокой производительности.
+Наша архитектура ***Middle-End Pool*** в стандартных сценариях самая производительная, по сравнению с другими реализациями подключения к Middle-End прокси: не кардинально, но достаточно
- Поддержка всех режимов MTProto proxy:
+- Полная поддержа всех официальных режимов MTProto proxy:
  - Classic;
-  - Secure (префикс `dd`);
+  - Secure — с префиксом `dd`;
-  - Fake TLS (префикс `ee` + SNI fronting);
+  - Fake TLS — с префиксом `ee` + SNI fronting;
 - Защита от replay-атак;
- Маскировка трафика (перенаправление неизвестных подключений на реальные сайты);
+- Опциональная маскировка трафика: перенаправление неизвестных подключений на реальные сайты;
- Настраиваемые keepalive, таймауты, IPv6 и «быстрый режим»;
+- Настраиваемые keepalive, таймауты, IPv6 и "быстрый режим";
 - Корректное завершение работы (Ctrl+C);
- Подробное логирование через `trace` и `debug`.
+- Подробное логирование через `trace` и `debug` с помощью `RUST_LOG`.
-# Подробнее о Telemt
+## ЧаВо
- [FAQ](#faq)
+- [Часто задаваемые вопросы](docs/FAQ.ru.md)
 - [Архитектура](docs/Architecture)
 - [Параметры конфигурационного файла](docs/Config_params)
 - [Сборка](#build)
 - [Установка на BSD](#%D1%83%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%BA%D0%B0-%D0%BD%D0%B0-bsd)
 - [Почему Rust?](#why-rust)
-## FAQ
+# Узнайте больше о Telemt
- [FAQ RU](docs/FAQ.ru.md)
+- [Наша архитектура](docs/Architecture)
- [FAQ EN](docs/FAQ.en.md)
+- [Все конфигурационные параметры](docs/Config_params)
 - [Как собрать Telemt самостоятельно?](#сборка)
 - [Установка на BSD](docs/Quick_start/OPENBSD_QUICK_START_GUIDE.en.md)
 - [Почему Rust?](#почему-rust)
 ## Сборка
 ```bash
@@ -63,7 +58,7 @@ cd telemt
 cargo build --release
 # В текущем release-профиле используется lto = "fat" для максимальной оптимизации (см. Cargo.toml).
-# На системах с малым объёмом RAM (~1 ГБ) можно переопределить это значение на "thin".
+# На системах с малым объёмом ОЗУ (~1 ГБ) можно переопределить это значение на "thin".
 # Перейдите в каталог /bin
 mv ./target/release/telemt /bin
@@ -73,24 +68,19 @@ chmod +x /bin/telemt
 telemt config.toml
 ```
 ## Установка на BSD
 - Руководство по сборке и настройке на английском языке [OpenBSD Guide (EN)](docs/Quick_start/OPENBSD_QUICK_START_GUIDE.en.md);
 - Пример rc.d скрипта: [contrib/openbsd/telemt.rcd](contrib/openbsd/telemt.rcd);
 - Поддержка sandbox с `pledge(2)` и `unveil(2)` пока не реализована.
 ## Почему Rust?
- Надёжность для долгоживущих процессов;
+- Надёжность при длительной работе и идемпотентное поведение;
- Детерминированное управление ресурсами (RAII);
+- Детерминированное управление ресурсами — RAII;
 - Отсутствие сборщика мусора;
- Безопасность памяти;
+- Безопасность памяти и меньше поверхность атаки;
 - Асинхронная архитектура Tokio.
 ## Поддержать Telemt
-Telemt — это бесплатное программное обеспечение с открытым исходным кодом, разработанное в свободное время.
+Telemt — это бесплатное программное обеспечение с открытым исходным кодом, разрабатываемое в свободное время.
 Если оно оказалось вам полезным, вы можете поддержать дальнейшую разработку.
-Принимаемые криптовалюты (BTC, ETH, USDT, 350+ и другие):
+Любая криптовалюта (BTC, ETH, USDT и 350+ других):
 <p align="center">
  <a href="https://nowpayments.io/donation?api_key=2bf1afd2-abc2-49f9-a012-f1e715b37223" target="_blank" rel="noreferrer noopener">
@@ -10,12 +10,15 @@ services:
      - "443:443"
      - "127.0.0.1:9090:9090"
      - "127.0.0.1:9091:9091"
-    # Allow caching 'proxy-secret' in read-only container
+    # Working dir uses tmpfs for caching 'proxy-secret' at runtime.
-    working_dir: /etc/telemt
+    # Config is mounted as a directory (not a single file) so the API can
    # atomically update config.toml via write-temp → rename within the same FS.
    working_dir: /run/telemt
    command: ["/etc/telemt/config.toml"]
    volumes:
-      - ./config.toml:/etc/telemt/config.toml:ro
+      - ./config:/etc/telemt:rw
    tmpfs:
-      - /etc/telemt:rw,mode=1777,size=4m
+      - /run/telemt:rw,mode=1777,size=4m
    environment:
      - RUST_LOG=info
    healthcheck:
@@ -24,8 +27,6 @@ services:
      timeout: 5s
      retries: 3
      start_period: 20s
    # Uncomment this line if you want to use host network for IPv6, but bridge is default and usually better
    # network_mode: host
    cap_drop:
      - ALL
    cap_add:
@@ -37,3 +38,8 @@ services:
      nofile:
        soft: 65536
        hard: 262144
    logging:
      driver: json-file
      options:
        max-size: "50m"
        max-file: "5"
@@ -86,6 +86,9 @@ Die unten angegebenen `Default`-Werte sind Code-Defaults (bei fehlendem Schlüss
 | `[[upstreams]].weight` | alle Upstreams | `u16` | nein | `1` | Basisgewicht für weighted-random Auswahl. |
 | `[[upstreams]].enabled` | alle Upstreams | `bool` | nein | `true` | Deaktivierte Einträge werden beim Start ignoriert. |
 | `[[upstreams]].scopes` | alle Upstreams | `String` | nein | `""` | Komma-separierte Scope-Tags für Request-Routing. |
 | `[[upstreams]].ipv4` | alle Upstreams | `Option<bool>` | nein | `auto` | Erlaubt IPv4-DC-Ziele für diesen Upstream. |
 | `[[upstreams]].ipv6` | alle Upstreams | `Option<bool>` | nein | `auto` | Erlaubt IPv6-DC-Ziele für diesen Upstream, inklusive Proxy-Egress unabhängig vom Host-IPv6. |
 | `[[upstreams]].prefer` | alle Upstreams | `Option<4 \| 6>` | nein | effective `[network].prefer` | Pro-Upstream-Präferenz für die DC-Ziel-Adressfamilie. |
 | `interface` | `direct` | `Option<String>` | nein | `null` | Interface-Name (z. B. `eth0`) oder lokale Literal-IP. |
 | `bind_addresses` | `direct` | `Option<Vec<IpAddr>>` | nein | `null` | Explizite Source-IP-Kandidaten (strikter Vorrang vor `interface`). |
 | `address` | `socks4` | `String` | ja | n/a | SOCKS4-Server (`ip:port` oder `host:port`). |
@@ -86,6 +86,9 @@ Defaults below are code defaults (used when a key is omitted), not necessarily v
 | `[[upstreams]].weight` | all upstreams | `u16` | no | `1` | Base weight for weighted-random selection. |
 | `[[upstreams]].enabled` | all upstreams | `bool` | no | `true` | Disabled entries are ignored at startup. |
 | `[[upstreams]].scopes` | all upstreams | `String` | no | `""` | Comma-separated scope tags for request-level routing. |
 | `[[upstreams]].ipv4` | all upstreams | `Option<bool>` | no | `auto` | Allow IPv4 DC targets for this upstream. |
 | `[[upstreams]].ipv6` | all upstreams | `Option<bool>` | no | `auto` | Allow IPv6 DC targets for this upstream, including proxy egress independent of host IPv6. |
 | `[[upstreams]].prefer` | all upstreams | `Option<4 \| 6>` | no | effective `[network].prefer` | Per-upstream DC target family preference. |
 | `interface` | `direct` | `Option<String>` | no | `null` | Interface name (e.g. `eth0`) or literal local IP for bind selection. |
 | `bind_addresses` | `direct` | `Option<Vec<IpAddr>>` | no | `null` | Explicit local source IP candidates (strict priority over `interface`). |
 | `address` | `socks4` | `String` | yes | n/a | SOCKS4 server endpoint (`ip:port` or `host:port`). |
@@ -86,6 +86,9 @@
 | `[[upstreams]].weight` | все upstream | `u16` | нет | `1` | Базовый вес в weighted-random выборе. |
 | `[[upstreams]].enabled` | все upstream | `bool` | нет | `true` | Выключенные записи игнорируются на старте. |
 | `[[upstreams]].scopes` | все upstream | `String` | нет | `""` | Список scope-токенов через запятую для маршрутизации. |
 | `[[upstreams]].ipv4` | все upstream | `Option<bool>` | нет | `auto` | Разрешает IPv4 DC-targets для этого upstream. |
 | `[[upstreams]].ipv6` | все upstream | `Option<bool>` | нет | `auto` | Разрешает IPv6 DC-targets для этого upstream, включая proxy egress независимо от IPv6 на хосте. |
 | `[[upstreams]].prefer` | все upstream | `Option<4 \| 6>` | нет | эффективный `[network].prefer` | Предпочтительное семейство DC-target для конкретного upstream. |
 | `interface` | `direct` | `Option<String>` | нет | `null` | Имя интерфейса (например `eth0`) или literal локальный IP. |
 | `bind_addresses` | `direct` | `Option<Vec<IpAddr>>` | нет | `null` | Явные кандидаты source IP (имеют приоритет над `interface`). |
 | `address` | `socks4` | `String` | да | n/a | Адрес SOCKS4 сервера (`ip:port` или `host:port`). |
@@ -103,6 +103,7 @@ Notes:
 | `GET` | `/v1/runtime/me-selftest` | none | `200` | `RuntimeMeSelftestData` |
 | `GET` | `/v1/runtime/connections/summary` | none | `200` | `RuntimeEdgeConnectionsSummaryData` |
 | `GET` | `/v1/runtime/events/recent` | none | `200` | `RuntimeEdgeEventsData` |
 | `GET` | `/v1/runtime/tls-fingerprints` | optional `limit=1..1000` | `200` | `RuntimeEdgeTlsFingerprintsData` |
 | `GET` | `/v1/stats/users/active-ips` | none | `200` | `UserActiveIps[]` |
 | `GET` | `/v1/stats/users` | none | `200` | `UserInfo[]` |
 | `GET` | `/v1/users` | none | `200` | `UserInfo[]` |
@@ -111,6 +112,8 @@ Notes:
 | `PATCH` | `/v1/users/{username}` | `PatchUserRequest` | `200` or `202` | `UserInfo` |
 | `DELETE` | `/v1/users/{username}` | none | `200` or `202` | `DeleteUserResponse` |
 | `POST` | `/v1/users/{username}/rotate-secret` | `RotateSecretRequest` or empty body | `200` or `202` | `CreateUserResponse` |
 | `POST` | `/v1/users/{username}/enable` | empty body | `200` or `202` | `UserInfo` |
 | `POST` | `/v1/users/{username}/disable` | empty body | `200` or `202` | `UserInfo` |
 | `POST` | `/v1/users/{username}/reset-quota` | empty body | `200` | `ResetUserQuotaResponse` |
 ## Endpoint Behavior
@@ -146,6 +149,8 @@ Notes:
 | `PATCH /v1/users/{username}` | Updates selected per-user fields with JSON Merge Patch semantics. |
 | `DELETE /v1/users/{username}` | Deletes one user and related per-user access-map entries. |
 | `POST /v1/users/{username}/rotate-secret` | Rotates one user's secret and returns the effective secret. |
 | `POST /v1/users/{username}/enable` | Enables one user, removing any disabled override from config. |
 | `POST /v1/users/{username}/disable` | Disables one user and closes active runtime sessions for that user. |
 | `POST /v1/users/{username}/reset-quota` | Resets one user's runtime quota counter and persists quota state. |
 ## Common Error Codes
@@ -175,6 +180,8 @@ Notes:
 | `PUT /v1/users/{username}` | `405 method_not_allowed`. |
 | `POST /v1/users/{username}` | `404 not_found`. |
 | `POST /v1/users/{username}/rotate-secret/` | Trailing slash is trimmed and the route matches `rotate-secret`. |
 | `POST /v1/users/{username}/enable/` | Trailing slash is trimmed and the route matches `enable`. |
 | `POST /v1/users/{username}/disable/` | Trailing slash is trimmed and the route matches `disable`. |
 | `POST /v1/users/{username}/reset-quota/` | Trailing slash is trimmed and the route matches `reset-quota`. |
 ## Body and JSON Semantics
@@ -208,6 +215,7 @@ Notes:
 | `rate_limit_up_bps` | `u64` | no | Per-user upload rate limit in bytes per second. |
 | `rate_limit_down_bps` | `u64` | no | Per-user download rate limit in bytes per second. |
 | `max_unique_ips` | `usize` | no | Per-user unique source IP limit. |
 | `enabled` | `bool` | no | User enable flag. Missing means enabled. `false` persists a disabled override. |
 ### `PatchUserRequest`
 | Field | Type | Required | Description |
@@ -220,6 +228,7 @@ Notes:
 | `rate_limit_up_bps` | `u64|null` | no | Per-user upload rate limit in bytes per second; `null` removes the upload direction limit. |
 | `rate_limit_down_bps` | `u64|null` | no | Per-user download rate limit in bytes per second; `null` removes the download direction limit. |
 | `max_unique_ips` | `usize|null` | no | Per-user unique source IP limit; `null` removes the per-user override. |
 | `enabled` | `bool|null` | no | `false` disables the user. `true` or `null` removes the disabled override, so the user is enabled. |
 ### `access.user_source_deny` via API
 - In current API surface, per-user deny-list is **not** exposed as a dedicated field in `CreateUserRequest` / `PatchUserRequest`.
@@ -807,6 +816,43 @@ An empty request body is accepted and generates a new secret automatically.
 | `event_type` | `string` | Event kind identifier. |
 | `context` | `string` | Context text (truncated to implementation-defined max length). |
 ### `RuntimeEdgeTlsFingerprintsData`
 | Field | Type | Description |
 | --- | --- | --- |
 | `enabled` | `bool` | Endpoint availability under `runtime_edge_enabled`. |
 | `reason` | `string?` | `feature_disabled` when endpoint is disabled. |
 | `generated_at_epoch_secs` | `u64` | Snapshot generation timestamp. |
 | `data` | `RuntimeEdgeTlsFingerprintsPayload?` | Null when unavailable. |
 #### `RuntimeEdgeTlsFingerprintsPayload`
 | Field | Type | Description |
 | --- | --- | --- |
 | `limit` | `usize` | Effective Top-N row count. |
 | `retention_secs` | `u64` | In-memory retention window, derived from `general.beobachten_minutes`. |
 | `capacity` | `usize` | Maximum retained fingerprint buckets. |
 | `dropped_total` | `u64` | Buckets dropped because the collector was full. |
 | `parse_error_total` | `u64` | Complete ClientHello records that could not be fingerprinted. |
 | `by_fingerprint` | `RuntimeEdgeTlsFingerprintRow[]` | Global JA3/JA4 leaderboard. |
 | `by_ip` | `RuntimeEdgeTlsFingerprintRow[]` | Source-IP scoped leaderboard. |
 | `by_cidr` | `RuntimeEdgeTlsFingerprintRow[]` | Source CIDR scoped leaderboard (`/24` for IPv4, `/56` for IPv6). |
 | `by_user` | `RuntimeEdgeTlsFingerprintRow[]` | Authenticated user scoped leaderboard. |
 #### `RuntimeEdgeTlsFingerprintRow`
 | Field | Type | Description |
 | --- | --- | --- |
 | `scope` | `string?` | IP, CIDR, or username; absent in `by_fingerprint`. |
 | `ja3` | `string` | JA3 MD5 hash. |
 | `ja3_raw` | `string` | Raw JA3 field string. |
 | `ja4` | `string` | JA4 TLS client fingerprint. |
 | `ja4_raw` | `string` | Raw JA4 material used for the hashed parts. |
 | `total` | `u64` | Complete ClientHello observations for this bucket. |
 | `auth_success` | `u64` | TLS-authenticated observations for this bucket. |
 | `bad_or_probe` | `u64` | Complete ClientHello observations later classified as bad/probe. |
 | `first_seen_epoch_secs` | `u64` | First observation timestamp. |
 | `last_seen_epoch_secs` | `u64` | Last observation timestamp. |
 JA3 follows the Salesforce ClientHello field order. JA4 follows the FoxIO TLS-client `a_b_c` format; GREASE values are excluded and no high-cardinality Prometheus labels are emitted for fingerprints.
 ### `ZeroAllData`
 | Field | Type | Description |
 | --- | --- | --- |
@@ -1165,6 +1211,7 @@ An empty request body is accepted and generates a new secret automatically.
 | Field | Type | Description |
 | --- | --- | --- |
 | `username` | `string` | Username. |
 | `enabled` | `bool` | Effective user enable flag. Missing config entry is reported as `true`. |
 | `in_runtime` | `bool` | Whether current runtime config already contains this user. |
 | `user_ad_tag` | `string?` | Optional ad tag (32 hex chars). |
 | `max_tcp_conns` | `usize?` | Optional max concurrent TCP limit. |
@@ -1239,6 +1286,8 @@ Link generation uses active config and enabled modes:
 | `POST /v1/users` | Creates user, validates config, then atomically updates only affected `access.*` TOML tables (`access.users` always, plus optional per-user tables present in request). |
 | `PATCH /v1/users/{username}` | Partial update of provided fields only. Missing fields remain unchanged; explicit `null` removes optional per-user entries. The write path updates only affected `access.*` TOML tables. |
 | `POST /v1/users/{username}/rotate-secret` | Replaces the user's secret with a provided valid 32-hex value or a generated value, then returns the effective secret in `CreateUserResponse`. |
 | `POST /v1/users/{username}/enable` | Enables the user idempotently by removing the `access.user_enabled[username]` override and updating the runtime admission state immediately. |
 | `POST /v1/users/{username}/disable` | Disables the user idempotently by writing `access.user_enabled[username] = false`, updating runtime admission immediately, and cancelling active sessions for that username. |
 | `POST /v1/users/{username}/reset-quota` | Resets the runtime quota counter for the route username, persists quota state to `general.quota_state_path`, and does not modify user config. |
 | `DELETE /v1/users/{username}` | Deletes only specified user, removes this user from related optional `access.user_*` maps, blocks last-user deletion, and atomically updates only related `access.*` TOML tables. |
@@ -1282,6 +1331,7 @@ Additional runtime endpoint behavior:
 | `/v1/runtime/me-selftest` | No | ME pool unavailable => `enabled=false`, `reason=source_unavailable` | `enabled=true`, full payload |
 | `/v1/runtime/connections/summary` | `runtime_edge_enabled=false` => `enabled=false`, `reason=feature_disabled` | Recompute lock contention with no cache entry => `enabled=true`, `reason=source_unavailable` | `enabled=true`, full payload |
 | `/v1/runtime/events/recent` | `runtime_edge_enabled=false` => `enabled=false`, `reason=feature_disabled` | Not used in current implementation | `enabled=true`, full payload |
 | `/v1/runtime/tls-fingerprints` | `runtime_edge_enabled=false` => `enabled=false`, `reason=feature_disabled` | Not used in current implementation | `enabled=true`, full payload |
 ## ME Fallback Behavior Exposed Via API
@@ -0,0 +1,507 @@
 # JA3 и JA4 анализ в Telemt
 Этот документ описывает, как использовать JA3/JA4 telemetry в Telemt для диагностики блокировок, которые происходят на основе TLS ClientHello, особенно JA4 TLS client fingerprint.
 Цель документа практическая: помочь оператору понять, какой клиентский TLS-отпечаток реально доходит до Telemt, как он распределён по IP/CIDR/пользователям, и как отделить JA4-based фильтрацию от блокировки по IP, SNI, домену, server flight или активному сканированию.
 ## Коротко
 JA3 и JA4 описывают форму TLS ClientHello. ClientHello отправляет клиент, поэтому JA3/JA4 в этом контексте являются fingerprint'ами клиентской TLS-реализации, а не Telemt как сервера.
 Telemt собирает JA3/JA4 только из уже прочитанного полного ClientHello:
 - без packet capture;
 - без MITM;
 - без расшифровки TLS;
 - без дополнительных сетевых чтений;
 - без Prometheus labels с высокой кардинальностью;
 - с ограниченным in-memory TTL/cap collector.
 Собранные данные доступны:
 - через API: `GET /v1/runtime/tls-fingerprints`;
 - через `/beobachten`, если `general.beobachten=true`.
 Основная польза:
 - увидеть, какие JA4 реально используют клиенты;
 - понять, один ли fingerprint страдает у всех пользователей;
 - отделить проблему клиента от проблемы IP/ASN/домена;
 - увидеть, доходят ли проблемные соединения до Telemt вообще;
 - сравнить successful TLS-auth и bad/probe поток для одного fingerprint;
 - собрать evidence для последующего изменения клиента, маршрута или deployment-профиля.
 ## Что такое JA3
 JA3 - старый и широко совместимый способ получить hash от TLS ClientHello.
 JA3 строится из ClientHello fields:
 ```text
 SSLVersion,Cipher,SSLExtension,EllipticCurve,EllipticCurvePointFormat
 ```
 Значения внутри полей записываются в порядке, в котором они пришли в ClientHello. GREASE values исключаются. Итоговая строка хэшируется MD5, поэтому в API есть два поля:
 - `ja3` - MD5 hash;
 - `ja3_raw` - исходная строка, из которой получен hash.
 Практическое значение JA3 в 2026 году ограничено тем, что современные TLS-клиенты и браузерные стеки могут менять порядок extensions. Поэтому JA3 полезен как совместимый исторический сигнал, но для диагностики современных блокировок обычно важнее JA4.
 ## Что такое JA4
 JA4 TLS client fingerprint - более структурированный fingerprint ClientHello.
 JA4 в Telemt считается для TLS-over-TCP ClientHello и имеет форму:
 ```text
 t<version><sni_marker><cipher_count><extension_count><alpn_marker>_<cipher_hash>_<extension_hash>
 ```
 Пример:
 ```text
 t13d1516h2_8daaf6152771_e5627efa2ab1
 ```
 Части JA4:
 | Часть | Смысл |
 | --- | --- |
 | `t` | TLS over TCP. Telemt сейчас не считает JA4 для QUIC/DTLS. |
 | `13`, `12`, `11`, `10` | TLS version, предпочтительно из `supported_versions`. |
 | `d` / `i` | Есть SNI domain (`d`) или SNI отсутствует (`i`). |
 | `15` | Количество cipher suites без GREASE, capped до `99`. |
 | `16` | Количество extensions без GREASE, capped до `99`. |
 | `h2`, `h1`, `00` | ALPN marker: первый и последний символ первого ALPN value или `00`. |
 | `cipher_hash` | SHA256 от отсортированного списка ciphers, первые 12 hex chars. |
 | `extension_hash` | SHA256 от отсортированных extensions плюс signature algorithms, первые 12 hex chars. |
 Важное отличие JA4 от JA3: JA4 нормализует часть полей, поэтому он устойчивее к простому изменению порядка extensions. Это делает JA4 удобным для фильтров и одновременно полезным для диагностики таких фильтров.
 ## Где Telemt видит ClientHello
 В TLS/FakeTLS режиме Telemt получает первые bytes соединения и определяет, похоже ли оно на TLS handshake. Если record является полным ClientHello и проходит bounds checks, Telemt один раз парсит его для JA3/JA4.
 Дальше возможны три исхода:
 1. **Успешный MTProxy/FakeTLS клиент**
   - Telemt принимает TLS-auth;
   - fingerprint записывается в global/IP/CIDR scopes;
   - после успешной TLS-auth Telemt добавляет user scope.
 2. **Bad client или probe**
   - ClientHello полный, но auth не проходит;
   - fingerprint записывается в global/IP/CIDR scopes;
   - user scope не записывается;
   - `bad_or_probe` увеличивается.
 3. **Неполный или обрезанный ClientHello**
   - fingerprint не считается;
   - такие случаи остаются в существующих bad-class counters.
 Если фильтр режет трафик до того, как TCP connection или ClientHello дошли до процесса Telemt, Telemt не увидит этот fingerprint. Это важнейшее диагностическое отличие: отсутствие fingerprint'а во время жалобы пользователя часто означает блокировку до приложения, а не проблему внутри Telemt.
 ## Включение сбора
 Collector включается, когда включён хотя бы один потребитель:
 ```toml
 [general]
 beobachten = true
 beobachten_minutes = 10
 ```
 или:
 ```toml
 [server.api]
 runtime_edge_enabled = true
 runtime_edge_top_n = 50
 ```
 Практически:
 - для файлового/metrics endpoint анализа достаточно `general.beobachten=true`;
 - для API snapshot нужен `server.api.runtime_edge_enabled=true`;
 - `general.beobachten_minutes` задаёт retention window для fingerprint buckets;
 - `server.api.runtime_edge_top_n` задаёт default Top-N размер API snapshot.
 ## API snapshot
 Endpoint:
 ```bash
 curl -s http://127.0.0.1:9091/v1/runtime/tls-fingerprints
 ```
 С явным лимитом:
 ```bash
 curl -s 'http://127.0.0.1:9091/v1/runtime/tls-fingerprints?limit=100'
 ```
 Если API защищён header'ом:
 ```bash
 curl -s \
  -H 'Authorization: Bearer YOUR_TOKEN' \
  'http://127.0.0.1:9091/v1/runtime/tls-fingerprints?limit=100'
 ```
 Если `runtime_edge_enabled=false`, endpoint возвращает payload с:
 ```json
 {
  "enabled": false,
  "reason": "feature_disabled"
 }
 ```
 ### Структура payload
 Основные поля:
 | Поле | Смысл |
 | --- | --- |
 | `retention_secs` | Текущее TTL окно collector'а. |
 | `capacity` | Максимум retained buckets. |
 | `dropped_total` | Сколько новых buckets отброшено из-за cap. |
 | `parse_error_total` | Сколько полных ClientHello не удалось распарсить. |
 | `by_fingerprint` | Top fingerprints глобально. |
 | `by_ip` | Top fingerprints по exact source IP. |
 | `by_cidr` | Top fingerprints по source prefix: IPv4 `/24`, IPv6 `/56`. |
 | `by_user` | Top fingerprints по authenticated user. |
 Строка snapshot:
 | Поле | Смысл |
 | --- | --- |
 | `scope` | IP, CIDR или username. В `by_fingerprint` отсутствует. |
 | `ja3` | JA3 hash. |
 | `ja3_raw` | Raw JA3 string. |
 | `ja4` | JA4 TLS client fingerprint. |
 | `ja4_raw` | Raw JA4 material. |
 | `total` | Сколько полных ClientHello попало в этот bucket. |
 | `auth_success` | Сколько из них успешно прошли TLS-auth. |
 | `bad_or_probe` | Сколько были bad/probe после полного ClientHello. |
 | `first_seen_epoch_secs` | Первый timestamp bucket'а. |
 | `last_seen_epoch_secs` | Последний timestamp bucket'а. |
 ### Быстрый просмотр через jq
 Top JA4 глобально:
 ```bash
 curl -s http://127.0.0.1:9091/v1/runtime/tls-fingerprints \
  | jq -r '.data.data.by_fingerprint[] | [.ja4, .total, .auth_success, .bad_or_probe] | @tsv'
 ```
 Top JA4 по пользователям:
 ```bash
 curl -s http://127.0.0.1:9091/v1/runtime/tls-fingerprints?limit=100 \
  | jq -r '.data.data.by_user[] | [.scope, .ja4, .total, .auth_success] | @tsv'
 ```
 Top JA4 по CIDR:
 ```bash
 curl -s http://127.0.0.1:9091/v1/runtime/tls-fingerprints?limit=100 \
  | jq -r '.data.data.by_cidr[] | [.scope, .ja4, .total, .auth_success, .bad_or_probe] | @tsv'
 ```
 Ошибки парсинга и drops:
 ```bash
 curl -s http://127.0.0.1:9091/v1/runtime/tls-fingerprints \
  | jq '.data.data | {retention_secs, capacity, dropped_total, parse_error_total}'
 ```
 ## Beobachten output
 Если включён endpoint metrics, `/beobachten` содержит обычные forensic buckets и, когда есть данные, append-only секцию TLS fingerprints:
 ```bash
 curl -s http://127.0.0.1:9090/beobachten
 ```
 Фрагмент:
 ```text
 [tls_fingerprints]
 retention_secs=600 capacity=65536 dropped_total=0 parse_error_total=0
 [tls_fingerprints.by_fingerprint]
 ja4=t13d1516h2_8daaf6152771_e5627efa2ab1 ja3=... total=42 auth_success=41 bad_or_probe=1 first_seen=... last_seen=...
 [tls_fingerprints.by_cidr]
 scope=203.0.113.0/24 ja4=t13d1516h2_8daaf6152771_e5627efa2ab1 ja3=... total=10 auth_success=10 bad_or_probe=0 first_seen=... last_seen=...
 ```
 `/beobachten` удобен для быстрой операторской диагностики без API client. API удобнее для автоматической корреляции.
 ## Как анализировать JA4-based блокировку
 ### 1. Зафиксировать симптом
 Перед анализом нужно записать:
 - какие пользователи жалуются;
 - какая версия Telegram client используется;
 - какая платформа: Desktop, Android, iOS;
 - какой источник сети: mobile ISP, home ISP, corporate network, country/region;
 - работает ли тот же пользователь через другой network path;
 - работает ли другой пользователь с того же IP/CIDR;
 - видит ли Telemt новые ClientHello от проблемного пользователя в момент попытки.
 JA4 без контекста почти всегда недостаточен. Фильтры часто используют сочетание:
 - JA4;
 - destination IP;
 - SNI;
 - порт;
 - ASN/source network;
 - rate или connection pattern;
 - reputation домена/IP;
 - active probing result.
 ### 2. Проверить, доходит ли ClientHello до Telemt
 Во время попытки подключения проблемного пользователя смотрите:
 ```bash
 curl -s 'http://127.0.0.1:9091/v1/runtime/tls-fingerprints?limit=200' \
  | jq '.data.data.by_user, .data.data.by_ip, .data.data.by_cidr'
 ```
 Интерпретация:
 | Наблюдение | Вероятный вывод |
 | --- | --- |
 | Нет новых rows для IP/CIDR пользователя | Блокировка до Telemt: routing, firewall, ISP/DPI drop, IP block, SYN/TCP reset, UDP/TCP path issue. |
 | Есть `by_ip`/`by_cidr`, но нет `by_user` | ClientHello дошёл, но TLS-auth/MTProxy layer не дошёл до успешного пользователя. Возможны bad key, probe, wrong client, active scanner, обрыв после ClientHello. |
 | Есть `by_user.auth_success` | Клиентский JA4 дошёл и был принят Telemt. Если пользователь всё равно видит проблему, искать нужно дальше: relay path, Telegram upstream, quota, route mode, session cancellation, ME/direct routing. |
 | Резко растёт `bad_or_probe` для одного JA4 | Вероятны сканеры или неправильные клиенты с тем же fingerprint family. |
 ### 3. Сравнить working и blocked случаи
 Снимите snapshot во время working case и blocked case:
 ```bash
 curl -s 'http://127.0.0.1:9091/v1/runtime/tls-fingerprints?limit=500' > tls-fp-working.json
 curl -s 'http://127.0.0.1:9091/v1/runtime/tls-fingerprints?limit=500' > tls-fp-blocked.json
 ```
 Сравните:
 - появился ли тот же `ja4` в blocked сети;
 - меняется ли `ja4` между версиями клиента;
 - меняется ли только IP/CIDR при том же `ja4`;
 - есть ли `auth_success` для того же `ja4` из других сетей;
 - отличается ли `bad_or_probe` между сетями.
 Ключевая матрица:
 | Working JA4 | Blocked JA4 | Вывод |
 | --- | --- | --- |
 | Same | Same, но blocked network не доходит до Telemt | Вероятна фильтрация по JA4 + destination/IP/SNI/network до приложения. |
 | Same | Same, доходит и `auth_success>0` | JA4 ClientHello не является точкой отказа; искать post-auth проблему. |
 | Different | Blocked только один JA4 | Вероятен client-version/platform-specific fingerprint block. |
 | Same | `bad_or_probe` растёт, `auth_success=0` | Возможно, доходит не тот клиент/secret или фильтр/прокси ломает поток после ClientHello. |
 ### 4. Разделить client JA4 и server fingerprint
 JA4 ClientHello - это клиентская сторона. Настройки Telemt вроде TLS-front server flight, `mask_host`, ticket-tail или CCS replay не меняют ClientHello, который отправляет Telegram client.
 Если фильтр принимает решение строго после ClientHello, то серверные улучшения могут не помочь. В этом случае полезные действия:
 - проверить обновление Telegram client;
 - сравнить платформы и версии клиента;
 - проверить, меняется ли JA4 на другой версии;
 - проверить, блокируется ли тот же JA4 к другому destination;
 - проверить, блокируется ли другой JA4 к тому же Telemt IP/SNI;
 - собрать evidence для client-side fingerprint fix.
 Если ClientHello проходит, а блокировка возникает после server response, тогда уже важны:
 - форма FakeTLS server flight;
 - TLS front profile fidelity;
 - `mask_host` поведение для non-auth clients;
 - certificate/provenance fallback для сканеров;
 - TCP relay behavior;
 - upstream route к Telegram.
 ### 5. Коррелировать с packet capture
 Telemt collector показывает только то, что процесс увидел. Для подтверждения фильтрации до Telemt нужен внешний capture.
 На сервере:
 ```bash
 sudo tcpdump -i any -w telemt-clienthello.pcap host CLIENT_IP and port 443
 ```
 Быстрый tshark вывод ClientHello fields:
 ```bash
 tshark -r telemt-clienthello.pcap -Y "tls.handshake.type == 1" -T fields \
  -e frame.time_epoch \
  -e ip.src \
  -e ip.dst \
  -e tcp.srcport \
  -e tcp.dstport \
  -e tls.handshake.extensions_server_name \
  -e tls.handshake.extensions_alpn_str
 ```
 Если на клиентской стороне capture видит ClientHello, а серверный capture не видит, проблема в сети между клиентом и сервером. Если серверный capture видит ClientHello, но Telemt API не видит fingerprint, проверьте порт, listener, PROXY protocol, TLS record fragmentation и bounds/errors.
 ## Практические сценарии
 ### Сценарий A: один JA4 перестал работать у многих пользователей
 Признаки:
 - один `ja4` доминирует в жалобах;
 - у разных source CIDR нет `auth_success`;
 - working пользователи используют другой JA4;
 - обновление клиента меняет поведение.
 Вероятный вывод: фильтр на стороне сети научился распознавать конкретный ClientHello family.
 Действия:
 - сравнить Telegram client versions;
 - проверить, не используют ли пользователи старые клиенты;
 - собрать `ja4`, `ja4_raw`, platform/version, source network;
 - проверить тот же client через другую сеть;
 - проверить другой client version через ту же сеть.
 ### Сценарий B: один CIDR не работает, JA4 обычный
 Признаки:
 - тот же `ja4` успешно работает из других сетей;
 - проблемный `/24` или `/56` не доходит до Telemt или не получает `auth_success`;
 - нет общей корреляции по версии клиента.
 Вероятный вывод: проблема не в JA4 alone, а в source network policy или destination reputation.
 Действия:
 - сменить route/VPS/IP;
 - проверить port;
 - проверить SNI/domain reputation;
 - сравнить с другим Telemt endpoint;
 - смотреть server-side packet capture.
 ### Сценарий C: много `bad_or_probe` на одном JA4
 Признаки:
 - `bad_or_probe` высокий;
 - `by_user` пустой или слабый;
 - source IP/CIDR разнообразные;
 - попытки не соответствуют реальным пользователям.
 Вероятный вывод: активное сканирование или нерелевантный TLS traffic с похожим ClientHello.
 Действия:
 - смотреть `/beobachten` по IP classes;
 - проверить `unknown_tls_sni` и bad-client counters;
 - убедиться, что fallback `mask_host` отвечает правдоподобно;
 - не делать вывод о блокировке пользователей только по global `bad_or_probe`.
 ### Сценарий D: `auth_success` есть, но пользователь жалуется
 Признаки:
 - fingerprint присутствует в `by_user`;
 - `auth_success` растёт;
 - соединение проходит TLS-auth.
 Вероятный вывод: JA4 ClientHello не является причиной отказа в этом случае.
 Действия:
 - проверить user enabled/disabled status;
 - проверить quota;
 - проверить direct/ME route;
 - проверить upstream health;
 - проверить runtime events;
 - смотреть relay/session logs.
 ## Что нельзя вывести из JA3/JA4
 JA3/JA4 не говорят:
 - почему сеть приняла решение о блокировке;
 - какой именно vendor DPI используется;
 - был ли block только по JA4 или по связке JA4+IP+SNI;
 - что произошло с соединением после TLS-auth;
 - как выглядит server-side TLS fingerprint;
 - как ведёт себя HTTP layer после TLS.
 JA3/JA4 также не являются уникальной идентичностью человека. Это fingerprint клиентской TLS-реализации и её настроек. Один fingerprint может быть у большого числа пользователей.
 ## Ограничения collector'а Telemt
 - Считается только TLS ClientHello, который полностью дошёл до Telemt.
 - QUIC/DTLS/HTTP JA4 variants не собираются.
 - Truncated ClientHello не fingerprint'ится.
 - User scope появляется только после успешной TLS-auth.
 - `by_ip` и `by_cidr` отражают source address после нормализации/PROXY protocol path, если он используется.
 - Collector bounded: при большом количестве уникальных buckets возможен рост `dropped_total`.
 - Retention зависит от `general.beobachten_minutes`.
 - Данные runtime in-memory; это snapshot для диагностики, а не долговременное хранилище.
 ## Рекомендованный workflow расследования
 1. Включить `runtime_edge_enabled=true` и разумный `runtime_edge_top_n`, например `100`.
 2. Зафиксировать baseline в период нормальной работы.
 3. Во время жалобы снять API snapshot и `/beobachten`.
 4. Сравнить `by_user`, `by_ip`, `by_cidr`, `by_fingerprint`.
 5. Проверить, появляется ли problematic source в Telemt вообще.
 6. Если не появляется, снять packet capture на сервере и клиенте.
 7. Если появляется без `auth_success`, проверить secret/client/proxy link и bad/probe counters.
 8. Если появляется с `auth_success`, исключить JA4 ClientHello как primary cause и перейти к relay/upstream/runtime диагностике.
 9. Если один JA4 стабильно коррелирует с block, собрать client version/platform evidence.
 10. Проверить, меняет ли обновление клиента JA4 и результат подключения.
 ## Минимальный incident report
 Для полезного отчёта по JA4-based блокировке соберите:
 ```text
 time_window:
 telemt_version:
 server_ip:
 server_port:
 tls_domain:
 mask_host:
 client_platform:
 client_version:
 source_network:
 source_ip_or_cidr:
 ja4:
 ja4_raw:
 ja3:
 total:
 auth_success:
 bad_or_probe:
 seen_in_by_user: yes/no
 seen_in_by_ip: yes/no
 seen_in_by_cidr: yes/no
 server_tcpdump_seen_clienthello: yes/no
 client_tcpdump_sent_clienthello: yes/no
 works_from_other_network: yes/no
 works_with_other_client_version: yes/no
 ```
 Этот набор обычно достаточен, чтобы отличить client fingerprint block от IP/SNI/reputation block и от post-auth проблем Telemt.
 ## Источники форматов
 - JA3 reference: https://github.com/salesforce/ja3
 - JA4 technical details: https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md
@@ -85,145 +85,7 @@ This document lists all configuration keys accepted by `config.toml`.
