Bump version

stable-next → oldstable, main-next → stable, dev-next → testing, new unstable

.fpm_pacman

@@ -0,0 +1,23 @@
+-s dir
+--name sing-box
+--category net
+--license GPL-3.0-or-later
+--description "The universal proxy platform."
+--url "https://sing-box.sagernet.org/"
+--maintainer "nekohasekai <contact-git@sekai.icu>"
+--config-files etc/sing-box/config.json
+--after-install release/config/sing-box.postinst
+
+release/config/config.json=/etc/sing-box/config.json
+
+release/config/sing-box.service=/usr/lib/systemd/system/sing-box.service
+release/config/sing-box@.service=/usr/lib/systemd/system/sing-box@.service
+release/config/sing-box.sysusers=/usr/lib/sysusers.d/sing-box.conf
+release/config/sing-box.rules=usr/share/polkit-1/rules.d/sing-box.rules
+release/config/sing-box-split-dns.xml=/usr/share/dbus-1/system.d/sing-box-split-dns.conf
+
+release/completions/sing-box.bash=/usr/share/bash-completion/completions/sing-box.bash
+release/completions/sing-box.fish=/usr/share/fish/vendor_completions.d/sing-box.fish
+release/completions/sing-box.zsh=/usr/share/zsh/site-functions/_sing-box
+
+LICENSE=/usr/share/licenses/sing-box/LICENSE

.github/CRONET_GO_VERSION

@@ -1 +1 @@
-dc1cda1fe28740ba069934ab62aeb8ef85388332
+cba7b9ac0399055aa49fbdc57c03c374f58e1597

.github/renovate.json

@@ -6,7 +6,7 @@
     ":disableRateLimiting"
   ],
   "baseBranches": [
-    "dev-next"
+    "unstable"
   ],
   "golang": {
     "enabled": false

.github/workflows/build.yml

@@ -25,8 +25,9 @@ on:
           - publish-android
   push:
     branches:
-      - main-next
-      - dev-next
+      - stable
+      - testing
+      - unstable
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}-${{ inputs.build }}
@@ -46,7 +47,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.7
+          go-version: ~1.25.7
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -85,19 +86,27 @@ jobs:
           - { os: linux, arch: arm, variant: glibc, naive: true, goarm: "7" }
           - { os: linux, arch: arm, variant: musl, naive: true, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }
 
+          - { os: linux, arch: mipsle, gomips: hardfloat, naive: true, variant: glibc }
+          - { os: linux, arch: mipsle, gomips: softfloat, naive: true, variant: musl, debian: mipsel, rpm: mipsel, openwrt: "mipsel_24kc mipsel_74kc mipsel_mips32" }
+          - { os: linux, arch: mips64le, gomips: hardfloat, naive: true, variant: glibc, debian: mips64el, rpm: mips64el }
+          - { os: linux, arch: riscv64, naive: true, variant: glibc }
+          - { os: linux, arch: riscv64, naive: true, variant: musl, debian: riscv64, rpm: riscv64, openwrt: "riscv64_generic" }
+          - { os: linux, arch: loong64, naive: true, variant: glibc }
+          - { os: linux, arch: loong64, naive: true, variant: musl, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }
+
           - { os: linux, arch: "386", go386: softfloat, openwrt: "i386_pentium-mmx" }
           - { os: linux, arch: arm, goarm: "5", openwrt: "arm_arm926ej-s arm_cortex-a7 arm_cortex-a9 arm_fa526 arm_xscale" }
           - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl, openwrt: "arm_arm1176jzf-s_vfp" }
           - { os: linux, arch: mips, gomips: softfloat, openwrt: "mips_24kc mips_4kec mips_mips32" }
-          - { os: linux, arch: mipsle, gomips: hardfloat, debian: mipsel, rpm: mipsel, openwrt: "mipsel_24kc_24kf" }
-          - { os: linux, arch: mipsle, gomips: softfloat, openwrt: "mipsel_24kc mipsel_74kc mipsel_mips32" }
+          - { os: linux, arch: mipsle, gomips: hardfloat, openwrt: "mipsel_24kc_24kf" }
+          - { os: linux, arch: mipsle, gomips: softfloat }
           - { os: linux, arch: mips64, gomips: softfloat, openwrt: "mips64_mips64r2 mips64_octeonplus" }
-          - { os: linux, arch: mips64le, gomips: hardfloat, debian: mips64el, rpm: mips64el }
+          - { os: linux, arch: mips64le, gomips: hardfloat }
           - { os: linux, arch: mips64le, gomips: softfloat, openwrt: "mips64el_mips64r2" }
           - { os: linux, arch: s390x, debian: s390x, rpm: s390x }
           - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
-          - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64, openwrt: "riscv64_generic" }
-          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }
+          - { os: linux, arch: riscv64 }
+          - { os: linux, arch: loong64 }
 
           - { os: windows, arch: amd64, legacy_win7: true, legacy_name: "windows-7" }
           - { os: windows, arch: "386", legacy_win7: true, legacy_name: "windows-7" }
@@ -115,7 +124,7 @@ jobs:
         if: ${{ ! (matrix.legacy_win7 || matrix.legacy_go124) }}
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.7
+          go-version: ~1.25.7
       - name: Setup Go 1.24
         if: matrix.legacy_go124
         uses: actions/setup-go@v5
@@ -154,14 +163,23 @@ jobs:
           git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
           git -C ~/cronet-go checkout FETCH_HEAD
           git -C ~/cronet-go submodule update --init --recursive --depth=1
+      - name: Regenerate Debian keyring
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          rm -f ~/cronet-go/naiveproxy/src/build/linux/sysroot_scripts/keyring.gpg
+          cd ~/cronet-go
+          GPG_TTY=/dev/null ./naiveproxy/src/build/linux/sysroot_scripts/generate_keyring.sh
       - name: Cache Chromium toolchain
         if: matrix.naive
         id: cache-chromium-toolchain
         uses: actions/cache@v4
         with:
           path: |
-            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
-            ~/cronet-go/naiveproxy/src/out/sysroot-build
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/
+            ~/cronet-go/naiveproxy/src/gn/out/
+            ~/cronet-go/naiveproxy/src/chrome/build/pgo_profiles/
+            ~/cronet-go/naiveproxy/src/out/sysroot-build/
           key: chromium-toolchain-${{ matrix.arch }}-${{ matrix.variant }}-${{ hashFiles('.github/CRONET_GO_VERSION') }}
       - name: Download Chromium toolchain
         if: matrix.naive
@@ -190,9 +208,10 @@ jobs:
       - name: Set build tags
         run: |
           set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
           if [[ "${{ matrix.naive }}" == "true" ]]; then
-            TAGS="${TAGS},with_naive_outbound"
+            TAGS=$(cat release/DEFAULT_BUILD_TAGS)
+          else
+            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
           fi
           if [[ "${{ matrix.variant }}" == "purego" ]]; then
             TAGS="${TAGS},with_purego"
@@ -200,13 +219,16 @@ jobs:
             TAGS="${TAGS},with_musl"
           fi
           echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
+      - name: Set shared ldflags
+        run: |
+          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
       - name: Build (purego)
         if: matrix.variant == 'purego'
         run: |
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"
@@ -228,7 +250,7 @@ jobs:
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "1"
@@ -236,6 +258,8 @@ jobs:
           GOARCH: ${{ matrix.arch }}
           GO386: ${{ matrix.go386 }}
           GOARM: ${{ matrix.goarm }}
+          GOMIPS: ${{ matrix.gomips }}
+          GOMIPS64: ${{ matrix.gomips }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Build (musl)
         if: matrix.variant == 'musl'
@@ -243,7 +267,7 @@ jobs:
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "1"
@@ -251,6 +275,8 @@ jobs:
           GOARCH: ${{ matrix.arch }}
           GO386: ${{ matrix.go386 }}
           GOARM: ${{ matrix.goarm }}
+          GOMIPS: ${{ matrix.gomips }}
+          GOMIPS64: ${{ matrix.gomips }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Build (non-variant)
         if: matrix.os != 'android' && matrix.variant == ''
@@ -258,7 +284,7 @@ jobs:
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"
@@ -278,7 +304,7 @@ jobs:
           export CXX="${CC}++"
           mkdir -p dist
           GOOS=$BUILD_GOOS GOARCH=$BUILD_GOARCH build go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "1"
@@ -352,7 +378,7 @@ jobs:
           sudo gem install fpm
           sudo apt-get update
           sudo apt-get install -y libarchive-tools
-          cp .fpm_systemd .fpm
+          cp .fpm_pacman .fpm
           fpm -t pacman \
             -v "$PKG_VERSION" \
             -p "dist/sing-box_${{ needs.calculate_version.outputs.version }}_${{ matrix.os }}_${{ matrix.pacman }}.pkg.tar.zst" \
@@ -431,17 +457,21 @@ jobs:
       - name: Set build tags
         run: |
           set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
           if [[ "${{ matrix.legacy_go124 }}" != "true" ]]; then
-            TAGS="${TAGS},with_naive_outbound"
+            TAGS=$(cat release/DEFAULT_BUILD_TAGS)
+          else
+            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
           fi
           echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
+      - name: Set shared ldflags
+        run: |
+          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
       - name: Build
         run: |
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "1"
@@ -499,9 +529,11 @@ jobs:
       - name: Build
         if: matrix.naive
         run: |
+          $TAGS = Get-Content release/DEFAULT_BUILD_TAGS_WINDOWS
+          $LDFLAGS_SHARED = Get-Content release/LDFLAGS
           mkdir -p dist
-          go build -v -trimpath -o dist/sing-box.exe -tags "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,with_naive_outbound,with_purego,badlinkname,tfogo_checklinkname0" `
-          -ldflags "-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0" `
+          go build -v -trimpath -o dist/sing-box.exe -tags "$TAGS" `
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' $LDFLAGS_SHARED -s -w -buildid=" `
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"
@@ -511,9 +543,11 @@ jobs:
       - name: Build
         if: ${{ !matrix.naive }}
         run: |
+          $TAGS = Get-Content release/DEFAULT_BUILD_TAGS_OTHERS
+          $LDFLAGS_SHARED = Get-Content release/LDFLAGS
           mkdir -p dist
-          go build -v -trimpath -o dist/sing-box.exe -tags "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0" `
-          -ldflags "-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0" `
+          go build -v -trimpath -o dist/sing-box.exe -tags "$TAGS" `
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' $LDFLAGS_SHARED -s -w -buildid=" `
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"
@@ -558,7 +592,7 @@ jobs:
           path: "dist"
   build_android:
     name: Build Android
-    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android'
+    if: (github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android') && github.ref != 'refs/heads/oldstable'
     runs-on: ubuntu-latest
     needs:
       - calculate_version
@@ -571,7 +605,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.7
+          go-version: ~1.25.7
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -594,12 +628,12 @@ jobs:
           JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
           ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
       - name: Checkout main branch
-        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        if: github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
         run: |-
           cd clients/android
           git checkout main
       - name: Checkout dev branch
-        if: github.ref == 'refs/heads/dev-next'
+        if: github.ref == 'refs/heads/testing'
         run: |-
           cd clients/android
           git checkout dev
@@ -648,7 +682,7 @@ jobs:
           path: 'dist'
   publish_android:
     name: Publish Android
-    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android'
+    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android' && github.ref != 'refs/heads/oldstable'
     runs-on: ubuntu-latest
     needs:
       - calculate_version
@@ -661,7 +695,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.7
+          go-version: ~1.25.7
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -684,12 +718,12 @@ jobs:
           JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
           ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
       - name: Checkout main branch
-        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        if: github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
         run: |-
           cd clients/android
           git checkout main
       - name: Checkout dev branch
-        if: github.ref == 'refs/heads/dev-next'
+        if: github.ref == 'refs/heads/testing'
         run: |-
           cd clients/android
           git checkout dev
@@ -760,7 +794,7 @@ jobs:
         if: matrix.if
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.7
+          go-version: ~1.25.7
       - name: Set tag
         if: matrix.if
         run: |-
@@ -768,12 +802,12 @@ jobs:
           git tag v${{ needs.calculate_version.outputs.version }} -f
           echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
       - name: Checkout main branch
-        if: matrix.if && github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        if: matrix.if && github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
         run: |-
           cd clients/apple
           git checkout main
       - name: Checkout dev branch
-        if: matrix.if && github.ref == 'refs/heads/dev-next'
+        if: matrix.if && github.ref == 'refs/heads/testing'
         run: |-
           cd clients/apple
           git checkout dev
@@ -859,7 +893,7 @@ jobs:
             -authenticationKeyID $ASC_KEY_ID \
             -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
       - name: Publish to TestFlight
-        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/dev-next'
+        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/testing'
         run: |-
           go run -v ./cmd/internal/app_store_connect publish_testflight ${{ matrix.platform }}
       - name: Build image

.github/workflows/docker.yml

@@ -3,8 +3,8 @@ name: Publish Docker Images
 on:
   #push:
   #  branches:
-  #    - main-next
-  #    - dev-next
+  #    - stable
+  #    - testing
   release:
     types:
       - published
@@ -19,6 +19,7 @@ env:
 jobs:
   build_binary:
     name: Build binary
+    if: github.event_name != 'release' || github.event.release.target_commitish != 'oldstable'
     runs-on: ubuntu-latest
     strategy:
       fail-fast: true
@@ -29,10 +30,12 @@ jobs:
           - { arch: arm64, naive: true, docker_platform: "linux/arm64" }
           - { arch: "386", naive: true, docker_platform: "linux/386" }
           - { arch: arm, goarm: "7", naive: true, docker_platform: "linux/arm/v7" }
+          - { arch: mipsle, gomips: softfloat, naive: true, docker_platform: "linux/mipsle" }
+          - { arch: riscv64, naive: true, docker_platform: "linux/riscv64" }
+          - { arch: loong64, naive: true, docker_platform: "linux/loong64" }
           # Non-naive builds
           - { arch: arm, goarm: "6", docker_platform: "linux/arm/v6" }
           - { arch: ppc64le, docker_platform: "linux/ppc64le" }
-          - { arch: riscv64, docker_platform: "linux/riscv64" }
           - { arch: s390x, docker_platform: "linux/s390x" }
     steps:
       - name: Get commit to build
@@ -53,7 +56,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.4
+          go-version: ~1.25.7
       - name: Clone cronet-go
         if: matrix.naive
         run: |
@@ -64,14 +67,23 @@ jobs:
           git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
           git -C ~/cronet-go checkout FETCH_HEAD
           git -C ~/cronet-go submodule update --init --recursive --depth=1
+      - name: Regenerate Debian keyring
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          rm -f ~/cronet-go/naiveproxy/src/build/linux/sysroot_scripts/keyring.gpg
+          cd ~/cronet-go
+          GPG_TTY=/dev/null ./naiveproxy/src/build/linux/sysroot_scripts/generate_keyring.sh
       - name: Cache Chromium toolchain
         if: matrix.naive
         id: cache-chromium-toolchain
         uses: actions/cache@v4
         with:
           path: |
-            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
-            ~/cronet-go/naiveproxy/src/out/sysroot-build
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/
+            ~/cronet-go/naiveproxy/src/gn/out/
+            ~/cronet-go/naiveproxy/src/chrome/build/pgo_profiles/
+            ~/cronet-go/naiveproxy/src/out/sysroot-build/
           key: chromium-toolchain-${{ matrix.arch }}-musl-${{ hashFiles('.github/CRONET_GO_VERSION') }}
       - name: Download Chromium toolchain
         if: matrix.naive
@@ -93,29 +105,34 @@ jobs:
       - name: Set build tags
         run: |
           set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
           if [[ "${{ matrix.naive }}" == "true" ]]; then
-            TAGS="${TAGS},with_naive_outbound,with_musl"
+            TAGS="$(cat release/DEFAULT_BUILD_TAGS),with_musl"
+          else
+            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
           fi
           echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
+      - name: Set shared ldflags
+        run: |
+          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
       - name: Build (naive)
         if: matrix.naive
         run: |
           set -xeuo pipefail
           go build -v -trimpath -o sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=${VERSION}\" -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0" \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${VERSION}' ${LDFLAGS_SHARED} -s -w -buildid=" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "1"
           GOOS: linux
           GOARCH: ${{ matrix.arch }}
           GOARM: ${{ matrix.goarm }}
+          GOMIPS: ${{ matrix.gomips }}
       - name: Build (non-naive)
         if: ${{ ! matrix.naive }}
         run: |
           set -xeuo pipefail
           go build -v -trimpath -o sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=${VERSION}\" -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0" \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${VERSION}' ${LDFLAGS_SHARED} -s -w -buildid=" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"
@@ -148,15 +165,17 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        platform:
-          - linux/amd64
-          - linux/arm/v6
-          - linux/arm/v7
-          - linux/arm64
-          - linux/386
-          - linux/ppc64le
-          - linux/riscv64
-          - linux/s390x
+        include:
+          - { platform: "linux/amd64" }
+          - { platform: "linux/arm/v6" }
+          - { platform: "linux/arm/v7" }
+          - { platform: "linux/arm64" }
+          - { platform: "linux/386" }
+          # mipsle: no base Docker image available for this platform
+          - { platform: "linux/ppc64le" }
+          - { platform: "linux/riscv64" }
+          - { platform: "linux/s390x" }
+          - { platform: "linux/loong64", base_image: "ghcr.io/loong64/alpine:edge" }
     steps:
       - name: Get commit to build
         id: ref
@@ -209,6 +228,8 @@ jobs:
           platforms: ${{ matrix.platform }}
           context: .
           file: Dockerfile.binary
+          build-args: |
+            BASE_IMAGE=${{ matrix.base_image || 'alpine' }}
           labels: ${{ steps.meta.outputs.labels }}
           outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
       - name: Export digest
@@ -224,6 +245,7 @@ jobs:
           if-no-files-found: error
           retention-days: 1
   merge:
+    if: github.event_name != 'push'
     runs-on: ubuntu-latest
     needs:
       - build_docker

.github/workflows/lint.yml

@@ -3,18 +3,20 @@ name: Lint
 on:
   push:
     branches:
-      - stable-next
-      - main-next
-      - dev-next
+      - oldstable
+      - stable
+      - testing
+      - unstable
     paths-ignore:
       - '**.md'
       - '.github/**'
       - '!.github/workflows/lint.yml'
   pull_request:
     branches:
-      - stable-next
-      - main-next
-      - dev-next
+      - oldstable
+      - stable
+      - testing
+      - unstable
 
 jobs:
   build:

.github/workflows/linux.yml

@@ -3,8 +3,8 @@ name: Build Linux Packages
 on:
   #push:
   #  branches:
-  #    - main-next
-  #    - dev-next
+  #    - stable
+  #    - testing
   workflow_dispatch:
     inputs:
       version:
@@ -23,6 +23,7 @@ on:
 jobs:
   calculate_version:
     name: Calculate version
+    if: github.event_name != 'release' || github.event.release.target_commitish != 'oldstable'
     runs-on: ubuntu-latest
     outputs:
       version: ${{ steps.outputs.outputs.version }}
@@ -34,7 +35,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.7
+          go-version: ~1.25.7
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -61,14 +62,14 @@ jobs:
           - { os: linux, arch: arm64, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64 }
           - { os: linux, arch: "386", naive: true, debian: i386, rpm: i386 }
           - { os: linux, arch: arm, goarm: "7", naive: true, debian: armhf, rpm: armv7hl, pacman: armv7hl }
+          - { os: linux, arch: mipsle, gomips: softfloat, naive: true, debian: mipsel, rpm: mipsel }
+          - { os: linux, arch: riscv64, naive: true, debian: riscv64, rpm: riscv64 }
+          - { os: linux, arch: loong64, naive: true, debian: loongarch64, rpm: loongarch64 }
           # Non-naive builds (unsupported architectures)
           - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl }
           - { os: linux, arch: mips64le, debian: mips64el, rpm: mips64el }
-          - { os: linux, arch: mipsle, debian: mipsel, rpm: mipsel }
           - { os: linux, arch: s390x, debian: s390x, rpm: s390x }
           - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
-          - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64 }
-          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64 }
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
@@ -77,7 +78,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.7
+          go-version: ~1.25.7
       - name: Clone cronet-go
         if: matrix.naive
         run: |
@@ -88,14 +89,23 @@ jobs:
           git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
           git -C ~/cronet-go checkout FETCH_HEAD
           git -C ~/cronet-go submodule update --init --recursive --depth=1
+      - name: Regenerate Debian keyring
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          rm -f ~/cronet-go/naiveproxy/src/build/linux/sysroot_scripts/keyring.gpg
+          cd ~/cronet-go
+          GPG_TTY=/dev/null ./naiveproxy/src/build/linux/sysroot_scripts/generate_keyring.sh
       - name: Cache Chromium toolchain
         if: matrix.naive
         id: cache-chromium-toolchain
         uses: actions/cache@v4
         with:
           path: |
-            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
-            ~/cronet-go/naiveproxy/src/out/sysroot-build
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/
+            ~/cronet-go/naiveproxy/src/gn/out/
+            ~/cronet-go/naiveproxy/src/chrome/build/pgo_profiles/
+            ~/cronet-go/naiveproxy/src/out/sysroot-build/
           key: chromium-toolchain-${{ matrix.arch }}-musl-${{ hashFiles('.github/CRONET_GO_VERSION') }}
       - name: Download Chromium toolchain
         if: matrix.naive
@@ -116,24 +126,30 @@ jobs:
       - name: Set build tags
         run: |
           set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
           if [[ "${{ matrix.naive }}" == "true" ]]; then
-            TAGS="${TAGS},with_naive_outbound,with_musl"
+            TAGS="$(cat release/DEFAULT_BUILD_TAGS),with_musl"
+          else
+            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
           fi
           echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
+      - name: Set shared ldflags
+        run: |
+          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
       - name: Build (naive)
         if: matrix.naive
         run: |
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "1"
           GOOS: linux
           GOARCH: ${{ matrix.arch }}
           GOARM: ${{ matrix.goarm }}
+          GOMIPS: ${{ matrix.gomips }}
+          GOMIPS64: ${{ matrix.gomips }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Build (non-naive)
         if: ${{ ! matrix.naive }}
@@ -141,7 +157,7 @@ jobs:
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"

.gitignore

@@ -12,6 +12,9 @@
 /*.jar
 /*.aar
 /*.xcframework/
+/experimental/libbox/*.aar
+/experimental/libbox/*.xcframework/
+/experimental/libbox/*.nupkg
 .DS_Store
 /config.d/
 /venv/

.golangci.yml

@@ -9,6 +9,11 @@ run:
     - with_utls
     - with_acme
     - with_clash_api
+    - with_tailscale
+    - with_ccm
+    - with_ocm
+    - badlinkname
+    - tfogo_checklinkname0
 linters:
   default: none
   enable:

Dockerfile

@@ -12,10 +12,11 @@ RUN set -ex \
     && apk add git build-base \
     && export COMMIT=$(git rev-parse --short HEAD) \
     && export VERSION=$(go run ./cmd/internal/read_tag) \
-    && go build -v -trimpath -tags \
-        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0" \
+    && export TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS) \
+    && export LDFLAGS_SHARED=$(cat release/LDFLAGS) \
+    && go build -v -trimpath -tags "$TAGS" \
         -o /go/bin/sing-box \
-        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0" \
+        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" $LDFLAGS_SHARED -s -w -buildid=" \
         ./cmd/sing-box
 FROM --platform=$TARGETPLATFORM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"

Dockerfile.binary

@@ -1,8 +1,14 @@
-FROM alpine
+ARG BASE_IMAGE=alpine
+FROM ${BASE_IMAGE}
 ARG TARGETARCH
 ARG TARGETVARIANT
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 RUN set -ex \
-    && apk add --no-cache --upgrade bash tzdata ca-certificates nftables
+    && if command -v apk > /dev/null; then \
+        apk add --no-cache --upgrade bash tzdata ca-certificates nftables; \
+    else \
+        apt-get update && apt-get install -y --no-install-recommends bash tzdata ca-certificates nftables \
+        && rm -rf /var/lib/apt/lists/*; \
+    fi
 COPY sing-box-${TARGETARCH}${TARGETVARIANT} /usr/local/bin/sing-box
 ENTRYPOINT ["sing-box"]

Makefile

@@ -1,15 +1,18 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS ?= with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0
+TAGS ?= $(shell cat release/DEFAULT_BUILD_TAGS_OTHERS)
 
 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
 VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest)
 
-PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0"
+LDFLAGS_SHARED = $(shell cat release/LDFLAGS)
+PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' $(LDFLAGS_SHARED) -s -w -buildid="
 MAIN_PARAMS = $(PARAMS) -tags "$(TAGS)"
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
+SING_FFI ?= sing-ffi
+LIBBOX_FFI_CONFIG ?= ./experimental/libbox/ffi.json
 
 .PHONY: test release docs build
 
@@ -237,15 +240,18 @@ lib_android:
 lib_apple:
 	go run ./cmd/internal/build_libbox -target apple
 
+lib_windows:
+	$(SING_FFI) generate --config $(LIBBOX_FFI_CONFIG) --platform-type csharp
+
 lib_android_new:
-	go run ./cmd/internal/build_libbox_newffi -target android
+	$(SING_FFI) generate --config $(LIBBOX_FFI_CONFIG) --platform-type android
 
 lib_apple_new:
-	go run ./cmd/internal/build_libbox_newffi -target apple
+	$(SING_FFI) generate --config $(LIBBOX_FFI_CONFIG) --platform-type apple
 
 lib_install:
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.11
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.11
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.12
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.12
 
 docs:
 	venv/bin/mkdocs serve
@@ -254,8 +260,8 @@ publish_docs:
 	venv/bin/mkdocs gh-deploy -m "Update" --force --ignore-version --no-history
 
 docs_install:
-	python -m venv venv
-	source ./venv/bin/activate && pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"
+	python3 -m venv venv
+	source ./venv/bin/activate && pip install --force-reinstall mkdocs-material=="9.7.2" mkdocs-static-i18n=="1.2.*"
 
 clean:
 	rm -rf bin dist sing-box

adapter/connections.go

@@ -9,6 +9,10 @@ import (
 
 type ConnectionManager interface {
 	Lifecycle
+	Count() int
+	CloseAll()
+	TrackConn(conn net.Conn) net.Conn
+	TrackPacketConn(conn net.PacketConn) net.PacketConn
 	NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata InboundContext, onClose N.CloseHandlerFunc)
 	NewPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn, metadata InboundContext, onClose N.CloseHandlerFunc)
 }

adapter/inbound.go

@@ -62,13 +62,10 @@ type InboundContext struct {
 	// cache
 
 	// Deprecated: implement in rule action
-	InboundDetour            string
-	LastInbound              string
-	OriginDestination        M.Socksaddr
-	RouteOriginalDestination M.Socksaddr
-	// Deprecated: to be removed
-	//nolint:staticcheck
-	InboundOptions            option.InboundOptions
+	InboundDetour             string
+	LastInbound               string
+	OriginDestination         M.Socksaddr
+	RouteOriginalDestination  M.Socksaddr
 	UDPDisableDomainUnmapping bool
 	UDPConnect                bool
 	UDPTimeout                time.Duration

box.go

@@ -125,7 +125,10 @@ func New(options Options) (*Box, error) {
 
 	ctx = pause.WithDefaultManager(ctx)
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
-	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
+	err := applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
+	if err != nil {
+		return nil, err
+	}
 	var needCacheFile bool
 	var needClashAPI bool
 	var needV2RayAPI bool

cmd/internal/build_libbox/main.go

@@ -63,7 +63,7 @@ func init() {
 	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid=  -checklinkname=0")
 	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0")
 
-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_naive_outbound", "with_clash_api", "with_conntrack", "badlinkname", "tfogo_checklinkname0")
+	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_naive_outbound", "with_clash_api", "badlinkname", "tfogo_checklinkname0")
 	darwinTags = append(darwinTags, "with_dhcp", "grpcnotrace")
 	// memcTags = append(memcTags, "with_tailscale")
 	sharedTags = append(sharedTags, "with_tailscale", "ts_omit_logtail", "ts_omit_ssh", "ts_omit_drive", "ts_omit_taildrop", "ts_omit_webclient", "ts_omit_doctor", "ts_omit_capture", "ts_omit_kube", "ts_omit_aws", "ts_omit_synology", "ts_omit_bird")

cmd/internal/build_libbox_newffi/main.go

@@ -1,93 +0,0 @@
-package main
-
-import (
-	"flag"
-	"os"
-	"os/exec"
-	"path/filepath"
-
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common/rw"
-)
-
-var target string
-
-func init() {
-	flag.StringVar(&target, "target", "android", "target platform (android or apple)")
-}
-
-func main() {
-	flag.Parse()
-
-	args := []string{
-		"generate",
-		"-v",
-		"--config", "experimental/libbox/ffi.json",
-		"--platform-type", target,
-	}
-	command := exec.Command("sing-ffi", args...)
-	command.Stdout = os.Stdout
-	command.Stderr = os.Stderr
-	err := command.Run()
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	copyArtifacts(target)
-}
-
-func copyArtifacts(target string) {
-	switch target {
-	case "android":
-		copyPath := filepath.Join("..", "sing-box-for-android", "app", "libs")
-		if rw.IsDir(copyPath) {
-			copyPath, _ = filepath.Abs(copyPath)
-			for _, name := range []string{"libbox.aar", "libbox-legacy.aar"} {
-				artifactPath, found := findArtifactPath(name)
-				if !found {
-					continue
-				}
-				targetPath := filepath.Join(target, artifactPath)
-				os.RemoveAll(targetPath)
-				err := os.Rename(artifactPath, targetPath)
-				if err != nil {
-					log.Fatal(err)
-				}
-				log.Info("copied ", name, " to ", copyPath)
-			}
-		}
-	case "apple":
-		copyPath := filepath.Join("..", "sing-box-for-apple")
-		if rw.IsDir(copyPath) {
-			sourceDir, found := findArtifactPath("Libbox.xcframework")
-			if !found {
-				log.Fatal("Libbox.xcframework not found in current directory or experimental/libbox")
-			}
-
-			targetDir := filepath.Join(copyPath, "Libbox.xcframework")
-			targetDir, _ = filepath.Abs(targetDir)
-			err := os.RemoveAll(targetDir)
-			if err != nil {
-				log.Fatal(err)
-			}
-			err = os.Rename(sourceDir, targetDir)
-			if err != nil {
-				log.Fatal(err)
-			}
-			log.Info("copied ", sourceDir, " to ", targetDir)
-		}
-	}
-}
-
-func findArtifactPath(name string) (string, bool) {
-	candidates := []string{
-		name,
-		filepath.Join("experimental", "libbox", name),
-	}
-	for _, candidate := range candidates {
-		if rw.IsFile(candidate) || rw.IsDir(candidate) {
-			return candidate, true
-		}
-	}
-	return "", false
-}

cmd/internal/update_apple_version/main.go

@@ -71,12 +71,12 @@ func findAndReplace(objectsMap map[string]any, projectContent string, bundleIDLi
 		indexEnd := indexStart + strings.Index(projectContent[indexStart:], "}")
 		versionStart := indexStart + strings.Index(projectContent[indexStart:indexEnd], "MARKETING_VERSION = ") + 20
 		versionEnd := versionStart + strings.Index(projectContent[versionStart:indexEnd], ";")
-		version := projectContent[versionStart:versionEnd]
+		version := strings.Trim(projectContent[versionStart:versionEnd], "\"")
 		if version == newVersion {
 			continue
 		}
 		updated = true
-		projectContent = projectContent[:versionStart] + newVersion + projectContent[versionEnd:]
+		projectContent = projectContent[:versionStart] + "\"" + newVersion + "\"" + projectContent[versionEnd:]
 	}
 	return projectContent, updated
 }

common/conntrack/conn.go

@@ -1,54 +0,0 @@
-package conntrack
-
-import (
-	"io"
-	"net"
-
-	"github.com/sagernet/sing/common/x/list"
-)
-
-type Conn struct {
-	net.Conn
-	element *list.Element[io.Closer]
-}
-
-func NewConn(conn net.Conn) (net.Conn, error) {
-	connAccess.Lock()
-	element := openConnection.PushBack(conn)
-	connAccess.Unlock()
-	if KillerEnabled {
-		err := KillerCheck()
-		if err != nil {
-			conn.Close()
-			return nil, err
-		}
-	}
-	return &Conn{
-		Conn:    conn,
-		element: element,
-	}, nil
-}
-
-func (c *Conn) Close() error {
-	if c.element.Value != nil {
-		connAccess.Lock()
-		if c.element.Value != nil {
-			openConnection.Remove(c.element)
-			c.element.Value = nil
-		}
-		connAccess.Unlock()
-	}
-	return c.Conn.Close()
-}
-
-func (c *Conn) Upstream() any {
-	return c.Conn
-}
-
-func (c *Conn) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *Conn) WriterReplaceable() bool {
-	return true
-}

common/conntrack/killer.go

@@ -1,35 +0,0 @@
-package conntrack
-
-import (
-	runtimeDebug "runtime/debug"
-	"time"
-
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/memory"
-)
-
-var (
-	KillerEnabled   bool
-	MemoryLimit     uint64
-	killerLastCheck time.Time
-)
-
-func KillerCheck() error {
-	if !KillerEnabled {
-		return nil
-	}
-	nowTime := time.Now()
-	if nowTime.Sub(killerLastCheck) < 3*time.Second {
-		return nil
-	}
-	killerLastCheck = nowTime
-	if memory.Total() > MemoryLimit {
-		Close()
-		go func() {
-			time.Sleep(time.Second)
-			runtimeDebug.FreeOSMemory()
-		}()
-		return E.New("out of memory")
-	}
-	return nil
-}

common/conntrack/packet_conn.go

@@ -1,55 +0,0 @@
-package conntrack
-
-import (
-	"io"
-	"net"
-
-	"github.com/sagernet/sing/common/bufio"
-	"github.com/sagernet/sing/common/x/list"
-)
-
-type PacketConn struct {
-	net.PacketConn
-	element *list.Element[io.Closer]
-}
-
-func NewPacketConn(conn net.PacketConn) (net.PacketConn, error) {
-	connAccess.Lock()
-	element := openConnection.PushBack(conn)
-	connAccess.Unlock()
-	if KillerEnabled {
-		err := KillerCheck()
-		if err != nil {
-			conn.Close()
-			return nil, err
-		}
-	}
-	return &PacketConn{
-		PacketConn: conn,
-		element:    element,
-	}, nil
-}
-
-func (c *PacketConn) Close() error {
-	if c.element.Value != nil {
-		connAccess.Lock()
-		if c.element.Value != nil {
-			openConnection.Remove(c.element)
-			c.element.Value = nil
-		}
-		connAccess.Unlock()
-	}
-	return c.PacketConn.Close()
-}
-
-func (c *PacketConn) Upstream() any {
-	return bufio.NewPacketConn(c.PacketConn)
-}
-
-func (c *PacketConn) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *PacketConn) WriterReplaceable() bool {
-	return true
-}

common/conntrack/track.go

@@ -1,47 +0,0 @@
-package conntrack
-
-import (
-	"io"
-	"sync"
-
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/x/list"
-)
-
-var (
-	connAccess     sync.RWMutex
-	openConnection list.List[io.Closer]
-)
-
-func Count() int {
-	if !Enabled {
-		return 0
-	}
-	return openConnection.Len()
-}
-
-func List() []io.Closer {
-	if !Enabled {
-		return nil
-	}
-	connAccess.RLock()
-	defer connAccess.RUnlock()
-	connList := make([]io.Closer, 0, openConnection.Len())
-	for element := openConnection.Front(); element != nil; element = element.Next() {
-		connList = append(connList, element.Value)
-	}
-	return connList
-}
-
-func Close() {
-	if !Enabled {
-		return
-	}
-	connAccess.Lock()
-	defer connAccess.Unlock()
-	for element := openConnection.Front(); element != nil; element = element.Next() {
-		common.Close(element.Value)
-		element.Value = nil
-	}
-	openConnection.Init()
-}

common/conntrack/track_disable.go

@@ -1,5 +0,0 @@
-//go:build !with_conntrack
-
-package conntrack
-
-const Enabled = false

common/conntrack/track_enable.go

@@ -1,5 +0,0 @@
-//go:build with_conntrack
-
-package conntrack
-
-const Enabled = true

common/dialer/default.go

@@ -9,7 +9,6 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/listener"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
@@ -37,6 +36,7 @@ type DefaultDialer struct {
 	udpAddr4               string
 	udpAddr6               string
 	netns                  string
+	connectionManager      adapter.ConnectionManager
 	networkManager         adapter.NetworkManager
 	networkStrategy        *C.NetworkStrategy
 	defaultNetworkStrategy bool
@@ -47,6 +47,7 @@ type DefaultDialer struct {
 }
 
 func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDialer, error) {
+	connectionManager := service.FromContext[adapter.ConnectionManager](ctx)
 	networkManager := service.FromContext[adapter.NetworkManager](ctx)
 	platformInterface := service.FromContext[adapter.PlatformInterface](ctx)
 
