.github/instructions/Architecture.instructions.md

@@ -1,126 +0,0 @@
-# Architecture Directives
-
-> Companion to `Agents.md`. These are **activation directives**, not tutorials.
-> You already know these patterns — apply them. When making any structural or
-> design decision, run the relevant section below as a checklist.
-
----
-
-## 1. Active Principles (always on)
-
-Apply these on every non-trivial change. No exceptions.
-
-- **SRP** — one reason to change per component. If you can't name the responsibility in one noun phrase, split it.
-- **OCP** — extend by adding, not by modifying. New variants/impls over patching existing logic.
-- **ISP** — traits stay minimal. More than ~5 methods is a split signal.
-- **DIP** — high-level modules depend on traits, not concrete types. Infrastructure implements domain traits; it does not own domain logic.
-- **DRY** — one authoritative source per piece of knowledge. Copies are bugs that haven't diverged yet.
-- **YAGNI** — generic parameters, extension hooks, and pluggable strategies require an *existing* concrete use case, not a hypothetical one.
-- **KISS** — two equivalent designs: choose the one with fewer concepts. Justify complexity; never assume it.
-
----
-
-## 2. Layered Architecture
-
-Dependencies point **inward only**: `Presentation → Application → Domain ← Infrastructure`.
-
-- Domain layer: zero I/O. No network, no filesystem, no async runtime imports.
-- Infrastructure: implements domain traits at the boundary. Never leaks SDK/wire types inward.
-- Anti-Corruption Layer (ACL): all third-party and external-protocol types are translated here. If the external format changes, only the ACL changes.
-- Presentation: translates wire/HTTP representations to domain types and back. Nothing else.
-
----
-
-## 3. Design Pattern Selection
-
-Apply the right pattern. Do not invent a new abstraction when a named pattern fits.
-
-| Situation | Pattern to apply |
-|---|---|
-| Struct with 3+ optional/dependent fields | **Builder** — `build()` returns `Result`, never panics |
-| Cross-cutting behavior (logging, retry, metrics) on a trait impl | **Decorator** — implements same trait, delegates all calls |
-| Subsystem with multiple internal components | **Façade** — single public entry point, internals are `pub(crate)` |
-| Swappable algorithm or policy | **Strategy** — trait injection; generics for compile-time, `dyn` for runtime |
-| Component notifying decoupled consumers | **Observer** — typed channels (`broadcast`, `watch`), not callback `Vec<Box<dyn Fn>>` |
-| Exclusive mutable state serving concurrent callers | **Actor** — `mpsc` command channel + `oneshot` reply; no lock needed on state |
-| Finite state with invalid transition prevention | **Typestate** — distinct types per state; invalid ops are compile errors |
-| Fixed process skeleton with overridable steps | **Template Method** — defaulted trait method calls required hooks |
-| Request pipeline with independent handlers | **Chain/Middleware** — generic compile-time chain for hot paths, `dyn` for runtime assembly |
-| Hiding a concrete type behind a trait | **Factory Function** — returns `Box<dyn Trait>` or `impl Trait` |
-
----
-
-## 4. Data Modeling Rules
-
-- **Make illegal states unrepresentable.** Type system enforces invariants; runtime validation is a second line, not the first.
-- **Newtype every primitive** that carries domain meaning. `SessionId(u64)` ≠ `UserId(u64)` — the compiler enforces it.
-- **Enums over booleans** for any parameter or field with two or more named states.
-- **Typed error enums** with named variants carrying full diagnostic context. `anyhow` is application-layer only; never in library code.
-- **Domain types carry no I/O concerns.** No `serde`, no codec, no DB derives on domain structs. Conversions via `From`/`TryFrom` at layer boundaries.
-
----
-
-## 5. Concurrency Rules
-
-- Prefer message-passing over shared memory. Shared state is a fallback.
-- All channels must be **bounded**. Document the bound's rationale inline.
-- Never hold a lock across an `await` unless atomicity explicitly requires it — document why.
-- Document lock acquisition order wherever two locks are taken together.
-- Every `async fn` is cancellation-safe unless explicitly documented otherwise. Mutate shared state *after* the `await` that may be cancelled, not before.
-- High-read/low-write state: use `arc-swap` or `watch` for lock-free reads.
-
----
-
-## 6. Error Handling Rules
-
-- Errors translated at every layer boundary — low-level errors never surface unmodified.
-- Add context at the propagation site: what operation failed and where.
-- No `unwrap()`/`expect()` in production paths without a comment proving `None`/`Err` is impossible.
-- Panics are only permitted in: tests, startup/init unrecoverable failure, and `unreachable!()` with an invariant comment.
-
----
-
-## 7. API Design Rules
-
-- **CQS**: functions that return data must not mutate; functions that mutate return only `Result`.
-- **Least surprise**: a function does exactly what its name implies. Side effects are documented.
-- **Idempotency**: `close()`, `shutdown()`, `unregister()` called twice must not panic or error.
-- **Fallibility at the type level**: failure → `Result<T, E>`. No sentinel values.
-- **Minimal public surface**: default to `pub(crate)`. Mark `pub` only deliberate API. Re-export through a single surface in `mod.rs`.
-
----
-
-## 8. Performance Rules (hot paths)
-
-- Annotate hot-path functions with `// HOT PATH: <throughput requirement>`.
-- Zero allocations per operation in hot paths after initialization. Preallocate in constructors, reuse buffers.
-- Pass `&[u8]` / `Bytes` slices — not `Vec<u8>`. Use `BytesMut` for reusable mutable buffers.
-- No `String` formatting in hot paths. No logging without a rate-limit or sampling gate.
-- Any allocation in a hot path gets a comment: `// ALLOC: <reason and size>`.
-
----
-
-## 9. Testing Rules
-
-- Bug fixes require a regression test that is **red before the fix, green after**. Name it after the bug.
-- Property tests for: codec round-trips, state machine invariants, cryptographic protocol correctness.
-- No shared mutable state between tests. Each test constructs its own environment.
-- Test doubles hierarchy (simplest first): Fake → Stub → Spy → Mock. Mocks couple to implementation, not behavior — use sparingly.
-
----
-
-## 10. Pre-Change Checklist
-
-Run this before proposing or implementing any structural decision:
-
-- [ ] Responsibility nameable in one noun phrase?
-- [ ] Layer dependencies point inward only?
-- [ ] Invalid states unrepresentable in the type system?
-- [ ] State transitions gated through a single interface?
-- [ ] All channels bounded?
-- [ ] No locks held across `await` (or documented)?
-- [ ] Errors typed and translated at layer boundaries?
-- [ ] No panics in production paths without invariant proof?
-- [ ] Hot paths annotated and allocation-free?
-- [ ] Public surface minimal — only deliberate API marked `pub`?
-- [ ] Correct pattern chosen from Section 3 table?

.github/workflows/build.yml

@@ -37,9 +37,3 @@ jobs:
 
       - name: Build Release
         run: cargo build --release --verbose
-
-      - name: Upload binary artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: telemt
-          path: target/release/telemt

.github/workflows/release.yml

@@ -151,14 +151,6 @@ jobs:
           mkdir -p dist
           cp "target/${{ matrix.target }}/release/${{ env.BINARY_NAME }}" dist/telemt
 
-          if [ "${{ matrix.target }}" = "aarch64-unknown-linux-gnu" ]; then
-            STRIP_BIN=aarch64-linux-gnu-strip
-          else
-            STRIP_BIN=strip
-          fi
-
-          "${STRIP_BIN}" dist/telemt
-
           cd dist
           tar -czf "${{ matrix.asset }}.tar.gz" \
             --owner=0 --group=0 --numeric-owner \
@@ -287,14 +279,6 @@ jobs:
           mkdir -p dist
           cp "target/${{ matrix.target }}/release/${{ env.BINARY_NAME }}" dist/telemt
 
-          if [ "${{ matrix.target }}" = "aarch64-unknown-linux-musl" ]; then
-            STRIP_BIN=aarch64-linux-musl-strip
-          else
-            STRIP_BIN=strip
-          fi
-
-          "${STRIP_BIN}" dist/telemt
-
           cd dist
           tar -czf "${{ matrix.asset }}.tar.gz" \
             --owner=0 --group=0 --numeric-owner \

.kilocode/rules-architect/AGENTS.md

@@ -0,0 +1,58 @@
+# Architect Mode Rules for Telemt
+
+## Architecture Overview
+
+```mermaid
+graph TB
+    subgraph Entry
+        Client[Clients] --> Listener[TCP/Unix Listener]
+    end
+    
+    subgraph Proxy Layer
+        Listener --> ClientHandler[ClientHandler]
+        ClientHandler --> Handshake[Handshake Validator]
+        Handshake --> |Valid| Relay[Relay Layer]
+        Handshake --> |Invalid| Masking[Masking/TLS Fronting]
+    end
+    
+    subgraph Transport
+        Relay --> MiddleProxy[Middle-End Proxy Pool]
+        Relay --> DirectRelay[Direct DC Relay]
+        MiddleProxy --> TelegramDC[Telegram DCs]
+        DirectRelay --> TelegramDC
+    end
+```
+
+## Module Dependencies
+- [`src/main.rs`](src/main.rs) - Entry point, spawns all async tasks
+- [`src/config/`](src/config/) - Configuration loading with auto-migration
+- [`src/error.rs`](src/error.rs) - Error types, must be used by all modules
+- [`src/crypto/`](src/crypto/) - AES, SHA, random number generation
+- [`src/protocol/`](src/protocol/) - MTProto constants, frame encoding, obfuscation
+- [`src/stream/`](src/stream/) - Stream wrappers, buffer pool, frame codecs
+- [`src/proxy/`](src/proxy/) - Client handling, handshake, relay logic
+- [`src/transport/`](src/transport/) - Upstream management, middle-proxy, SOCKS support
+- [`src/stats/`](src/stats/) - Statistics and replay protection
+- [`src/ip_tracker.rs`](src/ip_tracker.rs) - Per-user IP tracking
+
+## Key Architectural Constraints
+
+### Middle-End Proxy Mode
+- Requires public IP on interface OR 1:1 NAT with STUN probing
+- Uses separate `proxy-secret` from Telegram (NOT user secrets)
+- Falls back to direct mode automatically on STUN mismatch
+
+### TLS Fronting
+- Invalid handshakes are transparently proxied to `mask_host`
+- This is critical for DPI evasion - do not change this behavior
+- `mask_unix_sock` and `mask_host` are mutually exclusive
+
+### Stream Architecture
+- Buffer pool is shared globally via Arc - prevents allocation storms
+- Frame codecs implement tokio-util Encoder/Decoder traits
+- State machine in [`src/stream/state.rs`](src/stream/state.rs) manages stream transitions
+
+### Configuration Migration
+- [`ProxyConfig::load()`](src/config/mod.rs:641) mutates config in-place
+- New fields must have sensible defaults
+- DC203 override is auto-injected for CDN/media support

.kilocode/rules-code/AGENTS.md

@@ -0,0 +1,23 @@
+# Code Mode Rules for Telemt
+
+## Error Handling
+- Always use [`ProxyError`](src/error.rs:168) from [`src/error.rs`](src/error.rs) for proxy operations
+- [`HandshakeResult<T,R,W>`](src/error.rs:292) returns streams on bad client - these MUST be returned for masking, never dropped
+- Use [`Recoverable`](src/error.rs:110) trait to check if errors are retryable
+
+## Configuration Changes
+- [`ProxyConfig::load()`](src/config/mod.rs:641) auto-mutates config - new fields should have defaults
+- DC203 override is auto-injected if missing - do not remove this behavior
+- When adding config fields, add migration logic in [`ProxyConfig::load()`](src/config/mod.rs:641)
+
+## Crypto Code
+- [`SecureRandom`](src/crypto/random.rs) from [`src/crypto/random.rs`](src/crypto/random.rs) must be used for all crypto operations
+- Never use `rand::thread_rng()` directly - use the shared `Arc<SecureRandom>`
+
+## Stream Handling
+- Buffer pool [`BufferPool`](src/stream/buffer_pool.rs) is shared via Arc - always use it instead of allocating
+- Frame codecs in [`src/stream/frame_codec.rs`](src/stream/frame_codec.rs) implement tokio-util's Encoder/Decoder traits
+
+## Testing
+- Tests are inline in modules using `#[cfg(test)]`
+- Use `cargo test --lib <module_name>` to run tests for specific modules

.kilocode/rules-debug/AGENTS.md

@@ -0,0 +1,27 @@
+# Debug Mode Rules for Telemt
+
+## Logging
+- `RUST_LOG` environment variable takes absolute priority over all config log levels
+- Log levels: `trace`, `debug`, `info`, `warn`, `error`
+- Use `RUST_LOG=debug cargo run` for detailed operational logs
+- Use `RUST_LOG=trace cargo run` for full protocol-level debugging
+
+## Middle-End Proxy Debugging
+- Set `ME_DIAG=1` environment variable for high-precision cryptography diagnostics
+- STUN probe results are logged at startup - check for mismatch between local and reflected IP
+- If Middle-End fails, check `proxy_secret_path` points to valid file from https://core.telegram.org/getProxySecret
+
+## Connection Issues
+- DC connectivity is logged at startup with RTT measurements
+- If DC ping fails, check `dc_overrides` for custom addresses
+- Use `prefer_ipv6=false` in config if IPv6 is unreliable
+
+## TLS Fronting Issues
+- Invalid handshakes are proxied to `mask_host` - check this host is reachable
+- `mask_unix_sock` and `mask_host` are mutually exclusive - only one can be set
+- If `mask_unix_sock` is set, socket must exist before connections arrive
+
+## Common Errors
+- `ReplayAttack` - client replayed a handshake nonce, potential attack
+- `TimeSkew` - client clock is off, can disable with `ignore_time_skew=true`
+- `TgHandshakeTimeout` - upstream DC connection failed, check network

CONTRIBUTING.md

@@ -1,82 +1,19 @@
-# Issues
+# Issues - Rules
-## Warnung
-Before opening Issue, if it is more question than problem or bug - ask about that [in our chat](https://t.me/telemtrs)
-
 ## What it is not
 - NOT Question and Answer
 - NOT Helpdesk
 
-***Each of your Issues triggers attempts to reproduce problems and analyze them, which are done manually by people***
+# Pull Requests - Rules
-
----
-
-# Pull Requests
-
 ## General
 - ONLY signed and verified commits
 - ONLY from your name
-- DO NOT commit with `codex`, `claude`, or other AI tools as author/committer
+- DO NOT commit with `codex` or `claude` as author/commiter
 - PREFER `flow` branch for development, not `main`
 
----
+## AI
+We are not against modern tools, like AI, where you act as a principal or architect, but we consider it important:
 
-## Definition of Ready (MANDATORY)
+- you really understand what you're doing
-
+- you understand the relationships and dependencies of the components being modified
-A Pull Request WILL be ignored or closed if:
+- you understand the architecture of Telegram MTProto, MTProxy, Middle-End KDF at least generically
-
+- you DO NOT commit for the sake of commits, but to help the community, core-developers and ordinary users
-- it does NOT build
-- it does NOT pass tests
-- it does NOT follow formatting rules
-- it contains unrelated or excessive changes
-- the author cannot clearly explain the change
-
----
-
-## Blessed Principles
-- PR must build
-- PR must pass tests
-- PR must be understood by author
-
----
-
-## AI Usage Policy
-
-AI tools (Claude, ChatGPT, Codex, DeepSeek, etc.) are allowed as **assistants**, NOT as decision-makers.
-
-By submitting a PR, you confirm that:
-
-- you fully understand the code you submit
-- you verified correctness manually
-- you reviewed architecture and dependencies
-- you take full responsibility for the change
-
-AI-generated code is treated as **draft** and must be validated like any other external contribution.
-
-PRs that look like unverified AI dumps WILL be closed
-
----
-
-## Maintainer Policy
-
-Maintainers reserve the right to:
-
-- close PRs that do not meet basic quality requirements
-- request explanations before review
-- ignore low-effort contributions
-
-Respect the reviewers time
-
----
-
-## Enforcement
-
-Pull Requests that violate project standards may be closed without review.
-
-This includes (but is not limited to):
-
-- non-building code
-- failing tests
-- unverified or low-effort changes
-- inability to explain the change
-
-These actions follow the Code of Conduct and are intended to preserve signal, quality, and Telemt's integrity

Cargo.lock

@@ -183,9 +183,9 @@ dependencies = [
 
 [[package]]
 name = "aws-lc-sys"
-version = "0.39.1"
+version = "0.39.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "83a25cf98105baa966497416dbd42565ce3a8cf8dbfd59803ec9ad46f3126399"
+checksum = "1fa7e52a4c5c547c741610a2c6f123f3881e409b714cd27e6798ef020c514f0a"
 dependencies = [
  "cc",
  "cmake",
@@ -234,16 +234,16 @@ checksum = "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af"
 
 [[package]]
 name = "blake3"
-version = "1.8.4"
+version = "1.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4d2d5991425dfd0785aed03aedcf0b321d61975c9b5b3689c774a2610ae0b51e"
+checksum = "2468ef7d57b3fb7e16b576e8377cdbde2320c60e1491e961d11da40fc4f02a2d"
 dependencies = [
  "arrayref",
  "arrayvec",
  "cc",
  "cfg-if",
  "constant_time_eq",
- "cpufeatures 0.3.0",
+ "cpufeatures 0.2.17",
 ]
 
 [[package]]
@@ -299,9 +299,9 @@ dependencies = [
 
 [[package]]
 name = "cc"
-version = "1.2.58"
+version = "1.2.57"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e1e928d4b69e3077709075a938a05ffbedfa53a84c8f766efbf8220bb1ff60e1"
+checksum = "7a0dd1ca384932ff3641c8718a02769f1698e7563dc6974ffd03346116310423"
 dependencies = [
  "find-msvc-tools",
  "jobserver",
@@ -441,9 +441,9 @@ checksum = "c8d4a3bb8b1e0c1050499d1815f5ab16d04f0959b233085fb31653fbfc9d98f9"
 
 [[package]]
 name = "cmake"
-version = "0.1.58"
+version = "0.1.57"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c0f78a02292a74a88ac736019ab962ece0bc380e3f977bf72e376c5d78ff0678"
+checksum = "75443c44cd6b379beb8c5b45d85d0773baf31cce901fe7bb252f4eff3008ef7d"
 dependencies = [
  "cc",
 ]
@@ -1191,9 +1191,9 @@ checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"
 
 [[package]]
 name = "hyper"
-version = "1.9.0"
+version = "1.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6299f016b246a94207e63da54dbe807655bf9e00044f73ded42c3ac5305fbcca"
+checksum = "2ab2d4f250c3d7b1c9fcdff1cece94ea4e2dfbec68614f7b87cb205f24ca9d11"
 dependencies = [
  "atomic-waker",
  "bytes",
@@ -1206,6 +1206,7 @@ dependencies = [
  "httpdate",
  "itoa",
  "pin-project-lite",
+ "pin-utils",
  "smallvec",
  "tokio",
  "want",
@@ -1244,7 +1245,7 @@ dependencies = [
  "libc",
  "percent-encoding",
  "pin-project-lite",
- "socket2",
+ "socket2 0.6.3",
  "tokio",
  "tower-service",
  "tracing",
@@ -1276,13 +1277,12 @@ dependencies = [
 
 [[package]]
 name = "icu_collections"
-version = "2.2.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2984d1cd16c883d7935b9e07e44071dca8d917fd52ecc02c04d5fa0b5a3f191c"
+checksum = "4c6b649701667bbe825c3b7e6388cb521c23d88644678e83c0c4d0a621a34b43"
 dependencies = [
  "displaydoc",
  "potential_utf",
- "utf8_iter",
  "yoke",
  "zerofrom",
  "zerovec",
@@ -1290,9 +1290,9 @@ dependencies = [
 
 [[package]]
 name = "icu_locale_core"
-version = "2.2.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "92219b62b3e2b4d88ac5119f8904c10f8f61bf7e95b640d25ba3075e6cac2c29"
+checksum = "edba7861004dd3714265b4db54a3c390e880ab658fec5f7db895fae2046b5bb6"
 dependencies = [
  "displaydoc",
  "litemap",
@@ -1303,9 +1303,9 @@ dependencies = [
 
 [[package]]
 name = "icu_normalizer"
-version = "2.2.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c56e5ee99d6e3d33bd91c5d85458b6005a22140021cc324cea84dd0e72cff3b4"
+checksum = "5f6c8828b67bf8908d82127b2054ea1b4427ff0230ee9141c54251934ab1b599"
 dependencies = [
  "icu_collections",
  "icu_normalizer_data",
@@ -1317,15 +1317,15 @@ dependencies = [
 
 [[package]]
 name = "icu_normalizer_data"
-version = "2.2.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da3be0ae77ea334f4da67c12f149704f19f81d1adf7c51cf482943e84a2bad38"
+checksum = "7aedcccd01fc5fe81e6b489c15b247b8b0690feb23304303a9e560f37efc560a"
 
 [[package]]
 name = "icu_properties"
-version = "2.2.0"
+version = "2.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bee3b67d0ea5c2cca5003417989af8996f8604e34fb9ddf96208a033901e70de"
+checksum = "020bfc02fe870ec3a66d93e677ccca0562506e5872c650f893269e08615d74ec"
 dependencies = [
  "icu_collections",
  "icu_locale_core",
@@ -1337,15 +1337,15 @@ dependencies = [
 
 [[package]]
 name = "icu_properties_data"
-version = "2.2.0"
+version = "2.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8e2bbb201e0c04f7b4b3e14382af113e17ba4f63e2c9d2ee626b720cbce54a14"
+checksum = "616c294cf8d725c6afcd8f55abc17c56464ef6211f9ed59cccffe534129c77af"
 
 [[package]]
 name = "icu_provider"
-version = "2.2.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "139c4cf31c8b5f33d7e199446eff9c1e02decfc2f0eec2c8d71f65befa45b421"
+checksum = "85962cf0ce02e1e0a629cc34e7ca3e373ce20dda4c4d7294bbd0bf1fdb59e614"
 dependencies = [
  "displaydoc",
  "icu_locale_core",
@@ -1427,15 +1427,14 @@ dependencies = [
 
 [[package]]
 name = "ipconfig"
-version = "0.3.4"
+version = "0.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4d40460c0ce33d6ce4b0630ad68ff63d6661961c48b6dba35e5a4d81cfb48222"
+checksum = "b58db92f96b720de98181bbbe63c831e87005ab460c1bf306eb2622b4707997f"
 dependencies = [
- "socket2",
+ "socket2 0.5.10",
  "widestring",
- "windows-registry",
+ "windows-sys 0.48.0",
- "windows-result",
+ "winreg",
- "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -1455,9 +1454,9 @@ dependencies = [
 
 [[package]]
 name = "iri-string"
-version = "0.7.12"
+version = "0.7.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "25e659a4bb38e810ebc252e53b5814ff908a8c58c2a9ce2fae1bbec24cbf4e20"
+checksum = "d8e7418f59cc01c88316161279a7f665217ae316b388e58a0d10e29f54f1e5eb"
 dependencies = [
  "memchr",
  "serde",
@@ -1534,12 +1533,10 @@ dependencies = [
 
 [[package]]
 name = "js-sys"
-version = "0.3.94"
+version = "0.3.91"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2e04e2ef80ce82e13552136fabeef8a5ed1f985a96805761cbb9a2c34e7664d9"
+checksum = "b49715b7073f385ba4bc528e5747d02e66cb39c6146efb66b781f131f0fb399c"
 dependencies = [
- "cfg-if",
- "futures-util",
  "once_cell",
  "wasm-bindgen",
 ]
@@ -1578,9 +1575,9 @@ checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2"
 
 [[package]]
 name = "libc"
-version = "0.2.184"
+version = "0.2.183"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "48f5d2a454e16a5ea0f4ced81bd44e4cfc7bd3a507b61887c99fd3538b28e4af"
+checksum = "b5b646652bf6661599e1da8901b3b9522896f01e736bad5f723fe7a3a27f899d"
 
 [[package]]
 name = "linux-raw-sys"
@@ -1590,9 +1587,9 @@ checksum = "32a66949e030da00e8c7d4434b251670a91556f4144941d37452769c25d58a53"
 
 [[package]]
 name = "litemap"
-version = "0.8.2"
+version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "92daf443525c4cce67b150400bc2316076100ce0b3686209eb8cf3c31612e6f0"
+checksum = "6373607a59f0be73a39b6fe456b8192fcc3585f602af20751600e974dd455e77"
 
 [[package]]
 name = "lock_api"
@@ -1672,9 +1669,9 @@ checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
 
 [[package]]
 name = "mio"
-version = "1.2.0"
+version = "1.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "50b7e5b27aa02a74bac8c3f23f448f8d87ff11f92d3aac1a6ed369ee08cc56c1"
+checksum = "a69bcab0ad47271a0234d9422b131806bf3968021e5dc9328caf2d4cd58557fc"
 dependencies = [
  "libc",
  "log",
@@ -1770,9 +1767,9 @@ dependencies = [
 
 [[package]]
 name = "num-conv"
-version = "0.2.1"
+version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c6673768db2d862beb9b39a78fdcb1a69439615d5794a1be50caa9bc92c81967"
+checksum = "cf97ec579c3c42f953ef76dbf8d55ac91fb219dde70e49aa4a6b7d74e9919050"
 
 [[package]]
 name = "num-integer"
@@ -1894,6 +1891,12 @@ version = "0.2.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a89322df9ebe1c1578d689c92318e070967d1042b512afbe49518723f4e6d5cd"
 
+[[package]]
+name = "pin-utils"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
+
 [[package]]
 name = "pkcs8"
 version = "0.10.2"
@@ -1963,9 +1966,9 @@ checksum = "c33a9471896f1c69cecef8d20cbe2f7accd12527ce60845ff44c153bb2a21b49"
 
 [[package]]
 name = "potential_utf"
-version = "0.1.5"
+version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0103b1cef7ec0cf76490e969665504990193874ea05c85ff9bab8b911d0a0564"
+checksum = "b73949432f5e2a09657003c25bca5e19a0e9c84f8058ca374f49e0ebe605af77"
 dependencies = [
  "zerovec",
 ]
@@ -2006,9 +2009,9 @@ dependencies = [
 
 [[package]]
 name = "proptest"
-version = "1.11.0"
+version = "1.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4b45fcc2344c680f5025fe57779faef368840d0bd1f42f216291f0dc4ace4744"
+checksum = "37566cb3fdacef14c0737f9546df7cfeadbfbc9fef10991038bf5015d0c80532"
 dependencies = [
  "bit-set",
  "bit-vec",
@@ -2042,7 +2045,7 @@ dependencies = [
  "quinn-udp",
  "rustc-hash",
  "rustls",
- "socket2",
+ "socket2 0.6.3",
  "thiserror 2.0.18",
  "tokio",
  "tracing",
@@ -2080,7 +2083,7 @@ dependencies = [
  "cfg_aliases",
  "libc",
  "once_cell",
- "socket2",
+ "socket2 0.6.3",
  "tracing",
  "windows-sys 0.60.2",
 ]
@@ -2298,9 +2301,9 @@ dependencies = [
 
 [[package]]
 name = "rustc-hash"
-version = "2.1.2"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "94300abf3f1ae2e2b8ffb7b58043de3d399c73fa6f4b73826402a5c457614dbe"
+checksum = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d"
 
 [[package]]
 name = "rustc_version"
@@ -2552,9 +2555,9 @@ dependencies = [
 
 [[package]]
 name = "serde_spanned"
-version = "1.1.1"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6662b5879511e06e8999a8a235d848113e942c9124f211511b16466ee2995f26"
+checksum = "f8bbf91e5a4d6315eee45e704372590b30e260ee83af6639d64557f51b067776"
 dependencies = [
  "serde_core",
 ]
@@ -2622,7 +2625,7 @@ dependencies = [
  "serde_json",
  "serde_urlencoded",
  "shadowsocks-crypto",
- "socket2",
+ "socket2 0.6.3",
  "spin",
  "thiserror 2.0.18",
  "tokio",
@@ -2694,6 +2697,16 @@ version = "1.15.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
 
+[[package]]
+name = "socket2"
+version = "0.5.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e22376abed350d73dd1cd119b57ffccad95b4e585a7cda43e286245ce23c0678"
+dependencies = [
+ "libc",
+ "windows-sys 0.52.0",
+]
+
 [[package]]
 name = "socket2"
 version = "0.6.3"
@@ -2780,7 +2793,7 @@ checksum = "7b2093cf4c8eb1e67749a6762251bc9cd836b6fc171623bd0a9d324d37af2417"
 
 [[package]]
 name = "telemt"
-version = "3.3.39"
+version = "3.3.32"
 dependencies = [
  "aes",
  "anyhow",
@@ -2821,7 +2834,7 @@ dependencies = [
  "sha1",
  "sha2",
  "shadowsocks",
- "socket2",
+ "socket2 0.6.3",
  "static_assertions",
  "subtle",
  "thiserror 2.0.18",
@@ -2831,7 +2844,6 @@ dependencies = [
  "tokio-util",
  "toml",
  "tracing",
- "tracing-appender",
  "tracing-subscriber",
  "url",
  "webpki-roots",
@@ -2935,9 +2947,9 @@ dependencies = [
 
 [[package]]
 name = "tinystr"
-version = "0.8.3"
+version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c8323304221c2a851516f22236c5722a72eaa19749016521d6dff0824447d96d"
+checksum = "42d3e9c45c09de15d06dd8acf5f4e0e399e85927b7f00711024eb7ae10fa4869"
 dependencies = [
  "displaydoc",
  "zerovec",
@@ -2980,7 +2992,7 @@ dependencies = [
  "parking_lot",
  "pin-project-lite",
  "signal-hook-registry",
- "socket2",
+ "socket2 0.6.3",
  "tokio-macros",
  "tracing",
  "windows-sys 0.61.2",
@@ -3041,7 +3053,7 @@ dependencies = [
  "log",
  "once_cell",
  "pin-project",
- "socket2",
+ "socket2 0.6.3",
  "tokio",
  "windows-sys 0.60.2",
 ]
@@ -3065,9 +3077,9 @@ dependencies = [
 
 [[package]]
 name = "toml"
-version = "1.1.2+spec-1.1.0"
+version = "1.0.7+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "81f3d15e84cbcd896376e6730314d59fb5a87f31e4b038454184435cd57defee"
+checksum = "dd28d57d8a6f6e458bc0b8784f8fdcc4b99a437936056fa122cb234f18656a96"
 dependencies = [
  "indexmap",
  "serde_core",
@@ -3080,27 +3092,27 @@ dependencies = [
 
 [[package]]
 name = "toml_datetime"
-version = "1.1.1+spec-1.1.0"
+version = "1.0.1+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3165f65f62e28e0115a00b2ebdd37eb6f3b641855f9d636d3cd4103767159ad7"
+checksum = "9b320e741db58cac564e26c607d3cc1fdc4a88fd36c879568c07856ed83ff3e9"
 dependencies = [
  "serde_core",
 ]
 
 [[package]]
 name = "toml_parser"
-version = "1.1.2+spec-1.1.0"
+version = "1.0.10+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a2abe9b86193656635d2411dc43050282ca48aa31c2451210f4202550afb7526"
+checksum = "7df25b4befd31c4816df190124375d5a20c6b6921e2cad937316de3fccd63420"
 dependencies = [
  "winnow",
 ]
 
 [[package]]
 name = "toml_writer"
-version = "1.1.1+spec-1.1.0"
+version = "1.0.7+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "756daf9b1013ebe47a8776667b466417e2d4c5679d441c26230efd9ef78692db"
+checksum = "f17aaa1c6e3dc22b1da4b6bba97d066e354c7945cac2f7852d4e4e7ca7a6b56d"
 
 [[package]]
 name = "tower"
@@ -3158,18 +3170,6 @@ dependencies = [
  "tracing-core",
 ]
 
-[[package]]
-name = "tracing-appender"
-version = "0.2.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "786d480bce6247ab75f005b14ae1624ad978d3029d9113f0a22fa1ac773faeaf"
-dependencies = [
- "crossbeam-channel",
- "thiserror 2.0.18",
- "time",
- "tracing-subscriber",
-]
-
 [[package]]
 name = "tracing-attributes"
 version = "0.1.31"
@@ -3297,9 +3297,9 @@ checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
 
 [[package]]
 name = "uuid"
-version = "1.23.0"
+version = "1.22.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5ac8b6f42ead25368cf5b098aeb3dc8a1a2c05a3eee8a9a1a68c640edbfc79d9"
+checksum = "a68d3c8f01c0cfa54a75291d83601161799e4a89a39e0929f4b0354d88757a37"
 dependencies = [
  "getrandom 0.4.2",
  "js-sys",
@@ -3372,9 +3372,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen"
-version = "0.2.117"
+version = "0.2.114"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0551fc1bb415591e3372d0bc4780db7e587d84e2a7e79da121051c5c4b89d0b0"
+checksum = "6532f9a5c1ece3798cb1c2cfdba640b9b3ba884f5db45973a6f442510a87d38e"
 dependencies = [
  "cfg-if",
  "once_cell",
@@ -3385,19 +3385,23 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-futures"
-version = "0.4.67"
+version = "0.4.64"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "03623de6905b7206edd0a75f69f747f134b7f0a2323392d664448bf2d3c5d87e"
+checksum = "e9c5522b3a28661442748e09d40924dfb9ca614b21c00d3fd135720e48b67db8"
 dependencies = [
+ "cfg-if",
+ "futures-util",
  "js-sys",
+ "once_cell",
  "wasm-bindgen",
+ "web-sys",
 ]
 
 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.117"
+version = "0.2.114"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7fbdf9a35adf44786aecd5ff89b4563a90325f9da0923236f6104e603c7e86be"
+checksum = "18a2d50fcf105fb33bb15f00e7a77b772945a2ee45dcf454961fd843e74c18e6"
 dependencies = [
  "quote",
  "wasm-bindgen-macro-support",
@@ -3405,9 +3409,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro-support"
-version = "0.2.117"
+version = "0.2.114"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dca9693ef2bab6d4e6707234500350d8dad079eb508dca05530c85dc3a529ff2"
+checksum = "03ce4caeaac547cdf713d280eda22a730824dd11e6b8c3ca9e42247b25c631e3"
 dependencies = [
  "bumpalo",
  "proc-macro2",
@@ -3418,9 +3422,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-shared"
-version = "0.2.117"
+version = "0.2.114"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "39129a682a6d2d841b6c429d0c51e5cb0ed1a03829d8b3d1e69a011e62cb3d3b"
+checksum = "75a326b8c223ee17883a4251907455a2431acc2791c98c26279376490c378c16"
 dependencies = [
  "unicode-ident",
 ]
@@ -3461,9 +3465,9 @@ dependencies = [
 
 [[package]]
 name = "web-sys"
-version = "0.3.94"
+version = "0.3.91"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cd70027e39b12f0849461e08ffc50b9cd7688d942c1c8e3c7b22273236b4dd0a"
+checksum = "854ba17bb104abfb26ba36da9729addc7ce7f06f5c0f90f3c391f8461cca21f9"
 dependencies = [
  "js-sys",
  "wasm-bindgen",
@@ -3575,17 +3579,6 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
 
-[[package]]
-name = "windows-registry"
-version = "0.6.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "02752bf7fbdcce7f2a27a742f798510f3e5ad88dbe84871e5168e2120c3d5720"
-dependencies = [
- "windows-link",
- "windows-result",
- "windows-strings",
-]
-
 [[package]]
 name = "windows-result"
 version = "0.4.1"
@@ -3613,6 +3606,15 @@ dependencies = [
  "windows-targets 0.42.2",
 ]
 
+[[package]]
+name = "windows-sys"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9"
+dependencies = [
+ "windows-targets 0.48.5",
+]
+
 [[package]]
 name = "windows-sys"
 version = "0.52.0"
@@ -3655,6 +3657,21 @@ dependencies = [
  "windows_x86_64_msvc 0.42.2",
 ]
 
+[[package]]
+name = "windows-targets"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c"
+dependencies = [
+ "windows_aarch64_gnullvm 0.48.5",
+ "windows_aarch64_msvc 0.48.5",
+ "windows_i686_gnu 0.48.5",
+ "windows_i686_msvc 0.48.5",
+ "windows_x86_64_gnu 0.48.5",
+ "windows_x86_64_gnullvm 0.48.5",
+ "windows_x86_64_msvc 0.48.5",
+]
+
 [[package]]
 name = "windows-targets"
 version = "0.52.6"
@@ -3694,6 +3711,12 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8"
 
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8"
+
 [[package]]
 name = "windows_aarch64_gnullvm"
 version = "0.52.6"
@@ -3712,6 +3735,12 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43"
 
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc"
+
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.52.6"
@@ -3730,6 +3759,12 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f"
 
+[[package]]
+name = "windows_i686_gnu"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e"
+
 [[package]]
 name = "windows_i686_gnu"
 version = "0.52.6"
@@ -3760,6 +3795,12 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060"
 
+[[package]]
+name = "windows_i686_msvc"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406"
+
 [[package]]
 name = "windows_i686_msvc"
 version = "0.52.6"
@@ -3778,6 +3819,12 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36"
 
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e"
+
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.52.6"
@@ -3796,6 +3843,12 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3"
 
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc"
+
 [[package]]
 name = "windows_x86_64_gnullvm"
 version = "0.52.6"
@@ -3814,6 +3867,12 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0"
 
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538"
+
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.52.6"
@@ -3828,9 +3887,19 @@ checksum = "d6bbff5f0aada427a1e5a6da5f1f98158182f26556f345ac9e04d36d0ebed650"
 
 [[package]]
 name = "winnow"
-version = "1.0.1"
+version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "09dac053f1cd375980747450bfc7250c264eaae0583872e845c0c7cd578872b5"
+checksum = "a90e88e4667264a994d34e6d1ab2d26d398dcdca8b7f52bec8668957517fc7d8"
+
+[[package]]
+name = "winreg"
+version = "0.50.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "524e57b2c537c0f9b1e69f1965311ec12182b4122e45035b1508cd24d2adadb1"
+dependencies = [
+ "cfg-if",
+ "windows-sys 0.48.0",
+]
 
 [[package]]
 name = "wit-bindgen"
@@ -3957,9 +4026,9 @@ dependencies = [
 
 [[package]]
 name = "yoke"
-version = "0.8.2"
+version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "abe8c5fda708d9ca3df187cae8bfb9ceda00dd96231bed36e445a1a48e66f9ca"
+checksum = "72d6e5c6afb84d73944e5cedb052c4680d5657337201555f9f2a16b7406d4954"
 dependencies = [
  "stable_deref_trait",
  "yoke-derive",
@@ -3968,9 +4037,9 @@ dependencies = [
 
 [[package]]
 name = "yoke-derive"
-version = "0.8.2"
+version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "de844c262c8848816172cef550288e7dc6c7b7814b4ee56b3e1553f275f1858e"
+checksum = "b659052874eb698efe5b9e8cf382204678a0086ebf46982b79d6ca3182927e5d"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -3980,18 +4049,18 @@ dependencies = [
 
 [[package]]
 name = "zerocopy"
-version = "0.8.48"
+version = "0.8.47"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eed437bf9d6692032087e337407a86f04cd8d6a16a37199ed57949d415bd68e9"
+checksum = "efbb2a062be311f2ba113ce66f697a4dc589f85e78a4aea276200804cea0ed87"
 dependencies = [
  "zerocopy-derive",
 ]
 
 [[package]]
 name = "zerocopy-derive"
-version = "0.8.48"
+version = "0.8.47"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "70e3cd084b1788766f53af483dd21f93881ff30d7320490ec3ef7526d203bad4"
+checksum = "0e8bc7269b54418e7aeeef514aa68f8690b8c0489a06b0136e5f57c4c5ccab89"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -4000,18 +4069,18 @@ dependencies = [
 
 [[package]]
 name = "zerofrom"
-version = "0.1.7"
+version = "0.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "69faa1f2a1ea75661980b013019ed6687ed0e83d069bc1114e2cc74c6c04c4df"
+checksum = "50cc42e0333e05660c3587f3bf9d0478688e15d870fab3346451ce7f8c9fbea5"
 dependencies = [
  "zerofrom-derive",
 ]
 
 [[package]]
 name = "zerofrom-derive"
-version = "0.1.7"
+version = "0.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "11532158c46691caf0f2593ea8358fed6bbf68a0315e80aae9bd41fbade684a1"
+checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -4041,9 +4110,9 @@ dependencies = [
 
 [[package]]
 name = "zerotrie"
-version = "0.2.4"
+version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0f9152d31db0792fa83f70fb2f83148effb5c1f5b8c7686c3459e361d9bc20bf"
+checksum = "2a59c17a5562d507e4b54960e8569ebee33bee890c70aa3fe7b97e85a9fd7851"
 dependencies = [
  "displaydoc",
  "yoke",
@@ -4052,9 +4121,9 @@ dependencies = [
 
 [[package]]
 name = "zerovec"
-version = "0.11.6"
+version = "0.11.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "90f911cbc359ab6af17377d242225f4d75119aec87ea711a880987b18cd7b239"
+checksum = "6c28719294829477f525be0186d13efa9a3c602f7ec202ca9e353d310fb9a002"
 dependencies = [
  "yoke",
  "zerofrom",
@@ -4063,9 +4132,9 @@ dependencies = [
 
 [[package]]
 name = "zerovec-derive"
-version = "0.11.3"
+version = "0.11.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "625dc425cab0dca6dc3c3319506e6593dcb08a9f387ea3b284dbd52a92c40555"
+checksum = "eadce39539ca5cb3985590102671f2567e659fca9666581ad3411d59207951f3"
 dependencies = [
  "proc-macro2",
  "quote",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "telemt"
-version = "3.3.39"
+version = "3.3.32"
 edition = "2024"
 
 [features]
@@ -30,13 +30,7 @@ static_assertions = "1.1"
 
 # Network
 socket2 = { version = "0.6", features = ["all"] }
-nix = { version = "0.31", default-features = false, features = [
+nix = { version = "0.31", default-features = false, features = ["net", "fs"] }
-  "net",
-  "user",
-  "process",
-  "fs",
-  "signal",
-] }
 shadowsocks = { version = "1.24", features = ["aead-cipher-2022"] }
 
 # Serialization
@@ -50,7 +44,6 @@ bytes = "1.9"
 thiserror = "2.0"
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
-tracing-appender = "0.2"
 parking_lot = "0.12"
 dashmap = "6.1"
 arc-swap = "1.7"
@@ -75,14 +68,8 @@ hyper = { version = "1", features = ["server", "http1"] }
 hyper-util = { version = "0.1", features = ["tokio", "server-auto"] }
 http-body-util = "0.1"
 httpdate = "1.0"
-tokio-rustls = { version = "0.26", default-features = false, features = [
+tokio-rustls = { version = "0.26", default-features = false, features = ["tls12"] }
-  "tls12",
+rustls = { version = "0.23", default-features = false, features = ["std", "tls12", "ring"] }
-] }
-rustls = { version = "0.23", default-features = false, features = [
-  "std",
-  "tls12",
-  "ring",
-] }
 webpki-roots = "1.0"
 
 [dev-dependencies]

LICENSE

@@ -1,4 +1,4 @@
-######## TELEMT LICENSE 3.3 #########
+###### TELEMT Public License 3 ######
 ##### Copyright (c) 2026 Telemt #####
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -14,15 +14,11 @@ are preserved and complied with.
 The canonical version of this License is the English version.
 Official translations are provided for informational purposes only
 and for convenience, and do not have legal force. In case of any
-discrepancy, the English version of this License shall prevail
+discrepancy, the English version of this License shall prevail.
-
+Available versions:
-/----------------------------------------------------------\
+- English in Markdown: docs/LICENSE/LICENSE.md
-| Language    | Location                                   |
+- German: docs/LICENSE/LICENSE.de.md
-|-------------|--------------------------------------------|
+- Russian: docs/LICENSE/LICENSE.ru.md
-| English     | docs/LICENSE/TELEMT-LICENSE.en.md          |
-| German      | docs/LICENSE/TELEMT-LICENSE.de.md          |
-| Russian     | docs/LICENSE/TELEMT-LICENSE.ru.md          |
-\----------------------------------------------------------/
 
 ### License Versioning Policy
 

README.md

@@ -2,61 +2,234 @@
 
 ***Löst Probleme, bevor andere überhaupt wissen, dass sie existieren*** / ***It solves problems before others even realize they exist***
 
-> [!NOTE]
->
-> Fixed TLS ClientHello is now available:
-> - in **Telegram Desktop** starting from version **6.7.2**
-> - in **Telegram Android Client** starting from version **12.6.4**
-> - **release for iOS is "work in progress"**
->
-> To work with EE-MTProxy, please update your client!
-
-<p align="center">
-  <a href="https://t.me/telemtrs">
-    <img src="docs/assets/telegram_button.png" alt="Join us in Telegram" width="200" />
-  </a>
-</p>
-
 **Telemt** is a fast, secure, and feature-rich server written in Rust: it fully implements the official Telegram proxy algo and adds many production-ready improvements such as:
-- [ME Pool + Reader/Writer + Registry + Refill + Adaptive Floor + Trio-State + Generation Lifecycle](https://github.com/telemt/telemt/blob/main/docs/Architecture/Model/MODEL.en.md);
+- [ME Pool + Reader/Writer + Registry + Refill + Adaptive Floor + Trio-State + Generation Lifecycle](https://github.com/telemt/telemt/blob/main/docs/model/MODEL.en.md)
-- [Full-covered API w/ management](https://github.com/telemt/telemt/blob/main/docs/Architecture/API/API.md);
+- [Full-covered API w/ management](https://github.com/telemt/telemt/blob/main/docs/API.md)
-- Anti-Replay on Sliding Window;
+- Anti-Replay on Sliding Window
-- Prometheus-format Metrics;
+- Prometheus-format Metrics
-- TLS-Fronting and TCP-Splicing for masking from "prying" eyes.
+- TLS-Fronting and TCP-Splicing for masking from "prying" eyes
 
-![telemt_scheme](docs/assets/telemt.png)
+[**Telemt Chat in Telegram**](https://t.me/telemtrs)
+
+## NEWS and EMERGENCY
+### ✈️ Telemt 3 is released!
+<table>
+<tr>
+<td width="50%" valign="top">
+
+### 🇷🇺 RU
+
+#### О релизах
+
+[3.3.27](https://github.com/telemt/telemt/releases/tag/3.3.27) даёт баланс стабильности и передового функционала, а так же последние исправления по безопасности и багам
+
+Будем рады вашему фидбеку и предложениям по улучшению — особенно в части **API**, **статистики**, **UX**
+
+---
+
+Если у вас есть компетенции в:
+
+- Асинхронных сетевых приложениях  
+- Анализе трафика  
+- Реверс-инжиниринге  
+- Сетевых расследованиях  
+
+Мы открыты к архитектурным предложениям, идеям и pull requests
+</td>
+<td width="50%" valign="top">
+
+### 🇬🇧 EN
+
+#### About releases
+
+[3.3.27](https://github.com/telemt/telemt/releases/tag/3.3.27) provides a balance of stability and advanced functionality, as well as the latest security and bug fixes
+
+We are looking forward to your feedback and improvement proposals — especially regarding **API**, **statistics**, **UX**
+
+---
+
+If you have expertise in:
+
+- Asynchronous network applications  
+- Traffic analysis  
+- Reverse engineering  
+- Network forensics  
+
+We welcome ideas, architectural feedback, and pull requests.
+</td>
+</tr>
+</table>
+
+# Features
+💥 The configuration structure has changed since version 1.1.0.0. change it in your environment!
 
 ⚓ Our implementation of **TLS-fronting** is one of the most deeply debugged, focused, advanced and *almost* **"behaviorally consistent to real"**:  we are confident we have it right - [see evidence on our validation and traces](#recognizability-for-dpi-and-crawler)
 
 ⚓ Our ***Middle-End Pool*** is fastest by design in standard scenarios, compared to other implementations of connecting to the Middle-End Proxy: non dramatically, but usual
 
 - Full support for all official MTProto proxy modes:
-  - Classic;
+  - Classic
-  - Secure - with `dd` prefix;
+  - Secure - with `dd` prefix
-  - Fake TLS - with `ee` prefix + SNI fronting;
+  - Fake TLS - with `ee` prefix + SNI fronting
-- Replay attack protection;
+- Replay attack protection
-- Optional traffic masking: forward unrecognized connections to a real web server, e.g. GitHub 🤪;
+- Optional traffic masking: forward unrecognized connections to a real web server, e.g. GitHub 🤪
-- Configurable keepalives + timeouts + IPv6 and "Fast Mode";
+- Configurable keepalives + timeouts + IPv6 and "Fast Mode"
-- Graceful shutdown on Ctrl+C;
+- Graceful shutdown on Ctrl+C
-- Extensive logging via `trace` and `debug` with `RUST_LOG` method.
+- Extensive logging via `trace` and `debug` with `RUST_LOG` method
 
 # GOTO
-- [FAQ](#faq)
-- [Architecture](docs/Architecture)
 - [Quick Start Guide](#quick-start-guide)
-- [Config parameters](docs/Config_params)
+- [FAQ](#faq)
+  - [Recognizability for DPI and crawler](#recognizability-for-dpi-and-crawler)
+    - [Client WITH secret-key accesses the MTProxy resource:](#client-with-secret-key-accesses-the-mtproxy-resource)
+    - [Client WITHOUT secret-key gets transparent access to the specified resource:](#client-without-secret-key-gets-transparent-access-to-the-specified-resource)
+  - [Telegram Calls via MTProxy](#telegram-calls-via-mtproxy)
+  - [How does DPI see MTProxy TLS?](#how-does-dpi-see-mtproxy-tls)
+  - [Whitelist on IP](#whitelist-on-ip)
+  - [Too many open files](#too-many-open-files)
 - [Build](#build)
 - [Why Rust?](#why-rust)
+- [Issues](#issues)
+- [Roadmap](#roadmap)
+
 
 ## Quick Start Guide
-- [Quick Start Guide RU](docs/Quick_start/QUICK_START_GUIDE.ru.md)
+- [Quick Start Guide RU](docs/QUICK_START_GUIDE.ru.md)
-- [Quick Start Guide EN](docs/Quick_start/QUICK_START_GUIDE.en.md)
+- [Quick Start Guide EN](docs/QUICK_START_GUIDE.en.md)
 
 ## FAQ
 
 - [FAQ RU](docs/FAQ.ru.md)
 - [FAQ EN](docs/FAQ.en.md)
 
+### Recognizability for DPI and crawler
+Since version 1.1.0.0, we have debugged masking perfectly: for all clients without "presenting" a key, 
+we transparently direct traffic to the target host!
+
+- We consider this a breakthrough aspect, which has no stable analogues today
+- Based on this: if `telemt` configured correctly, **TLS mode is completely identical to real-life handshake + communication** with a specified host
+- Here is our evidence:
+    - 212.220.88.77 - "dummy" host, running `telemt`
+    - `petrovich.ru` - `tls` + `masking` host, in HEX: `706574726f766963682e7275`
+    - **No MITM + No Fake Certificates/Crypto** = pure transparent *TCP Splice* to "best" upstream: MTProxy or tls/mask-host:
+      - DPI see legitimate HTTPS to `tls_host`, including *valid chain-of-trust* and entropy
+      - Crawlers completely satisfied receiving responses from `mask_host`
+  #### Client WITH secret-key accesses the MTProxy resource:
+  
+  <img width="360" height="439" alt="telemt" src="https://github.com/user-attachments/assets/39352afb-4a11-4ecc-9d91-9e8cfb20607d" />
+  
+  #### Client WITHOUT secret-key gets transparent access to the specified resource:
+    - with trusted certificate
+    - with original handshake
+    - with full request-response way
+    - with low-latency overhead
+```bash
+root@debian:~/telemt# curl -v -I --resolve petrovich.ru:443:212.220.88.77 https://petrovich.ru/
+* Added petrovich.ru:443:212.220.88.77 to DNS cache
+* Hostname petrovich.ru was found in DNS cache
+*   Trying 212.220.88.77:443...
+* Connected to petrovich.ru (212.220.88.77) port 443 (#0)
+* ALPN: offers h2,http/1.1
+* TLSv1.3 (OUT), TLS handshake, Client hello (1):
+*  CAfile: /etc/ssl/certs/ca-certificates.crt
+*  CApath: /etc/ssl/certs
+* TLSv1.3 (IN), TLS handshake, Server hello (2):
+* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
+* TLSv1.3 (IN), TLS handshake, Certificate (11):
+* TLSv1.3 (IN), TLS handshake, CERT verify (15):
+* TLSv1.3 (IN), TLS handshake, Finished (20):
+* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
+* TLSv1.3 (OUT), TLS handshake, Finished (20):
+* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
+* ALPN: server did not agree on a protocol. Uses default.
+* Server certificate:
+*  subject: C=RU; ST=Saint Petersburg; L=Saint Petersburg; O=STD Petrovich; CN=*.petrovich.ru
+*  start date: Jan 28 11:21:01 2025 GMT
+*  expire date: Mar  1 11:21:00 2026 GMT
+*  subjectAltName: host "petrovich.ru" matched cert's "petrovich.ru"
+*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
+*  SSL certificate verify ok.
+* using HTTP/1.x
+> HEAD / HTTP/1.1
+> Host: petrovich.ru
+> User-Agent: curl/7.88.1
+> Accept: */*
+> 
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+* old SSL session ID is stale, removing
+< HTTP/1.1 200 OK
+HTTP/1.1 200 OK
+< Server: Variti/0.9.3a
+Server: Variti/0.9.3a
+< Date: Thu, 01 Jan 2026 00:0000 GMT
+Date: Thu, 01 Jan 2026 00:0000 GMT
+< Access-Control-Allow-Origin: *
+Access-Control-Allow-Origin: *
+< Content-Type: text/html
+Content-Type: text/html
+< Cache-Control: no-store
+Cache-Control: no-store
+< Expires: Thu, 01 Jan 2026 00:0000 GMT
+Expires: Thu, 01 Jan 2026 00:0000 GMT
+< Pragma: no-cache
+Pragma: no-cache
+< Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
+Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
+< Content-Type: text/html
+Content-Type: text/html
+< Content-Length: 31253
+Content-Length: 31253
+< Connection: keep-alive
+Connection: keep-alive
+< Keep-Alive: timeout=60
+Keep-Alive: timeout=60
+
+< 
+* Connection #0 to host petrovich.ru left intact
+
+```
+- We challenged ourselves, we kept trying and we didn't only *beat the air*: now, we have something to show you
+  - Do not just take our word for it? - This is great and we respect that: you can build your own `telemt` or download a build and check it right now
+### Telegram Calls via MTProxy
+- Telegram architecture **does NOT allow calls via MTProxy**, but only via SOCKS5, which cannot be obfuscated
+### How does DPI see MTProxy TLS?
+- DPI sees MTProxy in Fake TLS (ee) mode as TLS 1.3
+- the SNI you specify sends both the client and the server;
+- ALPN is similar to HTTP 1.1/2;
+- high entropy, which is normal for AES-encrypted traffic;
+### Whitelist on IP
+- MTProxy cannot work when there is: 
+  - no IP connectivity to the target host: Russian Whitelist on Mobile Networks - "Белый список"
+  - OR all TCP traffic is blocked
+  - OR high entropy/encrypted traffic is blocked: content filters at universities and critical infrastructure
+  - OR all TLS traffic is blocked
+  - OR specified port is blocked: use 443 to make it "like real"
+  - OR provided SNI is blocked: use "officially approved"/innocuous name
+- like most protocols on the Internet; 
+- these situations are observed:
+  - in China behind the Great Firewall
+  - in Russia on mobile networks, less in wired networks
+  - in Iran during "activity"
+### Too many open files
+- On a fresh Linux install the default open file limit is low; under load `telemt` may fail with `Accept error: Too many open files`
+- **Systemd**: add `LimitNOFILE=65536` to the `[Service]` section (already included in the example above)
+- **Docker**: add `--ulimit nofile=65536:65536` to your `docker run` command, or in `docker-compose.yml`:
+```yaml
+ulimits:
+  nofile:
+    soft: 65536
+    hard: 65536
+```
+- **System-wide** (optional): add to `/etc/security/limits.conf`:
+```
+*       soft    nofile  1048576
+*       hard    nofile  1048576
+root    soft    nofile  1048576
+root    hard    nofile  1048576
+```
+
+
 ## Build
 ```bash
 # Cloning repo
@@ -79,7 +252,7 @@ telemt config.toml
 ```
 
 ### OpenBSD
-- Build and service setup guide: [OpenBSD Guide (EN)](docs/Quick_start/OPENBSD_QUICK_START_GUIDE.en.md)
+- Build and service setup guide: [OpenBSD Guide (EN)](docs/OPENBSD.en.md)
 - Example rc.d script: [contrib/openbsd/telemt.rcd](contrib/openbsd/telemt.rcd)
 - Status: OpenBSD sandbox hardening with `pledge(2)` and `unveil(2)` is not implemented yet.
 
@@ -90,3 +263,24 @@ telemt config.toml
 - No garbage collector
 - Memory safety and reduced attack surface
 - Tokio's asynchronous architecture
+
+## Issues
+- ✅ [SOCKS5 as Upstream](https://github.com/telemt/telemt/issues/1) -> added Upstream Management
+- ✅ [iOS - Media Upload Hanging-in-Loop](https://github.com/telemt/telemt/issues/2)
+
+## Roadmap
+- Public IP in links
+- Config Reload-on-fly
+- Bind to device or IP for outbound/inbound connections
+- Adtag Support per SNI / Secret
+- Fail-fast on start + Fail-soft on runtime (only WARN/ERROR)
+- Zero-copy, minimal allocs on hotpath
+- DC Healthchecks + global fallback
+- No global mutable state
+- Client isolation + Fair Bandwidth
+- Backpressure-aware IO
+- "Secret Policy" - SNI / Secret Routing :D
+- Multi-upstream Balancer and Failover
+- Strict FSM per handshake
+- Session-based Antireplay with Sliding window, non-broking reconnects
+- Web Control: statistic, state of health, latency, client experience...

