[dependencies] Update github-actions

The upstream OpenAI WebSocket endpoint requires the
OpenAI-Beta: responses_websockets=2026-02-06 header. Set it
automatically when the client doesn't provide it.

Also capture and log the response body on non-429 WebSocket
handshake failures to surface the actual error from upstream.

.github/workflows/build.yml

@@ -41,13 +41,13 @@ jobs:
       version: ${{ steps.outputs.outputs.version }}
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.8
+          go-version: ~1.26.0
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -117,14 +117,14 @@ jobs:
           - { os: android, arch: "386", ndk: "i686-linux-android23" }
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go
         if: ${{ ! matrix.legacy_win7 }}
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.8
+          go-version: ~1.26.0
       - name: Cache Go for Windows 7
         if: matrix.legacy_win7
         id: cache-go-for-windows7
@@ -458,7 +458,7 @@ jobs:
           - { arch: amd64, legacy_osx: true, legacy_name: "macos-10.13" }
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -551,7 +551,7 @@ jobs:
           - { arch: arm64, naive: true }
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -634,14 +634,14 @@ jobs:
       - calculate_version
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
           submodules: 'recursive'
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.8
+          go-version: ~1.26.0
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -724,14 +724,14 @@ jobs:
       - calculate_version
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
           submodules: 'recursive'
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.8
+          go-version: ~1.26.0
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -822,7 +822,7 @@ jobs:
     steps:
       - name: Checkout
         if: matrix.if
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
           submodules: 'recursive'
@@ -830,7 +830,7 @@ jobs:
         if: matrix.if
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.8
+          go-version: ~1.26.0
       - name: Set tag
         if: matrix.if
         run: |-
@@ -976,7 +976,7 @@ jobs:
       - build_apple
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Cache ghr

.github/workflows/docker.yml

@@ -49,14 +49,14 @@ jobs:
           echo "ref=$ref"
           echo "ref=$ref" >> $GITHUB_OUTPUT
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           ref: ${{ steps.ref.outputs.ref }}
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.8
+          go-version: ~1.26.0
       - name: Clone cronet-go
         if: matrix.naive
         run: |
@@ -188,7 +188,7 @@ jobs:
           echo "ref=$ref"
           echo "ref=$ref" >> $GITHUB_OUTPUT
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           ref: ${{ steps.ref.outputs.ref }}
           fetch-depth: 0

.github/workflows/lint.yml

@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go

.github/workflows/linux.yml

@@ -29,13 +29,13 @@ jobs:
       version: ${{ steps.outputs.outputs.version }}
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.8
+          go-version: ~1.26.0
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -72,13 +72,13 @@ jobs:
           - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.8
+          go-version: ~1.26.0
       - name: Clone cronet-go
         if: matrix.naive
         run: |
@@ -236,7 +236,7 @@ jobs:
       - build
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Set tag

common/dialer/default.go

@@ -239,7 +239,7 @@ func setMarkWrapper(networkManager adapter.NetworkManager, mark uint32, isDefaul
 func (d *DefaultDialer) DialContext(ctx context.Context, network string, address M.Socksaddr) (net.Conn, error) {
 	if !address.IsValid() {
 		return nil, E.New("invalid address")
-	} else if address.IsDomain() {
+	} else if address.IsFqdn() {
 		return nil, E.New("domain not resolved")
 	}
 	if d.networkStrategy == nil {

common/dialer/resolve.go

@@ -96,7 +96,7 @@ func (d *resolveDialer) DialContext(ctx context.Context, network string, destina
 	if err != nil {
 		return nil, err
 	}
-	if !destination.IsDomain() {
+	if !destination.IsFqdn() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
@@ -116,7 +116,7 @@ func (d *resolveDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	if err != nil {
 		return nil, err
 	}
-	if !destination.IsDomain() {
+	if !destination.IsFqdn() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
@@ -144,7 +144,7 @@ func (d *resolveParallelNetworkDialer) DialParallelInterface(ctx context.Context
 	if err != nil {
 		return nil, err
 	}
-	if !destination.IsDomain() {
+	if !destination.IsFqdn() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
@@ -167,7 +167,7 @@ func (d *resolveParallelNetworkDialer) ListenSerialInterfacePacket(ctx context.C
 	if err != nil {
 		return nil, err
 	}
-	if !destination.IsDomain() {
+	if !destination.IsFqdn() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)

common/ktls/ktls_read.go

@@ -12,7 +12,6 @@ import (
 	"fmt"
 	"io"
 	"net"
-	"unsafe"
 )
 
 func (c *Conn) Read(b []byte) (int, error) {
@@ -230,7 +229,7 @@ func (c *Conn) readRawRecord() (typ uint8, data []byte, err error) {
 	record := c.rawConn.RawInput.Next(recordHeaderLen + n)
 	data, typ, err = c.rawConn.In.Decrypt(record)
 	if err != nil {
-		err = c.rawConn.In.SetErrorLocked(c.sendAlert(*(*uint8)((*[2]unsafe.Pointer)(unsafe.Pointer(&err))[1])))
+		err = c.rawConn.In.SetErrorLocked(c.sendAlert(uint8(err.(tls.AlertError))))
 		return
 	}
 	return

dns/transport/connector.go

@@ -55,12 +55,6 @@ type contextKeyConnecting struct{}
 
 var errRecursiveConnectorDial = E.New("recursive connector dial")
 
-type connectorDialResult[T any] struct {
-	connection T
-	cancel     context.CancelFunc
-	err        error
-}
-
 func (c *Connector[T]) Get(ctx context.Context) (T, error) {
 	var zero T
 	for {
@@ -106,37 +100,41 @@ func (c *Connector[T]) Get(ctx context.Context) (T, error) {
 			return zero, err
 		}
 
-		connecting := make(chan struct{})
-		c.connecting = connecting
-		dialContext := context.WithValue(ctx, contextKeyConnecting{}, c)
-		dialResult := make(chan connectorDialResult[T], 1)
+		c.connecting = make(chan struct{})
 		c.access.Unlock()
 
-		go func() {
-			connection, cancel, err := c.dialWithCancellation(dialContext)
-			dialResult <- connectorDialResult[T]{
-				connection: connection,
-				cancel:     cancel,
-				err:        err,
-			}
-		}()
+		dialContext := context.WithValue(ctx, contextKeyConnecting{}, c)
+		connection, cancel, err := c.dialWithCancellation(dialContext)
 
-		select {
-		case result := <-dialResult:
-			return c.completeDial(ctx, connecting, result)
-		case <-ctx.Done():
-			go func() {
-				result := <-dialResult
-				_, _ = c.completeDial(ctx, connecting, result)
-			}()
-			return zero, ctx.Err()
-		case <-c.closeCtx.Done():
-			go func() {
-				result := <-dialResult
-				_, _ = c.completeDial(ctx, connecting, result)
-			}()
+		c.access.Lock()
+		close(c.connecting)
+		c.connecting = nil
+
+		if err != nil {
+			c.access.Unlock()
+			return zero, err
+		}
+
+		if c.closed {
+			cancel()
+			c.callbacks.Close(connection)
+			c.access.Unlock()
 			return zero, ErrTransportClosed
 		}
+		if err = ctx.Err(); err != nil {
+			cancel()
+			c.callbacks.Close(connection)
+			c.access.Unlock()
+			return zero, err
+		}
+
+		c.connection = connection
+		c.hasConnection = true
+		c.connectionCancel = cancel
+		result := c.connection
+		c.access.Unlock()
+
+		return result, nil
 	}
 }
 
@@ -145,38 +143,6 @@ func isRecursiveConnectorDial[T any](ctx context.Context, connector *Connector[T
 	return loaded && dialConnector == connector
 }
 
-func (c *Connector[T]) completeDial(ctx context.Context, connecting chan struct{}, result connectorDialResult[T]) (T, error) {
-	var zero T
-
-	c.access.Lock()
-	defer c.access.Unlock()
-	defer func() {
-		if c.connecting == connecting {
-			c.connecting = nil
-		}
-		close(connecting)
-	}()
-
-	if result.err != nil {
-		return zero, result.err
-	}
-	if c.closed || c.closeCtx.Err() != nil {
-		result.cancel()
-		c.callbacks.Close(result.connection)
-		return zero, ErrTransportClosed
-	}
-	if err := ctx.Err(); err != nil {
-		result.cancel()
-		c.callbacks.Close(result.connection)
-		return zero, err
-	}
-
-	c.connection = result.connection
-	c.hasConnection = true
-	c.connectionCancel = result.cancel
-	return c.connection, nil
-}
-
 func (c *Connector[T]) dialWithCancellation(ctx context.Context) (T, context.CancelFunc, error) {
 	var zero T
 	if err := ctx.Err(); err != nil {

dns/transport/connector_test.go

@@ -188,157 +188,13 @@ func TestConnectorCanceledRequestDoesNotCacheConnection(t *testing.T) {
 	err := <-result
 	require.ErrorIs(t, err, context.Canceled)
 	require.EqualValues(t, 1, dialCount.Load())
-	require.Eventually(t, func() bool {
-		return closeCount.Load() == 1
-	}, time.Second, 10*time.Millisecond)
+	require.EqualValues(t, 1, closeCount.Load())
 
 	_, err = connector.Get(context.Background())
 	require.NoError(t, err)
 	require.EqualValues(t, 2, dialCount.Load())
 }
 
-func TestConnectorCanceledRequestReturnsBeforeIgnoredDialCompletes(t *testing.T) {
-	t.Parallel()
-
-	var (
-		dialCount  atomic.Int32
-		closeCount atomic.Int32
-	)
-	dialStarted := make(chan struct{}, 1)
-	releaseDial := make(chan struct{})
-
-	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
-		dialCount.Add(1)
-		select {
-		case dialStarted <- struct{}{}:
-		default:
-		}
-		<-releaseDial
-		return &testConnectorConnection{}, nil
-	}, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {
-			closeCount.Add(1)
-		},
-		Reset: func(connection *testConnectorConnection) {},
-	})
-
-	requestContext, cancel := context.WithCancel(context.Background())
-	result := make(chan error, 1)
-	go func() {
-		_, err := connector.Get(requestContext)
-		result <- err
-	}()
-
-	<-dialStarted
-	cancel()
-
-	select {
-	case err := <-result:
-		require.ErrorIs(t, err, context.Canceled)
-	case <-time.After(time.Second):
-		t.Fatal("Get did not return after request cancel")
-	}
-
-	require.EqualValues(t, 1, dialCount.Load())
-	require.EqualValues(t, 0, closeCount.Load())
-
-	close(releaseDial)
-
-	require.Eventually(t, func() bool {
-		return closeCount.Load() == 1
-	}, time.Second, 10*time.Millisecond)
-
-	_, err := connector.Get(context.Background())
-	require.NoError(t, err)
-	require.EqualValues(t, 2, dialCount.Load())
-}
-
-func TestConnectorWaiterDoesNotStartNewDialBeforeCanceledDialCompletes(t *testing.T) {
-	t.Parallel()
-
-	var (
-		dialCount  atomic.Int32
-		closeCount atomic.Int32
-	)
-	firstDialStarted := make(chan struct{}, 1)
-	secondDialStarted := make(chan struct{}, 1)
-	releaseFirstDial := make(chan struct{})
-
-	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
-		attempt := dialCount.Add(1)
-		switch attempt {
-		case 1:
-			select {
-			case firstDialStarted <- struct{}{}:
-			default:
-			}
-			<-releaseFirstDial
-		case 2:
-			select {
-			case secondDialStarted <- struct{}{}:
-			default:
-			}
-		}
-		return &testConnectorConnection{}, nil
-	}, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {
-			closeCount.Add(1)
-		},
-		Reset: func(connection *testConnectorConnection) {},
-	})
-
-	requestContext, cancel := context.WithCancel(context.Background())
-	firstResult := make(chan error, 1)
-	go func() {
-		_, err := connector.Get(requestContext)
-		firstResult <- err
-	}()
-
-	<-firstDialStarted
-	cancel()
-
-	secondResult := make(chan error, 1)
-	go func() {
-		_, err := connector.Get(context.Background())
-		secondResult <- err
-	}()
-
-	select {
-	case <-secondDialStarted:
-		t.Fatal("second dial started before first dial completed")
-	case <-time.After(100 * time.Millisecond):
-	}
-
-	select {
-	case err := <-firstResult:
-		require.ErrorIs(t, err, context.Canceled)
-	case <-time.After(time.Second):
-		t.Fatal("first Get did not return after request cancel")
-	}
-
-	close(releaseFirstDial)
-
-	require.Eventually(t, func() bool {
-		return closeCount.Load() == 1
-	}, time.Second, 10*time.Millisecond)
-
-	select {
-	case <-secondDialStarted:
-	case <-time.After(time.Second):
-		t.Fatal("second dial did not start after first dial completed")
-	}
-
-	err := <-secondResult
-	require.NoError(t, err)
-	require.EqualValues(t, 2, dialCount.Load())
-}
-
 func TestConnectorDialContextNotCanceledByRequestContextAfterDial(t *testing.T) {
 	t.Parallel()
 

docs/changelog.md

@@ -2,11 +2,7 @@
 icon: material/alert-decagram
 ---
 
-#### 1.14.0-alpha.3
-
-* Fixes and improvements
-
-#### 1.13.3
+#### 1.14.0-alpha.2
 
 * Add OpenWrt and Alpine APK packages to release **1**
 * Backport to macOS 10.13 High Sierra **2**
@@ -30,11 +26,7 @@ from [SagerNet/go](https://github.com/SagerNet/go).
 
 See [OCM](/configuration/service/ocm).
 
-#### 1.12.24
-
-* Fixes and improvements
-
-#### 1.14.0-alpha.2
+#### 1.13.3-beta.1
 
 * Add OpenWrt and Alpine APK packages to release **1**
 * Backport to macOS 10.13 High Sierra **2**

docs/configuration/dns/fakeip.zh.md

@@ -4,7 +4,7 @@ icon: material/delete-clock
 
 !!! failure "已在 sing-box 1.12.0 废弃"
 
-    旧的 fake-ip 配置已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。
+    旧的 fake-ip 配置已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/migration/#migrate-to-new-dns-servers)。
 
 ### 结构
 

docs/configuration/dns/rule.zh.md

@@ -267,7 +267,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 !!! failure "已在 sing-box 1.12.0 中被移除"
 
-    GeoSite 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-geosite-到规则集)。
+    GeoSite 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geosite)。
 
 匹配 Geosite。
 
@@ -275,7 +275,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 !!! failure "已在 sing-box 1.12.0 中被移除"
 
-    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-geoip-到规则集)。
+    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geoip)。
 
 匹配源 GeoIP。
 
@@ -484,7 +484,7 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 
 !!! failure "已在 sing-box 1.12.0 废弃"
 
-    `outbound` 规则项已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-outbound-dns-规则项到域解析选项)。
+    `outbound` 规则项已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/migration/#migrate-outbound-dns-rule-items-to-domain-resolver)。
 
 匹配出站。
 
@@ -536,7 +536,7 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 
 !!! failure "已在 sing-box 1.12.0 中被移除"
 
-    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-geoip-到规则集)。
+    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geoip)。
 
 
 与查询响应匹配 GeoIP。

docs/configuration/dns/server/http3.zh.md

@@ -64,7 +64,7 @@ DNS 服务器的路径。
 
 #### tls
 
-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 ### 拨号字段
 

docs/configuration/dns/server/https.zh.md

@@ -64,7 +64,7 @@ DNS 服务器的路径。
 
 #### tls
 
-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 ### 拨号字段
 

docs/configuration/dns/server/legacy.zh.md

@@ -4,7 +4,7 @@ icon: material/delete-clock
 
 !!! failure "Deprecated in sing-box 1.12.0"
 
-    旧的 DNS 服务器配置已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。
+    旧的 DNS 服务器配置已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/migration/#migrate-to-new-dns-servers)。
 
 !!! quote "sing-box 1.9.0 中的更改"
 

docs/configuration/dns/server/quic.zh.md

@@ -51,7 +51,7 @@ DNS 服务器的端口。
 
 #### tls
 
-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 ### 拨号字段
 

docs/configuration/dns/server/tls.zh.md

@@ -51,7 +51,7 @@ DNS 服务器的端口。
 
 #### tls
 
-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 ### 拨号字段
 

docs/configuration/experimental/cache-file.zh.md

@@ -42,7 +42,7 @@
 
 将拒绝的 DNS 响应缓存存储在缓存文件中。
 
-[地址筛选 DNS 规则项](/zh/configuration/dns/rule/#地址筛选字段) 的检查结果将被缓存至过期。
+[地址筛选 DNS 规则项](/zh/configuration/dns/rule/#_3) 的检查结果将被缓存至过期。
 
 #### rdrc_timeout
 

docs/configuration/experimental/v2ray-api.zh.md

@@ -1,6 +1,6 @@
 !!! quote ""
 
-    默认安装不包含 V2Ray API，参阅 [安装](/zh/installation/build-from-source/#构建标记)。
+    默认安装不包含 V2Ray API，参阅 [安装](/zh/installation/build-from-source/#_5)。
 
 ### 结构
 

docs/configuration/inbound/anytls.zh.md

@@ -58,4 +58,4 @@ AnyTLS 填充方案行数组。
 
 #### tls
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

docs/configuration/inbound/http.zh.md

@@ -26,7 +26,7 @@
 
 #### tls
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 
 #### users
 

docs/configuration/inbound/hysteria.zh.md

@@ -104,4 +104,4 @@ base64 编码的认证密码。
 
 ==必填==
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

docs/configuration/inbound/hysteria2.zh.md

@@ -38,7 +38,7 @@ icon: material/alert-decagram
 !!! warning "与官方 Hysteria2 的区别"
 
     官方程序支持一种名为 **userpass** 的验证方式，
-    本质上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
+    本质上上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
     要将 sing-box 与官方程序一起使用， 您需要填写该组合作为实际密码。
 
 ### 监听字段
@@ -85,7 +85,7 @@ Hysteria 用户
 
 ==必填==
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 
 #### masquerade
 

docs/configuration/inbound/naive.zh.md

@@ -60,4 +60,4 @@ QUIC 拥塞控制算法。
 
 #### tls
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

docs/configuration/inbound/shadowsocks.zh.md

@@ -93,4 +93,4 @@
 
 #### multiplex
 
-参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。

docs/configuration/inbound/trojan.zh.md

@@ -43,7 +43,7 @@ Trojan 用户。
 
 #### tls
 
-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 
 #### fallback
 
@@ -61,7 +61,7 @@ TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#入站)。
 
 #### multiplex
 
-参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。
 
 #### transport
 

docs/configuration/inbound/tuic.zh.md

@@ -75,4 +75,4 @@ QUIC 拥塞控制算法
 
 ==必填==
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

docs/configuration/inbound/tun.md

@@ -4,8 +4,8 @@ icon: material/new-box
 
 !!! quote "Changes in sing-box 1.14.0"
 
-    :material-plus: [include_mac_address](#include_mac_address)
-    :material-plus: [exclude_mac_address](#exclude_mac_address)
+:material-plus: [include_mac_address](#include_mac_address)
+:material-plus: [exclude_mac_address](#exclude_mac_address)
 
 !!! quote "Changes in sing-box 1.13.3"
 

docs/configuration/inbound/tun.zh.md

@@ -4,7 +4,7 @@ icon: material/new-box
 
 !!! quote "sing-box 1.14.0 中的更改"
 
-    :material-plus: [include_mac_address](#include_mac_address)  
+    :material-plus: [include_mac_address](#include_mac_address)
     :material-plus: [exclude_mac_address](#exclude_mac_address)
 
 !!! quote "sing-box 1.13.3 中的更改"

docs/configuration/inbound/vless.zh.md

@@ -48,11 +48,11 @@ VLESS 子协议。
 
 #### tls
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 
 #### multiplex
 
-参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。
 
 #### transport
 

docs/configuration/inbound/vmess.zh.md

@@ -43,11 +43,11 @@ VMess 用户。
 
 #### tls
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 
 #### multiplex
 
-参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。
 
 #### transport
 

docs/configuration/outbound/anytls.zh.md

@@ -59,7 +59,7 @@ AnyTLS 密码。
 
 ==必填==
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 ### 拨号字段
 

docs/configuration/outbound/direct.zh.md

@@ -4,8 +4,8 @@ icon: material/alert-decagram
 
 !!! quote "sing-box 1.11.0 中的更改"
 
-    :material-delete-clock: [override_address](#override_address)  
-    :material-delete-clock: [override_port](#override_port)
+    :material-alert-decagram: [override_address](#override_address)  
+    :material-alert-decagram: [override_port](#override_port)
 
 `direct` 出站直接发送请求。
 
@@ -29,7 +29,7 @@ icon: material/alert-decagram
 
 !!! failure "已在 sing-box 1.11.0 废弃"
 
-    目标覆盖字段在 sing-box 1.11.0 中已废弃，并将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-direct-出站中的目标地址覆盖字段到路由字段)。
+    目标覆盖字段在 sing-box 1.11.0 中已废弃，并将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/migration/#migrate-destination-override-fields-to-route-options)。
 
 覆盖连接目标地址。
 
@@ -37,7 +37,7 @@ icon: material/alert-decagram
 
 !!! failure "已在 sing-box 1.11.0 废弃"
 
-    目标覆盖字段在 sing-box 1.11.0 中已废弃，并将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-direct-出站中的目标地址覆盖字段到路由字段)。
+    目标覆盖字段在 sing-box 1.11.0 中已废弃，并将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/migration/#migrate-destination-override-fields-to-route-options)。
 
 覆盖连接目标端口。
 

docs/configuration/outbound/dns.zh.md

@@ -4,7 +4,7 @@ icon: material/delete-clock
 
 !!! failure "已在 sing-box 1.11.0 废弃"
 
-    旧的特殊出站已被弃用，且将在 sing-box 1.13.0 中被移除, 参阅 [迁移指南](/zh/migration/#迁移旧的特殊出站到规则动作). 
+    旧的特殊出站已被弃用，且将在 sing-box 1.13.0 中被移除, 参阅 [迁移指南](/migration/#migrate-legacy-special-outbounds-to-rule-actions). 
 