@@ -89,7 +90,7 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 
 	if networkManager != nil {
 		defaultOptions := networkManager.DefaultOptions()
-		if defaultOptions.BindInterface != "" {
+		if defaultOptions.BindInterface != "" && !disableDefaultBind {
 			bindFunc := control.BindToInterface(networkManager.InterfaceFinder(), defaultOptions.BindInterface, -1)
 			dialer.Control = control.Append(dialer.Control, bindFunc)
 			listener.Control = control.Append(listener.Control, bindFunc)
@@ -157,8 +158,11 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		if keepInterval == 0 {
 			keepInterval = C.TCPKeepAliveInterval
 		}
-		dialer.KeepAlive = keepIdle
-		dialer.Control = control.Append(dialer.Control, control.SetKeepAlivePeriod(keepIdle, keepInterval))
+		dialer.KeepAliveConfig = net.KeepAliveConfig{
+			Enable:   true,
+			Idle:     keepIdle,
+			Interval: keepInterval,
+		}
 	}
 	var udpFragment bool
 	if options.UDPFragment != nil {
@@ -206,6 +210,7 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		udpAddr4:               udpAddr4,
 		udpAddr6:               udpAddr6,
 		netns:                  options.NetNs,
+		connectionManager:      connectionManager,
 		networkManager:         networkManager,
 		networkStrategy:        networkStrategy,
 		defaultNetworkStrategy: defaultNetworkStrategy,
@@ -238,7 +243,7 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 		return nil, E.New("domain not resolved")
 	}
 	if d.networkStrategy == nil {
-		return trackConn(listener.ListenNetworkNamespace[net.Conn](d.netns, func() (net.Conn, error) {
+		return d.trackConn(listener.ListenNetworkNamespace[net.Conn](d.netns, func() (net.Conn, error) {
 			switch N.NetworkName(network) {
 			case N.NetworkUDP:
 				if !address.IsIPv6() {
@@ -303,12 +308,12 @@ func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network strin
 	if !fastFallback && !isPrimary {
 		d.networkLastFallback.Store(time.Now())
 	}
-	return trackConn(conn, nil)
+	return d.trackConn(conn, nil)
 }
 
 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	if d.networkStrategy == nil {
-		return trackPacketConn(listener.ListenNetworkNamespace[net.PacketConn](d.netns, func() (net.PacketConn, error) {
+		return d.trackPacketConn(listener.ListenNetworkNamespace[net.PacketConn](d.netns, func() (net.PacketConn, error) {
 			if destination.IsIPv6() {
 				return d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6)
 			} else if destination.IsIPv4() && !destination.Addr.IsUnspecified() {
@@ -360,23 +365,23 @@ func (d *DefaultDialer) ListenSerialInterfacePacket(ctx context.Context, destina
 			return nil, err
 		}
 	}
-	return trackPacketConn(packetConn, nil)
+	return d.trackPacketConn(packetConn, nil)
 }
 
 func (d *DefaultDialer) WireGuardControl() control.Func {
 	return d.udpListener.Control
 }
 
-func trackConn(conn net.Conn, err error) (net.Conn, error) {
-	if !conntrack.Enabled || err != nil {
+func (d *DefaultDialer) trackConn(conn net.Conn, err error) (net.Conn, error) {
+	if d.connectionManager == nil || err != nil {
 		return conn, err
 	}
-	return conntrack.NewConn(conn)
+	return d.connectionManager.TrackConn(conn), nil
 }
 
-func trackPacketConn(conn net.PacketConn, err error) (net.PacketConn, error) {
-	if !conntrack.Enabled || err != nil {
+func (d *DefaultDialer) trackPacketConn(conn net.PacketConn, err error) (net.PacketConn, error) {
+	if d.connectionManager == nil || err != nil {
 		return conn, err
 	}
-	return conntrack.NewPacketConn(conn)
+	return d.connectionManager.TrackPacketConn(conn), nil
 }

common/dialer/dialer.go

@@ -145,3 +145,7 @@ type ParallelNetworkDialer interface {
 	DialParallelNetwork(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
 	ListenSerialNetworkPacket(ctx context.Context, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error)
 }
+
+type PacketDialerWithDestination interface {
+	ListenPacketWithDestination(ctx context.Context, destination M.Socksaddr) (net.PacketConn, netip.Addr, error)
+}

common/listener/listener_tcp.go

@@ -99,8 +99,6 @@ func (l *Listener) loopTCPIn() {
 		}
 		//nolint:staticcheck
 		metadata.InboundDetour = l.listenOptions.Detour
-		//nolint:staticcheck
-		metadata.InboundOptions = l.listenOptions.InboundOptions
 		metadata.Source = M.SocksaddrFromNet(conn.RemoteAddr()).Unwrap()
 		metadata.OriginDestination = M.SocksaddrFromNet(conn.LocalAddr()).Unwrap()
 		ctx := log.ContextWithNewID(l.ctx)

common/tls/ech.go

@@ -15,7 +15,6 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	aTLS "github.com/sagernet/sing/common/tls"
@@ -38,7 +37,7 @@ func parseECHClientConfig(ctx context.Context, clientConfig ECHCapableConfig, op
 	}
 	//nolint:staticcheck
 	if options.ECH.PQSignatureSchemesEnabled || options.ECH.DynamicRecordSizingDisabled {
-		deprecated.Report(ctx, deprecated.OptionLegacyECHOptions)
+		return nil, E.New("legacy ECH options are deprecated in sing-box 1.12.0 and removed in sing-box 1.13.0")
 	}
 	if len(echConfig) > 0 {
 		block, rest := pem.Decode(echConfig)
@@ -77,7 +76,7 @@ func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions,
 	tlsConfig.EncryptedClientHelloKeys = echKeys
 	//nolint:staticcheck
 	if options.ECH.PQSignatureSchemesEnabled || options.ECH.DynamicRecordSizingDisabled {
-		deprecated.Report(ctx, deprecated.OptionLegacyECHOptions)
+		return E.New("legacy ECH options are deprecated in sing-box 1.12.0 and removed in sing-box 1.13.0")
 	}
 	return nil
 }

constant/proxy.go

@@ -30,6 +30,7 @@ const (
 	TypeSSMAPI       = "ssm-api"
 	TypeCCM          = "ccm"
 	TypeOCM          = "ocm"
+	TypeOOMKiller    = "oom-killer"
 )
 
 const (
@@ -85,6 +86,8 @@ func ProxyDisplayName(proxyType string) string {
 		return "Hysteria2"
 	case TypeAnyTLS:
 		return "AnyTLS"
+	case TypeTailscale:
+		return "Tailscale"
 	case TypeSelector:
 		return "Selector"
 	case TypeURLTest:

daemon/instance.go

@@ -7,10 +7,12 @@ import (
 	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/urltest"
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 	"github.com/sagernet/sing/service"
@@ -21,6 +23,7 @@ type Instance struct {
 	ctx                   context.Context
 	cancel                context.CancelFunc
 	instance              *box.Box
+	connectionManager     adapter.ConnectionManager
 	clashServer           adapter.ClashServer
 	cacheFile             adapter.CacheFile
 	pauseManager          pause.Manager
@@ -84,6 +87,15 @@ func (s *StartedService) newInstance(profileContent string, overrideOptions *Ove
 			}
 		}
 	}
+	if s.oomKiller && C.IsIos {
+		if !common.Any(options.Services, func(it option.Service) bool {
+			return it.Type == C.TypeOOMKiller
+		}) {
+			options.Services = append(options.Services, option.Service{
+				Type: C.TypeOOMKiller,
+			})
+		}
+	}
 	urlTestHistoryStorage := urltest.NewHistoryStorage()
 	ctx = service.ContextWithPtr(ctx, urlTestHistoryStorage)
 	i := &Instance{
@@ -101,6 +113,7 @@ func (s *StartedService) newInstance(profileContent string, overrideOptions *Ove
 		return nil, err
 	}
 	i.instance = boxInstance
+	i.connectionManager = service.FromContext[adapter.ConnectionManager](ctx)
 	i.clashServer = service.FromContext[adapter.ClashServer](ctx)
 	i.pauseManager = service.FromContext[pause.Manager](ctx)
 	i.cacheFile = service.FromContext[adapter.CacheFile](ctx)

daemon/started_service.go

@@ -8,7 +8,6 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/urltest"
 	"github.com/sagernet/sing-box/experimental/clashapi"
 	"github.com/sagernet/sing-box/experimental/clashapi/trafficontrol"
@@ -36,6 +35,7 @@ type StartedService struct {
 	handler     PlatformHandler
 	debug       bool
 	logMaxLines int
+	oomKiller   bool
 	// workingDirectory string
 	// tempDirectory    string
 	// userID           int
@@ -67,6 +67,7 @@ type ServiceOptions struct {
 	Handler     PlatformHandler
 	Debug       bool
 	LogMaxLines int
+	OOMKiller   bool
 	// WorkingDirectory   string
 	// TempDirectory      string
 	// UserID             int
@@ -81,6 +82,7 @@ func NewStartedService(options ServiceOptions) *StartedService {
 		handler:     options.Handler,
 		debug:       options.Debug,
 		logMaxLines: options.LogMaxLines,
+		oomKiller:   options.OOMKiller,
 		// workingDirectory: options.WorkingDirectory,
 		// tempDirectory:    options.TempDirectory,
 		// userID:           options.UserID,
@@ -207,6 +209,14 @@ func (s *StartedService) StartOrReloadService(profileContent string, options *Ov
 	return nil
 }
 
+func (s *StartedService) Close() {
+	s.serviceStatusSubscriber.Close()
+	s.logSubscriber.Close()
+	s.urlTestSubscriber.Close()
+	s.clashModeSubscriber.Close()
+	s.connectionEventSubscriber.Close()
+}
+
 func (s *StartedService) CloseService() error {
 	s.serviceAccess.Lock()
 	switch s.serviceStatus.Status {
@@ -399,12 +409,14 @@ func (s *StartedService) SubscribeStatus(request *SubscribeStatusRequest, server
 
 func (s *StartedService) readStatus() *Status {
 	var status Status
-	status.Memory = memory.Inuse()
+	status.Memory = memory.Total()
 	status.Goroutines = int32(runtime.NumGoroutine())
-	status.ConnectionsOut = int32(conntrack.Count())
 	s.serviceAccess.RLock()
 	nowService := s.instance
 	s.serviceAccess.RUnlock()
+	if nowService != nil && nowService.connectionManager != nil {
+		status.ConnectionsOut = int32(nowService.connectionManager.Count())
+	}
 	if nowService != nil {
 		if clashServer := nowService.clashServer; clashServer != nil {
 			status.TrafficAvailable = true
@@ -985,7 +997,12 @@ func (s *StartedService) CloseConnection(ctx context.Context, request *CloseConn
 }
 
 func (s *StartedService) CloseAllConnections(ctx context.Context, empty *emptypb.Empty) (*emptypb.Empty, error) {
-	conntrack.Close()
+	s.serviceAccess.RLock()
+	nowService := s.instance
+	s.serviceAccess.RUnlock()
+	if nowService != nil && nowService.connectionManager != nil {
+		nowService.connectionManager.CloseAll()
+	}
 	return &emptypb.Empty{}, nil
 }
 

debug.go

@@ -3,11 +3,11 @@ package box
 import (
 	"runtime/debug"
 
-	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
 )
 
-func applyDebugOptions(options option.DebugOptions) {
+func applyDebugOptions(options option.DebugOptions) error {
 	applyDebugListenOption(options)
 	if options.GCPercent != nil {
 		debug.SetGCPercent(*options.GCPercent)
@@ -26,9 +26,9 @@ func applyDebugOptions(options option.DebugOptions) {
 	}
 	if options.MemoryLimit.Value() != 0 {
 		debug.SetMemoryLimit(int64(float64(options.MemoryLimit.Value()) / 1.5))
-		conntrack.MemoryLimit = options.MemoryLimit.Value()
 	}
 	if options.OOMKiller != nil {
-		conntrack.KillerEnabled = *options.OOMKiller
+		return E.New("legacy oom_killer in debug options is removed, use oom-killer service instead")
 	}
+	return nil
 }

dns/client.go

@@ -240,8 +240,10 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 	if responseChecker != nil {
 		var rejected bool
 		// TODO: add accept_any rule and support to check response instead of addresses
-		if response.Rcode != dns.RcodeSuccess || len(response.Answer) == 0 {
+		if response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError {
 			rejected = true
+		} else if len(response.Answer) == 0 {
+			rejected = !responseChecker(nil)
 		} else {
 			rejected = !responseChecker(MessageToAddresses(response))
 		}

dns/router.go

@@ -272,13 +272,7 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 					return action.Response(message), nil
 				}
 			}
-			var responseCheck func(responseAddrs []netip.Addr) bool
-			if rule != nil && rule.WithAddressLimit() {
-				responseCheck = func(responseAddrs []netip.Addr) bool {
-					metadata.DestinationAddresses = responseAddrs
-					return rule.MatchAddressLimit(metadata)
-				}
-			}
+			responseCheck := addressLimitResponseCheck(rule, metadata)
 			if dnsOptions.Strategy == C.DomainStrategyAsIS {
 				dnsOptions.Strategy = r.defaultDomainStrategy
 			}
@@ -377,9 +371,11 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 				case *R.RuleActionReject:
 					return nil, &R.RejectedError{Cause: action.Error(ctx)}
 				case *R.RuleActionPredefined:
+					responseAddrs = nil
 					if action.Rcode != mDNS.RcodeSuccess {
 						err = RcodeError(action.Rcode)
 					} else {
+						err = nil
 						for _, answer := range action.Answer {
 							switch record := answer.(type) {
 							case *mDNS.A:
@@ -392,13 +388,7 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 					goto response
 				}
 			}
-			var responseCheck func(responseAddrs []netip.Addr) bool
-			if rule != nil && rule.WithAddressLimit() {
-				responseCheck = func(responseAddrs []netip.Addr) bool {
-					metadata.DestinationAddresses = responseAddrs
-					return rule.MatchAddressLimit(metadata)
-				}
-			}
+			responseCheck := addressLimitResponseCheck(rule, metadata)
 			if dnsOptions.Strategy == C.DomainStrategyAsIS {
 				dnsOptions.Strategy = r.defaultDomainStrategy
 			}
@@ -426,6 +416,18 @@ func isAddressQuery(message *mDNS.Msg) bool {
 	return false
 }
 
+func addressLimitResponseCheck(rule adapter.DNSRule, metadata *adapter.InboundContext) func(responseAddrs []netip.Addr) bool {
+	if rule == nil || !rule.WithAddressLimit() {
+		return nil
+	}
+	responseMetadata := *metadata
+	return func(responseAddrs []netip.Addr) bool {
+		checkMetadata := responseMetadata
+		checkMetadata.DestinationAddresses = responseAddrs
+		return rule.MatchAddressLimit(&checkMetadata)
+	}
+}
+
 func (r *Router) ClearCache() {
 	r.client.ClearCache()
 	if r.platformInterface != nil {

dns/transport/fakeip/store.go

@@ -18,6 +18,8 @@ type Store struct {
 	logger     logger.Logger
 	inet4Range netip.Prefix
 	inet6Range netip.Prefix
+	inet4Last  netip.Addr
+	inet6Last  netip.Addr
 	storage    adapter.FakeIPStorage
 
 	addressAccess sync.Mutex
@@ -26,12 +28,35 @@ type Store struct {
 }
 
 func NewStore(ctx context.Context, logger logger.Logger, inet4Range netip.Prefix, inet6Range netip.Prefix) *Store {
-	return &Store{
+	store := &Store{
 		ctx:        ctx,
 		logger:     logger,
 		inet4Range: inet4Range,
 		inet6Range: inet6Range,
 	}
+	if inet4Range.IsValid() {
+		store.inet4Last = broadcastAddress(inet4Range)
+	}
+	if inet6Range.IsValid() {
+		store.inet6Last = broadcastAddress(inet6Range)
+	}
+	return store
+}
+
+func broadcastAddress(prefix netip.Prefix) netip.Addr {
+	addr := prefix.Addr()
+	raw := addr.As16()
+	bits := prefix.Bits()
+	if addr.Is4() {
+		bits += 96
+	}
+	for i := bits; i < 128; i++ {
+		raw[i/8] |= 1 << (7 - i%8)
+	}
+	if addr.Is4() {
+		return netip.AddrFrom4([4]byte(raw[12:]))
+	}
+	return netip.AddrFrom16(raw)
 }
 
 func (s *Store) Start() error {
@@ -49,10 +74,10 @@ func (s *Store) Start() error {
 		s.inet6Current = metadata.Inet6Current
 	} else {
 		if s.inet4Range.IsValid() {
-			s.inet4Current = s.inet4Range.Addr().Next().Next()
+			s.inet4Current = s.inet4Range.Addr().Next()
 		}
 		if s.inet6Range.IsValid() {
-			s.inet6Current = s.inet6Range.Addr().Next().Next()
+			s.inet6Current = s.inet6Range.Addr().Next()
 		}
 		_ = storage.FakeIPReset()
 	}
@@ -98,7 +123,7 @@ func (s *Store) Create(domain string, isIPv6 bool) (netip.Addr, error) {
 			return netip.Addr{}, E.New("missing IPv4 fakeip address range")
 		}
 		nextAddress := s.inet4Current.Next()
-		if !s.inet4Range.Contains(nextAddress) {
+		if nextAddress == s.inet4Last || !s.inet4Range.Contains(nextAddress) {
 			nextAddress = s.inet4Range.Addr().Next().Next()
 		}
 		s.inet4Current = nextAddress
@@ -108,7 +133,7 @@ func (s *Store) Create(domain string, isIPv6 bool) (netip.Addr, error) {
 			return netip.Addr{}, E.New("missing IPv6 fakeip address range")
 		}
 		nextAddress := s.inet6Current.Next()
-		if !s.inet6Range.Contains(nextAddress) {
+		if nextAddress == s.inet6Last || !s.inet6Range.Contains(nextAddress) {
 			nextAddress = s.inet6Range.Addr().Next().Next()
 		}
 		s.inet6Current = nextAddress

dns/transport/local/resolv_windows.go

@@ -5,6 +5,7 @@ import (
 	"net"
 	"net/netip"
 	"os"
+	"strconv"
 	"syscall"
 	"time"
 	"unsafe"
@@ -63,6 +64,9 @@ func dnsReadConfig(ctx context.Context, _ string) *dnsConfig {
 					continue
 				}
 				dnsServerAddr = netip.AddrFrom16(sockaddr.Addr)
+				if sockaddr.ZoneId != 0 {
+					dnsServerAddr = dnsServerAddr.WithZone(strconv.FormatInt(int64(sockaddr.ZoneId), 10))
+				}
 			default:
 				// Unexpected type.
 				continue

docs/changelog.md

@@ -2,10 +2,16 @@
 icon: material/alert-decagram
 ---
 
-#### 1.13.0-rc.3
+#### 1.13.1
 
 * Fixes and improvements
 
+#### 1.12.14
+
+* Backport fixes
+
+#### 1.13.0
+
 Important changes since 1.12:
 
 * Add NaiveProxy outbound **1**
@@ -22,7 +28,7 @@ Important changes since 1.12:
 * Improve `local` DNS server **12**
 * Add `disable_tcp_keep_alive`, `tcp_keep_alive` and `tcp_keep_alive_interval` options for listen and dial fields **13**
 * Add `bind_address_no_port` option for dial fields **14**
-* Add system interface and relay server options for Tailscale endpoint **15**
+* Add system interface, relay server and advertise tags options for Tailscale endpoint **15**
 * Add Claude Code Multiplexer service **16**
 * Add OpenAI Codex Multiplexer service **17**
 * Apple/Android: Refactor GUI
@@ -136,6 +142,7 @@ See [Dial Fields](/configuration/shared/dial/#bind_address_no_port).
 
 Tailscale endpoint can now create a system TUN interface to handle traffic directly.
 New `relay_server_port` and `relay_server_static_endpoints` options for incoming relay connections.
+New `advertise_tags` option for ACL tag advertisement.
 
 See [Tailscale endpoint](/configuration/endpoint/tailscale/).
 
@@ -169,6 +176,22 @@ Also, documentation has been updated with a warning about uTLS fingerprinting vu
 uTLS is not recommended for censorship circumvention due to fundamental architectural limitations;
 use NaiveProxy instead for TLS fingerprint resistance.
 
+#### 1.12.23
+
+* Fixes and improvements
+
+#### 1.13.0-rc.5
+
+* Add `mipsle`, `mips64le`, `riscv64` and `loong64` support for NaiveProxy outbound
+
+#### 1.12.22
+
+* Fixes and improvements
+
+#### 1.13.0-rc.3
+
+* Fixes and improvements
+
 #### 1.12.21
 
 * Fixes and improvements

docs/configuration/endpoint/tailscale.md

@@ -8,7 +8,8 @@ icon: material/new-box
     :material-plus: [relay_server_static_endpoints](#relay_server_static_endpoints)  
     :material-plus: [system_interface](#system_interface)  
     :material-plus: [system_interface_name](#system_interface_name)  
-    :material-plus: [system_interface_mtu](#system_interface_mtu)
+    :material-plus: [system_interface_mtu](#system_interface_mtu)  
+    :material-plus: [advertise_tags](#advertise_tags)
 
 !!! question "Since sing-box 1.12.0"
 
@@ -28,6 +29,7 @@ icon: material/new-box
   "exit_node_allow_lan_access": false,
   "advertise_routes": [],
   "advertise_exit_node": false,
+  "advertise_tags": [],
   "relay_server_port": 0,
   "relay_server_static_endpoints": [],
   "system_interface": false,
@@ -102,6 +104,14 @@ Example: `["192.168.1.1/24"]`
 
 Indicates whether the node should advertise itself as an exit node.
 
+#### advertise_tags
+
+!!! question "Since sing-box 1.13.0"
+
+Tags to advertise for this node, for ACL enforcement purposes.
+
+Example: `["tag:server"]`
+
 #### relay_server_port
 
 !!! question "Since sing-box 1.13.0"

docs/configuration/endpoint/tailscale.zh.md

@@ -8,7 +8,8 @@ icon: material/new-box
     :material-plus: [relay_server_static_endpoints](#relay_server_static_endpoints)  
     :material-plus: [system_interface](#system_interface)  
     :material-plus: [system_interface_name](#system_interface_name)  
-    :material-plus: [system_interface_mtu](#system_interface_mtu)
+    :material-plus: [system_interface_mtu](#system_interface_mtu)  
+    :material-plus: [advertise_tags](#advertise_tags)
 
 !!! question "自 sing-box 1.12.0 起"
 
@@ -28,6 +29,7 @@ icon: material/new-box
   "exit_node_allow_lan_access": false,
   "advertise_routes": [],
   "advertise_exit_node": false,
+  "advertise_tags": [],
   "relay_server_port": 0,
   "relay_server_static_endpoints": [],
   "system_interface": false,
@@ -101,6 +103,14 @@ icon: material/new-box
 
 指示节点是否应将自己通告为出口节点。
 
+#### advertise_tags
+
+!!! question "自 sing-box 1.13.0 起"
+
+为此节点通告的标签，用于 ACL 执行。
+
+示例：`["tag:server"]`
+
 #### relay_server_port
 
 !!! question "自 sing-box 1.13.0 起"

docs/installation/build-from-source.md

@@ -57,11 +57,35 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
 | `with_v2ray_api`                   | :material-close:️    | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
 | `with_gvisor`                      | :material-check:     | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
 | `with_embedded_tor` (CGO required) | :material-close:️    | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
-| `with_tailscale`                   | :material-check:     | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale)                                                                                                                                                                                                                                      |
-| `with_naive_outbound`              | :material-close:️    | Build with NaiveProxy outbound support, see [NaiveProxy outbound](/configuration/outbound/naive/).                                                                                                                                                                                                                             |
+| `with_tailscale`                   | :material-check:     | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale).                                                                                                                                                                                                                                     |
+| `with_ccm`                         | :material-check:     | Build with Claude Code Multiplexer service support.                                                                                                                                                                                                                                                                            |
+| `with_ocm`                         | :material-check:     | Build with OpenAI Codex Multiplexer service support.                                                                                                                                                                                                                                                                           |
+| `with_naive_outbound`              | :material-check:     | Build with NaiveProxy outbound support, see [NaiveProxy outbound](/configuration/outbound/naive/).                                                                                                                                                                                                                             |
+| `badlinkname`                      | :material-check:     | Enable `go:linkname` access to internal standard library functions. Required because the Go standard library does not expose many low-level APIs needed by this project, and reimplementing them externally is impractical. Used for kTLS (kernel TLS offload) and raw TLS record manipulation.                                 |
+| `tfogo_checklinkname0`             | :material-check:     | Companion to `badlinkname`. Go 1.23+ enforces `go:linkname` restrictions via the linker; this tag signals the build uses `-checklinkname=0` to bypass that enforcement.                                                                                                                                                       |
 
 It is not recommended to change the default build tag list unless you really know what you are adding.
 
+## :material-wrench: Linker Flags
+
+The following `-ldflags` are used in official builds:
+
+| Flag                                                        | Description                                                                                                                                                                                                             |
+|-------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `-X 'internal/godebug.defaultGODEBUG=multipathtcp=0'`      | Go 1.24 enabled Multipath TCP for listeners by default (`multipathtcp=2`). This may cause errors on low-level sockets, and sing-box has its own MPTCP control (`tcp_multi_path` option). This flag disables the Go default. |
+| `-checklinkname=0`                                          | Go 1.23+ linker rejects unauthorized `go:linkname` usage. This flag disables the check, required together with the `badlinkname` build tag.                                                                            |
+
+## :material-package-variant: For Downstream Packagers
+
+The default build tag lists and linker flags are available as files in the repository for downstream packagers to reference directly:
+
+| File | Description |
+|------|-------------|
+| `release/DEFAULT_BUILD_TAGS` | Default for Linux (common architectures), Darwin, and Android. |
+| `release/DEFAULT_BUILD_TAGS_WINDOWS` | Default for Windows (includes `with_purego`). |
+| `release/DEFAULT_BUILD_TAGS_OTHERS` | Default for other platforms (no `with_naive_outbound`). |
+| `release/LDFLAGS` | Required linker flags (see above). |
+
 ## :material-layers: with_naive_outbound
 
 NaiveProxy outbound requires special build configurations depending on your target platform.

docs/installation/build-from-source.zh.md

@@ -61,11 +61,35 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
 | `with_v2ray_api`                   | :material-close:️ | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
 | `with_gvisor`                      | :material-check:  | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
 | `with_embedded_tor` (CGO required) | :material-close:️ | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
-| `with_tailscale`                   | :material-check:  | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale)                                                                                                                                                                                                                                      |
-| `with_naive_outbound`              | :material-close:️ | 构建 NaiveProxy 出站支持，参阅 [NaiveProxy 出站](/zh/configuration/outbound/naive/)。                                                                                                                                                                                                                                                      |
+| `with_tailscale`                   | :material-check:  | 构建 Tailscale 支持，参阅 [Tailscale 端点](/configuration/endpoint/tailscale)。                                                                                                                                                                                                                                                         |
+| `with_ccm`                         | :material-check:  | 构建 Claude Code Multiplexer 服务支持。                                                                                                                                                                                                                                                                                              |
+| `with_ocm`                         | :material-check:  | 构建 OpenAI Codex Multiplexer 服务支持。                                                                                                                                                                                                                                                                                             |
+| `with_naive_outbound`              | :material-check:  | 构建 NaiveProxy 出站支持，参阅 [NaiveProxy 出站](/configuration/outbound/naive/)。                                                                                                                                                                                                                                                         |
+| `badlinkname`                      | :material-check:  | 启用 `go:linkname` 以访问标准库内部函数。Go 标准库未提供本项目需要的许多底层 API，且在外部重新实现不切实际。用于 kTLS（内核 TLS 卸载）和原始 TLS 记录操作。                                                                                                                                                                                                                           |
+| `tfogo_checklinkname0`             | :material-check:  | `badlinkname` 的伴随标记。Go 1.23+ 链接器强制限制 `go:linkname` 使用；此标记表示构建使用 `-checklinkname=0` 以绕过该限制。                                                                                                                                                                                                                                |
 
 除非您确实知道您正在启用什么，否则不建议更改默认构建标签列表。
 
+## :material-wrench: 链接器标志
+
+以下 `-ldflags` 在官方构建中使用：
+
+| 标志                                                          | 说明                                                                                                                                                         |
+|-------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `-X 'internal/godebug.defaultGODEBUG=multipathtcp=0'`      | Go 1.24 默认为监听器启用 Multipath TCP（`multipathtcp=2`）。这可能在底层 socket 上导致错误，且 sing-box 有自己的 MPTCP 控制（`tcp_multi_path` 选项）。此标志禁用 Go 的默认行为。                             |
+| `-checklinkname=0`                                          | Go 1.23+ 链接器拒绝未授权的 `go:linkname` 使用。此标志禁用该检查，需要与 `badlinkname` 构建标记一起使用。                                                                                   |
+
+## :material-package-variant: 下游打包者
+
+默认构建标签列表和链接器标志以文件形式存放在仓库中，供下游打包者直接引用：
+
+| 文件 | 说明 |
+|------|------|
+| `release/DEFAULT_BUILD_TAGS` | Linux（常见架构）、Darwin 和 Android 的默认标签。 |
+| `release/DEFAULT_BUILD_TAGS_WINDOWS` | Windows 的默认标签（包含 `with_purego`）。 |
+| `release/DEFAULT_BUILD_TAGS_OTHERS` | 其他平台的默认标签（不含 `with_naive_outbound`）。 |
+| `release/LDFLAGS` | 必需的链接器标志（参见上文）。 |
+
 ## :material-layers: with_naive_outbound
 
 NaiveProxy 出站需要根据目标平台进行特殊的构建配置。

experimental/clashapi/connections.go

@@ -2,6 +2,7 @@ package clashapi
 
 import (
 	"bytes"
+	"context"
 	"net/http"
 	"strconv"
 	"time"
@@ -17,15 +18,15 @@ import (
 	"github.com/gofrs/uuid/v5"
 )
 
