Bump version

Rename branches and update release workflows
stable-next → oldstable, main-next → stable, dev-next → testing, new unstable
2026-03-05 21:46:27 +08:00 · 2026-03-05 21:12:02 +08:00 · 2026-03-05 20:38:19 +08:00 · 2026-03-04 11:48:22 +08:00 · 2026-03-03 22:06:54 +08:00 · 2026-03-03 21:37:24 +08:00
109 changed files with 2984 additions and 1592 deletions
--- a/.fpm_pacman
+++ b/.fpm_pacman
@@ -0,0 +1,23 @@
 -s dir
 --name sing-box
 --category net
 --license GPL-3.0-or-later
 --description "The universal proxy platform."
 --url "https://sing-box.sagernet.org/"
 --maintainer "nekohasekai <contact-git@sekai.icu>"
 --config-files etc/sing-box/config.json
 --after-install release/config/sing-box.postinst
 release/config/config.json=/etc/sing-box/config.json
 release/config/sing-box.service=/usr/lib/systemd/system/sing-box.service
 release/config/sing-box@.service=/usr/lib/systemd/system/sing-box@.service
 release/config/sing-box.sysusers=/usr/lib/sysusers.d/sing-box.conf
 release/config/sing-box.rules=usr/share/polkit-1/rules.d/sing-box.rules
 release/config/sing-box-split-dns.xml=/usr/share/dbus-1/system.d/sing-box-split-dns.conf
 release/completions/sing-box.bash=/usr/share/bash-completion/completions/sing-box.bash
 release/completions/sing-box.fish=/usr/share/fish/vendor_completions.d/sing-box.fish
 release/completions/sing-box.zsh=/usr/share/zsh/site-functions/_sing-box
 LICENSE=/usr/share/licenses/sing-box/LICENSE
--- a/.github/CRONET_GO_VERSION
+++ b/.github/CRONET_GO_VERSION
@@ -1 +1 @@
-dc1cda1fe28740ba069934ab62aeb8ef85388332
+cba7b9ac0399055aa49fbdc57c03c374f58e1597
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -6,7 +6,7 @@
    ":disableRateLimiting"
  ],
  "baseBranches": [
-    "dev-next"
+    "unstable"
  ],
  "golang": {
    "enabled": false
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -25,8 +25,9 @@ on:
          - publish-android
  push:
    branches:
-      - main-next
+      - stable
-      - dev-next
+      - testing
      - unstable
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}-${{ inputs.build }}
@@ -46,7 +47,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.7
+          go-version: ~1.25.7
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
@@ -85,19 +86,27 @@ jobs:
          - { os: linux, arch: arm, variant: glibc, naive: true, goarm: "7" }
          - { os: linux, arch: arm, variant: musl, naive: true, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }
          - { os: linux, arch: mipsle, gomips: hardfloat, naive: true, variant: glibc }
          - { os: linux, arch: mipsle, gomips: softfloat, naive: true, variant: musl, debian: mipsel, rpm: mipsel, openwrt: "mipsel_24kc mipsel_74kc mipsel_mips32" }
          - { os: linux, arch: mips64le, gomips: hardfloat, naive: true, variant: glibc, debian: mips64el, rpm: mips64el }
          - { os: linux, arch: riscv64, naive: true, variant: glibc }
          - { os: linux, arch: riscv64, naive: true, variant: musl, debian: riscv64, rpm: riscv64, openwrt: "riscv64_generic" }
          - { os: linux, arch: loong64, naive: true, variant: glibc }
          - { os: linux, arch: loong64, naive: true, variant: musl, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }
          - { os: linux, arch: "386", go386: softfloat, openwrt: "i386_pentium-mmx" }
          - { os: linux, arch: arm, goarm: "5", openwrt: "arm_arm926ej-s arm_cortex-a7 arm_cortex-a9 arm_fa526 arm_xscale" }
          - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl, openwrt: "arm_arm1176jzf-s_vfp" }
          - { os: linux, arch: mips, gomips: softfloat, openwrt: "mips_24kc mips_4kec mips_mips32" }
-          - { os: linux, arch: mipsle, gomips: hardfloat, debian: mipsel, rpm: mipsel, openwrt: "mipsel_24kc_24kf" }
+          - { os: linux, arch: mipsle, gomips: hardfloat, openwrt: "mipsel_24kc_24kf" }
-          - { os: linux, arch: mipsle, gomips: softfloat, openwrt: "mipsel_24kc mipsel_74kc mipsel_mips32" }
+          - { os: linux, arch: mipsle, gomips: softfloat }
          - { os: linux, arch: mips64, gomips: softfloat, openwrt: "mips64_mips64r2 mips64_octeonplus" }
-          - { os: linux, arch: mips64le, gomips: hardfloat, debian: mips64el, rpm: mips64el }
+          - { os: linux, arch: mips64le, gomips: hardfloat }
          - { os: linux, arch: mips64le, gomips: softfloat, openwrt: "mips64el_mips64r2" }
          - { os: linux, arch: s390x, debian: s390x, rpm: s390x }
          - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
-          - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64, openwrt: "riscv64_generic" }
+          - { os: linux, arch: riscv64 }
-          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }
+          - { os: linux, arch: loong64 }
          - { os: windows, arch: amd64, legacy_win7: true, legacy_name: "windows-7" }
          - { os: windows, arch: "386", legacy_win7: true, legacy_name: "windows-7" }
@@ -115,7 +124,7 @@ jobs:
        if: ${{ ! (matrix.legacy_win7 || matrix.legacy_go124) }}
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.7
+          go-version: ~1.25.7
      - name: Setup Go 1.24
        if: matrix.legacy_go124
        uses: actions/setup-go@v5
@@ -154,14 +163,23 @@ jobs:
          git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
          git -C ~/cronet-go checkout FETCH_HEAD
          git -C ~/cronet-go submodule update --init --recursive --depth=1
      - name: Regenerate Debian keyring
        if: matrix.naive
        run: |
          set -xeuo pipefail
          rm -f ~/cronet-go/naiveproxy/src/build/linux/sysroot_scripts/keyring.gpg
          cd ~/cronet-go
          GPG_TTY=/dev/null ./naiveproxy/src/build/linux/sysroot_scripts/generate_keyring.sh
      - name: Cache Chromium toolchain
        if: matrix.naive
        id: cache-chromium-toolchain
        uses: actions/cache@v4
        with:
          path: |
-            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/
-            ~/cronet-go/naiveproxy/src/out/sysroot-build
+            ~/cronet-go/naiveproxy/src/gn/out/
            ~/cronet-go/naiveproxy/src/chrome/build/pgo_profiles/
            ~/cronet-go/naiveproxy/src/out/sysroot-build/
          key: chromium-toolchain-${{ matrix.arch }}-${{ matrix.variant }}-${{ hashFiles('.github/CRONET_GO_VERSION') }}
      - name: Download Chromium toolchain
        if: matrix.naive
@@ -190,9 +208,10 @@ jobs:
      - name: Set build tags
        run: |
          set -xeuo pipefail
          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
          if [[ "${{ matrix.naive }}" == "true" ]]; then
-            TAGS="${TAGS},with_naive_outbound"
+            TAGS=$(cat release/DEFAULT_BUILD_TAGS)
          else
            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
          fi
          if [[ "${{ matrix.variant }}" == "purego" ]]; then
            TAGS="${TAGS},with_purego"
@@ -200,13 +219,16 @@ jobs:
            TAGS="${TAGS},with_musl"
          fi
          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
      - name: Set shared ldflags
        run: |
          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
      - name: Build (purego)
        if: matrix.variant == 'purego'
        run: |
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "0"
@@ -228,7 +250,7 @@ jobs:
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "1"
@@ -236,6 +258,8 @@ jobs:
          GOARCH: ${{ matrix.arch }}
          GO386: ${{ matrix.go386 }}
          GOARM: ${{ matrix.goarm }}
          GOMIPS: ${{ matrix.gomips }}
          GOMIPS64: ${{ matrix.gomips }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Build (musl)
        if: matrix.variant == 'musl'
@@ -243,7 +267,7 @@ jobs:
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "1"
@@ -251,6 +275,8 @@ jobs:
          GOARCH: ${{ matrix.arch }}
          GO386: ${{ matrix.go386 }}
          GOARM: ${{ matrix.goarm }}
          GOMIPS: ${{ matrix.gomips }}
          GOMIPS64: ${{ matrix.gomips }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Build (non-variant)
        if: matrix.os != 'android' && matrix.variant == ''
@@ -258,7 +284,7 @@ jobs:
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "0"
@@ -278,7 +304,7 @@ jobs:
          export CXX="${CC}++"
          mkdir -p dist
          GOOS=$BUILD_GOOS GOARCH=$BUILD_GOARCH build go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "1"
@@ -352,7 +378,7 @@ jobs:
          sudo gem install fpm
          sudo apt-get update
          sudo apt-get install -y libarchive-tools
-          cp .fpm_systemd .fpm
+          cp .fpm_pacman .fpm
          fpm -t pacman \
            -v "$PKG_VERSION" \
            -p "dist/sing-box_${{ needs.calculate_version.outputs.version }}_${{ matrix.os }}_${{ matrix.pacman }}.pkg.tar.zst" \
@@ -431,17 +457,21 @@ jobs:
      - name: Set build tags
        run: |
          set -xeuo pipefail
          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
          if [[ "${{ matrix.legacy_go124 }}" != "true" ]]; then
-            TAGS="${TAGS},with_naive_outbound"
+            TAGS=$(cat release/DEFAULT_BUILD_TAGS)
          else
            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
          fi
          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
      - name: Set shared ldflags
        run: |
          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
      - name: Build
        run: |
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "1"
@@ -499,9 +529,11 @@ jobs:
      - name: Build
        if: matrix.naive
        run: |
          $TAGS = Get-Content release/DEFAULT_BUILD_TAGS_WINDOWS
          $LDFLAGS_SHARED = Get-Content release/LDFLAGS
          mkdir -p dist
-          go build -v -trimpath -o dist/sing-box.exe -tags "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,with_naive_outbound,with_purego,badlinkname,tfogo_checklinkname0" `
+          go build -v -trimpath -o dist/sing-box.exe -tags "$TAGS" `
-          -ldflags "-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0" `
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' $LDFLAGS_SHARED -s -w -buildid=" `
          ./cmd/sing-box
        env:
          CGO_ENABLED: "0"
@@ -511,9 +543,11 @@ jobs:
      - name: Build
        if: ${{ !matrix.naive }}
        run: |
          $TAGS = Get-Content release/DEFAULT_BUILD_TAGS_OTHERS
          $LDFLAGS_SHARED = Get-Content release/LDFLAGS
          mkdir -p dist
-          go build -v -trimpath -o dist/sing-box.exe -tags "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0" `
+          go build -v -trimpath -o dist/sing-box.exe -tags "$TAGS" `
-          -ldflags "-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0" `
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' $LDFLAGS_SHARED -s -w -buildid=" `
          ./cmd/sing-box
        env:
          CGO_ENABLED: "0"
@@ -558,7 +592,7 @@ jobs:
          path: "dist"
  build_android:
    name: Build Android
-    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android'
+    if: (github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android') && github.ref != 'refs/heads/oldstable'
    runs-on: ubuntu-latest
    needs:
      - calculate_version
@@ -571,7 +605,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.7
+          go-version: ~1.25.7
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
@@ -594,12 +628,12 @@ jobs:
          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
      - name: Checkout main branch
-        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        if: github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
        run: |-
          cd clients/android
          git checkout main
      - name: Checkout dev branch
-        if: github.ref == 'refs/heads/dev-next'
+        if: github.ref == 'refs/heads/testing'
        run: |-
          cd clients/android
          git checkout dev
@@ -648,7 +682,7 @@ jobs:
          path: 'dist'
  publish_android:
    name: Publish Android
-    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android'
+    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android' && github.ref != 'refs/heads/oldstable'
    runs-on: ubuntu-latest
    needs:
      - calculate_version
@@ -661,7 +695,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.7
+          go-version: ~1.25.7
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
@@ -684,12 +718,12 @@ jobs:
          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
      - name: Checkout main branch
-        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        if: github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
        run: |-
          cd clients/android
          git checkout main
      - name: Checkout dev branch
-        if: github.ref == 'refs/heads/dev-next'
+        if: github.ref == 'refs/heads/testing'
        run: |-
          cd clients/android
          git checkout dev
@@ -760,7 +794,7 @@ jobs:
        if: matrix.if
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.7
+          go-version: ~1.25.7
      - name: Set tag
        if: matrix.if
        run: |-
@@ -768,12 +802,12 @@ jobs:
          git tag v${{ needs.calculate_version.outputs.version }} -f
          echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
      - name: Checkout main branch
-        if: matrix.if && github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        if: matrix.if && github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
        run: |-
          cd clients/apple
          git checkout main
      - name: Checkout dev branch
-        if: matrix.if && github.ref == 'refs/heads/dev-next'
+        if: matrix.if && github.ref == 'refs/heads/testing'
        run: |-
          cd clients/apple
          git checkout dev
@@ -859,7 +893,7 @@ jobs:
            -authenticationKeyID $ASC_KEY_ID \
            -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
      - name: Publish to TestFlight
-        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/dev-next'
+        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/testing'
        run: |-
          go run -v ./cmd/internal/app_store_connect publish_testflight ${{ matrix.platform }}
      - name: Build image
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -3,8 +3,8 @@ name: Publish Docker Images
 on:
  #push:
  #  branches:
-  #    - main-next
+  #    - stable
-  #    - dev-next
+  #    - testing
  release:
    types:
      - published
@@ -19,6 +19,7 @@ env:
 jobs:
  build_binary:
    name: Build binary
    if: github.event_name != 'release' || github.event.release.target_commitish != 'oldstable'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: true
@@ -29,10 +30,12 @@ jobs:
          - { arch: arm64, naive: true, docker_platform: "linux/arm64" }
          - { arch: "386", naive: true, docker_platform: "linux/386" }
          - { arch: arm, goarm: "7", naive: true, docker_platform: "linux/arm/v7" }
          - { arch: mipsle, gomips: softfloat, naive: true, docker_platform: "linux/mipsle" }
          - { arch: riscv64, naive: true, docker_platform: "linux/riscv64" }
          - { arch: loong64, naive: true, docker_platform: "linux/loong64" }
          # Non-naive builds
          - { arch: arm, goarm: "6", docker_platform: "linux/arm/v6" }
          - { arch: ppc64le, docker_platform: "linux/ppc64le" }
          - { arch: riscv64, docker_platform: "linux/riscv64" }
          - { arch: s390x, docker_platform: "linux/s390x" }
    steps:
      - name: Get commit to build
@@ -53,7 +56,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.4
+          go-version: ~1.25.7
      - name: Clone cronet-go
        if: matrix.naive
        run: |
@@ -64,14 +67,23 @@ jobs:
          git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
          git -C ~/cronet-go checkout FETCH_HEAD
          git -C ~/cronet-go submodule update --init --recursive --depth=1
      - name: Regenerate Debian keyring
        if: matrix.naive
        run: |
          set -xeuo pipefail
          rm -f ~/cronet-go/naiveproxy/src/build/linux/sysroot_scripts/keyring.gpg
          cd ~/cronet-go
          GPG_TTY=/dev/null ./naiveproxy/src/build/linux/sysroot_scripts/generate_keyring.sh
      - name: Cache Chromium toolchain
        if: matrix.naive
        id: cache-chromium-toolchain
        uses: actions/cache@v4
        with:
          path: |
-            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/
-            ~/cronet-go/naiveproxy/src/out/sysroot-build
+            ~/cronet-go/naiveproxy/src/gn/out/
            ~/cronet-go/naiveproxy/src/chrome/build/pgo_profiles/
            ~/cronet-go/naiveproxy/src/out/sysroot-build/
          key: chromium-toolchain-${{ matrix.arch }}-musl-${{ hashFiles('.github/CRONET_GO_VERSION') }}
      - name: Download Chromium toolchain
        if: matrix.naive
@@ -93,29 +105,34 @@ jobs:
      - name: Set build tags
        run: |
          set -xeuo pipefail
          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
          if [[ "${{ matrix.naive }}" == "true" ]]; then
-            TAGS="${TAGS},with_naive_outbound,with_musl"
+            TAGS="$(cat release/DEFAULT_BUILD_TAGS),with_musl"
          else
            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
          fi
          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
      - name: Set shared ldflags
        run: |
          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
      - name: Build (naive)
        if: matrix.naive
        run: |
          set -xeuo pipefail
          go build -v -trimpath -o sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=${VERSION}\" -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0" \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${VERSION}' ${LDFLAGS_SHARED} -s -w -buildid=" \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "1"
          GOOS: linux
          GOARCH: ${{ matrix.arch }}
          GOARM: ${{ matrix.goarm }}
          GOMIPS: ${{ matrix.gomips }}
      - name: Build (non-naive)
        if: ${{ ! matrix.naive }}
        run: |
          set -xeuo pipefail
          go build -v -trimpath -o sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=${VERSION}\" -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0" \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${VERSION}' ${LDFLAGS_SHARED} -s -w -buildid=" \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "0"
@@ -148,15 +165,17 @@ jobs:
    strategy:
      fail-fast: true
      matrix:
-        platform:
+        include:
-          - linux/amd64
+          - { platform: "linux/amd64" }
-          - linux/arm/v6
+          - { platform: "linux/arm/v6" }
-          - linux/arm/v7
+          - { platform: "linux/arm/v7" }
-          - linux/arm64
+          - { platform: "linux/arm64" }
-          - linux/386
+          - { platform: "linux/386" }
-          - linux/ppc64le
+          # mipsle: no base Docker image available for this platform
-          - linux/riscv64
+          - { platform: "linux/ppc64le" }
-          - linux/s390x
+          - { platform: "linux/riscv64" }
          - { platform: "linux/s390x" }
          - { platform: "linux/loong64", base_image: "ghcr.io/loong64/alpine:edge" }
    steps:
      - name: Get commit to build
        id: ref
@@ -209,6 +228,8 @@ jobs:
          platforms: ${{ matrix.platform }}
          context: .
          file: Dockerfile.binary
          build-args: |
            BASE_IMAGE=${{ matrix.base_image || 'alpine' }}
          labels: ${{ steps.meta.outputs.labels }}
          outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
      - name: Export digest
@@ -224,6 +245,7 @@ jobs:
          if-no-files-found: error
          retention-days: 1
  merge:
    if: github.event_name != 'push'
    runs-on: ubuntu-latest
    needs:
      - build_docker
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -3,18 +3,20 @@ name: Lint
 on:
  push:
    branches:
-      - stable-next
+      - oldstable
-      - main-next
+      - stable
-      - dev-next
+      - testing
      - unstable
    paths-ignore:
      - '**.md'
      - '.github/**'
      - '!.github/workflows/lint.yml'
  pull_request:
    branches:
-      - stable-next
+      - oldstable
-      - main-next
+      - stable
-      - dev-next
+      - testing
      - unstable
 jobs:
  build:
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -3,8 +3,8 @@ name: Build Linux Packages
 on:
  #push:
  #  branches:
-  #    - main-next
+  #    - stable
-  #    - dev-next
+  #    - testing
  workflow_dispatch:
    inputs:
      version:
@@ -23,6 +23,7 @@ on:
 jobs:
  calculate_version:
    name: Calculate version
    if: github.event_name != 'release' || github.event.release.target_commitish != 'oldstable'
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.outputs.outputs.version }}
@@ -34,7 +35,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.7
+          go-version: ~1.25.7
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
@@ -61,14 +62,14 @@ jobs:
          - { os: linux, arch: arm64, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64 }
          - { os: linux, arch: "386", naive: true, debian: i386, rpm: i386 }
          - { os: linux, arch: arm, goarm: "7", naive: true, debian: armhf, rpm: armv7hl, pacman: armv7hl }
          - { os: linux, arch: mipsle, gomips: softfloat, naive: true, debian: mipsel, rpm: mipsel }
          - { os: linux, arch: riscv64, naive: true, debian: riscv64, rpm: riscv64 }
          - { os: linux, arch: loong64, naive: true, debian: loongarch64, rpm: loongarch64 }
          # Non-naive builds (unsupported architectures)
          - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl }
          - { os: linux, arch: mips64le, debian: mips64el, rpm: mips64el }
          - { os: linux, arch: mipsle, debian: mipsel, rpm: mipsel }
          - { os: linux, arch: s390x, debian: s390x, rpm: s390x }
          - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
          - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64 }
          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64 }
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
@@ -77,7 +78,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.7
+          go-version: ~1.25.7
      - name: Clone cronet-go
        if: matrix.naive
        run: |
@@ -88,14 +89,23 @@ jobs:
          git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
          git -C ~/cronet-go checkout FETCH_HEAD
          git -C ~/cronet-go submodule update --init --recursive --depth=1
      - name: Regenerate Debian keyring
        if: matrix.naive
        run: |
          set -xeuo pipefail
          rm -f ~/cronet-go/naiveproxy/src/build/linux/sysroot_scripts/keyring.gpg
          cd ~/cronet-go
          GPG_TTY=/dev/null ./naiveproxy/src/build/linux/sysroot_scripts/generate_keyring.sh
      - name: Cache Chromium toolchain
        if: matrix.naive
        id: cache-chromium-toolchain
        uses: actions/cache@v4
        with:
          path: |
-            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/
-            ~/cronet-go/naiveproxy/src/out/sysroot-build
+            ~/cronet-go/naiveproxy/src/gn/out/
            ~/cronet-go/naiveproxy/src/chrome/build/pgo_profiles/
            ~/cronet-go/naiveproxy/src/out/sysroot-build/
          key: chromium-toolchain-${{ matrix.arch }}-musl-${{ hashFiles('.github/CRONET_GO_VERSION') }}
      - name: Download Chromium toolchain
        if: matrix.naive
@@ -116,24 +126,30 @@ jobs:
      - name: Set build tags
        run: |
          set -xeuo pipefail
          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
          if [[ "${{ matrix.naive }}" == "true" ]]; then
-            TAGS="${TAGS},with_naive_outbound,with_musl"
+            TAGS="$(cat release/DEFAULT_BUILD_TAGS),with_musl"
          else
            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
          fi
          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
      - name: Set shared ldflags
        run: |
          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
      - name: Build (naive)
        if: matrix.naive
        run: |
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "1"
          GOOS: linux
          GOARCH: ${{ matrix.arch }}
          GOARM: ${{ matrix.goarm }}
          GOMIPS: ${{ matrix.gomips }}
          GOMIPS64: ${{ matrix.gomips }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Build (non-naive)
        if: ${{ ! matrix.naive }}
@@ -141,7 +157,7 @@ jobs:
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "0"
--- a/.gitignore
+++ b/.gitignore
@@ -12,6 +12,9 @@
 /*.jar
 /*.aar
 /*.xcframework/
 /experimental/libbox/*.aar
 /experimental/libbox/*.xcframework/
 /experimental/libbox/*.nupkg
 .DS_Store
 /config.d/
 /venv/
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -9,6 +9,11 @@ run:
    - with_utls
    - with_acme
    - with_clash_api
    - with_tailscale
    - with_ccm
    - with_ocm
    - badlinkname
    - tfogo_checklinkname0
 linters:
  default: none
  enable:
--- a/7
+++ b/7
@@ -12,10 +12,11 @@ RUN set -ex \
    && apk add git build-base \
    && export COMMIT=$(git rev-parse --short HEAD) \
    && export VERSION=$(go run ./cmd/internal/read_tag) \
-    && go build -v -trimpath -tags \
+    && export TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS) \
-        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0" \
+    && export LDFLAGS_SHARED=$(cat release/LDFLAGS) \
    && go build -v -trimpath -tags "$TAGS" \
        -o /go/bin/sing-box \
-        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0" \
+        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" $LDFLAGS_SHARED -s -w -buildid=" \
        ./cmd/sing-box
 FROM --platform=$TARGETPLATFORM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
--- a/Dockerfile.binary
+++ b/Dockerfile.binary
@@ -1,8 +1,14 @@
-FROM alpine
+ARG BASE_IMAGE=alpine
 FROM ${BASE_IMAGE}
 ARG TARGETARCH
 ARG TARGETVARIANT
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 RUN set -ex \
-    && apk add --no-cache --upgrade bash tzdata ca-certificates nftables
+    && if command -v apk > /dev/null; then \
        apk add --no-cache --upgrade bash tzdata ca-certificates nftables; \
    else \
        apt-get update && apt-get install -y --no-install-recommends bash tzdata ca-certificates nftables \
        && rm -rf /var/lib/apt/lists/*; \
    fi
 COPY sing-box-${TARGETARCH}${TARGETVARIANT} /usr/local/bin/sing-box
 ENTRYPOINT ["sing-box"]
--- a/22
+++ b/22
@@ -1,15 +1,18 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS ?= with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0
+TAGS ?= $(shell cat release/DEFAULT_BUILD_TAGS_OTHERS)
 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
 VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest)
-PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0"
+LDFLAGS_SHARED = $(shell cat release/LDFLAGS)
 PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' $(LDFLAGS_SHARED) -s -w -buildid="
 MAIN_PARAMS = $(PARAMS) -tags "$(TAGS)"
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
 SING_FFI ?= sing-ffi
 LIBBOX_FFI_CONFIG ?= ./experimental/libbox/ffi.json
 .PHONY: test release docs build
@@ -237,15 +240,18 @@ lib_android:
 lib_apple:
 	go run ./cmd/internal/build_libbox -target apple
 lib_windows:
 	$(SING_FFI) generate --config $(LIBBOX_FFI_CONFIG) --platform-type csharp
 lib_android_new:
-	go run ./cmd/internal/build_libbox_newffi -target android
+	$(SING_FFI) generate --config $(LIBBOX_FFI_CONFIG) --platform-type android
 lib_apple_new:
-	go run ./cmd/internal/build_libbox_newffi -target apple
+	$(SING_FFI) generate --config $(LIBBOX_FFI_CONFIG) --platform-type apple
 lib_install:
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.11
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.12
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.11
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.12
 docs:
 	venv/bin/mkdocs serve
@@ -254,8 +260,8 @@ publish_docs:
 	venv/bin/mkdocs gh-deploy -m "Update" --force --ignore-version --no-history
 docs_install:
-	python -m venv venv
+	python3 -m venv venv
-	source ./venv/bin/activate && pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"
+	source ./venv/bin/activate && pip install --force-reinstall mkdocs-material=="9.7.2" mkdocs-static-i18n=="1.2.*"
 clean:
 	rm -rf bin dist sing-box
--- a/adapter/connections.go
+++ b/adapter/connections.go
@@ -9,6 +9,10 @@ import (
 type ConnectionManager interface {
 	Lifecycle
 	Count() int
 	CloseAll()
 	TrackConn(conn net.Conn) net.Conn
 	TrackPacketConn(conn net.PacketConn) net.PacketConn
 	NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata InboundContext, onClose N.CloseHandlerFunc)
 	NewPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn, metadata InboundContext, onClose N.CloseHandlerFunc)
 }
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -62,13 +62,10 @@ type InboundContext struct {
 	// cache
 	// Deprecated: implement in rule action
-	InboundDetour            string
+	InboundDetour             string
-	LastInbound              string
+	LastInbound               string
-	OriginDestination        M.Socksaddr
+	OriginDestination         M.Socksaddr
-	RouteOriginalDestination M.Socksaddr
+	RouteOriginalDestination  M.Socksaddr
 	// Deprecated: to be removed
 	//nolint:staticcheck
 	InboundOptions            option.InboundOptions
 	UDPDisableDomainUnmapping bool
 	UDPConnect                bool
 	UDPTimeout                time.Duration
--- a/box.go
+++ b/box.go
@@ -125,7 +125,10 @@ func New(options Options) (*Box, error) {
 	ctx = pause.WithDefaultManager(ctx)
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
-	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
+	err := applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
 	if err != nil {
 		return nil, err
 	}
 	var needCacheFile bool
 	var needClashAPI bool
 	var needV2RayAPI bool
--- a/clients/android
+++ b/clients/android
--- a/clients/apple
+++ b/clients/apple
--- a/cmd/internal/build_libbox/main.go
+++ b/cmd/internal/build_libbox/main.go
@@ -63,7 +63,7 @@ func init() {
 	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid=  -checklinkname=0")
 	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0")
-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_naive_outbound", "with_clash_api", "with_conntrack", "badlinkname", "tfogo_checklinkname0")
+	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_naive_outbound", "with_clash_api", "badlinkname", "tfogo_checklinkname0")
 	darwinTags = append(darwinTags, "with_dhcp", "grpcnotrace")
 	// memcTags = append(memcTags, "with_tailscale")
 	sharedTags = append(sharedTags, "with_tailscale", "ts_omit_logtail", "ts_omit_ssh", "ts_omit_drive", "ts_omit_taildrop", "ts_omit_webclient", "ts_omit_doctor", "ts_omit_capture", "ts_omit_kube", "ts_omit_aws", "ts_omit_synology", "ts_omit_bird")
--- a/cmd/internal/build_libbox_newffi/main.go
+++ b/cmd/internal/build_libbox_newffi/main.go
@@ -1,93 +0,0 @@
 package main
 import (
 	"flag"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common/rw"
 )
 var target string
 func init() {
 	flag.StringVar(&target, "target", "android", "target platform (android or apple)")
 }
 func main() {
 	flag.Parse()
 	args := []string{
 		"generate",
 		"-v",
 		"--config", "experimental/libbox/ffi.json",
 		"--platform-type", target,
 	}
 	command := exec.Command("sing-ffi", args...)