 `dns` 出站是一个内部 DNS 服务器。
 

docs/configuration/outbound/http.zh.md

@@ -51,7 +51,7 @@ HTTP 请求的额外标头。
 
 #### tls
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 ### 拨号字段
 

docs/configuration/outbound/hysteria.zh.md

@@ -134,7 +134,7 @@ base64 编码的认证密码。
 
 ==必填==
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 
 ### 拨号字段

docs/configuration/outbound/hysteria2.zh.md

@@ -38,7 +38,7 @@
 !!! warning "与官方 Hysteria2 的区别"
 
     官方程序支持一种名为 **userpass** 的验证方式，
-    本质上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
+    本质上上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
     要将 sing-box 与官方程序一起使用， 您需要填写该组合作为实际密码。
 
 ### 字段
@@ -105,7 +105,7 @@ QUIC 流量混淆器密码.
 
 ==必填==
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 #### brutal_debug
 

docs/configuration/outbound/naive.zh.md

@@ -105,7 +105,7 @@ QUIC 拥塞控制算法。
 
 ==必填==
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 只有 `server_name`、`certificate`、`certificate_path` 和 `ech` 是被支持的。
 

docs/configuration/outbound/selector.zh.md

@@ -17,7 +17,7 @@
 
 !!! quote ""
 
-    选择器目前只能通过 [Clash API](/zh/configuration/experimental/clash-api/) 来控制。
+    选择器目前只能通过 [Clash API](/zh/configuration/experimental#clash-api) 来控制。
 
 ### 字段
 

docs/configuration/outbound/shadowsocks.zh.md

@@ -95,7 +95,7 @@ UDP over TCP 配置。
 
 #### multiplex
 
-参阅 [多路复用](/zh/configuration/shared/multiplex#出站)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#outbound)。
 
 ### 拨号字段
 

docs/configuration/outbound/shadowtls.zh.md

@@ -49,7 +49,7 @@ ShadowTLS 协议版本。
 
 ==必填==
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 ### 拨号字段
 

docs/configuration/outbound/tor.zh.md

@@ -18,7 +18,7 @@
 
 !!! info ""
 
-    默认安装不包含嵌入式 Tor, 参阅 [安装](/zh/installation/build-from-source/#构建标记)。
+    默认安装不包含嵌入式 Tor, 参阅 [安装](/zh/installation/build-from-source/#_5)。
 
 ### 字段
 

docs/configuration/outbound/trojan.zh.md

@@ -47,11 +47,11 @@ Trojan 密码。
 
 #### tls
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 #### multiplex
 
-参阅 [多路复用](/zh/configuration/shared/multiplex#出站)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#outbound)。
 
 #### transport
 

docs/configuration/outbound/tuic.zh.md

@@ -97,7 +97,7 @@ UDP 包中继模式
 
 ==必填==
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 ### 拨号字段
 

docs/configuration/outbound/vless.zh.md

@@ -57,7 +57,7 @@ VLESS 子协议。
 
 #### tls
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 #### packet_encoding
 
@@ -71,7 +71,7 @@ UDP 包编码，默认使用 xudp。
 
 #### multiplex
 
-参阅 [多路复用](/zh/configuration/shared/multiplex#出站)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#outbound)。
 
 #### transport
 

docs/configuration/outbound/vmess.zh.md

@@ -82,7 +82,7 @@ VMess 用户 ID。
 
 #### tls
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 #### packet_encoding
 
@@ -96,7 +96,7 @@ UDP 包编码。
 
 #### multiplex
 
-参阅 [多路复用](/zh/configuration/shared/multiplex#出站)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#outbound)。
 
 #### transport
 

docs/configuration/outbound/wireguard.zh.md

@@ -4,7 +4,7 @@ icon: material/delete-clock
 
 !!! failure "已在 sing-box 1.11.0 废弃"
 
-    WireGuard 出站已被弃用，且将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-wireguard-出站到端点)。
+    WireGuard 出站已被弃用，且将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/migration/#migrate-wireguard-outbound-to-endpoint)。
 
 !!! quote "sing-box 1.11.0 中的更改"
 

docs/configuration/route/geoip.zh.md

@@ -4,7 +4,7 @@ icon: material/note-remove
 
 !!! failure "已在 sing-box 1.12.0 中被移除"
 
-    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-geoip-到规则集)。
+    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geoip)。
 
 ### 结构
 

docs/configuration/route/geosite.zh.md

@@ -4,7 +4,7 @@ icon: material/note-remove
 
 !!! failure "已在 sing-box 1.12.0 中被移除"
 
-    Geosite 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-geosite-到规则集)。
+    Geosite 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geosite)。
 
 ### 结构
 

docs/configuration/route/index.zh.md

@@ -17,7 +17,7 @@ icon: material/alert-decagram
 
 !!! quote "sing-box 1.11.0 中的更改"
 
-    :material-plus: [default_network_strategy](#default_network_strategy)  
+    :material-plus: [network_strategy](#network_strategy)  
     :material-plus: [default_network_type](#default_network_type)  
     :material-plus: [default_fallback_network_type](#default_fallback_network_type)  
     :material-plus: [default_fallback_delay](#default_fallback_delay)
@@ -150,7 +150,7 @@ icon: material/alert-decagram
 
 !!! question "自 sing-box 1.12.0 起"
 
-详情参阅 [拨号字段](/zh/configuration/shared/dial/#domain_resolver)。
+详情参阅 [拨号字段](/configuration/shared/dial/#domain_resolver)。
 
 可以被 `outbound.domain_resolver` 覆盖。
 
@@ -158,7 +158,7 @@ icon: material/alert-decagram
 
 !!! question "自 sing-box 1.11.0 起"
 
-详情参阅 [拨号字段](/zh/configuration/shared/dial/#network_strategy)。
+详情参阅 [拨号字段](/configuration/shared/dial/#network_strategy)。
 
 当 `outbound.bind_interface`, `outbound.inet4_bind_address` 或 `outbound.inet6_bind_address` 已设置时不生效。
 
@@ -170,16 +170,16 @@ icon: material/alert-decagram
 
 !!! question "自 sing-box 1.11.0 起"
 
-详情参阅 [拨号字段](/zh/configuration/shared/dial/#default_network_type)。
+详情参阅 [拨号字段](/configuration/shared/dial/#default_network_type)。
 
 #### default_fallback_network_type
 
 !!! question "自 sing-box 1.11.0 起"
 
-详情参阅 [拨号字段](/zh/configuration/shared/dial/#default_fallback_network_type)。
+详情参阅 [拨号字段](/configuration/shared/dial/#default_fallback_network_type)。
 
 #### default_fallback_delay
 
 !!! question "自 sing-box 1.11.0 起"
 
-详情参阅 [拨号字段](/zh/configuration/shared/dial/#fallback_delay)。
+详情参阅 [拨号字段](/configuration/shared/dial/#fallback_delay)。

docs/configuration/route/rule.zh.md

@@ -27,7 +27,6 @@ icon: material/new-box
 
     :material-plus: [client](#client)  
     :material-delete-clock: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)  
-    :material-plus: [rule_set_ip_cidr_match_source](#rule_set_ip_cidr_match_source)  
     :material-plus: [process_path_regex](#process_path_regex)
 
 !!! quote "sing-box 1.8.0 中的更改"
@@ -266,7 +265,7 @@ icon: material/new-box
 
 !!! failure "已在 sing-box 1.8.0 废弃"
 
-    Geosite 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#迁移-geosite-到规则集)。
+    Geosite 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#geosite)。
 
 匹配 Geosite。
 
@@ -274,7 +273,7 @@ icon: material/new-box
 
 !!! failure "已在 sing-box 1.8.0 废弃"
 
-    GeoIP 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#迁移-geoip-到规则集)。
+    GeoIP 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#geoip)。
 
 匹配源 GeoIP。
 
@@ -282,7 +281,7 @@ icon: material/new-box
 
 !!! failure "已在 sing-box 1.8.0 废弃"
 
-    GeoIP 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#迁移-geoip-到规则集)。
+    GeoIP 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#geoip)。
 
 匹配 GeoIP。
 

docs/configuration/route/rule_action.zh.md

@@ -66,7 +66,7 @@ icon: material/new-box
 
 目标出站的标签。
 
-如果未指定，规则仅在来自 auto redirect 的[预匹配](/zh/configuration/shared/pre-match/)中匹配，在其他场景中将被跳过。
+如果未指定，规则仅在来自 auto redirect 的[预匹配](/configuration/shared/pre-match/)中匹配，在其他场景中将被跳过。
 
 #### route-options 字段
 
@@ -154,22 +154,22 @@ icon: material/new-box
 
 #### network_strategy
 
-详情参阅 [拨号字段](/zh/configuration/shared/dial/#network_strategy)。
+详情参阅 [拨号字段](/configuration/shared/dial/#network_strategy)。
 
 仅当出站为 `direct` 且 `outbound.bind_interface`, `outbound.inet4_bind_address`
 且 `outbound.inet6_bind_address` 未设置时生效。
 
 #### network_type
 
-详情参阅 [拨号字段](/zh/configuration/shared/dial/#network_type)。
+详情参阅 [拨号字段](/configuration/shared/dial/#network_type)。
 
 #### fallback_network_type
 
-详情参阅 [拨号字段](/zh/configuration/shared/dial/#fallback_network_type)。
+详情参阅 [拨号字段](/configuration/shared/dial/#fallback_network_type)。
 
 #### fallback_delay
 
-详情参阅 [拨号字段](/zh/configuration/shared/dial/#fallback_delay)。
+详情参阅 [拨号字段](/configuration/shared/dial/#fallback_delay)。
 
 #### udp_disable_domain_unmapping
 

docs/configuration/rule-set/headless-rule.zh.md

@@ -10,8 +10,8 @@ icon: material/new-box
 !!! quote "sing-box 1.11.0 中的更改"
 
     :material-plus: [network_type](#network_type)  
-    :material-plus: [network_is_expensive](#network_is_expensive)  
-    :material-plus: [network_is_constrained](#network_is_constrained)
+    :material-alert: [network_is_expensive](#network_is_expensive)  
+    :material-alert: [network_is_constrained](#network_is_constrained)
 
 ### 结构
 

docs/configuration/service/ccm.md

@@ -10,6 +10,11 @@ CCM (Claude Code Multiplexer) service is a multiplexing service that allows you
 
 It handles OAuth authentication with Claude's API on your local machine while allowing remote Claude Code to authenticate using Auth Tokens via the `ANTHROPIC_AUTH_TOKEN` environment variable.
 
+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [credentials](#credentials)  
+    :material-alert: [users](#users)
+
 ### Structure
 
 ```json
@@ -19,6 +24,7 @@ It handles OAuth authentication with Claude's API on your local machine while al
   ... // Listen Fields
 
   "credential_path": "",
+  "credentials": [],
   "usages_path": "",
   "users": [],
   "headers": {},
@@ -45,6 +51,77 @@ On macOS, credentials are read from the system keychain first, then fall back to
 
 Refreshed tokens are automatically written back to the same location.
 
+When `credential_path` points to a file, the service can start before the file exists. The credential becomes available automatically after the file is created or updated, and becomes unavailable immediately if the file is later removed or becomes invalid.
+
+On macOS without an explicit `credential_path`, keychain changes are not watched. Automatic reload only applies to the credential file path.
+
+Conflict with `credentials`.
+
+#### credentials
+
+!!! question "Since sing-box 1.14.0"
+
+List of credential configurations for multi-credential mode.
+
+When set, top-level `credential_path`, `usages_path`, and `detour` are forbidden. Each user must specify a `credential` tag.
+
+Each credential has a `type` field (`default`, `balancer`, or `fallback`) and a required `tag` field.
+
+##### Default Credential
+
+```json
+{
+  "tag": "a",
+  "credential_path": "/path/to/.credentials.json",
+  "usages_path": "/path/to/usages.json",
+  "detour": "",
+  "reserve_5h": 20,
+  "reserve_weekly": 20
+}
+```
+
+A single OAuth credential file. The `type` field can be omitted (defaults to `default`). The service can start before the file exists, and reloads file updates automatically.
+
+- `credential_path`: Path to the credentials file. Same defaults as top-level `credential_path`.
+- `usages_path`: Optional usage tracking file for this credential.
+- `detour`: Outbound tag for connecting to the Claude API with this credential.
+- `reserve_5h`: Reserve threshold (1-99) for 5-hour window. Credential pauses at (100-N)% utilization.
+- `reserve_weekly`: Reserve threshold (1-99) for weekly window. Credential pauses at (100-N)% utilization.
+
+##### Balancer Credential
+
+```json
+{
+  "tag": "pool",
+  "type": "balancer",
+  "strategy": "",
+  "credentials": ["a", "b"],
+  "poll_interval": "60s"
+}
+```
+
+Assigns sessions to default credentials based on the selected strategy. Sessions are sticky until the assigned credential hits a rate limit.
+
+- `strategy`: Selection strategy. One of `least_used` `round_robin` `random`. `least_used` will be used by default.
+- `credentials`: ==Required== List of default credential tags.
+- `poll_interval`: How often to poll upstream usage API. Default `60s`.
+
+##### Fallback Credential
+
+```json
+{
+  "tag": "backup",
+  "type": "fallback",
+  "credentials": ["a", "b"],
+  "poll_interval": "30s"
+}
+```
+
+Uses credentials in order. Falls through to the next when the current one is exhausted.
+
+- `credentials`: ==Required== Ordered list of default credential tags.
+- `poll_interval`: How often to poll upstream usage API. Default `60s`.
+
 #### usages_path
 
 Path to the file for storing aggregated API usage statistics.
@@ -60,6 +137,8 @@ Statistics are organized by model, context window (200k standard vs 1M premium),
 
 The statistics file is automatically saved every minute and upon service shutdown.
 
+Conflict with `credentials`. In multi-credential mode, use `usages_path` on individual default credentials.
+
 #### users
 
 List of authorized users for token authentication.
@@ -71,7 +150,8 @@ Object format:
 ```json
 {
   "name": "",
-  "token": ""
+  "token": "",
+  "credential": ""
 }
 ```
 
@@ -79,6 +159,7 @@ Object fields:
 
 - `name`: Username identifier for tracking purposes.
 - `token`: Bearer token for authentication. Claude Code authenticates by setting the `ANTHROPIC_AUTH_TOKEN` environment variable to their token value.
+- `credential`: Credential tag to use for this user. ==Required== when `credentials` is set.
 
 #### headers
 
@@ -90,6 +171,8 @@ These headers will override any existing headers with the same name.
 
 Outbound tag for connecting to the Claude API.
 
+Conflict with `credentials`. In multi-credential mode, use `detour` on individual default credentials.
+
 #### tls
 
 TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
@@ -129,3 +212,52 @@ export ANTHROPIC_AUTH_TOKEN="ak-ccm-hello-world"
 
 claude
 ```
+
+### Example with Multiple Credentials
+
+#### Server
+
+```json
+{
+  "services": [
+    {
+      "type": "ccm",
+      "listen": "0.0.0.0",
+      "listen_port": 8080,
+      "credentials": [
+        {
+          "tag": "a",
+          "credential_path": "/home/user/.claude-a/.credentials.json",
+          "usages_path": "/data/usages-a.json",
+          "reserve_5h": 20,
+          "reserve_weekly": 20
+        },
+        {
+          "tag": "b",
+          "credential_path": "/home/user/.claude-b/.credentials.json",
+          "reserve_5h": 10,
+          "reserve_weekly": 10
+        },
+        {
+          "tag": "pool",
+          "type": "balancer",
+          "poll_interval": "60s",
+          "credentials": ["a", "b"]
+        }
+      ],
+      "users": [
+        {
+          "name": "alice",
+          "token": "ak-ccm-hello-world",
+          "credential": "pool"
+        },
+        {
+          "name": "bob",
+          "token": "ak-ccm-hello-bob",
+          "credential": "a"
+        }
+      ]
+    }
+  ]
+}
+```

docs/configuration/service/ccm.zh.md

@@ -10,6 +10,11 @@ CCM（Claude Code 多路复用器）服务是一个多路复用服务，允许
 
 它在本地机器上处理与 Claude API 的 OAuth 身份验证，同时允许远程 Claude Code 通过 `ANTHROPIC_AUTH_TOKEN` 环境变量使用认证令牌进行身份验证。
 
+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [credentials](#credentials)  
+    :material-alert: [users](#users)
+
 ### 结构
 
 ```json
@@ -19,6 +24,7 @@ CCM（Claude Code 多路复用器）服务是一个多路复用服务，允许
   ... // 监听字段
 
   "credential_path": "",
+  "credentials": [],
   "usages_path": "",
   "users": [],
   "headers": {},
@@ -45,6 +51,77 @@ Claude Code OAuth 凭据文件的路径。
 
 刷新的令牌会自动写回相同位置。
 
+当 `credential_path` 指向文件时，即使文件尚不存在，服务也可以启动。文件被创建或更新后，凭据会自动变为可用；如果文件之后被删除或变为无效，该凭据会立即变为不可用。
+
+在 macOS 上如果未显式设置 `credential_path`，不会监听钥匙串变化。自动重载只作用于凭据文件路径。
+
+与 `credentials` 冲突。
+
+#### credentials
+
+!!! question "自 sing-box 1.14.0 起"
+
+多凭据模式的凭据配置列表。
+
+设置后，顶层 `credential_path`、`usages_path` 和 `detour` 被禁止。每个用户必须指定 `credential` 标签。
+
+每个凭据有一个 `type` 字段（`default`、`balancer` 或 `fallback`）和一个必填的 `tag` 字段。
+
+##### 默认凭据
+
+```json
+{
+  "tag": "a",
+  "credential_path": "/path/to/.credentials.json",
+  "usages_path": "/path/to/usages.json",
+  "detour": "",
+  "reserve_5h": 20,
+  "reserve_weekly": 20
+}
+```
+
+单个 OAuth 凭据文件。`type` 字段可以省略（默认为 `default`）。即使文件尚不存在，服务也可以启动，并会自动重载文件更新。
+
+- `credential_path`：凭据文件的路径。默认值与顶层 `credential_path` 相同。
+- `usages_path`：此凭据的可选使用跟踪文件。
+- `detour`：此凭据用于连接 Claude API 的出站标签。
+- `reserve_5h`：5 小时窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
+- `reserve_weekly`：每周窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
+
+##### 均衡凭据
+
+```json
+{
+  "tag": "pool",
+  "type": "balancer",
+  "strategy": "",
+  "credentials": ["a", "b"],
+  "poll_interval": "60s"
+}
+```
+
+根据选择的策略将会话分配给默认凭据。会话保持粘性，直到分配的凭据触发速率限制。
+
+- `strategy`：选择策略。可选值：`least_used` `round_robin` `random`。默认使用 `least_used`。
+- `credentials`：==必填== 默认凭据标签列表。
+- `poll_interval`：轮询上游使用 API 的间隔。默认 `60s`。
+
+##### 回退凭据
+
+```json
+{
+  "tag": "backup",
+  "type": "fallback",
+  "credentials": ["a", "b"],
+  "poll_interval": "30s"
+}
+```
+
+按顺序使用凭据。当前凭据耗尽后切换到下一个。
+
+- `credentials`：==必填== 有序的默认凭据标签列表。
+- `poll_interval`：轮询上游使用 API 的间隔。默认 `60s`。
+
 #### usages_path
 
 用于存储聚合 API 使用统计信息的文件路径。
@@ -60,6 +137,8 @@ Claude Code OAuth 凭据文件的路径。
 
 统计文件每分钟自动保存一次，并在服务关闭时保存。
 
+与 `credentials` 冲突。在多凭据模式下，在各个默认凭据上使用 `usages_path`。
+
 #### users
 
 用于令牌身份验证的授权用户列表。
@@ -71,7 +150,8 @@ Claude Code OAuth 凭据文件的路径。
 ```json
 {
   "name": "",
-  "token": ""
+  "token": "",
+  "credential": ""
 }
 ```
 
@@ -79,6 +159,7 @@ Claude Code OAuth 凭据文件的路径。
 
 - `name`：用于跟踪的用户名标识符。
 - `token`：用于身份验证的 Bearer 令牌。Claude Code 通过设置 `ANTHROPIC_AUTH_TOKEN` 环境变量为其令牌值进行身份验证。
+- `credential`：此用户使用的凭据标签。设置 `credentials` 时==必填==。
 
 #### headers
 
@@ -90,9 +171,11 @@ Claude Code OAuth 凭据文件的路径。
 
 用于连接 Claude API 的出站标签。
 
+与 `credentials` 冲突。在多凭据模式下，在各个默认凭据上使用 `detour`。
+
 #### tls
 
-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 
 ### 示例
 
@@ -129,3 +212,52 @@ export ANTHROPIC_AUTH_TOKEN="ak-ccm-hello-world"
 
 claude
 ```
+
+### 多凭据示例
+
+#### 服务端
+
+```json
+{
+  "services": [
+    {
+      "type": "ccm",
+      "listen": "0.0.0.0",
+      "listen_port": 8080,
+      "credentials": [
+        {
+          "tag": "a",
+          "credential_path": "/home/user/.claude-a/.credentials.json",
+          "usages_path": "/data/usages-a.json",
+          "reserve_5h": 20,
+          "reserve_weekly": 20
+        },
+        {
+          "tag": "b",
+          "credential_path": "/home/user/.claude-b/.credentials.json",
+          "reserve_5h": 10,
+          "reserve_weekly": 10
+        },
+        {
+          "tag": "pool",
+          "type": "balancer",
+          "poll_interval": "60s",
+          "credentials": ["a", "b"]
+        }
+      ],
+      "users": [
+        {
+          "name": "alice",
+          "token": "ak-ccm-hello-world",
+          "credential": "pool"
+        },
+        {
+          "name": "bob",
+          "token": "ak-ccm-hello-bob",
+          "credential": "a"
+        }
+      ]
+    }
+  ]
+}
+```

docs/configuration/service/derp.zh.md

@@ -36,7 +36,7 @@ DERP 服务是一个 Tailscale DERP 服务器，类似于 [derper](https://pkg.g
 
 #### tls
 
-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 
 #### config_path
 
@@ -96,7 +96,7 @@ Derper 配置文件路径。
 - `server`：**必填** DERP 服务器地址。
 - `server_port`：**必填** DERP 服务器端口。
 - `host`：自定义 DERP 主机名。
-- `tls`：[TLS](/zh/configuration/shared/tls/#出站)
+- `tls`：[TLS](/zh/configuration/shared/tls/#outbound)
 - `拨号字段`：[拨号字段](/zh/configuration/shared/dial/)
 
 #### mesh_psk

docs/configuration/service/ocm.md

@@ -10,6 +10,11 @@ OCM (OpenAI Codex Multiplexer) service is a multiplexing service that allows you
 
 It handles OAuth authentication with OpenAI's API on your local machine while allowing remote clients to authenticate using custom tokens.
 
+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [credentials](#credentials)  
+    :material-alert: [users](#users)
+
 ### Structure
 
 ```json
@@ -19,6 +24,7 @@ It handles OAuth authentication with OpenAI's API on your local machine while al
   ... // Listen Fields
 
   "credential_path": "",
+  "credentials": [],
   "usages_path": "",
   "users": [],
   "headers": {},
@@ -43,6 +49,75 @@ If not specified, defaults to:
 
 Refreshed tokens are automatically written back to the same location.
 
+When `credential_path` points to a file, the service can start before the file exists. The credential becomes available automatically after the file is created or updated, and becomes unavailable immediately if the file is later removed or becomes invalid.
+
+Conflict with `credentials`.
+
+#### credentials
+
+!!! question "Since sing-box 1.14.0"
+
+List of credential configurations for multi-credential mode.
+
+When set, top-level `credential_path`, `usages_path`, and `detour` are forbidden. Each user must specify a `credential` tag.
+
+Each credential has a `type` field (`default`, `balancer`, or `fallback`) and a required `tag` field.
+
+##### Default Credential
+
+```json
+{
+  "tag": "a",
+  "credential_path": "/path/to/auth.json",
+  "usages_path": "/path/to/usages.json",
+  "detour": "",
+  "reserve_5h": 20,
+  "reserve_weekly": 20
+}
+```
+
+A single OAuth credential file. The `type` field can be omitted (defaults to `default`). The service can start before the file exists, and reloads file updates automatically.
+
+- `credential_path`: Path to the credentials file. Same defaults as top-level `credential_path`.
+- `usages_path`: Optional usage tracking file for this credential.
+- `detour`: Outbound tag for connecting to the OpenAI API with this credential.
+- `reserve_5h`: Reserve threshold (1-99) for primary rate limit window. Credential pauses at (100-N)% utilization.
+- `reserve_weekly`: Reserve threshold (1-99) for secondary (weekly) rate limit window. Credential pauses at (100-N)% utilization.
+
+##### Balancer Credential
+
+```json
+{
+  "tag": "pool",
+  "type": "balancer",
+  "strategy": "",
+  "credentials": ["a", "b"],
+  "poll_interval": "60s"
+}
+```
+
+Assigns sessions to default credentials based on the selected strategy. Sessions are sticky until the assigned credential hits a rate limit.
+
+- `strategy`: Selection strategy. One of `least_used` `round_robin` `random`. `least_used` will be used by default.
+- `credentials`: ==Required== List of default credential tags.
+- `poll_interval`: How often to poll upstream usage API. Default `60s`.
+
+##### Fallback Credential
+
+```json
+{
+  "tag": "backup",
+  "type": "fallback",
+  "credentials": ["a", "b"],
+  "poll_interval": "30s"
+}
+```
+
+Uses credentials in order. Falls through to the next when the current one is exhausted.
+
+- `credentials`: ==Required== Ordered list of default credential tags.
+- `poll_interval`: How often to poll upstream usage API. Default `60s`.
+
 #### usages_path
 
 Path to the file for storing aggregated API usage statistics.
@@ -58,6 +133,8 @@ Statistics are organized by model and optionally by user when authentication is
 
 The statistics file is automatically saved every minute and upon service shutdown.
 
+Conflict with `credentials`. In multi-credential mode, use `usages_path` on individual default credentials.
+
 #### users
 
 List of authorized users for token authentication.
@@ -69,7 +146,8 @@ Object format:
 ```json
 {
   "name": "",
-  "token": ""
+  "token": "",
+  "credential": ""
 }
 ```
 
@@ -77,6 +155,7 @@ Object fields:
 
 - `name`: Username identifier for tracking purposes.
 - `token`: Bearer token for authentication. Clients authenticate by setting the `Authorization: Bearer <token>` header.
+- `credential`: Credential tag to use for this user. ==Required== when `credentials` is set.
 
 #### headers
 
@@ -88,6 +167,8 @@ These headers will override any existing headers with the same name.
 
 Outbound tag for connecting to the OpenAI API.
 
+Conflict with `credentials`. In multi-credential mode, use `detour` on individual default credentials.
+
 #### tls
 
 TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
@@ -183,3 +264,52 @@ Then run:
 ```bash
 codex --profile ocm
 ```
+
+### Example with Multiple Credentials
+
+#### Server
+
+```json
+{
+  "services": [
+    {
+      "type": "ocm",
+      "listen": "0.0.0.0",
+      "listen_port": 8080,
+      "credentials": [
+        {
+          "tag": "a",
+          "credential_path": "/home/user/.codex-a/auth.json",
+          "usages_path": "/data/usages-a.json",
+          "reserve_5h": 20,
+          "reserve_weekly": 20
+        },
+        {
+          "tag": "b",
+          "credential_path": "/home/user/.codex-b/auth.json",
+          "reserve_5h": 10,
+          "reserve_weekly": 10
+        },
+        {
+          "tag": "pool",
+          "type": "balancer",
+          "poll_interval": "60s",
+          "credentials": ["a", "b"]
+        }
+      ],
+      "users": [
+        {
+          "name": "alice",
+          "token": "sk-ocm-hello-world",
+          "credential": "pool"
+        },
+        {
+          "name": "bob",
+          "token": "sk-ocm-hello-bob",
+          "credential": "a"
+        }
+      ]
+    }
+  ]
+}
+```

docs/configuration/service/ocm.zh.md

@@ -10,6 +10,11 @@ OCM（OpenAI Codex 多路复用器）服务是一个多路复用服务，允许
 
 它在本地机器上处理与 OpenAI API 的 OAuth 身份验证，同时允许远程客户端使用自定义令牌进行身份验证。
 
+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [credentials](#credentials)  
+    :material-alert: [users](#users)
+
 ### 结构
 