-func connectionRouter(router adapter.Router, trafficManager *trafficontrol.Manager) http.Handler {
+func connectionRouter(ctx context.Context, router adapter.Router, trafficManager *trafficontrol.Manager) http.Handler {
 	r := chi.NewRouter()
-	r.Get("/", getConnections(trafficManager))
+	r.Get("/", getConnections(ctx, trafficManager))
 	r.Delete("/", closeAllConnections(router, trafficManager))
 	r.Delete("/{id}", closeConnection(trafficManager))
 	return r
 }
 
-func getConnections(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
+func getConnections(ctx context.Context, trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		if r.Header.Get("Upgrade") != "websocket" {
 			snapshot := trafficManager.Snapshot()
@@ -67,7 +68,12 @@ func getConnections(trafficManager *trafficontrol.Manager) func(w http.ResponseW
 
 		tick := time.NewTicker(time.Millisecond * time.Duration(interval))
 		defer tick.Stop()
-		for range tick.C {
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-tick.C:
+			}
 			if err = sendSnapshot(); err != nil {
 				break
 			}

experimental/clashapi/server.go

@@ -116,12 +116,12 @@ func NewServer(ctx context.Context, logFactory log.ObservableFactory, options op
 		r.Use(authentication(options.Secret))
 		r.Get("/", hello(options.ExternalUI != ""))
 		r.Get("/logs", getLogs(logFactory))
-		r.Get("/traffic", traffic(trafficManager))
+		r.Get("/traffic", traffic(s.ctx, trafficManager))
 		r.Get("/version", version)
 		r.Mount("/configs", configRouter(s, logFactory))
 		r.Mount("/proxies", proxyRouter(s, s.router))
 		r.Mount("/rules", ruleRouter(s.router))
-		r.Mount("/connections", connectionRouter(s.router, trafficManager))
+		r.Mount("/connections", connectionRouter(s.ctx, s.router, trafficManager))
 		r.Mount("/providers/proxies", proxyProviderRouter())
 		r.Mount("/providers/rules", ruleProviderRouter())
 		r.Mount("/script", scriptRouter())
@@ -303,7 +303,7 @@ type Traffic struct {
 	Down int64 `json:"down"`
 }
 
-func traffic(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
+func traffic(ctx context.Context, trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var conn net.Conn
 		if r.Header.Get("Upgrade") == "websocket" {
@@ -324,7 +324,12 @@ func traffic(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter,
 		defer tick.Stop()
 		buf := &bytes.Buffer{}
 		uploadTotal, downloadTotal := trafficManager.Total()
-		for range tick.C {
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-tick.C:
+			}
 			buf.Reset()
 			uploadTotalNew, downloadTotalNew := trafficManager.Total()
 			err := json.NewEncoder(buf).Encode(Traffic{

experimental/deprecated/constants.go

@@ -57,96 +57,6 @@ func (n Note) MessageWithLink() string {
 	}
 }
 
-var OptionBadMatchSource = Note{
-	Name:              "bad-match-source",
-	Description:       "legacy match source rule item",
-	DeprecatedVersion: "1.10.0",
-	ScheduledVersion:  "1.11.0",
-	EnvName:           "BAD_MATCH_SOURCE",
-	MigrationLink:     "https://sing-box.sagernet.org/deprecated/#match-source-rule-items-are-renamed",
-}
-
-var OptionGEOIP = Note{
-	Name:              "geoip",
-	Description:       "geoip database",
-	DeprecatedVersion: "1.8.0",
-	ScheduledVersion:  "1.12.0",
-	EnvName:           "GEOIP",
-	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-geoip-to-rule-sets",
-}
-
-var OptionGEOSITE = Note{
-	Name:              "geosite",
-	Description:       "geosite database",
-	DeprecatedVersion: "1.8.0",
-	ScheduledVersion:  "1.12.0",
-	EnvName:           "GEOSITE",
-	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-geosite-to-rule-sets",
-}
-
-var OptionTUNAddressX = Note{
-	Name:              "tun-address-x",
-	Description:       "legacy tun address fields",
-	DeprecatedVersion: "1.10.0",
-	ScheduledVersion:  "1.12.0",
-	EnvName:           "TUN_ADDRESS_X",
-	MigrationLink:     "https://sing-box.sagernet.org/migration/#tun-address-fields-are-merged",
-}
-
-var OptionSpecialOutbounds = Note{
-	Name:              "special-outbounds",
-	Description:       "legacy special outbounds",
-	DeprecatedVersion: "1.11.0",
-	ScheduledVersion:  "1.13.0",
-	EnvName:           "SPECIAL_OUTBOUNDS",
-	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-legacy-special-outbounds-to-rule-actions",
-}
-
-var OptionInboundOptions = Note{
-	Name:              "inbound-options",
-	Description:       "legacy inbound fields",
-	DeprecatedVersion: "1.11.0",
-	ScheduledVersion:  "1.13.0",
-	EnvName:           "INBOUND_OPTIONS",
-	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-legacy-special-outbounds-to-rule-actions",
-}
-
-var OptionDestinationOverrideFields = Note{
-	Name:              "destination-override-fields",
-	Description:       "destination override fields in direct outbound",
-	DeprecatedVersion: "1.11.0",
-	ScheduledVersion:  "1.13.0",
-	EnvName:           "DESTINATION_OVERRIDE_FIELDS",
-	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-destination-override-fields-to-route-options",
-}
-
-var OptionWireGuardOutbound = Note{
-	Name:              "wireguard-outbound",
-	Description:       "legacy wireguard outbound",
-	DeprecatedVersion: "1.11.0",
-	ScheduledVersion:  "1.13.0",
-	EnvName:           "WIREGUARD_OUTBOUND",
-	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-wireguard-outbound-to-endpoint",
-}
-
-var OptionWireGuardGSO = Note{
-	Name:              "wireguard-gso",
-	Description:       "GSO option in wireguard outbound",
-	DeprecatedVersion: "1.11.0",
-	ScheduledVersion:  "1.13.0",
-	EnvName:           "WIREGUARD_GSO",
-	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-wireguard-outbound-to-endpoint",
-}
-
-var OptionTUNGSO = Note{
-	Name:              "tun-gso",
-	Description:       "GSO option in tun",
-	DeprecatedVersion: "1.11.0",
-	ScheduledVersion:  "1.12.0",
-	EnvName:           "TUN_GSO",
-	MigrationLink:     "https://sing-box.sagernet.org/deprecated/#gso-option-in-tun",
-}
-
 var OptionLegacyDNSTransport = Note{
 	Name:              "legacy-dns-transport",
 	Description:       "legacy DNS servers",
@@ -183,15 +93,6 @@ var OptionMissingDomainResolver = Note{
 	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-outbound-dns-rule-items-to-domain-resolver",
 }
 
-var OptionLegacyECHOptions = Note{
-	Name:              "legacy-ech-options",
-	Description:       "legacy ECH options",
-	DeprecatedVersion: "1.12.0",
-	ScheduledVersion:  "1.13.0",
-	EnvName:           "LEGACY_ECH_OPTIONS",
-	MigrationLink:     "https://sing-box.sagernet.org/deprecated/#legacy-ech-fields",
-}
-
 var OptionLegacyDomainStrategyOptions = Note{
 	Name:              "legacy-domain-strategy-options",
 	Description:       "legacy domain strategy options",
@@ -202,20 +103,9 @@ var OptionLegacyDomainStrategyOptions = Note{
 }
 
 var Options = []Note{
-	OptionBadMatchSource,
-	OptionGEOIP,
-	OptionGEOSITE,
-	OptionTUNAddressX,
-	OptionSpecialOutbounds,
-	OptionInboundOptions,
-	OptionDestinationOverrideFields,
-	OptionWireGuardOutbound,
-	OptionWireGuardGSO,
-	OptionTUNGSO,
 	OptionLegacyDNSTransport,
 	OptionLegacyDNSFakeIPOptions,
 	OptionOutboundDNSRuleItem,
 	OptionMissingDomainResolver,
-	OptionLegacyECHOptions,
 	OptionLegacyDomainStrategyOptions,
 }

experimental/libbox/command_client.go

@@ -119,7 +119,11 @@ func dialTarget() (string, func(context.Context, string) (net.Conn, error)) {
 		}
 	}
 	if sCommandServerListenPort == 0 {
-		return "unix://" + filepath.Join(sBasePath, "command.sock"), nil
+		socketPath := filepath.Join(sBasePath, "command.sock")
+		return "passthrough:///command-socket", func(ctx context.Context, _ string) (net.Conn, error) {
+			var networkDialer net.Dialer
+			return networkDialer.DialContext(ctx, "unix", socketPath)
+		}
 	}
 	return net.JoinHostPort("127.0.0.1", strconv.Itoa(int(sCommandServerListenPort))), nil
 }

experimental/libbox/command_server.go

@@ -60,6 +60,7 @@ func NewCommandServer(handler CommandServerHandler, platformInterface PlatformIn
 		Handler:     (*platformHandler)(server),
 		Debug:       sDebug,
 		LogMaxLines: sLogMaxLines,
+		OOMKiller:   memoryLimitEnabled,
 		// WorkingDirectory: sWorkingPath,
 		// TempDirectory:    sTempPath,
 		// UserID:           sUserID,
@@ -159,6 +160,7 @@ func (s *CommandServer) Close() {
 		s.grpcServer.Stop()
 	}
 	common.Close(s.listener)
+	s.StartedService.Close()
 }
 
 type OverrideOptions struct {

experimental/libbox/ffi.json

@@ -1,10 +1,19 @@
 {
   "version": 1,
+  "variables": {
+    "VERSION": "$(go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest)",
+    "WORKSPACE_ROOT": "../../..",
+    "DEPLOY_ANDROID": "${WORKSPACE_ROOT}/sing-box-for-android/app/libs",
+    "DEPLOY_APPLE": "${WORKSPACE_ROOT}/sing-box-for-apple",
+    "DEPLOY_WINDOWS": "${WORKSPACE_ROOT}/sing-box-for-windows/local-packages"
+  },
   "packages": [
     {
       "id": "libbox",
       "path": ".",
       "java_package": "io.nekohasekai.libbox",
+      "csharp_namespace": "SagerNet",
+      "csharp_entrypoint": "Libbox",
       "apple_prefix": "Libbox"
     }
   ],
@@ -20,7 +29,6 @@
           "with_utls",
           "with_naive_outbound",
           "with_clash_api",
-          "with_conntrack",
           "badlinkname",
           "tfogo_checklinkname0",
           "with_tailscale",
@@ -36,7 +44,7 @@
           "ts_omit_synology",
           "ts_omit_bird"
         ],
-        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=$(CGO_ENABLED=0 go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest) -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
+        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
         "trimpath": true
       }
     },
@@ -50,7 +58,6 @@
           "with_wireguard",
           "with_utls",
           "with_clash_api",
-          "with_conntrack",
           "badlinkname",
           "tfogo_checklinkname0",
           "with_tailscale",
@@ -66,7 +73,7 @@
           "ts_omit_synology",
           "ts_omit_bird"
         ],
-        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=$(CGO_ENABLED=0 go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest) -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
+        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
         "trimpath": true
       }
     },
@@ -81,7 +88,6 @@
           "with_utls",
           "with_naive_outbound",
           "with_clash_api",
-          "with_conntrack",
           "badlinkname",
           "tfogo_checklinkname0",
           "with_dhcp",
@@ -99,7 +105,7 @@
           "ts_omit_synology",
           "ts_omit_bird"
         ],
-        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=$(CGO_ENABLED=0 go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest) -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
+        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
         "trimpath": true
       },
       "overrides": [
@@ -112,6 +118,37 @@
           "tags_append": ["with_low_memory"]
         }
       ]
+    },
+    {
+      "id": "windows",
+      "packages": ["libbox"],
+      "default": {
+        "tags": [
+          "with_gvisor",
+          "with_quic",
+          "with_wireguard",
+          "with_utls",
+          "with_naive_outbound",
+          "with_purego",
+          "with_clash_api",
+          "badlinkname",
+          "tfogo_checklinkname0",
+          "with_tailscale",
+          "ts_omit_logtail",
+          "ts_omit_ssh",
+          "ts_omit_drive",
+          "ts_omit_taildrop",
+          "ts_omit_webclient",
+          "ts_omit_doctor",
+          "ts_omit_capture",
+          "ts_omit_kube",
+          "ts_omit_aws",
+          "ts_omit_synology",
+          "ts_omit_bird"
+        ],
+        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
+        "trimpath": true
+      }
     }
   ],
   "platforms": [
@@ -119,12 +156,19 @@
       "type": "android",
       "build": "android-main",
       "min_sdk": 23,
+      "ndk_version": "28.0.13004108",
       "lib_name": "box",
       "languages": [{ "type": "java" }],
       "artifacts": [
         {
           "type": "aar",
-          "output_path": "libbox.aar"
+          "output_path": "libbox.aar",
+          "execute_after": [
+            "if [ -d \"${DEPLOY_ANDROID}\" ]; then",
+            "  rm -f \"${DEPLOY_ANDROID}/$$(basename \"${OUTPUT_PATH}\")\"",
+            "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_ANDROID}/\"",
+            "fi"
+          ]
         }
       ]
     },
@@ -132,12 +176,19 @@
       "type": "android",
       "build": "android-legacy",
       "min_sdk": 21,
+      "ndk_version": "28.0.13004108",
       "lib_name": "box",
       "languages": [{ "type": "java" }],
       "artifacts": [
         {
           "type": "aar",
-          "output_path": "libbox-legacy.aar"
+          "output_path": "libbox-legacy.aar",
+          "execute_after": [
+            "if [ -d \"${DEPLOY_ANDROID}\" ]; then",
+            "  rm -f \"${DEPLOY_ANDROID}/$$(basename \"${OUTPUT_PATH}\")\"",
+            "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_ANDROID}/\"",
+            "fi"
+          ]
         }
       ]
     },
@@ -159,7 +210,46 @@
         {
           "type": "xcframework",
           "module_name": "Libbox",
-          "output_path": "Libbox.xcframework"
+          "execute_after": [
+            "if [ -d \"${DEPLOY_APPLE}\" ]; then",
+            "  rm -rf \"${DEPLOY_APPLE}/${MODULE_NAME}.xcframework\"",
+            "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_APPLE}/\"",
+            "fi"
+          ]
+        }
+      ]
+    },
+    {
+      "type": "csharp",
+      "build": "windows",
+      "targets": [
+        "windows/amd64"
+      ],
+      "languages": [{ "type": "csharp" }],
+      "artifacts": [
+        {
+          "type": "nuget",
+          "package_id": "SagerNet.Libbox",
+          "package_version": "0.0.0-local",
+          "execute_after": {
+            "windows": [
+              "$$deployPath = '${DEPLOY_WINDOWS}'",
+              "if (Test-Path $$deployPath) {",
+              "  Remove-Item \"$$deployPath\\${PACKAGE_ID}.*.nupkg\" -ErrorAction SilentlyContinue",
+              "  Move-Item -Force '${OUTPUT_PATH}' \"$$deployPath\\\"",
+              "  $$cachePath = if ($$env:NUGET_PACKAGES) { $$env:NUGET_PACKAGES } else { \"$$env:USERPROFILE\\.nuget\\packages\" }",
+              "  Remove-Item -Recurse -Force \"$$cachePath\\sagernet.libbox\\${PACKAGE_VERSION}\" -ErrorAction SilentlyContinue",
+              "}"
+            ],
+            "default": [
+              "if [ -d \"${DEPLOY_WINDOWS}\" ]; then",
+              "  rm -f \"${DEPLOY_WINDOWS}/${PACKAGE_ID}.*.nupkg\"",
+              "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_WINDOWS}/\"",
+              "  cache_path=\"$${NUGET_PACKAGES:-$${HOME}/.nuget/packages}\"",
+              "  rm -rf \"$${cache_path}/sagernet.libbox/${PACKAGE_VERSION}\"",
+              "fi"
+            ]
+          }
         }
       ]
     }

experimental/libbox/memory.go

@@ -4,20 +4,23 @@ import (
 	"math"
 	runtimeDebug "runtime/debug"
 
-	"github.com/sagernet/sing-box/common/conntrack"
+	C "github.com/sagernet/sing-box/constant"
 )
 
+var memoryLimitEnabled bool
+
 func SetMemoryLimit(enabled bool) {
-	const memoryLimit = 45 * 1024 * 1024
-	const memoryLimitGo = memoryLimit / 1.5
+	memoryLimitEnabled = enabled
+	const memoryLimitGo = 45 * 1024 * 1024
 	if enabled {
 		runtimeDebug.SetGCPercent(10)
-		runtimeDebug.SetMemoryLimit(memoryLimitGo)
-		conntrack.KillerEnabled = true
-		conntrack.MemoryLimit = memoryLimit
+		if C.IsIos {
+			runtimeDebug.SetMemoryLimit(memoryLimitGo)
+		}
 	} else {
 		runtimeDebug.SetGCPercent(100)
-		runtimeDebug.SetMemoryLimit(math.MaxInt64)
-		conntrack.KillerEnabled = false
+		if C.IsIos {
+			runtimeDebug.SetMemoryLimit(math.MaxInt64)
+		}
 	}
 }

experimental/libbox/semver.go

@@ -0,0 +1,27 @@
+package libbox
+
+import (
+	"strings"
+
+	"golang.org/x/mod/semver"
+)
+
+func CompareSemver(left string, right string) bool {
+	normalizedLeft := normalizeSemver(left)
+	if !semver.IsValid(normalizedLeft) {
+		return false
+	}
+	normalizedRight := normalizeSemver(right)
+	if !semver.IsValid(normalizedRight) {
+		return false
+	}
+	return semver.Compare(normalizedLeft, normalizedRight) > 0
+}
+
+func normalizeSemver(version string) string {
+	trimmedVersion := strings.TrimSpace(version)
+	if strings.HasPrefix(trimmedVersion, "v") {
+		return trimmedVersion
+	}
+	return "v" + trimmedVersion
+}

experimental/libbox/semver_test.go

@@ -0,0 +1,16 @@
+package libbox
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestCompareSemver(t *testing.T) {
+	t.Parallel()
+
+	require.False(t, CompareSemver("1.13.0-rc.4", "1.13.0"))
+	require.True(t, CompareSemver("1.13.1", "1.13.0"))
+	require.False(t, CompareSemver("v1.13.0", "1.13.0"))
+	require.False(t, CompareSemver("1.13.0-", "1.13.0"))
+}

go.mod

@@ -3,60 +3,60 @@ module github.com/sagernet/sing-box
 go 1.24.7
 
 require (
-	github.com/anthropics/anthropic-sdk-go v1.19.0
+	github.com/anthropics/anthropic-sdk-go v1.26.0
 	github.com/anytls/sing-anytls v0.0.11
-	github.com/caddyserver/certmagic v0.25.0
+	github.com/caddyserver/certmagic v0.25.2
 	github.com/coder/websocket v1.8.14
 	github.com/cretz/bine v0.2.0
-	github.com/database64128/tfo-go/v2 v2.3.1
-	github.com/go-chi/chi/v5 v5.2.3
+	github.com/database64128/tfo-go/v2 v2.3.2
+	github.com/go-chi/chi/v5 v5.2.5
 	github.com/go-chi/render v1.0.3
-	github.com/godbus/dbus/v5 v5.2.1
+	github.com/godbus/dbus/v5 v5.2.2
 	github.com/gofrs/uuid/v5 v5.4.0
-	github.com/insomniacslk/dhcp v0.0.0-20251020182700-175e84fbb167
+	github.com/insomniacslk/dhcp v0.0.0-20260220084031-5adc3eb26f91
 	github.com/keybase/go-keychain v0.0.1
 	github.com/libdns/acmedns v0.5.0
-	github.com/libdns/alidns v1.0.6-beta.3
+	github.com/libdns/alidns v1.0.6
 	github.com/libdns/cloudflare v0.2.2
 	github.com/logrusorgru/aurora v2.0.3+incompatible
 	github.com/metacubex/utls v1.8.4
-	github.com/mholt/acmez/v3 v3.1.4
-	github.com/miekg/dns v1.1.69
-	github.com/openai/openai-go/v3 v3.15.0
+	github.com/mholt/acmez/v3 v3.1.6
+	github.com/miekg/dns v1.1.72
+	github.com/openai/openai-go/v3 v3.24.0
 	github.com/oschwald/maxminddb-golang v1.13.1
 	github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
 	github.com/sagernet/cors v1.2.1
-	github.com/sagernet/cronet-go v0.0.0-20260117110918-dc1cda1fe287
-	github.com/sagernet/cronet-go/all v0.0.0-20260117110918-dc1cda1fe287
+	github.com/sagernet/cronet-go v0.0.0-20260303101018-cba7b9ac0399
+	github.com/sagernet/cronet-go/all v0.0.0-20260303101018-cba7b9ac0399
 	github.com/sagernet/fswatch v0.1.1
-	github.com/sagernet/gomobile v0.1.11
+	github.com/sagernet/gomobile v0.1.12
 	github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1
-	github.com/sagernet/quic-go v0.59.0-sing-box-mod.2
-	github.com/sagernet/sing v0.8.0-beta.16
+	github.com/sagernet/quic-go v0.59.0-sing-box-mod.4
+	github.com/sagernet/sing v0.8.1
 	github.com/sagernet/sing-mux v0.3.4
-	github.com/sagernet/sing-quic v0.6.0-beta.12
+	github.com/sagernet/sing-quic v0.6.0
 	github.com/sagernet/sing-shadowsocks v0.2.8
 	github.com/sagernet/sing-shadowsocks2 v0.2.1
 	github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11
-	github.com/sagernet/sing-tun v0.8.0-beta.17
+	github.com/sagernet/sing-tun v0.8.2
 	github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1
 	github.com/sagernet/smux v1.5.50-sing-box-mod.1
-	github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6
-	github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20250917110311-16510ac47288
+	github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260303140313-3bcf9a4b9349
+	github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c
 	github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854
 	github.com/spf13/cobra v1.10.2
 	github.com/stretchr/testify v1.11.1
 	github.com/vishvananda/netns v0.0.5
 	go.uber.org/zap v1.27.1
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.46.0
+	golang.org/x/crypto v0.48.0
 	golang.org/x/exp v0.0.0-20251219203646-944ab1f22d93
-	golang.org/x/mod v0.31.0
-	golang.org/x/net v0.48.0
-	golang.org/x/sys v0.39.0
+	golang.org/x/mod v0.33.0
+	golang.org/x/net v0.50.0
+	golang.org/x/sys v0.41.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
-	google.golang.org/grpc v1.77.0
+	google.golang.org/grpc v1.79.1
 	google.golang.org/protobuf v1.36.11
 	howett.net/plist v1.0.1
 )
@@ -67,7 +67,7 @@ require (
 	github.com/akutz/memconn v0.1.0 // indirect
 	github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa // indirect
 	github.com/andybalholm/brotli v1.1.0 // indirect
-	github.com/caddyserver/zerossl v0.1.3 // indirect
+	github.com/caddyserver/zerossl v0.1.5 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 // indirect
 	github.com/database64128/netx-go v0.1.1 // indirect
@@ -96,7 +96,7 @@ require (
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/libdns/libdns v1.1.1 // indirect
-	github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 // indirect
+	github.com/mdlayher/netlink v1.9.0 // indirect
 	github.com/mdlayher/socket v0.5.1 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
@@ -105,28 +105,35 @@ require (
 	github.com/prometheus-community/pro-bing v0.4.0 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/safchain/ethtool v0.3.0 // indirect
-	github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
 	github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a // indirect
 	github.com/sagernet/nftables v0.3.0-beta.4 // indirect
 	github.com/spf13/pflag v1.0.9 // indirect
@@ -147,15 +154,15 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap/exp v0.3.0 // indirect
 	go4.org/mem v0.0.0-20240501181205-ae6ca9944745 // indirect
-	golang.org/x/oauth2 v0.32.0 // indirect
+	golang.org/x/oauth2 v0.34.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/term v0.38.0 // indirect
-	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/term v0.40.0 // indirect
+	golang.org/x/text v0.34.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
-	golang.org/x/tools v0.40.0 // indirect
+	golang.org/x/tools v0.42.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.3.0 // indirect
 )