 	command.Stdout = os.Stdout
 	command.Stderr = os.Stderr
 	err := command.Run()
 	if err != nil {
 		log.Fatal(err)
 	}
 	copyArtifacts(target)
 }
 func copyArtifacts(target string) {
 	switch target {
 	case "android":
 		copyPath := filepath.Join("..", "sing-box-for-android", "app", "libs")
 		if rw.IsDir(copyPath) {
 			copyPath, _ = filepath.Abs(copyPath)
 			for _, name := range []string{"libbox.aar", "libbox-legacy.aar"} {
 				artifactPath, found := findArtifactPath(name)
 				if !found {
 					continue
 				}
 				targetPath := filepath.Join(target, artifactPath)
 				os.RemoveAll(targetPath)
 				err := os.Rename(artifactPath, targetPath)
 				if err != nil {
 					log.Fatal(err)
 				}
 				log.Info("copied ", name, " to ", copyPath)
 			}
 		}
 	case "apple":
 		copyPath := filepath.Join("..", "sing-box-for-apple")
 		if rw.IsDir(copyPath) {
 			sourceDir, found := findArtifactPath("Libbox.xcframework")
 			if !found {
 				log.Fatal("Libbox.xcframework not found in current directory or experimental/libbox")
 			}
 			targetDir := filepath.Join(copyPath, "Libbox.xcframework")
 			targetDir, _ = filepath.Abs(targetDir)
 			err := os.RemoveAll(targetDir)
 			if err != nil {
 				log.Fatal(err)
 			}
 			err = os.Rename(sourceDir, targetDir)
 			if err != nil {
 				log.Fatal(err)
 			}
 			log.Info("copied ", sourceDir, " to ", targetDir)
 		}
 	}
 }
 func findArtifactPath(name string) (string, bool) {
 	candidates := []string{
 		name,
 		filepath.Join("experimental", "libbox", name),
 	}
 	for _, candidate := range candidates {
 		if rw.IsFile(candidate) || rw.IsDir(candidate) {
 			return candidate, true
 		}
 	}
 	return "", false
 }
--- a/cmd/internal/update_apple_version/main.go
+++ b/cmd/internal/update_apple_version/main.go
@@ -71,12 +71,12 @@ func findAndReplace(objectsMap map[string]any, projectContent string, bundleIDLi
 		indexEnd := indexStart + strings.Index(projectContent[indexStart:], "}")
 		versionStart := indexStart + strings.Index(projectContent[indexStart:indexEnd], "MARKETING_VERSION = ") + 20
 		versionEnd := versionStart + strings.Index(projectContent[versionStart:indexEnd], ";")
-		version := projectContent[versionStart:versionEnd]
+		version := strings.Trim(projectContent[versionStart:versionEnd], "\"")
 		if version == newVersion {
 			continue
 		}
 		updated = true
-		projectContent = projectContent[:versionStart] + newVersion + projectContent[versionEnd:]
+		projectContent = projectContent[:versionStart] + "\"" + newVersion + "\"" + projectContent[versionEnd:]
 	}
 	return projectContent, updated
 }
--- a/common/conntrack/conn.go
+++ b/common/conntrack/conn.go
@@ -1,54 +0,0 @@
 package conntrack
 import (
 	"io"
 	"net"
 	"github.com/sagernet/sing/common/x/list"
 )
 type Conn struct {
 	net.Conn
 	element *list.Element[io.Closer]
 }
 func NewConn(conn net.Conn) (net.Conn, error) {
 	connAccess.Lock()
 	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
 	if KillerEnabled {
 		err := KillerCheck()
 		if err != nil {
 			conn.Close()
 			return nil, err
 		}
 	}
 	return &Conn{
 		Conn:    conn,
 		element: element,
 	}, nil
 }
 func (c *Conn) Close() error {
 	if c.element.Value != nil {
 		connAccess.Lock()
 		if c.element.Value != nil {
 			openConnection.Remove(c.element)
 			c.element.Value = nil
 		}
 		connAccess.Unlock()
 	}
 	return c.Conn.Close()
 }
 func (c *Conn) Upstream() any {
 	return c.Conn
 }
 func (c *Conn) ReaderReplaceable() bool {
 	return true
 }
 func (c *Conn) WriterReplaceable() bool {
 	return true
 }
--- a/common/conntrack/killer.go
+++ b/common/conntrack/killer.go
@@ -1,35 +0,0 @@
 package conntrack
 import (
 	runtimeDebug "runtime/debug"
 	"time"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/memory"
 )
 var (
 	KillerEnabled   bool
 	MemoryLimit     uint64
 	killerLastCheck time.Time
 )
 func KillerCheck() error {
 	if !KillerEnabled {
 		return nil
 	}
 	nowTime := time.Now()
 	if nowTime.Sub(killerLastCheck) < 3*time.Second {
 		return nil
 	}
 	killerLastCheck = nowTime
 	if memory.Total() > MemoryLimit {
 		Close()
 		go func() {
 			time.Sleep(time.Second)
 			runtimeDebug.FreeOSMemory()
 		}()
 		return E.New("out of memory")
 	}
 	return nil
 }
--- a/common/conntrack/packet_conn.go
+++ b/common/conntrack/packet_conn.go
@@ -1,55 +0,0 @@
 package conntrack
 import (
 	"io"
 	"net"
 	"github.com/sagernet/sing/common/bufio"
 	"github.com/sagernet/sing/common/x/list"
 )
 type PacketConn struct {
 	net.PacketConn
 	element *list.Element[io.Closer]
 }
 func NewPacketConn(conn net.PacketConn) (net.PacketConn, error) {
 	connAccess.Lock()
 	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
 	if KillerEnabled {
 		err := KillerCheck()
 		if err != nil {
 			conn.Close()
 			return nil, err
 		}
 	}
 	return &PacketConn{
 		PacketConn: conn,
 		element:    element,
 	}, nil
 }
 func (c *PacketConn) Close() error {
 	if c.element.Value != nil {
 		connAccess.Lock()
 		if c.element.Value != nil {
 			openConnection.Remove(c.element)
 			c.element.Value = nil
 		}
 		connAccess.Unlock()
 	}
 	return c.PacketConn.Close()
 }
 func (c *PacketConn) Upstream() any {
 	return bufio.NewPacketConn(c.PacketConn)
 }
 func (c *PacketConn) ReaderReplaceable() bool {
 	return true
 }
 func (c *PacketConn) WriterReplaceable() bool {
 	return true
 }
--- a/common/conntrack/track.go
+++ b/common/conntrack/track.go
@@ -1,47 +0,0 @@
 package conntrack
 import (
 	"io"
 	"sync"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/x/list"
 )
 var (
 	connAccess     sync.RWMutex
 	openConnection list.List[io.Closer]
 )
 func Count() int {
 	if !Enabled {
 		return 0
 	}
 	return openConnection.Len()
 }
 func List() []io.Closer {
 	if !Enabled {
 		return nil
 	}
 	connAccess.RLock()
 	defer connAccess.RUnlock()
 	connList := make([]io.Closer, 0, openConnection.Len())
 	for element := openConnection.Front(); element != nil; element = element.Next() {
 		connList = append(connList, element.Value)
 	}
 	return connList
 }
 func Close() {
 	if !Enabled {
 		return
 	}
 	connAccess.Lock()
 	defer connAccess.Unlock()
 	for element := openConnection.Front(); element != nil; element = element.Next() {
 		common.Close(element.Value)
 		element.Value = nil
 	}
 	openConnection.Init()
 }
--- a/common/conntrack/track_disable.go
+++ b/common/conntrack/track_disable.go
@@ -1,5 +0,0 @@
 //go:build !with_conntrack
 package conntrack
 const Enabled = false
--- a/common/conntrack/track_enable.go
+++ b/common/conntrack/track_enable.go
@@ -1,5 +0,0 @@
 //go:build with_conntrack
 package conntrack
 const Enabled = true
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -9,7 +9,6 @@ import (
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/listener"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
@@ -37,6 +36,7 @@ type DefaultDialer struct {
 	udpAddr4               string
 	udpAddr6               string
 	netns                  string
 	connectionManager      adapter.ConnectionManager
 	networkManager         adapter.NetworkManager
 	networkStrategy        *C.NetworkStrategy
 	defaultNetworkStrategy bool
@@ -47,6 +47,7 @@ type DefaultDialer struct {
 }
 func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDialer, error) {
 	connectionManager := service.FromContext[adapter.ConnectionManager](ctx)
 	networkManager := service.FromContext[adapter.NetworkManager](ctx)
 	platformInterface := service.FromContext[adapter.PlatformInterface](ctx)
@@ -89,7 +90,7 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 	if networkManager != nil {
 		defaultOptions := networkManager.DefaultOptions()
-		if defaultOptions.BindInterface != "" {
+		if defaultOptions.BindInterface != "" && !disableDefaultBind {
 			bindFunc := control.BindToInterface(networkManager.InterfaceFinder(), defaultOptions.BindInterface, -1)
 			dialer.Control = control.Append(dialer.Control, bindFunc)
 			listener.Control = control.Append(listener.Control, bindFunc)
@@ -157,8 +158,11 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		if keepInterval == 0 {
 			keepInterval = C.TCPKeepAliveInterval
 		}
-		dialer.KeepAlive = keepIdle
+		dialer.KeepAliveConfig = net.KeepAliveConfig{
-		dialer.Control = control.Append(dialer.Control, control.SetKeepAlivePeriod(keepIdle, keepInterval))
+			Enable:   true,
 			Idle:     keepIdle,
 			Interval: keepInterval,
 		}
 	}
 	var udpFragment bool
 	if options.UDPFragment != nil {
@@ -206,6 +210,7 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		udpAddr4:               udpAddr4,
 		udpAddr6:               udpAddr6,
 		netns:                  options.NetNs,
 		connectionManager:      connectionManager,
 		networkManager:         networkManager,
 		networkStrategy:        networkStrategy,
 		defaultNetworkStrategy: defaultNetworkStrategy,
@@ -238,7 +243,7 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 		return nil, E.New("domain not resolved")
 	}
 	if d.networkStrategy == nil {
-		return trackConn(listener.ListenNetworkNamespace[net.Conn](d.netns, func() (net.Conn, error) {
+		return d.trackConn(listener.ListenNetworkNamespace[net.Conn](d.netns, func() (net.Conn, error) {
 			switch N.NetworkName(network) {
 			case N.NetworkUDP:
 				if !address.IsIPv6() {
@@ -303,12 +308,12 @@ func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network strin
 	if !fastFallback && !isPrimary {
 		d.networkLastFallback.Store(time.Now())
 	}
-	return trackConn(conn, nil)
+	return d.trackConn(conn, nil)
 }
 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	if d.networkStrategy == nil {
-		return trackPacketConn(listener.ListenNetworkNamespace[net.PacketConn](d.netns, func() (net.PacketConn, error) {
+		return d.trackPacketConn(listener.ListenNetworkNamespace[net.PacketConn](d.netns, func() (net.PacketConn, error) {
 			if destination.IsIPv6() {
 				return d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6)
 			} else if destination.IsIPv4() && !destination.Addr.IsUnspecified() {
@@ -360,23 +365,23 @@ func (d *DefaultDialer) ListenSerialInterfacePacket(ctx context.Context, destina
 			return nil, err
 		}
 	}
-	return trackPacketConn(packetConn, nil)
+	return d.trackPacketConn(packetConn, nil)
 }
 func (d *DefaultDialer) WireGuardControl() control.Func {
 	return d.udpListener.Control
 }
-func trackConn(conn net.Conn, err error) (net.Conn, error) {
+func (d *DefaultDialer) trackConn(conn net.Conn, err error) (net.Conn, error) {
-	if !conntrack.Enabled || err != nil {
+	if d.connectionManager == nil || err != nil {
 		return conn, err
 	}
-	return conntrack.NewConn(conn)
+	return d.connectionManager.TrackConn(conn), nil
 }
-func trackPacketConn(conn net.PacketConn, err error) (net.PacketConn, error) {
+func (d *DefaultDialer) trackPacketConn(conn net.PacketConn, err error) (net.PacketConn, error) {
-	if !conntrack.Enabled || err != nil {
+	if d.connectionManager == nil || err != nil {
 		return conn, err
 	}
-	return conntrack.NewPacketConn(conn)
+	return d.connectionManager.TrackPacketConn(conn), nil
 }
--- a/common/dialer/dialer.go
+++ b/common/dialer/dialer.go
@@ -145,3 +145,7 @@ type ParallelNetworkDialer interface {
 	DialParallelNetwork(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
 	ListenSerialNetworkPacket(ctx context.Context, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error)
 }
 type PacketDialerWithDestination interface {
 	ListenPacketWithDestination(ctx context.Context, destination M.Socksaddr) (net.PacketConn, netip.Addr, error)
 }
--- a/common/listener/listener_tcp.go
+++ b/common/listener/listener_tcp.go
@@ -99,8 +99,6 @@ func (l *Listener) loopTCPIn() {
 		}
 		//nolint:staticcheck
 		metadata.InboundDetour = l.listenOptions.Detour
 		//nolint:staticcheck
 		metadata.InboundOptions = l.listenOptions.InboundOptions
 		metadata.Source = M.SocksaddrFromNet(conn.RemoteAddr()).Unwrap()
 		metadata.OriginDestination = M.SocksaddrFromNet(conn.LocalAddr()).Unwrap()
 		ctx := log.ContextWithNewID(l.ctx)
--- a/common/tls/ech.go
+++ b/common/tls/ech.go
@@ -15,7 +15,6 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/dns"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	aTLS "github.com/sagernet/sing/common/tls"
@@ -38,7 +37,7 @@ func parseECHClientConfig(ctx context.Context, clientConfig ECHCapableConfig, op
 	}
 	//nolint:staticcheck
 	if options.ECH.PQSignatureSchemesEnabled || options.ECH.DynamicRecordSizingDisabled {
-		deprecated.Report(ctx, deprecated.OptionLegacyECHOptions)
+		return nil, E.New("legacy ECH options are deprecated in sing-box 1.12.0 and removed in sing-box 1.13.0")
 	}
 	if len(echConfig) > 0 {
 		block, rest := pem.Decode(echConfig)
@@ -77,7 +76,7 @@ func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions,
 	tlsConfig.EncryptedClientHelloKeys = echKeys
 	//nolint:staticcheck
 	if options.ECH.PQSignatureSchemesEnabled || options.ECH.DynamicRecordSizingDisabled {
-		deprecated.Report(ctx, deprecated.OptionLegacyECHOptions)
+		return E.New("legacy ECH options are deprecated in sing-box 1.12.0 and removed in sing-box 1.13.0")
 	}
 	return nil
 }
--- a/constant/proxy.go
+++ b/constant/proxy.go
@@ -30,6 +30,7 @@ const (
 	TypeSSMAPI       = "ssm-api"
 	TypeCCM          = "ccm"
 	TypeOCM          = "ocm"
 	TypeOOMKiller    = "oom-killer"
 )
 const (
@@ -85,6 +86,8 @@ func ProxyDisplayName(proxyType string) string {
 		return "Hysteria2"
 	case TypeAnyTLS:
 		return "AnyTLS"
 	case TypeTailscale:
 		return "Tailscale"
 	case TypeSelector:
 		return "Selector"
 	case TypeURLTest:
--- a/daemon/instance.go
+++ b/daemon/instance.go
@@ -7,10 +7,12 @@ import (
 	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/urltest"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 	"github.com/sagernet/sing/service"
@@ -21,6 +23,7 @@ type Instance struct {
 	ctx                   context.Context
 	cancel                context.CancelFunc
 	instance              *box.Box
 	connectionManager     adapter.ConnectionManager
 	clashServer           adapter.ClashServer
 	cacheFile             adapter.CacheFile
 	pauseManager          pause.Manager
@@ -84,6 +87,15 @@ func (s *StartedService) newInstance(profileContent string, overrideOptions *Ove
 			}
 		}
 	}
 	if s.oomKiller && C.IsIos {
 		if !common.Any(options.Services, func(it option.Service) bool {
 			return it.Type == C.TypeOOMKiller
 		}) {
 			options.Services = append(options.Services, option.Service{
 				Type: C.TypeOOMKiller,
 			})
 		}
 	}
 	urlTestHistoryStorage := urltest.NewHistoryStorage()
 	ctx = service.ContextWithPtr(ctx, urlTestHistoryStorage)
 	i := &Instance{
@@ -101,6 +113,7 @@ func (s *StartedService) newInstance(profileContent string, overrideOptions *Ove
 		return nil, err
 	}
 	i.instance = boxInstance
 	i.connectionManager = service.FromContext[adapter.ConnectionManager](ctx)
 	i.clashServer = service.FromContext[adapter.ClashServer](ctx)
 	i.pauseManager = service.FromContext[pause.Manager](ctx)
 	i.cacheFile = service.FromContext[adapter.CacheFile](ctx)
--- a/daemon/started_service.go
+++ b/daemon/started_service.go
@@ -8,7 +8,6 @@ import (
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/urltest"
 	"github.com/sagernet/sing-box/experimental/clashapi"
 	"github.com/sagernet/sing-box/experimental/clashapi/trafficontrol"
@@ -36,6 +35,7 @@ type StartedService struct {
 	handler     PlatformHandler
 	debug       bool
 	logMaxLines int
 	oomKiller   bool
 	// workingDirectory string
 	// tempDirectory    string
 	// userID           int
@@ -67,6 +67,7 @@ type ServiceOptions struct {
 	Handler     PlatformHandler
 	Debug       bool
 	LogMaxLines int
 	OOMKiller   bool
 	// WorkingDirectory   string
 	// TempDirectory      string
 	// UserID             int
@@ -81,6 +82,7 @@ func NewStartedService(options ServiceOptions) *StartedService {
 		handler:     options.Handler,
 		debug:       options.Debug,
 		logMaxLines: options.LogMaxLines,
 		oomKiller:   options.OOMKiller,
 		// workingDirectory: options.WorkingDirectory,
 		// tempDirectory:    options.TempDirectory,
 		// userID:           options.UserID,
@@ -207,6 +209,14 @@ func (s *StartedService) StartOrReloadService(profileContent string, options *Ov
 	return nil
 }
 func (s *StartedService) Close() {
 	s.serviceStatusSubscriber.Close()
 	s.logSubscriber.Close()
 	s.urlTestSubscriber.Close()
 	s.clashModeSubscriber.Close()
 	s.connectionEventSubscriber.Close()
 }
 func (s *StartedService) CloseService() error {
 	s.serviceAccess.Lock()
 	switch s.serviceStatus.Status {
@@ -399,12 +409,14 @@ func (s *StartedService) SubscribeStatus(request *SubscribeStatusRequest, server
 func (s *StartedService) readStatus() *Status {
 	var status Status
-	status.Memory = memory.Inuse()
+	status.Memory = memory.Total()
 	status.Goroutines = int32(runtime.NumGoroutine())
 	status.ConnectionsOut = int32(conntrack.Count())
 	s.serviceAccess.RLock()
 	nowService := s.instance
 	s.serviceAccess.RUnlock()
 	if nowService != nil && nowService.connectionManager != nil {
 		status.ConnectionsOut = int32(nowService.connectionManager.Count())
 	}
 	if nowService != nil {
 		if clashServer := nowService.clashServer; clashServer != nil {
 			status.TrafficAvailable = true
@@ -985,7 +997,12 @@ func (s *StartedService) CloseConnection(ctx context.Context, request *CloseConn
 }
 func (s *StartedService) CloseAllConnections(ctx context.Context, empty *emptypb.Empty) (*emptypb.Empty, error) {
-	conntrack.Close()
+	s.serviceAccess.RLock()
 	nowService := s.instance
 	s.serviceAccess.RUnlock()
 	if nowService != nil && nowService.connectionManager != nil {
 		nowService.connectionManager.CloseAll()
 	}
 	return &emptypb.Empty{}, nil
 }
--- a/debug.go
+++ b/debug.go
@@ -3,11 +3,11 @@ package box
 import (
 	"runtime/debug"
 	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )
-func applyDebugOptions(options option.DebugOptions) {
+func applyDebugOptions(options option.DebugOptions) error {
 	applyDebugListenOption(options)
 	if options.GCPercent != nil {
 		debug.SetGCPercent(*options.GCPercent)
@@ -26,9 +26,9 @@ func applyDebugOptions(options option.DebugOptions) {
 	}
 	if options.MemoryLimit.Value() != 0 {
 		debug.SetMemoryLimit(int64(float64(options.MemoryLimit.Value()) / 1.5))
 		conntrack.MemoryLimit = options.MemoryLimit.Value()
 	}
 	if options.OOMKiller != nil {
-		conntrack.KillerEnabled = *options.OOMKiller
+		return E.New("legacy oom_killer in debug options is removed, use oom-killer service instead")
 	}
 	return nil
 }
--- a/dns/client.go
+++ b/dns/client.go
@@ -240,8 +240,10 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 	if responseChecker != nil {
 		var rejected bool
 		// TODO: add accept_any rule and support to check response instead of addresses
-		if response.Rcode != dns.RcodeSuccess || len(response.Answer) == 0 {
+		if response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError {
 			rejected = true
 		} else if len(response.Answer) == 0 {
 			rejected = !responseChecker(nil)
 		} else {
 			rejected = !responseChecker(MessageToAddresses(response))
 		}
--- a/dns/router.go
+++ b/dns/router.go
@@ -272,13 +272,7 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 					return action.Response(message), nil
 				}
 			}
-			var responseCheck func(responseAddrs []netip.Addr) bool
+			responseCheck := addressLimitResponseCheck(rule, metadata)
 			if rule != nil && rule.WithAddressLimit() {
 				responseCheck = func(responseAddrs []netip.Addr) bool {
 					metadata.DestinationAddresses = responseAddrs
 					return rule.MatchAddressLimit(metadata)
 				}
 			}
 			if dnsOptions.Strategy == C.DomainStrategyAsIS {
 				dnsOptions.Strategy = r.defaultDomainStrategy
 			}
@@ -377,9 +371,11 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 				case *R.RuleActionReject:
 					return nil, &R.RejectedError{Cause: action.Error(ctx)}
 				case *R.RuleActionPredefined:
 					responseAddrs = nil
 					if action.Rcode != mDNS.RcodeSuccess {
 						err = RcodeError(action.Rcode)
 					} else {
 						err = nil
 						for _, answer := range action.Answer {
 							switch record := answer.(type) {
 							case *mDNS.A:
@@ -392,13 +388,7 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 					goto response
 				}
 			}
-			var responseCheck func(responseAddrs []netip.Addr) bool
+			responseCheck := addressLimitResponseCheck(rule, metadata)
 			if rule != nil && rule.WithAddressLimit() {
 				responseCheck = func(responseAddrs []netip.Addr) bool {
 					metadata.DestinationAddresses = responseAddrs
 					return rule.MatchAddressLimit(metadata)
 				}
 			}
 			if dnsOptions.Strategy == C.DomainStrategyAsIS {
 				dnsOptions.Strategy = r.defaultDomainStrategy
 			}
@@ -426,6 +416,18 @@ func isAddressQuery(message *mDNS.Msg) bool {
 	return false
 }
 func addressLimitResponseCheck(rule adapter.DNSRule, metadata *adapter.InboundContext) func(responseAddrs []netip.Addr) bool {
 	if rule == nil || !rule.WithAddressLimit() {
 		return nil
 	}
 	responseMetadata := *metadata
 	return func(responseAddrs []netip.Addr) bool {
 		checkMetadata := responseMetadata
 		checkMetadata.DestinationAddresses = responseAddrs
 		return rule.MatchAddressLimit(&checkMetadata)
 	}
 }
 func (r *Router) ClearCache() {
 	r.client.ClearCache()
 	if r.platformInterface != nil {
--- a/dns/transport/fakeip/store.go
+++ b/dns/transport/fakeip/store.go
@@ -18,6 +18,8 @@ type Store struct {
 	logger     logger.Logger
 	inet4Range netip.Prefix
 	inet6Range netip.Prefix
 	inet4Last  netip.Addr
 	inet6Last  netip.Addr
 	storage    adapter.FakeIPStorage
 	addressAccess sync.Mutex
@@ -26,12 +28,35 @@ type Store struct {
 }
 func NewStore(ctx context.Context, logger logger.Logger, inet4Range netip.Prefix, inet6Range netip.Prefix) *Store {
-	return &Store{
+	store := &Store{
 		ctx:        ctx,
 		logger:     logger,
 		inet4Range: inet4Range,
 		inet6Range: inet6Range,
 	}
 	if inet4Range.IsValid() {
 		store.inet4Last = broadcastAddress(inet4Range)
 	}
 	if inet6Range.IsValid() {
 		store.inet6Last = broadcastAddress(inet6Range)
 	}
 	return store
 }
 func broadcastAddress(prefix netip.Prefix) netip.Addr {
 	addr := prefix.Addr()
 	raw := addr.As16()
 	bits := prefix.Bits()
 	if addr.Is4() {
 		bits += 96
 	}
 	for i := bits; i < 128; i++ {
 		raw[i/8] |= 1 << (7 - i%8)
 	}
 	if addr.Is4() {
 		return netip.AddrFrom4([4]byte(raw[12:]))
 	}
 	return netip.AddrFrom16(raw)
 }
 func (s *Store) Start() error {
@@ -49,10 +74,10 @@ func (s *Store) Start() error {
 		s.inet6Current = metadata.Inet6Current
 	} else {
 		if s.inet4Range.IsValid() {
-			s.inet4Current = s.inet4Range.Addr().Next().Next()
+			s.inet4Current = s.inet4Range.Addr().Next()
 		}
 		if s.inet6Range.IsValid() {
-			s.inet6Current = s.inet6Range.Addr().Next().Next()
+			s.inet6Current = s.inet6Range.Addr().Next()
 		}
 		_ = storage.FakeIPReset()
 	}
@@ -98,7 +123,7 @@ func (s *Store) Create(domain string, isIPv6 bool) (netip.Addr, error) {
 			return netip.Addr{}, E.New("missing IPv4 fakeip address range")
 		}
 		nextAddress := s.inet4Current.Next()
-		if !s.inet4Range.Contains(nextAddress) {
+		if nextAddress == s.inet4Last || !s.inet4Range.Contains(nextAddress) {
 			nextAddress = s.inet4Range.Addr().Next().Next()
 		}
 		s.inet4Current = nextAddress
@@ -108,7 +133,7 @@ func (s *Store) Create(domain string, isIPv6 bool) (netip.Addr, error) {
 			return netip.Addr{}, E.New("missing IPv6 fakeip address range")
 		}
 		nextAddress := s.inet6Current.Next()
-		if !s.inet6Range.Contains(nextAddress) {
+		if nextAddress == s.inet6Last || !s.inet6Range.Contains(nextAddress) {
 			nextAddress = s.inet6Range.Addr().Next().Next()
 		}
 		s.inet6Current = nextAddress
--- a/dns/transport/local/resolv_windows.go
+++ b/dns/transport/local/resolv_windows.go
@@ -5,6 +5,7 @@ import (
 	"net"
 	"net/netip"
 	"os"
 	"strconv"
 	"syscall"
 	"time"
 	"unsafe"
@@ -63,6 +64,9 @@ func dnsReadConfig(ctx context.Context, _ string) *dnsConfig {
 					continue
 				}
 				dnsServerAddr = netip.AddrFrom16(sockaddr.Addr)
 				if sockaddr.ZoneId != 0 {
 					dnsServerAddr = dnsServerAddr.WithZone(strconv.FormatInt(int64(sockaddr.ZoneId), 10))
 				}
 			default:
 				// Unexpected type.
 				continue
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,10 +2,16 @@
 icon: material/alert-decagram
 ---
-#### 1.13.0-rc.3
+#### 1.13.1
 * Fixes and improvements
 #### 1.12.14
 * Backport fixes
 #### 1.13.0
 Important changes since 1.12:
 * Add NaiveProxy outbound **1**
@@ -22,7 +28,7 @@ Important changes since 1.12:
 * Improve `local` DNS server **12**
 * Add `disable_tcp_keep_alive`, `tcp_keep_alive` and `tcp_keep_alive_interval` options for listen and dial fields **13**
 * Add `bind_address_no_port` option for dial fields **14**
-* Add system interface and relay server options for Tailscale endpoint **15**
+* Add system interface, relay server and advertise tags options for Tailscale endpoint **15**
 * Add Claude Code Multiplexer service **16**
 * Add OpenAI Codex Multiplexer service **17**
 * Apple/Android: Refactor GUI
@@ -136,6 +142,7 @@ See [Dial Fields](/configuration/shared/dial/#bind_address_no_port).
 Tailscale endpoint can now create a system TUN interface to handle traffic directly.
 New `relay_server_port` and `relay_server_static_endpoints` options for incoming relay connections.
 New `advertise_tags` option for ACL tag advertisement.
 See [Tailscale endpoint](/configuration/endpoint/tailscale/).
@@ -169,6 +176,22 @@ Also, documentation has been updated with a warning about uTLS fingerprinting vu
 uTLS is not recommended for censorship circumvention due to fundamental architectural limitations;
 use NaiveProxy instead for TLS fingerprint resistance.
 #### 1.12.23
 * Fixes and improvements
 #### 1.13.0-rc.5
 * Add `mipsle`, `mips64le`, `riscv64` and `loong64` support for NaiveProxy outbound
 #### 1.12.22
 * Fixes and improvements
 #### 1.13.0-rc.3
 * Fixes and improvements
 #### 1.12.21
 * Fixes and improvements
--- a/docs/configuration/endpoint/tailscale.md
+++ b/docs/configuration/endpoint/tailscale.md
@@ -8,7 +8,8 @@ icon: material/new-box
    :material-plus: [relay_server_static_endpoints](#relay_server_static_endpoints)  
    :material-plus: [system_interface](#system_interface)  
    :material-plus: [system_interface_name](#system_interface_name)  
-    :material-plus: [system_interface_mtu](#system_interface_mtu)
+    :material-plus: [system_interface_mtu](#system_interface_mtu)  
    :material-plus: [advertise_tags](#advertise_tags)
 !!! question "Since sing-box 1.12.0"
@@ -28,6 +29,7 @@ icon: material/new-box
  "exit_node_allow_lan_access": false,
  "advertise_routes": [],
  "advertise_exit_node": false,
  "advertise_tags": [],
  "relay_server_port": 0,
  "relay_server_static_endpoints": [],
  "system_interface": false,
@@ -102,6 +104,14 @@ Example: `["192.168.1.1/24"]`
 Indicates whether the node should advertise itself as an exit node.
 #### advertise_tags
 !!! question "Since sing-box 1.13.0"
 Tags to advertise for this node, for ACL enforcement purposes.
 Example: `["tag:server"]`
 #### relay_server_port
 !!! question "Since sing-box 1.13.0"
--- a/docs/configuration/endpoint/tailscale.zh.md
+++ b/docs/configuration/endpoint/tailscale.zh.md
@@ -8,7 +8,8 @@ icon: material/new-box
    :material-plus: [relay_server_static_endpoints](#relay_server_static_endpoints)  
    :material-plus: [system_interface](#system_interface)  
    :material-plus: [system_interface_name](#system_interface_name)  
-    :material-plus: [system_interface_mtu](#system_interface_mtu)
+    :material-plus: [system_interface_mtu](#system_interface_mtu)  
    :material-plus: [advertise_tags](#advertise_tags)
 !!! question "自 sing-box 1.12.0 起"
@@ -28,6 +29,7 @@ icon: material/new-box
  "exit_node_allow_lan_access": false,
  "advertise_routes": [],
  "advertise_exit_node": false,
  "advertise_tags": [],
  "relay_server_port": 0,
  "relay_server_static_endpoints": [],
  "system_interface": false,
@@ -101,6 +103,14 @@ icon: material/new-box
 指示节点是否应将自己通告为出口节点。
 #### advertise_tags
 !!! question "自 sing-box 1.13.0 起"
 为此节点通告的标签，用于 ACL 执行。
 示例：`["tag:server"]`
 #### relay_server_port
 !!! question "自 sing-box 1.13.0 起"
--- a/docs/installation/build-from-source.md
+++ b/docs/installation/build-from-source.md
@@ -57,11 +57,35 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
 | `with_v2ray_api`                   | :material-close:️    | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
 | `with_gvisor`                      | :material-check:     | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
 | `with_embedded_tor` (CGO required) | :material-close:️    | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
-| `with_tailscale`                   | :material-check:     | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale)                                                                                                                                                                                                                                      |
+| `with_tailscale`                   | :material-check:     | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale).                                                                                                                                                                                                                                     |
-| `with_naive_outbound`              | :material-close:️    | Build with NaiveProxy outbound support, see [NaiveProxy outbound](/configuration/outbound/naive/).                                                                                                                                                                                                                             |
+| `with_ccm`                         | :material-check:     | Build with Claude Code Multiplexer service support.                                                                                                                                                                                                                                                                            |
 | `with_ocm`                         | :material-check:     | Build with OpenAI Codex Multiplexer service support.                                                                                                                                                                                                                                                                           |
 | `with_naive_outbound`              | :material-check:     | Build with NaiveProxy outbound support, see [NaiveProxy outbound](/configuration/outbound/naive/).                                                                                                                                                                                                                             |
 | `badlinkname`                      | :material-check:     | Enable `go:linkname` access to internal standard library functions. Required because the Go standard library does not expose many low-level APIs needed by this project, and reimplementing them externally is impractical. Used for kTLS (kernel TLS offload) and raw TLS record manipulation.                                 |
 | `tfogo_checklinkname0`             | :material-check:     | Companion to `badlinkname`. Go 1.23+ enforces `go:linkname` restrictions via the linker; this tag signals the build uses `-checklinkname=0` to bypass that enforcement.                                                                                                                                                       |
 It is not recommended to change the default build tag list unless you really know what you are adding.