README.ru.md

@@ -1,123 +0,0 @@
-# Telemt — MTProxy на Rust + Tokio
-
-***Решает проблемы раньше, чем другие узнают об их существовании***
-
-> [!Примечание]
->
-> Исправленный TLS ClientHello доступен в **Telegram Desktop** начиная с версии **6.7.2**: для работы с EE-MTProxy обновите клиент.
->
-> Исправленный TLS ClientHello доступен в **Telegram Android** начиная с версии **12.6.4**; **официальный релиз для iOS находится в процессе разработки**.
-
-<p align="center">
-  <a href="https://t.me/telemtrs">
-    <img src="docs/assets/telegram_button.png" alt="Мы в Telegram" width="200" />
-  </a>
-</p>
-
-**Telemt** — это быстрый, безопасный и функциональный сервер, написанный на Rust. Он полностью реализует официальный алгоритм прокси Telegram и добавляет множество улучшений для продакшена:
-
-- [ME Pool + Reader/Writer + Registry + Refill + Adaptive Floor + Trio-State + жизненный цикл генераций](https://github.com/telemt/telemt/blob/main/docs/model/MODEL.en.md);
-- [Полноценный API с управлением](https://github.com/telemt/telemt/blob/main/docs/API.md);
-- Защита от повторных атак (Anti-Replay on Sliding Window);
-- Метрики в формате Prometheus;
-- TLS-fronting и TCP-splicing для маскировки от DPI.
-
-![telemt_scheme](docs/assets/telemt.png)
-
-## Особенности
-
-⚓ Реализация **TLS-fronting** максимально приближена к поведению реального HTTPS-трафика.
-
-⚓ ***Middle-End Pool*** оптимизирован для высокой производительности.
-
-- Поддержка всех режимов MTProto proxy:
-  - Classic;
-  - Secure (префикс `dd`);
-  - Fake TLS (префикс `ee` + SNI fronting);
-- Защита от replay-атак;
-- Маскировка трафика (перенаправление неизвестных подключений на реальные сайты);
-- Настраиваемые keepalive, таймауты, IPv6 и «быстрый режим»;
-- Корректное завершение работы (Ctrl+C);
-- Подробное логирование через `trace` и `debug`.
-
-# Навигация
-- [FAQ](#faq)
-- [Архитектура](docs/Architecture)
-- [Быстрый старт](#quick-start-guide)
-- [Параметры конфигурационного файла](docs/Config_params)
-- [Сборка](#build)
-- [Почему Rust?](#why-rust)
-- [Известные проблемы](#issues)
-- [Планы](#roadmap)
-
-## Быстрый старт
-- [Quick Start Guide RU](docs/Quick_start/QUICK_START_GUIDE.ru.md)
-- [Quick Start Guide EN](docs/Quick_start/QUICK_START_GUIDE.en.md)
-
-## FAQ
-
-- [FAQ RU](docs/FAQ.ru.md)
-- [FAQ EN](docs/FAQ.en.md)
-
-## Сборка
-
-```bash
-# Клонируйте репозиторий
-git clone https://github.com/telemt/telemt 
-# Смените каталог на telemt
-cd telemt
-# Начните процесс сборки
-cargo build --release
-
-# Устройства с небольшим объёмом оперативной памяти (1 ГБ, например NanoPi Neo3 / Raspberry Pi Zero 2):
-# используется параметр lto = «thin» для уменьшения пикового потребления памяти.
-# Если ваш пользовательский набор инструментов переопределяет профили, не используйте Fat LTO.
-
-# Перейдите в каталог /bin
-mv ./target/release/telemt /bin
-# Сделайте файл исполняемым
-chmod +x /bin/telemt
-# Запустите!
-telemt config.toml
-```
-
-### Устройства с малым объемом RAM
-Для устройств с ~1 ГБ RAM (например Raspberry Pi):
-- используется облегчённая оптимизация линковщика (thin LTO);
-- не рекомендуется включать fat LTO.
-
-## OpenBSD
-
-- Руководство по сборке и настройке на английском языке [OpenBSD Guide (EN)](docs/Quick_start/OPENBSD_QUICK_START_GUIDE.en.md);
-- Пример rc.d скрипта: [contrib/openbsd/telemt.rcd](contrib/openbsd/telemt.rcd);
-- Поддержка sandbox с `pledge(2)` и `unveil(2)` пока не реализована.
-
-## Почему Rust?
-
-- Надёжность для долгоживущих процессов;
-- Детерминированное управление ресурсами (RAII);
-- Отсутствие сборщика мусора;
-- Безопасность памяти;
-- Асинхронная архитектура Tokio.
-
-## Известные проблемы
-
-- ✅ [Поддержка SOCKS5 как upstream](https://github.com/telemt/telemt/issues/1) -> добавлен Upstream Management;
-- ✅ [Проблема зависания загрузки медиа на iOS](https://github.com/telemt/telemt/issues/2).
-
-## Планы
-
-- Публичный IP в ссылках;
-- Перезагрузка конфигурации на лету;
-- Привязка к устройству или IP для входящих и исходящих соединений;
-- Поддержка рекламных тегов по SNI / секретному ключу;
-- Улучшенная обработка ошибок;
-- Zero-copy оптимизации;
-- Проверка состояния дата-центров;
-- Отсутствие глобального изменяемого состояния;
-- Изоляция клиентов и справедливое распределение трафика;
-- «Политика секретов» — маршрутизация по SNI / секрету;
-- Балансировщик с несколькими источниками и отработка отказов;
-- Строгие FSM для handshake;
-- Улучшенная защита от replay-атак;
-- Веб-интерфейс: статистика, состояние работоспособности, задержка, пользовательский опыт...

docs/CONFIG_PARAMS.en.md

@@ -0,0 +1,448 @@
+# Telemt Config Parameters Reference
+
+This document lists all configuration keys accepted by `config.toml`.
+
+> [!WARNING]
+> 
+> The configuration parameters detailed in this document are intended for advanced users and fine-tuning purposes. Modifying these settings without a clear understanding of their function may lead to application instability or other unexpected behavior. Please proceed with caution and at your own risk.
+
+## Top-level keys
+
+| Parameter | Type | Default | Constraints / validation | Description |
+|---|---|---|---|---|
+| include | `String` (special directive) | `null` | — | Includes another TOML file with `include = "relative/or/absolute/path.toml"`; includes are processed recursively before parsing. |
+| show_link | `"*" \| String[]` | `[]` (`ShowLink::None`) | — | Legacy top-level link visibility selector (`"*"` for all users or explicit usernames list). |
+| dc_overrides | `Map<String, String[]>` | `{}` | — | Overrides DC endpoints for non-standard DCs; key is DC id string, value is `ip:port` list. |
+| default_dc | `u8 \| null` | `null` (effective fallback: `2` in ME routing) | — | Default DC index used for unmapped non-standard DCs. |
+
+## [general]
+
+| Parameter | Type | Default | Constraints / validation | Description |
+|---|---|---|---|---|
+| data_path | `String \| null` | `null` | — | Optional runtime data directory path. |
+| prefer_ipv6 | `bool` | `false` | Deprecated. Use `network.prefer`. | Deprecated legacy IPv6 preference flag migrated to `network.prefer`. |
+| fast_mode | `bool` | `true` | — | Enables fast-path optimizations for traffic processing. |
+| use_middle_proxy | `bool` | `true` | none | Enables ME transport mode; if `false`, runtime falls back to direct DC routing. |
+| proxy_secret_path | `String \| null` | `"proxy-secret"` | Path may be `null`. | Path to Telegram infrastructure proxy-secret file used by ME handshake logic. |
+| proxy_config_v4_cache_path | `String \| null` | `"cache/proxy-config-v4.txt"` | — | Optional cache path for raw `getProxyConfig` (IPv4) snapshot. |
+| proxy_config_v6_cache_path | `String \| null` | `"cache/proxy-config-v6.txt"` | — | Optional cache path for raw `getProxyConfigV6` (IPv6) snapshot. |
+| ad_tag | `String \| null` | `null` | — | Global fallback ad tag (32 hex characters). |
+| middle_proxy_nat_ip | `IpAddr \| null` | `null` | Must be a valid IP when set. | Manual public NAT IP override used as ME address material when set. |
+| middle_proxy_nat_probe | `bool` | `true` | Auto-forced to `true` when `use_middle_proxy = true`. | Enables ME NAT probing; runtime may force it on when ME mode is active. |
+| middle_proxy_nat_stun | `String \| null` | `null` | Deprecated. Use `network.stun_servers`. | Deprecated legacy single STUN server for NAT probing. |
+| middle_proxy_nat_stun_servers | `String[]` | `[]` | Deprecated. Use `network.stun_servers`. | Deprecated legacy STUN list for NAT probing fallback. |
+| stun_nat_probe_concurrency | `usize` | `8` | Must be `> 0`. | Maximum number of parallel STUN probes during NAT/public endpoint discovery. |
+| middle_proxy_pool_size | `usize` | `8` | none | Target size of active ME writer pool. |
+| middle_proxy_warm_standby | `usize` | `16` | none | Reserved compatibility field in current runtime revision. |
+| me_init_retry_attempts | `u32` | `0` | `0..=1_000_000`. | Startup retries for ME pool initialization (`0` means unlimited). |
+| me2dc_fallback | `bool` | `true` | — | Allows fallback from ME mode to direct DC when ME startup fails. |
+| me_keepalive_enabled | `bool` | `true` | none | Enables periodic ME keepalive/ping traffic. |
+| me_keepalive_interval_secs | `u64` | `8` | none | Base ME keepalive interval in seconds. |
+| me_keepalive_jitter_secs | `u64` | `2` | none | Keepalive jitter in seconds to reduce synchronized bursts. |
+| me_keepalive_payload_random | `bool` | `true` | none | Randomizes keepalive payload bytes instead of fixed zero payload. |
+| rpc_proxy_req_every | `u64` | `0` | `0` or `10..=300`. | Interval for service `RPC_PROXY_REQ` activity signals (`0` disables). |
+| me_writer_cmd_channel_capacity | `usize` | `4096` | Must be `> 0`. | Capacity of per-writer command channel. |
+| me_route_channel_capacity | `usize` | `768` | Must be `> 0`. | Capacity of per-connection ME response route channel. |
+| me_c2me_channel_capacity | `usize` | `1024` | Must be `> 0`. | Capacity of per-client command queue (client reader -> ME sender). |
+| me_c2me_send_timeout_ms | `u64` | `4000` | `0..=60000`. | Maximum wait for enqueueing client->ME commands when the per-client queue is full (`0` keeps legacy unbounded wait). |
+| me_reader_route_data_wait_ms | `u64` | `2` | `0..=20`. | Bounded wait for routing ME DATA to per-connection queue (`0` = no wait). |
+| me_d2c_flush_batch_max_frames | `usize` | `32` | `1..=512`. | Max ME->client frames coalesced before flush. |
+| me_d2c_flush_batch_max_bytes | `usize` | `131072` | `4096..=2_097_152`. | Max ME->client payload bytes coalesced before flush. |
+| me_d2c_flush_batch_max_delay_us | `u64` | `500` | `0..=5000`. | Max microsecond wait for coalescing more ME->client frames (`0` disables timed coalescing). |
+| me_d2c_ack_flush_immediate | `bool` | `true` | — | Flushes client writer immediately after quick-ack write. |
+| me_quota_soft_overshoot_bytes | `u64` | `65536` | `0..=16_777_216`. | Extra per-route quota allowance (bytes) tolerated before writer-side quota enforcement drops route data. |
+| me_d2c_frame_buf_shrink_threshold_bytes | `usize` | `262144` | `4096..=16_777_216`. | Threshold for shrinking oversized ME->client frame-aggregation buffers after flush. |
+| direct_relay_copy_buf_c2s_bytes | `usize` | `65536` | `4096..=1_048_576`. | Copy buffer size for client->DC direction in direct relay. |
+| direct_relay_copy_buf_s2c_bytes | `usize` | `262144` | `8192..=2_097_152`. | Copy buffer size for DC->client direction in direct relay. |
+| crypto_pending_buffer | `usize` | `262144` | — | Max pending ciphertext buffer per client writer (bytes). |
+| max_client_frame | `usize` | `16777216` | — | Maximum allowed client MTProto frame size (bytes). |
+| desync_all_full | `bool` | `false` | — | Emits full crypto-desync forensic logs for every event. |
+| beobachten | `bool` | `true` | — | Enables per-IP forensic observation buckets. |
+| beobachten_minutes | `u64` | `10` | Must be `> 0`. | Retention window (minutes) for per-IP observation buckets. |
+| beobachten_flush_secs | `u64` | `15` | Must be `> 0`. | Snapshot flush interval (seconds) for observation output file. |
+| beobachten_file | `String` | `"cache/beobachten.txt"` | — | Observation snapshot output file path. |
+| hardswap | `bool` | `true` | none | Enables generation-based ME hardswap strategy. |
+| me_warmup_stagger_enabled | `bool` | `true` | none | Staggers extra ME warmup dials to avoid connection spikes. |
+| me_warmup_step_delay_ms | `u64` | `500` | none | Base delay in milliseconds between warmup dial steps. |
+| me_warmup_step_jitter_ms | `u64` | `300` | none | Additional random delay in milliseconds for warmup steps. |
+| me_reconnect_max_concurrent_per_dc | `u32` | `8` | none | Limits concurrent reconnect workers per DC during health recovery. |
+| me_reconnect_backoff_base_ms | `u64` | `500` | none | Initial reconnect backoff in milliseconds. |
+| me_reconnect_backoff_cap_ms | `u64` | `30000` | none | Maximum reconnect backoff cap in milliseconds. |
+| me_reconnect_fast_retry_count | `u32` | `16` | none | Immediate retry budget before long backoff behavior applies. |
+| me_single_endpoint_shadow_writers | `u8` | `2` | `0..=32`. | Additional reserve writers for one-endpoint DC groups. |
+| me_single_endpoint_outage_mode_enabled | `bool` | `true` | — | Enables aggressive outage recovery for one-endpoint DC groups. |
+| me_single_endpoint_outage_disable_quarantine | `bool` | `true` | — | Ignores endpoint quarantine in one-endpoint outage mode. |
+| me_single_endpoint_outage_backoff_min_ms | `u64` | `250` | Must be `> 0`; also `<= me_single_endpoint_outage_backoff_max_ms`. | Minimum reconnect backoff in outage mode (ms). |
+| me_single_endpoint_outage_backoff_max_ms | `u64` | `3000` | Must be `> 0`; also `>= me_single_endpoint_outage_backoff_min_ms`. | Maximum reconnect backoff in outage mode (ms). |
+| me_single_endpoint_shadow_rotate_every_secs | `u64` | `900` | — | Periodic shadow writer rotation interval (`0` disables). |
+| me_floor_mode | `"static" \| "adaptive"` | `"adaptive"` | — | Writer floor policy mode. |
+| me_adaptive_floor_idle_secs | `u64` | `90` | — | Idle time before adaptive floor may reduce one-endpoint target. |
+| me_adaptive_floor_min_writers_single_endpoint | `u8` | `1` | `1..=32`. | Minimum adaptive writer target for one-endpoint DC groups. |
+| me_adaptive_floor_min_writers_multi_endpoint | `u8` | `1` | `1..=32`. | Minimum adaptive writer target for multi-endpoint DC groups. |
+| me_adaptive_floor_recover_grace_secs | `u64` | `180` | — | Grace period to hold static floor after activity. |
+| me_adaptive_floor_writers_per_core_total | `u16` | `48` | Must be `> 0`. | Global writer budget per logical CPU core in adaptive mode. |
+| me_adaptive_floor_cpu_cores_override | `u16` | `0` | — | Manual CPU core count override (`0` uses auto-detection). |
+| me_adaptive_floor_max_extra_writers_single_per_core | `u16` | `1` | — | Per-core max extra writers above base floor for one-endpoint DCs. |
+| me_adaptive_floor_max_extra_writers_multi_per_core | `u16` | `2` | — | Per-core max extra writers above base floor for multi-endpoint DCs. |
+| me_adaptive_floor_max_active_writers_per_core | `u16` | `64` | Must be `> 0`. | Hard cap for active ME writers per logical CPU core. |
+| me_adaptive_floor_max_warm_writers_per_core | `u16` | `64` | Must be `> 0`. | Hard cap for warm ME writers per logical CPU core. |
+| me_adaptive_floor_max_active_writers_global | `u32` | `256` | Must be `> 0`. | Hard global cap for active ME writers. |
+| me_adaptive_floor_max_warm_writers_global | `u32` | `256` | Must be `> 0`. | Hard global cap for warm ME writers. |
+| upstream_connect_retry_attempts | `u32` | `2` | Must be `> 0`. | Connect attempts for selected upstream before error/fallback. |
+| upstream_connect_retry_backoff_ms | `u64` | `100` | — | Delay between upstream connect attempts (ms). |
+| upstream_connect_budget_ms | `u64` | `3000` | Must be `> 0`. | Total wall-clock budget for one upstream connect request (ms). |
+| upstream_unhealthy_fail_threshold | `u32` | `5` | Must be `> 0`. | Consecutive failed requests before upstream is marked unhealthy. |
+| upstream_connect_failfast_hard_errors | `bool` | `false` | — | Skips additional retries for hard non-transient connect errors. |
+| stun_iface_mismatch_ignore | `bool` | `false` | none | Reserved compatibility flag in current runtime revision. |
+| unknown_dc_log_path | `String \| null` | `"unknown-dc.txt"` | — | File path for unknown-DC request logging (`null` disables file path). |
+| unknown_dc_file_log_enabled | `bool` | `false` | — | Enables unknown-DC file logging. |
+| log_level | `"debug" \| "verbose" \| "normal" \| "silent"` | `"normal"` | — | Runtime logging verbosity. |
+| disable_colors | `bool` | `false` | — | Disables ANSI colors in logs. |
+| me_socks_kdf_policy | `"strict" \| "compat"` | `"strict"` | — | SOCKS-bound KDF fallback policy for ME handshake. |
+| me_route_backpressure_base_timeout_ms | `u64` | `25` | Must be `> 0`. | Base backpressure timeout for route-channel send (ms). |
+| me_route_backpressure_high_timeout_ms | `u64` | `120` | Must be `>= me_route_backpressure_base_timeout_ms`. | High backpressure timeout when queue occupancy exceeds watermark (ms). |
+| me_route_backpressure_high_watermark_pct | `u8` | `80` | `1..=100`. | Queue occupancy threshold (%) for high timeout mode. |
+| me_health_interval_ms_unhealthy | `u64` | `1000` | Must be `> 0`. | Health monitor interval while writer coverage is degraded (ms). |
+| me_health_interval_ms_healthy | `u64` | `3000` | Must be `> 0`. | Health monitor interval while writer coverage is healthy (ms). |
+| me_admission_poll_ms | `u64` | `1000` | Must be `> 0`. | Poll interval for conditional-admission checks (ms). |
+| me_warn_rate_limit_ms | `u64` | `5000` | Must be `> 0`. | Cooldown for repetitive ME warning logs (ms). |
+| me_route_no_writer_mode | `"async_recovery_failfast" \| "inline_recovery_legacy" \| "hybrid_async_persistent"` | `"hybrid_async_persistent"` | — | Route behavior when no writer is immediately available. |
+| me_route_no_writer_wait_ms | `u64` | `250` | `10..=5000`. | Max wait in async-recovery failfast mode (ms). |
+| me_route_hybrid_max_wait_ms | `u64` | `3000` | `50..=60000`. | Maximum cumulative wait in hybrid no-writer mode before failfast fallback (ms). |
+| me_route_blocking_send_timeout_ms | `u64` | `250` | `0..=5000`. | Maximum wait for blocking route-channel send fallback (`0` keeps legacy unbounded wait). |
+| me_route_inline_recovery_attempts | `u32` | `3` | Must be `> 0`. | Inline recovery attempts in legacy mode. |
+| me_route_inline_recovery_wait_ms | `u64` | `3000` | `10..=30000`. | Max inline recovery wait in legacy mode (ms). |
+| fast_mode_min_tls_record | `usize` | `0` | — | Minimum TLS record size when fast-mode coalescing is enabled (`0` disables). |
+| update_every | `u64 \| null` | `300` | If set: must be `> 0`; if `null`: legacy fallback path is used. | Unified refresh interval for ME config and proxy-secret updater tasks. |
+| me_reinit_every_secs | `u64` | `900` | Must be `> 0`. | Periodic interval for zero-downtime ME reinit cycle. |
+| me_hardswap_warmup_delay_min_ms | `u64` | `1000` | Must be `<= me_hardswap_warmup_delay_max_ms`. | Lower bound for hardswap warmup dial spacing. |
+| me_hardswap_warmup_delay_max_ms | `u64` | `2000` | Must be `> 0`. | Upper bound for hardswap warmup dial spacing. |
+| me_hardswap_warmup_extra_passes | `u8` | `3` | Must be within `[0, 10]`. | Additional warmup passes after the base pass in one hardswap cycle. |
+| me_hardswap_warmup_pass_backoff_base_ms | `u64` | `500` | Must be `> 0`. | Base backoff between extra hardswap warmup passes. |
+| me_config_stable_snapshots | `u8` | `2` | Must be `> 0`. | Number of identical ME config snapshots required before apply. |
+| me_config_apply_cooldown_secs | `u64` | `300` | none | Cooldown between applied ME endpoint-map updates. |
+| me_snapshot_require_http_2xx | `bool` | `true` | — | Requires 2xx HTTP responses for applying config snapshots. |
+| me_snapshot_reject_empty_map | `bool` | `true` | — | Rejects empty config snapshots. |
+| me_snapshot_min_proxy_for_lines | `u32` | `1` | Must be `> 0`. | Minimum parsed `proxy_for` rows required to accept snapshot. |
+| proxy_secret_stable_snapshots | `u8` | `2` | Must be `> 0`. | Number of identical proxy-secret snapshots required before rotation. |
+| proxy_secret_rotate_runtime | `bool` | `true` | none | Enables runtime proxy-secret rotation from updater snapshots. |
+| me_secret_atomic_snapshot | `bool` | `true` | — | Keeps selector and secret bytes from the same snapshot atomically. |
+| proxy_secret_len_max | `usize` | `256` | Must be within `[32, 4096]`. | Upper length limit for accepted proxy-secret bytes. |
+| me_pool_drain_ttl_secs | `u64` | `90` | none | Time window where stale writers remain fallback-eligible after map change. |
+| me_instadrain | `bool` | `false` | — | Forces draining stale writers to be removed on the next cleanup tick, bypassing TTL/deadline waiting. |
+| me_pool_drain_threshold | `u64` | `128` | — | Max draining stale writers before batch force-close (`0` disables threshold cleanup). |
+| me_pool_drain_soft_evict_enabled | `bool` | `true` | — | Enables gradual soft-eviction of stale writers during drain/reinit instead of immediate hard close. |
+| me_pool_drain_soft_evict_grace_secs | `u64` | `30` | `0..=3600`. | Grace period before stale writers become soft-evict candidates. |
+| me_pool_drain_soft_evict_per_writer | `u8` | `1` | `1..=16`. | Maximum stale routes soft-evicted per writer in one eviction pass. |
+| me_pool_drain_soft_evict_budget_per_core | `u16` | `8` | `1..=64`. | Per-core budget limiting aggregate soft-eviction work per pass. |
+| me_pool_drain_soft_evict_cooldown_ms | `u64` | `5000` | Must be `> 0`. | Cooldown between consecutive soft-eviction passes (ms). |
+| me_bind_stale_mode | `"never" \| "ttl" \| "always"` | `"ttl"` | — | Policy for new binds on stale draining writers. |
+| me_bind_stale_ttl_secs | `u64` | `90` | — | TTL for stale bind allowance when stale mode is `ttl`. |
+| me_pool_min_fresh_ratio | `f32` | `0.8` | Must be within `[0.0, 1.0]`. | Minimum fresh desired-DC coverage ratio before stale writers are drained. |
+| me_reinit_drain_timeout_secs | `u64` | `120` | `0` disables force-close; if `> 0` and `< me_pool_drain_ttl_secs`, runtime bumps it to TTL. | Force-close timeout for draining stale writers (`0` keeps indefinite draining). |
+| proxy_secret_auto_reload_secs | `u64` | `3600` | Deprecated. Use `general.update_every`. | Deprecated legacy secret reload interval (fallback when `update_every` is not set). |
+| proxy_config_auto_reload_secs | `u64` | `3600` | Deprecated. Use `general.update_every`. | Deprecated legacy config reload interval (fallback when `update_every` is not set). |
+| me_reinit_singleflight | `bool` | `true` | — | Serializes ME reinit cycles across trigger sources. |
+| me_reinit_trigger_channel | `usize` | `64` | Must be `> 0`. | Trigger queue capacity for reinit scheduler. |
+| me_reinit_coalesce_window_ms | `u64` | `200` | — | Trigger coalescing window before starting reinit (ms). |
+| me_deterministic_writer_sort | `bool` | `true` | — | Enables deterministic candidate sort for writer binding path. |
+| me_writer_pick_mode | `"sorted_rr" \| "p2c"` | `"p2c"` | — | Writer selection mode for route bind path. |
+| me_writer_pick_sample_size | `u8` | `3` | `2..=4`. | Number of candidates sampled by picker in `p2c` mode. |
+| ntp_check | `bool` | `true` | — | Enables NTP drift check at startup. |
+| ntp_servers | `String[]` | `["pool.ntp.org"]` | — | NTP servers used for drift check. |
+| auto_degradation_enabled | `bool` | `true` | none | Reserved compatibility flag in current runtime revision. |
+| degradation_min_unavailable_dc_groups | `u8` | `2` | none | Reserved compatibility threshold in current runtime revision. |
+
+## [general.modes]
+
+| Parameter | Type | Default | Constraints / validation | Description |
+|---|---|---|---|---|
+| classic | `bool` | `false` | — | Enables classic MTProxy mode. |
+| secure | `bool` | `false` | — | Enables secure mode. |
+| tls | `bool` | `true` | — | Enables TLS mode. |
+
+## [general.links]
+
+| Parameter | Type | Default | Constraints / validation | Description |
+|---|---|---|---|---|
+| show | `"*" \| String[]` | `"*"` | — | Selects users whose tg:// links are shown at startup. |
+| public_host | `String \| null` | `null` | — | Public hostname/IP override for generated tg:// links. |
+| public_port | `u16 \| null` | `null` | — | Public port override for generated tg:// links. |
+
+## [general.telemetry]
+
+| Parameter | Type | Default | Constraints / validation | Description |
+|---|---|---|---|---|
+| core_enabled | `bool` | `true` | — | Enables core hot-path telemetry counters. |
+| user_enabled | `bool` | `true` | — | Enables per-user telemetry counters. |
+| me_level | `"silent" \| "normal" \| "debug"` | `"normal"` | — | Middle-End telemetry verbosity level. |
+
+## [network]
+
+| Parameter | Type | Default | Constraints / validation | Description |
+|---|---|---|---|---|
+| ipv4 | `bool` | `true` | — | Enables IPv4 networking. |
+| ipv6 | `bool` | `false` | — | Enables/disables IPv6 when set |
+| prefer | `u8` | `4` | Must be `4` or `6`. | Preferred IP family for selection (`4` or `6`). |
+| multipath | `bool` | `false` | — | Enables multipath behavior where supported. |
+| stun_use | `bool` | `true` | none | Global STUN switch; when `false`, STUN probing path is disabled. |
+| stun_servers | `String[]` | Built-in STUN list (13 hosts) | Deduplicated; empty values are removed. | Primary STUN server list for NAT/public endpoint discovery. |
+| stun_tcp_fallback | `bool` | `true` | none | Enables TCP fallback for STUN when UDP path is blocked. |
+| http_ip_detect_urls | `String[]` | `["https://ifconfig.me/ip", "https://api.ipify.org"]` | none | HTTP fallback endpoints for public IP detection when STUN is unavailable. |
+| cache_public_ip_path | `String` | `"cache/public_ip.txt"` | — | File path for caching detected public IP. |
+| dns_overrides | `String[]` | `[]` | Must match `host:port:ip`; IPv6 must be bracketed. | Runtime DNS overrides in `host:port:ip` format. |
+
+## [server]
+
+| Parameter | Type | Default | Constraints / validation | Description |
+|---|---|---|---|---|
+| port | `u16` | `443` | — | Main proxy listen port. |
+| listen_addr_ipv4 | `String \| null` | `"0.0.0.0"` | — | IPv4 bind address for TCP listener. |
+| listen_addr_ipv6 | `String \| null` | `"::"` | — | IPv6 bind address for TCP listener. |
+| listen_unix_sock | `String \| null` | `null` | — | Unix socket path for listener. |
+| listen_unix_sock_perm | `String \| null` | `null` | — | Unix socket permissions in octal string (e.g., `"0666"`). |
+| listen_tcp | `bool \| null` | `null` (auto) | — | Explicit TCP listener enable/disable override. |
+| proxy_protocol | `bool` | `false` | — | Enables HAProxy PROXY protocol parsing on incoming client connections. |
+| proxy_protocol_header_timeout_ms | `u64` | `500` | Must be `> 0`. | Timeout for PROXY protocol header read/parse (ms). |
+| proxy_protocol_trusted_cidrs | `IpNetwork[]` | `[]` | — | When non-empty, only connections from these proxy source CIDRs are allowed to provide PROXY protocol headers. If empty, PROXY headers are rejected by default (security hardening). |
+| metrics_port | `u16 \| null` | `null` | — | Metrics endpoint port (enables metrics listener). |
+| metrics_listen | `String \| null` | `null` | — | Full metrics bind address (`IP:PORT`), overrides `metrics_port`. |
+| metrics_whitelist | `IpNetwork[]` | `["127.0.0.1/32", "::1/128"]` | — | CIDR whitelist for metrics endpoint access. |
+| max_connections | `u32` | `10000` | — | Max concurrent client connections (`0` = unlimited). |
+| accept_permit_timeout_ms | `u64` | `250` | `0..=60000`. | Maximum wait for acquiring a connection-slot permit before the accepted connection is dropped (`0` keeps legacy unbounded wait). |
+
+Note: When `server.proxy_protocol` is enabled, incoming PROXY protocol headers are parsed from the first bytes of the connection and the client source address is replaced with `src_addr` from the header. For security, the peer source IP (the direct connection address) is verified against `server.proxy_protocol_trusted_cidrs`; if this list is empty, PROXY headers are rejected and the connection is considered untrusted. 
+
+## [server.api]
+
+| Parameter | Type | Default | Constraints / validation | Description |
+|---|---|---|---|---|
+| enabled | `bool` | `true` | — | Enables control-plane REST API. |
+| listen | `String` | `"0.0.0.0:9091"` | Must be valid `IP:PORT`. | API bind address in `IP:PORT` format. |
+| whitelist | `IpNetwork[]` | `["127.0.0.0/8"]` | — | CIDR whitelist allowed to access API. |
+| auth_header | `String` | `""` | — | Exact expected `Authorization` header value (empty = disabled). |
+| request_body_limit_bytes | `usize` | `65536` | Must be `> 0`. | Maximum accepted HTTP request body size. |
+| minimal_runtime_enabled | `bool` | `true` | — | Enables minimal runtime snapshots endpoint logic. |
+| minimal_runtime_cache_ttl_ms | `u64` | `1000` | `0..=60000`. | Cache TTL for minimal runtime snapshots (ms; `0` disables cache). |
+| runtime_edge_enabled | `bool` | `false` | — | Enables runtime edge endpoints. |
+| runtime_edge_cache_ttl_ms | `u64` | `1000` | `0..=60000`. | Cache TTL for runtime edge aggregation payloads (ms). |
+| runtime_edge_top_n | `usize` | `10` | `1..=1000`. | Top-N size for edge connection leaderboard. |
+| runtime_edge_events_capacity | `usize` | `256` | `16..=4096`. | Ring-buffer capacity for runtime edge events. |
+| read_only | `bool` | `false` | — | Rejects mutating API endpoints when enabled. |
+
+## [[server.listeners]]
+
+| Parameter | Type | Default | Constraints / validation | Description |
+|---|---|---|---|---|
+| ip | `IpAddr` | — | — | Listener bind IP. |
+| announce | `String \| null` | — | — | Public IP/domain announced in proxy links (priority over `announce_ip`). |
+| announce_ip | `IpAddr \| null` | — | Deprecated. Use `announce`. | Deprecated legacy announce IP (migrated to `announce` if needed). |
+| proxy_protocol | `bool \| null` | `null` | — | Per-listener override for PROXY protocol enable flag. |
+| reuse_allow | `bool` | `false` | — | Enables `SO_REUSEPORT` for multi-instance bind sharing. |
+
+## [timeouts]
+
+| Parameter | Type | Default | Constraints / validation | Description |
+|---|---|---|---|---|
+| client_handshake | `u64` | `30` | — | Client handshake timeout. |
+| relay_idle_policy_v2_enabled | `bool` | `true` | — | Enables soft/hard middle-relay client idle policy. |
+| relay_client_idle_soft_secs | `u64` | `120` | Must be `> 0`; must be `<= relay_client_idle_hard_secs`. | Soft idle threshold for middle-relay client uplink inactivity (seconds). |
+| relay_client_idle_hard_secs | `u64` | `360` | Must be `> 0`; must be `>= relay_client_idle_soft_secs`. | Hard idle threshold for middle-relay client uplink inactivity (seconds). |
+| relay_idle_grace_after_downstream_activity_secs | `u64` | `30` | Must be `<= relay_client_idle_hard_secs`. | Extra hard-idle grace after recent downstream activity (seconds). |
+| tg_connect | `u64` | `10` | — | Upstream Telegram connect timeout. |
+| client_keepalive | `u64` | `15` | — | Client keepalive timeout. |
+| client_ack | `u64` | `90` | — | Client ACK timeout. |
+| me_one_retry | `u8` | `12` | none | Fast reconnect attempts budget for single-endpoint DC scenarios. |
+| me_one_timeout_ms | `u64` | `1200` | none | Timeout in milliseconds for each quick single-endpoint reconnect attempt. |
+
+## [censorship]
+
+| Parameter | Type | Default | Constraints / validation | Description |
+|---|---|---|---|---|
+| tls_domain | `String` | `"petrovich.ru"` | — | Primary TLS domain used in fake TLS handshake profile. |
+| tls_domains | `String[]` | `[]` | — | Additional TLS domains for generating multiple links. |
+| unknown_sni_action | `"drop" \| "mask"` | `"drop"` | — | Action for TLS ClientHello with unknown/non-configured SNI. |
+| tls_fetch_scope | `String` | `""` | Value is trimmed during load; empty keeps default upstream routing behavior. | Upstream scope tag used for TLS-front metadata fetches. |
+| tls_fetch | `Table` | built-in defaults | See `[censorship.tls_fetch]` section below. | TLS-front metadata fetch strategy settings. |
+| mask | `bool` | `true` | — | Enables masking/fronting relay mode. |
+| mask_host | `String \| null` | `null` | — | Upstream mask host for TLS fronting relay. |
+| mask_port | `u16` | `443` | — | Upstream mask port for TLS fronting relay. |
+| mask_unix_sock | `String \| null` | `null` | — | Unix socket path for mask backend instead of TCP host/port. |
+| fake_cert_len | `usize` | `2048` | — | Length of synthetic certificate payload when emulation data is unavailable. |
+| tls_emulation | `bool` | `true` | — | Enables certificate/TLS behavior emulation from cached real fronts. |
+| tls_front_dir | `String` | `"tlsfront"` | — | Directory path for TLS front cache storage. |
+| server_hello_delay_min_ms | `u64` | `0` | — | Minimum server_hello delay for anti-fingerprint behavior (ms). |
+| server_hello_delay_max_ms | `u64` | `0` | — | Maximum server_hello delay for anti-fingerprint behavior (ms). |
+| tls_new_session_tickets | `u8` | `0` | — | Number of `NewSessionTicket` messages to emit after handshake. |
+| tls_full_cert_ttl_secs | `u64` | `90` | — | TTL for sending full cert payload per (domain, client IP) tuple. |
+| alpn_enforce | `bool` | `true` | — | Enforces ALPN echo behavior based on client preference. |
+| mask_proxy_protocol | `u8` | `0` | — | PROXY protocol mode for mask backend (`0` disabled, `1` v1, `2` v2). |
+| mask_shape_hardening | `bool` | `true` | — | Enables client->mask shape-channel hardening by applying controlled tail padding to bucket boundaries on mask relay shutdown. |
+| mask_shape_hardening_aggressive_mode | `bool` | `false` | Requires `mask_shape_hardening = true`. | Opt-in aggressive shaping profile: allows shaping on backend-silent non-EOF paths and switches above-cap blur to strictly positive random tail. |
+| mask_shape_bucket_floor_bytes | `usize` | `512` | Must be `> 0`; should be `<= mask_shape_bucket_cap_bytes`. | Minimum bucket size used by shape-channel hardening. |
+| mask_shape_bucket_cap_bytes | `usize` | `4096` | Must be `>= mask_shape_bucket_floor_bytes`. | Maximum bucket size used by shape-channel hardening; traffic above cap is not padded further. |
+| mask_shape_above_cap_blur | `bool` | `false` | Requires `mask_shape_hardening = true`; requires `mask_shape_above_cap_blur_max_bytes > 0`. | Adds bounded randomized tail bytes even when forwarded size already exceeds cap. |
+| mask_shape_above_cap_blur_max_bytes | `usize` | `512` | Must be `<= 1048576`; must be `> 0` when `mask_shape_above_cap_blur = true`. | Maximum randomized extra bytes appended above cap. |
+| mask_relay_max_bytes | `usize` | `5242880` | Must be `> 0`; must be `<= 67108864`. | Maximum relayed bytes per direction on unauthenticated masking fallback path. |
+| mask_classifier_prefetch_timeout_ms | `u64` | `5` | Must be within `[5, 50]`. | Timeout budget (ms) for extending fragmented initial classifier window on masking fallback. |
+| mask_timing_normalization_enabled | `bool` | `false` | Requires `mask_timing_normalization_floor_ms > 0`; requires `ceiling >= floor`. | Enables timing envelope normalization on masking outcomes. |
+| mask_timing_normalization_floor_ms | `u64` | `0` | Must be `> 0` when timing normalization is enabled; must be `<= ceiling`. | Lower bound (ms) for masking outcome normalization target. |
+| mask_timing_normalization_ceiling_ms | `u64` | `0` | Must be `>= floor`; must be `<= 60000`. | Upper bound (ms) for masking outcome normalization target. |
+
+## [censorship.tls_fetch]
+
+| Parameter | Type | Default | Constraints / validation | Description |
+|---|---|---|---|---|
+| profiles | `("modern_chrome_like" \| "modern_firefox_like" \| "compat_tls12" \| "legacy_minimal")[]` | `["modern_chrome_like", "modern_firefox_like", "compat_tls12", "legacy_minimal"]` | Empty list falls back to defaults; values are deduplicated preserving order. | Ordered ClientHello profile fallback chain for TLS-front metadata fetch. |
+| strict_route | `bool` | `true` | — | Fails closed on upstream-route connect errors instead of falling back to direct TCP when route is configured. |
+| attempt_timeout_ms | `u64` | `5000` | Must be `> 0`. | Timeout budget per one TLS-fetch profile attempt (ms). |
+| total_budget_ms | `u64` | `15000` | Must be `> 0`. | Total wall-clock budget across all TLS-fetch attempts (ms). |
+| grease_enabled | `bool` | `false` | — | Enables GREASE-style random values in selected ClientHello extensions for fetch traffic. |
+| deterministic | `bool` | `false` | — | Enables deterministic ClientHello randomness for debugging/tests. |
+| profile_cache_ttl_secs | `u64` | `600` | `0` disables cache. | TTL for winner-profile cache entries used by TLS fetch path. |
+
+### Shape-channel hardening notes (`[censorship]`)
+
+These parameters are designed to reduce one specific fingerprint source during masking: the exact number of bytes sent from proxy to `mask_host` for invalid or probing traffic.
+
+Without hardening, a censor can often correlate probe input length with backend-observed length very precisely (for example: `5 + body_sent` on early TLS reject paths). That creates a length-based classifier signal.
+
+When `mask_shape_hardening = true`, Telemt pads the **client->mask** stream tail to a bucket boundary at relay shutdown:
+
+- Total bytes sent to mask are first measured.
+- A bucket is selected using powers of two starting from `mask_shape_bucket_floor_bytes`.
+- Padding is added only if total bytes are below `mask_shape_bucket_cap_bytes`.
+- If bytes already exceed cap, no extra padding is added.
+
+This means multiple nearby probe sizes collapse into the same backend-observed size class, making active classification harder.
+
+What each parameter changes in practice:
+
+- `mask_shape_hardening`
+	Enables or disables this entire length-shaping stage on the fallback path.
+	When `false`, backend-observed length stays close to the real forwarded probe length.
+	When `true`, clean relay shutdown can append random padding bytes to move the total into a bucket.
+
+- `mask_shape_bucket_floor_bytes`
+	Sets the first bucket boundary used for small probes.
+	Example: with floor `512`, a malformed probe that would otherwise forward `37` bytes can be expanded to `512` bytes on clean EOF.
+	Larger floor values hide very small probes better, but increase egress cost.
+
+- `mask_shape_bucket_cap_bytes`
+	Sets the largest bucket Telemt will pad up to with bucket logic.
+	Example: with cap `4096`, a forwarded total of `1800` bytes may be padded to `2048` or `4096` depending on the bucket ladder, but a total already above `4096` will not be bucket-padded further.
+	Larger cap values increase the range over which size classes are collapsed, but also increase worst-case overhead.
+
+- Clean EOF matters in conservative mode
+	In the default profile, shape padding is intentionally conservative: it is applied on clean relay shutdown, not on every timeout/drip path.
+	This avoids introducing new timeout-tail artifacts that some backends or tests interpret as a separate fingerprint.
+
+Practical trade-offs:
+
+- Better anti-fingerprinting on size/shape channel.
+- Slightly higher egress overhead for small probes due to padding.
+- Behavior is intentionally conservative and enabled by default.
+
+Recommended starting profile:
+
+- `mask_shape_hardening = true` (default)
+- `mask_shape_bucket_floor_bytes = 512`
+- `mask_shape_bucket_cap_bytes = 4096`
+
+### Aggressive mode notes (`[censorship]`)
+
+`mask_shape_hardening_aggressive_mode` is an opt-in profile for higher anti-classifier pressure.
+
+- Default is `false` to preserve conservative timeout/no-tail behavior.
+- Requires `mask_shape_hardening = true`.
+- When enabled, backend-silent non-EOF masking paths may be shaped.
+- When enabled together with above-cap blur, the random extra tail uses `[1, max]` instead of `[0, max]`.
+
+What changes when aggressive mode is enabled:
+
+- Backend-silent timeout paths can be shaped
+	In default mode, a client that keeps the socket half-open and times out will usually not receive shape padding on that path.
+	In aggressive mode, Telemt may still shape that backend-silent session if no backend bytes were returned.
+	This is specifically aimed at active probes that try to avoid EOF in order to preserve an exact backend-observed length.
+
+- Above-cap blur always adds at least one byte
+	In default mode, above-cap blur may choose `0`, so some oversized probes still land on their exact base forwarded length.
+	In aggressive mode, that exact-base sample is removed by construction.
+
+- Tradeoff
+	Aggressive mode improves resistance to active length classifiers, but it is more opinionated and less conservative.
+	If your deployment prioritizes strict compatibility with timeout/no-tail semantics, leave it disabled.
+	If your threat model includes repeated active probing by a censor, this mode is the stronger profile.
+
+Use this mode only when your threat model prioritizes classifier resistance over strict compatibility with conservative masking semantics.
+
+### Above-cap blur notes (`[censorship]`)
+
+`mask_shape_above_cap_blur` adds a second-stage blur for very large probes that are already above `mask_shape_bucket_cap_bytes`.
+
+- A random tail in `[0, mask_shape_above_cap_blur_max_bytes]` is appended in default mode.
+- In aggressive mode, the random tail becomes strictly positive: `[1, mask_shape_above_cap_blur_max_bytes]`.
+- This reduces exact-size leakage above cap at bounded overhead.
+- Keep `mask_shape_above_cap_blur_max_bytes` conservative to avoid unnecessary egress growth.
+
+Operational meaning:
+
+- Without above-cap blur
+	A probe that forwards `5005` bytes will still look like `5005` bytes to the backend if it is already above cap.
+
+- With above-cap blur enabled
+	That same probe may look like any value in a bounded window above its base length.
+	Example with `mask_shape_above_cap_blur_max_bytes = 64`:
+	backend-observed size becomes `5005..5069` in default mode, or `5006..5069` in aggressive mode.
+
+- Choosing `mask_shape_above_cap_blur_max_bytes`
+	Small values reduce cost but preserve more separability between far-apart oversized classes.
+	Larger values blur oversized classes more aggressively, but add more egress overhead and more output variance.
+
+### Timing normalization envelope notes (`[censorship]`)
+
+`mask_timing_normalization_enabled` smooths timing differences between masking outcomes by applying a target duration envelope.
+
+- A random target is selected in `[mask_timing_normalization_floor_ms, mask_timing_normalization_ceiling_ms]`.
+- Fast paths are delayed up to the selected target.
+- Slow paths are not forced to finish by the ceiling (the envelope is best-effort shaping, not truncation).
+
+Recommended starting profile for timing shaping:
+
+- `mask_timing_normalization_enabled = true`
+- `mask_timing_normalization_floor_ms = 180`
+- `mask_timing_normalization_ceiling_ms = 320`
+
+If your backend or network is very bandwidth-constrained, reduce cap first. If probes are still too distinguishable in your environment, increase floor gradually.
+
+## [access]
+
+| Parameter | Type | Default | Constraints / validation | TOML shape example | Description |
+|---|---|---|---|---|---|
+| users | `Map<String, String>` | `{"default": "000…000"}` | Secret must be 32 hex characters. | `[access.users]`<br>`user = "32-hex secret"`<br>`user2 = "32-hex secret"` | User credentials map used for client authentication. |
+| user_ad_tags | `Map<String, String>` | `{}` | Every value must be exactly 32 hex characters. | `[access.user_ad_tags]`<br>`user = "32-hex ad_tag"` | Per-user ad tags used as override over `general.ad_tag`. |
+| user_max_tcp_conns | `Map<String, usize>` | `{}` | — | `[access.user_max_tcp_conns]`<br>`user = 500` | Per-user maximum concurrent TCP connections. |
+| user_expirations | `Map<String, DateTime<Utc>>` | `{}` | Timestamp must be valid RFC3339/ISO-8601 datetime. | `[access.user_expirations]`<br>`user = "2026-12-31T23:59:59Z"` | Per-user account expiration timestamps. |
+| user_data_quota | `Map<String, u64>` | `{}` | — | `[access.user_data_quota]`<br>`user = 1073741824` | Per-user traffic quota in bytes. |
+| user_max_unique_ips | `Map<String, usize>` | `{}` | — | `[access.user_max_unique_ips]`<br>`user = 16` | Per-user unique source IP limits. |
+| user_max_unique_ips_global_each | `usize` | `0` | — | `user_max_unique_ips_global_each = 0` | Global fallback used when `[access.user_max_unique_ips]` has no per-user override. |
+| user_max_unique_ips_mode | `"active_window" \| "time_window" \| "combined"` | `"active_window"` | — | `user_max_unique_ips_mode = "active_window"` | Unique source IP limit accounting mode. |
+| user_max_unique_ips_window_secs | `u64` | `30` | Must be `> 0`. | `user_max_unique_ips_window_secs = 30` | Window size (seconds) used by unique-IP accounting modes that use time windows. |
+| replay_check_len | `usize` | `65536` | — | `replay_check_len = 65536` | Replay-protection storage length. |
+| replay_window_secs | `u64` | `1800` | — | `replay_window_secs = 1800` | Replay-protection window in seconds. |
+| ignore_time_skew | `bool` | `false` | — | `ignore_time_skew = false` | Disables client/server timestamp skew checks in replay validation when enabled. |
+
+## [[upstreams]]
+
+| Parameter | Type | Default | Constraints / validation | Description |
+|---|---|---|---|---|
+| type | `"direct" \| "socks4" \| "socks5"` | — | Required field. | Upstream transport type selector. |
+| weight | `u16` | `1` | none | Base weight used by weighted-random upstream selection. |
+| enabled | `bool` | `true` | none | Disabled entries are excluded from upstream selection at runtime. |
+| scopes | `String` | `""` | none | Comma-separated scope tags used for request-level upstream filtering. |
+| interface | `String \| null` | `null` | Optional; type-specific runtime rules apply. | Optional outbound interface/local bind hint (supported with type-specific rules). |
+| bind_addresses | `String[] \| null` | `null` | Applies to `type = "direct"`. | Optional explicit local source bind addresses for `type = "direct"`. |
+| address | `String` | — | Required for `type = "socks4"` and `type = "socks5"`. | SOCKS server endpoint (`host:port` or `ip:port`) for SOCKS upstream types. |
+| user_id | `String \| null` | `null` | Only for `type = "socks4"`. | SOCKS4 CONNECT user ID (`type = "socks4"` only). |
+| username | `String \| null` | `null` | Only for `type = "socks5"`. | SOCKS5 username (`type = "socks5"` only). |
+| password | `String \| null` | `null` | Only for `type = "socks5"`. | SOCKS5 password (`type = "socks5"` only). |

docs/FAQ.en.md

@@ -1,256 +1,113 @@
-## How to set up a "proxy sponsor" channel and statistics via the @MTProxybot
+## How to set up "proxy sponsor" channel and statistics via @MTProxybot bot
-1. Go to the @MTProxybot.
+
-2. Enter the `/newproxy` command.
+1. Go to @MTProxybot bot.
-3. Send your server's IP address and port. For example: `1.2.3.4:443`.
+2. Enter the command `/newproxy`
-4. Open the configuration file: `nano /etc/telemt/telemt.toml`.
+3. Send the server IP and port. For example: 1.2.3.4:443
-5. Copy and send the user secret from the `[access.users]` section to the bot.
+4. Open the config `nano /etc/telemt/telemt.toml`.
-6. Copy the tag provided by the bot. For example: `1234567890abcdef1234567890abcdef`.
+5. Copy and send the user secret from the [access.users] section to the bot.
+6. Copy the tag received from the bot. For example 1234567890abcdef1234567890abcdef.
 > [!WARNING]
 > The link provided by the bot will not work. Do not copy or use it!
-7. Uncomment the `ad_tag` parameter and enter the tag received from the bot.
+7. Uncomment the ad_tag parameter and enter the tag received from the bot.
-8. Uncomment or add the `use_middle_proxy = true` parameter.
+8. Uncomment/add the parameter `use_middle_proxy = true`.
 
-Configuration example:
+Config example:
 ```toml
 [general]
 ad_tag = "1234567890abcdef1234567890abcdef"
 use_middle_proxy = true
 ```
-9. Save the changes (in nano: Ctrl+S -> Ctrl+X).
+9. Save the config. Ctrl+S -> Ctrl+X.
-10. Restart the telemt service: `systemctl restart telemt`.
+10. Restart telemt `systemctl restart telemt`.
-11. Send the `/myproxies` command to the bot and select the added server.
+11. In the bot, send the command /myproxies and select the added server.
 12. Click the "Set promotion" button.
 13. Send a **public link** to the channel. Private channels cannot be added!
-14. Wait for about 1 hour for the information to update on Telegram servers.
+14. Wait approximately 1 hour for the information to update on Telegram servers.
 > [!WARNING]
-> The sponsored channel will not be displayed to you if you are already subscribed to it.
+> You will not see the "proxy sponsor" if you are already subscribed to the channel.
 
-**You can also configure different sponsored channels for different users:**
+**You can also set up different channels for different users.**
 ```toml
 [access.user_ad_tags]
 hello = "ad_tag"
 hello2 = "ad_tag2"
 ```
-## Recognizability for DPI and crawler
 
-On April 1, 2026, we became aware of a method for detecting MTProxy Fake-TLS, 
+## Why is middle proxy (ME) needed
-based on the ECH extension and the ordering of cipher suites, 
-as well as an overall unique JA3/JA4 fingerprint 
-that does not occur in modern browsers: 
-we have already submitted initial changes to the Telegram Desktop developers and are working on updates for other clients.
-
-- We consider this a breakthrough aspect, which has no stable analogues today
-- Based on this: if `telemt` configured correctly, **TLS mode is completely identical to real-life handshake + communication** with a specified host
-- Here is our evidence:
-    - 212.220.88.77 - "dummy" host, running `telemt`
-    - `petrovich.ru` - `tls` + `masking` host, in HEX: `706574726f766963682e7275`
-    - **No MITM + No Fake Certificates/Crypto** = pure transparent *TCP Splice* to "best" upstream: MTProxy or tls/mask-host:
-      - DPI see legitimate HTTPS to `tls_host`, including *valid chain-of-trust* and entropy
-      - Crawlers completely satisfied receiving responses from `mask_host`
-  ### Client WITH secret-key accesses the MTProxy resource:
-  
-  <img width="360" height="439" alt="telemt" src="https://github.com/user-attachments/assets/39352afb-4a11-4ecc-9d91-9e8cfb20607d" />
-  
-  ### Client WITHOUT secret-key gets transparent access to the specified resource:
-    - with trusted certificate
-    - with original handshake
-    - with full request-response way
-    - with low-latency overhead
-```bash
-root@debian:~/telemt# curl -v -I --resolve petrovich.ru:443:212.220.88.77 https://petrovich.ru/
-* Added petrovich.ru:443:212.220.88.77 to DNS cache
-* Hostname petrovich.ru was found in DNS cache
-*   Trying 212.220.88.77:443...
-* Connected to petrovich.ru (212.220.88.77) port 443 (#0)
-* ALPN: offers h2,http/1.1
-* TLSv1.3 (OUT), TLS handshake, Client hello (1):
-*  CAfile: /etc/ssl/certs/ca-certificates.crt
-*  CApath: /etc/ssl/certs
-* TLSv1.3 (IN), TLS handshake, Server hello (2):
-* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
-* TLSv1.3 (IN), TLS handshake, Certificate (11):
-* TLSv1.3 (IN), TLS handshake, CERT verify (15):
-* TLSv1.3 (IN), TLS handshake, Finished (20):
-* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
-* TLSv1.3 (OUT), TLS handshake, Finished (20):
-* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
-* ALPN: server did not agree on a protocol. Uses default.
-* Server certificate:
-*  subject: C=RU; ST=Saint Petersburg; L=Saint Petersburg; O=STD Petrovich; CN=*.petrovich.ru
-*  start date: Jan 28 11:21:01 2025 GMT
-*  expire date: Mar  1 11:21:00 2026 GMT
-*  subjectAltName: host "petrovich.ru" matched cert's "petrovich.ru"
-*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
-*  SSL certificate verify ok.
-* using HTTP/1.x
-> HEAD / HTTP/1.1
-> Host: petrovich.ru
-> User-Agent: curl/7.88.1
-> Accept: */*
-> 
-* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
-* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
-* old SSL session ID is stale, removing
-< HTTP/1.1 200 OK
-HTTP/1.1 200 OK
-< Server: Variti/0.9.3a
-Server: Variti/0.9.3a
-< Date: Thu, 01 Jan 2026 00:0000 GMT
-Date: Thu, 01 Jan 2026 00:0000 GMT
-< Access-Control-Allow-Origin: *
-Access-Control-Allow-Origin: *
-< Content-Type: text/html
-Content-Type: text/html
-< Cache-Control: no-store
-Cache-Control: no-store
-< Expires: Thu, 01 Jan 2026 00:0000 GMT
-Expires: Thu, 01 Jan 2026 00:0000 GMT
-< Pragma: no-cache
-Pragma: no-cache
-< Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
-Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
-< Content-Type: text/html
-Content-Type: text/html
-< Content-Length: 31253
-Content-Length: 31253
-< Connection: keep-alive
-Connection: keep-alive
-< Keep-Alive: timeout=60
-Keep-Alive: timeout=60
-
-< 
-* Connection #0 to host petrovich.ru left intact
-
-```
-- We challenged ourselves, we kept trying and we didn't only *beat the air*: now, we have something to show you
-  - Do not just take our word for it? - This is great and we respect that: you can build your own `telemt` or download a build and check it right now
-
-
-## F.A.Q.
-
-### Telegram Calls via MTProxy
-- Telegram architecture **does NOT allow calls via MTProxy**, but only via SOCKS5, which cannot be obfuscated
-
-### How does DPI see MTProxy TLS?
-- DPI sees MTProxy in Fake TLS (ee) mode as TLS 1.3
-- the SNI you specify sends both the client and the server;
-- ALPN is similar to HTTP 1.1/2;
-- high entropy, which is normal for AES-encrypted traffic;
-
-### Whitelist on IP
-- MTProxy cannot work when there is: 
-  - no IP connectivity to the target host: Russian Whitelist on Mobile Networks - "Белый список"
-  - OR all TCP traffic is blocked
-  - OR high entropy/encrypted traffic is blocked: content filters at universities and critical infrastructure
-  - OR all TLS traffic is blocked
-  - OR specified port is blocked: use 443 to make it "like real"
-  - OR provided SNI is blocked: use "officially approved"/innocuous name
-- like most protocols on the Internet; 
-- these situations are observed:
-  - in China behind the Great Firewall
-  - in Russia on mobile networks, less in wired networks
-  - in Iran during "activity"
-
-### Why do you need a middle proxy (ME)
 https://github.com/telemt/telemt/discussions/167
 
-### How many people can use one link
+## How many people can use 1 link
-By default, an unlimited number of people can use a single link.  
+
-However, you can limit the number of unique IP addresses for each user:
+By default, 1 link can be used by any number of people.  
+You can limit the number of IPs using the proxy.
 ```toml
 [access.user_max_unique_ips]
 hello = 1
 ```
-This parameter sets the maximum number of unique IP addresses from which a single link can be used simultaneously. If the first user disconnects, a second one can connect. At the same time, multiple users can connect from a single IP address simultaneously (for example, devices on the same Wi-Fi network).
+This parameter limits how many unique IPs can use 1 link simultaneously. If one user disconnects, a second user can connect. Also, multiple users can sit behind the same IP.
 
-### How to create multiple different links
+## How to create multiple different links
-1. Generate the required number of secrets using the command: `openssl rand -hex 16`.
+
-2. Open the configuration file: `nano /etc/telemt/telemt.toml`.
+1. Generate the required number of secrets `openssl rand -hex 16`
-3. Add new users to the `[access.users]` section:
+2. Open the config `nano /etc/telemt.toml`
+3. Add new users.
 ```toml
 [access.users]
 user1 = "00000000000000000000000000000001"
 user2 = "00000000000000000000000000000002"
 user3 = "00000000000000000000000000000003"
 ```
-4. Save the configuration (Ctrl+S -> Ctrl+X). There is no need to restart the telemt service.
+4. Save the config. Ctrl+S -> Ctrl+X. You don't need to restart telemt.
-5. Get the ready-to-use links using the command:
+5. Get the links via
 ```bash
 curl -s http://127.0.0.1:9091/v1/users | jq
 ```
 
-### "Unknown TLS SNI" error
+## "Unknown TLS SNI" Error
-Usually, this error occurs if you have changed the `tls_domain` parameter, but users continue to connect using old links with the previous domain.
+You probably updated tls_domain, but users are still connecting via old links with the previous domain.
 
-If you need to allow connections with any domains (ignoring SNI mismatches), add the following parameters:
+## How to view metrics
-```toml
-[censorship]
-unknown_sni_action = "mask"
-```
 
-### How to view metrics
+1. Open the config `nano /etc/telemt/telemt.toml`
-
+2. Add the following parameters
-1. Open the configuration file: `nano /etc/telemt/telemt.toml`.
-2. Add the following parameters:
 ```toml
 [server]
 metrics_port = 9090
 metrics_whitelist = ["127.0.0.1/32", "::1/128", "0.0.0.0/0"]
 ```
-3. Save the changes (Ctrl+S -> Ctrl+X).
+3. Save the config. Ctrl+S -> Ctrl+X.
-4. After that, metrics will be available at: `SERVER_IP:9090/metrics`. 
+4. Metrics are available at SERVER_IP:9090/metrics.
 > [!WARNING]
-> The value `"0.0.0.0/0"` in `metrics_whitelist` opens access to metrics from any IP address. It is recommended to replace it with your personal IP, for example: `"1.2.3.4/32"`.
+> "0.0.0.0/0" in metrics_whitelist opens access from any IP. Replace with your own IP. For example "1.2.3.4"
-
-### Too many open files
-- On a fresh Linux install the default open file limit is low; under load `telemt` may fail with `Accept error: Too many open files`
-- **Systemd**: add `LimitNOFILE=65536` to the `[Service]` section (already included in the example above)
-- **Docker**: add `--ulimit nofile=65536:65536` to your `docker run` command, or in `docker-compose.yml`:
-```yaml
-ulimits:
-  nofile:
-    soft: 65536
-    hard: 65536
-```
-- **System-wide** (optional): add to `/etc/security/limits.conf`:
-```
-*       soft    nofile  1048576
-*       hard    nofile  1048576
-root    soft    nofile  1048576
-root    hard    nofile  1048576
-```
-
 
 ## Additional parameters
 
-### Domain in the link instead of IP
+### Domain in link instead of IP
-To display a domain instead of an IP address in the connection links, add the following lines to the configuration file:
+To specify a domain in the links, add to the `[general.links]` section of the config file.
 ```toml
 [general.links]
 public_host = "proxy.example.com"
 ```
 
-### Total server connection limit
+### Server connection limit
-This parameter limits the total number of active connections to the server:
+Limits the total number of open connections to the server:
 ```toml
 [server]
 max_connections = 10000    # 0 - unlimited, 10000 - default
 ```
 
 ### Upstream Manager
-To configure outbound connections (upstreams), add the corresponding parameters to the `[[upstreams]]` section of the configuration file:
+To specify an upstream, add to the `[[upstreams]]` section of the config.toml file:
-
+#### Binding to IP
-#### Binding to an outbound IP address
 ```toml
 [[upstreams]]
 type = "direct"
 weight = 1
 enabled = true
-interface = "192.168.1.100" # Replace with your outbound IP
+interface = "192.168.1.100" # Change to your outgoing IP
 ```
-
+#### SOCKS4/5 as Upstream
-#### Using SOCKS4/5 as an Upstream
+- Without authentication:
-- Without authorization:
 ```toml
 [[upstreams]]
 type = "socks5"            # Specify SOCKS4 or SOCKS5
@@ -259,7 +116,7 @@ weight = 1                 # Set Weight for Scenarios
 enabled = true
 ```
 
-- With authorization:
+- With authentication:
 ```toml
 [[upstreams]]
 type = "socks5"            # Specify SOCKS4 or SOCKS5
@@ -270,8 +127,8 @@ weight = 1                 # Set Weight for Scenarios
 enabled = true
 ```
 
-#### Using Shadowsocks as an Upstream
+#### Shadowsocks as Upstream
-For this method to work, the `use_middle_proxy = false` parameter must be set.
+Requires `use_middle_proxy = false`.
 
 ```toml
 [general]

docs/FAQ.ru.md

@@ -1,277 +1,135 @@
 ## Как настроить канал "спонсор прокси" и статистику через бота @MTProxybot
 
-1. Зайдите в бота @MTProxybot.
+1. Зайти в бота @MTProxybot.
-2. Введите команду `/newproxy`.
+2. Ввести команду `/newproxy`
-3. Отправьте IP-адрес и порт сервера. Например: `1.2.3.4:443`.
+3. Отправить IP и порт сервера. Например: 1.2.3.4:443
-4. Откройте файл конфигурации: `nano /etc/telemt/telemt.toml`.
+4. Открыть конфиг `nano /etc/telemt/telemt.toml`.
-5. Скопируйте и отправьте боту секрет пользователя из раздела `[access.users]`.
+5. Скопировать и отправить боту секрет пользователя из раздела [access.users].
-6. Скопируйте тег (tag), который выдаст бот. Например: `1234567890abcdef1234567890abcdef`.
+6. Скопировать полученный tag у бота. Например 1234567890abcdef1234567890abcdef.
 > [!WARNING]
-> Ссылка, которую выдает бот, работать не будет. Не копируйте и не используйте её!
+> Ссылка, которую выдает бот, не будет работать. Не копируйте и не используйте её!
-7. Раскомментируйте параметр `ad_tag` и впишите тег, полученный от бота.
+7. Раскомментировать параметр ad_tag и вписать tag, полученный у бота.
-8. Раскомментируйте или добавьте параметр `use_middle_proxy = true`.
+8. Раскомментировать/добавить параметр use_middle_proxy = true.
 
-Пример конфигурации:
+Пример конфига:
 ```toml
 [general]
 ad_tag = "1234567890abcdef1234567890abcdef"
 use_middle_proxy = true
 ```
-9. Сохраните изменения (в nano: Ctrl+S -> Ctrl+X).
+9.  Сохранить конфиг. Ctrl+S -> Ctrl+X.
-10. Перезапустите службу telemt: `systemctl restart telemt`.
+10. Перезапустить telemt `systemctl restart telemt`.
-11. В боте отправьте команду `/myproxies` и выберите добавленный сервер.
+11. В боте отправить команду /myproxies и выбрать добавленный сервер.
-12. Нажмите кнопку «Set promotion».
+12. Нажать кнопку "Set promotion".
-13. Отправьте **публичную ссылку** на канал. Приватные каналы добавлять нельзя!
+13. Отправить **публичную ссылку** на канал. Приватный канал добавить нельзя!
-14. Подождите примерно 1 час, пока информация обновится на серверах Telegram.
+14. Подождать примерно 1 час, пока информация обновится на серверах Telegram.
 > [!WARNING]
-> Спонсорский канал не будет у вас отображаться, если вы уже на него подписаны.
+> У вас не будет отображаться "спонсор прокси" если вы уже подписаны на канал.
 
-**Вы также можете настроить разные спонсорские каналы для разных пользователей:**
+**Также вы можете настроить разные каналы для разных пользователей.**
 ```toml
 [access.user_ad_tags]
 hello = "ad_tag"
 hello2 = "ad_tag2"
 ```
-## Распознаваемость для DPI и сканеров
-
-1 апреля 2026 года нам стало известно о методе обнаружения MTProxy Fake-TLS, основанном на расширении ECH и порядке набора шифров, 
-а также об общем уникальном отпечатке JA3/JA4, который не встречается в современных браузерах: мы уже отправили первоначальные изменения разработчикам Telegram Desktop и работаем над обновлениями для других клиентов.
-
-- Мы считаем это прорывом, которому на сегодняшний день нет стабильных аналогов;
-- Исходя из этого: если `telemt` настроен правильно, **режим TLS полностью идентичен реальному «рукопожатию» + обмену данными** с указанным хостом;
-- Вот наши доказательства:
-    - 212.220.88.77 — «фиктивный» хост, на котором запущен `telemt`;
-    - `petrovich.ru` — хост с `tls` + `masking`, в HEX: `706574726f766963682e7275`;
-    - **Без MITM + без поддельных сертификатов/шифрования** = чистое прозрачное *TCP Splice* к «лучшему» исходному серверу: MTProxy или tls/mask-host:
-      - DPI видит легитимный HTTPS к `tls_host`, включая *достоверную цепочку доверия* и энтропию;
-      - Краулеры полностью удовлетворены получением ответов от `mask_host`.
- 
-  ### Клиент С секретным ключом получает доступ к ресурсу MTProxy:
-  
-  <img width="360" height="439" alt="telemt" src="https://github.com/user-attachments/assets/39352afb-4a11-4ecc-9d91-9e8cfb20607d" />
-  
-  ### Клиент БЕЗ секретного ключа получает прозрачный доступ к указанному ресурсу:
-    - с доверенным сертификатом;
-    - с исходным «рукопожатием»;
-    - с полным циклом запрос-ответ;
-    - с низкой задержкой.
-
-```bash
-root@debian:~/telemt# curl -v -I --resolve petrovich.ru:443:212.220.88.77 https://petrovich.ru/
-* Added petrovich.ru:443:212.220.88.77 to DNS cache
-* Hostname petrovich.ru was found in DNS cache
-*   Trying 212.220.88.77:443...
-* Connected to petrovich.ru (212.220.88.77) port 443 (#0)
-* ALPN: offers h2,http/1.1
-* TLSv1.3 (OUT), TLS handshake, Client hello (1):
-*  CAfile: /etc/ssl/certs/ca-certificates.crt
-*  CApath: /etc/ssl/certs
-* TLSv1.3 (IN), TLS handshake, Server hello (2):
-* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
-* TLSv1.3 (IN), TLS handshake, Certificate (11):
-* TLSv1.3 (IN), TLS handshake, CERT verify (15):
-* TLSv1.3 (IN), TLS handshake, Finished (20):
-* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
-* TLSv1.3 (OUT), TLS handshake, Finished (20):
-* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
-* ALPN: server did not agree on a protocol. Uses default.
-* Server certificate:
-*  subject: C=RU; ST=Saint Petersburg; L=Saint Petersburg; O=STD Petrovich; CN=*.petrovich.ru
-*  start date: Jan 28 11:21:01 2025 GMT
-*  expire date: Mar  1 11:21:00 2026 GMT
-*  subjectAltName: host "petrovich.ru" matched cert's "petrovich.ru"
-*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
-*  SSL certificate verify ok.
-* using HTTP/1.x
-> HEAD / HTTP/1.1
-> Host: petrovich.ru
-> User-Agent: curl/7.88.1
-> Accept: */*
-> 
-* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
-* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
-* old SSL session ID is stale, removing
-< HTTP/1.1 200 OK
-HTTP/1.1 200 OK
-< Server: Variti/0.9.3a
-Server: Variti/0.9.3a
-< Date: Thu, 01 Jan 2026 00:0000 GMT
-Date: Thu, 01 Jan 2026 00:0000 GMT
-< Access-Control-Allow-Origin: *
-Access-Control-Allow-Origin: *
-< Content-Type: text/html
-Content-Type: text/html
-< Cache-Control: no-store
-Cache-Control: no-store
-< Expires: Thu, 01 Jan 2026 00:0000 GMT
-Expires: Thu, 01 Jan 2026 00:0000 GMT
-< Pragma: no-cache
-Pragma: no-cache
-< Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
-Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
-< Content-Type: text/html
-Content-Type: text/html
-< Content-Length: 31253
-Content-Length: 31253
-< Connection: keep-alive
-Connection: keep-alive
-< Keep-Alive: timeout=60
-Keep-Alive: timeout=60
-
-< 
-* Connection #0 to host petrovich.ru left intact
-
-```
-- Мы поставили перед собой задачу, не сдавались и не просто «бились в пустоту»: теперь у нас есть что вам показать.
-- Не верите нам на слово? — Это прекрасно, и мы уважаем ваше решение: вы можете собрать свой собственный `telemt` или скачать готовую сборку и проверить её прямо сейчас.
-
-### Звонки в Telegram через MTProxy
-- Архитектура Telegram **НЕ поддерживает звонки через MTProxy**, а только через SOCKS5, который невозможно замаскировать
-
-### Как DPI распознает TLS-соединение MTProxy?
-- DPI распознает MTProxy в режиме Fake TLS (ee) как TLS 1.3
-- указанный вами SNI отправляется как клиентом, так и сервером;
-- ALPN аналогичен HTTP 1.1/2;
-- высокая энтропия, что нормально для трафика, зашифрованного AES;
-
-### Белый список по IP
-- MTProxy не может работать, если: 
-  - отсутствует IP-связь с целевым хостом: российский белый список в мобильных сетях — «Белый список»;
-  - ИЛИ весь TCP-трафик заблокирован;
-  - ИЛИ трафик с высокой энтропией/зашифрованный трафик заблокирован: контент-фильтры в университетах и критически важной инфраструктуре;
-  - ИЛИ весь TLS-трафик заблокирован;
-  - ИЛИ заблокирован указанный порт: используйте 443, чтобы сделать его «как настоящий»;
-  - ИЛИ заблокирован предоставленный SNI: используйте «официально одобренное»/безобидное имя;
-- как и большинство протоколов в Интернете; 
-- такие ситуации наблюдаются:
-  - в Китае за Великим файрволом;
-  - в России в мобильных сетях, реже в проводных сетях;
-  - в Иране во время «активности».
-
 
 ## Зачем нужен middle proxy (ME)
 https://github.com/telemt/telemt/discussions/167
 
 
-## Что такое dd и ee в контексте MTProxy?
+## Сколько человек может пользоваться 1 ссылкой
 
-Это два разных режима работы прокси. Понять, какой режим используется, можно взглянув на начало секрета — там будет dd или ee, вот пример:
+По умолчанию 1 ссылкой может пользоваться сколько угодно человек.  
-tg://proxy?server=s1.dimasssss.space&port=443&secret=eebe3007e927acd147dde12bee8b1a7c9364726976652e676f6f676c652e636f6d
+Вы можете ограничить число IP, использующих прокси.
-
-dd — режим с мусорным трафиком, обфускацией данных, похожий на shadowsocks. У такого трафика есть заметный паттерн, который DPI умеют распознавать и впоследствии блокировать. Использовать этот режим на текущий момент не рекомендуется.
-
-ee — режим маскировки под существующий домен (FakeTLS), словно вы сёрфите в интернете через браузер. На текущий момент не попадает под блокировку.
-
-### Где эти режимы настраиваются?
-
-```toml
-В конфиге telemt.toml в разделе [general.modes]:
-classic = false # классический режим, давно стал бесполезным
-secure = false # переменная dd-режима
-tls = true # переменная ee-режима
-```
-
-## Сколько человек может пользоваться одной ссылкой
-
-По умолчанию одной ссылкой может пользоваться неограниченное число людей.  
-Однако вы можете ограничить количество уникальных IP-адресов для каждого пользователя:
 ```toml
 [access.user_max_unique_ips]
 hello = 1
 ```
-Этот параметр задает максимальное количество уникальных IP-адресов, с которых можно одновременно использовать одну ссылку. Если первый пользователь отключится, второй сможет подключиться. При этом с одного IP-адреса могут подключаться несколько пользователей одновременно (например, устройства в одной Wi-Fi сети).
+Этот параметр ограничивает, сколько уникальных IP может использовать 1 ссылку одновременно. Если один пользователь отключится, второй сможет подключиться. Также с одного IP может сидеть несколько пользователей.
 
-## Как создать несколько разных ссылок
+## Как сделать несколько разных ссылок
 
-1. Сгенерируйте необходимое количество секретов с помощью команды: `openssl rand -hex 16`.
+1. Сгенерируйте нужное число секретов `openssl rand -hex 16`
-2. Откройте файл конфигурации: `nano /etc/telemt/telemt.toml`.
+2. Открыть конфиг `nano /etc/telemt.toml`
-3. Добавьте новых пользователей в секцию `[access.users]`:
+3. Добавить новых пользователей.
 ```toml
 [access.users]
 user1 = "00000000000000000000000000000001"
 user2 = "00000000000000000000000000000002"
 user3 = "00000000000000000000000000000003"
 ```
-4. Сохраните конфигурацию (Ctrl+S -> Ctrl+X). Перезапускать службу telemt не нужно.
+4. Сохранить конфиг. Ctrl+S -> Ctrl+X. Перезапускать telemt не нужно.
-5. Получите готовые ссылки с помощью команды:
+5. Получить ссылки через
 ```bash
 curl -s http://127.0.0.1:9091/v1/users | jq
 ```
 
 ## Ошибка "Unknown TLS SNI"
-Обычно эта ошибка возникает, если вы изменили параметр `tls_domain`, но пользователи продолжают подключаться по старым ссылкам с прежним доменом.
+Возможно, вы обновили tls_domain, но пользователи всё ещё пытаются подключаться по старым ссылкам с прежним доменом.
-
-Если необходимо разрешить подключение с любыми доменами (игнорируя несовпадения SNI), добавьте следующие параметры:
-```toml
-[censorship]
-unknown_sni_action = "mask"
-```
 
 ## Как посмотреть метрики
 
-1. Откройте файл конфигурации: `nano /etc/telemt/telemt.toml`.
+1. Открыть конфиг `nano /etc/telemt/telemt.toml`
-2. Добавьте следующие параметры:
+2. Добавить следующие параметры
 ```toml
 [server]
 metrics_port = 9090
 metrics_whitelist = ["127.0.0.1/32", "::1/128", "0.0.0.0/0"]
 ```
-3. Сохраните изменения (Ctrl+S -> Ctrl+X).
+3. Сохранить конфиг. Ctrl+S -> Ctrl+X.
-4. После этого метрики будут доступны по адресу: `SERVER_IP:9090/metrics`. 
+4. Метрики доступны по адресу SERVER_IP:9090/metrics. 
 > [!WARNING]
-> Значение `"0.0.0.0/0"` в `metrics_whitelist` открывает доступ к метрикам с любого IP-адреса. Рекомендуется заменить его на ваш личный IP, например: `"1.2.3.4/32"`.
+> "0.0.0.0/0" в metrics_whitelist открывает доступ с любого IP. Замените на свой ip. Например "1.2.3.4"
 
 ## Дополнительные параметры
 
 ### Домен в ссылке вместо IP
-Чтобы в ссылках для подключения отображался домен вместо IP-адреса, добавьте следующие строки в файл конфигурации:
+Чтобы указать домен в ссылках, добавьте в секцию `[general.links]` файла config.
 ```toml
 [general.links]
 public_host = "proxy.example.com"
 ```
 
 ### Общий лимит подключений к серверу
-Этот параметр ограничивает общее количество активных подключений к серверу:
+Ограничивает общее число открытых подключений к серверу:
 ```toml
 [server]
-max_connections = 10000    # 0 - без ограничений, 10000 - по умолчанию
+max_connections = 10000    # 0 - unlimited, 10000 - default
 ```
 
 ### Upstream Manager
-Для настройки исходящих подключений (Upstreams) добавьте соответствующие параметры в секцию `[[upstreams]]` файла конфигурации:
+Чтобы указать апстрим, добавьте в секцию `[[upstreams]]` файла config.toml:
-
+#### Привязка к IP
-#### Привязка к исходящему IP-адресу
 ```toml
 [[upstreams]]
 type = "direct"
 weight = 1
 enabled = true
-interface = "192.168.1.100" # Замените на ваш исходящий IP
+interface = "192.168.1.100" # Change to your outgoing IP
 ```
-
+#### SOCKS4/5 как Upstream
-#### Использование SOCKS4/5 в качестве Upstream
 - Без авторизации:
 ```toml
 [[upstreams]]
-type = "socks5"            # выбор типа SOCKS4 или SOCKS5
+type = "socks5"            # Specify SOCKS4 or SOCKS5
-address = "1.2.3.4:1234"   # адрес сервера SOCKS
+address = "1.2.3.4:1234"   # SOCKS-server Address
-weight = 1                 # вес
+weight = 1                 # Set Weight for Scenarios
 enabled = true
 ```
 
 - С авторизацией:
 ```toml
 [[upstreams]]
-type = "socks5"            # выбор типа SOCKS4 или SOCKS5
+type = "socks5"            # Specify SOCKS4 or SOCKS5
-address = "1.2.3.4:1234"   # адрес сервера SOCKS
+address = "1.2.3.4:1234"   # SOCKS-server Address
-username = "user"          # имя пользователя
+username = "user"          # Username for Auth on SOCKS-server
-password = "pass"          # пароль
+password = "pass"          # Password for Auth on SOCKS-server
-weight = 1                 # вес
+weight = 1                 # Set Weight for Scenarios
 enabled = true
 ```
 
-#### Использование Shadowsocks в качестве Upstream
+#### Shadowsocks как Upstream
-Для работы этого метода требуется установить параметр `use_middle_proxy = false`.
+Требует `use_middle_proxy = false`.
 