 ```json
@@ -19,6 +24,7 @@ OCM（OpenAI Codex 多路复用器）服务是一个多路复用服务，允许
   ... // 监听字段
 
   "credential_path": "",
+  "credentials": [],
   "usages_path": "",
   "users": [],
   "headers": {},
@@ -43,6 +49,75 @@ OpenAI OAuth 凭据文件的路径。
 
 刷新的令牌会自动写回相同位置。
 
+当 `credential_path` 指向文件时，即使文件尚不存在，服务也可以启动。文件被创建或更新后，凭据会自动变为可用；如果文件之后被删除或变为无效，该凭据会立即变为不可用。
+
+与 `credentials` 冲突。
+
+#### credentials
+
+!!! question "自 sing-box 1.14.0 起"
+
+多凭据模式的凭据配置列表。
+
+设置后，顶层 `credential_path`、`usages_path` 和 `detour` 被禁止。每个用户必须指定 `credential` 标签。
+
+每个凭据有一个 `type` 字段（`default`、`balancer` 或 `fallback`）和一个必填的 `tag` 字段。
+
+##### 默认凭据
+
+```json
+{
+  "tag": "a",
+  "credential_path": "/path/to/auth.json",
+  "usages_path": "/path/to/usages.json",
+  "detour": "",
+  "reserve_5h": 20,
+  "reserve_weekly": 20
+}
+```
+
+单个 OAuth 凭据文件。`type` 字段可以省略（默认为 `default`）。即使文件尚不存在，服务也可以启动，并会自动重载文件更新。
+
+- `credential_path`：凭据文件的路径。默认值与顶层 `credential_path` 相同。
+- `usages_path`：此凭据的可选使用跟踪文件。
+- `detour`：此凭据用于连接 OpenAI API 的出站标签。
+- `reserve_5h`：主要速率限制窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
+- `reserve_weekly`：次要（每周）速率限制窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
+
+##### 均衡凭据
+
+```json
+{
+  "tag": "pool",
+  "type": "balancer",
+  "strategy": "",
+  "credentials": ["a", "b"],
+  "poll_interval": "60s"
+}
+```
+
+根据选择的策略将会话分配给默认凭据。会话保持粘性，直到分配的凭据触发速率限制。
+
+- `strategy`：选择策略。可选值：`least_used` `round_robin` `random`。默认使用 `least_used`。
+- `credentials`：==必填== 默认凭据标签列表。
+- `poll_interval`：轮询上游使用 API 的间隔。默认 `60s`。
+
+##### 回退凭据
+
+```json
+{
+  "tag": "backup",
+  "type": "fallback",
+  "credentials": ["a", "b"],
+  "poll_interval": "30s"
+}
+```
+
+按顺序使用凭据。当前凭据耗尽后切换到下一个。
+
+- `credentials`：==必填== 有序的默认凭据标签列表。
+- `poll_interval`：轮询上游使用 API 的间隔。默认 `60s`。
+
 #### usages_path
 
 用于存储聚合 API 使用统计信息的文件路径。
@@ -58,6 +133,8 @@ OpenAI OAuth 凭据文件的路径。
 
 统计文件每分钟自动保存一次，并在服务关闭时保存。
 
+与 `credentials` 冲突。在多凭据模式下，在各个默认凭据上使用 `usages_path`。
+
 #### users
 
 用于令牌身份验证的授权用户列表。
@@ -69,7 +146,8 @@ OpenAI OAuth 凭据文件的路径。
 ```json
 {
   "name": "",
-  "token": ""
+  "token": "",
+  "credential": ""
 }
 ```
 
@@ -77,6 +155,7 @@ OpenAI OAuth 凭据文件的路径。
 
 - `name`：用于跟踪的用户名标识符。
 - `token`：用于身份验证的 Bearer 令牌。客户端通过设置 `Authorization: Bearer <token>` 头进行身份验证。
+- `credential`：此用户使用的凭据标签。设置 `credentials` 时==必填==。
 
 #### headers
 
@@ -88,9 +167,11 @@ OpenAI OAuth 凭据文件的路径。
 
 用于连接 OpenAI API 的出站标签。
 
+与 `credentials` 冲突。在多凭据模式下，在各个默认凭据上使用 `detour`。
+
 #### tls
 
-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 
 ### 示例
 
@@ -184,3 +265,52 @@ model_provider = "ocm"
 ```bash
 codex --profile ocm
 ```
+
+### 多凭据示例
+
+#### 服务端
+
+```json
+{
+  "services": [
+    {
+      "type": "ocm",
+      "listen": "0.0.0.0",
+      "listen_port": 8080,
+      "credentials": [
+        {
+          "tag": "a",
+          "credential_path": "/home/user/.codex-a/auth.json",
+          "usages_path": "/data/usages-a.json",
+          "reserve_5h": 20,
+          "reserve_weekly": 20
+        },
+        {
+          "tag": "b",
+          "credential_path": "/home/user/.codex-b/auth.json",
+          "reserve_5h": 10,
+          "reserve_weekly": 10
+        },
+        {
+          "tag": "pool",
+          "type": "balancer",
+          "poll_interval": "60s",
+          "credentials": ["a", "b"]
+        }
+      ],
+      "users": [
+        {
+          "name": "alice",
+          "token": "sk-ocm-hello-world",
+          "credential": "pool"
+        },
+        {
+          "name": "bob",
+          "token": "sk-ocm-hello-bob",
+          "credential": "a"
+        }
+      ]
+    }
+  ]
+}
+```

docs/configuration/service/ssm-api.zh.md

@@ -55,4 +55,4 @@ SSM API 服务是一个用于管理 Shadowsocks 服务器的 RESTful API 服务
 
 #### tls
 
-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

docs/configuration/shared/dial.zh.md

@@ -173,7 +173,7 @@ TCP keep alive 间隔。
 
 用于设置解析域名的域名解析器。
 
-此选项的格式与 [路由 DNS 规则动作](/zh/configuration/dns/rule_action/#route) 相同，但不包含 `action` 字段。  
+此选项的格式与 [路由 DNS 规则动作](/configuration/dns/rule_action/#route) 相同，但不包含 `action` 字段。  
 
 若直接将此选项设置为字符串，则等同于设置该选项的 `server` 字段。
 
@@ -246,7 +246,7 @@ TCP keep alive 间隔。
 
 !!! failure "已在 sing-box 1.12.0 废弃"
 
-    `domain_strategy` 已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移出站域名策略选项到域名解析器)。
+    `domain_strategy` 已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/migration/#migrate-outbound-domain-strategy-option-to-domain-resolver)。
 
 可选值：`prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
 

docs/configuration/shared/listen.zh.md

@@ -145,13 +145,13 @@ UDP NAT 过期时间。
 
 如果设置，连接将被转发到指定的入站。
 
-需要目标入站支持，参阅 [注入支持](/zh/configuration/inbound/#字段)。
+需要目标入站支持，参阅 [注入支持](/zh/configuration/inbound/#_3)。
 
 #### sniff
 
 !!! failure "已在 sing-box 1.11.0 废弃"
 
-    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移旧的入站字段到规则动作).
+    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
 
 启用协议探测。
 
@@ -171,7 +171,7 @@ UDP NAT 过期时间。
 
 !!! failure "已在 sing-box 1.11.0 废弃"
 
-    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移旧的入站字段到规则动作).
+    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
 
 探测超时时间。
 
@@ -181,7 +181,7 @@ UDP NAT 过期时间。
 
 !!! failure "已在 sing-box 1.11.0 废弃"
 
-    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移旧的入站字段到规则动作).
+    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
 
 可选值： `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
 
@@ -193,7 +193,7 @@ UDP NAT 过期时间。
 
 !!! failure "已在 sing-box 1.11.0 废弃"
 
-    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移旧的入站字段到规则动作).
+    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
 
 如果启用，对于地址为域的 UDP 代理请求，将在响应中发送原始包地址而不是映射的域。
 

docs/configuration/shared/pre-match.zh.md

@@ -22,13 +22,13 @@ icon: material/new-box
 
 以 TCP RST / ICMP 不可达拒绝。
 
-详情参阅 [reject](/zh/configuration/route/rule_action/#reject)。
+详情参阅 [reject](/configuration/route/rule_action/#reject)。
 
 #### route
 
 将 ICMP 连接路由到指定出站以直接回复。
 
-详情参阅 [route](/zh/configuration/route/rule_action/#route)。
+详情参阅 [route](/configuration/route/rule_action/#route)。
 
 #### bypass
 
@@ -44,4 +44,4 @@ icon: material/new-box
 
 对于其他所有场景，指定了 `outbound` 的 bypass 行为与 `route` 相同。
 
-详情参阅 [bypass](/zh/configuration/route/rule_action/#bypass)。
+详情参阅 [bypass](/configuration/route/rule_action/#bypass)。

docs/configuration/shared/tls.zh.md

@@ -426,7 +426,7 @@ echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/
     其实现行为无法通过简单复制握手格式来复现，其行为细节必然存在差异，使得检测成为可能。
     此外，此库缺乏积极维护，且代码质量较差，不建议用于反审查场景。
 
-    如需 TLS 指纹抵抗，请改用 [NaiveProxy](/zh/configuration/inbound/naive/)。
+    如需 TLS 指纹抵抗，请改用 [NaiveProxy](/configuration/inbound/naive/)。
 
 uTLS 是 "crypto/tls" 的一个分支，它提供了 ClientHello 指纹识别阻力。
 

docs/configuration/shared/v2ray-transport.zh.md

@@ -144,7 +144,7 @@ HTTP 请求的额外标头
 
 !!! note ""
 