 ## :material-wrench: Linker Flags
 The following `-ldflags` are used in official builds:
 | Flag                                                        | Description                                                                                                                                                                                                             |
 |-------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `-X 'internal/godebug.defaultGODEBUG=multipathtcp=0'`      | Go 1.24 enabled Multipath TCP for listeners by default (`multipathtcp=2`). This may cause errors on low-level sockets, and sing-box has its own MPTCP control (`tcp_multi_path` option). This flag disables the Go default. |
 | `-checklinkname=0`                                          | Go 1.23+ linker rejects unauthorized `go:linkname` usage. This flag disables the check, required together with the `badlinkname` build tag.                                                                            |
 ## :material-package-variant: For Downstream Packagers
 The default build tag lists and linker flags are available as files in the repository for downstream packagers to reference directly:
 | File | Description |
 |------|-------------|
 | `release/DEFAULT_BUILD_TAGS` | Default for Linux (common architectures), Darwin, and Android. |
 | `release/DEFAULT_BUILD_TAGS_WINDOWS` | Default for Windows (includes `with_purego`). |
 | `release/DEFAULT_BUILD_TAGS_OTHERS` | Default for other platforms (no `with_naive_outbound`). |
 | `release/LDFLAGS` | Required linker flags (see above). |
 ## :material-layers: with_naive_outbound
 NaiveProxy outbound requires special build configurations depending on your target platform.
--- a/docs/installation/build-from-source.zh.md
+++ b/docs/installation/build-from-source.zh.md
@@ -61,11 +61,35 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
 | `with_v2ray_api`                   | :material-close:️ | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
 | `with_gvisor`                      | :material-check:  | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
 | `with_embedded_tor` (CGO required) | :material-close:️ | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
-| `with_tailscale`                   | :material-check:  | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale)                                                                                                                                                                                                                                      |
+| `with_tailscale`                   | :material-check:  | 构建 Tailscale 支持，参阅 [Tailscale 端点](/configuration/endpoint/tailscale)。                                                                                                                                                                                                                                                         |
-| `with_naive_outbound`              | :material-close:️ | 构建 NaiveProxy 出站支持，参阅 [NaiveProxy 出站](/zh/configuration/outbound/naive/)。                                                                                                                                                                                                                                                      |
+| `with_ccm`                         | :material-check:  | 构建 Claude Code Multiplexer 服务支持。                                                                                                                                                                                                                                                                                              |
 | `with_ocm`                         | :material-check:  | 构建 OpenAI Codex Multiplexer 服务支持。                                                                                                                                                                                                                                                                                             |
 | `with_naive_outbound`              | :material-check:  | 构建 NaiveProxy 出站支持，参阅 [NaiveProxy 出站](/configuration/outbound/naive/)。                                                                                                                                                                                                                                                         |
 | `badlinkname`                      | :material-check:  | 启用 `go:linkname` 以访问标准库内部函数。Go 标准库未提供本项目需要的许多底层 API，且在外部重新实现不切实际。用于 kTLS（内核 TLS 卸载）和原始 TLS 记录操作。                                                                                                                                                                                                                           |
 | `tfogo_checklinkname0`             | :material-check:  | `badlinkname` 的伴随标记。Go 1.23+ 链接器强制限制 `go:linkname` 使用；此标记表示构建使用 `-checklinkname=0` 以绕过该限制。                                                                                                                                                                                                                                |
 除非您确实知道您正在启用什么，否则不建议更改默认构建标签列表。
 ## :material-wrench: 链接器标志
 以下 `-ldflags` 在官方构建中使用：
 | 标志                                                          | 说明                                                                                                                                                         |
 |-------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `-X 'internal/godebug.defaultGODEBUG=multipathtcp=0'`      | Go 1.24 默认为监听器启用 Multipath TCP（`multipathtcp=2`）。这可能在底层 socket 上导致错误，且 sing-box 有自己的 MPTCP 控制（`tcp_multi_path` 选项）。此标志禁用 Go 的默认行为。                             |
 | `-checklinkname=0`                                          | Go 1.23+ 链接器拒绝未授权的 `go:linkname` 使用。此标志禁用该检查，需要与 `badlinkname` 构建标记一起使用。                                                                                   |
 ## :material-package-variant: 下游打包者
 默认构建标签列表和链接器标志以文件形式存放在仓库中，供下游打包者直接引用：
 | 文件 | 说明 |
 |------|------|
 | `release/DEFAULT_BUILD_TAGS` | Linux（常见架构）、Darwin 和 Android 的默认标签。 |
 | `release/DEFAULT_BUILD_TAGS_WINDOWS` | Windows 的默认标签（包含 `with_purego`）。 |
 | `release/DEFAULT_BUILD_TAGS_OTHERS` | 其他平台的默认标签（不含 `with_naive_outbound`）。 |
 | `release/LDFLAGS` | 必需的链接器标志（参见上文）。 |
 ## :material-layers: with_naive_outbound
 NaiveProxy 出站需要根据目标平台进行特殊的构建配置。
--- a/experimental/clashapi/connections.go
+++ b/experimental/clashapi/connections.go
@@ -2,6 +2,7 @@ package clashapi
 import (
 	"bytes"
 	"context"
 	"net/http"
 	"strconv"
 	"time"
@@ -17,15 +18,15 @@ import (
 	"github.com/gofrs/uuid/v5"
 )
-func connectionRouter(router adapter.Router, trafficManager *trafficontrol.Manager) http.Handler {
+func connectionRouter(ctx context.Context, router adapter.Router, trafficManager *trafficontrol.Manager) http.Handler {
 	r := chi.NewRouter()
-	r.Get("/", getConnections(trafficManager))
+	r.Get("/", getConnections(ctx, trafficManager))
 	r.Delete("/", closeAllConnections(router, trafficManager))
 	r.Delete("/{id}", closeConnection(trafficManager))
 	return r
 }
-func getConnections(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
+func getConnections(ctx context.Context, trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		if r.Header.Get("Upgrade") != "websocket" {
 			snapshot := trafficManager.Snapshot()
@@ -67,7 +68,12 @@ func getConnections(trafficManager *trafficontrol.Manager) func(w http.ResponseW
 		tick := time.NewTicker(time.Millisecond * time.Duration(interval))
 		defer tick.Stop()
-		for range tick.C {
+		for {
 			select {
 			case <-ctx.Done():
 				return
 			case <-tick.C:
 			}
 			if err = sendSnapshot(); err != nil {
 				break
 			}
--- a/experimental/clashapi/server.go
+++ b/experimental/clashapi/server.go
@@ -116,12 +116,12 @@ func NewServer(ctx context.Context, logFactory log.ObservableFactory, options op
 		r.Use(authentication(options.Secret))
 		r.Get("/", hello(options.ExternalUI != ""))
 		r.Get("/logs", getLogs(logFactory))
-		r.Get("/traffic", traffic(trafficManager))
+		r.Get("/traffic", traffic(s.ctx, trafficManager))
 		r.Get("/version", version)
 		r.Mount("/configs", configRouter(s, logFactory))
 		r.Mount("/proxies", proxyRouter(s, s.router))
 		r.Mount("/rules", ruleRouter(s.router))
-		r.Mount("/connections", connectionRouter(s.router, trafficManager))
+		r.Mount("/connections", connectionRouter(s.ctx, s.router, trafficManager))
 		r.Mount("/providers/proxies", proxyProviderRouter())
 		r.Mount("/providers/rules", ruleProviderRouter())
 		r.Mount("/script", scriptRouter())
@@ -303,7 +303,7 @@ type Traffic struct {
 	Down int64 `json:"down"`
 }
-func traffic(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
+func traffic(ctx context.Context, trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var conn net.Conn
 		if r.Header.Get("Upgrade") == "websocket" {
@@ -324,7 +324,12 @@ func traffic(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter,
 		defer tick.Stop()
 		buf := &bytes.Buffer{}
 		uploadTotal, downloadTotal := trafficManager.Total()
-		for range tick.C {
+		for {
 			select {
 			case <-ctx.Done():
 				return
 			case <-tick.C:
 			}
 			buf.Reset()
 			uploadTotalNew, downloadTotalNew := trafficManager.Total()
 			err := json.NewEncoder(buf).Encode(Traffic{
--- a/experimental/deprecated/constants.go
+++ b/experimental/deprecated/constants.go
@@ -57,96 +57,6 @@ func (n Note) MessageWithLink() string {
 	}
 }
 var OptionBadMatchSource = Note{
 	Name:              "bad-match-source",
 	Description:       "legacy match source rule item",
 	DeprecatedVersion: "1.10.0",
 	ScheduledVersion:  "1.11.0",
 	EnvName:           "BAD_MATCH_SOURCE",
 	MigrationLink:     "https://sing-box.sagernet.org/deprecated/#match-source-rule-items-are-renamed",
 }
 var OptionGEOIP = Note{
 	Name:              "geoip",
 	Description:       "geoip database",
 	DeprecatedVersion: "1.8.0",
 	ScheduledVersion:  "1.12.0",
 	EnvName:           "GEOIP",
 	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-geoip-to-rule-sets",
 }
 var OptionGEOSITE = Note{
 	Name:              "geosite",
 	Description:       "geosite database",
 	DeprecatedVersion: "1.8.0",
 	ScheduledVersion:  "1.12.0",
 	EnvName:           "GEOSITE",
 	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-geosite-to-rule-sets",
 }
 var OptionTUNAddressX = Note{
 	Name:              "tun-address-x",
 	Description:       "legacy tun address fields",
 	DeprecatedVersion: "1.10.0",
 	ScheduledVersion:  "1.12.0",
 	EnvName:           "TUN_ADDRESS_X",
 	MigrationLink:     "https://sing-box.sagernet.org/migration/#tun-address-fields-are-merged",
 }
 var OptionSpecialOutbounds = Note{
 	Name:              "special-outbounds",
 	Description:       "legacy special outbounds",
 	DeprecatedVersion: "1.11.0",
 	ScheduledVersion:  "1.13.0",
 	EnvName:           "SPECIAL_OUTBOUNDS",
 	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-legacy-special-outbounds-to-rule-actions",
 }
 var OptionInboundOptions = Note{
 	Name:              "inbound-options",
 	Description:       "legacy inbound fields",
 	DeprecatedVersion: "1.11.0",
 	ScheduledVersion:  "1.13.0",
 	EnvName:           "INBOUND_OPTIONS",
 	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-legacy-special-outbounds-to-rule-actions",
 }
 var OptionDestinationOverrideFields = Note{
 	Name:              "destination-override-fields",
 	Description:       "destination override fields in direct outbound",
 	DeprecatedVersion: "1.11.0",
 	ScheduledVersion:  "1.13.0",
 	EnvName:           "DESTINATION_OVERRIDE_FIELDS",
 	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-destination-override-fields-to-route-options",
 }
 var OptionWireGuardOutbound = Note{
 	Name:              "wireguard-outbound",
 	Description:       "legacy wireguard outbound",
 	DeprecatedVersion: "1.11.0",
 	ScheduledVersion:  "1.13.0",
 	EnvName:           "WIREGUARD_OUTBOUND",
 	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-wireguard-outbound-to-endpoint",
 }
 var OptionWireGuardGSO = Note{
 	Name:              "wireguard-gso",
 	Description:       "GSO option in wireguard outbound",
 	DeprecatedVersion: "1.11.0",
 	ScheduledVersion:  "1.13.0",
 	EnvName:           "WIREGUARD_GSO",
 	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-wireguard-outbound-to-endpoint",
 }
 var OptionTUNGSO = Note{
 	Name:              "tun-gso",
 	Description:       "GSO option in tun",
 	DeprecatedVersion: "1.11.0",
 	ScheduledVersion:  "1.12.0",
 	EnvName:           "TUN_GSO",
 	MigrationLink:     "https://sing-box.sagernet.org/deprecated/#gso-option-in-tun",
 }
 var OptionLegacyDNSTransport = Note{
 	Name:              "legacy-dns-transport",
 	Description:       "legacy DNS servers",
@@ -183,15 +93,6 @@ var OptionMissingDomainResolver = Note{
 	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-outbound-dns-rule-items-to-domain-resolver",
 }
 var OptionLegacyECHOptions = Note{
 	Name:              "legacy-ech-options",
 	Description:       "legacy ECH options",
 	DeprecatedVersion: "1.12.0",
 	ScheduledVersion:  "1.13.0",
 	EnvName:           "LEGACY_ECH_OPTIONS",
 	MigrationLink:     "https://sing-box.sagernet.org/deprecated/#legacy-ech-fields",
 }
 var OptionLegacyDomainStrategyOptions = Note{
 	Name:              "legacy-domain-strategy-options",
 	Description:       "legacy domain strategy options",
@@ -202,20 +103,9 @@ var OptionLegacyDomainStrategyOptions = Note{
 }
 var Options = []Note{
 	OptionBadMatchSource,
 	OptionGEOIP,
 	OptionGEOSITE,
 	OptionTUNAddressX,
 	OptionSpecialOutbounds,
 	OptionInboundOptions,
 	OptionDestinationOverrideFields,
 	OptionWireGuardOutbound,
 	OptionWireGuardGSO,
 	OptionTUNGSO,
 	OptionLegacyDNSTransport,
 	OptionLegacyDNSFakeIPOptions,
 	OptionOutboundDNSRuleItem,
 	OptionMissingDomainResolver,
 	OptionLegacyECHOptions,
 	OptionLegacyDomainStrategyOptions,
 }
--- a/experimental/libbox/command_client.go
+++ b/experimental/libbox/command_client.go
@@ -119,7 +119,11 @@ func dialTarget() (string, func(context.Context, string) (net.Conn, error)) {
 		}
 	}
 	if sCommandServerListenPort == 0 {
-		return "unix://" + filepath.Join(sBasePath, "command.sock"), nil
+		socketPath := filepath.Join(sBasePath, "command.sock")
 		return "passthrough:///command-socket", func(ctx context.Context, _ string) (net.Conn, error) {
 			var networkDialer net.Dialer
 			return networkDialer.DialContext(ctx, "unix", socketPath)
 		}
 	}
 	return net.JoinHostPort("127.0.0.1", strconv.Itoa(int(sCommandServerListenPort))), nil
 }
--- a/experimental/libbox/command_server.go
+++ b/experimental/libbox/command_server.go
@@ -60,6 +60,7 @@ func NewCommandServer(handler CommandServerHandler, platformInterface PlatformIn
 		Handler:     (*platformHandler)(server),
 		Debug:       sDebug,
 		LogMaxLines: sLogMaxLines,
 		OOMKiller:   memoryLimitEnabled,
 		// WorkingDirectory: sWorkingPath,
 		// TempDirectory:    sTempPath,
 		// UserID:           sUserID,
@@ -159,6 +160,7 @@ func (s *CommandServer) Close() {
 		s.grpcServer.Stop()
 	}
 	common.Close(s.listener)
 	s.StartedService.Close()
 }
 type OverrideOptions struct {
--- a/experimental/libbox/ffi.json
+++ b/experimental/libbox/ffi.json
@@ -1,10 +1,19 @@
 {
  "version": 1,
  "variables": {
    "VERSION": "$(go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest)",
    "WORKSPACE_ROOT": "../../..",
    "DEPLOY_ANDROID": "${WORKSPACE_ROOT}/sing-box-for-android/app/libs",
    "DEPLOY_APPLE": "${WORKSPACE_ROOT}/sing-box-for-apple",
    "DEPLOY_WINDOWS": "${WORKSPACE_ROOT}/sing-box-for-windows/local-packages"
  },
  "packages": [
    {
      "id": "libbox",
      "path": ".",
      "java_package": "io.nekohasekai.libbox",
      "csharp_namespace": "SagerNet",
      "csharp_entrypoint": "Libbox",
      "apple_prefix": "Libbox"
    }
  ],
@@ -20,7 +29,6 @@
          "with_utls",
          "with_naive_outbound",
          "with_clash_api",
          "with_conntrack",
          "badlinkname",
          "tfogo_checklinkname0",
          "with_tailscale",
@@ -36,7 +44,7 @@
          "ts_omit_synology",
          "ts_omit_bird"
        ],
-        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=$(CGO_ENABLED=0 go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest) -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
+        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
        "trimpath": true
      }
    },
@@ -50,7 +58,6 @@
          "with_wireguard",
          "with_utls",
          "with_clash_api",
          "with_conntrack",
          "badlinkname",
          "tfogo_checklinkname0",
          "with_tailscale",
@@ -66,7 +73,7 @@
          "ts_omit_synology",
          "ts_omit_bird"
        ],
-        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=$(CGO_ENABLED=0 go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest) -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
+        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
        "trimpath": true
      }
    },
@@ -81,7 +88,6 @@
          "with_utls",
          "with_naive_outbound",
          "with_clash_api",
          "with_conntrack",
          "badlinkname",
          "tfogo_checklinkname0",
          "with_dhcp",
@@ -99,7 +105,7 @@
          "ts_omit_synology",
          "ts_omit_bird"
        ],
-        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=$(CGO_ENABLED=0 go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest) -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
+        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
        "trimpath": true
      },
      "overrides": [
@@ -112,6 +118,37 @@
          "tags_append": ["with_low_memory"]
        }
      ]
    },
    {
      "id": "windows",
      "packages": ["libbox"],
      "default": {
        "tags": [
          "with_gvisor",
          "with_quic",
          "with_wireguard",
          "with_utls",
          "with_naive_outbound",
          "with_purego",
          "with_clash_api",
          "badlinkname",
          "tfogo_checklinkname0",
          "with_tailscale",
          "ts_omit_logtail",
          "ts_omit_ssh",
          "ts_omit_drive",
          "ts_omit_taildrop",
          "ts_omit_webclient",
          "ts_omit_doctor",
          "ts_omit_capture",
          "ts_omit_kube",
          "ts_omit_aws",
          "ts_omit_synology",
          "ts_omit_bird"
        ],
        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
        "trimpath": true
      }
    }
  ],
  "platforms": [
@@ -119,12 +156,19 @@
      "type": "android",
      "build": "android-main",
      "min_sdk": 23,
      "ndk_version": "28.0.13004108",
      "lib_name": "box",
      "languages": [{ "type": "java" }],
      "artifacts": [
        {
          "type": "aar",
-          "output_path": "libbox.aar"
+          "output_path": "libbox.aar",
          "execute_after": [
            "if [ -d \"${DEPLOY_ANDROID}\" ]; then",
            "  rm -f \"${DEPLOY_ANDROID}/$$(basename \"${OUTPUT_PATH}\")\"",
            "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_ANDROID}/\"",
            "fi"
          ]
        }
      ]
    },
@@ -132,12 +176,19 @@
      "type": "android",
      "build": "android-legacy",
      "min_sdk": 21,
      "ndk_version": "28.0.13004108",
      "lib_name": "box",
      "languages": [{ "type": "java" }],
      "artifacts": [
        {
          "type": "aar",
-          "output_path": "libbox-legacy.aar"
+          "output_path": "libbox-legacy.aar",
          "execute_after": [
            "if [ -d \"${DEPLOY_ANDROID}\" ]; then",
            "  rm -f \"${DEPLOY_ANDROID}/$$(basename \"${OUTPUT_PATH}\")\"",
            "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_ANDROID}/\"",
            "fi"
          ]
        }
      ]
    },
@@ -159,7 +210,46 @@
        {
          "type": "xcframework",
          "module_name": "Libbox",
-          "output_path": "Libbox.xcframework"
+          "execute_after": [
            "if [ -d \"${DEPLOY_APPLE}\" ]; then",
            "  rm -rf \"${DEPLOY_APPLE}/${MODULE_NAME}.xcframework\"",
            "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_APPLE}/\"",
            "fi"
          ]
        }
      ]
    },
    {
      "type": "csharp",
      "build": "windows",
      "targets": [
        "windows/amd64"
      ],
      "languages": [{ "type": "csharp" }],
      "artifacts": [
        {
          "type": "nuget",
          "package_id": "SagerNet.Libbox",
          "package_version": "0.0.0-local",
          "execute_after": {
            "windows": [
              "$$deployPath = '${DEPLOY_WINDOWS}'",
              "if (Test-Path $$deployPath) {",
              "  Remove-Item \"$$deployPath\\${PACKAGE_ID}.*.nupkg\" -ErrorAction SilentlyContinue",
              "  Move-Item -Force '${OUTPUT_PATH}' \"$$deployPath\\\"",
              "  $$cachePath = if ($$env:NUGET_PACKAGES) { $$env:NUGET_PACKAGES } else { \"$$env:USERPROFILE\\.nuget\\packages\" }",
              "  Remove-Item -Recurse -Force \"$$cachePath\\sagernet.libbox\\${PACKAGE_VERSION}\" -ErrorAction SilentlyContinue",
              "}"
            ],
            "default": [
              "if [ -d \"${DEPLOY_WINDOWS}\" ]; then",
              "  rm -f \"${DEPLOY_WINDOWS}/${PACKAGE_ID}.*.nupkg\"",
              "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_WINDOWS}/\"",
              "  cache_path=\"$${NUGET_PACKAGES:-$${HOME}/.nuget/packages}\"",
              "  rm -rf \"$${cache_path}/sagernet.libbox/${PACKAGE_VERSION}\"",
              "fi"
            ]
          }
        }
      ]
    }
--- a/experimental/libbox/memory.go
+++ b/experimental/libbox/memory.go
@@ -4,20 +4,23 @@ import (
 	"math"
 	runtimeDebug "runtime/debug"
-	"github.com/sagernet/sing-box/common/conntrack"
+	C "github.com/sagernet/sing-box/constant"
 )
 var memoryLimitEnabled bool
 func SetMemoryLimit(enabled bool) {
-	const memoryLimit = 45 * 1024 * 1024
+	memoryLimitEnabled = enabled
-	const memoryLimitGo = memoryLimit / 1.5
+	const memoryLimitGo = 45 * 1024 * 1024
 	if enabled {
 		runtimeDebug.SetGCPercent(10)
-		runtimeDebug.SetMemoryLimit(memoryLimitGo)
+		if C.IsIos {
-		conntrack.KillerEnabled = true
+			runtimeDebug.SetMemoryLimit(memoryLimitGo)
-		conntrack.MemoryLimit = memoryLimit
+		}
 	} else {
 		runtimeDebug.SetGCPercent(100)
-		runtimeDebug.SetMemoryLimit(math.MaxInt64)
+		if C.IsIos {
-		conntrack.KillerEnabled = false
+			runtimeDebug.SetMemoryLimit(math.MaxInt64)
 		}
 	}
 }
--- a/experimental/libbox/semver.go
+++ b/experimental/libbox/semver.go
@@ -0,0 +1,27 @@
 package libbox
 import (
 	"strings"
 	"golang.org/x/mod/semver"
 )
 func CompareSemver(left string, right string) bool {
 	normalizedLeft := normalizeSemver(left)
 	if !semver.IsValid(normalizedLeft) {
 		return false
 	}
 	normalizedRight := normalizeSemver(right)
 	if !semver.IsValid(normalizedRight) {
 		return false
 	}
 	return semver.Compare(normalizedLeft, normalizedRight) > 0
 }
 func normalizeSemver(version string) string {
 	trimmedVersion := strings.TrimSpace(version)
 	if strings.HasPrefix(trimmedVersion, "v") {
 		return trimmedVersion
 	}
 	return "v" + trimmedVersion
 }
--- a/experimental/libbox/semver_test.go
+++ b/experimental/libbox/semver_test.go
@@ -0,0 +1,16 @@
 package libbox
 import (
 	"testing"
 	"github.com/stretchr/testify/require"
 )
 func TestCompareSemver(t *testing.T) {
 	t.Parallel()
 	require.False(t, CompareSemver("1.13.0-rc.4", "1.13.0"))
 	require.True(t, CompareSemver("1.13.1", "1.13.0"))
 	require.False(t, CompareSemver("v1.13.0", "1.13.0"))
 	require.False(t, CompareSemver("1.13.0-", "1.13.0"))
 }
--- a/go.mod
+++ b/go.mod
@@ -3,60 +3,60 @@ module github.com/sagernet/sing-box
 go 1.24.7
 require (
-	github.com/anthropics/anthropic-sdk-go v1.19.0
+	github.com/anthropics/anthropic-sdk-go v1.26.0
 	github.com/anytls/sing-anytls v0.0.11
-	github.com/caddyserver/certmagic v0.25.0
+	github.com/caddyserver/certmagic v0.25.2
 	github.com/coder/websocket v1.8.14
 	github.com/cretz/bine v0.2.0
-	github.com/database64128/tfo-go/v2 v2.3.1
+	github.com/database64128/tfo-go/v2 v2.3.2
-	github.com/go-chi/chi/v5 v5.2.3
+	github.com/go-chi/chi/v5 v5.2.5
 	github.com/go-chi/render v1.0.3
-	github.com/godbus/dbus/v5 v5.2.1
+	github.com/godbus/dbus/v5 v5.2.2
 	github.com/gofrs/uuid/v5 v5.4.0
-	github.com/insomniacslk/dhcp v0.0.0-20251020182700-175e84fbb167
+	github.com/insomniacslk/dhcp v0.0.0-20260220084031-5adc3eb26f91
 	github.com/keybase/go-keychain v0.0.1
 	github.com/libdns/acmedns v0.5.0
-	github.com/libdns/alidns v1.0.6-beta.3
+	github.com/libdns/alidns v1.0.6
 	github.com/libdns/cloudflare v0.2.2
 	github.com/logrusorgru/aurora v2.0.3+incompatible
 	github.com/metacubex/utls v1.8.4
-	github.com/mholt/acmez/v3 v3.1.4
+	github.com/mholt/acmez/v3 v3.1.6
-	github.com/miekg/dns v1.1.69
+	github.com/miekg/dns v1.1.72
-	github.com/openai/openai-go/v3 v3.15.0
+	github.com/openai/openai-go/v3 v3.24.0
 	github.com/oschwald/maxminddb-golang v1.13.1
 	github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
 	github.com/sagernet/cors v1.2.1
-	github.com/sagernet/cronet-go v0.0.0-20260117110918-dc1cda1fe287
+	github.com/sagernet/cronet-go v0.0.0-20260303101018-cba7b9ac0399
-	github.com/sagernet/cronet-go/all v0.0.0-20260117110918-dc1cda1fe287
+	github.com/sagernet/cronet-go/all v0.0.0-20260303101018-cba7b9ac0399
 	github.com/sagernet/fswatch v0.1.1
-	github.com/sagernet/gomobile v0.1.11
+	github.com/sagernet/gomobile v0.1.12
 	github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1
-	github.com/sagernet/quic-go v0.59.0-sing-box-mod.2
+	github.com/sagernet/quic-go v0.59.0-sing-box-mod.4
-	github.com/sagernet/sing v0.8.0-beta.16
+	github.com/sagernet/sing v0.8.1
 	github.com/sagernet/sing-mux v0.3.4
-	github.com/sagernet/sing-quic v0.6.0-beta.12
+	github.com/sagernet/sing-quic v0.6.0
 	github.com/sagernet/sing-shadowsocks v0.2.8
 	github.com/sagernet/sing-shadowsocks2 v0.2.1
 	github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11
-	github.com/sagernet/sing-tun v0.8.0-beta.17
+	github.com/sagernet/sing-tun v0.8.2
 	github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1
 	github.com/sagernet/smux v1.5.50-sing-box-mod.1
-	github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6
+	github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260303140313-3bcf9a4b9349
-	github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20250917110311-16510ac47288
+	github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c
 	github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854
 	github.com/spf13/cobra v1.10.2
 	github.com/stretchr/testify v1.11.1
 	github.com/vishvananda/netns v0.0.5
 	go.uber.org/zap v1.27.1
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.46.0
+	golang.org/x/crypto v0.48.0
 	golang.org/x/exp v0.0.0-20251219203646-944ab1f22d93