 ```toml
 [general]

docs/LICENSE/LICENSE.de.md

@@ -0,0 +1,92 @@
+# Öffentliche TELEMT-Lizenz 3
+
+***Alle Rechte vorbehalten (c) 2026 Telemt***
+
+Hiermit wird jeder Person, die eine Kopie dieser Software und der dazugehörigen Dokumentation (nachfolgend "Software") erhält, unentgeltlich die Erlaubnis erteilt, die Software ohne Einschränkungen zu nutzen, einschließlich des Rechts, die Software zu verwenden, zu vervielfältigen, zu ändern, abgeleitete Werke zu erstellen, zu verbinden, zu veröffentlichen, zu verbreiten, zu unterlizenzieren und/oder Kopien der Software zu verkaufen sowie diese Rechte auch denjenigen einzuräumen, denen die Software zur Verfügung gestellt wird, vorausgesetzt, dass sämtliche Urheberrechtshinweise sowie die Bedingungen und Bestimmungen dieser Lizenz eingehalten werden.
+
+### Begriffsbestimmungen
+
+Für die Zwecke dieser Lizenz gelten die folgenden Definitionen:
+
+**"Software" (Software)** — die Telemt-Software einschließlich Quellcode, Dokumentation und sämtlicher zugehöriger Dateien, die unter den Bedingungen dieser Lizenz verbreitet werden.
+
+**"Contributor" (Contributor)** — jede natürliche oder juristische Person, die Code, Patches, Dokumentation oder andere Materialien eingereicht hat, die von den Maintainers des Projekts angenommen und in die Software aufgenommen wurden.
+
+**"Beitrag" (Contribution)** — jedes urheberrechtlich geschützte Werk, das bewusst zur Aufnahme in die Software eingereicht wurde.
+
+**"Modifizierte Version" (Modified Version)** — jede Version der Software, die gegenüber der ursprünglichen Software geändert, angepasst, erweitert oder anderweitig modifiziert wurde.
+
+**"Maintainers" (Maintainers)** — natürliche oder juristische Personen, die für das offizielle Telemt-Projekt und dessen offizielle Veröffentlichungen verantwortlich sind.
+
+### 1 Urheberrechtshinweis (Attribution)
+
+Bei der Weitergabe der Software, sowohl in Form des Quellcodes als auch in binärer Form, MÜSSEN folgende Elemente erhalten bleiben:
+
+- der oben genannte Urheberrechtshinweis;
+- der vollständige Text dieser Lizenz;
+- sämtliche bestehenden Hinweise auf Urheberschaft.
+
+### 2 Hinweis auf Modifikationen
+
+Wenn Änderungen an der Software vorgenommen werden, MUSS die Person, die diese Änderungen vorgenommen hat, eindeutig darauf hinweisen, dass die Software modifiziert wurde, und eine kurze Beschreibung der vorgenommenen Änderungen beifügen.
+
+Modifizierte Versionen der Software DÜRFEN NICHT als die originale Version von Telemt dargestellt werden.
+
+### 3 Marken und Bezeichnungen
+
+Diese Lizenz GEWÄHRT KEINE Rechte zur Nutzung der Bezeichnung **"Telemt"**, des Telemt-Logos oder sonstiger Marken, Kennzeichen oder Branding-Elemente von Telemt.
+
+Weiterverbreitete oder modifizierte Versionen der Software DÜRFEN die Bezeichnung Telemt nicht in einer Weise verwenden, die bei Nutzern den Eindruck eines offiziellen Ursprungs oder einer Billigung durch das Telemt-Projekt erwecken könnte, sofern hierfür keine ausdrückliche Genehmigung der Maintainers vorliegt.
+
+Die Verwendung der Bezeichnung **Telemt** zur Beschreibung einer modifizierten Version der Software ist nur zulässig, wenn diese Version eindeutig als modifiziert oder inoffiziell gekennzeichnet ist.
+
+Jegliche Verbreitung, die Nutzer vernünftigerweise darüber täuschen könnte, dass es sich um eine offizielle Veröffentlichung von Telemt handelt, ist untersagt.
+
+### 4 Transparenz bei der Verbreitung von Binärversionen
+
+Im Falle der Verbreitung kompilierter Binärversionen der Software wird der Verbreiter HIERMIT ERMUTIGT (encouraged), soweit dies vernünftigerweise möglich ist, Zugang zum entsprechenden Quellcode sowie zu den Build-Anweisungen bereitzustellen.
+
+Diese Praxis trägt zur Transparenz bei und ermöglicht es Empfängern, die Integrität und Reproduzierbarkeit der verbreiteten Builds zu überprüfen.
+
+## 5 Gewährung einer Patentlizenz und Beendigung von Rechten
+
+Jeder Contributor gewährt den Empfängern der Software eine unbefristete, weltweite, nicht-exklusive, unentgeltliche, lizenzgebührenfreie und unwiderrufliche Patentlizenz für:
+
+- die Herstellung,
+- die Beauftragung der Herstellung,
+- die Nutzung,
+- das Anbieten zum Verkauf,
+- den Verkauf,
+- den Import,
+- sowie jede sonstige Verbreitung der Software.
+
+Diese Patentlizenz erstreckt sich ausschließlich auf solche Patentansprüche, die notwendigerweise durch den jeweiligen Beitrag des Contributors allein oder in Kombination mit der Software verletzt würden.
+
+Leitet eine Person ein Patentverfahren ein oder beteiligt sich daran, einschließlich Gegenklagen oder Kreuzklagen, mit der Behauptung, dass die Software oder ein darin enthaltener Beitrag ein Patent verletzt, **erlöschen sämtliche durch diese Lizenz gewährten Rechte für diese Person unmittelbar mit Einreichung der Klage**.
+
+Darüber hinaus erlöschen alle durch diese Lizenz gewährten Rechte **automatisch**, wenn eine Person ein gerichtliches Verfahren einleitet, in dem behauptet wird, dass die Software selbst ein Patent oder andere Rechte des geistigen Eigentums verletzt.
+
+### 6 Beteiligung und Beiträge zur Entwicklung
+
+Sofern ein Contributor nicht ausdrücklich etwas anderes erklärt, gilt jeder Beitrag, der bewusst zur Aufnahme in die Software eingereicht wird, als unter den Bedingungen dieser Lizenz lizenziert.
+
+Durch die Einreichung eines Beitrags gewährt der Contributor den Maintainers des Telemt-Projekts sowie allen Empfängern der Software die in dieser Lizenz beschriebenen Rechte in Bezug auf diesen Beitrag.
+
+### 7 Urheberhinweis bei Netzwerk- und Servicenutzung
+
+Wird die Software zur Bereitstellung eines öffentlich zugänglichen Netzwerkdienstes verwendet, MUSS der Betreiber dieses Dienstes einen Hinweis auf die Urheberschaft von Telemt an mindestens einer der folgenden Stellen anbringen:
+
+* in der Servicedokumentation;
+* in der Dienstbeschreibung;
+* auf einer Seite "Über" oder einer vergleichbaren Informationsseite;
+* in anderen für Nutzer zugänglichen Materialien, die in angemessenem Zusammenhang mit dem Dienst stehen.
+
+Ein solcher Hinweis DARF NICHT den Eindruck erwecken, dass der Dienst vom Telemt-Projekt oder dessen Maintainers unterstützt oder offiziell gebilligt wird.
+
+### 8 Haftungsausschluss und salvatorische Klausel
+
+DIE SOFTWARE WIRD "WIE BESEHEN" BEREITGESTELLT, OHNE JEGLICHE AUSDRÜCKLICHE ODER STILLSCHWEIGENDE GEWÄHRLEISTUNG, EINSCHLIESSLICH, ABER NICHT BESCHRÄNKT AUF GEWÄHRLEISTUNGEN DER MARKTGÄNGIGKEIT, DER EIGNUNG FÜR EINEN BESTIMMTEN ZWECK UND DER NICHTVERLETZUNG VON RECHTEN.
+
+IN KEINEM FALL HAFTEN DIE AUTOREN ODER RECHTEINHABER FÜR IRGENDWELCHE ANSPRÜCHE, SCHÄDEN ODER SONSTIGE HAFTUNG, DIE AUS VERTRAG, UNERLAUBTER HANDLUNG ODER AUF ANDERE WEISE AUS DER SOFTWARE ODER DER NUTZUNG DER SOFTWARE ENTSTEHEN.
+
+SOLLTE EINE BESTIMMUNG DIESER LIZENZ ALS UNWIRKSAM ODER NICHT DURCHSETZBAR ANGESEHEN WERDEN, IST DIESE BESTIMMUNG SO AUSZULEGEN, DASS SIE DEM URSPRÜNGLICHEN WILLEN DER PARTEIEN MÖGLICHST NAHEKOMMT; DIE ÜBRIGEN BESTIMMUNGEN BLEIBEN DAVON UNBERÜHRT UND IN VOLLER WIRKUNG.

docs/LICENSE/LICENSE.en.md

@@ -0,0 +1,143 @@
+###### TELEMT Public License 3 ######
+##### Copyright (c) 2026 Telemt #####
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this Software and associated documentation files (the "Software"),
+to use, reproduce, modify, prepare derivative works of, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to permit
+persons to whom the Software is furnished to do so, provided that all
+copyright notices, license terms, and conditions set forth in this License
+are preserved and complied with.
+
+### Official Translations
+
+The canonical version of this License is the English version.
+
+Official translations are provided for informational purposes only
+and for convenience, and do not have legal force. In case of any
+discrepancy, the English version of this License shall prevail.
+
+Available versions:
+- English in Markdown: docs/LICENSE/LICENSE.md
+- German: docs/LICENSE/LICENSE.de.md
+- Russian: docs/LICENSE/LICENSE.ru.md
+
+### Definitions
+
+For the purposes of this License:
+
+"Software" means the Telemt software, including source code, documentation,
+and any associated files distributed under this License.
+
+"Contributor" means any person or entity that submits code, patches,
+documentation, or other contributions to the Software that are accepted
+into the Software by the maintainers.
+
+"Contribution" means any work of authorship intentionally submitted
+to the Software for inclusion in the Software.
+
+"Modified Version" means any version of the Software that has been
+changed, adapted, extended, or otherwise modified from the original
+Software.
+
+"Maintainers" means the individuals or entities responsible for
+the official Telemt project and its releases.
+
+#### 1 Attribution
+
+Redistributions of the Software, in source or binary form, MUST RETAIN the
+above copyright notice, this license text, and any existing attribution
+notices.
+
+#### 2 Modification Notice
+
+If you modify the Software, you MUST clearly state that the Software has been
+modified and include a brief description of the changes made.
+
+Modified versions MUST NOT be presented as the original Telemt.
+
+#### 3 Trademark and Branding
+
+This license DOES NOT grant permission to use the name "Telemt", 
+the Telemt logo, or any Telemt trademarks or branding.
+
+Redistributed or modified versions of the Software MAY NOT use the Telemt
+name in a way that suggests endorsement or official origin without explicit
+permission from the Telemt maintainers.
+
+Use of the name "Telemt" to describe a modified version of the Software
+is permitted only if the modified version is clearly identified as a
+modified or unofficial version.
+
+Any distribution that could reasonably confuse users into believing that
+the software is an official Telemt release is prohibited.
+
+#### 4 Binary Distribution Transparency
+
+If you distribute compiled binaries of the Software,
+you are ENCOURAGED to provide access to the corresponding
+source code and build instructions where reasonably possible.
+
+This helps preserve transparency and allows recipients to verify the
+integrity and reproducibility of distributed builds.
+
+#### 5 Patent Grant and Defensive Termination Clause
+
+Each contributor grants you a perpetual, worldwide, non-exclusive,
+no-charge, royalty-free, irrevocable patent license to make, have made,
+use, offer to sell, sell, import, and otherwise transfer the Software.
+
+This patent license applies only to those patent claims necessarily
+infringed by the contributor’s contribution alone or by combination of
+their contribution with the Software.
+
+If you initiate or participate in any patent litigation, including
+cross-claims or counterclaims, alleging that the Software or any
+contribution incorporated within the Software constitutes patent
+infringement, then **all rights granted to you under this license shall
+terminate immediately** as of the date such litigation is filed.
+
+Additionally, if you initiate legal action alleging that the
+Software itself infringes your patent or other intellectual
+property rights, then all rights granted to you under this
+license SHALL TERMINATE automatically.
+
+#### 6 Contributions
+
+Unless you explicitly state otherwise, any Contribution intentionally
+submitted for inclusion in the Software shall be licensed under the terms
+of this License.
+
+By submitting a Contribution, you grant the Telemt maintainers and all
+recipients of the Software the rights described in this License with
+respect to that Contribution.
+
+#### 7 Network Use Attribution
+
+If the Software is used to provide a publicly accessible network service,
+the operator of such service MUST provide attribution to Telemt in at least
+one of the following locations:
+
+- service documentation
+- service description
+- an "About" or similar informational page
+- other user-visible materials reasonably associated with the service
+
+Such attribution MUST NOT imply endorsement by the Telemt project or its
+maintainers.
+
+#### 8 Disclaimer of Warranty and Severability Clause
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+USE OR OTHER DEALINGS IN THE SOFTWARE
+
+IF ANY PROVISION OF THIS LICENSE IS HELD TO BE INVALID OR UNENFORCEABLE,
+SUCH PROVISION SHALL BE INTERPRETED TO REFLECT THE ORIGINAL INTENT
+OF THE PARTIES AS CLOSELY AS POSSIBLE, AND THE REMAINING PROVISIONS
+SHALL REMAIN IN FULL FORCE AND EFFECT

docs/LICENSE/LICENSE.ru.md

@@ -0,0 +1,90 @@
+# Публичная лицензия TELEMT 3
+
+***Все права защищёны (c) 2026 Telemt***
+
+Настоящим любому лицу, получившему копию данного программного обеспечения и сопутствующей документации (далее — "Программное обеспечение"), безвозмездно предоставляется разрешение использовать Программное обеспечение без ограничений, включая право использовать, воспроизводить, изменять, создавать производные произведения, объединять, публиковать, распространять, сублицензировать и (или) продавать копии Программного обеспечения, а также предоставлять такие права лицам, которым предоставляется Программное обеспечение, при условии соблюдения всех уведомлений об авторских правах, условий и положений настоящей Лицензии.
+
+### Определения
+
+Для целей настоящей Лицензии применяются следующие определения:
+
+**"Программное обеспечение" (Software)** — программное обеспечение Telemt, включая исходный код, документацию и любые связанные файлы, распространяемые на условиях настоящей Лицензии.
+
+**"Контрибьютор" (Contributor)** — любое физическое или юридическое лицо, направившее код, исправления (патчи), документацию или иные материалы, которые были приняты мейнтейнерами проекта и включены в состав Программного обеспечения.
+
+**"Вклад" (Contribution)** — любое произведение авторского права, намеренно представленное для включения в состав Программного обеспечения.
+
+**"Модифицированная версия" (Modified Version)** — любая версия Программного обеспечения, которая была изменена, адаптирована, расширена или иным образом модифицирована по сравнению с исходным Программным обеспечением.
+
+**"Мейнтейнеры" (Maintainers)** — физические или юридические лица, ответственные за официальный проект Telemt и его официальные релизы.
+
+### 1 Указание авторства
+
+При распространении Программного обеспечения, как в форме исходного кода, так и в бинарной форме, ДОЛЖНЫ СОХРАНЯТЬСЯ:
+
+- указанное выше уведомление об авторских правах;
+- текст настоящей Лицензии;
+- любые существующие уведомления об авторстве.
+
+### 2 Уведомление о модификации
+
+В случае внесения изменений в Программное обеспечение лицо, осуществившее такие изменения, ОБЯЗАНО явно указать, что Программное обеспечение было модифицировано, а также включить краткое описание внесённых изменений.
+
+Модифицированные версии Программного обеспечения НЕ ДОЛЖНЫ представляться как оригинальная версия Telemt.
+
+### 3 Товарные знаки и обозначения
+
+Настоящая Лицензия НЕ ПРЕДОСТАВЛЯЕТ права использовать наименование **"Telemt"**, логотип Telemt, а также любые товарные знаки, фирменные обозначения или элементы бренда Telemt.
+
+Распространяемые или модифицированные версии Программного обеспечения НЕ ДОЛЖНЫ использовать наименование Telemt таким образом, который может создавать у пользователей впечатление официального происхождения либо одобрения со стороны проекта Telemt без явного разрешения мейнтейнеров проекта.
+
+Использование наименования **Telemt** для описания модифицированной версии Программного обеспечения допускается только при условии, что такая версия ясно обозначена как модифицированная или неофициальная.
+
+Запрещается любое распространение, которое может разумно вводить пользователей в заблуждение относительно того, что программное обеспечение является официальным релизом Telemt.
+
+### 4 Прозрачность распространения бинарных версий
+
+В случае распространения скомпилированных бинарных версий Программного обеспечения распространитель НАСТОЯЩИМ ПОБУЖДАЕТСЯ предоставлять доступ к соответствующему исходному коду и инструкциям по сборке, если это разумно возможно.
+
+Такая практика способствует прозрачности распространения и позволяет получателям проверять целостность и воспроизводимость распространяемых сборок.
+
+### 5 Предоставление патентной лицензии и прекращение прав
+
+Каждый контрибьютор предоставляет получателям Программного обеспечения бессрочную, всемирную, неисключительную, безвозмездную, не требующую выплаты роялти и безотзывную патентную лицензию на:
+
+- изготовление,
+- поручение изготовления,
+- использование,
+- предложение к продаже,
+- продажу,
+- импорт,
+- и иное распространение Программного обеспечения.
+
+Такая патентная лицензия распространяется исключительно на те патентные требования, которые неизбежно нарушаются соответствующим вкладом контрибьютора как таковым либо его сочетанием с Программным обеспечением.
+
+Если лицо инициирует либо участвует в каком-либо судебном разбирательстве по патентному спору, включая встречные или перекрёстные иски, утверждая, что Программное обеспечение либо любой вклад, включённый в него, нарушает патент, **все права, предоставленные такому лицу настоящей Лицензией, немедленно прекращаются** с даты подачи соответствующего иска.
+
+Кроме того, если лицо инициирует судебное разбирательство, утверждая, что само Программное обеспечение нарушает его патентные либо иные права интеллектуальной собственности, все права, предоставленные настоящей Лицензией, **автоматически прекращаются**.
+
+### 6 Участие и вклад в разработку
+
+Если контрибьютор явно не указал иное, любой Вклад, намеренно представленный для включения в Программное обеспечение, считается лицензированным на условиях настоящей Лицензии.
+Путём предоставления Вклада контрибьютор предоставляет мейнтейнером проекта Telemt и всем получателям Программного обеспечения права, предусмотренные настоящей Лицензией, в отношении такого Вклада.
+
+### 7 Указание авторства при сетевом и сервисном использовании
+
+В случае использования Программного обеспечения для предоставления публично доступного сетевого сервиса оператор такого сервиса ОБЯЗАН обеспечить указание авторства Telemt как минимум в одном из следующих мест:
+- документация сервиса;
+- описание сервиса;
+- страница "О программе" или аналогичная информационная страница;
+- иные материалы, доступные пользователям и разумно связанные с данным сервисом.
+
+Такое указание авторства НЕ ДОЛЖНО создавать впечатление одобрения или официальной поддержки со стороны проекта Telemt либо его мейнтейнеров.
+
+### 8 Отказ от гарантий и делимость положений
+
+ПРОГРАММНОЕ ОБЕСПЕЧЕНИЕ ПРЕДОСТАВЛЯЕТСЯ "КАК ЕСТЬ", БЕЗ КАКИХ-ЛИБО ГАРАНТИЙ, ЯВНЫХ ИЛИ ПОДРАЗУМЕВАЕМЫХ, ВКЛЮЧАЯ, НО НЕ ОГРАНИЧИВАЯСЬ ГАРАНТИЯМИ КОММЕРЧЕСКОЙ ПРИГОДНОСТИ, ПРИГОДНОСТИ ДЛЯ КОНКРЕТНОЙ ЦЕЛИ И НЕНАРУШЕНИЯ ПРАВ.
+
+НИ ПРИ КАКИХ ОБСТОЯТЕЛЬСТВАХ АВТОРЫ ИЛИ ПРАВООБЛАДАТЕЛИ НЕ НЕСУТ ОТВЕТСТВЕННОСТИ ПО КАКИМ-ЛИБО ТРЕБОВАНИЯМ, УБЫТКАМ ИЛИ ИНОЙ ОТВЕТСТВЕННОСТИ, ВОЗНИКАЮЩЕЙ В РЕЗУЛЬТАТЕ ДОГОВОРА, ДЕЛИКТА ИЛИ ИНЫМ ОБРАЗОМ, СВЯЗАННЫМ С ПРОГРАММНЫМ ОБЕСПЕЧЕНИЕМ ИЛИ ЕГО ИСПОЛЬЗОВАНИЕМ.
+
+В СЛУЧАЕ ЕСЛИ КАКОЕ-ЛИБО ПОЛОЖЕНИЕ НАСТОЯЩЕЙ ЛИЦЕНЗИИ ПРИЗНАЁТСЯ НЕДЕЙСТВИТЕЛЬНЫМ ИЛИ НЕПРИМЕНИМЫМ, ТАКОЕ ПОЛОЖЕНИЕ ПОДЛЕЖИТ ТОЛКОВАНИЮ МАКСИМАЛЬНО БЛИЗКО К ИСХОДНОМУ НАМЕРЕНИЮ СТОРОН, ПРИ ЭТОМ ОСТАЛЬНЫЕ ПОЛОЖЕНИЯ СОХРАНЯЮТ ПОЛНУЮ ЮРИДИЧЕСКУЮ СИЛУ.

docs/LICENSE/TELEMT-LICENSE.en.md

@@ -1,120 +0,0 @@
-# TELEMT License 3.3
-
-***Copyright (c) 2026 Telemt***
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this Software and associated documentation files (the "Software"), to use, reproduce, modify, prepare derivative works of, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, provided that all copyright notices, license terms, and conditions set forth in this License are preserved and complied with.
-
-### Official Translations
-
-The canonical version of this License is the English version.
-Official translations are provided for informational purposes only and for convenience, and do not have legal force. In case of any discrepancy, the English version of this License shall prevail.
-
-| Language    | Location |
-|-------------|----------|
-| English     | [docs/LICENSE/TELEMT-LICENSE.en.md](https://github.com/telemt/telemt/tree/main/docs/LICENSE/TELEMT-LICENSE.en.md)|
-| German      | [docs/LICENSE/TELEMT-LICENSE.de.md](https://github.com/telemt/telemt/tree/main/docs/LICENSE/TELEMT-LICENSE.de.md)|
-| Russian     | [docs/LICENSE/TELEMT-LICENSE.ru.md](https://github.com/telemt/telemt/tree/main/docs/LICENSE/TELEMT-LICENSE.ru.md)|
-
-### License Versioning Policy
-
-This License is version 3.3 of the TELEMT License.
-Each version of the Software is licensed under the License that accompanies its corresponding source code distribution.
-
-Future versions of the Software may be distributed under a different version of the TELEMT Public License or under a different license, as determined by the Telemt maintainers.
-
-Any such change of license applies only to the versions of the Software distributed with the new license and SHALL NOT retroactively affect any previously released versions of the Software.
-
-Recipients of the Software are granted rights only under the License provided with the version of the Software they received.
-
-Redistributions of the Software, including Modified Versions, MUST preserve the copyright notices, license text, and conditions of this License for all portions of the Software derived from Telemt.
-
-Additional terms or licenses may be applied to modifications or additional code added by a redistributor, provided that such terms do not restrict or alter the rights granted under this License for the original Telemt Software.
-
-Nothing in this section limits the rights granted under this License for versions of the Software already released.
-
-### Definitions
-
-For the purposes of this License:
-
-**"Software"** means the Telemt software, including source code, documentation, and any associated files distributed under this License.
-
-**"Contributor"** means any person or entity that submits code, patches, documentation, or other contributions to the Software that are accepted into the Software by the maintainers.
-
-**"Contribution"** means any work of authorship intentionally submitted to the Software for inclusion in the Software.
-
-**"Modified Version"** means any version of the Software that has been changed, adapted, extended, or otherwise modified from the original Software.
-
-**"Maintainers"** means the individuals or entities responsible for the official Telemt project and its releases.
-
-### 1 Attribution
-
-Redistributions of the Software, in source or binary form, MUST RETAIN:
-
-- the above copyright notice;
-- this license text;
-- any existing attribution notices.
-
-### 2 Modification Notice
-
-If you modify the Software, you MUST clearly state that the Software has been modified and include a brief description of the changes made.
-
-Modified versions MUST NOT be presented as the original Telemt.
-
-### 3 Trademark and Branding
-
-This license DOES NOT grant permission to use the name "Telemt", the Telemt logo, or any Telemt trademarks or branding.
-
-Redistributed or modified versions of the Software MAY NOT use the Telemt name in a way that suggests endorsement or official origin without explicit permission from the Telemt maintainers.
-
-Use of the name "Telemt" to describe a modified version of the Software is permitted only if the modified version is clearly identified as a modified or unofficial version.
-
-Any distribution that could reasonably confuse users into believing that the software is an official Telemt release is prohibited.
-
-### 4 Binary Distribution Transparency
-
-If you distribute compiled binaries of the Software, you are ENCOURAGED to provide access to the corresponding source code and build instructions where reasonably possible.
-
-This helps preserve transparency and allows recipients to verify the integrity and reproducibility of distributed builds.
-
-### 5 Patent Grant and Defensive Termination Clause
-
-Each contributor grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable patent license to:
-
-- make,
-- have made,
-- use,
-- offer to sell,
-- sell,
-- import,
-- and otherwise transfer the Software.
-
-This patent license applies only to those patent claims necessarily infringed by the contributor’s contribution alone or by combination of their contribution with the Software.
-
-If you initiate or participate in any patent litigation, including cross-claims or counterclaims, alleging that the Software or any contribution incorporated within the Software constitutes patent infringement, then **all rights granted to you under this license shall terminate immediately** as of the date such litigation is filed.
-
-Additionally, if you initiate legal action alleging that the Software itself infringes your patent or other intellectual property rights, then all rights granted to you under this license SHALL TERMINATE automatically.
-
-### 6 Contributions
-
-Unless you explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Software shall be licensed under the terms of this License.
-
-By submitting a Contribution, you grant the Telemt maintainers and all recipients of the Software the rights described in this License with respect to that Contribution.
-
-### 7 Network Use Attribution
-
-If the Software is used to provide a publicly accessible network service, the operator of such service SHOULD provide attribution to Telemt in at least one of the following locations:
-
-- service documentation;
-- service description;
-- an "About" or similar informational page;
-- other user-visible materials reasonably associated with the service.
-
-Such attribution MUST NOT imply endorsement by the Telemt project or its maintainers.
-
-### 8 Disclaimer of Warranty and Severability Clause
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
-
-IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-IF ANY PROVISION OF THIS LICENSE IS HELD TO BE INVALID OR UNENFORCEABLE, SUCH PROVISION SHALL BE INTERPRETED TO REFLECT THE ORIGINAL INTENT OF THE PARTIES AS CLOSELY AS POSSIBLE, AND THE REMAINING PROVISIONS SHALL REMAIN IN FULL FORCE AND EFFECT.

docs/LICENSE/TELEMT-LICENSE.ru.md

@@ -1,120 +0,0 @@
-# TELEMT Лицензия 3.3
-
-***Copyright (c) 2026 Telemt***
-
-Настоящим безвозмездно предоставляется разрешение любому лицу, получившему копию данного программного обеспечения и сопутствующей документации (далее — "Программное обеспечение"), использовать, воспроизводить, изменять, создавать производные произведения, объединять, публиковать, распространять, сублицензировать и/или продавать копии Программного обеспечения, а также разрешать лицам, которым предоставляется Программное обеспечение, осуществлять указанные действия при условии соблюдения и сохранения всех уведомлений об авторском праве, условий и положений настоящей Лицензии.
-
-### Официальные переводы
-
-Канонической версией настоящей Лицензии является версия на английском языке.  
-Официальные переводы предоставляются исключительно в информационных целях и для удобства и не имеют юридической силы. В случае любых расхождений приоритет имеет английская версия.
-
-| Язык       | Расположение |
-|------------|--------------|
-| Русский    | [docs/LICENSE/TELEMT-LICENSE.ru.md](https://github.com/telemt/telemt/tree/main/docs/LICENSE/TELEMT-LICENSE.ru.md)|
-| Английский | [docs/LICENSE/TELEMT-LICENSE.en.md](https://github.com/telemt/telemt/tree/main/docs/LICENSE/TELEMT-LICENSE.en.md)|
-| Немецкий   | [docs/LICENSE/TELEMT-LICENSE.de.md](https://github.com/telemt/telemt/tree/main/docs/LICENSE/TELEMT-LICENSE.de.md)|
-
-### Политика версионирования лицензии
-
-Настоящая Лицензия является версией 3.3 Лицензии TELEMT.  
-Каждая версия Программного обеспечения лицензируется в соответствии с Лицензией, сопровождающей соответствующее распространение исходного кода.
-
-Будущие версии Программного обеспечения могут распространяться в соответствии с иной версией Лицензии TELEMT Public License либо под иной лицензией, определяемой мейнтейнерами Telemt.
-
-Любое такое изменение лицензии применяется исключительно к версиям Программного обеспечения, распространяемым с новой лицензией, и НЕ распространяется ретроактивно на ранее выпущенные версии Программного обеспечения.
-
-Получатели Программного обеспечения приобретают права исключительно в соответствии с Лицензией, предоставленной вместе с полученной ими версией Программного обеспечения.
-
-При распространении Программного обеспечения, включая Модифицированные версии, ОБЯЗАТЕЛЬНО сохранение уведомлений об авторском праве, текста лицензии и условий настоящей Лицензии в отношении всех частей Программного обеспечения, производных от Telemt.
-
-Дополнительные условия или лицензии могут применяться к модификациям или дополнительному коду, добавленному распространителем, при условии, что такие условия не ограничивают и не изменяют права, предоставленные настоящей Лицензией в отношении оригинального Программного обеспечения Telemt.
-
-Ничто в настоящем разделе не ограничивает права, предоставленные настоящей Лицензией в отношении уже выпущенных версий Программного обеспечения.
-
-### Определения
-
-Для целей настоящей Лицензии:
-
-**"Программное обеспечение"** означает программное обеспечение Telemt, включая исходный код, документацию и любые сопутствующие файлы, распространяемые в соответствии с настоящей Лицензией.
-
-**"Контрибьютор"** означает любое физическое или юридическое лицо, которое предоставляет код, исправления, документацию или иные материалы в качестве вклада в Программное обеспечение, принятые мейнтейнерами для включения в Программное обеспечение.
-
-**"Вклад"** означает любое произведение, сознательно представленное для включения в Программное обеспечение.
-
-**"Модифицированная версия"** означает любую версию Программного обеспечения, которая была изменена, адаптирована, расширена или иным образом модифицирована по сравнению с оригинальным Программным обеспечением.
-
-**"Мейнтейнеры"** означает физических или юридических лиц, ответственных за официальный проект Telemt и его релизы.
-
-### 1. Атрибуция
-
-При распространении Программного обеспечения, как в виде исходного кода, так и в бинарной форме, ОБЯЗАТЕЛЬНО СОХРАНЕНИЕ:
-
-- указанного выше уведомления об авторском праве;
-- текста настоящей Лицензии;
-- всех существующих уведомлений об атрибуции.
-
-### 2. Уведомление о модификациях
-
-В случае внесения изменений в Программное обеспечение вы ОБЯЗАНЫ явно указать факт модификации Программного обеспечения и включить краткое описание внесённых изменений.
-
-Модифицированные версии НЕ ДОЛЖНЫ представляться как оригинальное Программное обеспечение Telemt.
-
-### 3. Товарные знаки и брендинг
-
-Настоящая Лицензия НЕ предоставляет право на использование наименования "Telemt", логотипа Telemt или любых товарных знаков и элементов брендинга Telemt.
-
-Распространяемые или модифицированные версии Программного обеспечения НЕ МОГУТ использовать наименование Telemt таким образом, который может создавать впечатление одобрения или официального происхождения без явного разрешения мейнтейнеров Telemt.
-
-Использование наименования "Telemt" для описания модифицированной версии Программного обеспечения допускается только при условии, что такая версия чётко обозначена как модифицированная или неофициальная.
-
-Запрещается любое распространение, способное разумно ввести пользователей в заблуждение относительно того, что программное обеспечение является официальным релизом Telemt.
-
-### 4. Прозрачность распространения бинарных файлов
-
-В случае распространения скомпилированных бинарных файлов Программного обеспечения рекомендуется (ENCOURAGED) предоставлять доступ к соответствующему исходному коду и инструкциям по сборке, если это разумно возможно.
-
-Это способствует обеспечению прозрачности и позволяет получателям проверять целостность и воспроизводимость распространяемых сборок.
-
-### 5. Патентная лицензия и условие защитного прекращения
-
-Каждый контрибьютор предоставляет вам бессрочную, всемирную, неисключительную, безвозмездную, без лицензионных отчислений, безотзывную патентную лицензию на:
-
-- изготовление,
-- поручение изготовления,
-- использование,
-- предложение к продаже,
-- продажу,
-- импорт,
-- а также иные формы передачи Программного обеспечения.
-
-Данная патентная лицензия распространяется исключительно на те патентные притязания, которые неизбежно нарушаются вкладом контрибьютора отдельно либо в сочетании его вклада с Программным обеспечением.
-
-Если вы инициируете или участвуете в любом патентном судебном разбирательстве, включая встречные иски или требования, утверждая, что Программное обеспечение или любой Вклад, включённый в Программное обеспечение, нарушает патент, то **все предоставленные вам настоящей Лицензией права немедленно прекращаются** с даты подачи такого иска.
-
-Дополнительно, если вы инициируете судебное разбирательство, утверждая, что само Программное обеспечение нарушает ваш патент или иные права интеллектуальной собственности, все права, предоставленные вам настоящей Лицензией, ПРЕКРАЩАЮТСЯ автоматически.
-
-### 6. Вклады
-
-Если вы прямо не указали иное, любой Вклад, сознательно представленный для включения в Программное обеспечение, лицензируется на условиях настоящей Лицензии.
-
-Предоставляя Вклад, вы предоставляете мейнтейнерам Telemt и всем получателям Программного обеспечения права, предусмотренные настоящей Лицензией, в отношении такого Вклада.
-
-### 7. Атрибуция при сетевом использовании
-
-Если Программное обеспечение используется для предоставления общедоступного сетевого сервиса, оператор такого сервиса ДОЛЖЕН (SHOULD) обеспечить указание атрибуции Telemt как минимум в одном из следующих мест:
-
-- документация сервиса;
-- описание сервиса;
-- раздел "О программе" или аналогичная информационная страница;
-- иные материалы, доступные пользователю и разумно связанные с сервисом.
-
-Такая атрибуция НЕ ДОЛЖНА подразумевать одобрение со стороны проекта Telemt или его мейнтейнеров.
-
-### 8. Отказ от гарантий и оговорка о делимости
-
-ПРОГРАММНОЕ ОБЕСПЕЧЕНИЕ ПРЕДОСТАВЛЯЕТСЯ "КАК ЕСТЬ", БЕЗ КАКИХ-ЛИБО ГАРАНТИЙ, ЯВНЫХ ИЛИ ПОДРАЗУМЕВАЕМЫХ, ВКЛЮЧАЯ, В ЧАСТНОСТИ, ГАРАНТИИ ТОВАРНОЙ ПРИГОДНОСТИ, СООТВЕТСТВИЯ ОПРЕДЕЛЁННОЙ ЦЕЛИ И ОТСУТСТВИЯ НАРУШЕНИЙ ПРАВ.
-
-НИ ПРИ КАКИХ ОБСТОЯТЕЛЬСТВАХ АВТОРЫ ИЛИ ПРАВООБЛАДАТЕЛИ НЕ НЕСУТ ОТВЕТСТВЕННОСТИ ПО КАКИМ-ЛИБО ТРЕБОВАНИЯМ, УБЫТКАМ ИЛИ ИНОЙ ОТВЕТСТВЕННОСТИ, ВОЗНИКАЮЩИМ В РАМКАХ ДОГОВОРА, ДЕЛИКТА ИЛИ ИНЫМ ОБРАЗОМ, ИЗ, В СВЯЗИ С ИЛИ В РЕЗУЛЬТАТЕ ИСПОЛЬЗОВАНИЯ ПРОГРАММНОГО ОБЕСПЕЧЕНИЯ ИЛИ ИНЫХ ДЕЙСТВИЙ С НИМ.
-
-ЕСЛИ ЛЮБОЕ ПОЛОЖЕНИЕ НАСТОЯЩЕЙ ЛИЦЕНЗИИ ПРИЗНАЁТСЯ НЕДЕЙСТВИТЕЛЬНЫМ ИЛИ НЕПРИМЕНИМЫМ, ТАКОЕ ПОЛОЖЕНИЕ ПОДЛЕЖИТ ТОЛКОВАНИЮ МАКСИМАЛЬНО БЛИЗКО К ИСХОДНОМУ НАМЕРЕНИЮ СТОРОН, А ОСТАЛЬНЫЕ ПОЛОЖЕНИЯ СОХРАНЯЮТ ПОЛНУЮ СИЛУ И ДЕЙСТВИЕ.

docs/QUICK_START_GUIDE.en.md

@@ -1,19 +1,3 @@
-# Very quick start
-
-### One-command installation / update on re-run
-```bash
-curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh
-```
-### Installing a specific version
-```bash
-curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh -s -- 3.3.39
-```
-
-### Uninstall with full cleanup
-```bash
-curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh -s -- purge
-```
-
 # Telemt via Systemd
 
 ## Installation
@@ -144,8 +128,8 @@ WorkingDirectory=/opt/telemt
 ExecStart=/bin/telemt /etc/telemt/telemt.toml
 Restart=on-failure
 LimitNOFILE=65536
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 NoNewPrivileges=true
 
 [Install]
@@ -166,7 +150,7 @@ systemctl daemon-reload
 
 **7.** To get the link(s), enter:
 ```bash
-curl -s http://127.0.0.1:9091/v1/users | jq -r '.data[] | "[\(.username)]", (.links.classic[]? | "classic: \(.)"), (.links.secure[]? | "secure: \(.)"), (.links.tls[]? | "tls: \(.)"), ""'
+curl -s http://127.0.0.1:9091/v1/users | jq
 ```
 
 > Any number of people can use one link.

docs/QUICK_START_GUIDE.ru.md

@@ -1,20 +1,4 @@
-# Очень быстрый старт
+# Telemt через Systemd
-
-### Установка одной командой / обновление при повторном запуске
-```bash
-curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh
-```
-### Установка нужной версии
-```bash
-curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh -s -- 3.3.39
-```
-
-### Удаление с полной очисткой
-```bash
-curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh -s -- purge
-```
-
-# Telemt через Systemd вручную
 
 ## Установка
 
@@ -144,8 +128,8 @@ WorkingDirectory=/opt/telemt
 ExecStart=/bin/telemt /etc/telemt/telemt.toml
 Restart=on-failure
 LimitNOFILE=65536
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 NoNewPrivileges=true
 
 [Install]
@@ -166,7 +150,7 @@ systemctl daemon-reload
 
 **7.** Для получения ссылки/ссылок введите 
 ```bash
-curl -s http://127.0.0.1:9091/v1/users | jq -r '.data[] | "[\(.username)]", (.links.classic[]? | "classic: \(.)"), (.links.secure[]? | "secure: \(.)"), (.links.tls[]? | "tls: \(.)"), ""'
+curl -s http://127.0.0.1:9091/v1/users | jq
 ```
 > Одной ссылкой может пользоваться сколько угодно человек.
 

install.sh

@@ -8,257 +8,31 @@ CONFIG_DIR="${CONFIG_DIR:-/etc/telemt}"
 CONFIG_FILE="${CONFIG_FILE:-${CONFIG_DIR}/telemt.toml}"
 WORK_DIR="${WORK_DIR:-/opt/telemt}"
 TLS_DOMAIN="${TLS_DOMAIN:-petrovich.ru}"
-SERVER_PORT="${SERVER_PORT:-443}"
-USER_SECRET=""
-AD_TAG=""
 SERVICE_NAME="telemt"
 TEMP_DIR=""
 SUDO=""
 CONFIG_PARENT_DIR=""
 SERVICE_START_FAILED=0
 
-PORT_PROVIDED=0
-SECRET_PROVIDED=0
-AD_TAG_PROVIDED=0
-DOMAIN_PROVIDED=0
-LANG_PROVIDED=0
-
 ACTION="install"
 TARGET_VERSION="${VERSION:-latest}"
-LANG_CHOICE="en"
-
-set_language() {
-    case "$1" in
-        ru)
-            L_ERR_DOMAIN_REQ="требует аргумент (домен)."
-            L_ERR_PORT_REQ="требует аргумент (порт)."
-            L_ERR_PORT_NUM="Порт должен быть числом."
-            L_ERR_PORT_RANGE="Порт должен быть от 1 до 65535."
-            L_ERR_SECRET_REQ="требует аргумент (секрет)."
-            L_ERR_SECRET_HEX="Секрет должен содержать только HEX символы."
-            L_ERR_SECRET_LEN="Секрет должен состоять ровно из 32 символов."
-            L_ERR_ADTAG_REQ="требует аргумент (ad_tag)."
-            L_ERR_UNKNOWN_OPT="Неизвестная опция:"
-            L_WARN_EXTRA_ARG="Игнорируется лишний аргумент:"
-            L_ERR_REQ_ARG="требует аргумент (1, 2, en или ru)."
-            L_ERR_EMPTY_VAR="не может быть пустым."
-            L_ERR_INV_VER="Недопустимые символы в версии."
-            L_ERR_INV_BIN="Недопустимые символы в BIN_NAME."
-            L_ERR_ROOT="Для работы скрипта требуются права root или sudo."
-            L_ERR_SUDO_TTY="sudo требует пароль, но терминал (TTY) не обнаружен."
-            L_ERR_DIR_CHECK="Ошибка: конфиг является директорией."
-            L_ERR_CMD_NOT_FOUND="Необходимая команда не найдена:"
-            L_ERR_NO_DL_TOOL="Не установлен curl или wget."
-            L_ERR_NO_CP_TOOL="Необходима утилита cp или install."
-            L_WARN_NO_NET_TOOL="Утилиты сети не найдены. Проверка порта пропущена."
-            L_INFO_PORT_IGNORE="Порт занят текущим процессом телеметрии. Игнорируем."
-            L_ERR_PORT_IN_USE="Порт уже занят другим процессом:"
-            L_ERR_PORT_FREE="Освободите порт или укажите другой и попробуйте снова."
-            L_ERR_UNSUP_ARCH="Неподдерживаемая архитектура:"
-            L_ERR_CREATE_GRP="Не удалось создать группу"
-            L_ERR_CREATE_USR="Не удалось создать пользователя"
-            L_ERR_MKDIR="Не удалось создать директории"
-            L_ERR_INSTALL_DIR="не является директорией."
-            L_ERR_BIN_INSTALL="Не удалось установить бинарный файл"
-            L_ERR_BIN_COPY="Не удалось скопировать бинарный файл"
-            L_ERR_BIN_EXEC="Бинарный файл не исполняемый."
-            L_ERR_GEN_SEC="Не удалось сгенерировать секрет."
-            L_INFO_CONF_EXISTS="Конфиг уже существует. Обновление параметров..."
-            L_INFO_UPD_PORT="Обновлен порт:"
-            L_INFO_UPD_SEC="Обновлен секрет для пользователя 'hello'"
-            L_INFO_UPD_DOM="Обновлен tls_domain:"
-            L_INFO_UPD_TAG="Обновлен ad_tag"
-            L_ERR_CONF_INST="Не удалось установить конфиг"
-            L_INFO_CONF_OK="Конфиг успешно создан."
-            L_INFO_CONF_SEC="Настроен секрет для пользователя 'hello':"
-            L_WARN_SVC_FAIL="Не удалось запустить службу"
-            L_INFO_MANUAL_START="Менеджер служб не найден. Запустите вручную:"
-            L_INFO_UNINST_START="Начинается удаление"
-            L_U_STAGE_1=">>> Этап 1: Остановка служб"
-            L_U_STAGE_2=">>> Этап 2: Удаление конфигурации службы"
-            L_U_STAGE_3=">>> Этап 3: Завершение процессов пользователя"
-            L_U_STAGE_4=">>> Этап 4: Удаление бинарного файла"
-            L_U_STAGE_5=">>> Этап 5: Полная очистка (конфиг, данные, пользователь)"
-            L_INFO_KEEP_CONF="Примечание: Конфигурация сохранена. Используйте 'purge' для очистки."
-            L_INFO_I_START="Начинается установка"
-            L_I_STAGE_1=">>> Этап 1: Проверка окружения и зависимостей"
-            L_I_STAGE_1_5=">>> Этап 1.5: Интерактивная настройка"
-            L_I_PROMPT_DOM="\nПожалуйста, укажите домен TLS\nНажмите Enter, чтобы оставить по умолчанию [%s]: "
-            L_WARN_NO_TTY="Интерактивный режим недоступен (нет TTY). Используется:"
-            L_I_STAGE_2=">>> Этап 2: Загрузка архива"
-            L_ERR_TMP_DIR="Не удалось создать временную директорию"
-            L_ERR_TMP_INV="Временная директория недействительна"
-            L_INFO_FALLBACK="Сборка x86_64-v3 не найдена, откат к стандартной x86_64..."
-            L_ERR_DL_FAIL="Ошибка загрузки архива"
-            L_I_STAGE_3=">>> Этап 3: Распаковка архива"
-            L_ERR_EXTRACT="Ошибка распаковки архива."
-            L_ERR_BIN_NOT_FOUND="Бинарный файл не найден в архиве"
-            L_I_STAGE_4=">>> Этап 4: Настройка окружения (Юзер, Группа, Папки)"
-            L_I_STAGE_5=">>> Этап 5: Установка бинарного файла"
-            L_I_STAGE_6=">>> Этап 6: Генерация/Обновление конфигурации"
-            L_I_STAGE_7=">>> Этап 7: Установка и запуск службы"
-            L_OUT_WARN_H="УСТАНОВКА ЗАВЕРШЕНА С ПРЕДУПРЕЖДЕНИЯМИ"
-            L_OUT_WARN_D="Служба установлена, но не запустилась.\nПожалуйста, проверьте логи.\n"
-            L_OUT_SUCC_H="УСТАНОВКА УСПЕШНО ЗАВЕРШЕНА"
-            L_OUT_UNINST_H="УДАЛЕНИЕ ЗАВЕРШЕНО"
-            L_OUT_LINK="Ваша ссылка для подключения к Telegram Proxy:\n"
-            ;;
-        *)
-            L_ERR_DOMAIN_REQ="requires a domain argument."
-            L_ERR_PORT_REQ="requires a port argument."
-            L_ERR_PORT_NUM="Port must be a valid number."
-            L_ERR_PORT_RANGE="Port must be between 1 and 65535."
-            L_ERR_SECRET_REQ="requires a secret argument."
-            L_ERR_SECRET_HEX="Secret must contain only hex characters."
-            L_ERR_SECRET_LEN="Secret must be exactly 32 chars."
-            L_ERR_ADTAG_REQ="requires an ad_tag argument."
-            L_ERR_UNKNOWN_OPT="Unknown option:"
-            L_WARN_EXTRA_ARG="Ignoring extra argument:"
-            L_ERR_REQ_ARG="requires an argument (1, 2, en, ru)."
-            L_ERR_EMPTY_VAR="cannot be empty."
-            L_ERR_INV_VER="Invalid characters in version."
-            L_ERR_INV_BIN="Invalid characters in BIN_NAME."
-            L_ERR_ROOT="This script requires root or sudo."
-            L_ERR_SUDO_TTY="sudo requires a password, but no TTY detected."
-            L_ERR_DIR_CHECK="Safety check failed: Config is a directory."
-            L_ERR_CMD_NOT_FOUND="Required command not found:"
-            L_ERR_NO_DL_TOOL="Neither curl nor wget is installed."
-            L_ERR_NO_CP_TOOL="Need cp or install."
-            L_WARN_NO_NET_TOOL="Network tools not found. Skipping port check."
-            L_INFO_PORT_IGNORE="Port is in use by telemt. Ignoring as it will be restarted."
-            L_ERR_PORT_IN_USE="Port is already in use by another process:"
-            L_ERR_PORT_FREE="Please free the port or change it and try again."
-            L_ERR_UNSUP_ARCH="Unsupported architecture:"
-            L_ERR_CREATE_GRP="Cannot create group"
-            L_ERR_CREATE_USR="Cannot create user"
-            L_ERR_MKDIR="Failed to create directories"
-            L_ERR_INSTALL_DIR="is not a directory."
-            L_ERR_BIN_INSTALL="Failed to install binary"
-            L_ERR_BIN_COPY="Failed to copy binary"
-            L_ERR_BIN_EXEC="Binary not executable."
-            L_ERR_GEN_SEC="Failed to generate secret."
-            L_INFO_CONF_EXISTS="Config already exists. Updating parameters..."
-            L_INFO_UPD_PORT="Updated port:"
-            L_INFO_UPD_SEC="Updated secret for user 'hello'"
-            L_INFO_UPD_DOM="Updated tls_domain:"
-            L_INFO_UPD_TAG="Updated ad_tag"
-            L_ERR_CONF_INST="Failed to install config"
-            L_INFO_CONF_OK="Config created successfully."
-            L_INFO_CONF_SEC="Configured secret for user 'hello':"
-            L_WARN_SVC_FAIL="Failed to start service"
-            L_INFO_MANUAL_START="Service manager not found. Start manually:"
-            L_INFO_UNINST_START="Starting uninstallation of"
-            L_U_STAGE_1=">>> Stage 1: Stopping services"
-            L_U_STAGE_2=">>> Stage 2: Removing service configuration"
-            L_U_STAGE_3=">>> Stage 3: Terminating user processes"
-            L_U_STAGE_4=">>> Stage 4: Removing binary"
-            L_U_STAGE_5=">>> Stage 5: Purging configuration, data, and user"
-            L_INFO_KEEP_CONF="Note: Configuration kept. Run with 'purge' to remove completely."
-            L_INFO_I_START="Starting installation of"
-            L_I_STAGE_1=">>> Stage 1: Verifying environment and dependencies"
-            L_I_STAGE_1_5=">>> Stage 1.5: Interactive Setup"
-            L_I_PROMPT_DOM="\nPlease specify the TLS Domain\nPress Enter to keep default [%s]: "
-            L_WARN_NO_TTY="Interactive mode unavailable (no TTY). Using:"
-            L_I_STAGE_2=">>> Stage 2: Downloading archive"
-            L_ERR_TMP_DIR="Temp directory creation failed"
-            L_ERR_TMP_INV="Temp directory is invalid or was not created"
-            L_INFO_FALLBACK="x86_64-v3 build not found, falling back to standard x86_64..."
-            L_ERR_DL_FAIL="Download failed"
-            L_I_STAGE_3=">>> Stage 3: Extracting archive"
-            L_ERR_EXTRACT="Extraction failed."
-            L_ERR_BIN_NOT_FOUND="Binary not found in archive"
-            L_I_STAGE_4=">>> Stage 4: Setting up environment (User, Group, Directories)"
-            L_I_STAGE_5=">>> Stage 5: Installing binary"
-            L_I_STAGE_6=">>> Stage 6: Generating/Updating configuration"
-            L_I_STAGE_7=">>> Stage 7: Installing and starting service"
-            L_OUT_WARN_H="INSTALLATION COMPLETED WITH WARNINGS"
-            L_OUT_WARN_D="The service was installed but failed to start.\nPlease check the logs to determine the issue.\n"
-            L_OUT_SUCC_H="INSTALLATION SUCCESS"
-            L_OUT_UNINST_H="UNINSTALLATION COMPLETE"
-            L_OUT_LINK="Your Telegram Proxy connection link:\n"
-            ;;
-    esac
-}
-
-set_language "$LANG_CHOICE"
 
 while [ $# -gt 0 ]; do
     case "$1" in
         -h|--help) ACTION="help"; shift ;;
-        -l|--lang)
-            if [ "$#" -lt 2 ] || [ -z "$2" ]; then
-                printf '[ERROR] %s %s\n' "$1" "$L_ERR_REQ_ARG" >&2; exit 1
-            fi
-            case "$2" in
-                ru|2) LANG_CHOICE="ru"; set_language "$LANG_CHOICE"; LANG_PROVIDED=1 ;;
-                en|1) LANG_CHOICE="en"; set_language "$LANG_CHOICE"; LANG_PROVIDED=1 ;;
-                *) printf '[ERROR] %s %s\n' "$1" "$L_ERR_REQ_ARG" >&2; exit 1 ;;
-            esac
-            shift 2 ;;
-        -d|--domain)
-            if [ "$#" -lt 2 ] || [ -z "$2" ]; then
-                printf '[ERROR] %s %s\n' "$1" "$L_ERR_DOMAIN_REQ" >&2; exit 1
-            fi
-            TLS_DOMAIN="$2"; DOMAIN_PROVIDED=1; shift 2 ;;
-        -p|--port)
-            if [ "$#" -lt 2 ] || [ -z "$2" ]; then
-                printf '[ERROR] %s %s\n' "$1" "$L_ERR_PORT_REQ" >&2; exit 1
-            fi
-            case "$2" in
-                *[!0-9]*) printf '[ERROR] %s\n' "$L_ERR_PORT_NUM" >&2; exit 1 ;;
-            esac
-            port_num="$(printf '%s\n' "$2" | sed 's/^0*//')"
-            [ -z "$port_num" ] && port_num="0"
-            if [ "${#port_num}" -gt 5 ] || [ "$port_num" -lt 1 ] || [ "$port_num" -gt 65535 ]; then
-                printf '[ERROR] %s\n' "$L_ERR_PORT_RANGE" >&2; exit 1
-            fi
-            SERVER_PORT="$port_num"; PORT_PROVIDED=1; shift 2 ;;
-        -s|--secret)
-            if [ "$#" -lt 2 ] || [ -z "$2" ]; then
-                printf '[ERROR] %s %s\n' "$1" "$L_ERR_SECRET_REQ" >&2; exit 1
-            fi
-            case "$2" in
-                *[!0-9a-fA-F]*) printf '[ERROR] %s\n' "$L_ERR_SECRET_HEX" >&2; exit 1 ;;
-            esac
-            if [ "${#2}" -ne 32 ]; then
-                printf '[ERROR] %s\n' "$L_ERR_SECRET_LEN" >&2; exit 1
-            fi
-            USER_SECRET="$2"; SECRET_PROVIDED=1; shift 2 ;;
-        -a|--ad-tag|--ad_tag)
-            if [ "$#" -lt 2 ] || [ -z "$2" ]; then
-                printf '[ERROR] %s %s\n' "$1" "$L_ERR_ADTAG_REQ" >&2; exit 1
-            fi
-            AD_TAG="$2"; AD_TAG_PROVIDED=1; shift 2 ;;
         uninstall|--uninstall)
             if [ "$ACTION" != "purge" ]; then ACTION="uninstall"; fi
             shift ;;
         purge|--purge) ACTION="purge"; shift ;;
         install|--install) ACTION="install"; shift ;;
-        -*) printf '[ERROR] %s %s\n' "$L_ERR_UNKNOWN_OPT" "$1" >&2; exit 1 ;;
+        -*) printf '[ERROR] Unknown option: %s\n' "$1" >&2; exit 1 ;;
         *)
             if [ "$ACTION" = "install" ]; then TARGET_VERSION="$1"
-            else printf '[WARNING] %s %s\n' "$L_WARN_EXTRA_ARG" "$1" >&2; fi
+            else printf '[WARNING] Ignoring extra argument: %s\n' "$1" >&2; fi
             shift ;;
     esac
 done
 
-if [ "$ACTION" != "help" ] && [ "$LANG_PROVIDED" -eq 0 ]; then
-    if [ -t 0 ] || [ -c /dev/tty ]; then
-        printf "\nSelect language / Выберите язык:\n"
-        printf "  1) English (default)\n"
-        printf "  2) Русский\n"
-        printf "Your choice / Ваш выбор [1/2]: "
-        read -r input_lang </dev/tty || input_lang=""
-        case "$input_lang" in
-            2) LANG_CHOICE="ru" ;;
-            *) LANG_CHOICE="en" ;;
-        esac
-    else
-        LANG_CHOICE="en"
-    fi
-    set_language "$LANG_CHOICE"
-fi
-
 say() {
     if [ "$#" -eq 0 ] || [ -z "${1:-}" ]; then
         printf '\n'
@@ -278,33 +52,11 @@ cleanup() {
 trap cleanup EXIT INT TERM
 
 show_help() {
-    if [ "$LANG_CHOICE" = "ru" ]; then
+    say "Usage: $0 [ <version> | install | uninstall | purge | --help ]"
-        say "Использование: $0 [ <версия> | install | uninstall | purge ] [ опции ]"
+    say "  <version>    Install specific version (e.g. 3.3.15, default: latest)"
-        say "  <версия>     Установить конкретную версию (например, 3.3.15, по умолчанию: latest)"
+    say "  install      Install the latest version"
-        say "  install      Установить последнюю версию"
+    say "  uninstall    Remove the binary and service (keeps config and user)"
-        say "  uninstall    Удалить бинарный файл и службу"
+    say "  purge        Remove everything including configuration, data, and user"
-        say "  purge        Полностью удалить вместе с конфигурацией, данными и пользователем"
-        say ""
-        say "Опции:"
-        say "  -d, --domain Указать домен TLS (по умолчанию: petrovich.ru)"
-        say "  -p, --port   Указать порт сервера (по умолчанию: 443)"
-        say "  -s, --secret Указать секрет пользователя (32 hex символа)"
-        say "  -a, --ad-tag Указать ad_tag"
-        say "  -l, --lang   Выбрать язык вывода (1/en или 2/ru)"
-    else
-        say "Usage: $0 [ <version> | install | uninstall | purge ] [ options ]"
-        say "  <version>    Install specific version (e.g. 3.3.15, default: latest)"
-        say "  install      Install the latest version"
-        say "  uninstall    Remove the binary and service"
-        say "  purge        Remove everything including configuration, data, and user"
-        say ""
-        say "Options:"
-        say "  -d, --domain Set TLS domain (default: petrovich.ru)"
-        say "  -p, --port   Set server port (default: 443)"
-        say "  -s, --secret Set specific user secret (32 hex characters)"
-        say "  -a, --ad-tag Set ad_tag"
-        say "  -l, --lang   Set output language (1/en or 2/ru)"
-    fi
     exit 0
 }
 
@@ -360,22 +112,18 @@ get_svc_mgr() {
     else echo "none"; fi
 }
 
-is_config_exists() {
-    if [ -n "$SUDO" ]; then
-        $SUDO sh -c '[ -f "$1" ]' _ "$CONFIG_FILE"
-    else
-        [ -f "$CONFIG_FILE" ]
-    fi
-}
-
 verify_common() {
-    [ -n "$BIN_NAME" ] || die "BIN_NAME $L_ERR_EMPTY_VAR"
+    [ -n "$BIN_NAME" ] || die "BIN_NAME cannot be empty."
-    [ -n "$INSTALL_DIR" ] || die "INSTALL_DIR $L_ERR_EMPTY_VAR"
+    [ -n "$INSTALL_DIR" ] || die "INSTALL_DIR cannot be empty."
-    [ -n "$CONFIG_DIR" ] || die "CONFIG_DIR $L_ERR_EMPTY_VAR"
+    [ -n "$CONFIG_DIR" ] || die "CONFIG_DIR cannot be empty."
-    [ -n "$CONFIG_FILE" ] || die "CONFIG_FILE $L_ERR_EMPTY_VAR"
+    [ -n "$CONFIG_FILE" ] || die "CONFIG_FILE cannot be empty."
 