 # [general]
-| Key | Type | Default |
+
 | --- | ---- | ------- |
 | [`data_path`](#data_path) | `String` | — |
 | [`prefer_ipv6`](#prefer_ipv6) | `bool` | `false` |
 | [`fast_mode`](#fast_mode) | `bool` | `true` |
 | [`use_middle_proxy`](#use_middle_proxy) | `bool` | `true` |
 | [`proxy_secret_path`](#proxy_secret_path) | `String` | `"proxy-secret"` |
 | [`proxy_config_v4_cache_path`](#proxy_config_v4_cache_path) | `String` | `"cache/proxy-config-v4.txt"` |
 | [`proxy_config_v6_cache_path`](#proxy_config_v6_cache_path) | `String` | `"cache/proxy-config-v6.txt"` |
 | [`ad_tag`](#ad_tag) | `String` | — |
 | [`middle_proxy_nat_ip`](#middle_proxy_nat_ip) | `IpAddr` | — |
 | [`middle_proxy_nat_probe`](#middle_proxy_nat_probe) | `bool` | `true` |
 | [`middle_proxy_nat_stun`](#middle_proxy_nat_stun) | `String` | — |
 | [`middle_proxy_nat_stun_servers`](#middle_proxy_nat_stun_servers) | `String[]` | `[]` |
 | [`stun_nat_probe_concurrency`](#stun_nat_probe_concurrency) | `usize` | `8` |
 | [`middle_proxy_pool_size`](#middle_proxy_pool_size) | `usize` | `8` |
 | [`middle_proxy_warm_standby`](#middle_proxy_warm_standby) | `usize` | `16` |
 | [`me_init_retry_attempts`](#me_init_retry_attempts) | `u32` | `0` |
 | [`me2dc_fallback`](#me2dc_fallback) | `bool` | `true` |
 | [`me2dc_fast`](#me2dc_fast) | `bool` | `true` |
 | [`me_keepalive_enabled`](#me_keepalive_enabled) | `bool` | `true` |
 | [`me_keepalive_interval_secs`](#me_keepalive_interval_secs) | `u64` | `8` |
 | [`me_keepalive_jitter_secs`](#me_keepalive_jitter_secs) | `u64` | `2` |
 | [`me_keepalive_payload_random`](#me_keepalive_payload_random) | `bool` | `true` |
 | [`rpc_proxy_req_every`](#rpc_proxy_req_every) | `u64` | `0` |
 | [`me_writer_cmd_channel_capacity`](#me_writer_cmd_channel_capacity) | `usize` | `4096` |
 | [`me_route_channel_capacity`](#me_route_channel_capacity) | `usize` | `768` |
 | [`me_c2me_channel_capacity`](#me_c2me_channel_capacity) | `usize` | `1024` |
 | [`me_c2me_send_timeout_ms`](#me_c2me_send_timeout_ms) | `u64` | `4000` |
 | [`me_reader_route_data_wait_ms`](#me_reader_route_data_wait_ms) | `u64` | `2` |
 | [`me_d2c_flush_batch_max_frames`](#me_d2c_flush_batch_max_frames) | `usize` | `32` |
 | [`me_d2c_flush_batch_max_bytes`](#me_d2c_flush_batch_max_bytes) | `usize` | `131072` |
 | [`me_d2c_flush_batch_max_delay_us`](#me_d2c_flush_batch_max_delay_us) | `u64` | `500` |
 | [`me_d2c_ack_flush_immediate`](#me_d2c_ack_flush_immediate) | `bool` | `true` |
 | [`me_quota_soft_overshoot_bytes`](#me_quota_soft_overshoot_bytes) | `u64` | `65536` |
 | [`me_d2c_frame_buf_shrink_threshold_bytes`](#me_d2c_frame_buf_shrink_threshold_bytes) | `usize` | `262144` |
 | [`direct_relay_copy_buf_c2s_bytes`](#direct_relay_copy_buf_c2s_bytes) | `usize` | `65536` |
 | [`direct_relay_copy_buf_s2c_bytes`](#direct_relay_copy_buf_s2c_bytes) | `usize` | `262144` |
 | [`crypto_pending_buffer`](#crypto_pending_buffer) | `usize` | `262144` |
 | [`max_client_frame`](#max_client_frame) | `usize` | `16777216` |
 | [`desync_all_full`](#desync_all_full) | `bool` | `false` |
 | [`beobachten`](#beobachten) | `bool` | `true` |
 | [`beobachten_minutes`](#beobachten_minutes) | `u64` | `10` |
 | [`beobachten_flush_secs`](#beobachten_flush_secs) | `u64` | `15` |
 | [`beobachten_file`](#beobachten_file) | `String` | `"cache/beobachten.txt"` |
 | [`hardswap`](#hardswap) | `bool` | `true` |
 | [`me_warmup_stagger_enabled`](#me_warmup_stagger_enabled) | `bool` | `true` |
 | [`me_warmup_step_delay_ms`](#me_warmup_step_delay_ms) | `u64` | `500` |
 | [`me_warmup_step_jitter_ms`](#me_warmup_step_jitter_ms) | `u64` | `300` |
 | [`me_reconnect_max_concurrent_per_dc`](#me_reconnect_max_concurrent_per_dc) | `u32` | `8` |
 | [`me_reconnect_backoff_base_ms`](#me_reconnect_backoff_base_ms) | `u64` | `500` |
 | [`me_reconnect_backoff_cap_ms`](#me_reconnect_backoff_cap_ms) | `u64` | `30000` |
 | [`me_reconnect_fast_retry_count`](#me_reconnect_fast_retry_count) | `u32` | `16` |
 | [`me_single_endpoint_shadow_writers`](#me_single_endpoint_shadow_writers) | `u8` | `2` |
 | [`me_single_endpoint_outage_mode_enabled`](#me_single_endpoint_outage_mode_enabled) | `bool` | `true` |
 | [`me_single_endpoint_outage_disable_quarantine`](#me_single_endpoint_outage_disable_quarantine) | `bool` | `true` |
 | [`me_single_endpoint_outage_backoff_min_ms`](#me_single_endpoint_outage_backoff_min_ms) | `u64` | `250` |
 | [`me_single_endpoint_outage_backoff_max_ms`](#me_single_endpoint_outage_backoff_max_ms) | `u64` | `3000` |
 | [`me_single_endpoint_shadow_rotate_every_secs`](#me_single_endpoint_shadow_rotate_every_secs) | `u64` | `900` |
 | [`me_floor_mode`](#me_floor_mode) | `"static"` or `"adaptive"` | `"adaptive"` |
 | [`me_adaptive_floor_idle_secs`](#me_adaptive_floor_idle_secs) | `u64` | `90` |
 | [`me_adaptive_floor_min_writers_single_endpoint`](#me_adaptive_floor_min_writers_single_endpoint) | `u8` | `1` |
 | [`me_adaptive_floor_min_writers_multi_endpoint`](#me_adaptive_floor_min_writers_multi_endpoint) | `u8` | `1` |
 | [`me_adaptive_floor_recover_grace_secs`](#me_adaptive_floor_recover_grace_secs) | `u64` | `180` |
 | [`me_adaptive_floor_writers_per_core_total`](#me_adaptive_floor_writers_per_core_total) | `u16` | `48` |
 | [`me_adaptive_floor_cpu_cores_override`](#me_adaptive_floor_cpu_cores_override) | `u16` | `0` |
 | [`me_adaptive_floor_max_extra_writers_single_per_core`](#me_adaptive_floor_max_extra_writers_single_per_core) | `u16` | `1` |
 | [`me_adaptive_floor_max_extra_writers_multi_per_core`](#me_adaptive_floor_max_extra_writers_multi_per_core) | `u16` | `2` |
 | [`me_adaptive_floor_max_active_writers_per_core`](#me_adaptive_floor_max_active_writers_per_core) | `u16` | `64` |
 | [`me_adaptive_floor_max_warm_writers_per_core`](#me_adaptive_floor_max_warm_writers_per_core) | `u16` | `64` |
 | [`me_adaptive_floor_max_active_writers_global`](#me_adaptive_floor_max_active_writers_global) | `u32` | `256` |
 | [`me_adaptive_floor_max_warm_writers_global`](#me_adaptive_floor_max_warm_writers_global) | `u32` | `256` |
 | [`upstream_connect_retry_attempts`](#upstream_connect_retry_attempts) | `u32` | `2` |
 | [`upstream_connect_retry_backoff_ms`](#upstream_connect_retry_backoff_ms) | `u64` | `100` |
 | [`upstream_connect_budget_ms`](#upstream_connect_budget_ms) | `u64` | `3000` |
 | [`upstream_unhealthy_fail_threshold`](#upstream_unhealthy_fail_threshold) | `u32` | `5` |
 | [`upstream_connect_failfast_hard_errors`](#upstream_connect_failfast_hard_errors) | `bool` | `false` |
 | [`stun_iface_mismatch_ignore`](#stun_iface_mismatch_ignore) | `bool` | `false` |
 | [`unknown_dc_log_path`](#unknown_dc_log_path) | `String` | `"unknown-dc.txt"` |
 | [`unknown_dc_file_log_enabled`](#unknown_dc_file_log_enabled) | `bool` | `false` |
 | [`log_level`](#log_level) | `"debug"`, `"verbose"`, `"normal"`, or `"silent"` | `"normal"` |
 | [`disable_colors`](#disable_colors) | `bool` | `false` |
 | [`me_socks_kdf_policy`](#me_socks_kdf_policy) | `"strict"` or `"compat"` | `"strict"` |
 | [`me_route_backpressure_enabled`](#me_route_backpressure_enabled) | `bool` | `false` |
 | [`me_route_fairshare_enabled`](#me_route_fairshare_enabled) | `bool` | `false` |
 | [`me_route_backpressure_base_timeout_ms`](#me_route_backpressure_base_timeout_ms) | `u64` | `25` |
 | [`me_route_backpressure_high_timeout_ms`](#me_route_backpressure_high_timeout_ms) | `u64` | `120` |
 | [`me_route_backpressure_high_watermark_pct`](#me_route_backpressure_high_watermark_pct) | `u8` | `80` |
 | [`me_health_interval_ms_unhealthy`](#me_health_interval_ms_unhealthy) | `u64` | `1000` |
 | [`me_health_interval_ms_healthy`](#me_health_interval_ms_healthy) | `u64` | `3000` |
 | [`me_admission_poll_ms`](#me_admission_poll_ms) | `u64` | `1000` |
 | [`me_warn_rate_limit_ms`](#me_warn_rate_limit_ms) | `u64` | `5000` |
 | [`me_route_no_writer_mode`](#me_route_no_writer_mode) | `"async_recovery_failfast"`, `"inline_recovery_legacy"`, or `"hybrid_async_persistent"` | `"hybrid_async_persistent"` |
 | [`me_route_no_writer_wait_ms`](#me_route_no_writer_wait_ms) | `u64` | `250` |
 | [`me_route_hybrid_max_wait_ms`](#me_route_hybrid_max_wait_ms) | `u64` | `3000` |
 | [`me_route_blocking_send_timeout_ms`](#me_route_blocking_send_timeout_ms) | `u64` | `250` |
 | [`me_route_inline_recovery_attempts`](#me_route_inline_recovery_attempts) | `u32` | `3` |
 | [`me_route_inline_recovery_wait_ms`](#me_route_inline_recovery_wait_ms) | `u64` | `3000` |
 | [`fast_mode_min_tls_record`](#fast_mode_min_tls_record) | `usize` | `0` |
 | [`update_every`](#update_every) | `u64` | `300` |
 | [`me_reinit_every_secs`](#me_reinit_every_secs) | `u64` | `900` |
 | [`me_hardswap_warmup_delay_min_ms`](#me_hardswap_warmup_delay_min_ms) | `u64` | `1000` |
 | [`me_hardswap_warmup_delay_max_ms`](#me_hardswap_warmup_delay_max_ms) | `u64` | `2000` |
 | [`me_hardswap_warmup_extra_passes`](#me_hardswap_warmup_extra_passes) | `u8` | `3` |
 | [`me_hardswap_warmup_pass_backoff_base_ms`](#me_hardswap_warmup_pass_backoff_base_ms) | `u64` | `500` |
 | [`me_config_stable_snapshots`](#me_config_stable_snapshots) | `u8` | `2` |
 | [`me_config_apply_cooldown_secs`](#me_config_apply_cooldown_secs) | `u64` | `300` |
 | [`me_snapshot_require_http_2xx`](#me_snapshot_require_http_2xx) | `bool` | `true` |
 | [`me_snapshot_reject_empty_map`](#me_snapshot_reject_empty_map) | `bool` | `true` |
 | [`me_snapshot_min_proxy_for_lines`](#me_snapshot_min_proxy_for_lines) | `u32` | `1` |
 | [`proxy_secret_stable_snapshots`](#proxy_secret_stable_snapshots) | `u8` | `2` |
 | [`proxy_secret_rotate_runtime`](#proxy_secret_rotate_runtime) | `bool` | `true` |
 | [`me_secret_atomic_snapshot`](#me_secret_atomic_snapshot) | `bool` | `true` |
 | [`proxy_secret_len_max`](#proxy_secret_len_max) | `usize` | `256` |
 | [`me_pool_drain_ttl_secs`](#me_pool_drain_ttl_secs) | `u64` | `90` |
 | [`me_instadrain`](#me_instadrain) | `bool` | `false` |
 | [`me_pool_drain_threshold`](#me_pool_drain_threshold) | `u64` | `32` |
 | [`me_pool_drain_soft_evict_enabled`](#me_pool_drain_soft_evict_enabled) | `bool` | `true` |
 | [`me_pool_drain_soft_evict_grace_secs`](#me_pool_drain_soft_evict_grace_secs) | `u64` | `10` |
 | [`me_pool_drain_soft_evict_per_writer`](#me_pool_drain_soft_evict_per_writer) | `u8` | `2` |
 | [`me_pool_drain_soft_evict_budget_per_core`](#me_pool_drain_soft_evict_budget_per_core) | `u16` | `16` |
 | [`me_pool_drain_soft_evict_cooldown_ms`](#me_pool_drain_soft_evict_cooldown_ms) | `u64` | `1000` |
 | [`me_bind_stale_mode`](#me_bind_stale_mode) | `"never"`, `"ttl"`, or `"always"` | `"ttl"` |
 | [`me_bind_stale_ttl_secs`](#me_bind_stale_ttl_secs) | `u64` | `90` |
 | [`me_pool_min_fresh_ratio`](#me_pool_min_fresh_ratio) | `f32` | `0.8` |
 | [`me_reinit_drain_timeout_secs`](#me_reinit_drain_timeout_secs) | `u64` | `90` |
 | [`proxy_secret_auto_reload_secs`](#proxy_secret_auto_reload_secs) | `u64` | `3600` |
 | [`proxy_config_auto_reload_secs`](#proxy_config_auto_reload_secs) | `u64` | `3600` |
 | [`me_reinit_singleflight`](#me_reinit_singleflight) | `bool` | `true` |
 | [`me_reinit_trigger_channel`](#me_reinit_trigger_channel) | `usize` | `64` |
 | [`me_reinit_coalesce_window_ms`](#me_reinit_coalesce_window_ms) | `u64` | `200` |
 | [`me_deterministic_writer_sort`](#me_deterministic_writer_sort) | `bool` | `true` |
 | [`me_writer_pick_mode`](#me_writer_pick_mode) | `"sorted_rr"` or `"p2c"` | `"p2c"` |
 | [`me_writer_pick_sample_size`](#me_writer_pick_sample_size) | `u8` | `3` |
 | [`ntp_check`](#ntp_check) | `bool` | `true` |
 | [`ntp_servers`](#ntp_servers) | `String[]` | `["pool.ntp.org"]` |
 | [`auto_degradation_enabled`](#auto_degradation_enabled) | `bool` | `true` |
 | [`degradation_min_unavailable_dc_groups`](#degradation_min_unavailable_dc_groups) | `u8` | `2` |
 | [`rst_on_close`](#rst_on_close) | `"off"`, `"errors"`, or `"always"` | `"off"` |
 | Key | Type | Default | Hot-Reload |
 | --- | ---- | ------- | ---------- |
 | [`data_path`](#data_path) | `String` | — | `✘` |
@@ -770,7 +632,7 @@ This document lists all configuration keys accepted by `config.toml`.
    ```
 ## beobachten
  - **Constraints / validation**: `bool`.
-  - **Description**: Enables per-IP forensic observation buckets.
+  - **Description**: Enables per-IP forensic observation buckets and appends TLS JA3/JA4 fingerprint snapshots to Beobachten output when available.
  - **Example**:
    ```toml
@@ -779,7 +641,7 @@ This document lists all configuration keys accepted by `config.toml`.
    ```
 ## beobachten_minutes
  - **Constraints / validation**: Must be `> 0` (minutes).
-  - **Description**: Retention window (minutes) for per-IP observation buckets.
+  - **Description**: Retention window (minutes) for per-IP observation buckets and in-memory TLS fingerprint buckets.
  - **Example**:
    ```toml
@@ -1943,6 +1805,7 @@ This document lists all configuration keys accepted by `config.toml`.
 | [`listen_unix_sock`](#listen_unix_sock) | `String` | — | `✘` |
 | [`listen_unix_sock_perm`](#listen_unix_sock_perm) | `String` | — | `✘` |
 | [`listen_tcp`](#listen_tcp) | `bool` | — (auto) | `✘` |
 | [`client_mss`](#client_mss) | `String` | `""` | `✘` |
 | [`proxy_protocol`](#proxy_protocol) | `bool` | `false` | `✘` |
 | [`proxy_protocol_header_timeout_ms`](#proxy_protocol_header_timeout_ms) | `u64` | `500` | `✘` |
 | [`proxy_protocol_trusted_cidrs`](#proxy_protocol_trusted_cidrs) | `IpNetwork[]` | `[]` | `✘` |
@@ -2025,6 +1888,16 @@ This document lists all configuration keys accepted by `config.toml`.
    listen_unix_sock = "/run/telemt.sock"
    listen_tcp = true
    ```
 ## client_mss
  - **Constraints / validation**: `String`. Empty or omitted means do not change kernel MSS. Presets: `"extreme-low"` = `88`, `"tspu"` = `92`, `"2in8"` = `256`. Custom decimal strings must be within `88..=4096`.
  - **Description**: Client-facing TCP MSS applied to TCP listener sockets before `listen(2)`, so Linux can announce it in SYN/ACK. This affects only proxy client TCP listeners, not API, metrics, Unix sockets, Telegram upstreams, ME sockets, or mask backend connections. Changes require listener restart/rebind.
  - **Performance note**: Low MSS increases packet count predictably. Approximate segment multiplier is `ceil(1460 / client_mss)`.
  - **Example**:
    ```toml
    [server]
    client_mss = "tspu"
    ```
 ## proxy_protocol
  - **Constraints / validation**: `bool`.
  - **Description**: Enables HAProxy PROXY protocol parsing on incoming connections (PROXY v1/v2). When enabled, client source address is taken from the PROXY header.
@@ -2311,7 +2184,7 @@ Note: This section also accepts the legacy alias `[server.admin_api]` (same sche
    ```
 ## runtime_edge_top_n
  - **Constraints / validation**: `1..=1000`.
-  - **Description**: Top-N size for edge connection leaderboard.
+  - **Description**: Top-N size for edge connection and TLS fingerprint leaderboard snapshots.
  - **Example**:
    ```toml
@@ -2345,6 +2218,7 @@ Note: This section also accepts the legacy alias `[server.admin_api]` (same sche
 | --- | ---- | ------- | ---------- |
 | [`ip`](#ip) | `IpAddr` | — | `✘` |
 | [`port`](#port-serverlisteners) | `u16` | `server.port` | `✘` |
 | [`client_mss`](#client_mss-serverlisteners) | `String` | `[server].client_mss` | `✘` |
 | [`announce`](#announce) | `String` | — | `✘` |
 | [`announce_ip`](#announce_ip) | `IpAddr` | — | `✘` |
 | [`proxy_protocol`](#proxy_protocol) | `bool` | — | `✘` |
@@ -2369,6 +2243,17 @@ Note: This section also accepts the legacy alias `[server.admin_api]` (same sche
    ip = "0.0.0.0"
    port = 443
    ```
 ## client_mss (server.listeners)
  - **Constraints / validation**: `String` (optional). Same values as `[server].client_mss`.
  - **Description**: Per-listener MSS override. When omitted, inherits `[server].client_mss`; when set to an empty string, disables MSS shaping for this listener even if the global value is set. Changes require listener restart/rebind.
  - **Example**:
    ```toml
    [[server.listeners]]
    ip = "0.0.0.0"
    port = 443
    client_mss = "256"
    ```
 ## announce
  - **Constraints / validation**: `String` (optional). Must not be empty when set.
  - **Description**: Public IP/domain announced in proxy links for this listener. Takes precedence over `announce_ip`.
@@ -2525,41 +2410,6 @@ Note: This section also accepts the legacy alias `[server.admin_api]` (same sche
 # [censorship]
 | Key | Type | Default |
 | --- | ---- | ------- |
 | [`tls_domain`](#tls_domain) | `String` | `"petrovich.ru"` |
 | [`tls_domains`](#tls_domains) | `String[]` | `[]` |
 | [`unknown_sni_action`](#unknown_sni_action) | `"drop"`, `"mask"`, `"accept"`, `"reject_handshake"` | `"drop"` |
 | [`tls_fetch_scope`](#tls_fetch_scope) | `String` | `""` |
 | [`tls_fetch`](#tls_fetch) | `Table` | built-in defaults |
 | [`mask`](#mask) | `bool` | `true` |
 | [`mask_host`](#mask_host) | `String` | — |
 | [`mask_port`](#mask_port) | `u16` | `443` |
 | [`exclusive_mask`](#exclusive_mask) | `Map<String,String>` | `{}` |
 | [`mask_unix_sock`](#mask_unix_sock) | `String` | — |
 | [`fake_cert_len`](#fake_cert_len) | `usize` | `2048` |
 | [`tls_emulation`](#tls_emulation) | `bool` | `true` |
 | [`tls_front_dir`](#tls_front_dir) | `String` | `"tlsfront"` |
 | [`server_hello_delay_min_ms`](#server_hello_delay_min_ms) | `u64` | `0` |
 | [`server_hello_delay_max_ms`](#server_hello_delay_max_ms) | `u64` | `0` |
 | [`tls_new_session_tickets`](#tls_new_session_tickets) | `u8` | `0` |
 | [`tls_full_cert_ttl_secs`](#tls_full_cert_ttl_secs) | `u64` | `90` |
 | [`serverhello_compact`](#serverhello_compact) | `bool` | `false` |
 | [`alpn_enforce`](#alpn_enforce) | `bool` | `true` |
 | [`mask_proxy_protocol`](#mask_proxy_protocol) | `u8` | `0` |
 | [`mask_shape_hardening`](#mask_shape_hardening) | `bool` | `true` |
 | [`mask_shape_hardening_aggressive_mode`](#mask_shape_hardening_aggressive_mode) | `bool` | `false` |
 | [`mask_shape_bucket_floor_bytes`](#mask_shape_bucket_floor_bytes) | `usize` | `512` |
 | [`mask_shape_bucket_cap_bytes`](#mask_shape_bucket_cap_bytes) | `usize` | `4096` |
 | [`mask_shape_above_cap_blur`](#mask_shape_above_cap_blur) | `bool` | `false` |
 | [`mask_shape_above_cap_blur_max_bytes`](#mask_shape_above_cap_blur_max_bytes) | `usize` | `512` |
 | [`mask_relay_max_bytes`](#mask_relay_max_bytes) | `usize` | `5242880` |
 | [`mask_relay_timeout_ms`](#mask_relay_timeout_ms) | `u64` | `60_000` |
 | [`mask_relay_idle_timeout_ms`](#mask_relay_idle_timeout_ms) | `u64` | `5_000` |
 | [`mask_classifier_prefetch_timeout_ms`](#mask_classifier_prefetch_timeout_ms) | `u64` | `5` |
 | [`mask_timing_normalization_enabled`](#mask_timing_normalization_enabled) | `bool` | `false` |
 | [`mask_timing_normalization_floor_ms`](#mask_timing_normalization_floor_ms) | `u64` | `0` |
 | [`mask_timing_normalization_ceiling_ms`](#mask_timing_normalization_ceiling_ms) | `u64` | `0` |
 | Key | Type | Default | Hot-Reload |
 | --- | ---- | ------- | ---------- |
 | [`tls_domain`](#tls_domain) | `String` | `"petrovich.ru"` | `✘` |
@@ -3107,6 +2957,7 @@ If your backend or network is very bandwidth-constrained, reduce cap first. If p
 | Key | Type | Default | Hot-Reload |
 | --- | ---- | ------- | ---------- |
 | [`users`](#users) | `Map<String, String>` | `{"default": "000…000"}` | `✔` |
 | [`user_enabled`](#user_enabled-1) | `Map<String, bool>` | `{}` | `✔` |
 | [`user_ad_tags`](#user_ad_tags) | `Map<String, String>` | `{}` | `✔` |
 | [`user_max_tcp_conns`](#user_max_tcp_conns) | `Map<String, usize>` | `{}` | `✔` |
 | [`user_max_tcp_conns_global_each`](#user_max_tcp_conns_global_each) | `usize` | `0` | `✔` |
@@ -3133,6 +2984,16 @@ If your backend or network is very bandwidth-constrained, reduce cap first. If p
    alice = "00112233445566778899aabbccddeeff"
    bob   = "0123456789abcdef0123456789abcdef"
    ```
 ## user_enabled
  - **Constraints / validation**: `Map<String, bool>`.
  - **Description**: Optional per-user enable overrides. Missing users are enabled by default. A value of `false` disables new sessions for that user; setting the value to `true` is accepted but equivalent to removing the override. API enable operations remove the override, while disable operations write `false`.
  - **Runtime behavior**: Hot reload applies this map immediately. Users disabled through API or config reload are rejected after successful authentication and active runtime sessions for that username are cancelled.
  - **Example**:
    ```toml
    [access.user_enabled]
    alice = false
    ```
 ## user_ad_tags
  - **Constraints / validation**: Each value must be **exactly 32 hex characters** (same format as `general.ad_tag`). An all-zero tag is allowed but logs a warning.
  - **Description**: Per-user sponsored-channel ad tag override. When a user has an entry here, it takes precedence over `general.ad_tag`.
@@ -3293,6 +3154,7 @@ If your backend or network is very bandwidth-constrained, reduce cap first. If p
 | [`scopes`](#scopes) | `String` | `""` | `✘` |
 | [`ipv4`](#ipv4-upstreams) | `bool` | — (auto) | `✘` |
 | [`ipv6`](#ipv6-upstreams) | `bool` | — (auto) | `✘` |
 | [`prefer`](#prefer-upstreams) | `4` or `6` | effective `[network].prefer` | `✘` |
 | [`interface`](#interface) | `String` | — | `✘` |
 | [`bind_addresses`](#bind_addresses) | `String[]` | — | `✘` |
 | [`bindtodevice`](#bindtodevice) | `String` | — | `✘` |
@@ -3364,7 +3226,7 @@ If your backend or network is very bandwidth-constrained, reduce cap first. If p
    ```
 ## ipv6 (upstreams)
  - **Constraints / validation**: `bool` (optional).
-  - **Description**: Allows IPv6 DC targets for this upstream. When omitted, Telemt auto-detects support from runtime connectivity state.
+  - **Description**: Allows IPv6 DC targets for this upstream. When omitted, Telemt auto-detects support from runtime connectivity state. Set this to `true` when the upstream proxy is reachable from the local host over IPv4 but the proxy itself can connect to Telegram DCs over IPv6.
  - **Example**:
    ```toml
@@ -3372,6 +3234,18 @@ If your backend or network is very bandwidth-constrained, reduce cap first. If p
    type = "direct"
    ipv6 = false
    ```
 ## prefer (upstreams)
  - **Constraints / validation**: Optional integer. Must be `4` or `6`.
  - **Description**: Overrides the IP family preference for Telegram DC targets selected through this upstream. When omitted, the upstream inherits the effective global `[network].prefer` decision. Use `prefer = 6` together with `ipv6 = true` for a SOCKS or Shadowsocks upstream that can egress over IPv6 even when the local Telemt host is IPv4-only.
  - **Example**:
    ```toml
    [[upstreams]]
    type = "socks5"
    address = "192.0.2.10:1080"
    ipv6 = true
    prefer = 6
    ```
 ## interface
  - **Constraints / validation**: `String` (optional).
    - For `"direct"`: may be an IP address (used as explicit local bind) or an OS interface name (resolved to an IP at runtime; Unix only).
@@ -85,145 +85,7 @@
 # [general]
-| Ключ | Тип | По умолчанию |
+
 | --- | ---- | ------- |
 | [`data_path`](#data_path) | `String` | — |
 | [`prefer_ipv6`](#prefer_ipv6) | `bool` | `false` |
 | [`fast_mode`](#fast_mode) | `bool` | `true` |
 | [`use_middle_proxy`](#use_middle_proxy) | `bool` | `true` |
 | [`proxy_secret_path`](#proxy_secret_path) | `String` | `"proxy-secret"` |
 | [`proxy_config_v4_cache_path`](#proxy_config_v4_cache_path) | `String` | `"cache/proxy-config-v4.txt"` |
 | [`proxy_config_v6_cache_path`](#proxy_config_v6_cache_path) | `String` | `"cache/proxy-config-v6.txt"` |
 | [`ad_tag`](#ad_tag) | `String` | — |
 | [`middle_proxy_nat_ip`](#middle_proxy_nat_ip) | `IpAddr` | — |
 | [`middle_proxy_nat_probe`](#middle_proxy_nat_probe) | `bool` | `true` |
 | [`middle_proxy_nat_stun`](#middle_proxy_nat_stun) | `String` | — |
 | [`middle_proxy_nat_stun_servers`](#middle_proxy_nat_stun_servers) | `String[]` | `[]` |
 | [`stun_nat_probe_concurrency`](#stun_nat_probe_concurrency) | `usize` | `8` |
 | [`middle_proxy_pool_size`](#middle_proxy_pool_size) | `usize` | `8` |
 | [`middle_proxy_warm_standby`](#middle_proxy_warm_standby) | `usize` | `16` |
 | [`me_init_retry_attempts`](#me_init_retry_attempts) | `u32` | `0` |
 | [`me2dc_fallback`](#me2dc_fallback) | `bool` | `true` |
 | [`me2dc_fast`](#me2dc_fast) | `bool` | `true` |
 | [`me_keepalive_enabled`](#me_keepalive_enabled) | `bool` | `true` |
 | [`me_keepalive_interval_secs`](#me_keepalive_interval_secs) | `u64` | `8` |
 | [`me_keepalive_jitter_secs`](#me_keepalive_jitter_secs) | `u64` | `2` |
 | [`me_keepalive_payload_random`](#me_keepalive_payload_random) | `bool` | `true` |
 | [`rpc_proxy_req_every`](#rpc_proxy_req_every) | `u64` | `0` |
 | [`me_writer_cmd_channel_capacity`](#me_writer_cmd_channel_capacity) | `usize` | `4096` |
 | [`me_route_channel_capacity`](#me_route_channel_capacity) | `usize` | `768` |
 | [`me_c2me_channel_capacity`](#me_c2me_channel_capacity) | `usize` | `1024` |
 | [`me_c2me_send_timeout_ms`](#me_c2me_send_timeout_ms) | `u64` | `4000` |
 | [`me_reader_route_data_wait_ms`](#me_reader_route_data_wait_ms) | `u64` | `2` |
 | [`me_d2c_flush_batch_max_frames`](#me_d2c_flush_batch_max_frames) | `usize` | `32` |
 | [`me_d2c_flush_batch_max_bytes`](#me_d2c_flush_batch_max_bytes) | `usize` | `131072` |
 | [`me_d2c_flush_batch_max_delay_us`](#me_d2c_flush_batch_max_delay_us) | `u64` | `500` |
 | [`me_d2c_ack_flush_immediate`](#me_d2c_ack_flush_immediate) | `bool` | `true` |
 | [`me_quota_soft_overshoot_bytes`](#me_quota_soft_overshoot_bytes) | `u64` | `65536` |
 | [`me_d2c_frame_buf_shrink_threshold_bytes`](#me_d2c_frame_buf_shrink_threshold_bytes) | `usize` | `262144` |
 | [`direct_relay_copy_buf_c2s_bytes`](#direct_relay_copy_buf_c2s_bytes) | `usize` | `65536` |
 | [`direct_relay_copy_buf_s2c_bytes`](#direct_relay_copy_buf_s2c_bytes) | `usize` | `262144` |
 | [`crypto_pending_buffer`](#crypto_pending_buffer) | `usize` | `262144` |
 | [`max_client_frame`](#max_client_frame) | `usize` | `16777216` |
 | [`desync_all_full`](#desync_all_full) | `bool` | `false` |
 | [`beobachten`](#beobachten) | `bool` | `true` |
 | [`beobachten_minutes`](#beobachten_minutes) | `u64` | `10` |
 | [`beobachten_flush_secs`](#beobachten_flush_secs) | `u64` | `15` |
 | [`beobachten_file`](#beobachten_file) | `String` | `"cache/beobachten.txt"` |
 | [`hardswap`](#hardswap) | `bool` | `true` |
 | [`me_warmup_stagger_enabled`](#me_warmup_stagger_enabled) | `bool` | `true` |
 | [`me_warmup_step_delay_ms`](#me_warmup_step_delay_ms) | `u64` | `500` |
 | [`me_warmup_step_jitter_ms`](#me_warmup_step_jitter_ms) | `u64` | `300` |
 | [`me_reconnect_max_concurrent_per_dc`](#me_reconnect_max_concurrent_per_dc) | `u32` | `8` |
 | [`me_reconnect_backoff_base_ms`](#me_reconnect_backoff_base_ms) | `u64` | `500` |
 | [`me_reconnect_backoff_cap_ms`](#me_reconnect_backoff_cap_ms) | `u64` | `30000` |
 | [`me_reconnect_fast_retry_count`](#me_reconnect_fast_retry_count) | `u32` | `16` |
 | [`me_single_endpoint_shadow_writers`](#me_single_endpoint_shadow_writers) | `u8` | `2` |
 | [`me_single_endpoint_outage_mode_enabled`](#me_single_endpoint_outage_mode_enabled) | `bool` | `true` |
 | [`me_single_endpoint_outage_disable_quarantine`](#me_single_endpoint_outage_disable_quarantine) | `bool` | `true` |
 | [`me_single_endpoint_outage_backoff_min_ms`](#me_single_endpoint_outage_backoff_min_ms) | `u64` | `250` |
 | [`me_single_endpoint_outage_backoff_max_ms`](#me_single_endpoint_outage_backoff_max_ms) | `u64` | `3000` |
 | [`me_single_endpoint_shadow_rotate_every_secs`](#me_single_endpoint_shadow_rotate_every_secs) | `u64` | `900` |
 | [`me_floor_mode`](#me_floor_mode) | `"static"` or `"adaptive"` | `"adaptive"` |
 | [`me_adaptive_floor_idle_secs`](#me_adaptive_floor_idle_secs) | `u64` | `90` |
 | [`me_adaptive_floor_min_writers_single_endpoint`](#me_adaptive_floor_min_writers_single_endpoint) | `u8` | `1` |
 | [`me_adaptive_floor_min_writers_multi_endpoint`](#me_adaptive_floor_min_writers_multi_endpoint) | `u8` | `1` |
 | [`me_adaptive_floor_recover_grace_secs`](#me_adaptive_floor_recover_grace_secs) | `u64` | `180` |
 | [`me_adaptive_floor_writers_per_core_total`](#me_adaptive_floor_writers_per_core_total) | `u16` | `48` |
 | [`me_adaptive_floor_cpu_cores_override`](#me_adaptive_floor_cpu_cores_override) | `u16` | `0` |
 | [`me_adaptive_floor_max_extra_writers_single_per_core`](#me_adaptive_floor_max_extra_writers_single_per_core) | `u16` | `1` |
 | [`me_adaptive_floor_max_extra_writers_multi_per_core`](#me_adaptive_floor_max_extra_writers_multi_per_core) | `u16` | `2` |
 | [`me_adaptive_floor_max_active_writers_per_core`](#me_adaptive_floor_max_active_writers_per_core) | `u16` | `64` |
 | [`me_adaptive_floor_max_warm_writers_per_core`](#me_adaptive_floor_max_warm_writers_per_core) | `u16` | `64` |
 | [`me_adaptive_floor_max_active_writers_global`](#me_adaptive_floor_max_active_writers_global) | `u32` | `256` |
 | [`me_adaptive_floor_max_warm_writers_global`](#me_adaptive_floor_max_warm_writers_global) | `u32` | `256` |
 | [`upstream_connect_retry_attempts`](#upstream_connect_retry_attempts) | `u32` | `2` |
 | [`upstream_connect_retry_backoff_ms`](#upstream_connect_retry_backoff_ms) | `u64` | `100` |
 | [`upstream_connect_budget_ms`](#upstream_connect_budget_ms) | `u64` | `3000` |
 | [`upstream_unhealthy_fail_threshold`](#upstream_unhealthy_fail_threshold) | `u32` | `5` |
 | [`upstream_connect_failfast_hard_errors`](#upstream_connect_failfast_hard_errors) | `bool` | `false` |
 | [`stun_iface_mismatch_ignore`](#stun_iface_mismatch_ignore) | `bool` | `false` |
 | [`unknown_dc_log_path`](#unknown_dc_log_path) | `String` | `"unknown-dc.txt"` |
 | [`unknown_dc_file_log_enabled`](#unknown_dc_file_log_enabled) | `bool` | `false` |
 | [`log_level`](#log_level) | `"debug"`, `"verbose"`, `"normal"`, or `"silent"` | `"normal"` |
 | [`disable_colors`](#disable_colors) | `bool` | `false` |
 | [`me_socks_kdf_policy`](#me_socks_kdf_policy) | `"strict"` or `"compat"` | `"strict"` |
 | [`me_route_backpressure_enabled`](#me_route_backpressure_enabled) | `bool` | `false` |
 | [`me_route_fairshare_enabled`](#me_route_fairshare_enabled) | `bool` | `false` |
 | [`me_route_backpressure_base_timeout_ms`](#me_route_backpressure_base_timeout_ms) | `u64` | `25` |
 | [`me_route_backpressure_high_timeout_ms`](#me_route_backpressure_high_timeout_ms) | `u64` | `120` |
 | [`me_route_backpressure_high_watermark_pct`](#me_route_backpressure_high_watermark_pct) | `u8` | `80` |
 | [`me_health_interval_ms_unhealthy`](#me_health_interval_ms_unhealthy) | `u64` | `1000` |
 | [`me_health_interval_ms_healthy`](#me_health_interval_ms_healthy) | `u64` | `3000` |
 | [`me_admission_poll_ms`](#me_admission_poll_ms) | `u64` | `1000` |
 | [`me_warn_rate_limit_ms`](#me_warn_rate_limit_ms) | `u64` | `5000` |
 | [`me_route_no_writer_mode`](#me_route_no_writer_mode) | `"async_recovery_failfast"`, `"inline_recovery_legacy"`, or `"hybrid_async_persistent"` | `"hybrid_async_persistent"` |
 | [`me_route_no_writer_wait_ms`](#me_route_no_writer_wait_ms) | `u64` | `250` |
 | [`me_route_hybrid_max_wait_ms`](#me_route_hybrid_max_wait_ms) | `u64` | `3000` |
 | [`me_route_blocking_send_timeout_ms`](#me_route_blocking_send_timeout_ms) | `u64` | `250` |
 | [`me_route_inline_recovery_attempts`](#me_route_inline_recovery_attempts) | `u32` | `3` |
 | [`me_route_inline_recovery_wait_ms`](#me_route_inline_recovery_wait_ms) | `u64` | `3000` |
 | [`fast_mode_min_tls_record`](#fast_mode_min_tls_record) | `usize` | `0` |
 | [`update_every`](#update_every) | `u64` | `300` |
 | [`me_reinit_every_secs`](#me_reinit_every_secs) | `u64` | `900` |
 | [`me_hardswap_warmup_delay_min_ms`](#me_hardswap_warmup_delay_min_ms) | `u64` | `1000` |
 | [`me_hardswap_warmup_delay_max_ms`](#me_hardswap_warmup_delay_max_ms) | `u64` | `2000` |
 | [`me_hardswap_warmup_extra_passes`](#me_hardswap_warmup_extra_passes) | `u8` | `3` |
 | [`me_hardswap_warmup_pass_backoff_base_ms`](#me_hardswap_warmup_pass_backoff_base_ms) | `u64` | `500` |
 | [`me_config_stable_snapshots`](#me_config_stable_snapshots) | `u8` | `2` |
 | [`me_config_apply_cooldown_secs`](#me_config_apply_cooldown_secs) | `u64` | `300` |
 | [`me_snapshot_require_http_2xx`](#me_snapshot_require_http_2xx) | `bool` | `true` |
 | [`me_snapshot_reject_empty_map`](#me_snapshot_reject_empty_map) | `bool` | `true` |
 | [`me_snapshot_min_proxy_for_lines`](#me_snapshot_min_proxy_for_lines) | `u32` | `1` |
 | [`proxy_secret_stable_snapshots`](#proxy_secret_stable_snapshots) | `u8` | `2` |
 | [`proxy_secret_rotate_runtime`](#proxy_secret_rotate_runtime) | `bool` | `true` |
 | [`me_secret_atomic_snapshot`](#me_secret_atomic_snapshot) | `bool` | `true` |
 | [`proxy_secret_len_max`](#proxy_secret_len_max) | `usize` | `256` |
 | [`me_pool_drain_ttl_secs`](#me_pool_drain_ttl_secs) | `u64` | `90` |
 | [`me_instadrain`](#me_instadrain) | `bool` | `false` |
 | [`me_pool_drain_threshold`](#me_pool_drain_threshold) | `u64` | `32` |
 | [`me_pool_drain_soft_evict_enabled`](#me_pool_drain_soft_evict_enabled) | `bool` | `true` |
 | [`me_pool_drain_soft_evict_grace_secs`](#me_pool_drain_soft_evict_grace_secs) | `u64` | `10` |
 | [`me_pool_drain_soft_evict_per_writer`](#me_pool_drain_soft_evict_per_writer) | `u8` | `2` |
 | [`me_pool_drain_soft_evict_budget_per_core`](#me_pool_drain_soft_evict_budget_per_core) | `u16` | `16` |
 | [`me_pool_drain_soft_evict_cooldown_ms`](#me_pool_drain_soft_evict_cooldown_ms) | `u64` | `1000` |
 | [`me_bind_stale_mode`](#me_bind_stale_mode) | `"never"`, `"ttl"`, or `"always"` | `"ttl"` |
 | [`me_bind_stale_ttl_secs`](#me_bind_stale_ttl_secs) | `u64` | `90` |
 | [`me_pool_min_fresh_ratio`](#me_pool_min_fresh_ratio) | `f32` | `0.8` |
 | [`me_reinit_drain_timeout_secs`](#me_reinit_drain_timeout_secs) | `u64` | `90` |
 | [`proxy_secret_auto_reload_secs`](#proxy_secret_auto_reload_secs) | `u64` | `3600` |
 | [`proxy_config_auto_reload_secs`](#proxy_config_auto_reload_secs) | `u64` | `3600` |
 | [`me_reinit_singleflight`](#me_reinit_singleflight) | `bool` | `true` |
 | [`me_reinit_trigger_channel`](#me_reinit_trigger_channel) | `usize` | `64` |
 | [`me_reinit_coalesce_window_ms`](#me_reinit_coalesce_window_ms) | `u64` | `200` |
 | [`me_deterministic_writer_sort`](#me_deterministic_writer_sort) | `bool` | `true` |
 | [`me_writer_pick_mode`](#me_writer_pick_mode) | `"sorted_rr"` or `"p2c"` | `"p2c"` |
 | [`me_writer_pick_sample_size`](#me_writer_pick_sample_size) | `u8` | `3` |
 | [`ntp_check`](#ntp_check) | `bool` | `true` |
 | [`ntp_servers`](#ntp_servers) | `String[]` | `["pool.ntp.org"]` |
 | [`auto_degradation_enabled`](#auto_degradation_enabled) | `bool` | `true` |
 | [`degradation_min_unavailable_dc_groups`](#degradation_min_unavailable_dc_groups) | `u8` | `2` |
 | [`rst_on_close`](#rst_on_close) | `"off"`, `"errors"` или `"always"` | `"off"` |
 | Ключ | Тип | По умолчанию | Hot-Reload |
 | --- | ---- | ------- | ---------- |
 | [`data_path`](#data_path) | `String` | — | `✘` |
@@ -770,7 +632,7 @@
    ```
 ## beobachten
  - **Ограничения / валидация**: `bool`.
-  - **Описание**: Включает "криминалистическое" наблюдения для каждого IP-адреса. Анализирует поведение всех подключений и записывает возможные типы клиентов, которые посылают active-probing запросы.
+  - **Описание**: Включает "криминалистическое" наблюдения для каждого IP-адреса. Анализирует поведение всех подключений, записывает возможные типы клиентов, которые посылают active-probing запросы, и добавляет snapshot’ы TLS JA3/JA4 fingerprint’ов в Beobachten output, когда есть данные.
  - **Пример**:
    ```toml
@@ -779,7 +641,7 @@
    ```
 ## beobachten_minutes
  - **Ограничения / валидация**: Должно быть `> 0` (минут).
-  - **Описание**: Время хранения (минуты) для сегментов наблюдения по каждому IP-адресу.
