diff --git a/clients/android b/clients/android
index d03668392..223b5899c 160000
--- a/clients/android
+++ b/clients/android
@@ -1 +1 @@
-Subproject commit d036683923f41871196125a640bc1211b6878d82
+Subproject commit 223b5899c5be6a5035ad5bce771901babf02b1a0
diff --git a/clients/apple b/clients/apple
index 9d4ce37e9..38e8b3eda 160000
--- a/clients/apple
+++ b/clients/apple
@@ -1 +1 @@
-Subproject commit 9d4ce37e94e3df16b71ba3156ee45faf96241478
+Subproject commit 38e8b3eda9f0203dbe63c543f9c5f731ce7961c5
diff --git a/docs/changelog.md b/docs/changelog.md
index 54e5f7e87..b03a9d21b 100644
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,6 +2,140 @@
 icon: material/alert-decagram
 ---
 
+#### 1.13.0-rc.1
+
+* Fixes and improvements
+
+Important changes since 1.12:
+
+* Add NaiveProxy outbound **1**
+* Add pre-match support for `auto_redirect` **2**
+* Improve `auto_redirect` **3**
+* Add Chrome Root Store certificate option **4**
+* Add new options for ACME DNS-01 challenge providers **5**
+* Add Wi-Fi state support for Linux and Windows **6**
+* Add curve preferences, pinned public key SHA256, mTLS and ECH `query_server_name` for TLS options **7**
+* Add `disable_tcp_keep_alive`, `tcp_keep_alive` and `tcp_keep_alive_interval` options for dial fields **8**
+* Add `bind_address_no_port` option for dial fields **9**
+* Add system interface support for Tailscale endpoint **10**
+* Add Claude Code Multiplexer service **11**
+* Add OpenAI Codex Multiplexer service **12**
+* Apple/Android: Refactor GUI
+* Apple/Android: Add support for sharing configurations via [QRS](https://github.com/qifi-dev/qrs)
+* Android: Add support for resisting VPN detection via Xposed
+* Drop support for go1.23 **13**
+* Drop support for Android 5.0 **14**
+* Update uTLS to v1.8.2 **15**
+* Update quic-go to v0.59.0
+* Update gVisor to v20250811
+* Update Tailscale to v1.92.4
+
+**1**:
+
+NaiveProxy outbound now supports QUIC, ECH, UDP over TCP, and configurable QUIC congestion control.
+
+Only available on Apple platforms, Android, Windows and some Linux architectures.
+Each Windows release includes `libcronet.dll` —
+ensure this file is in the same directory as `sing-box.exe` or in a directory listed in `PATH`.
+
+See [NaiveProxy outbound](/configuration/outbound/naive/).
+
+**2**:
+
+`auto_redirect` now allows you to bypass sing-box for connections based on routing rules.
+
+A new rule action `bypass` is introduced to support this feature. When matched during pre-match, the connection will bypass sing-box and connect directly.
+
+This feature requires Linux with `auto_redirect` enabled.
+
+See [Pre-match](/configuration/shared/pre-match/) and [Rule Action](/configuration/route/rule_action/#bypass).
+
+**3**:
+
+`auto_redirect` now rejects MPTCP connections by default to fix compatibility issues.
+You can change it to bypass sing-box via the new `exclude_mptcp` option.
+
+Adds a fallback iproute2 rule checked after system default rules (32766: main, 32767: default),
+ensuring traffic is routed to the sing-box table when no route is found in system tables.
+The rule index can be customized via `auto_redirect_iproute2_fallback_rule_index` (default: 32768).
+
+See [TUN](/configuration/inbound/tun/#exclude_mptcp).
+
+**4**:
+
+Adds `chrome` as a new certificate store option alongside `mozilla`.
+Both stores filter out China-based CA certificates.
+
+See [Certificate](/configuration/certificate/#store).
+
+**5**:
+
+See [DNS-01 Challenge](/configuration/shared/dns01_challenge/).
+
+**6**:
+
+sing-box can now monitor Wi-Fi state on Linux and Windows to enable routing rules based on `wifi_ssid` and `wifi_bssid`.
+
+See [Wi-Fi State](/configuration/shared/wifi-state/).
+
+**7**:
+
+See [TLS](/configuration/shared/tls/).
+
+**8**:
+
+The default TCP keep-alive initial period has been updated from 10 minutes to 5 minutes.
+
+See [Dial Fields](/configuration/shared/dial/#tcp_keep_alive).
+
+**9**:
+
+Adds the Linux socket option `IP_BIND_ADDRESS_NO_PORT` support when explicitly binding to a source address.
+
+This allows reusing the same source port for multiple connections, improving scalability for high-concurrency proxy scenarios.
+
+See [Dial Fields](/configuration/shared/dial/#bind_address_no_port).
+
+**10**:
+
+Tailscale endpoint can now create a system TUN interface to handle traffic directly.
+
+See [Tailscale endpoint](/configuration/endpoint/tailscale/#system_interface).
+
+**11**:
+
+CCM (Claude Code Multiplexer) service allows you to access your local Claude Code subscription remotely through custom tokens, eliminating the need for OAuth authentication on remote clients.
+
+See [CCM](/configuration/service/ccm).
+
+**12**:
+
+See [OCM](/configuration/service/ocm).
+
+**13**:
+
+Due to maintenance difficulties, sing-box 1.13.0 requires at least Go 1.24 to compile.
+
+**14**:
+
+Due to maintenance difficulties, sing-box 1.13.0 will be the last version to support Android 5.0,
+and only through a separate legacy build (with `-legacy-android-5` suffix).
+
+For standalone binaries, the minimum Android version has been raised to Android 6.0,
+since Termux requires Android 7.0 or later.
+
+**15**:
+
+This update fixes missing padding extension for Chrome 120+ fingerprints.
+
+Also, documentation has been updated with a warning about uTLS fingerprinting vulnerabilities.
+uTLS is not recommended for censorship circumvention due to fundamental architectural limitations;
+use NaiveProxy instead for TLS fingerprint resistance.
+
+#### 1.12.19
+
+* Fixes and improvements
+
 #### 1.13.0-beta.8
 
 * Add fallback routing rule for `auto_redirect` **1**