-	golang.org/x/mod v0.31.0
+	golang.org/x/mod v0.33.0
-	golang.org/x/net v0.48.0
+	golang.org/x/net v0.50.0
-	golang.org/x/sys v0.39.0
+	golang.org/x/sys v0.41.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
-	google.golang.org/grpc v1.77.0
+	google.golang.org/grpc v1.79.1
 	google.golang.org/protobuf v1.36.11
 	howett.net/plist v1.0.1
 )
@@ -67,7 +67,7 @@ require (
 	github.com/akutz/memconn v0.1.0 // indirect
 	github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa // indirect
 	github.com/andybalholm/brotli v1.1.0 // indirect
-	github.com/caddyserver/zerossl v0.1.3 // indirect
+	github.com/caddyserver/zerossl v0.1.5 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 // indirect
 	github.com/database64128/netx-go v0.1.1 // indirect
@@ -96,7 +96,7 @@ require (
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/libdns/libdns v1.1.1 // indirect
-	github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 // indirect
+	github.com/mdlayher/netlink v1.9.0 // indirect
 	github.com/mdlayher/socket v0.5.1 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
@@ -105,28 +105,35 @@ require (
 	github.com/prometheus-community/pro-bing v0.4.0 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/safchain/ethtool v0.3.0 // indirect
-	github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260303100323-125d0d93b3e6 // indirect
 	github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
 	github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260303100323-125d0d93b3e6 // indirect
 	github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260303100323-125d0d93b3e6 // indirect
 	github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
 	github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260303100323-125d0d93b3e6 // indirect
 	github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
 	github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
 	github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a // indirect
 	github.com/sagernet/nftables v0.3.0-beta.4 // indirect
 	github.com/spf13/pflag v1.0.9 // indirect
@@ -147,15 +154,15 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap/exp v0.3.0 // indirect
 	go4.org/mem v0.0.0-20240501181205-ae6ca9944745 // indirect
-	golang.org/x/oauth2 v0.32.0 // indirect
+	golang.org/x/oauth2 v0.34.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/term v0.38.0 // indirect
+	golang.org/x/term v0.40.0 // indirect
-	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/text v0.34.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
-	golang.org/x/tools v0.40.0 // indirect
+	golang.org/x/tools v0.42.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.3.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,3 +1,5 @@
 code.pfad.fr/check v1.1.0 h1:GWvjdzhSEgHvEHe2uJujDcpmZoySKuHQNrZMfzfO0bE=
 code.pfad.fr/check v1.1.0/go.mod h1:NiUH13DtYsb7xp5wll0U4SXx7KhXQVCtRgdC96IPfoM=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
@@ -8,16 +10,18 @@ github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7V
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/andybalholm/brotli v1.1.0 h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1U3M=
 github.com/andybalholm/brotli v1.1.0/go.mod h1:sms7XGricyQI9K10gOSf56VKKWS4oLer58Q+mhRPtnY=
-github.com/anthropics/anthropic-sdk-go v1.19.0 h1:mO6E+ffSzLRvR/YUH9KJC0uGw0uV8GjISIuzem//3KE=
+github.com/anthropics/anthropic-sdk-go v1.26.0 h1:oUTzFaUpAevfuELAP1sjL6CQJ9HHAfT7CoSYSac11PY=
-github.com/anthropics/anthropic-sdk-go v1.19.0/go.mod h1:WTz31rIUHUHqai2UslPpw5CwXrQP3geYBioRV4WOLvE=
+github.com/anthropics/anthropic-sdk-go v1.26.0/go.mod h1:qUKmaW+uuPB64iy1l+4kOSvaLqPXnHTTBKH6RVZ7q5Q=
 github.com/anytls/sing-anytls v0.0.11 h1:w8e9Uj1oP3m4zxkyZDewPk0EcQbvVxb7Nn+rapEx4fc=
 github.com/anytls/sing-anytls v0.0.11/go.mod h1:7rjN6IukwysmdusYsrV51Fgu1uW6vsrdd6ctjnEAln8=
-github.com/caddyserver/certmagic v0.25.0 h1:VMleO/XA48gEWes5l+Fh6tRWo9bHkhwAEhx63i+F5ic=
+github.com/caddyserver/certmagic v0.25.2 h1:D7xcS7ggX/WEY54x0czj7ioTkmDWKIgxtIi2OcQclUc=
-github.com/caddyserver/certmagic v0.25.0/go.mod h1:m9yB7Mud24OQbPHOiipAoyKPn9pKHhpSJxXR1jydBxA=
+github.com/caddyserver/certmagic v0.25.2/go.mod h1:llW/CvsNmza8S6hmsuggsZeiX+uS27dkqY27wDIuBWg=
-github.com/caddyserver/zerossl v0.1.3 h1:onS+pxp3M8HnHpN5MMbOMyNjmTheJyWRaZYwn+YTAyA=
+github.com/caddyserver/zerossl v0.1.5 h1:dkvOjBAEEtY6LIGAHei7sw2UgqSD6TrWweXpV7lvEvE=
-github.com/caddyserver/zerossl v0.1.3/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
+github.com/caddyserver/zerossl v0.1.5/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
 github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
 github.com/coder/websocket v1.8.14 h1:9L0p0iKiNOibykf283eHkKUHHrpG7f65OE3BhhO7v9g=
@@ -29,8 +33,8 @@ github.com/cretz/bine v0.2.0 h1:8GiDRGlTgz+o8H9DSnsl+5MeBK4HsExxgl6WgzOCuZo=
 github.com/cretz/bine v0.2.0/go.mod h1:WU4o9QR9wWp8AVKtTM1XD5vUHkEqnf2vVSo6dBqbetI=
 github.com/database64128/netx-go v0.1.1 h1:dT5LG7Gs7zFZBthFBbzWE6K8wAHjSNAaK7wCYZT7NzM=
 github.com/database64128/netx-go v0.1.1/go.mod h1:LNlYVipaYkQArRFDNNJ02VkNV+My9A5XR/IGS7sIBQc=
-github.com/database64128/tfo-go/v2 v2.3.1 h1:EGE+ELd5/AQ0X6YBlQ9RgKs8+kciNhgN3d8lRvfEJQw=
+github.com/database64128/tfo-go/v2 v2.3.2 h1:UhZMKiMq3swZGUiETkLBDzQnZBPSAeBMClpJGlnJ5Fw=
-github.com/database64128/tfo-go/v2 v2.3.1/go.mod h1:k9wcpg/8i5zenspBkc9jUEYehpZZccBnCElzOJB++bU=
+github.com/database64128/tfo-go/v2 v2.3.2/go.mod h1:GC3uB5oa4beGpCUbRb2ZOWP73bJJFmMyAVgQSO7r724=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -38,6 +42,8 @@ github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa h1:h8TfIT1xc8FWbww
 github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa/go.mod h1:Nx87SkVqTKd8UtT+xu7sM/l+LgXs6c0aHrlKusR+2EQ=
 github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1 h1:CaO/zOnF8VvUfEbhRatPcwKVWamvbYd8tQGRWacE9kU=
 github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1/go.mod h1:+hnT3ywWDTAFrW5aE+u2Sa/wT555ZqwoCS+pk3p6ry4=
 github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
 github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
 github.com/ebitengine/purego v0.9.1 h1:a/k2f2HQU3Pi399RPW1MOaZyhKJL9w/xFpKAg4q1s0A=
 github.com/ebitengine/purego v0.9.1/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/florianl/go-nfqueue/v2 v2.0.2 h1:FL5lQTeetgpCvac1TRwSfgaXUn0YSO7WzGvWNIp3JPE=
@@ -50,10 +56,12 @@ github.com/gaissmai/bart v0.18.0 h1:jQLBT/RduJu0pv/tLwXE+xKPgtWJejbxuXAR+wLJafo=
 github.com/gaissmai/bart v0.18.0/go.mod h1:JJzMAhNF5Rjo4SF4jWBrANuJfqY+FvsFhW7t1UZJ+XY=
 github.com/github/fakeca v0.1.0 h1:Km/MVOFvclqxPM9dZBC4+QE564nU4gz4iZ0D9pMw28I=
 github.com/github/fakeca v0.1.0/go.mod h1:+bormgoGMMuamOscx7N91aOuUST7wdaJ2rNjeohylyo=
-github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE=
+github.com/go-chi/chi/v5 v5.2.5 h1:Eg4myHZBjyvJmAFjFvWgrqDTXFyOzjj7YIm3L3mu6Ug=
-github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
+github.com/go-chi/chi/v5 v5.2.5/go.mod h1:X7Gx4mteadT3eDOMTsXzmI4/rwUpOwBHLpAfupzFJP0=
 github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
 github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
 github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
 github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced h1:Q311OHjMh/u5E2TITc++WlTP5We0xNseRMkHDyvhW7I=
 github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced/go.mod h1:TiCD2a1pcmjd7YnhGH0f/zKNcCD06B029pHhzV23c2M=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
@@ -66,8 +74,8 @@ github.com/gobwas/httphead v0.1.0 h1:exrUm0f4YX0L7EBwZHuCF4GDp8aJfVeBrlLQrs6NqWU
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
 github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
-github.com/godbus/dbus/v5 v5.2.1 h1:I4wwMdWSkmI57ewd+elNGwLRf2/dtSaFz1DujfWYvOk=
+github.com/godbus/dbus/v5 v5.2.2 h1:TUR3TgtSVDmjiXOgAAyaZbYmIeP3DPkld3jgKGV8mXQ=
-github.com/godbus/dbus/v5 v5.2.1/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c=
+github.com/godbus/dbus/v5 v5.2.2/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c=
 github.com/gofrs/uuid/v5 v5.4.0 h1:EfbpCTjqMuGyq5ZJwxqzn3Cbr2d0rUZU7v5ycAk/e/0=
 github.com/gofrs/uuid/v5 v5.4.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
@@ -91,8 +99,8 @@ github.com/hdevalence/ed25519consensus v0.2.0 h1:37ICyZqdyj0lAZ8P4D1d1id3HqbbG1N
 github.com/hdevalence/ed25519consensus v0.2.0/go.mod h1:w3BHWjwJbFU29IRHL1Iqkw3sus+7FctEyM4RqDxYNzo=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/insomniacslk/dhcp v0.0.0-20251020182700-175e84fbb167 h1:MEufgJohwIjFi2n3eJv4c/8UdRLQVUwPwSWQPoER+eU=
+github.com/insomniacslk/dhcp v0.0.0-20260220084031-5adc3eb26f91 h1:u9i04mGE3iliBh0EFuWaKsmcwrLacqGmq1G3XoaM7gY=
-github.com/insomniacslk/dhcp v0.0.0-20251020182700-175e84fbb167/go.mod h1:qfvBmyDNp+/liLEYWRvqny/PEz9hGe2Dz833eXILSmo=
+github.com/insomniacslk/dhcp v0.0.0-20260220084031-5adc3eb26f91/go.mod h1:qfvBmyDNp+/liLEYWRvqny/PEz9hGe2Dz833eXILSmo=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jsimonetti/rtnetlink v1.4.0 h1:Z1BF0fRgcETPEa0Kt0MRk3yV5+kF1FWTni6KUFKrq2I=
 github.com/jsimonetti/rtnetlink v1.4.0/go.mod h1:5W1jDvWdnthFJ7fxYX1GMK07BUpI4oskfOqvPteYS6E=
@@ -102,32 +110,36 @@ github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zt
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/letsencrypt/challtestsrv v1.4.2 h1:0ON3ldMhZyWlfVNYYpFuWRTmZNnyfiL9Hh5YzC3JVwU=
 github.com/letsencrypt/challtestsrv v1.4.2/go.mod h1:GhqMqcSoeGpYd5zX5TgwA6er/1MbWzx/o7yuuVya+Wk=
 github.com/letsencrypt/pebble/v2 v2.10.0 h1:Wq6gYXlsY6ubqI3hhxsTzdyotvfdjFBxuwYqCLCnj/U=
 github.com/letsencrypt/pebble/v2 v2.10.0/go.mod h1:Sk8cmUIPcIdv2nINo+9PB4L+ZBhzY+F9A1a/h/xmWiQ=
 github.com/libdns/acmedns v0.5.0 h1:5pRtmUj4Lb/QkNJSl1xgOGBUJTWW7RjpNaIhjpDXjPE=
 github.com/libdns/acmedns v0.5.0/go.mod h1:X7UAFP1Ep9NpTwWpVlrZzJLR7epynAy0wrIxSPFgKjQ=
-github.com/libdns/alidns v1.0.6-beta.3 h1:KAmb7FQ1tRzKsaAUGa7ZpGKAMRANwg7+1c7tUbSELq8=
+github.com/libdns/alidns v1.0.6 h1:/Ii428ty6WHFJmE24rZxq2taq++gh7rf9jhgLfp8PmM=
-github.com/libdns/alidns v1.0.6-beta.3/go.mod h1:RECwyQ88e9VqQVtSrvX76o1ux3gQUKGzMgxICi+u7Ec=
+github.com/libdns/alidns v1.0.6/go.mod h1:RECwyQ88e9VqQVtSrvX76o1ux3gQUKGzMgxICi+u7Ec=
 github.com/libdns/cloudflare v0.2.2 h1:XWHv+C1dDcApqazlh08Q6pjytYLgR2a+Y3xrXFu0vsI=
 github.com/libdns/cloudflare v0.2.2/go.mod h1:w9uTmRCDlAoafAsTPnn2nJ0XHK/eaUMh86DUk8BWi60=
 github.com/libdns/libdns v1.1.1 h1:wPrHrXILoSHKWJKGd0EiAVmiJbFShguILTg9leS/P/U=
 github.com/libdns/libdns v1.1.1/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
 github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczGlG91VSDkswnjF5A8=
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
-github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 h1:A1Cq6Ysb0GM0tpKMbdCXCIfBclan4oHk1Jb+Hrejirg=
+github.com/mdlayher/netlink v1.9.0 h1:G8+GLq2x3v4D4MVIqDdNUhTUC7TKiCy/6MDkmItfKco=
-github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42/go.mod h1:BB4YCPDOzfy7FniQ/lxuYQ3dgmM2cZumHbK8RpTjN2o=
+github.com/mdlayher/netlink v1.9.0/go.mod h1:YBnl5BXsCoRuwBjKKlZ+aYmEoq0r12FDA/3JC+94KDg=
 github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos=
 github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
 github.com/metacubex/utls v1.8.4 h1:HmL9nUApDdWSkgUyodfwF6hSjtiwCGGdyhaSpEejKpg=
 github.com/metacubex/utls v1.8.4/go.mod h1:kncGGVhFaoGn5M3pFe3SXhZCzsbCJayNOH4UEqTKTko=
-github.com/mholt/acmez/v3 v3.1.4 h1:DyzZe/RnAzT3rpZj/2Ii5xZpiEvvYk3cQEN/RmqxwFQ=
+github.com/mholt/acmez/v3 v3.1.6 h1:eGVQNObP0pBN4sxqrXeg7MYqTOWyoiYpQqITVWlrevk=
-github.com/mholt/acmez/v3 v3.1.4/go.mod h1:L1wOU06KKvq7tswuMDwKdcHeKpFFgkppZy/y0DFxagQ=
+github.com/mholt/acmez/v3 v3.1.6/go.mod h1:5nTPosTGosLxF3+LU4ygbgMRFDhbAVpqMI4+a4aHLBY=
-github.com/miekg/dns v1.1.69 h1:Kb7Y/1Jo+SG+a2GtfoFUfDkG//csdRPwRLkCsxDG9Sc=
+github.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI=
-github.com/miekg/dns v1.1.69/go.mod h1:7OyjD9nEba5OkqQ/hB4fy3PIoxafSZJtducccIelz3g=
+github.com/miekg/dns v1.1.72/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=
 github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
 github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 h1:zYyBkD/k9seD2A7fsi6Oo2LfFZAehjjQMERAvZLEDnQ=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8=
-github.com/openai/openai-go/v3 v3.15.0 h1:hk99rM7YPz+M99/5B/zOQcVwFRLLMdprVGx1vaZ8XMo=
+github.com/openai/openai-go/v3 v3.24.0 h1:08x6GnYiB+AAejTo6yzPY8RkZMJQ8NpreiOyM5QfyYU=
-github.com/openai/openai-go/v3 v3.15.0/go.mod h1:cdufnVK14cWcT9qA1rRtrXx4FTRsgbDPW7Ia7SS5cZo=
+github.com/openai/openai-go/v3 v3.24.0/go.mod h1:cdufnVK14cWcT9qA1rRtrXx4FTRsgbDPW7Ia7SS5cZo=
 github.com/oschwald/maxminddb-golang v1.13.1 h1:G3wwjdN9JmIK2o/ermkHM+98oX5fS+k5MbwsmL4MRQE=
 github.com/oschwald/maxminddb-golang v1.13.1/go.mod h1:K4pgV9N/GcK694KSTmVSDTODk4IsCNThNdTmnaBZ/F8=
 github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
@@ -150,88 +162,102 @@ github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkk
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a/go.mod h1:63s7jpZqcDAIpj8oI/1v4Izok+npJOHACFCU6+huCkM=
 github.com/sagernet/cors v1.2.1 h1:Cv5Z8y9YSD6Gm+qSpNrL3LO4lD3eQVvbFYJSG7JCMHQ=
 github.com/sagernet/cors v1.2.1/go.mod h1:O64VyOjjhrkLmQIjF4KGRrJO/5dVXFdpEmCW/eISRAI=
-github.com/sagernet/cronet-go v0.0.0-20260117110918-dc1cda1fe287 h1:0BYNmr0ptjsII948U0oBFmrbo4qEaCFcrE2JPRg3Zlk=
+github.com/sagernet/cronet-go v0.0.0-20260303101018-cba7b9ac0399 h1:x3tVYQHdqqnKbEd9/H4KIGhtHTjA+KfiiaXedI3/w8Q=
-github.com/sagernet/cronet-go v0.0.0-20260117110918-dc1cda1fe287/go.mod h1:hwFHBEjjthyEquDULbr4c4ucMedp8Drb6Jvm2kt/0Bw=
+github.com/sagernet/cronet-go v0.0.0-20260303101018-cba7b9ac0399/go.mod h1:hwFHBEjjthyEquDULbr4c4ucMedp8Drb6Jvm2kt/0Bw=
-github.com/sagernet/cronet-go/all v0.0.0-20260117110918-dc1cda1fe287 h1:ghxhYSBQpzkakqWqJDvXr/Zmxe0WjTjKuALEGbjGiGY=
+github.com/sagernet/cronet-go/all v0.0.0-20260303101018-cba7b9ac0399 h1:mD3ehudpYf1IFgCTv25d/B6KnBc/lLFq1jmSQIK24y0=
-github.com/sagernet/cronet-go/all v0.0.0-20260117110918-dc1cda1fe287/go.mod h1:M+4ZjPhLJXIvoxcQsbDofmc19Wrig59hZ+hLvj6S3To=
+github.com/sagernet/cronet-go/all v0.0.0-20260303101018-cba7b9ac0399/go.mod h1:MbYagcGGIaRo9tNrgafbCTO+Qc7eVEh32ZWMprSB8b0=
-github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260117110516-f21660bef13f h1:8jZbZ4KBTdcXDFLwUBNQt5Xci6ZuAKh255S8TwuBCaM=
+github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260303100323-125d0d93b3e6 h1:ghRKgSaswefPwQF8AYtUlNyumILOB0ptJWxgZ8MFrEE=
-github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260117110516-f21660bef13f/go.mod h1:XXDwdjX/T8xftoeJxQmbBoYXZp8MAPFR2CwbFuTpEtw=
+github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:XXDwdjX/T8xftoeJxQmbBoYXZp8MAPFR2CwbFuTpEtw=
-github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260117110516-f21660bef13f h1:tG0hCx+0u5zca7qQ7AMkcv4DCrBG/DKW1ggs/P+BRRI=
+github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260303100323-125d0d93b3e6 h1:Behr7YCnQP2dsvzAJDIoMd5nTVU9/d6MMtk/S3MctwA=
-github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:iNiUGoLtnr8/JTuVNj7XJbmpOAp2C6+B81KDrPxwaZM=
+github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:iNiUGoLtnr8/JTuVNj7XJbmpOAp2C6+B81KDrPxwaZM=
-github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260117110516-f21660bef13f h1:ZXp5hKJIA7iJ52ZShJCKMQEPLpp/7dDIVZmPGV9Il40=
+github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260303100323-125d0d93b3e6 h1:6UL9XdGU/44oTHj36e+EBDJ0RonFoObmd299NG/qQCU=
-github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260117110516-f21660bef13f/go.mod h1:19ILNUOGIzRdOqa2mq+iY0JoHxuieB7/lnjYeaA2vEc=
+github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:19ILNUOGIzRdOqa2mq+iY0JoHxuieB7/lnjYeaA2vEc=
-github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260117110516-f21660bef13f h1:gL7H8HS8s38adz4/HZtRHh79qMwsbLTRRPz4GQ9LcWI=
+github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260303100323-125d0d93b3e6 h1:Q9apxjtkj6iMIBQlTo71QsOTrNlhHneaXQb1Q0IshU8=
-github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:JxzGyQf94Cr6sBShKqODGDyRUlESfJK/Njcz9Lz6qMQ=
+github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:JxzGyQf94Cr6sBShKqODGDyRUlESfJK/Njcz9Lz6qMQ=
-github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260117110516-f21660bef13f h1:Dchgc0pAY5Jwb5lzUlE+1nhHIzqLx+YOurXLHgvWd/0=
+github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260303100323-125d0d93b3e6 h1:0N+xlnMkFEeqgFe3X/PEvHt+/t+BPgxmbx7wzNcYppg=
-github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:KN+9T9TBycGOLzmKU4QdcHAJEj6Nlx48ifnlTvvHMvs=
+github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:KN+9T9TBycGOLzmKU4QdcHAJEj6Nlx48ifnlTvvHMvs=
-github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260117110516-f21660bef13f h1:+MOLSQoduuKDxF410i1LcSPaQGaiP0eZb0INvMlmjM4=
+github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260303100323-125d0d93b3e6 h1:7f2vTXtePikBSV1bdD0zs5/WuZM+bRuej3mREpWL/qQ=
-github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:kojvtUc29KKnk8hs2QIANynVR59921SnGWA9kXohHc0=
+github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:kojvtUc29KKnk8hs2QIANynVR59921SnGWA9kXohHc0=
-github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260117110516-f21660bef13f h1:lIZna05Vn6n8k21p8OpSUnhwGm+E57PrMjiI4ZUfMSg=
+github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260303100323-125d0d93b3e6 h1:HMlnhEYs+axOa0tAJ79se3QsYB8CpRCQo9mewWWFeeg=
-github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:hkQzRE5GDbaH1/ioqYh0Taho4L6i0yLRCVEZ5xHz5M0=
+github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:hkQzRE5GDbaH1/ioqYh0Taho4L6i0yLRCVEZ5xHz5M0=
-github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260117110516-f21660bef13f h1:B2aFQ5CRHI20t8YsEizvtguS5W2QfK7D5XV/NzTIxPE=
+github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260303100323-125d0d93b3e6 h1:Ux/U6vF+1AoGLSJK3jVa9Kqkn64MX4Ivv7fy0ikDrpQ=
-github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:tzVJFTOm66UxLxy6K0ZN5Ic2PC79e+sKKnt+V9puEa4=
+github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:tzVJFTOm66UxLxy6K0ZN5Ic2PC79e+sKKnt+V9puEa4=
-github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260117110516-f21660bef13f h1:qpSwJ1rFGYCfJDenNCZoWYjoG7N+xEa6ke+E7/JO1i4=
+github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260303100323-125d0d93b3e6 h1:5Dhuere2bQFzfGvKxA7TFgA5MoTtgcZMmJQuKwQKlyA=
-github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:M/pN6m3j0HFU6/y83n0HU6GLYys3tYdr/xTE8hVEGMo=
+github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:M/pN6m3j0HFU6/y83n0HU6GLYys3tYdr/xTE8hVEGMo=
-github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260117110516-f21660bef13f h1:cx7Ipg0tSvTDjS4maMEYz4vuzz93BMPAysmZ1YLrz80=
+github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260303100323-125d0d93b3e6 h1:aMRcLow4UpZWZ28fR9FjveTL/4okrigZySIkEVZnlgA=
-github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260117110516-f21660bef13f/go.mod h1:cGh5hO6eljCo6KMQ/Cel8Xgq4+etL0awZLRBDVG1EZQ=
+github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:cGh5hO6eljCo6KMQ/Cel8Xgq4+etL0awZLRBDVG1EZQ=
-github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260117110516-f21660bef13f h1:4jOHuUiBxD8pJEpBBVQfJqyLmxjpd3t4MLRzU7YLFyg=
+github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260303100323-125d0d93b3e6 h1:y4g8oNtEfSdcKrBKsH5vMAjzGthvhHFNU80sanYDQEM=
-github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:JFE0/cxaKkx0wqPMZU7MgaplQlU0zudv82dROJjClKU=
+github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:JFE0/cxaKkx0wqPMZU7MgaplQlU0zudv82dROJjClKU=
-github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260117110516-f21660bef13f h1:OpXBa2WlRU+Mam9oRe9Nn4/zf7gQ+qiBTNK8A5RwbfQ=
+github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260303100323-125d0d93b3e6 h1:CXN6OPILi5trwffmYiiJ9rqJL3XAWx1menLrBBwA0gU=
-github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:vU8VftFeSt7fURCa3JXD6+k6ss1YAX+idQjPvHmJ2tI=
+github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:vU8VftFeSt7fURCa3JXD6+k6ss1YAX+idQjPvHmJ2tI=
-github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260117110516-f21660bef13f h1:nJpGFi+6hI85tl4zoyNFEnFEQ5+xEV5gyvsUoMvd8g0=
+github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260303100323-125d0d93b3e6 h1:ZphFHQeFOTpqCWPwFcQRnrePXajml8LbKlYFJ5n0isU=
-github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:vCe4OUuL+XOUge9v3MyTD45BnuAXiH+DkjN9quDXJzQ=
+github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:vCe4OUuL+XOUge9v3MyTD45BnuAXiH+DkjN9quDXJzQ=
-github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260117110516-f21660bef13f h1:SEy2rpmgOJgrqcEryJI/RSnqUWIsEsp0cfYoA8y21jc=
+github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260303100323-125d0d93b3e6 h1:nKzFK84oANHz7I6bab+25bBY+pdpAbO0b3NJroyLldo=
-github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260117110516-f21660bef13f/go.mod h1:w9amBWrvjtohQzBGCKJ7LCh22LhTIJs4sE7cYaKQzM0=
+github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:w9amBWrvjtohQzBGCKJ7LCh22LhTIJs4sE7cYaKQzM0=
-github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260117110516-f21660bef13f h1:EW2TuFMLm0iBGqRZtuGwIZdeYmDtDsDmRcRRJQOMxUo=
+github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260303100323-125d0d93b3e6 h1:HqqZUGRXcWvvwlbuvjk/efo8TKW1H/aHdqQTde+Xs9Q=
-github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:TqlsFtcYS/etTeck46kHBeT8Le0Igw1Q/AV88UnMS3s=
+github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:TqlsFtcYS/etTeck46kHBeT8Le0Igw1Q/AV88UnMS3s=
-github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260117110516-f21660bef13f h1:3U5woxrNCkzfv1+UX+mVoWh1228AE1qAiMG02F9oFbY=
+github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260303100323-125d0d93b3e6 h1:D2v9lZZG5sm4x/CkG7uqc6ZU3YlhFQ+GmJfvZMK0h/s=
-github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:B6Qd0vys8sv9OKVRN6J9RqDzYRGE938Fb2zrYdBDyTQ=
+github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:B6Qd0vys8sv9OKVRN6J9RqDzYRGE938Fb2zrYdBDyTQ=
-github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260117110516-f21660bef13f h1:YwFTfuWG3mmctroeDYtFZ6LHjGsedVO+5wInYbbUuUY=
+github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260303100323-125d0d93b3e6 h1:TWveNeXHrA5r8XOlf+vw7U2b2M0ip6GNF89jcUi1ogw=
-github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:3tXMMFY7AHugOVBZ5Al7cL7JKsnFOe5bMVr0hZPk3ow=
+github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:3tXMMFY7AHugOVBZ5Al7cL7JKsnFOe5bMVr0hZPk3ow=
-github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260117110516-f21660bef13f h1:r4V0ddPCRLgGu0VdgR3aUsO9NjpmyjAf+h+3oTD9D6E=
+github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260303100323-125d0d93b3e6 h1:DVCBoXOZI4PNG0cbCLg8lrphRXoLFcAIDLNmzsCVg3I=
-github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:aaX0YGl8nhGmfRWI8bc3BtDjY8Vzx6O0cS/e1uqxDq4=
+github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:Wt5uFdU3tnmm8YzobYewwdF7Mt6SucRQg6xeTNWC3Tk=
-github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260117110516-f21660bef13f h1:B8yf4gFvEYUnwWmtVK9sdwUsflYZ387MhYmlOP2ohFQ=
+github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260303100323-125d0d93b3e6 h1:7s5xqNlBUWkIXdruPYi3/txXekQhGWxrYxbnB0cnARo=
-github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:EdzMKA96xITc42QEI+ct4SwqX8Dn3ltKK8wzdkLWpSc=
+github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:lyIF6wKBLwWa5ZXaAKbAoewewl+yCHo2iYev39Mbj4E=
-github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260117110516-f21660bef13f h1:9YyaMg4rO1/jIgrxmNb0LKH+X7frSYWfX2pFgW5JUVM=
+github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260303100323-125d0d93b3e6 h1:eyEb+Q7VH4hpE1nV+EmEnN2XX5WilgBpIsfCw4C/7no=
-github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:qix4kv1TTAJ5tY4lJ9vjhe9EY4mM+B7H5giOhbxDVcc=
+github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:H46PnSTTZNcZokLLiDeMDaHiS1l14PH3tzWi0eykjD8=
-github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260117110516-f21660bef13f h1:B0fnGu0sh9yT/9JDN5u/GqThGoOzNN/daOAuGWFLXEk=
+github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260303100323-125d0d93b3e6 h1:9F1W7+z1hHST6GSzdpQ8Q0NCkneAL18dkRA1HfxH09A=
-github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:lm9w/oCCRyBiUa3G8lDQTT8x/ONUvgVR2iV9fVzUZB8=
+github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:RBhSUDAKWq7fswtV4nQUQhuaTLcX3ettR7teA7/yf2w=
-github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260117110516-f21660bef13f h1:lxPcIXKSSI5JDhc7rx/6yufISWM4vtBS2FY9PavWQTs=
+github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260303100323-125d0d93b3e6 h1:MmQIR3iJsdvw1ONBP3geK57i9c3+v9dXPMNdZYcYGKw=
-github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:n34YyLgapgjWdKa0IoeczjAFCwD3/dxbsH5sucKw0bw=
+github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:wRzoIOGG4xbpp3Gh3triLKwMwYriScXzFtunLYhY4w0=
 github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260303100323-125d0d93b3e6 h1:j6Pk1Wsl+PCbKRXtp7a912D2D6zqX5Nk51wDQU9TEDc=
 github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:LNiZXmWil1OPwKCheqQjtakZlJuKGFz+iv2eGF76Hhs=
 github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260303100323-125d0d93b3e6 h1:0DnFhbRfNqwguNCxiinA7BowQ/RaFt627sjW09JNp80=
 github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:YFDGKTkpkJGc5+hnX/RYosZyTWg9h+68VB55fYRRLYc=
 github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260303100323-125d0d93b3e6 h1:3CZmlEk2/WW5UHLFJZxXPJ9IJxX3td8U3PyqWSGMl3c=
 github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:aaX0YGl8nhGmfRWI8bc3BtDjY8Vzx6O0cS/e1uqxDq4=
 github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260303100323-125d0d93b3e6 h1:eHkVRptoZf3BuuskkjcclO2dwQrX4zluoVGODMrX7n0=
 github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:EdzMKA96xITc42QEI+ct4SwqX8Dn3ltKK8wzdkLWpSc=
 github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260303100323-125d0d93b3e6 h1:UgFmE0cZo9euu8/7sTAhj1G8lldavwXBdcPNyTE29CQ=
 github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:qix4kv1TTAJ5tY4lJ9vjhe9EY4mM+B7H5giOhbxDVcc=
 github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260303100323-125d0d93b3e6 h1:xbg3ZB9tLMGDQe4+aewG0Z4bEP/2pLtYBcDzILv5eEc=
 github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:lm9w/oCCRyBiUa3G8lDQTT8x/ONUvgVR2iV9fVzUZB8=
 github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260303100323-125d0d93b3e6 h1:M0bTSTSTnSMlPY2WaZT6fL5TFICqk8v4cm+QVf8Fcao=
 github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:n34YyLgapgjWdKa0IoeczjAFCwD3/dxbsH5sucKw0bw=
 github.com/sagernet/fswatch v0.1.1 h1:YqID+93B7VRfqIH3PArW/XpJv5H4OLEVWDfProGoRQs=
 github.com/sagernet/fswatch v0.1.1/go.mod h1:nz85laH0mkQqJfaOrqPpkwtU1znMFNVTpT/5oRsVz/o=
-github.com/sagernet/gomobile v0.1.11 h1:niMQAspvuThup5eRZQpsGcbM76zAvnsGr7RUIpnQMDQ=
+github.com/sagernet/gomobile v0.1.12 h1:XwzjZaclFF96deLqwAgK8gU3w0M2A8qxgDmhV+A0wjg=
-github.com/sagernet/gomobile v0.1.11/go.mod h1:A8l3FlHi2D/+mfcd4HHvk5DGFPW/ShFb9jHP5VmSiDY=