+  - **Описание**: Время хранения (минуты) для сегментов наблюдения по каждому IP-адресу и in-memory bucket’ов TLS fingerprint’ов.
  - **Пример**:
    ```toml
@@ -1945,6 +1807,7 @@
 | [`listen_unix_sock`](#listen_unix_sock) | `String` | — | `✘` |
 | [`listen_unix_sock_perm`](#listen_unix_sock_perm) | `String` | — | `✘` |
 | [`listen_tcp`](#listen_tcp) | `bool` | — (auto) | `✘` |
 | [`client_mss`](#client_mss) | `String` | `""` | `✘` |
 | [`proxy_protocol`](#proxy_protocol) | `bool` | `false` | `✘` |
 | [`proxy_protocol_header_timeout_ms`](#proxy_protocol_header_timeout_ms) | `u64` | `500` | `✘` |
 | [`proxy_protocol_trusted_cidrs`](#proxy_protocol_trusted_cidrs) | `IpNetwork[]` | `[]` | `✘` |
@@ -2027,6 +1890,16 @@
    listen_unix_sock = "/run/telemt.sock"
    listen_tcp = true
    ```
 ## client_mss
  - **Ограничения / валидация**: `String`. Пустое значение или отсутствие параметра означает, что Telemt не изменяет MSS, выбранный ядром. Поддерживаемые presets: `"extreme-low"` = `88`, `"tspu"` = `92`, `"2in8"` = `256`. Пользовательское десятичное значение должно быть строкой в диапазоне `88..=4096`.
  - **Описание**: MSS для входящих TCP-соединений клиентов. Значение применяется к TCP listener-сокетам до `listen(2)`, чтобы Linux мог объявить его в SYN/ACK. Параметр влияет только на proxy client TCP listeners и не применяется к API, metrics, Unix sockets, Telegram upstreams, ME sockets или mask backend connections. Изменение требует restart/rebind listener’ов.
  - **Performance note**: Низкий MSS предсказуемо увеличивает количество TCP-сегментов. Приблизительный multiplier: `ceil(1460 / client_mss)`.
  - **Пример**:
    ```toml
    [server]
    client_mss = "tspu"
    ```
 ## proxy_protocol
  - **Ограничения / валидация**: `bool`.
  - **Описание**: Включает поддержку разбора PROXY protocol от HAProxy (v1/v2) на входящих соединениях. При включении исходный IP клиента берётся из PROXY-заголовка.
@@ -2317,7 +2190,7 @@
    ```
 ## runtime_edge_top_n
  - **Ограничения / валидация**: `1..=1000`.
-  - **Описание**: Размер выборки Top-N для рейтинга (leaderboard) edge-соединений.
+  - **Описание**: Размер выборки Top-N для snapshot’ов рейтинга edge-соединений и TLS fingerprint’ов.
  - **Пример**:
    ```toml
@@ -2351,6 +2224,7 @@
 | --- | ---- | ------- | ---------- |
 | [`ip`](#ip) | `IpAddr` | — | `✘` |
 | [`port`](#port-serverlisteners) | `u16` | `server.port` | `✘` |
 | [`client_mss`](#client_mss-serverlisteners) | `String` | `[server].client_mss` | `✘` |
 | [`announce`](#announce) | `String` | — | `✘` |
 | [`announce_ip`](#announce_ip) | `IpAddr` | — | `✘` |
 | [`proxy_protocol`](#proxy_protocol) | `bool` | — | `✘` |
@@ -2375,6 +2249,17 @@
    ip = "0.0.0.0"
    port = 443
    ```
 ## client_mss (server.listeners)
  - **Ограничения / валидация**: `String` (необязательный параметр). Допустимые значения совпадают с `[server].client_mss`.
  - **Описание**: Per-listener override для MSS. Если параметр не задан, listener наследует `[server].client_mss`; если задана пустая строка, MSS shaping отключается только для этого listener’а, даже когда глобальный параметр задан. Изменение требует restart/rebind listener’а.
  - **Пример**:
    ```toml
    [[server.listeners]]
    ip = "0.0.0.0"
    port = 443
    client_mss = "256"
    ```
 ## announce
  - **Ограничения / валидация**: `String` (необязательный параметр). Не должен быть пустым, если задан.
  - **Описание**: Публичный IP-адрес или домен, объявляемый в proxy-ссылках для данного listener’а. Имеет приоритет над `announce_ip`.
@@ -2531,41 +2416,6 @@
 # [censorship]
 | Ключ | Тип | По умолчанию |
 | --- | ---- | ------- |
 | [`tls_domain`](#tls_domain) | `String` | `"petrovich.ru"` |
 | [`tls_domains`](#tls_domains) | `String[]` | `[]` |
 | [`unknown_sni_action`](#unknown_sni_action) | `"drop"`, `"mask"`, `"accept"`, `"reject_handshake"` | `"drop"` |
 | [`tls_fetch_scope`](#tls_fetch_scope) | `String` | `""` |
 | [`tls_fetch`](#tls_fetch) | `Table` | built-in defaults |
 | [`mask`](#mask) | `bool` | `true` |
 | [`mask_host`](#mask_host) | `String` | — |
 | [`mask_port`](#mask_port) | `u16` | `443` |
 | [`exclusive_mask`](#exclusive_mask) | `Map<String,String>` | `{}` |
 | [`mask_unix_sock`](#mask_unix_sock) | `String` | — |
 | [`fake_cert_len`](#fake_cert_len) | `usize` | `2048` |
 | [`tls_emulation`](#tls_emulation) | `bool` | `true` |
 | [`tls_front_dir`](#tls_front_dir) | `String` | `"tlsfront"` |
 | [`server_hello_delay_min_ms`](#server_hello_delay_min_ms) | `u64` | `0` |
 | [`server_hello_delay_max_ms`](#server_hello_delay_max_ms) | `u64` | `0` |
 | [`tls_new_session_tickets`](#tls_new_session_tickets) | `u8` | `0` |
 | [`tls_full_cert_ttl_secs`](#tls_full_cert_ttl_secs) | `u64` | `90` |
 | [`serverhello_compact`](#serverhello_compact) | `bool` | `false` |
 | [`alpn_enforce`](#alpn_enforce) | `bool` | `true` |
 | [`mask_proxy_protocol`](#mask_proxy_protocol) | `u8` | `0` |
 | [`mask_shape_hardening`](#mask_shape_hardening) | `bool` | `true` |
 | [`mask_shape_hardening_aggressive_mode`](#mask_shape_hardening_aggressive_mode) | `bool` | `false` |
 | [`mask_shape_bucket_floor_bytes`](#mask_shape_bucket_floor_bytes) | `usize` | `512` |
 | [`mask_shape_bucket_cap_bytes`](#mask_shape_bucket_cap_bytes) | `usize` | `4096` |
 | [`mask_shape_above_cap_blur`](#mask_shape_above_cap_blur) | `bool` | `false` |
 | [`mask_shape_above_cap_blur_max_bytes`](#mask_shape_above_cap_blur_max_bytes) | `usize` | `512` |
 | [`mask_relay_max_bytes`](#mask_relay_max_bytes) | `usize` | `5242880` |
 | [`mask_relay_timeout_ms`](mask_relay_timeout_ms) | `u64` | `60_000` |
 | [`mask_relay_idle_timeout_ms`](mask_relay_idle_timeout_ms) | `u64` | `5_000` |
 | [`mask_classifier_prefetch_timeout_ms`](#mask_classifier_prefetch_timeout_ms) | `u64` | `5` |
 | [`mask_timing_normalization_enabled`](#mask_timing_normalization_enabled) | `bool` | `false` |
 | [`mask_timing_normalization_floor_ms`](#mask_timing_normalization_floor_ms) | `u64` | `0` |
 | [`mask_timing_normalization_ceiling_ms`](#mask_timing_normalization_ceiling_ms) | `u64` | `0` |
 | Ключ | Тип | По умолчанию | Hot-Reload |
 | --- | ---- | ------- | ---------- |
 | [`tls_domain`](#tls_domain) | `String` | `"petrovich.ru"` | `✘` |
@@ -3300,6 +3150,7 @@
 | [`scopes`](#scopes) | `String` | `""` | `✘` |
 | [`ipv4`](#ipv4-upstreams) | `bool` | — (auto) | `✘` |
 | [`ipv6`](#ipv6-upstreams) | `bool` | — (auto) | `✘` |
 | [`prefer`](#prefer-upstreams) | `4` или `6` | эффективный `[network].prefer` | `✘` |
 | [`interface`](#interface) | `String` | — | `✘` |
 | [`bind_addresses`](#bind_addresses) | `String[]` | — | `✘` |
 | [`bindtodevice`](#bindtodevice) | `String` | — | `✘` |
@@ -3371,7 +3222,7 @@
    ```
 ## ipv6 (upstreams)
  - **Ограничения / валидация**: `bool` (необязательный параметр).
-  - **Описание**: Разрешает IPv6 DC-targets для этого upstream. Если не задан, Telemt определяет поддержку автоматически по runtime-состоянию connectivity.
+  - **Описание**: Разрешает IPv6 DC-targets для этого upstream. Если не задан, Telemt определяет поддержку автоматически по runtime-состоянию connectivity. Установите `true`, если upstream proxy доступен с локального хоста по IPv4, но сам proxy умеет подключаться к Telegram DC по IPv6.
  - **Пример**:
    ```toml
@@ -3379,6 +3230,18 @@
    type = "direct"
    ipv6 = false
    ```
 ## prefer (upstreams)
  - **Ограничения / валидация**: Необязательное число. Должно быть `4` или `6`.
  - **Описание**: Переопределяет предпочтительное IP-семейство для Telegram DC-targets, выбранных через этот upstream. Если параметр не задан, upstream наследует эффективное глобальное решение `[network].prefer`. Используйте `prefer = 6` вместе с `ipv6 = true` для SOCKS или Shadowsocks upstream, который умеет выходить в IPv6, даже если локальный хост с Telemt работает только по IPv4.
  - **Пример**:
    ```toml
    [[upstreams]]
    type = "socks5"
    address = "192.0.2.10:1080"
    ipv6 = true
    prefer = 6
    ```
 ## interface
  - **Ограничения / валидация**: `String` (необязательный параметр).
    - для `"direct"`: может быть IP-адресом (используется как явный local bind) или именем сетевого интерфейса ОС (резолвится в IP во время выполнения; только Unix).
@@ -172,7 +172,7 @@ Those cross-DC requests are normal and happen constantly.
 > If your home DC is DC2 and DC2 goes down, you **cannot** reach DC5 even though DC5 itself is perfectly healthy.  
 > The client has no valid session to route the request through.  
-This is also why an MTProxy only needs to reach Telegram's DC infrastructure as a whole.  
+This is also why it is required for MTProxy to reach Telegram's DC infrastructure as a whole.  
 The proxy itself doesn't care which DC your account lives on. The client negotiates the correct DC through the proxy after connecting.
 ### How many people can use one link
@@ -40,6 +40,8 @@ hello2 = "ad_tag2"
 > Проблема с TLS отпечатком исправлена в последних версиях клиентов Telegram для Desktop / Android / iOS.  
 > Обновите свой клиент для корректной работы с MTProxy Fake-TLS!
 - Для расследования блокировок на базе JA4 ClientHello используйте отдельную инструкцию: [`JA3 и JA4 анализ в Telemt`](Architecture/Fronting-splitting/TLS_JA3_JA4_ANALYSIS.ru.md).
 - Мы считаем это прорывом, которому на сегодняшний день нет стабильных аналогов;
 - Исходя из этого: если `telemt` настроен правильно, **режим TLS полностью идентичен реальному «рукопожатию» + обмену данными** с указанным хостом;
 - Вот наши доказательства:
@@ -157,7 +159,7 @@ https://github.com/telemt/telemt/discussions/167
 ## Как клиенты взаимодействуют с дата-центрами Telegram
 При регистрации аккаунта Telegram он навсегда привязывается к одному из дата-центров (DC).  
-Telegram заранее определяет к какому DC привязать аккаунт исходя из региона, к которому относиться номер телефона.  
+Telegram заранее определяет к какому DC привязать аккаунт исходя из региона, к которому относится номер телефона.  
 Этот DC становится вашим **домашним**: именно там хранится весь контент, который вы загружаете (фото, видео, файлы, сообщения).  
 И именно на нем клиент авторизуется при каждом подключении.  
@@ -170,7 +172,7 @@ Telegram заранее определяет к какому DC привязат
 > Если ваш домашний DC — DC2, и DC2 лежит, вы **не сможете** достучаться  и до DC5, даже если сам DC5 полностью исправен.  
 > У клиента просто нет валидной сессии, через которую можно было бы направить запрос.  
-По той же причине MTProxy достаточно иметь доступ к инфраструктуре Telegram в целом.  
+По той же причине MTProxy необходимо иметь доступ к инфраструктуре Telegram целиком, а не частично.  
 Cамому MTProxy всё равно, на каком DC живёт ваш аккаунт. Клиент cам договаривается о нужном DC через прокси уже после подключения.  
 ## Что такое dd и ee в контексте MTProxy?
@@ -235,7 +235,10 @@ curl -s http://127.0.0.1:9091/v1/users | jq -r '.data[] | "[\(.username)]", (.li
 # Telemt через Docker Compose
-**1. Отредактируйте `config.toml` в корневом каталоге репозитория (как минимум: порт, пользовательские секреты, tls_domain)**  
+**1. Создайте директорию `config/` и поместите в неё отрдеактированный `config.toml` (указав как минимум: порт, пользовательские секреты, tls_domain):**
 ```bash
 mkdir config && mv config.toml config/
 ```
 **2. Запустите контейнер:**
 ```bash
 docker compose up -d --build
@@ -249,7 +252,7 @@ docker compose logs -f telemt
 docker compose down
 ```
 > [!NOTE]
-> - В `docker-compose.yml` файл `./config.toml` монтируется в `/app/config.toml` (доступно только для чтения)  
+> - Директория `./config/` монтируется в `/etc/telemt/` (read-write), что позволяет API атомарно обновлять config.toml
 > - По умолчанию публикуются порты 443:443, а контейнер запускается со сброшенными привилегиями (добавлена только `NET_BIND_SERVICE`)  
 > - Если вам действительно нужна сеть хоста (обычно это требуется только для некоторых конфигураций IPv6), раскомментируйте `network_mode: host`
@@ -84,21 +84,22 @@ set_language() {
            L_INFO_KEEP_CONF="Примечание: Конфигурация сохранена. Используйте 'purge' для очистки."
            L_INFO_I_START="Начинается установка"
            L_I_STAGE_1=">>> Этап 1: Проверка окружения и зависимостей"
-            L_I_STAGE_1_5=">>> Этап 1.5: Интерактивная настройка"
+            L_I_STAGE_2=">>> Этап 2: Интерактивная настройка"
            L_I_PROMPT_DOM="\nПожалуйста, укажите домен TLS\nНажмите Enter, чтобы оставить по умолчанию [%s]: "
            L_I_PROMPT_PORT="\nПожалуйста, укажите порт сервера\nНажмите Enter, чтобы оставить по умолчанию [%s]: "
            L_WARN_NO_TTY="Интерактивный режим недоступен (нет TTY). Используется:"
-            L_I_STAGE_2=">>> Этап 2: Загрузка архива"
+            L_I_STAGE_3=">>> Этап 3: Загрузка архива"
            L_ERR_TMP_DIR="Не удалось создать временную директорию"
            L_ERR_TMP_INV="Временная директория недействительна"
            L_INFO_FALLBACK="Сборка x86_64-v3 не найдена, откат к стандартной x86_64..."
            L_ERR_DL_FAIL="Ошибка загрузки архива"
-            L_I_STAGE_3=">>> Этап 3: Распаковка архива"
+            L_I_STAGE_4=">>> Этап 4: Распаковка архива"
            L_ERR_EXTRACT="Ошибка распаковки архива."
            L_ERR_BIN_NOT_FOUND="Бинарный файл не найден в архиве"
-            L_I_STAGE_4=">>> Этап 4: Настройка окружения (Юзер, Группа, Папки)"
+            L_I_STAGE_5=">>> Этап 5: Настройка окружения (Юзер, Группа, Папки)"
-            L_I_STAGE_5=">>> Этап 5: Установка бинарного файла"
+            L_I_STAGE_6=">>> Этап 6: Установка бинарного файла"
-            L_I_STAGE_6=">>> Этап 6: Генерация/Обновление конфигурации"
+            L_I_STAGE_7=">>> Этап 7: Генерация/Обновление конфигурации"
-            L_I_STAGE_7=">>> Этап 7: Установка и запуск службы"
+            L_I_STAGE_8=">>> Этап 8: Установка и запуск службы"
            L_OUT_WARN_H="УСТАНОВКА ЗАВЕРШЕНА С ПРЕДУПРЕЖДЕНИЯМИ"
            L_OUT_WARN_D="Служба установлена, но не запустилась.\nПожалуйста, проверьте логи.\n"
            L_OUT_SUCC_H="УСТАНОВКА УСПЕШНО ЗАВЕРШЕНА"
@@ -160,21 +161,22 @@ set_language() {
            L_INFO_KEEP_CONF="Note: Configuration kept. Run with 'purge' to remove completely."
            L_INFO_I_START="Starting installation of"
            L_I_STAGE_1=">>> Stage 1: Verifying environment and dependencies"
-            L_I_STAGE_1_5=">>> Stage 1.5: Interactive Setup"
+            L_I_STAGE_2=">>> Stage 2: Interactive Setup"
            L_I_PROMPT_DOM="\nPlease specify the TLS Domain\nPress Enter to keep default [%s]: "
            L_I_PROMPT_PORT="\nPlease specify the Server Port\nPress Enter to keep default [%s]: "
            L_WARN_NO_TTY="Interactive mode unavailable (no TTY). Using:"
-            L_I_STAGE_2=">>> Stage 2: Downloading archive"
+            L_I_STAGE_3=">>> Stage 3: Downloading archive"
            L_ERR_TMP_DIR="Temp directory creation failed"
            L_ERR_TMP_INV="Temp directory is invalid or was not created"
            L_INFO_FALLBACK="x86_64-v3 build not found, falling back to standard x86_64..."
            L_ERR_DL_FAIL="Download failed"
-            L_I_STAGE_3=">>> Stage 3: Extracting archive"
+            L_I_STAGE_4=">>> Stage 4: Extracting archive"
            L_ERR_EXTRACT="Extraction failed."
            L_ERR_BIN_NOT_FOUND="Binary not found in archive"
-            L_I_STAGE_4=">>> Stage 4: Setting up environment (User, Group, Directories)"
+            L_I_STAGE_5=">>> Stage 5: Setting up environment (User, Group, Directories)"
-            L_I_STAGE_5=">>> Stage 5: Installing binary"
+            L_I_STAGE_6=">>> Stage 6: Installing binary"
-            L_I_STAGE_6=">>> Stage 6: Generating/Updating configuration"
+            L_I_STAGE_7=">>> Stage 7: Generating/Updating configuration"
-            L_I_STAGE_7=">>> Stage 7: Installing and starting service"
+            L_I_STAGE_8=">>> Stage 8: Installing and starting service"
            L_OUT_WARN_H="INSTALLATION COMPLETED WITH WARNINGS"
            L_OUT_WARN_D="The service was installed but failed to start.\nPlease check the logs to determine the issue.\n"
            L_OUT_SUCC_H="INSTALLATION SUCCESS"
@@ -269,7 +271,10 @@ say() {
    if [ "$#" -eq 0 ] || [ -z "${1:-}" ]; then
        printf '\n'
    else
-        printf '[INFO] %s\n' "$*"
+        case "$*" in
            \[*\]*) printf '%s\n' "$*" ;;
            *) printf '[INFO] %s\n' "$*" ;;
        esac
    fi
 }
 die() { printf '[ERROR] %s\n' "$*" >&2; exit 1; }
@@ -527,9 +532,9 @@ setup_dirs() {
 stop_service() {
    svc="$(get_svc_mgr)"
-    if [ "$svc" = "systemd" ] && systemctl is-active --quiet "$SERVICE_NAME" 2>/dev/null; then
+    if [ "$svc" = "systemd" ] && $SUDO systemctl is-active --quiet "$SERVICE_NAME" 2>/dev/null; then
        $SUDO systemctl stop "$SERVICE_NAME" 2>/dev/null || true
-    elif [ "$svc" = "openrc" ] && rc-service "$SERVICE_NAME" status >/dev/null 2>&1; then
+    elif [ "$svc" = "openrc" ] && $SUDO rc-service "$SERVICE_NAME" status >/dev/null 2>&1; then
        $SUDO rc-service "$SERVICE_NAME" stop 2>/dev/null || true
    fi
 }
@@ -832,10 +837,36 @@ case "$ACTION" in
            fi
        fi
-        check_port_availability
+        if [ "$PORT_PROVIDED" -eq 0 ] || [ "$DOMAIN_PROVIDED" -eq 0 ]; then
            say "$L_I_STAGE_2"
        fi
        if [ "$PORT_PROVIDED" -eq 0 ]; then
            if [ -t 0 ] || [ -c /dev/tty ]; then
                while true; do
                    printf "$L_I_PROMPT_PORT" "$SERVER_PORT"
                    read -r input_port </dev/tty || input_port=""
                    if [ -z "$input_port" ]; then
                        break
                    fi
                    case "$input_port" in
                        *[!0-9]*) printf '[ERROR] %s\n' "$L_ERR_PORT_NUM" >&2; continue ;;
                    esac
                    port_num="$(printf '%s\n' "$input_port" | sed 's/^0*//')"
                    [ -z "$port_num" ] && port_num="0"
                    if [ "${#port_num}" -gt 5 ] || [ "$port_num" -lt 1 ] || [ "$port_num" -gt 65535 ]; then
                        printf '[ERROR] %s\n' "$L_ERR_PORT_RANGE" >&2; continue
                    fi
                    SERVER_PORT="$port_num"
                    break
                done
            else
                say "[WARNING] $L_WARN_NO_TTY $SERVER_PORT"
            fi
            PORT_PROVIDED=1
        fi
        if [ "$DOMAIN_PROVIDED" -eq 0 ]; then
            say "$L_I_STAGE_1_5"
            if [ -t 0 ] || [ -c /dev/tty ]; then
                printf "$L_I_PROMPT_DOM" "$TLS_DOMAIN"
                read -r input_domain </dev/tty || input_domain=""
@@ -848,6 +879,8 @@ case "$ACTION" in
            DOMAIN_PROVIDED=1
        fi
        check_port_availability
        if [ "$TARGET_VERSION" != "latest" ]; then
            TARGET_VERSION="${TARGET_VERSION#v}"
        fi
@@ -861,7 +894,7 @@ case "$ACTION" in
            DL_URL="https://github.com/${REPO}/releases/download/${TARGET_VERSION}/${FILE_NAME}"
        fi
-        say "$L_I_STAGE_2"
+        say "$L_I_STAGE_3"
        TEMP_DIR="$(mktemp -d)" || die "$L_ERR_TMP_DIR"
        if [ -z "$TEMP_DIR" ] || [ ! -d "$TEMP_DIR" ]; then
            die "$L_ERR_TMP_INV"
@@ -883,7 +916,7 @@ case "$ACTION" in
            fi
        fi
-        say "$L_I_STAGE_3"
+        say "$L_I_STAGE_4"
        if ! gzip -dc "${TEMP_DIR}/${FILE_NAME}" | tar -xf - -C "$TEMP_DIR" 2>/dev/null; then
            die "$L_ERR_EXTRACT"
        fi
@@ -891,16 +924,16 @@ case "$ACTION" in
        EXTRACTED_BIN="$(find "$TEMP_DIR" -type f -name "$BIN_NAME" -print 2>/dev/null | head -n 1 || true)"
        [ -n "$EXTRACTED_BIN" ] || die "$L_ERR_BIN_NOT_FOUND"
-        say "$L_I_STAGE_4"
+        say "$L_I_STAGE_5"
        ensure_user_group; setup_dirs; stop_service
-        say "$L_I_STAGE_5"
+        say "$L_I_STAGE_6"
        install_binary "$EXTRACTED_BIN" "${INSTALL_DIR}/${BIN_NAME}"
-        say "$L_I_STAGE_6"
+        say "$L_I_STAGE_7"
        install_config
-        say "$L_I_STAGE_7"
+        say "$L_I_STAGE_8"
        install_service
        if [ "${SERVICE_START_FAILED:-0}" -eq 1 ]; then
@@ -14,6 +14,7 @@ use super::model::ApiFailure;
 #[derive(Clone, Copy, Debug, PartialEq, Eq)]
 pub(super) enum AccessSection {
    Users,
    UserEnabled,
    UserAdTags,
    UserMaxTcpConns,
    UserExpirations,
@@ -26,6 +27,7 @@ impl AccessSection {
    fn table_name(self) -> &'static str {
        match self {
            Self::Users => "access.users",
            Self::UserEnabled => "access.user_enabled",
            Self::UserAdTags => "access.user_ad_tags",
            Self::UserMaxTcpConns => "access.user_max_tcp_conns",
            Self::UserExpirations => "access.user_expirations",
@@ -135,6 +137,15 @@ fn render_access_section(cfg: &ProxyConfig, section: AccessSection) -> Result<St
                .collect();
            serialize_table_body(&rows)?
        }
        AccessSection::UserEnabled => {
            let rows: BTreeMap<String, bool> = cfg
                .access
                .user_enabled
                .iter()
                .map(|(key, value)| (key.clone(), *value))
                .collect();
            serialize_table_body(&rows)?
        }
        AccessSection::UserAdTags => {
            let rows: BTreeMap<String, String> = cfg
                .access
@@ -204,6 +215,7 @@ fn render_access_section(cfg: &ProxyConfig, section: AccessSection) -> Result<St
 fn access_section_is_empty(cfg: &ProxyConfig, section: AccessSection) -> bool {
    match section {
        AccessSection::Users => cfg.access.users.is_empty(),
        AccessSection::UserEnabled => cfg.access.user_enabled.is_empty(),
        AccessSection::UserAdTags => cfg.access.user_ad_tags.is_empty(),
        AccessSection::UserMaxTcpConns => cfg.access.user_max_tcp_conns.is_empty(),
        AccessSection::UserExpirations => cfg.access.user_expirations.is_empty(),
@@ -1,6 +1,7 @@
 use http_body_util::{BodyExt, Full};
 use hyper::StatusCode;
 use hyper::body::{Bytes, Incoming};
 use hyper::header::ALLOW;
 use serde::Serialize;
 use serde::de::DeserializeOwned;
@@ -25,6 +26,8 @@ pub(super) fn success_response<T: Serialize>(
 }
 pub(super) fn error_response(request_id: u64, failure: ApiFailure) -> hyper::Response<Full<Bytes>> {
    let status = failure.status;
    let allow = failure.allow;
    let payload = ErrorResponse {
        ok: false,
        error: ErrorBody {
@@ -40,11 +43,13 @@ pub(super) fn error_response(request_id: u64, failure: ApiFailure) -> hyper::Res
        )
        .into_bytes()
    });
-    hyper::Response::builder()
+    let mut builder = hyper::Response::builder()
-        .status(failure.status)
+        .status(status)
-        .header("content-type", "application/json; charset=utf-8")
+        .header("content-type", "application/json; charset=utf-8");
-        .body(Full::new(Bytes::from(body)))
+    if let Some(allow) = allow {
-        .unwrap()
+        builder = builder.header(ALLOW, allow);
    }
    builder.body(Full::new(Bytes::from(body))).unwrap()
 }
 pub(super) async fn read_json<T: DeserializeOwned>(
@@ -22,6 +22,7 @@ use tracing::{debug, info, warn};
 use crate::config::{ApiGrayAction, ProxyConfig};
 use crate::ip_tracker::UserIpTracker;
 use crate::proxy::route_mode::RouteRuntimeController;
 use crate::proxy::shared_state::ProxySharedState;
 use crate::startup::StartupTracker;
 use crate::stats::Stats;
 use crate::transport::UpstreamManager;
@@ -41,7 +42,9 @@ mod runtime_watch;
 mod runtime_zero;
 mod users;
-use config_store::{current_revision, load_config_from_disk, parse_if_match};
+use config_store::{
    current_revision, ensure_expected_revision, load_config_from_disk, parse_if_match,
 };
 use events::ApiEventStore;
 use http_utils::{error_response, read_json, read_optional_json, success_response};
 use model::{
@@ -49,9 +52,10 @@ use model::{
    PatchUserRequest, ResetUserQuotaResponse, RotateSecretRequest, SummaryData, UserActiveIps,
    is_valid_username,
 };
 use patch::Patch;
 use runtime_edge::{
    EdgeConnectionsCacheEntry, build_runtime_connections_summary_data,
-    build_runtime_events_recent_data,
+    build_runtime_events_recent_data, build_runtime_tls_fingerprints_data,
 };
 use runtime_init::build_runtime_initialization_data;
 use runtime_min::{
@@ -69,12 +73,17 @@ use runtime_zero::{
    build_system_info_data,
 };
 use users::{
-    build_user_quota_list, create_user, delete_user, patch_user, rotate_secret, users_from_config,
+    build_user_quota_list, create_user, delete_user, patch_user, rotate_secret, set_user_enabled,
    users_from_config,
 };
 const API_MAX_CONTROL_CONNECTIONS: usize = 1024;
 const API_HTTP_CONNECTION_TIMEOUT: Duration = Duration::from_secs(15);
 const ROUTE_USERNAME_ERROR: &str = "username must match [A-Za-z0-9_.-] and be 1..64 chars";
 const ALLOW_GET: &str = "GET";
 const ALLOW_POST: &str = "POST";
 const ALLOW_GET_POST: &str = "GET, POST";
 const ALLOW_GET_PATCH_DELETE: &str = "GET, PATCH, DELETE";
 pub(super) struct ApiRuntimeState {
    pub(super) process_started_at_epoch_secs: u64,
@@ -101,6 +110,7 @@ pub(super) struct ApiShared {
    pub(super) runtime_state: Arc<ApiRuntimeState>,
    pub(super) startup_tracker: Arc<StartupTracker>,
    pub(super) route_runtime: Arc<RouteRuntimeController>,
    pub(super) proxy_shared: Arc<ProxySharedState>,
 }
 impl ApiShared {
@@ -125,12 +135,67 @@ fn parse_route_username(user: &str) -> Result<&str, ApiFailure> {
    }
 }
 fn user_action_route_matches(path: &str, suffix: &str) -> bool {
    path.strip_prefix("/v1/users/")
        .and_then(|path| path.strip_suffix(suffix))
        .map(|user| !user.is_empty() && !user.contains('/'))
        .unwrap_or(false)
 }
 fn allowed_methods_for_path(path: &str) -> Option<&'static str> {
    match path {
        "/v1/health"
        | "/v1/health/ready"
        | "/v1/system/info"
        | "/v1/runtime/gates"
        | "/v1/runtime/initialization"
        | "/v1/limits/effective"
        | "/v1/security/posture"
        | "/v1/security/whitelist"
        | "/v1/stats/summary"
        | "/v1/stats/zero/all"
        | "/v1/stats/upstreams"
        | "/v1/stats/minimal/all"
        | "/v1/stats/me-writers"
        | "/v1/stats/dcs"
        | "/v1/runtime/me-pool-state"
        | "/v1/runtime/me_pool_state"
        | "/v1/runtime/me-quality"
        | "/v1/runtime/me_quality"
        | "/v1/runtime/upstream-quality"
        | "/v1/runtime/upstream_quality"
        | "/v1/runtime/nat-stun"
        | "/v1/runtime/nat_stun"
        | "/v1/runtime/me-selftest"
        | "/v1/runtime/connections/summary"
        | "/v1/runtime/events/recent"
        | "/v1/runtime/tls-fingerprints"
        | "/v1/stats/users/active-ips"
        | "/v1/stats/users/quota"
        | "/v1/stats/users" => Some(ALLOW_GET),
        "/v1/users" => Some(ALLOW_GET_POST),
        _ if user_action_route_matches(path, "/reset-quota") => Some(ALLOW_POST),
        _ if user_action_route_matches(path, "/rotate-secret") => Some(ALLOW_POST),
        _ if user_action_route_matches(path, "/enable") => Some(ALLOW_POST),
        _ if user_action_route_matches(path, "/disable") => Some(ALLOW_POST),
        _ if path
            .strip_prefix("/v1/users/")
            .map(|user| !user.is_empty() && !user.contains('/'))
            .unwrap_or(false) =>
        {
            Some(ALLOW_GET_PATCH_DELETE)
        }
        _ => None,
    }
 }
 pub async fn serve(
    listen: SocketAddr,
    stats: Arc<Stats>,
    ip_tracker: Arc<UserIpTracker>,
    me_pool: Arc<RwLock<Option<Arc<MePool>>>>,
    route_runtime: Arc<RouteRuntimeController>,
    proxy_shared: Arc<ProxySharedState>,
    upstream_manager: Arc<UpstreamManager>,
    config_rx: watch::Receiver<Arc<ProxyConfig>>,
    admission_rx: watch::Receiver<bool>,
@@ -180,6 +245,7 @@ pub async fn serve(
        runtime_state: runtime_state.clone(),
        startup_tracker,
        route_runtime,
        proxy_shared,
    });
    spawn_runtime_watchers(
@@ -435,22 +501,22 @@ async fn handle(
                let data = build_dcs_data(shared.as_ref(), api_cfg).await;
                Ok(success_response(StatusCode::OK, data, revision))
            }
-            ("GET", "/v1/runtime/me_pool_state") => {
+            ("GET", "/v1/runtime/me-pool-state") | ("GET", "/v1/runtime/me_pool_state") => {
                let revision = current_revision(&shared.config_path).await?;
                let data = build_runtime_me_pool_state_data(shared.as_ref()).await;
                Ok(success_response(StatusCode::OK, data, revision))
            }
-            ("GET", "/v1/runtime/me_quality") => {
+            ("GET", "/v1/runtime/me-quality") | ("GET", "/v1/runtime/me_quality") => {
                let revision = current_revision(&shared.config_path).await?;
                let data = build_runtime_me_quality_data(shared.as_ref()).await;
                Ok(success_response(StatusCode::OK, data, revision))
            }
-            ("GET", "/v1/runtime/upstream_quality") => {
+            ("GET", "/v1/runtime/upstream-quality") | ("GET", "/v1/runtime/upstream_quality") => {
                let revision = current_revision(&shared.config_path).await?;
                let data = build_runtime_upstream_quality_data(shared.as_ref()).await;
                Ok(success_response(StatusCode::OK, data, revision))
            }
-            ("GET", "/v1/runtime/nat_stun") => {
+            ("GET", "/v1/runtime/nat-stun") | ("GET", "/v1/runtime/nat_stun") => {
                let revision = current_revision(&shared.config_path).await?;
                let data = build_runtime_nat_stun_data(shared.as_ref()).await;
                Ok(success_response(StatusCode::OK, data, revision))
@@ -475,6 +541,15 @@ async fn handle(
                );
                Ok(success_response(StatusCode::OK, data, revision))
            }
            ("GET", "/v1/runtime/tls-fingerprints") => {
                let revision = current_revision(&shared.config_path).await?;
                let data = build_runtime_tls_fingerprints_data(
                    shared.as_ref(),
                    cfg.as_ref(),
                    query.as_deref(),
                );
                Ok(success_response(StatusCode::OK, data, revision))
            }
            ("GET", "/v1/stats/users/active-ips") => {
                let revision = current_revision(&shared.config_path).await?;
                let usernames: Vec<_> = cfg.access.users.keys().cloned().collect();
@@ -506,7 +581,7 @@ async fn handle(
                .await;
                Ok(success_response(StatusCode::OK, users, revision))
            }
-            ("GET", "/v1/users/quota") => {
+            ("GET", "/v1/stats/users/quota") => {
                let revision = current_revision(&shared.config_path).await?;
                let disk_cfg = load_config_from_disk(&shared.config_path).await?;
                let data = build_user_quota_list(&disk_cfg, shared.stats.as_ref());
@@ -525,6 +600,7 @@ async fn handle(
                }
                let expected_revision = parse_if_match(req.headers());
                let body = read_json::<CreateUserRequest>(req.into_body(), body_limit).await?;
                let requested_enabled = body.enabled;
                let result = create_user(body, expected_revision, &shared).await;
                let (mut data, revision) = match result {
                    Ok(ok) => ok,
@@ -537,6 +613,25 @@ async fn handle(
                };
                let runtime_cfg = config_rx.borrow().clone();
                data.user.in_runtime = runtime_cfg.access.users.contains_key(&data.user.username);
                if let Some(enabled) = requested_enabled {
                    shared
                        .proxy_shared
                        .set_user_enabled(&data.user.username, enabled);
                    if !enabled {
                        let cancelled = shared
                            .proxy_shared
                            .cancel_user_sessions(&data.user.username);
                        if cancelled > 0 {
                            shared.runtime_events.record(
                                "api.user.disable.runtime",
                                format!(
                                    "username={} cancelled_sessions={}",
                                    data.user.username, cancelled
                                ),
                            );
                        }
                    }
                }
                shared.runtime_events.record(
                    "api.user.create.ok",
                    format!("username={}", data.user.username),
@@ -549,6 +644,99 @@ async fn handle(
                Ok(success_response(status, data, revision))
            }
            _ => {
                if method == Method::POST
                    && let Some(base_user) = normalized_path
                        .strip_prefix("/v1/users/")
                        .and_then(|path| path.strip_suffix("/enable"))
                    && !base_user.is_empty()
                    && !base_user.contains('/')
                {
                    let base_user = parse_route_username(base_user)?;
                    if api_cfg.read_only {
                        return Ok(error_response(
                            request_id,
                            ApiFailure::new(
                                StatusCode::FORBIDDEN,
                                "read_only",
                                "API runs in read-only mode",
                            ),
                        ));
                    }
                    let expected_revision = parse_if_match(req.headers());
                    let result =
                        set_user_enabled(base_user, true, expected_revision, &shared).await;
                    let (mut data, revision) = match result {
                        Ok(ok) => ok,
                        Err(error) => {
                            shared.runtime_events.record(
                                "api.user.enable.failed",
                                format!("username={} code={}", base_user, error.code),
                            );
                            return Err(error);
                        }
                    };
                    let runtime_cfg = config_rx.borrow().clone();
                    data.in_runtime = runtime_cfg.access.users.contains_key(&data.username);
                    shared.proxy_shared.set_user_enabled(base_user, true);
                    shared
                        .runtime_events
                        .record("api.user.enable.ok", format!("username={}", base_user));
                    let status = if data.in_runtime {
                        StatusCode::OK
                    } else {
                        StatusCode::ACCEPTED
                    };
                    return Ok(success_response(status, data, revision));
                }
                if method == Method::POST
                    && let Some(base_user) = normalized_path
                        .strip_prefix("/v1/users/")
                        .and_then(|path| path.strip_suffix("/disable"))
                    && !base_user.is_empty()
                    && !base_user.contains('/')
                {
                    let base_user = parse_route_username(base_user)?;
                    if api_cfg.read_only {
                        return Ok(error_response(
                            request_id,
                            ApiFailure::new(
                                StatusCode::FORBIDDEN,
                                "read_only",
                                "API runs in read-only mode",
                            ),
                        ));
                    }
                    let expected_revision = parse_if_match(req.headers());
                    let result =
                        set_user_enabled(base_user, false, expected_revision, &shared).await;
                    let (mut data, revision) = match result {
                        Ok(ok) => ok,
                        Err(error) => {
                            shared.runtime_events.record(
                                "api.user.disable.failed",
                                format!("username={} code={}", base_user, error.code),
                            );
                            return Err(error);
                        }
                    };
                    let runtime_cfg = config_rx.borrow().clone();
                    data.in_runtime = runtime_cfg.access.users.contains_key(&data.username);
                    let newly_disabled = shared.proxy_shared.set_user_enabled(base_user, false);
                    let cancelled = shared.proxy_shared.cancel_user_sessions(base_user);
                    shared.runtime_events.record(
                        "api.user.disable.ok",
                        format!(
                            "username={} newly_disabled={} cancelled_sessions={}",
                            base_user, newly_disabled, cancelled
                        ),
                    );
                    let status = if data.in_runtime {
                        StatusCode::OK
                    } else {
                        StatusCode::ACCEPTED
                    };
                    return Ok(success_response(status, data, revision));
                }
                if method == Method::POST
                    && let Some(user) = normalized_path
                        .strip_prefix("/v1/users/")
@@ -567,6 +755,16 @@ async fn handle(
                            ),
                        ));
                    }
                    let expected_revision = parse_if_match(req.headers());
                    let disk_cfg = load_config_from_disk(&shared.config_path).await?;
                    ensure_expected_revision(&shared.config_path, expected_revision.as_deref())
                        .await?;
                    if !disk_cfg.access.users.contains_key(user) {
                        return Ok(error_response(
                            request_id,
                            ApiFailure::new(StatusCode::NOT_FOUND, "not_found", "User not found"),
                        ));
                    }
                    let snapshot = match crate::quota_state::reset_user_quota(
                        &shared.quota_state_path,
                        shared.stats.as_ref(),
@@ -696,6 +894,11 @@ async fn handle(
                        let expected_revision = parse_if_match(req.headers());
                        let body =
                            read_json::<PatchUserRequest>(req.into_body(), body_limit).await?;
                        let enabled_update = match &body.enabled {
                            Patch::Unchanged => None,
                            Patch::Remove => Some(true),
                            Patch::Set(enabled) => Some(*enabled),
                        };
                        let result = patch_user(user, body, expected_revision, &shared).await;
                        let (mut data, revision) = match result {
                            Ok(ok) => ok,
@@ -709,6 +912,22 @@ async fn handle(
                        };
                        let runtime_cfg = config_rx.borrow().clone();
                        data.in_runtime = runtime_cfg.access.users.contains_key(&data.username);
                        if let Some(enabled) = enabled_update {
                            shared
                                .proxy_shared
                                .set_user_enabled(&data.username, enabled);
                            if !enabled {
                                let cancelled =
                                    shared.proxy_shared.cancel_user_sessions(&data.username);
                                shared.runtime_events.record(
                                    "api.user.disable.runtime",
                                    format!(
                                        "username={} cancelled_sessions={}",
                                        data.username, cancelled
                                    ),
                                );
                            }
                        }
                        shared
                            .runtime_events
                            .record("api.user.patch.ok", format!("username={}", data.username));
@@ -742,9 +961,12 @@ async fn handle(
                                return Err(error);
                            }
                        };
-                        shared
+                        shared.proxy_shared.set_user_enabled(&deleted_user, true);
-                            .runtime_events
+                        let cancelled = shared.proxy_shared.cancel_user_sessions(&deleted_user);
-                            .record("api.user.delete.ok", format!("username={}", deleted_user));
+                        shared.runtime_events.record(
                            "api.user.delete.ok",
                            format!("username={} cancelled_sessions={}", deleted_user, cancelled),
                        );
                        let runtime_cfg = config_rx.borrow().clone();
                        let in_runtime = runtime_cfg.access.users.contains_key(&deleted_user);
                        let response = DeleteUserResponse {
@@ -761,16 +983,18 @@ async fn handle(
                    if method == Method::POST {
                        return Ok(error_response(
                            request_id,
-                            ApiFailure::new(StatusCode::NOT_FOUND, "not_found", "Route not found"),
+                            ApiFailure::method_not_allowed(ALLOW_GET_PATCH_DELETE),
                        ));
                    }
                    return Ok(error_response(
                        request_id,
-                        ApiFailure::new(
+                        ApiFailure::method_not_allowed(ALLOW_GET_PATCH_DELETE),
-                            StatusCode::METHOD_NOT_ALLOWED,
+                    ));
-                            "method_not_allowed",
+                }
-                            "Unsupported HTTP method for this route",
+                if let Some(allow) = allowed_methods_for_path(normalized_path) {
-                        ),
+                    return Ok(error_response(
                        request_id,
                        ApiFailure::method_not_allowed(allow),
                    ));
                }
                debug!(
@@ -15,6 +15,7 @@ pub(super) struct ApiFailure {
    pub(super) status: StatusCode,
    pub(super) code: &'static str,
    pub(super) message: String,
    pub(super) allow: Option<&'static str>,
 }
 impl ApiFailure {
@@ -23,6 +24,7 @@ impl ApiFailure {
            status,
            code,
            message: message.into(),
            allow: None,
        }
    }
@@ -33,6 +35,15 @@ impl ApiFailure {
    pub(super) fn bad_request(message: impl Into<String>) -> Self {
        Self::new(StatusCode::BAD_REQUEST, "bad_request", message)
    }
    pub(super) fn method_not_allowed(allow: &'static str) -> Self {
        Self {
            status: StatusCode::METHOD_NOT_ALLOWED,
            code: "method_not_allowed",
            message: "Unsupported HTTP method for this route".to_string(),
            allow: Some(allow),
        }
    }
 }
 #[derive(Serialize)]
@@ -468,6 +479,7 @@ pub(super) struct TlsDomainLink {
 #[derive(Serialize)]
 pub(super) struct UserInfo {
    pub(super) username: String,
    pub(super) enabled: bool,
    pub(super) in_runtime: bool,
    pub(super) user_ad_tag: Option<String>,
    pub(super) max_tcp_conns: Option<usize>,
@@ -534,6 +546,7 @@ pub(super) struct CreateUserRequest {
    pub(super) rate_limit_up_bps: Option<u64>,
    pub(super) rate_limit_down_bps: Option<u64>,
    pub(super) max_unique_ips: Option<usize>,
    pub(super) enabled: Option<bool>,
 }
 #[derive(Deserialize)]
@@ -553,6 +566,8 @@ pub(super) struct PatchUserRequest {
    pub(super) rate_limit_down_bps: Patch<u64>,
    #[serde(default, deserialize_with = "patch_field")]
    pub(super) max_unique_ips: Patch<usize>,
    #[serde(default, deserialize_with = "patch_field")]
    pub(super) enabled: Patch<bool>,
 }
 #[derive(Default, Deserialize)]
@@ -12,6 +12,8 @@ const FEATURE_DISABLED_REASON: &str = "feature_disabled";
 const SOURCE_UNAVAILABLE_REASON: &str = "source_unavailable";
 const EVENTS_DEFAULT_LIMIT: usize = 50;
 const EVENTS_MAX_LIMIT: usize = 1000;
 const TLS_FINGERPRINTS_MAX_LIMIT: usize = 1000;
 const RUNTIME_EDGE_RETENTION_MAX_MINUTES: u64 = 24 * 60;
 #[derive(Clone, Serialize)]
 pub(super) struct RuntimeEdgeConnectionUserData {
@@ -90,6 +92,44 @@ pub(super) struct RuntimeEdgeEventsData {
    pub(super) data: Option<RuntimeEdgeEventsPayload>,
 }
 #[derive(Serialize)]
 pub(super) struct RuntimeEdgeTlsFingerprintRow {
    #[serde(skip_serializing_if = "Option::is_none")]
    pub(super) scope: Option<String>,
    pub(super) ja3: String,
    pub(super) ja3_raw: String,
    pub(super) ja4: String,
    pub(super) ja4_raw: String,
    pub(super) total: u64,
    pub(super) auth_success: u64,
    pub(super) bad_or_probe: u64,
    pub(super) first_seen_epoch_secs: u64,
    pub(super) last_seen_epoch_secs: u64,
 }
 #[derive(Serialize)]
 pub(super) struct RuntimeEdgeTlsFingerprintsPayload {
    pub(super) limit: usize,
    pub(super) retention_secs: u64,
    pub(super) capacity: usize,
    pub(super) dropped_total: u64,
    pub(super) parse_error_total: u64,
    pub(super) by_fingerprint: Vec<RuntimeEdgeTlsFingerprintRow>,
    pub(super) by_ip: Vec<RuntimeEdgeTlsFingerprintRow>,
    pub(super) by_cidr: Vec<RuntimeEdgeTlsFingerprintRow>,
    pub(super) by_user: Vec<RuntimeEdgeTlsFingerprintRow>,
 }
 #[derive(Serialize)]
 pub(super) struct RuntimeEdgeTlsFingerprintsData {
    pub(super) enabled: bool,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub(super) reason: Option<&'static str>,
    pub(super) generated_at_epoch_secs: u64,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub(super) data: Option<RuntimeEdgeTlsFingerprintsPayload>,
 }
 pub(super) async fn build_runtime_connections_summary_data(
    shared: &ApiShared,
    cfg: &ProxyConfig,
@@ -162,6 +202,65 @@ pub(super) fn build_runtime_events_recent_data(
    }
 }
 pub(super) fn build_runtime_tls_fingerprints_data(
    shared: &ApiShared,
    cfg: &ProxyConfig,
    query: Option<&str>,
 ) -> RuntimeEdgeTlsFingerprintsData {
    let now_epoch_secs = now_epoch_secs();
    let api_cfg = &cfg.server.api;
    if !api_cfg.runtime_edge_enabled {
        return RuntimeEdgeTlsFingerprintsData {
            enabled: false,
            reason: Some(FEATURE_DISABLED_REASON),
            generated_at_epoch_secs: now_epoch_secs,
            data: None,
        };
    }
    let limit = parse_recent_events_limit(
        query,
        api_cfg.runtime_edge_top_n.max(1),
        TLS_FINGERPRINTS_MAX_LIMIT,
    );
    let snapshot = shared
        .stats
        .tls_fingerprint_snapshot(runtime_edge_retention(cfg), limit);
    RuntimeEdgeTlsFingerprintsData {
        enabled: true,
        reason: None,
        generated_at_epoch_secs: now_epoch_secs,
        data: Some(RuntimeEdgeTlsFingerprintsPayload {
            limit,
            retention_secs: snapshot.retention_secs,
            capacity: snapshot.capacity,
            dropped_total: snapshot.dropped_total,
            parse_error_total: snapshot.parse_error_total,
            by_fingerprint: snapshot
                .by_fingerprint
                .into_iter()
                .map(runtime_tls_fingerprint_row)
                .collect(),
            by_ip: snapshot
                .by_ip
                .into_iter()
                .map(runtime_tls_fingerprint_row)
                .collect(),
            by_cidr: snapshot
                .by_cidr
                .into_iter()
                .map(runtime_tls_fingerprint_row)
                .collect(),
            by_user: snapshot
                .by_user
                .into_iter()
                .map(runtime_tls_fingerprint_row)
                .collect(),
        }),
    }
 }
 async fn get_connections_payload_cached(
    shared: &ApiShared,
    cache_ttl_ms: u64,
@@ -286,6 +385,35 @@ fn parse_recent_events_limit(query: Option<&str>, default_limit: usize, max_limi
    default_limit
 }
 fn runtime_edge_retention(cfg: &ProxyConfig) -> Duration {
    let minutes = cfg
        .general
        .beobachten_minutes
        .clamp(1, RUNTIME_EDGE_RETENTION_MAX_MINUTES);
    Duration::from_secs(minutes.saturating_mul(60))
 }
 fn runtime_tls_fingerprint_row(
    row: crate::stats::TlsFingerprintSnapshotRow,
 ) -> RuntimeEdgeTlsFingerprintRow {
    RuntimeEdgeTlsFingerprintRow {
        scope: if row.scope_key.is_empty() {
            None
        } else {
            Some(row.scope_key)
        },
        ja3: row.ja3,
        ja3_raw: row.ja3_raw,
        ja4: row.ja4,
        ja4_raw: row.ja4_raw,
        total: row.total,
        auth_success: row.auth_success,
        bad_or_probe: row.bad_or_probe,
        first_seen_epoch_secs: row.first_seen_epoch_secs,
        last_seen_epoch_secs: row.last_seen_epoch_secs,
    }
 }
 fn now_epoch_secs() -> u64 {
    SystemTime::now()
        .duration_since(UNIX_EPOCH)
@@ -32,6 +32,7 @@ pub(super) async fn create_user(
    let touches_user_rate_limits =
        body.rate_limit_up_bps.is_some() || body.rate_limit_down_bps.is_some();
    let touches_user_max_unique_ips = body.max_unique_ips.is_some();
    let touches_user_enabled = matches!(body.enabled, Some(false));
    if !is_valid_username(&body.username) {
        return Err(ApiFailure::bad_request(
@@ -111,6 +112,9 @@ pub(super) async fn create_user(
            .user_max_unique_ips
            .insert(body.username.clone(), limit);
    }
    if matches!(body.enabled, Some(false)) {
        cfg.access.user_enabled.insert(body.username.clone(), false);
    }
    cfg.validate()
        .map_err(|e| ApiFailure::bad_request(format!("config validation failed: {}", e)))?;
@@ -134,6 +138,9 @@ pub(super) async fn create_user(
    if touches_user_max_unique_ips {
        touched_sections.push(AccessSection::UserMaxUniqueIps);
    }
    if touches_user_enabled {
        touched_sections.push(AccessSection::UserEnabled);
    }
    let revision =
        save_access_sections_to_disk(&shared.config_path, &cfg, &touched_sections).await?;
@@ -161,6 +168,7 @@ pub(super) async fn create_user(
        .find(|entry| entry.username == body.username)
        .unwrap_or(UserInfo {
            username: body.username.clone(),
            enabled: cfg.access.is_user_enabled(&body.username),
            in_runtime: false,
            user_ad_tag: None,
            max_tcp_conns: cfg
@@ -202,6 +210,7 @@ pub(super) async fn patch_user(
    let touches_user_rate_limits = !matches!(&body.rate_limit_up_bps, Patch::Unchanged)
        || !matches!(&body.rate_limit_down_bps, Patch::Unchanged);
    let touches_user_max_unique_ips = !matches!(&body.max_unique_ips, Patch::Unchanged);
    let touches_user_enabled = !matches!(&body.enabled, Patch::Unchanged);
    if let Some(secret) = body.secret.as_ref()
        && !is_valid_user_secret(secret)
@@ -313,6 +322,15 @@ pub(super) async fn patch_user(
            Some(Some(limit))
        }
    };
    match body.enabled {
        Patch::Unchanged => {}
        Patch::Remove | Patch::Set(true) => {
            cfg.access.user_enabled.remove(user);
        }
        Patch::Set(false) => {
            cfg.access.user_enabled.insert(user.to_string(), false);
        }
    }
    cfg.validate()
        .map_err(|e| ApiFailure::bad_request(format!("config validation failed: {}", e)))?;
@@ -339,6 +357,9 @@ pub(super) async fn patch_user(
    if touches_user_max_unique_ips {
        touched_sections.push(AccessSection::UserMaxUniqueIps);
    }
    if touches_user_enabled {
        touched_sections.push(AccessSection::UserEnabled);
    }
    let revision = if touched_sections.is_empty() {
        current_revision(&shared.config_path).await?