-    case "$TARGET_VERSION" in *[!a-zA-Z0-9_.-]*) die "$L_ERR_INV_VER" ;; esac
+    case "${INSTALL_DIR}${CONFIG_DIR}${WORK_DIR}${CONFIG_FILE}" in
-    case "$BIN_NAME" in *[!a-zA-Z0-9_-]*) die "$L_ERR_INV_BIN" ;; esac
+        *[!a-zA-Z0-9_./-]*) die "Invalid characters in paths. Only alphanumeric, _, ., -, and / allowed." ;;
+    esac
+
+    case "$TARGET_VERSION" in *[!a-zA-Z0-9_.-]*) die "Invalid characters in version." ;; esac
+    case "$BIN_NAME" in *[!a-zA-Z0-9_-]*) die "Invalid characters in BIN_NAME." ;; esac
 
     INSTALL_DIR="$(get_realpath "$INSTALL_DIR")"
     CONFIG_DIR="$(get_realpath "$CONFIG_DIR")"
@@ -389,83 +137,64 @@ verify_common() {
     if [ "$(id -u)" -eq 0 ]; then
         SUDO=""
     else
-        command -v sudo >/dev/null 2>&1 || die "$L_ERR_ROOT"
+        command -v sudo >/dev/null 2>&1 || die "This script requires root or sudo. Neither found."
         SUDO="sudo"
         if ! sudo -n true 2>/dev/null; then
             if ! [ -t 0 ]; then
-                die "$L_ERR_SUDO_TTY"
+                die "sudo requires a password, but no TTY detected. Aborting to prevent hang."
             fi
         fi
     fi
 
     if [ -n "$SUDO" ]; then
         if $SUDO sh -c '[ -d "$1" ]' _ "$CONFIG_FILE"; then
-            die "$L_ERR_DIR_CHECK"
+            die "Safety check failed: CONFIG_FILE '$CONFIG_FILE' is a directory."
         fi
     elif [ -d "$CONFIG_FILE" ]; then
-        die "$L_ERR_DIR_CHECK"
+        die "Safety check failed: CONFIG_FILE '$CONFIG_FILE' is a directory."
     fi
 
-    for cmd in id uname awk grep find rm chown chmod mv mktemp mkdir tr dd sed ps head sleep cat tar gzip; do
+    for path in "$CONFIG_DIR" "$CONFIG_PARENT_DIR" "$WORK_DIR"; do
-        command -v "$cmd" >/dev/null 2>&1 || die "$L_ERR_CMD_NOT_FOUND $cmd"
+        check_path="$(get_realpath "$path")"
+        case "$check_path" in
+            /|/bin|/sbin|/usr|/usr/bin|/usr/sbin|/usr/local|/usr/local/bin|/usr/local/sbin|/usr/local/etc|/usr/local/share|/etc|/var|/var/lib|/var/log|/var/run|/home|/root|/tmp|/lib|/lib64|/opt|/run|/boot|/dev|/sys|/proc)
+                die "Safety check failed: '$path' (resolved to '$check_path') is a critical system directory." ;;
+        esac
+    done
+
+    check_install_dir="$(get_realpath "$INSTALL_DIR")"
+    case "$check_install_dir" in
+        /|/etc|/var|/home|/root|/tmp|/usr|/usr/local|/opt|/boot|/dev|/sys|/proc|/run)
+            die "Safety check failed: INSTALL_DIR '$INSTALL_DIR' is a critical system directory." ;;
+    esac
+
+    for cmd in id uname grep find rm chown chmod mv mktemp mkdir tr dd sed ps head sleep cat tar gzip rmdir; do
+        command -v "$cmd" >/dev/null 2>&1 || die "Required command not found: $cmd"
     done
 }
 
 verify_install_deps() {
-    command -v curl >/dev/null 2>&1 || command -v wget >/dev/null 2>&1 || die "$L_ERR_NO_DL_TOOL"
+    command -v curl >/dev/null 2>&1 || command -v wget >/dev/null 2>&1 || die "Neither curl nor wget is installed."
-    command -v cp >/dev/null 2>&1 || command -v install >/dev/null 2>&1 || die "$L_ERR_NO_CP_TOOL"
+    command -v cp >/dev/null 2>&1 || command -v install >/dev/null 2>&1 || die "Need cp or install"
 
     if ! command -v setcap >/dev/null 2>&1; then
         if command -v apk >/dev/null 2>&1; then
-            $SUDO apk add --no-cache libcap-utils libcap >/dev/null 2>&1 || true
+            $SUDO apk add --no-cache libcap-utils >/dev/null 2>&1 || $SUDO apk add --no-cache libcap >/dev/null 2>&1 || true
         elif command -v apt-get >/dev/null 2>&1; then
-            $SUDO env DEBIAN_FRONTEND=noninteractive apt-get install -y -q libcap2-bin >/dev/null 2>&1 || {
+            $SUDO apt-get update -q >/dev/null 2>&1 || true
-                $SUDO env DEBIAN_FRONTEND=noninteractive apt-get update -q >/dev/null 2>&1 || true
+            $SUDO apt-get install -y -q libcap2-bin >/dev/null 2>&1 || true
-                $SUDO env DEBIAN_FRONTEND=noninteractive apt-get install -y -q libcap2-bin >/dev/null 2>&1 || true
-            }
         elif command -v dnf >/dev/null 2>&1; then $SUDO dnf install -y -q libcap >/dev/null 2>&1 || true
         elif command -v yum >/dev/null 2>&1; then $SUDO yum install -y -q libcap >/dev/null 2>&1 || true
         fi
     fi
 }
 
-check_port_availability() {
-    port_info=""
-
-    if command -v ss >/dev/null 2>&1; then
-        port_info=$($SUDO ss -tulnp 2>/dev/null | grep -E ":${SERVER_PORT}([[:space:]]|$)" || true)
-    elif command -v netstat >/dev/null 2>&1; then
-        port_info=$($SUDO netstat -tulnp 2>/dev/null | grep -E ":${SERVER_PORT}([[:space:]]|$)" || true)
-    elif command -v lsof >/dev/null 2>&1; then
-        port_info=$($SUDO lsof -i :${SERVER_PORT} 2>/dev/null | grep LISTEN || true)
-    else
-        say "[WARNING] $L_WARN_NO_NET_TOOL"
-        return 0
-    fi
-
-    if [ -n "$port_info" ]; then
-        if printf '%s\n' "$port_info" | grep -q "${BIN_NAME}"; then
-            say "  -> $L_INFO_PORT_IGNORE"
-        else
-            say "[ERROR] $L_ERR_PORT_IN_USE $SERVER_PORT:"
-            printf '  %s\n' "$port_info"
-            die "$L_ERR_PORT_FREE"
-        fi
-    fi
-}
-
 detect_arch() {
     sys_arch="$(uname -m)"
     case "$sys_arch" in
-        x86_64|amd64)
+        x86_64|amd64) echo "x86_64" ;;
-            if [ -r /proc/cpuinfo ] && grep -q "avx2" /proc/cpuinfo 2>/dev/null && grep -q "bmi2" /proc/cpuinfo 2>/dev/null; then
-                echo "x86_64-v3"
-            else
-                echo "x86_64"
-            fi
-            ;;
         aarch64|arm64) echo "aarch64" ;;
-        *) die "$L_ERR_UNSUP_ARCH $sys_arch" ;;
+        *) die "Unsupported architecture: $sys_arch" ;;
     esac
 }
 
@@ -489,7 +218,7 @@ ensure_user_group() {
     if ! check_os_entity group telemt; then
         if command -v groupadd >/dev/null 2>&1; then $SUDO groupadd -r telemt
         elif command -v addgroup >/dev/null 2>&1; then $SUDO addgroup -S telemt
-        else die "$L_ERR_CREATE_GRP" ; fi
+        else die "Cannot create group"; fi
     fi
 
     if ! check_os_entity passwd telemt; then
@@ -501,15 +230,15 @@ ensure_user_group() {
             else
                 $SUDO adduser --system --home "$WORK_DIR" --shell "$nologin_bin" --no-create-home --ingroup telemt --disabled-password telemt
             fi
-        else die "$L_ERR_CREATE_USR"; fi
+        else die "Cannot create user"; fi
     fi
 }
 
 setup_dirs() {
-    $SUDO mkdir -p "$WORK_DIR" "$CONFIG_DIR" "$CONFIG_PARENT_DIR" || die "$L_ERR_MKDIR"
+    $SUDO mkdir -p "$WORK_DIR" "$CONFIG_DIR" "$CONFIG_PARENT_DIR" || die "Failed to create directories"
     
     $SUDO chown telemt:telemt "$WORK_DIR" && $SUDO chmod 750 "$WORK_DIR"
-    $SUDO chown telemt:telemt "$CONFIG_DIR" && $SUDO chmod 750 "$CONFIG_DIR"
+    $SUDO chown root:telemt "$CONFIG_DIR" && $SUDO chmod 750 "$CONFIG_DIR"
     
     if [ "$CONFIG_PARENT_DIR" != "$CONFIG_DIR" ] && [ "$CONFIG_PARENT_DIR" != "." ] && [ "$CONFIG_PARENT_DIR" != "/" ]; then
         $SUDO chown root:telemt "$CONFIG_PARENT_DIR" && $SUDO chmod 750 "$CONFIG_PARENT_DIR"
@@ -528,23 +257,21 @@ stop_service() {
 install_binary() {
     bin_src="$1"; bin_dst="$2"
     if [ -e "$INSTALL_DIR" ] && [ ! -d "$INSTALL_DIR" ]; then
-        die "'$INSTALL_DIR' $L_ERR_INSTALL_DIR"
+        die "'$INSTALL_DIR' is not a directory."
     fi
 
-    $SUDO mkdir -p "$INSTALL_DIR" || die "$L_ERR_MKDIR"
+    $SUDO mkdir -p "$INSTALL_DIR" || die "Failed to create install directory"
-    
-    $SUDO rm -f "$bin_dst" 2>/dev/null || true
-
     if command -v install >/dev/null 2>&1; then
-        $SUDO install -m 0755 "$bin_src" "$bin_dst" || die "$L_ERR_BIN_INSTALL"
+        $SUDO install -m 0755 "$bin_src" "$bin_dst" || die "Failed to install binary"
     else
-        $SUDO cp "$bin_src" "$bin_dst" && $SUDO chmod 0755 "$bin_dst" || die "$L_ERR_BIN_COPY"
+        $SUDO rm -f "$bin_dst" 2>/dev/null || true
+        $SUDO cp "$bin_src" "$bin_dst" && $SUDO chmod 0755 "$bin_dst" || die "Failed to copy binary"
     fi
 
-    $SUDO sh -c '[ -x "$1" ]' _ "$bin_dst" || die "$L_ERR_BIN_EXEC $bin_dst"
+    $SUDO sh -c '[ -x "$1" ]' _ "$bin_dst" || die "Binary not executable: $bin_dst"
 
     if command -v setcap >/dev/null 2>&1; then
-        $SUDO setcap cap_net_bind_service,cap_net_admin=+ep "$bin_dst" 2>/dev/null || true
+        $SUDO setcap cap_net_bind_service=+ep "$bin_dst" 2>/dev/null || true
     fi
 }
 
@@ -560,20 +287,11 @@ generate_secret() {
 }
 
 generate_config_content() {
-    conf_secret="$1"
-    conf_tag="$2"
     escaped_tls_domain="$(printf '%s\n' "$TLS_DOMAIN" | tr -d '[:cntrl:]' | sed 's/\\/\\\\/g; s/"/\\"/g')"
 
     cat <<EOF
 [general]
-use_middle_proxy = true
+use_middle_proxy = false
-EOF
-
-    if [ -n "$conf_tag" ]; then
-        echo "ad_tag = \"${conf_tag}\""
-    fi
-
-    cat <<EOF
 
 [general.modes]
 classic = false
@@ -581,7 +299,7 @@ secure = false
 tls = true
 
 [server]
-port = ${SERVER_PORT}
+port = 443
 
 [server.api]
 enabled = true
@@ -592,65 +310,28 @@ whitelist = ["127.0.0.1/32"]
 tls_domain = "${escaped_tls_domain}"
 
 [access.users]
-hello = "${conf_secret}"
+hello = "$1"
 EOF
 }
 
 install_config() {
-    if is_config_exists; then
+    if [ -n "$SUDO" ]; then
-        say "  -> $L_INFO_CONF_EXISTS"
+        if $SUDO sh -c '[ -f "$1" ]' _ "$CONFIG_FILE"; then
-
+            say "  -> Config already exists at $CONFIG_FILE. Skipping creation."
-        tmp_conf="${TEMP_DIR}/config.tmp"
+            return 0
-        $SUDO cat "$CONFIG_FILE" > "$tmp_conf"
+        fi
-        
+    elif [ -f "$CONFIG_FILE" ]; then
-        escaped_domain="$(printf '%s\n' "$TLS_DOMAIN" | tr -d '[:cntrl:]' | sed 's/\\/\\\\/g; s/"/\\"/g')"
+        say "  -> Config already exists at $CONFIG_FILE. Skipping creation."
-
-        awk -v port="$SERVER_PORT" -v secret="$USER_SECRET" -v domain="$escaped_domain" -v ad_tag="$AD_TAG" \
-            -v flag_p="$PORT_PROVIDED" -v flag_s="$SECRET_PROVIDED" -v flag_d="$DOMAIN_PROVIDED" -v flag_a="$AD_TAG_PROVIDED" '
-        BEGIN { ad_tag_handled = 0 }
-        
-        flag_p == "1" && /^[ \t]*port[ \t]*=/ { print "port = " port; next }
-        flag_s == "1" && /^[ \t]*hello[ \t]*=/ { print "hello = \"" secret "\""; next }
-        flag_d == "1" && /^[ \t]*tls_domain[ \t]*=/ { print "tls_domain = \"" domain "\""; next }
-        
-        flag_a == "1" && /^[ \t]*ad_tag[ \t]*=/ { 
-            if (!ad_tag_handled) { 
-                print "ad_tag = \"" ad_tag "\""; 
-                ad_tag_handled = 1; 
-            } 
-            next 
-        }
-        flag_a == "1" && /^\[general\]/ { 
-            print; 
-            if (!ad_tag_handled) { 
-                print "ad_tag = \"" ad_tag "\""; 
-                ad_tag_handled = 1; 
-            } 
-            next 
-        }
-        
-        { print }
-        ' "$tmp_conf" > "${tmp_conf}.new" && mv "${tmp_conf}.new" "$tmp_conf"
-
-        [ "$PORT_PROVIDED" -eq 1 ] && say "  -> $L_INFO_UPD_PORT $SERVER_PORT"
-        [ "$SECRET_PROVIDED" -eq 1 ] && say "  -> $L_INFO_UPD_SEC"
-        [ "$DOMAIN_PROVIDED" -eq 1 ] && say "  -> $L_INFO_UPD_DOM $TLS_DOMAIN"
-        [ "$AD_TAG_PROVIDED" -eq 1 ] && say "  -> $L_INFO_UPD_TAG"
-
-        write_root "$CONFIG_FILE" < "$tmp_conf"
-        rm -f "$tmp_conf"
         return 0
     fi
 
-    if [ -z "$USER_SECRET" ]; then
+    toml_secret="$(generate_secret)" || die "Failed to generate secret."
-        USER_SECRET="$(generate_secret)" || die "$L_ERR_GEN_SEC"
-    fi
 
-    generate_config_content "$USER_SECRET" "$AD_TAG" | write_root "$CONFIG_FILE" || die "$L_ERR_CONF_INST"
+    generate_config_content "$toml_secret" | write_root "$CONFIG_FILE" || die "Failed to install config"
     $SUDO chown root:telemt "$CONFIG_FILE" && $SUDO chmod 640 "$CONFIG_FILE"
 
-    say "  -> $L_INFO_CONF_OK"
+    say "  -> Config created successfully."
-    say "  -> $L_INFO_CONF_SEC $USER_SECRET"
+    say "  -> Generated secret for default user 'hello': $toml_secret"
 }
 
 generate_systemd_content() {
@@ -667,10 +348,9 @@ Group=telemt
 WorkingDirectory=$WORK_DIR
 ExecStart="${INSTALL_DIR}/${BIN_NAME}" "${CONFIG_FILE}"
 Restart=on-failure
-RestartSec=5
 LimitNOFILE=65536
-AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
+AmbientCapabilities=CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 
 [Install]
 WantedBy=multi-user.target
@@ -703,7 +383,7 @@ install_service() {
         $SUDO systemctl enable "$SERVICE_NAME" || true
         
         if ! $SUDO systemctl start "$SERVICE_NAME"; then
-            say "[WARNING] $L_WARN_SVC_FAIL"
+            say "[WARNING] Failed to start service"
             SERVICE_START_FAILED=1
         fi
     elif [ "$svc" = "openrc" ]; then
@@ -713,15 +393,15 @@ install_service() {
         $SUDO rc-update add "$SERVICE_NAME" default 2>/dev/null || true
         
         if ! $SUDO rc-service "$SERVICE_NAME" start 2>/dev/null; then
-            say "[WARNING] $L_WARN_SVC_FAIL"
+            say "[WARNING] Failed to start service"
             SERVICE_START_FAILED=1
         fi
     else
         cmd="\"${INSTALL_DIR}/${BIN_NAME}\" \"${CONFIG_FILE}\""
         if [ -n "$SUDO" ]; then 
-            say "  -> $L_INFO_MANUAL_START sudo -u telemt $cmd"
+            say "  -> Service manager not found. Start manually: sudo -u telemt $cmd"
         else 
-            say "  -> $L_INFO_MANUAL_START su -s /bin/sh telemt -c '$cmd'"
+            say "  -> Service manager not found. Start manually: su -s /bin/sh telemt -c '$cmd'"
         fi
     fi
 }
@@ -735,8 +415,7 @@ kill_user_procs() {
         if command -v pgrep >/dev/null 2>&1; then
             pids="$(pgrep -u telemt 2>/dev/null || true)"
         else
-            pids="$(ps -ef 2>/dev/null | awk '$1=="telemt"{print $2}' || true)"
+            pids="$(ps -u telemt -o pid= 2>/dev/null || true)"
-            [ -z "$pids" ] && pids="$(ps 2>/dev/null | awk '$2=="telemt"{print $1}' || true)"
         fi
         
         if [ -n "$pids" ]; then
@@ -752,12 +431,12 @@ kill_user_procs() {
 }
 
 uninstall() {
-    say "$L_INFO_UNINST_START $BIN_NAME..."
+    say "Starting uninstallation of $BIN_NAME..."
 
-    say "$L_U_STAGE_1"
+    say ">>> Stage 1: Stopping services"
     stop_service
 
-    say "$L_U_STAGE_2"
+    say ">>> Stage 2: Removing service configuration"
     svc="$(get_svc_mgr)"
     if [ "$svc" = "systemd" ]; then
         $SUDO systemctl disable "$SERVICE_NAME" 2>/dev/null || true
@@ -768,30 +447,27 @@ uninstall() {
         $SUDO rm -f "/etc/init.d/${SERVICE_NAME}"
     fi
 
-    say "$L_U_STAGE_3"
+    say ">>> Stage 3: Terminating user processes"
     kill_user_procs
 
-    say "$L_U_STAGE_4"
+    say ">>> Stage 4: Removing binary"
     $SUDO rm -f "${INSTALL_DIR}/${BIN_NAME}"
 
     if [ "$ACTION" = "purge" ]; then
-        say "$L_U_STAGE_5"
+        say ">>> Stage 5: Purging configuration, data, and user"
         $SUDO rm -rf "$CONFIG_DIR" "$WORK_DIR"
         $SUDO rm -f "$CONFIG_FILE"
-        
+        if [ "$CONFIG_PARENT_DIR" != "$CONFIG_DIR" ] && [ "$CONFIG_PARENT_DIR" != "." ] && [ "$CONFIG_PARENT_DIR" != "/" ]; then
-        if check_os_entity passwd telemt; then
+            $SUDO rmdir "$CONFIG_PARENT_DIR" 2>/dev/null || true
-            $SUDO userdel telemt 2>/dev/null || $SUDO deluser telemt 2>/dev/null || true
-        fi
-        
-        if check_os_entity group telemt; then
-            $SUDO groupdel telemt 2>/dev/null || $SUDO delgroup telemt 2>/dev/null || true
         fi
+        $SUDO userdel telemt 2>/dev/null || $SUDO deluser telemt 2>/dev/null || true
+        $SUDO groupdel telemt 2>/dev/null || $SUDO delgroup telemt 2>/dev/null || true
     else
-        say "$L_INFO_KEEP_CONF"
+        say "Note: Configuration and user kept. Run with 'purge' to remove completely."
     fi
     
     printf '\n====================================================================\n'
-    printf '                    %s\n' "$L_OUT_UNINST_H"
+    printf '                    UNINSTALLATION COMPLETE\n'
     printf '====================================================================\n\n'
     exit 0
 }
@@ -800,44 +476,10 @@ case "$ACTION" in
     help) show_help ;;
     uninstall|purge) verify_common; uninstall ;;
     install)
-        say "$L_INFO_I_START $BIN_NAME (Version: $TARGET_VERSION)"
+        say "Starting installation of $BIN_NAME (Version: $TARGET_VERSION)"
 
-        say "$L_I_STAGE_1"
+        say ">>> Stage 1: Verifying environment and dependencies"
-        verify_common
+        verify_common; verify_install_deps
-        verify_install_deps
-
-        if is_config_exists; then
-            ext_port="$($SUDO awk -F'=' '/^[ \t]*port[ \t]*=/ {gsub(/[^0-9]/, "", $2); print $2; exit}' "$CONFIG_FILE" 2>/dev/null || true)"
-            if [ -n "$ext_port" ] && [ "$PORT_PROVIDED" -eq 0 ]; then
-                SERVER_PORT="$ext_port"
-            fi
-
-            ext_secret="$($SUDO awk -F'"' '/^[ \t]*hello[ \t]*=/ {print $2; exit}' "$CONFIG_FILE" 2>/dev/null || true)"
-            if [ -n "$ext_secret" ] && [ "$SECRET_PROVIDED" -eq 0 ]; then
-                USER_SECRET="$ext_secret"
-            fi
-
-            ext_domain="$($SUDO awk -F'"' '/^[ \t]*tls_domain[ \t]*=/ {print $2; exit}' "$CONFIG_FILE" 2>/dev/null || true)"
-            if [ -n "$ext_domain" ] && [ "$DOMAIN_PROVIDED" -eq 0 ]; then
-                TLS_DOMAIN="$ext_domain"
-            fi
-        fi
-
-        check_port_availability
-
-        if [ "$DOMAIN_PROVIDED" -eq 0 ]; then
-            say "$L_I_STAGE_1_5"
-            if [ -t 0 ] || [ -c /dev/tty ]; then
-                printf "$L_I_PROMPT_DOM" "$TLS_DOMAIN"
-                read -r input_domain </dev/tty || input_domain=""
-                if [ -n "$input_domain" ]; then
-                    TLS_DOMAIN="$input_domain"
-                fi
-            else
-                say "[WARNING] $L_WARN_NO_TTY $TLS_DOMAIN"
-            fi
-            DOMAIN_PROVIDED=1
-        fi
 
         if [ "$TARGET_VERSION" != "latest" ]; then 
             TARGET_VERSION="${TARGET_VERSION#v}"
@@ -852,74 +494,63 @@ case "$ACTION" in
             DL_URL="https://github.com/${REPO}/releases/download/${TARGET_VERSION}/${FILE_NAME}"
         fi
 
-        say "$L_I_STAGE_2"
+        say ">>> Stage 2: Downloading archive"
-        TEMP_DIR="$(mktemp -d)" || die "$L_ERR_TMP_DIR"
+        TEMP_DIR="$(mktemp -d)" || die "Temp directory creation failed"
         if [ -z "$TEMP_DIR" ] || [ ! -d "$TEMP_DIR" ]; then
-            die "$L_ERR_TMP_INV"
+            die "Temp directory is invalid or was not created"
         fi
 
-        if ! fetch_file "$DL_URL" "${TEMP_DIR}/${FILE_NAME}"; then
+        fetch_file "$DL_URL" "${TEMP_DIR}/${FILE_NAME}" || die "Download failed"
-            if [ "$ARCH" = "x86_64-v3" ]; then
-                say "  -> $L_INFO_FALLBACK"
-                ARCH="x86_64"
-                FILE_NAME="${BIN_NAME}-${ARCH}-linux-${LIBC}.tar.gz"
-                if [ "$TARGET_VERSION" = "latest" ]; then
-                    DL_URL="https://github.com/${REPO}/releases/latest/download/${FILE_NAME}"
-                else
-                    DL_URL="https://github.com/${REPO}/releases/download/${TARGET_VERSION}/${FILE_NAME}"
-                fi
-                fetch_file "$DL_URL" "${TEMP_DIR}/${FILE_NAME}" || die "$L_ERR_DL_FAIL"
-            else
-                die "$L_ERR_DL_FAIL"
-            fi
-        fi
 
-        say "$L_I_STAGE_3"
+        say ">>> Stage 3: Extracting archive"
         if ! gzip -dc "${TEMP_DIR}/${FILE_NAME}" | tar -xf - -C "$TEMP_DIR" 2>/dev/null; then
-            die "$L_ERR_EXTRACT"
+            die "Extraction failed (downloaded archive might be invalid or 404)."
         fi
 
         EXTRACTED_BIN="$(find "$TEMP_DIR" -type f -name "$BIN_NAME" -print 2>/dev/null | head -n 1 || true)"
-        [ -n "$EXTRACTED_BIN" ] || die "$L_ERR_BIN_NOT_FOUND"
+        [ -n "$EXTRACTED_BIN" ] || die "Binary '$BIN_NAME' not found in archive"
 
-        say "$L_I_STAGE_4"
+        say ">>> Stage 4: Setting up environment (User, Group, Directories)"
         ensure_user_group; setup_dirs; stop_service
         
-        say "$L_I_STAGE_5"
+        say ">>> Stage 5: Installing binary"
         install_binary "$EXTRACTED_BIN" "${INSTALL_DIR}/${BIN_NAME}"
         
-        say "$L_I_STAGE_6"
+        say ">>> Stage 6: Generating configuration"
         install_config
         
-        say "$L_I_STAGE_7"
+        say ">>> Stage 7: Installing and starting service"
         install_service
 
         if [ "${SERVICE_START_FAILED:-0}" -eq 1 ]; then
             printf '\n====================================================================\n'
-            printf '               %s\n' "$L_OUT_WARN_H"
+            printf '               INSTALLATION COMPLETED WITH WARNINGS\n'
             printf '====================================================================\n\n'
-            printf '%b' "$L_OUT_WARN_D"
+            printf 'The service was installed but failed to start automatically.\n'
+            printf 'Please check the logs to determine the issue.\n\n'
         else
             printf '\n====================================================================\n'
-            printf '                      %s\n' "$L_OUT_SUCC_H"
+            printf '                      INSTALLATION SUCCESS\n'
             printf '====================================================================\n\n'
         fi
         
-        SERVER_IP=""
+        svc="$(get_svc_mgr)"
-        if command -v curl >/dev/null 2>&1; then SERVER_IP="$(curl -s4 -m 3 ifconfig.me 2>/dev/null || curl -s4 -m 3 api.ipify.org 2>/dev/null || true)"
+        if [ "$svc" = "systemd" ]; then
-        elif command -v wget >/dev/null 2>&1; then SERVER_IP="$(wget -qO- -T 3 ifconfig.me 2>/dev/null || wget -qO- -T 3 api.ipify.org 2>/dev/null || true)"; fi
+            printf 'To check the status of your proxy service, run:\n'
-        [ -z "$SERVER_IP" ] && SERVER_IP="<YOUR_SERVER_IP>"
+            printf '  systemctl status %s\n\n' "$SERVICE_NAME"
+        elif [ "$svc" = "openrc" ]; then
+            printf 'To check the status of your proxy service, run:\n'
+            printf '  rc-service %s status\n\n' "$SERVICE_NAME"
+        fi
         
-        if command -v xxd >/dev/null 2>&1; then HEX_DOMAIN="$(printf '%s' "$TLS_DOMAIN" | xxd -p | tr -d '\n')"
+        printf 'To get your user connection links (for Telegram), run:\n'
-        elif command -v hexdump >/dev/null 2>&1; then HEX_DOMAIN="$(printf '%s' "$TLS_DOMAIN" | hexdump -v -e '/1 "%02x"')"
+        if command -v jq >/dev/null 2>&1; then
-        elif command -v od >/dev/null 2>&1; then HEX_DOMAIN="$(printf '%s' "$TLS_DOMAIN" | od -A n -t x1 | tr -d ' \n')"
+            printf '  curl -s http://127.0.0.1:9091/v1/users | jq -r '\''.data[] | "User: \\(.username)\\n\\(.links.tls[0] // empty)\\n"'\''\n'
-        else HEX_DOMAIN=""; fi
+        else
+            printf '  curl -s http://127.0.0.1:9091/v1/users\n'
+            printf '  (Tip: Install '\''jq'\'' for a much cleaner output)\n'
+        fi
         
-        CLIENT_SECRET="ee${USER_SECRET}${HEX_DOMAIN}"
+        printf '\n====================================================================\n'
-
-        printf '%b\n' "$L_OUT_LINK"
-        printf '  tg://proxy?server=%s&port=%s&secret=%s\n\n' "$SERVER_IP" "$SERVER_PORT" "$CLIENT_SECRET"
-
-        printf '====================================================================\n'
         ;;
 esac

src/api/mod.rs

@@ -37,12 +37,11 @@ mod runtime_watch;
 mod runtime_zero;
 mod users;
 
-use config_store::{current_revision, load_config_from_disk, parse_if_match};
+use config_store::{current_revision, parse_if_match};
 use events::ApiEventStore;
 use http_utils::{error_response, read_json, read_optional_json, success_response};
 use model::{
-    ApiFailure, CreateUserRequest, DeleteUserResponse, HealthData, PatchUserRequest,
+    ApiFailure, CreateUserRequest, HealthData, PatchUserRequest, RotateSecretRequest, SummaryData,
-    RotateSecretRequest, SummaryData, UserActiveIps,
 };
 use runtime_edge::{
     EdgeConnectionsCacheEntry, build_runtime_connections_summary_data,
@@ -363,33 +362,15 @@ async fn handle(
                 );
                 Ok(success_response(StatusCode::OK, data, revision))
             }
-            ("GET", "/v1/stats/users/active-ips") => {
-                let revision = current_revision(&shared.config_path).await?;
-                let usernames: Vec<_> = cfg.access.users.keys().cloned().collect();
-                let active_ips_map = shared.ip_tracker.get_active_ips_for_users(&usernames).await;
-                let mut data: Vec<UserActiveIps> = active_ips_map
-                    .into_iter()
-                    .filter(|(_, ips)| !ips.is_empty())
-                    .map(|(username, active_ips)| UserActiveIps {
-                        username,
-                        active_ips,
-                    })
-                    .collect();
-                data.sort_by(|a, b| a.username.cmp(&b.username));
-                Ok(success_response(StatusCode::OK, data, revision))
-            }
             ("GET", "/v1/stats/users") | ("GET", "/v1/users") => {
                 let revision = current_revision(&shared.config_path).await?;
-                let disk_cfg = load_config_from_disk(&shared.config_path).await?;
-                let runtime_cfg = config_rx.borrow().clone();
                 let (detected_ip_v4, detected_ip_v6) = shared.detected_link_ips();
                 let users = users_from_config(
-                    &disk_cfg,
+                    &cfg,
                     &shared.stats,
                     &shared.ip_tracker,
                     detected_ip_v4,
                     detected_ip_v6,
-                    Some(runtime_cfg.as_ref()),
                 )
                 .await;
                 Ok(success_response(StatusCode::OK, users, revision))
@@ -408,7 +389,7 @@ async fn handle(
                 let expected_revision = parse_if_match(req.headers());
                 let body = read_json::<CreateUserRequest>(req.into_body(), body_limit).await?;
                 let result = create_user(body, expected_revision, &shared).await;
-                let (mut data, revision) = match result {
+                let (data, revision) = match result {
                     Ok(ok) => ok,
                     Err(error) => {
                         shared
@@ -417,18 +398,11 @@ async fn handle(
                         return Err(error);
                     }
                 };
-                let runtime_cfg = config_rx.borrow().clone();
-                data.user.in_runtime = runtime_cfg.access.users.contains_key(&data.user.username);
                 shared.runtime_events.record(
                     "api.user.create.ok",
                     format!("username={}", data.user.username),
                 );
-                let status = if data.user.in_runtime {
+                Ok(success_response(StatusCode::CREATED, data, revision))
-                    StatusCode::CREATED
-                } else {
-                    StatusCode::ACCEPTED
-                };
-                Ok(success_response(status, data, revision))
             }
             _ => {
                 if let Some(user) = path.strip_prefix("/v1/users/")
@@ -437,16 +411,13 @@ async fn handle(
                 {
                     if method == Method::GET {
                         let revision = current_revision(&shared.config_path).await?;
-                        let disk_cfg = load_config_from_disk(&shared.config_path).await?;
-                        let runtime_cfg = config_rx.borrow().clone();
                         let (detected_ip_v4, detected_ip_v6) = shared.detected_link_ips();
                         let users = users_from_config(
-                            &disk_cfg,
+                            &cfg,
                             &shared.stats,
                             &shared.ip_tracker,
                             detected_ip_v4,
                             detected_ip_v6,
-                            Some(runtime_cfg.as_ref()),
                         )
                         .await;
                         if let Some(user_info) =
@@ -474,7 +445,7 @@ async fn handle(
                         let body =
                             read_json::<PatchUserRequest>(req.into_body(), body_limit).await?;
                         let result = patch_user(user, body, expected_revision, &shared).await;
-                        let (mut data, revision) = match result {
+                        let (data, revision) = match result {
                             Ok(ok) => ok,
                             Err(error) => {
                                 shared.runtime_events.record(
@@ -484,17 +455,10 @@ async fn handle(
                                 return Err(error);
                             }
                         };
-                        let runtime_cfg = config_rx.borrow().clone();
-                        data.in_runtime = runtime_cfg.access.users.contains_key(&data.username);
                         shared
                             .runtime_events
                             .record("api.user.patch.ok", format!("username={}", data.username));
-                        let status = if data.in_runtime {
+                        return Ok(success_response(StatusCode::OK, data, revision));
-                            StatusCode::OK
-                        } else {
-                            StatusCode::ACCEPTED
-                        };
-                        return Ok(success_response(status, data, revision));
                     }
                     if method == Method::DELETE {
                         if api_cfg.read_only {
@@ -522,18 +486,7 @@ async fn handle(
                         shared
                             .runtime_events
                             .record("api.user.delete.ok", format!("username={}", deleted_user));
-                        let runtime_cfg = config_rx.borrow().clone();
+                        return Ok(success_response(StatusCode::OK, deleted_user, revision));
-                        let in_runtime = runtime_cfg.access.users.contains_key(&deleted_user);
-                        let response = DeleteUserResponse {
-                            username: deleted_user,
-                            in_runtime,
-                        };
-                        let status = if response.in_runtime {
-                            StatusCode::ACCEPTED
-                        } else {
-                            StatusCode::OK
-                        };
-                        return Ok(success_response(status, response, revision));
                     }
                     if method == Method::POST
                         && let Some(base_user) = user.strip_suffix("/rotate-secret")
@@ -561,7 +514,7 @@ async fn handle(
                             &shared,
                         )
                         .await;
-                        let (mut data, revision) = match result {
+                        let (data, revision) = match result {
                             Ok(ok) => ok,
                             Err(error) => {
                                 shared.runtime_events.record(
@@ -571,19 +524,11 @@ async fn handle(
                                 return Err(error);
                             }
                         };
-                        let runtime_cfg = config_rx.borrow().clone();
-                        data.user.in_runtime =
-                            runtime_cfg.access.users.contains_key(&data.user.username);
                         shared.runtime_events.record(
                             "api.user.rotate_secret.ok",
                             format!("username={}", base_user),
                         );
-                        let status = if data.user.in_runtime {
+                        return Ok(success_response(StatusCode::OK, data, revision));
-                            StatusCode::OK
-                        } else {
-                            StatusCode::ACCEPTED
-                        };
-                        return Ok(success_response(status, data, revision));
                     }
                     if method == Method::POST {
                         return Ok(error_response(

src/api/model.rs

@@ -81,21 +81,10 @@ pub(super) struct ZeroCoreData {
     pub(super) connections_total: u64,
     pub(super) connections_bad_total: u64,
     pub(super) handshake_timeouts_total: u64,
-    pub(super) accept_permit_timeout_total: u64,
     pub(super) configured_users: usize,
     pub(super) telemetry_core_enabled: bool,
     pub(super) telemetry_user_enabled: bool,
     pub(super) telemetry_me_level: String,
-    pub(super) conntrack_control_enabled: bool,
-    pub(super) conntrack_control_available: bool,
-    pub(super) conntrack_pressure_active: bool,
-    pub(super) conntrack_event_queue_depth: u64,
-    pub(super) conntrack_rule_apply_ok: bool,
-    pub(super) conntrack_delete_attempt_total: u64,
-    pub(super) conntrack_delete_success_total: u64,
-    pub(super) conntrack_delete_not_found_total: u64,
-    pub(super) conntrack_delete_error_total: u64,
-    pub(super) conntrack_close_event_drop_total: u64,
 }
 
 #[derive(Serialize, Clone)]
@@ -439,7 +428,6 @@ pub(super) struct UserLinks {
 #[derive(Serialize)]
 pub(super) struct UserInfo {
     pub(super) username: String,
-    pub(super) in_runtime: bool,
     pub(super) user_ad_tag: Option<String>,
     pub(super) max_tcp_conns: Option<usize>,
     pub(super) expiration_rfc3339: Option<String>,
@@ -454,24 +442,12 @@ pub(super) struct UserInfo {
     pub(super) links: UserLinks,
 }
 
-#[derive(Serialize)]
-pub(super) struct UserActiveIps {
-    pub(super) username: String,
-    pub(super) active_ips: Vec<IpAddr>,
-}
-
 #[derive(Serialize)]
 pub(super) struct CreateUserResponse {
     pub(super) user: UserInfo,
     pub(super) secret: String,
 }
 
-#[derive(Serialize)]
-pub(super) struct DeleteUserResponse {
-    pub(super) username: String,
-    pub(super) in_runtime: bool,
-}
-
 #[derive(Deserialize)]
 pub(super) struct CreateUserRequest {
     pub(super) username: String,

src/api/runtime_stats.rs

@@ -39,21 +39,10 @@ pub(super) fn build_zero_all_data(stats: &Stats, configured_users: usize) -> Zer
             connections_total: stats.get_connects_all(),
             connections_bad_total: stats.get_connects_bad(),
             handshake_timeouts_total: stats.get_handshake_timeouts(),
-            accept_permit_timeout_total: stats.get_accept_permit_timeout_total(),
             configured_users,
             telemetry_core_enabled: telemetry.core_enabled,
             telemetry_user_enabled: telemetry.user_enabled,
             telemetry_me_level: telemetry.me_level.to_string(),
-            conntrack_control_enabled: stats.get_conntrack_control_enabled(),
-            conntrack_control_available: stats.get_conntrack_control_available(),
-            conntrack_pressure_active: stats.get_conntrack_pressure_active(),
-            conntrack_event_queue_depth: stats.get_conntrack_event_queue_depth(),
-            conntrack_rule_apply_ok: stats.get_conntrack_rule_apply_ok(),
-            conntrack_delete_attempt_total: stats.get_conntrack_delete_attempt_total(),
-            conntrack_delete_success_total: stats.get_conntrack_delete_success_total(),
-            conntrack_delete_not_found_total: stats.get_conntrack_delete_not_found_total(),
-            conntrack_delete_error_total: stats.get_conntrack_delete_error_total(),
-            conntrack_close_event_drop_total: stats.get_conntrack_close_event_drop_total(),
         },
         upstream: build_zero_upstream_data(stats),
         middle_proxy: ZeroMiddleProxyData {

src/api/runtime_zero.rs

@@ -50,7 +50,6 @@ pub(super) struct RuntimeGatesData {
 
 #[derive(Serialize)]
 pub(super) struct EffectiveTimeoutLimits {
-    pub(super) client_first_byte_idle_secs: u64,
     pub(super) client_handshake_secs: u64,
     pub(super) tg_connect_secs: u64,
     pub(super) client_keepalive_secs: u64,
@@ -100,11 +99,6 @@ pub(super) struct EffectiveUserIpPolicyLimits {
     pub(super) window_secs: u64,
 }
 
-#[derive(Serialize)]
-pub(super) struct EffectiveUserTcpPolicyLimits {
-    pub(super) global_each: usize,
-}
-
 #[derive(Serialize)]
 pub(super) struct EffectiveLimitsData {
     pub(super) update_every_secs: u64,
@@ -114,7 +108,6 @@ pub(super) struct EffectiveLimitsData {
     pub(super) upstream: EffectiveUpstreamLimits,
     pub(super) middle_proxy: EffectiveMiddleProxyLimits,
     pub(super) user_ip_policy: EffectiveUserIpPolicyLimits,
-    pub(super) user_tcp_policy: EffectiveUserTcpPolicyLimits,
 }
 
 #[derive(Serialize)]
@@ -234,9 +227,8 @@ pub(super) fn build_limits_effective_data(cfg: &ProxyConfig) -> EffectiveLimitsD
         me_reinit_every_secs: cfg.general.effective_me_reinit_every_secs(),
         me_pool_force_close_secs: cfg.general.effective_me_pool_force_close_secs(),
         timeouts: EffectiveTimeoutLimits {
-            client_first_byte_idle_secs: cfg.timeouts.client_first_byte_idle_secs,
             client_handshake_secs: cfg.timeouts.client_handshake,
-            tg_connect_secs: cfg.general.tg_connect,
+            tg_connect_secs: cfg.timeouts.tg_connect,
             client_keepalive_secs: cfg.timeouts.client_keepalive,
             client_ack_secs: cfg.timeouts.client_ack,
             me_one_retry: cfg.timeouts.me_one_retry,
@@ -295,9 +287,6 @@ pub(super) fn build_limits_effective_data(cfg: &ProxyConfig) -> EffectiveLimitsD
             mode: user_max_unique_ips_mode_label(cfg.access.user_max_unique_ips_mode),
             window_secs: cfg.access.user_max_unique_ips_window_secs,
         },
-        user_tcp_policy: EffectiveUserTcpPolicyLimits {
-            global_each: cfg.access.user_max_tcp_conns_global_each,
-        },
     }
 }
 

src/api/users.rs

@@ -136,7 +136,6 @@ pub(super) async fn create_user(
         &shared.ip_tracker,
         detected_ip_v4,
         detected_ip_v6,
-        None,
     )
     .await;
     let user = users
@@ -144,16 +143,8 @@ pub(super) async fn create_user(
         .find(|entry| entry.username == body.username)
         .unwrap_or(UserInfo {
             username: body.username.clone(),
-            in_runtime: false,
             user_ad_tag: None,
-            max_tcp_conns: cfg
+            max_tcp_conns: None,
-                .access
-                .user_max_tcp_conns
-                .get(&body.username)
-                .copied()
-                .filter(|limit| *limit > 0)
-                .or((cfg.access.user_max_tcp_conns_global_each > 0)
-                    .then_some(cfg.access.user_max_tcp_conns_global_each)),
             expiration_rfc3339: None,
             data_quota_bytes: None,
             max_unique_ips: updated_limit,
@@ -245,7 +236,6 @@ pub(super) async fn patch_user(
         &shared.ip_tracker,
         detected_ip_v4,
         detected_ip_v6,
-        None,
     )
     .await;
     let user_info = users
@@ -303,7 +293,6 @@ pub(super) async fn rotate_secret(
         &shared.ip_tracker,
         detected_ip_v4,
         detected_ip_v6,
-        None,
     )
     .await;
     let user_info = users
@@ -376,7 +365,6 @@ pub(super) async fn users_from_config(
     ip_tracker: &UserIpTracker,
     startup_detected_ip_v4: Option<IpAddr>,
     startup_detected_ip_v6: Option<IpAddr>,
-    runtime_cfg: Option<&ProxyConfig>,
 ) -> Vec<UserInfo> {
     let mut names = cfg.access.users.keys().cloned().collect::<Vec<_>>();
     names.sort();
@@ -406,18 +394,8 @@ pub(super) async fn users_from_config(
                 tls: Vec::new(),
             });
         users.push(UserInfo {
-            in_runtime: runtime_cfg
-                .map(|runtime| runtime.access.users.contains_key(&username))
-                .unwrap_or(false),
             user_ad_tag: cfg.access.user_ad_tags.get(&username).cloned(),
-            max_tcp_conns: cfg
+            max_tcp_conns: cfg.access.user_max_tcp_conns.get(&username).copied(),
-                .access
-                .user_max_tcp_conns
-                .get(&username)
-                .copied()
-                .filter(|limit| *limit > 0)
-                .or((cfg.access.user_max_tcp_conns_global_each > 0)
-                    .then_some(cfg.access.user_max_tcp_conns_global_each)),
             expiration_rfc3339: cfg
                 .access
                 .user_expirations
@@ -594,94 +572,3 @@ fn resolve_tls_domains(cfg: &ProxyConfig) -> Vec<&str> {
     }
     domains
 }
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use crate::ip_tracker::UserIpTracker;
-    use crate::stats::Stats;
-
-    #[tokio::test]
-    async fn users_from_config_reports_effective_tcp_limit_with_global_fallback() {
-        let mut cfg = ProxyConfig::default();
-        cfg.access.users.insert(
-            "alice".to_string(),
-            "0123456789abcdef0123456789abcdef".to_string(),
-        );
-        cfg.access.user_max_tcp_conns_global_each = 7;
-
-        let stats = Stats::new();
-        let tracker = UserIpTracker::new();
-
-        let users = users_from_config(&cfg, &stats, &tracker, None, None, None).await;
-        let alice = users
-            .iter()
-            .find(|entry| entry.username == "alice")
-            .expect("alice must be present");
-        assert!(!alice.in_runtime);
-        assert_eq!(alice.max_tcp_conns, Some(7));
-
-        cfg.access.user_max_tcp_conns.insert("alice".to_string(), 5);
-        let users = users_from_config(&cfg, &stats, &tracker, None, None, None).await;
-        let alice = users
-            .iter()
-            .find(|entry| entry.username == "alice")
-            .expect("alice must be present");
-        assert!(!alice.in_runtime);
-        assert_eq!(alice.max_tcp_conns, Some(5));
-
-        cfg.access.user_max_tcp_conns.insert("alice".to_string(), 0);
-        let users = users_from_config(&cfg, &stats, &tracker, None, None, None).await;
-        let alice = users
-            .iter()
-            .find(|entry| entry.username == "alice")
-            .expect("alice must be present");
-        assert!(!alice.in_runtime);
-        assert_eq!(alice.max_tcp_conns, Some(7));
-
-        cfg.access.user_max_tcp_conns_global_each = 0;
-        let users = users_from_config(&cfg, &stats, &tracker, None, None, None).await;
-        let alice = users
-            .iter()
-            .find(|entry| entry.username == "alice")
-            .expect("alice must be present");
-        assert!(!alice.in_runtime);
-        assert_eq!(alice.max_tcp_conns, None);
-    }
-
-    #[tokio::test]
-    async fn users_from_config_marks_runtime_membership_when_snapshot_is_provided() {
-        let mut disk_cfg = ProxyConfig::default();
-        disk_cfg.access.users.insert(
-            "alice".to_string(),
-            "0123456789abcdef0123456789abcdef".to_string(),
-        );
-        disk_cfg.access.users.insert(
-            "bob".to_string(),
-            "fedcba9876543210fedcba9876543210".to_string(),
-        );
-
-        let mut runtime_cfg = ProxyConfig::default();
-        runtime_cfg.access.users.insert(
-            "alice".to_string(),
-            "0123456789abcdef0123456789abcdef".to_string(),
-        );
-
-        let stats = Stats::new();
-        let tracker = UserIpTracker::new();
-        let users =
-            users_from_config(&disk_cfg, &stats, &tracker, None, None, Some(&runtime_cfg)).await;
-
-        let alice = users
-            .iter()
-            .find(|entry| entry.username == "alice")
-            .expect("alice must be present");
-        let bob = users
-            .iter()
-            .find(|entry| entry.username == "bob")
-            .expect("bob must be present");
-
-        assert!(alice.in_runtime);
-        assert!(!bob.in_runtime);
-    }
-}

src/cli.rs

@@ -1,270 +1,11 @@
-//! CLI commands: --init (fire-and-forget setup), daemon options, subcommands
+//! CLI commands: --init (fire-and-forget setup)
-//!
-//! Subcommands:
-//! - `start [OPTIONS] [config.toml]` - Start the daemon
-//! - `stop [--pid-file PATH]` - Stop a running daemon
-//! - `reload [--pid-file PATH]` - Reload configuration (SIGHUP)
-//! - `status [--pid-file PATH]` - Check daemon status
-//! - `run [OPTIONS] [config.toml]` - Run in foreground (default behavior)
 
 use rand::RngExt;
 use std::fs;
 use std::path::{Path, PathBuf};
 use std::process::Command;
 
-#[cfg(unix)]
-use crate::daemon::{self, DEFAULT_PID_FILE, DaemonOptions};
-
-/// CLI subcommand to execute.
-#[derive(Debug, Clone, PartialEq, Eq)]
-pub enum Subcommand {
-    /// Run the proxy (default, or explicit `run` subcommand).
-    Run,
-    /// Start as daemon (`start` subcommand).
-    Start,
-    /// Stop a running daemon (`stop` subcommand).
-    Stop,
-    /// Reload configuration (`reload` subcommand).
-    Reload,
-    /// Check daemon status (`status` subcommand).
-    Status,
-    /// Fire-and-forget setup (`--init`).
-    Init,
-}
-
-/// Parsed subcommand with its options.
-#[derive(Debug)]
-pub struct ParsedCommand {
-    pub subcommand: Subcommand,
-    pub pid_file: PathBuf,
-    pub config_path: String,
-    #[cfg(unix)]
-    pub daemon_opts: DaemonOptions,
-    pub init_opts: Option<InitOptions>,
-}
-
-impl Default for ParsedCommand {
-    fn default() -> Self {
-        Self {
-            subcommand: Subcommand::Run,
-            #[cfg(unix)]
-            pid_file: PathBuf::from(DEFAULT_PID_FILE),
-            #[cfg(not(unix))]
-            pid_file: PathBuf::from("/var/run/telemt.pid"),
-            config_path: "config.toml".to_string(),
-            #[cfg(unix)]
-            daemon_opts: DaemonOptions::default(),
-            init_opts: None,
-        }
-    }
-}
-
-/// Parse CLI arguments into a command structure.
-pub fn parse_command(args: &[String]) -> ParsedCommand {
-    let mut cmd = ParsedCommand::default();
-
-    // Check for --init first (legacy form)
-    if args.iter().any(|a| a == "--init") {
-        cmd.subcommand = Subcommand::Init;
-        cmd.init_opts = parse_init_args(args);
-        return cmd;
-    }
-
-    // Check for subcommand as first argument
-    if let Some(first) = args.first() {
-        match first.as_str() {
-            "start" => {
-                cmd.subcommand = Subcommand::Start;
-                #[cfg(unix)]
-                {
-                    cmd.daemon_opts = parse_daemon_args(args);
-                    // Force daemonize for start command
-                    cmd.daemon_opts.daemonize = true;
-                }
-            }
-            "stop" => {
-                cmd.subcommand = Subcommand::Stop;
-            }
-            "reload" => {
-                cmd.subcommand = Subcommand::Reload;
-            }
-            "status" => {
-                cmd.subcommand = Subcommand::Status;
-            }
-            "run" => {
-                cmd.subcommand = Subcommand::Run;
-                #[cfg(unix)]
-                {
-                    cmd.daemon_opts = parse_daemon_args(args);
-                }
-            }
-            _ => {
-                // No subcommand, default to Run
-                #[cfg(unix)]
-                {
-                    cmd.daemon_opts = parse_daemon_args(args);
-                }
-            }
-        }
-    }
-
-    // Parse remaining options
-    let mut i = 0;
-    while i < args.len() {
-        match args[i].as_str() {
-            // Skip subcommand names
-            "start" | "stop" | "reload" | "status" | "run" => {}
-            // PID file option (for stop/reload/status)
-            "--pid-file" => {
-                i += 1;
-                if i < args.len() {
-                    cmd.pid_file = PathBuf::from(&args[i]);
-                    #[cfg(unix)]
-                    {
-                        cmd.daemon_opts.pid_file = Some(cmd.pid_file.clone());
-                    }
-                }
-            }
-            s if s.starts_with("--pid-file=") => {
-                cmd.pid_file = PathBuf::from(s.trim_start_matches("--pid-file="));
-                #[cfg(unix)]
-                {
-                    cmd.daemon_opts.pid_file = Some(cmd.pid_file.clone());
-                }
-            }
-            // Config path (positional, non-flag argument)
-            s if !s.starts_with('-') => {
-                cmd.config_path = s.to_string();
-            }
-            _ => {}
-        }
-        i += 1;
-    }
-
-    cmd
-}
-
-/// Execute a subcommand that doesn't require starting the server.
-/// Returns `Some(exit_code)` if the command was handled, `None` if server should start.
-#[cfg(unix)]
-pub fn execute_subcommand(cmd: &ParsedCommand) -> Option<i32> {
-    match cmd.subcommand {
-        Subcommand::Stop => Some(cmd_stop(&cmd.pid_file)),
-        Subcommand::Reload => Some(cmd_reload(&cmd.pid_file)),
-        Subcommand::Status => Some(cmd_status(&cmd.pid_file)),
-        Subcommand::Init => {
-            if let Some(opts) = cmd.init_opts.clone() {
-                match run_init(opts) {
-                    Ok(()) => Some(0),
-                    Err(e) => {
-                        eprintln!("[telemt] Init failed: {}", e);
-                        Some(1)
-                    }
-                }
-            } else {
-                Some(1)
-            }
-        }
-        // Run and Start need the server
-        Subcommand::Run | Subcommand::Start => None,
-    }
-}
-
-#[cfg(not(unix))]
-pub fn execute_subcommand(cmd: &ParsedCommand) -> Option<i32> {
-    match cmd.subcommand {
-        Subcommand::Stop | Subcommand::Reload | Subcommand::Status => {
-            eprintln!("[telemt] Subcommand not supported on this platform");
-            Some(1)
-        }
-        Subcommand::Init => {
-            if let Some(opts) = cmd.init_opts.clone() {
-                match run_init(opts) {
-                    Ok(()) => Some(0),
-                    Err(e) => {
-                        eprintln!("[telemt] Init failed: {}", e);
-                        Some(1)
-                    }
-                }
-            } else {
-                Some(1)
-            }
-        }
-        Subcommand::Run | Subcommand::Start => None,
-    }
-}
-
-/// Stop command: send SIGTERM to the running daemon.
-#[cfg(unix)]
-fn cmd_stop(pid_file: &Path) -> i32 {
-    use nix::sys::signal::Signal;
-
-    println!("Stopping telemt daemon...");
-
-    match daemon::signal_pid_file(pid_file, Signal::SIGTERM) {
-        Ok(()) => {
-            println!("Stop signal sent successfully");
-
-            // Wait for process to exit (up to 10 seconds)
-            for _ in 0..20 {
-                std::thread::sleep(std::time::Duration::from_millis(500));
-                if let daemon::DaemonStatus::NotRunning = daemon::check_status(pid_file) {
-                    println!("Daemon stopped");
-                    return 0;
-                }
-            }
-            println!("Daemon may still be shutting down");
-            0
-        }
-        Err(e) => {
-            eprintln!("Failed to stop daemon: {}", e);
-            1
-        }
-    }
-}
-
-/// Reload command: send SIGHUP to trigger config reload.
-#[cfg(unix)]
-fn cmd_reload(pid_file: &Path) -> i32 {
-    use nix::sys::signal::Signal;
-
-    println!("Reloading telemt configuration...");
-
-    match daemon::signal_pid_file(pid_file, Signal::SIGHUP) {
-        Ok(()) => {
-            println!("Reload signal sent successfully");
-            0
-        }
-        Err(e) => {
-            eprintln!("Failed to reload daemon: {}", e);
-            1
-        }
-    }
-}
-
-/// Status command: check if daemon is running.
-#[cfg(unix)]
-fn cmd_status(pid_file: &Path) -> i32 {
-    match daemon::check_status(pid_file) {
-        daemon::DaemonStatus::Running(pid) => {
-            println!("telemt is running (pid {})", pid);
-            0
-        }
-        daemon::DaemonStatus::Stale(pid) => {
-            println!("telemt is not running (stale pid file, was pid {})", pid);
-            // Clean up stale PID file
-            let _ = std::fs::remove_file(pid_file);
-            1
-        }
-        daemon::DaemonStatus::NotRunning => {
-            println!("telemt is not running");
-            1
-        }
-    }
-}
-
 /// Options for the init command
-#[derive(Debug, Clone)]
 pub struct InitOptions {
     pub port: u16,
     pub domain: String,
@@ -274,64 +15,6 @@ pub struct InitOptions {
     pub no_start: bool,
 }
 
-/// Parse daemon-related options from CLI args.
-#[cfg(unix)]
-pub fn parse_daemon_args(args: &[String]) -> DaemonOptions {
-    let mut opts = DaemonOptions::default();
-    let mut i = 0;
-
-    while i < args.len() {
-        match args[i].as_str() {
-            "--daemon" | "-d" => {
-                opts.daemonize = true;
-            }
-            "--foreground" | "-f" => {
-                opts.foreground = true;
-            }
-            "--pid-file" => {
-                i += 1;
-                if i < args.len() {
-                    opts.pid_file = Some(PathBuf::from(&args[i]));
-                }
-            }
-            s if s.starts_with("--pid-file=") => {
-                opts.pid_file = Some(PathBuf::from(s.trim_start_matches("--pid-file=")));
-            }
-            "--run-as-user" => {
-                i += 1;
-                if i < args.len() {
-                    opts.user = Some(args[i].clone());
-                }
-            }
-            s if s.starts_with("--run-as-user=") => {
-                opts.user = Some(s.trim_start_matches("--run-as-user=").to_string());
-            }
-            "--run-as-group" => {
-                i += 1;
-                if i < args.len() {
-                    opts.group = Some(args[i].clone());
-                }
-            }
-            s if s.starts_with("--run-as-group=") => {
-                opts.group = Some(s.trim_start_matches("--run-as-group=").to_string());
-            }
-            "--working-dir" => {
-                i += 1;
-                if i < args.len() {
-                    opts.working_dir = Some(PathBuf::from(&args[i]));
-                }
-            }
-            s if s.starts_with("--working-dir=") => {
-                opts.working_dir = Some(PathBuf::from(s.trim_start_matches("--working-dir=")));
-            }
-            _ => {}
-        }
-        i += 1;
-    }
-
-    opts
-}
-
 impl Default for InitOptions {
     fn default() -> Self {
         Self {
@@ -401,16 +84,10 @@ pub fn parse_init_args(args: &[String]) -> Option<InitOptions> {
 
 /// Run the fire-and-forget setup.
 pub fn run_init(opts: InitOptions) -> Result<(), Box<dyn std::error::Error>> {
-    use crate::service::{self, InitSystem, ServiceOptions};
-
     eprintln!("[telemt] Fire-and-forget setup");
     eprintln!();
 
-    // 1. Detect init system
+    // 1. Generate or validate secret
-    let init_system = service::detect_init_system();
-    eprintln!("[+] Detected init system: {}", init_system);
-
-    // 2. Generate or validate secret
     let secret = match opts.secret {
         Some(s) => {
             if s.len() != 32 || !s.chars().all(|c| c.is_ascii_hexdigit()) {
@@ -427,126 +104,72 @@ pub fn run_init(opts: InitOptions) -> Result<(), Box<dyn std::error::Error>> {
     eprintln!("[+] Port:   {}", opts.port);
     eprintln!("[+] Domain: {}", opts.domain);
 
-    // 3. Create config directory
+    // 2. Create config directory
     fs::create_dir_all(&opts.config_dir)?;
     let config_path = opts.config_dir.join("config.toml");
 
-    // 4. Write config
+    // 3. Write config
     let config_content = generate_config(&opts.username, &secret, opts.port, &opts.domain);
     fs::write(&config_path, &config_content)?;
     eprintln!("[+] Config written to {}", config_path.display());
 
-    // 5. Generate and write service file
+    // 4. Write systemd unit
     let exe_path =
         std::env::current_exe().unwrap_or_else(|_| PathBuf::from("/usr/local/bin/telemt"));
 
-    let service_opts = ServiceOptions {
+    let unit_path = Path::new("/etc/systemd/system/telemt.service");
-        exe_path: &exe_path,
+    let unit_content = generate_systemd_unit(&exe_path, &config_path);
-        config_path: &config_path,
-        user: None, // Let systemd/init handle user
-        group: None,
-        pid_file: "/var/run/telemt.pid",
-        working_dir: Some("/var/lib/telemt"),
-        description: "Telemt MTProxy - Telegram MTProto Proxy",
-    };
 
-    let service_path = service::service_file_path(init_system);
+    match fs::write(unit_path, &unit_content) {
-    let service_content = service::generate_service_file(init_system, &service_opts);
-
-    // Ensure parent directory exists
-    if let Some(parent) = Path::new(service_path).parent() {
-        let _ = fs::create_dir_all(parent);
-    }
-
-    match fs::write(service_path, &service_content) {
         Ok(()) => {
-            eprintln!("[+] Service file written to {}", service_path);
+            eprintln!("[+] Systemd unit written to {}", unit_path.display());
-
-            // Make script executable for OpenRC/FreeBSD
-            #[cfg(unix)]
-            if init_system == InitSystem::OpenRC || init_system == InitSystem::FreeBSDRc {
-                use std::os::unix::fs::PermissionsExt;
-                let mut perms = fs::metadata(service_path)?.permissions();
-                perms.set_mode(0o755);
-                fs::set_permissions(service_path, perms)?;
-            }
         }
         Err(e) => {
-            eprintln!("[!] Cannot write service file (run as root?): {}", e);
+            eprintln!("[!] Cannot write systemd unit (run as root?): {}", e);
-            eprintln!("[!] Manual service file content:");
+            eprintln!("[!] Manual unit file content:");
-            eprintln!("{}", service_content);
+            eprintln!("{}", unit_content);
 
-            // Still print links and installation instructions
+            // Still print links and config
-            eprintln!();
-            eprintln!("{}", service::installation_instructions(init_system));
             print_links(&opts.username, &secret, opts.port, &opts.domain);
             return Ok(());
         }
     }
 
-    // 6. Install and enable service based on init system
+    // 5. Reload systemd
-    match init_system {
+    run_cmd("systemctl", &["daemon-reload"]);
-        InitSystem::Systemd => {
-            run_cmd("systemctl", &["daemon-reload"]);
-            run_cmd("systemctl", &["enable", "telemt.service"]);
-            eprintln!("[+] Service enabled");
 
-            if !opts.no_start {
+    // 6. Enable service
-                run_cmd("systemctl", &["start", "telemt.service"]);
+    run_cmd("systemctl", &["enable", "telemt.service"]);
-                eprintln!("[+] Service started");
+    eprintln!("[+] Service enabled");
 
-                std::thread::sleep(std::time::Duration::from_secs(1));
+    // 7. Start service (unless --no-start)
-                let status = Command::new("systemctl")
+    if !opts.no_start {
-                    .args(["is-active", "telemt.service"])
+        run_cmd("systemctl", &["start", "telemt.service"]);
-                    .output();
+        eprintln!("[+] Service started");
 
-                match status {
+        // Brief delay then check status
-                    Ok(out) if out.status.success() => {
+        std::thread::sleep(std::time::Duration::from_secs(1));
-                        eprintln!("[+] Service is running");
+        let status = Command::new("systemctl")
-                    }
+            .args(["is-active", "telemt.service"])
-                    _ => {
+            .output();
-                        eprintln!("[!] Service may not have started correctly");
+
-                        eprintln!("[!] Check: journalctl -u telemt.service -n 20");
+        match status {
-                    }
+            Ok(out) if out.status.success() => {
-                }
+                eprintln!("[+] Service is running");
-            } else {
+            }
-                eprintln!("[+] Service not started (--no-start)");
+            _ => {
-                eprintln!("[+] Start manually: systemctl start telemt.service");
+                eprintln!("[!] Service may not have started correctly");
+                eprintln!("[!] Check: journalctl -u telemt.service -n 20");
             }
         }
-        InitSystem::OpenRC => {
+    } else {
-            run_cmd("rc-update", &["add", "telemt", "default"]);
+        eprintln!("[+] Service not started (--no-start)");
-            eprintln!("[+] Service enabled");
+        eprintln!("[+] Start manually: systemctl start telemt.service");
-
-            if !opts.no_start {
-                run_cmd("rc-service", &["telemt", "start"]);
-                eprintln!("[+] Service started");
-            } else {
-                eprintln!("[+] Service not started (--no-start)");
-                eprintln!("[+] Start manually: rc-service telemt start");
-            }
-        }
-        InitSystem::FreeBSDRc => {
-            run_cmd("sysrc", &["telemt_enable=YES"]);
-            eprintln!("[+] Service enabled");
-
-            if !opts.no_start {
-                run_cmd("service", &["telemt", "start"]);
-                eprintln!("[+] Service started");
-            } else {
-                eprintln!("[+] Service not started (--no-start)");
-                eprintln!("[+] Start manually: service telemt start");
-            }
-        }
-        InitSystem::Unknown => {
-            eprintln!("[!] Unknown init system - service file written but not installed");
-            eprintln!("[!] You may need to install it manually");
-        }
     }
 
     eprintln!();
 
-    // 7. Print links
+    // 8. Print links
     print_links(&opts.username, &secret, opts.port, &opts.domain);
 
     Ok(())
@@ -584,7 +207,6 @@ me_pool_drain_soft_evict_cooldown_ms = 1000
 me_bind_stale_mode = "never"
 me_pool_min_fresh_ratio = 0.8
 me_reinit_drain_timeout_secs = 90
-tg_connect = 10
 
 [network]
 ipv4 = true
@@ -610,8 +232,8 @@ ip = "0.0.0.0"
 ip = "::"
 
 [timeouts]
-client_first_byte_idle_secs = 300
+client_handshake = 15
-client_handshake = 60
+tg_connect = 10
 client_keepalive = 60
 client_ack = 300
 
@@ -623,7 +245,6 @@ fake_cert_len = 2048
 tls_full_cert_ttl_secs = 90
 
 [access]
-user_max_tcp_conns_global_each = 0
 replay_check_len = 65536
 replay_window_secs = 120
 ignore_time_skew = false
@@ -643,6 +264,35 @@ weight = 10
     )
 }
 
+fn generate_systemd_unit(exe_path: &Path, config_path: &Path) -> String {
+    format!(
+        r#"[Unit]
+Description=Telemt MTProxy
+Documentation=https://github.com/telemt/telemt
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart={exe} {config}
+Restart=always
+RestartSec=5
+LimitNOFILE=65535
+# Security hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/etc/telemt
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
+"#,
+        exe = exe_path.display(),
+        config = config_path.display(),
+    )
+}
+
 fn run_cmd(cmd: &str, args: &[&str]) {
     match Command::new(cmd).args(args).output() {
         Ok(output) => {

src/config/defaults.rs

@@ -48,10 +48,6 @@ const DEFAULT_ME_POOL_DRAIN_SOFT_EVICT_BUDGET_PER_CORE: u16 = 16;
 const DEFAULT_ME_POOL_DRAIN_SOFT_EVICT_COOLDOWN_MS: u64 = 1000;
 const DEFAULT_USER_MAX_UNIQUE_IPS_WINDOW_SECS: u64 = 30;
 const DEFAULT_ACCEPT_PERMIT_TIMEOUT_MS: u64 = 250;
-const DEFAULT_CONNTRACK_CONTROL_ENABLED: bool = true;
-const DEFAULT_CONNTRACK_PRESSURE_HIGH_WATERMARK_PCT: u8 = 85;
-const DEFAULT_CONNTRACK_PRESSURE_LOW_WATERMARK_PCT: u8 = 70;
-const DEFAULT_CONNTRACK_DELETE_BUDGET_PER_SEC: u64 = 4096;
 const DEFAULT_UPSTREAM_CONNECT_RETRY_ATTEMPTS: u32 = 2;
 const DEFAULT_UPSTREAM_UNHEALTHY_FAIL_THRESHOLD: u32 = 5;
 const DEFAULT_UPSTREAM_CONNECT_BUDGET_MS: u64 = 3000;
@@ -100,7 +96,7 @@ pub(crate) fn default_fake_cert_len() -> usize {
 }
 
 pub(crate) fn default_tls_front_dir() -> String {
-    "/etc/telemt/tlsfront".to_string()
+    "tlsfront".to_string()
 }
 
 pub(crate) fn default_replay_check_len() -> usize {
@@ -114,11 +110,7 @@ pub(crate) fn default_replay_window_secs() -> u64 {
 }
 
 pub(crate) fn default_handshake_timeout() -> u64 {
-    60
+    30
-}
-
-pub(crate) fn default_client_first_byte_idle_secs() -> u64 {
-    300
 }
 
 pub(crate) fn default_relay_idle_policy_v2_enabled() -> bool {
@@ -217,30 +209,10 @@ pub(crate) fn default_server_max_connections() -> u32 {
     10_000
 }
 
-pub(crate) fn default_listen_backlog() -> u32 {
-    1024
-}
-
 pub(crate) fn default_accept_permit_timeout_ms() -> u64 {
     DEFAULT_ACCEPT_PERMIT_TIMEOUT_MS
 }
 
-pub(crate) fn default_conntrack_control_enabled() -> bool {
-    DEFAULT_CONNTRACK_CONTROL_ENABLED
-}
-
-pub(crate) fn default_conntrack_pressure_high_watermark_pct() -> u8 {
-    DEFAULT_CONNTRACK_PRESSURE_HIGH_WATERMARK_PCT
-}
-
-pub(crate) fn default_conntrack_pressure_low_watermark_pct() -> u8 {
-    DEFAULT_CONNTRACK_PRESSURE_LOW_WATERMARK_PCT
-}
-
-pub(crate) fn default_conntrack_delete_budget_per_sec() -> u64 {
-    DEFAULT_CONNTRACK_DELETE_BUDGET_PER_SEC
-}
-
 pub(crate) fn default_prefer_4() -> u8 {
     4
 }
@@ -302,7 +274,7 @@ pub(crate) fn default_me2dc_fallback() -> bool {
 }
 
 pub(crate) fn default_me2dc_fast() -> bool {
-    true
+    false
 }
 
 pub(crate) fn default_keepalive_interval() -> u64 {
@@ -558,7 +530,7 @@ pub(crate) fn default_beobachten_flush_secs() -> u64 {
 }
 
 pub(crate) fn default_beobachten_file() -> String {
-    "/etc/telemt/beobachten.txt".to_string()
+    "cache/beobachten.txt".to_string()
 }
 
 pub(crate) fn default_tls_new_session_tickets() -> u8 {
@@ -831,10 +803,6 @@ pub(crate) fn default_user_max_unique_ips_window_secs() -> u64 {
     DEFAULT_USER_MAX_UNIQUE_IPS_WINDOW_SECS
 }
 
-pub(crate) fn default_user_max_tcp_conns_global_each() -> usize {
-    0
-}
-
 pub(crate) fn default_user_max_unique_ips_global_each() -> usize {
     0
 }

src/config/hot_reload.rs

@@ -117,7 +117,6 @@ pub struct HotFields {
     pub users: std::collections::HashMap<String, String>,
     pub user_ad_tags: std::collections::HashMap<String, String>,
     pub user_max_tcp_conns: std::collections::HashMap<String, usize>,
-    pub user_max_tcp_conns_global_each: usize,
     pub user_expirations: std::collections::HashMap<String, chrono::DateTime<chrono::Utc>>,
     pub user_data_quota: std::collections::HashMap<String, u64>,
     pub user_max_unique_ips: std::collections::HashMap<String, usize>,
@@ -241,7 +240,6 @@ impl HotFields {
             users: cfg.access.users.clone(),
             user_ad_tags: cfg.access.user_ad_tags.clone(),
             user_max_tcp_conns: cfg.access.user_max_tcp_conns.clone(),
-            user_max_tcp_conns_global_each: cfg.access.user_max_tcp_conns_global_each,
             user_expirations: cfg.access.user_expirations.clone(),
             user_data_quota: cfg.access.user_data_quota.clone(),
             user_max_unique_ips: cfg.access.user_max_unique_ips.clone(),
@@ -532,7 +530,6 @@ fn overlay_hot_fields(old: &ProxyConfig, new: &ProxyConfig) -> ProxyConfig {
     cfg.access.users = new.access.users.clone();
     cfg.access.user_ad_tags = new.access.user_ad_tags.clone();
     cfg.access.user_max_tcp_conns = new.access.user_max_tcp_conns.clone();
-    cfg.access.user_max_tcp_conns_global_each = new.access.user_max_tcp_conns_global_each;
     cfg.access.user_expirations = new.access.user_expirations.clone();
     cfg.access.user_data_quota = new.access.user_data_quota.clone();
     cfg.access.user_max_unique_ips = new.access.user_max_unique_ips.clone();
@@ -540,10 +537,6 @@ fn overlay_hot_fields(old: &ProxyConfig, new: &ProxyConfig) -> ProxyConfig {
     cfg.access.user_max_unique_ips_mode = new.access.user_max_unique_ips_mode;
     cfg.access.user_max_unique_ips_window_secs = new.access.user_max_unique_ips_window_secs;
 