go.sum

@@ -1,3 +1,5 @@
+code.pfad.fr/check v1.1.0 h1:GWvjdzhSEgHvEHe2uJujDcpmZoySKuHQNrZMfzfO0bE=
+code.pfad.fr/check v1.1.0/go.mod h1:NiUH13DtYsb7xp5wll0U4SXx7KhXQVCtRgdC96IPfoM=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
@@ -8,16 +10,18 @@ github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7V
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/andybalholm/brotli v1.1.0 h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1U3M=
 github.com/andybalholm/brotli v1.1.0/go.mod h1:sms7XGricyQI9K10gOSf56VKKWS4oLer58Q+mhRPtnY=
-github.com/anthropics/anthropic-sdk-go v1.19.0 h1:mO6E+ffSzLRvR/YUH9KJC0uGw0uV8GjISIuzem//3KE=
-github.com/anthropics/anthropic-sdk-go v1.19.0/go.mod h1:WTz31rIUHUHqai2UslPpw5CwXrQP3geYBioRV4WOLvE=
+github.com/anthropics/anthropic-sdk-go v1.26.0 h1:oUTzFaUpAevfuELAP1sjL6CQJ9HHAfT7CoSYSac11PY=
+github.com/anthropics/anthropic-sdk-go v1.26.0/go.mod h1:qUKmaW+uuPB64iy1l+4kOSvaLqPXnHTTBKH6RVZ7q5Q=
 github.com/anytls/sing-anytls v0.0.11 h1:w8e9Uj1oP3m4zxkyZDewPk0EcQbvVxb7Nn+rapEx4fc=
 github.com/anytls/sing-anytls v0.0.11/go.mod h1:7rjN6IukwysmdusYsrV51Fgu1uW6vsrdd6ctjnEAln8=
-github.com/caddyserver/certmagic v0.25.0 h1:VMleO/XA48gEWes5l+Fh6tRWo9bHkhwAEhx63i+F5ic=
-github.com/caddyserver/certmagic v0.25.0/go.mod h1:m9yB7Mud24OQbPHOiipAoyKPn9pKHhpSJxXR1jydBxA=
-github.com/caddyserver/zerossl v0.1.3 h1:onS+pxp3M8HnHpN5MMbOMyNjmTheJyWRaZYwn+YTAyA=
-github.com/caddyserver/zerossl v0.1.3/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
+github.com/caddyserver/certmagic v0.25.2 h1:D7xcS7ggX/WEY54x0czj7ioTkmDWKIgxtIi2OcQclUc=
+github.com/caddyserver/certmagic v0.25.2/go.mod h1:llW/CvsNmza8S6hmsuggsZeiX+uS27dkqY27wDIuBWg=
+github.com/caddyserver/zerossl v0.1.5 h1:dkvOjBAEEtY6LIGAHei7sw2UgqSD6TrWweXpV7lvEvE=
+github.com/caddyserver/zerossl v0.1.5/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
 github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
 github.com/coder/websocket v1.8.14 h1:9L0p0iKiNOibykf283eHkKUHHrpG7f65OE3BhhO7v9g=
@@ -29,8 +33,8 @@ github.com/cretz/bine v0.2.0 h1:8GiDRGlTgz+o8H9DSnsl+5MeBK4HsExxgl6WgzOCuZo=
 github.com/cretz/bine v0.2.0/go.mod h1:WU4o9QR9wWp8AVKtTM1XD5vUHkEqnf2vVSo6dBqbetI=
 github.com/database64128/netx-go v0.1.1 h1:dT5LG7Gs7zFZBthFBbzWE6K8wAHjSNAaK7wCYZT7NzM=
 github.com/database64128/netx-go v0.1.1/go.mod h1:LNlYVipaYkQArRFDNNJ02VkNV+My9A5XR/IGS7sIBQc=
-github.com/database64128/tfo-go/v2 v2.3.1 h1:EGE+ELd5/AQ0X6YBlQ9RgKs8+kciNhgN3d8lRvfEJQw=
-github.com/database64128/tfo-go/v2 v2.3.1/go.mod h1:k9wcpg/8i5zenspBkc9jUEYehpZZccBnCElzOJB++bU=
+github.com/database64128/tfo-go/v2 v2.3.2 h1:UhZMKiMq3swZGUiETkLBDzQnZBPSAeBMClpJGlnJ5Fw=
+github.com/database64128/tfo-go/v2 v2.3.2/go.mod h1:GC3uB5oa4beGpCUbRb2ZOWP73bJJFmMyAVgQSO7r724=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -38,6 +42,8 @@ github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa h1:h8TfIT1xc8FWbww
 github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa/go.mod h1:Nx87SkVqTKd8UtT+xu7sM/l+LgXs6c0aHrlKusR+2EQ=
 github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1 h1:CaO/zOnF8VvUfEbhRatPcwKVWamvbYd8tQGRWacE9kU=
 github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1/go.mod h1:+hnT3ywWDTAFrW5aE+u2Sa/wT555ZqwoCS+pk3p6ry4=
+github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
+github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
 github.com/ebitengine/purego v0.9.1 h1:a/k2f2HQU3Pi399RPW1MOaZyhKJL9w/xFpKAg4q1s0A=
 github.com/ebitengine/purego v0.9.1/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/florianl/go-nfqueue/v2 v2.0.2 h1:FL5lQTeetgpCvac1TRwSfgaXUn0YSO7WzGvWNIp3JPE=
@@ -50,10 +56,12 @@ github.com/gaissmai/bart v0.18.0 h1:jQLBT/RduJu0pv/tLwXE+xKPgtWJejbxuXAR+wLJafo=
 github.com/gaissmai/bart v0.18.0/go.mod h1:JJzMAhNF5Rjo4SF4jWBrANuJfqY+FvsFhW7t1UZJ+XY=
 github.com/github/fakeca v0.1.0 h1:Km/MVOFvclqxPM9dZBC4+QE564nU4gz4iZ0D9pMw28I=
 github.com/github/fakeca v0.1.0/go.mod h1:+bormgoGMMuamOscx7N91aOuUST7wdaJ2rNjeohylyo=
-github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE=
-github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
+github.com/go-chi/chi/v5 v5.2.5 h1:Eg4myHZBjyvJmAFjFvWgrqDTXFyOzjj7YIm3L3mu6Ug=
+github.com/go-chi/chi/v5 v5.2.5/go.mod h1:X7Gx4mteadT3eDOMTsXzmI4/rwUpOwBHLpAfupzFJP0=
 github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
 github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
+github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
+github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced h1:Q311OHjMh/u5E2TITc++WlTP5We0xNseRMkHDyvhW7I=
 github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced/go.mod h1:TiCD2a1pcmjd7YnhGH0f/zKNcCD06B029pHhzV23c2M=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
@@ -66,8 +74,8 @@ github.com/gobwas/httphead v0.1.0 h1:exrUm0f4YX0L7EBwZHuCF4GDp8aJfVeBrlLQrs6NqWU
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
 github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
-github.com/godbus/dbus/v5 v5.2.1 h1:I4wwMdWSkmI57ewd+elNGwLRf2/dtSaFz1DujfWYvOk=
-github.com/godbus/dbus/v5 v5.2.1/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c=
+github.com/godbus/dbus/v5 v5.2.2 h1:TUR3TgtSVDmjiXOgAAyaZbYmIeP3DPkld3jgKGV8mXQ=
+github.com/godbus/dbus/v5 v5.2.2/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c=
 github.com/gofrs/uuid/v5 v5.4.0 h1:EfbpCTjqMuGyq5ZJwxqzn3Cbr2d0rUZU7v5ycAk/e/0=
 github.com/gofrs/uuid/v5 v5.4.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
@@ -91,8 +99,8 @@ github.com/hdevalence/ed25519consensus v0.2.0 h1:37ICyZqdyj0lAZ8P4D1d1id3HqbbG1N
 github.com/hdevalence/ed25519consensus v0.2.0/go.mod h1:w3BHWjwJbFU29IRHL1Iqkw3sus+7FctEyM4RqDxYNzo=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/insomniacslk/dhcp v0.0.0-20251020182700-175e84fbb167 h1:MEufgJohwIjFi2n3eJv4c/8UdRLQVUwPwSWQPoER+eU=
-github.com/insomniacslk/dhcp v0.0.0-20251020182700-175e84fbb167/go.mod h1:qfvBmyDNp+/liLEYWRvqny/PEz9hGe2Dz833eXILSmo=
+github.com/insomniacslk/dhcp v0.0.0-20260220084031-5adc3eb26f91 h1:u9i04mGE3iliBh0EFuWaKsmcwrLacqGmq1G3XoaM7gY=
+github.com/insomniacslk/dhcp v0.0.0-20260220084031-5adc3eb26f91/go.mod h1:qfvBmyDNp+/liLEYWRvqny/PEz9hGe2Dz833eXILSmo=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jsimonetti/rtnetlink v1.4.0 h1:Z1BF0fRgcETPEa0Kt0MRk3yV5+kF1FWTni6KUFKrq2I=
 github.com/jsimonetti/rtnetlink v1.4.0/go.mod h1:5W1jDvWdnthFJ7fxYX1GMK07BUpI4oskfOqvPteYS6E=
@@ -102,32 +110,36 @@ github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zt
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
+github.com/letsencrypt/challtestsrv v1.4.2 h1:0ON3ldMhZyWlfVNYYpFuWRTmZNnyfiL9Hh5YzC3JVwU=
+github.com/letsencrypt/challtestsrv v1.4.2/go.mod h1:GhqMqcSoeGpYd5zX5TgwA6er/1MbWzx/o7yuuVya+Wk=
+github.com/letsencrypt/pebble/v2 v2.10.0 h1:Wq6gYXlsY6ubqI3hhxsTzdyotvfdjFBxuwYqCLCnj/U=
+github.com/letsencrypt/pebble/v2 v2.10.0/go.mod h1:Sk8cmUIPcIdv2nINo+9PB4L+ZBhzY+F9A1a/h/xmWiQ=
 github.com/libdns/acmedns v0.5.0 h1:5pRtmUj4Lb/QkNJSl1xgOGBUJTWW7RjpNaIhjpDXjPE=
 github.com/libdns/acmedns v0.5.0/go.mod h1:X7UAFP1Ep9NpTwWpVlrZzJLR7epynAy0wrIxSPFgKjQ=
-github.com/libdns/alidns v1.0.6-beta.3 h1:KAmb7FQ1tRzKsaAUGa7ZpGKAMRANwg7+1c7tUbSELq8=
-github.com/libdns/alidns v1.0.6-beta.3/go.mod h1:RECwyQ88e9VqQVtSrvX76o1ux3gQUKGzMgxICi+u7Ec=
+github.com/libdns/alidns v1.0.6 h1:/Ii428ty6WHFJmE24rZxq2taq++gh7rf9jhgLfp8PmM=
+github.com/libdns/alidns v1.0.6/go.mod h1:RECwyQ88e9VqQVtSrvX76o1ux3gQUKGzMgxICi+u7Ec=
 github.com/libdns/cloudflare v0.2.2 h1:XWHv+C1dDcApqazlh08Q6pjytYLgR2a+Y3xrXFu0vsI=
 github.com/libdns/cloudflare v0.2.2/go.mod h1:w9uTmRCDlAoafAsTPnn2nJ0XHK/eaUMh86DUk8BWi60=
 github.com/libdns/libdns v1.1.1 h1:wPrHrXILoSHKWJKGd0EiAVmiJbFShguILTg9leS/P/U=
 github.com/libdns/libdns v1.1.1/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
 github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczGlG91VSDkswnjF5A8=
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
-github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 h1:A1Cq6Ysb0GM0tpKMbdCXCIfBclan4oHk1Jb+Hrejirg=
-github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42/go.mod h1:BB4YCPDOzfy7FniQ/lxuYQ3dgmM2cZumHbK8RpTjN2o=
+github.com/mdlayher/netlink v1.9.0 h1:G8+GLq2x3v4D4MVIqDdNUhTUC7TKiCy/6MDkmItfKco=
+github.com/mdlayher/netlink v1.9.0/go.mod h1:YBnl5BXsCoRuwBjKKlZ+aYmEoq0r12FDA/3JC+94KDg=
 github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos=
 github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
 github.com/metacubex/utls v1.8.4 h1:HmL9nUApDdWSkgUyodfwF6hSjtiwCGGdyhaSpEejKpg=
 github.com/metacubex/utls v1.8.4/go.mod h1:kncGGVhFaoGn5M3pFe3SXhZCzsbCJayNOH4UEqTKTko=
-github.com/mholt/acmez/v3 v3.1.4 h1:DyzZe/RnAzT3rpZj/2Ii5xZpiEvvYk3cQEN/RmqxwFQ=
-github.com/mholt/acmez/v3 v3.1.4/go.mod h1:L1wOU06KKvq7tswuMDwKdcHeKpFFgkppZy/y0DFxagQ=
-github.com/miekg/dns v1.1.69 h1:Kb7Y/1Jo+SG+a2GtfoFUfDkG//csdRPwRLkCsxDG9Sc=
-github.com/miekg/dns v1.1.69/go.mod h1:7OyjD9nEba5OkqQ/hB4fy3PIoxafSZJtducccIelz3g=
+github.com/mholt/acmez/v3 v3.1.6 h1:eGVQNObP0pBN4sxqrXeg7MYqTOWyoiYpQqITVWlrevk=
+github.com/mholt/acmez/v3 v3.1.6/go.mod h1:5nTPosTGosLxF3+LU4ygbgMRFDhbAVpqMI4+a4aHLBY=
+github.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI=
+github.com/miekg/dns v1.1.72/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=
 github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
 github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 h1:zYyBkD/k9seD2A7fsi6Oo2LfFZAehjjQMERAvZLEDnQ=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8=
-github.com/openai/openai-go/v3 v3.15.0 h1:hk99rM7YPz+M99/5B/zOQcVwFRLLMdprVGx1vaZ8XMo=
-github.com/openai/openai-go/v3 v3.15.0/go.mod h1:cdufnVK14cWcT9qA1rRtrXx4FTRsgbDPW7Ia7SS5cZo=
+github.com/openai/openai-go/v3 v3.24.0 h1:08x6GnYiB+AAejTo6yzPY8RkZMJQ8NpreiOyM5QfyYU=
+github.com/openai/openai-go/v3 v3.24.0/go.mod h1:cdufnVK14cWcT9qA1rRtrXx4FTRsgbDPW7Ia7SS5cZo=
 github.com/oschwald/maxminddb-golang v1.13.1 h1:G3wwjdN9JmIK2o/ermkHM+98oX5fS+k5MbwsmL4MRQE=
 github.com/oschwald/maxminddb-golang v1.13.1/go.mod h1:K4pgV9N/GcK694KSTmVSDTODk4IsCNThNdTmnaBZ/F8=
 github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
@@ -150,88 +162,102 @@ github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkk
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a/go.mod h1:63s7jpZqcDAIpj8oI/1v4Izok+npJOHACFCU6+huCkM=
 github.com/sagernet/cors v1.2.1 h1:Cv5Z8y9YSD6Gm+qSpNrL3LO4lD3eQVvbFYJSG7JCMHQ=
 github.com/sagernet/cors v1.2.1/go.mod h1:O64VyOjjhrkLmQIjF4KGRrJO/5dVXFdpEmCW/eISRAI=
-github.com/sagernet/cronet-go v0.0.0-20260117110918-dc1cda1fe287 h1:0BYNmr0ptjsII948U0oBFmrbo4qEaCFcrE2JPRg3Zlk=
-github.com/sagernet/cronet-go v0.0.0-20260117110918-dc1cda1fe287/go.mod h1:hwFHBEjjthyEquDULbr4c4ucMedp8Drb6Jvm2kt/0Bw=
-github.com/sagernet/cronet-go/all v0.0.0-20260117110918-dc1cda1fe287 h1:ghxhYSBQpzkakqWqJDvXr/Zmxe0WjTjKuALEGbjGiGY=
-github.com/sagernet/cronet-go/all v0.0.0-20260117110918-dc1cda1fe287/go.mod h1:M+4ZjPhLJXIvoxcQsbDofmc19Wrig59hZ+hLvj6S3To=
-github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260117110516-f21660bef13f h1:8jZbZ4KBTdcXDFLwUBNQt5Xci6ZuAKh255S8TwuBCaM=
-github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260117110516-f21660bef13f/go.mod h1:XXDwdjX/T8xftoeJxQmbBoYXZp8MAPFR2CwbFuTpEtw=
-github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260117110516-f21660bef13f h1:tG0hCx+0u5zca7qQ7AMkcv4DCrBG/DKW1ggs/P+BRRI=
-github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:iNiUGoLtnr8/JTuVNj7XJbmpOAp2C6+B81KDrPxwaZM=
-github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260117110516-f21660bef13f h1:ZXp5hKJIA7iJ52ZShJCKMQEPLpp/7dDIVZmPGV9Il40=
-github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260117110516-f21660bef13f/go.mod h1:19ILNUOGIzRdOqa2mq+iY0JoHxuieB7/lnjYeaA2vEc=
-github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260117110516-f21660bef13f h1:gL7H8HS8s38adz4/HZtRHh79qMwsbLTRRPz4GQ9LcWI=
-github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:JxzGyQf94Cr6sBShKqODGDyRUlESfJK/Njcz9Lz6qMQ=
-github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260117110516-f21660bef13f h1:Dchgc0pAY5Jwb5lzUlE+1nhHIzqLx+YOurXLHgvWd/0=
-github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:KN+9T9TBycGOLzmKU4QdcHAJEj6Nlx48ifnlTvvHMvs=
-github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260117110516-f21660bef13f h1:+MOLSQoduuKDxF410i1LcSPaQGaiP0eZb0INvMlmjM4=
-github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:kojvtUc29KKnk8hs2QIANynVR59921SnGWA9kXohHc0=
-github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260117110516-f21660bef13f h1:lIZna05Vn6n8k21p8OpSUnhwGm+E57PrMjiI4ZUfMSg=
-github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:hkQzRE5GDbaH1/ioqYh0Taho4L6i0yLRCVEZ5xHz5M0=
-github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260117110516-f21660bef13f h1:B2aFQ5CRHI20t8YsEizvtguS5W2QfK7D5XV/NzTIxPE=
-github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:tzVJFTOm66UxLxy6K0ZN5Ic2PC79e+sKKnt+V9puEa4=
-github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260117110516-f21660bef13f h1:qpSwJ1rFGYCfJDenNCZoWYjoG7N+xEa6ke+E7/JO1i4=
-github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:M/pN6m3j0HFU6/y83n0HU6GLYys3tYdr/xTE8hVEGMo=
-github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260117110516-f21660bef13f h1:cx7Ipg0tSvTDjS4maMEYz4vuzz93BMPAysmZ1YLrz80=
-github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260117110516-f21660bef13f/go.mod h1:cGh5hO6eljCo6KMQ/Cel8Xgq4+etL0awZLRBDVG1EZQ=
-github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260117110516-f21660bef13f h1:4jOHuUiBxD8pJEpBBVQfJqyLmxjpd3t4MLRzU7YLFyg=
-github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:JFE0/cxaKkx0wqPMZU7MgaplQlU0zudv82dROJjClKU=
-github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260117110516-f21660bef13f h1:OpXBa2WlRU+Mam9oRe9Nn4/zf7gQ+qiBTNK8A5RwbfQ=
-github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:vU8VftFeSt7fURCa3JXD6+k6ss1YAX+idQjPvHmJ2tI=
-github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260117110516-f21660bef13f h1:nJpGFi+6hI85tl4zoyNFEnFEQ5+xEV5gyvsUoMvd8g0=
-github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:vCe4OUuL+XOUge9v3MyTD45BnuAXiH+DkjN9quDXJzQ=
-github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260117110516-f21660bef13f h1:SEy2rpmgOJgrqcEryJI/RSnqUWIsEsp0cfYoA8y21jc=
-github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260117110516-f21660bef13f/go.mod h1:w9amBWrvjtohQzBGCKJ7LCh22LhTIJs4sE7cYaKQzM0=
-github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260117110516-f21660bef13f h1:EW2TuFMLm0iBGqRZtuGwIZdeYmDtDsDmRcRRJQOMxUo=
-github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:TqlsFtcYS/etTeck46kHBeT8Le0Igw1Q/AV88UnMS3s=
-github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260117110516-f21660bef13f h1:3U5woxrNCkzfv1+UX+mVoWh1228AE1qAiMG02F9oFbY=
-github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:B6Qd0vys8sv9OKVRN6J9RqDzYRGE938Fb2zrYdBDyTQ=
-github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260117110516-f21660bef13f h1:YwFTfuWG3mmctroeDYtFZ6LHjGsedVO+5wInYbbUuUY=
-github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:3tXMMFY7AHugOVBZ5Al7cL7JKsnFOe5bMVr0hZPk3ow=
-github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260117110516-f21660bef13f h1:r4V0ddPCRLgGu0VdgR3aUsO9NjpmyjAf+h+3oTD9D6E=
-github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:aaX0YGl8nhGmfRWI8bc3BtDjY8Vzx6O0cS/e1uqxDq4=
-github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260117110516-f21660bef13f h1:B8yf4gFvEYUnwWmtVK9sdwUsflYZ387MhYmlOP2ohFQ=
-github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:EdzMKA96xITc42QEI+ct4SwqX8Dn3ltKK8wzdkLWpSc=
-github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260117110516-f21660bef13f h1:9YyaMg4rO1/jIgrxmNb0LKH+X7frSYWfX2pFgW5JUVM=
-github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:qix4kv1TTAJ5tY4lJ9vjhe9EY4mM+B7H5giOhbxDVcc=
-github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260117110516-f21660bef13f h1:B0fnGu0sh9yT/9JDN5u/GqThGoOzNN/daOAuGWFLXEk=
-github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:lm9w/oCCRyBiUa3G8lDQTT8x/ONUvgVR2iV9fVzUZB8=
-github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260117110516-f21660bef13f h1:lxPcIXKSSI5JDhc7rx/6yufISWM4vtBS2FY9PavWQTs=
-github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:n34YyLgapgjWdKa0IoeczjAFCwD3/dxbsH5sucKw0bw=
+github.com/sagernet/cronet-go v0.0.0-20260303101018-cba7b9ac0399 h1:x3tVYQHdqqnKbEd9/H4KIGhtHTjA+KfiiaXedI3/w8Q=
+github.com/sagernet/cronet-go v0.0.0-20260303101018-cba7b9ac0399/go.mod h1:hwFHBEjjthyEquDULbr4c4ucMedp8Drb6Jvm2kt/0Bw=
+github.com/sagernet/cronet-go/all v0.0.0-20260303101018-cba7b9ac0399 h1:mD3ehudpYf1IFgCTv25d/B6KnBc/lLFq1jmSQIK24y0=
+github.com/sagernet/cronet-go/all v0.0.0-20260303101018-cba7b9ac0399/go.mod h1:MbYagcGGIaRo9tNrgafbCTO+Qc7eVEh32ZWMprSB8b0=
+github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260303100323-125d0d93b3e6 h1:ghRKgSaswefPwQF8AYtUlNyumILOB0ptJWxgZ8MFrEE=
+github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:XXDwdjX/T8xftoeJxQmbBoYXZp8MAPFR2CwbFuTpEtw=
+github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260303100323-125d0d93b3e6 h1:Behr7YCnQP2dsvzAJDIoMd5nTVU9/d6MMtk/S3MctwA=
+github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:iNiUGoLtnr8/JTuVNj7XJbmpOAp2C6+B81KDrPxwaZM=
+github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260303100323-125d0d93b3e6 h1:6UL9XdGU/44oTHj36e+EBDJ0RonFoObmd299NG/qQCU=
+github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:19ILNUOGIzRdOqa2mq+iY0JoHxuieB7/lnjYeaA2vEc=
+github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260303100323-125d0d93b3e6 h1:Q9apxjtkj6iMIBQlTo71QsOTrNlhHneaXQb1Q0IshU8=
+github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:JxzGyQf94Cr6sBShKqODGDyRUlESfJK/Njcz9Lz6qMQ=
+github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260303100323-125d0d93b3e6 h1:0N+xlnMkFEeqgFe3X/PEvHt+/t+BPgxmbx7wzNcYppg=
+github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:KN+9T9TBycGOLzmKU4QdcHAJEj6Nlx48ifnlTvvHMvs=
+github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260303100323-125d0d93b3e6 h1:7f2vTXtePikBSV1bdD0zs5/WuZM+bRuej3mREpWL/qQ=
+github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:kojvtUc29KKnk8hs2QIANynVR59921SnGWA9kXohHc0=
+github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260303100323-125d0d93b3e6 h1:HMlnhEYs+axOa0tAJ79se3QsYB8CpRCQo9mewWWFeeg=
+github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:hkQzRE5GDbaH1/ioqYh0Taho4L6i0yLRCVEZ5xHz5M0=
+github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260303100323-125d0d93b3e6 h1:Ux/U6vF+1AoGLSJK3jVa9Kqkn64MX4Ivv7fy0ikDrpQ=
+github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:tzVJFTOm66UxLxy6K0ZN5Ic2PC79e+sKKnt+V9puEa4=
+github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260303100323-125d0d93b3e6 h1:5Dhuere2bQFzfGvKxA7TFgA5MoTtgcZMmJQuKwQKlyA=
+github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:M/pN6m3j0HFU6/y83n0HU6GLYys3tYdr/xTE8hVEGMo=
+github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260303100323-125d0d93b3e6 h1:aMRcLow4UpZWZ28fR9FjveTL/4okrigZySIkEVZnlgA=
+github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:cGh5hO6eljCo6KMQ/Cel8Xgq4+etL0awZLRBDVG1EZQ=
+github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260303100323-125d0d93b3e6 h1:y4g8oNtEfSdcKrBKsH5vMAjzGthvhHFNU80sanYDQEM=
+github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:JFE0/cxaKkx0wqPMZU7MgaplQlU0zudv82dROJjClKU=
+github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260303100323-125d0d93b3e6 h1:CXN6OPILi5trwffmYiiJ9rqJL3XAWx1menLrBBwA0gU=
+github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:vU8VftFeSt7fURCa3JXD6+k6ss1YAX+idQjPvHmJ2tI=
+github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260303100323-125d0d93b3e6 h1:ZphFHQeFOTpqCWPwFcQRnrePXajml8LbKlYFJ5n0isU=
+github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:vCe4OUuL+XOUge9v3MyTD45BnuAXiH+DkjN9quDXJzQ=
+github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260303100323-125d0d93b3e6 h1:nKzFK84oANHz7I6bab+25bBY+pdpAbO0b3NJroyLldo=
+github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:w9amBWrvjtohQzBGCKJ7LCh22LhTIJs4sE7cYaKQzM0=
+github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260303100323-125d0d93b3e6 h1:HqqZUGRXcWvvwlbuvjk/efo8TKW1H/aHdqQTde+Xs9Q=
+github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:TqlsFtcYS/etTeck46kHBeT8Le0Igw1Q/AV88UnMS3s=
+github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260303100323-125d0d93b3e6 h1:D2v9lZZG5sm4x/CkG7uqc6ZU3YlhFQ+GmJfvZMK0h/s=
+github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:B6Qd0vys8sv9OKVRN6J9RqDzYRGE938Fb2zrYdBDyTQ=
+github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260303100323-125d0d93b3e6 h1:TWveNeXHrA5r8XOlf+vw7U2b2M0ip6GNF89jcUi1ogw=
+github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:3tXMMFY7AHugOVBZ5Al7cL7JKsnFOe5bMVr0hZPk3ow=
+github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260303100323-125d0d93b3e6 h1:DVCBoXOZI4PNG0cbCLg8lrphRXoLFcAIDLNmzsCVg3I=
+github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:Wt5uFdU3tnmm8YzobYewwdF7Mt6SucRQg6xeTNWC3Tk=
+github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260303100323-125d0d93b3e6 h1:7s5xqNlBUWkIXdruPYi3/txXekQhGWxrYxbnB0cnARo=
+github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:lyIF6wKBLwWa5ZXaAKbAoewewl+yCHo2iYev39Mbj4E=
+github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260303100323-125d0d93b3e6 h1:eyEb+Q7VH4hpE1nV+EmEnN2XX5WilgBpIsfCw4C/7no=
+github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:H46PnSTTZNcZokLLiDeMDaHiS1l14PH3tzWi0eykjD8=
+github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260303100323-125d0d93b3e6 h1:9F1W7+z1hHST6GSzdpQ8Q0NCkneAL18dkRA1HfxH09A=
+github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:RBhSUDAKWq7fswtV4nQUQhuaTLcX3ettR7teA7/yf2w=
+github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260303100323-125d0d93b3e6 h1:MmQIR3iJsdvw1ONBP3geK57i9c3+v9dXPMNdZYcYGKw=
+github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:wRzoIOGG4xbpp3Gh3triLKwMwYriScXzFtunLYhY4w0=
+github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260303100323-125d0d93b3e6 h1:j6Pk1Wsl+PCbKRXtp7a912D2D6zqX5Nk51wDQU9TEDc=
+github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:LNiZXmWil1OPwKCheqQjtakZlJuKGFz+iv2eGF76Hhs=
+github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260303100323-125d0d93b3e6 h1:0DnFhbRfNqwguNCxiinA7BowQ/RaFt627sjW09JNp80=
+github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:YFDGKTkpkJGc5+hnX/RYosZyTWg9h+68VB55fYRRLYc=
+github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260303100323-125d0d93b3e6 h1:3CZmlEk2/WW5UHLFJZxXPJ9IJxX3td8U3PyqWSGMl3c=
+github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:aaX0YGl8nhGmfRWI8bc3BtDjY8Vzx6O0cS/e1uqxDq4=
+github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260303100323-125d0d93b3e6 h1:eHkVRptoZf3BuuskkjcclO2dwQrX4zluoVGODMrX7n0=
+github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:EdzMKA96xITc42QEI+ct4SwqX8Dn3ltKK8wzdkLWpSc=
+github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260303100323-125d0d93b3e6 h1:UgFmE0cZo9euu8/7sTAhj1G8lldavwXBdcPNyTE29CQ=
+github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:qix4kv1TTAJ5tY4lJ9vjhe9EY4mM+B7H5giOhbxDVcc=
+github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260303100323-125d0d93b3e6 h1:xbg3ZB9tLMGDQe4+aewG0Z4bEP/2pLtYBcDzILv5eEc=
+github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:lm9w/oCCRyBiUa3G8lDQTT8x/ONUvgVR2iV9fVzUZB8=
+github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260303100323-125d0d93b3e6 h1:M0bTSTSTnSMlPY2WaZT6fL5TFICqk8v4cm+QVf8Fcao=
+github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:n34YyLgapgjWdKa0IoeczjAFCwD3/dxbsH5sucKw0bw=
 github.com/sagernet/fswatch v0.1.1 h1:YqID+93B7VRfqIH3PArW/XpJv5H4OLEVWDfProGoRQs=
 github.com/sagernet/fswatch v0.1.1/go.mod h1:nz85laH0mkQqJfaOrqPpkwtU1znMFNVTpT/5oRsVz/o=
-github.com/sagernet/gomobile v0.1.11 h1:niMQAspvuThup5eRZQpsGcbM76zAvnsGr7RUIpnQMDQ=
-github.com/sagernet/gomobile v0.1.11/go.mod h1:A8l3FlHi2D/+mfcd4HHvk5DGFPW/ShFb9jHP5VmSiDY=
+github.com/sagernet/gomobile v0.1.12 h1:XwzjZaclFF96deLqwAgK8gU3w0M2A8qxgDmhV+A0wjg=
+github.com/sagernet/gomobile v0.1.12/go.mod h1:A8l3FlHi2D/+mfcd4HHvk5DGFPW/ShFb9jHP5VmSiDY=
 github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1 h1:AzCE2RhBjLJ4WIWc/GejpNh+z30d5H1hwaB0nD9eY3o=
 github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1/go.mod h1:NJKBtm9nVEK3iyOYWsUlrDQuoGh4zJ4KOPhSYVidvQ4=
 github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a h1:ObwtHN2VpqE0ZNjr6sGeT00J8uU7JF4cNUdb44/Duis=
 github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
 github.com/sagernet/nftables v0.3.0-beta.4 h1:kbULlAwAC3jvdGAC1P5Fa3GSxVwQJibNenDW2zaXr8I=
 github.com/sagernet/nftables v0.3.0-beta.4/go.mod h1:OQXAjvjNGGFxaTgVCSTRIhYB5/llyVDeapVoENYBDS8=
-github.com/sagernet/quic-go v0.59.0-sing-box-mod.2 h1:hJUL+HtxEOjxsa0CsucbBVqI/AMS4k52NwNU637zmdw=
-github.com/sagernet/quic-go v0.59.0-sing-box-mod.2/go.mod h1:OqILvS182CyOol5zNNo6bguvOGgXzV459+chpRaUC+4=
-github.com/sagernet/sing v0.8.0-beta.16 h1:Fe+6E9VHYky9Mx4cf0ugbZPWDcXRflpAu7JQ5bWXvaA=
-github.com/sagernet/sing v0.8.0-beta.16/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/quic-go v0.59.0-sing-box-mod.4 h1:6qvrUW79S+CrPwWz6cMePXohgjHoKxLo3c+MDhNwc3o=
+github.com/sagernet/quic-go v0.59.0-sing-box-mod.4/go.mod h1:OqILvS182CyOol5zNNo6bguvOGgXzV459+chpRaUC+4=
+github.com/sagernet/sing v0.8.1 h1:Li+zg4xdiMsvdX4j50TPqmSG8LF/TB9US2qlAN40izU=
+github.com/sagernet/sing v0.8.1/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-mux v0.3.4 h1:ZQplKl8MNXutjzbMVtWvWG31fohhgOfCuUZR4dVQ8+s=
 github.com/sagernet/sing-mux v0.3.4/go.mod h1:QvlKMyNBNrQoyX4x+gq028uPbLM2XeRpWtDsWBJbFSk=
-github.com/sagernet/sing-quic v0.6.0-beta.12 h1:njyU2NYGBITShAu31wJRmqAtx7hQBcXqBPowDv+W0sk=
-github.com/sagernet/sing-quic v0.6.0-beta.12/go.mod h1:K5bWvITOm4vE10fwLfrWpw27bCoVJ+tfQ79tOWg+Ko8=
+github.com/sagernet/sing-quic v0.6.0 h1:dhrFnP45wgVKEOT1EvtsToxdzRnHIDIAgj6WHV9pLyM=
+github.com/sagernet/sing-quic v0.6.0/go.mod h1:K5bWvITOm4vE10fwLfrWpw27bCoVJ+tfQ79tOWg+Ko8=
 github.com/sagernet/sing-shadowsocks v0.2.8 h1:PURj5PRoAkqeHh2ZW205RWzN9E9RtKCVCzByXruQWfE=
 github.com/sagernet/sing-shadowsocks v0.2.8/go.mod h1:lo7TWEMDcN5/h5B8S0ew+r78ZODn6SwVaFhvB6H+PTI=
 github.com/sagernet/sing-shadowsocks2 v0.2.1 h1:dWV9OXCeFPuYGHb6IRqlSptVnSzOelnqqs2gQ2/Qioo=
 github.com/sagernet/sing-shadowsocks2 v0.2.1/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11 h1:tK+75l64tm9WvEFrYRE1t0YxoFdWQqw/h7Uhzj0vJ+w=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11/go.mod h1:sWqKnGlMipCHaGsw1sTTlimyUpgzP4WP3pjhCsYt9oA=
-github.com/sagernet/sing-tun v0.8.0-beta.17 h1:6DdbNXeTFYj8Tb4FCh8Mp2boA3rVY6VNqzTOObj7Xis=
-github.com/sagernet/sing-tun v0.8.0-beta.17/go.mod h1:+HAK/y9GZljdT0KYKMYDR8MjjqnqDDQZYp5ZZQoRzS8=
+github.com/sagernet/sing-tun v0.8.2 h1:rQr/x3eQCHh3oleIaoJdPdJwqzZp4+QWcJLT0Wz2xKY=
+github.com/sagernet/sing-tun v0.8.2/go.mod h1:pLCo4o+LacXEzz0bhwhJkKBjLlKOGPBNOAZ97ZVZWzs=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1 h1:aSwUNYUkVyVvdmBSufR8/nRFonwJeKSIROxHcm5br9o=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1/go.mod h1:P11scgTxMxVVQ8dlM27yNm3Cro40mD0+gHbnqrNGDuY=
 github.com/sagernet/smux v1.5.50-sing-box-mod.1 h1:XkJcivBC9V4wBjiGXIXZ229aZCU1hzcbp6kSkkyQ478=
 github.com/sagernet/smux v1.5.50-sing-box-mod.1/go.mod h1:NjhsCEWedJm7eFLyhuBgIEzwfhRmytrUoiLluxs5Sk8=
-github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6 h1:eYz/OpMqWCvO2++iw3dEuzrlfC2xv78GdlGvprIM6O8=
-github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6/go.mod h1:m87GAn4UcesHQF3leaPFEINZETO5za1LGn1GJdNDgNc=
-github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20250917110311-16510ac47288 h1:E2tZFeg9mGYGQ7E7BbxMv1cU35HxwgRm6tPKI2Pp7DA=
-github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20250917110311-16510ac47288/go.mod h1:WUxgxUDZoCF2sxVmW+STSxatP02Qn3FcafTiI2BLtE0=
+github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260303140313-3bcf9a4b9349 h1:ju7aTbndj2sqK4NplE97ynLdhuCtel5OS4e0NrT71nk=
+github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260303140313-3bcf9a4b9349/go.mod h1:m87GAn4UcesHQF3leaPFEINZETO5za1LGn1GJdNDgNc=
+github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c h1:f9cXNB+IOOPnR8DOLMTpr42jf7naxh5Un5Y09BBf5Cg=
+github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c/go.mod h1:WUxgxUDZoCF2sxVmW+STSxatP02Qn3FcafTiI2BLtE0=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854 h1:6uUiZcDRnZSAegryaUGwPC/Fj13JSHwiTftrXhMmYOc=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854/go.mod h1:LtfoSK3+NG57tvnVEHgcuBW9ujgE8enPSgzgwStwCAA=
 github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
@@ -283,16 +309,16 @@ github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
 github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
-go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
-go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
-go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
-go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
-go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
-go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
-go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
-go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
-go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
+go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48=
+go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8=
+go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0=
+go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs=
+go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18=
+go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE=
+go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8=
+go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=
+go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI=
+go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
@@ -307,20 +333,20 @@ go4.org/mem v0.0.0-20240501181205-ae6ca9944745/go.mod h1:reUoABIJ9ikfM5sgtSF3Wus
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
-golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
+golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
+golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
 golang.org/x/exp v0.0.0-20251219203646-944ab1f22d93 h1:fQsdNF2N+/YewlRZiricy4P1iimyPKZ/xwniHj8Q2a0=
 golang.org/x/exp v0.0.0-20251219203646-944ab1f22d93/go.mod h1:EPRbTFwzwjXj9NpYyyrvenVh9Y+GFeEvMNh7Xuz7xgU=
 golang.org/x/image v0.27.0 h1:C8gA4oWU/tKkdCfYT6T2u4faJu3MeNS5O8UPWlPF61w=
 golang.org/x/image v0.27.0/go.mod h1:xbdrClrAUway1MUTEZDq9mz/UpRwYAkFFNUslZtcB+g=
-golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
-golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
+golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
+golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
-golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
-golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
-golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
+golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
 golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
@@ -330,20 +356,20 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
-golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
-golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
+golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
+golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
-golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
+golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
 golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
 golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
-golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
+golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
+golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -355,15 +381,17 @@ golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus
 golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 h1:M1rk8KBnUsBDg1oPGHNCxG4vc1f49epmTO7xscSajMk=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
-google.golang.org/grpc v1.77.0 h1:wVVY6/8cGA6vvffn+wWK5ToddbgdU3d8MNENr4evgXM=
-google.golang.org/grpc v1.77.0/go.mod h1:z0BY1iVj0q8E1uSQCjL9cppRj+gnZjzDnzV0dHhrNig=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+google.golang.org/grpc v1.79.1 h1:zGhSi45ODB9/p3VAawt9a+O/MULLl9dpizzNNpq7flY=
+google.golang.org/grpc v1.79.1/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
 google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
+gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

include/oom_killer.go

@@ -0,0 +1,10 @@
+package include
+
+import (
+	"github.com/sagernet/sing-box/adapter/service"
+	"github.com/sagernet/sing-box/service/oomkiller"
+)
+
+func registerOOMKillerService(registry *service.Registry) {
+	oomkiller.RegisterService(registry)
+}

include/registry.go

@@ -20,7 +20,6 @@ import (
 	"github.com/sagernet/sing-box/protocol/anytls"
 	"github.com/sagernet/sing-box/protocol/block"
 	"github.com/sagernet/sing-box/protocol/direct"
-	protocolDNS "github.com/sagernet/sing-box/protocol/dns"
 	"github.com/sagernet/sing-box/protocol/group"
 	"github.com/sagernet/sing-box/protocol/http"
 	"github.com/sagernet/sing-box/protocol/mixed"
@@ -76,7 +75,6 @@ func OutboundRegistry() *outbound.Registry {
 	direct.RegisterOutbound(registry)
 
 	block.RegisterOutbound(registry)
-	protocolDNS.RegisterOutbound(registry)
 
 	group.RegisterSelector(registry)
 	group.RegisterURLTest(registry)
@@ -94,7 +92,6 @@ func OutboundRegistry() *outbound.Registry {
 	anytls.RegisterOutbound(registry)
 
 	registerQUICOutbounds(registry)
-	registerWireGuardOutbound(registry)
 	registerStubForRemovedOutbounds(registry)
 
 	return registry
@@ -137,6 +134,7 @@ func ServiceRegistry() *service.Registry {
 	registerDERPService(registry)
 	registerCCMService(registry)
 	registerOCMService(registry)
+	registerOOMKillerService(registry)
 
 	return registry
 }
@@ -151,4 +149,7 @@ func registerStubForRemovedOutbounds(registry *outbound.Registry) {
 	outbound.Register[option.ShadowsocksROutboundOptions](registry, C.TypeShadowsocksR, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.ShadowsocksROutboundOptions) (adapter.Outbound, error) {
 		return nil, E.New("ShadowsocksR is deprecated and removed in sing-box 1.6.0")
 	})
+	outbound.Register[option.StubOptions](registry, C.TypeWireGuard, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.StubOptions) (adapter.Outbound, error) {
+		return nil, E.New("WireGuard outbound is deprecated in sing-box 1.11.0 and removed in sing-box 1.13.0, use WireGuard endpoint instead")
+	})
 }

include/wireguard.go

@@ -4,14 +4,9 @@ package include
 
 import (
 	"github.com/sagernet/sing-box/adapter/endpoint"
-	"github.com/sagernet/sing-box/adapter/outbound"
 	"github.com/sagernet/sing-box/protocol/wireguard"
 )
 