@@ -399,6 +420,7 @@ pub(super) async fn rotate_secret(
        .map_err(|e| ApiFailure::bad_request(format!("config validation failed: {}", e)))?;
    let touched_sections = [
        AccessSection::Users,
        AccessSection::UserEnabled,
        AccessSection::UserAdTags,
        AccessSection::UserMaxTcpConns,
        AccessSection::UserExpirations,
@@ -434,6 +456,55 @@ pub(super) async fn rotate_secret(
    ))
 }
 pub(super) async fn set_user_enabled(
    user: &str,
    enabled: bool,
    expected_revision: Option<String>,
    shared: &ApiShared,
 ) -> Result<(UserInfo, String), ApiFailure> {
    let _guard = shared.mutation_lock.lock().await;
    let mut cfg = load_config_from_disk(&shared.config_path).await?;
    ensure_expected_revision(&shared.config_path, expected_revision.as_deref()).await?;
    if !cfg.access.users.contains_key(user) {
        return Err(ApiFailure::new(
            StatusCode::NOT_FOUND,
            "not_found",
            "User not found",
        ));
    }
    if enabled {
        cfg.access.user_enabled.remove(user);
    } else {
        cfg.access.user_enabled.insert(user.to_string(), false);
    }
    cfg.validate()
        .map_err(|e| ApiFailure::bad_request(format!("config validation failed: {}", e)))?;
    let revision =
        save_access_sections_to_disk(&shared.config_path, &cfg, &[AccessSection::UserEnabled])
            .await?;
    drop(_guard);
    let (detected_ip_v4, detected_ip_v6) = shared.detected_link_ips();
    let users = users_from_config(
        &cfg,
        &shared.stats,
        &shared.ip_tracker,
        detected_ip_v4,
        detected_ip_v6,
        None,
    )
    .await;
    let user_info = users
        .into_iter()
        .find(|entry| entry.username == user)
        .ok_or_else(|| ApiFailure::internal("failed to build updated user view"))?;
    Ok((user_info, revision))
 }
 pub(super) async fn delete_user(
    user: &str,
    expected_revision: Option<String>,
@@ -459,6 +530,7 @@ pub(super) async fn delete_user(
    }
    cfg.access.users.remove(user);
    cfg.access.user_enabled.remove(user);
    cfg.access.user_ad_tags.remove(user);
    cfg.access.user_max_tcp_conns.remove(user);
    cfg.access.user_expirations.remove(user);
@@ -470,6 +542,7 @@ pub(super) async fn delete_user(
        .map_err(|e| ApiFailure::bad_request(format!("config validation failed: {}", e)))?;
    let touched_sections = [
        AccessSection::Users,
        AccessSection::UserEnabled,
        AccessSection::UserAdTags,
        AccessSection::UserMaxTcpConns,
        AccessSection::UserExpirations,
@@ -518,6 +591,7 @@ pub(super) async fn users_from_config(
            })
            .unwrap_or_else(empty_user_links);
        users.push(UserInfo {
            enabled: cfg.access.is_user_enabled(&username),
            in_runtime: runtime_cfg
                .map(|runtime| runtime.access.users.contains_key(&username))
                .unwrap_or(false),
@@ -876,6 +950,43 @@ mod tests {
        assert_eq!(alice.rate_limit_down_bps, None);
    }
    #[tokio::test]
    async fn users_from_config_reports_user_enabled_default_and_override() {
        let mut cfg = ProxyConfig::default();
        cfg.access.users.insert(
            "alice".to_string(),
            "0123456789abcdef0123456789abcdef".to_string(),
        );
        cfg.access.users.insert(
            "bob".to_string(),
            "fedcba9876543210fedcba9876543210".to_string(),
        );
        cfg.access.user_enabled.insert("bob".to_string(), false);
        let stats = Stats::new();
        let tracker = UserIpTracker::new();
        let users = users_from_config(&cfg, &stats, &tracker, None, None, None).await;
        let alice = users
            .iter()
            .find(|entry| entry.username == "alice")
            .expect("alice must be present");
        let bob = users
            .iter()
            .find(|entry| entry.username == "bob")
            .expect("bob must be present");
        assert!(alice.enabled);
        assert!(!bob.enabled);
        cfg.access.user_enabled.insert("bob".to_string(), true);
        let users = users_from_config(&cfg, &stats, &tracker, None, None, None).await;
        let bob = users
            .iter()
            .find(|entry| entry.username == "bob")
            .expect("bob must be present");
        assert!(bob.enabled);
    }
    #[tokio::test]
    async fn users_from_config_marks_runtime_membership_when_snapshot_is_provided() {
        let mut disk_cfg = ProxyConfig::default();
@@ -705,6 +705,9 @@ ignore_time_skew = false
 type = "direct"
 enabled = true
 weight = 10
 # Optional per-upstream DC family policy:
 # ipv6 = true
 # prefer = 6
 "#,
        username = username,
        secret = secret,
@@ -118,6 +118,7 @@ pub struct HotFields {
    pub me_admission_poll_ms: u64,
    pub me_warn_rate_limit_ms: u64,
    pub users: std::collections::HashMap<String, String>,
    pub user_enabled: std::collections::HashMap<String, bool>,
    pub user_ad_tags: std::collections::HashMap<String, String>,
    pub user_max_tcp_conns: std::collections::HashMap<String, usize>,
    pub user_max_tcp_conns_global_each: usize,
@@ -247,6 +248,7 @@ impl HotFields {
            me_admission_poll_ms: cfg.general.me_admission_poll_ms,
            me_warn_rate_limit_ms: cfg.general.me_warn_rate_limit_ms,
            users: cfg.access.users.clone(),
            user_enabled: cfg.access.user_enabled.clone(),
            user_ad_tags: cfg.access.user_ad_tags.clone(),
            user_max_tcp_conns: cfg.access.user_max_tcp_conns.clone(),
            user_max_tcp_conns_global_each: cfg.access.user_max_tcp_conns_global_each,
@@ -310,6 +312,7 @@ fn listeners_equal(
    lhs.iter().zip(rhs.iter()).all(|(a, b)| {
        a.ip == b.ip
            && a.port == b.port
            && a.client_mss == b.client_mss
            && a.announce == b.announce
            && a.announce_ip == b.announce_ip
            && a.proxy_protocol == b.proxy_protocol
@@ -551,6 +554,7 @@ fn overlay_hot_fields(old: &ProxyConfig, new: &ProxyConfig) -> ProxyConfig {
    cfg.general.me_warn_rate_limit_ms = new.general.me_warn_rate_limit_ms;
    cfg.access.users = new.access.users.clone();
    cfg.access.user_enabled = new.access.user_enabled.clone();
    cfg.access.user_ad_tags = new.access.user_ad_tags.clone();
    cfg.access.user_max_tcp_conns = new.access.user_max_tcp_conns.clone();
    cfg.access.user_max_tcp_conns_global_each = new.access.user_max_tcp_conns_global_each;
@@ -605,6 +609,7 @@ fn warn_non_hot_changes(old: &ProxyConfig, new: &ProxyConfig, non_hot_changed: b
        || old.server.listen_addr_ipv4 != new.server.listen_addr_ipv4
        || old.server.listen_addr_ipv6 != new.server.listen_addr_ipv6
        || old.server.listen_tcp != new.server.listen_tcp
        || old.server.client_mss != new.server.client_mss
        || old.server.listen_unix_sock != new.server.listen_unix_sock
        || old.server.listen_unix_sock_perm != new.server.listen_unix_sock_perm
    {
@@ -1178,6 +1183,16 @@ fn log_changes(
        }
    }
    if old_hot.user_enabled != new_hot.user_enabled {
        info!(
            "config reload: user_enabled updated ({} disabled overrides)",
            new_hot
                .user_enabled
                .values()
                .filter(|enabled| !**enabled)
                .count()
        );
    }
    if old_hot.user_max_tcp_conns != new_hot.user_max_tcp_conns {
        info!(
            "config reload: user_max_tcp_conns updated ({} entries)",
@@ -299,6 +299,7 @@ const SERVER_CONFIG_KEYS: &[&str] = &[
    "listen_unix_sock",
    "listen_unix_sock_perm",
    "listen_tcp",
    "client_mss",
    "proxy_protocol",
    "proxy_protocol_header_timeout_ms",
    "proxy_protocol_trusted_cidrs",
@@ -344,6 +345,7 @@ const CONNTRACK_CONTROL_CONFIG_KEYS: &[&str] = &[
 const LISTENER_CONFIG_KEYS: &[&str] = &[
    "ip",
    "port",
    "client_mss",
    "announce",
    "announce_ip",
    "proxy_protocol",
@@ -411,6 +413,7 @@ const TLS_FETCH_CONFIG_KEYS: &[&str] = &[
 const ACCESS_CONFIG_KEYS: &[&str] = &[
    "users",
    "user_enabled",
    "user_ad_tags",
    "user_max_tcp_conns",
    "user_max_tcp_conns_global_each",
@@ -1006,6 +1009,14 @@ fn validate_upstreams(config: &ProxyConfig) -> Result<()> {
                "upstream.ipv4 and upstream.ipv6 cannot both be false".to_string(),
            ));
        }
        if let Some(prefer) = upstream.prefer
            && prefer != 4
            && prefer != 6
        {
            return Err(ProxyError::Config(
                "upstream.prefer must be 4 or 6".to_string(),
            ));
        }
        if let UpstreamType::Shadowsocks { url, .. } = &upstream.upstream_type {
            let parsed = ShadowsocksServerConfig::from_url(url)
@@ -1021,6 +1032,26 @@ fn validate_upstreams(config: &ProxyConfig) -> Result<()> {
    Ok(())
 }
 fn normalize_upstream_family_policy(config: &mut ProxyConfig) {
    for (idx, upstream) in config.upstreams.iter_mut().enumerate() {
        if matches!(upstream.ipv4, Some(false)) && upstream.prefer == Some(4) {
            warn!(
                upstream = idx,
                "upstream.prefer=4 but upstream.ipv4=false; forcing prefer=6"
            );
            upstream.prefer = Some(6);
        }
        if matches!(upstream.ipv6, Some(false)) && upstream.prefer == Some(6) {
            warn!(
                upstream = idx,
                "upstream.prefer=6 but upstream.ipv6=false; forcing prefer=4"
            );
            upstream.prefer = Some(4);
        }
    }
 }
 // ============= Main Config =============
 #[derive(Debug, Clone, Serialize, Deserialize, Default)]
@@ -1904,6 +1935,20 @@ impl ProxyConfig {
            ));
        }
        config
            .server
            .client_mss_value()
            .map_err(|error| ProxyError::Config(format!("server.client_mss {error}")))?;
        for (idx, listener) in config.server.listeners.iter().enumerate() {
            if listener.client_mss.is_some() {
                listener
                    .effective_client_mss(&config.server)
                    .map_err(|error| {
                        ProxyError::Config(format!("server.listeners[{idx}].client_mss {error}"))
                    })?;
            }
        }
        if config.server.accept_permit_timeout_ms > 60_000 {
            return Err(ProxyError::Config(
                "server.accept_permit_timeout_ms must be within [0, 60000]".to_string(),
@@ -2144,6 +2189,7 @@ impl ProxyConfig {
                config.server.listeners.push(ListenerConfig {
                    ip: ipv4,
                    port: Some(config.server.port),
                    client_mss: None,
                    announce: None,
                    announce_ip: None,
                    proxy_protocol: None,
@@ -2156,6 +2202,7 @@ impl ProxyConfig {
                config.server.listeners.push(ListenerConfig {
                    ip: ipv6,
                    port: Some(config.server.port),
                    client_mss: None,
                    announce: None,
                    announce_ip: None,
                    proxy_protocol: None,
@@ -2199,8 +2246,10 @@ impl ProxyConfig {
                selected_scope: String::new(),
                ipv4: None,
                ipv6: None,
                prefer: None,
            });
        }
        normalize_upstream_family_policy(&mut config);
        // Ensure default DC203 override is present.
        config
@@ -2429,6 +2478,7 @@ mod tests {
        assert_eq!(cfg.general.update_every, default_update_every());
        assert_eq!(cfg.server.listen_addr_ipv4, default_listen_addr_ipv4());
        assert_eq!(cfg.server.listen_addr_ipv6, default_listen_addr_ipv6_opt());
        assert_eq!(cfg.server.client_mss_value(), Ok(None));
        assert_eq!(
            cfg.server.proxy_protocol_trusted_cidrs,
            default_proxy_protocol_trusted_cidrs()
@@ -3756,6 +3806,153 @@ mod tests {
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn client_mss_presets_and_listener_override_are_resolved() {
        let toml = r#"
            [server]
            client_mss = "tspu"
            [[server.listeners]]
            ip = "127.0.0.1"
            port = 1443
            [[server.listeners]]
            ip = "127.0.0.2"
            port = 1444
            client_mss = "2in8"
            [[server.listeners]]
            ip = "127.0.0.3"
            port = 1445
            client_mss = ""
            [[server.listeners]]
            ip = "127.0.0.4"
            port = 1446
            client_mss = "extreme-low"
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_client_mss_valid_test.toml");
        std::fs::write(&path, toml).unwrap();
        let cfg = ProxyConfig::load(&path).unwrap();
        assert_eq!(cfg.server.client_mss_value(), Ok(Some(92)));
        assert_eq!(
            cfg.server.listeners[0].effective_client_mss(&cfg.server),
            Ok(Some(92))
        );
        assert_eq!(
            cfg.server.listeners[1].effective_client_mss(&cfg.server),
            Ok(Some(256))
        );
        assert_eq!(
            cfg.server.listeners[2].effective_client_mss(&cfg.server),
            Ok(None)
        );
        assert_eq!(
            cfg.server.listeners[3].effective_client_mss(&cfg.server),
            Ok(Some(88))
        );
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn client_mss_custom_value_is_accepted() {
        let toml = r#"
            [server]
            client_mss = "4096"
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_client_mss_custom_valid_test.toml");
        std::fs::write(&path, toml).unwrap();
        let cfg = ProxyConfig::load(&path).unwrap();
        assert_eq!(cfg.server.client_mss_value(), Ok(Some(4096)));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn client_mss_out_of_range_is_rejected() {
        for value in ["87", "4097"] {
            let toml = format!(
                r#"
                [server]
                client_mss = "{value}"
                [censorship]
                tls_domain = "example.com"
                [access.users]
                user = "00000000000000000000000000000000"
            "#
            );
            let dir = std::env::temp_dir();
            let path = dir.join(format!("telemt_client_mss_out_of_range_{value}_test.toml"));
            std::fs::write(&path, toml).unwrap();
            let err = ProxyConfig::load(&path).unwrap_err().to_string();
            assert!(err.contains("server.client_mss custom value must be within [88, 4096]"));
            let _ = std::fs::remove_file(path);
        }
    }
    #[test]
    fn client_mss_unquoted_number_is_rejected() {
        let toml = r#"
            [server]
            client_mss = 256
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_client_mss_unquoted_number_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("client_mss"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn listener_client_mss_invalid_preset_is_rejected() {
        let toml = r#"
            [[server.listeners]]
            ip = "127.0.0.1"
            port = 1443
            client_mss = "tiny"
            [censorship]
            tls_domain = "example.com"
            [access.users]
            user = "00000000000000000000000000000000"
        "#;
        let dir = std::env::temp_dir();
        let path = dir.join("telemt_listener_client_mss_invalid_test.toml");
        std::fs::write(&path, toml).unwrap();
        let err = ProxyConfig::load(&path).unwrap_err().to_string();
        assert!(err.contains("server.listeners[0].client_mss"));
        assert!(err.contains("must be \"\", extreme-low, tspu, 2in8"));
        let _ = std::fs::remove_file(path);
    }
    #[test]
    fn api_runtime_edge_cache_ttl_out_of_range_is_rejected() {
        let toml = r#"
@@ -1,14 +1,21 @@
 use super::*;
 use std::fs;
 use std::path::PathBuf;
 use std::sync::atomic::{AtomicU64, Ordering};
 use std::time::{SystemTime, UNIX_EPOCH};
 static TEMP_CONFIG_COUNTER: AtomicU64 = AtomicU64::new(0);
 fn write_temp_config(contents: &str) -> PathBuf {
    let nonce = SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .expect("system time must be after unix epoch")
        .as_nanos();
-    let path = std::env::temp_dir().join(format!("telemt-load-mask-shape-security-{nonce}.toml"));
+    let seq = TEMP_CONFIG_COUNTER.fetch_add(1, Ordering::Relaxed);
    let pid = std::process::id();
    let path = std::env::temp_dir().join(format!(
        "telemt-load-mask-shape-security-{pid}-{seq}-{nonce}.toml"
    ));
    fs::write(&path, contents).expect("temp config write must succeed");
    path
 }
@@ -1451,6 +1451,11 @@ pub struct ServerConfig {
    #[serde(default)]
    pub listen_tcp: Option<bool>,
    /// Client-facing TCP MSS preset or custom value for all TCP listeners.
    /// Empty string or omitted value keeps the kernel default.
    #[serde(default)]
    pub client_mss: Option<String>,
    /// Accept HAProxy PROXY protocol headers on incoming connections.
    /// When enabled, real client IPs are extracted from PROXY v1/v2 headers.
    #[serde(default)]
@@ -1517,6 +1522,7 @@ impl Default for ServerConfig {
            listen_unix_sock: None,
            listen_unix_sock_perm: None,
            listen_tcp: None,
            client_mss: None,
            proxy_protocol: false,
            proxy_protocol_header_timeout_ms: default_proxy_protocol_header_timeout_ms(),
            proxy_protocol_trusted_cidrs: default_proxy_protocol_trusted_cidrs(),
@@ -1892,6 +1898,9 @@ pub struct AccessConfig {
    #[serde(default = "default_access_users")]
    pub users: HashMap<String, String>,
    #[serde(default)]
    pub user_enabled: HashMap<String, bool>,
    /// Per-user ad_tag (32 hex chars from @MTProxybot).
    #[serde(default)]
    pub user_ad_tags: HashMap<String, String>,
@@ -1963,6 +1972,7 @@ impl Default for AccessConfig {
    fn default() -> Self {
        Self {
            users: default_access_users(),
            user_enabled: HashMap::new(),
            user_ad_tags: HashMap::new(),
            user_max_tcp_conns: HashMap::new(),
            user_max_tcp_conns_global_each: default_user_max_tcp_conns_global_each(),
@@ -1983,6 +1993,10 @@ impl Default for AccessConfig {
 }
 impl AccessConfig {
    pub fn is_user_enabled(&self, username: &str) -> bool {
        self.user_enabled.get(username).copied().unwrap_or(true)
    }
    /// Returns true if `ip` is contained in any CIDR listed for `username` under `user_source_deny`.
    pub fn is_user_source_ip_denied(&self, username: &str, ip: IpAddr) -> bool {
        self.user_source_deny
@@ -2057,6 +2071,20 @@ pub struct UpstreamConfig {
    /// `None` means auto-detect from runtime connectivity state.
    #[serde(default)]
    pub ipv6: Option<bool>,
    /// Per-upstream IP family preference for Telegram DC targets.
    /// `None` inherits the effective global `[network].prefer` decision.
    #[serde(default)]
    pub prefer: Option<u8>,
 }
 impl UpstreamConfig {
    pub fn prefer_ipv6(&self, default_prefer_ipv6: bool) -> bool {
        match self.prefer {
            Some(6) => true,
            Some(4) => false,
            _ => default_prefer_ipv6,
        }
    }
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -2065,6 +2093,10 @@ pub struct ListenerConfig {
    /// Per-listener TCP port. If omitted, falls back to legacy `server.port`.
    #[serde(default)]
    pub port: Option<u16>,
    /// Per-listener client-facing TCP MSS preset or custom value.
    /// Empty string disables MSS shaping for this listener.
    #[serde(default)]
    pub client_mss: Option<String>,
    /// IP address or hostname to announce in proxy links.
    /// Takes precedence over `announce_ip` if both are set.
    #[serde(default)]
@@ -2082,6 +2114,64 @@ pub struct ListenerConfig {
    pub reuse_allow: bool,
 }
 /// Client-facing TCP MSS preset for extreme-low fragmentation profiles.
 pub const CLIENT_MSS_EXTREME_LOW: u16 = 88;
 /// Client-facing TCP MSS preset matching TSPU-oriented deployments.
 pub const CLIENT_MSS_TSPU: u16 = 92;
 /// Client-facing TCP MSS preset for 2-in-8 segment shaping.
 pub const CLIENT_MSS_2IN8: u16 = 256;
 /// Minimum accepted custom client-facing TCP MSS value.
 pub const CLIENT_MSS_MIN: u16 = CLIENT_MSS_EXTREME_LOW;
 /// Maximum accepted custom client-facing TCP MSS value.
 pub const CLIENT_MSS_MAX: u16 = 4096;
 impl ServerConfig {
    /// Resolves the global client-facing TCP MSS setting.
    pub fn client_mss_value(&self) -> std::result::Result<Option<u16>, String> {
        parse_client_mss(self.client_mss.as_deref())
    }
 }
 impl ListenerConfig {
    /// Resolves the listener MSS override, falling back to the global server value.
    pub fn effective_client_mss(
        &self,
        server: &ServerConfig,
    ) -> std::result::Result<Option<u16>, String> {
        match self.client_mss.as_deref() {
            Some(value) => parse_client_mss(Some(value)),
            None => server.client_mss_value(),
        }
    }
 }
 fn parse_client_mss(raw: Option<&str>) -> std::result::Result<Option<u16>, String> {
    let Some(raw) = raw else {
        return Ok(None);
    };
    let value = raw.trim();
    if value.is_empty() {
        return Ok(None);
    }
    match value.to_ascii_lowercase().as_str() {
        "extreme-low" => return Ok(Some(CLIENT_MSS_EXTREME_LOW)),
        "tspu" => return Ok(Some(CLIENT_MSS_TSPU)),
        "2in8" => return Ok(Some(CLIENT_MSS_2IN8)),
        _ => {}
    }
    let parsed = value
        .parse::<u16>()
        .map_err(|_| "must be \"\", extreme-low, tspu, 2in8, or a decimal value".to_string())?;
    if !(CLIENT_MSS_MIN..=CLIENT_MSS_MAX).contains(&parsed) {
        return Err(format!(
            "custom value must be within [{CLIENT_MSS_MIN}, {CLIENT_MSS_MAX}]"
        ));
    }
    Ok(Some(parsed))
 }
 // ============= ShowLink =============
 /// Controls which users' proxy links are displayed at startup.
@@ -705,7 +705,7 @@ fn nofile_soft_limit() -> Option<u64> {
        if rc != 0 {
            return None;
        }
-        return Some(lim.rlim_cur);
+        return Some(lim.rlim_cur.into());
    }
    #[cfg(not(target_os = "linux"))]
    {
@@ -245,6 +245,9 @@ pub enum ProxyError {
    InvalidSecret { user: String, reason: String },
    // ============= User Errors =============
    #[error("User {user} disabled")]
    UserDisabled { user: String },
    #[error("User {user} expired")]
    UserExpired { user: String },
@@ -147,7 +147,7 @@ pub(crate) async fn run_startup_connectivity(
            .any(|r| r.rtt_ms.is_some());
        if upstream_result.both_available {
-            if prefer_ipv6 {
+            if upstream_result.prefer_ipv6 {
                info!("  IPv6 in use / IPv4 is fallback");
            } else {
                info!("  IPv4 in use / IPv6 is fallback");
@@ -1,6 +1,7 @@
 #![allow(clippy::items_after_test_module)]
 use std::path::{Path, PathBuf};
 use std::sync::atomic::{AtomicBool, Ordering};
 use std::time::Duration;
 use tokio::sync::watch;
@@ -18,8 +19,27 @@ use crate::transport::middle_proxy::{
 const MAESTRO_COLOR: &str = "\x1b[92m";
 const COLOR_RESET: &str = "\x1b[0m";
 static MAESTRO_COLORS_ENABLED: AtomicBool = AtomicBool::new(true);
 /// Enables or disables ANSI color in direct MAESTRO status lines.
 pub(crate) fn set_maestro_colors_enabled(enabled: bool) {
    MAESTRO_COLORS_ENABLED.store(enabled, Ordering::Relaxed);
 }
 fn format_maestro_line(message: impl AsRef<str>, colors_enabled: bool) -> String {
    if colors_enabled {
        format!("{MAESTRO_COLOR}MAESTRO{COLOR_RESET}: {}", message.as_ref())
    } else {
        format!("MAESTRO: {}", message.as_ref())
    }
 }
 /// Prints a direct MAESTRO status line outside the tracing subscriber.
 pub(crate) fn print_maestro_line(message: impl AsRef<str>) {
-    eprintln!("{MAESTRO_COLOR}MAESTRO{COLOR_RESET}: {}", message.as_ref());
+    eprintln!(
        "{}",
        format_maestro_line(message, MAESTRO_COLORS_ENABLED.load(Ordering::Relaxed))
    );
 }
 pub(crate) fn resolve_runtime_config_path(
@@ -274,11 +294,24 @@ mod tests {
    use std::path::{Path, PathBuf};
    use super::{
-        expected_handshake_close_description, is_expected_handshake_eof, peer_close_description,
+        expected_handshake_close_description, format_maestro_line, is_expected_handshake_eof,
-        resolve_runtime_base_dir, resolve_runtime_config_path,
+        peer_close_description, resolve_runtime_base_dir, resolve_runtime_config_path,
    };
    use crate::error::{ProxyError, StreamError};
    #[test]
    fn maestro_line_formatter_respects_disabled_colors() {
        let plain = format_maestro_line("boot", false);
        assert_eq!(plain, "MAESTRO: boot");
        assert!(!plain.contains('\x1b'));
    }
    #[test]
    fn maestro_line_formatter_keeps_color_when_enabled() {
        let colored = format_maestro_line("boot", true);
        assert!(colored.contains("\x1b[92mMAESTRO\x1b[0m"));
    }
    #[test]
    fn resolve_runtime_config_path_anchors_relative_to_startup_cwd() {
        let nonce = std::time::SystemTime::now()
@@ -47,6 +47,10 @@ fn default_link_port(config: &ProxyConfig) -> u16 {
        .unwrap_or(config.server.port)
 }
 fn mss_segment_multiplier(client_mss: u16) -> u16 {
    1460u16.div_ceil(client_mss)
 }
 #[allow(clippy::too_many_arguments)]
 pub(crate) async fn bind_listeners(
    config: &Arc<ProxyConfig>,
@@ -90,10 +94,22 @@ pub(crate) async fn bind_listeners(
            warn!(%addr, "Skipping IPv6 listener: IPv6 disabled by [network]");
            continue;
        }
        let client_mss = match listener_conf.effective_client_mss(&config.server) {
            Ok(value) => value,
            Err(error) => {
                warn!(
                    %addr,
                    error = %error,
                    "Invalid listener client MSS after config validation; using kernel default"
                );
                None
            }
        };
        let options = ListenOptions {
            reuse_port: listener_conf.reuse_allow,
            ipv6_only: listener_conf.ip.is_ipv6(),
            backlog: config.server.listen_backlog,
            client_mss,
            ..Default::default()
        };
@@ -101,6 +117,14 @@ pub(crate) async fn bind_listeners(
            Ok(socket) => {
                let listener = TcpListener::from_std(socket.into())?;
                info!("Listening on {}", addr);
                if let Some(client_mss) = client_mss {
                    info!(
                        %addr,
                        client_mss,
                        segment_multiplier = mss_segment_multiplier(client_mss),
                        "Client-facing TCP MSS configured"
                    );
                }
                let listener_proxy_protocol = listener_conf
                    .proxy_protocol
                    .unwrap_or(config.server.proxy_protocol);
@@ -49,6 +49,7 @@ use crate::transport::UpstreamManager;
 use crate::transport::middle_proxy::MePool;
 use helpers::{
    parse_cli, print_maestro_line, resolve_runtime_base_dir, resolve_runtime_config_path,
    set_maestro_colors_enabled,
 };
 #[cfg(unix)]
@@ -314,6 +315,7 @@ async fn run_telemt_core(
        eprintln!("[telemt] Invalid network.dns_overrides: {}", e);
        std::process::exit(1);
    }
    set_maestro_colors_enabled(!config.general.disable_colors);
    startup_tracker
        .complete_component(COMPONENT_CONFIG_LOAD, Some("config is ready".to_string()))
        .await;
@@ -462,6 +464,12 @@ async fn run_telemt_core(
            config.network.dns_overrides.len()
        );
    }
    let shared_state = ProxySharedState::new();
    shared_state.apply_user_enabled_config(&config.access.user_enabled);
    shared_state.traffic_limiter.apply_policy(
        config.access.user_rate_limits.clone(),
        config.access.cidr_rate_limits.clone(),
    );
    let (api_config_tx, api_config_rx) = watch::channel(Arc::new(config.clone()));
    let (detected_ips_tx, detected_ips_rx) = watch::channel((None::<IpAddr>, None::<IpAddr>));
@@ -500,6 +508,7 @@ async fn run_telemt_core(
            let me_pool_api = api_me_pool.clone();
            let upstream_manager_api = upstream_manager.clone();
            let route_runtime_api = route_runtime.clone();
            let proxy_shared_api = shared_state.clone();
            let config_rx_api = api_config_rx.clone();
            let admission_rx_api = admission_rx.clone();
            let config_path_api = config_path.clone();
@@ -513,6 +522,7 @@ async fn run_telemt_core(
                    ip_tracker_api,
                    me_pool_api,
                    route_runtime_api,
                    proxy_shared_api,
                    upstream_manager_api,
                    config_rx_api,
                    admission_rx_api,
@@ -730,11 +740,6 @@ async fn run_telemt_core(
    ));
    let buffer_pool = Arc::new(BufferPool::with_config(64 * 1024, 4096));
    let shared_state = ProxySharedState::new();
    shared_state.traffic_limiter.apply_policy(
        config.access.user_rate_limits.clone(),
        config.access.cidr_rate_limits.clone(),
    );
    if direct_first_startup {
        startup_tracker
@@ -3,7 +3,7 @@ use std::path::Path;
 use std::sync::Arc;
 use tokio::sync::{mpsc, watch};
-use tracing::{debug, warn};
+use tracing::{debug, info, warn};
 use tracing_subscriber::EnvFilter;
 use tracing_subscriber::reload;
@@ -234,6 +234,27 @@ pub(crate) async fn spawn_runtime_tasks(
        }
    });
    let shared_user_enabled = shared_state.clone();
    let mut config_rx_user_enabled = config_rx.clone();
    tokio::spawn(async move {
        loop {
            if config_rx_user_enabled.changed().await.is_err() {
                break;
            }
            let cfg = config_rx_user_enabled.borrow_and_update().clone();
            for user in shared_user_enabled.apply_user_enabled_config(&cfg.access.user_enabled) {
                let cancelled = shared_user_enabled.cancel_user_sessions(&user);
                if cancelled > 0 {
                    info!(
                        user = %user,
                        cancelled,
                        "Disabled user sessions cancelled after config reload"
                    );
                }
            }
        }
    });
    let beobachten_writer = beobachten.clone();
    let config_rx_beobachten = config_rx.clone();
    tokio::spawn(async move {
@@ -55,8 +55,10 @@ pub async fn serve(
                return;
            }
        };
-        let is_ipv6 = addr.is_ipv6();
+        // Match `server.api.listen`: `[::]:port` is a dual-stack wildcard
-        match bind_metrics_listener(addr, is_ipv6, listen_backlog) {
+        // on Linux when `net.ipv6.bindv6only=0`.