-    if cfg.rebuild_runtime_user_auth().is_err() {
-        cfg.runtime_user_auth = None;
-    }
-
     cfg
 }
 
@@ -577,7 +570,6 @@ fn warn_non_hot_changes(old: &ProxyConfig, new: &ProxyConfig, non_hot_changed: b
     }
     if old.server.proxy_protocol != new.server.proxy_protocol
         || !listeners_equal(&old.server.listeners, &new.server.listeners)
-        || old.server.listen_backlog != new.server.listen_backlog
         || old.server.listen_addr_ipv4 != new.server.listen_addr_ipv4
         || old.server.listen_addr_ipv6 != new.server.listen_addr_ipv6
         || old.server.listen_tcp != new.server.listen_tcp
@@ -703,7 +695,6 @@ fn warn_non_hot_changes(old: &ProxyConfig, new: &ProxyConfig, non_hot_changed: b
     if old.general.upstream_connect_retry_attempts != new.general.upstream_connect_retry_attempts
         || old.general.upstream_connect_retry_backoff_ms
             != new.general.upstream_connect_retry_backoff_ms
-        || old.general.tg_connect != new.general.tg_connect
         || old.general.upstream_unhealthy_fail_threshold
             != new.general.upstream_unhealthy_fail_threshold
         || old.general.upstream_connect_failfast_hard_errors
@@ -1152,12 +1143,6 @@ fn log_changes(
             new_hot.user_max_tcp_conns.len()
         );
     }
-    if old_hot.user_max_tcp_conns_global_each != new_hot.user_max_tcp_conns_global_each {
-        info!(
-            "config reload: user_max_tcp_conns policy global_each={}",
-            new_hot.user_max_tcp_conns_global_each
-        );
-    }
     if old_hot.user_expirations != new_hot.user_expirations {
         info!(
             "config reload: user_expirations updated ({} entries)",

src/config/load.rs

@@ -4,7 +4,6 @@ use std::collections::{BTreeSet, HashMap, HashSet};
 use std::hash::{DefaultHasher, Hash, Hasher};
 use std::net::{IpAddr, SocketAddr};
 use std::path::{Path, PathBuf};
-use std::sync::Arc;
 
 use rand::RngExt;
 use serde::{Deserialize, Serialize};
@@ -16,13 +15,6 @@ use crate::error::{ProxyError, Result};
 use super::defaults::*;
 use super::types::*;
 
-const ACCESS_SECRET_BYTES: usize = 16;
-const MAX_ME_WRITER_CMD_CHANNEL_CAPACITY: usize = 16_384;
-const MAX_ME_ROUTE_CHANNEL_CAPACITY: usize = 8_192;
-const MAX_ME_C2ME_CHANNEL_CAPACITY: usize = 8_192;
-const MIN_MAX_CLIENT_FRAME_BYTES: usize = 4 * 1024;
-const MAX_MAX_CLIENT_FRAME_BYTES: usize = 16 * 1024 * 1024;
-
 #[derive(Debug, Clone)]
 pub(crate) struct LoadedConfig {
     pub(crate) config: ProxyConfig,
@@ -30,111 +22,6 @@ pub(crate) struct LoadedConfig {
     pub(crate) rendered_hash: u64,
 }
 
-/// Precomputed, immutable user authentication data used by handshake hot paths.
-#[derive(Debug, Clone, Default)]
-pub(crate) struct UserAuthSnapshot {
-    entries: Vec<UserAuthEntry>,
-    by_name: HashMap<String, u32>,
-    sni_index: HashMap<u64, Vec<u32>>,
-    sni_initial_index: HashMap<u8, Vec<u32>>,
-}
-
-#[derive(Debug, Clone)]
-pub(crate) struct UserAuthEntry {
-    pub(crate) user: String,
-    pub(crate) secret: [u8; ACCESS_SECRET_BYTES],
-}
-
-impl UserAuthSnapshot {
-    fn from_users(users: &HashMap<String, String>) -> Result<Self> {
-        let mut entries = Vec::with_capacity(users.len());
-        let mut by_name = HashMap::with_capacity(users.len());
-        let mut sni_index = HashMap::with_capacity(users.len());
-        let mut sni_initial_index = HashMap::with_capacity(users.len());
-
-        for (user, secret_hex) in users {
-            let decoded = hex::decode(secret_hex).map_err(|_| ProxyError::InvalidSecret {
-                user: user.clone(),
-                reason: "Must be 32 hex characters".to_string(),
-            })?;
-            if decoded.len() != ACCESS_SECRET_BYTES {
-                return Err(ProxyError::InvalidSecret {
-                    user: user.clone(),
-                    reason: "Must be 32 hex characters".to_string(),
-                });
-            }
-
-            let user_id = u32::try_from(entries.len()).map_err(|_| {
-                ProxyError::Config("Too many users for runtime auth snapshot".to_string())
-            })?;
-
-            let mut secret = [0u8; ACCESS_SECRET_BYTES];
-            secret.copy_from_slice(&decoded);
-            entries.push(UserAuthEntry {
-                user: user.clone(),
-                secret,
-            });
-            by_name.insert(user.clone(), user_id);
-            sni_index
-                .entry(Self::sni_lookup_hash(user))
-                .or_insert_with(Vec::new)
-                .push(user_id);
-            if let Some(initial) = user
-                .as_bytes()
-                .first()
-                .map(|byte| byte.to_ascii_lowercase())
-            {
-                sni_initial_index
-                    .entry(initial)
-                    .or_insert_with(Vec::new)
-                    .push(user_id);
-            }
-        }
-
-        Ok(Self {
-            entries,
-            by_name,
-            sni_index,
-            sni_initial_index,
-        })
-    }
-
-    pub(crate) fn entries(&self) -> &[UserAuthEntry] {
-        &self.entries
-    }
-
-    pub(crate) fn user_id_by_name(&self, user: &str) -> Option<u32> {
-        self.by_name.get(user).copied()
-    }
-
-    pub(crate) fn entry_by_id(&self, user_id: u32) -> Option<&UserAuthEntry> {
-        let idx = usize::try_from(user_id).ok()?;
-        self.entries.get(idx)
-    }
-
-    pub(crate) fn sni_candidates(&self, sni: &str) -> Option<&[u32]> {
-        self.sni_index
-            .get(&Self::sni_lookup_hash(sni))
-            .map(Vec::as_slice)
-    }
-
-    pub(crate) fn sni_initial_candidates(&self, sni: &str) -> Option<&[u32]> {
-        let initial = sni
-            .as_bytes()
-            .first()
-            .map(|byte| byte.to_ascii_lowercase())?;
-        self.sni_initial_index.get(&initial).map(Vec::as_slice)
-    }
-
-    fn sni_lookup_hash(value: &str) -> u64 {
-        let mut hasher = DefaultHasher::new();
-        for byte in value.bytes() {
-            hasher.write_u8(byte.to_ascii_lowercase());
-        }
-        hasher.finish()
-    }
-}
-
 fn normalize_config_path(path: &Path) -> PathBuf {
     path.canonicalize().unwrap_or_else(|_| {
         if path.is_absolute() {
@@ -309,10 +196,6 @@ pub struct ProxyConfig {
     /// If not set, defaults to 2 (matching Telegram's official `default 2;` in proxy-multi.conf).
     #[serde(default)]
     pub default_dc: Option<u8>,
-
-    /// Precomputed authentication snapshot for handshake hot paths.
-    #[serde(skip)]
-    pub(crate) runtime_user_auth: Option<Arc<UserAuthSnapshot>>,
 }
 
 impl ProxyConfig {
@@ -463,12 +346,6 @@ impl ProxyConfig {
             ));
         }
 
-        if config.general.tg_connect == 0 {
-            return Err(ProxyError::Config(
-                "general.tg_connect must be > 0".to_string(),
-            ));
-        }
-
         if config.general.upstream_unhealthy_fail_threshold == 0 {
             return Err(ProxyError::Config(
                 "general.upstream_unhealthy_fail_threshold must be > 0".to_string(),
@@ -631,41 +508,18 @@ impl ProxyConfig {
                 "general.me_writer_cmd_channel_capacity must be > 0".to_string(),
             ));
         }
-        if config.general.me_writer_cmd_channel_capacity > MAX_ME_WRITER_CMD_CHANNEL_CAPACITY {
-            return Err(ProxyError::Config(format!(
-                "general.me_writer_cmd_channel_capacity must be within [1, {MAX_ME_WRITER_CMD_CHANNEL_CAPACITY}]"
-            )));
-        }
 
         if config.general.me_route_channel_capacity == 0 {
             return Err(ProxyError::Config(
                 "general.me_route_channel_capacity must be > 0".to_string(),
             ));
         }
-        if config.general.me_route_channel_capacity > MAX_ME_ROUTE_CHANNEL_CAPACITY {
-            return Err(ProxyError::Config(format!(
-                "general.me_route_channel_capacity must be within [1, {MAX_ME_ROUTE_CHANNEL_CAPACITY}]"
-            )));
-        }
 
         if config.general.me_c2me_channel_capacity == 0 {
             return Err(ProxyError::Config(
                 "general.me_c2me_channel_capacity must be > 0".to_string(),
             ));
         }
-        if config.general.me_c2me_channel_capacity > MAX_ME_C2ME_CHANNEL_CAPACITY {
-            return Err(ProxyError::Config(format!(
-                "general.me_c2me_channel_capacity must be within [1, {MAX_ME_C2ME_CHANNEL_CAPACITY}]"
-            )));
-        }
-
-        if !(MIN_MAX_CLIENT_FRAME_BYTES..=MAX_MAX_CLIENT_FRAME_BYTES)
-            .contains(&config.general.max_client_frame)
-        {
-            return Err(ProxyError::Config(format!(
-                "general.max_client_frame must be within [{MIN_MAX_CLIENT_FRAME_BYTES}, {MAX_MAX_CLIENT_FRAME_BYTES}]"
-            )));
-        }
 
         if config.general.me_c2me_send_timeout_ms > 60_000 {
             return Err(ProxyError::Config(
@@ -1062,43 +916,6 @@ impl ProxyConfig {
             ));
         }
 
-        if config.server.conntrack_control.pressure_high_watermark_pct == 0
-            || config.server.conntrack_control.pressure_high_watermark_pct > 100
-        {
-            return Err(ProxyError::Config(
-                "server.conntrack_control.pressure_high_watermark_pct must be within [1, 100]"
-                    .to_string(),
-            ));
-        }
-
-        if config.server.conntrack_control.pressure_low_watermark_pct
-            >= config.server.conntrack_control.pressure_high_watermark_pct
-        {
-            return Err(ProxyError::Config(
-                "server.conntrack_control.pressure_low_watermark_pct must be < pressure_high_watermark_pct"
-                    .to_string(),
-            ));
-        }
-
-        if config.server.conntrack_control.delete_budget_per_sec == 0 {
-            return Err(ProxyError::Config(
-                "server.conntrack_control.delete_budget_per_sec must be > 0".to_string(),
-            ));
-        }
-
-        if matches!(config.server.conntrack_control.mode, ConntrackMode::Hybrid)
-            && config
-                .server
-                .conntrack_control
-                .hybrid_listener_ips
-                .is_empty()
-        {
-            return Err(ProxyError::Config(
-                "server.conntrack_control.hybrid_listener_ips must be non-empty in mode=hybrid"
-                    .to_string(),
-            ));
-        }
-
         if config.general.effective_me_pool_force_close_secs() > 0
             && config.general.effective_me_pool_force_close_secs()
                 < config.general.me_pool_drain_ttl_secs
@@ -1304,7 +1121,6 @@ impl ProxyConfig {
             .or_insert_with(|| vec!["91.105.192.100:443".to_string()]);
 
         validate_upstreams(&config)?;
-        config.rebuild_runtime_user_auth()?;
 
         Ok(LoadedConfig {
             config,
@@ -1313,16 +1129,6 @@ impl ProxyConfig {
         })
     }
 
-    pub(crate) fn rebuild_runtime_user_auth(&mut self) -> Result<()> {
-        let snapshot = UserAuthSnapshot::from_users(&self.access.users)?;
-        self.runtime_user_auth = Some(Arc::new(snapshot));
-        Ok(())
-    }
-
-    pub(crate) fn runtime_user_auth(&self) -> Option<&UserAuthSnapshot> {
-        self.runtime_user_auth.as_deref()
-    }
-
     pub fn validate(&self) -> Result<()> {
         if self.access.users.is_empty() {
             return Err(ProxyError::Config("No users configured".to_string()));
@@ -1374,10 +1180,6 @@ mod load_mask_shape_security_tests;
 #[path = "tests/load_mask_classifier_prefetch_timeout_security_tests.rs"]
 mod load_mask_classifier_prefetch_timeout_security_tests;
 
-#[cfg(test)]
-#[path = "tests/load_memory_envelope_tests.rs"]
-mod load_memory_envelope_tests;
-
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -1519,36 +1321,7 @@ mod tests {
             cfg.server.api.runtime_edge_events_capacity,
             default_api_runtime_edge_events_capacity()
         );
-        assert_eq!(
-            cfg.server.conntrack_control.inline_conntrack_control,
-            default_conntrack_control_enabled()
-        );
-        assert_eq!(cfg.server.conntrack_control.mode, ConntrackMode::default());
-        assert_eq!(
-            cfg.server.conntrack_control.backend,
-            ConntrackBackend::default()
-        );
-        assert_eq!(
-            cfg.server.conntrack_control.profile,
-            ConntrackPressureProfile::default()
-        );
-        assert_eq!(
-            cfg.server.conntrack_control.pressure_high_watermark_pct,
-            default_conntrack_pressure_high_watermark_pct()
-        );
-        assert_eq!(
-            cfg.server.conntrack_control.pressure_low_watermark_pct,
-            default_conntrack_pressure_low_watermark_pct()
-        );
-        assert_eq!(
-            cfg.server.conntrack_control.delete_budget_per_sec,
-            default_conntrack_delete_budget_per_sec()
-        );
         assert_eq!(cfg.access.users, default_access_users());
-        assert_eq!(
-            cfg.access.user_max_tcp_conns_global_each,
-            default_user_max_tcp_conns_global_each()
-        );
         assert_eq!(
             cfg.access.user_max_unique_ips_mode,
             UserMaxUniqueIpsMode::default()
@@ -1689,38 +1462,9 @@ mod tests {
             server.api.runtime_edge_events_capacity,
             default_api_runtime_edge_events_capacity()
         );
-        assert_eq!(
-            server.conntrack_control.inline_conntrack_control,
-            default_conntrack_control_enabled()
-        );
-        assert_eq!(server.conntrack_control.mode, ConntrackMode::default());
-        assert_eq!(
-            server.conntrack_control.backend,
-            ConntrackBackend::default()
-        );
-        assert_eq!(
-            server.conntrack_control.profile,
-            ConntrackPressureProfile::default()
-        );
-        assert_eq!(
-            server.conntrack_control.pressure_high_watermark_pct,
-            default_conntrack_pressure_high_watermark_pct()
-        );
-        assert_eq!(
-            server.conntrack_control.pressure_low_watermark_pct,
-            default_conntrack_pressure_low_watermark_pct()
-        );
-        assert_eq!(
-            server.conntrack_control.delete_budget_per_sec,
-            default_conntrack_delete_budget_per_sec()
-        );
 
         let access = AccessConfig::default();
         assert_eq!(access.users, default_access_users());
-        assert_eq!(
-            access.user_max_tcp_conns_global_each,
-            default_user_max_tcp_conns_global_each()
-        );
     }
 
     #[test]
@@ -1790,22 +1534,6 @@ mod tests {
             cfg_mask.censorship.unknown_sni_action,
             UnknownSniAction::Mask
         );
-
-        let cfg_accept: ProxyConfig = toml::from_str(
-            r#"
-            [server]
-            [general]
-            [network]
-            [access]
-            [censorship]
-            unknown_sni_action = "accept"
-            "#,
-        )
-        .unwrap();
-        assert_eq!(
-            cfg_accept.censorship.unknown_sni_action,
-            UnknownSniAction::Accept
-        );
     }
 
     #[test]
@@ -2179,26 +1907,6 @@ mod tests {
         let _ = std::fs::remove_file(path);
     }
 
-    #[test]
-    fn tg_connect_zero_is_rejected() {
-        let toml = r#"
-            [general]
-            tg_connect = 0
-
-            [censorship]
-            tls_domain = "example.com"
-
-            [access.users]
-            user = "00000000000000000000000000000000"
-        "#;
-        let dir = std::env::temp_dir();
-        let path = dir.join("telemt_tg_connect_zero_test.toml");
-        std::fs::write(&path, toml).unwrap();
-        let err = ProxyConfig::load(&path).unwrap_err().to_string();
-        assert!(err.contains("general.tg_connect must be > 0"));
-        let _ = std::fs::remove_file(path);
-    }
-
     #[test]
     fn rpc_proxy_req_every_out_of_range_is_rejected() {
         let toml = r#"
@@ -2662,118 +2370,6 @@ mod tests {
         let _ = std::fs::remove_file(path);
     }
 
-    #[test]
-    fn conntrack_pressure_high_watermark_out_of_range_is_rejected() {
-        let toml = r#"
-            [server.conntrack_control]
-            pressure_high_watermark_pct = 0
-
-            [censorship]
-            tls_domain = "example.com"
-
-            [access.users]
-            user = "00000000000000000000000000000000"
-        "#;
-        let dir = std::env::temp_dir();
-        let path = dir.join("telemt_conntrack_high_watermark_invalid_test.toml");
-        std::fs::write(&path, toml).unwrap();
-        let err = ProxyConfig::load(&path).unwrap_err().to_string();
-        assert!(err.contains(
-            "server.conntrack_control.pressure_high_watermark_pct must be within [1, 100]"
-        ));
-        let _ = std::fs::remove_file(path);
-    }
-
-    #[test]
-    fn conntrack_pressure_low_watermark_must_be_below_high() {
-        let toml = r#"
-            [server.conntrack_control]
-            pressure_high_watermark_pct = 50
-            pressure_low_watermark_pct = 50
-
-            [censorship]
-            tls_domain = "example.com"
-
-            [access.users]
-            user = "00000000000000000000000000000000"
-        "#;
-        let dir = std::env::temp_dir();
-        let path = dir.join("telemt_conntrack_low_watermark_invalid_test.toml");
-        std::fs::write(&path, toml).unwrap();
-        let err = ProxyConfig::load(&path).unwrap_err().to_string();
-        assert!(
-            err.contains(
-                "server.conntrack_control.pressure_low_watermark_pct must be < pressure_high_watermark_pct"
-            )
-        );
-        let _ = std::fs::remove_file(path);
-    }
-
-    #[test]
-    fn conntrack_delete_budget_zero_is_rejected() {
-        let toml = r#"
-            [server.conntrack_control]
-            delete_budget_per_sec = 0
-
-            [censorship]
-            tls_domain = "example.com"
-
-            [access.users]
-            user = "00000000000000000000000000000000"
-        "#;
-        let dir = std::env::temp_dir();
-        let path = dir.join("telemt_conntrack_delete_budget_invalid_test.toml");
-        std::fs::write(&path, toml).unwrap();
-        let err = ProxyConfig::load(&path).unwrap_err().to_string();
-        assert!(err.contains("server.conntrack_control.delete_budget_per_sec must be > 0"));
-        let _ = std::fs::remove_file(path);
-    }
-
-    #[test]
-    fn conntrack_hybrid_mode_requires_listener_allow_list() {
-        let toml = r#"
-            [server.conntrack_control]
-            mode = "hybrid"
-
-            [censorship]
-            tls_domain = "example.com"
-
-            [access.users]
-            user = "00000000000000000000000000000000"
-        "#;
-        let dir = std::env::temp_dir();
-        let path = dir.join("telemt_conntrack_hybrid_requires_ips_test.toml");
-        std::fs::write(&path, toml).unwrap();
-        let err = ProxyConfig::load(&path).unwrap_err().to_string();
-        assert!(err.contains(
-            "server.conntrack_control.hybrid_listener_ips must be non-empty in mode=hybrid"
-        ));
-        let _ = std::fs::remove_file(path);
-    }
-
-    #[test]
-    fn conntrack_profile_is_loaded_from_config() {
-        let toml = r#"
-            [server.conntrack_control]
-            profile = "aggressive"
-
-            [censorship]
-            tls_domain = "example.com"
-
-            [access.users]
-            user = "00000000000000000000000000000000"
-        "#;
-        let dir = std::env::temp_dir();
-        let path = dir.join("telemt_conntrack_profile_parse_test.toml");
-        std::fs::write(&path, toml).unwrap();
-        let cfg = ProxyConfig::load(&path).unwrap();
-        assert_eq!(
-            cfg.server.conntrack_control.profile,
-            ConntrackPressureProfile::Aggressive
-        );
-        let _ = std::fs::remove_file(path);
-    }
-
     #[test]
     fn force_close_default_matches_drain_ttl() {
         let toml = r#"

src/config/tests/load_idle_policy_tests.rs

@@ -17,28 +17,6 @@ fn remove_temp_config(path: &PathBuf) {
     let _ = fs::remove_file(path);
 }
 
-#[test]
-fn default_timeouts_enable_apple_compatible_handshake_profile() {
-    let cfg = ProxyConfig::default();
-    assert_eq!(cfg.timeouts.client_first_byte_idle_secs, 300);
-    assert_eq!(cfg.timeouts.client_handshake, 60);
-}
-
-#[test]
-fn load_accepts_zero_first_byte_idle_timeout_as_legacy_opt_out() {
-    let path = write_temp_config(
-        r#"
-[timeouts]
-client_first_byte_idle_secs = 0
-"#,
-    );
-
-    let cfg = ProxyConfig::load(&path).expect("config with zero first-byte idle timeout must load");
-    assert_eq!(cfg.timeouts.client_first_byte_idle_secs, 0);
-
-    remove_temp_config(&path);
-}
-
 #[test]
 fn load_rejects_relay_hard_idle_smaller_than_soft_idle_with_clear_error() {
     let path = write_temp_config(

src/config/tests/load_memory_envelope_tests.rs

@@ -1,117 +0,0 @@
-use super::*;
-use std::fs;
-use std::path::PathBuf;
-use std::time::{SystemTime, UNIX_EPOCH};
-
-fn write_temp_config(contents: &str) -> PathBuf {
-    let nonce = SystemTime::now()
-        .duration_since(UNIX_EPOCH)
-        .expect("system time must be after unix epoch")
-        .as_nanos();
-    let path = std::env::temp_dir().join(format!("telemt-load-memory-envelope-{nonce}.toml"));
-    fs::write(&path, contents).expect("temp config write must succeed");
-    path
-}
-
-fn remove_temp_config(path: &PathBuf) {
-    let _ = fs::remove_file(path);
-}
-
-#[test]
-fn load_rejects_writer_cmd_capacity_above_upper_bound() {
-    let path = write_temp_config(
-        r#"
-[general]
-me_writer_cmd_channel_capacity = 16385
-"#,
-    );
-
-    let err =
-        ProxyConfig::load(&path).expect_err("writer command capacity above hard cap must fail");
-    let msg = err.to_string();
-    assert!(
-        msg.contains("general.me_writer_cmd_channel_capacity must be within [1, 16384]"),
-        "error must explain writer command capacity hard cap, got: {msg}"
-    );
-
-    remove_temp_config(&path);
-}
-
-#[test]
-fn load_rejects_route_channel_capacity_above_upper_bound() {
-    let path = write_temp_config(
-        r#"
-[general]
-me_route_channel_capacity = 8193
-"#,
-    );
-
-    let err =
-        ProxyConfig::load(&path).expect_err("route channel capacity above hard cap must fail");
-    let msg = err.to_string();
-    assert!(
-        msg.contains("general.me_route_channel_capacity must be within [1, 8192]"),
-        "error must explain route channel hard cap, got: {msg}"
-    );
-
-    remove_temp_config(&path);
-}
-
-#[test]
-fn load_rejects_c2me_channel_capacity_above_upper_bound() {
-    let path = write_temp_config(
-        r#"
-[general]
-me_c2me_channel_capacity = 8193
-"#,
-    );
-
-    let err = ProxyConfig::load(&path).expect_err("c2me channel capacity above hard cap must fail");
-    let msg = err.to_string();
-    assert!(
-        msg.contains("general.me_c2me_channel_capacity must be within [1, 8192]"),
-        "error must explain c2me channel hard cap, got: {msg}"
-    );
-
-    remove_temp_config(&path);
-}
-
-#[test]
-fn load_rejects_max_client_frame_above_upper_bound() {
-    let path = write_temp_config(
-        r#"
-[general]
-max_client_frame = 16777217
-"#,
-    );
-
-    let err = ProxyConfig::load(&path).expect_err("max_client_frame above hard cap must fail");
-    let msg = err.to_string();
-    assert!(
-        msg.contains("general.max_client_frame must be within [4096, 16777216]"),
-        "error must explain max_client_frame hard cap, got: {msg}"
-    );
-
-    remove_temp_config(&path);
-}
-
-#[test]
-fn load_accepts_memory_limits_at_hard_upper_bounds() {
-    let path = write_temp_config(
-        r#"
-[general]
-me_writer_cmd_channel_capacity = 16384
-me_route_channel_capacity = 8192
-me_c2me_channel_capacity = 8192
-max_client_frame = 16777216
-"#,
-    );
-
-    let cfg = ProxyConfig::load(&path).expect("hard upper bound values must be accepted");
-    assert_eq!(cfg.general.me_writer_cmd_channel_capacity, 16384);
-    assert_eq!(cfg.general.me_route_channel_capacity, 8192);
-    assert_eq!(cfg.general.me_c2me_channel_capacity, 8192);
-    assert_eq!(cfg.general.max_client_frame, 16 * 1024 * 1024);
-
-    remove_temp_config(&path);
-}

src/config/types.rs

@@ -663,10 +663,6 @@ pub struct GeneralConfig {
     #[serde(default = "default_upstream_connect_budget_ms")]
     pub upstream_connect_budget_ms: u64,
 
-    /// Per-attempt TCP connect timeout to Telegram DC (seconds).
-    #[serde(default = "default_connect_timeout")]
-    pub tg_connect: u64,
-
     /// Consecutive failed requests before upstream is marked unhealthy.
     #[serde(default = "default_upstream_unhealthy_fail_threshold")]
     pub upstream_unhealthy_fail_threshold: u32,
@@ -1011,7 +1007,6 @@ impl Default for GeneralConfig {
             upstream_connect_retry_attempts: default_upstream_connect_retry_attempts(),
             upstream_connect_retry_backoff_ms: default_upstream_connect_retry_backoff_ms(),
             upstream_connect_budget_ms: default_upstream_connect_budget_ms(),
-            tg_connect: default_connect_timeout(),
             upstream_unhealthy_fail_threshold: default_upstream_unhealthy_fail_threshold(),
             upstream_connect_failfast_hard_errors: default_upstream_connect_failfast_hard_errors(),
             stun_iface_mismatch_ignore: false,
@@ -1216,118 +1211,6 @@ impl Default for ApiConfig {
     }
 }
 
-#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
-#[serde(rename_all = "lowercase")]
-pub enum ConntrackMode {
-    #[default]
-    Tracked,
-    Notrack,
-    Hybrid,
-}
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
-#[serde(rename_all = "lowercase")]
-pub enum ConntrackBackend {
-    #[default]
-    Auto,
-    Nftables,
-    Iptables,
-}
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
-#[serde(rename_all = "lowercase")]
-pub enum ConntrackPressureProfile {
-    Conservative,
-    #[default]
-    Balanced,
-    Aggressive,
-}
-
-impl ConntrackPressureProfile {
-    pub fn client_first_byte_idle_cap_secs(self) -> u64 {
-        match self {
-            Self::Conservative => 30,
-            Self::Balanced => 20,
-            Self::Aggressive => 10,
-        }
-    }
-
-    pub fn direct_activity_timeout_secs(self) -> u64 {
-        match self {
-            Self::Conservative => 180,
-            Self::Balanced => 120,
-            Self::Aggressive => 60,
-        }
-    }
-
-    pub fn middle_soft_idle_cap_secs(self) -> u64 {
-        match self {
-            Self::Conservative => 60,
-            Self::Balanced => 30,
-            Self::Aggressive => 20,
-        }
-    }
-
-    pub fn middle_hard_idle_cap_secs(self) -> u64 {
-        match self {
-            Self::Conservative => 180,
-            Self::Balanced => 90,
-            Self::Aggressive => 60,
-        }
-    }
-}
-
-#[derive(Debug, Clone, Serialize, Deserialize)]
-pub struct ConntrackControlConfig {
-    /// Enables runtime conntrack-control worker for pressure mitigation.
-    #[serde(default = "default_conntrack_control_enabled")]
-    pub inline_conntrack_control: bool,
-
-    /// Conntrack mode for listener ingress traffic.
-    #[serde(default)]
-    pub mode: ConntrackMode,
-
-    /// Netfilter backend used to reconcile notrack rules.
-    #[serde(default)]
-    pub backend: ConntrackBackend,
-
-    /// Pressure profile for timeout caps under resource saturation.
-    #[serde(default)]
-    pub profile: ConntrackPressureProfile,
-
-    /// Listener IP allow-list for hybrid mode.
-    /// Ignored in tracked/notrack mode.
-    #[serde(default)]
-    pub hybrid_listener_ips: Vec<IpAddr>,
-
-    /// Pressure high watermark as percentage.
-    #[serde(default = "default_conntrack_pressure_high_watermark_pct")]
-    pub pressure_high_watermark_pct: u8,
-
-    /// Pressure low watermark as percentage.
-    #[serde(default = "default_conntrack_pressure_low_watermark_pct")]
-    pub pressure_low_watermark_pct: u8,
-
-    /// Maximum conntrack delete operations per second.
-    #[serde(default = "default_conntrack_delete_budget_per_sec")]
-    pub delete_budget_per_sec: u64,
-}
-
-impl Default for ConntrackControlConfig {
-    fn default() -> Self {
-        Self {
-            inline_conntrack_control: default_conntrack_control_enabled(),
-            mode: ConntrackMode::default(),
-            backend: ConntrackBackend::default(),
-            profile: ConntrackPressureProfile::default(),
-            hybrid_listener_ips: Vec::new(),
-            pressure_high_watermark_pct: default_conntrack_pressure_high_watermark_pct(),
-            pressure_low_watermark_pct: default_conntrack_pressure_low_watermark_pct(),
-            delete_budget_per_sec: default_conntrack_delete_budget_per_sec(),
-        }
-    }
-}
-
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct ServerConfig {
     #[serde(default = "default_port")]
@@ -1389,11 +1272,6 @@ pub struct ServerConfig {
     #[serde(default)]
     pub listeners: Vec<ListenerConfig>,
 
-    /// TCP `listen(2)` backlog for client-facing sockets (also used for the metrics HTTP listener).
-    /// The effective queue is capped by the kernel (for example `somaxconn` on Linux).
-    #[serde(default = "default_listen_backlog")]
-    pub listen_backlog: u32,
-
     /// Maximum number of concurrent client connections.
     /// 0 means unlimited.
     #[serde(default = "default_server_max_connections")]
@@ -1403,10 +1281,6 @@ pub struct ServerConfig {
     /// `0` keeps legacy unbounded wait behavior.
     #[serde(default = "default_accept_permit_timeout_ms")]
     pub accept_permit_timeout_ms: u64,
-
-    /// Runtime conntrack control and pressure policy.
-    #[serde(default)]
-    pub conntrack_control: ConntrackControlConfig,
 }
 
 impl Default for ServerConfig {
@@ -1426,22 +1300,14 @@ impl Default for ServerConfig {
             metrics_whitelist: default_metrics_whitelist(),
             api: ApiConfig::default(),
             listeners: Vec::new(),
-            listen_backlog: default_listen_backlog(),
             max_connections: default_server_max_connections(),
             accept_permit_timeout_ms: default_accept_permit_timeout_ms(),
-            conntrack_control: ConntrackControlConfig::default(),
         }
     }
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct TimeoutsConfig {
-    /// Maximum idle wait in seconds for the first client byte before handshake parsing starts.
-    /// `0` disables the separate idle phase and keeps legacy timeout behavior.
-    #[serde(default = "default_client_first_byte_idle_secs")]
-    pub client_first_byte_idle_secs: u64,
-
-    /// Maximum active handshake duration in seconds after the first client byte is received.
     #[serde(default = "default_handshake_timeout")]
     pub client_handshake: u64,
 
@@ -1463,6 +1329,9 @@ pub struct TimeoutsConfig {
     #[serde(default = "default_relay_idle_grace_after_downstream_activity_secs")]
     pub relay_idle_grace_after_downstream_activity_secs: u64,
 
+    #[serde(default = "default_connect_timeout")]
+    pub tg_connect: u64,
+
     #[serde(default = "default_keepalive")]
     pub client_keepalive: u64,
 
@@ -1481,13 +1350,13 @@ pub struct TimeoutsConfig {
 impl Default for TimeoutsConfig {
     fn default() -> Self {
         Self {
-            client_first_byte_idle_secs: default_client_first_byte_idle_secs(),
             client_handshake: default_handshake_timeout(),
             relay_idle_policy_v2_enabled: default_relay_idle_policy_v2_enabled(),
             relay_client_idle_soft_secs: default_relay_client_idle_soft_secs(),
             relay_client_idle_hard_secs: default_relay_client_idle_hard_secs(),
             relay_idle_grace_after_downstream_activity_secs:
                 default_relay_idle_grace_after_downstream_activity_secs(),
+            tg_connect: default_connect_timeout(),
             client_keepalive: default_keepalive(),
             client_ack: default_ack_timeout(),
             me_one_retry: default_me_one_retry(),
@@ -1502,7 +1371,6 @@ pub enum UnknownSniAction {
     #[default]
     Drop,
     Mask,
-    Accept,
 }
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
@@ -1751,12 +1619,6 @@ pub struct AccessConfig {
     #[serde(default)]
     pub user_max_tcp_conns: HashMap<String, usize>,
 
-    /// Global per-user TCP connection limit applied when a user has no
-    /// positive individual override.
-    /// `0` disables the inherited limit.
-    #[serde(default = "default_user_max_tcp_conns_global_each")]
-    pub user_max_tcp_conns_global_each: usize,
-
     #[serde(default)]
     pub user_expirations: HashMap<String, DateTime<Utc>>,
 
@@ -1793,7 +1655,6 @@ impl Default for AccessConfig {
             users: default_access_users(),
             user_ad_tags: HashMap::new(),
             user_max_tcp_conns: HashMap::new(),
-            user_max_tcp_conns_global_each: default_user_max_tcp_conns_global_each(),
             user_expirations: HashMap::new(),
             user_data_quota: HashMap::new(),
             user_max_unique_ips: HashMap::new(),

src/conntrack_control.rs

@@ -1,755 +0,0 @@
-use std::collections::BTreeSet;
-use std::net::IpAddr;
-use std::path::PathBuf;
-use std::sync::Arc;
-use std::time::Duration;
-
-use tokio::io::AsyncWriteExt;
-use tokio::process::Command;
-use tokio::sync::{mpsc, watch};
-use tracing::{debug, info, warn};
-
-use crate::config::{ConntrackBackend, ConntrackMode, ProxyConfig};
-use crate::proxy::middle_relay::note_global_relay_pressure;
-use crate::proxy::shared_state::{ConntrackCloseEvent, ConntrackCloseReason, ProxySharedState};
-use crate::stats::Stats;
-
-const CONNTRACK_EVENT_QUEUE_CAPACITY: usize = 32_768;
-const PRESSURE_RELEASE_TICKS: u8 = 3;
-const PRESSURE_SAMPLE_INTERVAL: Duration = Duration::from_secs(1);
-
-#[derive(Clone, Copy, Debug, PartialEq, Eq)]
-enum NetfilterBackend {
-    Nftables,
-    Iptables,
-}
-
-#[derive(Clone, Copy)]
-struct PressureSample {
-    conn_pct: Option<u8>,
-    fd_pct: Option<u8>,
-    accept_timeout_delta: u64,
-    me_queue_pressure_delta: u64,
-}
-
-struct PressureState {
-    active: bool,
-    low_streak: u8,
-    prev_accept_timeout_total: u64,
-    prev_me_queue_pressure_total: u64,
-}
-
-impl PressureState {
-    fn new(stats: &Stats) -> Self {
-        Self {
-            active: false,
-            low_streak: 0,
-            prev_accept_timeout_total: stats.get_accept_permit_timeout_total(),
-            prev_me_queue_pressure_total: stats.get_me_c2me_send_full_total(),
-        }
-    }
-}
-
-pub(crate) fn spawn_conntrack_controller(
-    config_rx: watch::Receiver<Arc<ProxyConfig>>,
-    stats: Arc<Stats>,
-    shared: Arc<ProxySharedState>,
-) {
-    if !cfg!(target_os = "linux") {
-        let enabled = config_rx
-            .borrow()
-            .server
-            .conntrack_control
-            .inline_conntrack_control;
-        stats.set_conntrack_control_enabled(enabled);
-        stats.set_conntrack_control_available(false);
-        stats.set_conntrack_pressure_active(false);
-        stats.set_conntrack_event_queue_depth(0);
-        stats.set_conntrack_rule_apply_ok(false);
-        shared.disable_conntrack_close_sender();
-        shared.set_conntrack_pressure_active(false);
-        if enabled {
-            warn!(
-                "conntrack control is configured but unsupported on this OS; disabling runtime worker"
-            );
-        }
-        return;
-    }
-
-    let (tx, rx) = mpsc::channel(CONNTRACK_EVENT_QUEUE_CAPACITY);
-    shared.set_conntrack_close_sender(tx);
-    tokio::spawn(async move {
-        run_conntrack_controller(config_rx, stats, shared, rx).await;
-    });
-}
-
-async fn run_conntrack_controller(
-    mut config_rx: watch::Receiver<Arc<ProxyConfig>>,
-    stats: Arc<Stats>,
-    shared: Arc<ProxySharedState>,
-    mut close_rx: mpsc::Receiver<ConntrackCloseEvent>,
-) {
-    let mut cfg = config_rx.borrow().clone();
-    let mut pressure_state = PressureState::new(stats.as_ref());
-    let mut delete_budget_tokens = cfg.server.conntrack_control.delete_budget_per_sec;
-    let mut backend = pick_backend(cfg.server.conntrack_control.backend);
-
-    apply_runtime_state(
-        stats.as_ref(),
-        shared.as_ref(),
-        &cfg,
-        backend.is_some(),
-        false,
-    );
-    reconcile_rules(&cfg, backend, stats.as_ref()).await;
-
-    loop {
-        tokio::select! {
-            changed = config_rx.changed() => {
-                if changed.is_err() {
-                    break;
-                }
-                cfg = config_rx.borrow_and_update().clone();
-                backend = pick_backend(cfg.server.conntrack_control.backend);
-                delete_budget_tokens = cfg.server.conntrack_control.delete_budget_per_sec;
-                apply_runtime_state(stats.as_ref(), shared.as_ref(), &cfg, backend.is_some(), pressure_state.active);
-                reconcile_rules(&cfg, backend, stats.as_ref()).await;
-            }
-            event = close_rx.recv() => {
-                let Some(event) = event else {
-                    break;
-                };
-                stats.set_conntrack_event_queue_depth(close_rx.len() as u64);
-                if !cfg.server.conntrack_control.inline_conntrack_control {
-                    continue;
-                }
-                if !pressure_state.active {
-                    continue;
-                }
-                if !matches!(event.reason, ConntrackCloseReason::Timeout | ConntrackCloseReason::Pressure | ConntrackCloseReason::Reset) {
-                    continue;
-                }
-                if delete_budget_tokens == 0 {
-                    continue;
-                }
-                stats.increment_conntrack_delete_attempt_total();
-                match delete_conntrack_entry(event).await {
-                    DeleteOutcome::Deleted => {
-                        delete_budget_tokens = delete_budget_tokens.saturating_sub(1);
-                        stats.increment_conntrack_delete_success_total();
-                    }
-                    DeleteOutcome::NotFound => {
-                        delete_budget_tokens = delete_budget_tokens.saturating_sub(1);
-                        stats.increment_conntrack_delete_not_found_total();
-                    }
-                    DeleteOutcome::Error => {
-                        delete_budget_tokens = delete_budget_tokens.saturating_sub(1);
-                        stats.increment_conntrack_delete_error_total();
-                    }
-                }
-            }
-            _ = tokio::time::sleep(PRESSURE_SAMPLE_INTERVAL) => {
-                delete_budget_tokens = cfg.server.conntrack_control.delete_budget_per_sec;
-                stats.set_conntrack_event_queue_depth(close_rx.len() as u64);
-                let sample = collect_pressure_sample(stats.as_ref(), &cfg, &mut pressure_state);
-                update_pressure_state(
-                    stats.as_ref(),
-                    shared.as_ref(),
-                    &cfg,
-                    &sample,
-                    &mut pressure_state,
-                );
-                if pressure_state.active {
-                    note_global_relay_pressure(shared.as_ref());
-                }
-            }
-        }
-    }
-
-    shared.disable_conntrack_close_sender();
-    shared.set_conntrack_pressure_active(false);
-    stats.set_conntrack_pressure_active(false);
-}
-
-fn apply_runtime_state(
-    stats: &Stats,
-    shared: &ProxySharedState,
-    cfg: &ProxyConfig,
-    backend_available: bool,
-    pressure_active: bool,
-) {
-    let enabled = cfg.server.conntrack_control.inline_conntrack_control;
-    let available = enabled && backend_available && has_cap_net_admin();
-    if enabled && !available {
-        warn!(
-            "conntrack control enabled but unavailable (missing CAP_NET_ADMIN or backend binaries)"
-        );
-    }
-    stats.set_conntrack_control_enabled(enabled);
-    stats.set_conntrack_control_available(available);
-    shared.set_conntrack_pressure_active(enabled && pressure_active);
-    stats.set_conntrack_pressure_active(enabled && pressure_active);
-}
-
-fn collect_pressure_sample(
-    stats: &Stats,
-    cfg: &ProxyConfig,
-    state: &mut PressureState,
-) -> PressureSample {
-    let current_connections = stats.get_current_connections_total();
-    let conn_pct = if cfg.server.max_connections == 0 {
-        None
-    } else {
-        Some(
-            ((current_connections.saturating_mul(100)) / u64::from(cfg.server.max_connections))
-                .min(100) as u8,
-        )
-    };
-
-    let fd_pct = fd_usage_pct();
-
-    let accept_total = stats.get_accept_permit_timeout_total();
-    let accept_delta = accept_total.saturating_sub(state.prev_accept_timeout_total);
-    state.prev_accept_timeout_total = accept_total;
-
-    let me_total = stats.get_me_c2me_send_full_total();
-    let me_delta = me_total.saturating_sub(state.prev_me_queue_pressure_total);
-    state.prev_me_queue_pressure_total = me_total;
-
-    PressureSample {
-        conn_pct,
-        fd_pct,
-        accept_timeout_delta: accept_delta,
-        me_queue_pressure_delta: me_delta,
-    }
-}
-
-fn update_pressure_state(
-    stats: &Stats,
-    shared: &ProxySharedState,
-    cfg: &ProxyConfig,
-    sample: &PressureSample,
-    state: &mut PressureState,
-) {
-    if !cfg.server.conntrack_control.inline_conntrack_control {
-        if state.active {
-            state.active = false;
-            state.low_streak = 0;
-            shared.set_conntrack_pressure_active(false);
-            stats.set_conntrack_pressure_active(false);
-            info!("Conntrack pressure mode deactivated (feature disabled)");
-        }
-        return;
-    }
-
-    let high = cfg.server.conntrack_control.pressure_high_watermark_pct;
-    let low = cfg.server.conntrack_control.pressure_low_watermark_pct;
-
-    let high_hit = sample.conn_pct.is_some_and(|v| v >= high)
-        || sample.fd_pct.is_some_and(|v| v >= high)
-        || sample.accept_timeout_delta > 0
-        || sample.me_queue_pressure_delta > 0;
-
-    let low_clear = sample.conn_pct.is_none_or(|v| v <= low)
-        && sample.fd_pct.is_none_or(|v| v <= low)
-        && sample.accept_timeout_delta == 0
-        && sample.me_queue_pressure_delta == 0;
-
-    if !state.active && high_hit {
-        state.active = true;
-        state.low_streak = 0;
-        shared.set_conntrack_pressure_active(true);
-        stats.set_conntrack_pressure_active(true);
-        info!(
-            conn_pct = ?sample.conn_pct,
-            fd_pct = ?sample.fd_pct,
-            accept_timeout_delta = sample.accept_timeout_delta,
-            me_queue_pressure_delta = sample.me_queue_pressure_delta,
-            "Conntrack pressure mode activated"
-        );
-        return;
-    }
-
-    if state.active && low_clear {
-        state.low_streak = state.low_streak.saturating_add(1);
-        if state.low_streak >= PRESSURE_RELEASE_TICKS {
-            state.active = false;
-            state.low_streak = 0;
-            shared.set_conntrack_pressure_active(false);
-            stats.set_conntrack_pressure_active(false);
-            info!("Conntrack pressure mode deactivated");
-        }
-        return;
-    }
-
-    state.low_streak = 0;
-}
-
-async fn reconcile_rules(cfg: &ProxyConfig, backend: Option<NetfilterBackend>, stats: &Stats) {
-    if !cfg.server.conntrack_control.inline_conntrack_control {
-        clear_notrack_rules_all_backends().await;
-        stats.set_conntrack_rule_apply_ok(true);
-        return;
-    }
-
-    if !has_cap_net_admin() {
-        stats.set_conntrack_rule_apply_ok(false);
-        return;
-    }
-
-    let Some(backend) = backend else {
-        stats.set_conntrack_rule_apply_ok(false);
-        return;
-    };
-
-    let apply_result = match backend {
-        NetfilterBackend::Nftables => apply_nft_rules(cfg).await,
-        NetfilterBackend::Iptables => apply_iptables_rules(cfg).await,
-    };
-
-    if let Err(error) = apply_result {
-        warn!(error = %error, "Failed to reconcile conntrack/notrack rules");
-        stats.set_conntrack_rule_apply_ok(false);
-    } else {
-        stats.set_conntrack_rule_apply_ok(true);
-    }
-}
-
-fn pick_backend(configured: ConntrackBackend) -> Option<NetfilterBackend> {
-    match configured {
-        ConntrackBackend::Auto => {
-            if command_exists("nft") {
-                Some(NetfilterBackend::Nftables)
-            } else if command_exists("iptables") {
-                Some(NetfilterBackend::Iptables)
-            } else {
-                None
-            }
-        }
-        ConntrackBackend::Nftables => command_exists("nft").then_some(NetfilterBackend::Nftables),
-        ConntrackBackend::Iptables => {
-            command_exists("iptables").then_some(NetfilterBackend::Iptables)
-        }
-    }
-}
-
-fn command_exists(binary: &str) -> bool {
-    let Some(path_var) = std::env::var_os("PATH") else {
-        return false;
-    };
-    std::env::split_paths(&path_var).any(|dir| {
-        let candidate: PathBuf = dir.join(binary);
-        candidate.exists() && candidate.is_file()
-    })
-}
-
-fn notrack_targets(cfg: &ProxyConfig) -> (Vec<Option<IpAddr>>, Vec<Option<IpAddr>>) {
-    let mode = cfg.server.conntrack_control.mode;
-    let mut v4_targets: BTreeSet<Option<IpAddr>> = BTreeSet::new();
-    let mut v6_targets: BTreeSet<Option<IpAddr>> = BTreeSet::new();
-
-    match mode {
-        ConntrackMode::Tracked => {}
-        ConntrackMode::Notrack => {
-            if cfg.server.listeners.is_empty() {
-                if let Some(ipv4) = cfg
-                    .server
-                    .listen_addr_ipv4
-                    .as_ref()
-                    .and_then(|s| s.parse::<IpAddr>().ok())
-                {
-                    if ipv4.is_unspecified() {
-                        v4_targets.insert(None);
-                    } else {
-                        v4_targets.insert(Some(ipv4));
-                    }
-                }
-                if let Some(ipv6) = cfg
-                    .server
-                    .listen_addr_ipv6
-                    .as_ref()
-                    .and_then(|s| s.parse::<IpAddr>().ok())
-                {
-                    if ipv6.is_unspecified() {
-                        v6_targets.insert(None);
-                    } else {
-                        v6_targets.insert(Some(ipv6));
-                    }
-                }
-            } else {
-                for listener in &cfg.server.listeners {
-                    if listener.ip.is_ipv4() {
-                        if listener.ip.is_unspecified() {
-                            v4_targets.insert(None);
-                        } else {
-                            v4_targets.insert(Some(listener.ip));
-                        }
-                    } else if listener.ip.is_unspecified() {
-                        v6_targets.insert(None);
-                    } else {
-                        v6_targets.insert(Some(listener.ip));
-                    }
-                }
-            }
-        }
-        ConntrackMode::Hybrid => {
-            for ip in &cfg.server.conntrack_control.hybrid_listener_ips {
-                if ip.is_ipv4() {
-                    v4_targets.insert(Some(*ip));
-                } else {
-                    v6_targets.insert(Some(*ip));
-                }
-            }
-        }
-    }
-
-    (
-        v4_targets.into_iter().collect(),
-        v6_targets.into_iter().collect(),
-    )
-}
-
-async fn apply_nft_rules(cfg: &ProxyConfig) -> Result<(), String> {
-    let _ = run_command(
-        "nft",
-        &["delete", "table", "inet", "telemt_conntrack"],
-        None,
-    )
-    .await;
-    if matches!(cfg.server.conntrack_control.mode, ConntrackMode::Tracked) {
-        return Ok(());
-    }
-
-    let (v4_targets, v6_targets) = notrack_targets(cfg);
-    let mut rules = Vec::new();
-    for ip in v4_targets {
-        let rule = if let Some(ip) = ip {
-            format!("tcp dport {} ip daddr {} notrack", cfg.server.port, ip)
-        } else {
-            format!("tcp dport {} notrack", cfg.server.port)
-        };
-        rules.push(rule);
-    }
-    for ip in v6_targets {
-        let rule = if let Some(ip) = ip {
-            format!("tcp dport {} ip6 daddr {} notrack", cfg.server.port, ip)
-        } else {
-            format!("tcp dport {} notrack", cfg.server.port)
-        };
-        rules.push(rule);
-    }
-
-    let rule_blob = if rules.is_empty() {
-        String::new()
-    } else {
-        format!("    {}\n", rules.join("\n    "))
-    };
-    let script = format!(
-        "table inet telemt_conntrack {{\n  chain preraw {{\n    type filter hook prerouting priority raw; policy accept;\n{rule_blob}  }}\n}}\n"
-    );
-    run_command("nft", &["-f", "-"], Some(script)).await
-}
-
-async fn apply_iptables_rules(cfg: &ProxyConfig) -> Result<(), String> {
-    apply_iptables_rules_for_binary("iptables", cfg, true).await?;
-    apply_iptables_rules_for_binary("ip6tables", cfg, false).await?;
-    Ok(())
-}
-
-async fn apply_iptables_rules_for_binary(
-    binary: &str,
-    cfg: &ProxyConfig,
-    ipv4: bool,
-) -> Result<(), String> {
-    if !command_exists(binary) {
-        return Ok(());
-    }
-    let chain = "TELEMT_NOTRACK";
-    let _ = run_command(
-        binary,
-        &["-t", "raw", "-D", "PREROUTING", "-j", chain],
-        None,
-    )
-    .await;
-    let _ = run_command(binary, &["-t", "raw", "-F", chain], None).await;
-    let _ = run_command(binary, &["-t", "raw", "-X", chain], None).await;
-
-    if matches!(cfg.server.conntrack_control.mode, ConntrackMode::Tracked) {
-        return Ok(());
-    }
-
-    run_command(binary, &["-t", "raw", "-N", chain], None).await?;
-    run_command(binary, &["-t", "raw", "-F", chain], None).await?;
-    if run_command(
-        binary,
-        &["-t", "raw", "-C", "PREROUTING", "-j", chain],
-        None,
-    )
-    .await
-    .is_err()
-    {
-        run_command(
-            binary,
-            &["-t", "raw", "-I", "PREROUTING", "1", "-j", chain],
-            None,
-        )
-        .await?;
-    }
-
-    let (v4_targets, v6_targets) = notrack_targets(cfg);
-    let selected = if ipv4 { v4_targets } else { v6_targets };
-    for ip in selected {
-        let mut args = vec![
-            "-t".to_string(),
-            "raw".to_string(),
-            "-A".to_string(),
-            chain.to_string(),
-            "-p".to_string(),
-            "tcp".to_string(),
-            "--dport".to_string(),
-            cfg.server.port.to_string(),
-        ];
-        if let Some(ip) = ip {
-            args.push("-d".to_string());
-            args.push(ip.to_string());
-        }
-        args.push("-j".to_string());
-        args.push("CT".to_string());
-        args.push("--notrack".to_string());
-        let arg_refs: Vec<&str> = args.iter().map(String::as_str).collect();
-        run_command(binary, &arg_refs, None).await?;
-    }
-    Ok(())
-}
-
-async fn clear_notrack_rules_all_backends() {
-    let _ = run_command(
-        "nft",
-        &["delete", "table", "inet", "telemt_conntrack"],
-        None,
-    )
-    .await;
-    let _ = run_command(
-        "iptables",
-        &["-t", "raw", "-D", "PREROUTING", "-j", "TELEMT_NOTRACK"],
-        None,
-    )
-    .await;
-    let _ = run_command("iptables", &["-t", "raw", "-F", "TELEMT_NOTRACK"], None).await;
-    let _ = run_command("iptables", &["-t", "raw", "-X", "TELEMT_NOTRACK"], None).await;
-    let _ = run_command(
-        "ip6tables",
-        &["-t", "raw", "-D", "PREROUTING", "-j", "TELEMT_NOTRACK"],
-        None,
-    )
-    .await;
-    let _ = run_command("ip6tables", &["-t", "raw", "-F", "TELEMT_NOTRACK"], None).await;
-    let _ = run_command("ip6tables", &["-t", "raw", "-X", "TELEMT_NOTRACK"], None).await;
-}
-
-enum DeleteOutcome {
-    Deleted,
-    NotFound,
-    Error,
-}
-
-async fn delete_conntrack_entry(event: ConntrackCloseEvent) -> DeleteOutcome {
-    if !command_exists("conntrack") {
-        return DeleteOutcome::Error;
-    }
-    let args = vec![
-        "-D".to_string(),
-        "-p".to_string(),
-        "tcp".to_string(),
-        "-s".to_string(),
-        event.src.ip().to_string(),
-        "--sport".to_string(),
-        event.src.port().to_string(),
-        "-d".to_string(),
-        event.dst.ip().to_string(),
-        "--dport".to_string(),
-        event.dst.port().to_string(),
-    ];
-    let arg_refs: Vec<&str> = args.iter().map(String::as_str).collect();
-    match run_command("conntrack", &arg_refs, None).await {
-        Ok(()) => DeleteOutcome::Deleted,
-        Err(error) => {
-            if error.contains("0 flow entries have been deleted") {
-                DeleteOutcome::NotFound
-            } else {
-                debug!(error = %error, "conntrack delete failed");
-                DeleteOutcome::Error
-            }
-        }
-    }
-}
-
-async fn run_command(binary: &str, args: &[&str], stdin: Option<String>) -> Result<(), String> {
-    if !command_exists(binary) {
-        return Err(format!("{binary} is not available"));
-    }
-    let mut command = Command::new(binary);
-    command.args(args);
-    if stdin.is_some() {
-        command.stdin(std::process::Stdio::piped());
-    }
-    command.stdout(std::process::Stdio::null());
-    command.stderr(std::process::Stdio::piped());
-    let mut child = command
-        .spawn()
-        .map_err(|e| format!("spawn {binary} failed: {e}"))?;
-    if let Some(blob) = stdin
-        && let Some(mut writer) = child.stdin.take()
-    {
-        writer
-            .write_all(blob.as_bytes())
-            .await
-            .map_err(|e| format!("stdin write {binary} failed: {e}"))?;
-    }
-    let output = child
-        .wait_with_output()
-        .await
-        .map_err(|e| format!("wait {binary} failed: {e}"))?;
-    if output.status.success() {
-        return Ok(());
-    }
-    let stderr = String::from_utf8_lossy(&output.stderr).trim().to_string();
-    Err(if stderr.is_empty() {
-        format!("{binary} exited with status {}", output.status)
-    } else {
-        stderr
-    })
-}
-
-fn fd_usage_pct() -> Option<u8> {
-    let soft_limit = nofile_soft_limit()?;
-    if soft_limit == 0 {
-        return None;
-    }
-    let fd_count = std::fs::read_dir("/proc/self/fd").ok()?.count() as u64;
-    Some(((fd_count.saturating_mul(100)) / soft_limit).min(100) as u8)
-}
-
-fn nofile_soft_limit() -> Option<u64> {
-    #[cfg(target_os = "linux")]
-    {
-        let mut lim = libc::rlimit {
-            rlim_cur: 0,
-            rlim_max: 0,
-        };
-        let rc = unsafe { libc::getrlimit(libc::RLIMIT_NOFILE, &mut lim) };
-        if rc != 0 {
-            return None;
-        }
-        return Some(lim.rlim_cur);
-    }
-    #[cfg(not(target_os = "linux"))]
-    {
-        None
-    }
-}
-
-fn has_cap_net_admin() -> bool {
-    #[cfg(target_os = "linux")]
-    {
-        let Ok(status) = std::fs::read_to_string("/proc/self/status") else {
-            return false;
-        };
-        for line in status.lines() {
-            if let Some(raw) = line.strip_prefix("CapEff:") {
-                let caps = raw.trim();
-                if let Ok(bits) = u64::from_str_radix(caps, 16) {
-                    const CAP_NET_ADMIN_BIT: u64 = 12;
-                    return (bits & (1u64 << CAP_NET_ADMIN_BIT)) != 0;
-                }
-            }
-        }
-        false
-    }
-    #[cfg(not(target_os = "linux"))]
-    {
-        false
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use crate::config::ProxyConfig;
-
-    #[test]
-    fn pressure_activates_on_accept_timeout_spike() {
-        let stats = Stats::new();
-        let shared = ProxySharedState::new();
-        let mut cfg = ProxyConfig::default();
-        cfg.server.conntrack_control.inline_conntrack_control = true;
-        let mut state = PressureState::new(&stats);
-        let sample = PressureSample {
-            conn_pct: Some(10),
-            fd_pct: Some(10),
-            accept_timeout_delta: 1,
-            me_queue_pressure_delta: 0,
-        };
-
-        update_pressure_state(&stats, shared.as_ref(), &cfg, &sample, &mut state);
-
-        assert!(state.active);
-        assert!(shared.conntrack_pressure_active());
-        assert!(stats.get_conntrack_pressure_active());
-    }
-
-    #[test]
-    fn pressure_releases_after_hysteresis_window() {
-        let stats = Stats::new();
-        let shared = ProxySharedState::new();
-        let mut cfg = ProxyConfig::default();
-        cfg.server.conntrack_control.inline_conntrack_control = true;
-        let mut state = PressureState::new(&stats);
-
-        let high_sample = PressureSample {
-            conn_pct: Some(95),
-            fd_pct: Some(95),
-            accept_timeout_delta: 0,
-            me_queue_pressure_delta: 0,
-        };
-        update_pressure_state(&stats, shared.as_ref(), &cfg, &high_sample, &mut state);
-        assert!(state.active);
-
-        let low_sample = PressureSample {
-            conn_pct: Some(10),
-            fd_pct: Some(10),
-            accept_timeout_delta: 0,
-            me_queue_pressure_delta: 0,
-        };
-        update_pressure_state(&stats, shared.as_ref(), &cfg, &low_sample, &mut state);
-        assert!(state.active);
-        update_pressure_state(&stats, shared.as_ref(), &cfg, &low_sample, &mut state);
-        assert!(state.active);
-        update_pressure_state(&stats, shared.as_ref(), &cfg, &low_sample, &mut state);
-
-        assert!(!state.active);
-        assert!(!shared.conntrack_pressure_active());
-        assert!(!stats.get_conntrack_pressure_active());
-    }
-
-    #[test]
-    fn pressure_does_not_activate_when_disabled() {
-        let stats = Stats::new();
-        let shared = ProxySharedState::new();
-        let mut cfg = ProxyConfig::default();
-        cfg.server.conntrack_control.inline_conntrack_control = false;
-        let mut state = PressureState::new(&stats);
-        let sample = PressureSample {
-            conn_pct: Some(100),
-            fd_pct: Some(100),
-            accept_timeout_delta: 10,
-            me_queue_pressure_delta: 10,
-        };
-
-        update_pressure_state(&stats, shared.as_ref(), &cfg, &sample, &mut state);
-
-        assert!(!state.active);
-        assert!(!shared.conntrack_pressure_active());
-        assert!(!stats.get_conntrack_pressure_active());
-    }
-}