-    默认安装不包含标准 gRPC (兼容性好，但性能较差), 参阅 [安装](/zh/installation/build-from-source/#构建标记)。
+    默认安装不包含标准 gRPC (兼容性好，但性能较差), 参阅 [安装](/zh/installation/build-from-source/#_5)。
 
 ```json
 {

docs/configuration/shared/wifi-state.zh.md

@@ -4,7 +4,7 @@ icon: material/new-box
 
 # Wi-Fi 状态
 
-!!! quote "sing-box 1.13.0 中的更改"
+!!! quote "sing-box 1.13.0 的变更"
 
     :material-plus: Linux 支持  
     :material-plus: Windows 支持

docs/deprecated.zh.md

@@ -7,7 +7,7 @@ icon: material/delete-alert
 #### 旧的 DNS 服务器格式
 
 DNS 服务器已重构，
-参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式).
+参阅 [迁移指南](/migration/#migrate-to-new-dns-servers).
 
 对旧格式的兼容性将在 sing-box 1.14.0 中被移除。
 
@@ -15,7 +15,7 @@ DNS 服务器已重构，
 
 旧的 `outbound` DNS 规则已废弃，
 且可被拨号字段代替，
-参阅 [迁移指南](/zh/migration/#迁移-outbound-dns-规则项到域解析选项).
+参阅 [迁移指南](/migration/#migrate-outbound-dns-rule-items-to-domain-resolver).
 
 #### 旧的 ECH 字段
 
@@ -31,28 +31,28 @@ ECH 支持已在 sing-box 1.12.0 迁移至使用标准库，但标准库不支
 #### 旧的特殊出站
 
 旧的特殊出站（`block` / `dns`）已废弃且可以通过规则动作替代，
-参阅 [迁移指南](/zh/migration/#迁移旧的特殊出站到规则动作)。
+参阅 [迁移指南](/migration/#migrate-legacy-special-outbounds-to-rule-actions)。
 
 旧字段将在 sing-box 1.13.0 中被移除。
 
 #### 旧的入站字段
 
 旧的入站字段（`inbound.<sniff/domain_strategy/...>`）已废弃且可以通过规则动作替代，
-参阅 [迁移指南](/zh/migration/#迁移旧的入站字段到规则动作)。
+参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions)。
 
 旧字段将在 sing-box 1.13.0 中被移除。
 
 #### direct 出站中的目标地址覆盖字段
 
 direct 出站中的目标地址覆盖字段（`override_address` / `override_port`）已废弃且可以通过规则动作替代，
-参阅 [迁移指南](/zh/migration/#迁移-direct-出站中的目标地址覆盖字段到路由字段)。
+参阅 [迁移指南](/migration/#migrate-destination-override-fields-to-route-options)。
 
 旧字段将在 sing-box 1.13.0 中被移除。
 
 #### WireGuard 出站
 
 WireGuard 出站已废弃且可以通过端点替代，
-参阅 [迁移指南](/zh/migration/#迁移-wireguard-出站到端点)。
+参阅 [迁移指南](/migration/#migrate-wireguard-outbound-to-endpoint)。
 
 旧出站将在 sing-box 1.13.0 中被移除。
 
@@ -86,7 +86,7 @@ GSO 对透明代理场景没有优势，已废弃且在 TUN 中不再起作用
 #### Clash API 中的 Cache file 及相关功能
 
 Clash API 中的 `cache_file` 及相关功能已废弃且已迁移到独立的 `cache_file` 设置，
-参阅 [迁移指南](/zh/migration/#将缓存文件从-clash-api-迁移到独立选项)。
+参阅 [迁移指南](/zh/migration/#clash-api)。
 
 #### GeoIP
 
@@ -96,7 +96,7 @@ maxmind GeoIP 国家数据库作为 IP 分类数据库，不完全适合流量
 且现有的实现均存在内存使用大与管理困难的问题。
 
 sing-box 1.8.0 引入了[规则集](/zh/configuration/rule-set/)，
-可以完全替代 GeoIP， 参阅 [迁移指南](/zh/migration/#迁移-geoip-到规则集)。
+可以完全替代 GeoIP， 参阅 [迁移指南](/zh/migration/#geoip)。
 
 #### Geosite
 
@@ -106,7 +106,7 @@ Geosite，即由 V2Ray 维护的 domain-list-community 项目，作为早期流
 存在着包括缺少维护、规则不准确和管理困难内的大量问题。
 
 sing-box 1.8.0 引入了[规则集](/zh/configuration/rule-set/)，
-可以完全替代 Geosite，参阅 [迁移指南](/zh/migration/#迁移-geosite-到规则集)。
+可以完全替代 Geosite，参阅 [迁移指南](/zh/migration/#geosite)。
 
 ## 1.6.0
 

docs/installation/build-from-source.zh.md

@@ -51,20 +51,20 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
 
 | 构建标记                               | 默认启动              | 说明                                                                                                                                                                                                                                                                                                                             |
 |------------------------------------|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `with_quic`                        | :material-check:  | Build with QUIC support, see [QUIC and HTTP3 DNS transports](/zh/configuration/dns/server/), [Naive inbound](/zh/configuration/inbound/naive/), [Hysteria Inbound](/zh/configuration/inbound/hysteria/), [Hysteria Outbound](/zh/configuration/outbound/hysteria/) and [V2Ray Transport#QUIC](/zh/configuration/shared/v2ray-transport#quic). |
-| `with_grpc`                        | :material-close:️ | Build with standard gRPC support, see [V2Ray Transport#gRPC](/zh/configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                      |
-| `with_dhcp`                        | :material-check:  | Build with DHCP support, see [DHCP DNS transport](/zh/configuration/dns/server/).                                                                                                                                                                                                                                                 |
-| `with_wireguard`                   | :material-check:  | Build with WireGuard support, see [WireGuard outbound](/zh/configuration/outbound/wireguard/).                                                                                                                                                                                                                                    |
-| `with_utls`                        | :material-check:  | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/zh/configuration/shared/tls#utls).                                                                                                                                                                                          |
-| `with_acme`                        | :material-check:  | Build with ACME TLS certificate issuer support, see [TLS](/zh/configuration/shared/tls/).                                                                                                                                                                                                                                         |
-| `with_clash_api`                   | :material-check:  | Build with Clash API support, see [Experimental](/zh/configuration/experimental#clash-api-fields).                                                                                                                                                                                                                                |
-| `with_v2ray_api`                   | :material-close:️ | Build with V2Ray API support, see [Experimental](/zh/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
-| `with_gvisor`                      | :material-check:  | Build with gVisor support, see [Tun inbound](/zh/configuration/inbound/tun#stack) and [WireGuard outbound](/zh/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
-| `with_embedded_tor` (CGO required) | :material-close:️ | Build with embedded Tor support, see [Tor outbound](/zh/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
-| `with_tailscale`                   | :material-check:  | 构建 Tailscale 支持，参阅 [Tailscale 端点](/zh/configuration/endpoint/tailscale)。                                                                                                                                                                                                                                                         |
+| `with_quic`                        | :material-check:  | Build with QUIC support, see [QUIC and HTTP3 DNS transports](/configuration/dns/server/), [Naive inbound](/configuration/inbound/naive/), [Hysteria Inbound](/configuration/inbound/hysteria/), [Hysteria Outbound](/configuration/outbound/hysteria/) and [V2Ray Transport#QUIC](/configuration/shared/v2ray-transport#quic). |
+| `with_grpc`                        | :material-close:️ | Build with standard gRPC support, see [V2Ray Transport#gRPC](/configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                      |
+| `with_dhcp`                        | :material-check:  | Build with DHCP support, see [DHCP DNS transport](/configuration/dns/server/).                                                                                                                                                                                                                                                 |
+| `with_wireguard`                   | :material-check:  | Build with WireGuard support, see [WireGuard outbound](/configuration/outbound/wireguard/).                                                                                                                                                                                                                                    |
+| `with_utls`                        | :material-check:  | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/configuration/shared/tls#utls).                                                                                                                                                                                          |
+| `with_acme`                        | :material-check:  | Build with ACME TLS certificate issuer support, see [TLS](/configuration/shared/tls/).                                                                                                                                                                                                                                         |
+| `with_clash_api`                   | :material-check:  | Build with Clash API support, see [Experimental](/configuration/experimental#clash-api-fields).                                                                                                                                                                                                                                |
+| `with_v2ray_api`                   | :material-close:️ | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
+| `with_gvisor`                      | :material-check:  | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
+| `with_embedded_tor` (CGO required) | :material-close:️ | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
+| `with_tailscale`                   | :material-check:  | 构建 Tailscale 支持，参阅 [Tailscale 端点](/configuration/endpoint/tailscale)。                                                                                                                                                                                                                                                         |
 | `with_ccm`                         | :material-check:  | 构建 Claude Code Multiplexer 服务支持。                                                                                                                                                                                                                                                                                              |
 | `with_ocm`                         | :material-check:  | 构建 OpenAI Codex Multiplexer 服务支持。                                                                                                                                                                                                                                                                                             |
-| `with_naive_outbound`              | :material-check:  | 构建 NaiveProxy 出站支持，参阅 [NaiveProxy 出站](/zh/configuration/outbound/naive/)。                                                                                                                                                                                                                                                         |
+| `with_naive_outbound`              | :material-check:  | 构建 NaiveProxy 出站支持，参阅 [NaiveProxy 出站](/configuration/outbound/naive/)。                                                                                                                                                                                                                                                         |
 | `badlinkname`                      | :material-check:  | 启用 `go:linkname` 以访问标准库内部函数。Go 标准库未提供本项目需要的许多底层 API，且在外部重新实现不切实际。用于 kTLS（内核 TLS 卸载）和原始 TLS 记录操作。                                                                                                                                                                                                                           |
 | `tfogo_checklinkname0`             | :material-check:  | `badlinkname` 的伴随标记。Go 1.23+ 链接器强制限制 `go:linkname` 使用；此标记表示构建使用 `-checklinkname=0` 以绕过该限制。                                                                                                                                                                                                                                |
 

docs/migration.zh.md

@@ -518,9 +518,9 @@ DNS 服务器已经重构。
 
 !!! info "参考"
 
-    [DNS 规则](/zh/configuration/dns/rule/#outbound) /
-    [拨号字段](/zh/configuration/shared/dial/#domain_resolver) /
-    [路由](/zh/configuration/route/#default_domain_resolver)
+    [DNS 规则](/configuration/dns/rule/#outbound) /
+    [拨号字段](/configuration/shared/dial/#domain_resolver) /
+    [路由](/configuration/route/#default_domain_resolver)
 
 === ":material-card-remove: 废弃的"
 
@@ -596,7 +596,7 @@ DNS 服务器已经重构。
 
 !!! info "参考"
 
-    [拨号字段](/zh/configuration/shared/dial/#domain_strategy)
+    [拨号字段](/configuration/shared/dial/#domain_strategy)
 
 === ":material-card-remove: 弃用的"
 

go.mod

@@ -35,13 +35,13 @@ require (
 	github.com/sagernet/gomobile v0.1.12
 	github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1
 	github.com/sagernet/quic-go v0.59.0-sing-box-mod.4
-	github.com/sagernet/sing v0.8.3-0.20260315153529-ed51f65fbfde
+	github.com/sagernet/sing v0.8.3-0.20260311155444-d39eb42a9f69
 	github.com/sagernet/sing-mux v0.3.4
 	github.com/sagernet/sing-quic v0.6.0
 	github.com/sagernet/sing-shadowsocks v0.2.8
 	github.com/sagernet/sing-shadowsocks2 v0.2.1
 	github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11
-	github.com/sagernet/sing-tun v0.8.4-0.20260315091454-bbe21100c226
+	github.com/sagernet/sing-tun v0.8.3-0.20260311132553-5485872f601f
 	github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1
 	github.com/sagernet/smux v1.5.50-sing-box-mod.1
 	github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260311131347-f88b27eeb76e
@@ -58,7 +58,7 @@ require (
 	golang.org/x/net v0.50.0
 	golang.org/x/sys v0.41.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
-	google.golang.org/grpc v1.79.3
+	google.golang.org/grpc v1.79.1
 	google.golang.org/protobuf v1.36.11
 	howett.net/plist v1.0.1
 )

go.sum

@@ -236,8 +236,8 @@ github.com/sagernet/nftables v0.3.0-beta.4 h1:kbULlAwAC3jvdGAC1P5Fa3GSxVwQJibNen
 github.com/sagernet/nftables v0.3.0-beta.4/go.mod h1:OQXAjvjNGGFxaTgVCSTRIhYB5/llyVDeapVoENYBDS8=
 github.com/sagernet/quic-go v0.59.0-sing-box-mod.4 h1:6qvrUW79S+CrPwWz6cMePXohgjHoKxLo3c+MDhNwc3o=
 github.com/sagernet/quic-go v0.59.0-sing-box-mod.4/go.mod h1:OqILvS182CyOol5zNNo6bguvOGgXzV459+chpRaUC+4=
-github.com/sagernet/sing v0.8.3-0.20260315153529-ed51f65fbfde h1:RNQzlpnsXIuu1HGts/fIzJ1PR7RhrzaNlU52MDyiX1c=
-github.com/sagernet/sing v0.8.3-0.20260315153529-ed51f65fbfde/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/sing v0.8.3-0.20260311155444-d39eb42a9f69 h1:h6UF2emeydBQMAso99Nr3APV6YustOs+JszVuCkcFy0=
+github.com/sagernet/sing v0.8.3-0.20260311155444-d39eb42a9f69/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-mux v0.3.4 h1:ZQplKl8MNXutjzbMVtWvWG31fohhgOfCuUZR4dVQ8+s=
 github.com/sagernet/sing-mux v0.3.4/go.mod h1:QvlKMyNBNrQoyX4x+gq028uPbLM2XeRpWtDsWBJbFSk=
 github.com/sagernet/sing-quic v0.6.0 h1:dhrFnP45wgVKEOT1EvtsToxdzRnHIDIAgj6WHV9pLyM=
@@ -248,8 +248,8 @@ github.com/sagernet/sing-shadowsocks2 v0.2.1 h1:dWV9OXCeFPuYGHb6IRqlSptVnSzOelnq
 github.com/sagernet/sing-shadowsocks2 v0.2.1/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11 h1:tK+75l64tm9WvEFrYRE1t0YxoFdWQqw/h7Uhzj0vJ+w=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11/go.mod h1:sWqKnGlMipCHaGsw1sTTlimyUpgzP4WP3pjhCsYt9oA=
-github.com/sagernet/sing-tun v0.8.4-0.20260315091454-bbe21100c226 h1:Shy/fsm+pqVq6OkBAWPaOmOiPT/AwoRxQLiV1357Y0Y=
-github.com/sagernet/sing-tun v0.8.4-0.20260315091454-bbe21100c226/go.mod h1:pLCo4o+LacXEzz0bhwhJkKBjLlKOGPBNOAZ97ZVZWzs=
+github.com/sagernet/sing-tun v0.8.3-0.20260311132553-5485872f601f h1:uj3rzedphq1AiL0PpuVoob5RtKsPBcMRd8aqo+q0rqA=
+github.com/sagernet/sing-tun v0.8.3-0.20260311132553-5485872f601f/go.mod h1:pLCo4o+LacXEzz0bhwhJkKBjLlKOGPBNOAZ97ZVZWzs=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1 h1:aSwUNYUkVyVvdmBSufR8/nRFonwJeKSIROxHcm5br9o=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1/go.mod h1:P11scgTxMxVVQ8dlM27yNm3Cro40mD0+gHbnqrNGDuY=
 github.com/sagernet/smux v1.5.50-sing-box-mod.1 h1:XkJcivBC9V4wBjiGXIXZ229aZCU1hzcbp6kSkkyQ478=
@@ -383,8 +383,8 @@ gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
-google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=
-google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
+google.golang.org/grpc v1.79.1 h1:zGhSi45ODB9/p3VAawt9a+O/MULLl9dpizzNNpq7flY=
+google.golang.org/grpc v1.79.1/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
 google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=

log/format.go

@@ -168,7 +168,11 @@ func FormatDuration(duration time.Duration) string {
 		return F.ToString(duration.Milliseconds(), "ms")
 	} else if duration < time.Minute {
 		return F.ToString(int64(duration.Seconds()), ".", int64(duration.Seconds()*100)%100, "s")
-	} else {
+	} else if duration < time.Hour {
 		return F.ToString(int64(duration.Minutes()), "m", int64(duration.Seconds())%60, "s")
+	} else if duration < 24*time.Hour {
+		return F.ToString(int64(duration.Hours()), "h", int64(duration.Minutes())%60, "m")
+	} else {
+		return F.ToString(int64(duration.Hours())/24, "d", int64(duration.Hours())%24, "h")
 	}
 }

mkdocs.yml

@@ -183,10 +183,6 @@ nav:
           - CCM: configuration/service/ccm.md
           - OCM: configuration/service/ocm.md
 markdown_extensions:
-  - toc:
-      slugify: !!python/object/apply:pymdownx.slugs.slugify
-        kwds:
-          case: lower
   - pymdownx.inlinehilite
   - pymdownx.snippets
   - pymdownx.superfences

option/ccm.go

@@ -1,6 +1,9 @@
 package option
 
 import (
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json"
+	"github.com/sagernet/sing/common/json/badjson"
 	"github.com/sagernet/sing/common/json/badoption"
 )
 
@@ -8,6 +11,7 @@ type CCMServiceOptions struct {
 	ListenOptions
 	InboundTLSOptionsContainer
 	CredentialPath string               `json:"credential_path,omitempty"`
+	Credentials    []CCMCredential      `json:"credentials,omitempty"`
 	Users          []CCMUser            `json:"users,omitempty"`
 	Headers        badoption.HTTPHeader `json:"headers,omitempty"`
 	Detour         string               `json:"detour,omitempty"`
@@ -15,6 +19,94 @@ type CCMServiceOptions struct {
 }
 
 type CCMUser struct {
-	Name  string `json:"name,omitempty"`
-	Token string `json:"token,omitempty"`
+	Name               string `json:"name,omitempty"`
+	Token              string `json:"token,omitempty"`
+	Credential         string `json:"credential,omitempty"`
+	ExternalCredential string `json:"external_credential,omitempty"`
+	AllowExternalUsage bool   `json:"allow_external_usage,omitempty"`
+}
+
+type _CCMCredential struct {
+	Type            string                       `json:"type,omitempty"`
+	Tag             string                       `json:"tag"`
+	DefaultOptions  CCMDefaultCredentialOptions  `json:"-"`
+	ExternalOptions CCMExternalCredentialOptions `json:"-"`
+	BalancerOptions CCMBalancerCredentialOptions `json:"-"`
+	FallbackOptions CCMFallbackCredentialOptions `json:"-"`
+}
+
+type CCMCredential _CCMCredential
+
+func (c CCMCredential) MarshalJSON() ([]byte, error) {
+	var v any
+	switch c.Type {
+	case "", "default":
+		c.Type = ""
+		v = c.DefaultOptions
+	case "external":
+		v = c.ExternalOptions
+	case "balancer":
+		v = c.BalancerOptions
+	case "fallback":
+		v = c.FallbackOptions
+	default:
+		return nil, E.New("unknown credential type: ", c.Type)
+	}
+	return badjson.MarshallObjects((_CCMCredential)(c), v)
+}
+
+func (c *CCMCredential) UnmarshalJSON(bytes []byte) error {
+	err := json.Unmarshal(bytes, (*_CCMCredential)(c))
+	if err != nil {
+		return err
+	}
+	if c.Tag == "" {
+		return E.New("missing credential tag")
+	}
+	var v any
+	switch c.Type {
+	case "", "default":
+		c.Type = "default"
+		v = &c.DefaultOptions
+	case "external":
+		v = &c.ExternalOptions
+	case "balancer":
+		v = &c.BalancerOptions
+	case "fallback":
+		v = &c.FallbackOptions
+	default:
+		return E.New("unknown credential type: ", c.Type)
+	}
+	return badjson.UnmarshallExcluded(bytes, (*_CCMCredential)(c), v)
+}
+
+type CCMDefaultCredentialOptions struct {
+	CredentialPath string `json:"credential_path,omitempty"`
+	UsagesPath     string `json:"usages_path,omitempty"`
+	Detour         string `json:"detour,omitempty"`
+	Reserve5h      uint8  `json:"reserve_5h"`
+	ReserveWeekly  uint8  `json:"reserve_weekly"`
+	Limit5h        uint8  `json:"limit_5h,omitempty"`
+	LimitWeekly    uint8  `json:"limit_weekly,omitempty"`
+}
+
+type CCMBalancerCredentialOptions struct {
+	Strategy     string                     `json:"strategy,omitempty"`
+	Credentials  badoption.Listable[string] `json:"credentials"`
+	PollInterval badoption.Duration         `json:"poll_interval,omitempty"`
+}
+
+type CCMExternalCredentialOptions struct {
+	URL string `json:"url,omitempty"`
+	ServerOptions
+	Token        string             `json:"token"`
+	Reverse      bool               `json:"reverse,omitempty"`
+	Detour       string             `json:"detour,omitempty"`
+	UsagesPath   string             `json:"usages_path,omitempty"`
+	PollInterval badoption.Duration `json:"poll_interval,omitempty"`
+}
+
+type CCMFallbackCredentialOptions struct {
+	Credentials  badoption.Listable[string] `json:"credentials"`
+	PollInterval badoption.Duration         `json:"poll_interval,omitempty"`
 }

option/dns.go

@@ -339,7 +339,7 @@ func (o DNSServerAddressOptions) Build() M.Socksaddr {
 }
 
 func (o DNSServerAddressOptions) ServerIsDomain() bool {
-	return o.Build().IsDomain()
+	return M.IsDomainName(o.Server)
 }
 
 func (o *DNSServerAddressOptions) TakeServerOptions() ServerOptions {

option/ocm.go

@@ -1,6 +1,9 @@
 package option
 
 import (
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json"
+	"github.com/sagernet/sing/common/json/badjson"
 	"github.com/sagernet/sing/common/json/badoption"
 )
 
@@ -8,6 +11,7 @@ type OCMServiceOptions struct {
 	ListenOptions
 	InboundTLSOptionsContainer
 	CredentialPath string               `json:"credential_path,omitempty"`
+	Credentials    []OCMCredential      `json:"credentials,omitempty"`
 	Users          []OCMUser            `json:"users,omitempty"`
 	Headers        badoption.HTTPHeader `json:"headers,omitempty"`
 	Detour         string               `json:"detour,omitempty"`
@@ -15,6 +19,94 @@ type OCMServiceOptions struct {
 }
 
 type OCMUser struct {
-	Name  string `json:"name,omitempty"`
-	Token string `json:"token,omitempty"`
+	Name               string `json:"name,omitempty"`
+	Token              string `json:"token,omitempty"`
+	Credential         string `json:"credential,omitempty"`
+	ExternalCredential string `json:"external_credential,omitempty"`
+	AllowExternalUsage bool   `json:"allow_external_usage,omitempty"`
+}
+
+type _OCMCredential struct {
+	Type            string                       `json:"type,omitempty"`
+	Tag             string                       `json:"tag"`
+	DefaultOptions  OCMDefaultCredentialOptions  `json:"-"`
+	ExternalOptions OCMExternalCredentialOptions `json:"-"`
+	BalancerOptions OCMBalancerCredentialOptions `json:"-"`
+	FallbackOptions OCMFallbackCredentialOptions `json:"-"`
+}
+
+type OCMCredential _OCMCredential
+
+func (c OCMCredential) MarshalJSON() ([]byte, error) {
+	var v any
+	switch c.Type {
+	case "", "default":
+		c.Type = ""
+		v = c.DefaultOptions
+	case "external":
+		v = c.ExternalOptions
+	case "balancer":
+		v = c.BalancerOptions
+	case "fallback":
+		v = c.FallbackOptions
+	default:
+		return nil, E.New("unknown credential type: ", c.Type)
+	}
+	return badjson.MarshallObjects((_OCMCredential)(c), v)
+}
+
+func (c *OCMCredential) UnmarshalJSON(bytes []byte) error {
+	err := json.Unmarshal(bytes, (*_OCMCredential)(c))
+	if err != nil {
+		return err
+	}
+	if c.Tag == "" {
+		return E.New("missing credential tag")
+	}
+	var v any
+	switch c.Type {
+	case "", "default":
+		c.Type = "default"
+		v = &c.DefaultOptions
+	case "external":
+		v = &c.ExternalOptions
+	case "balancer":
+		v = &c.BalancerOptions
+	case "fallback":
+		v = &c.FallbackOptions
+	default:
+		return E.New("unknown credential type: ", c.Type)
+	}
+	return badjson.UnmarshallExcluded(bytes, (*_OCMCredential)(c), v)
+}
+
+type OCMDefaultCredentialOptions struct {
+	CredentialPath string `json:"credential_path,omitempty"`
+	UsagesPath     string `json:"usages_path,omitempty"`
+	Detour         string `json:"detour,omitempty"`
+	Reserve5h      uint8  `json:"reserve_5h"`
+	ReserveWeekly  uint8  `json:"reserve_weekly"`
+	Limit5h        uint8  `json:"limit_5h,omitempty"`
+	LimitWeekly    uint8  `json:"limit_weekly,omitempty"`
+}
+
+type OCMBalancerCredentialOptions struct {
+	Strategy     string                     `json:"strategy,omitempty"`
+	Credentials  badoption.Listable[string] `json:"credentials"`
+	PollInterval badoption.Duration         `json:"poll_interval,omitempty"`
+}
+
+type OCMExternalCredentialOptions struct {
+	URL string `json:"url,omitempty"`
+	ServerOptions
+	Token        string             `json:"token"`
+	Reverse      bool               `json:"reverse,omitempty"`
+	Detour       string             `json:"detour,omitempty"`
+	UsagesPath   string             `json:"usages_path,omitempty"`
+	PollInterval badoption.Duration `json:"poll_interval,omitempty"`
+}
+
+type OCMFallbackCredentialOptions struct {