        let ipv6_only = addr.is_ipv6() && !addr.ip().is_unspecified();
        match bind_metrics_listener(addr, ipv6_only, listen_backlog) {
            Ok(listener) => {
                info!("Metrics endpoint: http://{}/metrics and /beobachten", addr);
                serve_listener(
@@ -286,7 +288,7 @@ async fn handle<B>(
    }
    if req.uri().path() == "/beobachten" {
-        let body = render_beobachten(beobachten, config);
+        let body = render_beobachten(stats, beobachten, config);
        let resp = Response::builder()
            .status(StatusCode::OK)
            .header("content-type", "text/plain; charset=utf-8")
@@ -302,13 +304,22 @@ async fn handle<B>(
    Ok(resp)
 }
-fn render_beobachten(beobachten: &BeobachtenStore, config: &ProxyConfig) -> String {
+fn render_beobachten(stats: &Stats, beobachten: &BeobachtenStore, config: &ProxyConfig) -> String {
    if !config.general.beobachten {
        return "beobachten disabled\n".to_string();
    }
    let ttl = Duration::from_secs(config.general.beobachten_minutes.saturating_mul(60));
-    beobachten.snapshot_text(ttl)
+    let mut body = beobachten.snapshot_text(ttl);
    let tls_text = stats.tls_fingerprint_snapshot_text(ttl, 20);
    if !tls_text.is_empty() {
        if !body.ends_with('\n') {
            body.push('\n');
        }
        body.push('\n');
        body.push_str(&tls_text);
    }
    body
 }
 fn tls_front_domains(config: &ProxyConfig) -> Vec<String> {
@@ -4,6 +4,7 @@ pub mod constants;
 pub mod frame;
 pub mod obfuscation;
 pub mod tls;
 pub mod tls_fingerprint;
 #[allow(unused_imports)]
 pub use constants::*;
@@ -13,3 +14,5 @@ pub use frame::*;
 pub use obfuscation::*;
 #[allow(unused_imports)]
 pub use tls::*;
 #[allow(unused_imports)]
 pub use tls_fingerprint::*;
@@ -1385,6 +1385,7 @@ fn emulated_server_hello_never_places_alpn_in_server_hello_extensions() {
        false,
        true,
        ClientHelloTlsVersion::Tls13,
        [0x13, 0x01],
        &rng,
        Some(b"h2".to_vec()),
        0,
@@ -1509,12 +1510,22 @@ fn test_validate_tls_handshake_format() {
 }
 fn build_client_hello_with_exts(exts: Vec<(u16, Vec<u8>)>, host: &str) -> Vec<u8> {
    build_client_hello_with_ciphers_and_exts(&[[0x13, 0x01]], exts, host)
 }
 fn build_client_hello_with_ciphers_and_exts(
    cipher_suites: &[[u8; 2]],
    exts: Vec<(u16, Vec<u8>)>,
    host: &str,
 ) -> Vec<u8> {
    let mut body = Vec::new();
    body.extend_from_slice(&TLS_VERSION);
    body.extend_from_slice(&[0u8; 32]);
    body.push(0);
-    body.extend_from_slice(&2u16.to_be_bytes());
+    body.extend_from_slice(&((cipher_suites.len() * 2) as u16).to_be_bytes());
-    body.extend_from_slice(&[0x13, 0x01]);
+    for suite in cipher_suites {
        body.extend_from_slice(suite);
    }
    body.push(1);
    body.push(0);
@@ -1654,6 +1665,52 @@ fn detect_client_hello_tls_version_rejects_malformed_supported_versions() {
    assert!(detect_client_hello_tls_version(&ch).is_none());
 }
 #[test]
 fn select_server_hello_cipher_suite_keeps_profile_cipher_when_offered() {
    let ch = build_client_hello_with_ciphers_and_exts(
        &[[0x13, 0x01], [0x13, 0x03]],
        Vec::new(),
        "example.com",
    );
    assert_eq!(
        select_server_hello_cipher_suite(&ch, [0x13, 0x03]),
        [0x13, 0x03]
    );
 }
 #[test]
 fn select_server_hello_cipher_suite_ignores_profile_tls12_cipher() {
    let ch = build_client_hello_with_ciphers_and_exts(
        &[[0xc0, 0x2f], [0x13, 0x03]],
        Vec::new(),
        "example.com",
    );
    assert_eq!(
        select_server_hello_cipher_suite(&ch, [0xc0, 0x2f]),
        [0x13, 0x03]
    );
 }
 #[test]
 fn select_server_hello_cipher_suite_falls_back_to_offered_tls13_suite() {
    let ch = build_client_hello_with_ciphers_and_exts(&[[0x13, 0x03]], Vec::new(), "example.com");
    assert_eq!(
        select_server_hello_cipher_suite(&ch, [0x13, 0x01]),
        [0x13, 0x03]
    );
 }
 #[test]
 fn select_server_hello_cipher_suite_keeps_preferred_for_malformed_clienthello() {
    let mut ch =
        build_client_hello_with_ciphers_and_exts(&[[0x13, 0x03]], Vec::new(), "example.com");
    ch.truncate(12);
    assert_eq!(
        select_server_hello_cipher_suite(&ch, [0x13, 0x01]),
        [0x13, 0x01]
    );
 }
 #[test]
 fn extract_sni_rejects_zero_length_host_name() {
    let mut sni_ext = Vec::new();
@@ -2179,7 +2236,7 @@ fn light_fuzz_boot_time_timestamp_matrix_with_short_replay_window_obeys_boot_cap
 }
 #[test]
-fn server_hello_application_data_contains_alpn_marker_when_selected() {
+fn server_hello_application_data_omits_alpn_marker_when_selected() {
    let secret = b"alpn_marker_test";
    let client_digest = [0x55u8; TLS_DIGEST_LEN];
    let session_id = vec![0xAB; 32];
@@ -2206,8 +2263,8 @@ fn server_hello_application_data_contains_alpn_marker_when_selected() {
    assert!(
        app_payload
            .windows(expected.len())
-            .any(|window| window == expected),
+            .all(|window| window != expected),
-        "first application payload must carry ALPN marker for selected protocol"
+        "first application payload must not expose plaintext ALPN marker bytes"
    );
 }
@@ -2303,14 +2360,14 @@ fn server_hello_ignores_oversized_alpn_when_marker_would_not_fit() {
 }
 #[test]
-fn server_hello_embeds_full_alpn_marker_when_it_exactly_fits_fake_cert_len() {
+fn server_hello_omits_alpn_marker_even_when_it_would_fit_fake_cert_len() {
    let secret = b"alpn_exact_fit_test";
    let client_digest = [0x58u8; TLS_DIGEST_LEN];
    let session_id = vec![0xA5; 32];
    let rng = crate::crypto::SecureRandom::new();
    let proto = vec![b'z'; 57];
-    // marker_len = 4 + (2 + (1 + proto_len)) = 7 + proto_len = 64
+    // marker_len = 4 + (2 + (1 + proto_len)) = 7 + proto_len = 64.
    let response = build_server_hello(
        secret,
        &client_digest,
@@ -2336,7 +2393,7 @@ fn server_hello_embeds_full_alpn_marker_when_it_exactly_fits_fake_cert_len() {
    expected_marker.extend_from_slice(&proto);
    assert_eq!(app_payload.len(), expected_marker.len());
-    assert_eq!(app_payload, expected_marker.as_slice());
+    assert_ne!(app_payload, expected_marker.as_slice());
 }
 #[test]
@@ -105,6 +105,8 @@ mod extension_type {
 /// TLS Cipher Suites
 mod cipher_suite {
    pub const TLS_AES_128_GCM_SHA256: [u8; 2] = [0x13, 0x01];
    pub const TLS_AES_256_GCM_SHA384: [u8; 2] = [0x13, 0x02];
    pub const TLS_CHACHA20_POLY1305_SHA256: [u8; 2] = [0x13, 0x03];
 }
 /// TLS Named Curves
@@ -241,6 +243,13 @@ impl ServerHelloBuilder {
        self
    }
    fn with_cipher_suite(mut self, cipher_suite: [u8; 2]) -> Self {
        if cipher_suite != [0, 0] {
            self.cipher_suite = cipher_suite;
        }
        self
    }
    /// Build ServerHello message (without record header)
    fn build_message(&self) -> Vec<u8> {
        let Ok(session_id_len) = u8::try_from(self.session_id.len()) else {
@@ -520,6 +529,33 @@ pub fn build_server_hello(
    rng: &SecureRandom,
    alpn: Option<Vec<u8>>,
    new_session_tickets: u8,
 ) -> Vec<u8> {
    build_server_hello_with_cipher(
        secret,
        client_digest,
        session_id,
        fake_cert_len,
        rng,
        cipher_suite::TLS_AES_128_GCM_SHA256,
        alpn,
        new_session_tickets,
    )
 }
 /// Build TLS ServerHello response with a caller-selected cipher suite.
 ///
 /// The caller is responsible for selecting a suite that is compatible with the
 /// already-authenticated ClientHello. Keeping the selection outside this
 /// builder avoids extra ClientHello parsing in the response construction path.
 pub(crate) fn build_server_hello_with_cipher(
    secret: &[u8],
    client_digest: &[u8; TLS_DIGEST_LEN],
    session_id: &[u8],
    fake_cert_len: usize,
    rng: &SecureRandom,
    selected_cipher_suite: [u8; 2],
    alpn: Option<Vec<u8>>,
    new_session_tickets: u8,
 ) -> Vec<u8> {
    const MIN_APP_DATA: usize = 64;
    const MAX_APP_DATA: usize = MAX_TLS_CIPHERTEXT_SIZE;
@@ -528,6 +564,7 @@ pub fn build_server_hello(
    // Build ServerHello
    let server_hello = ServerHelloBuilder::new(session_id.to_vec())
        .with_cipher_suite(selected_cipher_suite)
        .with_x25519_key(&x25519_key)
        .with_tls13_version()
        .build_record();
@@ -538,28 +575,14 @@ pub fn build_server_hello(
        TLS_VERSION[0],
        TLS_VERSION[1],
        0x00,
-        0x01, // length = 1
+        0x01,
-        0x01, // CCS byte
+        0x01,
    ];
    // Build first encrypted flight mimic as opaque ApplicationData bytes.
-    // Embed a compact EncryptedExtensions-like ALPN block when selected.
+    // ALPN belongs inside encrypted EncryptedExtensions in real TLS 1.3.
    let mut fake_cert = Vec::with_capacity(fake_cert_len);
-    if let Some(proto) = alpn
+    let _ = alpn;
        .as_ref()
        .filter(|p| !p.is_empty() && p.len() <= u8::MAX as usize)
    {
        let proto_list_len = 1usize + proto.len();
        let ext_data_len = 2usize + proto_list_len;
        let marker_len = 4usize + ext_data_len;
        if marker_len <= fake_cert_len {
            fake_cert.extend_from_slice(&0x0010u16.to_be_bytes());
            fake_cert.extend_from_slice(&(ext_data_len as u16).to_be_bytes());
            fake_cert.extend_from_slice(&(proto_list_len as u16).to_be_bytes());
            fake_cert.push(proto.len() as u8);
            fake_cert.extend_from_slice(proto);
        }
    }
    if fake_cert.len() < fake_cert_len {
        fake_cert.extend_from_slice(&rng.bytes(fake_cert_len - fake_cert.len()));
    } else if fake_cert.len() > fake_cert_len {
@@ -580,7 +603,7 @@ pub fn build_server_hello(
    let ticket_count = new_session_tickets.min(4);
    if ticket_count > 0 {
        for _ in 0..ticket_count {
-            let ticket_len: usize = rng.range(48) + 48; // 48-95 bytes
+            let ticket_len: usize = rng.range(48) + 48;
            let mut record = Vec::with_capacity(5 + ticket_len);
            record.push(TLS_RECORD_APPLICATION);
            record.extend_from_slice(&TLS_VERSION);
@@ -927,6 +950,112 @@ pub fn detect_client_hello_tls_version(handshake: &[u8]) -> Option<ClientHelloTl
    }
 }
 fn client_hello_cipher_suites_range(handshake: &[u8]) -> Option<(usize, usize)> {
    if handshake.len() < 5 || handshake[0] != TLS_RECORD_HANDSHAKE {
        return None;
    }
    let record_len = u16::from_be_bytes([handshake[3], handshake[4]]) as usize;
    let record_end = 5usize.checked_add(record_len)?;
    if record_end > handshake.len() {
        return None;
    }
    let mut pos = 5;
    if handshake.get(pos) != Some(&0x01) {
        return None;
    }
    pos += 1;
    if pos + 3 > record_end {
        return None;
    }
    let handshake_len = ((handshake[pos] as usize) << 16)
        | ((handshake[pos + 1] as usize) << 8)
        | handshake[pos + 2] as usize;
    pos += 3;
    let handshake_end = pos.checked_add(handshake_len)?;
    if handshake_end > record_end {
        return None;
    }
    if pos + 2 + 32 > handshake_end {
        return None;
    }
    pos += 2 + 32;
    let session_id_len = *handshake.get(pos)? as usize;
    pos = pos.checked_add(1)?.checked_add(session_id_len)?;
    if pos + 2 > handshake_end {
        return None;
    }
    let cipher_len = u16::from_be_bytes([handshake[pos], handshake[pos + 1]]) as usize;
    if cipher_len == 0 || cipher_len % 2 != 0 {
        return None;
    }
    pos += 2;
    let cipher_end = pos.checked_add(cipher_len)?;
    if cipher_end > handshake_end {
        return None;
    }
    Some((pos, cipher_end))
 }
 fn client_hello_offers_cipher_suite(
    handshake: &[u8],
    range: (usize, usize),
    suite: [u8; 2],
 ) -> bool {
    let mut pos = range.0;
    while pos + 1 < range.1 {
        if handshake[pos] == suite[0] && handshake[pos + 1] == suite[1] {
            return true;
        }
        pos += 2;
    }
    false
 }
 fn is_tls13_cipher_suite(suite: [u8; 2]) -> bool {
    suite == cipher_suite::TLS_AES_128_GCM_SHA256
        || suite == cipher_suite::TLS_AES_256_GCM_SHA384
        || suite == cipher_suite::TLS_CHACHA20_POLY1305_SHA256
 }
 /// Select the ServerHello cipher suite from the already-received ClientHello.
 ///
 /// This is intentionally a borrowed, zero-allocation scan. It runs only for an
 /// authenticated success response and keeps malformed or unexpected ClientHello
 /// shapes on the previous fallback behavior.
 pub(crate) fn select_server_hello_cipher_suite(handshake: &[u8], preferred: [u8; 2]) -> [u8; 2] {
    let preferred = if is_tls13_cipher_suite(preferred) {
        preferred
    } else {
        cipher_suite::TLS_AES_128_GCM_SHA256
    };
    let Some(range) = client_hello_cipher_suites_range(handshake) else {
        return preferred;
    };
    if client_hello_offers_cipher_suite(handshake, range, preferred) {
        return preferred;
    }
    for fallback in [
        cipher_suite::TLS_AES_128_GCM_SHA256,
        cipher_suite::TLS_CHACHA20_POLY1305_SHA256,
        cipher_suite::TLS_AES_256_GCM_SHA384,
    ] {
        if client_hello_offers_cipher_suite(handshake, range, fallback) {
            return fallback;
        }
    }
    preferred
 }
 /// Check if bytes look like a TLS ClientHello
 pub fn is_tls_handshake(first_bytes: &[u8]) -> bool {
    if first_bytes.len() < 3 {
@@ -0,0 +1,450 @@
 //! Passive JA3 / JA4 TLS ClientHello fingerprinting.
 use crate::crypto::hash::md5;
 use crate::crypto::sha256;
 use crate::protocol::constants::TLS_RECORD_HANDSHAKE;
 const EXT_SNI: u16 = 0x0000;
 const EXT_SUPPORTED_GROUPS: u16 = 0x000a;
 const EXT_EC_POINT_FORMATS: u16 = 0x000b;
 const EXT_SIGNATURE_ALGORITHMS: u16 = 0x000d;
 const EXT_ALPN: u16 = 0x0010;
 const EXT_SUPPORTED_VERSIONS: u16 = 0x002b;
 #[derive(Clone, Debug, PartialEq, Eq)]
 pub struct TlsClientFingerprint {
    pub ja3: String,
    pub ja3_raw: String,
    pub ja4: String,
    pub ja4_raw: String,
 }
 #[derive(Default)]
 struct ParsedClientHello {
    legacy_version: u16,
    ciphers: Vec<u16>,
    extensions: Vec<u16>,
    supported_groups: Vec<u16>,
    ec_point_formats: Vec<u8>,
    signature_algorithms: Vec<u16>,
    supported_versions: Vec<u16>,
    alpn_first: Option<Vec<u8>>,
    sni_present: bool,
 }
 pub fn fingerprint_client_hello(handshake: &[u8]) -> Option<TlsClientFingerprint> {
    let parsed = parse_client_hello(handshake)?;
    let ja3_raw = ja3_raw(&parsed);
    let ja3 = hex::encode(md5(ja3_raw.as_bytes()));
    let (ja4, ja4_raw) = ja4(&parsed);
    Some(TlsClientFingerprint {
        ja3,
        ja3_raw,
        ja4,
        ja4_raw,
    })
 }
 fn parse_client_hello(handshake: &[u8]) -> Option<ParsedClientHello> {
    if handshake.len() < 5 || handshake[0] != TLS_RECORD_HANDSHAKE {
        return None;
    }
    let record_len = read_u16_at(handshake, 3)? as usize;
    let record_end = 5usize.checked_add(record_len)?;
    if record_end > handshake.len() {
        return None;
    }
    let mut pos = 5usize;
    if *handshake.get(pos)? != 0x01 {
        return None;
    }
    pos = pos.checked_add(1)?;
    if pos + 3 > record_end {
        return None;
    }
    let handshake_len = ((usize::from(handshake[pos])) << 16)
        | ((usize::from(handshake[pos + 1])) << 8)
        | usize::from(handshake[pos + 2]);
    pos = pos.checked_add(3)?;
    let handshake_end = pos.checked_add(handshake_len)?;
    if handshake_end > record_end {
        return None;
    }
    if pos + 2 + 32 > handshake_end {
        return None;
    }
    let legacy_version = read_u16_at(handshake, pos)?;
    pos = pos.checked_add(2 + 32)?;
    let session_id_len = usize::from(*handshake.get(pos)?);
    pos = pos.checked_add(1)?.checked_add(session_id_len)?;
    if pos + 2 > handshake_end {
        return None;
    }
    let cipher_len = read_u16_at(handshake, pos)? as usize;
    pos = pos.checked_add(2)?;
    let cipher_end = pos.checked_add(cipher_len)?;
    if cipher_end > handshake_end || cipher_len % 2 != 0 {
        return None;
    }
    let mut ciphers = Vec::with_capacity(cipher_len / 2);
    while pos + 1 < cipher_end {
        let value = read_u16_at(handshake, pos)?;
        if !is_grease(value) {
            ciphers.push(value);
        }
        pos = pos.checked_add(2)?;
    }
    let comp_len = usize::from(*handshake.get(pos)?);
    pos = pos.checked_add(1)?.checked_add(comp_len)?;
    if pos > handshake_end {
        return None;
    }
    let mut parsed = ParsedClientHello {
        legacy_version,
        ciphers,
        ..ParsedClientHello::default()
    };
    if pos == handshake_end {
        return Some(parsed);
    }
    if pos + 2 > handshake_end {
        return None;
    }
    let ext_len = read_u16_at(handshake, pos)? as usize;
    pos = pos.checked_add(2)?;
    let ext_end = pos.checked_add(ext_len)?;
    if ext_end > handshake_end {
        return None;
    }
    while pos + 4 <= ext_end {
        let etype = read_u16_at(handshake, pos)?;
        let elen = read_u16_at(handshake, pos + 2)? as usize;
        pos = pos.checked_add(4)?;
        let data_end = pos.checked_add(elen)?;
        if data_end > ext_end {
            return None;
        }
        let data = handshake.get(pos..data_end)?;
        if !is_grease(etype) {
            parsed.extensions.push(etype);
            match etype {
                EXT_SNI => parsed.sni_present = true,
                EXT_SUPPORTED_GROUPS => {
                    parsed.supported_groups = parse_u16_vector(data, 2)?;
                }
                EXT_EC_POINT_FORMATS => {
                    parsed.ec_point_formats = parse_u8_vector(data)?;
                }
                EXT_SIGNATURE_ALGORITHMS => {
                    parsed.signature_algorithms = parse_u16_vector(data, 2)?;
                }
                EXT_ALPN => {
                    parsed.alpn_first = parse_alpn_first(data)?;
                }
                EXT_SUPPORTED_VERSIONS => {
                    parsed.supported_versions = parse_u16_vector(data, 1)?;
                }
                _ => {}
            }
        }
        pos = data_end;
    }
    if pos != ext_end {
        return None;
    }
    Some(parsed)
 }
 fn parse_u16_vector(data: &[u8], len_prefix_len: usize) -> Option<Vec<u16>> {
    let (list_len, mut pos) = match len_prefix_len {
        1 => (usize::from(*data.first()?), 1usize),
        2 => (read_u16_at(data, 0)? as usize, 2usize),
        _ => return None,
    };
    let list_end = pos.checked_add(list_len)?;
    if list_end > data.len() || list_len % 2 != 0 {
        return None;
    }
    let mut out = Vec::with_capacity(list_len / 2);
    while pos + 1 < list_end {
        let value = read_u16_at(data, pos)?;
        if !is_grease(value) {
            out.push(value);
        }
        pos = pos.checked_add(2)?;
    }
    Some(out)
 }
 fn parse_u8_vector(data: &[u8]) -> Option<Vec<u8>> {
    let list_len = usize::from(*data.first()?);
    let list_start = 1usize;
    let list_end = list_start.checked_add(list_len)?;
    if list_end > data.len() {
        return None;
    }
    Some(data.get(list_start..list_end)?.to_vec())
 }
 fn parse_alpn_first(data: &[u8]) -> Option<Option<Vec<u8>>> {
    if data.len() < 2 {
        return None;
    }
    let list_len = read_u16_at(data, 0)? as usize;
    let mut pos = 2usize;
    let list_end = pos.checked_add(list_len)?;
    if list_end > data.len() {
        return None;
    }
    if pos == list_end {
        return Some(None);
    }
    let protocol_len = usize::from(*data.get(pos)?);
    pos = pos.checked_add(1)?;
    let protocol_end = pos.checked_add(protocol_len)?;
    if protocol_end > list_end {
        return None;
    }
    if protocol_len == 0 {
        return Some(None);
    }
    Some(Some(data.get(pos..protocol_end)?.to_vec()))
 }
 fn ja3_raw(parsed: &ParsedClientHello) -> String {
    format!(
        "{},{},{},{},{}",
        parsed.legacy_version,
        join_decimal_u16(&parsed.ciphers),
        join_decimal_u16(&parsed.extensions),
        join_decimal_u16(&parsed.supported_groups),
        join_decimal_u8(&parsed.ec_point_formats)
    )
 }
 fn ja4(parsed: &ParsedClientHello) -> (String, String) {
    let a = format!(
        "t{}{}{:02}{:02}{}",
        ja4_version_code(parsed),
        if parsed.sni_present { "d" } else { "i" },
        count_ja4(parsed.ciphers.len()),
        count_ja4(parsed.extensions.len()),
        ja4_alpn_marker(parsed.alpn_first.as_deref())
    );
    let mut ciphers = parsed.ciphers.clone();
    ciphers.sort_unstable();
    let cipher_raw = join_hex_u16(&ciphers);
    let cipher_hash = if ciphers.is_empty() {
        "000000000000".to_string()
    } else {
        sha256_truncated_12(&cipher_raw)
    };
    let mut extensions_for_hash = parsed
        .extensions
        .iter()
        .copied()
        .filter(|value| *value != EXT_SNI && *value != EXT_ALPN)
        .collect::<Vec<_>>();
    extensions_for_hash.sort_unstable();
    let extension_raw = join_hex_u16(&extensions_for_hash);
    let signature_raw = join_hex_u16(&parsed.signature_algorithms);
    let extension_hash_input = if signature_raw.is_empty() {
        extension_raw.clone()
    } else {
        format!("{extension_raw}_{signature_raw}")
    };
    let extension_hash = if extensions_for_hash.is_empty() {
        "000000000000".to_string()
    } else {
        sha256_truncated_12(&extension_hash_input)
    };
    (
        format!("{a}_{cipher_hash}_{extension_hash}"),
        format!("{a}_{cipher_raw}_{extension_hash_input}"),
    )
 }
 fn ja4_version_code(parsed: &ParsedClientHello) -> &'static str {
    let version = parsed
        .supported_versions
        .iter()
        .copied()
        .max()
        .unwrap_or(parsed.legacy_version);
    match version {
        0x0304 => "13",
        0x0303 => "12",
        0x0302 => "11",
        0x0301 => "10",
        0x0300 => "s3",
        0x0002 => "s2",
        0xfeff => "d1",
        0xfefd => "d2",
        0xfefc => "d3",
        _ => "00",
    }
 }
 fn ja4_alpn_marker(alpn_first: Option<&[u8]>) -> String {
    let Some(value) = alpn_first else {
        return "00".to_string();
    };
    let Some(first) = value.first().copied() else {
        return "00".to_string();
    };
    let last = value.last().copied().unwrap_or(first);
    if first.is_ascii_alphanumeric() && last.is_ascii_alphanumeric() {
        return format!("{}{}", first as char, last as char);
    }
    let encoded = hex::encode(value);
    if encoded.is_empty() {
        return "00".to_string();
    }
    let first_hex = encoded.as_bytes()[0] as char;
    let last_hex = encoded.as_bytes()[encoded.len().saturating_sub(1)] as char;
    format!("{first_hex}{last_hex}")
 }
 fn count_ja4(count: usize) -> usize {
    count.min(99)
 }
 fn sha256_truncated_12(input: &str) -> String {
    let mut encoded = hex::encode(sha256(input.as_bytes()));
    encoded.truncate(12);
    encoded
 }
 fn join_decimal_u16(values: &[u16]) -> String {
    values
        .iter()
        .map(u16::to_string)
        .collect::<Vec<_>>()
        .join("-")
 }
 fn join_decimal_u8(values: &[u8]) -> String {
    values
        .iter()
        .map(u8::to_string)
        .collect::<Vec<_>>()
        .join("-")
 }
 fn join_hex_u16(values: &[u16]) -> String {
    values
        .iter()
        .map(|value| format!("{value:04x}"))
        .collect::<Vec<_>>()
        .join(",")
 }
 fn read_u16_at(buf: &[u8], pos: usize) -> Option<u16> {
    Some(u16::from_be_bytes([
        *buf.get(pos)?,
        *buf.get(pos.checked_add(1)?)?,
    ]))
 }
 fn is_grease(value: u16) -> bool {
    let high = (value >> 8) as u8;
    let low = value as u8;
    high == low && (high & 0x0f) == 0x0a
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    fn sample_client_hello() -> Vec<u8> {
        let mut body = Vec::new();
        body.extend_from_slice(&[0x03, 0x03]);
        body.extend_from_slice(&[0x11; 32]);
        body.push(0);
        body.extend_from_slice(&10u16.to_be_bytes());
        body.extend_from_slice(&[0x0a, 0x0a, 0x13, 0x01, 0x13, 0x02, 0xc0, 0x2f, 0x00, 0xff]);
        body.push(1);
        body.push(0);
        let mut extensions = Vec::new();
        append_ext(&mut extensions, EXT_SNI, &[0, 0]);
        append_ext(&mut extensions, EXT_ALPN, &[0, 3, 2, b'h', b'2']);
        append_ext(
            &mut extensions,
            EXT_SUPPORTED_GROUPS,
            &[0, 6, 0x0a, 0x0a, 0x00, 0x17, 0x00, 0x1d],
        );
        append_ext(&mut extensions, EXT_EC_POINT_FORMATS, &[1, 0]);
        append_ext(
            &mut extensions,
            EXT_SIGNATURE_ALGORITHMS,
            &[0, 4, 0x04, 0x03, 0x08, 0x04],
        );
        append_ext(
            &mut extensions,
            EXT_SUPPORTED_VERSIONS,
            &[4, 0x03, 0x04, 0x03, 0x03],
        );
        body.extend_from_slice(&(extensions.len() as u16).to_be_bytes());
        body.extend_from_slice(&extensions);
        let mut record = Vec::new();
        record.push(TLS_RECORD_HANDSHAKE);
        record.extend_from_slice(&[0x03, 0x01]);
        record.extend_from_slice(&((body.len() + 4) as u16).to_be_bytes());
        record.push(0x01);
        record.extend_from_slice(&[
            ((body.len() >> 16) & 0xff) as u8,
            ((body.len() >> 8) & 0xff) as u8,
            (body.len() & 0xff) as u8,
        ]);
        record.extend_from_slice(&body);
        record
    }
    fn append_ext(out: &mut Vec<u8>, etype: u16, data: &[u8]) {
        out.extend_from_slice(&etype.to_be_bytes());
        out.extend_from_slice(&(data.len() as u16).to_be_bytes());
        out.extend_from_slice(data);
    }
    #[test]
    fn ja3_and_ja4_ignore_grease_and_remain_stable() {
        let fp = fingerprint_client_hello(&sample_client_hello())
            .expect("sample ClientHello must fingerprint");
        assert_eq!(
            fp.ja3_raw,
            "771,4865-4866-49199-255,0-16-10-11-13-43,23-29,0"
        );
        assert!(fp.ja4.starts_with("t13d0406h2_"));
    }
    #[test]
    fn malformed_client_hello_returns_none() {
        let mut hello = sample_client_hello();
        hello.truncate(12);
        assert!(fingerprint_client_hello(&hello).is_none());
    }
 }
@@ -98,6 +98,7 @@ use crate::error::{HandshakeResult, ProxyError, Result, StreamError};
 use crate::ip_tracker::UserIpTracker;
 use crate::protocol::constants::*;
 use crate::protocol::tls;
 use crate::protocol::tls_fingerprint::{self, TlsClientFingerprint};
 use crate::stats::beobachten::BeobachtenStore;
 use crate::stats::{ReplayChecker, Stats};
 use crate::stream::{BufferPool, CryptoReader, CryptoWriter};
@@ -350,6 +351,60 @@ fn record_beobachten_class(
    beobachten.record(class, peer_ip, beobachten_ttl(config));
 }
 fn tls_fingerprint_collection_enabled(config: &ProxyConfig) -> bool {
    config.general.beobachten || config.server.api.runtime_edge_enabled
 }
 fn observe_tls_client_fingerprint(
    stats: &Stats,
    config: &ProxyConfig,
    peer_ip: IpAddr,
    handshake: &[u8],
 ) -> Option<TlsClientFingerprint> {
    if !tls_fingerprint_collection_enabled(config) {
        return None;
    }
    match tls_fingerprint::fingerprint_client_hello(handshake) {
        Some(fingerprint) => {
            stats.record_tls_fingerprint_observed(&fingerprint, peer_ip, beobachten_ttl(config));
            Some(fingerprint)
        }
        None => {
            stats.increment_tls_fingerprint_parse_error();
            None
        }
    }
 }
 fn record_tls_fingerprint_auth_success(
    stats: &Stats,
    config: &ProxyConfig,
    peer_ip: IpAddr,
    fingerprint: Option<&TlsClientFingerprint>,
    user: &str,
 ) {
    if let Some(fingerprint) = fingerprint {
        stats.record_tls_fingerprint_auth_success(
            fingerprint,
            peer_ip,
            user,
            beobachten_ttl(config),
        );
    }
 }
 fn record_tls_fingerprint_bad_or_probe(
    stats: &Stats,
    config: &ProxyConfig,
    peer_ip: IpAddr,
    fingerprint: Option<&TlsClientFingerprint>,
 ) {
    if let Some(fingerprint) = fingerprint {
        stats.record_tls_fingerprint_bad_or_probe(fingerprint, peer_ip, beobachten_ttl(config));
    }
 }
 fn classify_expected_64_got_0(kind: std::io::ErrorKind) -> Option<&'static str> {
    match kind {
        std::io::ErrorKind::UnexpectedEof => Some("expected_64_got_0_unexpected_eof"),
@@ -705,6 +760,9 @@ where
                ));
            }
            let tls_fingerprint =
                observe_tls_client_fingerprint(stats.as_ref(), &config, real_peer.ip(), &handshake);
            let (read_half, write_half) = tokio::io::split(stream);
            let (mut tls_reader, tls_writer, tls_user) = match handle_tls_handshake_with_shared(
@@ -715,6 +773,12 @@ where
                HandshakeResult::Success(result) => result,
                HandshakeResult::BadClient { reader, writer } => {
                    stats.increment_connects_bad_with_class("tls_handshake_bad_client");
                    record_tls_fingerprint_bad_or_probe(
                        stats.as_ref(),
                        &config,
                        real_peer.ip(),
                        tls_fingerprint.as_ref(),
                    );
                    return Ok(masking_outcome(
                        reader,
                        writer,
@@ -726,10 +790,23 @@ where
                    ));
                }
                HandshakeResult::Error(e) => {
                    record_tls_fingerprint_bad_or_probe(
                        stats.as_ref(),
                        &config,
                        real_peer.ip(),
                        tls_fingerprint.as_ref(),
                    );
                    increment_bad_on_unknown_tls_sni(stats.as_ref(), &e);
                    return Err(e);
                }
            };
            record_tls_fingerprint_auth_success(
                stats.as_ref(),
                &config,
                real_peer.ip(),
                tls_fingerprint.as_ref(),
                tls_user.as_str(),
            );
            debug!(peer = %peer, "Reading MTProto handshake through TLS");
            let mtproto_data = tls_reader.read_exact(HANDSHAKE_LEN).await?;
@@ -1295,6 +1372,13 @@ impl RunningClientHandler {
            ));
        }
        let tls_fingerprint = observe_tls_client_fingerprint(
            self.stats.as_ref(),
            &self.config,
            peer.ip(),
            &handshake,
        );
        let config = self.config.clone();
        let replay_checker = self.replay_checker.clone();
        let stats = self.stats.clone();
@@ -1318,6 +1402,12 @@ impl RunningClientHandler {
            HandshakeResult::Success(result) => result,
            HandshakeResult::BadClient { reader, writer } => {
                stats.increment_connects_bad_with_class("tls_handshake_bad_client");
                record_tls_fingerprint_bad_or_probe(
                    stats.as_ref(),
                    &config,
                    peer.ip(),
                    tls_fingerprint.as_ref(),
                );
                return Ok(masking_outcome(
                    reader,
                    writer,
@@ -1329,10 +1419,23 @@ impl RunningClientHandler {
                ));
            }
            HandshakeResult::Error(e) => {
                record_tls_fingerprint_bad_or_probe(
                    stats.as_ref(),
                    &config,
                    peer.ip(),
                    tls_fingerprint.as_ref(),
                );
                increment_bad_on_unknown_tls_sni(stats.as_ref(), &e);
                return Err(e);
            }
        };
        record_tls_fingerprint_auth_success(
            stats.as_ref(),
            &config,
            peer.ip(),
            tls_fingerprint.as_ref(),
            tls_user.as_str(),
        );
        debug!(peer = %peer, "Reading MTProto handshake through TLS");
        let mtproto_data = tls_reader.read_exact(HANDSHAKE_LEN).await?;
@@ -1558,6 +1661,11 @@ impl RunningClientHandler {
    {
        let user = success.user.clone();
        if !shared.is_user_enabled(&user) {
            warn!(user = %user, "Disabled user rejected");
            return Err(ProxyError::UserDisabled { user });
        }
        let user_limit_reservation = match Self::acquire_user_connection_reservation_static(
            &user,
            &config,
@@ -1576,6 +1684,8 @@ impl RunningClientHandler {
        let route_snapshot = route_runtime.snapshot();
        let session_id = rng.u64();
        let _user_session = shared.register_user_session(&user, session_id);
        let session_cancel = _user_session.token();
        let selected_me_pool = if config.general.use_middle_proxy
            && matches!(route_snapshot.mode, RelayRouteMode::Middle)
        {
@@ -1607,6 +1717,7 @@ impl RunningClientHandler {
                    route_runtime.subscribe(),
                    route_snapshot,
                    session_id,
                    session_cancel.clone(),
                    shared.clone(),
                )
                .await
@@ -1625,6 +1736,7 @@ impl RunningClientHandler {
                    route_snapshot,
                    session_id,
                    local_addr,
                    session_cancel.clone(),
                    shared.clone(),
                )
                .await
@@ -1644,6 +1756,7 @@ impl RunningClientHandler {
                route_snapshot,
                session_id,
                local_addr,
                session_cancel,
                shared.clone(),
            )
            .await
@@ -10,6 +10,7 @@ use std::time::Duration;
 use tokio::io::{AsyncRead, AsyncWrite, AsyncWriteExt, ReadHalf, WriteHalf, split};
 use tokio::sync::watch;
 use tokio_util::sync::CancellationToken;
 use tracing::{debug, info, warn};
 use crate::config::ProxyConfig;
@@ -258,6 +259,7 @@ where
        route_snapshot,
        session_id,
        SocketAddr::from(([0, 0, 0, 0], config.server.port)),
        CancellationToken::new(),
        ProxySharedState::new(),
    )
    .await
@@ -276,6 +278,7 @@ pub(crate) async fn handle_via_direct_with_shared<R, W>(
    route_snapshot: RouteCutoverState,
    session_id: u64,
    local_addr: SocketAddr,
    session_cancel: CancellationToken,
    shared: Arc<ProxySharedState>,
 ) -> Result<()>
 where
@@ -302,14 +305,25 @@ where
            "Ignoring invalid scope hint and falling back to default upstream selection"
        );
    }
-    let tg_stream = upstream_manager
+    let tg_stream = tokio::select! {
-        .connect(dc_addr, Some(success.dc_idx), scope_hint)
+        result = upstream_manager.connect(dc_addr, Some(success.dc_idx), scope_hint) => result?,
-        .await?;
+        _ = session_cancel.cancelled() => {
            return Err(ProxyError::UserDisabled {
                user: user.to_string(),
            });
        }
    };
    debug!(peer = %success.peer, dc_addr = %dc_addr, "Connected, performing TG handshake");
-    let (tg_reader, tg_writer) =
+    let (tg_reader, tg_writer) = tokio::select! {
-        do_tg_handshake_static(tg_stream, &success, &config, rng.as_ref()).await?;
+        result = do_tg_handshake_static(tg_stream, &success, &config, rng.as_ref()) => result?,
        _ = session_cancel.cancelled() => {
            return Err(ProxyError::UserDisabled {
                user: user.to_string(),
            });
        }
    };
    debug!(peer = %success.peer, "TG handshake complete, starting relay");
@@ -331,7 +345,8 @@ where
    } else {
        Duration::from_secs(1800)
    };
-    let relay_result = crate::proxy::relay::relay_bidirectional_with_activity_timeout_and_lease(
+    let relay_result =
        crate::proxy::relay::relay_bidirectional_with_activity_timeout_lease_and_cancel(
            client_reader,
            client_writer,
            tg_reader,
@@ -344,6 +359,7 @@ where
            buffer_pool,
            traffic_lease,
            relay_activity_timeout,
            session_cancel.clone(),
        );
    tokio::pin!(relay_result);
    let relay_result = loop {
@@ -371,6 +387,11 @@ where
                    break relay_result.await;
                }
            }
            _ = session_cancel.cancelled() => {
                break Err(ProxyError::UserDisabled {
                    user: user.to_string(),
                });
            }
        }
    };
@@ -1504,6 +1504,13 @@ where
    let validation_session_id_slice = &validation_session_id[..validation_session_id_len];
    let response = if let Some((cached_entry, use_full_cert_payload)) = cached {
        let preferred_cipher_suite = if cached_entry.server_hello_template.cipher_suite == [0, 0] {
            [0x13, 0x01]
        } else {
            cached_entry.server_hello_template.cipher_suite
        };
        let selected_cipher_suite =
            tls::select_server_hello_cipher_suite(handshake, preferred_cipher_suite);
        emulator::build_emulated_server_hello(
            &validated_secret,
            &validation_digest,
@@ -1512,17 +1519,20 @@ where
            use_full_cert_payload,
            config.censorship.serverhello_compact,
            client_tls_version,
            selected_cipher_suite,
            rng,
            selected_alpn.clone(),
            config.censorship.tls_new_session_tickets,
        )
    } else {
-        tls::build_server_hello(
+        let selected_cipher_suite = tls::select_server_hello_cipher_suite(handshake, [0x13, 0x01]);
        tls::build_server_hello_with_cipher(
            &validated_secret,
            &validation_digest,
            validation_session_id_slice,
            config.censorship.fake_cert_len,
            rng,
            selected_cipher_suite,
            selected_alpn.clone(),
            config.censorship.tls_new_session_tickets,
        )
@@ -1,6 +1,6 @@
 use std::collections::BTreeSet;
 #[cfg(test)]
 use std::collections::hash_map::DefaultHasher;
 use std::collections::{BTreeSet, HashMap};
 #[cfg(test)]
 use std::future::Future;
 #[cfg(test)]
@@ -1,4 +1,5 @@
 use super::*;
 use dashmap::DashMap;
 mod read;
@@ -10,10 +11,10 @@ pub(crate) use self::read::{
 #[derive(Default)]
 pub(crate) struct RelayIdleCandidateRegistry {
-    pub(in crate::proxy::middle_relay) by_conn_id: HashMap<u64, RelayIdleCandidateMeta>,
+    pub(in crate::proxy::middle_relay) by_conn_id: DashMap<u64, RelayIdleCandidateMeta>,
-    pub(in crate::proxy::middle_relay) ordered: BTreeSet<(u64, u64)>,
+    pub(in crate::proxy::middle_relay) ordered: parking_lot::Mutex<BTreeSet<(u64, u64)>>,
-    pressure_event_seq: u64,
+    pressure_event_seq: AtomicU64,
-    pressure_consumed_seq: u64,
+    pressure_consumed_seq: AtomicU64,
 }
 /// Queue metadata used to preserve FIFO ordering for idle relay eviction.