+github.com/sagernet/gomobile v0.1.12/go.mod h1:A8l3FlHi2D/+mfcd4HHvk5DGFPW/ShFb9jHP5VmSiDY=
 github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1 h1:AzCE2RhBjLJ4WIWc/GejpNh+z30d5H1hwaB0nD9eY3o=
 github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1/go.mod h1:NJKBtm9nVEK3iyOYWsUlrDQuoGh4zJ4KOPhSYVidvQ4=
 github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a h1:ObwtHN2VpqE0ZNjr6sGeT00J8uU7JF4cNUdb44/Duis=
 github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
 github.com/sagernet/nftables v0.3.0-beta.4 h1:kbULlAwAC3jvdGAC1P5Fa3GSxVwQJibNenDW2zaXr8I=
 github.com/sagernet/nftables v0.3.0-beta.4/go.mod h1:OQXAjvjNGGFxaTgVCSTRIhYB5/llyVDeapVoENYBDS8=
-github.com/sagernet/quic-go v0.59.0-sing-box-mod.2 h1:hJUL+HtxEOjxsa0CsucbBVqI/AMS4k52NwNU637zmdw=
+github.com/sagernet/quic-go v0.59.0-sing-box-mod.4 h1:6qvrUW79S+CrPwWz6cMePXohgjHoKxLo3c+MDhNwc3o=
-github.com/sagernet/quic-go v0.59.0-sing-box-mod.2/go.mod h1:OqILvS182CyOol5zNNo6bguvOGgXzV459+chpRaUC+4=
+github.com/sagernet/quic-go v0.59.0-sing-box-mod.4/go.mod h1:OqILvS182CyOol5zNNo6bguvOGgXzV459+chpRaUC+4=
-github.com/sagernet/sing v0.8.0-beta.16 h1:Fe+6E9VHYky9Mx4cf0ugbZPWDcXRflpAu7JQ5bWXvaA=
+github.com/sagernet/sing v0.8.1 h1:Li+zg4xdiMsvdX4j50TPqmSG8LF/TB9US2qlAN40izU=
-github.com/sagernet/sing v0.8.0-beta.16/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/sing v0.8.1/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-mux v0.3.4 h1:ZQplKl8MNXutjzbMVtWvWG31fohhgOfCuUZR4dVQ8+s=
 github.com/sagernet/sing-mux v0.3.4/go.mod h1:QvlKMyNBNrQoyX4x+gq028uPbLM2XeRpWtDsWBJbFSk=
-github.com/sagernet/sing-quic v0.6.0-beta.12 h1:njyU2NYGBITShAu31wJRmqAtx7hQBcXqBPowDv+W0sk=
+github.com/sagernet/sing-quic v0.6.0 h1:dhrFnP45wgVKEOT1EvtsToxdzRnHIDIAgj6WHV9pLyM=
-github.com/sagernet/sing-quic v0.6.0-beta.12/go.mod h1:K5bWvITOm4vE10fwLfrWpw27bCoVJ+tfQ79tOWg+Ko8=
+github.com/sagernet/sing-quic v0.6.0/go.mod h1:K5bWvITOm4vE10fwLfrWpw27bCoVJ+tfQ79tOWg+Ko8=
 github.com/sagernet/sing-shadowsocks v0.2.8 h1:PURj5PRoAkqeHh2ZW205RWzN9E9RtKCVCzByXruQWfE=
 github.com/sagernet/sing-shadowsocks v0.2.8/go.mod h1:lo7TWEMDcN5/h5B8S0ew+r78ZODn6SwVaFhvB6H+PTI=
 github.com/sagernet/sing-shadowsocks2 v0.2.1 h1:dWV9OXCeFPuYGHb6IRqlSptVnSzOelnqqs2gQ2/Qioo=
 github.com/sagernet/sing-shadowsocks2 v0.2.1/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11 h1:tK+75l64tm9WvEFrYRE1t0YxoFdWQqw/h7Uhzj0vJ+w=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11/go.mod h1:sWqKnGlMipCHaGsw1sTTlimyUpgzP4WP3pjhCsYt9oA=
-github.com/sagernet/sing-tun v0.8.0-beta.17 h1:6DdbNXeTFYj8Tb4FCh8Mp2boA3rVY6VNqzTOObj7Xis=
+github.com/sagernet/sing-tun v0.8.2 h1:rQr/x3eQCHh3oleIaoJdPdJwqzZp4+QWcJLT0Wz2xKY=
-github.com/sagernet/sing-tun v0.8.0-beta.17/go.mod h1:+HAK/y9GZljdT0KYKMYDR8MjjqnqDDQZYp5ZZQoRzS8=
+github.com/sagernet/sing-tun v0.8.2/go.mod h1:pLCo4o+LacXEzz0bhwhJkKBjLlKOGPBNOAZ97ZVZWzs=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1 h1:aSwUNYUkVyVvdmBSufR8/nRFonwJeKSIROxHcm5br9o=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1/go.mod h1:P11scgTxMxVVQ8dlM27yNm3Cro40mD0+gHbnqrNGDuY=
 github.com/sagernet/smux v1.5.50-sing-box-mod.1 h1:XkJcivBC9V4wBjiGXIXZ229aZCU1hzcbp6kSkkyQ478=
 github.com/sagernet/smux v1.5.50-sing-box-mod.1/go.mod h1:NjhsCEWedJm7eFLyhuBgIEzwfhRmytrUoiLluxs5Sk8=
-github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6 h1:eYz/OpMqWCvO2++iw3dEuzrlfC2xv78GdlGvprIM6O8=
+github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260303140313-3bcf9a4b9349 h1:ju7aTbndj2sqK4NplE97ynLdhuCtel5OS4e0NrT71nk=
-github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6/go.mod h1:m87GAn4UcesHQF3leaPFEINZETO5za1LGn1GJdNDgNc=
+github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260303140313-3bcf9a4b9349/go.mod h1:m87GAn4UcesHQF3leaPFEINZETO5za1LGn1GJdNDgNc=
-github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20250917110311-16510ac47288 h1:E2tZFeg9mGYGQ7E7BbxMv1cU35HxwgRm6tPKI2Pp7DA=
+github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c h1:f9cXNB+IOOPnR8DOLMTpr42jf7naxh5Un5Y09BBf5Cg=
-github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20250917110311-16510ac47288/go.mod h1:WUxgxUDZoCF2sxVmW+STSxatP02Qn3FcafTiI2BLtE0=
+github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c/go.mod h1:WUxgxUDZoCF2sxVmW+STSxatP02Qn3FcafTiI2BLtE0=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854 h1:6uUiZcDRnZSAegryaUGwPC/Fj13JSHwiTftrXhMmYOc=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854/go.mod h1:LtfoSK3+NG57tvnVEHgcuBW9ujgE8enPSgzgwStwCAA=
 github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
@@ -283,16 +309,16 @@ github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
 github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
+go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48=
-go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
+go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8=
-go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
+go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0=
-go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
+go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs=
-go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
+go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18=
-go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
+go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE=
-go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
+go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8=
-go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
+go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=
-go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
+go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI=
-go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
+go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
@@ -307,20 +333,20 @@ go4.org/mem v0.0.0-20240501181205-ae6ca9944745/go.mod h1:reUoABIJ9ikfM5sgtSF3Wus
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
-golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
+golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
 golang.org/x/exp v0.0.0-20251219203646-944ab1f22d93 h1:fQsdNF2N+/YewlRZiricy4P1iimyPKZ/xwniHj8Q2a0=
 golang.org/x/exp v0.0.0-20251219203646-944ab1f22d93/go.mod h1:EPRbTFwzwjXj9NpYyyrvenVh9Y+GFeEvMNh7Xuz7xgU=
 golang.org/x/image v0.27.0 h1:C8gA4oWU/tKkdCfYT6T2u4faJu3MeNS5O8UPWlPF61w=
 golang.org/x/image v0.27.0/go.mod h1:xbdrClrAUway1MUTEZDq9mz/UpRwYAkFFNUslZtcB+g=
-golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
+golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
-golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
+golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
+golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
-golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
-golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
-golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
 golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
@@ -330,20 +356,20 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
-golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
+golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
-golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
+golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
-golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
 golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
 golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
+golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
-golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
+golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -355,15 +381,17 @@ golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus
 golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 h1:M1rk8KBnUsBDg1oPGHNCxG4vc1f49epmTO7xscSajMk=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
-google.golang.org/grpc v1.77.0 h1:wVVY6/8cGA6vvffn+wWK5ToddbgdU3d8MNENr4evgXM=
+google.golang.org/grpc v1.79.1 h1:zGhSi45ODB9/p3VAawt9a+O/MULLl9dpizzNNpq7flY=
-google.golang.org/grpc v1.77.0/go.mod h1:z0BY1iVj0q8E1uSQCjL9cppRj+gnZjzDnzV0dHhrNig=
+google.golang.org/grpc v1.79.1/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
 google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
 gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/include/oom_killer.go
+++ b/include/oom_killer.go
@@ -0,0 +1,10 @@
 package include
 import (
 	"github.com/sagernet/sing-box/adapter/service"
 	"github.com/sagernet/sing-box/service/oomkiller"
 )
 func registerOOMKillerService(registry *service.Registry) {
 	oomkiller.RegisterService(registry)
 }
--- a/include/registry.go
+++ b/include/registry.go
@@ -20,7 +20,6 @@ import (
 	"github.com/sagernet/sing-box/protocol/anytls"
 	"github.com/sagernet/sing-box/protocol/block"
 	"github.com/sagernet/sing-box/protocol/direct"
 	protocolDNS "github.com/sagernet/sing-box/protocol/dns"
 	"github.com/sagernet/sing-box/protocol/group"
 	"github.com/sagernet/sing-box/protocol/http"
 	"github.com/sagernet/sing-box/protocol/mixed"
@@ -76,7 +75,6 @@ func OutboundRegistry() *outbound.Registry {
 	direct.RegisterOutbound(registry)
 	block.RegisterOutbound(registry)
 	protocolDNS.RegisterOutbound(registry)
 	group.RegisterSelector(registry)
 	group.RegisterURLTest(registry)
@@ -94,7 +92,6 @@ func OutboundRegistry() *outbound.Registry {
 	anytls.RegisterOutbound(registry)
 	registerQUICOutbounds(registry)
 	registerWireGuardOutbound(registry)
 	registerStubForRemovedOutbounds(registry)
 	return registry
@@ -137,6 +134,7 @@ func ServiceRegistry() *service.Registry {
 	registerDERPService(registry)
 	registerCCMService(registry)
 	registerOCMService(registry)
 	registerOOMKillerService(registry)
 	return registry
 }
@@ -151,4 +149,7 @@ func registerStubForRemovedOutbounds(registry *outbound.Registry) {
 	outbound.Register[option.ShadowsocksROutboundOptions](registry, C.TypeShadowsocksR, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.ShadowsocksROutboundOptions) (adapter.Outbound, error) {
 		return nil, E.New("ShadowsocksR is deprecated and removed in sing-box 1.6.0")
 	})
 	outbound.Register[option.StubOptions](registry, C.TypeWireGuard, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.StubOptions) (adapter.Outbound, error) {
 		return nil, E.New("WireGuard outbound is deprecated in sing-box 1.11.0 and removed in sing-box 1.13.0, use WireGuard endpoint instead")
 	})
 }
--- a/include/wireguard.go
+++ b/include/wireguard.go
@@ -4,14 +4,9 @@ package include
 import (
 	"github.com/sagernet/sing-box/adapter/endpoint"
 	"github.com/sagernet/sing-box/adapter/outbound"
 	"github.com/sagernet/sing-box/protocol/wireguard"
 )
 func registerWireGuardOutbound(registry *outbound.Registry) {
 	wireguard.RegisterOutbound(registry)
 }
 func registerWireGuardEndpoint(registry *endpoint.Registry) {
 	wireguard.RegisterEndpoint(registry)
 }
--- a/include/wireguard_stub.go
+++ b/include/wireguard_stub.go
@@ -7,19 +7,12 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/adapter/endpoint"
 	"github.com/sagernet/sing-box/adapter/outbound"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 func registerWireGuardOutbound(registry *outbound.Registry) {
 	outbound.Register[option.LegacyWireGuardOutboundOptions](registry, C.TypeWireGuard, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.LegacyWireGuardOutboundOptions) (adapter.Outbound, error) {
 		return nil, E.New(`WireGuard is not included in this build, rebuild with -tags with_wireguard`)
 	})
 }
 func registerWireGuardEndpoint(registry *endpoint.Registry) {
 	endpoint.Register[option.WireGuardEndpointOptions](registry, C.TypeWireGuard, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.WireGuardEndpointOptions) (adapter.Endpoint, error) {
 		return nil, E.New(`WireGuard is not included in this build, rebuild with -tags with_wireguard`)
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -1,4 +1,5 @@
 site_name: sing-box
 site_url: https://sing-box.sagernet.org/
 site_author: nekohasekai
 repo_url: https://github.com/SagerNet/sing-box
 repo_name: SagerNet/sing-box
--- a/option/direct.go
+++ b/option/direct.go
@@ -3,7 +3,7 @@ package option
 import (
 	"context"
-	"github.com/sagernet/sing-box/experimental/deprecated"
+	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 )
@@ -31,8 +31,9 @@ func (d *DirectOutboundOptions) UnmarshalJSONContext(ctx context.Context, conten
 	if err != nil {
 		return err
 	}
 	//nolint:staticcheck
 	if d.OverrideAddress != "" || d.OverridePort != 0 {
-		deprecated.Report(ctx, deprecated.OptionDestinationOverrideFields)
+		return E.New("destination override fields in direct outbound are deprecated in sing-box 1.11.0 and removed in sing-box 1.13.0, use route options instead")
 	}
 	return nil
 }
--- a/option/inbound.go
+++ b/option/inbound.go
@@ -55,7 +55,6 @@ type InboundOptions struct {
 	SniffTimeout              badoption.Duration `json:"sniff_timeout,omitempty"`
 	DomainStrategy            DomainStrategy     `json:"domain_strategy,omitempty"`
 	UDPDisableDomainUnmapping bool               `json:"udp_disable_domain_unmapping,omitempty"`
 	Detour                    string             `json:"detour,omitempty"`
 }
 type ListenOptions struct {
@@ -73,6 +72,7 @@ type ListenOptions struct {
 	UDPFragment          *bool              `json:"udp_fragment,omitempty"`
 	UDPFragmentDefault   bool               `json:"-"`
 	UDPTimeout           UDPTimeoutCompat   `json:"udp_timeout,omitempty"`
 	Detour               string             `json:"detour,omitempty"`
 	// Deprecated: removed
 	ProxyProtocol bool `json:"proxy_protocol,omitempty"`
--- a/option/naive.go
+++ b/option/naive.go
@@ -2,6 +2,7 @@ package option
 import (
 	"github.com/sagernet/sing/common/auth"
 	"github.com/sagernet/sing/common/byteformats"
 	"github.com/sagernet/sing/common/json/badoption"
 )
@@ -26,12 +27,14 @@ type NaiveInboundOptions struct {
 type NaiveOutboundOptions struct {
 	DialerOptions
 	ServerOptions
-	Username              string               `json:"username,omitempty"`
+	Username                 string                   `json:"username,omitempty"`
-	Password              string               `json:"password,omitempty"`
+	Password                 string                   `json:"password,omitempty"`
-	InsecureConcurrency   int                  `json:"insecure_concurrency,omitempty"`
+	InsecureConcurrency      int                      `json:"insecure_concurrency,omitempty"`
-	ExtraHeaders          badoption.HTTPHeader `json:"extra_headers,omitempty"`
+	ExtraHeaders             badoption.HTTPHeader     `json:"extra_headers,omitempty"`
-	UDPOverTCP            *UDPOverTCPOptions   `json:"udp_over_tcp,omitempty"`
+	ReceiveWindow            *byteformats.MemoryBytes `json:"stream_receive_window,omitempty"`
-	QUIC                  bool                 `json:"quic,omitempty"`
+	UDPOverTCP               *UDPOverTCPOptions       `json:"udp_over_tcp,omitempty"`
-	QUICCongestionControl string               `json:"quic_congestion_control,omitempty"`
+	QUIC                     bool                     `json:"quic,omitempty"`
 	QUICCongestionControl    string                   `json:"quic_congestion_control,omitempty"`
 	QUICSessionReceiveWindow *byteformats.MemoryBytes `json:"quic_session_receive_window,omitempty"`
 	OutboundTLSOptionsContainer
 }
--- a/option/oom_killer.go
+++ b/option/oom_killer.go
@@ -0,0 +1,14 @@
 package option
 import (
 	"github.com/sagernet/sing/common/byteformats"
 	"github.com/sagernet/sing/common/json/badoption"
 )
 type OOMKillerServiceOptions struct {
 	MemoryLimit       *byteformats.MemoryBytes `json:"memory_limit,omitempty"`
 	SafetyMargin      *byteformats.MemoryBytes `json:"safety_margin,omitempty"`
 	MinInterval       badoption.Duration       `json:"min_interval,omitempty"`
 	MaxInterval       badoption.Duration       `json:"max_interval,omitempty"`
 	ChecksBeforeLimit int                      `json:"checks_before_limit,omitempty"`
 }
--- a/option/outbound.go
+++ b/option/outbound.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 	"github.com/sagernet/sing/common/json/badjson"
@@ -40,7 +39,7 @@ func (h *Outbound) UnmarshalJSONContext(ctx context.Context, content []byte) err
 	}
 	switch h.Type {
 	case C.TypeDNS:
-		deprecated.Report(ctx, deprecated.OptionSpecialOutbounds)
+		return E.New("dns outbound is deprecated in sing-box 1.11.0 and removed in sing-box 1.13.0, use rule actions instead")
 	}
 	options, loaded := registry.CreateOptions(h.Type)
 	if !loaded {
@@ -51,8 +50,9 @@ func (h *Outbound) UnmarshalJSONContext(ctx context.Context, content []byte) err
 		return err
 	}
 	if listenWrapper, isListen := options.(ListenOptionsWrapper); isListen {
 		//nolint:staticcheck
 		if listenWrapper.TakeListenOptions().InboundOptions != (InboundOptions{}) {
-			deprecated.Report(ctx, deprecated.OptionInboundOptions)
+			return E.New("legacy inbound fields are deprecated in sing-box 1.11.0 and removed in sing-box 1.13.0, use rule actions instead")
 		}
 	}
 	h.Options = options
--- a/option/tailscale.go
+++ b/option/tailscale.go
@@ -12,22 +12,23 @@ import (
 type TailscaleEndpointOptions struct {
 	DialerOptions
-	StateDirectory             string           `json:"state_directory,omitempty"`
+	StateDirectory             string                     `json:"state_directory,omitempty"`
-	AuthKey                    string           `json:"auth_key,omitempty"`
+	AuthKey                    string                     `json:"auth_key,omitempty"`
-	ControlURL                 string           `json:"control_url,omitempty"`
+	ControlURL                 string                     `json:"control_url,omitempty"`
-	Ephemeral                  bool             `json:"ephemeral,omitempty"`
+	Ephemeral                  bool                       `json:"ephemeral,omitempty"`
-	Hostname                   string           `json:"hostname,omitempty"`
+	Hostname                   string                     `json:"hostname,omitempty"`
-	AcceptRoutes               bool             `json:"accept_routes,omitempty"`
+	AcceptRoutes               bool                       `json:"accept_routes,omitempty"`
-	ExitNode                   string           `json:"exit_node,omitempty"`
+	ExitNode                   string                     `json:"exit_node,omitempty"`
-	ExitNodeAllowLANAccess     bool             `json:"exit_node_allow_lan_access,omitempty"`
+	ExitNodeAllowLANAccess     bool                       `json:"exit_node_allow_lan_access,omitempty"`
-	AdvertiseRoutes            []netip.Prefix   `json:"advertise_routes,omitempty"`
+	AdvertiseRoutes            []netip.Prefix             `json:"advertise_routes,omitempty"`
-	AdvertiseExitNode          bool             `json:"advertise_exit_node,omitempty"`
+	AdvertiseExitNode          bool                       `json:"advertise_exit_node,omitempty"`
-	RelayServerPort            *uint16          `json:"relay_server_port,omitempty"`
+	AdvertiseTags              badoption.Listable[string] `json:"advertise_tags,omitempty"`
-	RelayServerStaticEndpoints []netip.AddrPort `json:"relay_server_static_endpoints,omitempty"`
+	RelayServerPort            *uint16                    `json:"relay_server_port,omitempty"`
-	SystemInterface            bool             `json:"system_interface,omitempty"`
+	RelayServerStaticEndpoints []netip.AddrPort           `json:"relay_server_static_endpoints,omitempty"`
-	SystemInterfaceName        string           `json:"system_interface_name,omitempty"`
+	SystemInterface            bool                       `json:"system_interface,omitempty"`
-	SystemInterfaceMTU         uint32           `json:"system_interface_mtu,omitempty"`
+	SystemInterfaceName        string                     `json:"system_interface_name,omitempty"`
-	UDPTimeout                 UDPTimeoutCompat `json:"udp_timeout,omitempty"`
+	SystemInterfaceMTU         uint32                     `json:"system_interface_mtu,omitempty"`
 	UDPTimeout                 UDPTimeoutCompat           `json:"udp_timeout,omitempty"`
 }
 type TailscaleDNSServerOptions struct {
--- a/option/wireguard.go
+++ b/option/wireguard.go
@@ -28,28 +28,3 @@ type WireGuardPeer struct {
 	PersistentKeepaliveInterval uint16                           `json:"persistent_keepalive_interval,omitempty"`
 	Reserved                    []uint8                          `json:"reserved,omitempty"`
 }
 type LegacyWireGuardOutboundOptions struct {
 	DialerOptions
 	SystemInterface bool                             `json:"system_interface,omitempty"`
 	GSO             bool                             `json:"gso,omitempty"`
 	InterfaceName   string                           `json:"interface_name,omitempty"`
 	LocalAddress    badoption.Listable[netip.Prefix] `json:"local_address"`
 	PrivateKey      string                           `json:"private_key"`
 	Peers           []LegacyWireGuardPeer            `json:"peers,omitempty"`
 	ServerOptions
 	PeerPublicKey string      `json:"peer_public_key"`
 	PreSharedKey  string      `json:"pre_shared_key,omitempty"`
 	Reserved      []uint8     `json:"reserved,omitempty"`
 	Workers       int         `json:"workers,omitempty"`
 	MTU           uint32      `json:"mtu,omitempty"`
 	Network       NetworkList `json:"network,omitempty"`
 }
 type LegacyWireGuardPeer struct {
 	ServerOptions
 	PublicKey    string                           `json:"public_key,omitempty"`
 	PreSharedKey string                           `json:"pre_shared_key,omitempty"`
 	AllowedIPs   badoption.Listable[netip.Prefix] `json:"allowed_ips,omitempty"`
 	Reserved     []uint8                          `json:"reserved,omitempty"`
 }
--- a/protocol/anytls/inbound.go
+++ b/protocol/anytls/inbound.go
@@ -122,7 +122,6 @@ func (h *inboundHandler) NewConnectionEx(ctx context.Context, conn net.Conn, sou
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
 	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.Source = source
 	metadata.Destination = destination.Unwrap()
 	if userName, _ := auth.UserFromContext[string](ctx); userName != "" {
--- a/protocol/direct/inbound.go
+++ b/protocol/direct/inbound.go
@@ -111,7 +111,6 @@ func (i *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 	//nolint:staticcheck
 	metadata.InboundDetour = i.listener.ListenOptions().Detour
 	//nolint:staticcheck
 	metadata.InboundOptions = i.listener.ListenOptions().InboundOptions
 	metadata.Source = source
 	destination = i.listener.UDPAddr()
 	switch i.overrideOption {
--- a/protocol/direct/outbound.go
+++ b/protocol/direct/outbound.go
@@ -16,7 +16,6 @@ import (
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing-tun/ping"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
@@ -36,14 +35,12 @@ var (
 type Outbound struct {
 	outbound.Adapter
-	ctx                 context.Context
+	ctx            context.Context
-	logger              logger.ContextLogger
+	logger         logger.ContextLogger
-	dialer              dialer.ParallelInterfaceDialer
+	dialer         dialer.ParallelInterfaceDialer
-	domainStrategy      C.DomainStrategy
+	domainStrategy C.DomainStrategy
-	fallbackDelay       time.Duration
+	fallbackDelay  time.Duration
-	overrideOption      int
+	isEmpty        bool
 	overrideDestination M.Socksaddr
 	isEmpty             bool
 	// loopBack *loopBackDetector
 }
@@ -69,25 +66,13 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 		domainStrategy: C.DomainStrategy(options.DomainStrategy),
 		fallbackDelay:  time.Duration(options.FallbackDelay),
 		dialer:         outboundDialer.(dialer.ParallelInterfaceDialer),
-		//nolint:staticcheck
+		isEmpty:        reflect.DeepEqual(options.DialerOptions, option.DialerOptions{UDPFragmentDefault: true}),
 		isEmpty: reflect.DeepEqual(options.DialerOptions, option.DialerOptions{UDPFragmentDefault: true}) && options.OverrideAddress == "" && options.OverridePort == 0,
 		// loopBack:       newLoopBackDetector(router),
 	}
 	//nolint:staticcheck
 	if options.ProxyProtocol != 0 {
 		return nil, E.New("Proxy Protocol is deprecated and removed in sing-box 1.6.0")
 	}
 	//nolint:staticcheck
 	if options.OverrideAddress != "" && options.OverridePort != 0 {
 		outbound.overrideOption = 1
 		outbound.overrideDestination = M.ParseSocksaddrHostPort(options.OverrideAddress, options.OverridePort)
 	} else if options.OverrideAddress != "" {
 		outbound.overrideOption = 2
 		outbound.overrideDestination = M.ParseSocksaddrHostPort(options.OverrideAddress, options.OverridePort)
 	} else if options.OverridePort != 0 {
 		outbound.overrideOption = 3
 		outbound.overrideDestination = M.Socksaddr{Port: options.OverridePort}
 	}
 	return outbound, nil
 }
@@ -95,16 +80,6 @@ func (h *Outbound) DialContext(ctx context.Context, network string, destination
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
 	switch h.overrideOption {
 	case 1:
 		destination = h.overrideDestination
 	case 2:
 		newDestination := h.overrideDestination
 		newDestination.Port = destination.Port
 		destination = newDestination
 	case 3:
 		destination.Port = h.overrideDestination.Port
 	}
 	network = N.NetworkName(network)
 	switch network {
 	case N.NetworkTCP:
@@ -124,30 +99,12 @@ func (h *Outbound) ListenPacket(ctx context.Context, destination M.Socksaddr) (n
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
-	originDestination := destination
+	h.logger.InfoContext(ctx, "outbound packet connection")
 	switch h.overrideOption {
 	case 1:
 		destination = h.overrideDestination
 	case 2:
 		newDestination := h.overrideDestination
 		newDestination.Port = destination.Port
 		destination = newDestination
 	case 3:
 		destination.Port = h.overrideDestination.Port
 	}
 	if h.overrideOption == 0 {
 		h.logger.InfoContext(ctx, "outbound packet connection")
 	} else {
 		h.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 	}
 	conn, err := h.dialer.ListenPacket(ctx, destination)
 	if err != nil {
 		return nil, err
 	}
 	// conn = h.loopBack.NewPacketConn(bufio.NewPacketConn(conn), destination)
 	if originDestination != destination {
 		conn = bufio.NewNATPacketConn(bufio.NewPacketConn(conn), destination, originDestination)
 	}
 	return conn, nil
 }
@@ -165,13 +122,6 @@ func (h *Outbound) DialParallel(ctx context.Context, network string, destination
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
 	switch h.overrideOption {
 	case 1, 2:
 		// override address
 		return h.DialContext(ctx, network, destination)
 	case 3:
 		destination.Port = h.overrideDestination.Port
 	}
 	network = N.NetworkName(network)
 	switch network {
 	case N.NetworkTCP:
@@ -186,13 +136,6 @@ func (h *Outbound) DialParallelNetwork(ctx context.Context, network string, dest
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
 	switch h.overrideOption {
 	case 1, 2:
 		// override address
 		return h.DialContext(ctx, network, destination)
 	case 3:
 		destination.Port = h.overrideDestination.Port
 	}
 	network = N.NetworkName(network)
 	switch network {
 	case N.NetworkTCP:
@@ -207,21 +150,7 @@ func (h *Outbound) ListenSerialNetworkPacket(ctx context.Context, destination M.