-func registerWireGuardOutbound(registry *outbound.Registry) {
-	wireguard.RegisterOutbound(registry)
-}
-
 func registerWireGuardEndpoint(registry *endpoint.Registry) {
 	wireguard.RegisterEndpoint(registry)
 }

include/wireguard_stub.go

@@ -7,19 +7,12 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/adapter/endpoint"
-	"github.com/sagernet/sing-box/adapter/outbound"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 
-func registerWireGuardOutbound(registry *outbound.Registry) {
-	outbound.Register[option.LegacyWireGuardOutboundOptions](registry, C.TypeWireGuard, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.LegacyWireGuardOutboundOptions) (adapter.Outbound, error) {
-		return nil, E.New(`WireGuard is not included in this build, rebuild with -tags with_wireguard`)
-	})
-}
-
 func registerWireGuardEndpoint(registry *endpoint.Registry) {
 	endpoint.Register[option.WireGuardEndpointOptions](registry, C.TypeWireGuard, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.WireGuardEndpointOptions) (adapter.Endpoint, error) {
 		return nil, E.New(`WireGuard is not included in this build, rebuild with -tags with_wireguard`)

mkdocs.yml

@@ -1,4 +1,5 @@
 site_name: sing-box
+site_url: https://sing-box.sagernet.org/
 site_author: nekohasekai
 repo_url: https://github.com/SagerNet/sing-box
 repo_name: SagerNet/sing-box

option/direct.go

@@ -3,7 +3,7 @@ package option
 import (
 	"context"
 
-	"github.com/sagernet/sing-box/experimental/deprecated"
+	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 )
 
@@ -31,8 +31,9 @@ func (d *DirectOutboundOptions) UnmarshalJSONContext(ctx context.Context, conten
 	if err != nil {
 		return err
 	}
+	//nolint:staticcheck
 	if d.OverrideAddress != "" || d.OverridePort != 0 {
-		deprecated.Report(ctx, deprecated.OptionDestinationOverrideFields)
+		return E.New("destination override fields in direct outbound are deprecated in sing-box 1.11.0 and removed in sing-box 1.13.0, use route options instead")
 	}
 	return nil
 }

option/inbound.go

@@ -55,7 +55,6 @@ type InboundOptions struct {
 	SniffTimeout              badoption.Duration `json:"sniff_timeout,omitempty"`
 	DomainStrategy            DomainStrategy     `json:"domain_strategy,omitempty"`
 	UDPDisableDomainUnmapping bool               `json:"udp_disable_domain_unmapping,omitempty"`
-	Detour                    string             `json:"detour,omitempty"`
 }
 
 type ListenOptions struct {
@@ -73,6 +72,7 @@ type ListenOptions struct {
 	UDPFragment          *bool              `json:"udp_fragment,omitempty"`
 	UDPFragmentDefault   bool               `json:"-"`
 	UDPTimeout           UDPTimeoutCompat   `json:"udp_timeout,omitempty"`
+	Detour               string             `json:"detour,omitempty"`
 
 	// Deprecated: removed
 	ProxyProtocol bool `json:"proxy_protocol,omitempty"`

option/naive.go

@@ -2,6 +2,7 @@ package option
 
 import (
 	"github.com/sagernet/sing/common/auth"
+	"github.com/sagernet/sing/common/byteformats"
 	"github.com/sagernet/sing/common/json/badoption"
 )
 
@@ -26,12 +27,14 @@ type NaiveInboundOptions struct {
 type NaiveOutboundOptions struct {
 	DialerOptions
 	ServerOptions
-	Username              string               `json:"username,omitempty"`
-	Password              string               `json:"password,omitempty"`
-	InsecureConcurrency   int                  `json:"insecure_concurrency,omitempty"`
-	ExtraHeaders          badoption.HTTPHeader `json:"extra_headers,omitempty"`
-	UDPOverTCP            *UDPOverTCPOptions   `json:"udp_over_tcp,omitempty"`
-	QUIC                  bool                 `json:"quic,omitempty"`
-	QUICCongestionControl string               `json:"quic_congestion_control,omitempty"`
+	Username                 string                   `json:"username,omitempty"`
+	Password                 string                   `json:"password,omitempty"`
+	InsecureConcurrency      int                      `json:"insecure_concurrency,omitempty"`
+	ExtraHeaders             badoption.HTTPHeader     `json:"extra_headers,omitempty"`
+	ReceiveWindow            *byteformats.MemoryBytes `json:"stream_receive_window,omitempty"`
+	UDPOverTCP               *UDPOverTCPOptions       `json:"udp_over_tcp,omitempty"`
+	QUIC                     bool                     `json:"quic,omitempty"`
+	QUICCongestionControl    string                   `json:"quic_congestion_control,omitempty"`
+	QUICSessionReceiveWindow *byteformats.MemoryBytes `json:"quic_session_receive_window,omitempty"`
 	OutboundTLSOptionsContainer
 }

option/oom_killer.go

@@ -0,0 +1,14 @@
+package option
+
+import (
+	"github.com/sagernet/sing/common/byteformats"
+	"github.com/sagernet/sing/common/json/badoption"
+)
+
+type OOMKillerServiceOptions struct {
+	MemoryLimit       *byteformats.MemoryBytes `json:"memory_limit,omitempty"`
+	SafetyMargin      *byteformats.MemoryBytes `json:"safety_margin,omitempty"`
+	MinInterval       badoption.Duration       `json:"min_interval,omitempty"`
+	MaxInterval       badoption.Duration       `json:"max_interval,omitempty"`
+	ChecksBeforeLimit int                      `json:"checks_before_limit,omitempty"`
+}

option/outbound.go

@@ -4,7 +4,6 @@ import (
 	"context"
 
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/deprecated"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 	"github.com/sagernet/sing/common/json/badjson"
@@ -40,7 +39,7 @@ func (h *Outbound) UnmarshalJSONContext(ctx context.Context, content []byte) err
 	}
 	switch h.Type {
 	case C.TypeDNS:
-		deprecated.Report(ctx, deprecated.OptionSpecialOutbounds)
+		return E.New("dns outbound is deprecated in sing-box 1.11.0 and removed in sing-box 1.13.0, use rule actions instead")
 	}
 	options, loaded := registry.CreateOptions(h.Type)
 	if !loaded {
@@ -51,8 +50,9 @@ func (h *Outbound) UnmarshalJSONContext(ctx context.Context, content []byte) err
 		return err
 	}
 	if listenWrapper, isListen := options.(ListenOptionsWrapper); isListen {
+		//nolint:staticcheck
 		if listenWrapper.TakeListenOptions().InboundOptions != (InboundOptions{}) {
-			deprecated.Report(ctx, deprecated.OptionInboundOptions)
+			return E.New("legacy inbound fields are deprecated in sing-box 1.11.0 and removed in sing-box 1.13.0, use rule actions instead")
 		}
 	}
 	h.Options = options

option/tailscale.go

@@ -12,22 +12,23 @@ import (
 
 type TailscaleEndpointOptions struct {
 	DialerOptions
-	StateDirectory             string           `json:"state_directory,omitempty"`
-	AuthKey                    string           `json:"auth_key,omitempty"`
-	ControlURL                 string           `json:"control_url,omitempty"`
-	Ephemeral                  bool             `json:"ephemeral,omitempty"`
-	Hostname                   string           `json:"hostname,omitempty"`
-	AcceptRoutes               bool             `json:"accept_routes,omitempty"`
-	ExitNode                   string           `json:"exit_node,omitempty"`
-	ExitNodeAllowLANAccess     bool             `json:"exit_node_allow_lan_access,omitempty"`
-	AdvertiseRoutes            []netip.Prefix   `json:"advertise_routes,omitempty"`
-	AdvertiseExitNode          bool             `json:"advertise_exit_node,omitempty"`
-	RelayServerPort            *uint16          `json:"relay_server_port,omitempty"`
-	RelayServerStaticEndpoints []netip.AddrPort `json:"relay_server_static_endpoints,omitempty"`
-	SystemInterface            bool             `json:"system_interface,omitempty"`
-	SystemInterfaceName        string           `json:"system_interface_name,omitempty"`
-	SystemInterfaceMTU         uint32           `json:"system_interface_mtu,omitempty"`
-	UDPTimeout                 UDPTimeoutCompat `json:"udp_timeout,omitempty"`
+	StateDirectory             string                     `json:"state_directory,omitempty"`
+	AuthKey                    string                     `json:"auth_key,omitempty"`
+	ControlURL                 string                     `json:"control_url,omitempty"`
+	Ephemeral                  bool                       `json:"ephemeral,omitempty"`
+	Hostname                   string                     `json:"hostname,omitempty"`
+	AcceptRoutes               bool                       `json:"accept_routes,omitempty"`
+	ExitNode                   string                     `json:"exit_node,omitempty"`
+	ExitNodeAllowLANAccess     bool                       `json:"exit_node_allow_lan_access,omitempty"`
+	AdvertiseRoutes            []netip.Prefix             `json:"advertise_routes,omitempty"`
+	AdvertiseExitNode          bool                       `json:"advertise_exit_node,omitempty"`
+	AdvertiseTags              badoption.Listable[string] `json:"advertise_tags,omitempty"`
+	RelayServerPort            *uint16                    `json:"relay_server_port,omitempty"`
+	RelayServerStaticEndpoints []netip.AddrPort           `json:"relay_server_static_endpoints,omitempty"`
+	SystemInterface            bool                       `json:"system_interface,omitempty"`
+	SystemInterfaceName        string                     `json:"system_interface_name,omitempty"`
+	SystemInterfaceMTU         uint32                     `json:"system_interface_mtu,omitempty"`
+	UDPTimeout                 UDPTimeoutCompat           `json:"udp_timeout,omitempty"`
 }
 
 type TailscaleDNSServerOptions struct {

option/wireguard.go

@@ -28,28 +28,3 @@ type WireGuardPeer struct {
 	PersistentKeepaliveInterval uint16                           `json:"persistent_keepalive_interval,omitempty"`
 	Reserved                    []uint8                          `json:"reserved,omitempty"`
 }
-
-type LegacyWireGuardOutboundOptions struct {
-	DialerOptions
-	SystemInterface bool                             `json:"system_interface,omitempty"`
-	GSO             bool                             `json:"gso,omitempty"`
-	InterfaceName   string                           `json:"interface_name,omitempty"`
-	LocalAddress    badoption.Listable[netip.Prefix] `json:"local_address"`
-	PrivateKey      string                           `json:"private_key"`
-	Peers           []LegacyWireGuardPeer            `json:"peers,omitempty"`
-	ServerOptions
-	PeerPublicKey string      `json:"peer_public_key"`
-	PreSharedKey  string      `json:"pre_shared_key,omitempty"`
-	Reserved      []uint8     `json:"reserved,omitempty"`
-	Workers       int         `json:"workers,omitempty"`
-	MTU           uint32      `json:"mtu,omitempty"`
-	Network       NetworkList `json:"network,omitempty"`
-}
-
-type LegacyWireGuardPeer struct {
-	ServerOptions
-	PublicKey    string                           `json:"public_key,omitempty"`
-	PreSharedKey string                           `json:"pre_shared_key,omitempty"`
-	AllowedIPs   badoption.Listable[netip.Prefix] `json:"allowed_ips,omitempty"`
-	Reserved     []uint8                          `json:"reserved,omitempty"`
-}

protocol/anytls/inbound.go

@@ -122,7 +122,6 @@ func (h *inboundHandler) NewConnectionEx(ctx context.Context, conn net.Conn, sou
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.Source = source
 	metadata.Destination = destination.Unwrap()
 	if userName, _ := auth.UserFromContext[string](ctx); userName != "" {

protocol/direct/inbound.go

@@ -111,7 +111,6 @@ func (i *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 	//nolint:staticcheck
 	metadata.InboundDetour = i.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = i.listener.ListenOptions().InboundOptions
 	metadata.Source = source
 	destination = i.listener.UDPAddr()
 	switch i.overrideOption {

protocol/direct/outbound.go

@@ -16,7 +16,6 @@ import (
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing-tun/ping"
 	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
@@ -36,14 +35,12 @@ var (
 
 type Outbound struct {
 	outbound.Adapter
-	ctx                 context.Context
-	logger              logger.ContextLogger
-	dialer              dialer.ParallelInterfaceDialer
-	domainStrategy      C.DomainStrategy
-	fallbackDelay       time.Duration
-	overrideOption      int
-	overrideDestination M.Socksaddr
-	isEmpty             bool
+	ctx            context.Context
+	logger         logger.ContextLogger
+	dialer         dialer.ParallelInterfaceDialer
+	domainStrategy C.DomainStrategy
+	fallbackDelay  time.Duration
+	isEmpty        bool
 	// loopBack *loopBackDetector
 }
 
@@ -69,25 +66,13 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 		domainStrategy: C.DomainStrategy(options.DomainStrategy),
 		fallbackDelay:  time.Duration(options.FallbackDelay),
 		dialer:         outboundDialer.(dialer.ParallelInterfaceDialer),
-		//nolint:staticcheck
-		isEmpty: reflect.DeepEqual(options.DialerOptions, option.DialerOptions{UDPFragmentDefault: true}) && options.OverrideAddress == "" && options.OverridePort == 0,
+		isEmpty:        reflect.DeepEqual(options.DialerOptions, option.DialerOptions{UDPFragmentDefault: true}),
 		// loopBack:       newLoopBackDetector(router),
 	}
 	//nolint:staticcheck
 	if options.ProxyProtocol != 0 {
 		return nil, E.New("Proxy Protocol is deprecated and removed in sing-box 1.6.0")
 	}
-	//nolint:staticcheck
-	if options.OverrideAddress != "" && options.OverridePort != 0 {
-		outbound.overrideOption = 1
-		outbound.overrideDestination = M.ParseSocksaddrHostPort(options.OverrideAddress, options.OverridePort)
-	} else if options.OverrideAddress != "" {
-		outbound.overrideOption = 2
-		outbound.overrideDestination = M.ParseSocksaddrHostPort(options.OverrideAddress, options.OverridePort)
-	} else if options.OverridePort != 0 {
-		outbound.overrideOption = 3
-		outbound.overrideDestination = M.Socksaddr{Port: options.OverridePort}
-	}
 	return outbound, nil
 }
 
@@ -95,16 +80,6 @@ func (h *Outbound) DialContext(ctx context.Context, network string, destination
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
-	switch h.overrideOption {
-	case 1:
-		destination = h.overrideDestination
-	case 2:
-		newDestination := h.overrideDestination
-		newDestination.Port = destination.Port
-		destination = newDestination
-	case 3:
-		destination.Port = h.overrideDestination.Port
-	}
 	network = N.NetworkName(network)
 	switch network {
 	case N.NetworkTCP:
@@ -124,30 +99,12 @@ func (h *Outbound) ListenPacket(ctx context.Context, destination M.Socksaddr) (n
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
-	originDestination := destination
-	switch h.overrideOption {
-	case 1:
-		destination = h.overrideDestination
-	case 2:
-		newDestination := h.overrideDestination
-		newDestination.Port = destination.Port
-		destination = newDestination
-	case 3:
-		destination.Port = h.overrideDestination.Port
-	}
-	if h.overrideOption == 0 {
-		h.logger.InfoContext(ctx, "outbound packet connection")
-	} else {
-		h.logger.InfoContext(ctx, "outbound packet connection to ", destination)
-	}
+	h.logger.InfoContext(ctx, "outbound packet connection")
 	conn, err := h.dialer.ListenPacket(ctx, destination)
 	if err != nil {
 		return nil, err
 	}
 	// conn = h.loopBack.NewPacketConn(bufio.NewPacketConn(conn), destination)
-	if originDestination != destination {
-		conn = bufio.NewNATPacketConn(bufio.NewPacketConn(conn), destination, originDestination)
-	}
 	return conn, nil
 }
 
@@ -165,13 +122,6 @@ func (h *Outbound) DialParallel(ctx context.Context, network string, destination
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
-	switch h.overrideOption {
-	case 1, 2:
-		// override address
-		return h.DialContext(ctx, network, destination)
-	case 3:
-		destination.Port = h.overrideDestination.Port
-	}
 	network = N.NetworkName(network)
 	switch network {
 	case N.NetworkTCP:
@@ -186,13 +136,6 @@ func (h *Outbound) DialParallelNetwork(ctx context.Context, network string, dest
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
-	switch h.overrideOption {
-	case 1, 2:
-		// override address
-		return h.DialContext(ctx, network, destination)
-	case 3:
-		destination.Port = h.overrideDestination.Port
-	}
 	network = N.NetworkName(network)
 	switch network {
 	case N.NetworkTCP:
@@ -207,21 +150,7 @@ func (h *Outbound) ListenSerialNetworkPacket(ctx context.Context, destination M.
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
-	switch h.overrideOption {
-	case 1:
-		destination = h.overrideDestination
-	case 2:
-		newDestination := h.overrideDestination
-		newDestination.Port = destination.Port
-		destination = newDestination
-	case 3:
-		destination.Port = h.overrideDestination.Port
-	}
-	if h.overrideOption == 0 {
-		h.logger.InfoContext(ctx, "outbound packet connection")
-	} else {
-		h.logger.InfoContext(ctx, "outbound packet connection to ", destination)
-	}
+	h.logger.InfoContext(ctx, "outbound packet connection")
 	conn, newDestination, err := dialer.ListenSerialNetworkPacket(ctx, h.dialer, destination, destinationAddresses, networkStrategy, networkType, fallbackNetworkType, fallbackDelay)
 	if err != nil {
 		return nil, netip.Addr{}, err

protocol/hysteria/inbound.go

@@ -118,7 +118,6 @@ func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, source M.S
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.OriginDestination = h.listener.UDPAddr()
 	metadata.Source = source
 	metadata.Destination = destination
@@ -141,7 +140,6 @@ func (h *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.OriginDestination = h.listener.UDPAddr()
 	metadata.Source = source
 	metadata.Destination = destination

protocol/hysteria2/inbound.go

@@ -151,7 +151,6 @@ func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, source M.S
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.OriginDestination = h.listener.UDPAddr()
 	metadata.Source = source
 	metadata.Destination = destination
@@ -174,7 +173,6 @@ func (h *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.OriginDestination = h.listener.UDPAddr()
 	metadata.Source = source
 	metadata.Destination = destination

protocol/naive/inbound.go

@@ -209,7 +209,6 @@ func (n *Inbound) newConnection(ctx context.Context, waitForClose bool, conn net
 	//nolint:staticcheck
 	metadata.InboundDetour = n.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = n.listener.ListenOptions().InboundOptions
 	metadata.Source = source
 	metadata.Destination = destination
 	metadata.OriginDestination = M.SocksaddrFromNet(conn.LocalAddr()).Unwrap()

protocol/naive/outbound.go

@@ -235,7 +235,7 @@ func (h *Outbound) DialContext(ctx context.Context, network string, destination
 	switch N.NetworkName(network) {
 	case N.NetworkTCP:
 		h.logger.InfoContext(ctx, "outbound connection to ", destination)
-		return h.client.DialEarly(destination)
+		return h.client.DialEarly(ctx, destination)
 	case N.NetworkUDP:
 		if h.uotClient == nil {
 			return nil, E.New("UDP is not supported unless UDP over TCP is enabled")
@@ -254,6 +254,10 @@ func (h *Outbound) ListenPacket(ctx context.Context, destination M.Socksaddr) (n
 	return h.uotClient.ListenPacket(ctx, destination)
 }
 
+func (h *Outbound) InterfaceUpdated() {
+	h.client.Engine().CloseAllConnections()
+}
+
 func (h *Outbound) Close() error {
 	return h.client.Close()
 }
@@ -267,5 +271,5 @@ type naiveDialer struct {
 }
 
 func (d *naiveDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	return d.NaiveClient.DialEarly(destination)
+	return d.NaiveClient.DialEarly(ctx, destination)
 }

protocol/shadowsocks/inbound_multi.go

@@ -175,7 +175,6 @@ func (h *MultiInbound) newConnection(ctx context.Context, conn net.Conn, metadat
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	if h.tracker != nil {
 		conn = h.tracker.TrackConnection(conn, metadata)
 	}
@@ -201,7 +200,6 @@ func (h *MultiInbound) newPacketConnection(ctx context.Context, conn N.PacketCon
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	if h.tracker != nil {
 		conn = h.tracker.TrackPacketConnection(conn, metadata)
 	}

protocol/shadowsocks/inbound_relay.go

@@ -135,7 +135,6 @@ func (h *RelayInbound) newConnection(ctx context.Context, conn net.Conn, metadat
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	return h.router.RouteConnection(ctx, conn, metadata)
 }
 
@@ -158,7 +157,6 @@ func (h *RelayInbound) newPacketConnection(ctx context.Context, conn N.PacketCon
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	return h.router.RoutePacketConnection(ctx, conn, metadata)
 }
 

protocol/shadowtls/inbound.go

@@ -129,7 +129,6 @@ func (h *inboundHandler) NewConnectionEx(ctx context.Context, conn net.Conn, sou
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.Source = source
 	metadata.Destination = destination
 	if userName, _ := auth.UserFromContext[string](ctx); userName != "" {

protocol/tailscale/endpoint.go

@@ -63,6 +63,7 @@ import (
 var (
 	_ adapter.OutboundWithPreferredRoutes = (*Endpoint)(nil)
 	_ adapter.DirectRouteOutbound         = (*Endpoint)(nil)
+	_ dialer.PacketDialerWithDestination  = (*Endpoint)(nil)
 )
 
 func init() {
@@ -97,6 +98,7 @@ type Endpoint struct {
 	exitNodeAllowLANAccess     bool
 	advertiseRoutes            []netip.Prefix
 	advertiseExitNode          bool
+	advertiseTags              []string
 	relayServerPort            *uint16
 	relayServerStaticEndpoints []netip.AddrPort
 
@@ -209,10 +211,11 @@ func NewEndpoint(ctx context.Context, router adapter.Router, logger log.ContextL
 		UserLogf: func(format string, args ...any) {
 			logger.Debug(fmt.Sprintf(format, args...))
 		},
-		Ephemeral:  options.Ephemeral,
-		AuthKey:    options.AuthKey,
-		ControlURL: options.ControlURL,
-		Dialer:     &endpointDialer{Dialer: outboundDialer, logger: logger},
+		Ephemeral:     options.Ephemeral,
+		AuthKey:       options.AuthKey,
+		ControlURL:    options.ControlURL,
+		AdvertiseTags: options.AdvertiseTags,
+		Dialer:        &endpointDialer{Dialer: outboundDialer, logger: logger},
 		LookupHook: func(ctx context.Context, host string) ([]netip.Addr, error) {
 			return dnsRouter.Lookup(ctx, host, outboundDialer.(dialer.ResolveDialer).QueryOptions())
 		},
@@ -244,6 +247,7 @@ func NewEndpoint(ctx context.Context, router adapter.Router, logger log.ContextL
 		exitNodeAllowLANAccess:     options.ExitNodeAllowLANAccess,
 		advertiseRoutes:            options.AdvertiseRoutes,
 		advertiseExitNode:          options.AdvertiseExitNode,
+		advertiseTags:              options.AdvertiseTags,
 		relayServerPort:            options.RelayServerPort,
 		relayServerStaticEndpoints: options.RelayServerStaticEndpoints,
 		udpTimeout:                 udpTimeout,
@@ -359,25 +363,23 @@ func (t *Endpoint) Start(stage adapter.StartStage) error {
 	localBackend := t.server.ExportLocalBackend()
 	perfs := &ipn.MaskedPrefs{
 		Prefs: ipn.Prefs{
-			RouteAll: t.acceptRoutes,
+			RouteAll:        t.acceptRoutes,
+			AdvertiseRoutes: t.advertiseRoutes,
 		},
-		RouteAllSet:        true,
-		ExitNodeIPSet:      true,
-		AdvertiseRoutesSet: true,
-	}
-	if len(t.advertiseRoutes) > 0 {
-		perfs.AdvertiseRoutes = t.advertiseRoutes
+		RouteAllSet:                   true,
+		ExitNodeIPSet:                 true,
+		AdvertiseRoutesSet:            true,
+		RelayServerPortSet:            true,
+		RelayServerStaticEndpointsSet: true,
 	}
 	if t.advertiseExitNode {
 		perfs.AdvertiseRoutes = append(perfs.AdvertiseRoutes, tsaddr.ExitRoutes()...)
 	}
 	if t.relayServerPort != nil {
 		perfs.RelayServerPort = t.relayServerPort
-		perfs.RelayServerPortSet = true
 	}
 	if len(t.relayServerStaticEndpoints) > 0 {
 		perfs.RelayServerStaticEndpoints = t.relayServerStaticEndpoints
-		perfs.RelayServerStaticEndpointsSet = true
 	}
 	_, err = localBackend.EditPrefs(perfs)
 	if err != nil {
@@ -517,19 +519,7 @@ func (t *Endpoint) DialContext(ctx context.Context, network string, destination
 	}
 }
 
-func (t *Endpoint) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	t.logger.InfoContext(ctx, "outbound packet connection to ", destination)
-	if destination.IsFqdn() {
-		destinationAddresses, err := t.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
-		if err != nil {
-			return nil, err
-		}
-		packetConn, _, err := N.ListenSerial(ctx, t, destination, destinationAddresses)
-		if err != nil {
-			return nil, err
-		}
-		return packetConn, err
-	}
+func (t *Endpoint) listenPacketWithAddress(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	addr4, addr6 := t.server.TailscaleIPs()
 	bind := tcpip.FullAddress{
 		NIC: 1,
@@ -555,6 +545,44 @@ func (t *Endpoint) ListenPacket(ctx context.Context, destination M.Socksaddr) (n
 	return udpConn, nil
 }
 
+func (t *Endpoint) ListenPacketWithDestination(ctx context.Context, destination M.Socksaddr) (net.PacketConn, netip.Addr, error) {
+	t.logger.InfoContext(ctx, "outbound packet connection to ", destination)
+	if destination.IsFqdn() {
+		destinationAddresses, err := t.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
+		if err != nil {
+			return nil, netip.Addr{}, err
+		}
+		var errors []error
+		for _, address := range destinationAddresses {
+			packetConn, packetErr := t.listenPacketWithAddress(ctx, M.SocksaddrFrom(address, destination.Port))
+			if packetErr == nil {
+				return packetConn, address, nil
+			}
+			errors = append(errors, packetErr)
+		}
+		return nil, netip.Addr{}, E.Errors(errors...)
+	}
+	packetConn, err := t.listenPacketWithAddress(ctx, destination)
+	if err != nil {
+		return nil, netip.Addr{}, err
+	}
+	if destination.IsIP() {
+		return packetConn, destination.Addr, nil
+	}
+	return packetConn, netip.Addr{}, nil
+}
+
+func (t *Endpoint) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	packetConn, destinationAddress, err := t.ListenPacketWithDestination(ctx, destination)
+	if err != nil {
+		return nil, err
+	}
+	if destinationAddress.IsValid() && destination != M.SocksaddrFrom(destinationAddress, destination.Port) {
+		return bufio.NewNATPacketConn(bufio.NewPacketConn(packetConn), M.SocksaddrFrom(destinationAddress, destination.Port), destination), nil
+	}
+	return packetConn, nil
+}
+
 func (t *Endpoint) PrepareConnection(network string, source M.Socksaddr, destination M.Socksaddr, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
 	tsFilter := t.filter.Load()
 	if tsFilter != nil {

protocol/trojan/inbound.go

@@ -257,7 +257,6 @@ func (h *inboundTransportHandler) NewConnectionEx(ctx context.Context, conn net.
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	h.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
 	(*Inbound)(h).NewConnectionEx(ctx, conn, metadata, onClose)
 }

protocol/tuic/inbound.go

@@ -108,7 +108,6 @@ func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, source M.S
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.OriginDestination = h.listener.UDPAddr()
 	metadata.Source = source
 	metadata.Destination = destination
@@ -131,7 +130,6 @@ func (h *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.OriginDestination = h.listener.UDPAddr()
 	metadata.Source = source
 	metadata.Destination = destination

protocol/tun/inbound.go

@@ -14,7 +14,6 @@ import (
 	"github.com/sagernet/sing-box/adapter/inbound"
 	"github.com/sagernet/sing-box/common/taskmonitor"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/route/rule"
@@ -36,13 +35,11 @@ func RegisterInbound(registry *inbound.Registry) {
 }
 
 type Inbound struct {
-	tag            string
-	ctx            context.Context
-	router         adapter.Router
-	networkManager adapter.NetworkManager
-	logger         log.ContextLogger
-	//nolint:staticcheck
-	inboundOptions              option.InboundOptions
+	tag                         string
+	ctx                         context.Context
+	router                      adapter.Router
+	networkManager              adapter.NetworkManager
+	logger                      log.ContextLogger
 	tunOptions                  tun.Options
 	udpTimeout                  time.Duration
 	stack                       string
@@ -60,20 +57,18 @@ type Inbound struct {
 }
 
 func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.TunInboundOptions) (adapter.Inbound, error) {
+	//nolint:staticcheck
+	if len(options.Inet4Address) > 0 || len(options.Inet6Address) > 0 ||
+		len(options.Inet4RouteAddress) > 0 || len(options.Inet6RouteAddress) > 0 ||
+		len(options.Inet4RouteExcludeAddress) > 0 || len(options.Inet6RouteExcludeAddress) > 0 {
+		return nil, E.New("legacy tun address fields are deprecated in sing-box 1.10.0 and removed in sing-box 1.12.0")
+	}
+	//nolint:staticcheck
+	if options.GSO {
+		return nil, E.New("GSO option in tun is deprecated in sing-box 1.11.0 and removed in sing-box 1.12.0")
+	}
+
 	address := options.Address
-	var deprecatedAddressUsed bool
-
-	//nolint:staticcheck
-	if len(options.Inet4Address) > 0 {
-		address = append(address, options.Inet4Address...)
-		deprecatedAddressUsed = true
-	}
-
-	//nolint:staticcheck
-	if len(options.Inet6Address) > 0 {
-		address = append(address, options.Inet6Address...)
-		deprecatedAddressUsed = true
-	}
 	inet4Address := common.Filter(address, func(it netip.Prefix) bool {
 		return it.Addr().Is4()
 	})
@@ -82,18 +77,6 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 	})
 
 	routeAddress := options.RouteAddress
-
-	//nolint:staticcheck
-	if len(options.Inet4RouteAddress) > 0 {
-		routeAddress = append(routeAddress, options.Inet4RouteAddress...)
-		deprecatedAddressUsed = true
-	}
-
-	//nolint:staticcheck
-	if len(options.Inet6RouteAddress) > 0 {
-		routeAddress = append(routeAddress, options.Inet6RouteAddress...)
-		deprecatedAddressUsed = true
-	}
 	inet4RouteAddress := common.Filter(routeAddress, func(it netip.Prefix) bool {
 		return it.Addr().Is4()
 	})
@@ -102,18 +85,6 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 	})
 
 	routeExcludeAddress := options.RouteExcludeAddress
-
-	//nolint:staticcheck
-	if len(options.Inet4RouteExcludeAddress) > 0 {
-		routeExcludeAddress = append(routeExcludeAddress, options.Inet4RouteExcludeAddress...)
-		deprecatedAddressUsed = true
-	}
-
-	//nolint:staticcheck
-	if len(options.Inet6RouteExcludeAddress) > 0 {
-		routeExcludeAddress = append(routeExcludeAddress, options.Inet6RouteExcludeAddress...)
-		deprecatedAddressUsed = true
-	}
 	inet4RouteExcludeAddress := common.Filter(routeExcludeAddress, func(it netip.Prefix) bool {
 		return it.Addr().Is4()
 	})
@@ -121,15 +92,6 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 		return it.Addr().Is6()
 	})
 