+	Credentials  badoption.Listable[string] `json:"credentials"`
+	PollInterval badoption.Duration         `json:"poll_interval,omitempty"`
 }

option/outbound.go

@@ -155,7 +155,7 @@ func (o ServerOptions) Build() M.Socksaddr {
 }
 
 func (o ServerOptions) ServerIsDomain() bool {
-	return o.Build().IsDomain()
+	return M.IsDomainName(o.Server)
 }
 
 func (o *ServerOptions) TakeServerOptions() ServerOptions {

option/tailscale.go

@@ -61,7 +61,7 @@ func (d DERPVerifyClientURLOptions) ServerIsDomain() bool {
 	if err != nil {
 		return false
 	}
-	return M.ParseSocksaddr(verifyURL.Hostname()).IsDomain()
+	return M.IsDomainName(verifyURL.Host)
 }
 
 func (d DERPVerifyClientURLOptions) MarshalJSON() ([]byte, error) {

protocol/socks/outbound.go

@@ -83,7 +83,7 @@ func (h *Outbound) DialContext(ctx context.Context, network string, destination
 	default:
 		return nil, E.Extend(N.ErrUnknownNetwork, network)
 	}
-	if h.resolve && destination.IsDomain() {
+	if h.resolve && destination.IsFqdn() {
 		destinationAddresses, err := h.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
 		if err != nil {
 			return nil, err
@@ -101,7 +101,7 @@ func (h *Outbound) ListenPacket(ctx context.Context, destination M.Socksaddr) (n
 		h.logger.InfoContext(ctx, "outbound UoT packet connection to ", destination)
 		return h.uotClient.ListenPacket(ctx, destination)
 	}
-	if h.resolve && destination.IsDomain() {
+	if h.resolve && destination.IsFqdn() {
 		destinationAddresses, err := h.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
 		if err != nil {
 			return nil, err

protocol/tailscale/dns_transport.go

@@ -287,7 +287,7 @@ type DNSDialer struct {
 }
 
 func (d *DNSDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	if destination.IsDomain() {
+	if destination.IsFqdn() {
 		panic("invalid request here")
 	}
 	for _, prefix := range d.transport.routePrefixes {
@@ -299,7 +299,7 @@ func (d *DNSDialer) DialContext(ctx context.Context, network string, destination
 }
 
 func (d *DNSDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	if destination.IsDomain() {
+	if destination.IsFqdn() {
 		panic("invalid request here")
 	}
 	for _, prefix := range d.transport.routePrefixes {

protocol/tailscale/endpoint.go

@@ -190,7 +190,7 @@ func NewEndpoint(ctx context.Context, router adapter.Router, logger log.ContextL
 		if err != nil {
 			return nil, E.Cause(err, "parse control URL")
 		}
-		remoteIsDomain = M.ParseSocksaddr(controlURL.Hostname()).IsDomain()
+		remoteIsDomain = M.IsDomainName(controlURL.Hostname())
 	} else {
 		// controlplane.tailscale.com
 		remoteIsDomain = true
@@ -492,7 +492,7 @@ func (t *Endpoint) DialContext(ctx context.Context, network string, destination
 	case N.NetworkUDP:
 		t.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 	}
-	if destination.IsDomain() {
+	if destination.IsFqdn() {
 		destinationAddresses, err := t.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
 		if err != nil {
 			return nil, err
@@ -578,7 +578,7 @@ func (t *Endpoint) listenPacketWithAddress(ctx context.Context, destination M.So
 
 func (t *Endpoint) ListenPacketWithDestination(ctx context.Context, destination M.Socksaddr) (net.PacketConn, netip.Addr, error) {
 	t.logger.InfoContext(ctx, "outbound packet connection to ", destination)
-	if destination.IsDomain() {
+	if destination.IsFqdn() {
 		destinationAddresses, err := t.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
 		if err != nil {
 			return nil, netip.Addr{}, err

protocol/vless/outbound.go

@@ -167,7 +167,7 @@ func (h *vlessDialer) DialContext(ctx context.Context, network string, destinati
 		if h.xudp {
 			return h.client.DialEarlyXUDPPacketConn(conn, destination)
 		} else if h.packetAddr {
-			if destination.IsDomain() {
+			if destination.IsFqdn() {
 				return nil, E.New("packetaddr: domain destination is not supported")
 			}
 			packetConn, err := h.client.DialEarlyPacketConn(conn, M.Socksaddr{Fqdn: packetaddr.SeqPacketMagicAddress})
@@ -204,7 +204,7 @@ func (h *vlessDialer) ListenPacket(ctx context.Context, destination M.Socksaddr)
 	if h.xudp {
 		return h.client.DialEarlyXUDPPacketConn(conn, destination)
 	} else if h.packetAddr {
-		if destination.IsDomain() {
+		if destination.IsFqdn() {
 			return nil, E.New("packetaddr: domain destination is not supported")
 		}
 		conn, err := h.client.DialEarlyPacketConn(conn, M.Socksaddr{Fqdn: packetaddr.SeqPacketMagicAddress})

protocol/vmess/outbound.go

@@ -194,7 +194,7 @@ func (h *vmessDialer) ListenPacket(ctx context.Context, destination M.Socksaddr)
 		return nil, err
 	}
 	if h.packetAddr {
-		if destination.IsDomain() {
+		if destination.IsFqdn() {
 			return nil, E.New("packetaddr: domain destination is not supported")
 		}
 		return packetaddr.NewConn(h.client.DialEarlyPacketConn(conn, M.Socksaddr{Fqdn: packetaddr.SeqPacketMagicAddress}), destination), nil

protocol/wireguard/endpoint.go

@@ -210,7 +210,7 @@ func (w *Endpoint) DialContext(ctx context.Context, network string, destination
 	case N.NetworkUDP:
 		w.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 	}
-	if destination.IsDomain() {
+	if destination.IsFqdn() {
 		destinationAddresses, err := w.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
 		if err != nil {
 			return nil, err
@@ -224,7 +224,7 @@ func (w *Endpoint) DialContext(ctx context.Context, network string, destination
 
 func (w *Endpoint) ListenPacketWithDestination(ctx context.Context, destination M.Socksaddr) (net.PacketConn, netip.Addr, error) {
 	w.logger.InfoContext(ctx, "outbound packet connection to ", destination)
-	if destination.IsDomain() {
+	if destination.IsFqdn() {
 		destinationAddresses, err := w.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
 		if err != nil {
 			return nil, netip.Addr{}, err

route/network.go

@@ -51,6 +51,7 @@ type NetworkManager struct {
 	endpoint               adapter.EndpointManager
 	inbound                adapter.InboundManager
 	outbound               adapter.OutboundManager
+	serviceManager         adapter.ServiceManager
 	needWIFIState          bool
 	wifiMonitor            settings.WIFIMonitor
 	wifiState              adapter.WIFIState
@@ -94,6 +95,7 @@ func NewNetworkManager(ctx context.Context, logger logger.ContextLogger, options
 		endpoint:          service.FromContext[adapter.EndpointManager](ctx),
 		inbound:           service.FromContext[adapter.InboundManager](ctx),
 		outbound:          service.FromContext[adapter.OutboundManager](ctx),
+		serviceManager:    service.FromContext[adapter.ServiceManager](ctx),
 		needWIFIState:     hasRule(options.Rules, isWIFIRule) || hasDNSRule(dnsOptions.Rules, isWIFIDNSRule),
 	}
 	if options.DefaultNetworkStrategy != nil {
@@ -475,6 +477,15 @@ func (r *NetworkManager) ResetNetwork() {
 			listener.InterfaceUpdated()
 		}
 	}
+
+	if r.serviceManager != nil {
+		for _, svc := range r.serviceManager.Services() {
+			listener, isListener := svc.(adapter.InterfaceUpdateListener)
+			if isListener {
+				listener.InterfaceUpdated()
+			}
+		}
+	}
 }
 
 func (r *NetworkManager) notifyInterfaceUpdate(defaultInterface *control.Interface, flags int) {

route/route.go

@@ -349,7 +349,7 @@ func (r *Router) PreMatch(metadata adapter.InboundContext, routeContext tun.Dire
 		}
 		directRouteOutbound = defaultOutbound.(adapter.DirectRouteOutbound)
 	}
-	if metadata.Destination.IsDomain() {
+	if metadata.Destination.IsFqdn() {
 		if len(metadata.DestinationAddresses) == 0 {
 			var strategy C.DomainStrategy
 			if metadata.Source.IsIPv4() {
@@ -807,7 +807,7 @@ func (r *Router) actionSniff(
 }
 
 func (r *Router) actionResolve(ctx context.Context, metadata *adapter.InboundContext, action *R.RuleActionResolve) error {
-	if metadata.Destination.IsDomain() {
+	if metadata.Destination.IsFqdn() {
 		var transport adapter.DNSTransport
 		if action.Server != "" {
 			var loaded bool

service/ccm/credential.go

@@ -2,25 +2,74 @@ package ccm
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"io"
 	"net/http"
 	"os"
 	"os/user"
 	"path/filepath"
+	"runtime"
+	"slices"
+	"sync"
 	"time"
 
+	"github.com/sagernet/sing-box/log"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 
 const (
 	oauth2ClientID          = "9d1c250a-e61b-44d9-88ed-5944d1962f5e"
-	oauth2TokenURL          = "https://console.anthropic.com/v1/oauth/token"
+	oauth2TokenURL          = "https://platform.claude.com/v1/oauth/token"
 	claudeAPIBaseURL        = "https://api.anthropic.com"
 	tokenRefreshBufferMs    = 60000
 	anthropicBetaOAuthValue = "oauth-2025-04-20"
 )
 
+const ccmUserAgentFallback = "claude-code/2.1.72"
+
+var (
+	ccmUserAgentOnce  sync.Once
+	ccmUserAgentValue string
+)
+
+func initCCMUserAgent(logger log.ContextLogger) {
+	ccmUserAgentOnce.Do(func() {
+		version, err := detectClaudeCodeVersion()
+		if err != nil {
+			logger.Error("detect Claude Code version: ", err)
+			ccmUserAgentValue = ccmUserAgentFallback
+			return
+		}
+		logger.Debug("detected Claude Code version: ", version)
+		ccmUserAgentValue = "claude-code/" + version
+	})
+}
+
+func detectClaudeCodeVersion() (string, error) {
+	userInfo, err := getRealUser()
+	if err != nil {
+		return "", E.Cause(err, "get user")
+	}
+	binaryName := "claude"
+	if runtime.GOOS == "windows" {
+		binaryName = "claude.exe"
+	}
+	linkPath := filepath.Join(userInfo.HomeDir, ".local", "bin", binaryName)
+	target, err := os.Readlink(linkPath)
+	if err != nil {
+		return "", E.Cause(err, "readlink ", linkPath)
+	}
+	if !filepath.IsAbs(target) {
+		target = filepath.Join(filepath.Dir(linkPath), target)
+	}
+	parent := filepath.Base(filepath.Dir(target))
+	if parent != "versions" {
+		return "", E.New("unexpected symlink target: ", target)
+	}
+	return filepath.Base(target), nil
+}
+
 func getRealUser() (*user.User, error) {
 	if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {
 		sudoUserInfo, err := user.Lookup(sudoUser)
@@ -60,6 +109,14 @@ func readCredentialsFromFile(path string) (*oauthCredentials, error) {
 	return credentialsContainer.ClaudeAIAuth, nil
 }
 
+func checkCredentialFileWritable(path string) error {
+	file, err := os.OpenFile(path, os.O_WRONLY, 0)
+	if err != nil {
+		return err
+	}
+	return file.Close()
+}
+
 func writeCredentialsToFile(oauthCredentials *oauthCredentials, path string) error {
 	data, err := json.MarshalIndent(map[string]any{
 		"claudeAiOauth": oauthCredentials,
@@ -76,6 +133,7 @@ type oauthCredentials struct {
 	ExpiresAt        int64    `json:"expiresAt"`
 	Scopes           []string `json:"scopes,omitempty"`
 	SubscriptionType string   `json:"subscriptionType,omitempty"`
+	RateLimitTier    string   `json:"rateLimitTier,omitempty"`
 	IsMax            bool     `json:"isMax,omitempty"`
 }
 
@@ -86,7 +144,7 @@ func (c *oauthCredentials) needsRefresh() bool {
 	return time.Now().UnixMilli() >= c.ExpiresAt-tokenRefreshBufferMs
 }
 
-func refreshToken(httpClient *http.Client, credentials *oauthCredentials) (*oauthCredentials, error) {
+func refreshToken(ctx context.Context, httpClient *http.Client, credentials *oauthCredentials) (*oauthCredentials, error) {
 	if credentials.RefreshToken == "" {
 		return nil, E.New("refresh token is empty")
 	}
@@ -100,19 +158,24 @@ func refreshToken(httpClient *http.Client, credentials *oauthCredentials) (*oaut
 		return nil, E.Cause(err, "marshal request")
 	}
 
-	request, err := http.NewRequest("POST", oauth2TokenURL, bytes.NewReader(requestBody))
-	if err != nil {
-		return nil, err
-	}
-	request.Header.Set("Content-Type", "application/json")
-	request.Header.Set("Accept", "application/json")
-
-	response, err := httpClient.Do(request)
+	response, err := doHTTPWithRetry(ctx, httpClient, func() (*http.Request, error) {
+		request, err := http.NewRequest("POST", oauth2TokenURL, bytes.NewReader(requestBody))
+		if err != nil {
+			return nil, err
+		}
+		request.Header.Set("Content-Type", "application/json")
+		request.Header.Set("User-Agent", ccmUserAgentValue)
+		return request, nil
+	})
 	if err != nil {
 		return nil, err
 	}
 	defer response.Body.Close()
 
+	if response.StatusCode == http.StatusTooManyRequests {
+		body, _ := io.ReadAll(response.Body)
+		return nil, E.New("refresh rate limited: ", response.Status, " ", string(body))
+	}
 	if response.StatusCode != http.StatusOK {
 		body, _ := io.ReadAll(response.Body)
 		return nil, E.New("refresh failed: ", response.Status, " ", string(body))
@@ -137,3 +200,25 @@ func refreshToken(httpClient *http.Client, credentials *oauthCredentials) (*oaut
 
 	return &newCredentials, nil
 }
+
+func cloneCredentials(credentials *oauthCredentials) *oauthCredentials {
+	if credentials == nil {
+		return nil
+	}
+	cloned := *credentials
+	cloned.Scopes = append([]string(nil), credentials.Scopes...)
+	return &cloned
+}
+
+func credentialsEqual(left *oauthCredentials, right *oauthCredentials) bool {
+	if left == nil || right == nil {
+		return left == right
+	}
+	return left.AccessToken == right.AccessToken &&
+		left.RefreshToken == right.RefreshToken &&
+		left.ExpiresAt == right.ExpiresAt &&
+		slices.Equal(left.Scopes, right.Scopes) &&
+		left.SubscriptionType == right.SubscriptionType &&
+		left.RateLimitTier == right.RateLimitTier &&
+		left.IsMax == right.IsMax
+}

service/ccm/credential_darwin.go

@@ -69,6 +69,13 @@ func platformReadCredentials(customPath string) (*oauthCredentials, error) {
 	return readCredentialsFromFile(defaultPath)
 }
 
+func platformCanWriteCredentials(customPath string) error {
+	if customPath == "" {
+		return nil
+	}
+	return checkCredentialFileWritable(customPath)
+}
+
 func platformWriteCredentials(oauthCredentials *oauthCredentials, customPath string) error {
 	if customPath != "" {
 		return writeCredentialsToFile(oauthCredentials, customPath)

service/ccm/credential_external.go

@@ -0,0 +1,676 @@
+package ccm
+
+import (
+	"bytes"
+	"context"
+	stdTLS "crypto/tls"
+	"encoding/json"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/dialer"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/ntp"
+
+	"github.com/hashicorp/yamux"
+)
+
+const reverseProxyBaseURL = "http://reverse-proxy"
+
+type externalCredential struct {
+	tag          string
+	baseURL      string
+	token        string
+	httpClient   *http.Client
+	state        credentialState
+	stateMutex   sync.RWMutex
+	pollAccess   sync.Mutex
+	pollInterval time.Duration
+	usageTracker *AggregatedUsage
+	logger       log.ContextLogger
+
+	onBecameUnusable func()
+	interrupted      bool
+	requestContext   context.Context
+	cancelRequests   context.CancelFunc
+	requestAccess    sync.Mutex
+
+	// Reverse proxy fields
+	reverse              bool
+	reverseSession       *yamux.Session
+	reverseAccess        sync.RWMutex
+	closed               bool
+	reverseContext       context.Context
+	reverseCancel        context.CancelFunc
+	connectorDialer      N.Dialer
+	connectorDestination M.Socksaddr
+	connectorRequestPath string
+	connectorURL         *url.URL
+	connectorTLS         *stdTLS.Config
+	reverseService       http.Handler
+}
+
+func externalCredentialURLPort(parsedURL *url.URL) uint16 {
+	portStr := parsedURL.Port()
+	if portStr != "" {
+		port, err := strconv.ParseUint(portStr, 10, 16)
+		if err == nil {
+			return uint16(port)
+		}
+	}
+	if parsedURL.Scheme == "https" {
+		return 443
+	}
+	return 80
+}
+
+func externalCredentialServerPort(parsedURL *url.URL, configuredPort uint16) uint16 {
+	if configuredPort != 0 {
+		return configuredPort
+	}
+	return externalCredentialURLPort(parsedURL)
+}
+
+func externalCredentialBaseURL(parsedURL *url.URL) string {
+	baseURL := parsedURL.Scheme + "://" + parsedURL.Host
+	if parsedURL.Path != "" && parsedURL.Path != "/" {
+		baseURL += parsedURL.Path
+	}
+	if len(baseURL) > 0 && baseURL[len(baseURL)-1] == '/' {
+		baseURL = baseURL[:len(baseURL)-1]
+	}
+	return baseURL
+}
+
+func externalCredentialReversePath(parsedURL *url.URL, endpointPath string) string {
+	pathPrefix := parsedURL.EscapedPath()
+	if pathPrefix == "/" {
+		pathPrefix = ""
+	} else {
+		pathPrefix = strings.TrimSuffix(pathPrefix, "/")
+	}
+	return pathPrefix + endpointPath
+}
+
+func newExternalCredential(ctx context.Context, tag string, options option.CCMExternalCredentialOptions, logger log.ContextLogger) (*externalCredential, error) {
+	pollInterval := time.Duration(options.PollInterval)
+	if pollInterval <= 0 {
+		pollInterval = 30 * time.Minute
+	}
+
+	requestContext, cancelRequests := context.WithCancel(context.Background())
+	reverseContext, reverseCancel := context.WithCancel(context.Background())
+
+	cred := &externalCredential{
+		tag:            tag,
+		token:          options.Token,
+		pollInterval:   pollInterval,
+		logger:         logger,
+		requestContext: requestContext,
+		cancelRequests: cancelRequests,
+		reverse:        options.Reverse,
+		reverseContext: reverseContext,
+		reverseCancel:  reverseCancel,
+	}
+
+	if options.URL == "" {
+		// Receiver mode: no URL, wait for reverse connection
+		cred.baseURL = reverseProxyBaseURL
+		cred.httpClient = &http.Client{
+			Transport: &http.Transport{
+				ForceAttemptHTTP2: false,
+				DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
+					return cred.openReverseConnection(ctx)
+				},
+			},
+		}
+	} else {
+		// Normal or connector mode: has URL
+		parsedURL, err := url.Parse(options.URL)
+		if err != nil {
+			return nil, E.Cause(err, "parse url for credential ", tag)
+		}
+
+		credentialDialer, err := dialer.NewWithOptions(dialer.Options{
+			Context: ctx,
+			Options: option.DialerOptions{
+				Detour: options.Detour,
+			},
+			RemoteIsDomain: true,
+		})
+		if err != nil {
+			return nil, E.Cause(err, "create dialer for credential ", tag)
+		}
+
+		transport := &http.Transport{
+			ForceAttemptHTTP2: true,
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				if options.Server != "" {
+					destination := M.ParseSocksaddrHostPort(options.Server, externalCredentialServerPort(parsedURL, options.ServerPort))
+					return credentialDialer.DialContext(ctx, network, destination)
+				}
+				return credentialDialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
+			},
+		}
+
+		if parsedURL.Scheme == "https" {
+			transport.TLSClientConfig = &stdTLS.Config{
+				ServerName: parsedURL.Hostname(),
+				RootCAs:    adapter.RootPoolFromContext(ctx),
+				Time:       ntp.TimeFuncFromContext(ctx),
+			}
+		}
+
+		cred.baseURL = externalCredentialBaseURL(parsedURL)
+
+		if options.Reverse {
+			// Connector mode: we dial out to serve, not to proxy
+			cred.connectorDialer = credentialDialer
+			if options.Server != "" {
+				cred.connectorDestination = M.ParseSocksaddrHostPort(options.Server, externalCredentialServerPort(parsedURL, options.ServerPort))
+			} else {
+				cred.connectorDestination = M.ParseSocksaddrHostPort(parsedURL.Hostname(), externalCredentialURLPort(parsedURL))
+			}
+			cred.connectorRequestPath = externalCredentialReversePath(parsedURL, "/ccm/v1/reverse")
+			cred.connectorURL = parsedURL
+			if parsedURL.Scheme == "https" {
+				cred.connectorTLS = &stdTLS.Config{
+					ServerName: parsedURL.Hostname(),
+					RootCAs:    adapter.RootPoolFromContext(ctx),
+					Time:       ntp.TimeFuncFromContext(ctx),
+				}
+			}
+		} else {
+			// Normal mode: standard HTTP client for proxying
+			cred.httpClient = &http.Client{Transport: transport}
+		}
+	}
+
+	if options.UsagesPath != "" {
+		cred.usageTracker = &AggregatedUsage{
+			LastUpdated:  time.Now(),
+			Combinations: make([]CostCombination, 0),
+			filePath:     options.UsagesPath,
+			logger:       logger,
+		}
+	}
+
+	return cred, nil
+}
+
+func (c *externalCredential) start() error {
+	if c.usageTracker != nil {
+		err := c.usageTracker.Load()
+		if err != nil {
+			c.logger.Warn("load usage statistics for ", c.tag, ": ", err)
+		}
+	}
+	if c.reverse && c.connectorURL != nil {
+		go c.connectorLoop()
+	}
+	return nil
+}
+
+func (c *externalCredential) tagName() string {
+	return c.tag
+}
+
+func (c *externalCredential) isExternal() bool {
+	return true
+}
+
+func (c *externalCredential) isAvailable() bool {
+	return c.unavailableError() == nil
+}
+
+func (c *externalCredential) isUsable() bool {
+	if !c.isAvailable() {
+		return false
+	}
+	c.stateMutex.RLock()
+	if c.state.consecutivePollFailures > 0 {
+		c.stateMutex.RUnlock()
+		return false
+	}
+	if c.state.hardRateLimited {
+		if time.Now().Before(c.state.rateLimitResetAt) {
+			c.stateMutex.RUnlock()
+			return false
+		}
+		c.stateMutex.RUnlock()
+		c.stateMutex.Lock()
+		if c.state.hardRateLimited && !time.Now().Before(c.state.rateLimitResetAt) {
+			c.state.hardRateLimited = false
+		}
+		// No reserve for external: only 100% is unusable
+		usable := c.state.fiveHourUtilization < 100 && c.state.weeklyUtilization < 100
+		c.stateMutex.Unlock()
+		return usable
+	}
+	usable := c.state.fiveHourUtilization < 100 && c.state.weeklyUtilization < 100
+	c.stateMutex.RUnlock()
+	return usable
+}
+
+func (c *externalCredential) fiveHourUtilization() float64 {
+	c.stateMutex.RLock()
+	defer c.stateMutex.RUnlock()
+	return c.state.fiveHourUtilization
+}
+
+func (c *externalCredential) weeklyUtilization() float64 {
+	c.stateMutex.RLock()
+	defer c.stateMutex.RUnlock()
+	return c.state.weeklyUtilization
+}
+
+func (c *externalCredential) fiveHourCap() float64 {
+	return 100
+}
+
+func (c *externalCredential) weeklyCap() float64 {
+	return 100
+}
+
+func (c *externalCredential) planWeight() float64 {
+	c.stateMutex.RLock()
+	defer c.stateMutex.RUnlock()
+	if c.state.remotePlanWeight > 0 {
+		return c.state.remotePlanWeight
+	}
+	return 10
+}
+
+func (c *externalCredential) weeklyResetTime() time.Time {
+	c.stateMutex.RLock()
+	defer c.stateMutex.RUnlock()
+	return c.state.weeklyReset
+}
+
+func (c *externalCredential) markRateLimited(resetAt time.Time) {
+	c.logger.Warn("rate limited for ", c.tag, ", reset in ", log.FormatDuration(time.Until(resetAt)))
+	c.stateMutex.Lock()
+	c.state.hardRateLimited = true
+	c.state.rateLimitResetAt = resetAt
+	shouldInterrupt := c.checkTransitionLocked()
+	c.stateMutex.Unlock()
+	if shouldInterrupt {
+		c.interruptConnections()
+	}
+}
+
+func (c *externalCredential) earliestReset() time.Time {
+	c.stateMutex.RLock()
+	defer c.stateMutex.RUnlock()
+	if c.state.hardRateLimited {
+		return c.state.rateLimitResetAt
+	}
+	earliest := c.state.fiveHourReset
+	if !c.state.weeklyReset.IsZero() && (earliest.IsZero() || c.state.weeklyReset.Before(earliest)) {
+		earliest = c.state.weeklyReset
+	}
+	return earliest
+}
+
+func (c *externalCredential) unavailableError() error {
+	if c.reverse && c.connectorURL != nil {
+		return E.New("credential ", c.tag, " is unavailable: reverse connector credentials cannot serve local requests")
+	}
+	if c.baseURL == reverseProxyBaseURL {
+		session := c.getReverseSession()
+		if session == nil || session.IsClosed() {
+			return E.New("credential ", c.tag, " is unavailable: reverse connection not established")
+		}
+	}
+	return nil
+}
+
+func (c *externalCredential) getAccessToken() (string, error) {
+	return c.token, nil
+}
+
+func (c *externalCredential) buildProxyRequest(ctx context.Context, original *http.Request, bodyBytes []byte, _ http.Header) (*http.Request, error) {
+	proxyURL := c.baseURL + original.URL.RequestURI()
+	var body io.Reader
+	if bodyBytes != nil {
+		body = bytes.NewReader(bodyBytes)
+	} else {
+		body = original.Body
+	}
+	proxyRequest, err := http.NewRequestWithContext(ctx, original.Method, proxyURL, body)
+	if err != nil {
+		return nil, err
+	}
+
+	for key, values := range original.Header {
+		if !isHopByHopHeader(key) && !isReverseProxyHeader(key) && key != "Authorization" {
+			proxyRequest.Header[key] = values
+		}
+	}
+
+	proxyRequest.Header.Set("Authorization", "Bearer "+c.token)
+
+	return proxyRequest, nil
+}
+
+func (c *externalCredential) openReverseConnection(ctx context.Context) (net.Conn, error) {
+	if ctx == nil {
+		ctx = context.Background()
+	}
+	select {
+	case <-ctx.Done():
+		return nil, ctx.Err()
+	default:
+	}
+	session := c.getReverseSession()
+	if session == nil || session.IsClosed() {
+		return nil, E.New("reverse connection not established for ", c.tag)
+	}
+	conn, err := session.Open()
+	if err != nil {
+		return nil, err
+	}
+	select {
+	case <-ctx.Done():
+		conn.Close()
+		return nil, ctx.Err()
+	default:
+	}
+	return conn, nil
+}
+
+func (c *externalCredential) updateStateFromHeaders(headers http.Header) {
+	c.stateMutex.Lock()
+	isFirstUpdate := c.state.lastUpdated.IsZero()
+	oldFiveHour := c.state.fiveHourUtilization
+	oldWeekly := c.state.weeklyUtilization
+	hadData := false
+
+	if value, exists := parseOptionalAnthropicResetHeader(headers, "anthropic-ratelimit-unified-5h-reset"); exists {
+		hadData = true
+		c.state.fiveHourReset = value
+	}
+	if utilization := headers.Get("anthropic-ratelimit-unified-5h-utilization"); utilization != "" {
+		value, err := strconv.ParseFloat(utilization, 64)
+		if err == nil {
+			hadData = true
+			c.state.fiveHourUtilization = value * 100
+		}
+	}
+
+	if value, exists := parseOptionalAnthropicResetHeader(headers, "anthropic-ratelimit-unified-7d-reset"); exists {
+		hadData = true
+		c.state.weeklyReset = value
+	}
+	if utilization := headers.Get("anthropic-ratelimit-unified-7d-utilization"); utilization != "" {
+		value, err := strconv.ParseFloat(utilization, 64)
+		if err == nil {
+			hadData = true