@@ -23,25 +24,10 @@ pub(in crate::proxy::middle_relay) struct RelayIdleCandidateMeta {
    pub(in crate::proxy::middle_relay) mark_pressure_seq: u64,
 }
 pub(super) fn relay_idle_candidate_registry_lock_in(
    shared: &ProxySharedState,
 ) -> std::sync::MutexGuard<'_, RelayIdleCandidateRegistry> {
    let registry = &shared.middle_relay.relay_idle_registry;
    match registry.lock() {
        Ok(guard) => guard,
        Err(poisoned) => {
            let mut guard = poisoned.into_inner();
            *guard = RelayIdleCandidateRegistry::default();
            registry.clear_poison();
            guard
        }
    }
 }
 pub(super) fn mark_relay_idle_candidate_in(shared: &ProxySharedState, conn_id: u64) -> bool {
-    let mut guard = relay_idle_candidate_registry_lock_in(shared);
+    let registry = &shared.middle_relay.relay_idle_registry;
-    if guard.by_conn_id.contains_key(&conn_id) {
+    if registry.by_conn_id.contains_key(&conn_id) {
        return false;
    }
@@ -52,24 +38,38 @@ pub(super) fn mark_relay_idle_candidate_in(shared: &ProxySharedState, conn_id: u
        .saturating_add(1);
    let meta = RelayIdleCandidateMeta {
        mark_order_seq,
-        mark_pressure_seq: guard.pressure_event_seq,
+        mark_pressure_seq: registry.pressure_event_seq.load(Ordering::Relaxed),
    };
-    guard.by_conn_id.insert(conn_id, meta);
+    match registry.by_conn_id.entry(conn_id) {
-    guard.ordered.insert((meta.mark_order_seq, conn_id));
+        dashmap::mapref::entry::Entry::Occupied(_) => false,
        dashmap::mapref::entry::Entry::Vacant(entry) => {
            entry.insert(meta);
            registry
                .ordered
                .lock()
                .insert((meta.mark_order_seq, conn_id));
            true
        }
    }
 }
 pub(super) fn clear_relay_idle_candidate_in(shared: &ProxySharedState, conn_id: u64) {
-    let mut guard = relay_idle_candidate_registry_lock_in(shared);
+    let registry = &shared.middle_relay.relay_idle_registry;
-    if let Some(meta) = guard.by_conn_id.remove(&conn_id) {
+    if let Some((_, meta)) = registry.by_conn_id.remove(&conn_id) {
-        guard.ordered.remove(&(meta.mark_order_seq, conn_id));
+        registry
            .ordered
            .lock()
            .remove(&(meta.mark_order_seq, conn_id));
    }
 }
 pub(super) fn note_relay_pressure_event_in(shared: &ProxySharedState) {
-    let mut guard = relay_idle_candidate_registry_lock_in(shared);
+    shared
-    guard.pressure_event_seq = guard.pressure_event_seq.wrapping_add(1);
+        .middle_relay
        .relay_idle_registry
        .pressure_event_seq
        .fetch_add(1, Ordering::Relaxed);
 }
 pub(crate) fn note_global_relay_pressure(shared: &ProxySharedState) {
@@ -77,8 +77,11 @@ pub(crate) fn note_global_relay_pressure(shared: &ProxySharedState) {
 }
 pub(super) fn relay_pressure_event_seq_in(shared: &ProxySharedState) -> u64 {
-    let guard = relay_idle_candidate_registry_lock_in(shared);
+    shared
-    guard.pressure_event_seq
+        .middle_relay
        .relay_idle_registry
        .pressure_event_seq
        .load(Ordering::Relaxed)
 }
 pub(super) fn maybe_evict_idle_candidate_on_pressure_in(
@@ -87,33 +90,52 @@ pub(super) fn maybe_evict_idle_candidate_on_pressure_in(
    seen_pressure_seq: &mut u64,
    stats: &Stats,
 ) -> bool {
-    let mut guard = relay_idle_candidate_registry_lock_in(shared);
+    let registry = &shared.middle_relay.relay_idle_registry;
-    let latest_pressure_seq = guard.pressure_event_seq;
+    let latest_pressure_seq = registry.pressure_event_seq.load(Ordering::Relaxed);
    if latest_pressure_seq == *seen_pressure_seq {
        return false;
    }
    *seen_pressure_seq = latest_pressure_seq;
-    if latest_pressure_seq == guard.pressure_consumed_seq {
+    let consumed_pressure_seq = registry.pressure_consumed_seq.load(Ordering::Relaxed);
    if latest_pressure_seq == consumed_pressure_seq {
        return false;
    }
-    if guard.ordered.is_empty() {
+    let oldest = {
-        guard.pressure_consumed_seq = latest_pressure_seq;
+        let mut ordered = registry.ordered.lock();
        loop {
            let Some((mark_order_seq, candidate_conn_id)) = ordered.iter().next().copied() else {
                // Empty queues consume the event so later candidates cannot replay stale pressure.
                let _ = registry.pressure_consumed_seq.compare_exchange(
                    consumed_pressure_seq,
                    latest_pressure_seq,
                    Ordering::Relaxed,
                    Ordering::Relaxed,
                );
                return false;
            };
            let Some(candidate_meta) = registry.by_conn_id.get(&candidate_conn_id) else {
                ordered.remove(&(mark_order_seq, candidate_conn_id));
                continue;
            };
            if candidate_meta.mark_order_seq != mark_order_seq {
                ordered.remove(&(mark_order_seq, candidate_conn_id));
                continue;
            }
-
+            break Some(candidate_conn_id);
-    let oldest = guard
+        }
-        .ordered
+    };
        .iter()
        .next()
        .map(|(_, candidate_conn_id)| *candidate_conn_id);
    if oldest != Some(conn_id) {
        return false;
    }
-    let Some(candidate_meta) = guard.by_conn_id.get(&conn_id).copied() else {
+    let Some(candidate_meta) = registry
        .by_conn_id
        .get(&conn_id)
        .map(|entry| *entry.value())
    else {
        return false;
    };
@@ -121,10 +143,27 @@ pub(super) fn maybe_evict_idle_candidate_on_pressure_in(
        return false;
    }
-    if let Some(meta) = guard.by_conn_id.remove(&conn_id) {
+    // Claim the global pressure budget before removal; otherwise racing sessions
-        guard.ordered.remove(&(meta.mark_order_seq, conn_id));
+    // can observe the next FIFO item and spend the same event more than once.
    if registry
        .pressure_consumed_seq
        .compare_exchange(
            consumed_pressure_seq,
            latest_pressure_seq,
            Ordering::Relaxed,
            Ordering::Relaxed,
        )
        .is_err()
    {
        return false;
    }
    if let Some((_, meta)) = registry.by_conn_id.remove(&conn_id) {
        registry
            .ordered
            .lock()
            .remove(&(meta.mark_order_seq, conn_id));
    }
    guard.pressure_consumed_seq = latest_pressure_seq;
    stats.increment_relay_pressure_evict_total();
    true
 }
@@ -220,72 +259,32 @@ pub(crate) fn mark_relay_idle_candidate_for_testing(
    shared: &ProxySharedState,
    conn_id: u64,
 ) -> bool {
-    let registry = &shared.middle_relay.relay_idle_registry;
+    mark_relay_idle_candidate_in(shared, conn_id)
    let mut guard = match registry.lock() {
        Ok(guard) => guard,
        Err(poisoned) => {
            let mut guard = poisoned.into_inner();
            *guard = RelayIdleCandidateRegistry::default();
            registry.clear_poison();
            guard
        }
    };
    if guard.by_conn_id.contains_key(&conn_id) {
        return false;
    }
    let mark_order_seq = shared
        .middle_relay
        .relay_idle_mark_seq
        .fetch_add(1, Ordering::Relaxed);
    let mark_pressure_seq = guard.pressure_event_seq;
    let meta = RelayIdleCandidateMeta {
        mark_order_seq,
        mark_pressure_seq,
    };
    guard.by_conn_id.insert(conn_id, meta);
    guard.ordered.insert((mark_order_seq, conn_id));
    true
 }
 #[cfg(test)]
 pub(crate) fn oldest_relay_idle_candidate_for_testing(shared: &ProxySharedState) -> Option<u64> {
    let registry = &shared.middle_relay.relay_idle_registry;
-    let guard = match registry.lock() {
+    registry
-        Ok(guard) => guard,
+        .ordered
-        Err(poisoned) => {
+        .lock()
-            let mut guard = poisoned.into_inner();
+        .iter()
-            *guard = RelayIdleCandidateRegistry::default();
+        .next()
-            registry.clear_poison();
+        .map(|(_, conn_id)| *conn_id)
            guard
        }
    };
    guard.ordered.iter().next().map(|(_, conn_id)| *conn_id)
 }
 #[cfg(test)]
 pub(crate) fn clear_relay_idle_candidate_for_testing(shared: &ProxySharedState, conn_id: u64) {
-    let registry = &shared.middle_relay.relay_idle_registry;
+    clear_relay_idle_candidate_in(shared, conn_id);
    let mut guard = match registry.lock() {
        Ok(guard) => guard,
        Err(poisoned) => {
            let mut guard = poisoned.into_inner();
            *guard = RelayIdleCandidateRegistry::default();
            registry.clear_poison();
            guard
        }
    };
    if let Some(meta) = guard.by_conn_id.remove(&conn_id) {
        guard.ordered.remove(&(meta.mark_order_seq, conn_id));
    }
 }
 #[cfg(test)]
 pub(crate) fn clear_relay_idle_pressure_state_for_testing_in_shared(shared: &ProxySharedState) {
-    if let Ok(mut guard) = shared.middle_relay.relay_idle_registry.lock() {
+    let registry = &shared.middle_relay.relay_idle_registry;
-        *guard = RelayIdleCandidateRegistry::default();
+    registry.by_conn_id.clear();
-    }
+    registry.ordered.lock().clear();
    registry.pressure_event_seq.store(0, Ordering::Relaxed);
    registry.pressure_consumed_seq.store(0, Ordering::Relaxed);
    shared
        .middle_relay
        .relay_idle_mark_seq
@@ -327,15 +326,10 @@ pub(crate) fn set_relay_pressure_state_for_testing(
    pressure_consumed_seq: u64,
 ) {
    let registry = &shared.middle_relay.relay_idle_registry;
-    let mut guard = match registry.lock() {
+    registry
-        Ok(guard) => guard,
+        .pressure_event_seq
-        Err(poisoned) => {
+        .store(pressure_event_seq, Ordering::Relaxed);
-            let mut guard = poisoned.into_inner();
+    registry
-            *guard = RelayIdleCandidateRegistry::default();
+        .pressure_consumed_seq
-            registry.clear_poison();
+        .store(pressure_consumed_seq, Ordering::Relaxed);
            guard
        }
    };
    guard.pressure_event_seq = pressure_event_seq;
    guard.pressure_consumed_seq = pressure_consumed_seq;
 }
@@ -41,11 +41,12 @@ pub(super) async fn reserve_user_quota_with_yield(
            return Err(MiddleQuotaReserveError::DeadlineExceeded);
        }
        tokio::select! {
-            _ = tokio::time::sleep(Duration::from_millis(backoff_ms)) => {}
+            biased;
            _ = cancel.cancelled() => {
                stats.increment_quota_acquire_cancelled_total();
                return Err(MiddleQuotaReserveError::Cancelled);
            }
            _ = tokio::time::sleep(Duration::from_millis(backoff_ms)) => {}
        }
        backoff_rounds = backoff_rounds.saturating_add(1);
        if backoff_rounds >= QUOTA_RESERVE_MAX_BACKOFF_ROUNDS {
@@ -128,11 +129,12 @@ pub(super) async fn wait_for_traffic_budget_or_cancel(
            return Err(ProxyError::TrafficBudgetWaitDeadlineExceeded);
        }
        tokio::select! {
-            _ = tokio::time::sleep(next_refill_delay()) => {}
+            biased;
            _ = cancel.cancelled() => {
                stats.increment_flow_wait_middle_rate_limit_cancelled_total();
                return Err(ProxyError::TrafficBudgetWaitCancelled);
            }
            _ = tokio::time::sleep(next_refill_delay()) => {}
        }
        let wait_ms = wait_started_at
            .elapsed()
@@ -13,6 +13,7 @@ pub(crate) async fn handle_via_middle_proxy<R, W>(
    mut route_rx: watch::Receiver<RouteCutoverState>,
    route_snapshot: RouteCutoverState,
    session_id: u64,
    session_cancel: CancellationToken,
    shared: Arc<ProxySharedState>,
 ) -> Result<()>
 where
@@ -20,6 +21,10 @@ where
    W: AsyncWrite + Unpin + Send + 'static,
 {
    let user = success.user.clone();
    if session_cancel.is_cancelled() {
        return Err(ProxyError::UserDisabled { user });
    }
    let quota_limit = config.access.user_data_quota.get(&user).copied();
    let quota_user_stats = quota_limit.map(|_| stats.get_or_create_user_stats_handle(&user));
    let peer = success.peer;
@@ -590,6 +595,25 @@ where
        }
        tokio::select! {
            _ = session_cancel.cancelled() => {
                warn!(
                    user = %user,
                    conn_id,
                    "Disabled user middle session cancelled"
                );
                let _ = enqueue_c2me_command_in(
                    shared.as_ref(),
                    &c2me_tx,
                    C2MeCommand::Close,
                    c2me_send_timeout,
                    stats.as_ref(),
                )
                .await;
                main_result = Err(ProxyError::UserDisabled {
                    user: user.clone(),
                });
                break;
            }
            changed = route_rx.changed(), if route_watch_open => {
                if changed.is_err() {
                    route_watch_open = false;
@@ -55,11 +55,13 @@ use crate::error::{ProxyError, Result};
 use crate::proxy::traffic_limiter::TrafficLease;
 use crate::stats::Stats;
 use crate::stream::BufferPool;
 use std::future::pending;
 use std::sync::Arc;
 use std::sync::atomic::{AtomicBool, Ordering};
 use std::time::Duration;
 use tokio::io::{AsyncRead, AsyncWrite, AsyncWriteExt, copy_bidirectional_with_sizes};
 use tokio::time::Instant;
 use tokio_util::sync::CancellationToken;
 use tracing::{debug, warn};
 // ============= Constants =============
@@ -191,6 +193,84 @@ pub async fn relay_bidirectional_with_activity_timeout_and_lease<CR, CW, SR, SW>
    traffic_lease: Option<Arc<TrafficLease>>,
    activity_timeout: Duration,
 ) -> Result<()>
 where
    CR: AsyncRead + Unpin + Send + 'static,
    CW: AsyncWrite + Unpin + Send + 'static,
    SR: AsyncRead + Unpin + Send + 'static,
    SW: AsyncWrite + Unpin + Send + 'static,
 {
    relay_bidirectional_with_activity_timeout_lease_cancel_inner(
        client_reader,
        client_writer,
        server_reader,
        server_writer,
        c2s_buf_size,
        s2c_buf_size,
        user,
        stats,
        quota_limit,
        _buffer_pool,
        traffic_lease,
        activity_timeout,
        None,
    )
    .await
 }
 pub async fn relay_bidirectional_with_activity_timeout_lease_and_cancel<CR, CW, SR, SW>(
    client_reader: CR,
    client_writer: CW,
    server_reader: SR,
    server_writer: SW,
    c2s_buf_size: usize,
    s2c_buf_size: usize,
    user: &str,
    stats: Arc<Stats>,
    quota_limit: Option<u64>,
    _buffer_pool: Arc<BufferPool>,
    traffic_lease: Option<Arc<TrafficLease>>,
    activity_timeout: Duration,
    session_cancel: CancellationToken,
 ) -> Result<()>
 where
    CR: AsyncRead + Unpin + Send + 'static,
    CW: AsyncWrite + Unpin + Send + 'static,
    SR: AsyncRead + Unpin + Send + 'static,
    SW: AsyncWrite + Unpin + Send + 'static,
 {
    relay_bidirectional_with_activity_timeout_lease_cancel_inner(
        client_reader,
        client_writer,
        server_reader,
        server_writer,
        c2s_buf_size,
        s2c_buf_size,
        user,
        stats,
        quota_limit,
        _buffer_pool,
        traffic_lease,
        activity_timeout,
        Some(session_cancel),
    )
    .await
 }
 async fn relay_bidirectional_with_activity_timeout_lease_cancel_inner<CR, CW, SR, SW>(
    client_reader: CR,
    client_writer: CW,
    server_reader: SR,
    server_writer: SW,
    c2s_buf_size: usize,
    s2c_buf_size: usize,
    user: &str,
    stats: Arc<Stats>,
    quota_limit: Option<u64>,
    _buffer_pool: Arc<BufferPool>,
    traffic_lease: Option<Arc<TrafficLease>>,
    activity_timeout: Duration,
    session_cancel: Option<CancellationToken>,
 ) -> Result<()>
 where
    CR: AsyncRead + Unpin + Send + 'static,
    CW: AsyncWrite + Unpin + Send + 'static,
@@ -287,14 +367,29 @@ where
    //
    // When the watchdog fires, select! drops the copy future,
    // releasing the &mut borrows on client and server.
-    let copy_result = tokio::select! {
+    enum RelayOutcome {
        Copy(std::io::Result<(u64, u64)>),
        ActivityTimeout,
        UserDisabled,
    }
    let cancel_wait = async move {
        match session_cancel {
            Some(token) => token.cancelled().await,
            None => pending::<()>().await,
        }
    };
    tokio::pin!(cancel_wait);
    let relay_outcome = tokio::select! {
        result = copy_bidirectional_with_sizes(
            &mut client,
            &mut server,
            c2s_buf_size.max(1),
            s2c_buf_size.max(1),
-        ) => Some(result),
+        ) => RelayOutcome::Copy(result),
-        _ = watchdog => None, // Activity timeout — cancel relay
+        _ = watchdog => RelayOutcome::ActivityTimeout,
        _ = &mut cancel_wait => RelayOutcome::UserDisabled,
    };
    // ── Clean shutdown ──────────────────────────────────────────────
@@ -308,8 +403,8 @@ where
    let s2c_ops = counters.s2c_ops.load(Ordering::Relaxed);
    let duration = epoch.elapsed();
-    match copy_result {
+    match relay_outcome {
-        Some(Ok((c2s, s2c))) => {
+        RelayOutcome::Copy(Ok((c2s, s2c))) => {
            // Normal completion — one side closed the connection
            debug!(
                user = %user_owned,
@@ -322,7 +417,7 @@ where
            );
            Ok(())
        }
-        Some(Err(e)) if is_quota_io_error(&e) => {
+        RelayOutcome::Copy(Err(e)) if is_quota_io_error(&e) => {
            let c2s = counters.c2s_bytes.load(Ordering::Relaxed);
            let s2c = counters.s2c_bytes.load(Ordering::Relaxed);
            warn!(
@@ -338,7 +433,7 @@ where
                user: user_owned.clone(),
            })
        }
-        Some(Err(e)) => {
+        RelayOutcome::Copy(Err(e)) => {
            // I/O error in one of the directions
            let c2s = counters.c2s_bytes.load(Ordering::Relaxed);
            let s2c = counters.s2c_bytes.load(Ordering::Relaxed);
@@ -354,7 +449,7 @@ where
            );
            Err(e.into())
        }
-        None => {
+        RelayOutcome::ActivityTimeout => {
            // Activity timeout (watchdog fired)
            let c2s = counters.c2s_bytes.load(Ordering::Relaxed);
            let s2c = counters.s2c_bytes.load(Ordering::Relaxed);
@@ -369,6 +464,22 @@ where
            );
            Ok(())
        }
        RelayOutcome::UserDisabled => {
            let c2s = counters.c2s_bytes.load(Ordering::Relaxed);
            let s2c = counters.s2c_bytes.load(Ordering::Relaxed);
            debug!(
                user = %user_owned,
                c2s_bytes = c2s,
                s2c_bytes = s2c,
                c2s_msgs = c2s_ops,
                s2c_msgs = s2c_ops,
                duration_secs = duration.as_secs(),
                "Relay finished (user disabled)"
            );
            Err(ProxyError::UserDisabled {
                user: user_owned.clone(),
            })
        }
    }
 }
@@ -1,5 +1,5 @@
 use std::collections::HashSet;
 use std::collections::hash_map::RandomState;
 use std::collections::{HashMap, HashSet};
 use std::net::{IpAddr, SocketAddr};
 use std::sync::atomic::{AtomicBool, AtomicU32, AtomicU64, Ordering};
 use std::sync::{Arc, Mutex};
@@ -7,6 +7,7 @@ use std::time::Instant;
 use dashmap::DashMap;
 use tokio::sync::mpsc;
 use tokio_util::sync::CancellationToken;
 use crate::proxy::handshake::{AuthProbeSaturationState, AuthProbeState};
 use crate::proxy::middle_relay::{DesyncDedupRotationState, RelayIdleCandidateRegistry};
@@ -59,7 +60,7 @@ pub(crate) struct MiddleRelaySharedState {
    pub(crate) desync_hasher: RandomState,
    pub(crate) desync_full_cache_last_emit_at: Mutex<Option<Instant>>,
    pub(crate) desync_dedup_rotation_state: Mutex<DesyncDedupRotationState>,
-    pub(crate) relay_idle_registry: Mutex<RelayIdleCandidateRegistry>,
+    pub(crate) relay_idle_registry: RelayIdleCandidateRegistry,
    pub(crate) relay_idle_mark_seq: AtomicU64,
 }
@@ -67,10 +68,35 @@ pub(crate) struct ProxySharedState {
    pub(crate) handshake: HandshakeSharedState,
    pub(crate) middle_relay: MiddleRelaySharedState,
    pub(crate) traffic_limiter: Arc<TrafficLimiter>,
    disabled_users: DashMap<String, ()>,
    active_user_sessions: DashMap<(String, u64), CancellationToken>,
    pub(crate) conntrack_pressure_active: AtomicBool,
    pub(crate) conntrack_close_tx: Mutex<Option<mpsc::Sender<ConntrackCloseEvent>>>,
 }
 #[must_use = "registered user sessions must be kept alive until relay completion"]
 pub(crate) struct UserSessionRegistration {
    token: CancellationToken,
    _guard: UserSessionGuard,
 }
 impl UserSessionRegistration {
    pub(crate) fn token(&self) -> CancellationToken {
        self.token.clone()
    }
 }
 struct UserSessionGuard {
    shared: Arc<ProxySharedState>,
    key: (String, u64),
 }
 impl Drop for UserSessionGuard {
    fn drop(&mut self) {
        self.shared.active_user_sessions.remove(&self.key);
    }
 }
 impl ProxySharedState {
    pub(crate) fn new() -> Arc<Self> {
        Arc::new(Self {
@@ -97,15 +123,86 @@ impl ProxySharedState {
                desync_hasher: RandomState::new(),
                desync_full_cache_last_emit_at: Mutex::new(None),
                desync_dedup_rotation_state: Mutex::new(DesyncDedupRotationState::default()),
-                relay_idle_registry: Mutex::new(RelayIdleCandidateRegistry::default()),
+                relay_idle_registry: RelayIdleCandidateRegistry::default(),
                relay_idle_mark_seq: AtomicU64::new(0),
            },
            traffic_limiter: TrafficLimiter::new(),
            disabled_users: DashMap::new(),
            active_user_sessions: DashMap::new(),
            conntrack_pressure_active: AtomicBool::new(false),
            conntrack_close_tx: Mutex::new(None),
        })
    }
    pub(crate) fn is_user_enabled(&self, user: &str) -> bool {
        !self.disabled_users.contains_key(user)
    }
    pub(crate) fn set_user_enabled(&self, user: &str, enabled: bool) -> bool {
        if enabled {
            self.disabled_users.remove(user);
            false
        } else {
            self.disabled_users.insert(user.to_string(), ()).is_none()
        }
    }
    pub(crate) fn apply_user_enabled_config(
        &self,
        user_enabled: &HashMap<String, bool>,
    ) -> Vec<String> {
        let desired_disabled = user_enabled
            .iter()
            .filter_map(|(user, enabled)| (!*enabled).then_some(user.clone()))
            .collect::<HashSet<_>>();
        let current_disabled = self
            .disabled_users
            .iter()
            .map(|entry| entry.key().clone())
            .collect::<HashSet<_>>();
        for user in current_disabled.difference(&desired_disabled) {
            self.disabled_users.remove(user);
        }
        let newly_disabled = desired_disabled
            .difference(&current_disabled)
            .cloned()
            .collect::<Vec<_>>();
        for user in desired_disabled {
            self.disabled_users.insert(user, ());
        }
        newly_disabled
    }
    pub(crate) fn register_user_session(
        self: &Arc<Self>,
        user: &str,
        session_id: u64,
    ) -> UserSessionRegistration {
        let token = CancellationToken::new();
        let key = (user.to_string(), session_id);
        self.active_user_sessions.insert(key.clone(), token.clone());
        UserSessionRegistration {
            token,
            _guard: UserSessionGuard {
                shared: Arc::clone(self),
                key,
            },
        }
    }
    pub(crate) fn cancel_user_sessions(&self, user: &str) -> usize {
        let tokens = self
            .active_user_sessions
            .iter()
            .filter_map(|entry| (entry.key().0 == user).then(|| entry.value().clone()))
            .collect::<Vec<_>>();
        for token in &tokens {
            token.cancel();
        }
        tokens.len()
    }
    pub(crate) fn set_conntrack_close_sender(&self, tx: mpsc::Sender<ConntrackCloseEvent>) {
        match self.conntrack_close_tx.lock() {
            Ok(mut guard) => {
@@ -166,3 +263,48 @@ impl ProxySharedState {
        self.conntrack_pressure_active.load(Ordering::Relaxed)
    }
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    #[test]
    fn user_enabled_config_sync_tracks_disabled_overrides() {
        let shared = ProxySharedState::new();
        assert!(shared.is_user_enabled("alice"));
        let mut user_enabled = HashMap::new();
        user_enabled.insert("alice".to_string(), false);
        user_enabled.insert("bob".to_string(), true);
        let mut newly_disabled = shared.apply_user_enabled_config(&user_enabled);
        newly_disabled.sort();
        assert_eq!(newly_disabled, vec!["alice".to_string()]);
        assert!(!shared.is_user_enabled("alice"));
        assert!(shared.is_user_enabled("bob"));
        assert!(shared.apply_user_enabled_config(&user_enabled).is_empty());
        user_enabled.clear();
        assert!(shared.apply_user_enabled_config(&user_enabled).is_empty());
        assert!(shared.is_user_enabled("alice"));
    }
    #[test]
    fn cancel_user_sessions_cancels_only_registered_matching_user() {
        let shared = ProxySharedState::new();
        let alice_1 = shared.register_user_session("alice", 1);
        let alice_2 = shared.register_user_session("alice", 2);
        let bob = shared.register_user_session("bob", 1);
        let alice_1_token = alice_1.token();
        let alice_2_token = alice_2.token();
        let bob_token = bob.token();
        drop(alice_1);
        assert_eq!(shared.cancel_user_sessions("alice"), 1);
        assert!(!alice_1_token.is_cancelled());
        assert!(alice_2_token.is_cancelled());
        assert!(!bob_token.is_cancelled());
    }
 }
@@ -39,6 +39,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -35,6 +35,7 @@ fn build_harness(config: ProxyConfig) -> PipelineHarness {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -19,6 +19,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -19,6 +19,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -33,6 +33,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -19,6 +19,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -19,6 +19,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -46,6 +46,7 @@ fn build_harness(secret_hex: &str, mask_port: u16) -> PipelineHarness {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -24,6 +24,7 @@ fn make_test_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -47,6 +47,7 @@ fn build_harness(secret_hex: &str, mask_port: u16) -> RedTeamHarness {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -240,6 +241,7 @@ async fn redteam_03_masking_duration_must_be_less_than_1ms_when_backend_down() {
                selected_scope: String::new(),
                ipv4: None,
                ipv6: None,
                prefer: None,
            }],
            1,
            1,
@@ -484,6 +486,7 @@ async fn measure_invalid_probe_duration_ms(delay_ms: u64, tls_len: u16, body_sen
                selected_scope: String::new(),
                ipv4: None,
                ipv6: None,
                prefer: None,
            }],
            1,
            1,
@@ -561,6 +564,7 @@ async fn capture_forwarded_probe_len(tls_len: u16, body_sent: usize) -> usize {
                selected_scope: String::new(),
                ipv4: None,
                ipv6: None,
                prefer: None,
            }],
            1,
            1,
@@ -21,6 +21,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -19,6 +19,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -19,6 +19,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -19,6 +19,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -19,6 +19,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -33,6 +33,7 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -341,6 +341,7 @@ async fn relay_task_abort_releases_user_gate_and_ip_reservation() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -459,6 +460,7 @@ async fn relay_cutover_releases_user_gate_and_ip_reservation() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -586,6 +588,7 @@ async fn integration_route_cutover_and_quota_overlap_fails_closed_and_releases_s
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -759,6 +762,7 @@ async fn proxy_protocol_header_is_rejected_when_trust_list_is_empty() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -839,6 +843,7 @@ async fn proxy_protocol_header_from_untrusted_peer_range_is_rejected_under_load(
                selected_scope: String::new(),
                ipv4: None,
                ipv6: None,
                prefer: None,
            }],
            1,
            1,
@@ -1032,6 +1037,7 @@ async fn short_tls_probe_is_masked_through_client_pipeline() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -1123,6 +1129,7 @@ async fn tls12_record_probe_is_masked_through_client_pipeline() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -1212,6 +1219,7 @@ async fn handle_client_stream_increments_connects_all_exactly_once() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -1308,6 +1316,7 @@ async fn running_client_handler_increments_connects_all_exactly_once() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -1401,6 +1410,7 @@ async fn idle_pooled_connection_closes_cleanly_in_generic_stream_path() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -1475,6 +1485,7 @@ async fn idle_pooled_connection_closes_cleanly_in_client_handler_path() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -1564,6 +1575,7 @@ async fn partial_tls_header_stall_triggers_handshake_timeout() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -1892,6 +1904,7 @@ async fn valid_tls_path_does_not_fall_back_to_mask_backend() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -2004,6 +2017,7 @@ async fn valid_tls_with_invalid_mtproto_falls_back_to_mask_backend() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -2114,6 +2128,7 @@ async fn client_handler_tls_bad_mtproto_is_forwarded_to_mask_backend() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -2239,6 +2254,7 @@ async fn alpn_mismatch_tls_probe_is_masked_through_client_pipeline() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -2335,6 +2351,7 @@ async fn invalid_hmac_tls_probe_is_masked_through_client_pipeline() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -2437,6 +2454,7 @@ async fn burst_invalid_tls_probes_are_masked_verbatim() {
                selected_scope: String::new(),
                ipv4: None,
                ipv6: None,
                prefer: None,
            }],
            1,
            1,
@@ -3395,6 +3413,7 @@ async fn relay_connect_error_releases_user_and_ip_before_return() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -3963,6 +3982,7 @@ async fn untrusted_proxy_header_source_is_rejected() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -4036,6 +4056,7 @@ async fn empty_proxy_trusted_cidrs_rejects_proxy_header_by_default() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -4136,6 +4157,7 @@ async fn oversized_tls_record_is_masked_in_generic_stream_pipeline() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -4242,6 +4264,7 @@ async fn oversized_tls_record_is_masked_in_client_handler_pipeline() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -4362,6 +4385,7 @@ async fn tls_record_len_min_minus_1_is_rejected_in_generic_stream_pipeline() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -4468,6 +4492,7 @@ async fn tls_record_len_min_minus_1_is_rejected_in_client_handler_pipeline() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -4577,6 +4602,7 @@ async fn tls_record_len_16384_is_accepted_in_generic_stream_pipeline() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -4681,6 +4707,7 @@ async fn tls_record_len_16384_is_accepted_in_client_handler_pipeline() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -32,6 +32,7 @@ fn make_test_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -74,12 +75,17 @@ async fn run_generic_once(class: ProbeClass) -> u128 {
    let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
    let backend_addr = listener.local_addr().unwrap();
    let backend_reply = REPLY_404.to_vec();
    let probe = match class {
        ProbeClass::MalformedTlsTruncation => malformed_tls_probe(),
        ProbeClass::PlainWebBaseline => plain_web_probe(),
    };
    let accept_task = tokio::spawn({
        let backend_reply = backend_reply.clone();
        let expected_probe_len = probe.len();
        async move {
            let (mut stream, _) = listener.accept().await.unwrap();
-            let mut buf = [0u8; 5];
+            let mut buf = vec![0u8; expected_probe_len];
            stream.read_exact(&mut buf).await.unwrap();
            stream.write_all(&backend_reply).await.unwrap();
        }
@@ -93,6 +99,7 @@ async fn run_generic_once(class: ProbeClass) -> u128 {
    cfg.censorship.mask_host = Some("127.0.0.1".to_string());
    cfg.censorship.mask_port = backend_addr.port();
    cfg.censorship.mask_proxy_protocol = 0;
    cfg.censorship.mask_shape_hardening = false;
    if matches!(class, ProbeClass::PlainWebBaseline) {
        cfg.general.modes.classic = false;
@@ -129,11 +136,6 @@ async fn run_generic_once(class: ProbeClass) -> u128 {
        false,
    ));
    let probe = match class {
        ProbeClass::MalformedTlsTruncation => malformed_tls_probe(),
        ProbeClass::PlainWebBaseline => plain_web_probe(),
    };
    let started = Instant::now();
    client_side.write_all(&probe).await.unwrap();
    client_side.shutdown().await.unwrap();
@@ -169,11 +171,16 @@ async fn run_client_handler_once(class: ProbeClass) -> u128 {
    let front_addr = front_listener.local_addr().unwrap();
    let backend_reply = REPLY_404.to_vec();
    let probe = match class {
        ProbeClass::MalformedTlsTruncation => malformed_tls_probe(),
        ProbeClass::PlainWebBaseline => plain_web_probe(),
    };
    let mask_accept_task = tokio::spawn({
        let backend_reply = backend_reply.clone();
        let expected_probe_len = probe.len();
        async move {
            let (mut stream, _) = mask_listener.accept().await.unwrap();
-            let mut buf = [0u8; 5];
+            let mut buf = vec![0u8; expected_probe_len];
            stream.read_exact(&mut buf).await.unwrap();
            stream.write_all(&backend_reply).await.unwrap();
        }
@@ -187,6 +194,7 @@ async fn run_client_handler_once(class: ProbeClass) -> u128 {
    cfg.censorship.mask_host = Some("127.0.0.1".to_string());
    cfg.censorship.mask_port = backend_addr.port();
    cfg.censorship.mask_proxy_protocol = 0;
    cfg.censorship.mask_shape_hardening = false;
    if matches!(class, ProbeClass::PlainWebBaseline) {
        cfg.general.modes.classic = false;
@@ -239,11 +247,6 @@ async fn run_client_handler_once(class: ProbeClass) -> u128 {
        })
    };
    let probe = match class {
        ProbeClass::MalformedTlsTruncation => malformed_tls_probe(),
        ProbeClass::PlainWebBaseline => plain_web_probe(),
    };
    let mut client = TcpStream::connect(front_addr).await.unwrap();
    let started = Instant::now();
    client.write_all(&probe).await.unwrap();
@@ -34,6 +34,7 @@ fn make_test_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -35,6 +35,7 @@ fn make_test_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -49,6 +49,7 @@ fn build_harness(secret_hex: &str, mask_port: u16) -> PipelineHarness {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -1338,6 +1338,7 @@ async fn direct_relay_abort_midflight_releases_route_gauge() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -1448,6 +1449,7 @@ async fn direct_relay_cutover_midflight_releases_route_gauge() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -1570,6 +1572,7 @@ async fn direct_relay_cutover_storm_multi_session_keeps_generic_errors_and_relea
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -1803,6 +1806,7 @@ async fn negative_direct_relay_dc_connection_refused_fails_fast() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        100,
@@ -1897,6 +1901,7 @@ async fn adversarial_direct_relay_cutover_integrity() {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        100,
@@ -22,6 +22,7 @@ async fn adversarial_delayed_interface_lookup_does_not_consume_outcome_floor_bud
    let refresh_lock = LOCAL_INTERFACE_REFRESH_LOCK.get_or_init(|| AsyncMutex::new(()));
    let held_refresh_guard = refresh_lock.lock().await;
    reset_local_interface_enumerations_for_tests();
    let (mut client, server) = duplex(1024);
    let started = Instant::now();
@@ -1,33 +1,21 @@
 use super::*;
 use std::panic::{AssertUnwindSafe, catch_unwind};
 #[test]
-fn blackhat_registry_poison_recovers_with_fail_closed_reset_and_pressure_accounting() {
+fn blackhat_registry_stale_order_entry_is_skipped_and_pressure_accounting_continues() {
    let shared = ProxySharedState::new();
    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
-    let _ = catch_unwind(AssertUnwindSafe(|| {
+    shared
        let mut guard = shared
        .middle_relay
        .relay_idle_registry
        .ordered
        .lock()
-            .expect("registry lock must be acquired before poison");
+        .insert((0, 999));
        guard.by_conn_id.insert(
            999,
            RelayIdleCandidateMeta {
                mark_order_seq: 1,
                mark_pressure_seq: 0,
            },
        );
        guard.ordered.insert((1, 999));
        panic!("intentional poison for idle-registry recovery");
    }));
    // Helper lock must recover from poison, reset stale state, and continue.
    assert!(mark_relay_idle_candidate_for_testing(shared.as_ref(), 42));
    assert_eq!(
        oldest_relay_idle_candidate_for_testing(shared.as_ref()),
-        Some(42)
+        Some(999)
    );
    let before = relay_pressure_event_seq_for_testing(shared.as_ref());
@@ -35,25 +23,43 @@ fn blackhat_registry_poison_recovers_with_fail_closed_reset_and_pressure_account
    let after = relay_pressure_event_seq_for_testing(shared.as_ref());
    assert!(
        after > before,
-        "pressure accounting must still advance after poison"
+        "pressure accounting must still advance with stale ordered entries"
    );
    let mut seen_pressure_seq = before;
    assert!(maybe_evict_idle_candidate_on_pressure_for_testing(
        shared.as_ref(),
        42,
        &mut seen_pressure_seq,
        &Stats::new()
    ));
    assert_eq!(
        oldest_relay_idle_candidate_for_testing(shared.as_ref()),
        None
    );
    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
 }
 #[test]
-fn clear_state_helper_must_reset_poisoned_registry_for_deterministic_fifo_tests() {
+fn clear_state_helper_must_reset_split_registry_for_deterministic_fifo_tests() {
    let shared = ProxySharedState::new();
    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
-    let _ = catch_unwind(AssertUnwindSafe(|| {
+    shared.middle_relay.relay_idle_registry.by_conn_id.insert(
-        let _guard = shared
+        999,
        RelayIdleCandidateMeta {
            mark_order_seq: 1,
            mark_pressure_seq: 0,
        },
    );
    shared
        .middle_relay
        .relay_idle_registry
        .ordered
        .lock()
-            .expect("registry lock must be acquired before poison");
+        .insert((1, 999));
-        panic!("intentional poison while lock held");
+    set_relay_pressure_state_for_testing(shared.as_ref(), 7, 6);
    }));
    clear_relay_idle_pressure_state_for_testing_in_shared(shared.as_ref());
@@ -61,6 +61,7 @@ fn new_client_harness() -> ClientHarness {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        }],
        1,
        1,
@@ -10,6 +10,7 @@ mod me_counters;
 mod me_getters;
 mod replay;
 pub mod telemetry;
 pub mod tls_fingerprints;
 mod users;
 mod writer_counters;
@@ -22,6 +23,7 @@ use std::time::Instant;
 #[allow(unused_imports)]
 pub use self::replay::{ReplayChecker, ReplayStats};
 use self::telemetry::TelemetryPolicy;
 pub use self::tls_fingerprints::TlsFingerprintSnapshotRow;
 use crate::config::MeWriterPickMode;
 #[derive(Clone, Copy)]
@@ -333,6 +335,7 @@ pub struct Stats {
    telemetry_user_enabled: AtomicBool,
    telemetry_me_level: AtomicU8,
    cached_epoch_secs: AtomicU64,
    tls_fingerprints: tls_fingerprints::TlsFingerprintCollector,
    user_stats: DashMap<String, Arc<UserStats>>,
    user_stats_last_cleanup_epoch_secs: AtomicU64,
    start_time: parking_lot::RwLock<Option<Instant>>,
@@ -0,0 +1,556 @@
 //! Bounded TLS JA3/JA4 fingerprint aggregation.