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
-	switch h.overrideOption {
+	h.logger.InfoContext(ctx, "outbound packet connection")
 	case 1:
 		destination = h.overrideDestination
 	case 2:
 		newDestination := h.overrideDestination
 		newDestination.Port = destination.Port
 		destination = newDestination
 	case 3:
 		destination.Port = h.overrideDestination.Port
 	}
 	if h.overrideOption == 0 {
 		h.logger.InfoContext(ctx, "outbound packet connection")
 	} else {
 		h.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 	}
 	conn, newDestination, err := dialer.ListenSerialNetworkPacket(ctx, h.dialer, destination, destinationAddresses, networkStrategy, networkType, fallbackNetworkType, fallbackDelay)
 	if err != nil {
 		return nil, netip.Addr{}, err
--- a/protocol/hysteria/inbound.go
+++ b/protocol/hysteria/inbound.go
@@ -118,7 +118,6 @@ func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, source M.S
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
 	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.OriginDestination = h.listener.UDPAddr()
 	metadata.Source = source
 	metadata.Destination = destination
@@ -141,7 +140,6 @@ func (h *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
 	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.OriginDestination = h.listener.UDPAddr()
 	metadata.Source = source
 	metadata.Destination = destination
--- a/protocol/hysteria2/inbound.go
+++ b/protocol/hysteria2/inbound.go
@@ -151,7 +151,6 @@ func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, source M.S
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
 	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.OriginDestination = h.listener.UDPAddr()
 	metadata.Source = source
 	metadata.Destination = destination
@@ -174,7 +173,6 @@ func (h *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
 	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.OriginDestination = h.listener.UDPAddr()
 	metadata.Source = source
 	metadata.Destination = destination
--- a/protocol/naive/inbound.go
+++ b/protocol/naive/inbound.go
@@ -209,7 +209,6 @@ func (n *Inbound) newConnection(ctx context.Context, waitForClose bool, conn net
 	//nolint:staticcheck
 	metadata.InboundDetour = n.listener.ListenOptions().Detour
 	//nolint:staticcheck
 	metadata.InboundOptions = n.listener.ListenOptions().InboundOptions
 	metadata.Source = source
 	metadata.Destination = destination
 	metadata.OriginDestination = M.SocksaddrFromNet(conn.LocalAddr()).Unwrap()
--- a/protocol/naive/outbound.go
+++ b/protocol/naive/outbound.go
@@ -235,7 +235,7 @@ func (h *Outbound) DialContext(ctx context.Context, network string, destination
 	switch N.NetworkName(network) {
 	case N.NetworkTCP:
 		h.logger.InfoContext(ctx, "outbound connection to ", destination)
-		return h.client.DialEarly(destination)
+		return h.client.DialEarly(ctx, destination)
 	case N.NetworkUDP:
 		if h.uotClient == nil {
 			return nil, E.New("UDP is not supported unless UDP over TCP is enabled")
@@ -254,6 +254,10 @@ func (h *Outbound) ListenPacket(ctx context.Context, destination M.Socksaddr) (n
 	return h.uotClient.ListenPacket(ctx, destination)
 }
 func (h *Outbound) InterfaceUpdated() {
 	h.client.Engine().CloseAllConnections()
 }
 func (h *Outbound) Close() error {
 	return h.client.Close()
 }
@@ -267,5 +271,5 @@ type naiveDialer struct {
 }
 func (d *naiveDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	return d.NaiveClient.DialEarly(destination)
+	return d.NaiveClient.DialEarly(ctx, destination)
 }
--- a/protocol/shadowsocks/inbound_multi.go
+++ b/protocol/shadowsocks/inbound_multi.go
@@ -175,7 +175,6 @@ func (h *MultiInbound) newConnection(ctx context.Context, conn net.Conn, metadat
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
 	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	if h.tracker != nil {
 		conn = h.tracker.TrackConnection(conn, metadata)
 	}
@@ -201,7 +200,6 @@ func (h *MultiInbound) newPacketConnection(ctx context.Context, conn N.PacketCon
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
 	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	if h.tracker != nil {
 		conn = h.tracker.TrackPacketConnection(conn, metadata)
 	}
--- a/protocol/shadowsocks/inbound_relay.go
+++ b/protocol/shadowsocks/inbound_relay.go
@@ -135,7 +135,6 @@ func (h *RelayInbound) newConnection(ctx context.Context, conn net.Conn, metadat
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
 	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	return h.router.RouteConnection(ctx, conn, metadata)
 }
@@ -158,7 +157,6 @@ func (h *RelayInbound) newPacketConnection(ctx context.Context, conn N.PacketCon
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
 	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	return h.router.RoutePacketConnection(ctx, conn, metadata)
 }
--- a/protocol/shadowtls/inbound.go
+++ b/protocol/shadowtls/inbound.go
@@ -129,7 +129,6 @@ func (h *inboundHandler) NewConnectionEx(ctx context.Context, conn net.Conn, sou
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
 	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.Source = source
 	metadata.Destination = destination
 	if userName, _ := auth.UserFromContext[string](ctx); userName != "" {
--- a/protocol/tailscale/endpoint.go
+++ b/protocol/tailscale/endpoint.go
@@ -63,6 +63,7 @@ import (
 var (
 	_ adapter.OutboundWithPreferredRoutes = (*Endpoint)(nil)
 	_ adapter.DirectRouteOutbound         = (*Endpoint)(nil)
 	_ dialer.PacketDialerWithDestination  = (*Endpoint)(nil)
 )
 func init() {
@@ -97,6 +98,7 @@ type Endpoint struct {
 	exitNodeAllowLANAccess     bool
 	advertiseRoutes            []netip.Prefix
 	advertiseExitNode          bool
 	advertiseTags              []string
 	relayServerPort            *uint16
 	relayServerStaticEndpoints []netip.AddrPort
@@ -209,10 +211,11 @@ func NewEndpoint(ctx context.Context, router adapter.Router, logger log.ContextL
 		UserLogf: func(format string, args ...any) {
 			logger.Debug(fmt.Sprintf(format, args...))
 		},
-		Ephemeral:  options.Ephemeral,
+		Ephemeral:     options.Ephemeral,
-		AuthKey:    options.AuthKey,
+		AuthKey:       options.AuthKey,
-		ControlURL: options.ControlURL,
+		ControlURL:    options.ControlURL,
-		Dialer:     &endpointDialer{Dialer: outboundDialer, logger: logger},
+		AdvertiseTags: options.AdvertiseTags,
 		Dialer:        &endpointDialer{Dialer: outboundDialer, logger: logger},
 		LookupHook: func(ctx context.Context, host string) ([]netip.Addr, error) {
 			return dnsRouter.Lookup(ctx, host, outboundDialer.(dialer.ResolveDialer).QueryOptions())
 		},
@@ -244,6 +247,7 @@ func NewEndpoint(ctx context.Context, router adapter.Router, logger log.ContextL
 		exitNodeAllowLANAccess:     options.ExitNodeAllowLANAccess,
 		advertiseRoutes:            options.AdvertiseRoutes,
 		advertiseExitNode:          options.AdvertiseExitNode,
 		advertiseTags:              options.AdvertiseTags,
 		relayServerPort:            options.RelayServerPort,
 		relayServerStaticEndpoints: options.RelayServerStaticEndpoints,
 		udpTimeout:                 udpTimeout,
@@ -359,25 +363,23 @@ func (t *Endpoint) Start(stage adapter.StartStage) error {
 	localBackend := t.server.ExportLocalBackend()
 	perfs := &ipn.MaskedPrefs{
 		Prefs: ipn.Prefs{
-			RouteAll: t.acceptRoutes,
+			RouteAll:        t.acceptRoutes,
 			AdvertiseRoutes: t.advertiseRoutes,
 		},
-		RouteAllSet:        true,
+		RouteAllSet:                   true,
-		ExitNodeIPSet:      true,
+		ExitNodeIPSet:                 true,
-		AdvertiseRoutesSet: true,
+		AdvertiseRoutesSet:            true,
-	}
+		RelayServerPortSet:            true,
-	if len(t.advertiseRoutes) > 0 {
+		RelayServerStaticEndpointsSet: true,
 		perfs.AdvertiseRoutes = t.advertiseRoutes
 	}
 	if t.advertiseExitNode {
 		perfs.AdvertiseRoutes = append(perfs.AdvertiseRoutes, tsaddr.ExitRoutes()...)
 	}
 	if t.relayServerPort != nil {
 		perfs.RelayServerPort = t.relayServerPort
 		perfs.RelayServerPortSet = true
 	}
 	if len(t.relayServerStaticEndpoints) > 0 {
 		perfs.RelayServerStaticEndpoints = t.relayServerStaticEndpoints
 		perfs.RelayServerStaticEndpointsSet = true
 	}
 	_, err = localBackend.EditPrefs(perfs)
 	if err != nil {
@@ -517,19 +519,7 @@ func (t *Endpoint) DialContext(ctx context.Context, network string, destination
 	}
 }
-func (t *Endpoint) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+func (t *Endpoint) listenPacketWithAddress(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	t.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 	if destination.IsFqdn() {
 		destinationAddresses, err := t.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
 		if err != nil {
 			return nil, err
 		}
 		packetConn, _, err := N.ListenSerial(ctx, t, destination, destinationAddresses)
 		if err != nil {
 			return nil, err
 		}
 		return packetConn, err
 	}
 	addr4, addr6 := t.server.TailscaleIPs()
 	bind := tcpip.FullAddress{
 		NIC: 1,
@@ -555,6 +545,44 @@ func (t *Endpoint) ListenPacket(ctx context.Context, destination M.Socksaddr) (n
 	return udpConn, nil
 }
 func (t *Endpoint) ListenPacketWithDestination(ctx context.Context, destination M.Socksaddr) (net.PacketConn, netip.Addr, error) {
 	t.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 	if destination.IsFqdn() {
 		destinationAddresses, err := t.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
 		if err != nil {
 			return nil, netip.Addr{}, err
 		}
 		var errors []error
 		for _, address := range destinationAddresses {
 			packetConn, packetErr := t.listenPacketWithAddress(ctx, M.SocksaddrFrom(address, destination.Port))
 			if packetErr == nil {
 				return packetConn, address, nil
 			}
 			errors = append(errors, packetErr)
 		}
 		return nil, netip.Addr{}, E.Errors(errors...)
 	}
 	packetConn, err := t.listenPacketWithAddress(ctx, destination)
 	if err != nil {
 		return nil, netip.Addr{}, err
 	}
 	if destination.IsIP() {
 		return packetConn, destination.Addr, nil
 	}
 	return packetConn, netip.Addr{}, nil
 }
 func (t *Endpoint) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	packetConn, destinationAddress, err := t.ListenPacketWithDestination(ctx, destination)
 	if err != nil {
 		return nil, err
 	}
 	if destinationAddress.IsValid() && destination != M.SocksaddrFrom(destinationAddress, destination.Port) {
 		return bufio.NewNATPacketConn(bufio.NewPacketConn(packetConn), M.SocksaddrFrom(destinationAddress, destination.Port), destination), nil
 	}
 	return packetConn, nil
 }
 func (t *Endpoint) PrepareConnection(network string, source M.Socksaddr, destination M.Socksaddr, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
 	tsFilter := t.filter.Load()
 	if tsFilter != nil {
--- a/protocol/trojan/inbound.go
+++ b/protocol/trojan/inbound.go
@@ -257,7 +257,6 @@ func (h *inboundTransportHandler) NewConnectionEx(ctx context.Context, conn net.
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
 	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	h.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
 	(*Inbound)(h).NewConnectionEx(ctx, conn, metadata, onClose)
 }
--- a/protocol/tuic/inbound.go
+++ b/protocol/tuic/inbound.go
@@ -108,7 +108,6 @@ func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, source M.S
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
 	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.OriginDestination = h.listener.UDPAddr()
 	metadata.Source = source
 	metadata.Destination = destination
@@ -131,7 +130,6 @@ func (h *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
 	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.OriginDestination = h.listener.UDPAddr()
 	metadata.Source = source
 	metadata.Destination = destination
--- a/protocol/tun/inbound.go
+++ b/protocol/tun/inbound.go
@@ -14,7 +14,6 @@ import (
 	"github.com/sagernet/sing-box/adapter/inbound"
 	"github.com/sagernet/sing-box/common/taskmonitor"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/route/rule"
@@ -36,13 +35,11 @@ func RegisterInbound(registry *inbound.Registry) {
 }
 type Inbound struct {
-	tag            string
+	tag                         string
-	ctx            context.Context
+	ctx                         context.Context
-	router         adapter.Router
+	router                      adapter.Router
-	networkManager adapter.NetworkManager
+	networkManager              adapter.NetworkManager
-	logger         log.ContextLogger
+	logger                      log.ContextLogger
 	//nolint:staticcheck
 	inboundOptions              option.InboundOptions
 	tunOptions                  tun.Options
 	udpTimeout                  time.Duration
 	stack                       string
@@ -60,20 +57,18 @@ type Inbound struct {
 }
 func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.TunInboundOptions) (adapter.Inbound, error) {
 	//nolint:staticcheck
 	if len(options.Inet4Address) > 0 || len(options.Inet6Address) > 0 ||
 		len(options.Inet4RouteAddress) > 0 || len(options.Inet6RouteAddress) > 0 ||
 		len(options.Inet4RouteExcludeAddress) > 0 || len(options.Inet6RouteExcludeAddress) > 0 {
 		return nil, E.New("legacy tun address fields are deprecated in sing-box 1.10.0 and removed in sing-box 1.12.0")
 	}
 	//nolint:staticcheck
 	if options.GSO {
 		return nil, E.New("GSO option in tun is deprecated in sing-box 1.11.0 and removed in sing-box 1.12.0")
 	}
 	address := options.Address
 	var deprecatedAddressUsed bool
 	//nolint:staticcheck
 	if len(options.Inet4Address) > 0 {
 		address = append(address, options.Inet4Address...)
 		deprecatedAddressUsed = true
 	}
 	//nolint:staticcheck
 	if len(options.Inet6Address) > 0 {
 		address = append(address, options.Inet6Address...)
 		deprecatedAddressUsed = true
 	}
 	inet4Address := common.Filter(address, func(it netip.Prefix) bool {
 		return it.Addr().Is4()
 	})
@@ -82,18 +77,6 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 	})
 	routeAddress := options.RouteAddress
 	//nolint:staticcheck
 	if len(options.Inet4RouteAddress) > 0 {
 		routeAddress = append(routeAddress, options.Inet4RouteAddress...)
 		deprecatedAddressUsed = true
 	}
 	//nolint:staticcheck
 	if len(options.Inet6RouteAddress) > 0 {
 		routeAddress = append(routeAddress, options.Inet6RouteAddress...)
 		deprecatedAddressUsed = true
 	}
 	inet4RouteAddress := common.Filter(routeAddress, func(it netip.Prefix) bool {
 		return it.Addr().Is4()
 	})
@@ -102,18 +85,6 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 	})
 	routeExcludeAddress := options.RouteExcludeAddress
 	//nolint:staticcheck
 	if len(options.Inet4RouteExcludeAddress) > 0 {
 		routeExcludeAddress = append(routeExcludeAddress, options.Inet4RouteExcludeAddress...)
 		deprecatedAddressUsed = true
 	}
 	//nolint:staticcheck
 	if len(options.Inet6RouteExcludeAddress) > 0 {
 		routeExcludeAddress = append(routeExcludeAddress, options.Inet6RouteExcludeAddress...)
 		deprecatedAddressUsed = true
 	}
 	inet4RouteExcludeAddress := common.Filter(routeExcludeAddress, func(it netip.Prefix) bool {
 		return it.Addr().Is4()
 	})
@@ -121,15 +92,6 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 		return it.Addr().Is6()
 	})
 	if deprecatedAddressUsed {
 		deprecated.Report(ctx, deprecated.OptionTUNAddressX)
 	}
 	//nolint:staticcheck
 	if options.GSO {
 		deprecated.Report(ctx, deprecated.OptionTUNGSO)
 	}
 	platformInterface := service.FromContext[adapter.PlatformInterface](ctx)
 	tunMTU := options.MTU
 	enableGSO := C.IsLinux && options.Stack == "gvisor" && platformInterface == nil && tunMTU > 0 && tunMTU < 49152
@@ -202,7 +164,6 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 		router:         router,
 		networkManager: networkManager,
 		logger:         logger,
 		inboundOptions: options.InboundOptions,
 		tunOptions: tun.Options{
 			Name:                                  options.InterfaceName,
 			MTU:                                   tunMTU,
@@ -478,13 +439,12 @@ func (t *Inbound) PrepareConnection(network string, source M.Socksaddr, destinat
 		ipVersion = 6
 	}
 	routeDestination, err := t.router.PreMatch(adapter.InboundContext{
-		Inbound:        t.tag,
+		Inbound:     t.tag,
-		InboundType:    C.TypeTun,
+		InboundType: C.TypeTun,
-		IPVersion:      ipVersion,
+		IPVersion:   ipVersion,
-		Network:        network,
+		Network:     network,
-		Source:         source,
+		Source:      source,
-		Destination:    destination,
+		Destination: destination,
 		InboundOptions: t.inboundOptions,
 	}, routeContext, timeout, false)
 	if err != nil {
 		switch {
@@ -508,8 +468,7 @@ func (t *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, source M.S
 	metadata.InboundType = C.TypeTun
 	metadata.Source = source
 	metadata.Destination = destination
-	//nolint:staticcheck
+
 	metadata.InboundOptions = t.inboundOptions
 	t.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
 	t.logger.InfoContext(ctx, "inbound connection to ", metadata.Destination)
 	t.router.RouteConnectionEx(ctx, conn, metadata, onClose)
@@ -522,8 +481,7 @@ func (t *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 	metadata.InboundType = C.TypeTun
 	metadata.Source = source
 	metadata.Destination = destination
-	//nolint:staticcheck
+
 	metadata.InboundOptions = t.inboundOptions
 	t.logger.InfoContext(ctx, "inbound packet connection from ", metadata.Source)
 	t.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
 	t.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
@@ -539,13 +497,12 @@ func (t *autoRedirectHandler) PrepareConnection(network string, source M.Socksad
 		ipVersion = 6
 	}
 	routeDestination, err := t.router.PreMatch(adapter.InboundContext{
-		Inbound:        t.tag,
+		Inbound:     t.tag,
-		InboundType:    C.TypeTun,
+		InboundType: C.TypeTun,
-		IPVersion:      ipVersion,
+		IPVersion:   ipVersion,
-		Network:        network,
+		Network:     network,
-		Source:         source,
+		Source:      source,
-		Destination:    destination,
+		Destination: destination,
 		InboundOptions: t.inboundOptions,
 	}, routeContext, timeout, true)
 	if err != nil {
 		switch {
@@ -569,8 +526,7 @@ func (t *autoRedirectHandler) NewConnectionEx(ctx context.Context, conn net.Conn
 	metadata.InboundType = C.TypeTun
 	metadata.Source = source
 	metadata.Destination = destination
-	//nolint:staticcheck
+
 	metadata.InboundOptions = t.inboundOptions
 	t.logger.InfoContext(ctx, "inbound redirect connection from ", metadata.Source)
 	t.logger.InfoContext(ctx, "inbound connection to ", metadata.Destination)
 	t.router.RouteConnectionEx(ctx, conn, metadata, onClose)
--- a/protocol/vless/inbound.go
+++ b/protocol/vless/inbound.go
@@ -217,7 +217,6 @@ func (h *inboundTransportHandler) NewConnectionEx(ctx context.Context, conn net.
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
 	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	h.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
 	(*Inbound)(h).NewConnectionEx(ctx, conn, metadata, onClose)
 }
--- a/protocol/vmess/inbound.go
+++ b/protocol/vmess/inbound.go
@@ -223,7 +223,6 @@ func (h *inboundTransportHandler) NewConnectionEx(ctx context.Context, conn net.
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
 	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	h.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
 	(*Inbound)(h).NewConnectionEx(ctx, conn, metadata, onClose)
 }
--- a/protocol/wireguard/endpoint.go
+++ b/protocol/wireguard/endpoint.go
@@ -24,7 +24,10 @@ import (
 	"github.com/sagernet/sing/service"
 )
-var _ adapter.OutboundWithPreferredRoutes = (*Endpoint)(nil)
+var (
 	_ adapter.OutboundWithPreferredRoutes = (*Endpoint)(nil)
 	_ dialer.PacketDialerWithDestination  = (*Endpoint)(nil)
 )
 func RegisterEndpoint(registry *endpoint.Registry) {
 	endpoint.Register[option.WireGuardEndpointOptions](registry, C.TypeWireGuard, NewEndpoint)
@@ -219,20 +222,34 @@ func (w *Endpoint) DialContext(ctx context.Context, network string, destination
 	return w.endpoint.DialContext(ctx, network, destination)
 }
-func (w *Endpoint) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+func (w *Endpoint) ListenPacketWithDestination(ctx context.Context, destination M.Socksaddr) (net.PacketConn, netip.Addr, error) {
 	w.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 	if destination.IsFqdn() {
 		destinationAddresses, err := w.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
 		if err != nil {
-			return nil, err
+			return nil, netip.Addr{}, err
 		}
-		packetConn, _, err := N.ListenSerial(ctx, w.endpoint, destination, destinationAddresses)
+		return N.ListenSerial(ctx, w.endpoint, destination, destinationAddresses)
 		if err != nil {
 			return nil, err
 		}
 		return packetConn, err
 	}
-	return w.endpoint.ListenPacket(ctx, destination)
+	packetConn, err := w.endpoint.ListenPacket(ctx, destination)
 	if err != nil {
 		return nil, netip.Addr{}, err
 	}
 	if destination.IsIP() {
 		return packetConn, destination.Addr, nil
 	}
 	return packetConn, netip.Addr{}, nil
 }
 func (w *Endpoint) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	packetConn, destinationAddress, err := w.ListenPacketWithDestination(ctx, destination)
 	if err != nil {
 		return nil, err
 	}
 	if destinationAddress.IsValid() && destination != M.SocksaddrFrom(destinationAddress, destination.Port) {
 		return bufio.NewNATPacketConn(bufio.NewPacketConn(packetConn), M.SocksaddrFrom(destinationAddress, destination.Port), destination), nil
 	}
 	return packetConn, nil
 }
 func (w *Endpoint) PreferredDomain(domain string) bool {
--- a/protocol/wireguard/outbound.go
+++ b/protocol/wireguard/outbound.go
@@ -1,176 +0,0 @@
 package wireguard
 import (
 	"context"
 	"net"
 	"net/netip"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/adapter/outbound"
 	"github.com/sagernet/sing-box/common/dialer"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/transport/wireguard"
 	tun "github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/service"
 )
 var _ adapter.OutboundWithPreferredRoutes = (*Outbound)(nil)
 func RegisterOutbound(registry *outbound.Registry) {
 	outbound.Register[option.LegacyWireGuardOutboundOptions](registry, C.TypeWireGuard, NewOutbound)
 }
 type Outbound struct {
 	outbound.Adapter
 	ctx            context.Context
 	dnsRouter      adapter.DNSRouter
 	logger         logger.ContextLogger
 	localAddresses []netip.Prefix
 	endpoint       *wireguard.Endpoint
 }
 func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.LegacyWireGuardOutboundOptions) (adapter.Outbound, error) {
 	deprecated.Report(ctx, deprecated.OptionWireGuardOutbound)
 	if options.GSO {
 		deprecated.Report(ctx, deprecated.OptionWireGuardGSO)
 	}
 	outbound := &Outbound{
 		Adapter:        outbound.NewAdapterWithDialerOptions(C.TypeWireGuard, tag, []string{N.NetworkTCP, N.NetworkUDP, N.NetworkICMP}, options.DialerOptions),
 		ctx:            ctx,
 		dnsRouter:      service.FromContext[adapter.DNSRouter](ctx),
 		logger:         logger,
 		localAddresses: options.LocalAddress,
 	}
 	if options.Detour != "" && options.GSO {
 		return nil, E.New("gso is conflict with detour")
 	}
 	outboundDialer, err := dialer.NewWithOptions(dialer.Options{
 		Context: ctx,
 		Options: options.DialerOptions,
 		RemoteIsDomain: options.ServerIsDomain() || common.Any(options.Peers, func(it option.LegacyWireGuardPeer) bool {
 			return it.ServerIsDomain()
 		}),
 		ResolverOnDetour: true,
 	})
 	if err != nil {
 		return nil, err
 	}
 	peers := common.Map(options.Peers, func(it option.LegacyWireGuardPeer) wireguard.PeerOptions {
 		return wireguard.PeerOptions{
 			Endpoint:     it.ServerOptions.Build(),
 			PublicKey:    it.PublicKey,
 			PreSharedKey: it.PreSharedKey,
 			AllowedIPs:   it.AllowedIPs,
 			// PersistentKeepaliveInterval: time.Duration(it.PersistentKeepaliveInterval),
 			Reserved: it.Reserved,
 		}
 	})
 	if len(peers) == 0 {
 		peers = []wireguard.PeerOptions{{
 			Endpoint:     options.ServerOptions.Build(),
 			PublicKey:    options.PeerPublicKey,
 			PreSharedKey: options.PreSharedKey,
 			AllowedIPs:   []netip.Prefix{netip.PrefixFrom(netip.IPv4Unspecified(), 0), netip.PrefixFrom(netip.IPv6Unspecified(), 0)},
 			Reserved:     options.Reserved,
 		}}
 	}
 	wgEndpoint, err := wireguard.NewEndpoint(wireguard.EndpointOptions{
 		Context: ctx,
 		Logger:  logger,
 		System:  options.SystemInterface,
 		Dialer:  outboundDialer,
 		CreateDialer: func(interfaceName string) N.Dialer {
 			return common.Must1(dialer.NewDefault(ctx, option.DialerOptions{
 				BindInterface: interfaceName,
 			}))
 		},
 		Name:       options.InterfaceName,
 		MTU:        options.MTU,
 		Address:    options.LocalAddress,
 		PrivateKey: options.PrivateKey,
 		ResolvePeer: func(domain string) (netip.Addr, error) {
 			endpointAddresses, lookupErr := outbound.dnsRouter.Lookup(ctx, domain, outboundDialer.(dialer.ResolveDialer).QueryOptions())
 			if lookupErr != nil {
 				return netip.Addr{}, lookupErr
 			}
 			return endpointAddresses[0], nil
 		},
 		Peers:   peers,
 		Workers: options.Workers,
 	})
 	if err != nil {
 		return nil, err
 	}
 	outbound.endpoint = wgEndpoint
 	return outbound, nil
 }
 func (o *Outbound) Start(stage adapter.StartStage) error {
 	switch stage {
 	case adapter.StartStateStart:
 		return o.endpoint.Start(false)
 	case adapter.StartStatePostStart:
 		return o.endpoint.Start(true)
 	}
 	return nil
 }
 func (o *Outbound) Close() error {
 	return o.endpoint.Close()
 }
 func (o *Outbound) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	switch network {
 	case N.NetworkTCP:
 		o.logger.InfoContext(ctx, "outbound connection to ", destination)
 	case N.NetworkUDP:
 		o.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 	}
 	if destination.IsFqdn() {
 		destinationAddresses, err := o.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
 		if err != nil {
 			return nil, err
 		}
 		return N.DialSerial(ctx, o.endpoint, network, destination, destinationAddresses)
 	} else if !destination.Addr.IsValid() {
 		return nil, E.New("invalid destination: ", destination)
 	}
 	return o.endpoint.DialContext(ctx, network, destination)
 }
 func (o *Outbound) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	o.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 	if destination.IsFqdn() {
 		destinationAddresses, err := o.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
 		if err != nil {
 			return nil, err
 		}
 		packetConn, _, err := N.ListenSerial(ctx, o.endpoint, destination, destinationAddresses)
 		if err != nil {
 			return nil, err
 		}
 		return packetConn, err
 	}
 	return o.endpoint.ListenPacket(ctx, destination)
 }
 func (o *Outbound) PreferredDomain(domain string) bool {
 	return false
 }
 func (o *Outbound) PreferredAddress(address netip.Addr) bool {
 	return o.endpoint.Lookup(address) != nil
 }
 func (o *Outbound) NewDirectRouteConnection(metadata adapter.InboundContext, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
 	return o.endpoint.NewDirectRouteConnection(metadata, routeContext, timeout)
 }
--- a/release/DEFAULT_BUILD_TAGS
+++ b/release/DEFAULT_BUILD_TAGS
@@ -0,0 +1 @@
 with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,with_naive_outbound,badlinkname,tfogo_checklinkname0
--- a/release/DEFAULT_BUILD_TAGS_OTHERS
+++ b/release/DEFAULT_BUILD_TAGS_OTHERS
@@ -0,0 +1 @@
 with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0
--- a/release/DEFAULT_BUILD_TAGS_WINDOWS
+++ b/release/DEFAULT_BUILD_TAGS_WINDOWS
@@ -0,0 +1 @@
 with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,with_naive_outbound,with_purego,badlinkname,tfogo_checklinkname0
--- a/release/LDFLAGS
+++ b/release/LDFLAGS
@@ -0,0 +1 @@
 -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0
--- a/release/local/common.sh
+++ b/release/local/common.sh
@@ -11,7 +11,7 @@ INSTALL_CONFIG_PATH="/usr/local/etc/sing-box"
 INSTALL_DATA_PATH="/var/lib/sing-box"
 SYSTEMD_SERVICE_PATH="/etc/systemd/system"
-DEFAULT_BUILD_TAGS="with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0"
+DEFAULT_BUILD_TAGS="$(cat "$PROJECT_DIR/release/DEFAULT_BUILD_TAGS_OTHERS")"
 setup_environment() {
    if [ -d /usr/local/go ]; then
@@ -44,7 +44,9 @@ get_version() {
 get_ldflags() {
    local version
    version=$(get_version)
-    echo "-X 'github.com/sagernet/sing-box/constant.Version=${version}' -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0"
+    local shared_ldflags
    shared_ldflags=$(cat "$PROJECT_DIR/release/LDFLAGS")
    echo "-X 'github.com/sagernet/sing-box/constant.Version=${version}' ${shared_ldflags} -s -w -buildid="
 }
 build_sing_box() {
--- a/route/conn.go
+++ b/route/conn.go
@@ -44,16 +44,52 @@ func (m *ConnectionManager) Start(stage adapter.StartStage) error {
 	return nil
 }
-func (m *ConnectionManager) Close() error {
+func (m *ConnectionManager) Count() int {
 	return m.connections.Len()
 }
 func (m *ConnectionManager) CloseAll() {
 	m.access.Lock()
-	defer m.access.Unlock()
+	var closers []io.Closer
-	for element := m.connections.Front(); element != nil; element = element.Next() {
+	for element := m.connections.Front(); element != nil; {
-		common.Close(element.Value)
+		nextElement := element.Next()
 		closers = append(closers, element.Value)
 		m.connections.Remove(element)
 		element = nextElement
 	}
-	m.connections.Init()
+	m.access.Unlock()
 	for _, closer := range closers {
 		common.Close(closer)
 	}
 }
 func (m *ConnectionManager) Close() error {
 	m.CloseAll()
 	return nil
 }
 func (m *ConnectionManager) TrackConn(conn net.Conn) net.Conn {
 	m.access.Lock()
 	element := m.connections.PushBack(conn)
 	m.access.Unlock()
 	return &trackedConn{
 		Conn:    conn,
 		manager: m,
 		element: element,
 	}
 }
 func (m *ConnectionManager) TrackPacketConn(conn net.PacketConn) net.PacketConn {
 	m.access.Lock()
 	element := m.connections.PushBack(conn)
 	m.access.Unlock()
 	return &trackedPacketConn{
 		PacketConn: conn,
 		manager:    m,
 		element:    element,
 	}
 }
 func (m *ConnectionManager) NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
 	ctx = adapter.WithContext(ctx, &metadata)
 	var (
@@ -92,14 +128,6 @@ func (m *ConnectionManager) NewConnection(ctx context.Context, this N.Dialer, co
 	if metadata.TLSFragment || metadata.TLSRecordFragment {
 		remoteConn = tf.NewConn(remoteConn, ctx, metadata.TLSFragment, metadata.TLSRecordFragment, metadata.TLSFragmentFallbackDelay)
 	}
 	m.access.Lock()
 	element := m.connections.PushBack(conn)