+			c.state.weeklyUtilization = value * 100
+		}
+	}
+	if planWeight := headers.Get("X-CCM-Plan-Weight"); planWeight != "" {
+		value, err := strconv.ParseFloat(planWeight, 64)
+		if err == nil && value > 0 {
+			c.state.remotePlanWeight = value
+		}
+	}
+	if hadData {
+		c.state.consecutivePollFailures = 0
+		c.state.lastUpdated = time.Now()
+	}
+	if isFirstUpdate || int(c.state.fiveHourUtilization*100) != int(oldFiveHour*100) || int(c.state.weeklyUtilization*100) != int(oldWeekly*100) {
+		resetSuffix := ""
+		if !c.state.weeklyReset.IsZero() {
+			resetSuffix = ", resets=" + log.FormatDuration(time.Until(c.state.weeklyReset))
+		}
+		c.logger.Debug("usage update for ", c.tag, ": 5h=", c.state.fiveHourUtilization, "%, weekly=", c.state.weeklyUtilization, "%", resetSuffix)
+	}
+	shouldInterrupt := c.checkTransitionLocked()
+	c.stateMutex.Unlock()
+	if shouldInterrupt {
+		c.interruptConnections()
+	}
+}
+
+func (c *externalCredential) checkTransitionLocked() bool {
+	unusable := c.state.hardRateLimited || c.state.fiveHourUtilization >= 100 || c.state.weeklyUtilization >= 100 || c.state.consecutivePollFailures > 0
+	if unusable && !c.interrupted {
+		c.interrupted = true
+		return true
+	}
+	if !unusable && c.interrupted {
+		c.interrupted = false
+	}
+	return false
+}
+
+func (c *externalCredential) wrapRequestContext(parent context.Context) *credentialRequestContext {
+	c.requestAccess.Lock()
+	credentialContext := c.requestContext
+	c.requestAccess.Unlock()
+	derived, cancel := context.WithCancel(parent)
+	stop := context.AfterFunc(credentialContext, func() {
+		cancel()
+	})
+	return &credentialRequestContext{
+		Context:     derived,
+		releaseFunc: stop,
+		cancelFunc:  cancel,
+	}
+}
+
+func (c *externalCredential) interruptConnections() {
+	c.logger.Warn("interrupting connections for ", c.tag)
+	c.requestAccess.Lock()
+	c.cancelRequests()
+	c.requestContext, c.cancelRequests = context.WithCancel(context.Background())
+	c.requestAccess.Unlock()
+	if c.onBecameUnusable != nil {
+		c.onBecameUnusable()
+	}
+}
+
+func (c *externalCredential) pollUsage(ctx context.Context) {
+	if !c.pollAccess.TryLock() {
+		return
+	}
+	defer c.pollAccess.Unlock()
+	defer c.markUsagePollAttempted()
+
+	statusURL := c.baseURL + "/ccm/v1/status"
+	httpClient := &http.Client{
+		Transport: c.httpClient.Transport,
+		Timeout:   5 * time.Second,
+	}
+
+	response, err := doHTTPWithRetry(ctx, httpClient, func() (*http.Request, error) {
+		request, err := http.NewRequestWithContext(ctx, http.MethodGet, statusURL, nil)
+		if err != nil {
+			return nil, err
+		}
+		request.Header.Set("Authorization", "Bearer "+c.token)
+		return request, nil
+	})
+	if err != nil {
+		c.logger.Error("poll usage for ", c.tag, ": ", err)
+		c.incrementPollFailures()
+		return
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(response.Body)
+		c.logger.Debug("poll usage for ", c.tag, ": status ", response.StatusCode, " ", string(body))
+		// 404 means the remote does not have a status endpoint yet;
+		// usage will be updated passively from response headers.
+		if response.StatusCode == http.StatusNotFound {
+			c.stateMutex.Lock()
+			c.state.consecutivePollFailures = 0
+			c.checkTransitionLocked()
+			c.stateMutex.Unlock()
+		} else {
+			c.incrementPollFailures()
+		}
+		return
+	}
+
+	var statusResponse struct {
+		FiveHourUtilization float64 `json:"five_hour_utilization"`
+		WeeklyUtilization   float64 `json:"weekly_utilization"`
+		PlanWeight          float64 `json:"plan_weight"`
+	}
+	err = json.NewDecoder(response.Body).Decode(&statusResponse)
+	if err != nil {
+		c.logger.Debug("poll usage for ", c.tag, ": decode: ", err)
+		c.incrementPollFailures()
+		return
+	}
+
+	c.stateMutex.Lock()
+	isFirstUpdate := c.state.lastUpdated.IsZero()
+	oldFiveHour := c.state.fiveHourUtilization
+	oldWeekly := c.state.weeklyUtilization
+	c.state.consecutivePollFailures = 0
+	c.state.fiveHourUtilization = statusResponse.FiveHourUtilization
+	c.state.weeklyUtilization = statusResponse.WeeklyUtilization
+	if statusResponse.PlanWeight > 0 {
+		c.state.remotePlanWeight = statusResponse.PlanWeight
+	}
+	if c.state.hardRateLimited && time.Now().After(c.state.rateLimitResetAt) {
+		c.state.hardRateLimited = false
+	}
+	if isFirstUpdate || int(c.state.fiveHourUtilization*100) != int(oldFiveHour*100) || int(c.state.weeklyUtilization*100) != int(oldWeekly*100) {
+		resetSuffix := ""
+		if !c.state.weeklyReset.IsZero() {
+			resetSuffix = ", resets=" + log.FormatDuration(time.Until(c.state.weeklyReset))
+		}
+		c.logger.Debug("poll usage for ", c.tag, ": 5h=", c.state.fiveHourUtilization, "%, weekly=", c.state.weeklyUtilization, "%", resetSuffix)
+	}
+	shouldInterrupt := c.checkTransitionLocked()
+	c.stateMutex.Unlock()
+	if shouldInterrupt {
+		c.interruptConnections()
+	}
+}
+
+func (c *externalCredential) lastUpdatedTime() time.Time {
+	c.stateMutex.RLock()
+	defer c.stateMutex.RUnlock()
+	return c.state.lastUpdated
+}
+
+func (c *externalCredential) markUsagePollAttempted() {
+	c.stateMutex.Lock()
+	defer c.stateMutex.Unlock()
+	c.state.lastUpdated = time.Now()
+}
+
+func (c *externalCredential) pollBackoff(baseInterval time.Duration) time.Duration {
+	c.stateMutex.RLock()
+	failures := c.state.consecutivePollFailures
+	c.stateMutex.RUnlock()
+	if failures <= 0 {
+		return baseInterval
+	}
+	return failedPollRetryInterval
+}
+
+func (c *externalCredential) incrementPollFailures() {
+	c.stateMutex.Lock()
+	c.state.consecutivePollFailures++
+	shouldInterrupt := c.checkTransitionLocked()
+	c.stateMutex.Unlock()
+	if shouldInterrupt {
+		c.interruptConnections()
+	}
+}
+
+func (c *externalCredential) usageTrackerOrNil() *AggregatedUsage {
+	return c.usageTracker
+}
+
+func (c *externalCredential) httpTransport() *http.Client {
+	return c.httpClient
+}
+
+func (c *externalCredential) close() {
+	var session *yamux.Session
+	c.reverseAccess.Lock()
+	if !c.closed {
+		c.closed = true
+		if c.reverseCancel != nil {
+			c.reverseCancel()
+		}
+		session = c.reverseSession
+		c.reverseSession = nil
+	}
+	c.reverseAccess.Unlock()
+	if session != nil {
+		session.Close()
+	}
+	if c.usageTracker != nil {
+		c.usageTracker.cancelPendingSave()
+		err := c.usageTracker.Save()
+		if err != nil {
+			c.logger.Error("save usage statistics for ", c.tag, ": ", err)
+		}
+	}
+}
+
+func (c *externalCredential) getReverseSession() *yamux.Session {
+	c.reverseAccess.RLock()
+	defer c.reverseAccess.RUnlock()
+	return c.reverseSession
+}
+
+func (c *externalCredential) setReverseSession(session *yamux.Session) bool {
+	c.reverseAccess.Lock()
+	if c.closed {
+		c.reverseAccess.Unlock()
+		return false
+	}
+	old := c.reverseSession
+	c.reverseSession = session
+	c.reverseAccess.Unlock()
+	if old != nil {
+		old.Close()
+	}
+	return true
+}
+
+func (c *externalCredential) clearReverseSession(session *yamux.Session) {
+	c.reverseAccess.Lock()
+	if c.reverseSession == session {
+		c.reverseSession = nil
+	}
+	c.reverseAccess.Unlock()
+}
+
+func (c *externalCredential) getReverseContext() context.Context {
+	c.reverseAccess.RLock()
+	defer c.reverseAccess.RUnlock()
+	return c.reverseContext
+}
+
+func (c *externalCredential) resetReverseContext() {
+	c.reverseAccess.Lock()
+	if c.closed {
+		c.reverseAccess.Unlock()
+		return
+	}
+	c.reverseCancel()
+	c.reverseContext, c.reverseCancel = context.WithCancel(context.Background())
+	c.reverseAccess.Unlock()
+}

service/ccm/credential_file.go

@@ -0,0 +1,143 @@
+package ccm
+
+import (
+	"path/filepath"
+	"time"
+
+	"github.com/sagernet/fswatch"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+const credentialReloadRetryInterval = 2 * time.Second
+
+func resolveCredentialFilePath(customPath string) (string, error) {
+	if customPath == "" {
+		var err error
+		customPath, err = getDefaultCredentialsPath()
+		if err != nil {
+			return "", err
+		}
+	}
+	if filepath.IsAbs(customPath) {
+		return customPath, nil
+	}
+	return filepath.Abs(customPath)
+}
+
+func (c *defaultCredential) ensureCredentialWatcher() error {
+	c.watcherAccess.Lock()
+	defer c.watcherAccess.Unlock()
+
+	if c.watcher != nil || c.credentialFilePath == "" {
+		return nil
+	}
+	if !c.watcherRetryAt.IsZero() && time.Now().Before(c.watcherRetryAt) {
+		return nil
+	}
+
+	watcher, err := fswatch.NewWatcher(fswatch.Options{
+		Path:   []string{c.credentialFilePath},
+		Logger: c.logger,
+		Callback: func(string) {
+			err := c.reloadCredentials(true)
+			if err != nil {
+				c.logger.Warn("reload credentials for ", c.tag, ": ", err)
+			}
+		},
+	})
+	if err != nil {
+		c.watcherRetryAt = time.Now().Add(credentialReloadRetryInterval)
+		return err
+	}
+
+	err = watcher.Start()
+	if err != nil {
+		c.watcherRetryAt = time.Now().Add(credentialReloadRetryInterval)
+		return err
+	}
+
+	c.watcher = watcher
+	c.watcherRetryAt = time.Time{}
+	return nil
+}
+
+func (c *defaultCredential) retryCredentialReloadIfNeeded() {
+	c.stateMutex.RLock()
+	unavailable := c.state.unavailable
+	lastAttempt := c.state.lastCredentialLoadAttempt
+	c.stateMutex.RUnlock()
+	if !unavailable {
+		return
+	}
+	if !lastAttempt.IsZero() && time.Since(lastAttempt) < credentialReloadRetryInterval {
+		return
+	}
+
+	err := c.ensureCredentialWatcher()
+	if err != nil {
+		c.logger.Debug("start credential watcher for ", c.tag, ": ", err)
+	}
+	_ = c.reloadCredentials(false)
+}
+
+func (c *defaultCredential) reloadCredentials(force bool) error {
+	c.reloadAccess.Lock()
+	defer c.reloadAccess.Unlock()
+
+	c.stateMutex.RLock()
+	unavailable := c.state.unavailable
+	lastAttempt := c.state.lastCredentialLoadAttempt
+	c.stateMutex.RUnlock()
+	if !force {
+		if !unavailable {
+			return nil
+		}
+		if !lastAttempt.IsZero() && time.Since(lastAttempt) < credentialReloadRetryInterval {
+			return c.unavailableError()
+		}
+	}
+
+	c.stateMutex.Lock()
+	c.state.lastCredentialLoadAttempt = time.Now()
+	c.stateMutex.Unlock()
+
+	credentials, err := platformReadCredentials(c.credentialPath)
+	if err != nil {
+		return c.markCredentialsUnavailable(E.Cause(err, "read credentials"))
+	}
+
+	c.accessMutex.Lock()
+	c.credentials = credentials
+	c.accessMutex.Unlock()
+
+	c.stateMutex.Lock()
+	c.state.unavailable = false
+	c.state.lastCredentialLoadError = ""
+	c.state.accountType = credentials.SubscriptionType
+	c.state.rateLimitTier = credentials.RateLimitTier
+	c.checkTransitionLocked()
+	c.stateMutex.Unlock()
+
+	return nil
+}
+
+func (c *defaultCredential) markCredentialsUnavailable(err error) error {
+	c.accessMutex.Lock()
+	hadCredentials := c.credentials != nil
+	c.credentials = nil
+	c.accessMutex.Unlock()
+
+	c.stateMutex.Lock()
+	c.state.unavailable = true
+	c.state.lastCredentialLoadError = err.Error()
+	c.state.accountType = ""
+	c.state.rateLimitTier = ""
+	shouldInterrupt := c.checkTransitionLocked()
+	c.stateMutex.Unlock()
+
+	if shouldInterrupt && hadCredentials {
+		c.interruptConnections()
+	}
+
+	return err
+}

service/ccm/credential_other.go

@@ -13,6 +13,17 @@ func platformReadCredentials(customPath string) (*oauthCredentials, error) {
 	return readCredentialsFromFile(customPath)
 }
 
+func platformCanWriteCredentials(customPath string) error {
+	if customPath == "" {
+		var err error
+		customPath, err = getDefaultCredentialsPath()
+		if err != nil {
+			return err
+		}
+	}
+	return checkCredentialFileWritable(customPath)
+}
+
 func platformWriteCredentials(oauthCredentials *oauthCredentials, customPath string) error {
 	if customPath == "" {
 		var err error

service/ccm/reverse.go

@@ -0,0 +1,259 @@
+package ccm
+
+import (
+	"bufio"
+	"context"
+	stdTLS "crypto/tls"
+	"errors"
+	"io"
+	"math/rand/v2"
+	"net"
+	"net/http"
+	"strings"
+	"time"
+
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+
+	"github.com/hashicorp/yamux"
+)
+
+func reverseYamuxConfig() *yamux.Config {
+	config := yamux.DefaultConfig()
+	config.KeepAliveInterval = 15 * time.Second
+	config.ConnectionWriteTimeout = 10 * time.Second
+	config.MaxStreamWindowSize = 512 * 1024
+	config.LogOutput = io.Discard
+	return config
+}
+
+type bufferedConn struct {
+	reader *bufio.Reader
+	net.Conn
+}
+
+func (c *bufferedConn) Read(p []byte) (int, error) {
+	return c.reader.Read(p)
+}
+
+type yamuxNetListener struct {
+	session *yamux.Session
+}
+
+func (l *yamuxNetListener) Accept() (net.Conn, error) {
+	return l.session.Accept()
+}
+
+func (l *yamuxNetListener) Close() error {
+	return l.session.Close()
+}
+
+func (l *yamuxNetListener) Addr() net.Addr {
+	return l.session.Addr()
+}
+
+func (s *Service) handleReverseConnect(ctx context.Context, w http.ResponseWriter, r *http.Request) {
+	if r.Header.Get("Upgrade") != "reverse-proxy" {
+		writeJSONError(w, r, http.StatusBadRequest, "invalid_request_error", "missing Upgrade header")
+		return
+	}
+
+	authHeader := r.Header.Get("Authorization")
+	if authHeader == "" {
+		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "missing api key")
+		return
+	}
+	clientToken := strings.TrimPrefix(authHeader, "Bearer ")
+	if clientToken == authHeader {
+		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "invalid api key format")
+		return
+	}
+
+	receiverCredential := s.findReceiverCredential(clientToken)
+	if receiverCredential == nil {
+		s.logger.WarnContext(ctx, "reverse connect failed from ", r.RemoteAddr, ": no matching receiver credential")
+		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "invalid reverse token")
+		return
+	}
+
+	hijacker, ok := w.(http.Hijacker)
+	if !ok {
+		s.logger.ErrorContext(ctx, "reverse connect: hijack not supported")
+		writeJSONError(w, r, http.StatusInternalServerError, "api_error", "hijack not supported")
+		return
+	}
+
+	conn, bufferedReadWriter, err := hijacker.Hijack()
+	if err != nil {
+		s.logger.ErrorContext(ctx, "reverse connect: hijack: ", err)
+		return
+	}
+
+	response := "HTTP/1.1 101 Switching Protocols\r\nConnection: Upgrade\r\nUpgrade: reverse-proxy\r\n\r\n"
+	_, err = bufferedReadWriter.WriteString(response)
+	if err != nil {
+		conn.Close()
+		s.logger.ErrorContext(ctx, "reverse connect: write upgrade response: ", err)
+		return
+	}
+	err = bufferedReadWriter.Flush()
+	if err != nil {
+		conn.Close()
+		s.logger.ErrorContext(ctx, "reverse connect: flush upgrade response: ", err)
+		return
+	}
+
+	session, err := yamux.Client(conn, reverseYamuxConfig())
+	if err != nil {
+		conn.Close()
+		s.logger.ErrorContext(ctx, "reverse connect: create yamux client for ", receiverCredential.tagName(), ": ", err)
+		return
+	}
+
+	if !receiverCredential.setReverseSession(session) {
+		session.Close()
+		return
+	}
+	s.logger.InfoContext(ctx, "reverse connection established for ", receiverCredential.tagName(), " from ", r.RemoteAddr)
+
+	go func() {
+		<-session.CloseChan()
+		receiverCredential.clearReverseSession(session)
+		s.logger.WarnContext(ctx, "reverse connection lost for ", receiverCredential.tagName())
+	}()
+}
+
+func (s *Service) findReceiverCredential(token string) *externalCredential {
+	for _, cred := range s.allCredentials {
+		extCred, ok := cred.(*externalCredential)
+		if !ok {
+			continue
+		}
+		if extCred.baseURL == reverseProxyBaseURL && extCred.token == token {
+			return extCred
+		}
+	}
+	return nil
+}
+
+func (c *externalCredential) connectorLoop() {
+	var consecutiveFailures int
+	ctx := c.getReverseContext()
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		default:
+		}
+
+		sessionLifetime, err := c.connectorConnect(ctx)
+		if ctx.Err() != nil {
+			return
+		}
+		if sessionLifetime >= connectorBackoffResetThreshold {
+			consecutiveFailures = 0
+		}
+		consecutiveFailures++
+		backoff := connectorBackoff(consecutiveFailures)
+		c.logger.Warn("reverse connection for ", c.tag, " lost: ", err, ", reconnecting in ", backoff)
+		select {
+		case <-time.After(backoff):
+		case <-ctx.Done():
+			return
+		}
+	}
+}
+
+const connectorBackoffResetThreshold = time.Minute
+
+func connectorBackoff(failures int) time.Duration {
+	if failures > 5 {
+		failures = 5
+	}
+	base := time.Second * time.Duration(1<<failures)
+	if base > 30*time.Second {
+		base = 30 * time.Second
+	}
+	jitter := time.Duration(rand.Int64N(int64(base) / 2))
+	return base + jitter
+}
+
+func (c *externalCredential) connectorConnect(ctx context.Context) (time.Duration, error) {
+	if c.reverseService == nil {
+		return 0, E.New("reverse service not initialized")
+	}
+	destination := c.connectorResolveDestination()
+	conn, err := c.connectorDialer.DialContext(ctx, "tcp", destination)
+	if err != nil {
+		return 0, E.Cause(err, "dial")
+	}
+
+	if c.connectorTLS != nil {
+		tlsConn := stdTLS.Client(conn, c.connectorTLS.Clone())
+		err = tlsConn.HandshakeContext(ctx)
+		if err != nil {
+			conn.Close()
+			return 0, E.Cause(err, "tls handshake")
+		}
+		conn = tlsConn
+	}
+
+	upgradeRequest := "GET " + c.connectorRequestPath + " HTTP/1.1\r\n" +
+		"Host: " + c.connectorURL.Host + "\r\n" +
+		"Connection: Upgrade\r\n" +
+		"Upgrade: reverse-proxy\r\n" +
+		"Authorization: Bearer " + c.token + "\r\n" +
+		"\r\n"
+	_, err = io.WriteString(conn, upgradeRequest)
+	if err != nil {
+		conn.Close()
+		return 0, E.Cause(err, "write upgrade request")
+	}
+
+	reader := bufio.NewReader(conn)
+	statusLine, err := reader.ReadString('\n')
+	if err != nil {
+		conn.Close()
+		return 0, E.Cause(err, "read upgrade response")
+	}
+	if !strings.HasPrefix(statusLine, "HTTP/1.1 101") {
+		conn.Close()
+		return 0, E.New("unexpected upgrade response: ", strings.TrimSpace(statusLine))
+	}
+	for {
+		line, readErr := reader.ReadString('\n')
+		if readErr != nil {
+			conn.Close()
+			return 0, E.Cause(readErr, "read upgrade headers")
+		}
+		if strings.TrimSpace(line) == "" {
+			break
+		}
+	}
+
+	session, err := yamux.Server(&bufferedConn{reader: reader, Conn: conn}, reverseYamuxConfig())
+	if err != nil {
+		conn.Close()
+		return 0, E.Cause(err, "create yamux server")
+	}
+	defer session.Close()
+
+	c.logger.Info("reverse connection established for ", c.tag)
+
+	serveStart := time.Now()
+	httpServer := &http.Server{
+		Handler:     c.reverseService,
+		ReadTimeout: 0,
+		IdleTimeout: 120 * time.Second,
+	}
+	err = httpServer.Serve(&yamuxNetListener{session: session})
+	sessionLifetime := time.Since(serveStart)
+	if err != nil && !errors.Is(err, http.ErrServerClosed) && ctx.Err() == nil {
+		return sessionLifetime, E.Cause(err, "serve")
+	}
+	return sessionLifetime, E.New("connection closed")
+}
+
+func (c *externalCredential) connectorResolveDestination() M.Socksaddr {
+	return c.connectorDestination
+}

service/ccm/service.go

@@ -3,12 +3,10 @@ package ccm
 import (
 	"bytes"
 	"context"
-	stdTLS "crypto/tls"
 	"encoding/json"
 	"errors"
 	"io"
 	"mime"
-	"net"
 	"net/http"
 	"strconv"
 	"strings"
@@ -17,7 +15,6 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	boxService "github.com/sagernet/sing-box/adapter/service"
-	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/common/listener"
 	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
@@ -26,20 +23,20 @@ import (
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/ntp"
 	aTLS "github.com/sagernet/sing/common/tls"
 
 	"github.com/anthropics/anthropic-sdk-go"
 	"github.com/go-chi/chi/v5"
 	"golang.org/x/net/http2"
+	"golang.org/x/net/http2/h2c"
 )
 
 const (
 	contextWindowStandard   = 200000
 	contextWindowPremium    = 1000000
 	premiumContextThreshold = 200000
+	retryableUsageMessage   = "current credential reached its usage limit; retry the request to use another credential"
 )
 
 func RegisterService(registry *boxService.Registry) {
@@ -60,7 +57,6 @@ type errorDetails struct {
 func writeJSONError(w http.ResponseWriter, r *http.Request, statusCode int, errorType string, message string) {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(statusCode)
-
 	json.NewEncoder(w).Encode(errorResponse{
 		Type: "error",
 		Error: errorDetails{
@@ -71,6 +67,58 @@ func writeJSONError(w http.ResponseWriter, r *http.Request, statusCode int, erro
 	})
 }
 
+func hasAlternativeCredential(provider credentialProvider, currentCredential credential, filter func(credential) bool) bool {
+	if provider == nil || currentCredential == nil {
+		return false
+	}
+	for _, cred := range provider.allCredentials() {
+		if cred == currentCredential {
+			continue
+		}
+		if filter != nil && !filter(cred) {
+			continue
+		}
+		if cred.isUsable() {
+			return true
+		}
+	}
+	return false
+}
+
+func unavailableCredentialMessage(provider credentialProvider, fallback string) string {
+	if provider == nil {
+		return fallback
+	}
+	message := allCredentialsUnavailableError(provider.allCredentials()).Error()
+	if message == "all credentials unavailable" && fallback != "" {
+		return fallback
+	}
+	return message
+}
+
+func writeRetryableUsageError(w http.ResponseWriter, r *http.Request) {
+	writeJSONError(w, r, http.StatusTooManyRequests, "rate_limit_error", retryableUsageMessage)
+}
+
+func writeNonRetryableCredentialError(w http.ResponseWriter, r *http.Request, message string) {
+	writeJSONError(w, r, http.StatusBadRequest, "invalid_request_error", message)
+}
+
+func writeCredentialUnavailableError(
+	w http.ResponseWriter,
+	r *http.Request,
+	provider credentialProvider,
+	currentCredential credential,
+	filter func(credential) bool,
+	fallback string,
+) {
+	if hasAlternativeCredential(provider, currentCredential, filter) {
+		writeRetryableUsageError(w, r)
+		return
+	}
+	writeNonRetryableCredentialError(w, r, unavailableCredentialMessage(provider, fallback))
+}
+
 func isHopByHopHeader(header string) bool {
 	switch strings.ToLower(header) {
 	case "connection", "keep-alive", "proxy-authenticate", "proxy-authorization", "te", "trailers", "transfer-encoding", "upgrade", "host":
@@ -80,109 +128,111 @@ func isHopByHopHeader(header string) bool {
 	}
 }
 
+func isReverseProxyHeader(header string) bool {
+	lowerHeader := strings.ToLower(header)
+	if strings.HasPrefix(lowerHeader, "cf-") {
+		return true
+	}
+	switch lowerHeader {
+	case "cdn-loop", "true-client-ip", "x-forwarded-for", "x-forwarded-proto", "x-real-ip":
+		return true
+	default:
+		return false
+	}
+}
+
 const (
 	weeklyWindowSeconds = 604800
 	weeklyWindowMinutes = weeklyWindowSeconds / 60
 )
 
-func parseInt64Header(headers http.Header, headerName string) (int64, bool) {
-	headerValue := strings.TrimSpace(headers.Get(headerName))
-	if headerValue == "" {
-		return 0, false
-	}
-	parsedValue, parseError := strconv.ParseInt(headerValue, 10, 64)
-	if parseError != nil {
-		return 0, false
-	}
-	return parsedValue, true
-}
-
 func extractWeeklyCycleHint(headers http.Header) *WeeklyCycleHint {
-	resetAtUnix, hasResetAt := parseInt64Header(headers, "anthropic-ratelimit-unified-7d-reset")
-	if !hasResetAt || resetAtUnix <= 0 {
+	resetAt, exists := parseOptionalAnthropicResetHeader(headers, "anthropic-ratelimit-unified-7d-reset")
+	if !exists {
 		return nil
 	}
 
 	return &WeeklyCycleHint{
 		WindowMinutes: weeklyWindowMinutes,
-		ResetAt:       time.Unix(resetAtUnix, 0).UTC(),
+		ResetAt:       resetAt.UTC(),
 	}
 }
 
 type Service struct {
 	boxService.Adapter
-	ctx            context.Context
-	logger         log.ContextLogger
-	credentialPath string
-	credentials    *oauthCredentials
-	users          []option.CCMUser
-	httpClient     *http.Client
-	httpHeaders    http.Header
-	listener       *listener.Listener
-	tlsConfig      tls.ServerConfig
-	httpServer     *http.Server
-	userManager    *UserManager
-	accessMutex    sync.RWMutex
-	usageTracker   *AggregatedUsage
-	trackingGroup  sync.WaitGroup
-	shuttingDown   bool
+	ctx           context.Context
+	logger        log.ContextLogger
+	options       option.CCMServiceOptions
+	httpHeaders   http.Header
+	listener      *listener.Listener
+	tlsConfig     tls.ServerConfig
+	httpServer    *http.Server
+	userManager   *UserManager
+	trackingGroup sync.WaitGroup
+	shuttingDown  bool
+
+	// Legacy mode (single credential)
+	legacyCredential *defaultCredential
+	legacyProvider   credentialProvider
+
+	// Multi-credential mode
+	providers      map[string]credentialProvider
+	allCredentials []credential
+	userConfigMap  map[string]*option.CCMUser
 }
 
 func NewService(ctx context.Context, logger log.ContextLogger, tag string, options option.CCMServiceOptions) (adapter.Service, error) {
-	serviceDialer, err := dialer.NewWithOptions(dialer.Options{
-		Context: ctx,
-		Options: option.DialerOptions{
-			Detour: options.Detour,
-		},
-		RemoteIsDomain: true,
-	})
-	if err != nil {
-		return nil, E.Cause(err, "create dialer")
-	}
+	initCCMUserAgent(logger)
 
-	httpClient := &http.Client{
-		Transport: &http.Transport{
-			ForceAttemptHTTP2: true,
-			TLSClientConfig: &stdTLS.Config{
-				RootCAs: adapter.RootPoolFromContext(ctx),
-				Time:    ntp.TimeFuncFromContext(ctx),
-			},
-			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-				return serviceDialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
-			},
-		},
+	err := validateCCMOptions(options)
+	if err != nil {
+		return nil, E.Cause(err, "validate options")
 	}
 
 	userManager := &UserManager{
 		tokenMap: make(map[string]string),
 	}
 
-	var usageTracker *AggregatedUsage
-	if options.UsagesPath != "" {
-		usageTracker = &AggregatedUsage{
-			LastUpdated:  time.Now(),
-			Combinations: make([]CostCombination, 0),
-			filePath:     options.UsagesPath,
-			logger:       logger,