-	if deprecatedAddressUsed {
-		deprecated.Report(ctx, deprecated.OptionTUNAddressX)
-	}
-
-	//nolint:staticcheck
-	if options.GSO {
-		deprecated.Report(ctx, deprecated.OptionTUNGSO)
-	}
-
 	platformInterface := service.FromContext[adapter.PlatformInterface](ctx)
 	tunMTU := options.MTU
 	enableGSO := C.IsLinux && options.Stack == "gvisor" && platformInterface == nil && tunMTU > 0 && tunMTU < 49152
@@ -202,7 +164,6 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 		router:         router,
 		networkManager: networkManager,
 		logger:         logger,
-		inboundOptions: options.InboundOptions,
 		tunOptions: tun.Options{
 			Name:                                  options.InterfaceName,
 			MTU:                                   tunMTU,
@@ -478,13 +439,12 @@ func (t *Inbound) PrepareConnection(network string, source M.Socksaddr, destinat
 		ipVersion = 6
 	}
 	routeDestination, err := t.router.PreMatch(adapter.InboundContext{
-		Inbound:        t.tag,
-		InboundType:    C.TypeTun,
-		IPVersion:      ipVersion,
-		Network:        network,
-		Source:         source,
-		Destination:    destination,
-		InboundOptions: t.inboundOptions,
+		Inbound:     t.tag,
+		InboundType: C.TypeTun,
+		IPVersion:   ipVersion,
+		Network:     network,
+		Source:      source,
+		Destination: destination,
 	}, routeContext, timeout, false)
 	if err != nil {
 		switch {
@@ -508,8 +468,7 @@ func (t *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, source M.S
 	metadata.InboundType = C.TypeTun
 	metadata.Source = source
 	metadata.Destination = destination
-	//nolint:staticcheck
-	metadata.InboundOptions = t.inboundOptions
+
 	t.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
 	t.logger.InfoContext(ctx, "inbound connection to ", metadata.Destination)
 	t.router.RouteConnectionEx(ctx, conn, metadata, onClose)
@@ -522,8 +481,7 @@ func (t *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 	metadata.InboundType = C.TypeTun
 	metadata.Source = source
 	metadata.Destination = destination
-	//nolint:staticcheck
-	metadata.InboundOptions = t.inboundOptions
+
 	t.logger.InfoContext(ctx, "inbound packet connection from ", metadata.Source)
 	t.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
 	t.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
@@ -539,13 +497,12 @@ func (t *autoRedirectHandler) PrepareConnection(network string, source M.Socksad
 		ipVersion = 6
 	}
 	routeDestination, err := t.router.PreMatch(adapter.InboundContext{
-		Inbound:        t.tag,
-		InboundType:    C.TypeTun,
-		IPVersion:      ipVersion,
-		Network:        network,
-		Source:         source,
-		Destination:    destination,
-		InboundOptions: t.inboundOptions,
+		Inbound:     t.tag,
+		InboundType: C.TypeTun,
+		IPVersion:   ipVersion,
+		Network:     network,
+		Source:      source,
+		Destination: destination,
 	}, routeContext, timeout, true)
 	if err != nil {
 		switch {
@@ -569,8 +526,7 @@ func (t *autoRedirectHandler) NewConnectionEx(ctx context.Context, conn net.Conn
 	metadata.InboundType = C.TypeTun
 	metadata.Source = source
 	metadata.Destination = destination
-	//nolint:staticcheck
-	metadata.InboundOptions = t.inboundOptions
+
 	t.logger.InfoContext(ctx, "inbound redirect connection from ", metadata.Source)
 	t.logger.InfoContext(ctx, "inbound connection to ", metadata.Destination)
 	t.router.RouteConnectionEx(ctx, conn, metadata, onClose)

protocol/vless/inbound.go

@@ -217,7 +217,6 @@ func (h *inboundTransportHandler) NewConnectionEx(ctx context.Context, conn net.
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	h.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
 	(*Inbound)(h).NewConnectionEx(ctx, conn, metadata, onClose)
 }

protocol/vmess/inbound.go

@@ -223,7 +223,6 @@ func (h *inboundTransportHandler) NewConnectionEx(ctx context.Context, conn net.
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	h.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
 	(*Inbound)(h).NewConnectionEx(ctx, conn, metadata, onClose)
 }

protocol/wireguard/endpoint.go

@@ -24,7 +24,10 @@ import (
 	"github.com/sagernet/sing/service"
 )
 
-var _ adapter.OutboundWithPreferredRoutes = (*Endpoint)(nil)
+var (
+	_ adapter.OutboundWithPreferredRoutes = (*Endpoint)(nil)
+	_ dialer.PacketDialerWithDestination  = (*Endpoint)(nil)
+)
 
 func RegisterEndpoint(registry *endpoint.Registry) {
 	endpoint.Register[option.WireGuardEndpointOptions](registry, C.TypeWireGuard, NewEndpoint)
@@ -219,20 +222,34 @@ func (w *Endpoint) DialContext(ctx context.Context, network string, destination
 	return w.endpoint.DialContext(ctx, network, destination)
 }
 
-func (w *Endpoint) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+func (w *Endpoint) ListenPacketWithDestination(ctx context.Context, destination M.Socksaddr) (net.PacketConn, netip.Addr, error) {
 	w.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 	if destination.IsFqdn() {
 		destinationAddresses, err := w.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
 		if err != nil {
-			return nil, err
+			return nil, netip.Addr{}, err
 		}
-		packetConn, _, err := N.ListenSerial(ctx, w.endpoint, destination, destinationAddresses)
-		if err != nil {
-			return nil, err
-		}
-		return packetConn, err
+		return N.ListenSerial(ctx, w.endpoint, destination, destinationAddresses)
 	}
-	return w.endpoint.ListenPacket(ctx, destination)
+	packetConn, err := w.endpoint.ListenPacket(ctx, destination)
+	if err != nil {
+		return nil, netip.Addr{}, err
+	}
+	if destination.IsIP() {
+		return packetConn, destination.Addr, nil
+	}
+	return packetConn, netip.Addr{}, nil
+}
+
+func (w *Endpoint) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	packetConn, destinationAddress, err := w.ListenPacketWithDestination(ctx, destination)
+	if err != nil {
+		return nil, err
+	}
+	if destinationAddress.IsValid() && destination != M.SocksaddrFrom(destinationAddress, destination.Port) {
+		return bufio.NewNATPacketConn(bufio.NewPacketConn(packetConn), M.SocksaddrFrom(destinationAddress, destination.Port), destination), nil
+	}
+	return packetConn, nil
 }
 
 func (w *Endpoint) PreferredDomain(domain string) bool {

protocol/wireguard/outbound.go

@@ -1,176 +0,0 @@
-package wireguard
-
-import (
-	"context"
-	"net"
-	"net/netip"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/adapter/outbound"
-	"github.com/sagernet/sing-box/common/dialer"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/deprecated"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-box/transport/wireguard"
-	tun "github.com/sagernet/sing-tun"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/service"
-)
-
-var _ adapter.OutboundWithPreferredRoutes = (*Outbound)(nil)
-
-func RegisterOutbound(registry *outbound.Registry) {
-	outbound.Register[option.LegacyWireGuardOutboundOptions](registry, C.TypeWireGuard, NewOutbound)
-}
-
-type Outbound struct {
-	outbound.Adapter
-	ctx            context.Context
-	dnsRouter      adapter.DNSRouter
-	logger         logger.ContextLogger
-	localAddresses []netip.Prefix
-	endpoint       *wireguard.Endpoint
-}
-
-func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.LegacyWireGuardOutboundOptions) (adapter.Outbound, error) {
-	deprecated.Report(ctx, deprecated.OptionWireGuardOutbound)
-	if options.GSO {
-		deprecated.Report(ctx, deprecated.OptionWireGuardGSO)
-	}
-	outbound := &Outbound{
-		Adapter:        outbound.NewAdapterWithDialerOptions(C.TypeWireGuard, tag, []string{N.NetworkTCP, N.NetworkUDP, N.NetworkICMP}, options.DialerOptions),
-		ctx:            ctx,
-		dnsRouter:      service.FromContext[adapter.DNSRouter](ctx),
-		logger:         logger,
-		localAddresses: options.LocalAddress,
-	}
-	if options.Detour != "" && options.GSO {
-		return nil, E.New("gso is conflict with detour")
-	}
-	outboundDialer, err := dialer.NewWithOptions(dialer.Options{
-		Context: ctx,
-		Options: options.DialerOptions,
-		RemoteIsDomain: options.ServerIsDomain() || common.Any(options.Peers, func(it option.LegacyWireGuardPeer) bool {
-			return it.ServerIsDomain()
-		}),
-		ResolverOnDetour: true,
-	})
-	if err != nil {
-		return nil, err
-	}
-	peers := common.Map(options.Peers, func(it option.LegacyWireGuardPeer) wireguard.PeerOptions {
-		return wireguard.PeerOptions{
-			Endpoint:     it.ServerOptions.Build(),
-			PublicKey:    it.PublicKey,
-			PreSharedKey: it.PreSharedKey,
-			AllowedIPs:   it.AllowedIPs,
-			// PersistentKeepaliveInterval: time.Duration(it.PersistentKeepaliveInterval),
-			Reserved: it.Reserved,
-		}
-	})
-	if len(peers) == 0 {
-		peers = []wireguard.PeerOptions{{
-			Endpoint:     options.ServerOptions.Build(),
-			PublicKey:    options.PeerPublicKey,
-			PreSharedKey: options.PreSharedKey,
-			AllowedIPs:   []netip.Prefix{netip.PrefixFrom(netip.IPv4Unspecified(), 0), netip.PrefixFrom(netip.IPv6Unspecified(), 0)},
-			Reserved:     options.Reserved,
-		}}
-	}
-	wgEndpoint, err := wireguard.NewEndpoint(wireguard.EndpointOptions{
-		Context: ctx,
-		Logger:  logger,
-		System:  options.SystemInterface,
-		Dialer:  outboundDialer,
-		CreateDialer: func(interfaceName string) N.Dialer {
-			return common.Must1(dialer.NewDefault(ctx, option.DialerOptions{
-				BindInterface: interfaceName,
-			}))
-		},
-		Name:       options.InterfaceName,
-		MTU:        options.MTU,
-		Address:    options.LocalAddress,
-		PrivateKey: options.PrivateKey,
-		ResolvePeer: func(domain string) (netip.Addr, error) {
-			endpointAddresses, lookupErr := outbound.dnsRouter.Lookup(ctx, domain, outboundDialer.(dialer.ResolveDialer).QueryOptions())
-			if lookupErr != nil {
-				return netip.Addr{}, lookupErr
-			}
-			return endpointAddresses[0], nil
-		},
-		Peers:   peers,
-		Workers: options.Workers,
-	})
-	if err != nil {
-		return nil, err
-	}
-	outbound.endpoint = wgEndpoint
-	return outbound, nil
-}
-
-func (o *Outbound) Start(stage adapter.StartStage) error {
-	switch stage {
-	case adapter.StartStateStart:
-		return o.endpoint.Start(false)
-	case adapter.StartStatePostStart:
-		return o.endpoint.Start(true)
-	}
-	return nil
-}
-
-func (o *Outbound) Close() error {
-	return o.endpoint.Close()
-}
-
-func (o *Outbound) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	switch network {
-	case N.NetworkTCP:
-		o.logger.InfoContext(ctx, "outbound connection to ", destination)
-	case N.NetworkUDP:
-		o.logger.InfoContext(ctx, "outbound packet connection to ", destination)
-	}
-	if destination.IsFqdn() {
-		destinationAddresses, err := o.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
-		if err != nil {
-			return nil, err
-		}
-		return N.DialSerial(ctx, o.endpoint, network, destination, destinationAddresses)
-	} else if !destination.Addr.IsValid() {
-		return nil, E.New("invalid destination: ", destination)
-	}
-	return o.endpoint.DialContext(ctx, network, destination)
-}
-
-func (o *Outbound) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	o.logger.InfoContext(ctx, "outbound packet connection to ", destination)
-	if destination.IsFqdn() {
-		destinationAddresses, err := o.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
-		if err != nil {
-			return nil, err
-		}
-		packetConn, _, err := N.ListenSerial(ctx, o.endpoint, destination, destinationAddresses)
-		if err != nil {
-			return nil, err
-		}
-		return packetConn, err
-	}
-	return o.endpoint.ListenPacket(ctx, destination)
-}
-
-func (o *Outbound) PreferredDomain(domain string) bool {
-	return false
-}
-
-func (o *Outbound) PreferredAddress(address netip.Addr) bool {
-	return o.endpoint.Lookup(address) != nil
-}
-
-func (o *Outbound) NewDirectRouteConnection(metadata adapter.InboundContext, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
-	return o.endpoint.NewDirectRouteConnection(metadata, routeContext, timeout)
-}

release/DEFAULT_BUILD_TAGS

@@ -0,0 +1 @@
+with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,with_naive_outbound,badlinkname,tfogo_checklinkname0

release/DEFAULT_BUILD_TAGS_OTHERS

@@ -0,0 +1 @@
+with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0

release/DEFAULT_BUILD_TAGS_WINDOWS

@@ -0,0 +1 @@
+with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,with_naive_outbound,with_purego,badlinkname,tfogo_checklinkname0

release/LDFLAGS

@@ -0,0 +1 @@
+-X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0

release/local/common.sh

@@ -11,7 +11,7 @@ INSTALL_CONFIG_PATH="/usr/local/etc/sing-box"
 INSTALL_DATA_PATH="/var/lib/sing-box"
 SYSTEMD_SERVICE_PATH="/etc/systemd/system"
 
-DEFAULT_BUILD_TAGS="with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0"
+DEFAULT_BUILD_TAGS="$(cat "$PROJECT_DIR/release/DEFAULT_BUILD_TAGS_OTHERS")"
 
 setup_environment() {
     if [ -d /usr/local/go ]; then
@@ -44,7 +44,9 @@ get_version() {
 get_ldflags() {
     local version
     version=$(get_version)
-    echo "-X 'github.com/sagernet/sing-box/constant.Version=${version}' -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0"
+    local shared_ldflags
+    shared_ldflags=$(cat "$PROJECT_DIR/release/LDFLAGS")
+    echo "-X 'github.com/sagernet/sing-box/constant.Version=${version}' ${shared_ldflags} -s -w -buildid="
 }
 
 build_sing_box() {

route/conn.go

@@ -44,16 +44,52 @@ func (m *ConnectionManager) Start(stage adapter.StartStage) error {
 	return nil
 }
 
-func (m *ConnectionManager) Close() error {
+func (m *ConnectionManager) Count() int {
+	return m.connections.Len()
+}
+
+func (m *ConnectionManager) CloseAll() {
 	m.access.Lock()
-	defer m.access.Unlock()
-	for element := m.connections.Front(); element != nil; element = element.Next() {
-		common.Close(element.Value)
+	var closers []io.Closer
+	for element := m.connections.Front(); element != nil; {
+		nextElement := element.Next()
+		closers = append(closers, element.Value)
+		m.connections.Remove(element)
+		element = nextElement
 	}
-	m.connections.Init()
+	m.access.Unlock()
+	for _, closer := range closers {
+		common.Close(closer)
+	}
+}
+
+func (m *ConnectionManager) Close() error {
+	m.CloseAll()
 	return nil
 }
 
+func (m *ConnectionManager) TrackConn(conn net.Conn) net.Conn {
+	m.access.Lock()
+	element := m.connections.PushBack(conn)
+	m.access.Unlock()
+	return &trackedConn{
+		Conn:    conn,
+		manager: m,
+		element: element,
+	}
+}
+
+func (m *ConnectionManager) TrackPacketConn(conn net.PacketConn) net.PacketConn {
+	m.access.Lock()
+	element := m.connections.PushBack(conn)
+	m.access.Unlock()
+	return &trackedPacketConn{
+		PacketConn: conn,
+		manager:    m,
+		element:    element,
+	}
+}
+
 func (m *ConnectionManager) NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
 	ctx = adapter.WithContext(ctx, &metadata)
 	var (
@@ -92,14 +128,6 @@ func (m *ConnectionManager) NewConnection(ctx context.Context, this N.Dialer, co
 	if metadata.TLSFragment || metadata.TLSRecordFragment {
 		remoteConn = tf.NewConn(remoteConn, ctx, metadata.TLSFragment, metadata.TLSRecordFragment, metadata.TLSFragmentFallbackDelay)
 	}
-	m.access.Lock()
-	element := m.connections.PushBack(conn)
-	m.access.Unlock()
-	onClose = N.AppendClose(onClose, func(it error) {
-		m.access.Lock()
-		defer m.access.Unlock()
-		m.connections.Remove(element)
-	})
 	var done atomic.Bool
 	if m.kickWriteHandshake(ctx, conn, remoteConn, false, &done, onClose) {
 		return
@@ -160,6 +188,8 @@ func (m *ConnectionManager) NewPacketConnection(ctx context.Context, this N.Dial
 	} else {
 		if len(metadata.DestinationAddresses) > 0 {
 			remotePacketConn, destinationAddress, err = dialer.ListenSerialNetworkPacket(ctx, this, metadata.Destination, metadata.DestinationAddresses, metadata.NetworkStrategy, metadata.NetworkType, metadata.FallbackNetworkType, metadata.FallbackDelay)
+		} else if packetDialer, withDestination := this.(dialer.PacketDialerWithDestination); withDestination {
+			remotePacketConn, destinationAddress, err = packetDialer.ListenPacketWithDestination(ctx, metadata.Destination)
 		} else {
 			remotePacketConn, err = this.ListenPacket(ctx, metadata.Destination)
 		}
@@ -190,11 +220,16 @@ func (m *ConnectionManager) NewPacketConnection(ctx context.Context, this N.Dial
 		}
 		if natConn, loaded := common.Cast[bufio.NATPacketConn](conn); loaded {
 			natConn.UpdateDestination(destinationAddress)
-		} else if metadata.Destination != M.SocksaddrFrom(destinationAddress, metadata.Destination.Port) {
-			if metadata.UDPDisableDomainUnmapping {
-				remotePacketConn = bufio.NewUnidirectionalNATPacketConn(bufio.NewPacketConn(remotePacketConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), originDestination)
-			} else {
-				remotePacketConn = bufio.NewNATPacketConn(bufio.NewPacketConn(remotePacketConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), originDestination)
+		} else {
+			destination := M.SocksaddrFrom(destinationAddress, metadata.Destination.Port)
+			if metadata.Destination != destination {
+				if metadata.UDPDisableDomainUnmapping {
+					remotePacketConn = bufio.NewUnidirectionalNATPacketConn(bufio.NewPacketConn(remotePacketConn), destination, originDestination)
+				} else {
+					remotePacketConn = bufio.NewNATPacketConn(bufio.NewPacketConn(remotePacketConn), destination, originDestination)
+				}
+			} else if metadata.RouteOriginalDestination.IsValid() && metadata.RouteOriginalDestination != metadata.Destination {
+				remotePacketConn = bufio.NewDestinationNATPacketConn(bufio.NewPacketConn(remotePacketConn), metadata.Destination, metadata.RouteOriginalDestination)
 			}
 		}
 	} else if metadata.RouteOriginalDestination.IsValid() && metadata.RouteOriginalDestination != metadata.Destination {
@@ -216,14 +251,6 @@ func (m *ConnectionManager) NewPacketConnection(ctx context.Context, this N.Dial
 		ctx, conn = canceler.NewPacketConn(ctx, conn, udpTimeout)
 	}
 	destination := bufio.NewPacketConn(remotePacketConn)
-	m.access.Lock()
-	element := m.connections.PushBack(conn)
-	m.access.Unlock()
-	onClose = N.AppendClose(onClose, func(it error) {
-		m.access.Lock()
-		defer m.access.Unlock()
-		m.connections.Remove(element)
-	})
 	var done atomic.Bool
 	go m.packetConnectionCopy(ctx, conn, destination, false, &done, onClose)
 	go m.packetConnectionCopy(ctx, destination, conn, true, &done, onClose)
@@ -242,7 +269,9 @@ func (m *ConnectionManager) connectionCopy(ctx context.Context, source net.Conn,
 		destination.Close()
 	}
 	if done.Swap(true) {
-		onClose(err)
+		if onClose != nil {
+			onClose(err)
+		}
 		common.Close(source, destination)
 	}
 	if !direction {
@@ -303,7 +332,9 @@ func (m *ConnectionManager) kickWriteHandshake(ctx context.Context, source net.C
 		return false
 	}
 	if !done.Swap(true) {
-		onClose(err)
+		if onClose != nil {
+			onClose(err)
+		}
 	}
 	common.Close(source, destination)
 	if !direction {
@@ -334,7 +365,59 @@ func (m *ConnectionManager) packetConnectionCopy(ctx context.Context, source N.P
 		}
 	}
 	if !done.Swap(true) {
-		onClose(err)
+		if onClose != nil {
+			onClose(err)
+		}
 	}
 	common.Close(source, destination)
 }
+
+type trackedConn struct {
+	net.Conn
+	manager *ConnectionManager
+	element *list.Element[io.Closer]
+}
+
+func (c *trackedConn) Close() error {
+	c.manager.access.Lock()
+	c.manager.connections.Remove(c.element)
+	c.manager.access.Unlock()
+	return c.Conn.Close()
+}
+
+func (c *trackedConn) Upstream() any {
+	return c.Conn
+}
+
+func (c *trackedConn) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *trackedConn) WriterReplaceable() bool {
+	return true
+}
+
+type trackedPacketConn struct {
+	net.PacketConn
+	manager *ConnectionManager
+	element *list.Element[io.Closer]
+}
+
+func (c *trackedPacketConn) Close() error {
+	c.manager.access.Lock()
+	c.manager.connections.Remove(c.element)
+	c.manager.access.Unlock()
+	return c.PacketConn.Close()
+}
+
+func (c *trackedPacketConn) Upstream() any {
+	return bufio.NewPacketConn(c.PacketConn)
+}
+
+func (c *trackedPacketConn) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *trackedPacketConn) WriterReplaceable() bool {
+	return true
+}

route/network.go

@@ -13,7 +13,6 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/settings"
 	"github.com/sagernet/sing-box/common/taskmonitor"
 	C "github.com/sagernet/sing-box/constant"
@@ -48,6 +47,7 @@ type NetworkManager struct {
 	powerListener          winpowrprof.EventListener
 	pauseManager           pause.Manager
 	platformInterface      adapter.PlatformInterface
+	connectionManager      adapter.ConnectionManager
 	endpoint               adapter.EndpointManager
 	inbound                adapter.InboundManager
 	outbound               adapter.OutboundManager
@@ -90,6 +90,7 @@ func NewNetworkManager(ctx context.Context, logger logger.ContextLogger, options
 		},
 		pauseManager:      service.FromContext[pause.Manager](ctx),
 		platformInterface: service.FromContext[adapter.PlatformInterface](ctx),
+		connectionManager: service.FromContext[adapter.ConnectionManager](ctx),
 		endpoint:          service.FromContext[adapter.EndpointManager](ctx),
 		inbound:           service.FromContext[adapter.InboundManager](ctx),
 		outbound:          service.FromContext[adapter.OutboundManager](ctx),
@@ -450,7 +451,9 @@ func (r *NetworkManager) UpdateWIFIState() {
 }
 
 func (r *NetworkManager) ResetNetwork() {
-	conntrack.Close()
+	if r.connectionManager != nil {
+		r.connectionManager.CloseAll()
+	}
 
 	for _, endpoint := range r.endpoint.Endpoints() {
 		listener, isListener := endpoint.(adapter.InterfaceUpdateListener)

route/route.go

@@ -9,11 +9,9 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/process"
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/option"
 	R "github.com/sagernet/sing-box/route/rule"
 	"github.com/sagernet/sing-mux"
 	"github.com/sagernet/sing-tun"
@@ -80,7 +78,6 @@ func (r *Router) routeConnection(ctx context.Context, conn net.Conn, metadata ad
 		injectable.NewConnectionEx(ctx, conn, metadata, onClose)
 		return nil
 	}
-	conntrack.KillerCheck()
 	metadata.Network = N.NetworkTCP
 	switch metadata.Destination.Fqdn {
 	case mux.Destination.Fqdn:
@@ -216,8 +213,6 @@ func (r *Router) routePacketConnection(ctx context.Context, conn N.PacketConn, m
 		injectable.NewPacketConnectionEx(ctx, conn, metadata, onClose)
 		return nil
 	}
-	conntrack.KillerCheck()
-
 	// TODO: move to UoT
 	metadata.Network = N.NetworkUDP
 
@@ -472,37 +467,6 @@ func (r *Router) matchRule(
 		metadata.IPVersion = 6
 	}
 
-	//nolint:staticcheck
-	if metadata.InboundOptions != common.DefaultValue[option.InboundOptions]() {
-		if !preMatch && metadata.InboundOptions.SniffEnabled {
-			newBuffer, newPackerBuffers, newErr := r.actionSniff(ctx, metadata, &R.RuleActionSniff{
-				OverrideDestination: metadata.InboundOptions.SniffOverrideDestination,
-				Timeout:             time.Duration(metadata.InboundOptions.SniffTimeout),
-			}, inputConn, inputPacketConn, nil, nil)
-			if newBuffer != nil {
-				buffers = []*buf.Buffer{newBuffer}
-			} else if len(newPackerBuffers) > 0 {
-				packetBuffers = newPackerBuffers
-			}
-			if newErr != nil {
-				fatalErr = newErr
-				return
-			}
-		}
-		if C.DomainStrategy(metadata.InboundOptions.DomainStrategy) != C.DomainStrategyAsIS {
-			fatalErr = r.actionResolve(ctx, metadata, &R.RuleActionResolve{
-				Strategy: C.DomainStrategy(metadata.InboundOptions.DomainStrategy),
-			})
-			if fatalErr != nil {
-				return
-			}
-		}
-		if metadata.InboundOptions.UDPDisableDomainUnmapping {
-			metadata.UDPDisableDomainUnmapping = true
-		}
-		metadata.InboundOptions = option.InboundOptions{}
-	}
-
 match:
 	for currentRuleIndex, currentRule := range r.rules {
 		metadata.ResetRuleCache()

route/rule/rule_abstract.go

@@ -107,9 +107,7 @@ func (r *abstractDefaultRule) Match(metadata *adapter.InboundContext) bool {
 	}
 
 	for _, item := range r.items {
-		if _, isRuleSet := item.(*RuleSetItem); !isRuleSet {
-			metadata.DidMatch = true
-		}
+		metadata.DidMatch = true
 		if !item.Match(metadata) {
 			return r.invert
 		}

route/rule/rule_abstract_test.go

@@ -0,0 +1,157 @@
+package rule
+
+import (
+	"context"
+	"testing"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing/common/x/list"
+
+	"github.com/stretchr/testify/require"
+	"go4.org/netipx"
+)
+
+type fakeRuleSet struct {
+	matched bool
+}
+
+func (f *fakeRuleSet) Name() string {
+	return "fake-rule-set"
+}
+
+func (f *fakeRuleSet) StartContext(context.Context, *adapter.HTTPStartContext) error {
+	return nil
+}
+
+func (f *fakeRuleSet) PostStart() error {
+	return nil
+}
+
+func (f *fakeRuleSet) Metadata() adapter.RuleSetMetadata {
+	return adapter.RuleSetMetadata{}
+}
+
+func (f *fakeRuleSet) ExtractIPSet() []*netipx.IPSet {
+	return nil
+}
+
+func (f *fakeRuleSet) IncRef() {}
+
+func (f *fakeRuleSet) DecRef() {}
+
+func (f *fakeRuleSet) Cleanup() {}
+
+func (f *fakeRuleSet) RegisterCallback(adapter.RuleSetUpdateCallback) *list.Element[adapter.RuleSetUpdateCallback] {
+	return nil
+}
+
+func (f *fakeRuleSet) UnregisterCallback(*list.Element[adapter.RuleSetUpdateCallback]) {}
+
+func (f *fakeRuleSet) Close() error {
+	return nil
+}
+
+func (f *fakeRuleSet) Match(*adapter.InboundContext) bool {
+	return f.matched
+}
+
+func (f *fakeRuleSet) String() string {
+	return "fake-rule-set"
+}
+
+type fakeRuleItem struct {
+	matched bool
+}
+
+func (f *fakeRuleItem) Match(*adapter.InboundContext) bool {
+	return f.matched
+}
+
+func (f *fakeRuleItem) String() string {
+	return "fake-rule-item"
+}
+
+func newRuleSetOnlyRule(ruleSetMatched bool, invert bool) *DefaultRule {
+	ruleSetItem := &RuleSetItem{
+		setList: []adapter.RuleSet{&fakeRuleSet{matched: ruleSetMatched}},
+	}
+	return &DefaultRule{
+		abstractDefaultRule: abstractDefaultRule{
+			items:    []RuleItem{ruleSetItem},
+			allItems: []RuleItem{ruleSetItem},
+			invert:   invert,
+		},
+	}
+}
+
+func newSingleItemRule(matched bool) *DefaultRule {
+	item := &fakeRuleItem{matched: matched}
+	return &DefaultRule{
+		abstractDefaultRule: abstractDefaultRule{
+			items:    []RuleItem{item},
+			allItems: []RuleItem{item},
+		},
+	}
+}
+
+func TestAbstractDefaultRule_RuleSetOnly_InvertFalse(t *testing.T) {
+	t.Parallel()
+	require.True(t, newRuleSetOnlyRule(true, false).Match(&adapter.InboundContext{}))
+	require.False(t, newRuleSetOnlyRule(false, false).Match(&adapter.InboundContext{}))
+}
+
+func TestAbstractDefaultRule_RuleSetOnly_InvertTrue(t *testing.T) {
+	t.Parallel()
+	require.False(t, newRuleSetOnlyRule(true, true).Match(&adapter.InboundContext{}))
+	require.True(t, newRuleSetOnlyRule(false, true).Match(&adapter.InboundContext{}))
+}
+
+func TestAbstractLogicalRule_And_WithRuleSetInvert(t *testing.T) {
+	t.Parallel()
+	testCases := []struct {
+		name          string
+		aMatched      bool
+		ruleSetBMatch bool
+		expected      bool
+	}{
+		{
+			name:          "A true B true",
+			aMatched:      true,
+			ruleSetBMatch: true,
+			expected:      false,
+		},
+		{
+			name:          "A true B false",
+			aMatched:      true,
+			ruleSetBMatch: false,
+			expected:      true,
+		},
+		{
+			name:          "A false B true",
+			aMatched:      false,
+			ruleSetBMatch: true,
+			expected:      false,
+		},
+		{
+			name:          "A false B false",
+			aMatched:      false,
+			ruleSetBMatch: false,
+			expected:      false,
+		},
+	}
+	for _, testCase := range testCases {
+		testCase := testCase
+		t.Run(testCase.name, func(t *testing.T) {
+			t.Parallel()
+			logicalRule := &abstractLogicalRule{
+				mode: C.LogicalTypeAnd,
+				rules: []adapter.HeadlessRule{
+					newSingleItemRule(testCase.aMatched),
+					newRuleSetOnlyRule(testCase.ruleSetBMatch, true),
+				},
+			}
+			require.Equal(t, testCase.expected, logicalRule.Match(&adapter.InboundContext{}))
+		})
+	}
+}

route/rule/rule_default.go

@@ -5,7 +5,6 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
@@ -267,14 +266,13 @@ func NewDefaultRule(ctx context.Context, logger log.ContextLogger, options optio
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.RuleSet) > 0 {
+		//nolint:staticcheck
+		if options.Deprecated_RulesetIPCIDRMatchSource {
+			return nil, E.New("rule_set_ipcidr_match_source is deprecated in sing-box 1.10.0 and removed in sing-box 1.11.0")
+		}
 		var matchSource bool
 		if options.RuleSetIPCIDRMatchSource {
 			matchSource = true
-		} else
-		//nolint:staticcheck
-		if options.Deprecated_RulesetIPCIDRMatchSource {
-			matchSource = true
-			deprecated.Report(ctx, deprecated.OptionBadMatchSource)
 		}
 		item := NewRuleSetItem(router, options.RuleSet, matchSource, false)
 		rule.items = append(rule.items, item)

route/rule/rule_dns.go

@@ -5,7 +5,6 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
@@ -263,14 +262,13 @@ func NewDefaultDNSRule(ctx context.Context, logger log.ContextLogger, options op
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.RuleSet) > 0 {
+		//nolint:staticcheck
+		if options.Deprecated_RulesetIPCIDRMatchSource {
+			return nil, E.New("rule_set_ipcidr_match_source is deprecated in sing-box 1.10.0 and removed in sing-box 1.11.0")
+		}
 		var matchSource bool
 		if options.RuleSetIPCIDRMatchSource {
 			matchSource = true
-		} else
-		//nolint:staticcheck
-		if options.Deprecated_RulesetIPCIDRMatchSource {
-			matchSource = true
-			deprecated.Report(ctx, deprecated.OptionBadMatchSource)
 		}
 		item := NewRuleSetItem(router, options.RuleSet, matchSource, options.RuleSetIPCIDRAcceptEmpty)
 		rule.items = append(rule.items, item)

service/ccm/service.go

@@ -10,6 +10,7 @@ import (
 	"mime"
 	"net"
 	"net/http"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -79,6 +80,35 @@ func isHopByHopHeader(header string) bool {
 	}
 }
 
+const (
+	weeklyWindowSeconds = 604800
+	weeklyWindowMinutes = weeklyWindowSeconds / 60
+)
+
+func parseInt64Header(headers http.Header, headerName string) (int64, bool) {
+	headerValue := strings.TrimSpace(headers.Get(headerName))
+	if headerValue == "" {
+		return 0, false
+	}
+	parsedValue, parseError := strconv.ParseInt(headerValue, 10, 64)
+	if parseError != nil {
+		return 0, false
+	}
+	return parsedValue, true
+}
+
+func extractWeeklyCycleHint(headers http.Header) *WeeklyCycleHint {
+	resetAtUnix, hasResetAt := parseInt64Header(headers, "anthropic-ratelimit-unified-7d-reset")
+	if !hasResetAt || resetAtUnix <= 0 {
+		return nil
+	}
+
+	return &WeeklyCycleHint{
+		WindowMinutes: weeklyWindowMinutes,
+		ResetAt:       time.Unix(resetAtUnix, 0).UTC(),
+	}
+}
+
 type Service struct {
 	boxService.Adapter
 	ctx            context.Context
@@ -392,6 +422,7 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 }
 
 func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, response *http.Response, requestModel string, anthropicBetaHeader string, messagesCount int, username string) {
+	weeklyCycleHint := extractWeeklyCycleHint(response.Header)
 	mediaType, _, err := mime.ParseMediaType(response.Header.Get("Content-Type"))
 	isStreaming := err == nil && mediaType == "text/event-stream"
 