 	m.access.Unlock()
 	onClose = N.AppendClose(onClose, func(it error) {
 		m.access.Lock()
 		defer m.access.Unlock()
 		m.connections.Remove(element)
 	})
 	var done atomic.Bool
 	if m.kickWriteHandshake(ctx, conn, remoteConn, false, &done, onClose) {
 		return
@@ -160,6 +188,8 @@ func (m *ConnectionManager) NewPacketConnection(ctx context.Context, this N.Dial
 	} else {
 		if len(metadata.DestinationAddresses) > 0 {
 			remotePacketConn, destinationAddress, err = dialer.ListenSerialNetworkPacket(ctx, this, metadata.Destination, metadata.DestinationAddresses, metadata.NetworkStrategy, metadata.NetworkType, metadata.FallbackNetworkType, metadata.FallbackDelay)
 		} else if packetDialer, withDestination := this.(dialer.PacketDialerWithDestination); withDestination {
 			remotePacketConn, destinationAddress, err = packetDialer.ListenPacketWithDestination(ctx, metadata.Destination)
 		} else {
 			remotePacketConn, err = this.ListenPacket(ctx, metadata.Destination)
 		}
@@ -190,11 +220,16 @@ func (m *ConnectionManager) NewPacketConnection(ctx context.Context, this N.Dial
 		}
 		if natConn, loaded := common.Cast[bufio.NATPacketConn](conn); loaded {
 			natConn.UpdateDestination(destinationAddress)
-		} else if metadata.Destination != M.SocksaddrFrom(destinationAddress, metadata.Destination.Port) {
+		} else {
-			if metadata.UDPDisableDomainUnmapping {
+			destination := M.SocksaddrFrom(destinationAddress, metadata.Destination.Port)
-				remotePacketConn = bufio.NewUnidirectionalNATPacketConn(bufio.NewPacketConn(remotePacketConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), originDestination)
+			if metadata.Destination != destination {
-			} else {
+				if metadata.UDPDisableDomainUnmapping {
-				remotePacketConn = bufio.NewNATPacketConn(bufio.NewPacketConn(remotePacketConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), originDestination)
+					remotePacketConn = bufio.NewUnidirectionalNATPacketConn(bufio.NewPacketConn(remotePacketConn), destination, originDestination)
 				} else {
 					remotePacketConn = bufio.NewNATPacketConn(bufio.NewPacketConn(remotePacketConn), destination, originDestination)
 				}
 			} else if metadata.RouteOriginalDestination.IsValid() && metadata.RouteOriginalDestination != metadata.Destination {
 				remotePacketConn = bufio.NewDestinationNATPacketConn(bufio.NewPacketConn(remotePacketConn), metadata.Destination, metadata.RouteOriginalDestination)
 			}
 		}
 	} else if metadata.RouteOriginalDestination.IsValid() && metadata.RouteOriginalDestination != metadata.Destination {
@@ -216,14 +251,6 @@ func (m *ConnectionManager) NewPacketConnection(ctx context.Context, this N.Dial
 		ctx, conn = canceler.NewPacketConn(ctx, conn, udpTimeout)
 	}
 	destination := bufio.NewPacketConn(remotePacketConn)
 	m.access.Lock()
 	element := m.connections.PushBack(conn)
 	m.access.Unlock()
 	onClose = N.AppendClose(onClose, func(it error) {
 		m.access.Lock()
 		defer m.access.Unlock()
 		m.connections.Remove(element)
 	})
 	var done atomic.Bool
 	go m.packetConnectionCopy(ctx, conn, destination, false, &done, onClose)
 	go m.packetConnectionCopy(ctx, destination, conn, true, &done, onClose)
@@ -242,7 +269,9 @@ func (m *ConnectionManager) connectionCopy(ctx context.Context, source net.Conn,
 		destination.Close()
 	}
 	if done.Swap(true) {
-		onClose(err)
+		if onClose != nil {
 			onClose(err)
 		}
 		common.Close(source, destination)
 	}
 	if !direction {
@@ -303,7 +332,9 @@ func (m *ConnectionManager) kickWriteHandshake(ctx context.Context, source net.C
 		return false
 	}
 	if !done.Swap(true) {
-		onClose(err)
+		if onClose != nil {
 			onClose(err)
 		}
 	}
 	common.Close(source, destination)
 	if !direction {
@@ -334,7 +365,59 @@ func (m *ConnectionManager) packetConnectionCopy(ctx context.Context, source N.P
 		}
 	}
 	if !done.Swap(true) {
-		onClose(err)
+		if onClose != nil {
 			onClose(err)
 		}
 	}
 	common.Close(source, destination)
 }
 type trackedConn struct {
 	net.Conn
 	manager *ConnectionManager
 	element *list.Element[io.Closer]
 }
 func (c *trackedConn) Close() error {
 	c.manager.access.Lock()
 	c.manager.connections.Remove(c.element)
 	c.manager.access.Unlock()
 	return c.Conn.Close()
 }
 func (c *trackedConn) Upstream() any {
 	return c.Conn
 }
 func (c *trackedConn) ReaderReplaceable() bool {
 	return true
 }
 func (c *trackedConn) WriterReplaceable() bool {
 	return true
 }
 type trackedPacketConn struct {
 	net.PacketConn
 	manager *ConnectionManager
 	element *list.Element[io.Closer]
 }
 func (c *trackedPacketConn) Close() error {
 	c.manager.access.Lock()
 	c.manager.connections.Remove(c.element)
 	c.manager.access.Unlock()
 	return c.PacketConn.Close()
 }
 func (c *trackedPacketConn) Upstream() any {
 	return bufio.NewPacketConn(c.PacketConn)
 }
 func (c *trackedPacketConn) ReaderReplaceable() bool {
 	return true
 }
 func (c *trackedPacketConn) WriterReplaceable() bool {
 	return true
 }
--- a/route/network.go
+++ b/route/network.go
@@ -13,7 +13,6 @@ import (
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/settings"
 	"github.com/sagernet/sing-box/common/taskmonitor"
 	C "github.com/sagernet/sing-box/constant"
@@ -48,6 +47,7 @@ type NetworkManager struct {
 	powerListener          winpowrprof.EventListener
 	pauseManager           pause.Manager
 	platformInterface      adapter.PlatformInterface
 	connectionManager      adapter.ConnectionManager
 	endpoint               adapter.EndpointManager
 	inbound                adapter.InboundManager
 	outbound               adapter.OutboundManager
@@ -90,6 +90,7 @@ func NewNetworkManager(ctx context.Context, logger logger.ContextLogger, options
 		},
 		pauseManager:      service.FromContext[pause.Manager](ctx),
 		platformInterface: service.FromContext[adapter.PlatformInterface](ctx),
 		connectionManager: service.FromContext[adapter.ConnectionManager](ctx),
 		endpoint:          service.FromContext[adapter.EndpointManager](ctx),
 		inbound:           service.FromContext[adapter.InboundManager](ctx),
 		outbound:          service.FromContext[adapter.OutboundManager](ctx),
@@ -450,7 +451,9 @@ func (r *NetworkManager) UpdateWIFIState() {
 }
 func (r *NetworkManager) ResetNetwork() {
-	conntrack.Close()
+	if r.connectionManager != nil {
 		r.connectionManager.CloseAll()
 	}
 	for _, endpoint := range r.endpoint.Endpoints() {
 		listener, isListener := endpoint.(adapter.InterfaceUpdateListener)
--- a/route/route.go
+++ b/route/route.go
@@ -9,11 +9,9 @@ import (
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/process"
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	R "github.com/sagernet/sing-box/route/rule"
 	"github.com/sagernet/sing-mux"
 	"github.com/sagernet/sing-tun"
@@ -80,7 +78,6 @@ func (r *Router) routeConnection(ctx context.Context, conn net.Conn, metadata ad
 		injectable.NewConnectionEx(ctx, conn, metadata, onClose)
 		return nil
 	}
 	conntrack.KillerCheck()
 	metadata.Network = N.NetworkTCP
 	switch metadata.Destination.Fqdn {
 	case mux.Destination.Fqdn:
@@ -216,8 +213,6 @@ func (r *Router) routePacketConnection(ctx context.Context, conn N.PacketConn, m
 		injectable.NewPacketConnectionEx(ctx, conn, metadata, onClose)
 		return nil
 	}
 	conntrack.KillerCheck()
 	// TODO: move to UoT
 	metadata.Network = N.NetworkUDP
@@ -472,37 +467,6 @@ func (r *Router) matchRule(
 		metadata.IPVersion = 6
 	}
 	//nolint:staticcheck
 	if metadata.InboundOptions != common.DefaultValue[option.InboundOptions]() {
 		if !preMatch && metadata.InboundOptions.SniffEnabled {
 			newBuffer, newPackerBuffers, newErr := r.actionSniff(ctx, metadata, &R.RuleActionSniff{
 				OverrideDestination: metadata.InboundOptions.SniffOverrideDestination,
 				Timeout:             time.Duration(metadata.InboundOptions.SniffTimeout),
 			}, inputConn, inputPacketConn, nil, nil)
 			if newBuffer != nil {
 				buffers = []*buf.Buffer{newBuffer}
 			} else if len(newPackerBuffers) > 0 {
 				packetBuffers = newPackerBuffers
 			}
 			if newErr != nil {
 				fatalErr = newErr
 				return
 			}
 		}
 		if C.DomainStrategy(metadata.InboundOptions.DomainStrategy) != C.DomainStrategyAsIS {
 			fatalErr = r.actionResolve(ctx, metadata, &R.RuleActionResolve{
 				Strategy: C.DomainStrategy(metadata.InboundOptions.DomainStrategy),
 			})
 			if fatalErr != nil {
 				return
 			}
 		}
 		if metadata.InboundOptions.UDPDisableDomainUnmapping {
 			metadata.UDPDisableDomainUnmapping = true
 		}
 		metadata.InboundOptions = option.InboundOptions{}
 	}
 match:
 	for currentRuleIndex, currentRule := range r.rules {
 		metadata.ResetRuleCache()
--- a/route/rule/rule_abstract.go
+++ b/route/rule/rule_abstract.go
@@ -107,9 +107,7 @@ func (r *abstractDefaultRule) Match(metadata *adapter.InboundContext) bool {
 	}
 	for _, item := range r.items {
-		if _, isRuleSet := item.(*RuleSetItem); !isRuleSet {
+		metadata.DidMatch = true
 			metadata.DidMatch = true
 		}
 		if !item.Match(metadata) {
 			return r.invert
 		}
--- a/route/rule/rule_abstract_test.go
+++ b/route/rule/rule_abstract_test.go
@@ -0,0 +1,157 @@
 package rule
 import (
 	"context"
 	"testing"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common/x/list"
 	"github.com/stretchr/testify/require"
 	"go4.org/netipx"
 )
 type fakeRuleSet struct {
 	matched bool
 }
 func (f *fakeRuleSet) Name() string {
 	return "fake-rule-set"
 }
 func (f *fakeRuleSet) StartContext(context.Context, *adapter.HTTPStartContext) error {
 	return nil
 }
 func (f *fakeRuleSet) PostStart() error {
 	return nil
 }
 func (f *fakeRuleSet) Metadata() adapter.RuleSetMetadata {
 	return adapter.RuleSetMetadata{}
 }
 func (f *fakeRuleSet) ExtractIPSet() []*netipx.IPSet {
 	return nil
 }
 func (f *fakeRuleSet) IncRef() {}
 func (f *fakeRuleSet) DecRef() {}
 func (f *fakeRuleSet) Cleanup() {}
 func (f *fakeRuleSet) RegisterCallback(adapter.RuleSetUpdateCallback) *list.Element[adapter.RuleSetUpdateCallback] {
 	return nil
 }
 func (f *fakeRuleSet) UnregisterCallback(*list.Element[adapter.RuleSetUpdateCallback]) {}
 func (f *fakeRuleSet) Close() error {
 	return nil
 }
 func (f *fakeRuleSet) Match(*adapter.InboundContext) bool {
 	return f.matched
 }
 func (f *fakeRuleSet) String() string {
 	return "fake-rule-set"
 }
 type fakeRuleItem struct {
 	matched bool
 }
 func (f *fakeRuleItem) Match(*adapter.InboundContext) bool {
 	return f.matched
 }
 func (f *fakeRuleItem) String() string {
 	return "fake-rule-item"
 }
 func newRuleSetOnlyRule(ruleSetMatched bool, invert bool) *DefaultRule {
 	ruleSetItem := &RuleSetItem{
 		setList: []adapter.RuleSet{&fakeRuleSet{matched: ruleSetMatched}},
 	}
 	return &DefaultRule{
 		abstractDefaultRule: abstractDefaultRule{
 			items:    []RuleItem{ruleSetItem},
 			allItems: []RuleItem{ruleSetItem},
 			invert:   invert,
 		},
 	}
 }
 func newSingleItemRule(matched bool) *DefaultRule {
 	item := &fakeRuleItem{matched: matched}
 	return &DefaultRule{
 		abstractDefaultRule: abstractDefaultRule{
 			items:    []RuleItem{item},
 			allItems: []RuleItem{item},
 		},
 	}
 }
 func TestAbstractDefaultRule_RuleSetOnly_InvertFalse(t *testing.T) {
 	t.Parallel()
 	require.True(t, newRuleSetOnlyRule(true, false).Match(&adapter.InboundContext{}))
 	require.False(t, newRuleSetOnlyRule(false, false).Match(&adapter.InboundContext{}))
 }
 func TestAbstractDefaultRule_RuleSetOnly_InvertTrue(t *testing.T) {
 	t.Parallel()
 	require.False(t, newRuleSetOnlyRule(true, true).Match(&adapter.InboundContext{}))
 	require.True(t, newRuleSetOnlyRule(false, true).Match(&adapter.InboundContext{}))
 }
 func TestAbstractLogicalRule_And_WithRuleSetInvert(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		name          string
 		aMatched      bool
 		ruleSetBMatch bool
 		expected      bool
 	}{
 		{
 			name:          "A true B true",
 			aMatched:      true,
 			ruleSetBMatch: true,
 			expected:      false,
 		},
 		{
 			name:          "A true B false",
 			aMatched:      true,
 			ruleSetBMatch: false,
 			expected:      true,
 		},
 		{
 			name:          "A false B true",
 			aMatched:      false,
 			ruleSetBMatch: true,
 			expected:      false,
 		},
 		{
 			name:          "A false B false",
 			aMatched:      false,
 			ruleSetBMatch: false,
 			expected:      false,
 		},
 	}
 	for _, testCase := range testCases {
 		testCase := testCase
 		t.Run(testCase.name, func(t *testing.T) {
 			t.Parallel()
 			logicalRule := &abstractLogicalRule{
 				mode: C.LogicalTypeAnd,
 				rules: []adapter.HeadlessRule{
 					newSingleItemRule(testCase.aMatched),
 					newRuleSetOnlyRule(testCase.ruleSetBMatch, true),
 				},
 			}
 			require.Equal(t, testCase.expected, logicalRule.Match(&adapter.InboundContext{}))
 		})
 	}
 }
--- a/route/rule/rule_default.go
+++ b/route/rule/rule_default.go
@@ -5,7 +5,6 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
@@ -267,14 +266,13 @@ func NewDefaultRule(ctx context.Context, logger log.ContextLogger, options optio
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.RuleSet) > 0 {
 		//nolint:staticcheck
 		if options.Deprecated_RulesetIPCIDRMatchSource {
 			return nil, E.New("rule_set_ipcidr_match_source is deprecated in sing-box 1.10.0 and removed in sing-box 1.11.0")
 		}
 		var matchSource bool
 		if options.RuleSetIPCIDRMatchSource {
 			matchSource = true
 		} else
 		//nolint:staticcheck
 		if options.Deprecated_RulesetIPCIDRMatchSource {
 			matchSource = true
 			deprecated.Report(ctx, deprecated.OptionBadMatchSource)
 		}
 		item := NewRuleSetItem(router, options.RuleSet, matchSource, false)
 		rule.items = append(rule.items, item)
--- a/route/rule/rule_dns.go
+++ b/route/rule/rule_dns.go
@@ -5,7 +5,6 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
@@ -263,14 +262,13 @@ func NewDefaultDNSRule(ctx context.Context, logger log.ContextLogger, options op
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.RuleSet) > 0 {
 		//nolint:staticcheck
 		if options.Deprecated_RulesetIPCIDRMatchSource {
 			return nil, E.New("rule_set_ipcidr_match_source is deprecated in sing-box 1.10.0 and removed in sing-box 1.11.0")
 		}
 		var matchSource bool
 		if options.RuleSetIPCIDRMatchSource {
 			matchSource = true
 		} else
 		//nolint:staticcheck
 		if options.Deprecated_RulesetIPCIDRMatchSource {
 			matchSource = true
 			deprecated.Report(ctx, deprecated.OptionBadMatchSource)
 		}
 		item := NewRuleSetItem(router, options.RuleSet, matchSource, options.RuleSetIPCIDRAcceptEmpty)
 		rule.items = append(rule.items, item)
--- a/service/ccm/service.go
+++ b/service/ccm/service.go
@@ -10,6 +10,7 @@ import (
 	"mime"
 	"net"
 	"net/http"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -79,6 +80,35 @@ func isHopByHopHeader(header string) bool {
 	}
 }
 const (
 	weeklyWindowSeconds = 604800
 	weeklyWindowMinutes = weeklyWindowSeconds / 60
 )
 func parseInt64Header(headers http.Header, headerName string) (int64, bool) {
 	headerValue := strings.TrimSpace(headers.Get(headerName))
 	if headerValue == "" {
 		return 0, false
 	}
 	parsedValue, parseError := strconv.ParseInt(headerValue, 10, 64)
 	if parseError != nil {
 		return 0, false
 	}
 	return parsedValue, true
 }
 func extractWeeklyCycleHint(headers http.Header) *WeeklyCycleHint {
 	resetAtUnix, hasResetAt := parseInt64Header(headers, "anthropic-ratelimit-unified-7d-reset")
 	if !hasResetAt || resetAtUnix <= 0 {
 		return nil
 	}
 	return &WeeklyCycleHint{
 		WindowMinutes: weeklyWindowMinutes,
 		ResetAt:       time.Unix(resetAtUnix, 0).UTC(),
 	}
 }
 type Service struct {
 	boxService.Adapter
 	ctx            context.Context
@@ -392,6 +422,7 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 }
 func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, response *http.Response, requestModel string, anthropicBetaHeader string, messagesCount int, username string) {
 	weeklyCycleHint := extractWeeklyCycleHint(response.Header)
 	mediaType, _, err := mime.ParseMediaType(response.Header.Get("Content-Type"))
 	isStreaming := err == nil && mediaType == "text/event-stream"
@@ -417,7 +448,7 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 		if usage.InputTokens > 0 || usage.OutputTokens > 0 {
 			if responseModel != "" {
 				contextWindow := detectContextWindow(anthropicBetaHeader, usage.InputTokens)
-				s.usageTracker.AddUsage(
+				s.usageTracker.AddUsageWithCycleHint(
 					responseModel,
 					contextWindow,
 					messagesCount,
@@ -425,7 +456,11 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 					usage.OutputTokens,
 					usage.CacheReadInputTokens,
 					usage.CacheCreationInputTokens,
 					usage.CacheCreation.Ephemeral5mInputTokens,
 					usage.CacheCreation.Ephemeral1hInputTokens,
 					username,
 					time.Now(),
 					weeklyCycleHint,
 				)
 			}
 		}
@@ -485,6 +520,8 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 							accumulatedUsage.InputTokens = messageStart.Message.Usage.InputTokens
 							accumulatedUsage.CacheReadInputTokens = messageStart.Message.Usage.CacheReadInputTokens
 							accumulatedUsage.CacheCreationInputTokens = messageStart.Message.Usage.CacheCreationInputTokens
 							accumulatedUsage.CacheCreation.Ephemeral5mInputTokens = messageStart.Message.Usage.CacheCreation.Ephemeral5mInputTokens
 							accumulatedUsage.CacheCreation.Ephemeral1hInputTokens = messageStart.Message.Usage.CacheCreation.Ephemeral1hInputTokens
 						}
 					case "message_delta":
 						messageDelta := event.AsMessageDelta()
@@ -511,7 +548,7 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 			if accumulatedUsage.InputTokens > 0 || accumulatedUsage.OutputTokens > 0 {
 				if responseModel != "" {
 					contextWindow := detectContextWindow(anthropicBetaHeader, accumulatedUsage.InputTokens)
-					s.usageTracker.AddUsage(
+					s.usageTracker.AddUsageWithCycleHint(
 						responseModel,
 						contextWindow,
 						messagesCount,
@@ -519,7 +556,11 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 						accumulatedUsage.OutputTokens,
 						accumulatedUsage.CacheReadInputTokens,
 						accumulatedUsage.CacheCreationInputTokens,
 						accumulatedUsage.CacheCreation.Ephemeral5mInputTokens,
 						accumulatedUsage.CacheCreation.Ephemeral1hInputTokens,
 						username,
 						time.Now(),
 						weeklyCycleHint,
 					)
 				}
 			}
--- a/service/ccm/service_usage.go
+++ b/service/ccm/service_usage.go
@@ -2,6 +2,7 @@ package ccm
 import (
 	"encoding/json"
 	"fmt"
 	"math"
 	"os"
 	"regexp"
@@ -13,17 +14,20 @@ import (
 )
 type UsageStats struct {
-	RequestCount             int   `json:"request_count"`
+	RequestCount                    int   `json:"request_count"`
-	MessagesCount            int   `json:"messages_count"`
+	MessagesCount                   int   `json:"messages_count"`
-	InputTokens              int64 `json:"input_tokens"`
+	InputTokens                     int64 `json:"input_tokens"`
-	OutputTokens             int64 `json:"output_tokens"`
+	OutputTokens                    int64 `json:"output_tokens"`
-	CacheReadInputTokens     int64 `json:"cache_read_input_tokens"`
+	CacheReadInputTokens            int64 `json:"cache_read_input_tokens"`
-	CacheCreationInputTokens int64 `json:"cache_creation_input_tokens"`
+	CacheCreationInputTokens        int64 `json:"cache_creation_input_tokens"`
 	CacheCreation5MinuteInputTokens int64 `json:"cache_creation_5m_input_tokens,omitempty"`
 	CacheCreation1HourInputTokens   int64 `json:"cache_creation_1h_input_tokens,omitempty"`
 }
 type CostCombination struct {
 	Model         string                `json:"model"`
 	ContextWindow int                   `json:"context_window"`
 	WeekStartUnix int64                 `json:"week_start_unix,omitempty"`
 	Total         UsageStats            `json:"total"`
 	ByUser        map[string]UsageStats `json:"by_user"`
 }
@@ -41,18 +45,21 @@ type AggregatedUsage struct {
 }
 type UsageStatsJSON struct {
-	RequestCount             int     `json:"request_count"`
+	RequestCount                    int     `json:"request_count"`
-	MessagesCount            int     `json:"messages_count"`
+	MessagesCount                   int     `json:"messages_count"`
-	InputTokens              int64   `json:"input_tokens"`
+	InputTokens                     int64   `json:"input_tokens"`
-	OutputTokens             int64   `json:"output_tokens"`
+	OutputTokens                    int64   `json:"output_tokens"`
-	CacheReadInputTokens     int64   `json:"cache_read_input_tokens"`
+	CacheReadInputTokens            int64   `json:"cache_read_input_tokens"`
-	CacheCreationInputTokens int64   `json:"cache_creation_input_tokens"`
+	CacheCreationInputTokens        int64   `json:"cache_creation_input_tokens"`
-	CostUSD                  float64 `json:"cost_usd"`
+	CacheCreation5MinuteInputTokens int64   `json:"cache_creation_5m_input_tokens,omitempty"`
 	CacheCreation1HourInputTokens   int64   `json:"cache_creation_1h_input_tokens,omitempty"`
 	CostUSD                         float64 `json:"cost_usd"`
 }
 type CostCombinationJSON struct {
 	Model         string                    `json:"model"`
 	ContextWindow int                       `json:"context_window"`
 	WeekStartUnix int64                     `json:"week_start_unix,omitempty"`
 	Total         UsageStatsJSON            `json:"total"`
 	ByUser        map[string]UsageStatsJSON `json:"by_user"`
 }
@@ -60,6 +67,7 @@ type CostCombinationJSON struct {
 type CostsSummaryJSON struct {
 	TotalUSD float64            `json:"total_usd"`
 	ByUser   map[string]float64 `json:"by_user"`
 	ByWeek   map[string]float64 `json:"by_week,omitempty"`
 }
 type AggregatedUsageJSON struct {
@@ -68,11 +76,17 @@ type AggregatedUsageJSON struct {
 	Combinations []CostCombinationJSON `json:"combinations"`
 }
 type WeeklyCycleHint struct {
 	WindowMinutes int64
 	ResetAt       time.Time
 }
 type ModelPricing struct {
-	InputPrice      float64
+	InputPrice             float64
-	OutputPrice     float64
+	OutputPrice            float64
-	CacheReadPrice  float64
+	CacheReadPrice         float64
-	CacheWritePrice float64
+	CacheWritePrice5Minute float64
 	CacheWritePrice1Hour   float64
 }
 type modelFamily struct {
@@ -82,143 +96,205 @@ type modelFamily struct {
 }
 var (
-	opus4Pricing = ModelPricing{
+	opus46StandardPricing = ModelPricing{
-		InputPrice:      15.0,
+		InputPrice:             5.0,
-		OutputPrice:     75.0,
+		OutputPrice:            25.0,
-		CacheReadPrice:  1.5,
+		CacheReadPrice:         0.5,
-		CacheWritePrice: 18.75,
+		CacheWritePrice5Minute: 6.25,
 		CacheWritePrice1Hour:   10.0,
 	}
-	sonnet4StandardPricing = ModelPricing{
+	opus46PremiumPricing = ModelPricing{
-		InputPrice:      3.0,
+		InputPrice:             10.0,
-		OutputPrice:     15.0,
+		OutputPrice:            37.5,
-		CacheReadPrice:  0.3,
+		CacheReadPrice:         1.0,
-		CacheWritePrice: 3.75,
+		CacheWritePrice5Minute: 12.5,
-	}
+		CacheWritePrice1Hour:   20.0,
 	sonnet4PremiumPricing = ModelPricing{
 		InputPrice:      6.0,
 		OutputPrice:     22.5,
 		CacheReadPrice:  0.6,
 		CacheWritePrice: 7.5,
 	}
 	haiku4Pricing = ModelPricing{
 		InputPrice:      1.0,
 		OutputPrice:     5.0,
 		CacheReadPrice:  0.1,
 		CacheWritePrice: 1.25,
 	}
 	haiku35Pricing = ModelPricing{
 		InputPrice:      0.8,
 		OutputPrice:     4.0,
 		CacheReadPrice:  0.08,
 		CacheWritePrice: 1.0,
 	}
 	sonnet35Pricing = ModelPricing{
 		InputPrice:      3.0,
 		OutputPrice:     15.0,
 		CacheReadPrice:  0.3,
 		CacheWritePrice: 3.75,
 	}
 	opus45Pricing = ModelPricing{
-		InputPrice:      5.0,
+		InputPrice:             5.0,
-		OutputPrice:     25.0,
+		OutputPrice:            25.0,
-		CacheReadPrice:  0.5,
+		CacheReadPrice:         0.5,
-		CacheWritePrice: 6.25,
+		CacheWritePrice5Minute: 6.25,
 		CacheWritePrice1Hour:   10.0,
 	}
 	opus4Pricing = ModelPricing{
 		InputPrice:             15.0,
 		OutputPrice:            75.0,
 		CacheReadPrice:         1.5,
 		CacheWritePrice5Minute: 18.75,
 		CacheWritePrice1Hour:   30.0,
 	}
 	sonnet46StandardPricing = ModelPricing{
 		InputPrice:             3.0,
 		OutputPrice:            15.0,
 		CacheReadPrice:         0.3,
 		CacheWritePrice5Minute: 3.75,
 		CacheWritePrice1Hour:   6.0,
 	}
 	sonnet46PremiumPricing = ModelPricing{
 		InputPrice:             6.0,
 		OutputPrice:            22.5,
 		CacheReadPrice:         0.6,
 		CacheWritePrice5Minute: 7.5,
 		CacheWritePrice1Hour:   12.0,
 	}
 	sonnet45StandardPricing = ModelPricing{
-		InputPrice:      3.0,
+		InputPrice:             3.0,
-		OutputPrice:     15.0,
+		OutputPrice:            15.0,
-		CacheReadPrice:  0.3,
+		CacheReadPrice:         0.3,
-		CacheWritePrice: 3.75,
+		CacheWritePrice5Minute: 3.75,
 		CacheWritePrice1Hour:   6.0,
 	}
 	sonnet45PremiumPricing = ModelPricing{
-		InputPrice:      6.0,
+		InputPrice:             6.0,
-		OutputPrice:     22.5,
+		OutputPrice:            22.5,
-		CacheReadPrice:  0.6,
+		CacheReadPrice:         0.6,
-		CacheWritePrice: 7.5,
+		CacheWritePrice5Minute: 7.5,
 		CacheWritePrice1Hour:   12.0,
 	}
 	sonnet4StandardPricing = ModelPricing{
 		InputPrice:             3.0,
 		OutputPrice:            15.0,
 		CacheReadPrice:         0.3,
 		CacheWritePrice5Minute: 3.75,
 		CacheWritePrice1Hour:   6.0,
 	}
 	sonnet4PremiumPricing = ModelPricing{
 		InputPrice:             6.0,
 		OutputPrice:            22.5,
 		CacheReadPrice:         0.6,
 		CacheWritePrice5Minute: 7.5,
 		CacheWritePrice1Hour:   12.0,
 	}
 	sonnet37Pricing = ModelPricing{
 		InputPrice:             3.0,
 		OutputPrice:            15.0,
 		CacheReadPrice:         0.3,
 		CacheWritePrice5Minute: 3.75,
 		CacheWritePrice1Hour:   6.0,
 	}
 	sonnet35Pricing = ModelPricing{
 		InputPrice:             3.0,
 		OutputPrice:            15.0,
 		CacheReadPrice:         0.3,
 		CacheWritePrice5Minute: 3.75,
 		CacheWritePrice1Hour:   6.0,
 	}
 	haiku45Pricing = ModelPricing{
-		InputPrice:      1.0,
+		InputPrice:             1.0,
-		OutputPrice:     5.0,
+		OutputPrice:            5.0,
-		CacheReadPrice:  0.1,
+		CacheReadPrice:         0.1,
-		CacheWritePrice: 1.25,
+		CacheWritePrice5Minute: 1.25,
 		CacheWritePrice1Hour:   2.0,
 	}
 	haiku4Pricing = ModelPricing{
 		InputPrice:             1.0,
 		OutputPrice:            5.0,
 		CacheReadPrice:         0.1,
 		CacheWritePrice5Minute: 1.25,
 		CacheWritePrice1Hour:   2.0,
 	}
 	haiku35Pricing = ModelPricing{
 		InputPrice:             0.8,
 		OutputPrice:            4.0,
 		CacheReadPrice:         0.08,
 		CacheWritePrice5Minute: 1.0,
 		CacheWritePrice1Hour:   1.6,
 	}
 	haiku3Pricing = ModelPricing{
-		InputPrice:      0.25,
+		InputPrice:             0.25,
-		OutputPrice:     1.25,
+		OutputPrice:            1.25,
-		CacheReadPrice:  0.03,
+		CacheReadPrice:         0.03,
-		CacheWritePrice: 0.3,
+		CacheWritePrice5Minute: 0.3,
 		CacheWritePrice1Hour:   0.5,
 	}
 	opus3Pricing = ModelPricing{
-		InputPrice:      15.0,
+		InputPrice:             15.0,
-		OutputPrice:     75.0,
+		OutputPrice:            75.0,
-		CacheReadPrice:  1.5,
+		CacheReadPrice:         1.5,
-		CacheWritePrice: 18.75,
+		CacheWritePrice5Minute: 18.75,
 		CacheWritePrice1Hour:   30.0,
 	}
 	modelFamilies = []modelFamily{
 		{
-			pattern:         regexp.MustCompile(`^claude-opus-4-5-`),
+			pattern:         regexp.MustCompile(`^claude-opus-4-6(?:-|$)`),
 			standardPricing: opus46StandardPricing,
 			premiumPricing:  &opus46PremiumPricing,
 		},
 		{
 			pattern:         regexp.MustCompile(`^claude-opus-4-5(?:-|$)`),
 			standardPricing: opus45Pricing,
 			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-(?:opus-4-|4-opus-|opus-4-1-)`),
+			pattern:         regexp.MustCompile(`^claude-(?:opus-4(?:-|$)|4-opus-)`),
 			standardPricing: opus4Pricing,
 			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-(?:opus-3-|3-opus-)`),
+			pattern:         regexp.MustCompile(`^claude-(?:opus-3(?:-|$)|3-opus-)`),
 			standardPricing: opus3Pricing,
 			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-(?:sonnet-4-5-|4-5-sonnet-)`),
+			pattern:         regexp.MustCompile(`^claude-(?:sonnet-4-6(?:-|$)|4-6-sonnet-)`),
 			standardPricing: sonnet46StandardPricing,
 			premiumPricing:  &sonnet46PremiumPricing,
 		},
 		{
 			pattern:         regexp.MustCompile(`^claude-(?:sonnet-4-5(?:-|$)|4-5-sonnet-)`),
 			standardPricing: sonnet45StandardPricing,
 			premiumPricing:  &sonnet45PremiumPricing,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-3-7-sonnet-`),
+			pattern:         regexp.MustCompile(`^claude-(?:sonnet-4(?:-|$)|4-sonnet-)`),
 			standardPricing: sonnet4StandardPricing,
 			premiumPricing:  &sonnet4PremiumPricing,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-(?:sonnet-4-|4-sonnet-)`),
+			pattern:         regexp.MustCompile(`^claude-3-7-sonnet(?:-|$)`),
-			standardPricing: sonnet4StandardPricing,
+			standardPricing: sonnet37Pricing,
-			premiumPricing:  &sonnet4PremiumPricing,
+			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-3-5-sonnet-`),
+			pattern:         regexp.MustCompile(`^claude-3-5-sonnet(?:-|$)`),
 			standardPricing: sonnet35Pricing,
 			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-(?:haiku-4-5-|4-5-haiku-)`),
+			pattern:         regexp.MustCompile(`^claude-(?:haiku-4-5(?:-|$)|4-5-haiku-)`),
 			standardPricing: haiku45Pricing,
 			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-haiku-4-`),
+			pattern:         regexp.MustCompile(`^claude-haiku-4(?:-|$)`),
 			standardPricing: haiku4Pricing,
 			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-3-5-haiku-`),
+			pattern:         regexp.MustCompile(`^claude-3-5-haiku(?:-|$)`),
 			standardPricing: haiku35Pricing,
 			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-3-haiku-`),
+			pattern:         regexp.MustCompile(`^claude-3-haiku(?:-|$)`),
 			standardPricing: haiku3Pricing,
 			premiumPricing:  nil,
 		},
@@ -243,68 +319,211 @@ func getPricing(model string, contextWindow int) ModelPricing {
 func calculateCost(stats UsageStats, model string, contextWindow int) float64 {
 	pricing := getPricing(model, contextWindow)
 	cacheCreationCost := 0.0
 	if stats.CacheCreation5MinuteInputTokens > 0 || stats.CacheCreation1HourInputTokens > 0 {
 		cacheCreationCost = float64(stats.CacheCreation5MinuteInputTokens)*pricing.CacheWritePrice5Minute +
 			float64(stats.CacheCreation1HourInputTokens)*pricing.CacheWritePrice1Hour
 	} else {
 		// Backward compatibility for usage files generated before TTL split tracking.