 use std::cmp::Reverse;
 use std::hash::Hash;
 use std::net::{IpAddr, Ipv6Addr};
 use std::sync::atomic::{AtomicU64, Ordering};
 use std::time::Duration;
 use dashmap::DashMap;
 use dashmap::mapref::entry::Entry;
 use crate::protocol::tls_fingerprint::TlsClientFingerprint;
 use super::Stats;
 const CLEANUP_INTERVAL_SECS: u64 = 30;
 const MAX_TLS_FINGERPRINT_BUCKETS: usize = 65_536;
 #[derive(Clone, Copy, Debug, Eq, Hash, PartialEq)]
 pub enum TlsFingerprintScopeKind {
    Fingerprint,
    Ip,
    Cidr,
    User,
 }
 #[derive(Clone, Debug)]
 pub struct TlsFingerprintSnapshotRow {
    pub scope_key: String,
    pub ja3: String,
    pub ja3_raw: String,
    pub ja4: String,
    pub ja4_raw: String,
    pub total: u64,
    pub auth_success: u64,
    pub bad_or_probe: u64,
    pub first_seen_epoch_secs: u64,
    pub last_seen_epoch_secs: u64,
 }
 #[derive(Clone, Debug)]
 pub struct TlsFingerprintSnapshot {
    pub retention_secs: u64,
    pub capacity: usize,
    pub dropped_total: u64,
    pub parse_error_total: u64,
    pub by_fingerprint: Vec<TlsFingerprintSnapshotRow>,
    pub by_ip: Vec<TlsFingerprintSnapshotRow>,
    pub by_cidr: Vec<TlsFingerprintSnapshotRow>,
    pub by_user: Vec<TlsFingerprintSnapshotRow>,
 }
 #[derive(Clone, Debug, Eq, Hash, PartialEq)]
 struct TlsFingerprintKey {
    scope_kind: TlsFingerprintScopeKind,
    scope_key: String,
    ja3: String,
    ja3_raw: String,
    ja4: String,
    ja4_raw: String,
 }
 struct TlsFingerprintEntry {
    first_seen_epoch_secs: AtomicU64,
    last_seen_epoch_secs: AtomicU64,
    total: AtomicU64,
    auth_success: AtomicU64,
    bad_or_probe: AtomicU64,
 }
 #[derive(Default)]
 pub struct TlsFingerprintCollector {
    entries: DashMap<TlsFingerprintKey, TlsFingerprintEntry>,
    dropped_total: AtomicU64,
    parse_error_total: AtomicU64,
    last_cleanup_epoch_secs: AtomicU64,
 }
 impl TlsFingerprintCollector {
    pub fn record_observed(
        &self,
        fingerprint: &TlsClientFingerprint,
        peer_ip: IpAddr,
        ttl: Duration,
    ) {
        if ttl.is_zero() {
            return;
        }
        let now = now_epoch_secs();
        self.cleanup_if_needed(now, ttl.as_secs());
        self.record_scoped(
            scope_key(TlsFingerprintScopeKind::Fingerprint, ""),
            fingerprint,
            now,
            true,
            false,
            false,
        );
        self.record_scoped(
            scope_key(TlsFingerprintScopeKind::Ip, &peer_ip.to_string()),
            fingerprint,
            now,
            true,
            false,
            false,
        );
        self.record_scoped(
            scope_key(TlsFingerprintScopeKind::Cidr, &cidr_bucket(peer_ip)),
            fingerprint,
            now,
            true,
            false,
            false,
        );
    }
    pub fn record_auth_success(
        &self,
        fingerprint: &TlsClientFingerprint,
        peer_ip: IpAddr,
        user: &str,
        ttl: Duration,
    ) {
        if ttl.is_zero() || user.is_empty() {
            return;
        }
        let now = now_epoch_secs();
        self.cleanup_if_needed(now, ttl.as_secs());
        self.record_scoped(
            scope_key(TlsFingerprintScopeKind::Fingerprint, ""),
            fingerprint,
            now,
            false,
            true,
            false,
        );
        self.record_scoped(
            scope_key(TlsFingerprintScopeKind::Ip, &peer_ip.to_string()),
            fingerprint,
            now,
            false,
            true,
            false,
        );
        self.record_scoped(
            scope_key(TlsFingerprintScopeKind::Cidr, &cidr_bucket(peer_ip)),
            fingerprint,
            now,
            false,
            true,
            false,
        );
        self.record_scoped(
            scope_key(TlsFingerprintScopeKind::User, user),
            fingerprint,
            now,
            true,
            true,
            false,
        );
    }
    pub fn record_bad_or_probe(
        &self,
        fingerprint: &TlsClientFingerprint,
        peer_ip: IpAddr,
        ttl: Duration,
    ) {
        if ttl.is_zero() {
            return;
        }
        let now = now_epoch_secs();
        self.cleanup_if_needed(now, ttl.as_secs());
        self.record_scoped(
            scope_key(TlsFingerprintScopeKind::Fingerprint, ""),
            fingerprint,
            now,
            false,
            false,
            true,
        );
        self.record_scoped(
            scope_key(TlsFingerprintScopeKind::Ip, &peer_ip.to_string()),
            fingerprint,
            now,
            false,
            false,
            true,
        );
        self.record_scoped(
            scope_key(TlsFingerprintScopeKind::Cidr, &cidr_bucket(peer_ip)),
            fingerprint,
            now,
            false,
            false,
            true,
        );
    }
    pub fn increment_parse_error(&self) {
        self.parse_error_total.fetch_add(1, Ordering::Relaxed);
    }
    pub fn snapshot(&self, ttl: Duration, limit: usize) -> TlsFingerprintSnapshot {
        let now = now_epoch_secs();
        self.cleanup(now, ttl.as_secs());
        let limit = limit.clamp(1, 1000);
        let mut by_fingerprint = Vec::new();
        let mut by_ip = Vec::new();
        let mut by_cidr = Vec::new();
        let mut by_user = Vec::new();
        for entry in self.entries.iter() {
            let row = snapshot_row(entry.key(), entry.value());
            match entry.key().scope_kind {
                TlsFingerprintScopeKind::Fingerprint => by_fingerprint.push(row),
                TlsFingerprintScopeKind::Ip => by_ip.push(row),
                TlsFingerprintScopeKind::Cidr => by_cidr.push(row),
                TlsFingerprintScopeKind::User => by_user.push(row),
            }
        }
        sort_and_truncate(&mut by_fingerprint, limit);
        sort_and_truncate(&mut by_ip, limit);
        sort_and_truncate(&mut by_cidr, limit);
        sort_and_truncate(&mut by_user, limit);
        TlsFingerprintSnapshot {
            retention_secs: ttl.as_secs(),
            capacity: MAX_TLS_FINGERPRINT_BUCKETS,
            dropped_total: self.dropped_total.load(Ordering::Relaxed),
            parse_error_total: self.parse_error_total.load(Ordering::Relaxed),
            by_fingerprint,
            by_ip,
            by_cidr,
            by_user,
        }
    }
    pub fn snapshot_text(&self, ttl: Duration, limit: usize) -> String {
        let snapshot = self.snapshot(ttl, limit);
        if snapshot.by_fingerprint.is_empty()
            && snapshot.by_ip.is_empty()
            && snapshot.by_cidr.is_empty()
            && snapshot.by_user.is_empty()
        {
            return String::new();
        }
        let mut out = String::new();
        out.push_str("[tls_fingerprints]\n");
        out.push_str(&format!(
            "retention_secs={} capacity={} dropped_total={} parse_error_total={}\n",
            snapshot.retention_secs,
            snapshot.capacity,
            snapshot.dropped_total,
            snapshot.parse_error_total
        ));
        append_rows(
            &mut out,
            "tls_fingerprints.by_fingerprint",
            &snapshot.by_fingerprint,
        );
        append_rows(&mut out, "tls_fingerprints.by_ip", &snapshot.by_ip);
        append_rows(&mut out, "tls_fingerprints.by_cidr", &snapshot.by_cidr);
        append_rows(&mut out, "tls_fingerprints.by_user", &snapshot.by_user);
        out
    }
    fn record_scoped(
        &self,
        scope: (TlsFingerprintScopeKind, String),
        fingerprint: &TlsClientFingerprint,
        now_epoch_secs: u64,
        count_total: bool,
        count_auth_success: bool,
        count_bad_or_probe: bool,
    ) {
        let key = TlsFingerprintKey {
            scope_kind: scope.0,
            scope_key: scope.1,
            ja3: fingerprint.ja3.clone(),
            ja3_raw: fingerprint.ja3_raw.clone(),
            ja4: fingerprint.ja4.clone(),
            ja4_raw: fingerprint.ja4_raw.clone(),
        };
        if let Some(entry) = self.entries.get(&key) {
            update_entry(
                entry.value(),
                now_epoch_secs,
                count_total,
                count_auth_success,
                count_bad_or_probe,
            );
            return;
        }
        if self.entries.len() >= MAX_TLS_FINGERPRINT_BUCKETS {
            self.dropped_total.fetch_add(1, Ordering::Relaxed);
            return;
        }
        match self.entries.entry(key) {
            Entry::Occupied(entry) => {
                update_entry(
                    entry.get(),
                    now_epoch_secs,
                    count_total,
                    count_auth_success,
                    count_bad_or_probe,
                );
            }
            Entry::Vacant(entry) => {
                entry.insert(TlsFingerprintEntry::new(
                    now_epoch_secs,
                    if count_total { 1 } else { 0 },
                    if count_auth_success { 1 } else { 0 },
                    if count_bad_or_probe { 1 } else { 0 },
                ));
            }
        }
    }
    fn cleanup_if_needed(&self, now_epoch_secs: u64, ttl_secs: u64) {
        let last = self.last_cleanup_epoch_secs.load(Ordering::Relaxed);
        if now_epoch_secs.saturating_sub(last) < CLEANUP_INTERVAL_SECS {
            return;
        }
        if self
            .last_cleanup_epoch_secs
            .compare_exchange(last, now_epoch_secs, Ordering::AcqRel, Ordering::Relaxed)
            .is_err()
        {
            return;
        }
        self.cleanup(now_epoch_secs, ttl_secs);
    }
    fn cleanup(&self, now_epoch_secs: u64, ttl_secs: u64) {
        if ttl_secs == 0 {
            self.entries.clear();
            return;
        }
        self.entries.retain(|_, entry| {
            let last_seen = entry.last_seen_epoch_secs.load(Ordering::Relaxed);
            now_epoch_secs.saturating_sub(last_seen) <= ttl_secs
        });
    }
 }
 impl TlsFingerprintEntry {
    fn new(now_epoch_secs: u64, total: u64, auth_success: u64, bad_or_probe: u64) -> Self {
        Self {
            first_seen_epoch_secs: AtomicU64::new(now_epoch_secs),
            last_seen_epoch_secs: AtomicU64::new(now_epoch_secs),
            total: AtomicU64::new(total),
            auth_success: AtomicU64::new(auth_success),
            bad_or_probe: AtomicU64::new(bad_or_probe),
        }
    }
 }
 fn update_entry(
    entry: &TlsFingerprintEntry,
    now_epoch_secs: u64,
    count_total: bool,
    count_auth_success: bool,
    count_bad_or_probe: bool,
 ) {
    entry
        .last_seen_epoch_secs
        .store(now_epoch_secs, Ordering::Relaxed);
    if count_total {
        entry.total.fetch_add(1, Ordering::Relaxed);
    }
    if count_auth_success {
        entry.auth_success.fetch_add(1, Ordering::Relaxed);
    }
    if count_bad_or_probe {
        entry.bad_or_probe.fetch_add(1, Ordering::Relaxed);
    }
 }
 fn snapshot_row(key: &TlsFingerprintKey, entry: &TlsFingerprintEntry) -> TlsFingerprintSnapshotRow {
    TlsFingerprintSnapshotRow {
        scope_key: key.scope_key.clone(),
        ja3: key.ja3.clone(),
        ja3_raw: key.ja3_raw.clone(),
        ja4: key.ja4.clone(),
        ja4_raw: key.ja4_raw.clone(),
        total: entry.total.load(Ordering::Relaxed),
        auth_success: entry.auth_success.load(Ordering::Relaxed),
        bad_or_probe: entry.bad_or_probe.load(Ordering::Relaxed),
        first_seen_epoch_secs: entry.first_seen_epoch_secs.load(Ordering::Relaxed),
        last_seen_epoch_secs: entry.last_seen_epoch_secs.load(Ordering::Relaxed),
    }
 }
 fn sort_and_truncate(rows: &mut Vec<TlsFingerprintSnapshotRow>, limit: usize) {
    rows.sort_by_key(|row| {
        (
            Reverse(row.total),
            row.scope_key.clone(),
            row.ja4.clone(),
            row.ja3.clone(),
        )
    });
    rows.truncate(limit);
 }
 fn append_rows(out: &mut String, section: &str, rows: &[TlsFingerprintSnapshotRow]) {
    if rows.is_empty() {
        return;
    }
    out.push('[');
    out.push_str(section);
    out.push_str("]\n");
    for row in rows {
        if row.scope_key.is_empty() {
            out.push_str(&format!(
                "ja4={} ja3={} total={} auth_success={} bad_or_probe={} first_seen={} last_seen={}\n",
                row.ja4,
                row.ja3,
                row.total,
                row.auth_success,
                row.bad_or_probe,
                row.first_seen_epoch_secs,
                row.last_seen_epoch_secs
            ));
        } else {
            out.push_str(&format!(
                "scope={} ja4={} ja3={} total={} auth_success={} bad_or_probe={} first_seen={} last_seen={}\n",
                row.scope_key,
                row.ja4,
                row.ja3,
                row.total,
                row.auth_success,
                row.bad_or_probe,
                row.first_seen_epoch_secs,
                row.last_seen_epoch_secs
            ));
        }
    }
 }
 fn scope_key(kind: TlsFingerprintScopeKind, key: &str) -> (TlsFingerprintScopeKind, String) {
    (kind, key.to_string())
 }
 fn cidr_bucket(ip: IpAddr) -> String {
    match ip {
        IpAddr::V4(ip) => {
            let [a, b, c, _] = ip.octets();
            format!("{a}.{b}.{c}.0/24")
        }
        IpAddr::V6(ip) => {
            let mut octets = ip.octets();
            for byte in &mut octets[7..] {
                *byte = 0;
            }
            format!("{}/56", Ipv6Addr::from(octets))
        }
    }
 }
 fn now_epoch_secs() -> u64 {
    std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .unwrap_or_default()
        .as_secs()
 }
 impl Stats {
    pub fn record_tls_fingerprint_observed(
        &self,
        fingerprint: &TlsClientFingerprint,
        peer_ip: IpAddr,
        ttl: Duration,
    ) {
        if self.telemetry_core_enabled() {
            self.tls_fingerprints
                .record_observed(fingerprint, peer_ip, ttl);
        }
    }
    pub fn record_tls_fingerprint_auth_success(
        &self,
        fingerprint: &TlsClientFingerprint,
        peer_ip: IpAddr,
        user: &str,
        ttl: Duration,
    ) {
        if self.telemetry_core_enabled() {
            self.tls_fingerprints
                .record_auth_success(fingerprint, peer_ip, user, ttl);
        }
    }
    pub fn record_tls_fingerprint_bad_or_probe(
        &self,
        fingerprint: &TlsClientFingerprint,
        peer_ip: IpAddr,
        ttl: Duration,
    ) {
        if self.telemetry_core_enabled() {
            self.tls_fingerprints
                .record_bad_or_probe(fingerprint, peer_ip, ttl);
        }
    }
    pub fn increment_tls_fingerprint_parse_error(&self) {
        if self.telemetry_core_enabled() {
            self.tls_fingerprints.increment_parse_error();
        }
    }
    pub fn tls_fingerprint_snapshot(&self, ttl: Duration, limit: usize) -> TlsFingerprintSnapshot {
        self.tls_fingerprints.snapshot(ttl, limit)
    }
    pub fn tls_fingerprint_snapshot_text(&self, ttl: Duration, limit: usize) -> String {
        self.tls_fingerprints.snapshot_text(ttl, limit)
    }
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    fn fp() -> TlsClientFingerprint {
        TlsClientFingerprint {
            ja3: "ja3".to_string(),
            ja3_raw: "771,4865,,,0".to_string(),
            ja4: "t13d010100_hash_hash".to_string(),
            ja4_raw: "raw".to_string(),
        }
    }
    #[test]
    fn aggregates_ip_cidr_and_user_scopes() {
        let collector = TlsFingerprintCollector::default();
        let ip: IpAddr = "192.0.2.15".parse().expect("test IP parses");
        collector.record_observed(&fp(), ip, Duration::from_secs(60));
        collector.record_auth_success(&fp(), ip, "alice", Duration::from_secs(60));
        let snapshot = collector.snapshot(Duration::from_secs(60), 10);
        assert_eq!(snapshot.by_fingerprint[0].total, 1);
        assert_eq!(snapshot.by_fingerprint[0].auth_success, 1);
        assert_eq!(snapshot.by_ip[0].scope_key, "192.0.2.15");
        assert_eq!(snapshot.by_cidr[0].scope_key, "192.0.2.0/24");
        assert_eq!(snapshot.by_user[0].scope_key, "alice");
        assert_eq!(snapshot.by_user[0].total, 1);
    }
 }
@@ -8,12 +8,17 @@ use crate::protocol::constants::{
 use crate::protocol::tls::{
    ClientHelloTlsVersion, TLS_DIGEST_LEN, TLS_DIGEST_POS, gen_fake_x25519_key,
 };
-use crate::tls_front::types::{CachedTlsData, ParsedCertificateInfo, TlsProfileSource};
+use crate::tls_front::types::{
    CachedTlsData, ParsedCertificateInfo, TlsExtension, TlsProfileSource,
 };
 use crc32fast::Hasher;
 const MIN_APP_DATA: usize = 64;
 const MAX_APP_DATA: usize = MAX_TLS_CIPHERTEXT_SIZE;
 const MAX_TICKET_RECORDS: usize = 4;
 const EXT_SUPPORTED_VERSIONS: u16 = 0x002b;
 const EXT_KEY_SHARE: u16 = 0x0033;
 const EXT_ALPN: u16 = 0x0010;
 fn jitter_and_clamp_sizes(sizes: &[usize], rng: &SecureRandom) -> Vec<usize> {
    sizes
@@ -185,6 +190,74 @@ fn hash_compact_cert_info_payload(cert_payload: Vec<u8>) -> Option<Vec<u8>> {
    Some(hashed)
 }
 fn push_supported_versions_extension(extensions: &mut Vec<u8>) {
    extensions.extend_from_slice(&EXT_SUPPORTED_VERSIONS.to_be_bytes());
    extensions.extend_from_slice(&(2u16).to_be_bytes());
    extensions.extend_from_slice(&0x0304u16.to_be_bytes());
 }
 fn push_key_share_extension(extensions: &mut Vec<u8>, rng: &SecureRandom) {
    let key = gen_fake_x25519_key(rng);
    extensions.extend_from_slice(&EXT_KEY_SHARE.to_be_bytes());
    extensions.extend_from_slice(&(2 + 2 + 32u16).to_be_bytes());
    extensions.extend_from_slice(&0x001du16.to_be_bytes());
    extensions.extend_from_slice(&(32u16).to_be_bytes());
    extensions.extend_from_slice(&key);
 }
 fn replay_profiled_server_hello_extension(
    ext: &TlsExtension,
    extensions: &mut Vec<u8>,
    rng: &SecureRandom,
    saw_supported_versions: &mut bool,
    saw_key_share: &mut bool,
 ) {
    match ext.ext_type {
        EXT_SUPPORTED_VERSIONS if !*saw_supported_versions => {
            push_supported_versions_extension(extensions);
            *saw_supported_versions = true;
        }
        EXT_KEY_SHARE if !*saw_key_share => {
            push_key_share_extension(extensions, rng);
            *saw_key_share = true;
        }
        EXT_ALPN => {}
        _ => {}
    }
 }
 fn build_profiled_server_hello_extensions(cached: &CachedTlsData, rng: &SecureRandom) -> Vec<u8> {
    let capacity = cached
        .server_hello_template
        .extensions
        .iter()
        .map(|ext| 4 + ext.data.len())
        .sum::<usize>()
        .max(44);
    let mut extensions = Vec::with_capacity(capacity);
    let mut saw_supported_versions = false;
    let mut saw_key_share = false;
    for ext in &cached.server_hello_template.extensions {
        replay_profiled_server_hello_extension(
            ext,
            &mut extensions,
            rng,
            &mut saw_supported_versions,
            &mut saw_key_share,
        );
    }
    if !saw_key_share {
        push_key_share_extension(&mut extensions, rng);
    }
    if !saw_supported_versions {
        push_supported_versions_extension(&mut extensions);
    }
    extensions
 }
 /// Build a ServerHello + CCS + ApplicationData sequence using cached TLS metadata.
 pub fn build_emulated_server_hello(
    secret: &[u8],
@@ -194,39 +267,28 @@ pub fn build_emulated_server_hello(
    use_full_cert_payload: bool,
    serverhello_compact: bool,
    client_tls_version: ClientHelloTlsVersion,
    selected_cipher_suite: [u8; 2],
    rng: &SecureRandom,
    alpn: Option<Vec<u8>>,
    new_session_tickets: u8,
 ) -> Vec<u8> {
    // --- ServerHello ---
-    let mut extensions = Vec::new();
+    let extensions = build_profiled_server_hello_extensions(cached, rng);
    let key = gen_fake_x25519_key(rng);
    extensions.extend_from_slice(&0x0033u16.to_be_bytes());
    extensions.extend_from_slice(&(2 + 2 + 32u16).to_be_bytes());
    extensions.extend_from_slice(&0x001du16.to_be_bytes());
    extensions.extend_from_slice(&(32u16).to_be_bytes());
    extensions.extend_from_slice(&key);
    extensions.extend_from_slice(&0x002bu16.to_be_bytes());
    extensions.extend_from_slice(&(2u16).to_be_bytes());
    extensions.extend_from_slice(&0x0304u16.to_be_bytes());
    let extensions_len = extensions.len() as u16;
-    let body_len = 2 + // version
+    let body_len = 2 + 32 + 1 + session_id.len() + 2 + 1 + 2 + extensions.len();
        32 + // random
        1 + session_id.len() + // session id
        2 + // cipher
        1 + // compression
        2 + extensions.len(); // extensions
    let mut message = Vec::with_capacity(4 + body_len);
-    message.push(0x02); // ServerHello
+    message.push(0x02);
    let len_bytes = (body_len as u32).to_be_bytes();
    message.extend_from_slice(&len_bytes[1..4]);
-    message.extend_from_slice(&cached.server_hello_template.version); // 0x0303
+    message.extend_from_slice(&cached.server_hello_template.version);
-    message.extend_from_slice(&[0u8; 32]); // random placeholder
+    message.extend_from_slice(&[0u8; 32]);
    message.push(session_id.len() as u8);
    message.extend_from_slice(session_id);
-    let cipher = if cached.server_hello_template.cipher_suite == [0, 0] {
+    let cipher = if selected_cipher_suite != [0, 0] {
        selected_cipher_suite
    } else if cached.server_hello_template.cipher_suite == [0, 0] {
        [0x13, 0x01]
    } else {
        cached.server_hello_template.cipher_suite
@@ -303,21 +365,10 @@ pub fn build_emulated_server_hello(
    }
    let mut app_data = Vec::new();
-    let alpn_marker = alpn
+    // ALPN selection is encrypted inside EncryptedExtensions in real TLS 1.3.
-        .as_ref()
+    // Keeping the FakeTLS record body opaque avoids a stable plaintext marker.
-        .filter(|p| !p.is_empty() && p.len() <= u8::MAX as usize)
+    let _ = alpn;
-        .map(|proto| {
+    for size in sizes {
            let proto_list_len = 1usize + proto.len();
            let ext_data_len = 2usize + proto_list_len;
            let mut marker = Vec::with_capacity(4 + ext_data_len);
            marker.extend_from_slice(&0x0010u16.to_be_bytes());
            marker.extend_from_slice(&(ext_data_len as u16).to_be_bytes());
            marker.extend_from_slice(&(proto_list_len as u16).to_be_bytes());
            marker.push(proto.len() as u8);
            marker.extend_from_slice(proto);
            marker
        });
    for (idx, size) in sizes.into_iter().enumerate() {
        let mut rec = Vec::with_capacity(5 + size);
        rec.push(TLS_RECORD_APPLICATION);
        rec.extend_from_slice(&TLS_VERSION);
@@ -334,31 +385,18 @@ pub fn build_emulated_server_hello(
                if body_len > copy_len {
                    rec.extend_from_slice(&rng.bytes(body_len - copy_len));
                }
-                rec.push(0x16); // inner content type marker (handshake)
+                rec.push(0x16);
-                rec.extend_from_slice(&rng.bytes(16)); // AEAD-like tag
+                rec.extend_from_slice(&rng.bytes(16));
            } else {
                rec.extend_from_slice(&rng.bytes(size));
            }
        } else if size > 17 {
            let body_len = size - 17;
            let mut body = Vec::with_capacity(body_len);
            if idx == 0
                && let Some(marker) = &alpn_marker
            {
                if marker.len() <= body_len {
                    body.extend_from_slice(marker);
                    if body_len > marker.len() {
                        body.extend_from_slice(&rng.bytes(body_len - marker.len()));
                    }
                } else {
            body.extend_from_slice(&rng.bytes(body_len));
                }
            } else {
                body.extend_from_slice(&rng.bytes(body_len));
            }
            rec.extend_from_slice(&body);
-            rec.push(0x16); // inner content type marker (handshake)
+            rec.push(0x16);
-            rec.extend_from_slice(&rng.bytes(16)); // AEAD-like tag
+            rec.extend_from_slice(&rng.bytes(16));
        } else {
            rec.extend_from_slice(&rng.bytes(size));
        }
@@ -408,7 +446,8 @@ mod tests {
    use std::time::SystemTime;
    use crate::tls_front::types::{
-        CachedTlsData, ParsedServerHello, TlsBehaviorProfile, TlsCertPayload, TlsProfileSource,
+        CachedTlsData, ParsedServerHello, TlsBehaviorProfile, TlsCertPayload, TlsExtension,
        TlsProfileSource,
    };
    use super::{
@@ -432,6 +471,38 @@ mod tests {
        &response[app_start + 5..app_start + 5 + app_len]
    }
    fn server_hello_cipher_suite(response: &[u8]) -> [u8; 2] {
        let mut pos = 5 + 4 + 2 + 32;
        let session_id_len = response[pos] as usize;
        pos += 1 + session_id_len;
        [response[pos], response[pos + 1]]
    }
    fn server_hello_extension_types(response: &[u8]) -> Vec<u16> {
        let record_len = u16::from_be_bytes([response[3], response[4]]) as usize;
        let handshake_end = 5 + record_len;
        let mut pos = 5 + 4 + 2 + 32;
        let session_id_len = response[pos] as usize;
        pos += 1 + session_id_len + 2 + 1;
        let extensions_len = u16::from_be_bytes([response[pos], response[pos + 1]]) as usize;
        pos += 2;
        let extensions_end = (pos + extensions_len).min(handshake_end);
        let mut out = Vec::new();
        while pos + 4 <= extensions_end {
            let ext_type = u16::from_be_bytes([response[pos], response[pos + 1]]);
            let ext_len = u16::from_be_bytes([response[pos + 2], response[pos + 3]]) as usize;
            pos += 4;
            if pos + ext_len > extensions_end {
                break;
            }
            out.push(ext_type);
            pos += ext_len;
        }
        out
    }
    fn make_cached(cert_payload: Option<TlsCertPayload>) -> CachedTlsData {
        CachedTlsData {
            server_hello_template: ParsedServerHello {
@@ -468,6 +539,7 @@ mod tests {
            true,
            true,
            ClientHelloTlsVersion::Tls12,
            [0x13, 0x01],
            &rng,
            None,
            0,
@@ -484,6 +556,65 @@ mod tests {
        assert!(payload.starts_with(&cert_msg));
    }
    #[test]
    fn test_build_emulated_server_hello_uses_selected_cipher_suite() {
        let cached = make_cached(None);
        let rng = SecureRandom::new();
        let response = build_emulated_server_hello(
            b"secret",
            &[0x10; 32],
            &[0x20; 16],
            &cached,
            false,
            true,
            ClientHelloTlsVersion::Tls13,
            [0x13, 0x03],
            &rng,
            None,
            0,
        );
        assert_eq!(server_hello_cipher_suite(&response), [0x13, 0x03]);
    }
    #[test]
    fn test_build_emulated_server_hello_replays_profiled_safe_extension_order() {
        let mut cached = make_cached(None);
        cached.server_hello_template.extensions = vec![
            TlsExtension {
                ext_type: 0x002b,
                data: vec![0x03, 0x04],
            },
            TlsExtension {
                ext_type: 0x0010,
                data: vec![0x00, 0x03, 0x02, b'h', b'2'],
            },
            TlsExtension {
                ext_type: 0x0033,
                data: vec![0; 36],
            },
        ];
        let rng = SecureRandom::new();
        let response = build_emulated_server_hello(
            b"secret",
            &[0x21; 32],
            &[0x22; 16],
            &cached,
            false,
            true,
            ClientHelloTlsVersion::Tls13,
            [0x13, 0x01],
            &rng,
            Some(b"h2".to_vec()),
            0,
        );
        assert_eq!(
            server_hello_extension_types(&response),
            vec![0x002b, 0x0033]
        );
    }
    #[test]
    fn test_build_emulated_server_hello_random_fallback_when_no_cert_payload() {
        let cached = make_cached(None);
@@ -496,6 +627,7 @@ mod tests {
            true,
            true,
            ClientHelloTlsVersion::Tls12,
            [0x13, 0x01],
            &rng,
            None,
            0,
@@ -530,6 +662,7 @@ mod tests {
            false,
            true,
            ClientHelloTlsVersion::Tls12,
            [0x13, 0x01],
            &rng,
            None,
            0,
@@ -570,6 +703,7 @@ mod tests {
            true,
            true,
            ClientHelloTlsVersion::Tls13,
            [0x13, 0x01],
            &rng,
            None,
            0,
@@ -583,7 +717,7 @@ mod tests {
    }
    #[test]
-    fn test_build_emulated_server_hello_compact_disabled_skips_compact_payload() {
+    fn test_build_emulated_server_hello_keeps_alpn_marker_out_of_random_payload() {
        let mut cached = make_cached(None);
        cached.cert_info = Some(crate::tls_front::types::ParsedCertificateInfo {
            not_after_unix: Some(1_900_000_000),
@@ -602,6 +736,7 @@ mod tests {
            false,
            false,
            ClientHelloTlsVersion::Tls12,
            [0x13, 0x01],
            &rng,
            Some(b"h2".to_vec()),
            0,
@@ -610,8 +745,8 @@ mod tests {
        let payload = first_app_data_payload(&response);
        let expected_alpn_marker = [0x00u8, 0x10, 0x00, 0x05, 0x00, 0x03, 0x02, b'h', b'2'];
        assert!(
-            payload.starts_with(&expected_alpn_marker),
+            !payload.starts_with(&expected_alpn_marker),
-            "when compact mode is disabled and no full cert payload exists, the random/alpn path must be used"
+            "random fallback payload must not expose plaintext ALPN marker bytes"
        );
    }
@@ -633,6 +768,7 @@ mod tests {
            false,
            true,
            ClientHelloTlsVersion::Tls13,
            [0x13, 0x01],
            &rng,
            None,
            0,
@@ -65,6 +65,7 @@ fn emulated_server_hello_keeps_single_change_cipher_spec_for_client_compatibilit
        false,
        true,
        ClientHelloTlsVersion::Tls13,
        [0x13, 0x01],
        &rng,
        None,
        0,
@@ -89,6 +90,7 @@ fn emulated_server_hello_does_not_emit_profile_ticket_tail_when_disabled() {
        false,
        true,
        ClientHelloTlsVersion::Tls13,
        [0x13, 0x01],
        &rng,
        None,
        0,
@@ -111,6 +113,7 @@ fn emulated_server_hello_uses_profile_ticket_lengths_when_enabled() {
        false,
        true,
        ClientHelloTlsVersion::Tls13,
        [0x13, 0x01],
        &rng,
        None,
        2,
@@ -58,6 +58,7 @@ fn emulated_server_hello_ignores_oversized_alpn_when_marker_would_not_fit() {
        true,
        true,
        ClientHelloTlsVersion::Tls13,
        [0x13, 0x01],
        &rng,
        Some(oversized_alpn),
        0,
@@ -84,7 +85,7 @@ fn emulated_server_hello_ignores_oversized_alpn_when_marker_would_not_fit() {
 }
 #[test]
-fn emulated_server_hello_embeds_full_alpn_marker_when_body_can_fit() {
+fn emulated_server_hello_keeps_alpn_marker_out_of_appdata() {
    let cached = make_cached(None);
    let rng = SecureRandom::new();
@@ -96,6 +97,7 @@ fn emulated_server_hello_embeds_full_alpn_marker_when_body_can_fit() {
        true,
        true,
        ClientHelloTlsVersion::Tls13,
        [0x13, 0x01],
        &rng,
        Some(b"h2".to_vec()),
        0,
@@ -104,8 +106,8 @@ fn emulated_server_hello_embeds_full_alpn_marker_when_body_can_fit() {
    let payload = first_app_data_payload(&response);
    let expected = [0x00u8, 0x10, 0x00, 0x05, 0x00, 0x03, 0x02, b'h', b'2'];
    assert!(
-        payload.starts_with(&expected),
+        !payload.starts_with(&expected),
-        "when body has enough capacity, emulated first application record must include full ALPN marker"
+        "emulated ApplicationData must not expose plaintext ALPN marker bytes"
    );
 }
@@ -126,6 +128,7 @@ fn emulated_server_hello_prefers_cert_payload_over_alpn_marker() {
        true,
        true,
        ClientHelloTlsVersion::Tls12,
        [0x13, 0x01],
        &rng,
        Some(b"h2".to_vec()),
        0,
@@ -8,6 +8,7 @@ use std::time::{Duration, Instant};
 use bytes::BytesMut;
 use rand::RngExt;
 use tokio::sync::mpsc;
 use tokio::sync::mpsc::error::TrySendError;
 use tokio_util::sync::CancellationToken;
 use tracing::{debug, info, warn};
@@ -26,6 +27,7 @@ const ME_ACTIVE_PING_JITTER_SECS: i64 = 5;
 const ME_IDLE_KEEPALIVE_MAX_SECS: u64 = 5;
 const ME_RPC_PROXY_REQ_RESPONSE_WAIT_MS: u64 = 700;
 const ME_PING_TRACKER_CLEANUP_EVERY: u32 = 32;
 const ME_SERVICE_SIGNAL_SEND_TIMEOUT_MS: u64 = 50;
 #[derive(Clone, Copy)]
 enum WriterTeardownMode {
@@ -45,6 +47,11 @@ enum WriterLifecycleExit {
    Cancelled,
 }
 enum ServiceWriterCommandSendError {
    Closed,
    TimedOut,
 }
 async fn writer_command_loop(
    mut rx: mpsc::Receiver<WriterCommand>,
    mut rpc_writer: RpcWriter,
@@ -52,6 +59,8 @@ async fn writer_command_loop(
 ) -> Result<()> {
    loop {
        tokio::select! {
            biased;
            _ = cancel.cancelled() => return Ok(()),
            cmd = rx.recv() => {
                match cmd {
                    Some(WriterCommand::Data(payload)) => {
@@ -69,7 +78,27 @@ async fn writer_command_loop(
                    Some(WriterCommand::Close) | None => return Ok(()),
                }
            }
-            _ = cancel.cancelled() => return Ok(()),
+        }
    }
 }
 async fn send_service_writer_command(
    tx: &mpsc::Sender<WriterCommand>,
    cmd: WriterCommand,
 ) -> std::result::Result<(), ServiceWriterCommandSendError> {
    match tx.try_send(cmd) {
        Ok(()) => Ok(()),
        Err(TrySendError::Closed(_)) => Err(ServiceWriterCommandSendError::Closed),
        Err(TrySendError::Full(cmd)) => {
            let wait = Duration::from_millis(ME_SERVICE_SIGNAL_SEND_TIMEOUT_MS);
            match tokio::time::timeout(wait, tx.reserve()).await {
                Ok(Ok(permit)) => {
                    permit.send(cmd);
                    Ok(())
                }
                Ok(Err(_)) => Err(ServiceWriterCommandSendError::Closed),
                Err(_) => Err(ServiceWriterCommandSendError::TimedOut),
            }
        }
    }
 }
@@ -108,6 +137,7 @@ async fn ping_loop(
        Duration::from_secs(wait)
    };
    tokio::select! {
        biased;
        _ = cancel_ping_token.cancelled() => return,
        _ = tokio::time::sleep(startup_jitter) => {}
    }
@@ -131,6 +161,7 @@ async fn ping_loop(
            Duration::from_secs(secs)
        };
        tokio::select! {
            biased;
            _ = cancel_ping_token.cancelled() => return,
            _ = tokio::time::sleep(wait) => {}
        }
@@ -151,15 +182,25 @@ async fn ping_loop(
        }
        ping_id = ping_id.wrapping_add(1);
        stats_ping.increment_me_keepalive_sent();
-        if tx_ping
+        if let Err(error) =
-            .send(WriterCommand::ControlAndFlush(payload))
+            send_service_writer_command(&tx_ping, WriterCommand::ControlAndFlush(payload)).await
            .await
            .is_err()
        {
            {
                let mut tracker = ping_tracker_ping.lock().await;
                tracker.remove(&sent_id);
            }
            stats_ping.increment_me_keepalive_failed();
            match error {
                ServiceWriterCommandSendError::Closed => {
                    debug!("ME ping failed, removing dead writer");
                    return;
                }
                ServiceWriterCommandSendError::TimedOut => {
                    debug!("ME ping skipped: writer command channel is full");
                    continue;
                }
            }
        }
    }
 }
@@ -191,6 +232,7 @@ async fn rpc_proxy_req_signal_loop(
    };
    tokio::select! {
        biased;
        _ = cancel_signal.cancelled() => return,
        _ = tokio::time::sleep(Duration::from_millis(startup_jitter_ms)) => {}
    }
@@ -207,6 +249,7 @@ async fn rpc_proxy_req_signal_loop(
        };
        tokio::select! {
            biased;
            _ = cancel_signal.cancelled() => return,
            _ = tokio::time::sleep(wait) => {}
        }
@@ -233,14 +276,15 @@ async fn rpc_proxy_req_signal_loop(
            meta.proto_flags,
        );
-        if tx_signal
+        if let Err(error) =
-            .send(WriterCommand::DataAndFlush(payload))
+            send_service_writer_command(&tx_signal, WriterCommand::DataAndFlush(payload)).await
            .await
            .is_err()
        {
            stats_signal.increment_me_rpc_proxy_req_signal_failed_total();
            let _ = pool.registry.unregister(conn_id).await;
-            return;
+            match error {
                ServiceWriterCommandSendError::Closed => return,
                ServiceWriterCommandSendError::TimedOut => continue,
            }
        }
        stats_signal.increment_me_rpc_proxy_req_signal_sent_total();
@@ -258,14 +302,16 @@ async fn rpc_proxy_req_signal_loop(
        let close_payload = build_control_payload(RPC_CLOSE_EXT_U32, conn_id);
-        if tx_signal
+        if let Err(error) =
-            .send(WriterCommand::ControlAndFlush(close_payload))
+            send_service_writer_command(&tx_signal, WriterCommand::ControlAndFlush(close_payload))
                .await
            .is_err()
        {
            stats_signal.increment_me_rpc_proxy_req_signal_failed_total();
            let _ = pool.registry.unregister(conn_id).await;
-            return;
+            match error {
                ServiceWriterCommandSendError::Closed => return,
                ServiceWriterCommandSendError::TimedOut => continue,
            }
        }
        stats_signal.increment_me_rpc_proxy_req_signal_close_sent_total();
@@ -242,6 +242,7 @@ pub(crate) async fn reader_loop(
    let mut raw = enc_leftover;
    let mut expected_seq: i32 = 0;
    let mut data_route_queue_full_streak = HashMap::<u64, u8>::new();
    let mut tmp = [0u8; 65_536];
    let mut fairness = WorkerFairnessState::new(
        WorkerFairnessConfig {
            worker_id: (writer_id as u16).saturating_add(1),
@@ -263,18 +264,18 @@ pub(crate) async fn reader_loop(
        let fairshare_enabled = route_fairshare_enabled.load(Ordering::Relaxed);
        fairness.set_backpressure_enabled(backpressure_enabled);
        let fairness_has_backlog = should_schedule_fairness_retry(&fairness_snapshot);
        let mut tmp = [0u8; 65_536];
        let backlog_retry_enabled = fairness_has_backlog;
        let backlog_retry_delay =
            fairness_retry_delay(reader_route_data_wait_ms.load(Ordering::Relaxed));
        let mut retry_only = false;
        let n = tokio::select! {
            biased;
            _ = cancel.cancelled() => return Ok(()),
            res = rd.read(&mut tmp) => res.map_err(ProxyError::Io)?,
            _ = tokio::time::sleep(backlog_retry_delay), if backlog_retry_enabled => {
                retry_only = true;
                0usize
            },
            _ = cancel.cancelled() => return Ok(()),
        };
        if retry_only {
            let route_wait_ms = reader_route_data_wait_ms.load(Ordering::Relaxed);
@@ -77,26 +77,24 @@ struct HotBindingTable {
 struct BindingState {
    inner: Mutex<BindingInner>,
    writer_idle_since_epoch_secs: DashMap<u64, u64>,
    bound_clients_by_writer: DashMap<u64, usize>,
    active_sessions_by_target_dc: DashMap<i16, usize>,
    last_meta_for_writer: DashMap<u64, ConnMeta>,
 }
 struct BindingInner {
    writers: HashMap<u64, mpsc::Sender<WriterCommand>>,
    writer_for_conn: HashMap<u64, u64>,
    conns_for_writer: HashMap<u64, HashSet<u64>>,
    meta: HashMap<u64, ConnMeta>,
    last_meta_for_writer: HashMap<u64, ConnMeta>,
    writer_idle_since_epoch_secs: HashMap<u64, u64>,
 }
 impl BindingInner {
    fn new() -> Self {
        Self {
            writers: HashMap::new(),
            writer_for_conn: HashMap::new(),
            conns_for_writer: HashMap::new(),
            meta: HashMap::new(),
            last_meta_for_writer: HashMap::new(),
            writer_idle_since_epoch_secs: HashMap::new(),
        }
    }
 }
@@ -149,6 +147,10 @@ impl ConnRegistry {
            },
            binding: BindingState {
                inner: Mutex::new(BindingInner::new()),
                writer_idle_since_epoch_secs: DashMap::new(),
                bound_clients_by_writer: DashMap::new(),
                active_sessions_by_target_dc: DashMap::new(),
                last_meta_for_writer: DashMap::new(),
            },
            next_id: AtomicU64::new(start),
            route_channel_capacity,
@@ -13,13 +13,63 @@ use super::{
 };
 impl ConnRegistry {
    fn set_writer_bound_count(&self, writer_id: u64, count: usize) {
        self.binding
            .bound_clients_by_writer
            .insert(writer_id, count);
        if count == 0 {
            self.binding
                .writer_idle_since_epoch_secs
                .entry(writer_id)
                .or_insert_with(Self::now_epoch_secs);
        } else {
            self.binding.writer_idle_since_epoch_secs.remove(&writer_id);
        }
    }
    fn adjust_active_target_dc(&self, target_dc: i16, delta: isize) {
        if target_dc == 0 || delta == 0 {
            return;
        }
        if delta > 0 {
            self.binding
                .active_sessions_by_target_dc
                .entry(target_dc)
                .and_modify(|count| *count = count.saturating_add(delta as usize))
                .or_insert(delta as usize);
            return;
        }
        let remove = if let Some(mut count) = self
            .binding
            .active_sessions_by_target_dc
            .get_mut(&target_dc)
        {
            let decrement = delta.unsigned_abs();
            *count = count.saturating_sub(decrement);
            *count == 0
        } else {
            false
        };
        if remove {
            self.binding.active_sessions_by_target_dc.remove(&target_dc);
        }
    }
    pub async fn register_writer(&self, writer_id: u64, tx: mpsc::Sender<WriterCommand>) {
        let mut binding = self.binding.inner.lock().await;
        binding.writers.insert(writer_id, tx.clone());
        binding
            .conns_for_writer
            .entry(writer_id)
            .or_insert_with(HashSet::new);
        self.binding
            .bound_clients_by_writer
            .entry(writer_id)
            .or_insert(0);
        self.binding
            .writer_idle_since_epoch_secs
            .entry(writer_id)
            .or_insert_with(Self::now_epoch_secs);
        self.writers.map.insert(writer_id, tx);
    }
@@ -29,19 +79,18 @@ impl ConnRegistry {
        self.routing.byte_budget.remove(&id);
        self.hot_binding.map.remove(&id);
        let mut binding = self.binding.inner.lock().await;
-        binding.meta.remove(&id);
+        let previous_meta = binding.meta.remove(&id);
-        if let Some(writer_id) = binding.writer_for_conn.remove(&id) {
+        if let Some(meta) = previous_meta.as_ref() {
-            let became_empty = if let Some(set) = binding.conns_for_writer.get_mut(&writer_id) {
+            self.adjust_active_target_dc(meta.target_dc, -1);
                set.remove(&id);
                set.is_empty()
            } else {
                false
            };
            if became_empty {
                binding
                    .writer_idle_since_epoch_secs
                    .insert(writer_id, Self::now_epoch_secs());
        }
        if let Some(writer_id) = binding.writer_for_conn.remove(&id) {
            let next_count = if let Some(set) = binding.conns_for_writer.get_mut(&writer_id) {
                set.remove(&id);
                set.len()
            } else {
                0
            };
            self.set_writer_bound_count(writer_id, next_count);
            return Some(writer_id);
        }
        None
@@ -248,7 +297,7 @@ impl ConnRegistry {
        if !self.routing.map.contains_key(&conn_id) {
            return false;
        }
-        if !binding.writers.contains_key(&writer_id) {
+        if !self.writers.map.contains_key(&writer_id) {
            return false;
        }
@@ -256,28 +305,32 @@ impl ConnRegistry {
        if let Some(previous_writer_id) = previous_writer_id
            && previous_writer_id != writer_id
        {
-            let became_empty =
+            let next_count =
                if let Some(set) = binding.conns_for_writer.get_mut(&previous_writer_id) {
                    set.remove(&conn_id);
-                    set.is_empty()
+                    set.len()
                } else {
-                    false
+                    0
                };
-            if became_empty {
+            self.set_writer_bound_count(previous_writer_id, next_count);
                binding
                    .writer_idle_since_epoch_secs
                    .insert(previous_writer_id, Self::now_epoch_secs());
            }
        }
-        binding.meta.insert(conn_id, meta.clone());
+        if let Some(previous_meta) = binding.meta.insert(conn_id, meta.clone()) {
-        binding.last_meta_for_writer.insert(writer_id, meta.clone());
+            self.adjust_active_target_dc(previous_meta.target_dc, -1);
-        binding.writer_idle_since_epoch_secs.remove(&writer_id);
+        }
-        binding
+        self.adjust_active_target_dc(meta.target_dc, 1);
        self.binding
            .last_meta_for_writer
            .insert(writer_id, meta.clone());
        let next_count = {
            let set = binding
                .conns_for_writer
                .entry(writer_id)
-            .or_insert_with(HashSet::new)
+                .or_insert_with(HashSet::new);
-            .insert(conn_id);
+            set.insert(conn_id);
            set.len()
        };
        self.set_writer_bound_count(writer_id, next_count);
        self.hot_binding
            .map
            .insert(conn_id, HotConnBinding { writer_id, meta });
@@ -290,27 +343,38 @@ impl ConnRegistry {
            .conns_for_writer
            .entry(writer_id)
            .or_insert_with(HashSet::new);
-        binding
+        let count = binding
-            .writer_idle_since_epoch_secs
+            .conns_for_writer
-            .entry(writer_id)
+            .get(&writer_id)
-            .or_insert(Self::now_epoch_secs());
+            .map(|set| set.len())
            .unwrap_or(0);
        self.set_writer_bound_count(writer_id, count);
    }
    pub async fn get_last_writer_meta(&self, writer_id: u64) -> Option<ConnMeta> {
-        let binding = self.binding.inner.lock().await;
+        self.binding
-        binding.last_meta_for_writer.get(&writer_id).cloned()
+            .last_meta_for_writer
            .get(&writer_id)
            .map(|entry| entry.value().clone())
    }
    pub async fn writer_idle_since_snapshot(&self) -> HashMap<u64, u64> {
-        let binding = self.binding.inner.lock().await;
+        self.binding
-        binding.writer_idle_since_epoch_secs.clone()
+            .writer_idle_since_epoch_secs
            .iter()
            .map(|entry| (*entry.key(), *entry.value()))
            .collect()
    }
    pub async fn writer_idle_since_for_writer_ids(&self, writer_ids: &[u64]) -> HashMap<u64, u64> {
        let binding = self.binding.inner.lock().await;
        let mut out = HashMap::<u64, u64>::with_capacity(writer_ids.len());
        for writer_id in writer_ids {
-            if let Some(idle_since) = binding.writer_idle_since_epoch_secs.get(writer_id).copied() {
+            if let Some(idle_since) = self
                .binding
                .writer_idle_since_epoch_secs
                .get(writer_id)
                .map(|entry| *entry.value())
            {
                out.insert(*writer_id, idle_since);
            }
        }
@@ -320,25 +384,19 @@ impl ConnRegistry {
    pub(in crate::transport::middle_proxy) async fn writer_activity_snapshot(
        &self,
    ) -> WriterActivitySnapshot {
        let binding = self.binding.inner.lock().await;
        let mut bound_clients_by_writer = HashMap::<u64, usize>::new();
        let mut active_sessions_by_target_dc = HashMap::<i16, usize>::new();
        for (writer_id, conn_ids) in &binding.conns_for_writer {
            bound_clients_by_writer.insert(*writer_id, conn_ids.len());
        }
        for conn_meta in binding.meta.values() {
            if conn_meta.target_dc == 0 {
                continue;
            }
            *active_sessions_by_target_dc
                .entry(conn_meta.target_dc)
                .or_insert(0) += 1;
        }
        WriterActivitySnapshot {
-            bound_clients_by_writer,
+            bound_clients_by_writer: self
-            active_sessions_by_target_dc,
+                .binding
                .bound_clients_by_writer
                .iter()
                .map(|entry| (*entry.key(), *entry.value()))
                .collect(),
            active_sessions_by_target_dc: self
                .binding
                .active_sessions_by_target_dc
                .iter()
                .map(|entry| (*entry.key(), *entry.value()))
                .collect(),
        }
    }
@@ -393,10 +451,10 @@ impl ConnRegistry {
    pub async fn writer_lost(&self, writer_id: u64) -> Vec<BoundConn> {
        let mut binding = self.binding.inner.lock().await;
        binding.writers.remove(&writer_id);
        self.writers.map.remove(&writer_id);
-        binding.last_meta_for_writer.remove(&writer_id);
+        self.binding.last_meta_for_writer.remove(&writer_id);
-        binding.writer_idle_since_epoch_secs.remove(&writer_id);
+        self.binding.writer_idle_since_epoch_secs.remove(&writer_id);
        self.binding.bound_clients_by_writer.remove(&writer_id);
        let conns = binding
            .conns_for_writer
            .remove(&writer_id)
@@ -410,6 +468,10 @@ impl ConnRegistry {
                continue;
            }
            binding.writer_for_conn.remove(&conn_id);
            let meta = binding.meta.remove(&conn_id);
            if let Some(meta) = meta.as_ref() {
                self.adjust_active_target_dc(meta.target_dc, -1);
            }
            let remove_hot = self
                .hot_binding
                .map
@@ -419,11 +481,8 @@ impl ConnRegistry {
            if remove_hot {
                self.hot_binding.map.remove(&conn_id);
            }
-            if let Some(m) = binding.meta.get(&conn_id) {
+            if let Some(m) = meta {
-                out.push(BoundConn {
+                out.push(BoundConn { conn_id, meta: m });
                    conn_id,
                    meta: m.clone(),
                });
            }
        }
        out
@@ -438,11 +497,10 @@ impl ConnRegistry {
    }
    pub async fn is_writer_empty(&self, writer_id: u64) -> bool {
-        let binding = self.binding.inner.lock().await;
+        self.binding
-        binding
+            .bound_clients_by_writer
            .conns_for_writer
            .get(&writer_id)
-            .map(|s| s.is_empty())
+            .map(|count| *count.value() == 0)
            .unwrap_or(true)
    }
@@ -457,21 +515,20 @@ impl ConnRegistry {
            return false;
        }
        binding.writers.remove(&writer_id);
        self.writers.map.remove(&writer_id);
-        binding.last_meta_for_writer.remove(&writer_id);
+        self.binding.last_meta_for_writer.remove(&writer_id);
-        binding.writer_idle_since_epoch_secs.remove(&writer_id);
+        self.binding.writer_idle_since_epoch_secs.remove(&writer_id);
        self.binding.bound_clients_by_writer.remove(&writer_id);
        binding.conns_for_writer.remove(&writer_id);
        true
    }
    #[allow(dead_code)]
    pub(super) async fn non_empty_writer_ids(&self, writer_ids: &[u64]) -> HashSet<u64> {
        let binding = self.binding.inner.lock().await;
        let mut out = HashSet::<u64>::with_capacity(writer_ids.len());
        for writer_id in writer_ids {
-            if let Some(conns) = binding.conns_for_writer.get(writer_id)
+            if let Some(count) = self.binding.bound_clients_by_writer.get(writer_id)
-                && !conns.is_empty()
+                && *count.value() > 0
            {
                out.insert(*writer_id);
            }
@@ -6,6 +6,7 @@ use std::sync::Arc;
 use std::sync::atomic::Ordering;
 use std::time::{Duration, Instant};
 use tokio::sync::mpsc;
 use tokio::sync::mpsc::error::TrySendError;
 use tracing::{debug, warn};
@@ -15,7 +16,6 @@ use super::registry::ConnMeta;
 use super::wire::build_proxy_req_payload;
 use crate::config::{MeRouteNoWriterMode, MeWriterPickMode};
 use crate::error::{ProxyError, Result};
 use crate::network::IpFamily;
 use crate::stream::PooledBuffer;
 use rand::seq::SliceRandom;
@@ -34,6 +34,11 @@ mod close;
 mod recovery;
 mod selection;
 enum WriterCommandReserveError {
    Closed,
    TimedOut,
 }
 fn proxy_tag_array(tag: Option<&[u8]>) -> Option<[u8; 16]> {
    tag.and_then(|tag| <[u8; 16]>::try_from(tag).ok())
 }
@@ -45,6 +50,21 @@ fn proxy_req_payload_from_command(cmd: WriterCommand) -> Option<PooledBuffer> {
    }
 }
 async fn reserve_writer_command_slot(
    tx: &mpsc::Sender<WriterCommand>,
    wait: Option<Duration>,
 ) -> std::result::Result<mpsc::OwnedPermit<WriterCommand>, WriterCommandReserveError> {
    let reserve = tx.clone().reserve_owned();
    match wait {
        Some(wait) => match tokio::time::timeout(wait, reserve).await {
            Ok(Ok(permit)) => Ok(permit),
            Ok(Err(_)) => Err(WriterCommandReserveError::Closed),
            Err(_) => Err(WriterCommandReserveError::TimedOut),
        },
        None => reserve.await.map_err(|_| WriterCommandReserveError::Closed),
    }
 }
 impl MePool {
    /// Send RPC_PROXY_REQ. `tag_override`: per-user ad_tag (from access.user_ad_tags); if None, uses pool default.