-		}
-	}
-
 	service := &Service{
-		Adapter:        boxService.NewAdapter(C.TypeCCM, tag),
-		ctx:            ctx,
-		logger:         logger,
-		credentialPath: options.CredentialPath,
-		users:          options.Users,
-		httpClient:     httpClient,
-		httpHeaders:    options.Headers.Build(),
+		Adapter:     boxService.NewAdapter(C.TypeCCM, tag),
+		ctx:         ctx,
+		logger:      logger,
+		options:     options,
+		httpHeaders: options.Headers.Build(),
 		listener: listener.New(listener.Options{
 			Context: ctx,
 			Logger:  logger,
 			Network: []string{N.NetworkTCP},
 			Listen:  options.ListenOptions,
 		}),
-		userManager:  userManager,
-		usageTracker: usageTracker,
+		userManager: userManager,
+	}
+
+	if len(options.Credentials) > 0 {
+		providers, allCredentials, err := buildCredentialProviders(ctx, options, logger)
+		if err != nil {
+			return nil, E.Cause(err, "build credential providers")
+		}
+		service.providers = providers
+		service.allCredentials = allCredentials
+
+		userConfigMap := make(map[string]*option.CCMUser)
+		for i := range options.Users {
+			userConfigMap[options.Users[i].Name] = &options.Users[i]
+		}
+		service.userConfigMap = userConfigMap
+	} else {
+		cred, err := newDefaultCredential(ctx, "default", option.CCMDefaultCredentialOptions{
+			CredentialPath: options.CredentialPath,
+			UsagesPath:     options.UsagesPath,
+			Detour:         options.Detour,
+		}, logger)
+		if err != nil {
+			return nil, err
+		}
+		service.legacyCredential = cred
+		service.legacyProvider = &singleCredentialProvider{cred: cred}
+		service.allCredentials = []credential{cred}
 	}
 
 	if options.TLS != nil {
@@ -201,28 +251,25 @@ func (s *Service) Start(stage adapter.StartStage) error {
 		return nil
 	}
 
-	s.userManager.UpdateUsers(s.users)
+	s.userManager.UpdateUsers(s.options.Users)
 
-	credentials, err := platformReadCredentials(s.credentialPath)
-	if err != nil {
-		return E.Cause(err, "read credentials")
-	}
-	s.credentials = credentials
-
-	if s.usageTracker != nil {
-		err = s.usageTracker.Load()
+	for _, cred := range s.allCredentials {
+		if extCred, ok := cred.(*externalCredential); ok && extCred.reverse && extCred.connectorURL != nil {
+			extCred.reverseService = s
+		}
+		err := cred.start()
 		if err != nil {
-			s.logger.Warn("load usage statistics: ", err)
+			return err
 		}
 	}
 
 	router := chi.NewRouter()
 	router.Mount("/", s)
 
-	s.httpServer = &http.Server{Handler: router}
+	s.httpServer = &http.Server{Handler: h2c.NewHandler(router, &http2.Server{})}
 
 	if s.tlsConfig != nil {
-		err = s.tlsConfig.Start()
+		err := s.tlsConfig.Start()
 		if err != nil {
 			return E.Cause(err, "create TLS config")
 		}
@@ -250,155 +297,257 @@ func (s *Service) Start(stage adapter.StartStage) error {
 	return nil
 }
 
-func (s *Service) getAccessToken() (string, error) {
-	s.accessMutex.RLock()
-	if !s.credentials.needsRefresh() {
-		token := s.credentials.AccessToken
-		s.accessMutex.RUnlock()
-		return token, nil
+func isExtendedContextRequest(betaHeader string) bool {
+	for _, feature := range strings.Split(betaHeader, ",") {
+		if strings.HasPrefix(strings.TrimSpace(feature), "context-1m") {
+			return true
+		}
 	}
-	s.accessMutex.RUnlock()
+	return false
+}
 
-	s.accessMutex.Lock()
-	defer s.accessMutex.Unlock()
-
-	if !s.credentials.needsRefresh() {
-		return s.credentials.AccessToken, nil
+func isFastModeRequest(betaHeader string) bool {
+	for _, feature := range strings.Split(betaHeader, ",") {
+		if strings.HasPrefix(strings.TrimSpace(feature), "fast-mode") {
+			return true
+		}
 	}
-
-	newCredentials, err := refreshToken(s.httpClient, s.credentials)
-	if err != nil {
-		return "", err
-	}
-
-	s.credentials = newCredentials
-
-	err = platformWriteCredentials(newCredentials, s.credentialPath)
-	if err != nil {
-		s.logger.Warn("persist refreshed token: ", err)
-	}
-
-	return newCredentials.AccessToken, nil
+	return false
 }
 
 func detectContextWindow(betaHeader string, totalInputTokens int64) int {
 	if totalInputTokens > premiumContextThreshold {
-		features := strings.Split(betaHeader, ",")
-		for _, feature := range features {
-			if strings.HasPrefix(strings.TrimSpace(feature), "context-1m") {
-				return contextWindowPremium
-			}
+		if isExtendedContextRequest(betaHeader) {
+			return contextWindowPremium
 		}
 	}
 	return contextWindowStandard
 }
 
 func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctx := log.ContextWithNewID(r.Context())
+	if r.URL.Path == "/ccm/v1/status" {
+		s.handleStatusEndpoint(w, r)
+		return
+	}
+
+	if r.URL.Path == "/ccm/v1/reverse" {
+		s.handleReverseConnect(ctx, w, r)
+		return
+	}
+
 	if !strings.HasPrefix(r.URL.Path, "/v1/") {
 		writeJSONError(w, r, http.StatusNotFound, "not_found_error", "Not found")
 		return
 	}
 
 	var username string
-	if len(s.users) > 0 {
+	if len(s.options.Users) > 0 {
 		authHeader := r.Header.Get("Authorization")
 		if authHeader == "" {
-			s.logger.Warn("authentication failed for request from ", r.RemoteAddr, ": missing Authorization header")
+			s.logger.WarnContext(ctx, "authentication failed for request from ", r.RemoteAddr, ": missing Authorization header")
 			writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "missing api key")
 			return
 		}
 		clientToken := strings.TrimPrefix(authHeader, "Bearer ")
 		if clientToken == authHeader {
-			s.logger.Warn("authentication failed for request from ", r.RemoteAddr, ": invalid Authorization format")
+			s.logger.WarnContext(ctx, "authentication failed for request from ", r.RemoteAddr, ": invalid Authorization format")
 			writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "invalid api key format")
 			return
 		}
 		var ok bool
 		username, ok = s.userManager.Authenticate(clientToken)
 		if !ok {
-			s.logger.Warn("authentication failed for request from ", r.RemoteAddr, ": unknown key: ", clientToken)
+			s.logger.WarnContext(ctx, "authentication failed for request from ", r.RemoteAddr, ": unknown key: ", clientToken)
 			writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "invalid api key")
 			return
 		}
 	}
 
+	// Always read body to extract model and session ID
+	var bodyBytes []byte
 	var requestModel string
 	var messagesCount int
+	var sessionID string
 
-	if s.usageTracker != nil && r.Body != nil {
-		bodyBytes, err := io.ReadAll(r.Body)
-		if err == nil {
-			var request struct {
-				Model    string                   `json:"model"`
-				Messages []anthropic.MessageParam `json:"messages"`
-			}
-			err := json.Unmarshal(bodyBytes, &request)
-			if err == nil {
-				requestModel = request.Model
-				messagesCount = len(request.Messages)
-			}
-			r.Body = io.NopCloser(bytes.NewBuffer(bodyBytes))
+	if r.Body != nil {
+		var err error
+		bodyBytes, err = io.ReadAll(r.Body)
+		if err != nil {
+			s.logger.ErrorContext(ctx, "read request body: ", err)
+			writeJSONError(w, r, http.StatusInternalServerError, "api_error", "failed to read request body")
+			return
 		}
+
+		var request struct {
+			Model    string                   `json:"model"`
+			Messages []anthropic.MessageParam `json:"messages"`
+		}
+		err = json.Unmarshal(bodyBytes, &request)
+		if err == nil {
+			requestModel = request.Model
+			messagesCount = len(request.Messages)
+		}
+
+		sessionID = extractCCMSessionID(bodyBytes)
+		r.Body = io.NopCloser(bytes.NewReader(bodyBytes))
 	}
 
-	accessToken, err := s.getAccessToken()
-	if err != nil {
-		s.logger.Error("get access token: ", err)
-		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "Authentication failed")
+	// Resolve credential provider and user config
+	var provider credentialProvider
+	var userConfig *option.CCMUser
+	if len(s.options.Users) > 0 {
+		userConfig = s.userConfigMap[username]
+		var err error
+		provider, err = credentialForUser(s.userConfigMap, s.providers, s.legacyProvider, username)
+		if err != nil {
+			s.logger.ErrorContext(ctx, "resolve credential: ", err)
+			writeJSONError(w, r, http.StatusInternalServerError, "api_error", err.Error())
+			return
+		}
+	} else {
+		provider = noUserCredentialProvider(s.providers, s.legacyProvider, s.options)
+	}
+	if provider == nil {
+		writeJSONError(w, r, http.StatusInternalServerError, "api_error", "no credential available")
 		return
 	}
 
-	proxyURL := claudeAPIBaseURL + r.URL.RequestURI()
-	proxyRequest, err := http.NewRequestWithContext(r.Context(), r.Method, proxyURL, r.Body)
+	provider.pollIfStale(s.ctx)
+
+	anthropicBetaHeader := r.Header.Get("anthropic-beta")
+	if isFastModeRequest(anthropicBetaHeader) {
+		if _, isSingle := provider.(*singleCredentialProvider); !isSingle {
+			writeJSONError(w, r, http.StatusBadRequest, "invalid_request_error",
+				"fast mode requests will consume Extra usage, please use a default credential directly")
+			return
+		}
+	}
+
+	var credentialFilter func(credential) bool
+	if userConfig != nil && !userConfig.AllowExternalUsage {
+		credentialFilter = func(c credential) bool { return !c.isExternal() }
+	}
+
+	selectedCredential, isNew, err := provider.selectCredential(sessionID, credentialFilter)
 	if err != nil {
-		s.logger.Error("create proxy request: ", err)
+		writeNonRetryableCredentialError(w, r, unavailableCredentialMessage(provider, err.Error()))
+		return
+	}
+	if isNew {
+		logParts := []any{"assigned credential ", selectedCredential.tagName()}
+		if sessionID != "" {
+			logParts = append(logParts, " for session ", sessionID)
+		}
+		if username != "" {
+			logParts = append(logParts, " by user ", username)
+		}
+		if requestModel != "" {
+			modelDisplay := requestModel
+			if isExtendedContextRequest(anthropicBetaHeader) {
+				modelDisplay += "[1m]"
+			}
+			logParts = append(logParts, ", model=", modelDisplay)
+		}
+		s.logger.DebugContext(ctx, logParts...)
+	}
+
+	if isFastModeRequest(anthropicBetaHeader) && selectedCredential.isExternal() {
+		writeJSONError(w, r, http.StatusBadRequest, "invalid_request_error",
+			"fast mode requests cannot be proxied through external credentials")
+		return
+	}
+
+	requestContext := selectedCredential.wrapRequestContext(r.Context())
+	defer func() {
+		requestContext.cancelRequest()
+	}()
+	proxyRequest, err := selectedCredential.buildProxyRequest(requestContext, r, bodyBytes, s.httpHeaders)
+	if err != nil {
+		s.logger.ErrorContext(ctx, "create proxy request: ", err)
 		writeJSONError(w, r, http.StatusInternalServerError, "api_error", "Internal server error")
 		return
 	}
 
-	for key, values := range r.Header {
-		if !isHopByHopHeader(key) && key != "Authorization" {
-			proxyRequest.Header[key] = values
-		}
-	}
-
-	serviceOverridesAcceptEncoding := len(s.httpHeaders.Values("Accept-Encoding")) > 0
-	if s.usageTracker != nil && !serviceOverridesAcceptEncoding {
-		// Strip Accept-Encoding so Go Transport adds it automatically
-		// and transparently decompresses the response for correct usage counting.
-		proxyRequest.Header.Del("Accept-Encoding")
-	}
-
-	anthropicBetaHeader := proxyRequest.Header.Get("anthropic-beta")
-	if anthropicBetaHeader != "" {
-		proxyRequest.Header.Set("anthropic-beta", anthropicBetaOAuthValue+","+anthropicBetaHeader)
-	} else {
-		proxyRequest.Header.Set("anthropic-beta", anthropicBetaOAuthValue)
-	}
-
-	for key, values := range s.httpHeaders {
-		proxyRequest.Header.Del(key)
-		proxyRequest.Header[key] = values
-	}
-
-	proxyRequest.Header.Set("Authorization", "Bearer "+accessToken)
-
-	response, err := s.httpClient.Do(proxyRequest)
+	response, err := selectedCredential.httpTransport().Do(proxyRequest)
 	if err != nil {
+		if r.Context().Err() != nil {
+			return
+		}
+		if requestContext.Err() != nil {
+			writeCredentialUnavailableError(w, r, provider, selectedCredential, credentialFilter, "credential became unavailable while processing the request")
+			return
+		}
 		writeJSONError(w, r, http.StatusBadGateway, "api_error", err.Error())
 		return
 	}
+	requestContext.releaseCredentialInterrupt()
+
+	// Transparent 429 retry
+	for response.StatusCode == http.StatusTooManyRequests {
+		resetAt := parseRateLimitResetFromHeaders(response.Header)
+		nextCredential := provider.onRateLimited(sessionID, selectedCredential, resetAt, credentialFilter)
+		selectedCredential.updateStateFromHeaders(response.Header)
+		if bodyBytes == nil || nextCredential == nil {
+			response.Body.Close()
+			writeCredentialUnavailableError(w, r, provider, selectedCredential, credentialFilter, "all credentials rate-limited")
+			return
+		}
+		response.Body.Close()
+		s.logger.InfoContext(ctx, "retrying with credential ", nextCredential.tagName(), " after 429 from ", selectedCredential.tagName())
+		requestContext.cancelRequest()
+		requestContext = nextCredential.wrapRequestContext(r.Context())
+		retryRequest, buildErr := nextCredential.buildProxyRequest(requestContext, r, bodyBytes, s.httpHeaders)
+		if buildErr != nil {
+			s.logger.ErrorContext(ctx, "retry request: ", buildErr)
+			writeJSONError(w, r, http.StatusBadGateway, "api_error", buildErr.Error())
+			return
+		}
+		retryResponse, retryErr := nextCredential.httpTransport().Do(retryRequest)
+		if retryErr != nil {
+			if r.Context().Err() != nil {
+				return
+			}
+			if requestContext.Err() != nil {
+				writeCredentialUnavailableError(w, r, provider, nextCredential, credentialFilter, "credential became unavailable while retrying the request")
+				return
+			}
+			s.logger.ErrorContext(ctx, "retry request: ", retryErr)
+			writeJSONError(w, r, http.StatusBadGateway, "api_error", retryErr.Error())
+			return
+		}
+		requestContext.releaseCredentialInterrupt()
+		response = retryResponse
+		selectedCredential = nextCredential
+	}
 	defer response.Body.Close()
 
+	selectedCredential.updateStateFromHeaders(response.Header)
+
+	if response.StatusCode != http.StatusOK && response.StatusCode != http.StatusTooManyRequests {
+		body, _ := io.ReadAll(response.Body)
+		s.logger.ErrorContext(ctx, "upstream error from ", selectedCredential.tagName(), ": status ", response.StatusCode, " ", string(body))
+		go selectedCredential.pollUsage(s.ctx)
+		writeJSONError(w, r, http.StatusInternalServerError, "api_error",
+			"proxy request (status "+strconv.Itoa(response.StatusCode)+"): "+string(body))
+		return
+	}
+
+	// Rewrite response headers for external users
+	if userConfig != nil && userConfig.ExternalCredential != "" {
+		s.rewriteResponseHeadersForExternalUser(response.Header, userConfig)
+	}
+
 	for key, values := range response.Header {
-		if !isHopByHopHeader(key) {
+		if !isHopByHopHeader(key) && !isReverseProxyHeader(key) {
 			w.Header()[key] = values
 		}
 	}
 	w.WriteHeader(response.StatusCode)
 
-	if s.usageTracker != nil && response.StatusCode == http.StatusOK {
-		s.handleResponseWithTracking(w, response, requestModel, anthropicBetaHeader, messagesCount, username)
+	usageTracker := selectedCredential.usageTrackerOrNil()
+	if usageTracker != nil && response.StatusCode == http.StatusOK {
+		s.handleResponseWithTracking(ctx, w, response, usageTracker, requestModel, anthropicBetaHeader, messagesCount, username)
 	} else {
 		mediaType, _, err := mime.ParseMediaType(response.Header.Get("Content-Type"))
 		if err == nil && mediaType != "text/event-stream" {
@@ -407,7 +556,7 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 		flusher, ok := w.(http.Flusher)
 		if !ok {
-			s.logger.Error("streaming not supported")
+			s.logger.ErrorContext(ctx, "streaming not supported")
 			return
 		}
 		buffer := make([]byte, buf.BufferSize)
@@ -416,7 +565,7 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			if n > 0 {
 				_, writeError := w.Write(buffer[:n])
 				if writeError != nil {
-					s.logger.Error("write streaming response: ", writeError)
+					s.logger.ErrorContext(ctx, "write streaming response: ", writeError)
 					return
 				}
 				flusher.Flush()
@@ -428,7 +577,7 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, response *http.Response, requestModel string, anthropicBetaHeader string, messagesCount int, username string) {
+func (s *Service) handleResponseWithTracking(ctx context.Context, writer http.ResponseWriter, response *http.Response, usageTracker *AggregatedUsage, requestModel string, anthropicBetaHeader string, messagesCount int, username string) {
 	weeklyCycleHint := extractWeeklyCycleHint(response.Header)
 	mediaType, _, err := mime.ParseMediaType(response.Header.Get("Content-Type"))
 	isStreaming := err == nil && mediaType == "text/event-stream"
@@ -436,7 +585,7 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 	if !isStreaming {
 		bodyBytes, err := io.ReadAll(response.Body)
 		if err != nil {
-			s.logger.Error("read response body: ", err)
+			s.logger.ErrorContext(ctx, "read response body: ", err)
 			return
 		}
 
@@ -456,7 +605,7 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 			if responseModel != "" {
 				totalInputTokens := usage.InputTokens + usage.CacheCreationInputTokens + usage.CacheReadInputTokens
 				contextWindow := detectContextWindow(anthropicBetaHeader, totalInputTokens)
-				s.usageTracker.AddUsageWithCycleHint(
+				usageTracker.AddUsageWithCycleHint(
 					responseModel,
 					contextWindow,
 					messagesCount,
@@ -479,7 +628,7 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 
 	flusher, ok := writer.(http.Flusher)
 	if !ok {
-		s.logger.Error("streaming not supported")
+		s.logger.ErrorContext(ctx, "streaming not supported")
 		return
 	}
 
@@ -542,7 +691,7 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 
 			_, writeError := writer.Write(buffer[:n])
 			if writeError != nil {
-				s.logger.Error("write streaming response: ", writeError)
+				s.logger.ErrorContext(ctx, "write streaming response: ", writeError)
 				return
 			}
 			flusher.Flush()
@@ -557,7 +706,7 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 				if responseModel != "" {
 					totalInputTokens := accumulatedUsage.InputTokens + accumulatedUsage.CacheCreationInputTokens + accumulatedUsage.CacheReadInputTokens
 					contextWindow := detectContextWindow(anthropicBetaHeader, totalInputTokens)
-					s.usageTracker.AddUsageWithCycleHint(
+					usageTracker.AddUsageWithCycleHint(
 						responseModel,
 						contextWindow,
 						messagesCount,
@@ -578,6 +727,120 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 	}
 }
 
+func (s *Service) handleStatusEndpoint(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		writeJSONError(w, r, http.StatusMethodNotAllowed, "invalid_request_error", "method not allowed")
+		return
+	}
+
+	if len(s.options.Users) == 0 {
+		writeJSONError(w, r, http.StatusForbidden, "authentication_error", "status endpoint requires user authentication")
+		return
+	}
+
+	authHeader := r.Header.Get("Authorization")
+	if authHeader == "" {
+		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "missing api key")
+		return
+	}
+	clientToken := strings.TrimPrefix(authHeader, "Bearer ")
+	if clientToken == authHeader {
+		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "invalid api key format")
+		return
+	}
+	username, ok := s.userManager.Authenticate(clientToken)
+	if !ok {
+		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "invalid api key")
+		return
+	}
+
+	userConfig := s.userConfigMap[username]
+	if userConfig == nil {
+		writeJSONError(w, r, http.StatusInternalServerError, "api_error", "user config not found")
+		return
+	}
+
+	provider, err := credentialForUser(s.userConfigMap, s.providers, s.legacyProvider, username)
+	if err != nil {
+		writeJSONError(w, r, http.StatusInternalServerError, "api_error", err.Error())
+		return
+	}
+
+	provider.pollIfStale(r.Context())
+	avgFiveHour, avgWeekly, totalWeight := s.computeAggregatedUtilization(provider, userConfig)
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	json.NewEncoder(w).Encode(map[string]float64{
+		"five_hour_utilization": avgFiveHour,
+		"weekly_utilization":    avgWeekly,
+		"plan_weight":           totalWeight,
+	})
+}
+
+func (s *Service) computeAggregatedUtilization(provider credentialProvider, userConfig *option.CCMUser) (float64, float64, float64) {
+	var totalWeightedRemaining5h, totalWeightedRemainingWeekly, totalWeight float64
+	for _, cred := range provider.allCredentials() {
+		if !cred.isAvailable() {
+			continue
+		}
+		if userConfig.ExternalCredential != "" && cred.tagName() == userConfig.ExternalCredential {
+			continue
+		}
+		if !userConfig.AllowExternalUsage && cred.isExternal() {
+			continue
+		}
+		weight := cred.planWeight()
+		remaining5h := cred.fiveHourCap() - cred.fiveHourUtilization()
+		if remaining5h < 0 {
+			remaining5h = 0
+		}
+		remainingWeekly := cred.weeklyCap() - cred.weeklyUtilization()
+		if remainingWeekly < 0 {
+			remainingWeekly = 0
+		}
+		totalWeightedRemaining5h += remaining5h * weight
+		totalWeightedRemainingWeekly += remainingWeekly * weight
+		totalWeight += weight
+	}
+	if totalWeight == 0 {
+		return 100, 100, 0
+	}
+	return 100 - totalWeightedRemaining5h/totalWeight,
+		100 - totalWeightedRemainingWeekly/totalWeight,
+		totalWeight
+}
+
+func (s *Service) rewriteResponseHeadersForExternalUser(headers http.Header, userConfig *option.CCMUser) {
+	provider, err := credentialForUser(s.userConfigMap, s.providers, s.legacyProvider, userConfig.Name)
+	if err != nil {
+		return
+	}
+
+	avgFiveHour, avgWeekly, totalWeight := s.computeAggregatedUtilization(provider, userConfig)
+
+	// Rewrite utilization headers to aggregated average (convert back to 0.0-1.0 range)
+	headers.Set("anthropic-ratelimit-unified-5h-utilization", strconv.FormatFloat(avgFiveHour/100, 'f', 6, 64))
+	headers.Set("anthropic-ratelimit-unified-7d-utilization", strconv.FormatFloat(avgWeekly/100, 'f', 6, 64))
+	if totalWeight > 0 {
+		headers.Set("X-CCM-Plan-Weight", strconv.FormatFloat(totalWeight, 'f', -1, 64))
+	}
+}
+
+func (s *Service) InterfaceUpdated() {
+	for _, cred := range s.allCredentials {
+		extCred, ok := cred.(*externalCredential)
+		if !ok {
+			continue
+		}
+		if extCred.reverse && extCred.connectorURL != nil {
+			extCred.reverseService = s
+			extCred.resetReverseContext()
+			go extCred.connectorLoop()
+		}
+	}
+}
+
 func (s *Service) Close() error {
 	err := common.Close(
 		common.PtrOrNil(s.httpServer),
@@ -585,12 +848,8 @@ func (s *Service) Close() error {
 		s.tlsConfig,
 	)
 
-	if s.usageTracker != nil {
-		s.usageTracker.cancelPendingSave()
-		saveErr := s.usageTracker.Save()
-		if saveErr != nil {
-			s.logger.Error("save usage statistics: ", saveErr)
-		}
+	for _, cred := range s.allCredentials {
+		cred.close()
 	}
 
 	return err

service/ocm/credential.go

@@ -2,6 +2,7 @@ package ocm
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"io"
 	"net/http"
@@ -55,6 +56,14 @@ func readCredentialsFromFile(path string) (*oauthCredentials, error) {
 	return &credentials, nil
 }
 
+func checkCredentialFileWritable(path string) error {
+	file, err := os.OpenFile(path, os.O_WRONLY, 0)
+	if err != nil {
+		return err
+	}
+	return file.Close()
+}
+
 func writeCredentialsToFile(credentials *oauthCredentials, path string) error {
 	data, err := json.MarshalIndent(credentials, "", "  ")
 	if err != nil {
@@ -110,7 +119,7 @@ func (c *oauthCredentials) needsRefresh() bool {
 	return time.Since(*c.LastRefresh) >= time.Duration(tokenRefreshIntervalDays)*24*time.Hour
 }
 
-func refreshToken(httpClient *http.Client, credentials *oauthCredentials) (*oauthCredentials, error) {
+func refreshToken(ctx context.Context, httpClient *http.Client, credentials *oauthCredentials) (*oauthCredentials, error) {
 	if credentials.Tokens == nil || credentials.Tokens.RefreshToken == "" {
 		return nil, E.New("refresh token is empty")
 	}
@@ -125,19 +134,24 @@ func refreshToken(httpClient *http.Client, credentials *oauthCredentials) (*oaut
 		return nil, E.Cause(err, "marshal request")
 	}
 
-	request, err := http.NewRequest("POST", oauth2TokenURL, bytes.NewReader(requestBody))
-	if err != nil {
-		return nil, err
-	}
-	request.Header.Set("Content-Type", "application/json")
-	request.Header.Set("Accept", "application/json")
-
-	response, err := httpClient.Do(request)
+	response, err := doHTTPWithRetry(ctx, httpClient, func() (*http.Request, error) {
+		request, err := http.NewRequest("POST", oauth2TokenURL, bytes.NewReader(requestBody))
+		if err != nil {
+			return nil, err
+		}
+		request.Header.Set("Content-Type", "application/json")
+		request.Header.Set("Accept", "application/json")
+		return request, nil
+	})
 	if err != nil {
 		return nil, err
 	}
 	defer response.Body.Close()
 
+	if response.StatusCode == http.StatusTooManyRequests {
+		body, _ := io.ReadAll(response.Body)
+		return nil, E.New("refresh rate limited: ", response.Status, " ", string(body))
+	}
 	if response.StatusCode != http.StatusOK {
 		body, _ := io.ReadAll(response.Body)
 		return nil, E.New("refresh failed: ", response.Status, " ", string(body))
@@ -171,3 +185,41 @@ func refreshToken(httpClient *http.Client, credentials *oauthCredentials) (*oaut
 
 	return &newCredentials, nil
 }
+
+func cloneCredentials(credentials *oauthCredentials) *oauthCredentials {
+	if credentials == nil {
+		return nil
+	}
+	cloned := *credentials
+	if credentials.Tokens != nil {
+		clonedTokens := *credentials.Tokens
+		cloned.Tokens = &clonedTokens
+	}
+	if credentials.LastRefresh != nil {
+		lastRefresh := *credentials.LastRefresh
+		cloned.LastRefresh = &lastRefresh