@@ -417,7 +448,7 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 		if usage.InputTokens > 0 || usage.OutputTokens > 0 {
 			if responseModel != "" {
 				contextWindow := detectContextWindow(anthropicBetaHeader, usage.InputTokens)
-				s.usageTracker.AddUsage(
+				s.usageTracker.AddUsageWithCycleHint(
 					responseModel,
 					contextWindow,
 					messagesCount,
@@ -425,7 +456,11 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 					usage.OutputTokens,
 					usage.CacheReadInputTokens,
 					usage.CacheCreationInputTokens,
+					usage.CacheCreation.Ephemeral5mInputTokens,
+					usage.CacheCreation.Ephemeral1hInputTokens,
 					username,
+					time.Now(),
+					weeklyCycleHint,
 				)
 			}
 		}
@@ -485,6 +520,8 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 							accumulatedUsage.InputTokens = messageStart.Message.Usage.InputTokens
 							accumulatedUsage.CacheReadInputTokens = messageStart.Message.Usage.CacheReadInputTokens
 							accumulatedUsage.CacheCreationInputTokens = messageStart.Message.Usage.CacheCreationInputTokens
+							accumulatedUsage.CacheCreation.Ephemeral5mInputTokens = messageStart.Message.Usage.CacheCreation.Ephemeral5mInputTokens
+							accumulatedUsage.CacheCreation.Ephemeral1hInputTokens = messageStart.Message.Usage.CacheCreation.Ephemeral1hInputTokens
 						}
 					case "message_delta":
 						messageDelta := event.AsMessageDelta()
@@ -511,7 +548,7 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 			if accumulatedUsage.InputTokens > 0 || accumulatedUsage.OutputTokens > 0 {
 				if responseModel != "" {
 					contextWindow := detectContextWindow(anthropicBetaHeader, accumulatedUsage.InputTokens)
-					s.usageTracker.AddUsage(
+					s.usageTracker.AddUsageWithCycleHint(
 						responseModel,
 						contextWindow,
 						messagesCount,
@@ -519,7 +556,11 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 						accumulatedUsage.OutputTokens,
 						accumulatedUsage.CacheReadInputTokens,
 						accumulatedUsage.CacheCreationInputTokens,
+						accumulatedUsage.CacheCreation.Ephemeral5mInputTokens,
+						accumulatedUsage.CacheCreation.Ephemeral1hInputTokens,
 						username,
+						time.Now(),
+						weeklyCycleHint,
 					)
 				}
 			}

service/ccm/service_usage.go

@@ -2,6 +2,7 @@ package ccm
 
 import (
 	"encoding/json"
+	"fmt"
 	"math"
 	"os"
 	"regexp"
@@ -13,17 +14,20 @@ import (
 )
 
 type UsageStats struct {
-	RequestCount             int   `json:"request_count"`
-	MessagesCount            int   `json:"messages_count"`
-	InputTokens              int64 `json:"input_tokens"`
-	OutputTokens             int64 `json:"output_tokens"`
-	CacheReadInputTokens     int64 `json:"cache_read_input_tokens"`
-	CacheCreationInputTokens int64 `json:"cache_creation_input_tokens"`
+	RequestCount                    int   `json:"request_count"`
+	MessagesCount                   int   `json:"messages_count"`
+	InputTokens                     int64 `json:"input_tokens"`
+	OutputTokens                    int64 `json:"output_tokens"`
+	CacheReadInputTokens            int64 `json:"cache_read_input_tokens"`
+	CacheCreationInputTokens        int64 `json:"cache_creation_input_tokens"`
+	CacheCreation5MinuteInputTokens int64 `json:"cache_creation_5m_input_tokens,omitempty"`
+	CacheCreation1HourInputTokens   int64 `json:"cache_creation_1h_input_tokens,omitempty"`
 }
 
 type CostCombination struct {
 	Model         string                `json:"model"`
 	ContextWindow int                   `json:"context_window"`
+	WeekStartUnix int64                 `json:"week_start_unix,omitempty"`
 	Total         UsageStats            `json:"total"`
 	ByUser        map[string]UsageStats `json:"by_user"`
 }
@@ -41,18 +45,21 @@ type AggregatedUsage struct {
 }
 
 type UsageStatsJSON struct {
-	RequestCount             int     `json:"request_count"`
-	MessagesCount            int     `json:"messages_count"`
-	InputTokens              int64   `json:"input_tokens"`
-	OutputTokens             int64   `json:"output_tokens"`
-	CacheReadInputTokens     int64   `json:"cache_read_input_tokens"`
-	CacheCreationInputTokens int64   `json:"cache_creation_input_tokens"`
-	CostUSD                  float64 `json:"cost_usd"`
+	RequestCount                    int     `json:"request_count"`
+	MessagesCount                   int     `json:"messages_count"`
+	InputTokens                     int64   `json:"input_tokens"`
+	OutputTokens                    int64   `json:"output_tokens"`
+	CacheReadInputTokens            int64   `json:"cache_read_input_tokens"`
+	CacheCreationInputTokens        int64   `json:"cache_creation_input_tokens"`
+	CacheCreation5MinuteInputTokens int64   `json:"cache_creation_5m_input_tokens,omitempty"`
+	CacheCreation1HourInputTokens   int64   `json:"cache_creation_1h_input_tokens,omitempty"`
+	CostUSD                         float64 `json:"cost_usd"`
 }
 
 type CostCombinationJSON struct {
 	Model         string                    `json:"model"`
 	ContextWindow int                       `json:"context_window"`
+	WeekStartUnix int64                     `json:"week_start_unix,omitempty"`
 	Total         UsageStatsJSON            `json:"total"`
 	ByUser        map[string]UsageStatsJSON `json:"by_user"`
 }
@@ -60,6 +67,7 @@ type CostCombinationJSON struct {
 type CostsSummaryJSON struct {
 	TotalUSD float64            `json:"total_usd"`
 	ByUser   map[string]float64 `json:"by_user"`
+	ByWeek   map[string]float64 `json:"by_week,omitempty"`
 }
 
 type AggregatedUsageJSON struct {
@@ -68,11 +76,17 @@ type AggregatedUsageJSON struct {
 	Combinations []CostCombinationJSON `json:"combinations"`
 }
 
+type WeeklyCycleHint struct {
+	WindowMinutes int64
+	ResetAt       time.Time
+}
+
 type ModelPricing struct {
-	InputPrice      float64
-	OutputPrice     float64
-	CacheReadPrice  float64
-	CacheWritePrice float64
+	InputPrice             float64
+	OutputPrice            float64
+	CacheReadPrice         float64
+	CacheWritePrice5Minute float64
+	CacheWritePrice1Hour   float64
 }
 
 type modelFamily struct {
@@ -82,143 +96,205 @@ type modelFamily struct {
 }
 
 var (
-	opus4Pricing = ModelPricing{
-		InputPrice:      15.0,
-		OutputPrice:     75.0,
-		CacheReadPrice:  1.5,
-		CacheWritePrice: 18.75,
+	opus46StandardPricing = ModelPricing{
+		InputPrice:             5.0,
+		OutputPrice:            25.0,
+		CacheReadPrice:         0.5,
+		CacheWritePrice5Minute: 6.25,
+		CacheWritePrice1Hour:   10.0,
 	}
 
-	sonnet4StandardPricing = ModelPricing{
-		InputPrice:      3.0,
-		OutputPrice:     15.0,
-		CacheReadPrice:  0.3,
-		CacheWritePrice: 3.75,
-	}
-
-	sonnet4PremiumPricing = ModelPricing{
-		InputPrice:      6.0,
-		OutputPrice:     22.5,
-		CacheReadPrice:  0.6,
-		CacheWritePrice: 7.5,
-	}
-
-	haiku4Pricing = ModelPricing{
-		InputPrice:      1.0,
-		OutputPrice:     5.0,
-		CacheReadPrice:  0.1,
-		CacheWritePrice: 1.25,
-	}
-
-	haiku35Pricing = ModelPricing{
-		InputPrice:      0.8,
-		OutputPrice:     4.0,
-		CacheReadPrice:  0.08,
-		CacheWritePrice: 1.0,
-	}
-
-	sonnet35Pricing = ModelPricing{
-		InputPrice:      3.0,
-		OutputPrice:     15.0,
-		CacheReadPrice:  0.3,
-		CacheWritePrice: 3.75,
+	opus46PremiumPricing = ModelPricing{
+		InputPrice:             10.0,
+		OutputPrice:            37.5,
+		CacheReadPrice:         1.0,
+		CacheWritePrice5Minute: 12.5,
+		CacheWritePrice1Hour:   20.0,
 	}
 
 	opus45Pricing = ModelPricing{
-		InputPrice:      5.0,
-		OutputPrice:     25.0,
-		CacheReadPrice:  0.5,
-		CacheWritePrice: 6.25,
+		InputPrice:             5.0,
+		OutputPrice:            25.0,
+		CacheReadPrice:         0.5,
+		CacheWritePrice5Minute: 6.25,
+		CacheWritePrice1Hour:   10.0,
+	}
+
+	opus4Pricing = ModelPricing{
+		InputPrice:             15.0,
+		OutputPrice:            75.0,
+		CacheReadPrice:         1.5,
+		CacheWritePrice5Minute: 18.75,
+		CacheWritePrice1Hour:   30.0,
+	}
+
+	sonnet46StandardPricing = ModelPricing{
+		InputPrice:             3.0,
+		OutputPrice:            15.0,
+		CacheReadPrice:         0.3,
+		CacheWritePrice5Minute: 3.75,
+		CacheWritePrice1Hour:   6.0,
+	}
+
+	sonnet46PremiumPricing = ModelPricing{
+		InputPrice:             6.0,
+		OutputPrice:            22.5,
+		CacheReadPrice:         0.6,
+		CacheWritePrice5Minute: 7.5,
+		CacheWritePrice1Hour:   12.0,
 	}
 
 	sonnet45StandardPricing = ModelPricing{
-		InputPrice:      3.0,
-		OutputPrice:     15.0,
-		CacheReadPrice:  0.3,
-		CacheWritePrice: 3.75,
+		InputPrice:             3.0,
+		OutputPrice:            15.0,
+		CacheReadPrice:         0.3,
+		CacheWritePrice5Minute: 3.75,
+		CacheWritePrice1Hour:   6.0,
 	}
 
 	sonnet45PremiumPricing = ModelPricing{
-		InputPrice:      6.0,
-		OutputPrice:     22.5,
-		CacheReadPrice:  0.6,
-		CacheWritePrice: 7.5,
+		InputPrice:             6.0,
+		OutputPrice:            22.5,
+		CacheReadPrice:         0.6,
+		CacheWritePrice5Minute: 7.5,
+		CacheWritePrice1Hour:   12.0,
+	}
+
+	sonnet4StandardPricing = ModelPricing{
+		InputPrice:             3.0,
+		OutputPrice:            15.0,
+		CacheReadPrice:         0.3,
+		CacheWritePrice5Minute: 3.75,
+		CacheWritePrice1Hour:   6.0,
+	}
+
+	sonnet4PremiumPricing = ModelPricing{
+		InputPrice:             6.0,
+		OutputPrice:            22.5,
+		CacheReadPrice:         0.6,
+		CacheWritePrice5Minute: 7.5,
+		CacheWritePrice1Hour:   12.0,
+	}
+
+	sonnet37Pricing = ModelPricing{
+		InputPrice:             3.0,
+		OutputPrice:            15.0,
+		CacheReadPrice:         0.3,
+		CacheWritePrice5Minute: 3.75,
+		CacheWritePrice1Hour:   6.0,
+	}
+
+	sonnet35Pricing = ModelPricing{
+		InputPrice:             3.0,
+		OutputPrice:            15.0,
+		CacheReadPrice:         0.3,
+		CacheWritePrice5Minute: 3.75,
+		CacheWritePrice1Hour:   6.0,
 	}
 
 	haiku45Pricing = ModelPricing{
-		InputPrice:      1.0,
-		OutputPrice:     5.0,
-		CacheReadPrice:  0.1,
-		CacheWritePrice: 1.25,
+		InputPrice:             1.0,
+		OutputPrice:            5.0,
+		CacheReadPrice:         0.1,
+		CacheWritePrice5Minute: 1.25,
+		CacheWritePrice1Hour:   2.0,
+	}
+
+	haiku4Pricing = ModelPricing{
+		InputPrice:             1.0,
+		OutputPrice:            5.0,
+		CacheReadPrice:         0.1,
+		CacheWritePrice5Minute: 1.25,
+		CacheWritePrice1Hour:   2.0,
+	}
+
+	haiku35Pricing = ModelPricing{
+		InputPrice:             0.8,
+		OutputPrice:            4.0,
+		CacheReadPrice:         0.08,
+		CacheWritePrice5Minute: 1.0,
+		CacheWritePrice1Hour:   1.6,
 	}
 
 	haiku3Pricing = ModelPricing{
-		InputPrice:      0.25,
-		OutputPrice:     1.25,
-		CacheReadPrice:  0.03,
-		CacheWritePrice: 0.3,
+		InputPrice:             0.25,
+		OutputPrice:            1.25,
+		CacheReadPrice:         0.03,
+		CacheWritePrice5Minute: 0.3,
+		CacheWritePrice1Hour:   0.5,
 	}
 
 	opus3Pricing = ModelPricing{
-		InputPrice:      15.0,
-		OutputPrice:     75.0,
-		CacheReadPrice:  1.5,
-		CacheWritePrice: 18.75,
+		InputPrice:             15.0,
+		OutputPrice:            75.0,
+		CacheReadPrice:         1.5,
+		CacheWritePrice5Minute: 18.75,
+		CacheWritePrice1Hour:   30.0,
 	}
 
 	modelFamilies = []modelFamily{
 		{
-			pattern:         regexp.MustCompile(`^claude-opus-4-5-`),
+			pattern:         regexp.MustCompile(`^claude-opus-4-6(?:-|$)`),
+			standardPricing: opus46StandardPricing,
+			premiumPricing:  &opus46PremiumPricing,
+		},
+		{
+			pattern:         regexp.MustCompile(`^claude-opus-4-5(?:-|$)`),
 			standardPricing: opus45Pricing,
 			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-(?:opus-4-|4-opus-|opus-4-1-)`),
+			pattern:         regexp.MustCompile(`^claude-(?:opus-4(?:-|$)|4-opus-)`),
 			standardPricing: opus4Pricing,
 			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-(?:opus-3-|3-opus-)`),
+			pattern:         regexp.MustCompile(`^claude-(?:opus-3(?:-|$)|3-opus-)`),
 			standardPricing: opus3Pricing,
 			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-(?:sonnet-4-5-|4-5-sonnet-)`),
+			pattern:         regexp.MustCompile(`^claude-(?:sonnet-4-6(?:-|$)|4-6-sonnet-)`),
+			standardPricing: sonnet46StandardPricing,
+			premiumPricing:  &sonnet46PremiumPricing,
+		},
+		{
+			pattern:         regexp.MustCompile(`^claude-(?:sonnet-4-5(?:-|$)|4-5-sonnet-)`),
 			standardPricing: sonnet45StandardPricing,
 			premiumPricing:  &sonnet45PremiumPricing,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-3-7-sonnet-`),
+			pattern:         regexp.MustCompile(`^claude-(?:sonnet-4(?:-|$)|4-sonnet-)`),
 			standardPricing: sonnet4StandardPricing,
 			premiumPricing:  &sonnet4PremiumPricing,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-(?:sonnet-4-|4-sonnet-)`),
-			standardPricing: sonnet4StandardPricing,
-			premiumPricing:  &sonnet4PremiumPricing,
+			pattern:         regexp.MustCompile(`^claude-3-7-sonnet(?:-|$)`),
+			standardPricing: sonnet37Pricing,
+			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-3-5-sonnet-`),
+			pattern:         regexp.MustCompile(`^claude-3-5-sonnet(?:-|$)`),
 			standardPricing: sonnet35Pricing,
 			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-(?:haiku-4-5-|4-5-haiku-)`),
+			pattern:         regexp.MustCompile(`^claude-(?:haiku-4-5(?:-|$)|4-5-haiku-)`),
 			standardPricing: haiku45Pricing,
 			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-haiku-4-`),
+			pattern:         regexp.MustCompile(`^claude-haiku-4(?:-|$)`),
 			standardPricing: haiku4Pricing,
 			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-3-5-haiku-`),
+			pattern:         regexp.MustCompile(`^claude-3-5-haiku(?:-|$)`),
 			standardPricing: haiku35Pricing,
 			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-3-haiku-`),
+			pattern:         regexp.MustCompile(`^claude-3-haiku(?:-|$)`),
 			standardPricing: haiku3Pricing,
 			premiumPricing:  nil,
 		},
@@ -243,68 +319,211 @@ func getPricing(model string, contextWindow int) ModelPricing {
 func calculateCost(stats UsageStats, model string, contextWindow int) float64 {
 	pricing := getPricing(model, contextWindow)
 
+	cacheCreationCost := 0.0
+	if stats.CacheCreation5MinuteInputTokens > 0 || stats.CacheCreation1HourInputTokens > 0 {
+		cacheCreationCost = float64(stats.CacheCreation5MinuteInputTokens)*pricing.CacheWritePrice5Minute +
+			float64(stats.CacheCreation1HourInputTokens)*pricing.CacheWritePrice1Hour
+	} else {
+		// Backward compatibility for usage files generated before TTL split tracking.
+		cacheCreationCost = float64(stats.CacheCreationInputTokens) * pricing.CacheWritePrice5Minute
+	}
+
 	cost := (float64(stats.InputTokens)*pricing.InputPrice +
 		float64(stats.OutputTokens)*pricing.OutputPrice +
 		float64(stats.CacheReadInputTokens)*pricing.CacheReadPrice +
-		float64(stats.CacheCreationInputTokens)*pricing.CacheWritePrice) / 1_000_000
+		cacheCreationCost) / 1_000_000
 
 	return math.Round(cost*100) / 100
 }
 
+func roundCost(cost float64) float64 {
+	return math.Round(cost*100) / 100
+}
+
+func normalizeCombinations(combinations []CostCombination) {
+	for index := range combinations {
+		if combinations[index].ByUser == nil {
+			combinations[index].ByUser = make(map[string]UsageStats)
+		}
+	}
+}
+
+func addUsageToCombinations(
+	combinations *[]CostCombination,
+	model string,
+	contextWindow int,
+	weekStartUnix int64,
+	messagesCount int,
+	inputTokens, outputTokens, cacheReadTokens, cacheCreationTokens, cacheCreation5MinuteTokens, cacheCreation1HourTokens int64,
+	user string,
+) {
+	var matchedCombination *CostCombination
+	for index := range *combinations {
+		combination := &(*combinations)[index]
+		if combination.Model == model && combination.ContextWindow == contextWindow && combination.WeekStartUnix == weekStartUnix {
+			matchedCombination = combination
+			break
+		}
+	}
+
+	if matchedCombination == nil {
+		newCombination := CostCombination{
+			Model:         model,
+			ContextWindow: contextWindow,
+			WeekStartUnix: weekStartUnix,
+			Total:         UsageStats{},
+			ByUser:        make(map[string]UsageStats),
+		}
+		*combinations = append(*combinations, newCombination)
+		matchedCombination = &(*combinations)[len(*combinations)-1]
+	}
+
+	if cacheCreationTokens == 0 {
+		cacheCreationTokens = cacheCreation5MinuteTokens + cacheCreation1HourTokens
+	}
+
+	matchedCombination.Total.RequestCount++
+	matchedCombination.Total.MessagesCount += messagesCount
+	matchedCombination.Total.InputTokens += inputTokens
+	matchedCombination.Total.OutputTokens += outputTokens
+	matchedCombination.Total.CacheReadInputTokens += cacheReadTokens
+	matchedCombination.Total.CacheCreationInputTokens += cacheCreationTokens
+	matchedCombination.Total.CacheCreation5MinuteInputTokens += cacheCreation5MinuteTokens
+	matchedCombination.Total.CacheCreation1HourInputTokens += cacheCreation1HourTokens
+
+	if user != "" {
+		userStats := matchedCombination.ByUser[user]
+		userStats.RequestCount++
+		userStats.MessagesCount += messagesCount
+		userStats.InputTokens += inputTokens
+		userStats.OutputTokens += outputTokens
+		userStats.CacheReadInputTokens += cacheReadTokens
+		userStats.CacheCreationInputTokens += cacheCreationTokens
+		userStats.CacheCreation5MinuteInputTokens += cacheCreation5MinuteTokens
+		userStats.CacheCreation1HourInputTokens += cacheCreation1HourTokens
+		matchedCombination.ByUser[user] = userStats
+	}
+}
+
+func buildCombinationJSON(combinations []CostCombination, aggregateUserCosts map[string]float64) ([]CostCombinationJSON, float64) {
+	result := make([]CostCombinationJSON, len(combinations))
+	var totalCost float64
+
+	for index, combination := range combinations {
+		combinationTotalCost := calculateCost(combination.Total, combination.Model, combination.ContextWindow)
+		totalCost += combinationTotalCost
+
+		combinationJSON := CostCombinationJSON{
+			Model:         combination.Model,
+			ContextWindow: combination.ContextWindow,
+			WeekStartUnix: combination.WeekStartUnix,
+			Total: UsageStatsJSON{
+				RequestCount:                    combination.Total.RequestCount,
+				MessagesCount:                   combination.Total.MessagesCount,
+				InputTokens:                     combination.Total.InputTokens,
+				OutputTokens:                    combination.Total.OutputTokens,
+				CacheReadInputTokens:            combination.Total.CacheReadInputTokens,
+				CacheCreationInputTokens:        combination.Total.CacheCreationInputTokens,
+				CacheCreation5MinuteInputTokens: combination.Total.CacheCreation5MinuteInputTokens,
+				CacheCreation1HourInputTokens:   combination.Total.CacheCreation1HourInputTokens,
+				CostUSD:                         combinationTotalCost,
+			},
+			ByUser: make(map[string]UsageStatsJSON),
+		}
+
+		for user, userStats := range combination.ByUser {
+			userCost := calculateCost(userStats, combination.Model, combination.ContextWindow)
+			if aggregateUserCosts != nil {
+				aggregateUserCosts[user] += userCost
+			}
+
+			combinationJSON.ByUser[user] = UsageStatsJSON{
+				RequestCount:                    userStats.RequestCount,
+				MessagesCount:                   userStats.MessagesCount,
+				InputTokens:                     userStats.InputTokens,
+				OutputTokens:                    userStats.OutputTokens,
+				CacheReadInputTokens:            userStats.CacheReadInputTokens,
+				CacheCreationInputTokens:        userStats.CacheCreationInputTokens,
+				CacheCreation5MinuteInputTokens: userStats.CacheCreation5MinuteInputTokens,
+				CacheCreation1HourInputTokens:   userStats.CacheCreation1HourInputTokens,
+				CostUSD:                         userCost,
+			}
+		}
+
+		result[index] = combinationJSON
+	}
+
+	return result, roundCost(totalCost)
+}
+
+func formatUTCOffsetLabel(timestamp time.Time) string {
+	_, offsetSeconds := timestamp.Zone()
+	sign := "+"
+	if offsetSeconds < 0 {
+		sign = "-"
+		offsetSeconds = -offsetSeconds
+	}
+	offsetHours := offsetSeconds / 3600
+	offsetMinutes := (offsetSeconds % 3600) / 60
+	if offsetMinutes == 0 {
+		return fmt.Sprintf("UTC%s%d", sign, offsetHours)
+	}
+	return fmt.Sprintf("UTC%s%d:%02d", sign, offsetHours, offsetMinutes)
+}
+
+func formatWeekStartKey(cycleStartAt time.Time) string {
+	localCycleStart := cycleStartAt.In(time.Local)
+	return fmt.Sprintf("%s %s", localCycleStart.Format("2006-01-02 15:04:05"), formatUTCOffsetLabel(localCycleStart))
+}
+
+func buildByWeekCost(combinations []CostCombination) map[string]float64 {
+	byWeek := make(map[string]float64)
+	for _, combination := range combinations {
+		if combination.WeekStartUnix <= 0 {
+			continue
+		}
+		weekStartAt := time.Unix(combination.WeekStartUnix, 0).UTC()
+		weekKey := formatWeekStartKey(weekStartAt)
+		byWeek[weekKey] += calculateCost(combination.Total, combination.Model, combination.ContextWindow)
+	}
+	for weekKey, weekCost := range byWeek {
+		byWeek[weekKey] = roundCost(weekCost)
+	}
+	return byWeek
+}
+
+func deriveWeekStartUnix(cycleHint *WeeklyCycleHint) int64 {
+	if cycleHint == nil || cycleHint.WindowMinutes <= 0 || cycleHint.ResetAt.IsZero() {
+		return 0
+	}
+	windowDuration := time.Duration(cycleHint.WindowMinutes) * time.Minute
+	return cycleHint.ResetAt.UTC().Add(-windowDuration).Unix()
+}
+
 func (u *AggregatedUsage) ToJSON() *AggregatedUsageJSON {
 	u.mutex.Lock()
 	defer u.mutex.Unlock()
 
 	result := &AggregatedUsageJSON{
-		LastUpdated:  u.LastUpdated,
-		Combinations: make([]CostCombinationJSON, len(u.Combinations)),
+		LastUpdated: u.LastUpdated,
 		Costs: CostsSummaryJSON{
 			TotalUSD: 0,
 			ByUser:   make(map[string]float64),
+			ByWeek:   make(map[string]float64),
 		},
 	}
 
-	for i, combo := range u.Combinations {
-		totalCost := calculateCost(combo.Total, combo.Model, combo.ContextWindow)
+	globalCombinationsJSON, totalCost := buildCombinationJSON(u.Combinations, result.Costs.ByUser)
+	result.Combinations = globalCombinationsJSON
+	result.Costs.TotalUSD = totalCost
+	result.Costs.ByWeek = buildByWeekCost(u.Combinations)
 
-		result.Costs.TotalUSD += totalCost
-
-		comboJSON := CostCombinationJSON{
-			Model:         combo.Model,
-			ContextWindow: combo.ContextWindow,
-			Total: UsageStatsJSON{
-				RequestCount:             combo.Total.RequestCount,
-				MessagesCount:            combo.Total.MessagesCount,
-				InputTokens:              combo.Total.InputTokens,
-				OutputTokens:             combo.Total.OutputTokens,
-				CacheReadInputTokens:     combo.Total.CacheReadInputTokens,
-				CacheCreationInputTokens: combo.Total.CacheCreationInputTokens,
-				CostUSD:                  totalCost,
-			},
-			ByUser: make(map[string]UsageStatsJSON),
-		}
-
-		for user, userStats := range combo.ByUser {
-			userCost := calculateCost(userStats, combo.Model, combo.ContextWindow)
-			result.Costs.ByUser[user] += userCost
-
-			comboJSON.ByUser[user] = UsageStatsJSON{
-				RequestCount:             userStats.RequestCount,
-				MessagesCount:            userStats.MessagesCount,
-				InputTokens:              userStats.InputTokens,
-				OutputTokens:             userStats.OutputTokens,
-				CacheReadInputTokens:     userStats.CacheReadInputTokens,
-				CacheCreationInputTokens: userStats.CacheCreationInputTokens,
-				CostUSD:                  userCost,
-			}
-		}
-
-		result.Combinations[i] = comboJSON
+	if len(result.Costs.ByWeek) == 0 {
+		result.Costs.ByWeek = nil
 	}
 
-	result.Costs.TotalUSD = math.Round(result.Costs.TotalUSD*100) / 100
 	for user, cost := range result.Costs.ByUser {
-		result.Costs.ByUser[user] = math.Round(cost*100) / 100
+		result.Costs.ByUser[user] = roundCost(cost)
 	}
 
 	return result
@@ -314,6 +533,9 @@ func (u *AggregatedUsage) Load() error {
 	u.mutex.Lock()
 	defer u.mutex.Unlock()
 
+	u.LastUpdated = time.Time{}
+	u.Combinations = nil
+
 	data, err := os.ReadFile(u.filePath)
 	if err != nil {
 		if os.IsNotExist(err) {
@@ -334,12 +556,7 @@ func (u *AggregatedUsage) Load() error {
 
 	u.LastUpdated = temp.LastUpdated
 	u.Combinations = temp.Combinations
-
-	for i := range u.Combinations {
-		if u.Combinations[i].ByUser == nil {
-			u.Combinations[i].ByUser = make(map[string]UsageStats)
-		}
-	}
+	normalizeCombinations(u.Combinations)
 
 	return nil
 }
@@ -367,58 +584,42 @@ func (u *AggregatedUsage) Save() error {
 	return err
 }
 
-func (u *AggregatedUsage) AddUsage(model string, contextWindow int, messagesCount int, inputTokens, outputTokens, cacheReadTokens, cacheCreationTokens int64, user string) error {
+func (u *AggregatedUsage) AddUsage(
+	model string,
+	contextWindow int,
+	messagesCount int,
+	inputTokens, outputTokens, cacheReadTokens, cacheCreationTokens, cacheCreation5MinuteTokens, cacheCreation1HourTokens int64,
+	user string,
+) error {
+	return u.AddUsageWithCycleHint(model, contextWindow, messagesCount, inputTokens, outputTokens, cacheReadTokens, cacheCreationTokens, cacheCreation5MinuteTokens, cacheCreation1HourTokens, user, time.Now(), nil)
+}
+
+func (u *AggregatedUsage) AddUsageWithCycleHint(
+	model string,
+	contextWindow int,
+	messagesCount int,
+	inputTokens, outputTokens, cacheReadTokens, cacheCreationTokens, cacheCreation5MinuteTokens, cacheCreation1HourTokens int64,
+	user string,
+	observedAt time.Time,
+	cycleHint *WeeklyCycleHint,
+) error {
 	if model == "" {
 		return E.New("model cannot be empty")
 	}
 	if contextWindow <= 0 {
 		return E.New("contextWindow must be positive")
 	}
+	if observedAt.IsZero() {
+		observedAt = time.Now()
+	}
 
 	u.mutex.Lock()
 	defer u.mutex.Unlock()
 
-	u.LastUpdated = time.Now()
+	u.LastUpdated = observedAt
+	weekStartUnix := deriveWeekStartUnix(cycleHint)
 
-	// Find or create combination
-	var combo *CostCombination
-	for i := range u.Combinations {
-		if u.Combinations[i].Model == model && u.Combinations[i].ContextWindow == contextWindow {
-			combo = &u.Combinations[i]
-			break
-		}
-	}
-
-	if combo == nil {
-		newCombo := CostCombination{
-			Model:         model,
-			ContextWindow: contextWindow,
-			Total:         UsageStats{},
-			ByUser:        make(map[string]UsageStats),
-		}
-		u.Combinations = append(u.Combinations, newCombo)
-		combo = &u.Combinations[len(u.Combinations)-1]
-	}
-
-	// Update total stats
-	combo.Total.RequestCount++
-	combo.Total.MessagesCount += messagesCount
-	combo.Total.InputTokens += inputTokens
-	combo.Total.OutputTokens += outputTokens
-	combo.Total.CacheReadInputTokens += cacheReadTokens
-	combo.Total.CacheCreationInputTokens += cacheCreationTokens
-
-	// Update per-user stats if user is specified
-	if user != "" {
-		userStats := combo.ByUser[user]
-		userStats.RequestCount++
-		userStats.MessagesCount += messagesCount
-		userStats.InputTokens += inputTokens
-		userStats.OutputTokens += outputTokens
-		userStats.CacheReadInputTokens += cacheReadTokens
-		userStats.CacheCreationInputTokens += cacheCreationTokens
-		combo.ByUser[user] = userStats
-	}
+	addUsageToCombinations(&u.Combinations, model, contextWindow, weekStartUnix, messagesCount, inputTokens, outputTokens, cacheReadTokens, cacheCreationTokens, cacheCreation5MinuteTokens, cacheCreation1HourTokens, user)
 
 	go u.scheduleSave()
 

service/ocm/service.go

@@ -10,6 +10,7 @@ import (
 	"mime"
 	"net"
 	"net/http"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -71,6 +72,57 @@ func isHopByHopHeader(header string) bool {
 	}
 }
 
+func normalizeRateLimitIdentifier(limitIdentifier string) string {
+	trimmedIdentifier := strings.TrimSpace(strings.ToLower(limitIdentifier))
+	if trimmedIdentifier == "" {
+		return ""
+	}
+	return strings.ReplaceAll(trimmedIdentifier, "_", "-")
+}
+
+func parseInt64Header(headers http.Header, headerName string) (int64, bool) {
+	headerValue := strings.TrimSpace(headers.Get(headerName))
+	if headerValue == "" {
+		return 0, false
+	}
+	parsedValue, parseError := strconv.ParseInt(headerValue, 10, 64)
+	if parseError != nil {
+		return 0, false
+	}
+	return parsedValue, true
+}
+
+func weeklyCycleHintForLimit(headers http.Header, limitIdentifier string) *WeeklyCycleHint {
+	normalizedLimitIdentifier := normalizeRateLimitIdentifier(limitIdentifier)
+	if normalizedLimitIdentifier == "" {
+		return nil
+	}
+
+	windowHeader := "x-" + normalizedLimitIdentifier + "-secondary-window-minutes"
+	resetHeader := "x-" + normalizedLimitIdentifier + "-secondary-reset-at"
+
+	windowMinutes, hasWindowMinutes := parseInt64Header(headers, windowHeader)
+	resetAtUnix, hasResetAt := parseInt64Header(headers, resetHeader)
+	if !hasWindowMinutes || !hasResetAt || windowMinutes <= 0 || resetAtUnix <= 0 {
+		return nil
+	}
+
+	return &WeeklyCycleHint{
+		WindowMinutes: windowMinutes,
+		ResetAt:       time.Unix(resetAtUnix, 0).UTC(),
+	}
+}
+
+func extractWeeklyCycleHint(headers http.Header) *WeeklyCycleHint {
+	activeLimitIdentifier := normalizeRateLimitIdentifier(headers.Get("x-codex-active-limit"))
+	if activeLimitIdentifier != "" {
+		if activeHint := weeklyCycleHintForLimit(headers, activeLimitIdentifier); activeHint != nil {
+			return activeHint
+		}
+	}
+	return weeklyCycleHintForLimit(headers, "codex")
+}
+
 type Service struct {
 	boxService.Adapter
 	ctx            context.Context
@@ -404,9 +456,12 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, response *http.Response, path string, requestModel string, username string) {
 	isChatCompletions := path == "/v1/chat/completions"
+	weeklyCycleHint := extractWeeklyCycleHint(response.Header)
 	mediaType, _, err := mime.ParseMediaType(response.Header.Get("Content-Type"))
 	isStreaming := err == nil && mediaType == "text/event-stream"
-
+	if !isStreaming && !isChatCompletions && response.Header.Get("Content-Type") == "" {
+		isStreaming = true
+	}
 	if !isStreaming {
 		bodyBytes, err := io.ReadAll(response.Body)
 		if err != nil {
@@ -414,13 +469,14 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 			return
 		}
 