    pub async fn send_proxy_req(
@@ -105,10 +125,26 @@ impl MePool {
                        return Ok(());
                    }
                    Err(TrySendError::Full(cmd)) => {
-                        if current.tx.send(cmd).await.is_ok() {
+                        match reserve_writer_command_slot(
                            &current.tx,
                            self.route_runtime.me_route_blocking_send_timeout,
                        )
                        .await
                        {
                            Ok(permit) => {
                                permit.send(cmd);
                                self.note_hybrid_route_success();
                                return Ok(());
                            }
                            Err(WriterCommandReserveError::TimedOut) => {
                                self.stats
                                    .increment_me_writer_pick_full_total(self.writer_pick_mode());
                                return Err(ProxyError::Proxy(
                                    "ME writer channel full within blocking send timeout".into(),
                                ));
                            }
                            Err(WriterCommandReserveError::Closed) => {}
                        }
                        warn!(writer_id = current.writer_id, "ME writer channel closed");
                        self.remove_writer_and_close_clients(current.writer_id)
                            .await;
@@ -124,9 +160,8 @@ impl MePool {
            }
            let mut writers_snapshot = {
-                let ws = self.writers.read().await;
+                let ws = self.writers.snapshot();
                if ws.is_empty() {
                    drop(ws);
                    match no_writer_mode {
                        MeRouteNoWriterMode::AsyncRecoveryFailfast => {
                            let deadline = *no_writer_deadline.get_or_insert_with(|| {
@@ -154,38 +189,28 @@ impl MePool {
                                for _ in
                                    0..self.route_runtime.me_route_inline_recovery_attempts.max(1)
                                {
-                                    for family in self.family_order() {
+                                    let preferred = self.preferred_endpoints_by_dc.load_full();
-                                        let map = match family {
+                                    for (dc, addrs) in preferred.iter() {
-                                            IpFamily::V4 => self.proxy_map_v4.read().await.clone(),
+                                        for addr in addrs {
                                            IpFamily::V6 => self.proxy_map_v6.read().await.clone(),
                                        };
                                        for (dc, addrs) in &map {
                                            for (ip, port) in addrs {
                                                let addr = SocketAddr::new(*ip, *port);
                                            let _ = self
-                                                    .connect_one_for_dc(
+                                                .connect_one_for_dc(*addr, *dc, self.rng.as_ref())
                                                        addr,
                                                        *dc,
                                                        self.rng.as_ref(),
                                                    )
                                                .await;
                                        }
                                    }
-                                    }
+                                    if !self.writers.snapshot().is_empty() {
                                    if !self.writers.read().await.is_empty() {
                                        break;
                                    }
                                }
                            }
-                            if !self.writers.read().await.is_empty() {
+                            if !self.writers.snapshot().is_empty() {
                                continue;
                            }
                            let deadline = *no_writer_deadline.get_or_insert_with(|| {
                                Instant::now() + self.route_runtime.me_route_inline_recovery_wait
                            });
                            if !self.wait_for_writer_until(deadline).await {
-                                if !self.writers.read().await.is_empty() {
+                                if !self.writers.snapshot().is_empty() {
                                    continue;
                                }
                                self.stats.increment_me_no_writer_failfast_total();
@@ -222,7 +247,7 @@ impl MePool {
                        }
                    }
                }
-                ws.clone()
+                ws
            };
            let mut candidate_indices = self
@@ -285,7 +310,12 @@ impl MePool {
                            ));
                        }
                        emergency_attempts += 1;
-                        let mut endpoints = self.endpoint_candidates_for_target_dc(routed_dc).await;
+                        let mut endpoints = self
                            .preferred_endpoints_by_dc
                            .load()
                            .get(&routed_dc)
                            .cloned()
                            .unwrap_or_default();
                        endpoints.shuffle(&mut rand::rng());
                        for addr in endpoints {
                            if self
@@ -298,9 +328,7 @@ impl MePool {
                        }
                        tokio::time::sleep(Duration::from_millis(100 * emergency_attempts as u64))
                            .await;
-                        let ws2 = self.writers.read().await;
+                        writers_snapshot = self.writers.snapshot();
                        writers_snapshot = ws2.clone();
                        drop(ws2);
                        candidate_indices = self
                            .candidate_indices_for_dc(&writers_snapshot, routed_dc, false)
                            .await;
@@ -563,13 +591,27 @@ impl MePool {
                    self.note_hybrid_route_success();
                    return Ok(());
                }
-                Err(TrySendError::Full(cmd)) => match current.tx.send(cmd).await {
+                Err(TrySendError::Full(cmd)) => {
-                    Ok(()) => {
+                    match reserve_writer_command_slot(
                        &current.tx,
                        self.route_runtime.me_route_blocking_send_timeout,
                    )
                    .await
                    {
                        Ok(permit) => {
                            permit.send(cmd);
                            self.note_hybrid_route_success();
                            return Ok(());
                        }
-                    Err(send_err) => {
+                        Err(WriterCommandReserveError::TimedOut) => {
-                        let Some(payload) = proxy_req_payload_from_command(send_err.0) else {
+                            self.stats
                                .increment_me_writer_pick_full_total(self.writer_pick_mode());
                            return Err(ProxyError::Proxy(
                                "ME writer channel full within blocking send timeout".into(),
                            ));
                        }
                        Err(WriterCommandReserveError::Closed) => {
                            let Some(payload) = proxy_req_payload_from_command(cmd) else {
                                return Err(ProxyError::Proxy(
                                    "ME writer rejected unexpected command type".into(),
                                ));
@@ -589,7 +631,8 @@ impl MePool {
                                )
                                .await;
                        }
-                },
+                    }
                }
                Err(TrySendError::Closed(cmd)) => {
                    let Some(payload) = proxy_req_payload_from_command(cmd) else {
                        return Err(ProxyError::Proxy(
@@ -10,19 +10,44 @@ use crate::protocol::constants::{RPC_CLOSE_CONN_U32, RPC_CLOSE_EXT_U32};
 use super::super::MePool;
 use super::super::codec::{WriterCommand, build_control_payload};
 use super::{WriterCommandReserveError, reserve_writer_command_slot};
 const ME_CLOSE_SIGNAL_SEND_TIMEOUT: Duration = Duration::from_millis(50);
 impl MePool {
    /// Sends an extended close signal for a client-bound ME connection.
    pub async fn send_close(self: &Arc<Self>, conn_id: u64) -> Result<()> {
        if let Some(w) = self.registry.get_writer(conn_id).await {
            let payload = build_control_payload(RPC_CLOSE_EXT_U32, conn_id);
-            if w.tx
+            match w.tx.try_send(WriterCommand::ControlAndFlush(payload)) {
-                .send(WriterCommand::ControlAndFlush(payload))
+                Ok(()) => {}
                Err(TrySendError::Full(cmd)) => {
                    match reserve_writer_command_slot(&w.tx, Some(ME_CLOSE_SIGNAL_SEND_TIMEOUT))
                        .await
                .is_err()
                    {
-                debug!("ME close write failed");
+                        Ok(permit) => {
                            permit.send(cmd);
                        }
                        Err(WriterCommandReserveError::TimedOut) => {
                            debug!(conn_id, "ME close skipped: writer command channel is full");
                        }
                        Err(WriterCommandReserveError::Closed) => {
                            debug!(
                                conn_id,
                                "ME close skipped: writer command channel is closed"
                            );
                            self.remove_writer_and_close_clients(w.writer_id).await;
                        }
                    }
                }
                Err(TrySendError::Closed(_)) => {
                    debug!(
                        conn_id,
                        "ME close skipped: writer command channel is closed"
                    );
                    self.remove_writer_and_close_clients(w.writer_id).await;
                }
            }
        } else {
            debug!(conn_id, "ME close skipped (writer missing)");
        }
@@ -31,13 +56,16 @@ impl MePool {
        Ok(())
    }
    /// Sends the compact close signal used by ME-side forced connection teardown.
    pub async fn send_close_conn(self: &Arc<Self>, conn_id: u64) -> Result<()> {
        if let Some(w) = self.registry.get_writer(conn_id).await {
            let payload = build_control_payload(RPC_CLOSE_CONN_U32, conn_id);
            match w.tx.try_send(WriterCommand::ControlAndFlush(payload)) {
                Ok(()) => {}
                Err(TrySendError::Full(cmd)) => {
-                    let _ = tokio::time::timeout(Duration::from_millis(50), w.tx.send(cmd)).await;
+                    let _ = reserve_writer_command_slot(&w.tx, Some(ME_CLOSE_SIGNAL_SEND_TIMEOUT))
                        .await
                        .map(|permit| permit.send(cmd));
                }
                Err(TrySendError::Closed(_)) => {
                    debug!(conn_id, "ME close_conn skipped: writer channel closed");
@@ -51,6 +79,7 @@ impl MePool {
        Ok(())
    }
    /// Sends close signals for all currently registered ME-bound connections during shutdown.
    pub async fn shutdown_send_close_conn_all(self: &Arc<Self>) -> usize {
        let conn_ids = self.registry.active_conn_ids().await;
        let total = conn_ids.len();
@@ -60,6 +89,7 @@ impl MePool {
        total
    }
    /// Returns the current number of active ME writers tracked by the pool.
    pub fn connection_count(&self) -> usize {
        self.conn_count.load(Ordering::Relaxed)
    }
@@ -1,13 +1,9 @@
 use std::collections::HashSet;
 use std::net::SocketAddr;
 use std::sync::Arc;
 use std::sync::atomic::Ordering;
 use std::time::{Duration, Instant};
 use tracing::warn;
 use crate::network::IpFamily;
 use super::super::MePool;
 use super::{
    HYBRID_GLOBAL_BURST_PERIOD_ROUNDS, HYBRID_RECENT_SUCCESS_WINDOW_MS,
@@ -17,18 +13,18 @@ use super::{
 impl MePool {
    pub(super) async fn wait_for_writer_until(&self, deadline: Instant) -> bool {
        let mut rx = self.writer_epoch.subscribe();
-        if !self.writers.read().await.is_empty() {
+        if !self.writers.snapshot().is_empty() {
            return true;
        }
        let now = Instant::now();
        if now >= deadline {
-            return !self.writers.read().await.is_empty();
+            return !self.writers.snapshot().is_empty();
        }
        let timeout = deadline.saturating_duration_since(now);
        if tokio::time::timeout(timeout, rx.changed()).await.is_ok() {
-            return !self.writers.read().await.is_empty();
+            return !self.writers.snapshot().is_empty();
        }
-        !self.writers.read().await.is_empty()
+        !self.writers.snapshot().is_empty()
    }
    pub(super) async fn wait_for_candidate_until(&self, routed_dc: i32, deadline: Instant) -> bool {
@@ -58,11 +54,11 @@ impl MePool {
    pub(super) async fn has_candidate_for_target_dc(&self, routed_dc: i32) -> bool {
        let writers_snapshot = {
-            let ws = self.writers.read().await;
+            let ws = self.writers.snapshot();
            if ws.is_empty() {
                return false;
            }
-            ws.clone()
+            ws
        };
        let mut candidate_indices = self
            .candidate_indices_for_dc(&writers_snapshot, routed_dc, false)
@@ -79,7 +75,7 @@ impl MePool {
        self: &Arc<Self>,
        routed_dc: i32,
    ) -> bool {
-        let endpoints = self.endpoint_candidates_for_target_dc(routed_dc).await;
+        let endpoints = self.preferred_endpoints_for_dc(routed_dc).await;
        if endpoints.is_empty() {
            return false;
        }
@@ -92,32 +88,18 @@ impl MePool {
    pub(super) async fn trigger_async_recovery_global(self: &Arc<Self>) {
        self.stats.increment_me_async_recovery_trigger_total();
-        let mut seen = HashSet::<(i32, SocketAddr)>::new();
+        let preferred = self.preferred_endpoints_by_dc.load();
-        for family in self.family_order() {
+        let mut triggered = 0usize;
-            let map_guard = match family {
+        for (dc, addrs) in preferred.iter() {
-                IpFamily::V4 => self.proxy_map_v4.read().await,
+            for addr in addrs {
-                IpFamily::V6 => self.proxy_map_v6.read().await,
+                self.trigger_immediate_refill_for_dc(*addr, *dc);
-            };
+                triggered = triggered.saturating_add(1);
-            for (dc, addrs) in map_guard.iter() {
+                if triggered >= 8 {
                for (ip, port) in addrs {
                    let addr = SocketAddr::new(*ip, *port);
                    if seen.insert((*dc, addr)) {
                        self.trigger_immediate_refill_for_dc(addr, *dc);
                    }
                    if seen.len() >= 8 {
                    return;
                }
            }
        }
    }
    }
    pub(super) async fn endpoint_candidates_for_target_dc(
        &self,
        routed_dc: i32,
    ) -> Vec<SocketAddr> {
        self.preferred_endpoints_for_dc(routed_dc).await
    }
    pub(super) async fn maybe_trigger_hybrid_recovery(
        self: &Arc<Self>,
@@ -15,7 +15,10 @@ impl MePool {
        routed_dc: i32,
        include_warm: bool,
    ) -> Vec<usize> {
-        let preferred = self.preferred_endpoints_for_dc(routed_dc).await;
+        let preferred_snapshot = self.preferred_endpoints_by_dc.load();
        let Some(preferred) = preferred_snapshot.get(&routed_dc) else {
            return Vec::new();
        };
        if preferred.is_empty() {
            return Vec::new();
        }
@@ -25,7 +28,7 @@ impl MePool {
            if !self.writer_eligible_for_selection(w, include_warm) {
                continue;
            }
-            if w.writer_dc == routed_dc && preferred.contains(&w.addr) {
+            if w.writer_dc == routed_dc && preferred.binary_search(&w.addr).is_ok() {
                out.push(idx);
            }
        }
@@ -9,7 +9,7 @@ use std::io::Result;
 use std::net::{IpAddr, SocketAddr};
 use std::time::Duration;
 use tokio::net::TcpStream;
-use tracing::debug;
+use tracing::{debug, warn};
 const DEFAULT_SOCKET_BUFFER_BYTES: usize = 256 * 1024;
@@ -283,6 +283,8 @@ pub struct ListenOptions {
    pub backlog: u32,
    /// IPv6 only (disable dual-stack)
    pub ipv6_only: bool,
    /// Client-facing TCP MSS to announce on accepted TCP sessions.
    pub client_mss: Option<u16>,
 }
 impl Default for ListenOptions {
@@ -292,6 +294,7 @@ impl Default for ListenOptions {
            reuse_port: true,
            backlog: 1024,
            ipv6_only: false,
            client_mss: None,
        }
    }
 }
@@ -319,6 +322,19 @@ pub fn create_listener(addr: SocketAddr, options: &ListenOptions) -> Result<Sock
        socket.set_only_v6(true)?;
    }
    if let Some(client_mss) = options.client_mss {
        if let Err(error) = socket.set_tcp_mss(u32::from(client_mss)) {
            warn!(
                addr = %addr,
                client_mss,
                error = %error,
                "Failed to apply listener client MSS; continuing with kernel default"
            );
        } else {
            debug!(addr = %addr, client_mss, "Applied listener client MSS");
        }
    }
    socket.set_nonblocking(true)?;
    socket.bind(&addr.into())?;
    socket.listen(options.backlog as i32)?;
@@ -637,5 +653,28 @@ mod tests {
        assert!(opts.reuse_addr);
        assert!(opts.reuse_port);
        assert_eq!(opts.backlog, 1024);
        assert_eq!(opts.client_mss, None);
    }
    #[cfg(target_os = "linux")]
    #[test]
    fn test_create_listener_applies_client_mss() {
        let addr: SocketAddr = "127.0.0.1:0".parse().unwrap();
        let options = ListenOptions {
            reuse_port: false,
            client_mss: Some(256),
            ..Default::default()
        };
        let socket = match create_listener(addr, &options) {
            Ok(socket) => socket,
            Err(e) if e.kind() == ErrorKind::PermissionDenied => return,
            Err(e) => panic!("create_listener failed: {e}"),
        };
        let mss = match socket.tcp_mss() {
            Ok(mss) => mss,
            Err(e) if e.kind() == ErrorKind::PermissionDenied => return,
            Err(e) => panic!("tcp_mss failed: {e}"),
        };
        assert_eq!(mss, 256);
    }
 }
@@ -169,6 +169,7 @@ pub struct StartupPingResult {
    pub v6_results: Vec<DcPingResult>,
    pub v4_results: Vec<DcPingResult>,
    pub upstream_name: String,
    pub prefer_ipv6: bool,
    /// True if both IPv6 and IPv4 have at least one working DC
    pub both_available: bool,
 }
@@ -313,8 +314,8 @@ pub struct UpstreamEgressInfo {
 #[derive(Debug, Clone)]
 struct HealthCheckGroup {
    dc_idx: i16,
-    primary: Vec<SocketAddr>,
+    v4_endpoints: Vec<SocketAddr>,
-    fallback: Vec<SocketAddr>,
+    v6_endpoints: Vec<SocketAddr>,
 }
 // ============= Upstream Manager =============
@@ -532,6 +533,31 @@ impl UpstreamManager {
        dc_preference: IpPreference,
    ) -> Result<SocketAddr> {
        let (allow_ipv4, allow_ipv6) = Self::resolve_runtime_dc_families(upstream, dc_preference);
        let preferred_ipv6 = match dc_preference {
            IpPreference::PreferV6 => Some(true),
            IpPreference::PreferV4 => Some(false),
            IpPreference::BothWork | IpPreference::Unknown | IpPreference::Unavailable => {
                upstream.prefer.map(|prefer| prefer == 6)
            }
        };
        if let Some(preferred_ipv6) = preferred_ipv6
            && target.is_ipv6() != preferred_ipv6
        {
            let preferred_allowed = if preferred_ipv6 {
                allow_ipv6
            } else {
                allow_ipv4
            };
            if preferred_allowed {
                if let Some(dc_idx) = dc_idx
                    && let Some(remapped) =
                        Self::dc_table_addr(dc_idx, preferred_ipv6, target.port())
                {
                    return Ok(remapped);
                }
            }
        }
        if (target.is_ipv4() && allow_ipv4) || (target.is_ipv6() && allow_ipv6) {
            return Ok(target);
        }
@@ -1327,7 +1353,7 @@ impl UpstreamManager {
    /// Tests BOTH IPv6 and IPv4, returns separate results for each.
    pub async fn ping_all_dcs(
        &self,
-        _prefer_ipv6: bool,
+        prefer_ipv6: bool,
        dc_overrides: &HashMap<String, Vec<String>>,
        ipv4_enabled: bool,
        ipv6_enabled: bool,
@@ -1355,6 +1381,7 @@ impl UpstreamManager {
            let (upstream_ipv4_enabled, upstream_ipv6_enabled) =
                Self::resolve_probe_dc_families(upstream_config, ipv4_enabled, ipv6_enabled);
            let upstream_prefer_ipv6 = upstream_config.prefer_ipv6(prefer_ipv6);
            let upstream_name = match &upstream_config.upstream_type {
                UpstreamType::Direct {
                    interface,
@@ -1600,6 +1627,7 @@ impl UpstreamManager {
                v6_results,
                v4_results,
                upstream_name,
                prefer_ipv6: upstream_prefer_ipv6,
                both_available,
            });
        }
@@ -1636,7 +1664,6 @@ impl UpstreamManager {
    }
    fn build_health_check_groups(
        prefer_ipv6: bool,
        ipv4_enabled: bool,
        ipv6_enabled: bool,
        dc_overrides: &HashMap<String, Vec<String>>,
@@ -1713,26 +1740,32 @@ impl UpstreamManager {
        for dc_idx in all_dcs {
            let v4_endpoints = v4_by_dc.remove(&dc_idx).unwrap_or_default();
            let v6_endpoints = v6_by_dc.remove(&dc_idx).unwrap_or_default();
            let (primary, fallback) = if prefer_ipv6 {
                (v6_endpoints, v4_endpoints)
            } else {
                (v4_endpoints, v6_endpoints)
            };
-            if primary.is_empty() && fallback.is_empty() {
+            if v4_endpoints.is_empty() && v6_endpoints.is_empty() {
                continue;
            }
            groups.push(HealthCheckGroup {
                dc_idx,
-                primary,
+                v4_endpoints,
-                fallback,
+                v6_endpoints,
            });
        }
        groups
    }
    fn health_check_endpoint_order(
        group: &HealthCheckGroup,
        prefer_ipv6: bool,
    ) -> [(bool, &[SocketAddr]); 2] {
        if prefer_ipv6 {
            [(true, &group.v6_endpoints), (false, &group.v4_endpoints)]
        } else {
            [(true, &group.v4_endpoints), (false, &group.v6_endpoints)]
        }
    }
    // ============= Health Checks =============
    /// Background health check based on reachable DC groups through each upstream.
@@ -1744,8 +1777,24 @@ impl UpstreamManager {
        ipv6_enabled: bool,
        dc_overrides: HashMap<String, Vec<String>>,
    ) {
-        let groups =
+        let (health_ipv4_enabled, health_ipv6_enabled) = {
-            Self::build_health_check_groups(prefer_ipv6, ipv4_enabled, ipv6_enabled, &dc_overrides);
+            let guard = self.upstreams.read().await;
            (
                ipv4_enabled
                    || guard
                        .iter()
                        .any(|upstream| upstream.config.ipv4 == Some(true)),
                ipv6_enabled
                    || guard
                        .iter()
                        .any(|upstream| upstream.config.ipv6 == Some(true)),
            )
        };
        let groups = Self::build_health_check_groups(
            health_ipv4_enabled,
            health_ipv6_enabled,
            &dc_overrides,
        );
        let required_healthy_groups = Self::required_healthy_group_count(groups.len());
        let mut endpoint_rotation: HashMap<(usize, i16, bool), usize> = HashMap::new();
@@ -1786,6 +1835,7 @@ impl UpstreamManager {
                };
                let (upstream_ipv4_enabled, upstream_ipv6_enabled) =
                    Self::resolve_probe_dc_families(&config, ipv4_enabled, ipv6_enabled);
                let upstream_prefer_ipv6 = config.prefer_ipv6(prefer_ipv6);
                let mut healthy_groups = 0usize;
                let mut latency_updates: Vec<(usize, f64)> = Vec::new();
@@ -1795,7 +1845,7 @@ impl UpstreamManager {
                    let mut group_rtt_ms = None;
                    for (is_primary, endpoints) in
-                        [(true, &group.primary), (false, &group.fallback)]
+                        Self::health_check_endpoint_order(group, upstream_prefer_ipv6)
                    {
                        if endpoints.is_empty() {
                            continue;
@@ -1990,26 +2040,30 @@ mod tests {
            ],
        );
-        let groups = UpstreamManager::build_health_check_groups(true, true, true, &overrides);
+        let groups = UpstreamManager::build_health_check_groups(true, true, &overrides);
        let dc2 = groups
            .iter()
            .find(|g| g.dc_idx == 2)
            .expect("dc2 must be present");
-        assert!(dc2.primary.iter().all(|addr| addr.is_ipv6()));
+        assert!(dc2.v6_endpoints.iter().all(|addr| addr.is_ipv6()));
-        assert!(dc2.fallback.iter().all(|addr| addr.is_ipv4()));
+        assert!(dc2.v4_endpoints.iter().all(|addr| addr.is_ipv4()));
        assert!(
-            dc2.primary
+            dc2.v6_endpoints
                .contains(&"[2001:db8::10]:443".parse::<SocketAddr>().unwrap())
        );
        assert!(
-            dc2.fallback
+            dc2.v4_endpoints
                .contains(&"203.0.113.10:443".parse::<SocketAddr>().unwrap())
        );
        assert!(
-            dc2.fallback
+            dc2.v4_endpoints
                .contains(&"203.0.113.11:443".parse::<SocketAddr>().unwrap())
        );
        let ordered = UpstreamManager::health_check_endpoint_order(dc2, true);
        assert!(ordered[0].1.iter().all(|addr| addr.is_ipv6()));
        assert!(ordered[1].1.iter().all(|addr| addr.is_ipv4()));
    }
    #[test]
@@ -2024,22 +2078,22 @@ mod tests {
            ],
        );
-        let groups = UpstreamManager::build_health_check_groups(false, true, false, &overrides);
+        let groups = UpstreamManager::build_health_check_groups(true, false, &overrides);
        let dc9 = groups
            .iter()
            .find(|g| g.dc_idx == 9)
            .expect("override-only dc group must be present");
-        assert_eq!(dc9.primary.len(), 2);
+        assert_eq!(dc9.v4_endpoints.len(), 2);
        assert!(
-            dc9.primary
+            dc9.v4_endpoints
                .contains(&"198.51.100.1:443".parse::<SocketAddr>().unwrap())
        );
        assert!(
-            dc9.primary
+            dc9.v4_endpoints
                .contains(&"198.51.100.2:443".parse::<SocketAddr>().unwrap())
        );
-        assert!(dc9.fallback.is_empty());
+        assert!(dc9.v6_endpoints.is_empty());
    }
    #[test]
@@ -2072,6 +2126,7 @@ mod tests {
            selected_scope: String::new(),
            ipv4: None,
            ipv6: None,
            prefer: None,
        };
        assert!(UpstreamManager::is_unscoped_upstream(&upstream));
@@ -2127,6 +2182,7 @@ mod tests {
                selected_scope: String::new(),
                ipv4: None,
                ipv6: None,
                prefer: None,
            }],
            1,
            100,
Author	SHA1	Message	Date
Alexey	504cafb129	Merge pull request #824 from telemt/flow MSS Tuning	2026-06-06 12:25:33 +03:00
Alexey	1096e38854	Docs for MSS Tuning Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-06-06 12:24:27 +03:00
Alexey	9bbdf796d8	Rustfmt	2026-06-06 12:17:19 +03:00
Alexey	27a5f5a4ec	MSS Tuning with config Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-06-06 12:11:05 +03:00
Alexey	a8adc9fe54	API hardening + Dual-stack fixes + JA3/JA4 observability + Test Stabilization: merge pull request #822 from telemt/flow API hardening + Dual-stack fixes + JA3/JA4 observability + Test Stabilization	2026-06-05 14:36:00 +03:00
Alexey	44be585ee3	Update Cargo.toml	2026-06-05 14:24:27 +03:00
Alexey	cb89d3f4fe	Merge branch 'flow' of https://github.com/telemt/telemt into flow	2026-06-05 14:21:34 +03:00
Alexey	c4e522a16d	Bump -> 3.4.14 Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-06-05 14:21:29 +03:00
Alexey	8e5f73a86b	Merge branch 'main' into flow	2026-06-05 13:01:05 +03:00
Alexey	7d543aeb67	Fixes for Adversarial Timing Profile Latency-flake by #761 Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-06-05 12:59:50 +03:00
Alexey	89a885c25f	Reset Interface Cache in Masking timing test Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-06-05 12:51:54 +03:00
Alexey	54e40fd073	Fixes for Load mask shape security test Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-06-05 12:43:30 +03:00
Alexey	1934c1279c	Update README.md	2026-06-05 06:54:53 +03:00
Alexey	0bc99b9f74	Merge pull request #820 from groozchique/main [docs] README updates	2026-06-04 18:45:01 +03:00
Alexey	1d8e8890a4	Update README.md	2026-06-04 18:43:04 +03:00
Alexey	d1680a7a80	Update README.md	2026-06-04 18:42:27 +03:00
Alexey	b027608282	JA3 + JA4 Docs Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-06-03 15:32:32 +03:00
Nick Parfyonov	2f2c9b336c	[docs] make dashes great again	2026-06-03 15:11:52 +03:00
Nick Parfyonov	b9ebfdcd7b	[docs] update RU README to match EN README	2026-06-03 15:10:17 +03:00
Alexey	34b48325fd	JA3+JA4 Pitfall in API + Beobachten Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-06-02 08:17:56 +03:00
Alexey	5c573a926b	Update Docs after Dualstack + Disable User adding Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-06-01 20:03:56 +03:00
Alexey	462215b53c	Dual-stack fixes for Upstreams by #798 Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-06-01 19:50:26 +03:00
Alexey	2264980926	User Disabler in API by #814 + Consistent Listeners in API by #800	2026-05-31 11:17:18 +03:00
Alexey	3d0d575b94	Normalize rlimit type on 32-bit targets in Conntrack Control #815	2026-05-30 18:13:54 +03:00
Alexey	b720906fbc	Merge pull request #813 from telemt/flow Flow	2026-05-29 16:50:37 +03:00
Alexey	ac244962ed	Merge branch 'main' into flow	2026-05-29 16:07:29 +03:00
Aleksei K	752a2f5012	Bump -> 3.4.13	2026-05-29 14:05:19 +03:00
Aleksei K	a77aedfd7a	Atomically claim pressure eviction budget in MR	2026-05-29 13:17:47 +03:00
Alexey	8575d0ee5d	Merge pull request #809 from Dimasssss/install.sh Add interactive prompt for server port during installation	2026-05-29 10:38:00 +03:00
Alexey	213aba5dc9	Update README.md	2026-05-29 08:54:03 +03:00
Aleksei K	a79aaee166	Merge branch 'flow' of https://github.com/telemt/telemt into flow	2026-05-28 16:11:27 +03:00
Aleksei K	2a0fcd6e35	Align ServerHello cipher and opaque ALPN behavior in TLS-F	2026-05-28 16:11:25 +03:00
Dimasssss	54a53e9ff0	Update install.sh	2026-05-28 12:26:46 +03:00
Alexey	63bcd7b3d0	Merge pull request #780 from temandroid/main fix(docker): mount config as directory to allow atomic API writes	2026-05-27 08:33:43 +03:00
Alexey	b68b10790c	Merge pull request #799 from groozchique/main [docs] more CONFIG_PARAMS.md fixes	2026-05-27 08:30:33 +03:00
Alexey	383d4318fe	Add logging configuration to docker-compose: merge pull request #804 from Iv/main Add logging configuration to docker-compose	2026-05-27 08:30:00 +03:00
Kravchenko Ivan	d293861351	Add logging configuration to docker-compose There was a disk full problem.	2026-05-26 20:43:26 +03:00
Alexey	31da0a1356	Fixes for Disable Colors	2026-05-26 12:20:28 +03:00
Nick Parfyonov	34bc1d943a	[docs] add Hot-Reload column back to [general] Re-adding Hot-Reload column to the [general] which was removed by mistake in my previous changes	2026-05-25 10:19:01 +03:00
Nick Parfyonov	50dee40dd2	[docs] remove duplicated parameters in [censorship]	2026-05-25 10:16:11 +03:00
Alexey	d4adf0ef9a	ME: Bound writer queue waits under backpressure	2026-05-25 00:28:29 +03:00
Alexey	dc8951eae8	Reduce MR + ME Routing hot-path contention	2026-05-22 20:19:09 +03:00
Alexey	77a7f89075	Reuse ME reader scratch buffer across read loop iterations	2026-05-22 19:56:38 +03:00
Alexey	31b9504464	Merge pull request #797 from groozchique/main Remove duplicated config params in [general] + some clarifications in FAQ + fix grammar mistake in RU FAQ	2026-05-22 19:23:40 +03:00
Nick Parfyonov	54cb4d0f29	[docs] some clarification in client-to-DC section in FAQ Made some clarification about MTProxy requiremnt to reach all DCs to work properly for every client	2026-05-22 18:20:37 +03:00
Nick Parfyonov	d449fc080c	[docs] fix grammar mistake in FAQ.ru.md	2026-05-22 18:15:49 +03:00
Nick Parfyonov	3b8d16bee5	[docs] remove duplicated parameters in CONFIG_PARAMS.md	2026-05-22 18:14:10 +03:00
Alexey	9abaf9006c	Prioritize Cancellation in MP select paths	2026-05-22 16:47:54 +03:00
TEMAndroid	855c5eef8b	Merge branch 'main' into main	2026-05-18 10:41:24 +03:00
TEMAndroid	b175927324	fix(docker): mount config as directory to allow atomic API writes	2026-05-11 20:50:31 +00:00