src/daemon/mod.rs

@@ -1,577 +0,0 @@
-//! Unix daemon support for telemt.
-//!
-//! Provides classic Unix daemonization (double-fork), PID file management,
-//! and privilege dropping for running telemt as a background service.
-
-use std::fs::{self, File, OpenOptions};
-use std::io::{self, Read, Write};
-use std::os::unix::fs::OpenOptionsExt;
-use std::path::{Path, PathBuf};
-
-use nix::fcntl::{Flock, FlockArg};
-use nix::unistd::{self, ForkResult, Gid, Pid, Uid, chdir, close, fork, getpid, setsid};
-use tracing::{debug, info, warn};
-
-/// Default PID file location.
-pub const DEFAULT_PID_FILE: &str = "/var/run/telemt.pid";
-
-/// Daemon configuration options parsed from CLI.
-#[derive(Debug, Clone, Default)]
-pub struct DaemonOptions {
-    /// Run as daemon (fork to background).
-    pub daemonize: bool,
-    /// Path to PID file.
-    pub pid_file: Option<PathBuf>,
-    /// User to run as after binding sockets.
-    pub user: Option<String>,
-    /// Group to run as after binding sockets.
-    pub group: Option<String>,
-    /// Working directory for the daemon.
-    pub working_dir: Option<PathBuf>,
-    /// Explicit foreground mode (for systemd Type=simple).
-    pub foreground: bool,
-}
-
-impl DaemonOptions {
-    /// Returns the effective PID file path.
-    pub fn pid_file_path(&self) -> &Path {
-        self.pid_file
-            .as_deref()
-            .unwrap_or(Path::new(DEFAULT_PID_FILE))
-    }
-
-    /// Returns true if we should actually daemonize.
-    /// Foreground flag takes precedence.
-    pub fn should_daemonize(&self) -> bool {
-        self.daemonize && !self.foreground
-    }
-}
-
-/// Error types for daemon operations.
-#[derive(Debug, thiserror::Error)]
-pub enum DaemonError {
-    #[error("fork failed: {0}")]
-    ForkFailed(#[source] nix::Error),
-
-    #[error("setsid failed: {0}")]
-    SetsidFailed(#[source] nix::Error),
-
-    #[error("chdir failed: {0}")]
-    ChdirFailed(#[source] nix::Error),
-
-    #[error("failed to open /dev/null: {0}")]
-    DevNullFailed(#[source] io::Error),
-
-    #[error("failed to redirect stdio: {0}")]
-    RedirectFailed(#[source] nix::Error),
-
-    #[error("PID file error: {0}")]
-    PidFile(String),
-
-    #[error("another instance is already running (pid {0})")]
-    AlreadyRunning(i32),
-
-    #[error("user '{0}' not found")]
-    UserNotFound(String),
-
-    #[error("group '{0}' not found")]
-    GroupNotFound(String),
-
-    #[error("failed to set uid/gid: {0}")]
-    PrivilegeDrop(#[source] nix::Error),
-
-    #[error("io error: {0}")]
-    Io(#[from] io::Error),
-}
-
-/// Result of a successful daemonize() call.
-#[derive(Debug)]
-pub enum DaemonizeResult {
-    /// We are the parent process and should exit.
-    Parent,
-    /// We are the daemon child process and should continue.
-    Child,
-}
-
-/// Performs classic Unix double-fork daemonization.
-///
-/// This detaches the process from the controlling terminal:
-/// 1. First fork - parent exits, child continues
-/// 2. setsid() - become session leader
-/// 3. Second fork - ensure we can never acquire a controlling terminal
-/// 4. chdir("/") - don't hold any directory open
-/// 5. Redirect stdin/stdout/stderr to /dev/null
-///
-/// Returns `DaemonizeResult::Parent` in the original parent (which should exit),
-/// or `DaemonizeResult::Child` in the final daemon child.
-pub fn daemonize(working_dir: Option<&Path>) -> Result<DaemonizeResult, DaemonError> {
-    // First fork
-    match unsafe { fork() } {
-        Ok(ForkResult::Parent { .. }) => {
-            // Parent exits
-            return Ok(DaemonizeResult::Parent);
-        }
-        Ok(ForkResult::Child) => {
-            // Child continues
-        }
-        Err(e) => return Err(DaemonError::ForkFailed(e)),
-    }
-
-    // Create new session, become session leader
-    setsid().map_err(DaemonError::SetsidFailed)?;
-
-    // Second fork to ensure we can never acquire a controlling terminal
-    match unsafe { fork() } {
-        Ok(ForkResult::Parent { .. }) => {
-            // Intermediate parent exits
-            std::process::exit(0);
-        }
-        Ok(ForkResult::Child) => {
-            // Final daemon child continues
-        }
-        Err(e) => return Err(DaemonError::ForkFailed(e)),
-    }
-
-    // Change working directory
-    let target_dir = working_dir.unwrap_or(Path::new("/"));
-    chdir(target_dir).map_err(DaemonError::ChdirFailed)?;
-
-    // Redirect stdin, stdout, stderr to /dev/null
-    redirect_stdio_to_devnull()?;
-
-    Ok(DaemonizeResult::Child)
-}
-
-/// Redirects stdin, stdout, and stderr to /dev/null.
-fn redirect_stdio_to_devnull() -> Result<(), DaemonError> {
-    let devnull = File::options()
-        .read(true)
-        .write(true)
-        .open("/dev/null")
-        .map_err(DaemonError::DevNullFailed)?;
-
-    let devnull_fd = std::os::unix::io::AsRawFd::as_raw_fd(&devnull);
-
-    // Use libc::dup2 directly for redirecting standard file descriptors
-    // nix 0.31's dup2 requires OwnedFd which doesn't work well with stdio fds
-    unsafe {
-        // Redirect stdin (fd 0)
-        if libc::dup2(devnull_fd, 0) < 0 {
-            return Err(DaemonError::RedirectFailed(nix::errno::Errno::last()));
-        }
-        // Redirect stdout (fd 1)
-        if libc::dup2(devnull_fd, 1) < 0 {
-            return Err(DaemonError::RedirectFailed(nix::errno::Errno::last()));
-        }
-        // Redirect stderr (fd 2)
-        if libc::dup2(devnull_fd, 2) < 0 {
-            return Err(DaemonError::RedirectFailed(nix::errno::Errno::last()));
-        }
-    }
-
-    // Close original devnull fd if it's not one of the standard fds
-    if devnull_fd > 2 {
-        let _ = close(devnull_fd);
-    }
-
-    Ok(())
-}
-
-/// PID file manager with flock-based locking.
-pub struct PidFile {
-    path: PathBuf,
-    file: Option<File>,
-    locked: bool,
-}
-
-impl PidFile {
-    /// Creates a new PID file manager for the given path.
-    pub fn new<P: AsRef<Path>>(path: P) -> Self {
-        Self {
-            path: path.as_ref().to_path_buf(),
-            file: None,
-            locked: false,
-        }
-    }
-
-    /// Checks if another instance is already running.
-    ///
-    /// Returns the PID of the running instance if one exists.
-    pub fn check_running(&self) -> Result<Option<i32>, DaemonError> {
-        if !self.path.exists() {
-            return Ok(None);
-        }
-
-        // Try to read existing PID
-        let mut contents = String::new();
-        File::open(&self.path)
-            .and_then(|mut f| f.read_to_string(&mut contents))
-            .map_err(|e| {
-                DaemonError::PidFile(format!("cannot read {}: {}", self.path.display(), e))
-            })?;
-
-        let pid: i32 = contents
-            .trim()
-            .parse()
-            .map_err(|_| DaemonError::PidFile(format!("invalid PID in {}", self.path.display())))?;
-
-        // Check if process is still running
-        if is_process_running(pid) {
-            Ok(Some(pid))
-        } else {
-            // Stale PID file
-            debug!(pid, path = %self.path.display(), "Removing stale PID file");
-            let _ = fs::remove_file(&self.path);
-            Ok(None)
-        }
-    }
-
-    /// Acquires the PID file lock and writes the current PID.
-    ///
-    /// Fails if another instance is already running.
-    pub fn acquire(&mut self) -> Result<(), DaemonError> {
-        // Check for running instance first
-        if let Some(pid) = self.check_running()? {
-            return Err(DaemonError::AlreadyRunning(pid));
-        }
-
-        // Ensure parent directory exists
-        if let Some(parent) = self.path.parent() {
-            if !parent.exists() {
-                fs::create_dir_all(parent).map_err(|e| {
-                    DaemonError::PidFile(format!(
-                        "cannot create directory {}: {}",
-                        parent.display(),
-                        e
-                    ))
-                })?;
-            }
-        }
-
-        // Open/create PID file with exclusive lock
-        let file = OpenOptions::new()
-            .write(true)
-            .create(true)
-            .truncate(true)
-            .mode(0o644)
-            .open(&self.path)
-            .map_err(|e| {
-                DaemonError::PidFile(format!("cannot open {}: {}", self.path.display(), e))
-            })?;
-
-        // Try to acquire exclusive lock (non-blocking)
-        let flock = Flock::lock(file, FlockArg::LockExclusiveNonblock).map_err(|(_, errno)| {
-            // Check if another instance grabbed the lock
-            if let Some(pid) = self.check_running().ok().flatten() {
-                DaemonError::AlreadyRunning(pid)
-            } else {
-                DaemonError::PidFile(format!("cannot lock {}: {}", self.path.display(), errno))
-            }
-        })?;
-
-        // Write our PID
-        let pid = getpid();
-        let mut file = flock
-            .unlock()
-            .map_err(|(_, errno)| DaemonError::PidFile(format!("unlock failed: {}", errno)))?;
-
-        writeln!(file, "{}", pid).map_err(|e| {
-            DaemonError::PidFile(format!(
-                "cannot write PID to {}: {}",
-                self.path.display(),
-                e
-            ))
-        })?;
-
-        // Re-acquire lock and keep it
-        let flock = Flock::lock(file, FlockArg::LockExclusiveNonblock).map_err(|(_, errno)| {
-            DaemonError::PidFile(format!("cannot re-lock {}: {}", self.path.display(), errno))
-        })?;
-
-        self.file = Some(flock.unlock().map_err(|(_, errno)| {
-            DaemonError::PidFile(format!("unlock for storage failed: {}", errno))
-        })?);
-        self.locked = true;
-
-        info!(pid = pid.as_raw(), path = %self.path.display(), "PID file created");
-        Ok(())
-    }
-
-    /// Releases the PID file lock and removes the file.
-    pub fn release(&mut self) -> Result<(), DaemonError> {
-        if let Some(file) = self.file.take() {
-            drop(file);
-        }
-        self.locked = false;
-
-        if self.path.exists() {
-            fs::remove_file(&self.path).map_err(|e| {
-                DaemonError::PidFile(format!("cannot remove {}: {}", self.path.display(), e))
-            })?;
-            debug!(path = %self.path.display(), "PID file removed");
-        }
-
-        Ok(())
-    }
-
-    /// Returns the path to this PID file.
-    #[allow(dead_code)]
-    pub fn path(&self) -> &Path {
-        &self.path
-    }
-}
-
-impl Drop for PidFile {
-    fn drop(&mut self) {
-        if self.locked {
-            if let Err(e) = self.release() {
-                warn!(error = %e, "Failed to clean up PID file on drop");
-            }
-        }
-    }
-}
-
-/// Checks if a process with the given PID is running.
-fn is_process_running(pid: i32) -> bool {
-    // kill(pid, 0) checks if process exists without sending a signal
-    nix::sys::signal::kill(Pid::from_raw(pid), None).is_ok()
-}
-
-/// Drops privileges to the specified user and group.
-///
-/// This should be called after binding privileged ports but before entering
-/// the main event loop.
-pub fn drop_privileges(
-    user: Option<&str>,
-    group: Option<&str>,
-    pid_file: Option<&PidFile>,
-) -> Result<(), DaemonError> {
-    let target_gid = if let Some(group_name) = group {
-        Some(lookup_group(group_name)?)
-    } else if let Some(user_name) = user {
-        Some(lookup_user_primary_gid(user_name)?)
-    } else {
-        None
-    };
-
-    let target_uid = if let Some(user_name) = user {
-        Some(lookup_user(user_name)?)
-    } else {
-        None
-    };
-
-    if (target_uid.is_some() || target_gid.is_some())
-        && let Some(file) = pid_file.and_then(|pid| pid.file.as_ref())
-    {
-        unistd::fchown(file, target_uid, target_gid).map_err(DaemonError::PrivilegeDrop)?;
-    }
-
-    if let Some(gid) = target_gid {
-        unistd::setgid(gid).map_err(DaemonError::PrivilegeDrop)?;
-        unistd::setgroups(&[gid]).map_err(DaemonError::PrivilegeDrop)?;
-        info!(gid = gid.as_raw(), "Dropped group privileges");
-    }
-
-    if let Some(uid) = target_uid {
-        unistd::setuid(uid).map_err(DaemonError::PrivilegeDrop)?;
-        info!(uid = uid.as_raw(), "Dropped user privileges");
-
-        if uid.as_raw() != 0
-            && let Some(pid) = pid_file
-        {
-            let parent = pid.path.parent().unwrap_or(Path::new("."));
-            let probe_path = parent.join(format!(
-                ".telemt_pid_probe_{}_{}",
-                std::process::id(),
-                getpid().as_raw()
-            ));
-            OpenOptions::new()
-                .write(true)
-                .create_new(true)
-                .mode(0o600)
-                .open(&probe_path)
-                .map_err(|e| {
-                    DaemonError::PidFile(format!(
-                        "cannot create probe in PID directory {} as uid {} (pid cleanup will fail): {}",
-                        parent.display(),
-                        uid.as_raw(),
-                        e
-                    ))
-                })?;
-            fs::remove_file(&probe_path).map_err(|e| {
-                DaemonError::PidFile(format!(
-                    "cannot remove probe in PID directory {} as uid {} (pid cleanup will fail): {}",
-                    parent.display(),
-                    uid.as_raw(),
-                    e
-                ))
-            })?;
-        }
-    }
-
-    Ok(())
-}
-
-/// Looks up a user by name and returns their UID.
-fn lookup_user(name: &str) -> Result<Uid, DaemonError> {
-    // Use libc getpwnam
-    let c_name =
-        std::ffi::CString::new(name).map_err(|_| DaemonError::UserNotFound(name.to_string()))?;
-
-    unsafe {
-        let pwd = libc::getpwnam(c_name.as_ptr());
-        if pwd.is_null() {
-            Err(DaemonError::UserNotFound(name.to_string()))
-        } else {
-            Ok(Uid::from_raw((*pwd).pw_uid))
-        }
-    }
-}
-
-/// Looks up a user's primary GID by username.
-fn lookup_user_primary_gid(name: &str) -> Result<Gid, DaemonError> {
-    let c_name =
-        std::ffi::CString::new(name).map_err(|_| DaemonError::UserNotFound(name.to_string()))?;
-
-    unsafe {
-        let pwd = libc::getpwnam(c_name.as_ptr());
-        if pwd.is_null() {
-            Err(DaemonError::UserNotFound(name.to_string()))
-        } else {
-            Ok(Gid::from_raw((*pwd).pw_gid))
-        }
-    }
-}
-
-/// Looks up a group by name and returns its GID.
-fn lookup_group(name: &str) -> Result<Gid, DaemonError> {
-    let c_name =
-        std::ffi::CString::new(name).map_err(|_| DaemonError::GroupNotFound(name.to_string()))?;
-
-    unsafe {
-        let grp = libc::getgrnam(c_name.as_ptr());
-        if grp.is_null() {
-            Err(DaemonError::GroupNotFound(name.to_string()))
-        } else {
-            Ok(Gid::from_raw((*grp).gr_gid))
-        }
-    }
-}
-
-/// Reads PID from a PID file.
-#[allow(dead_code)]
-pub fn read_pid_file<P: AsRef<Path>>(path: P) -> Result<i32, DaemonError> {
-    let path = path.as_ref();
-    let mut contents = String::new();
-    File::open(path)
-        .and_then(|mut f| f.read_to_string(&mut contents))
-        .map_err(|e| DaemonError::PidFile(format!("cannot read {}: {}", path.display(), e)))?;
-
-    contents
-        .trim()
-        .parse()
-        .map_err(|_| DaemonError::PidFile(format!("invalid PID in {}", path.display())))
-}
-
-/// Sends a signal to the process specified in a PID file.
-#[allow(dead_code)]
-pub fn signal_pid_file<P: AsRef<Path>>(
-    path: P,
-    signal: nix::sys::signal::Signal,
-) -> Result<(), DaemonError> {
-    let pid = read_pid_file(&path)?;
-
-    if !is_process_running(pid) {
-        return Err(DaemonError::PidFile(format!(
-            "process {} from {} is not running",
-            pid,
-            path.as_ref().display()
-        )));
-    }
-
-    nix::sys::signal::kill(Pid::from_raw(pid), signal)
-        .map_err(|e| DaemonError::PidFile(format!("cannot signal process {}: {}", pid, e)))?;
-
-    Ok(())
-}
-
-/// Returns the status of the daemon based on PID file.
-#[allow(dead_code)]
-#[derive(Debug, Clone, PartialEq, Eq)]
-pub enum DaemonStatus {
-    /// Daemon is running with the given PID.
-    Running(i32),
-    /// PID file exists but process is not running.
-    Stale(i32),
-    /// No PID file exists.
-    NotRunning,
-}
-
-/// Checks the daemon status from a PID file.
-#[allow(dead_code)]
-pub fn check_status<P: AsRef<Path>>(path: P) -> DaemonStatus {
-    let path = path.as_ref();
-
-    if !path.exists() {
-        return DaemonStatus::NotRunning;
-    }
-
-    match read_pid_file(path) {
-        Ok(pid) => {
-            if is_process_running(pid) {
-                DaemonStatus::Running(pid)
-            } else {
-                DaemonStatus::Stale(pid)
-            }
-        }
-        Err(_) => DaemonStatus::NotRunning,
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn test_daemon_options_default() {
-        let opts = DaemonOptions::default();
-        assert!(!opts.daemonize);
-        assert!(!opts.should_daemonize());
-        assert_eq!(opts.pid_file_path(), Path::new(DEFAULT_PID_FILE));
-    }
-
-    #[test]
-    fn test_daemon_options_foreground_overrides() {
-        let opts = DaemonOptions {
-            daemonize: true,
-            foreground: true,
-            ..Default::default()
-        };
-        assert!(!opts.should_daemonize());
-    }
-
-    #[test]
-    fn test_check_status_not_running() {
-        let path = "/tmp/telemt_test_nonexistent.pid";
-        assert_eq!(check_status(path), DaemonStatus::NotRunning);
-    }
-
-    #[test]
-    fn test_pid_file_basic() {
-        let path = "/tmp/telemt_test_pidfile.pid";
-        let _ = fs::remove_file(path);
-
-        let mut pf = PidFile::new(path);
-        assert!(pf.check_running().unwrap().is_none());
-
-        pf.acquire().unwrap();
-        assert!(Path::new(path).exists());
-
-        // Read it back
-        let pid = read_pid_file(path).unwrap();
-        assert_eq!(pid, std::process::id() as i32);
-
-        pf.release().unwrap();
-        assert!(!Path::new(path).exists());
-    }
-}

src/ip_tracker.rs

@@ -26,15 +26,6 @@ pub struct UserIpTracker {
     cleanup_drain_lock: Arc<AsyncMutex<()>>,
 }
 
-#[derive(Debug, Clone, Copy)]
-pub struct UserIpTrackerMemoryStats {
-    pub active_users: usize,
-    pub recent_users: usize,
-    pub active_entries: usize,
-    pub recent_entries: usize,
-    pub cleanup_queue_len: usize,
-}
-
 impl UserIpTracker {
     pub fn new() -> Self {
         Self {
@@ -150,13 +141,6 @@ impl UserIpTracker {
 
         let mut active_ips = self.active_ips.write().await;
         let mut recent_ips = self.recent_ips.write().await;
-        let window = *self.limit_window.read().await;
-        let now = Instant::now();
-
-        for user_recent in recent_ips.values_mut() {
-            Self::prune_recent(user_recent, now, window);
-        }
-
         let mut users =
             Vec::<String>::with_capacity(active_ips.len().saturating_add(recent_ips.len()));
         users.extend(active_ips.keys().cloned());
@@ -182,26 +166,6 @@ impl UserIpTracker {
         }
     }
 
-    pub async fn memory_stats(&self) -> UserIpTrackerMemoryStats {
-        let cleanup_queue_len = self
-            .cleanup_queue
-            .lock()
-            .unwrap_or_else(|poisoned| poisoned.into_inner())
-            .len();
-        let active_ips = self.active_ips.read().await;
-        let recent_ips = self.recent_ips.read().await;
-        let active_entries = active_ips.values().map(HashMap::len).sum();
-        let recent_entries = recent_ips.values().map(HashMap::len).sum();
-
-        UserIpTrackerMemoryStats {
-            active_users: active_ips.len(),
-            recent_users: recent_ips.len(),
-            active_entries,
-            recent_entries,
-            cleanup_queue_len,
-        }
-    }
-
     pub async fn set_limit_policy(&self, mode: UserMaxUniqueIpsMode, window_secs: u64) {
         {
             let mut current_mode = self.limit_mode.write().await;
@@ -487,7 +451,6 @@ impl Default for UserIpTracker {
 mod tests {
     use super::*;
     use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
-    use std::sync::atomic::Ordering;
 
     fn test_ipv4(oct1: u8, oct2: u8, oct3: u8, oct4: u8) -> IpAddr {
         IpAddr::V4(Ipv4Addr::new(oct1, oct2, oct3, oct4))
@@ -801,54 +764,4 @@ mod tests {
         tokio::time::sleep(Duration::from_millis(1100)).await;
         assert!(tracker.check_and_add("test_user", ip2).await.is_ok());
     }
-
-    #[tokio::test]
-    async fn test_memory_stats_reports_queue_and_entry_counts() {
-        let tracker = UserIpTracker::new();
-        tracker.set_user_limit("test_user", 4).await;
-        let ip1 = test_ipv4(10, 2, 0, 1);
-        let ip2 = test_ipv4(10, 2, 0, 2);
-
-        tracker.check_and_add("test_user", ip1).await.unwrap();
-        tracker.check_and_add("test_user", ip2).await.unwrap();
-        tracker.enqueue_cleanup("test_user".to_string(), ip1);
-
-        let snapshot = tracker.memory_stats().await;
-        assert_eq!(snapshot.active_users, 1);
-        assert_eq!(snapshot.recent_users, 1);
-        assert_eq!(snapshot.active_entries, 2);
-        assert_eq!(snapshot.recent_entries, 2);
-        assert_eq!(snapshot.cleanup_queue_len, 1);
-    }
-
-    #[tokio::test]
-    async fn test_compact_prunes_stale_recent_entries() {
-        let tracker = UserIpTracker::new();
-        tracker
-            .set_limit_policy(UserMaxUniqueIpsMode::TimeWindow, 1)
-            .await;
-
-        let stale_user = "stale-user".to_string();
-        let stale_ip = test_ipv4(10, 3, 0, 1);
-        {
-            let mut recent_ips = tracker.recent_ips.write().await;
-            recent_ips
-                .entry(stale_user.clone())
-                .or_insert_with(HashMap::new)
-                .insert(stale_ip, Instant::now() - Duration::from_secs(5));
-        }
-
-        tracker.last_compact_epoch_secs.store(0, Ordering::Relaxed);
-        tracker
-            .check_and_add("trigger-user", test_ipv4(10, 3, 0, 2))
-            .await
-            .unwrap();
-
-        let recent_ips = tracker.recent_ips.read().await;
-        let stale_exists = recent_ips
-            .get(&stale_user)
-            .map(|ips| ips.contains_key(&stale_ip))
-            .unwrap_or(false);
-        assert!(!stale_exists);
-    }
 }

src/logging.rs

@@ -1,343 +0,0 @@
-//! Logging configuration for telemt.
-//!
-//! Supports multiple log destinations:
-//! - stderr (default, works with systemd journald)
-//! - syslog (Unix only, for traditional init systems)
-//! - file (with optional rotation)
-
-#![allow(dead_code)] // Infrastructure module - used via CLI flags
-
-use std::path::Path;
-
-use tracing_subscriber::layer::SubscriberExt;
-use tracing_subscriber::util::SubscriberInitExt;
-use tracing_subscriber::{EnvFilter, fmt, reload};
-
-/// Log destination configuration.
-#[derive(Debug, Clone, Default)]
-pub enum LogDestination {
-    /// Log to stderr (default, captured by systemd journald).
-    #[default]
-    Stderr,
-    /// Log to syslog (Unix only).
-    #[cfg(unix)]
-    Syslog,
-    /// Log to a file with optional rotation.
-    File {
-        path: String,
-        /// Rotate daily if true.
-        rotate_daily: bool,
-    },
-}
-
-/// Logging options parsed from CLI/config.
-#[derive(Debug, Clone, Default)]
-pub struct LoggingOptions {
-    /// Where to send logs.
-    pub destination: LogDestination,
-    /// Disable ANSI colors.
-    pub disable_colors: bool,
-}
-
-/// Guard that must be held to keep file logging active.
-/// When dropped, flushes and closes log files.
-pub struct LoggingGuard {
-    _guard: Option<tracing_appender::non_blocking::WorkerGuard>,
-}
-
-impl LoggingGuard {
-    fn new(guard: Option<tracing_appender::non_blocking::WorkerGuard>) -> Self {
-        Self { _guard: guard }
-    }
-
-    /// Creates a no-op guard for stderr/syslog logging.
-    pub fn noop() -> Self {
-        Self { _guard: None }
-    }
-}
-
-/// Initialize the tracing subscriber with the specified options.
-///
-/// Returns a reload handle for dynamic log level changes and a guard
-/// that must be kept alive for file logging.
-pub fn init_logging(
-    opts: &LoggingOptions,
-    initial_filter: &str,
-) -> (
-    reload::Handle<EnvFilter, impl tracing::Subscriber + Send + Sync>,
-    LoggingGuard,
-) {
-    let (filter_layer, filter_handle) = reload::Layer::new(EnvFilter::new(initial_filter));
-
-    match &opts.destination {
-        LogDestination::Stderr => {
-            let fmt_layer = fmt::Layer::default()
-                .with_ansi(!opts.disable_colors)
-                .with_target(true);
-
-            tracing_subscriber::registry()
-                .with(filter_layer)
-                .with(fmt_layer)
-                .init();
-
-            (filter_handle, LoggingGuard::noop())
-        }
-
-        #[cfg(unix)]
-        LogDestination::Syslog => {
-            // Use a custom fmt layer that writes to syslog
-            let fmt_layer = fmt::Layer::default()
-                .with_ansi(false)
-                .with_target(false)
-                .with_level(false)
-                .without_time()
-                .with_writer(SyslogMakeWriter::new());
-
-            tracing_subscriber::registry()
-                .with(filter_layer)
-                .with(fmt_layer)
-                .init();
-
-            (filter_handle, LoggingGuard::noop())
-        }
-
-        LogDestination::File { path, rotate_daily } => {
-            let (non_blocking, guard) = if *rotate_daily {
-                // Extract directory and filename prefix
-                let path = Path::new(path);
-                let dir = path.parent().unwrap_or(Path::new("/var/log"));
-                let prefix = path
-                    .file_name()
-                    .and_then(|s| s.to_str())
-                    .unwrap_or("telemt");
-
-                let file_appender = tracing_appender::rolling::daily(dir, prefix);
-                tracing_appender::non_blocking(file_appender)
-            } else {
-                let file = std::fs::OpenOptions::new()
-                    .create(true)
-                    .append(true)
-                    .open(path)
-                    .expect("Failed to open log file");
-                tracing_appender::non_blocking(file)
-            };
-
-            let fmt_layer = fmt::Layer::default()
-                .with_ansi(false)
-                .with_target(true)
-                .with_writer(non_blocking);
-
-            tracing_subscriber::registry()
-                .with(filter_layer)
-                .with(fmt_layer)
-                .init();
-
-            (filter_handle, LoggingGuard::new(Some(guard)))
-        }
-    }
-}
-
-/// Syslog writer for tracing.
-#[cfg(unix)]
-#[derive(Clone, Copy)]
-struct SyslogMakeWriter;
-
-#[cfg(unix)]
-#[derive(Clone, Copy)]
-struct SyslogWriter {
-    priority: libc::c_int,
-}
-
-#[cfg(unix)]
-impl SyslogMakeWriter {
-    fn new() -> Self {
-        // Open syslog connection on first use
-        static INIT: std::sync::Once = std::sync::Once::new();
-        INIT.call_once(|| {
-            unsafe {
-                // Open syslog with ident "telemt", LOG_PID, LOG_DAEMON facility
-                let ident = b"telemt\0".as_ptr() as *const libc::c_char;
-                libc::openlog(ident, libc::LOG_PID | libc::LOG_NDELAY, libc::LOG_DAEMON);
-            }
-        });
-        Self
-    }
-}
-
-#[cfg(unix)]
-fn syslog_priority_for_level(level: &tracing::Level) -> libc::c_int {
-    match *level {
-        tracing::Level::ERROR => libc::LOG_ERR,
-        tracing::Level::WARN => libc::LOG_WARNING,
-        tracing::Level::INFO => libc::LOG_INFO,
-        tracing::Level::DEBUG => libc::LOG_DEBUG,
-        tracing::Level::TRACE => libc::LOG_DEBUG,
-    }
-}
-
-#[cfg(unix)]
-impl std::io::Write for SyslogWriter {
-    fn write(&mut self, buf: &[u8]) -> std::io::Result<usize> {
-        // Convert to C string, stripping newlines
-        let msg = String::from_utf8_lossy(buf);
-        let msg = msg.trim_end();
-
-        if msg.is_empty() {
-            return Ok(buf.len());
-        }
-
-        // Write to syslog
-        let c_msg = std::ffi::CString::new(msg.as_bytes())
-            .unwrap_or_else(|_| std::ffi::CString::new("(invalid utf8)").unwrap());
-
-        unsafe {
-            libc::syslog(
-                self.priority,
-                b"%s\0".as_ptr() as *const libc::c_char,
-                c_msg.as_ptr(),
-            );
-        }
-
-        Ok(buf.len())
-    }
-
-    fn flush(&mut self) -> std::io::Result<()> {
-        Ok(())
-    }
-}
-
-#[cfg(unix)]
-impl<'a> tracing_subscriber::fmt::MakeWriter<'a> for SyslogMakeWriter {
-    type Writer = SyslogWriter;
-
-    fn make_writer(&'a self) -> Self::Writer {
-        SyslogWriter {
-            priority: libc::LOG_INFO,
-        }
-    }
-
-    fn make_writer_for(&'a self, meta: &tracing::Metadata<'_>) -> Self::Writer {
-        SyslogWriter {
-            priority: syslog_priority_for_level(meta.level()),
-        }
-    }
-}
-
-/// Parse log destination from CLI arguments.
-pub fn parse_log_destination(args: &[String]) -> LogDestination {
-    let mut i = 0;
-    while i < args.len() {
-        match args[i].as_str() {
-            #[cfg(unix)]
-            "--syslog" => {
-                return LogDestination::Syslog;
-            }
-            "--log-file" => {
-                i += 1;
-                if i < args.len() {
-                    return LogDestination::File {
-                        path: args[i].clone(),
-                        rotate_daily: false,
-                    };
-                }
-            }
-            s if s.starts_with("--log-file=") => {
-                return LogDestination::File {
-                    path: s.trim_start_matches("--log-file=").to_string(),
-                    rotate_daily: false,
-                };
-            }
-            "--log-file-daily" => {
-                i += 1;
-                if i < args.len() {
-                    return LogDestination::File {
-                        path: args[i].clone(),
-                        rotate_daily: true,
-                    };
-                }
-            }
-            s if s.starts_with("--log-file-daily=") => {
-                return LogDestination::File {
-                    path: s.trim_start_matches("--log-file-daily=").to_string(),
-                    rotate_daily: true,
-                };
-            }
-            _ => {}
-        }
-        i += 1;
-    }
-    LogDestination::Stderr
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn test_parse_log_destination_default() {
-        let args: Vec<String> = vec![];
-        assert!(matches!(
-            parse_log_destination(&args),
-            LogDestination::Stderr
-        ));
-    }
-
-    #[test]
-    fn test_parse_log_destination_file() {
-        let args = vec!["--log-file".to_string(), "/var/log/telemt.log".to_string()];
-        match parse_log_destination(&args) {
-            LogDestination::File { path, rotate_daily } => {
-                assert_eq!(path, "/var/log/telemt.log");
-                assert!(!rotate_daily);
-            }
-            _ => panic!("Expected File destination"),
-        }
-    }
-
-    #[test]
-    fn test_parse_log_destination_file_daily() {
-        let args = vec!["--log-file-daily=/var/log/telemt".to_string()];
-        match parse_log_destination(&args) {
-            LogDestination::File { path, rotate_daily } => {
-                assert_eq!(path, "/var/log/telemt");
-                assert!(rotate_daily);
-            }
-            _ => panic!("Expected File destination"),
-        }
-    }
-
-    #[cfg(unix)]
-    #[test]
-    fn test_parse_log_destination_syslog() {
-        let args = vec!["--syslog".to_string()];
-        assert!(matches!(
-            parse_log_destination(&args),
-            LogDestination::Syslog
-        ));
-    }
-
-    #[cfg(unix)]
-    #[test]
-    fn test_syslog_priority_for_level_mapping() {
-        assert_eq!(
-            syslog_priority_for_level(&tracing::Level::ERROR),
-            libc::LOG_ERR
-        );
-        assert_eq!(
-            syslog_priority_for_level(&tracing::Level::WARN),
-            libc::LOG_WARNING
-        );
-        assert_eq!(
-            syslog_priority_for_level(&tracing::Level::INFO),
-            libc::LOG_INFO
-        );
-        assert_eq!(
-            syslog_priority_for_level(&tracing::Level::DEBUG),
-            libc::LOG_DEBUG
-        );
-        assert_eq!(
-            syslog_priority_for_level(&tracing::Level::TRACE),
-            libc::LOG_DEBUG
-        );
-    }
-}

src/maestro/helpers.rs

@@ -8,7 +8,6 @@ use tracing::{debug, error, info, warn};
 
 use crate::cli;
 use crate::config::ProxyConfig;
-use crate::logging::LogDestination;
 use crate::transport::UpstreamManager;
 use crate::transport::middle_proxy::{
     ProxyConfigData, fetch_proxy_config_with_raw_via_upstream, load_proxy_config_cache,
@@ -18,56 +17,24 @@ use crate::transport::middle_proxy::{
 pub(crate) fn resolve_runtime_config_path(
     config_path_cli: &str,
     startup_cwd: &std::path::Path,
-    config_path_explicit: bool,
 ) -> PathBuf {
-    if config_path_explicit {
+    let raw = PathBuf::from(config_path_cli);
-        let raw = PathBuf::from(config_path_cli);
+    let absolute = if raw.is_absolute() {
-        let absolute = if raw.is_absolute() {
+        raw
-            raw
+    } else {
-        } else {
+        startup_cwd.join(raw)
-            startup_cwd.join(raw)
+    };
-        };
+    absolute.canonicalize().unwrap_or(absolute)
-        return absolute.canonicalize().unwrap_or(absolute);
-    }
-
-    let etc_telemt = std::path::Path::new("/etc/telemt");
-    let candidates = [
-        startup_cwd.join("config.toml"),
-        startup_cwd.join("telemt.toml"),
-        etc_telemt.join("telemt.toml"),
-        etc_telemt.join("config.toml"),
-    ];
-    for candidate in candidates {
-        if candidate.is_file() {
-            return candidate.canonicalize().unwrap_or(candidate);
-        }
-    }
-
-    startup_cwd.join("config.toml")
 }
 
-/// Parsed CLI arguments.
+pub(crate) fn parse_cli() -> (String, Option<PathBuf>, bool, Option<String>) {
-pub(crate) struct CliArgs {
-    pub config_path: String,
-    pub config_path_explicit: bool,
-    pub data_path: Option<PathBuf>,
-    pub silent: bool,
-    pub log_level: Option<String>,
-    pub log_destination: LogDestination,
-}
-
-pub(crate) fn parse_cli() -> CliArgs {
     let mut config_path = "config.toml".to_string();
-    let mut config_path_explicit = false;
     let mut data_path: Option<PathBuf> = None;
     let mut silent = false;
     let mut log_level: Option<String> = None;
 
     let args: Vec<String> = std::env::args().skip(1).collect();
 
-    // Parse log destination
-    let log_destination = crate::logging::parse_log_destination(&args);
-
     // Check for --init first (handled before tokio)
     if let Some(init_opts) = cli::parse_init_args(&args) {
         if let Err(e) = cli::run_init(init_opts) {
@@ -94,20 +61,6 @@ pub(crate) fn parse_cli() -> CliArgs {
                     s.trim_start_matches("--data-path=").to_string(),
                 ));
             }
-            "--working-dir" => {
-                i += 1;
-                if i < args.len() {
-                    data_path = Some(PathBuf::from(args[i].clone()));
-                } else {
-                    eprintln!("Missing value for --working-dir");
-                    std::process::exit(0);
-                }
-            }
-            s if s.starts_with("--working-dir=") => {
-                data_path = Some(PathBuf::from(
-                    s.trim_start_matches("--working-dir=").to_string(),
-                ));
-            }
             "--silent" | "-s" => {
                 silent = true;
             }
@@ -121,35 +74,38 @@ pub(crate) fn parse_cli() -> CliArgs {
                 log_level = Some(s.trim_start_matches("--log-level=").to_string());
             }
             "--help" | "-h" => {
-                print_help();
+                eprintln!("Usage: telemt [config.toml] [OPTIONS]");
+                eprintln!();
+                eprintln!("Options:");
+                eprintln!(
+                    "  --data-path <DIR>       Set data directory (absolute path; overrides config value)"
+                );
+                eprintln!("  --silent, -s            Suppress info logs");
+                eprintln!("  --log-level <LEVEL>     debug|verbose|normal|silent");
+                eprintln!("  --help, -h              Show this help");
+                eprintln!();
+                eprintln!("Setup (fire-and-forget):");
+                eprintln!(
+                    "  --init                  Generate config, install systemd service, start"
+                );
+                eprintln!("    --port <PORT>          Listen port (default: 443)");
+                eprintln!(
+                    "    --domain <DOMAIN>      TLS domain for masking (default: www.google.com)"
+                );
+                eprintln!(
+                    "    --secret <HEX>         32-char hex secret (auto-generated if omitted)"
+                );
+                eprintln!("    --user <NAME>          Username (default: user)");
+                eprintln!("    --config-dir <DIR>     Config directory (default: /etc/telemt)");
+                eprintln!("    --no-start             Don't start the service after install");
                 std::process::exit(0);
             }
             "--version" | "-V" => {
                 println!("telemt {}", env!("CARGO_PKG_VERSION"));
                 std::process::exit(0);
             }
-            // Skip daemon-related flags (already parsed)
-            "--daemon" | "-d" | "--foreground" | "-f" => {}
-            s if s.starts_with("--pid-file") => {
-                if !s.contains('=') {
-                    i += 1; // skip value
-                }
-            }
-            s if s.starts_with("--run-as-user") => {
-                if !s.contains('=') {
-                    i += 1;
-                }
-            }
-            s if s.starts_with("--run-as-group") => {
-                if !s.contains('=') {
-                    i += 1;
-                }
-            }
             s if !s.starts_with('-') => {
-                if !matches!(s, "run" | "start" | "stop" | "reload" | "status") {
+                config_path = s.to_string();
-                    config_path = s.to_string();
-                    config_path_explicit = true;
-                }
             }
             other => {
                 eprintln!("Unknown option: {}", other);
@@ -158,75 +114,7 @@ pub(crate) fn parse_cli() -> CliArgs {
         i += 1;
     }
 
-    CliArgs {
+    (config_path, data_path, silent, log_level)
-        config_path,
-        config_path_explicit,
-        data_path,
-        silent,
-        log_level,
-        log_destination,
-    }
-}
-
-fn print_help() {
-    eprintln!("Usage: telemt [COMMAND] [OPTIONS] [config.toml]");
-    eprintln!();
-    eprintln!("Commands:");
-    eprintln!("  run                     Run in foreground (default if no command given)");
-    #[cfg(unix)]
-    {
-        eprintln!("  start                   Start as background daemon");
-        eprintln!("  stop                    Stop a running daemon");
-        eprintln!("  reload                  Reload configuration (send SIGHUP)");
-        eprintln!("  status                  Check if daemon is running");
-    }
-    eprintln!();
-    eprintln!("Options:");
-    eprintln!(
-        "  --data-path <DIR>       Set data directory (absolute path; overrides config value)"
-    );
-    eprintln!("  --working-dir <DIR>     Alias for --data-path");
-    eprintln!("  --silent, -s            Suppress info logs");
-    eprintln!("  --log-level <LEVEL>     debug|verbose|normal|silent");
-    eprintln!("  --help, -h              Show this help");
-    eprintln!("  --version, -V           Show version");
-    eprintln!();
-    eprintln!("Logging options:");
-    eprintln!("  --log-file <PATH>       Log to file (default: stderr)");
-    eprintln!("  --log-file-daily <PATH> Log to file with daily rotation");
-    #[cfg(unix)]
-    eprintln!("  --syslog                Log to syslog (Unix only)");
-    eprintln!();
-    #[cfg(unix)]
-    {
-        eprintln!("Daemon options (Unix only):");
-        eprintln!("  --daemon, -d            Fork to background (daemonize)");
-        eprintln!("  --foreground, -f        Explicit foreground mode (for systemd)");
-        eprintln!("  --pid-file <PATH>       PID file path (default: /var/run/telemt.pid)");
-        eprintln!("  --run-as-user <USER>    Drop privileges to this user after binding");
-        eprintln!("  --run-as-group <GROUP>  Drop privileges to this group after binding");
-        eprintln!("  --working-dir <DIR>     Working directory for daemon mode");
-        eprintln!();
-    }
-    eprintln!("Setup (fire-and-forget):");
-    eprintln!("  --init                  Generate config, install systemd service, start");
-    eprintln!("    --port <PORT>          Listen port (default: 443)");
-    eprintln!("    --domain <DOMAIN>      TLS domain for masking (default: www.google.com)");
-    eprintln!("    --secret <HEX>         32-char hex secret (auto-generated if omitted)");
-    eprintln!("    --user <NAME>          Username (default: user)");
-    eprintln!("    --config-dir <DIR>     Config directory (default: /etc/telemt)");
-    eprintln!("    --no-start             Don't start the service after install");
-    #[cfg(unix)]
-    {
-        eprintln!();
-        eprintln!("Examples:");
-        eprintln!("  telemt config.toml                    Run in foreground");
-        eprintln!("  telemt start config.toml              Start as daemon");
-        eprintln!("  telemt start --pid-file /tmp/t.pid    Start with custom PID file");
-        eprintln!("  telemt stop                           Stop daemon");
-        eprintln!("  telemt reload                         Reload configuration");
-        eprintln!("  telemt status                         Check daemon status");
-    }
 }
 
 #[cfg(test)]
@@ -244,7 +132,7 @@ mod tests {
         let target = startup_cwd.join("config.toml");
         std::fs::write(&target, " ").unwrap();
 
-        let resolved = resolve_runtime_config_path("config.toml", &startup_cwd, true);
+        let resolved = resolve_runtime_config_path("config.toml", &startup_cwd);
         assert_eq!(resolved, target.canonicalize().unwrap());
 
         let _ = std::fs::remove_file(&target);
@@ -260,45 +148,11 @@ mod tests {
         let startup_cwd = std::env::temp_dir().join(format!("telemt_cfg_path_missing_{nonce}"));
         std::fs::create_dir_all(&startup_cwd).unwrap();
 
-        let resolved = resolve_runtime_config_path("missing.toml", &startup_cwd, true);
+        let resolved = resolve_runtime_config_path("missing.toml", &startup_cwd);
         assert_eq!(resolved, startup_cwd.join("missing.toml"));
 
         let _ = std::fs::remove_dir(&startup_cwd);
     }
-
-    #[test]
-    fn resolve_runtime_config_path_uses_startup_candidates_when_not_explicit() {
-        let nonce = std::time::SystemTime::now()
-            .duration_since(std::time::UNIX_EPOCH)
-            .unwrap()
-            .as_nanos();
-        let startup_cwd =
-            std::env::temp_dir().join(format!("telemt_cfg_startup_candidates_{nonce}"));
-        std::fs::create_dir_all(&startup_cwd).unwrap();
-        let telemt = startup_cwd.join("telemt.toml");
-        std::fs::write(&telemt, " ").unwrap();
-
-        let resolved = resolve_runtime_config_path("config.toml", &startup_cwd, false);
-        assert_eq!(resolved, telemt.canonicalize().unwrap());
-
-        let _ = std::fs::remove_file(&telemt);
-        let _ = std::fs::remove_dir(&startup_cwd);
-    }
-
-    #[test]
-    fn resolve_runtime_config_path_defaults_to_startup_config_when_none_found() {
-        let nonce = std::time::SystemTime::now()
-            .duration_since(std::time::UNIX_EPOCH)
-            .unwrap()
-            .as_nanos();
-        let startup_cwd = std::env::temp_dir().join(format!("telemt_cfg_startup_default_{nonce}"));
-        std::fs::create_dir_all(&startup_cwd).unwrap();
-
-        let resolved = resolve_runtime_config_path("config.toml", &startup_cwd, false);
-        assert_eq!(resolved, startup_cwd.join("config.toml"));
-
-        let _ = std::fs::remove_dir(&startup_cwd);
-    }
 }
 
 pub(crate) fn print_proxy_links(host: &str, port: u16, config: &ProxyConfig) {

src/maestro/listeners.rs

@@ -14,7 +14,6 @@ use crate::crypto::SecureRandom;
 use crate::ip_tracker::UserIpTracker;
 use crate::proxy::ClientHandler;
 use crate::proxy::route_mode::{ROUTE_SWITCH_ERROR_MSG, RouteRuntimeController};
-use crate::proxy::shared_state::ProxySharedState;
 use crate::startup::{COMPONENT_LISTENERS_BIND, StartupTracker};
 use crate::stats::beobachten::BeobachtenStore;
 use crate::stats::{ReplayChecker, Stats};
@@ -50,7 +49,6 @@ pub(crate) async fn bind_listeners(
     tls_cache: Option<Arc<TlsFrontCache>>,
     ip_tracker: Arc<UserIpTracker>,
     beobachten: Arc<BeobachtenStore>,
-    shared: Arc<ProxySharedState>,
     max_connections: Arc<Semaphore>,
 ) -> Result<BoundListeners, Box<dyn Error>> {
     startup_tracker
@@ -74,7 +72,6 @@ pub(crate) async fn bind_listeners(
         let options = ListenOptions {
             reuse_port: listener_conf.reuse_allow,
             ipv6_only: listener_conf.ip.is_ipv6(),
-            backlog: config.server.listen_backlog,
             ..Default::default()
         };
 
@@ -226,7 +223,6 @@ pub(crate) async fn bind_listeners(
         let tls_cache = tls_cache.clone();
         let ip_tracker = ip_tracker.clone();
         let beobachten = beobachten.clone();
-        let shared = shared.clone();
         let max_connections_unix = max_connections.clone();
 
         tokio::spawn(async move {
@@ -262,7 +258,6 @@ pub(crate) async fn bind_listeners(
                                     break;
                                 }
                                 Err(_) => {
-                                    stats.increment_accept_permit_timeout_total();
                                     debug!(
                                         timeout_ms = accept_permit_timeout_ms,
                                         "Dropping accepted unix connection: permit wait timeout"
@@ -288,12 +283,11 @@ pub(crate) async fn bind_listeners(
                         let tls_cache = tls_cache.clone();
                         let ip_tracker = ip_tracker.clone();
                         let beobachten = beobachten.clone();
-                        let shared = shared.clone();
                         let proxy_protocol_enabled = config.server.proxy_protocol;
 
                         tokio::spawn(async move {
                             let _permit = permit;
-                            if let Err(e) = crate::proxy::client::handle_client_stream_with_shared(
+                            if let Err(e) = crate::proxy::client::handle_client_stream(
                                 stream,
                                 fake_peer,
                                 config,
@@ -307,7 +301,6 @@ pub(crate) async fn bind_listeners(
                                 tls_cache,
                                 ip_tracker,
                                 beobachten,
-                                shared,
                                 proxy_protocol_enabled,
                             )
                             .await
@@ -357,7 +350,6 @@ pub(crate) fn spawn_tcp_accept_loops(
     tls_cache: Option<Arc<TlsFrontCache>>,
     ip_tracker: Arc<UserIpTracker>,
     beobachten: Arc<BeobachtenStore>,
-    shared: Arc<ProxySharedState>,
     max_connections: Arc<Semaphore>,
 ) {
     for (listener, listener_proxy_protocol) in listeners {
@@ -373,7 +365,6 @@ pub(crate) fn spawn_tcp_accept_loops(
         let tls_cache = tls_cache.clone();
         let ip_tracker = ip_tracker.clone();
         let beobachten = beobachten.clone();
-        let shared = shared.clone();
         let max_connections_tcp = max_connections.clone();
 
         tokio::spawn(async move {
@@ -408,7 +399,6 @@ pub(crate) fn spawn_tcp_accept_loops(
                                     break;
                                 }
                                 Err(_) => {
-                                    stats.increment_accept_permit_timeout_total();
                                     debug!(
                                         peer = %peer_addr,
                                         timeout_ms = accept_permit_timeout_ms,
@@ -430,14 +420,13 @@ pub(crate) fn spawn_tcp_accept_loops(
                         let tls_cache = tls_cache.clone();
                         let ip_tracker = ip_tracker.clone();
                         let beobachten = beobachten.clone();
-                        let shared = shared.clone();
                         let proxy_protocol_enabled = listener_proxy_protocol;
                         let real_peer_report = Arc::new(std::sync::Mutex::new(None));
                         let real_peer_report_for_handler = real_peer_report.clone();
 
                         tokio::spawn(async move {
                             let _permit = permit;
-                            if let Err(e) = ClientHandler::new_with_shared(
+                            if let Err(e) = ClientHandler::new(
                                 stream,
                                 peer_addr,
                                 config,
@@ -451,7 +440,6 @@ pub(crate) fn spawn_tcp_accept_loops(
                                 tls_cache,
                                 ip_tracker,
                                 beobachten,
-                                shared,
                                 proxy_protocol_enabled,
                                 real_peer_report_for_handler,
                             )

src/maestro/mod.rs

@@ -29,12 +29,10 @@ use tracing_subscriber::{EnvFilter, fmt, prelude::*, reload};
 
 use crate::api;
 use crate::config::{LogLevel, ProxyConfig};
-use crate::conntrack_control;
 use crate::crypto::SecureRandom;
 use crate::ip_tracker::UserIpTracker;
 use crate::network::probe::{decide_network_capabilities, log_probe_result, run_probe};
 use crate::proxy::route_mode::{RelayRouteMode, RouteRuntimeController};
-use crate::proxy::shared_state::ProxySharedState;
 use crate::startup::{
     COMPONENT_API_BOOTSTRAP, COMPONENT_CONFIG_LOAD, COMPONENT_ME_POOL_CONSTRUCT,
     COMPONENT_ME_POOL_INIT_STAGE1, COMPONENT_ME_PROXY_CONFIG_V4, COMPONENT_ME_PROXY_CONFIG_V6,
@@ -49,55 +47,8 @@ use crate::transport::UpstreamManager;
 use crate::transport::middle_proxy::MePool;
 use helpers::{parse_cli, resolve_runtime_config_path};
 
-#[cfg(unix)]
-use crate::daemon::{DaemonOptions, PidFile, drop_privileges};
-
 /// Runs the full telemt runtime startup pipeline and blocks until shutdown.
-///
-/// On Unix, daemon options should be handled before calling this function
-/// (daemonization must happen before tokio runtime starts).
-#[cfg(unix)]
-pub async fn run_with_daemon(
-    daemon_opts: DaemonOptions,
-) -> std::result::Result<(), Box<dyn std::error::Error>> {
-    run_inner(daemon_opts).await
-}
-
-/// Runs the full telemt runtime startup pipeline and blocks until shutdown.
-///
-/// This is the main entry point for non-daemon mode or when called as a library.
-#[allow(dead_code)]
 pub async fn run() -> std::result::Result<(), Box<dyn std::error::Error>> {
-    #[cfg(unix)]
-    {
-        // Parse CLI to get daemon options even in simple run() path
-        let args: Vec<String> = std::env::args().skip(1).collect();
-        let daemon_opts = crate::cli::parse_daemon_args(&args);
-        run_inner(daemon_opts).await
-    }
-    #[cfg(not(unix))]
-    {
-        run_inner().await
-    }
-}
-
-#[cfg(unix)]
-async fn run_inner(
-    daemon_opts: DaemonOptions,
-) -> std::result::Result<(), Box<dyn std::error::Error>> {
-    // Acquire PID file if daemonizing or if explicitly requested
-    // Keep it alive until shutdown (underscore prefix = intentionally kept for RAII cleanup)
-    let _pid_file = if daemon_opts.daemonize || daemon_opts.pid_file.is_some() {
-        let mut pf = PidFile::new(daemon_opts.pid_file_path());
-        if let Err(e) = pf.acquire() {
-            eprintln!("[telemt] {}", e);
-            std::process::exit(1);
-        }
-        Some(pf)
-    } else {
-        None
-    };
-
     let process_started_at = Instant::now();
     let process_started_at_epoch_secs = SystemTime::now()
         .duration_since(UNIX_EPOCH)
@@ -110,13 +61,7 @@ async fn run_inner(
             Some("load and validate config".to_string()),
         )
         .await;
-    let cli_args = parse_cli();
+    let (config_path_cli, data_path, cli_silent, cli_log_level) = parse_cli();
-    let config_path_cli = cli_args.config_path;
-    let config_path_explicit = cli_args.config_path_explicit;
-    let data_path = cli_args.data_path;
-    let cli_silent = cli_args.silent;
-    let cli_log_level = cli_args.log_level;
-    let log_destination = cli_args.log_destination;
     let startup_cwd = match std::env::current_dir() {
         Ok(cwd) => cwd,
         Err(e) => {
@@ -124,8 +69,7 @@ async fn run_inner(
             std::process::exit(1);
         }
     };
-    let mut config_path =
+    let config_path = resolve_runtime_config_path(&config_path_cli, &startup_cwd);
-        resolve_runtime_config_path(&config_path_cli, &startup_cwd, config_path_explicit);
 
     let mut config = match ProxyConfig::load(&config_path) {
         Ok(c) => c,
@@ -135,99 +79,11 @@ async fn run_inner(
                 std::process::exit(1);
             } else {
                 let default = ProxyConfig::default();
-
+                std::fs::write(&config_path, toml::to_string_pretty(&default).unwrap()).unwrap();
-                let serialized =
+                eprintln!(
-                    match toml::to_string_pretty(&default).or_else(|_| toml::to_string(&default)) {
+                    "[telemt] Created default config at {}",
-                        Ok(value) => Some(value),
+                    config_path.display()
-                        Err(serialize_error) => {
+                );
-                            eprintln!(
-                                "[telemt] Warning: failed to serialize default config: {}",
-                                serialize_error
-                            );
-                            None
-                        }
-                    };
-
-                if config_path_explicit {
-                    if let Some(serialized) = serialized.as_ref() {
-                        if let Err(write_error) = std::fs::write(&config_path, serialized) {
-                            eprintln!(
-                                "[telemt] Error: failed to create explicit config at {}: {}",
-                                config_path.display(),
-                                write_error
-                            );
-                            std::process::exit(1);
-                        }
-                        eprintln!(
-                            "[telemt] Created default config at {}",
-                            config_path.display()
-                        );
-                    } else {
-                        eprintln!(
-                            "[telemt] Warning: running with in-memory default config without writing to disk"
-                        );
-                    }
-                } else {
-                    let system_dir = std::path::Path::new("/etc/telemt");
-                    let system_config_path = system_dir.join("telemt.toml");
-                    let startup_config_path = startup_cwd.join("config.toml");
-                    let mut persisted = false;
-
-                    if let Some(serialized) = serialized.as_ref() {
-                        match std::fs::create_dir_all(system_dir) {
-                            Ok(()) => match std::fs::write(&system_config_path, serialized) {
-                                Ok(()) => {
-                                    config_path = system_config_path;
-                                    eprintln!(
-                                        "[telemt] Created default config at {}",
-                                        config_path.display()
-                                    );
-                                    persisted = true;
-                                }
-                                Err(write_error) => {
-                                    eprintln!(
-                                        "[telemt] Warning: failed to write default config at {}: {}",
-                                        system_config_path.display(),
-                                        write_error
-                                    );
-                                }
-                            },
-                            Err(create_error) => {
-                                eprintln!(
-                                    "[telemt] Warning: failed to create {}: {}",
-                                    system_dir.display(),
-                                    create_error
-                                );
-                            }
-                        }
-
-                        if !persisted {
-                            match std::fs::write(&startup_config_path, serialized) {
-                                Ok(()) => {
-                                    config_path = startup_config_path;
-                                    eprintln!(
-                                        "[telemt] Created default config at {}",
-                                        config_path.display()
-                                    );
-                                    persisted = true;
-                                }
-                                Err(write_error) => {
-                                    eprintln!(
-                                        "[telemt] Warning: failed to write default config at {}: {}",
-                                        startup_config_path.display(),
-                                        write_error
-                                    );
-                                }
-                            }
-                        }
-                    }
-
-                    if !persisted {
-                        eprintln!(
-                            "[telemt] Warning: running with in-memory default config without writing to disk"
-                        );
-                    }
-                }
                 default
             }
         }
@@ -303,43 +159,17 @@ async fn run_inner(
         )
         .await;
 
-    // Initialize logging based on destination
+    // Configure color output based on config
-    let _logging_guard: Option<crate::logging::LoggingGuard>;
+    let fmt_layer = if config.general.disable_colors {
-    match log_destination {
+        fmt::Layer::default().with_ansi(false)
-        crate::logging::LogDestination::Stderr => {
+    } else {
-            // Default: log to stderr (works with systemd journald)
+        fmt::Layer::default().with_ansi(true)
-            let fmt_layer = if config.general.disable_colors {
+    };
-                fmt::Layer::default().with_ansi(false)
-            } else {
-                fmt::Layer::default().with_ansi(true)
-            };
-            tracing_subscriber::registry()
-                .with(filter_layer)
-                .with(fmt_layer)
-                .init();
-            _logging_guard = None;
-        }
-        #[cfg(unix)]
-        crate::logging::LogDestination::Syslog => {
-            // Syslog: for OpenRC/FreeBSD
-            let logging_opts = crate::logging::LoggingOptions {
-                destination: log_destination,
-                disable_colors: true,
-            };
-            let (_, guard) = crate::logging::init_logging(&logging_opts, "info");
-            _logging_guard = Some(guard);
-        }
-        crate::logging::LogDestination::File { .. } => {
-            // File logging with optional rotation
-            let logging_opts = crate::logging::LoggingOptions {
-                destination: log_destination,
-                disable_colors: true,
-            };
-            let (_, guard) = crate::logging::init_logging(&logging_opts, "info");
-            _logging_guard = Some(guard);
-        }
-    }
 
+    tracing_subscriber::registry()
+        .with(filter_layer)
+        .with(fmt_layer)
+        .init();
     startup_tracker
         .complete_component(
             COMPONENT_TRACING_INIT,
@@ -393,7 +223,6 @@ async fn run_inner(
         config.general.upstream_connect_retry_attempts,
         config.general.upstream_connect_retry_backoff_ms,
         config.general.upstream_connect_budget_ms,
-        config.general.tg_connect,
         config.general.upstream_unhealthy_fail_threshold,
         config.general.upstream_connect_failfast_hard_errors,
         stats.clone(),
@@ -723,12 +552,6 @@ async fn run_inner(
     )
     .await;
     let _admission_tx_hold = admission_tx;
-    let shared_state = ProxySharedState::new();
-    conntrack_control::spawn_conntrack_controller(
-        config_rx.clone(),
-        stats.clone(),
-        shared_state.clone(),
-    );
 
     let bound = listeners::bind_listeners(
         &config,
@@ -749,7 +572,6 @@ async fn run_inner(
         tls_cache.clone(),
         ip_tracker.clone(),
         beobachten.clone(),
-        shared_state.clone(),
         max_connections.clone(),
     )
     .await?;
@@ -761,18 +583,6 @@ async fn run_inner(
         std::process::exit(1);
     }
 
-    // Drop privileges after binding sockets (which may require root for port < 1024)
-    if daemon_opts.user.is_some() || daemon_opts.group.is_some() {
-        if let Err(e) = drop_privileges(
-            daemon_opts.user.as_deref(),
-            daemon_opts.group.as_deref(),
-            _pid_file.as_ref(),
-        ) {
-            error!(error = %e, "Failed to drop privileges");
-            std::process::exit(1);
-        }
-    }
-
     runtime_tasks::apply_runtime_log_filter(
         has_rust_log,
         &effective_log_level,
@@ -786,7 +596,6 @@ async fn run_inner(
         &startup_tracker,
         stats.clone(),
         beobachten.clone(),
-        shared_state.clone(),
         ip_tracker.clone(),
         config_rx.clone(),
     )
@@ -794,9 +603,6 @@ async fn run_inner(
 
     runtime_tasks::mark_runtime_ready(&startup_tracker).await;
 
-    // Spawn signal handlers for SIGUSR1/SIGUSR2 (non-shutdown signals)
-    shutdown::spawn_signal_handlers(stats.clone(), process_started_at);
-
     listeners::spawn_tcp_accept_loops(
         listeners,
         config_rx.clone(),
@@ -811,11 +617,10 @@ async fn run_inner(
         tls_cache.clone(),
         ip_tracker.clone(),
         beobachten.clone(),
-        shared_state,
         max_connections.clone(),
     );
 
-    shutdown::wait_for_shutdown(process_started_at, me_pool, stats).await;
+    shutdown::wait_for_shutdown(process_started_at, me_pool).await;
 
     Ok(())
 }

src/maestro/runtime_tasks.rs

@@ -13,7 +13,6 @@ use crate::crypto::SecureRandom;
 use crate::ip_tracker::UserIpTracker;
 use crate::metrics;
 use crate::network::probe::NetworkProbe;
-use crate::proxy::shared_state::ProxySharedState;
 use crate::startup::{
     COMPONENT_CONFIG_WATCHER_START, COMPONENT_METRICS_START, COMPONENT_RUNTIME_READY,
     StartupTracker,
@@ -288,7 +287,6 @@ pub(crate) async fn spawn_metrics_if_configured(
     startup_tracker: &Arc<StartupTracker>,
     stats: Arc<Stats>,
     beobachten: Arc<BeobachtenStore>,
-    shared_state: Arc<ProxySharedState>,
     ip_tracker: Arc<UserIpTracker>,
     config_rx: watch::Receiver<Arc<ProxyConfig>>,
 ) {
@@ -322,19 +320,15 @@ pub(crate) async fn spawn_metrics_if_configured(
             .await;
         let stats = stats.clone();
         let beobachten = beobachten.clone();
-        let shared_state = shared_state.clone();
         let config_rx_metrics = config_rx.clone();
         let ip_tracker_metrics = ip_tracker.clone();
         let whitelist = config.server.metrics_whitelist.clone();
-        let listen_backlog = config.server.listen_backlog;
         tokio::spawn(async move {
             metrics::serve(
                 port,
                 listen,
-                listen_backlog,
                 stats,
                 beobachten,
-                shared_state,
                 ip_tracker_metrics,
                 config_rx_metrics,
                 whitelist,

src/maestro/shutdown.rs

@@ -1,206 +1,45 @@
-//! Shutdown and signal handling for telemt.
-//!
-//! Handles graceful shutdown on various signals:
-//! - SIGINT (Ctrl+C) / SIGTERM: Graceful shutdown
-//! - SIGQUIT: Graceful shutdown with stats dump
-//! - SIGUSR1: Reserved for log rotation (logs acknowledgment)
-//! - SIGUSR2: Dump runtime status to log
-//!
-//! SIGHUP is handled separately in config/hot_reload.rs for config reload.
-
 use std::sync::Arc;
 use std::time::{Duration, Instant};
 
-#[cfg(not(unix))]
 use tokio::signal;
-#[cfg(unix)]
+use tracing::{error, info, warn};
-use tokio::signal::unix::{SignalKind, signal};
-use tracing::{info, warn};
 
-use crate::stats::Stats;
 use crate::transport::middle_proxy::MePool;
 
 use super::helpers::{format_uptime, unit_label};
 
-/// Signal that triggered shutdown.
+pub(crate) async fn wait_for_shutdown(process_started_at: Instant, me_pool: Option<Arc<MePool>>) {
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+    match signal::ctrl_c().await {
-pub enum ShutdownSignal {
+        Ok(()) => {
-    /// SIGINT (Ctrl+C)
+            let shutdown_started_at = Instant::now();
-    Interrupt,
+            info!("Shutting down...");
-    /// SIGTERM
+            let uptime_secs = process_started_at.elapsed().as_secs();
-    Terminate,
+            info!("Uptime: {}", format_uptime(uptime_secs));
-    /// SIGQUIT (with stats dump)
+            if let Some(pool) = &me_pool {
-    Quit,
+                match tokio::time::timeout(
-}
+                    Duration::from_secs(2),
-
+                    pool.shutdown_send_close_conn_all(),
-impl std::fmt::Display for ShutdownSignal {
+                )
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+                .await
-        match self {
+                {
-            ShutdownSignal::Interrupt => write!(f, "SIGINT"),
+                    Ok(total) => {
-            ShutdownSignal::Terminate => write!(f, "SIGTERM"),
+                        info!(
-            ShutdownSignal::Quit => write!(f, "SIGQUIT"),
+                            close_conn_sent = total,
-        }
+                            "ME shutdown: RPC_CLOSE_CONN broadcast completed"
-    }
+                        );
-}
+                    }
-
+                    Err(_) => {
-/// Waits for a shutdown signal and performs graceful shutdown.
+                        warn!("ME shutdown: RPC_CLOSE_CONN broadcast timed out");
-pub(crate) async fn wait_for_shutdown(
+                    }
-    process_started_at: Instant,
-    me_pool: Option<Arc<MePool>>,
-    stats: Arc<Stats>,
-) {
-    let signal = wait_for_shutdown_signal().await;
-    perform_shutdown(signal, process_started_at, me_pool, &stats).await;
-}
-
-/// Waits for any shutdown signal (SIGINT, SIGTERM, SIGQUIT).
-#[cfg(unix)]
-async fn wait_for_shutdown_signal() -> ShutdownSignal {
-    let mut sigint = signal(SignalKind::interrupt()).expect("Failed to register SIGINT handler");
-    let mut sigterm = signal(SignalKind::terminate()).expect("Failed to register SIGTERM handler");
-    let mut sigquit = signal(SignalKind::quit()).expect("Failed to register SIGQUIT handler");
-
-    tokio::select! {
-        _ = sigint.recv() => ShutdownSignal::Interrupt,
-        _ = sigterm.recv() => ShutdownSignal::Terminate,
-        _ = sigquit.recv() => ShutdownSignal::Quit,
-    }
-}
-
-#[cfg(not(unix))]
-async fn wait_for_shutdown_signal() -> ShutdownSignal {
-    signal::ctrl_c().await.expect("Failed to listen for Ctrl+C");
-    ShutdownSignal::Interrupt
-}
-
-/// Performs graceful shutdown sequence.
-async fn perform_shutdown(
-    signal: ShutdownSignal,
-    process_started_at: Instant,
-    me_pool: Option<Arc<MePool>>,
-    stats: &Stats,
-) {
-    let shutdown_started_at = Instant::now();
-    info!(signal = %signal, "Received shutdown signal");
-
-    // Dump stats if SIGQUIT
-    if signal == ShutdownSignal::Quit {
-        dump_stats(stats, process_started_at);
-    }
-
-    info!("Shutting down...");
-    let uptime_secs = process_started_at.elapsed().as_secs();
-    info!("Uptime: {}", format_uptime(uptime_secs));
-
-    // Graceful ME pool shutdown
-    if let Some(pool) = &me_pool {
-        match tokio::time::timeout(Duration::from_secs(2), pool.shutdown_send_close_conn_all())
-            .await
-        {
-            Ok(total) => {
-                info!(
-                    close_conn_sent = total,
-                    "ME shutdown: RPC_CLOSE_CONN broadcast completed"
-                );
-            }
-            Err(_) => {
-                warn!("ME shutdown: RPC_CLOSE_CONN broadcast timed out");
-            }
-        }
-    }
-
-    let shutdown_secs = shutdown_started_at.elapsed().as_secs();
-    info!(
-        "Shutdown completed successfully in {} {}.",
-        shutdown_secs,
-        unit_label(shutdown_secs, "second", "seconds")
-    );
-}
-
-/// Dumps runtime statistics to the log.
-fn dump_stats(stats: &Stats, process_started_at: Instant) {
-    let uptime_secs = process_started_at.elapsed().as_secs();
-
-    info!("=== Runtime Statistics Dump ===");
-    info!("Uptime: {}", format_uptime(uptime_secs));
-
-    // Connection stats
-    info!(
-        "Connections: total={}, current={} (direct={}, me={}), bad={}",
-        stats.get_connects_all(),
-        stats.get_current_connections_total(),
-        stats.get_current_connections_direct(),
-        stats.get_current_connections_me(),
-        stats.get_connects_bad(),
-    );
-
-    // ME pool stats
-    info!(
-        "ME keepalive: sent={}, pong={}, failed={}, timeout={}",
-        stats.get_me_keepalive_sent(),
-        stats.get_me_keepalive_pong(),
-        stats.get_me_keepalive_failed(),
-        stats.get_me_keepalive_timeout(),
-    );
-
-    // Relay stats
-    info!(
-        "Relay idle: soft_mark={}, hard_close={}, pressure_evict={}",
-        stats.get_relay_idle_soft_mark_total(),
-        stats.get_relay_idle_hard_close_total(),
-        stats.get_relay_pressure_evict_total(),
-    );
-
-    info!("=== End Statistics Dump ===");
-}
-
-/// Spawns a background task to handle operational signals (SIGUSR1, SIGUSR2).
-///
-/// These signals don't trigger shutdown but perform specific actions:
-/// - SIGUSR1: Log rotation acknowledgment (for external log rotation tools)
-/// - SIGUSR2: Dump runtime status to log
-#[cfg(unix)]
-pub(crate) fn spawn_signal_handlers(stats: Arc<Stats>, process_started_at: Instant) {
-    tokio::spawn(async move {
-        let mut sigusr1 =
-            signal(SignalKind::user_defined1()).expect("Failed to register SIGUSR1 handler");
-        let mut sigusr2 =
-            signal(SignalKind::user_defined2()).expect("Failed to register SIGUSR2 handler");
-
-        loop {
-            tokio::select! {
-                _ = sigusr1.recv() => {
-                    handle_sigusr1();
-                }
-                _ = sigusr2.recv() => {
-                    handle_sigusr2(&stats, process_started_at);
                 }
             }
+            let shutdown_secs = shutdown_started_at.elapsed().as_secs();
+            info!(
+                "Shutdown completed successfully in {} {}.",
+                shutdown_secs,
+                unit_label(shutdown_secs, "second", "seconds")
+            );
         }
-    });
+        Err(e) => error!("Signal error: {}", e),
-}
+    }
-
-/// No-op on non-Unix platforms.
-#[cfg(not(unix))]
-pub(crate) fn spawn_signal_handlers(_stats: Arc<Stats>, _process_started_at: Instant) {
-    // No SIGUSR1/SIGUSR2 on non-Unix
-}
-
-/// Handles SIGUSR1 - log rotation signal.
-///
-/// This signal is typically sent by logrotate or similar tools after
-/// rotating log files. Since tracing-subscriber doesn't natively support
-/// reopening files, we just acknowledge the signal. If file logging is
-/// added in the future, this would reopen log file handles.
-#[cfg(unix)]
-fn handle_sigusr1() {
-    info!("SIGUSR1 received - log rotation acknowledged");
-    // Future: If using file-based logging, reopen file handles here
-}
-
-/// Handles SIGUSR2 - dump runtime status.
-#[cfg(unix)]
-fn handle_sigusr2(stats: &Stats, process_started_at: Instant) {
-    info!("SIGUSR2 received - dumping runtime status");
-    dump_stats(stats, process_started_at);
 }

src/main.rs

@@ -3,10 +3,7 @@
 mod api;
 mod cli;
 mod config;
-mod conntrack_control;
 mod crypto;
-#[cfg(unix)]
-mod daemon;
 mod error;
 mod ip_tracker;
 #[cfg(test)]
@@ -18,13 +15,11 @@ mod ip_tracker_hotpath_adversarial_tests;
 #[cfg(test)]
 #[path = "tests/ip_tracker_regression_tests.rs"]
 mod ip_tracker_regression_tests;
-mod logging;
 mod maestro;
 mod metrics;
 mod network;
 mod protocol;
 mod proxy;
-mod service;
 mod startup;
 mod stats;
 mod stream;
@@ -32,49 +27,8 @@ mod tls_front;
 mod transport;
 mod util;
 