-		var responseModel string
+		var responseModel, serviceTier string
 		var inputTokens, outputTokens, cachedTokens int64
 
 		if isChatCompletions {
 			var chatCompletion openai.ChatCompletion
 			if json.Unmarshal(bodyBytes, &chatCompletion) == nil {
 				responseModel = chatCompletion.Model
+				serviceTier = string(chatCompletion.ServiceTier)
 				inputTokens = chatCompletion.Usage.PromptTokens
 				outputTokens = chatCompletion.Usage.CompletionTokens
 				cachedTokens = chatCompletion.Usage.PromptTokensDetails.CachedTokens
@@ -429,6 +485,7 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 			var responsesResponse responses.Response
 			if json.Unmarshal(bodyBytes, &responsesResponse) == nil {
 				responseModel = string(responsesResponse.Model)
+				serviceTier = string(responsesResponse.ServiceTier)
 				inputTokens = responsesResponse.Usage.InputTokens
 				outputTokens = responsesResponse.Usage.OutputTokens
 				cachedTokens = responsesResponse.Usage.InputTokensDetails.CachedTokens
@@ -440,7 +497,16 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 				responseModel = requestModel
 			}
 			if responseModel != "" {
-				s.usageTracker.AddUsage(responseModel, inputTokens, outputTokens, cachedTokens, username)
+				s.usageTracker.AddUsageWithCycleHint(
+					responseModel,
+					inputTokens,
+					outputTokens,
+					cachedTokens,
+					serviceTier,
+					username,
+					time.Now(),
+					weeklyCycleHint,
+				)
 			}
 		}
 
@@ -455,7 +521,7 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 	}
 
 	var inputTokens, outputTokens, cachedTokens int64
-	var responseModel string
+	var responseModel, serviceTier string
 	buffer := make([]byte, buf.BufferSize)
 	var leftover []byte
 
@@ -490,6 +556,9 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 							if chatChunk.Model != "" {
 								responseModel = chatChunk.Model
 							}
+							if chatChunk.ServiceTier != "" {
+								serviceTier = string(chatChunk.ServiceTier)
+							}
 							if chatChunk.Usage.PromptTokens > 0 {
 								inputTokens = chatChunk.Usage.PromptTokens
 								cachedTokens = chatChunk.Usage.PromptTokensDetails.CachedTokens
@@ -506,6 +575,9 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 								if string(completedEvent.Response.Model) != "" {
 									responseModel = string(completedEvent.Response.Model)
 								}
+								if completedEvent.Response.ServiceTier != "" {
+									serviceTier = string(completedEvent.Response.ServiceTier)
+								}
 								if completedEvent.Response.Usage.InputTokens > 0 {
 									inputTokens = completedEvent.Response.Usage.InputTokens
 									cachedTokens = completedEvent.Response.Usage.InputTokensDetails.CachedTokens
@@ -534,7 +606,16 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 
 			if inputTokens > 0 || outputTokens > 0 {
 				if responseModel != "" {
-					s.usageTracker.AddUsage(responseModel, inputTokens, outputTokens, cachedTokens, username)
+					s.usageTracker.AddUsageWithCycleHint(
+						responseModel,
+						inputTokens,
+						outputTokens,
+						cachedTokens,
+						serviceTier,
+						username,
+						time.Now(),
+						weeklyCycleHint,
+					)
 				}
 			}
 			return

service/ocm/service_usage.go

@@ -2,9 +2,11 @@ package ocm
 
 import (
 	"encoding/json"
+	"fmt"
 	"math"
 	"os"
 	"regexp"
+	"strings"
 	"sync"
 	"time"
 
@@ -42,9 +44,11 @@ func (u *UsageStats) UnmarshalJSON(data []byte) error {
 }
 
 type CostCombination struct {
-	Model  string                `json:"model"`
-	Total  UsageStats            `json:"total"`
-	ByUser map[string]UsageStats `json:"by_user"`
+	Model         string                `json:"model"`
+	ServiceTier   string                `json:"service_tier,omitempty"`
+	WeekStartUnix int64                 `json:"week_start_unix,omitempty"`
+	Total         UsageStats            `json:"total"`
+	ByUser        map[string]UsageStats `json:"by_user"`
 }
 
 type AggregatedUsage struct {
@@ -68,14 +72,17 @@ type UsageStatsJSON struct {
 }
 
 type CostCombinationJSON struct {
-	Model  string                    `json:"model"`
-	Total  UsageStatsJSON            `json:"total"`
-	ByUser map[string]UsageStatsJSON `json:"by_user"`
+	Model         string                    `json:"model"`
+	ServiceTier   string                    `json:"service_tier,omitempty"`
+	WeekStartUnix int64                     `json:"week_start_unix,omitempty"`
+	Total         UsageStatsJSON            `json:"total"`
+	ByUser        map[string]UsageStatsJSON `json:"by_user"`
 }
 
 type CostsSummaryJSON struct {
 	TotalUSD float64            `json:"total_usd"`
 	ByUser   map[string]float64 `json:"by_user"`
+	ByWeek   map[string]float64 `json:"by_week,omitempty"`
 }
 
 type AggregatedUsageJSON struct {
@@ -84,6 +91,11 @@ type AggregatedUsageJSON struct {
 	Combinations []CostCombinationJSON `json:"combinations"`
 }
 
+type WeeklyCycleHint struct {
+	WindowMinutes int64
+	ResetAt       time.Time
+}
+
 type ModelPricing struct {
 	InputPrice       float64
 	OutputPrice      float64
@@ -95,7 +107,123 @@ type modelFamily struct {
 	pricing ModelPricing
 }
 
+const (
+	serviceTierAuto     = "auto"
+	serviceTierDefault  = "default"
+	serviceTierFlex     = "flex"
+	serviceTierPriority = "priority"
+	serviceTierScale    = "scale"
+)
+
 var (
+	gpt52Pricing = ModelPricing{
+		InputPrice:       1.75,
+		OutputPrice:      14.0,
+		CachedInputPrice: 0.175,
+	}
+
+	gpt5Pricing = ModelPricing{
+		InputPrice:       1.25,
+		OutputPrice:      10.0,
+		CachedInputPrice: 0.125,
+	}
+
+	gpt5MiniPricing = ModelPricing{
+		InputPrice:       0.25,
+		OutputPrice:      2.0,
+		CachedInputPrice: 0.025,
+	}
+
+	gpt5NanoPricing = ModelPricing{
+		InputPrice:       0.05,
+		OutputPrice:      0.4,
+		CachedInputPrice: 0.005,
+	}
+
+	gpt52CodexPricing = ModelPricing{
+		InputPrice:       1.75,
+		OutputPrice:      14.0,
+		CachedInputPrice: 0.175,
+	}
+
+	gpt51CodexPricing = ModelPricing{
+		InputPrice:       1.25,
+		OutputPrice:      10.0,
+		CachedInputPrice: 0.125,
+	}
+
+	gpt51CodexMiniPricing = ModelPricing{
+		InputPrice:       0.25,
+		OutputPrice:      2.0,
+		CachedInputPrice: 0.025,
+	}
+
+	gpt52ProPricing = ModelPricing{
+		InputPrice:       21.0,
+		OutputPrice:      168.0,
+		CachedInputPrice: 21.0,
+	}
+
+	gpt5ProPricing = ModelPricing{
+		InputPrice:       15.0,
+		OutputPrice:      120.0,
+		CachedInputPrice: 15.0,
+	}
+
+	gpt52FlexPricing = ModelPricing{
+		InputPrice:       0.875,
+		OutputPrice:      7.0,
+		CachedInputPrice: 0.0875,
+	}
+
+	gpt5FlexPricing = ModelPricing{
+		InputPrice:       0.625,
+		OutputPrice:      5.0,
+		CachedInputPrice: 0.0625,
+	}
+
+	gpt5MiniFlexPricing = ModelPricing{
+		InputPrice:       0.125,
+		OutputPrice:      1.0,
+		CachedInputPrice: 0.0125,
+	}
+
+	gpt5NanoFlexPricing = ModelPricing{
+		InputPrice:       0.025,
+		OutputPrice:      0.2,
+		CachedInputPrice: 0.0025,
+	}
+
+	gpt52PriorityPricing = ModelPricing{
+		InputPrice:       3.5,
+		OutputPrice:      28.0,
+		CachedInputPrice: 0.35,
+	}
+
+	gpt5PriorityPricing = ModelPricing{
+		InputPrice:       2.5,
+		OutputPrice:      20.0,
+		CachedInputPrice: 0.25,
+	}
+
+	gpt5MiniPriorityPricing = ModelPricing{
+		InputPrice:       0.45,
+		OutputPrice:      3.6,
+		CachedInputPrice: 0.045,
+	}
+
+	gpt52CodexPriorityPricing = ModelPricing{
+		InputPrice:       3.5,
+		OutputPrice:      28.0,
+		CachedInputPrice: 0.35,
+	}
+
+	gpt51CodexPriorityPricing = ModelPricing{
+		InputPrice:       2.5,
+		OutputPrice:      20.0,
+		CachedInputPrice: 0.25,
+	}
+
 	gpt4oPricing = ModelPricing{
 		InputPrice:       2.5,
 		OutputPrice:      10.0,
@@ -111,7 +239,19 @@ var (
 	gpt4oAudioPricing = ModelPricing{
 		InputPrice:       2.5,
 		OutputPrice:      10.0,
-		CachedInputPrice: 1.25,
+		CachedInputPrice: 2.5,
+	}
+
+	gpt4oMiniAudioPricing = ModelPricing{
+		InputPrice:       0.15,
+		OutputPrice:      0.6,
+		CachedInputPrice: 0.15,
+	}
+
+	gptAudioMiniPricing = ModelPricing{
+		InputPrice:       0.6,
+		OutputPrice:      2.4,
+		CachedInputPrice: 0.6,
 	}
 
 	o1Pricing = ModelPricing{
@@ -120,6 +260,12 @@ var (
 		CachedInputPrice: 7.5,
 	}
 
+	o1ProPricing = ModelPricing{
+		InputPrice:       150.0,
+		OutputPrice:      600.0,
+		CachedInputPrice: 150.0,
+	}
+
 	o1MiniPricing = ModelPricing{
 		InputPrice:       1.1,
 		OutputPrice:      4.4,
@@ -135,13 +281,55 @@ var (
 	o3Pricing = ModelPricing{
 		InputPrice:       2.0,
 		OutputPrice:      8.0,
-		CachedInputPrice: 1.0,
+		CachedInputPrice: 0.5,
+	}
+
+	o3ProPricing = ModelPricing{
+		InputPrice:       20.0,
+		OutputPrice:      80.0,
+		CachedInputPrice: 20.0,
+	}
+
+	o3DeepResearchPricing = ModelPricing{
+		InputPrice:       10.0,
+		OutputPrice:      40.0,
+		CachedInputPrice: 2.5,
 	}
 
 	o4MiniPricing = ModelPricing{
 		InputPrice:       1.1,
 		OutputPrice:      4.4,
-		CachedInputPrice: 0.55,
+		CachedInputPrice: 0.275,
+	}
+
+	o4MiniDeepResearchPricing = ModelPricing{
+		InputPrice:       2.0,
+		OutputPrice:      8.0,
+		CachedInputPrice: 0.5,
+	}
+
+	o3FlexPricing = ModelPricing{
+		InputPrice:       1.0,
+		OutputPrice:      4.0,
+		CachedInputPrice: 0.25,
+	}
+
+	o4MiniFlexPricing = ModelPricing{
+		InputPrice:       0.55,
+		OutputPrice:      2.2,
+		CachedInputPrice: 0.138,
+	}
+
+	o3PriorityPricing = ModelPricing{
+		InputPrice:       3.5,
+		OutputPrice:      14.0,
+		CachedInputPrice: 0.875,
+	}
+
+	o4MiniPriorityPricing = ModelPricing{
+		InputPrice:       2.0,
+		OutputPrice:      8.0,
+		CachedInputPrice: 0.5,
 	}
 
 	gpt41Pricing = ModelPricing{
@@ -162,69 +350,374 @@ var (
 		CachedInputPrice: 0.025,
 	}
 
-	modelFamilies = []modelFamily{
+	gpt41PriorityPricing = ModelPricing{
+		InputPrice:       3.5,
+		OutputPrice:      14.0,
+		CachedInputPrice: 0.875,
+	}
+
+	gpt41MiniPriorityPricing = ModelPricing{
+		InputPrice:       0.7,
+		OutputPrice:      2.8,
+		CachedInputPrice: 0.175,
+	}
+
+	gpt41NanoPriorityPricing = ModelPricing{
+		InputPrice:       0.2,
+		OutputPrice:      0.8,
+		CachedInputPrice: 0.05,
+	}
+
+	gpt4oPriorityPricing = ModelPricing{
+		InputPrice:       4.25,
+		OutputPrice:      17.0,
+		CachedInputPrice: 2.125,
+	}
+
+	gpt4oMiniPriorityPricing = ModelPricing{
+		InputPrice:       0.25,
+		OutputPrice:      1.0,
+		CachedInputPrice: 0.125,
+	}
+
+	standardModelFamilies = []modelFamily{
 		{
-			pattern: regexp.MustCompile(`^gpt-4\.1-nano`),
-			pricing: gpt41NanoPricing,
+			pattern: regexp.MustCompile(`^gpt-5\.3-codex(?:$|-)`),
+			pricing: gpt52CodexPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^gpt-4\.1-mini`),
-			pricing: gpt41MiniPricing,
+			pattern: regexp.MustCompile(`^gpt-5\.2-codex(?:$|-)`),
+			pricing: gpt52CodexPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^gpt-4\.1`),
-			pricing: gpt41Pricing,
+			pattern: regexp.MustCompile(`^gpt-5\.1-codex-max(?:$|-)`),
+			pricing: gpt51CodexPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^o4-mini`),
+			pattern: regexp.MustCompile(`^gpt-5\.1-codex-mini(?:$|-)`),
+			pricing: gpt51CodexMiniPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.1-codex(?:$|-)`),
+			pricing: gpt51CodexPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5-codex-mini(?:$|-)`),
+			pricing: gpt51CodexMiniPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5-codex(?:$|-)`),
+			pricing: gpt51CodexPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.2-chat-latest$`),
+			pricing: gpt52Pricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.1-chat-latest$`),
+			pricing: gpt5Pricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5-chat-latest$`),
+			pricing: gpt5Pricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.2-pro(?:$|-)`),
+			pricing: gpt52ProPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5-pro(?:$|-)`),
+			pricing: gpt5ProPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5-mini(?:$|-)`),
+			pricing: gpt5MiniPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5-nano(?:$|-)`),
+			pricing: gpt5NanoPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.2(?:$|-)`),
+			pricing: gpt52Pricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.1(?:$|-)`),
+			pricing: gpt5Pricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5(?:$|-)`),
+			pricing: gpt5Pricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^o4-mini-deep-research(?:$|-)`),
+			pricing: o4MiniDeepResearchPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^o4-mini(?:$|-)`),
 			pricing: o4MiniPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^o3-mini`),
+			pattern: regexp.MustCompile(`^o3-pro(?:$|-)`),
+			pricing: o3ProPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^o3-deep-research(?:$|-)`),
+			pricing: o3DeepResearchPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^o3-mini(?:$|-)`),
 			pricing: o3MiniPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^o3`),
+			pattern: regexp.MustCompile(`^o3(?:$|-)`),
 			pricing: o3Pricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^o1-mini`),
+			pattern: regexp.MustCompile(`^o1-pro(?:$|-)`),
+			pricing: o1ProPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^o1-mini(?:$|-)`),
 			pricing: o1MiniPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^o1`),
+			pattern: regexp.MustCompile(`^o1(?:$|-)`),
 			pricing: o1Pricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^gpt-4o-audio`),
+			pattern: regexp.MustCompile(`^gpt-4o-mini-audio(?:$|-)`),
+			pricing: gpt4oMiniAudioPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-audio-mini(?:$|-)`),
+			pricing: gptAudioMiniPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^(?:gpt-4o-audio|gpt-audio)(?:$|-)`),
 			pricing: gpt4oAudioPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^gpt-4o-mini`),
+			pattern: regexp.MustCompile(`^gpt-4\.1-nano(?:$|-)`),
+			pricing: gpt41NanoPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-4\.1-mini(?:$|-)`),
+			pricing: gpt41MiniPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-4\.1(?:$|-)`),
+			pricing: gpt41Pricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-4o-mini(?:$|-)`),
 			pricing: gpt4oMiniPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^gpt-4o`),
+			pattern: regexp.MustCompile(`^gpt-4o(?:$|-)`),
 			pricing: gpt4oPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^chatgpt-4o`),
+			pattern: regexp.MustCompile(`^chatgpt-4o(?:$|-)`),
 			pricing: gpt4oPricing,
 		},
 	}
+
+	flexModelFamilies = []modelFamily{
+		{
+			pattern: regexp.MustCompile(`^gpt-5-mini(?:$|-)`),
+			pricing: gpt5MiniFlexPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5-nano(?:$|-)`),
+			pricing: gpt5NanoFlexPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.2(?:$|-)`),
+			pricing: gpt52FlexPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.1(?:$|-)`),
+			pricing: gpt5FlexPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5(?:$|-)`),
+			pricing: gpt5FlexPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^o4-mini(?:$|-)`),
+			pricing: o4MiniFlexPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^o3(?:$|-)`),
+			pricing: o3FlexPricing,
+		},
+	}
+
+	priorityModelFamilies = []modelFamily{
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.3-codex(?:$|-)`),
+			pricing: gpt52CodexPriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.2-codex(?:$|-)`),
+			pricing: gpt52CodexPriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.1-codex-max(?:$|-)`),
+			pricing: gpt51CodexPriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.1-codex(?:$|-)`),
+			pricing: gpt51CodexPriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5-codex-mini(?:$|-)`),
+			pricing: gpt5MiniPriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5-codex(?:$|-)`),
+			pricing: gpt51CodexPriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5-mini(?:$|-)`),
+			pricing: gpt5MiniPriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.2(?:$|-)`),
+			pricing: gpt52PriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.1(?:$|-)`),
+			pricing: gpt5PriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5(?:$|-)`),
+			pricing: gpt5PriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^o4-mini(?:$|-)`),
+			pricing: o4MiniPriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^o3(?:$|-)`),
+			pricing: o3PriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-4\.1-nano(?:$|-)`),
+			pricing: gpt41NanoPriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-4\.1-mini(?:$|-)`),
+			pricing: gpt41MiniPriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-4\.1(?:$|-)`),
+			pricing: gpt41PriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-4o-mini(?:$|-)`),
+			pricing: gpt4oMiniPriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-4o(?:$|-)`),
+			pricing: gpt4oPriorityPricing,
+		},
+	}
 )
 
-func getPricing(model string) ModelPricing {
+func modelFamiliesForTier(serviceTier string) []modelFamily {
+	switch serviceTier {
+	case serviceTierFlex:
+		return flexModelFamilies
+	case serviceTierPriority:
+		return priorityModelFamilies
+	default:
+		return standardModelFamilies
+	}
+}
+
+func findPricingInFamilies(model string, modelFamilies []modelFamily) (ModelPricing, bool) {
 	for _, family := range modelFamilies {
 		if family.pattern.MatchString(model) {
-			return family.pricing
+			return family.pricing, true
 		}
 	}
+	return ModelPricing{}, false
+}
+
+func normalizeServiceTier(serviceTier string) string {
+	switch strings.ToLower(strings.TrimSpace(serviceTier)) {
+	case "", serviceTierAuto, serviceTierDefault:
+		return serviceTierDefault
+	case serviceTierFlex:
+		return serviceTierFlex
+	case serviceTierPriority:
+		return serviceTierPriority
+	case serviceTierScale:
+		// Scale-tier requests are prepaid differently and not listed in this usage file.
+		return serviceTierDefault
+	default:
+		return serviceTierDefault
+	}
+}
+
+func getPricing(model string, serviceTier string) ModelPricing {
+	normalizedServiceTier := normalizeServiceTier(serviceTier)
+	modelFamilies := modelFamiliesForTier(normalizedServiceTier)
+
+	if pricing, found := findPricingInFamilies(model, modelFamilies); found {
+		return pricing
+	}
+
+	normalizedModel := normalizeGPT5Model(model)
+	if normalizedModel != model {
+		if pricing, found := findPricingInFamilies(normalizedModel, modelFamilies); found {
+			return pricing
+		}
+	}
+
+	if normalizedServiceTier != serviceTierDefault {
+		if pricing, found := findPricingInFamilies(model, standardModelFamilies); found {
+			return pricing
+		}
+		if normalizedModel != model {
+			if pricing, found := findPricingInFamilies(normalizedModel, standardModelFamilies); found {
+				return pricing
+			}
+		}
+	}
+
 	return gpt4oPricing
 }
 
-func calculateCost(stats UsageStats, model string) float64 {
-	pricing := getPricing(model)
+func normalizeGPT5Model(model string) string {
+	if !strings.HasPrefix(model, "gpt-5.") {
+		return model
+	}
+
+	switch {
+	case strings.Contains(model, "-codex-mini"):
+		return "gpt-5.1-codex-mini"
+	case strings.Contains(model, "-codex-max"):
+		return "gpt-5.1-codex-max"
+	case strings.Contains(model, "-codex"):
+		return "gpt-5.3-codex"
+	case strings.Contains(model, "-chat-latest"):
+		return "gpt-5.2-chat-latest"
+	case strings.Contains(model, "-pro"):
+		return "gpt-5.2-pro"
+	case strings.Contains(model, "-mini"):
+		return "gpt-5-mini"
+	case strings.Contains(model, "-nano"):
+		return "gpt-5-nano"
+	default:
+		return "gpt-5.2"
+	}
+}
+
+func calculateCost(stats UsageStats, model string, serviceTier string) float64 {
+	pricing := getPricing(model, serviceTier)
 
 	regularInputTokens := stats.InputTokens - stats.CachedTokens
 	if regularInputTokens < 0 {
@@ -238,41 +731,89 @@ func calculateCost(stats UsageStats, model string) float64 {
 	return math.Round(cost*100) / 100
 }
 
-func (u *AggregatedUsage) ToJSON() *AggregatedUsageJSON {
-	u.mutex.Lock()
-	defer u.mutex.Unlock()
+func roundCost(cost float64) float64 {
+	return math.Round(cost*100) / 100
+}
 
-	result := &AggregatedUsageJSON{
-		LastUpdated:  u.LastUpdated,
-		Combinations: make([]CostCombinationJSON, len(u.Combinations)),
-		Costs: CostsSummaryJSON{
-			TotalUSD: 0,
-			ByUser:   make(map[string]float64),
-		},
+func normalizeCombinations(combinations []CostCombination) {
+	for index := range combinations {
+		combinations[index].ServiceTier = normalizeServiceTier(combinations[index].ServiceTier)
+		if combinations[index].ByUser == nil {
+			combinations[index].ByUser = make(map[string]UsageStats)
+		}
+	}
+}
+
+func addUsageToCombinations(combinations *[]CostCombination, model string, serviceTier string, weekStartUnix int64, user string, inputTokens, outputTokens, cachedTokens int64) {
+	var matchedCombination *CostCombination
+	for index := range *combinations {
+		combination := &(*combinations)[index]
+		combinationServiceTier := normalizeServiceTier(combination.ServiceTier)
+		if combination.ServiceTier != combinationServiceTier {
+			combination.ServiceTier = combinationServiceTier
+		}
+		if combination.Model == model && combinationServiceTier == serviceTier && combination.WeekStartUnix == weekStartUnix {
+			matchedCombination = combination
+			break
+		}
 	}
 
-	for i, combo := range u.Combinations {
-		totalCost := calculateCost(combo.Total, combo.Model)
+	if matchedCombination == nil {
+		newCombination := CostCombination{
+			Model:         model,
+			ServiceTier:   serviceTier,
+			WeekStartUnix: weekStartUnix,
+			Total:         UsageStats{},
+			ByUser:        make(map[string]UsageStats),
+		}
+		*combinations = append(*combinations, newCombination)
+		matchedCombination = &(*combinations)[len(*combinations)-1]
+	}
 
-		result.Costs.TotalUSD += totalCost
+	matchedCombination.Total.RequestCount++
+	matchedCombination.Total.InputTokens += inputTokens
+	matchedCombination.Total.OutputTokens += outputTokens
+	matchedCombination.Total.CachedTokens += cachedTokens
 
-		comboJSON := CostCombinationJSON{
-			Model: combo.Model,
+	if user != "" {
+		userStats := matchedCombination.ByUser[user]
+		userStats.RequestCount++
+		userStats.InputTokens += inputTokens
+		userStats.OutputTokens += outputTokens
+		userStats.CachedTokens += cachedTokens
+		matchedCombination.ByUser[user] = userStats
+	}
+}
+
+func buildCombinationJSON(combinations []CostCombination, aggregateUserCosts map[string]float64) ([]CostCombinationJSON, float64) {
+	result := make([]CostCombinationJSON, len(combinations))
+	var totalCost float64
+
+	for index, combination := range combinations {
+		combinationTotalCost := calculateCost(combination.Total, combination.Model, combination.ServiceTier)
+		totalCost += combinationTotalCost
+
+		combinationJSON := CostCombinationJSON{
+			Model:         combination.Model,
+			ServiceTier:   combination.ServiceTier,
+			WeekStartUnix: combination.WeekStartUnix,
 			Total: UsageStatsJSON{
-				RequestCount: combo.Total.RequestCount,
-				InputTokens:  combo.Total.InputTokens,
-				OutputTokens: combo.Total.OutputTokens,
-				CachedTokens: combo.Total.CachedTokens,
-				CostUSD:      totalCost,
+				RequestCount: combination.Total.RequestCount,
+				InputTokens:  combination.Total.InputTokens,
+				OutputTokens: combination.Total.OutputTokens,
+				CachedTokens: combination.Total.CachedTokens,
+				CostUSD:      combinationTotalCost,
 			},
 			ByUser: make(map[string]UsageStatsJSON),
 		}
 
-		for user, userStats := range combo.ByUser {
-			userCost := calculateCost(userStats, combo.Model)
-			result.Costs.ByUser[user] += userCost
+		for user, userStats := range combination.ByUser {
+			userCost := calculateCost(userStats, combination.Model, combination.ServiceTier)
+			if aggregateUserCosts != nil {
+				aggregateUserCosts[user] += userCost
+			}
 
-			comboJSON.ByUser[user] = UsageStatsJSON{
+			combinationJSON.ByUser[user] = UsageStatsJSON{
 				RequestCount: userStats.RequestCount,
 				InputTokens:  userStats.InputTokens,
 				OutputTokens: userStats.OutputTokens,
@@ -281,12 +822,80 @@ func (u *AggregatedUsage) ToJSON() *AggregatedUsageJSON {
 			}
 		}
 
-		result.Combinations[i] = comboJSON
+		result[index] = combinationJSON
+	}
+
+	return result, roundCost(totalCost)
+}
+
+func formatUTCOffsetLabel(timestamp time.Time) string {
+	_, offsetSeconds := timestamp.Zone()
+	sign := "+"
+	if offsetSeconds < 0 {
+		sign = "-"
+		offsetSeconds = -offsetSeconds
+	}
+	offsetHours := offsetSeconds / 3600
+	offsetMinutes := (offsetSeconds % 3600) / 60
+	if offsetMinutes == 0 {
+		return fmt.Sprintf("UTC%s%d", sign, offsetHours)
+	}
+	return fmt.Sprintf("UTC%s%d:%02d", sign, offsetHours, offsetMinutes)
+}
+
+func formatWeekStartKey(cycleStartAt time.Time) string {
+	localCycleStart := cycleStartAt.In(time.Local)
+	return fmt.Sprintf("%s %s", localCycleStart.Format("2006-01-02 15:04:05"), formatUTCOffsetLabel(localCycleStart))
+}
+
+func buildByWeekCost(combinations []CostCombination) map[string]float64 {
+	byWeek := make(map[string]float64)
+	for _, combination := range combinations {
+		if combination.WeekStartUnix <= 0 {
+			continue
+		}
+		weekStartAt := time.Unix(combination.WeekStartUnix, 0).UTC()
+		weekKey := formatWeekStartKey(weekStartAt)
+		byWeek[weekKey] += calculateCost(combination.Total, combination.Model, combination.ServiceTier)
+	}
+	for weekKey, weekCost := range byWeek {
+		byWeek[weekKey] = roundCost(weekCost)
+	}
+	return byWeek
+}
+
+func deriveWeekStartUnix(cycleHint *WeeklyCycleHint) int64 {
+	if cycleHint == nil || cycleHint.WindowMinutes <= 0 || cycleHint.ResetAt.IsZero() {
+		return 0
+	}
+	windowDuration := time.Duration(cycleHint.WindowMinutes) * time.Minute
+	return cycleHint.ResetAt.UTC().Add(-windowDuration).Unix()
+}
+
+func (u *AggregatedUsage) ToJSON() *AggregatedUsageJSON {
+	u.mutex.Lock()
+	defer u.mutex.Unlock()
+
+	result := &AggregatedUsageJSON{
+		LastUpdated: u.LastUpdated,
+		Costs: CostsSummaryJSON{
+			TotalUSD: 0,
+			ByUser:   make(map[string]float64),
+			ByWeek:   make(map[string]float64),
+		},
+	}
+
+	globalCombinationsJSON, totalCost := buildCombinationJSON(u.Combinations, result.Costs.ByUser)
+	result.Combinations = globalCombinationsJSON
+	result.Costs.TotalUSD = totalCost
+	result.Costs.ByWeek = buildByWeekCost(u.Combinations)
+
+	if len(result.Costs.ByWeek) == 0 {
+		result.Costs.ByWeek = nil
 	}
 
-	result.Costs.TotalUSD = math.Round(result.Costs.TotalUSD*100) / 100
 	for user, cost := range result.Costs.ByUser {
-		result.Costs.ByUser[user] = math.Round(cost*100) / 100
+		result.Costs.ByUser[user] = roundCost(cost)
 	}
 
 	return result
@@ -296,6 +905,9 @@ func (u *AggregatedUsage) Load() error {
 	u.mutex.Lock()
 	defer u.mutex.Unlock()
 
+	u.LastUpdated = time.Time{}
+	u.Combinations = nil
+
 	data, err := os.ReadFile(u.filePath)
 	if err != nil {
 		if os.IsNotExist(err) {
@@ -316,12 +928,7 @@ func (u *AggregatedUsage) Load() error {
 
 	u.LastUpdated = temp.LastUpdated
 	u.Combinations = temp.Combinations
-
-	for i := range u.Combinations {
-		if u.Combinations[i].ByUser == nil {
-			u.Combinations[i].ByUser = make(map[string]UsageStats)
-		}
-	}
+	normalizeCombinations(u.Combinations)
 
 	return nil
 }
@@ -349,47 +956,27 @@ func (u *AggregatedUsage) Save() error {
 	return err
 }
 
-func (u *AggregatedUsage) AddUsage(model string, inputTokens, outputTokens, cachedTokens int64, user string) error {
+func (u *AggregatedUsage) AddUsage(model string, inputTokens, outputTokens, cachedTokens int64, serviceTier string, user string) error {
+	return u.AddUsageWithCycleHint(model, inputTokens, outputTokens, cachedTokens, serviceTier, user, time.Now(), nil)
+}
+
+func (u *AggregatedUsage) AddUsageWithCycleHint(model string, inputTokens, outputTokens, cachedTokens int64, serviceTier string, user string, observedAt time.Time, cycleHint *WeeklyCycleHint) error {
 	if model == "" {
 		return E.New("model cannot be empty")
 	}
 
+	normalizedServiceTier := normalizeServiceTier(serviceTier)
+	if observedAt.IsZero() {
+		observedAt = time.Now()
+	}
+
 	u.mutex.Lock()
 	defer u.mutex.Unlock()
 
-	u.LastUpdated = time.Now()
+	u.LastUpdated = observedAt
+	weekStartUnix := deriveWeekStartUnix(cycleHint)
 
-	var combo *CostCombination
-	for i := range u.Combinations {
-		if u.Combinations[i].Model == model {
-			combo = &u.Combinations[i]
-			break
-		}
-	}
-
-	if combo == nil {
-		newCombo := CostCombination{
-			Model:  model,
-			Total:  UsageStats{},
-			ByUser: make(map[string]UsageStats),
-		}
-		u.Combinations = append(u.Combinations, newCombo)
-		combo = &u.Combinations[len(u.Combinations)-1]
-	}
-
-	combo.Total.RequestCount++
-	combo.Total.InputTokens += inputTokens
-	combo.Total.OutputTokens += outputTokens
-	combo.Total.CachedTokens += cachedTokens
-
-	if user != "" {
-		userStats := combo.ByUser[user]
-		userStats.RequestCount++
-		userStats.InputTokens += inputTokens
-		userStats.OutputTokens += outputTokens
-		userStats.CachedTokens += cachedTokens
-		combo.ByUser[user] = userStats
-	}
+	addUsageToCombinations(&u.Combinations, model, normalizedServiceTier, weekStartUnix, user, inputTokens, outputTokens, cachedTokens)
 
 	go u.scheduleSave()