+	}
+	return &cloned
+}
+
+func credentialsEqual(left *oauthCredentials, right *oauthCredentials) bool {
+	if left == nil || right == nil {
+		return left == right
+	}
+	if left.APIKey != right.APIKey {
+		return false
+	}
+	if (left.Tokens == nil) != (right.Tokens == nil) {
+		return false
+	}
+	if left.Tokens != nil && *left.Tokens != *right.Tokens {
+		return false
+	}
+	if (left.LastRefresh == nil) != (right.LastRefresh == nil) {
+		return false
+	}
+	if left.LastRefresh != nil && !left.LastRefresh.Equal(*right.LastRefresh) {
+		return false
+	}
+	return true
+}

service/ocm/credential_darwin.go

@@ -13,6 +13,17 @@ func platformReadCredentials(customPath string) (*oauthCredentials, error) {
 	return readCredentialsFromFile(customPath)
 }
 
+func platformCanWriteCredentials(customPath string) error {
+	if customPath == "" {
+		var err error
+		customPath, err = getDefaultCredentialsPath()
+		if err != nil {
+			return err
+		}
+	}
+	return checkCredentialFileWritable(customPath)
+}
+
 func platformWriteCredentials(credentials *oauthCredentials, customPath string) error {
 	if customPath == "" {
 		var err error

service/ocm/credential_external.go

@@ -0,0 +1,729 @@
+package ocm
+
+import (
+	"bytes"
+	"context"
+	stdTLS "crypto/tls"
+	"encoding/json"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/dialer"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/ntp"
+
+	"github.com/hashicorp/yamux"
+)
+
+const reverseProxyBaseURL = "http://reverse-proxy"
+
+type externalCredential struct {
+	tag          string
+	baseURL      string
+	token        string
+	credDialer   N.Dialer
+	httpClient   *http.Client
+	state        credentialState
+	stateMutex   sync.RWMutex
+	pollAccess   sync.Mutex
+	pollInterval time.Duration
+	usageTracker *AggregatedUsage
+	logger       log.ContextLogger
+
+	onBecameUnusable func()
+	interrupted      bool
+	requestContext   context.Context
+	cancelRequests   context.CancelFunc
+	requestAccess    sync.Mutex
+
+	// Reverse proxy fields
+	reverse              bool
+	reverseSession       *yamux.Session
+	reverseAccess        sync.RWMutex
+	closed               bool
+	reverseContext       context.Context
+	reverseCancel        context.CancelFunc
+	connectorDialer      N.Dialer
+	connectorDestination M.Socksaddr
+	connectorRequestPath string
+	connectorURL         *url.URL
+	connectorTLS         *stdTLS.Config
+	reverseService       http.Handler
+}
+
+type reverseSessionDialer struct {
+	credential *externalCredential
+}
+
+func (d reverseSessionDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	if N.NetworkName(network) != N.NetworkTCP {
+		return nil, os.ErrInvalid
+	}
+	return d.credential.openReverseConnection(ctx)
+}
+
+func (d reverseSessionDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	return nil, os.ErrInvalid
+}
+
+func externalCredentialURLPort(parsedURL *url.URL) uint16 {
+	portStr := parsedURL.Port()
+	if portStr != "" {
+		port, err := strconv.ParseUint(portStr, 10, 16)
+		if err == nil {
+			return uint16(port)
+		}
+	}
+	if parsedURL.Scheme == "https" {
+		return 443
+	}
+	return 80
+}
+
+func externalCredentialServerPort(parsedURL *url.URL, configuredPort uint16) uint16 {
+	if configuredPort != 0 {
+		return configuredPort
+	}
+	return externalCredentialURLPort(parsedURL)
+}
+
+func externalCredentialBaseURL(parsedURL *url.URL) string {
+	baseURL := parsedURL.Scheme + "://" + parsedURL.Host
+	if parsedURL.Path != "" && parsedURL.Path != "/" {
+		baseURL += parsedURL.Path
+	}
+	if len(baseURL) > 0 && baseURL[len(baseURL)-1] == '/' {
+		baseURL = baseURL[:len(baseURL)-1]
+	}
+	return baseURL
+}
+
+func externalCredentialReversePath(parsedURL *url.URL, endpointPath string) string {
+	pathPrefix := parsedURL.EscapedPath()
+	if pathPrefix == "/" {
+		pathPrefix = ""
+	} else {
+		pathPrefix = strings.TrimSuffix(pathPrefix, "/")
+	}
+	return pathPrefix + endpointPath
+}
+
+func newExternalCredential(ctx context.Context, tag string, options option.OCMExternalCredentialOptions, logger log.ContextLogger) (*externalCredential, error) {
+	pollInterval := time.Duration(options.PollInterval)
+	if pollInterval <= 0 {
+		pollInterval = 30 * time.Minute
+	}
+
+	requestContext, cancelRequests := context.WithCancel(context.Background())
+	reverseContext, reverseCancel := context.WithCancel(context.Background())
+
+	cred := &externalCredential{
+		tag:            tag,
+		token:          options.Token,
+		pollInterval:   pollInterval,
+		logger:         logger,
+		requestContext: requestContext,
+		cancelRequests: cancelRequests,
+		reverse:        options.Reverse,
+		reverseContext: reverseContext,
+		reverseCancel:  reverseCancel,
+	}
+
+	if options.URL == "" {
+		// Receiver mode: no URL, wait for reverse connection
+		cred.baseURL = reverseProxyBaseURL
+		cred.credDialer = reverseSessionDialer{credential: cred}
+		cred.httpClient = &http.Client{
+			Transport: &http.Transport{
+				ForceAttemptHTTP2: false,
+				DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
+					return cred.openReverseConnection(ctx)
+				},
+			},
+		}
+	} else {
+		// Normal or connector mode: has URL
+		parsedURL, err := url.Parse(options.URL)
+		if err != nil {
+			return nil, E.Cause(err, "parse url for credential ", tag)
+		}
+
+		credentialDialer, err := dialer.NewWithOptions(dialer.Options{
+			Context: ctx,
+			Options: option.DialerOptions{
+				Detour: options.Detour,
+			},
+			RemoteIsDomain: true,
+		})
+		if err != nil {
+			return nil, E.Cause(err, "create dialer for credential ", tag)
+		}
+
+		transport := &http.Transport{
+			ForceAttemptHTTP2: true,
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				if options.Server != "" {
+					destination := M.ParseSocksaddrHostPort(options.Server, externalCredentialServerPort(parsedURL, options.ServerPort))
+					return credentialDialer.DialContext(ctx, network, destination)
+				}
+				return credentialDialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
+			},
+		}
+
+		if parsedURL.Scheme == "https" {
+			transport.TLSClientConfig = &stdTLS.Config{
+				ServerName: parsedURL.Hostname(),
+				RootCAs:    adapter.RootPoolFromContext(ctx),
+				Time:       ntp.TimeFuncFromContext(ctx),
+			}
+		}
+
+		cred.baseURL = externalCredentialBaseURL(parsedURL)
+
+		if options.Reverse {
+			// Connector mode: we dial out to serve, not to proxy
+			cred.connectorDialer = credentialDialer
+			if options.Server != "" {
+				cred.connectorDestination = M.ParseSocksaddrHostPort(options.Server, externalCredentialServerPort(parsedURL, options.ServerPort))
+			} else {
+				cred.connectorDestination = M.ParseSocksaddrHostPort(parsedURL.Hostname(), externalCredentialURLPort(parsedURL))
+			}
+			cred.connectorRequestPath = externalCredentialReversePath(parsedURL, "/ocm/v1/reverse")
+			cred.connectorURL = parsedURL
+			if parsedURL.Scheme == "https" {
+				cred.connectorTLS = &stdTLS.Config{
+					ServerName: parsedURL.Hostname(),
+					RootCAs:    adapter.RootPoolFromContext(ctx),
+					Time:       ntp.TimeFuncFromContext(ctx),
+				}
+			}
+		} else {
+			// Normal mode: standard HTTP client for proxying
+			cred.credDialer = credentialDialer
+			cred.httpClient = &http.Client{Transport: transport}
+		}
+	}
+
+	if options.UsagesPath != "" {
+		cred.usageTracker = &AggregatedUsage{
+			LastUpdated:  time.Now(),
+			Combinations: make([]CostCombination, 0),
+			filePath:     options.UsagesPath,
+			logger:       logger,
+		}
+	}
+
+	return cred, nil
+}
+
+func (c *externalCredential) start() error {
+	if c.usageTracker != nil {
+		err := c.usageTracker.Load()
+		if err != nil {
+			c.logger.Warn("load usage statistics for ", c.tag, ": ", err)
+		}
+	}
+	if c.reverse && c.connectorURL != nil {
+		go c.connectorLoop()
+	}
+	return nil
+}
+
+func (c *externalCredential) setOnBecameUnusable(fn func()) {
+	c.onBecameUnusable = fn
+}
+
+func (c *externalCredential) tagName() string {
+	return c.tag
+}
+
+func (c *externalCredential) isExternal() bool {
+	return true
+}
+
+func (c *externalCredential) isAvailable() bool {
+	return c.unavailableError() == nil
+}
+
+func (c *externalCredential) isUsable() bool {
+	if !c.isAvailable() {
+		return false
+	}
+	c.stateMutex.RLock()
+	if c.state.consecutivePollFailures > 0 {
+		c.stateMutex.RUnlock()
+		return false
+	}
+	if c.state.hardRateLimited {
+		if time.Now().Before(c.state.rateLimitResetAt) {
+			c.stateMutex.RUnlock()
+			return false
+		}
+		c.stateMutex.RUnlock()
+		c.stateMutex.Lock()
+		if c.state.hardRateLimited && !time.Now().Before(c.state.rateLimitResetAt) {
+			c.state.hardRateLimited = false
+		}
+		usable := c.state.fiveHourUtilization < 100 && c.state.weeklyUtilization < 100
+		c.stateMutex.Unlock()
+		return usable
+	}
+	usable := c.state.fiveHourUtilization < 100 && c.state.weeklyUtilization < 100
+	c.stateMutex.RUnlock()
+	return usable
+}
+
+func (c *externalCredential) fiveHourUtilization() float64 {
+	c.stateMutex.RLock()
+	defer c.stateMutex.RUnlock()
+	return c.state.fiveHourUtilization
+}
+
+func (c *externalCredential) weeklyUtilization() float64 {
+	c.stateMutex.RLock()
+	defer c.stateMutex.RUnlock()
+	return c.state.weeklyUtilization
+}
+
+func (c *externalCredential) fiveHourCap() float64 {
+	return 100
+}
+
+func (c *externalCredential) weeklyCap() float64 {
+	return 100
+}
+
+func (c *externalCredential) planWeight() float64 {
+	c.stateMutex.RLock()
+	defer c.stateMutex.RUnlock()
+	if c.state.remotePlanWeight > 0 {
+		return c.state.remotePlanWeight
+	}
+	return 10
+}
+
+func (c *externalCredential) weeklyResetTime() time.Time {
+	c.stateMutex.RLock()
+	defer c.stateMutex.RUnlock()
+	return c.state.weeklyReset
+}
+
+func (c *externalCredential) markRateLimited(resetAt time.Time) {
+	c.logger.Warn("rate limited for ", c.tag, ", reset in ", log.FormatDuration(time.Until(resetAt)))
+	c.stateMutex.Lock()
+	c.state.hardRateLimited = true
+	c.state.rateLimitResetAt = resetAt
+	shouldInterrupt := c.checkTransitionLocked()
+	c.stateMutex.Unlock()
+	if shouldInterrupt {
+		c.interruptConnections()
+	}
+}
+
+func (c *externalCredential) earliestReset() time.Time {
+	c.stateMutex.RLock()
+	defer c.stateMutex.RUnlock()
+	if c.state.hardRateLimited {
+		return c.state.rateLimitResetAt
+	}
+	earliest := c.state.fiveHourReset
+	if !c.state.weeklyReset.IsZero() && (earliest.IsZero() || c.state.weeklyReset.Before(earliest)) {
+		earliest = c.state.weeklyReset
+	}
+	return earliest
+}
+
+func (c *externalCredential) unavailableError() error {
+	if c.reverse && c.connectorURL != nil {
+		return E.New("credential ", c.tag, " is unavailable: reverse connector credentials cannot serve local requests")
+	}
+	if c.baseURL == reverseProxyBaseURL {
+		session := c.getReverseSession()
+		if session == nil || session.IsClosed() {
+			return E.New("credential ", c.tag, " is unavailable: reverse connection not established")
+		}
+	}
+	return nil
+}
+
+func (c *externalCredential) getAccessToken() (string, error) {
+	return c.token, nil
+}
+
+func (c *externalCredential) buildProxyRequest(ctx context.Context, original *http.Request, bodyBytes []byte, _ http.Header) (*http.Request, error) {
+	proxyURL := c.baseURL + original.URL.RequestURI()
+	var body io.Reader
+	if bodyBytes != nil {
+		body = bytes.NewReader(bodyBytes)
+	} else {
+		body = original.Body
+	}
+	proxyRequest, err := http.NewRequestWithContext(ctx, original.Method, proxyURL, body)
+	if err != nil {
+		return nil, err
+	}
+
+	for key, values := range original.Header {
+		if !isHopByHopHeader(key) && !isReverseProxyHeader(key) && key != "Authorization" {
+			proxyRequest.Header[key] = values
+		}
+	}
+
+	proxyRequest.Header.Set("Authorization", "Bearer "+c.token)
+
+	return proxyRequest, nil
+}
+
+func (c *externalCredential) openReverseConnection(ctx context.Context) (net.Conn, error) {
+	if ctx == nil {
+		ctx = context.Background()
+	}
+	select {
+	case <-ctx.Done():
+		return nil, ctx.Err()
+	default:
+	}
+	session := c.getReverseSession()
+	if session == nil || session.IsClosed() {
+		return nil, E.New("reverse connection not established for ", c.tag)
+	}
+	conn, err := session.Open()
+	if err != nil {
+		return nil, err
+	}
+	select {
+	case <-ctx.Done():
+		conn.Close()
+		return nil, ctx.Err()
+	default:
+	}
+	return conn, nil
+}
+
+func (c *externalCredential) updateStateFromHeaders(headers http.Header) {
+	c.stateMutex.Lock()
+	isFirstUpdate := c.state.lastUpdated.IsZero()
+	oldFiveHour := c.state.fiveHourUtilization
+	oldWeekly := c.state.weeklyUtilization
+	hadData := false
+
+	activeLimitIdentifier := normalizeRateLimitIdentifier(headers.Get("x-codex-active-limit"))
+	if activeLimitIdentifier == "" {
+		activeLimitIdentifier = "codex"
+	}
+
+	fiveHourResetAt := headers.Get("x-" + activeLimitIdentifier + "-primary-reset-at")
+	if fiveHourResetAt != "" {
+		value, err := strconv.ParseInt(fiveHourResetAt, 10, 64)
+		if err == nil {
+			hadData = true
+			c.state.fiveHourReset = time.Unix(value, 0)
+		}
+	}
+	fiveHourPercent := headers.Get("x-" + activeLimitIdentifier + "-primary-used-percent")
+	if fiveHourPercent != "" {
+		value, err := strconv.ParseFloat(fiveHourPercent, 64)
+		if err == nil {
+			hadData = true
+			c.state.fiveHourUtilization = value
+		}
+	}
+
+	weeklyResetAt := headers.Get("x-" + activeLimitIdentifier + "-secondary-reset-at")
+	if weeklyResetAt != "" {
+		value, err := strconv.ParseInt(weeklyResetAt, 10, 64)
+		if err == nil {
+			hadData = true
+			c.state.weeklyReset = time.Unix(value, 0)
+		}
+	}
+	weeklyPercent := headers.Get("x-" + activeLimitIdentifier + "-secondary-used-percent")
+	if weeklyPercent != "" {
+		value, err := strconv.ParseFloat(weeklyPercent, 64)
+		if err == nil {
+			hadData = true
+			c.state.weeklyUtilization = value
+		}
+	}
+	if planWeight := headers.Get("X-OCM-Plan-Weight"); planWeight != "" {
+		value, err := strconv.ParseFloat(planWeight, 64)
+		if err == nil && value > 0 {
+			c.state.remotePlanWeight = value
+		}
+	}
+	if hadData {
+		c.state.consecutivePollFailures = 0
+		c.state.lastUpdated = time.Now()
+	}
+	if isFirstUpdate || int(c.state.fiveHourUtilization*100) != int(oldFiveHour*100) || int(c.state.weeklyUtilization*100) != int(oldWeekly*100) {
+		resetSuffix := ""
+		if !c.state.weeklyReset.IsZero() {
+			resetSuffix = ", resets=" + log.FormatDuration(time.Until(c.state.weeklyReset))
+		}
+		c.logger.Debug("usage update for ", c.tag, ": 5h=", c.state.fiveHourUtilization, "%, weekly=", c.state.weeklyUtilization, "%", resetSuffix)
+	}
+	shouldInterrupt := c.checkTransitionLocked()
+	c.stateMutex.Unlock()
+	if shouldInterrupt {
+		c.interruptConnections()
+	}
+}
+
+func (c *externalCredential) checkTransitionLocked() bool {
+	unusable := c.state.hardRateLimited || c.state.fiveHourUtilization >= 100 || c.state.weeklyUtilization >= 100 || c.state.consecutivePollFailures > 0
+	if unusable && !c.interrupted {
+		c.interrupted = true
+		return true
+	}
+	if !unusable && c.interrupted {
+		c.interrupted = false
+	}
+	return false
+}
+
+func (c *externalCredential) wrapRequestContext(parent context.Context) *credentialRequestContext {
+	c.requestAccess.Lock()
+	credentialContext := c.requestContext
+	c.requestAccess.Unlock()
+	derived, cancel := context.WithCancel(parent)
+	stop := context.AfterFunc(credentialContext, func() {
+		cancel()
+	})
+	return &credentialRequestContext{
+		Context:     derived,
+		releaseFunc: stop,
+		cancelFunc:  cancel,
+	}
+}
+
+func (c *externalCredential) interruptConnections() {
+	c.logger.Warn("interrupting connections for ", c.tag)
+	c.requestAccess.Lock()
+	c.cancelRequests()
+	c.requestContext, c.cancelRequests = context.WithCancel(context.Background())
+	c.requestAccess.Unlock()
+	if c.onBecameUnusable != nil {
+		c.onBecameUnusable()
+	}
+}
+
+func (c *externalCredential) pollUsage(ctx context.Context) {
+	if !c.pollAccess.TryLock() {
+		return
+	}
+	defer c.pollAccess.Unlock()
+	defer c.markUsagePollAttempted()
+
+	statusURL := c.baseURL + "/ocm/v1/status"
+	httpClient := &http.Client{
+		Transport: c.httpClient.Transport,
+		Timeout:   5 * time.Second,
+	}
+
+	response, err := doHTTPWithRetry(ctx, httpClient, func() (*http.Request, error) {
+		request, err := http.NewRequestWithContext(ctx, http.MethodGet, statusURL, nil)
+		if err != nil {
+			return nil, err
+		}
+		request.Header.Set("Authorization", "Bearer "+c.token)
+		return request, nil
+	})
+	if err != nil {
+		c.logger.Error("poll usage for ", c.tag, ": ", err)
+		c.incrementPollFailures()
+		return
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(response.Body)
+		c.logger.Debug("poll usage for ", c.tag, ": status ", response.StatusCode, " ", string(body))
+		// 404 means the remote does not have a status endpoint yet;
+		// usage will be updated passively from response headers.
+		if response.StatusCode == http.StatusNotFound {
+			c.stateMutex.Lock()
+			c.state.consecutivePollFailures = 0
+			c.checkTransitionLocked()
+			c.stateMutex.Unlock()
+		} else {
+			c.incrementPollFailures()
+		}
+		return
+	}
+
+	var statusResponse struct {
+		FiveHourUtilization float64 `json:"five_hour_utilization"`
+		WeeklyUtilization   float64 `json:"weekly_utilization"`
+		PlanWeight          float64 `json:"plan_weight"`
+	}
+	err = json.NewDecoder(response.Body).Decode(&statusResponse)
+	if err != nil {
+		c.logger.Debug("poll usage for ", c.tag, ": decode: ", err)
+		c.incrementPollFailures()
+		return
+	}
+
+	c.stateMutex.Lock()
+	isFirstUpdate := c.state.lastUpdated.IsZero()
+	oldFiveHour := c.state.fiveHourUtilization
+	oldWeekly := c.state.weeklyUtilization
+	c.state.consecutivePollFailures = 0
+	c.state.fiveHourUtilization = statusResponse.FiveHourUtilization
+	c.state.weeklyUtilization = statusResponse.WeeklyUtilization
+	if statusResponse.PlanWeight > 0 {
+		c.state.remotePlanWeight = statusResponse.PlanWeight
+	}
+	if c.state.hardRateLimited && time.Now().After(c.state.rateLimitResetAt) {
+		c.state.hardRateLimited = false
+	}
+	if isFirstUpdate || int(c.state.fiveHourUtilization*100) != int(oldFiveHour*100) || int(c.state.weeklyUtilization*100) != int(oldWeekly*100) {
+		resetSuffix := ""
+		if !c.state.weeklyReset.IsZero() {
+			resetSuffix = ", resets=" + log.FormatDuration(time.Until(c.state.weeklyReset))
+		}
+		c.logger.Debug("poll usage for ", c.tag, ": 5h=", c.state.fiveHourUtilization, "%, weekly=", c.state.weeklyUtilization, "%", resetSuffix)
+	}
+	shouldInterrupt := c.checkTransitionLocked()
+	c.stateMutex.Unlock()
+	if shouldInterrupt {
+		c.interruptConnections()
+	}
+}
+
+func (c *externalCredential) lastUpdatedTime() time.Time {
+	c.stateMutex.RLock()
+	defer c.stateMutex.RUnlock()
+	return c.state.lastUpdated
+}
+
+func (c *externalCredential) markUsagePollAttempted() {
+	c.stateMutex.Lock()
+	defer c.stateMutex.Unlock()
+	c.state.lastUpdated = time.Now()
+}
+
+func (c *externalCredential) pollBackoff(baseInterval time.Duration) time.Duration {
+	c.stateMutex.RLock()
+	failures := c.state.consecutivePollFailures
+	c.stateMutex.RUnlock()
+	if failures <= 0 {
+		return baseInterval
+	}
+	return failedPollRetryInterval
+}
+
+func (c *externalCredential) incrementPollFailures() {
+	c.stateMutex.Lock()
+	c.state.consecutivePollFailures++
+	shouldInterrupt := c.checkTransitionLocked()
+	c.stateMutex.Unlock()
+	if shouldInterrupt {
+		c.interruptConnections()
+	}
+}
+
+func (c *externalCredential) usageTrackerOrNil() *AggregatedUsage {
+	return c.usageTracker
+}
+
+func (c *externalCredential) httpTransport() *http.Client {
+	return c.httpClient
+}
+
+func (c *externalCredential) ocmDialer() N.Dialer {
+	return c.credDialer
+}
+
+func (c *externalCredential) ocmIsAPIKeyMode() bool {
+	return false
+}
+
+func (c *externalCredential) ocmGetAccountID() string {
+	return ""
+}
+
+func (c *externalCredential) ocmGetBaseURL() string {
+	return c.baseURL
+}
+
+func (c *externalCredential) close() {
+	var session *yamux.Session
+	c.reverseAccess.Lock()
+	if !c.closed {
+		c.closed = true
+		if c.reverseCancel != nil {
+			c.reverseCancel()
+		}
+		session = c.reverseSession
+		c.reverseSession = nil
+	}
+	c.reverseAccess.Unlock()
+	if session != nil {
+		session.Close()
+	}
+	if c.usageTracker != nil {
+		c.usageTracker.cancelPendingSave()
+		err := c.usageTracker.Save()
+		if err != nil {
+			c.logger.Error("save usage statistics for ", c.tag, ": ", err)
+		}
+	}
+}
+
+func (c *externalCredential) getReverseSession() *yamux.Session {
+	c.reverseAccess.RLock()
+	defer c.reverseAccess.RUnlock()
+	return c.reverseSession
+}
+
+func (c *externalCredential) setReverseSession(session *yamux.Session) bool {
+	c.reverseAccess.Lock()
+	if c.closed {
+		c.reverseAccess.Unlock()
+		return false
+	}
+	old := c.reverseSession
+	c.reverseSession = session
+	c.reverseAccess.Unlock()
+	if old != nil {
+		old.Close()
+	}
+	return true
+}
+
+func (c *externalCredential) clearReverseSession(session *yamux.Session) {
+	c.reverseAccess.Lock()
+	if c.reverseSession == session {
+		c.reverseSession = nil
+	}
+	c.reverseAccess.Unlock()
+}
+
+func (c *externalCredential) getReverseContext() context.Context {
+	c.reverseAccess.RLock()
+	defer c.reverseAccess.RUnlock()
+	return c.reverseContext
+}
+
+func (c *externalCredential) resetReverseContext() {
+	c.reverseAccess.Lock()
+	if c.closed {
+		c.reverseAccess.Unlock()
+		return
+	}
+	c.reverseCancel()
+	c.reverseContext, c.reverseCancel = context.WithCancel(context.Background())
+	c.reverseAccess.Unlock()
+}

service/ocm/credential_file.go

@@ -0,0 +1,139 @@
+package ocm
+
+import (
+	"path/filepath"
+	"time"
+
+	"github.com/sagernet/fswatch"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+const credentialReloadRetryInterval = 2 * time.Second
+
+func resolveCredentialFilePath(customPath string) (string, error) {
+	if customPath == "" {
+		var err error
+		customPath, err = getDefaultCredentialsPath()
+		if err != nil {
+			return "", err
+		}
+	}
+	if filepath.IsAbs(customPath) {
+		return customPath, nil
+	}
+	return filepath.Abs(customPath)
+}
+
+func (c *defaultCredential) ensureCredentialWatcher() error {
+	c.watcherAccess.Lock()
+	defer c.watcherAccess.Unlock()
+
+	if c.watcher != nil || c.credentialFilePath == "" {
+		return nil
+	}
+	if !c.watcherRetryAt.IsZero() && time.Now().Before(c.watcherRetryAt) {
+		return nil
+	}
+
+	watcher, err := fswatch.NewWatcher(fswatch.Options{
+		Path:   []string{c.credentialFilePath},
+		Logger: c.logger,
+		Callback: func(string) {
+			err := c.reloadCredentials(true)
+			if err != nil {
+				c.logger.Warn("reload credentials for ", c.tag, ": ", err)
+			}
+		},
+	})
+	if err != nil {
+		c.watcherRetryAt = time.Now().Add(credentialReloadRetryInterval)
+		return err
+	}
+
+	err = watcher.Start()
+	if err != nil {
+		c.watcherRetryAt = time.Now().Add(credentialReloadRetryInterval)
+		return err
+	}
+
+	c.watcher = watcher
+	c.watcherRetryAt = time.Time{}
+	return nil
+}
+
+func (c *defaultCredential) retryCredentialReloadIfNeeded() {
+	c.stateMutex.RLock()
+	unavailable := c.state.unavailable
+	lastAttempt := c.state.lastCredentialLoadAttempt
+	c.stateMutex.RUnlock()
+	if !unavailable {
+		return
+	}
+	if !lastAttempt.IsZero() && time.Since(lastAttempt) < credentialReloadRetryInterval {
+		return
+	}
+
+	err := c.ensureCredentialWatcher()
+	if err != nil {
+		c.logger.Debug("start credential watcher for ", c.tag, ": ", err)
+	}
+	_ = c.reloadCredentials(false)
+}
+
+func (c *defaultCredential) reloadCredentials(force bool) error {
+	c.reloadAccess.Lock()
+	defer c.reloadAccess.Unlock()
+
+	c.stateMutex.RLock()
+	unavailable := c.state.unavailable
+	lastAttempt := c.state.lastCredentialLoadAttempt
+	c.stateMutex.RUnlock()
+	if !force {
+		if !unavailable {
+			return nil
+		}
+		if !lastAttempt.IsZero() && time.Since(lastAttempt) < credentialReloadRetryInterval {
+			return c.unavailableError()
+		}
+	}
+
+	c.stateMutex.Lock()
+	c.state.lastCredentialLoadAttempt = time.Now()
+	c.stateMutex.Unlock()
+
+	credentials, err := platformReadCredentials(c.credentialPath)
+	if err != nil {
+		return c.markCredentialsUnavailable(E.Cause(err, "read credentials"))
+	}
+
+	c.accessMutex.Lock()
+	c.credentials = credentials
+	c.accessMutex.Unlock()
+
+	c.stateMutex.Lock()
+	c.state.unavailable = false
+	c.state.lastCredentialLoadError = ""
+	c.checkTransitionLocked()
+	c.stateMutex.Unlock()
+
+	return nil
+}
+
+func (c *defaultCredential) markCredentialsUnavailable(err error) error {
+	c.accessMutex.Lock()
+	hadCredentials := c.credentials != nil
+	c.credentials = nil
+	c.accessMutex.Unlock()
+
+	c.stateMutex.Lock()
+	c.state.unavailable = true
+	c.state.lastCredentialLoadError = err.Error()
+	shouldInterrupt := c.checkTransitionLocked()
+	c.stateMutex.Unlock()
+
+	if shouldInterrupt && hadCredentials {
+		c.interruptConnections()
+	}
+
+	return err
+}

service/ocm/credential_other.go

@@ -13,6 +13,17 @@ func platformReadCredentials(customPath string) (*oauthCredentials, error) {
 	return readCredentialsFromFile(customPath)
 }
 
+func platformCanWriteCredentials(customPath string) error {
+	if customPath == "" {
+		var err error
+		customPath, err = getDefaultCredentialsPath()
+		if err != nil {
+			return err
+		}
+	}
+	return checkCredentialFileWritable(customPath)
+}
+
 func platformWriteCredentials(credentials *oauthCredentials, customPath string) error {
 	if customPath == "" {
 		var err error