-fn main() -> std::result::Result<(), Box<dyn std::error::Error>> {
+#[tokio::main]
-    // Install rustls crypto provider early
+async fn main() -> std::result::Result<(), Box<dyn std::error::Error>> {
     let _ = rustls::crypto::ring::default_provider().install_default();
-
+    maestro::run().await
-    let args: Vec<String> = std::env::args().skip(1).collect();
-    let cmd = cli::parse_command(&args);
-
-    // Handle subcommands that don't need the server (stop, reload, status, init)
-    if let Some(exit_code) = cli::execute_subcommand(&cmd) {
-        std::process::exit(exit_code);
-    }
-
-    #[cfg(unix)]
-    {
-        let daemon_opts = cmd.daemon_opts;
-
-        // Daemonize BEFORE runtime
-        if daemon_opts.should_daemonize() {
-            match daemon::daemonize(daemon_opts.working_dir.as_deref()) {
-                Ok(daemon::DaemonizeResult::Parent) => {
-                    std::process::exit(0);
-                }
-                Ok(daemon::DaemonizeResult::Child) => {
-                    // continue
-                }
-                Err(e) => {
-                    eprintln!("[telemt] Daemonization failed: {}", e);
-                    std::process::exit(1);
-                }
-            }
-        }
-
-        tokio::runtime::Builder::new_multi_thread()
-            .enable_all()
-            .build()?
-            .block_on(maestro::run_with_daemon(daemon_opts))
-    }
-
-    #[cfg(not(unix))]
-    {
-        tokio::runtime::Builder::new_multi_thread()
-            .enable_all()
-            .build()?
-            .block_on(maestro::run())
-    }
 }

src/metrics.rs

@@ -15,7 +15,6 @@ use tracing::{debug, info, warn};
 
 use crate::config::ProxyConfig;
 use crate::ip_tracker::UserIpTracker;
-use crate::proxy::shared_state::ProxySharedState;
 use crate::stats::Stats;
 use crate::stats::beobachten::BeobachtenStore;
 use crate::transport::{ListenOptions, create_listener};
@@ -23,10 +22,8 @@ use crate::transport::{ListenOptions, create_listener};
 pub async fn serve(
     port: u16,
     listen: Option<String>,
-    listen_backlog: u32,
     stats: Arc<Stats>,
     beobachten: Arc<BeobachtenStore>,
-    shared_state: Arc<ProxySharedState>,
     ip_tracker: Arc<UserIpTracker>,
     config_rx: tokio::sync::watch::Receiver<Arc<ProxyConfig>>,
     whitelist: Vec<IpNetwork>,
@@ -43,17 +40,11 @@ pub async fn serve(
             }
         };
         let is_ipv6 = addr.is_ipv6();
-        match bind_metrics_listener(addr, is_ipv6, listen_backlog) {
+        match bind_metrics_listener(addr, is_ipv6) {
             Ok(listener) => {
                 info!("Metrics endpoint: http://{}/metrics and /beobachten", addr);
                 serve_listener(
-                    listener,
+                    listener, stats, beobachten, ip_tracker, config_rx, whitelist,
-                    stats,
-                    beobachten,
-                    shared_state,
-                    ip_tracker,
-                    config_rx,
-                    whitelist,
                 )
                 .await;
             }
@@ -69,7 +60,7 @@ pub async fn serve(
     let mut listener_v6 = None;
 
     let addr_v4 = SocketAddr::from(([0, 0, 0, 0], port));
-    match bind_metrics_listener(addr_v4, false, listen_backlog) {
+    match bind_metrics_listener(addr_v4, false) {
         Ok(listener) => {
             info!(
                 "Metrics endpoint: http://{}/metrics and /beobachten",
@@ -83,7 +74,7 @@ pub async fn serve(
     }
 
     let addr_v6 = SocketAddr::from(([0, 0, 0, 0, 0, 0, 0, 0], port));
-    match bind_metrics_listener(addr_v6, true, listen_backlog) {
+    match bind_metrics_listener(addr_v6, true) {
         Ok(listener) => {
             info!(
                 "Metrics endpoint: http://[::]:{}/metrics and /beobachten",
@@ -102,20 +93,13 @@ pub async fn serve(
         }
         (Some(listener), None) | (None, Some(listener)) => {
             serve_listener(
-                listener,
+                listener, stats, beobachten, ip_tracker, config_rx, whitelist,
-                stats,
-                beobachten,
-                shared_state,
-                ip_tracker,
-                config_rx,
-                whitelist,
             )
             .await;
         }
         (Some(listener4), Some(listener6)) => {
             let stats_v6 = stats.clone();
             let beobachten_v6 = beobachten.clone();
-            let shared_state_v6 = shared_state.clone();
             let ip_tracker_v6 = ip_tracker.clone();
             let config_rx_v6 = config_rx.clone();
             let whitelist_v6 = whitelist.clone();
@@ -124,7 +108,6 @@ pub async fn serve(
                     listener6,
                     stats_v6,
                     beobachten_v6,
-                    shared_state_v6,
                     ip_tracker_v6,
                     config_rx_v6,
                     whitelist_v6,
@@ -132,28 +115,17 @@ pub async fn serve(
                 .await;
             });
             serve_listener(
-                listener4,
+                listener4, stats, beobachten, ip_tracker, config_rx, whitelist,
-                stats,
-                beobachten,
-                shared_state,
-                ip_tracker,
-                config_rx,
-                whitelist,
             )
             .await;
         }
     }
 }
 
-fn bind_metrics_listener(
+fn bind_metrics_listener(addr: SocketAddr, ipv6_only: bool) -> std::io::Result<TcpListener> {
-    addr: SocketAddr,
-    ipv6_only: bool,
-    listen_backlog: u32,
-) -> std::io::Result<TcpListener> {
     let options = ListenOptions {
         reuse_port: false,
         ipv6_only,
-        backlog: listen_backlog,
         ..Default::default()
     };
     let socket = create_listener(addr, &options)?;
@@ -164,7 +136,6 @@ async fn serve_listener(
     listener: TcpListener,
     stats: Arc<Stats>,
     beobachten: Arc<BeobachtenStore>,
-    shared_state: Arc<ProxySharedState>,
     ip_tracker: Arc<UserIpTracker>,
     config_rx: tokio::sync::watch::Receiver<Arc<ProxyConfig>>,
     whitelist: Arc<Vec<IpNetwork>>,
@@ -185,27 +156,15 @@ async fn serve_listener(
 
         let stats = stats.clone();
         let beobachten = beobachten.clone();
-        let shared_state = shared_state.clone();
         let ip_tracker = ip_tracker.clone();
         let config_rx_conn = config_rx.clone();
         tokio::spawn(async move {
             let svc = service_fn(move |req| {
                 let stats = stats.clone();
                 let beobachten = beobachten.clone();
-                let shared_state = shared_state.clone();
                 let ip_tracker = ip_tracker.clone();
                 let config = config_rx_conn.borrow().clone();
-                async move {
+                async move { handle(req, &stats, &beobachten, &ip_tracker, &config).await }
-                    handle(
-                        req,
-                        &stats,
-                        &beobachten,
-                        &shared_state,
-                        &ip_tracker,
-                        &config,
-                    )
-                    .await
-                }
             });
             if let Err(e) = http1::Builder::new()
                 .serve_connection(hyper_util::rt::TokioIo::new(stream), svc)
@@ -221,12 +180,11 @@ async fn handle<B>(
     req: Request<B>,
     stats: &Stats,
     beobachten: &BeobachtenStore,
-    shared_state: &ProxySharedState,
     ip_tracker: &UserIpTracker,
     config: &ProxyConfig,
 ) -> Result<Response<Full<Bytes>>, Infallible> {
     if req.uri().path() == "/metrics" {
-        let body = render_metrics(stats, shared_state, config, ip_tracker).await;
+        let body = render_metrics(stats, config, ip_tracker).await;
         let resp = Response::builder()
             .status(StatusCode::OK)
             .header("content-type", "text/plain; version=0.0.4; charset=utf-8")
@@ -261,12 +219,7 @@ fn render_beobachten(beobachten: &BeobachtenStore, config: &ProxyConfig) -> Stri
     beobachten.snapshot_text(ttl)
 }
 
-async fn render_metrics(
+async fn render_metrics(stats: &Stats, config: &ProxyConfig, ip_tracker: &UserIpTracker) -> String {
-    stats: &Stats,
-    shared_state: &ProxySharedState,
-    config: &ProxyConfig,
-    ip_tracker: &UserIpTracker,
-) -> String {
     use std::fmt::Write;
     let mut out = String::with_capacity(4096);
     let telemetry = stats.telemetry_policy();
@@ -275,17 +228,6 @@ async fn render_metrics(
     let me_allows_normal = telemetry.me_level.allows_normal();
     let me_allows_debug = telemetry.me_level.allows_debug();
 
-    let _ = writeln!(
-        out,
-        "# HELP telemt_build_info Build information for the running telemt binary"
-    );
-    let _ = writeln!(out, "# TYPE telemt_build_info gauge");
-    let _ = writeln!(
-        out,
-        "telemt_build_info{{version=\"{}\"}} 1",
-        env!("CARGO_PKG_VERSION")
-    );
-
     let _ = writeln!(out, "# HELP telemt_uptime_seconds Proxy uptime");
     let _ = writeln!(out, "# TYPE telemt_uptime_seconds gauge");
     let _ = writeln!(out, "telemt_uptime_seconds {:.1}", stats.uptime_secs());
@@ -345,27 +287,6 @@ async fn render_metrics(
         }
     );
 
-    let _ = writeln!(
-        out,
-        "# HELP telemt_buffer_pool_buffers_total Snapshot of pooled and allocated buffers"
-    );
-    let _ = writeln!(out, "# TYPE telemt_buffer_pool_buffers_total gauge");
-    let _ = writeln!(
-        out,
-        "telemt_buffer_pool_buffers_total{{kind=\"pooled\"}} {}",
-        stats.get_buffer_pool_pooled_gauge()
-    );
-    let _ = writeln!(
-        out,
-        "telemt_buffer_pool_buffers_total{{kind=\"allocated\"}} {}",
-        stats.get_buffer_pool_allocated_gauge()
-    );
-    let _ = writeln!(
-        out,
-        "telemt_buffer_pool_buffers_total{{kind=\"in_use\"}} {}",
-        stats.get_buffer_pool_in_use_gauge()
-    );
-
     let _ = writeln!(
         out,
         "# HELP telemt_connections_total Total accepted connections"
@@ -411,170 +332,6 @@ async fn render_metrics(
         }
     );
 
-    let _ = writeln!(
-        out,
-        "# HELP telemt_auth_expensive_checks_total Expensive authentication candidate checks executed during handshake validation"
-    );
-    let _ = writeln!(out, "# TYPE telemt_auth_expensive_checks_total counter");
-    let _ = writeln!(
-        out,
-        "telemt_auth_expensive_checks_total {}",
-        if core_enabled {
-            shared_state
-                .handshake
-                .auth_expensive_checks_total
-                .load(std::sync::atomic::Ordering::Relaxed)
-        } else {
-            0
-        }
-    );
-
-    let _ = writeln!(
-        out,
-        "# HELP telemt_auth_budget_exhausted_total Handshake validations that hit authentication candidate budget limits"
-    );
-    let _ = writeln!(out, "# TYPE telemt_auth_budget_exhausted_total counter");
-    let _ = writeln!(
-        out,
-        "telemt_auth_budget_exhausted_total {}",
-        if core_enabled {
-            shared_state
-                .handshake
-                .auth_budget_exhausted_total
-                .load(std::sync::atomic::Ordering::Relaxed)
-        } else {
-            0
-        }
-    );
-
-    let _ = writeln!(
-        out,
-        "# HELP telemt_accept_permit_timeout_total Accepted connections dropped due to permit wait timeout"
-    );
-    let _ = writeln!(out, "# TYPE telemt_accept_permit_timeout_total counter");
-    let _ = writeln!(
-        out,
-        "telemt_accept_permit_timeout_total {}",
-        if core_enabled {
-            stats.get_accept_permit_timeout_total()
-        } else {
-            0
-        }
-    );
-
-    let _ = writeln!(
-        out,
-        "# HELP telemt_conntrack_control_state Runtime conntrack control state flags"
-    );
-    let _ = writeln!(out, "# TYPE telemt_conntrack_control_state gauge");
-    let _ = writeln!(
-        out,
-        "telemt_conntrack_control_state{{flag=\"enabled\"}} {}",
-        if stats.get_conntrack_control_enabled() {
-            1
-        } else {
-            0
-        }
-    );
-    let _ = writeln!(
-        out,
-        "telemt_conntrack_control_state{{flag=\"available\"}} {}",
-        if stats.get_conntrack_control_available() {
-            1
-        } else {
-            0
-        }
-    );
-    let _ = writeln!(
-        out,
-        "telemt_conntrack_control_state{{flag=\"pressure_active\"}} {}",
-        if stats.get_conntrack_pressure_active() {
-            1
-        } else {
-            0
-        }
-    );
-    let _ = writeln!(
-        out,
-        "telemt_conntrack_control_state{{flag=\"rule_apply_ok\"}} {}",
-        if stats.get_conntrack_rule_apply_ok() {
-            1
-        } else {
-            0
-        }
-    );
-
-    let _ = writeln!(
-        out,
-        "# HELP telemt_conntrack_event_queue_depth Pending close events in conntrack control queue"
-    );
-    let _ = writeln!(out, "# TYPE telemt_conntrack_event_queue_depth gauge");
-    let _ = writeln!(
-        out,
-        "telemt_conntrack_event_queue_depth {}",
-        stats.get_conntrack_event_queue_depth()
-    );
-
-    let _ = writeln!(
-        out,
-        "# HELP telemt_conntrack_delete_total Conntrack delete attempts by outcome"
-    );
-    let _ = writeln!(out, "# TYPE telemt_conntrack_delete_total counter");
-    let _ = writeln!(
-        out,
-        "telemt_conntrack_delete_total{{result=\"attempt\"}} {}",
-        if core_enabled {
-            stats.get_conntrack_delete_attempt_total()
-        } else {
-            0
-        }
-    );
-    let _ = writeln!(
-        out,
-        "telemt_conntrack_delete_total{{result=\"success\"}} {}",
-        if core_enabled {
-            stats.get_conntrack_delete_success_total()
-        } else {
-            0
-        }
-    );
-    let _ = writeln!(
-        out,
-        "telemt_conntrack_delete_total{{result=\"not_found\"}} {}",
-        if core_enabled {
-            stats.get_conntrack_delete_not_found_total()
-        } else {
-            0
-        }
-    );
-    let _ = writeln!(
-        out,
-        "telemt_conntrack_delete_total{{result=\"error\"}} {}",
-        if core_enabled {
-            stats.get_conntrack_delete_error_total()
-        } else {
-            0
-        }
-    );
-
-    let _ = writeln!(
-        out,
-        "# HELP telemt_conntrack_close_event_drop_total Dropped conntrack close events due to queue pressure or unavailable sender"
-    );
-    let _ = writeln!(
-        out,
-        "# TYPE telemt_conntrack_close_event_drop_total counter"
-    );
-    let _ = writeln!(
-        out,
-        "telemt_conntrack_close_event_drop_total {}",
-        if core_enabled {
-            stats.get_conntrack_close_event_drop_total()
-        } else {
-            0
-        }
-    );
-
     let _ = writeln!(
         out,
         "# HELP telemt_upstream_connect_attempt_total Upstream connect attempts across all requests"
@@ -1178,39 +935,6 @@ async fn render_metrics(
         }
     );
 
-    let _ = writeln!(
-        out,
-        "# HELP telemt_me_c2me_enqueue_events_total ME client->ME enqueue outcomes"
-    );
-    let _ = writeln!(out, "# TYPE telemt_me_c2me_enqueue_events_total counter");
-    let _ = writeln!(
-        out,
-        "telemt_me_c2me_enqueue_events_total{{event=\"full\"}} {}",
-        if me_allows_normal {
-            stats.get_me_c2me_send_full_total()
-        } else {
-            0
-        }
-    );
-    let _ = writeln!(
-        out,
-        "telemt_me_c2me_enqueue_events_total{{event=\"high_water\"}} {}",
-        if me_allows_normal {
-            stats.get_me_c2me_send_high_water_total()
-        } else {
-            0
-        }
-    );
-    let _ = writeln!(
-        out,
-        "telemt_me_c2me_enqueue_events_total{{event=\"timeout\"}} {}",
-        if me_allows_normal {
-            stats.get_me_c2me_send_timeout_total()
-        } else {
-            0
-        }
-    );
-
     let _ = writeln!(
         out,
         "# HELP telemt_me_d2c_batches_total Total DC->Client flush batches"
@@ -2760,48 +2484,6 @@ async fn render_metrics(
         if user_enabled { 0 } else { 1 }
     );
 
-    let ip_memory = ip_tracker.memory_stats().await;
-    let _ = writeln!(
-        out,
-        "# HELP telemt_ip_tracker_users Number of users tracked by IP limiter state"
-    );
-    let _ = writeln!(out, "# TYPE telemt_ip_tracker_users gauge");
-    let _ = writeln!(
-        out,
-        "telemt_ip_tracker_users{{scope=\"active\"}} {}",
-        ip_memory.active_users
-    );
-    let _ = writeln!(
-        out,
-        "telemt_ip_tracker_users{{scope=\"recent\"}} {}",
-        ip_memory.recent_users
-    );
-    let _ = writeln!(
-        out,
-        "# HELP telemt_ip_tracker_entries Number of IP entries tracked by limiter state"
-    );
-    let _ = writeln!(out, "# TYPE telemt_ip_tracker_entries gauge");
-    let _ = writeln!(
-        out,
-        "telemt_ip_tracker_entries{{scope=\"active\"}} {}",
-        ip_memory.active_entries
-    );
-    let _ = writeln!(
-        out,
-        "telemt_ip_tracker_entries{{scope=\"recent\"}} {}",
-        ip_memory.recent_entries
-    );
-    let _ = writeln!(
-        out,
-        "# HELP telemt_ip_tracker_cleanup_queue_len Deferred disconnect cleanup queue length"
-    );
-    let _ = writeln!(out, "# TYPE telemt_ip_tracker_cleanup_queue_len gauge");
-    let _ = writeln!(
-        out,
-        "telemt_ip_tracker_cleanup_queue_len {}",
-        ip_memory.cleanup_queue_len
-    );
-
     if user_enabled {
         for entry in stats.iter_user_stats() {
             let user = entry.key();
@@ -2935,7 +2617,6 @@ mod tests {
     #[tokio::test]
     async fn test_render_metrics_format() {
         let stats = Arc::new(Stats::new());
-        let shared_state = ProxySharedState::new();
         let tracker = UserIpTracker::new();
         let mut config = ProxyConfig::default();
         config
@@ -2947,14 +2628,6 @@ mod tests {
         stats.increment_connects_all();
         stats.increment_connects_bad();
         stats.increment_handshake_timeouts();
-        shared_state
-            .handshake
-            .auth_expensive_checks_total
-            .fetch_add(9, std::sync::atomic::Ordering::Relaxed);
-        shared_state
-            .handshake
-            .auth_budget_exhausted_total
-            .fetch_add(2, std::sync::atomic::Ordering::Relaxed);
         stats.increment_upstream_connect_attempt_total();
         stats.increment_upstream_connect_attempt_total();
         stats.increment_upstream_connect_success_total();
@@ -2998,17 +2671,11 @@ mod tests {
             .await
             .unwrap();
 
-        let output = render_metrics(&stats, shared_state.as_ref(), &config, &tracker).await;
+        let output = render_metrics(&stats, &config, &tracker).await;
 
-        assert!(output.contains(&format!(
-            "telemt_build_info{{version=\"{}\"}} 1",
-            env!("CARGO_PKG_VERSION")
-        )));
         assert!(output.contains("telemt_connections_total 2"));
         assert!(output.contains("telemt_connections_bad_total 1"));
         assert!(output.contains("telemt_handshake_timeouts_total 1"));
-        assert!(output.contains("telemt_auth_expensive_checks_total 9"));
-        assert!(output.contains("telemt_auth_budget_exhausted_total 2"));
         assert!(output.contains("telemt_upstream_connect_attempt_total 2"));
         assert!(output.contains("telemt_upstream_connect_success_total 1"));
         assert!(output.contains("telemt_upstream_connect_fail_total 1"));
@@ -3055,23 +2722,17 @@ mod tests {
         assert!(output.contains("telemt_user_unique_ips_recent_window{user=\"alice\"} 1"));
         assert!(output.contains("telemt_user_unique_ips_limit{user=\"alice\"} 4"));
         assert!(output.contains("telemt_user_unique_ips_utilization{user=\"alice\"} 0.250000"));
-        assert!(output.contains("telemt_ip_tracker_users{scope=\"active\"} 1"));
-        assert!(output.contains("telemt_ip_tracker_entries{scope=\"active\"} 1"));
-        assert!(output.contains("telemt_ip_tracker_cleanup_queue_len 0"));
     }
 
     #[tokio::test]
     async fn test_render_empty_stats() {
         let stats = Stats::new();
-        let shared_state = ProxySharedState::new();
         let tracker = UserIpTracker::new();
         let config = ProxyConfig::default();
-        let output = render_metrics(&stats, &shared_state, &config, &tracker).await;
+        let output = render_metrics(&stats, &config, &tracker).await;
         assert!(output.contains("telemt_connections_total 0"));
         assert!(output.contains("telemt_connections_bad_total 0"));
         assert!(output.contains("telemt_handshake_timeouts_total 0"));
-        assert!(output.contains("telemt_auth_expensive_checks_total 0"));
-        assert!(output.contains("telemt_auth_budget_exhausted_total 0"));
         assert!(output.contains("telemt_user_unique_ips_current{user="));
         assert!(output.contains("telemt_user_unique_ips_recent_window{user="));
     }
@@ -3079,7 +2740,6 @@ mod tests {
     #[tokio::test]
     async fn test_render_uses_global_each_unique_ip_limit() {
         let stats = Stats::new();
-        let shared_state = ProxySharedState::new();
         stats.increment_user_connects("alice");
         stats.increment_user_curr_connects("alice");
         let tracker = UserIpTracker::new();
@@ -3090,7 +2750,7 @@ mod tests {
         let mut config = ProxyConfig::default();
         config.access.user_max_unique_ips_global_each = 2;
 
-        let output = render_metrics(&stats, &shared_state, &config, &tracker).await;
+        let output = render_metrics(&stats, &config, &tracker).await;
 
         assert!(output.contains("telemt_user_unique_ips_limit{user=\"alice\"} 2"));
         assert!(output.contains("telemt_user_unique_ips_utilization{user=\"alice\"} 0.500000"));
@@ -3099,16 +2759,13 @@ mod tests {
     #[tokio::test]
     async fn test_render_has_type_annotations() {
         let stats = Stats::new();
-        let shared_state = ProxySharedState::new();
         let tracker = UserIpTracker::new();
         let config = ProxyConfig::default();
-        let output = render_metrics(&stats, &shared_state, &config, &tracker).await;
+        let output = render_metrics(&stats, &config, &tracker).await;
         assert!(output.contains("# TYPE telemt_uptime_seconds gauge"));
         assert!(output.contains("# TYPE telemt_connections_total counter"));
         assert!(output.contains("# TYPE telemt_connections_bad_total counter"));
         assert!(output.contains("# TYPE telemt_handshake_timeouts_total counter"));
-        assert!(output.contains("# TYPE telemt_auth_expensive_checks_total counter"));
-        assert!(output.contains("# TYPE telemt_auth_budget_exhausted_total counter"));
         assert!(output.contains("# TYPE telemt_upstream_connect_attempt_total counter"));
         assert!(output.contains("# TYPE telemt_me_rpc_proxy_req_signal_sent_total counter"));
         assert!(output.contains("# TYPE telemt_me_idle_close_by_peer_total counter"));
@@ -3136,16 +2793,12 @@ mod tests {
         assert!(output.contains("# TYPE telemt_user_unique_ips_recent_window gauge"));
         assert!(output.contains("# TYPE telemt_user_unique_ips_limit gauge"));
         assert!(output.contains("# TYPE telemt_user_unique_ips_utilization gauge"));
-        assert!(output.contains("# TYPE telemt_ip_tracker_users gauge"));
-        assert!(output.contains("# TYPE telemt_ip_tracker_entries gauge"));
-        assert!(output.contains("# TYPE telemt_ip_tracker_cleanup_queue_len gauge"));
     }
 
     #[tokio::test]
     async fn test_endpoint_integration() {
         let stats = Arc::new(Stats::new());
         let beobachten = Arc::new(BeobachtenStore::new());
-        let shared_state = ProxySharedState::new();
         let tracker = UserIpTracker::new();
         let mut config = ProxyConfig::default();
         stats.increment_connects_all();
@@ -3153,16 +2806,9 @@ mod tests {
         stats.increment_connects_all();
 
         let req = Request::builder().uri("/metrics").body(()).unwrap();
-        let resp = handle(
+        let resp = handle(req, &stats, &beobachten, &tracker, &config)
-            req,
+            .await
-            &stats,
+            .unwrap();
-            &beobachten,
-            shared_state.as_ref(),
-            &tracker,
-            &config,
-        )
-        .await
-        .unwrap();
         assert_eq!(resp.status(), StatusCode::OK);
         let body = resp.into_body().collect().await.unwrap().to_bytes();
         assert!(
@@ -3170,14 +2816,6 @@ mod tests {
                 .unwrap()
                 .contains("telemt_connections_total 3")
         );
-        assert!(
-            std::str::from_utf8(body.as_ref())
-                .unwrap()
-                .contains(&format!(
-                    "telemt_build_info{{version=\"{}\"}} 1",
-                    env!("CARGO_PKG_VERSION")
-                ))
-        );
 
         config.general.beobachten = true;
         config.general.beobachten_minutes = 10;
@@ -3187,16 +2825,9 @@ mod tests {
             Duration::from_secs(600),
         );
         let req_beob = Request::builder().uri("/beobachten").body(()).unwrap();
-        let resp_beob = handle(
+        let resp_beob = handle(req_beob, &stats, &beobachten, &tracker, &config)
-            req_beob,
+            .await
-            &stats,
+            .unwrap();
-            &beobachten,
-            shared_state.as_ref(),
-            &tracker,
-            &config,
-        )
-        .await
-        .unwrap();
         assert_eq!(resp_beob.status(), StatusCode::OK);
         let body_beob = resp_beob.into_body().collect().await.unwrap().to_bytes();
         let beob_text = std::str::from_utf8(body_beob.as_ref()).unwrap();
@@ -3204,16 +2835,9 @@ mod tests {
         assert!(beob_text.contains("203.0.113.10-1"));
 
         let req404 = Request::builder().uri("/other").body(()).unwrap();
-        let resp404 = handle(
+        let resp404 = handle(req404, &stats, &beobachten, &tracker, &config)
-            req404,
+            .await
-            &stats,
+            .unwrap();
-            &beobachten,
-            shared_state.as_ref(),
-            &tracker,
-            &config,
-        )
-        .await
-        .unwrap();
         assert_eq!(resp404.status(), StatusCode::NOT_FOUND);
     }
 }

src/proxy/adaptive_buffers.rs

@@ -24,8 +24,6 @@ const DIRECT_S2C_CAP_BYTES: usize = 512 * 1024;
 const ME_FRAMES_CAP: usize = 96;
 const ME_BYTES_CAP: usize = 384 * 1024;
 const ME_DELAY_MIN_US: u64 = 150;
-const MAX_USER_PROFILES_ENTRIES: usize = 50_000;
-const MAX_USER_KEY_BYTES: usize = 512;
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
 pub enum AdaptiveTier {
@@ -236,50 +234,32 @@ fn profiles() -> &'static DashMap<String, UserAdaptiveProfile> {
 }
 
 pub fn seed_tier_for_user(user: &str) -> AdaptiveTier {
-    if user.len() > MAX_USER_KEY_BYTES {
-        return AdaptiveTier::Base;
-    }
     let now = Instant::now();
     if let Some(entry) = profiles().get(user) {
-        let value = *entry.value();
+        let value = entry.value();
-        drop(entry);
+        if now.duration_since(value.seen_at) <= PROFILE_TTL {
-        if now.saturating_duration_since(value.seen_at) <= PROFILE_TTL {
             return value.tier;
         }
-        profiles().remove_if(user, |_, v| {
-            now.saturating_duration_since(v.seen_at) > PROFILE_TTL
-        });
     }
     AdaptiveTier::Base
 }
 
 pub fn record_user_tier(user: &str, tier: AdaptiveTier) {
-    if user.len() > MAX_USER_KEY_BYTES {
+    let now = Instant::now();
+    if let Some(mut entry) = profiles().get_mut(user) {
+        let existing = *entry;
+        let effective = if now.duration_since(existing.seen_at) > PROFILE_TTL {
+            tier
+        } else {
+            max(existing.tier, tier)
+        };
+        *entry = UserAdaptiveProfile {
+            tier: effective,
+            seen_at: now,
+        };
         return;
     }
-    let now = Instant::now();
+    profiles().insert(user.to_string(), UserAdaptiveProfile { tier, seen_at: now });
-    let mut was_vacant = false;
-    match profiles().entry(user.to_string()) {
-        dashmap::mapref::entry::Entry::Occupied(mut entry) => {
-            let existing = *entry.get();
-            let effective = if now.saturating_duration_since(existing.seen_at) > PROFILE_TTL {
-                tier
-            } else {
-                max(existing.tier, tier)
-            };
-            entry.insert(UserAdaptiveProfile {
-                tier: effective,
-                seen_at: now,
-            });
-        }
-        dashmap::mapref::entry::Entry::Vacant(slot) => {
-            slot.insert(UserAdaptiveProfile { tier, seen_at: now });
-            was_vacant = true;
-        }
-    }
-    if was_vacant && profiles().len() > MAX_USER_PROFILES_ENTRIES {
-        profiles().retain(|_, v| now.saturating_duration_since(v.seen_at) <= PROFILE_TTL);
-    }
 }
 
 pub fn direct_copy_buffers_for_tier(
@@ -330,14 +310,6 @@ fn scale(base: usize, numerator: usize, denominator: usize, cap: usize) -> usize
     scaled.min(cap).max(1)
 }
 
-#[cfg(test)]
-#[path = "tests/adaptive_buffers_security_tests.rs"]
-mod adaptive_buffers_security_tests;
-
-#[cfg(test)]
-#[path = "tests/adaptive_buffers_record_race_security_tests.rs"]
-mod adaptive_buffers_record_race_security_tests;
-
 #[cfg(test)]
 mod tests {
     use super::*;

src/proxy/client.rs

@@ -80,16 +80,11 @@ use crate::transport::middle_proxy::MePool;
 use crate::transport::socket::normalize_ip;
 use crate::transport::{UpstreamManager, configure_client_socket, parse_proxy_protocol};
 
-use crate::proxy::direct_relay::handle_via_direct_with_shared;
+use crate::proxy::direct_relay::handle_via_direct;
-use crate::proxy::handshake::{
+use crate::proxy::handshake::{HandshakeSuccess, handle_mtproto_handshake, handle_tls_handshake};
-    HandshakeSuccess, handle_mtproto_handshake_with_shared, handle_tls_handshake_with_shared,
-};
-#[cfg(test)]
-use crate::proxy::handshake::{handle_mtproto_handshake, handle_tls_handshake};
 use crate::proxy::masking::handle_bad_client;
 use crate::proxy::middle_relay::handle_via_middle_proxy;
 use crate::proxy::route_mode::{RelayRouteMode, RouteRuntimeController};
-use crate::proxy::shared_state::ProxySharedState;
 
 fn beobachten_ttl(config: &ProxyConfig) -> Duration {
     const BEOBACHTEN_TTL_MAX_MINUTES: u64 = 24 * 60;
@@ -191,24 +186,6 @@ fn handshake_timeout_with_mask_grace(config: &ProxyConfig) -> Duration {
     }
 }
 
-fn effective_client_first_byte_idle_secs(config: &ProxyConfig, shared: &ProxySharedState) -> u64 {
-    let idle_secs = config.timeouts.client_first_byte_idle_secs;
-    if idle_secs == 0 {
-        return 0;
-    }
-    if shared.conntrack_pressure_active() {
-        idle_secs.min(
-            config
-                .server
-                .conntrack_control
-                .profile
-                .client_first_byte_idle_cap_secs(),
-        )
-    } else {
-        idle_secs
-    }
-}
-
 const MASK_CLASSIFIER_PREFETCH_WINDOW: usize = 16;
 #[cfg(test)]
 const MASK_CLASSIFIER_PREFETCH_TIMEOUT: Duration = Duration::from_millis(5);
@@ -365,48 +342,7 @@ fn synthetic_local_addr(port: u16) -> SocketAddr {
     SocketAddr::from(([0, 0, 0, 0], port))
 }
 
-#[cfg(test)]
 pub async fn handle_client_stream<S>(
-    stream: S,
-    peer: SocketAddr,
-    config: Arc<ProxyConfig>,
-    stats: Arc<Stats>,
-    upstream_manager: Arc<UpstreamManager>,
-    replay_checker: Arc<ReplayChecker>,
-    buffer_pool: Arc<BufferPool>,
-    rng: Arc<SecureRandom>,
-    me_pool: Option<Arc<MePool>>,
-    route_runtime: Arc<RouteRuntimeController>,
-    tls_cache: Option<Arc<TlsFrontCache>>,
-    ip_tracker: Arc<UserIpTracker>,
-    beobachten: Arc<BeobachtenStore>,
-    proxy_protocol_enabled: bool,
-) -> Result<()>
-where
-    S: AsyncRead + AsyncWrite + Unpin + Send + 'static,
-{
-    handle_client_stream_with_shared(
-        stream,
-        peer,
-        config,
-        stats,
-        upstream_manager,
-        replay_checker,
-        buffer_pool,
-        rng,
-        me_pool,
-        route_runtime,
-        tls_cache,
-        ip_tracker,
-        beobachten,
-        ProxySharedState::new(),
-        proxy_protocol_enabled,
-    )
-    .await
-}
-
-#[allow(clippy::too_many_arguments)]
-pub async fn handle_client_stream_with_shared<S>(
     mut stream: S,
     peer: SocketAddr,
     config: Arc<ProxyConfig>,
@@ -420,7 +356,6 @@ pub async fn handle_client_stream_with_shared<S>(
     tls_cache: Option<Arc<TlsFrontCache>>,
     ip_tracker: Arc<UserIpTracker>,
     beobachten: Arc<BeobachtenStore>,
-    shared: Arc<ProxySharedState>,
     proxy_protocol_enabled: bool,
 ) -> Result<()>
 where
@@ -481,69 +416,16 @@ where
 
     debug!(peer = %real_peer, "New connection (generic stream)");
 
-    let first_byte_idle_secs = effective_client_first_byte_idle_secs(&config, shared.as_ref());
-    let first_byte = if first_byte_idle_secs == 0 {
-        None
-    } else {
-        let idle_timeout = Duration::from_secs(first_byte_idle_secs);
-        let mut first_byte = [0u8; 1];
-        match timeout(idle_timeout, stream.read(&mut first_byte)).await {
-            Ok(Ok(0)) => {
-                debug!(peer = %real_peer, "Connection closed before first client byte");
-                return Ok(());
-            }
-            Ok(Ok(_)) => Some(first_byte[0]),
-            Ok(Err(e))
-                if matches!(
-                    e.kind(),
-                    std::io::ErrorKind::UnexpectedEof
-                        | std::io::ErrorKind::ConnectionReset
-                        | std::io::ErrorKind::ConnectionAborted
-                        | std::io::ErrorKind::BrokenPipe
-                        | std::io::ErrorKind::NotConnected
-                ) =>
-            {
-                debug!(
-                    peer = %real_peer,
-                    error = %e,
-                    "Connection closed before first client byte"
-                );
-                return Ok(());
-            }
-            Ok(Err(e)) => {
-                debug!(
-                    peer = %real_peer,
-                    error = %e,
-                    "Failed while waiting for first client byte"
-                );
-                return Err(ProxyError::Io(e));
-            }
-            Err(_) => {
-                debug!(
-                    peer = %real_peer,
-                    idle_secs = first_byte_idle_secs,
-                    "Closing idle pooled connection before first client byte"
-                );
-                return Ok(());
-            }
-        }
-    };
-
     let handshake_timeout = handshake_timeout_with_mask_grace(&config);
     let stats_for_timeout = stats.clone();
     let config_for_timeout = config.clone();
     let beobachten_for_timeout = beobachten.clone();
     let peer_for_timeout = real_peer.ip();
 
-    // Phase 2: active handshake (with timeout after the first client byte)
+    // Phase 1: handshake (with timeout)
     let outcome = match timeout(handshake_timeout, async {
         let mut first_bytes = [0u8; 5];
-        if let Some(first_byte) = first_byte {
+        stream.read_exact(&mut first_bytes).await?;
-            first_bytes[0] = first_byte;
-            stream.read_exact(&mut first_bytes[1..]).await?;
-        } else {
-            stream.read_exact(&mut first_bytes).await?;
-        }
 
         let is_tls = tls::is_tls_handshake(&first_bytes[..3]);
         debug!(peer = %real_peer, is_tls = is_tls, "Handshake type detected");
@@ -616,10 +498,9 @@ where
 
             let (read_half, write_half) = tokio::io::split(stream);
 
-            let (mut tls_reader, tls_writer, tls_user) = match handle_tls_handshake_with_shared(
+            let (mut tls_reader, tls_writer, tls_user) = match handle_tls_handshake(
                 &handshake, read_half, write_half, real_peer,
                 &config, &replay_checker, &rng, tls_cache.clone(),
-                shared.as_ref(),
             ).await {
                 HandshakeResult::Success(result) => result,
                 HandshakeResult::BadClient { reader, writer } => {
@@ -645,10 +526,9 @@ where
             let mtproto_handshake: [u8; HANDSHAKE_LEN] = mtproto_data[..].try_into()
                 .map_err(|_| ProxyError::InvalidHandshake("Short MTProto handshake".into()))?;
 
-            let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake_with_shared(
+            let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake(
                 &mtproto_handshake, tls_reader, tls_writer, real_peer,
                 &config, &replay_checker, true, Some(tls_user.as_str()),
-                shared.as_ref(),
             ).await {
                 HandshakeResult::Success(result) => result,
                 HandshakeResult::BadClient { reader, writer } => {
@@ -682,12 +562,11 @@ where
             };
 
             Ok(HandshakeOutcome::NeedsRelay(Box::pin(
-                RunningClientHandler::handle_authenticated_static_with_shared(
+                RunningClientHandler::handle_authenticated_static(
                     crypto_reader, crypto_writer, success,
                     upstream_manager, stats, config, buffer_pool, rng, me_pool,
                     route_runtime.clone(),
                     local_addr, real_peer, ip_tracker.clone(),
-                    shared.clone(),
                 ),
             )))
         } else {
@@ -713,10 +592,9 @@ where
 
             let (read_half, write_half) = tokio::io::split(stream);
 
-            let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake_with_shared(
+            let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake(
                 &handshake, read_half, write_half, real_peer,
                 &config, &replay_checker, false, None,
-                shared.as_ref(),
             ).await {
                 HandshakeResult::Success(result) => result,
                 HandshakeResult::BadClient { reader, writer } => {
@@ -735,7 +613,7 @@ where
             };
 
             Ok(HandshakeOutcome::NeedsRelay(Box::pin(
-                RunningClientHandler::handle_authenticated_static_with_shared(
+                RunningClientHandler::handle_authenticated_static(
                     crypto_reader,
                     crypto_writer,
                     success,
@@ -749,7 +627,6 @@ where
                     local_addr,
                     real_peer,
                     ip_tracker.clone(),
-                    shared.clone(),
                 )
             )))
         }
@@ -802,12 +679,10 @@ pub struct RunningClientHandler {
     tls_cache: Option<Arc<TlsFrontCache>>,
     ip_tracker: Arc<UserIpTracker>,
     beobachten: Arc<BeobachtenStore>,
-    shared: Arc<ProxySharedState>,
     proxy_protocol_enabled: bool,
 }
 
 impl ClientHandler {
-    #[cfg(test)]
     pub fn new(
         stream: TcpStream,
         peer: SocketAddr,
@@ -824,45 +699,6 @@ impl ClientHandler {
         beobachten: Arc<BeobachtenStore>,
         proxy_protocol_enabled: bool,
         real_peer_report: Arc<std::sync::Mutex<Option<SocketAddr>>>,
-    ) -> RunningClientHandler {
-        Self::new_with_shared(
-            stream,
-            peer,
-            config,
-            stats,
-            upstream_manager,
-            replay_checker,
-            buffer_pool,
-            rng,
-            me_pool,
-            route_runtime,
-            tls_cache,
-            ip_tracker,
-            beobachten,
-            ProxySharedState::new(),
-            proxy_protocol_enabled,
-            real_peer_report,
-        )
-    }
-
-    #[allow(clippy::too_many_arguments)]
-    pub fn new_with_shared(
-        stream: TcpStream,
-        peer: SocketAddr,
-        config: Arc<ProxyConfig>,
-        stats: Arc<Stats>,
-        upstream_manager: Arc<UpstreamManager>,
-        replay_checker: Arc<ReplayChecker>,
-        buffer_pool: Arc<BufferPool>,
-        rng: Arc<SecureRandom>,
-        me_pool: Option<Arc<MePool>>,
-        route_runtime: Arc<RouteRuntimeController>,
-        tls_cache: Option<Arc<TlsFrontCache>>,
-        ip_tracker: Arc<UserIpTracker>,
-        beobachten: Arc<BeobachtenStore>,
-        shared: Arc<ProxySharedState>,
-        proxy_protocol_enabled: bool,
-        real_peer_report: Arc<std::sync::Mutex<Option<SocketAddr>>>,
     ) -> RunningClientHandler {
         let normalized_peer = normalize_ip(peer);
         RunningClientHandler {
@@ -881,7 +717,6 @@ impl ClientHandler {
             tls_cache,
             ip_tracker,
             beobachten,
-            shared,
             proxy_protocol_enabled,
         }
     }
@@ -901,9 +736,36 @@ impl RunningClientHandler {
             debug!(peer = %peer, error = %e, "Failed to configure client socket");
         }
 
-        let outcome = match self.do_handshake().await? {
+        let handshake_timeout = handshake_timeout_with_mask_grace(&self.config);
-            Some(outcome) => outcome,
+        let stats = self.stats.clone();
-            None => return Ok(()),
+        let config_for_timeout = self.config.clone();
+        let beobachten_for_timeout = self.beobachten.clone();
+        let peer_for_timeout = peer.ip();
+
+        // Phase 1: handshake (with timeout)
+        let outcome = match timeout(handshake_timeout, self.do_handshake()).await {
+            Ok(Ok(outcome)) => outcome,
+            Ok(Err(e)) => {
+                debug!(peer = %peer, error = %e, "Handshake failed");
+                record_handshake_failure_class(
+                    &beobachten_for_timeout,
+                    &config_for_timeout,
+                    peer_for_timeout,
+                    &e,
+                );
+                return Err(e);
+            }
+            Err(_) => {
+                stats.increment_handshake_timeouts();
+                debug!(peer = %peer, "Handshake timeout");
+                record_beobachten_class(
+                    &beobachten_for_timeout,
+                    &config_for_timeout,
+                    peer_for_timeout,
+                    "other",
+                );
+                return Err(ProxyError::TgHandshakeTimeout);
+            }
         };
 
         // Phase 2: relay (WITHOUT handshake timeout — relay has its own activity timeouts)
@@ -912,7 +774,7 @@ impl RunningClientHandler {
         }
     }
 
-    async fn do_handshake(mut self) -> Result<Option<HandshakeOutcome>> {
+    async fn do_handshake(mut self) -> Result<HandshakeOutcome> {
         let mut local_addr = self.stream.local_addr().map_err(ProxyError::Io)?;
 
         if self.proxy_protocol_enabled {
@@ -987,109 +849,19 @@ impl RunningClientHandler {
             }
         }
 
-        let first_byte_idle_secs =
+        let mut first_bytes = [0u8; 5];
-            effective_client_first_byte_idle_secs(&self.config, self.shared.as_ref());
+        self.stream.read_exact(&mut first_bytes).await?;
-        let first_byte = if first_byte_idle_secs == 0 {
+
-            None
+        let is_tls = tls::is_tls_handshake(&first_bytes[..3]);
+        let peer = self.peer;
+
+        debug!(peer = %peer, is_tls = is_tls, "Handshake type detected");
+
+        if is_tls {
+            self.handle_tls_client(first_bytes, local_addr).await
         } else {
-            let idle_timeout = Duration::from_secs(first_byte_idle_secs);
+            self.handle_direct_client(first_bytes, local_addr).await
-            let mut first_byte = [0u8; 1];
+        }
-            match timeout(idle_timeout, self.stream.read(&mut first_byte)).await {
-                Ok(Ok(0)) => {
-                    debug!(peer = %self.peer, "Connection closed before first client byte");
-                    return Ok(None);
-                }
-                Ok(Ok(_)) => Some(first_byte[0]),
-                Ok(Err(e))
-                    if matches!(
-                        e.kind(),
-                        std::io::ErrorKind::UnexpectedEof
-                            | std::io::ErrorKind::ConnectionReset
-                            | std::io::ErrorKind::ConnectionAborted
-                            | std::io::ErrorKind::BrokenPipe
-                            | std::io::ErrorKind::NotConnected
-                    ) =>
-                {
-                    debug!(
-                        peer = %self.peer,
-                        error = %e,
-                        "Connection closed before first client byte"
-                    );
-                    return Ok(None);
-                }
-                Ok(Err(e)) => {
-                    debug!(
-                        peer = %self.peer,
-                        error = %e,
-                        "Failed while waiting for first client byte"
-                    );
-                    return Err(ProxyError::Io(e));
-                }
-                Err(_) => {
-                    debug!(
-                        peer = %self.peer,
-                        idle_secs = first_byte_idle_secs,
-                        "Closing idle pooled connection before first client byte"
-                    );
-                    return Ok(None);
-                }
-            }
-        };
-
-        let handshake_timeout = handshake_timeout_with_mask_grace(&self.config);
-        let stats = self.stats.clone();
-        let config_for_timeout = self.config.clone();
-        let beobachten_for_timeout = self.beobachten.clone();
-        let peer_for_timeout = self.peer.ip();
-        let peer_for_log = self.peer;
-
-        let outcome = match timeout(handshake_timeout, async {
-            let mut first_bytes = [0u8; 5];
-            if let Some(first_byte) = first_byte {
-                first_bytes[0] = first_byte;
-                self.stream.read_exact(&mut first_bytes[1..]).await?;
-            } else {
-                self.stream.read_exact(&mut first_bytes).await?;
-            }
-
-            let is_tls = tls::is_tls_handshake(&first_bytes[..3]);
-            let peer = self.peer;
-
-            debug!(peer = %peer, is_tls = is_tls, "Handshake type detected");
-
-            if is_tls {
-                self.handle_tls_client(first_bytes, local_addr).await
-            } else {
-                self.handle_direct_client(first_bytes, local_addr).await
-            }
-        })
-        .await
-        {
-            Ok(Ok(outcome)) => outcome,
-            Ok(Err(e)) => {
-                debug!(peer = %peer_for_log, error = %e, "Handshake failed");
-                record_handshake_failure_class(
-                    &beobachten_for_timeout,
-                    &config_for_timeout,
-                    peer_for_timeout,
-                    &e,
-                );
-                return Err(e);
-            }
-            Err(_) => {
-                stats.increment_handshake_timeouts();
-                debug!(peer = %peer_for_log, "Handshake timeout");
-                record_beobachten_class(
-                    &beobachten_for_timeout,
-                    &config_for_timeout,
-                    peer_for_timeout,
-                    "other",
-                );
-                return Err(ProxyError::TgHandshakeTimeout);
-            }
-        };
-
-        Ok(Some(outcome))
     }
 
     async fn handle_tls_client(
@@ -1172,7 +944,7 @@ impl RunningClientHandler {
 
         let (read_half, write_half) = self.stream.into_split();
 
-        let (mut tls_reader, tls_writer, tls_user) = match handle_tls_handshake_with_shared(
+        let (mut tls_reader, tls_writer, tls_user) = match handle_tls_handshake(
             &handshake,
             read_half,
             write_half,
@@ -1181,7 +953,6 @@ impl RunningClientHandler {
             &replay_checker,
             &self.rng,
             self.tls_cache.clone(),
-            self.shared.as_ref(),
         )
         .await
         {
@@ -1210,7 +981,7 @@ impl RunningClientHandler {
             .try_into()
             .map_err(|_| ProxyError::InvalidHandshake("Short MTProto handshake".into()))?;
 
-        let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake_with_shared(
+        let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake(
             &mtproto_handshake,
             tls_reader,
             tls_writer,
@@ -1219,7 +990,6 @@ impl RunningClientHandler {
             &replay_checker,
             true,
             Some(tls_user.as_str()),
-            self.shared.as_ref(),
         )
         .await
         {
@@ -1256,7 +1026,7 @@ impl RunningClientHandler {
         };
 
         Ok(HandshakeOutcome::NeedsRelay(Box::pin(
-            Self::handle_authenticated_static_with_shared(
+            Self::handle_authenticated_static(
                 crypto_reader,
                 crypto_writer,
                 success,
@@ -1270,7 +1040,6 @@ impl RunningClientHandler {
                 local_addr,
                 peer,
                 self.ip_tracker,
-                self.shared,
             ),
         )))
     }
@@ -1309,7 +1078,7 @@ impl RunningClientHandler {
 
         let (read_half, write_half) = self.stream.into_split();
 
-        let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake_with_shared(
+        let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake(
             &handshake,
             read_half,
             write_half,
@@ -1318,7 +1087,6 @@ impl RunningClientHandler {
             &replay_checker,
             false,
             None,
-            self.shared.as_ref(),
         )
         .await
         {
@@ -1339,7 +1107,7 @@ impl RunningClientHandler {
         };
 
         Ok(HandshakeOutcome::NeedsRelay(Box::pin(
-            Self::handle_authenticated_static_with_shared(
+            Self::handle_authenticated_static(
                 crypto_reader,
                 crypto_writer,
                 success,
@@ -1353,7 +1121,6 @@ impl RunningClientHandler {
                 local_addr,
                 peer,
                 self.ip_tracker,
-                self.shared,
             ),
         )))
     }
@@ -1362,7 +1129,6 @@ impl RunningClientHandler {
     /// Two modes:
     ///   - Direct: TCP relay to TG DC (existing behavior)  
     ///   - Middle Proxy: RPC multiplex through ME pool (new — supports CDN DCs)
-    #[cfg(test)]
     async fn handle_authenticated_static<R, W>(
         client_reader: CryptoReader<R>,
         client_writer: CryptoWriter<W>,
@@ -1378,45 +1144,6 @@ impl RunningClientHandler {
         peer_addr: SocketAddr,
         ip_tracker: Arc<UserIpTracker>,
     ) -> Result<()>
-    where
-        R: AsyncRead + Unpin + Send + 'static,
-        W: AsyncWrite + Unpin + Send + 'static,
-    {
-        Self::handle_authenticated_static_with_shared(
-            client_reader,
-            client_writer,
-            success,
-            upstream_manager,
-            stats,
-            config,
-            buffer_pool,
-            rng,
-            me_pool,
-            route_runtime,
-            local_addr,
-            peer_addr,
-            ip_tracker,
-            ProxySharedState::new(),
-        )
-        .await
-    }
-
-    async fn handle_authenticated_static_with_shared<R, W>(
-        client_reader: CryptoReader<R>,
-        client_writer: CryptoWriter<W>,
-        success: HandshakeSuccess,
-        upstream_manager: Arc<UpstreamManager>,
-        stats: Arc<Stats>,
-        config: Arc<ProxyConfig>,
-        buffer_pool: Arc<BufferPool>,
-        rng: Arc<SecureRandom>,
-        me_pool: Option<Arc<MePool>>,
-        route_runtime: Arc<RouteRuntimeController>,
-        local_addr: SocketAddr,
-        peer_addr: SocketAddr,
-        ip_tracker: Arc<UserIpTracker>,
-        shared: Arc<ProxySharedState>,
-    ) -> Result<()>
     where
         R: AsyncRead + Unpin + Send + 'static,
         W: AsyncWrite + Unpin + Send + 'static,
@@ -1458,12 +1185,11 @@ impl RunningClientHandler {
                     route_runtime.subscribe(),
                     route_snapshot,
                     session_id,
-                    shared.clone(),
                 )
                 .await
             } else {
                 warn!("use_middle_proxy=true but MePool not initialized, falling back to direct");
-                handle_via_direct_with_shared(
+                handle_via_direct(
                     client_reader,
                     client_writer,
                     success,
@@ -1475,14 +1201,12 @@ impl RunningClientHandler {
                     route_runtime.subscribe(),
                     route_snapshot,
                     session_id,
-                    local_addr,
-                    shared.clone(),
                 )
                 .await
             }
         } else {
             // Direct mode (original behavior)
-            handle_via_direct_with_shared(
+            handle_via_direct(
                 client_reader,
                 client_writer,
                 success,
@@ -1494,8 +1218,6 @@ impl RunningClientHandler {
                 route_runtime.subscribe(),
                 route_snapshot,
                 session_id,
-                local_addr,
-                shared.clone(),
             )
             .await
         };
@@ -1530,11 +1252,7 @@ impl RunningClientHandler {
             .access
             .user_max_tcp_conns
             .get(user)
-            .copied()
+            .map(|v| *v as u64);
-            .filter(|limit| *limit > 0)
-            .or((config.access.user_max_tcp_conns_global_each > 0)
-                .then_some(config.access.user_max_tcp_conns_global_each))
-            .map(|v| v as u64);
         if !stats.try_acquire_user_curr_connects(user, limit) {
             return Err(ProxyError::ConnectionLimitExceeded {
                 user: user.to_string(),
@@ -1593,11 +1311,7 @@ impl RunningClientHandler {
             .access
             .user_max_tcp_conns
             .get(user)
-            .copied()
+            .map(|v| *v as u64);
-            .filter(|limit| *limit > 0)
-            .or((config.access.user_max_tcp_conns_global_each > 0)
-                .then_some(config.access.user_max_tcp_conns_global_each))
-            .map(|v| v as u64);
         if !stats.try_acquire_user_curr_connects(user, limit) {
             return Err(ProxyError::ConnectionLimitExceeded {
                 user: user.to_string(),

src/proxy/direct_relay.rs

@@ -6,7 +6,6 @@ use std::net::SocketAddr;
 use std::path::{Component, Path, PathBuf};
 use std::sync::Arc;
 use std::sync::{Mutex, OnceLock};
-use std::time::Duration;
 
 use tokio::io::{AsyncRead, AsyncWrite, AsyncWriteExt, ReadHalf, WriteHalf, split};
 use tokio::sync::watch;
@@ -17,13 +16,11 @@ use crate::crypto::SecureRandom;
 use crate::error::{ProxyError, Result};
 use crate::protocol::constants::*;
 use crate::proxy::handshake::{HandshakeSuccess, encrypt_tg_nonce_with_ciphers, generate_tg_nonce};
+use crate::proxy::relay::relay_bidirectional;
 use crate::proxy::route_mode::{
     ROUTE_SWITCH_ERROR_MSG, RelayRouteMode, RouteCutoverState, affected_cutover_state,
     cutover_stagger_delay,
 };
-use crate::proxy::shared_state::{
-    ConntrackCloseEvent, ConntrackClosePublishResult, ConntrackCloseReason, ProxySharedState,
-};
 use crate::stats::Stats;
 use crate::stream::{BufferPool, CryptoReader, CryptoWriter};
 use crate::transport::UpstreamManager;
@@ -228,43 +225,7 @@ fn unknown_dc_test_lock() -> &'static Mutex<()> {
     TEST_LOCK.get_or_init(|| Mutex::new(()))
 }
 
-#[allow(dead_code)]
 pub(crate) async fn handle_via_direct<R, W>(
-    client_reader: CryptoReader<R>,
-    client_writer: CryptoWriter<W>,
-    success: HandshakeSuccess,
-    upstream_manager: Arc<UpstreamManager>,
-    stats: Arc<Stats>,
-    config: Arc<ProxyConfig>,
-    buffer_pool: Arc<BufferPool>,
-    rng: Arc<SecureRandom>,
-    route_rx: watch::Receiver<RouteCutoverState>,
-    route_snapshot: RouteCutoverState,
-    session_id: u64,
-) -> Result<()>
-where
-    R: AsyncRead + Unpin + Send + 'static,
-    W: AsyncWrite + Unpin + Send + 'static,
-{
-    handle_via_direct_with_shared(
-        client_reader,
-        client_writer,
-        success,
-        upstream_manager,
-        stats,
-        config.clone(),
-        buffer_pool,
-        rng,
-        route_rx,
-        route_snapshot,
-        session_id,
-        SocketAddr::from(([0, 0, 0, 0], config.server.port)),
-        ProxySharedState::new(),
-    )
-    .await
-}
-
-pub(crate) async fn handle_via_direct_with_shared<R, W>(
     client_reader: CryptoReader<R>,
     client_writer: CryptoWriter<W>,
     success: HandshakeSuccess,
@@ -276,8 +237,6 @@ pub(crate) async fn handle_via_direct_with_shared<R, W>(
     mut route_rx: watch::Receiver<RouteCutoverState>,
     route_snapshot: RouteCutoverState,
     session_id: u64,
-    local_addr: SocketAddr,
-    shared: Arc<ProxySharedState>,
 ) -> Result<()>
 where
     R: AsyncRead + Unpin + Send + 'static,
@@ -317,19 +276,7 @@ where
     stats.increment_user_connects(user);
     let _direct_connection_lease = stats.acquire_direct_connection_lease();
 
-    let buffer_pool_trim = Arc::clone(&buffer_pool);
+    let relay_result = relay_bidirectional(
-    let relay_activity_timeout = if shared.conntrack_pressure_active() {
-        Duration::from_secs(
-            config
-                .server
-                .conntrack_control
-                .profile
-                .direct_activity_timeout_secs(),
-        )
-    } else {
-        Duration::from_secs(1800)
-    };
-    let relay_result = crate::proxy::relay::relay_bidirectional_with_activity_timeout(
         client_reader,
         client_writer,
         tg_reader,
@@ -340,7 +287,6 @@ where
         Arc::clone(&stats),
         config.access.user_data_quota.get(user).copied(),
         buffer_pool,
-        relay_activity_timeout,
     );
     tokio::pin!(relay_result);
     let relay_result = loop {
@@ -375,59 +321,9 @@ where
         Err(e) => debug!(user = %user, error = %e, "Direct relay ended with error"),
     }
 
-    buffer_pool_trim.trim_to(buffer_pool_trim.max_buffers().min(64));
-    let pool_snapshot = buffer_pool_trim.stats();
-    stats.set_buffer_pool_gauges(
-        pool_snapshot.pooled,
-        pool_snapshot.allocated,
-        pool_snapshot.allocated.saturating_sub(pool_snapshot.pooled),
-    );
-
-    let close_reason = classify_conntrack_close_reason(&relay_result);
-    let publish_result = shared.publish_conntrack_close_event(ConntrackCloseEvent {
-        src: success.peer,
-        dst: local_addr,
-        reason: close_reason,
-    });
-    if !matches!(
-        publish_result,
-        ConntrackClosePublishResult::Sent | ConntrackClosePublishResult::Disabled
-    ) {
-        stats.increment_conntrack_close_event_drop_total();
-    }
-
     relay_result
 }
 
-fn classify_conntrack_close_reason(result: &Result<()>) -> ConntrackCloseReason {
-    match result {
-        Ok(()) => ConntrackCloseReason::NormalEof,
-        Err(crate::error::ProxyError::Io(error))
-            if matches!(error.kind(), std::io::ErrorKind::TimedOut) =>
-        {
-            ConntrackCloseReason::Timeout
-        }
-        Err(crate::error::ProxyError::Io(error))
-            if matches!(
-                error.kind(),
-                std::io::ErrorKind::ConnectionReset
-                    | std::io::ErrorKind::ConnectionAborted
-                    | std::io::ErrorKind::BrokenPipe
-                    | std::io::ErrorKind::NotConnected
-                    | std::io::ErrorKind::UnexpectedEof
-            ) =>
-        {
-            ConntrackCloseReason::Reset
-        }
-        Err(crate::error::ProxyError::Proxy(message))
-            if message.contains("pressure") || message.contains("evicted") =>
-        {
-            ConntrackCloseReason::Pressure
-        }
-        Err(_) => ConntrackCloseReason::Other,
-    }
-}
-
 fn get_dc_addr_static(dc_idx: i16, config: &ProxyConfig) -> Result<SocketAddr> {
     let prefer_v6 = config.network.prefer == 6 && config.network.ipv6.unwrap_or(true);
     let datacenters = if prefer_v6 {

src/proxy/masking.rs

@@ -249,43 +249,6 @@ async fn wait_mask_connect_budget(started: Instant) {
     }
 }
 
-// Log-normal sample bounded to [floor, ceiling]. Median = sqrt(floor * ceiling).
-// Implements Box-Muller transform for standard normal sampling — no external
-// dependency on rand_distr (which is incompatible with rand 0.10).
-// sigma is chosen so ~99% of raw samples land inside [floor, ceiling] before clamp.
-// When floor > ceiling (misconfiguration), returns ceiling (the smaller value).
-// When floor == ceiling, returns that value. When both are 0, returns 0.
-pub(crate) fn sample_lognormal_percentile_bounded(
-    floor: u64,
-    ceiling: u64,
-    rng: &mut impl Rng,
-) -> u64 {
-    if ceiling == 0 && floor == 0 {
-        return 0;
-    }
-    if floor > ceiling {
-        return ceiling;
-    }
-    if floor == ceiling {
-        return floor;
-    }
-    let floor_f = floor.max(1) as f64;
-    let ceiling_f = ceiling.max(1) as f64;
-    let mu = (floor_f.ln() + ceiling_f.ln()) / 2.0;
-    // 4.65 ≈ 2 * 2.326 (double-sided z-score for 99th percentile)
-    let sigma = ((ceiling_f / floor_f).ln() / 4.65).max(0.01);
-    // Box-Muller transform: two uniform samples → one standard normal sample
-    let u1: f64 = rng.random_range(f64::MIN_POSITIVE..1.0);
-    let u2: f64 = rng.random_range(0.0_f64..std::f64::consts::TAU);
-    let normal_sample = (-2.0_f64 * u1.ln()).sqrt() * u2.cos();
-    let raw = (mu + sigma * normal_sample).exp();
-    if raw.is_finite() {
-        (raw as u64).clamp(floor, ceiling)
-    } else {
-        ((floor_f * ceiling_f).sqrt()) as u64
-    }
-}
-
 fn mask_outcome_target_budget(config: &ProxyConfig) -> Duration {
     if config.censorship.mask_timing_normalization_enabled {
         let floor = config.censorship.mask_timing_normalization_floor_ms;
@@ -294,18 +257,14 @@ fn mask_outcome_target_budget(config: &ProxyConfig) -> Duration {
             if ceiling == 0 {
                 return Duration::from_millis(0);
             }
-            // floor=0 stays uniform: log-normal cannot model distribution anchored at zero
             let mut rng = rand::rng();
             return Duration::from_millis(rng.random_range(0..=ceiling));
         }
         if ceiling > floor {
             let mut rng = rand::rng();
-            return Duration::from_millis(sample_lognormal_percentile_bounded(
+            return Duration::from_millis(rng.random_range(floor..=ceiling));
-                floor, ceiling, &mut rng,
-            ));
         }
-        // ceiling <= floor: use the larger value (fail-closed: preserve longer delay)
+        return Duration::from_millis(floor);
-        return Duration::from_millis(floor.max(ceiling));
     }
 
     MASK_TIMEOUT
@@ -1044,11 +1003,3 @@ mod masking_padding_timeout_adversarial_tests;
 #[cfg(all(test, feature = "redteam_offline_expected_fail"))]
 #[path = "tests/masking_offline_target_redteam_expected_fail_tests.rs"]
 mod masking_offline_target_redteam_expected_fail_tests;
-
-#[cfg(test)]
-#[path = "tests/masking_baseline_invariant_tests.rs"]
-mod masking_baseline_invariant_tests;
-
-#[cfg(test)]
-#[path = "tests/masking_lognormal_timing_security_tests.rs"]
-mod masking_lognormal_timing_security_tests;

src/proxy/mod.rs

@@ -67,7 +67,6 @@ pub mod middle_relay;
 pub mod relay;
 pub mod route_mode;
 pub mod session_eviction;
-pub mod shared_state;
 
 pub use client::ClientHandler;
 #[allow(unused_imports)]
@@ -76,15 +75,3 @@ pub use handshake::*;
 pub use masking::*;
 #[allow(unused_imports)]
 pub use relay::*;
-
-#[cfg(test)]
-#[path = "tests/test_harness_common.rs"]
-mod test_harness_common;
-
-#[cfg(test)]
-#[path = "tests/proxy_shared_state_isolation_tests.rs"]
-mod proxy_shared_state_isolation_tests;
-
-#[cfg(test)]
-#[path = "tests/proxy_shared_state_parallel_execution_tests.rs"]
-mod proxy_shared_state_parallel_execution_tests;

src/proxy/relay.rs

@@ -70,7 +70,6 @@ use tracing::{debug, trace, warn};
 ///
 /// iOS keeps Telegram connections alive in background for up to 30 minutes.
 /// Closing earlier causes unnecessary reconnects and handshake overhead.
-#[allow(dead_code)]
 const ACTIVITY_TIMEOUT: Duration = Duration::from_secs(1800);
 
 /// Watchdog check interval — also used for periodic rate logging.
@@ -270,8 +269,6 @@ const QUOTA_NEAR_LIMIT_BYTES: u64 = 64 * 1024;
 const QUOTA_LARGE_CHARGE_BYTES: u64 = 16 * 1024;
 const QUOTA_ADAPTIVE_INTERVAL_MIN_BYTES: u64 = 4 * 1024;
 const QUOTA_ADAPTIVE_INTERVAL_MAX_BYTES: u64 = 64 * 1024;
-const QUOTA_RESERVE_SPIN_RETRIES: usize = 64;
-const QUOTA_RESERVE_MAX_ROUNDS: usize = 8;
 
 #[inline]
 fn quota_adaptive_interval_bytes(remaining_before: u64) -> u64 {
@@ -316,56 +313,6 @@ impl<S: AsyncRead + Unpin> AsyncRead for StatsIo<S> {
                 if n > 0 {
                     let n_to_charge = n as u64;
 
-                    if let (Some(limit), Some(remaining)) = (this.quota_limit, remaining_before) {
-                        let mut reserved_total = None;
-                        let mut reserve_rounds = 0usize;
-                        while reserved_total.is_none() {
-                            let mut saw_contention = false;
-                            for _ in 0..QUOTA_RESERVE_SPIN_RETRIES {
-                                match this.user_stats.quota_try_reserve(n_to_charge, limit) {
-                                    Ok(total) => {
-                                        reserved_total = Some(total);
-                                        break;
-                                    }
-                                    Err(crate::stats::QuotaReserveError::LimitExceeded) => {
-                                        this.quota_exceeded.store(true, Ordering::Release);
-                                        buf.set_filled(before);
-                                        return Poll::Ready(Err(quota_io_error()));
-                                    }
-                                    Err(crate::stats::QuotaReserveError::Contended) => {
-                                        saw_contention = true;
-                                    }
-                                }
-                            }
-                            if reserved_total.is_none() {
-                                reserve_rounds = reserve_rounds.saturating_add(1);
-                                if reserve_rounds >= QUOTA_RESERVE_MAX_ROUNDS {
-                                    this.quota_exceeded.store(true, Ordering::Release);
-                                    buf.set_filled(before);
-                                    return Poll::Ready(Err(quota_io_error()));
-                                }
-                                if saw_contention {
-                                    std::thread::yield_now();
-                                }
-                            }
-                        }
-
-                        if should_immediate_quota_check(remaining, n_to_charge) {
-                            this.quota_bytes_since_check = 0;
-                        } else {
-                            this.quota_bytes_since_check =
-                                this.quota_bytes_since_check.saturating_add(n_to_charge);
-                            let interval = quota_adaptive_interval_bytes(remaining);
-                            if this.quota_bytes_since_check >= interval {
-                                this.quota_bytes_since_check = 0;
-                            }
-                        }
-
-                        if reserved_total.unwrap_or(0) >= limit {
-                            this.quota_exceeded.store(true, Ordering::Release);
-                        }
-                    }
-
                     // C→S: client sent data
                     this.counters
                         .c2s_bytes
@@ -378,6 +325,27 @@ impl<S: AsyncRead + Unpin> AsyncRead for StatsIo<S> {
                     this.stats
                         .increment_user_msgs_from_handle(this.user_stats.as_ref());
 
+                    if let (Some(limit), Some(remaining)) = (this.quota_limit, remaining_before) {
+                        this.stats
+                            .quota_charge_post_write(this.user_stats.as_ref(), n_to_charge);
+                        if should_immediate_quota_check(remaining, n_to_charge) {
+                            this.quota_bytes_since_check = 0;
+                            if this.user_stats.quota_used() >= limit {
+                                this.quota_exceeded.store(true, Ordering::Release);
+                            }
+                        } else {
+                            this.quota_bytes_since_check =
+                                this.quota_bytes_since_check.saturating_add(n_to_charge);
+                            let interval = quota_adaptive_interval_bytes(remaining);
+                            if this.quota_bytes_since_check >= interval {
+                                this.quota_bytes_since_check = 0;
+                                if this.user_stats.quota_used() >= limit {
+                                    this.quota_exceeded.store(true, Ordering::Release);
+                                }
+                            }
+                        }
+                    }
+
                     trace!(user = %this.user, bytes = n, "C->S");
                 }
                 Poll::Ready(Ok(()))
@@ -399,79 +367,18 @@ impl<S: AsyncWrite + Unpin> AsyncWrite for StatsIo<S> {
         }
 
         let mut remaining_before = None;
-        let mut reserved_bytes = 0u64;
-        let mut write_buf = buf;
         if let Some(limit) = this.quota_limit {
-            if !buf.is_empty() {
+            let used_before = this.user_stats.quota_used();
-                let mut reserve_rounds = 0usize;
+            let remaining = limit.saturating_sub(used_before);
-                while reserved_bytes == 0 {
+            if remaining == 0 {
-                    let used_before = this.user_stats.quota_used();
+                this.quota_exceeded.store(true, Ordering::Release);
-                    let remaining = limit.saturating_sub(used_before);
+                return Poll::Ready(Err(quota_io_error()));
-                    if remaining == 0 {
-                        this.quota_exceeded.store(true, Ordering::Release);
-                        return Poll::Ready(Err(quota_io_error()));
-                    }
-                    remaining_before = Some(remaining);
-
-                    let desired = remaining.min(buf.len() as u64);
-                    let mut saw_contention = false;
-                    for _ in 0..QUOTA_RESERVE_SPIN_RETRIES {
-                        match this.user_stats.quota_try_reserve(desired, limit) {
-                            Ok(_) => {
-                                reserved_bytes = desired;
-                                write_buf = &buf[..desired as usize];
-                                break;
-                            }
-                            Err(crate::stats::QuotaReserveError::LimitExceeded) => {
-                                break;
-                            }
-                            Err(crate::stats::QuotaReserveError::Contended) => {
-                                saw_contention = true;
-                            }
-                        }
-                    }
-
-                    if reserved_bytes == 0 {
-                        reserve_rounds = reserve_rounds.saturating_add(1);
-                        if reserve_rounds >= QUOTA_RESERVE_MAX_ROUNDS {
-                            this.quota_exceeded.store(true, Ordering::Release);
-                            return Poll::Ready(Err(quota_io_error()));
-                        }
-                        if saw_contention {
-                            std::thread::yield_now();
-                        }
-                    }
-                }
-            } else {
-                let used_before = this.user_stats.quota_used();
-                let remaining = limit.saturating_sub(used_before);
-                if remaining == 0 {
-                    this.quota_exceeded.store(true, Ordering::Release);
-                    return Poll::Ready(Err(quota_io_error()));
-                }
-                remaining_before = Some(remaining);
             }
+            remaining_before = Some(remaining);
         }
 
-        match Pin::new(&mut this.inner).poll_write(cx, write_buf) {
+        match Pin::new(&mut this.inner).poll_write(cx, buf) {
             Poll::Ready(Ok(n)) => {
-                if reserved_bytes > n as u64 {
-                    let refund = reserved_bytes - n as u64;
-                    let mut current = this.user_stats.quota_used.load(Ordering::Relaxed);
-                    loop {
-                        let next = current.saturating_sub(refund);
-                        match this.user_stats.quota_used.compare_exchange_weak(
-                            current,
-                            next,
-                            Ordering::Relaxed,
-                            Ordering::Relaxed,
-                        ) {
-                            Ok(_) => break,
-                            Err(observed) => current = observed,
-                        }
-                    }
-                }
-
                 if n > 0 {
                     let n_to_charge = n as u64;
 
@@ -488,6 +395,8 @@ impl<S: AsyncWrite + Unpin> AsyncWrite for StatsIo<S> {
                         .increment_user_msgs_to_handle(this.user_stats.as_ref());
 
                     if let (Some(limit), Some(remaining)) = (this.quota_limit, remaining_before) {
+                        this.stats
+                            .quota_charge_post_write(this.user_stats.as_ref(), n_to_charge);
                         if should_immediate_quota_check(remaining, n_to_charge) {
                             this.quota_bytes_since_check = 0;
                             if this.user_stats.quota_used() >= limit {
@@ -510,42 +419,7 @@ impl<S: AsyncWrite + Unpin> AsyncWrite for StatsIo<S> {
                 }
                 Poll::Ready(Ok(n))
             }
-            Poll::Ready(Err(err)) => {
+            other => other,
-                if reserved_bytes > 0 {
-                    let mut current = this.user_stats.quota_used.load(Ordering::Relaxed);
-                    loop {
-                        let next = current.saturating_sub(reserved_bytes);
-                        match this.user_stats.quota_used.compare_exchange_weak(
-                            current,
-                            next,
-                            Ordering::Relaxed,
-                            Ordering::Relaxed,
-                        ) {
-                            Ok(_) => break,
-                            Err(observed) => current = observed,
-                        }
-                    }
-                }
-                Poll::Ready(Err(err))
-            }
-            Poll::Pending => {
-                if reserved_bytes > 0 {
-                    let mut current = this.user_stats.quota_used.load(Ordering::Relaxed);
-                    loop {
-                        let next = current.saturating_sub(reserved_bytes);
-                        match this.user_stats.quota_used.compare_exchange_weak(
-                            current,
-                            next,
-                            Ordering::Relaxed,
-                            Ordering::Relaxed,
-                        ) {
-                            Ok(_) => break,
-                            Err(observed) => current = observed,
-                        }
-                    }
-                }
-                Poll::Pending
-            }
         }
     }
 
@@ -579,7 +453,6 @@ impl<S: AsyncWrite + Unpin> AsyncWrite for StatsIo<S> {
 /// - Clean shutdown: both write sides are shut down on exit
 /// - Error propagation: quota exits return `ProxyError::DataQuotaExceeded`,
 ///   other I/O failures are returned as `ProxyError::Io`
-#[allow(dead_code)]
 pub async fn relay_bidirectional<CR, CW, SR, SW>(
     client_reader: CR,
     client_writer: CW,
@@ -598,42 +471,6 @@ where
     SR: AsyncRead + Unpin + Send + 'static,
     SW: AsyncWrite + Unpin + Send + 'static,
 {
-    relay_bidirectional_with_activity_timeout(
-        client_reader,
-        client_writer,
-        server_reader,
-        server_writer,
-        c2s_buf_size,
-        s2c_buf_size,
-        user,
-        stats,
-        quota_limit,
-        _buffer_pool,
-        ACTIVITY_TIMEOUT,
-    )
-    .await
-}
-
-pub async fn relay_bidirectional_with_activity_timeout<CR, CW, SR, SW>(
-    client_reader: CR,
-    client_writer: CW,
-    server_reader: SR,
-    server_writer: SW,
-    c2s_buf_size: usize,
-    s2c_buf_size: usize,
-    user: &str,
-    stats: Arc<Stats>,
-    quota_limit: Option<u64>,
-    _buffer_pool: Arc<BufferPool>,
-    activity_timeout: Duration,
-) -> Result<()>
-where
-    CR: AsyncRead + Unpin + Send + 'static,
-    CW: AsyncWrite + Unpin + Send + 'static,
-    SR: AsyncRead + Unpin + Send + 'static,
-    SW: AsyncWrite + Unpin + Send + 'static,
-{
-    let activity_timeout = activity_timeout.max(Duration::from_secs(1));
     let epoch = Instant::now();
     let counters = Arc::new(SharedCounters::new());
     let quota_exceeded = Arc::new(AtomicBool::new(false));
@@ -675,7 +512,7 @@ where
             }
 
             // ── Activity timeout ────────────────────────────────────
-            if idle >= activity_timeout {
+            if idle >= ACTIVITY_TIMEOUT {
                 let c2s = wd_counters.c2s_bytes.load(Ordering::Relaxed);
                 let s2c = wd_counters.s2c_bytes.load(Ordering::Relaxed);
                 warn!(
@@ -834,7 +671,3 @@ mod relay_watchdog_delta_security_tests;
 #[cfg(test)]
 #[path = "tests/relay_atomic_quota_invariant_tests.rs"]
 mod relay_atomic_quota_invariant_tests;
-
-#[cfg(test)]
-#[path = "tests/relay_baseline_invariant_tests.rs"]
-mod relay_baseline_invariant_tests;

src/proxy/shared_state.rs

@@ -1,165 +0,0 @@
-use std::collections::HashSet;
-use std::collections::hash_map::RandomState;
-use std::net::{IpAddr, SocketAddr};
-use std::sync::atomic::{AtomicBool, AtomicU32, AtomicU64, Ordering};
-use std::sync::{Arc, Mutex};
-use std::time::Instant;
-
-use dashmap::DashMap;
-use tokio::sync::mpsc;
-
-use crate::proxy::handshake::{AuthProbeSaturationState, AuthProbeState};
-use crate::proxy::middle_relay::{DesyncDedupRotationState, RelayIdleCandidateRegistry};
-
-const HANDSHAKE_RECENT_USER_RING_LEN: usize = 64;
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
-pub(crate) enum ConntrackCloseReason {
-    NormalEof,
-    Timeout,
-    Pressure,
-    Reset,
-    Other,
-}
-
-#[derive(Debug, Clone, Copy)]
-pub(crate) struct ConntrackCloseEvent {
-    pub(crate) src: SocketAddr,
-    pub(crate) dst: SocketAddr,
-    pub(crate) reason: ConntrackCloseReason,
-}
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
-pub(crate) enum ConntrackClosePublishResult {
-    Sent,
-    Disabled,
-    QueueFull,
-    QueueClosed,
-}
-
-pub(crate) struct HandshakeSharedState {
-    pub(crate) auth_probe: DashMap<IpAddr, AuthProbeState>,
-    pub(crate) auth_probe_saturation: Mutex<Option<AuthProbeSaturationState>>,
-    pub(crate) auth_probe_eviction_hasher: RandomState,
-    pub(crate) invalid_secret_warned: Mutex<HashSet<(String, String)>>,
-    pub(crate) unknown_sni_warn_next_allowed: Mutex<Option<Instant>>,
-    pub(crate) sticky_user_by_ip: DashMap<IpAddr, u32>,
-    pub(crate) sticky_user_by_ip_prefix: DashMap<u64, u32>,
-    pub(crate) sticky_user_by_sni_hash: DashMap<u64, u32>,
-    pub(crate) recent_user_ring: Box<[AtomicU32]>,
-    pub(crate) recent_user_ring_seq: AtomicU64,
-    pub(crate) auth_expensive_checks_total: AtomicU64,
-    pub(crate) auth_budget_exhausted_total: AtomicU64,
-}
-
-pub(crate) struct MiddleRelaySharedState {
-    pub(crate) desync_dedup: DashMap<u64, Instant>,
-    pub(crate) desync_dedup_previous: DashMap<u64, Instant>,
-    pub(crate) desync_hasher: RandomState,
-    pub(crate) desync_full_cache_last_emit_at: Mutex<Option<Instant>>,
-    pub(crate) desync_dedup_rotation_state: Mutex<DesyncDedupRotationState>,
-    pub(crate) relay_idle_registry: Mutex<RelayIdleCandidateRegistry>,
-    pub(crate) relay_idle_mark_seq: AtomicU64,
-}
-
-pub(crate) struct ProxySharedState {
-    pub(crate) handshake: HandshakeSharedState,
-    pub(crate) middle_relay: MiddleRelaySharedState,
-    pub(crate) conntrack_pressure_active: AtomicBool,
-    pub(crate) conntrack_close_tx: Mutex<Option<mpsc::Sender<ConntrackCloseEvent>>>,
-}
-
-impl ProxySharedState {
-    pub(crate) fn new() -> Arc<Self> {
-        Arc::new(Self {
-            handshake: HandshakeSharedState {
-                auth_probe: DashMap::new(),
-                auth_probe_saturation: Mutex::new(None),
-                auth_probe_eviction_hasher: RandomState::new(),
-                invalid_secret_warned: Mutex::new(HashSet::new()),
-                unknown_sni_warn_next_allowed: Mutex::new(None),
-                sticky_user_by_ip: DashMap::new(),
-                sticky_user_by_ip_prefix: DashMap::new(),
-                sticky_user_by_sni_hash: DashMap::new(),
-                recent_user_ring: std::iter::repeat_with(|| AtomicU32::new(0))
-                    .take(HANDSHAKE_RECENT_USER_RING_LEN)
-                    .collect::<Vec<_>>()
-                    .into_boxed_slice(),
-                recent_user_ring_seq: AtomicU64::new(0),
-                auth_expensive_checks_total: AtomicU64::new(0),
-                auth_budget_exhausted_total: AtomicU64::new(0),
-            },
-            middle_relay: MiddleRelaySharedState {
-                desync_dedup: DashMap::new(),
-                desync_dedup_previous: DashMap::new(),
-                desync_hasher: RandomState::new(),
-                desync_full_cache_last_emit_at: Mutex::new(None),
-                desync_dedup_rotation_state: Mutex::new(DesyncDedupRotationState::default()),
-                relay_idle_registry: Mutex::new(RelayIdleCandidateRegistry::default()),
-                relay_idle_mark_seq: AtomicU64::new(0),
-            },
-            conntrack_pressure_active: AtomicBool::new(false),
-            conntrack_close_tx: Mutex::new(None),
-        })
-    }
-
-    pub(crate) fn set_conntrack_close_sender(&self, tx: mpsc::Sender<ConntrackCloseEvent>) {
-        match self.conntrack_close_tx.lock() {
-            Ok(mut guard) => {
-                *guard = Some(tx);
-            }
-            Err(poisoned) => {
-                let mut guard = poisoned.into_inner();
-                *guard = Some(tx);
-                self.conntrack_close_tx.clear_poison();
-            }
-        }
-    }
-
-    pub(crate) fn disable_conntrack_close_sender(&self) {
-        match self.conntrack_close_tx.lock() {
-            Ok(mut guard) => {
-                *guard = None;
-            }
-            Err(poisoned) => {
-                let mut guard = poisoned.into_inner();
-                *guard = None;
-                self.conntrack_close_tx.clear_poison();
-            }
-        }
-    }
-
-    pub(crate) fn publish_conntrack_close_event(
-        &self,
-        event: ConntrackCloseEvent,
-    ) -> ConntrackClosePublishResult {
-        let tx = match self.conntrack_close_tx.lock() {
-            Ok(guard) => guard.clone(),
-            Err(poisoned) => {
-                let guard = poisoned.into_inner();
-                let cloned = guard.clone();
-                self.conntrack_close_tx.clear_poison();
-                cloned
-            }
-        };
-
-        let Some(tx) = tx else {
-            return ConntrackClosePublishResult::Disabled;
-        };
-
-        match tx.try_send(event) {
-            Ok(()) => ConntrackClosePublishResult::Sent,
-            Err(mpsc::error::TrySendError::Full(_)) => ConntrackClosePublishResult::QueueFull,
-            Err(mpsc::error::TrySendError::Closed(_)) => ConntrackClosePublishResult::QueueClosed,
-        }
-    }
-
-    pub(crate) fn set_conntrack_pressure_active(&self, active: bool) {
-        self.conntrack_pressure_active
-            .store(active, Ordering::Relaxed);
-    }
-
-    pub(crate) fn conntrack_pressure_active(&self) -> bool {
-        self.conntrack_pressure_active.load(Ordering::Relaxed)
-    }
-}

src/proxy/tests/adaptive_buffers_record_race_security_tests.rs

@@ -1,260 +0,0 @@
-use super::*;
-use std::sync::Arc;
-use std::sync::atomic::{AtomicUsize, Ordering};
-use std::time::{Duration, Instant};
-
-static RACE_TEST_KEY_COUNTER: AtomicUsize = AtomicUsize::new(1_000_000);
-
-fn race_unique_key(prefix: &str) -> String {
-    let id = RACE_TEST_KEY_COUNTER.fetch_add(1, Ordering::Relaxed);
-    format!("{}_{}", prefix, id)
-}
-
-// ── TOCTOU race: concurrent record_user_tier can downgrade tier ─────────
-// Two threads call record_user_tier for the same NEW user simultaneously.
-// Thread A records Tier1, Thread B records Base. Without atomic entry API,
-// the insert() call overwrites without max(), causing Tier1 → Base downgrade.
-
-#[test]
-fn adaptive_record_concurrent_insert_no_tier_downgrade() {
-    // Run multiple rounds to increase race detection probability.
-    for round in 0..50 {
-        let key = race_unique_key(&format!("race_downgrade_{}", round));
-        let key_a = key.clone();
-        let key_b = key.clone();
-
-        let barrier = Arc::new(std::sync::Barrier::new(2));
-        let barrier_a = Arc::clone(&barrier);
-        let barrier_b = Arc::clone(&barrier);
-
-        let ha = std::thread::spawn(move || {
-            barrier_a.wait();
-            record_user_tier(&key_a, AdaptiveTier::Tier2);
-        });
-
-        let hb = std::thread::spawn(move || {
-            barrier_b.wait();
-            record_user_tier(&key_b, AdaptiveTier::Base);
-        });
-
-        ha.join().expect("thread A panicked");
-        hb.join().expect("thread B panicked");
-
-        let result = seed_tier_for_user(&key);
-        profiles().remove(&key);
-
-        // The final tier must be at least Tier2, never downgraded to Base.
-        // With correct max() semantics: max(Tier2, Base) = Tier2.
-        assert!(
-            result >= AdaptiveTier::Tier2,
-            "Round {}: concurrent insert downgraded tier from Tier2 to {:?}",
-            round,
-            result,
-        );
-    }
-}
-
-// ── TOCTOU race: three threads write three tiers, highest must survive ──
-
-#[test]
-fn adaptive_record_triple_concurrent_insert_highest_tier_survives() {
-    for round in 0..30 {
-        let key = race_unique_key(&format!("triple_race_{}", round));
-        let barrier = Arc::new(std::sync::Barrier::new(3));
-
-        let handles: Vec<_> = [AdaptiveTier::Base, AdaptiveTier::Tier1, AdaptiveTier::Tier3]
-            .into_iter()
-            .map(|tier| {
-                let k = key.clone();
-                let b = Arc::clone(&barrier);
-                std::thread::spawn(move || {
-                    b.wait();
-                    record_user_tier(&k, tier);
-                })
-            })
-            .collect();
-
-        for h in handles {
-            h.join().expect("thread panicked");
-        }
-
-        let result = seed_tier_for_user(&key);
-        profiles().remove(&key);
-
-        assert!(
-            result >= AdaptiveTier::Tier3,
-            "Round {}: triple concurrent insert didn't preserve Tier3, got {:?}",
-            round,
-            result,
-        );
-    }
-}
-
-// ── Stress: 20 threads writing different tiers to same key ──────────────
-
-#[test]
-fn adaptive_record_20_concurrent_writers_no_panic_no_downgrade() {
-    let key = race_unique_key("stress_20");
-    let barrier = Arc::new(std::sync::Barrier::new(20));
-
-    let handles: Vec<_> = (0..20u32)
-        .map(|i| {
-            let k = key.clone();
-            let b = Arc::clone(&barrier);
-            std::thread::spawn(move || {
-                b.wait();
-                let tier = match i % 4 {
-                    0 => AdaptiveTier::Base,
-                    1 => AdaptiveTier::Tier1,
-                    2 => AdaptiveTier::Tier2,
-                    _ => AdaptiveTier::Tier3,
-                };
-                for _ in 0..100 {
-                    record_user_tier(&k, tier);
-                }
-            })
-        })
-        .collect();
-
-    for h in handles {
-        h.join().expect("thread panicked");
-    }
-
-    let result = seed_tier_for_user(&key);
-    profiles().remove(&key);
-
-    // At least one thread writes Tier3, max() should preserve it
-    assert!(
-        result >= AdaptiveTier::Tier3,
-        "20 concurrent writers: expected at least Tier3, got {:?}",
-        result,
-    );
-}
-
-// ── TOCTOU: seed reads stale, concurrent record inserts fresh ───────────
-// Verifies remove_if predicate preserves fresh insertions.
-
-#[test]
-fn adaptive_seed_and_record_race_preserves_fresh_entry() {
-    for round in 0..30 {
-        let key = race_unique_key(&format!("seed_record_race_{}", round));
-
-        // Plant a stale entry
-        let stale_time = Instant::now() - Duration::from_secs(600);
-        profiles().insert(
-            key.clone(),
-            UserAdaptiveProfile {
-                tier: AdaptiveTier::Tier1,
-                seen_at: stale_time,
-            },
-        );
-
-        let key_seed = key.clone();
-        let key_record = key.clone();
-        let barrier = Arc::new(std::sync::Barrier::new(2));
-        let barrier_s = Arc::clone(&barrier);
-        let barrier_r = Arc::clone(&barrier);
-
-        let h_seed = std::thread::spawn(move || {
-            barrier_s.wait();
-            seed_tier_for_user(&key_seed)
-        });
-
-        let h_record = std::thread::spawn(move || {
-            barrier_r.wait();
-            record_user_tier(&key_record, AdaptiveTier::Tier3);
-        });
-
-        let _seed_result = h_seed.join().expect("seed thread panicked");
-        h_record.join().expect("record thread panicked");
-
-        let final_result = seed_tier_for_user(&key);
-        profiles().remove(&key);
-
-        // Fresh Tier3 entry should survive the stale-removal race.
-        // Due to non-deterministic scheduling, the outcome depends on ordering:
-        // - If record wins: Tier3 is present, seed returns Tier3
-        // - If seed wins: stale entry removed, then record inserts Tier3
-        // Either way, Tier3 should be visible after both complete.
-        assert!(
-            final_result == AdaptiveTier::Tier3 || final_result == AdaptiveTier::Base,
-            "Round {}: unexpected tier after seed+record race: {:?}",
-            round,
-            final_result,
-        );
-    }
-}
-
-// ── Eviction safety: retain() during concurrent inserts ─────────────────
-
-#[test]
-fn adaptive_eviction_during_concurrent_inserts_no_panic() {
-    let prefix = race_unique_key("evict_conc");
-    let stale_time = Instant::now() - Duration::from_secs(600);
-
-    // Pre-fill with stale entries to push past the eviction threshold
-    for i in 0..100 {
-        let k = format!("{}_{}", prefix, i);
-        profiles().insert(
-            k,
-            UserAdaptiveProfile {
-                tier: AdaptiveTier::Base,
-                seen_at: stale_time,
-            },
-        );
-    }
-
-    let barrier = Arc::new(std::sync::Barrier::new(10));
-    let handles: Vec<_> = (0..10)
-        .map(|t| {
-            let b = Arc::clone(&barrier);
-            let pfx = prefix.clone();
-            std::thread::spawn(move || {
-                b.wait();
-                for i in 0..50 {
-                    let k = format!("{}_t{}_{}", pfx, t, i);
-                    record_user_tier(&k, AdaptiveTier::Tier1);
-                }
-            })
-        })
-        .collect();
-
-    for h in handles {
-        h.join().expect("eviction thread panicked");
-    }
-
-    // Cleanup
-    profiles().retain(|k, _| !k.starts_with(&prefix));
-}
-
-// ── Adversarial: attacker races insert+seed in tight loop ───────────────
-
-#[test]
-fn adaptive_tight_loop_insert_seed_race_no_panic() {
-    let key = race_unique_key("tight_loop");
-    let key_w = key.clone();
-    let key_r = key.clone();
-
-    let done = Arc::new(std::sync::atomic::AtomicBool::new(false));
-    let done_w = Arc::clone(&done);
-    let done_r = Arc::clone(&done);
-
-    let writer = std::thread::spawn(move || {
-        while !done_w.load(Ordering::Relaxed) {
-            record_user_tier(&key_w, AdaptiveTier::Tier2);
-        }
-    });
-
-    let reader = std::thread::spawn(move || {
-        while !done_r.load(Ordering::Relaxed) {
-            let _ = seed_tier_for_user(&key_r);
-        }
-    });
-
-    std::thread::sleep(Duration::from_millis(100));
-    done.store(true, Ordering::Relaxed);
-
-    writer.join().expect("writer panicked");
-    reader.join().expect("reader panicked");
-    profiles().remove(&key);
-}

src/proxy/tests/adaptive_buffers_security_tests.rs

@@ -1,453 +0,0 @@
-use super::*;
-use std::sync::atomic::{AtomicUsize, Ordering};
-use std::time::{Duration, Instant};
-
-// Unique key generator to avoid test interference through the global DashMap.
-static TEST_KEY_COUNTER: AtomicUsize = AtomicUsize::new(0);
-
-fn unique_key(prefix: &str) -> String {
-    let id = TEST_KEY_COUNTER.fetch_add(1, Ordering::Relaxed);
-    format!("{}_{}", prefix, id)
-}
-
-// ── Positive / Lifecycle ────────────────────────────────────────────────
-
-#[test]
-fn adaptive_seed_unknown_user_returns_base() {
-    let key = unique_key("seed_unknown");
-    assert_eq!(seed_tier_for_user(&key), AdaptiveTier::Base);
-}
-
-#[test]
-fn adaptive_record_then_seed_returns_recorded_tier() {
-    let key = unique_key("record_seed");
-    record_user_tier(&key, AdaptiveTier::Tier1);
-    assert_eq!(seed_tier_for_user(&key), AdaptiveTier::Tier1);
-}
-
-#[test]
-fn adaptive_separate_users_have_independent_tiers() {
-    let key_a = unique_key("indep_a");
-    let key_b = unique_key("indep_b");
-    record_user_tier(&key_a, AdaptiveTier::Tier1);
-    record_user_tier(&key_b, AdaptiveTier::Tier2);
-    assert_eq!(seed_tier_for_user(&key_a), AdaptiveTier::Tier1);
-    assert_eq!(seed_tier_for_user(&key_b), AdaptiveTier::Tier2);
-}
-
-#[test]
-fn adaptive_record_upgrades_tier_within_ttl() {
-    let key = unique_key("upgrade");
-    record_user_tier(&key, AdaptiveTier::Base);
-    record_user_tier(&key, AdaptiveTier::Tier1);
-    assert_eq!(seed_tier_for_user(&key), AdaptiveTier::Tier1);
-}
-
-#[test]
-fn adaptive_record_does_not_downgrade_within_ttl() {
-    let key = unique_key("no_downgrade");
-    record_user_tier(&key, AdaptiveTier::Tier2);
-    record_user_tier(&key, AdaptiveTier::Base);
-    // max(Tier2, Base) = Tier2 — within TTL the higher tier is retained
-    assert_eq!(seed_tier_for_user(&key), AdaptiveTier::Tier2);
-}
-
-// ── Edge Cases ──────────────────────────────────────────────────────────
-
-#[test]
-fn adaptive_base_tier_buffers_unchanged() {
-    let (c2s, s2c) = direct_copy_buffers_for_tier(AdaptiveTier::Base, 65536, 262144);
-    assert_eq!(c2s, 65536);
-    assert_eq!(s2c, 262144);
-}
-
-#[test]
-fn adaptive_tier1_buffers_within_caps() {
-    let (c2s, s2c) = direct_copy_buffers_for_tier(AdaptiveTier::Tier1, 65536, 262144);
-    assert!(c2s > 65536, "Tier1 c2s should exceed Base");
-    assert!(
-        c2s <= 128 * 1024,
-        "Tier1 c2s should not exceed DIRECT_C2S_CAP_BYTES"
-    );
-    assert!(s2c > 262144, "Tier1 s2c should exceed Base");
-    assert!(
-        s2c <= 512 * 1024,
-        "Tier1 s2c should not exceed DIRECT_S2C_CAP_BYTES"
-    );
-}
-
-#[test]
-fn adaptive_tier3_buffers_capped() {
-    let (c2s, s2c) = direct_copy_buffers_for_tier(AdaptiveTier::Tier3, 65536, 262144);
-    assert!(c2s <= 128 * 1024, "Tier3 c2s must not exceed cap");
-    assert!(s2c <= 512 * 1024, "Tier3 s2c must not exceed cap");
-}
-
-#[test]
-fn adaptive_scale_zero_base_returns_at_least_one() {
-    // scale(0, num, den, cap) should return at least 1 (the .max(1) guard)
-    let (c2s, s2c) = direct_copy_buffers_for_tier(AdaptiveTier::Tier1, 0, 0);
-    assert!(c2s >= 1);
-    assert!(s2c >= 1);
-}
-
-// ── Stale Entry Handling ────────────────────────────────────────────────
-
-#[test]
-fn adaptive_stale_profile_returns_base_tier() {
-    let key = unique_key("stale_base");
-    // Manually insert a stale entry with seen_at in the far past.
-    // PROFILE_TTL = 300s, so 600s ago is well past expiry.
-    let stale_time = Instant::now() - Duration::from_secs(600);
-    profiles().insert(
-        key.clone(),
-        UserAdaptiveProfile {
-            tier: AdaptiveTier::Tier3,
-            seen_at: stale_time,
-        },
-    );
-    assert_eq!(
-        seed_tier_for_user(&key),
-        AdaptiveTier::Base,
-        "Stale profile should return Base"
-    );
-}
-
-// RED TEST: exposes the stale entry leak bug.
-// After seed_tier_for_user returns Base for a stale entry, the entry should be
-// removed from the cache. Currently it is NOT removed — stale entries accumulate
-// indefinitely, consuming memory.
-#[test]
-fn adaptive_stale_entry_removed_after_seed() {
-    let key = unique_key("stale_removal");
-    let stale_time = Instant::now() - Duration::from_secs(600);
-    profiles().insert(
-        key.clone(),
-        UserAdaptiveProfile {
-            tier: AdaptiveTier::Tier2,
-            seen_at: stale_time,
-        },
-    );
-    let _ = seed_tier_for_user(&key);
-    // After seeding, the stale entry should have been removed.
-    assert!(
-        !profiles().contains_key(&key),
-        "Stale entry should be removed from cache after seed_tier_for_user"
-    );
-}
-
-// ── Cardinality Attack / Unbounded Growth ───────────────────────────────
-
-// RED TEST: exposes the missing eviction cap.
-// An attacker who can trigger record_user_tier with arbitrary user keys can
-// grow the global DashMap without bound, exhausting server memory.
-// After inserting MAX_USER_PROFILES_ENTRIES + 1 stale entries, record_user_tier
-// must trigger retain()-based eviction that purges all stale entries.
-#[test]
-fn adaptive_profile_cache_bounded_under_cardinality_attack() {
-    let prefix = unique_key("cardinality");
-    let stale_time = Instant::now() - Duration::from_secs(600);
-    let n = MAX_USER_PROFILES_ENTRIES + 1;
-    for i in 0..n {
-        let key = format!("{}_{}", prefix, i);
-        profiles().insert(
-            key,
-            UserAdaptiveProfile {
-                tier: AdaptiveTier::Base,
-                seen_at: stale_time,
-            },
-        );
-    }
-    // This insert should push the cache over MAX_USER_PROFILES_ENTRIES and trigger eviction.
-    let trigger_key = unique_key("cardinality_trigger");
-    record_user_tier(&trigger_key, AdaptiveTier::Base);
-
-    // Count surviving stale entries.
-    let mut surviving_stale = 0;
-    for i in 0..n {
-        let key = format!("{}_{}", prefix, i);
-        if profiles().contains_key(&key) {
-            surviving_stale += 1;
-        }
-    }
-    // Cleanup: remove anything that survived + the trigger key.
-    for i in 0..n {
-        let key = format!("{}_{}", prefix, i);
-        profiles().remove(&key);
-    }
-    profiles().remove(&trigger_key);
-
-    // All stale entries (600s past PROFILE_TTL=300s) should have been evicted.
-    assert_eq!(
-        surviving_stale, 0,
-        "All {} stale entries should be evicted, but {} survived",
-        n, surviving_stale
-    );
-}
-
-// ── Key Length Validation ────────────────────────────────────────────────
-
-// RED TEST: exposes missing key length validation.
-// An attacker can submit arbitrarily large user keys, each consuming memory
-// for the String allocation in the DashMap key.
-#[test]
-fn adaptive_oversized_user_key_rejected_on_record() {
-    let oversized_key: String = "X".repeat(1024); // 1KB key — should be rejected
-    record_user_tier(&oversized_key, AdaptiveTier::Tier1);
-    // With key length validation, the oversized key should NOT be stored.
-    let stored = profiles().contains_key(&oversized_key);
-    // Cleanup regardless
-    profiles().remove(&oversized_key);
-    assert!(
-        !stored,
-        "Oversized user key (1024 bytes) should be rejected by record_user_tier"
-    );
-}
-
-#[test]
-fn adaptive_oversized_user_key_rejected_on_seed() {
-    let oversized_key: String = "X".repeat(1024);
-    // Insert it directly to test seed behavior
-    profiles().insert(
-        oversized_key.clone(),
-        UserAdaptiveProfile {
-            tier: AdaptiveTier::Tier3,
-            seen_at: Instant::now(),
-        },
-    );
-    let result = seed_tier_for_user(&oversized_key);
-    profiles().remove(&oversized_key);
-    assert_eq!(
-        result,
-        AdaptiveTier::Base,
-        "Oversized user key should return Base from seed_tier_for_user"
-    );
-}
-
-#[test]
-fn adaptive_empty_user_key_safe() {
-    // Empty string is a valid (if unusual) key — should not panic
-    record_user_tier("", AdaptiveTier::Tier1);
-    let tier = seed_tier_for_user("");
-    profiles().remove("");
-    assert_eq!(tier, AdaptiveTier::Tier1);
-}
-
-#[test]
-fn adaptive_max_length_key_accepted() {
-    // A key at exactly 512 bytes should be accepted
-    let key: String = "K".repeat(512);
-    record_user_tier(&key, AdaptiveTier::Tier1);
-    let tier = seed_tier_for_user(&key);
-    profiles().remove(&key);
-    assert_eq!(tier, AdaptiveTier::Tier1);
-}
-
-// ── Concurrent Access Safety ────────────────────────────────────────────
-
-#[test]
-fn adaptive_concurrent_record_and_seed_no_torn_read() {
-    let key = unique_key("concurrent_rw");
-    let key_clone = key.clone();
-
-    // Record from multiple threads simultaneously
-    let handles: Vec<_> = (0..10)
-        .map(|i| {
-            let k = key_clone.clone();
-            std::thread::spawn(move || {
-                let tier = if i % 2 == 0 {
-                    AdaptiveTier::Tier1
-                } else {
-                    AdaptiveTier::Tier2
-                };
-                record_user_tier(&k, tier);
-            })
-        })
-        .collect();
-
-    for h in handles {
-        h.join().expect("thread panicked");
-    }
-
-    let result = seed_tier_for_user(&key);
-    profiles().remove(&key);
-    // Result must be one of the recorded tiers, not a corrupted value
-    assert!(
-        result == AdaptiveTier::Tier1 || result == AdaptiveTier::Tier2,
-        "Concurrent writes produced unexpected tier: {:?}",
-        result
-    );
-}
-
-#[test]
-fn adaptive_concurrent_seed_does_not_panic() {
-    let key = unique_key("concurrent_seed");
-    record_user_tier(&key, AdaptiveTier::Tier1);
-    let key_clone = key.clone();
-
-    let handles: Vec<_> = (0..20)
-        .map(|_| {
-            let k = key_clone.clone();
-            std::thread::spawn(move || {
-                for _ in 0..100 {
-                    let _ = seed_tier_for_user(&k);
-                }
-            })
-        })
-        .collect();
-
-    for h in handles {
-        h.join().expect("concurrent seed panicked");
-    }
-    profiles().remove(&key);
-}
-
-// ── TOCTOU: Concurrent seed + record race ───────────────────────────────
-
-// RED TEST: seed_tier_for_user reads a stale entry, drops the reference,
-// then another thread inserts a fresh entry. If seed then removes unconditionally
-// (without atomic predicate), the fresh entry is lost. With remove_if, the
-// fresh entry survives.
-#[test]
-fn adaptive_remove_if_does_not_delete_fresh_concurrent_insert() {
-    let key = unique_key("toctou");
-    let stale_time = Instant::now() - Duration::from_secs(600);
-    profiles().insert(
-        key.clone(),
-        UserAdaptiveProfile {
-            tier: AdaptiveTier::Tier1,
-            seen_at: stale_time,
-        },
-    );
-
-    // Thread A: seed_tier (will see stale, should attempt removal)
-    // Thread B: record_user_tier (inserts fresh entry concurrently)
-    let key_a = key.clone();
-    let key_b = key.clone();
-
-    let handle_b = std::thread::spawn(move || {
-        // Small yield to increase chance of interleaving
-        std::thread::yield_now();
-        record_user_tier(&key_b, AdaptiveTier::Tier3);
-    });
-
-    let _ = seed_tier_for_user(&key_a);
-
-    handle_b.join().expect("thread B panicked");
-
-    // After both operations, the fresh Tier3 entry should survive.
-    // With a correct remove_if predicate, the fresh entry is NOT deleted.
-    // Without remove_if (current code), the entry may be lost.
-    let final_tier = seed_tier_for_user(&key);
-    profiles().remove(&key);
-
-    // The fresh Tier3 entry should survive the stale-removal race.
-    // Note: Due to non-deterministic scheduling, this test may pass even
-    // without the fix if thread B wins the race. Run with --test-threads=1
-    // or multiple iterations for reliable detection.
-    assert!(
-        final_tier == AdaptiveTier::Tier3 || final_tier == AdaptiveTier::Base,
-        "Unexpected tier after TOCTOU race: {:?}",
-        final_tier
-    );
-}
-
-// ── Fuzz: Random keys ──────────────────────────────────────────────────
-
-#[test]
-fn adaptive_fuzz_random_keys_no_panic() {
-    use rand::{Rng, RngExt};
-    let mut rng = rand::rng();
-    let mut keys = Vec::new();
-    for _ in 0..200 {
-        let len: usize = rng.random_range(0..=256);
-        let key: String = (0..len)
-            .map(|_| {
-                let c: u8 = rng.random_range(0x20..=0x7E);
-                c as char
-            })
-            .collect();
-        record_user_tier(&key, AdaptiveTier::Tier1);
-        let _ = seed_tier_for_user(&key);
-        keys.push(key);
-    }
-    // Cleanup
-    for key in &keys {
-        profiles().remove(key);
-    }
-}
-
-// ── average_throughput_to_tier (proposed function, tests the mapping) ────
-
-// These tests verify the function that will be added in PR-D.
-// They are written against the current code's constant definitions.
-
-#[test]
-fn adaptive_throughput_mapping_below_threshold_is_base() {
-    // 7 Mbps < 8 Mbps threshold → Base
-    // 7 Mbps = 7_000_000 bps = 875_000 bytes/s over 10s = 8_750_000 bytes
-    // max(c2s, s2c) determines direction
-    let c2s_bytes: u64 = 8_750_000;
-    let s2c_bytes: u64 = 1_000_000;
-    let duration_secs: f64 = 10.0;
-    let avg_bps = (c2s_bytes.max(s2c_bytes) as f64 * 8.0) / duration_secs;
-    // 8_750_000 * 8 / 10 = 7_000_000 bps = 7 Mbps → Base
-    assert!(
-        avg_bps < THROUGHPUT_UP_BPS,
-        "Should be below threshold: {} < {}",
-        avg_bps,
-        THROUGHPUT_UP_BPS,
-    );
-}
-
-#[test]
-fn adaptive_throughput_mapping_above_threshold_is_tier1() {
-    // 10 Mbps > 8 Mbps threshold → Tier1
-    let bytes_10mbps_10s: u64 = 12_500_000; // 10 Mbps * 10s / 8 = 12_500_000 bytes
-    let duration_secs: f64 = 10.0;
-    let avg_bps = (bytes_10mbps_10s as f64 * 8.0) / duration_secs;
-    assert!(
-        avg_bps >= THROUGHPUT_UP_BPS,
-        "Should be above threshold: {} >= {}",
-        avg_bps,
-        THROUGHPUT_UP_BPS,
-    );
-}
-
-#[test]
-fn adaptive_throughput_short_session_should_return_base() {
-    // Sessions shorter than 1 second should not promote (too little data to judge)
-    let duration_secs: f64 = 0.5;
-    // Even with high throughput, short sessions should return Base
-    assert!(
-        duration_secs < 1.0,
-        "Short session duration guard should activate"
-    );
-}
-
-// ── me_flush_policy_for_tier ────────────────────────────────────────────
-
-#[test]
-fn adaptive_me_flush_base_unchanged() {
-    let (frames, bytes, delay) =
-        me_flush_policy_for_tier(AdaptiveTier::Base, 32, 65536, Duration::from_micros(1000));
-    assert_eq!(frames, 32);
-    assert_eq!(bytes, 65536);
-    assert_eq!(delay, Duration::from_micros(1000));
-}
-
-#[test]
-fn adaptive_me_flush_tier1_delay_reduced() {
-    let (_, _, delay) =
-        me_flush_policy_for_tier(AdaptiveTier::Tier1, 32, 65536, Duration::from_micros(1000));
-    // Tier1: delay * 7/10 = 700 µs
-    assert_eq!(delay, Duration::from_micros(700));
-}
-
-#[test]
-fn adaptive_me_flush_delay_never_below_minimum() {
-    let (_, _, delay) =
-        me_flush_policy_for_tier(AdaptiveTier::Tier3, 32, 65536, Duration::from_micros(200));
-    // Tier3: 200 * 3/10 = 60, but min is ME_DELAY_MIN_US = 150
-    assert!(delay.as_micros() >= 150, "Delay must respect minimum");
-}

src/proxy/tests/client_clever_advanced_tests.rs

@@ -94,7 +94,6 @@ async fn adversarial_tls_handshake_timeout_during_masking_delay() {
             1,
             1,
             1,
-            10,
             1,
             false,
             stats.clone(),
@@ -142,7 +141,6 @@ async fn blackhat_proxy_protocol_slowloris_timeout() {
             1,
             1,
             1,
-            10,
             1,
             false,
             stats.clone(),
@@ -195,7 +193,6 @@ async fn negative_proxy_protocol_enabled_but_client_sends_tls_hello() {
             1,
             1,
             1,
-            10,
             1,
             false,
             stats.clone(),
@@ -242,7 +239,6 @@ async fn edge_client_stream_exactly_4_bytes_eof() {
             1,
             1,
             1,
-            10,
             1,
             false,
             stats.clone(),
@@ -286,7 +282,6 @@ async fn edge_client_stream_tls_header_valid_but_body_1_byte_short_eof() {
             1,
             1,
             1,
-            10,
             1,
             false,
             stats.clone(),
@@ -333,7 +328,6 @@ async fn integration_non_tls_modes_disabled_immediately_masks() {
             1,
             1,
             1,
-            10,
             1,
             false,
             stats.clone(),

src/proxy/tests/client_deep_invariants_tests.rs

@@ -47,7 +47,6 @@ async fn invariant_tls_clienthello_truncation_exact_boundary_triggers_masking()
             1,
             1,
             1,
-            10,
             1,
             false,
             stats.clone(),
@@ -178,7 +177,6 @@ async fn invariant_direct_mode_partial_header_eof_is_error_not_bad_connect() {
             1,
             1,
             1,
-            10,
             1,
             false,
             stats.clone(),

src/proxy/tests/client_masking_blackhat_campaign_tests.rs

@@ -40,7 +40,6 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats,

src/proxy/tests/client_masking_budget_security_tests.rs

@@ -36,7 +36,6 @@ fn build_harness(config: ProxyConfig) -> PipelineHarness {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),

src/proxy/tests/client_masking_diagnostics_security_tests.rs

@@ -20,7 +20,6 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats,

src/proxy/tests/client_masking_fragmented_classifier_security_tests.rs

@@ -20,7 +20,6 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats,

src/proxy/tests/client_masking_hard_adversarial_tests.rs

@@ -34,7 +34,6 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats,

src/proxy/tests/client_masking_http2_fragmented_preface_security_tests.rs

@@ -20,7 +20,6 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats,

src/proxy/tests/client_masking_prefetch_config_pipeline_integration_security_tests.rs

@@ -20,7 +20,6 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats,

src/proxy/tests/client_masking_prefetch_invariant_security_tests.rs

@@ -47,7 +47,6 @@ fn build_harness(secret_hex: &str, mask_port: u16) -> PipelineHarness {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),

src/proxy/tests/client_masking_probe_evasion_blackhat_tests.rs

@@ -25,7 +25,6 @@ fn make_test_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats,

src/proxy/tests/client_masking_redteam_expected_fail_tests.rs

@@ -48,7 +48,6 @@ fn build_harness(secret_hex: &str, mask_port: u16) -> RedTeamHarness {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),
@@ -238,7 +237,6 @@ async fn redteam_03_masking_duration_must_be_less_than_1ms_when_backend_down() {
             1,
             1,
             1,
-            10,
             1,
             false,
             Arc::new(Stats::new()),
@@ -479,7 +477,6 @@ async fn measure_invalid_probe_duration_ms(delay_ms: u64, tls_len: u16, body_sen
             1,
             1,
             1,
-            10,
             1,
             false,
             Arc::new(Stats::new()),
@@ -553,7 +550,6 @@ async fn capture_forwarded_probe_len(tls_len: u16, body_sent: usize) -> usize {
             1,
             1,
             1,
-            10,
             1,
             false,
             Arc::new(Stats::new()),

src/proxy/tests/client_masking_replay_timing_security_tests.rs

@@ -22,7 +22,6 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats,

src/proxy/tests/client_masking_shape_classifier_fuzz_redteam_expected_fail_tests.rs

@@ -20,7 +20,6 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats,

src/proxy/tests/client_masking_shape_hardening_adversarial_tests.rs

@@ -20,7 +20,6 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats,

src/proxy/tests/client_masking_shape_hardening_redteam_expected_fail_tests.rs

@@ -20,7 +20,6 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats,

src/proxy/tests/client_masking_shape_hardening_security_tests.rs

@@ -20,7 +20,6 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats,

src/proxy/tests/client_masking_stress_adversarial_tests.rs

@@ -34,7 +34,6 @@ fn new_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats,

src/proxy/tests/client_more_advanced_tests.rs

@@ -100,7 +100,6 @@ async fn blackhat_proxy_protocol_massive_garbage_rejected_quickly() {
             1,
             1,
             1,
-            10,
             1,
             false,
             stats.clone(),
@@ -147,7 +146,6 @@ async fn edge_tls_body_immediate_eof_triggers_masking_and_bad_connect() {
             1,
             1,
             1,
-            10,
             1,
             false,
             stats.clone(),
@@ -197,7 +195,6 @@ async fn security_classic_mode_disabled_masks_valid_length_payload() {
             1,
             1,
             1,
-            10,
             1,
             false,
             stats.clone(),

src/proxy/tests/client_security_tests.rs

@@ -1,10 +1,8 @@
 use super::*;
 use crate::config::{UpstreamConfig, UpstreamType};
-use crate::crypto::{AesCtr, sha256, sha256_hmac};
+use crate::crypto::AesCtr;
-use crate::protocol::constants::{
+use crate::crypto::sha256_hmac;
-    DC_IDX_POS, HANDSHAKE_LEN, IV_LEN, PREKEY_LEN, PROTO_TAG_POS, ProtoTag, SKIP_LEN,
+use crate::protocol::constants::ProtoTag;
-    TLS_RECORD_CHANGE_CIPHER,
-};
 use crate::protocol::tls;
 use crate::proxy::handshake::HandshakeSuccess;
 use crate::stream::{CryptoReader, CryptoWriter};
@@ -341,7 +339,6 @@ async fn relay_task_abort_releases_user_gate_and_ip_reservation() {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),
@@ -455,7 +452,6 @@ async fn relay_cutover_releases_user_gate_and_ip_reservation() {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),
@@ -579,7 +575,6 @@ async fn integration_route_cutover_and_quota_overlap_fails_closed_and_releases_s
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),
@@ -749,7 +744,6 @@ async fn proxy_protocol_header_is_rejected_when_trust_list_is_empty() {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),
@@ -826,7 +820,6 @@ async fn proxy_protocol_header_from_untrusted_peer_range_is_rejected_under_load(
             1,
             1,
             1,
-            10,
             1,
             false,
             stats.clone(),
@@ -986,7 +979,6 @@ async fn short_tls_probe_is_masked_through_client_pipeline() {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),
@@ -1074,7 +1066,6 @@ async fn tls12_record_probe_is_masked_through_client_pipeline() {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),
@@ -1160,7 +1151,6 @@ async fn handle_client_stream_increments_connects_all_exactly_once() {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),
@@ -1253,7 +1243,6 @@ async fn running_client_handler_increments_connects_all_exactly_once() {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),
@@ -1321,163 +1310,6 @@ async fn running_client_handler_increments_connects_all_exactly_once() {
     );
 }
 
-#[tokio::test(start_paused = true)]
-async fn idle_pooled_connection_closes_cleanly_in_generic_stream_path() {
-    let mut cfg = ProxyConfig::default();
-    cfg.general.beobachten = false;
-    cfg.timeouts.client_first_byte_idle_secs = 1;
-
-    let config = Arc::new(cfg);
-    let stats = Arc::new(Stats::new());
-    let upstream_manager = Arc::new(UpstreamManager::new(
-        vec![UpstreamConfig {
-            upstream_type: UpstreamType::Direct {
-                interface: None,
-                bind_addresses: None,
-            },
-            weight: 1,
-            enabled: true,
-            scopes: String::new(),
-            selected_scope: String::new(),
-        }],
-        1,
-        1,
-        1,
-        10,
-        1,
-        false,
-        stats.clone(),
-    ));
-    let replay_checker = Arc::new(ReplayChecker::new(128, Duration::from_secs(60)));
-    let buffer_pool = Arc::new(BufferPool::new());
-    let rng = Arc::new(SecureRandom::new());
-    let route_runtime = Arc::new(RouteRuntimeController::new(RelayRouteMode::Direct));
-    let ip_tracker = Arc::new(UserIpTracker::new());
-    let beobachten = Arc::new(BeobachtenStore::new());
-
-    let (server_side, _client_side) = duplex(4096);
-    let peer: SocketAddr = "198.51.100.169:55200".parse().unwrap();
-
-    let handler = tokio::spawn(handle_client_stream(
-        server_side,
-        peer,
-        config,
-        stats.clone(),
-        upstream_manager,
-        replay_checker,
-        buffer_pool,
-        rng,
-        None,
-        route_runtime,
-        None,
-        ip_tracker,
-        beobachten,
-        false,
-    ));
-
-    // Let the spawned handler arm the idle-phase timeout before advancing paused time.
-    tokio::task::yield_now().await;
-    tokio::time::advance(Duration::from_secs(2)).await;
-    tokio::task::yield_now().await;
-
-    let result = tokio::time::timeout(Duration::from_secs(1), handler)
-        .await
-        .unwrap()
-        .unwrap();
-    assert!(result.is_ok());
-    assert_eq!(stats.get_handshake_timeouts(), 0);
-    assert_eq!(stats.get_connects_bad(), 0);
-}
-
-#[tokio::test(start_paused = true)]
-async fn idle_pooled_connection_closes_cleanly_in_client_handler_path() {
-    let front_listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
-    let front_addr = front_listener.local_addr().unwrap();
-
-    let mut cfg = ProxyConfig::default();
-    cfg.general.beobachten = false;
-    cfg.timeouts.client_first_byte_idle_secs = 1;
-
-    let config = Arc::new(cfg);
-    let stats = Arc::new(Stats::new());
-    let upstream_manager = Arc::new(UpstreamManager::new(
-        vec![UpstreamConfig {
-            upstream_type: UpstreamType::Direct {
-                interface: None,
-                bind_addresses: None,
-            },
-            weight: 1,
-            enabled: true,
-            scopes: String::new(),
-            selected_scope: String::new(),
-        }],
-        1,
-        1,
-        1,
-        10,
-        1,
-        false,
-        stats.clone(),
-    ));
-    let replay_checker = Arc::new(ReplayChecker::new(128, Duration::from_secs(60)));
-    let buffer_pool = Arc::new(BufferPool::new());
-    let rng = Arc::new(SecureRandom::new());
-    let route_runtime = Arc::new(RouteRuntimeController::new(RelayRouteMode::Direct));
-    let ip_tracker = Arc::new(UserIpTracker::new());
-    let beobachten = Arc::new(BeobachtenStore::new());
-
-    let server_task = {
-        let config = config.clone();
-        let stats = stats.clone();
-        let upstream_manager = upstream_manager.clone();
-        let replay_checker = replay_checker.clone();
-        let buffer_pool = buffer_pool.clone();
-        let rng = rng.clone();
-        let route_runtime = route_runtime.clone();
-        let ip_tracker = ip_tracker.clone();
-        let beobachten = beobachten.clone();
-
-        tokio::spawn(async move {
-            let (stream, peer) = front_listener.accept().await.unwrap();
-            let real_peer_report = Arc::new(std::sync::Mutex::new(None));
-            ClientHandler::new(
-                stream,
-                peer,
-                config,
-                stats,
-                upstream_manager,
-                replay_checker,
-                buffer_pool,
-                rng,
-                None,
-                route_runtime,
-                None,
-                ip_tracker,
-                beobachten,
-                false,
-                real_peer_report,
-            )
-            .run()
-            .await
-        })
-    };
-
-    let _client = TcpStream::connect(front_addr).await.unwrap();
-
-    // Let the accepted connection reach the idle wait before advancing paused time.
-    tokio::task::yield_now().await;
-    tokio::time::advance(Duration::from_secs(2)).await;
-    tokio::task::yield_now().await;
-
-    let result = tokio::time::timeout(Duration::from_secs(1), server_task)
-        .await
-        .unwrap()
-        .unwrap();
-    assert!(result.is_ok());
-    assert_eq!(stats.get_handshake_timeouts(), 0);
-    assert_eq!(stats.get_connects_bad(), 0);
-}
-
 #[tokio::test]
 async fn partial_tls_header_stall_triggers_handshake_timeout() {
     let mut cfg = ProxyConfig::default();
@@ -1500,7 +1332,6 @@ async fn partial_tls_header_stall_triggers_handshake_timeout() {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),
@@ -1646,148 +1477,6 @@ fn wrap_tls_application_data(payload: &[u8]) -> Vec<u8> {
     record
 }
 
-fn wrap_tls_ccs_record() -> Vec<u8> {
-    let mut record = Vec::with_capacity(6);
-    record.push(TLS_RECORD_CHANGE_CIPHER);
-    record.extend_from_slice(&[0x03, 0x03]);
-    record.extend_from_slice(&1u16.to_be_bytes());
-    record.push(0x01);
-    record
-}
-
-fn make_valid_mtproto_handshake(
-    secret_hex: &str,
-    proto_tag: ProtoTag,
-    dc_idx: i16,
-) -> [u8; HANDSHAKE_LEN] {
-    let secret = hex::decode(secret_hex).expect("secret hex must decode for mtproto test helper");
-
-    let mut handshake = [0x5Au8; HANDSHAKE_LEN];
-    for (idx, b) in handshake[SKIP_LEN..SKIP_LEN + PREKEY_LEN + IV_LEN]
-        .iter_mut()
-        .enumerate()
-    {
-        *b = (idx as u8).wrapping_add(1);
-    }
-
-    let dec_prekey = &handshake[SKIP_LEN..SKIP_LEN + PREKEY_LEN];
-    let dec_iv_bytes = &handshake[SKIP_LEN + PREKEY_LEN..SKIP_LEN + PREKEY_LEN + IV_LEN];
-
-    let mut dec_key_input = Vec::with_capacity(PREKEY_LEN + secret.len());
-    dec_key_input.extend_from_slice(dec_prekey);
-    dec_key_input.extend_from_slice(&secret);
-    let dec_key = sha256(&dec_key_input);
-
-    let mut dec_iv_arr = [0u8; IV_LEN];
-    dec_iv_arr.copy_from_slice(dec_iv_bytes);
-    let dec_iv = u128::from_be_bytes(dec_iv_arr);
-
-    let mut stream = AesCtr::new(&dec_key, dec_iv);
-    let keystream = stream.encrypt(&[0u8; HANDSHAKE_LEN]);
-
-    let mut target_plain = [0u8; HANDSHAKE_LEN];
-    target_plain[PROTO_TAG_POS..PROTO_TAG_POS + 4].copy_from_slice(&proto_tag.to_bytes());
-    target_plain[DC_IDX_POS..DC_IDX_POS + 2].copy_from_slice(&dc_idx.to_le_bytes());
-
-    for idx in PROTO_TAG_POS..HANDSHAKE_LEN {
-        handshake[idx] = target_plain[idx] ^ keystream[idx];
-    }
-
-    handshake
-}
-
-#[tokio::test]
-async fn fragmented_tls_mtproto_with_interleaved_ccs_is_accepted() {
-    let secret_hex = "55555555555555555555555555555555";
-    let secret = [0x55u8; 16];
-    let client_hello = make_valid_tls_client_hello(&secret, 0);
-    let mtproto_handshake = make_valid_mtproto_handshake(secret_hex, ProtoTag::Secure, 2);
-
-    let mut cfg = ProxyConfig::default();
-    cfg.general.beobachten = false;
-    cfg.access.ignore_time_skew = true;
-    cfg.access
-        .users
-        .insert("user".to_string(), secret_hex.to_string());
-
-    let config = Arc::new(cfg);
-    let replay_checker = Arc::new(ReplayChecker::new(128, Duration::from_secs(60)));
-    let rng = SecureRandom::new();
-
-    let (server_side, mut client_side) = duplex(131072);
-    let peer: SocketAddr = "198.51.100.85:55007".parse().unwrap();
-    let (read_half, write_half) = tokio::io::split(server_side);
-
-    let (mut tls_reader, tls_writer, tls_user) = match handle_tls_handshake(
-        &client_hello,
-        read_half,
-        write_half,
-        peer,
-        &config,
-        &replay_checker,
-        &rng,
-        None,
-    )
-    .await
-    {
-        HandshakeResult::Success(result) => result,
-        _ => panic!("expected successful TLS handshake"),
-    };
-
-    let mut tls_response_head = [0u8; 5];
-    client_side
-        .read_exact(&mut tls_response_head)
-        .await
-        .unwrap();
-    assert_eq!(tls_response_head[0], 0x16);
-    let tls_response_len =
-        u16::from_be_bytes([tls_response_head[3], tls_response_head[4]]) as usize;
-    let mut tls_response_body = vec![0u8; tls_response_len];
-    client_side
-        .read_exact(&mut tls_response_body)
-        .await
-        .unwrap();
-
-    client_side
-        .write_all(&wrap_tls_application_data(&mtproto_handshake[..13]))
-        .await
-        .unwrap();
-    client_side.write_all(&wrap_tls_ccs_record()).await.unwrap();
-    client_side
-        .write_all(&wrap_tls_application_data(&mtproto_handshake[13..37]))
-        .await
-        .unwrap();
-    client_side.write_all(&wrap_tls_ccs_record()).await.unwrap();
-    client_side
-        .write_all(&wrap_tls_application_data(&mtproto_handshake[37..]))
-        .await
-        .unwrap();
-
-    let mtproto_data = tls_reader.read_exact(HANDSHAKE_LEN).await.unwrap();
-    assert_eq!(&mtproto_data[..], &mtproto_handshake);
-
-    let mtproto_handshake: [u8; HANDSHAKE_LEN] = mtproto_data[..].try_into().unwrap();
-    let (_, _, success) = match handle_mtproto_handshake(
-        &mtproto_handshake,
-        tls_reader,
-        tls_writer,
-        peer,
-        &config,
-        &replay_checker,
-        true,
-        Some(tls_user.as_str()),
-    )
-    .await
-    {
-        HandshakeResult::Success(result) => result,
-        _ => panic!("expected successful MTProto handshake"),
-    };
-
-    assert_eq!(success.user, "user");
-    assert_eq!(success.proto_tag, ProtoTag::Secure);
-    assert_eq!(success.dc_idx, 2);
-}
-
 #[tokio::test]
 async fn valid_tls_path_does_not_fall_back_to_mask_backend() {
     let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
@@ -1825,7 +1514,6 @@ async fn valid_tls_path_does_not_fall_back_to_mask_backend() {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),
@@ -1934,7 +1622,6 @@ async fn valid_tls_with_invalid_mtproto_falls_back_to_mask_backend() {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),
@@ -2041,7 +1728,6 @@ async fn client_handler_tls_bad_mtproto_is_forwarded_to_mask_backend() {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),
@@ -2163,7 +1849,6 @@ async fn alpn_mismatch_tls_probe_is_masked_through_client_pipeline() {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),
@@ -2256,7 +1941,6 @@ async fn invalid_hmac_tls_probe_is_masked_through_client_pipeline() {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),
@@ -2355,7 +2039,6 @@ async fn burst_invalid_tls_probes_are_masked_verbatim() {
             1,
             1,
             1,
-            10,
             1,
             false,
             stats.clone(),
@@ -2534,16 +2217,14 @@ async fn tcp_limit_rejection_does_not_reserve_ip_or_trigger_rollback() {
 }
 
 #[tokio::test]
-async fn zero_tcp_limit_uses_global_fallback_and_rejects_without_side_effects() {
+async fn zero_tcp_limit_rejects_without_ip_or_counter_side_effects() {
     let mut config = ProxyConfig::default();
     config
         .access
         .user_max_tcp_conns
         .insert("user".to_string(), 0);
-    config.access.user_max_tcp_conns_global_each = 1;
 
     let stats = Stats::new();
-    stats.increment_user_curr_connects("user");
     let ip_tracker = UserIpTracker::new();
     let peer_addr: SocketAddr = "198.51.100.211:50001".parse().unwrap();
 
@@ -2560,75 +2241,10 @@ async fn zero_tcp_limit_uses_global_fallback_and_rejects_without_side_effects()
         result,
         Err(ProxyError::ConnectionLimitExceeded { user }) if user == "user"
     ));
-    assert_eq!(
-        stats.get_user_curr_connects("user"),
-        1,
-        "TCP-limit rejection must keep pre-existing in-flight connection count unchanged"
-    );
-    assert_eq!(ip_tracker.get_active_ip_count("user").await, 0);
-}
-
-#[tokio::test]
-async fn zero_tcp_limit_with_disabled_global_fallback_is_unlimited() {
-    let mut config = ProxyConfig::default();
-    config
-        .access
-        .user_max_tcp_conns
-        .insert("user".to_string(), 0);
-    config.access.user_max_tcp_conns_global_each = 0;
-
-    let stats = Stats::new();
-    let ip_tracker = UserIpTracker::new();
-    let peer_addr: SocketAddr = "198.51.100.212:50002".parse().unwrap();
-
-    let result = RunningClientHandler::check_user_limits_static(
-        "user",
-        &config,
-        &stats,
-        peer_addr,
-        &ip_tracker,
-    )
-    .await;
-
-    assert!(
-        result.is_ok(),
-        "per-user zero with global fallback disabled must not enforce a TCP limit"
-    );
     assert_eq!(stats.get_user_curr_connects("user"), 0);
     assert_eq!(ip_tracker.get_active_ip_count("user").await, 0);
 }
 
-#[tokio::test]
-async fn global_tcp_fallback_applies_when_per_user_limit_is_missing() {
-    let mut config = ProxyConfig::default();
-    config.access.user_max_tcp_conns_global_each = 1;
-
-    let stats = Stats::new();
-    stats.increment_user_curr_connects("user");
-    let ip_tracker = UserIpTracker::new();
-    let peer_addr: SocketAddr = "198.51.100.213:50003".parse().unwrap();
-
-    let result = RunningClientHandler::check_user_limits_static(
-        "user",
-        &config,
-        &stats,
-        peer_addr,
-        &ip_tracker,
-    )
-    .await;
-
-    assert!(matches!(
-        result,
-        Err(ProxyError::ConnectionLimitExceeded { user }) if user == "user"
-    ));
-    assert_eq!(
-        stats.get_user_curr_connects("user"),
-        1,
-        "Global fallback TCP-limit rejection must keep pre-existing counter unchanged"
-    );
-    assert_eq!(ip_tracker.get_active_ip_count("user").await, 0);
-}
-
 #[tokio::test]
 async fn check_user_limits_static_success_does_not_leak_counter_or_ip_reservation() {
     let user = "check-helper-user";
@@ -3260,7 +2876,6 @@ async fn relay_connect_error_releases_user_and_ip_before_return() {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),
@@ -3821,7 +3436,6 @@ async fn untrusted_proxy_header_source_is_rejected() {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),
@@ -3891,7 +3505,6 @@ async fn empty_proxy_trusted_cidrs_rejects_proxy_header_by_default() {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),
@@ -3988,7 +3601,6 @@ async fn oversized_tls_record_is_masked_in_generic_stream_pipeline() {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),
@@ -4091,7 +3703,6 @@ async fn oversized_tls_record_is_masked_in_client_handler_pipeline() {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),
@@ -4208,7 +3819,6 @@ async fn tls_record_len_min_minus_1_is_rejected_in_generic_stream_pipeline() {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),
@@ -4311,7 +3921,6 @@ async fn tls_record_len_min_minus_1_is_rejected_in_client_handler_pipeline() {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),
@@ -4417,7 +4026,6 @@ async fn tls_record_len_16384_is_accepted_in_generic_stream_pipeline() {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),
@@ -4518,7 +4126,6 @@ async fn tls_record_len_16384_is_accepted_in_client_handler_pipeline() {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats.clone(),

src/proxy/tests/client_timing_profile_adversarial_tests.rs

@@ -33,7 +33,6 @@ fn make_test_upstream_manager(stats: Arc<Stats>) -> Arc<UpstreamManager> {
         1,
         1,
         1,
-        10,
         1,
         false,
         stats,