 		cacheCreationCost = float64(stats.CacheCreationInputTokens) * pricing.CacheWritePrice5Minute
 	}
 	cost := (float64(stats.InputTokens)*pricing.InputPrice +
 		float64(stats.OutputTokens)*pricing.OutputPrice +
 		float64(stats.CacheReadInputTokens)*pricing.CacheReadPrice +
-		float64(stats.CacheCreationInputTokens)*pricing.CacheWritePrice) / 1_000_000
+		cacheCreationCost) / 1_000_000
 	return math.Round(cost*100) / 100
 }
 func roundCost(cost float64) float64 {
 	return math.Round(cost*100) / 100
 }
 func normalizeCombinations(combinations []CostCombination) {
 	for index := range combinations {
 		if combinations[index].ByUser == nil {
 			combinations[index].ByUser = make(map[string]UsageStats)
 		}
 	}
 }
 func addUsageToCombinations(
 	combinations *[]CostCombination,
 	model string,
 	contextWindow int,
 	weekStartUnix int64,
 	messagesCount int,
 	inputTokens, outputTokens, cacheReadTokens, cacheCreationTokens, cacheCreation5MinuteTokens, cacheCreation1HourTokens int64,
 	user string,
 ) {
 	var matchedCombination *CostCombination
 	for index := range *combinations {
 		combination := &(*combinations)[index]
 		if combination.Model == model && combination.ContextWindow == contextWindow && combination.WeekStartUnix == weekStartUnix {
 			matchedCombination = combination
 			break
 		}
 	}
 	if matchedCombination == nil {
 		newCombination := CostCombination{
 			Model:         model,
 			ContextWindow: contextWindow,
 			WeekStartUnix: weekStartUnix,
 			Total:         UsageStats{},
 			ByUser:        make(map[string]UsageStats),
 		}
 		*combinations = append(*combinations, newCombination)
 		matchedCombination = &(*combinations)[len(*combinations)-1]
 	}
 	if cacheCreationTokens == 0 {
 		cacheCreationTokens = cacheCreation5MinuteTokens + cacheCreation1HourTokens
 	}
 	matchedCombination.Total.RequestCount++
 	matchedCombination.Total.MessagesCount += messagesCount
 	matchedCombination.Total.InputTokens += inputTokens
 	matchedCombination.Total.OutputTokens += outputTokens
 	matchedCombination.Total.CacheReadInputTokens += cacheReadTokens
 	matchedCombination.Total.CacheCreationInputTokens += cacheCreationTokens
 	matchedCombination.Total.CacheCreation5MinuteInputTokens += cacheCreation5MinuteTokens
 	matchedCombination.Total.CacheCreation1HourInputTokens += cacheCreation1HourTokens
 	if user != "" {
 		userStats := matchedCombination.ByUser[user]
 		userStats.RequestCount++
 		userStats.MessagesCount += messagesCount
 		userStats.InputTokens += inputTokens
 		userStats.OutputTokens += outputTokens
 		userStats.CacheReadInputTokens += cacheReadTokens
 		userStats.CacheCreationInputTokens += cacheCreationTokens
 		userStats.CacheCreation5MinuteInputTokens += cacheCreation5MinuteTokens
 		userStats.CacheCreation1HourInputTokens += cacheCreation1HourTokens
 		matchedCombination.ByUser[user] = userStats
 	}
 }
 func buildCombinationJSON(combinations []CostCombination, aggregateUserCosts map[string]float64) ([]CostCombinationJSON, float64) {
 	result := make([]CostCombinationJSON, len(combinations))
 	var totalCost float64
 	for index, combination := range combinations {
 		combinationTotalCost := calculateCost(combination.Total, combination.Model, combination.ContextWindow)
 		totalCost += combinationTotalCost
 		combinationJSON := CostCombinationJSON{
 			Model:         combination.Model,
 			ContextWindow: combination.ContextWindow,
 			WeekStartUnix: combination.WeekStartUnix,
 			Total: UsageStatsJSON{
 				RequestCount:                    combination.Total.RequestCount,
 				MessagesCount:                   combination.Total.MessagesCount,
 				InputTokens:                     combination.Total.InputTokens,
 				OutputTokens:                    combination.Total.OutputTokens,
 				CacheReadInputTokens:            combination.Total.CacheReadInputTokens,
 				CacheCreationInputTokens:        combination.Total.CacheCreationInputTokens,
 				CacheCreation5MinuteInputTokens: combination.Total.CacheCreation5MinuteInputTokens,
 				CacheCreation1HourInputTokens:   combination.Total.CacheCreation1HourInputTokens,
 				CostUSD:                         combinationTotalCost,
 			},
 			ByUser: make(map[string]UsageStatsJSON),
 		}
 		for user, userStats := range combination.ByUser {
 			userCost := calculateCost(userStats, combination.Model, combination.ContextWindow)
 			if aggregateUserCosts != nil {
 				aggregateUserCosts[user] += userCost
 			}
 			combinationJSON.ByUser[user] = UsageStatsJSON{
 				RequestCount:                    userStats.RequestCount,
 				MessagesCount:                   userStats.MessagesCount,
 				InputTokens:                     userStats.InputTokens,
 				OutputTokens:                    userStats.OutputTokens,
 				CacheReadInputTokens:            userStats.CacheReadInputTokens,
 				CacheCreationInputTokens:        userStats.CacheCreationInputTokens,
 				CacheCreation5MinuteInputTokens: userStats.CacheCreation5MinuteInputTokens,
 				CacheCreation1HourInputTokens:   userStats.CacheCreation1HourInputTokens,
 				CostUSD:                         userCost,
 			}
 		}
 		result[index] = combinationJSON
 	}
 	return result, roundCost(totalCost)
 }
 func formatUTCOffsetLabel(timestamp time.Time) string {
 	_, offsetSeconds := timestamp.Zone()
 	sign := "+"
 	if offsetSeconds < 0 {
 		sign = "-"
 		offsetSeconds = -offsetSeconds
 	}
 	offsetHours := offsetSeconds / 3600
 	offsetMinutes := (offsetSeconds % 3600) / 60
 	if offsetMinutes == 0 {
 		return fmt.Sprintf("UTC%s%d", sign, offsetHours)
 	}
 	return fmt.Sprintf("UTC%s%d:%02d", sign, offsetHours, offsetMinutes)
 }
 func formatWeekStartKey(cycleStartAt time.Time) string {
 	localCycleStart := cycleStartAt.In(time.Local)
 	return fmt.Sprintf("%s %s", localCycleStart.Format("2006-01-02 15:04:05"), formatUTCOffsetLabel(localCycleStart))
 }
 func buildByWeekCost(combinations []CostCombination) map[string]float64 {
 	byWeek := make(map[string]float64)
 	for _, combination := range combinations {
 		if combination.WeekStartUnix <= 0 {
 			continue
 		}
 		weekStartAt := time.Unix(combination.WeekStartUnix, 0).UTC()
 		weekKey := formatWeekStartKey(weekStartAt)
 		byWeek[weekKey] += calculateCost(combination.Total, combination.Model, combination.ContextWindow)
 	}
 	for weekKey, weekCost := range byWeek {
 		byWeek[weekKey] = roundCost(weekCost)
 	}
 	return byWeek
 }
 func deriveWeekStartUnix(cycleHint *WeeklyCycleHint) int64 {
 	if cycleHint == nil || cycleHint.WindowMinutes <= 0 || cycleHint.ResetAt.IsZero() {
 		return 0
 	}
 	windowDuration := time.Duration(cycleHint.WindowMinutes) * time.Minute
 	return cycleHint.ResetAt.UTC().Add(-windowDuration).Unix()
 }
 func (u *AggregatedUsage) ToJSON() *AggregatedUsageJSON {
 	u.mutex.Lock()
 	defer u.mutex.Unlock()
 	result := &AggregatedUsageJSON{
-		LastUpdated:  u.LastUpdated,
+		LastUpdated: u.LastUpdated,
 		Combinations: make([]CostCombinationJSON, len(u.Combinations)),
 		Costs: CostsSummaryJSON{
 			TotalUSD: 0,
 			ByUser:   make(map[string]float64),
 			ByWeek:   make(map[string]float64),
 		},
 	}
-	for i, combo := range u.Combinations {
+	globalCombinationsJSON, totalCost := buildCombinationJSON(u.Combinations, result.Costs.ByUser)
-		totalCost := calculateCost(combo.Total, combo.Model, combo.ContextWindow)
+	result.Combinations = globalCombinationsJSON
 	result.Costs.TotalUSD = totalCost
 	result.Costs.ByWeek = buildByWeekCost(u.Combinations)
-		result.Costs.TotalUSD += totalCost
+	if len(result.Costs.ByWeek) == 0 {
-
+		result.Costs.ByWeek = nil
 		comboJSON := CostCombinationJSON{
 			Model:         combo.Model,
 			ContextWindow: combo.ContextWindow,
 			Total: UsageStatsJSON{
 				RequestCount:             combo.Total.RequestCount,
 				MessagesCount:            combo.Total.MessagesCount,
 				InputTokens:              combo.Total.InputTokens,
 				OutputTokens:             combo.Total.OutputTokens,
 				CacheReadInputTokens:     combo.Total.CacheReadInputTokens,
 				CacheCreationInputTokens: combo.Total.CacheCreationInputTokens,
 				CostUSD:                  totalCost,
 			},
 			ByUser: make(map[string]UsageStatsJSON),
 		}
 		for user, userStats := range combo.ByUser {
 			userCost := calculateCost(userStats, combo.Model, combo.ContextWindow)
 			result.Costs.ByUser[user] += userCost
 			comboJSON.ByUser[user] = UsageStatsJSON{
 				RequestCount:             userStats.RequestCount,
 				MessagesCount:            userStats.MessagesCount,
 				InputTokens:              userStats.InputTokens,
 				OutputTokens:             userStats.OutputTokens,
 				CacheReadInputTokens:     userStats.CacheReadInputTokens,
 				CacheCreationInputTokens: userStats.CacheCreationInputTokens,
 				CostUSD:                  userCost,
 			}
 		}
 		result.Combinations[i] = comboJSON
 	}
 	result.Costs.TotalUSD = math.Round(result.Costs.TotalUSD*100) / 100
 	for user, cost := range result.Costs.ByUser {
-		result.Costs.ByUser[user] = math.Round(cost*100) / 100
+		result.Costs.ByUser[user] = roundCost(cost)
 	}
 	return result
@@ -314,6 +533,9 @@ func (u *AggregatedUsage) Load() error {
 	u.mutex.Lock()
 	defer u.mutex.Unlock()
 	u.LastUpdated = time.Time{}
 	u.Combinations = nil
 	data, err := os.ReadFile(u.filePath)
 	if err != nil {
 		if os.IsNotExist(err) {
@@ -334,12 +556,7 @@ func (u *AggregatedUsage) Load() error {
 	u.LastUpdated = temp.LastUpdated
 	u.Combinations = temp.Combinations
-
+	normalizeCombinations(u.Combinations)
 	for i := range u.Combinations {
 		if u.Combinations[i].ByUser == nil {
 			u.Combinations[i].ByUser = make(map[string]UsageStats)
 		}
 	}
 	return nil
 }
@@ -367,58 +584,42 @@ func (u *AggregatedUsage) Save() error {
 	return err
 }
-func (u *AggregatedUsage) AddUsage(model string, contextWindow int, messagesCount int, inputTokens, outputTokens, cacheReadTokens, cacheCreationTokens int64, user string) error {
+func (u *AggregatedUsage) AddUsage(
 	model string,
 	contextWindow int,
 	messagesCount int,
 	inputTokens, outputTokens, cacheReadTokens, cacheCreationTokens, cacheCreation5MinuteTokens, cacheCreation1HourTokens int64,
 	user string,
 ) error {
 	return u.AddUsageWithCycleHint(model, contextWindow, messagesCount, inputTokens, outputTokens, cacheReadTokens, cacheCreationTokens, cacheCreation5MinuteTokens, cacheCreation1HourTokens, user, time.Now(), nil)
 }
 func (u *AggregatedUsage) AddUsageWithCycleHint(
 	model string,
 	contextWindow int,
 	messagesCount int,
 	inputTokens, outputTokens, cacheReadTokens, cacheCreationTokens, cacheCreation5MinuteTokens, cacheCreation1HourTokens int64,
 	user string,
 	observedAt time.Time,
 	cycleHint *WeeklyCycleHint,
 ) error {
 	if model == "" {
 		return E.New("model cannot be empty")
 	}
 	if contextWindow <= 0 {
 		return E.New("contextWindow must be positive")
 	}
 	if observedAt.IsZero() {
 		observedAt = time.Now()
 	}
 	u.mutex.Lock()
 	defer u.mutex.Unlock()
-	u.LastUpdated = time.Now()
+	u.LastUpdated = observedAt
 	weekStartUnix := deriveWeekStartUnix(cycleHint)
-	// Find or create combination
+	addUsageToCombinations(&u.Combinations, model, contextWindow, weekStartUnix, messagesCount, inputTokens, outputTokens, cacheReadTokens, cacheCreationTokens, cacheCreation5MinuteTokens, cacheCreation1HourTokens, user)
 	var combo *CostCombination
 	for i := range u.Combinations {
 		if u.Combinations[i].Model == model && u.Combinations[i].ContextWindow == contextWindow {
 			combo = &u.Combinations[i]
 			break
 		}
 	}
 	if combo == nil {
 		newCombo := CostCombination{
 			Model:         model,
 			ContextWindow: contextWindow,
 			Total:         UsageStats{},
 			ByUser:        make(map[string]UsageStats),
 		}
 		u.Combinations = append(u.Combinations, newCombo)
 		combo = &u.Combinations[len(u.Combinations)-1]
 	}
 	// Update total stats
 	combo.Total.RequestCount++
 	combo.Total.MessagesCount += messagesCount
 	combo.Total.InputTokens += inputTokens
 	combo.Total.OutputTokens += outputTokens
 	combo.Total.CacheReadInputTokens += cacheReadTokens
 	combo.Total.CacheCreationInputTokens += cacheCreationTokens
 	// Update per-user stats if user is specified
 	if user != "" {
 		userStats := combo.ByUser[user]
 		userStats.RequestCount++
 		userStats.MessagesCount += messagesCount
 		userStats.InputTokens += inputTokens
 		userStats.OutputTokens += outputTokens
 		userStats.CacheReadInputTokens += cacheReadTokens
 		userStats.CacheCreationInputTokens += cacheCreationTokens
 		combo.ByUser[user] = userStats
 	}
 	go u.scheduleSave()
--- a/service/ocm/service.go
+++ b/service/ocm/service.go
@@ -10,6 +10,7 @@ import (
 	"mime"
 	"net"
 	"net/http"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -71,6 +72,57 @@ func isHopByHopHeader(header string) bool {
 	}
 }
 func normalizeRateLimitIdentifier(limitIdentifier string) string {
 	trimmedIdentifier := strings.TrimSpace(strings.ToLower(limitIdentifier))
 	if trimmedIdentifier == "" {
 		return ""
 	}
 	return strings.ReplaceAll(trimmedIdentifier, "_", "-")
 }
 func parseInt64Header(headers http.Header, headerName string) (int64, bool) {
 	headerValue := strings.TrimSpace(headers.Get(headerName))
 	if headerValue == "" {
 		return 0, false
 	}
 	parsedValue, parseError := strconv.ParseInt(headerValue, 10, 64)
 	if parseError != nil {
 		return 0, false
 	}
 	return parsedValue, true
 }
 func weeklyCycleHintForLimit(headers http.Header, limitIdentifier string) *WeeklyCycleHint {
 	normalizedLimitIdentifier := normalizeRateLimitIdentifier(limitIdentifier)
 	if normalizedLimitIdentifier == "" {
 		return nil
 	}
 	windowHeader := "x-" + normalizedLimitIdentifier + "-secondary-window-minutes"
 	resetHeader := "x-" + normalizedLimitIdentifier + "-secondary-reset-at"
 	windowMinutes, hasWindowMinutes := parseInt64Header(headers, windowHeader)
 	resetAtUnix, hasResetAt := parseInt64Header(headers, resetHeader)
 	if !hasWindowMinutes || !hasResetAt || windowMinutes <= 0 || resetAtUnix <= 0 {
 		return nil
 	}
 	return &WeeklyCycleHint{
 		WindowMinutes: windowMinutes,
 		ResetAt:       time.Unix(resetAtUnix, 0).UTC(),
 	}
 }
 func extractWeeklyCycleHint(headers http.Header) *WeeklyCycleHint {
 	activeLimitIdentifier := normalizeRateLimitIdentifier(headers.Get("x-codex-active-limit"))
 	if activeLimitIdentifier != "" {
 		if activeHint := weeklyCycleHintForLimit(headers, activeLimitIdentifier); activeHint != nil {
 			return activeHint
 		}
 	}
 	return weeklyCycleHintForLimit(headers, "codex")
 }
 type Service struct {
 	boxService.Adapter
 	ctx            context.Context
@@ -404,9 +456,12 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, response *http.Response, path string, requestModel string, username string) {
 	isChatCompletions := path == "/v1/chat/completions"
 	weeklyCycleHint := extractWeeklyCycleHint(response.Header)
 	mediaType, _, err := mime.ParseMediaType(response.Header.Get("Content-Type"))
 	isStreaming := err == nil && mediaType == "text/event-stream"
-
+	if !isStreaming && !isChatCompletions && response.Header.Get("Content-Type") == "" {
 		isStreaming = true
 	}
 	if !isStreaming {
 		bodyBytes, err := io.ReadAll(response.Body)
 		if err != nil {
@@ -414,13 +469,14 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 			return
 		}
-		var responseModel string
+		var responseModel, serviceTier string
 		var inputTokens, outputTokens, cachedTokens int64
 		if isChatCompletions {
 			var chatCompletion openai.ChatCompletion
 			if json.Unmarshal(bodyBytes, &chatCompletion) == nil {
 				responseModel = chatCompletion.Model
 				serviceTier = string(chatCompletion.ServiceTier)
 				inputTokens = chatCompletion.Usage.PromptTokens
 				outputTokens = chatCompletion.Usage.CompletionTokens
 				cachedTokens = chatCompletion.Usage.PromptTokensDetails.CachedTokens
@@ -429,6 +485,7 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 			var responsesResponse responses.Response
 			if json.Unmarshal(bodyBytes, &responsesResponse) == nil {
 				responseModel = string(responsesResponse.Model)
 				serviceTier = string(responsesResponse.ServiceTier)
 				inputTokens = responsesResponse.Usage.InputTokens
 				outputTokens = responsesResponse.Usage.OutputTokens
 				cachedTokens = responsesResponse.Usage.InputTokensDetails.CachedTokens
@@ -440,7 +497,16 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 				responseModel = requestModel
 			}
 			if responseModel != "" {
-				s.usageTracker.AddUsage(responseModel, inputTokens, outputTokens, cachedTokens, username)
+				s.usageTracker.AddUsageWithCycleHint(
 					responseModel,
 					inputTokens,
 					outputTokens,
 					cachedTokens,
 					serviceTier,
 					username,
 					time.Now(),
 					weeklyCycleHint,
 				)
 			}
 		}
@@ -455,7 +521,7 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 	}
 	var inputTokens, outputTokens, cachedTokens int64
-	var responseModel string
+	var responseModel, serviceTier string
 	buffer := make([]byte, buf.BufferSize)
 	var leftover []byte
@@ -490,6 +556,9 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 							if chatChunk.Model != "" {
 								responseModel = chatChunk.Model
 							}
 							if chatChunk.ServiceTier != "" {
 								serviceTier = string(chatChunk.ServiceTier)
 							}
 							if chatChunk.Usage.PromptTokens > 0 {
 								inputTokens = chatChunk.Usage.PromptTokens
 								cachedTokens = chatChunk.Usage.PromptTokensDetails.CachedTokens
@@ -506,6 +575,9 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 								if string(completedEvent.Response.Model) != "" {
 									responseModel = string(completedEvent.Response.Model)
 								}
 								if completedEvent.Response.ServiceTier != "" {
 									serviceTier = string(completedEvent.Response.ServiceTier)
 								}
 								if completedEvent.Response.Usage.InputTokens > 0 {
 									inputTokens = completedEvent.Response.Usage.InputTokens
 									cachedTokens = completedEvent.Response.Usage.InputTokensDetails.CachedTokens
@@ -534,7 +606,16 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 			if inputTokens > 0 || outputTokens > 0 {
 				if responseModel != "" {
-					s.usageTracker.AddUsage(responseModel, inputTokens, outputTokens, cachedTokens, username)
+					s.usageTracker.AddUsageWithCycleHint(
 						responseModel,
 						inputTokens,
 						outputTokens,
 						cachedTokens,
 						serviceTier,
 						username,
 						time.Now(),
 						weeklyCycleHint,
 					)
 				}
 			}
 			return
--- a/service/ocm/service_usage.go
+++ b/service/ocm/service_usage.go
@@ -2,9 +2,11 @@ package ocm
 import (
 	"encoding/json"
 	"fmt"
 	"math"
 	"os"
 	"regexp"
 	"strings"
 	"sync"
 	"time"
@@ -42,9 +44,11 @@ func (u *UsageStats) UnmarshalJSON(data []byte) error {
 }
 type CostCombination struct {
-	Model  string                `json:"model"`
+	Model         string                `json:"model"`
-	Total  UsageStats            `json:"total"`
+	ServiceTier   string                `json:"service_tier,omitempty"`
-	ByUser map[string]UsageStats `json:"by_user"`
+	WeekStartUnix int64                 `json:"week_start_unix,omitempty"`
 	Total         UsageStats            `json:"total"`
 	ByUser        map[string]UsageStats `json:"by_user"`
 }
 type AggregatedUsage struct {
@@ -68,14 +72,17 @@ type UsageStatsJSON struct {
 }
 type CostCombinationJSON struct {
-	Model  string                    `json:"model"`
+	Model         string                    `json:"model"`
-	Total  UsageStatsJSON            `json:"total"`
+	ServiceTier   string                    `json:"service_tier,omitempty"`
-	ByUser map[string]UsageStatsJSON `json:"by_user"`
+	WeekStartUnix int64                     `json:"week_start_unix,omitempty"`
 	Total         UsageStatsJSON            `json:"total"`
 	ByUser        map[string]UsageStatsJSON `json:"by_user"`
 }
 type CostsSummaryJSON struct {
 	TotalUSD float64            `json:"total_usd"`
 	ByUser   map[string]float64 `json:"by_user"`
 	ByWeek   map[string]float64 `json:"by_week,omitempty"`
 }
 type AggregatedUsageJSON struct {
@@ -84,6 +91,11 @@ type AggregatedUsageJSON struct {
 	Combinations []CostCombinationJSON `json:"combinations"`
 }
 type WeeklyCycleHint struct {
 	WindowMinutes int64
 	ResetAt       time.Time
 }
 type ModelPricing struct {
 	InputPrice       float64
 	OutputPrice      float64
@@ -95,7 +107,123 @@ type modelFamily struct {
 	pricing ModelPricing
 }
 const (
 	serviceTierAuto     = "auto"
 	serviceTierDefault  = "default"
 	serviceTierFlex     = "flex"
 	serviceTierPriority = "priority"
 	serviceTierScale    = "scale"
 )
 var (
 	gpt52Pricing = ModelPricing{
 		InputPrice:       1.75,
 		OutputPrice:      14.0,
 		CachedInputPrice: 0.175,
 	}
 	gpt5Pricing = ModelPricing{
 		InputPrice:       1.25,
 		OutputPrice:      10.0,
 		CachedInputPrice: 0.125,
 	}
 	gpt5MiniPricing = ModelPricing{
 		InputPrice:       0.25,
 		OutputPrice:      2.0,
 		CachedInputPrice: 0.025,
 	}
 	gpt5NanoPricing = ModelPricing{
 		InputPrice:       0.05,
 		OutputPrice:      0.4,
 		CachedInputPrice: 0.005,
 	}
 	gpt52CodexPricing = ModelPricing{
 		InputPrice:       1.75,
 		OutputPrice:      14.0,
 		CachedInputPrice: 0.175,
 	}
 	gpt51CodexPricing = ModelPricing{
 		InputPrice:       1.25,
 		OutputPrice:      10.0,
 		CachedInputPrice: 0.125,
 	}
 	gpt51CodexMiniPricing = ModelPricing{
 		InputPrice:       0.25,
 		OutputPrice:      2.0,
 		CachedInputPrice: 0.025,
 	}
 	gpt52ProPricing = ModelPricing{
 		InputPrice:       21.0,
 		OutputPrice:      168.0,
 		CachedInputPrice: 21.0,
 	}
 	gpt5ProPricing = ModelPricing{
 		InputPrice:       15.0,
 		OutputPrice:      120.0,
 		CachedInputPrice: 15.0,
 	}
 	gpt52FlexPricing = ModelPricing{
 		InputPrice:       0.875,
 		OutputPrice:      7.0,
 		CachedInputPrice: 0.0875,
 	}
 	gpt5FlexPricing = ModelPricing{
 		InputPrice:       0.625,
 		OutputPrice:      5.0,
 		CachedInputPrice: 0.0625,
 	}
 	gpt5MiniFlexPricing = ModelPricing{
 		InputPrice:       0.125,
 		OutputPrice:      1.0,
 		CachedInputPrice: 0.0125,
 	}
 	gpt5NanoFlexPricing = ModelPricing{
 		InputPrice:       0.025,
 		OutputPrice:      0.2,
 		CachedInputPrice: 0.0025,
 	}
 	gpt52PriorityPricing = ModelPricing{
 		InputPrice:       3.5,
 		OutputPrice:      28.0,
 		CachedInputPrice: 0.35,
 	}
 	gpt5PriorityPricing = ModelPricing{
 		InputPrice:       2.5,
 		OutputPrice:      20.0,
 		CachedInputPrice: 0.25,
 	}
 	gpt5MiniPriorityPricing = ModelPricing{
 		InputPrice:       0.45,
 		OutputPrice:      3.6,
 		CachedInputPrice: 0.045,
 	}
 	gpt52CodexPriorityPricing = ModelPricing{
 		InputPrice:       3.5,
 		OutputPrice:      28.0,
 		CachedInputPrice: 0.35,
 	}
 	gpt51CodexPriorityPricing = ModelPricing{
 		InputPrice:       2.5,
 		OutputPrice:      20.0,
 		CachedInputPrice: 0.25,
 	}
 	gpt4oPricing = ModelPricing{
 		InputPrice:       2.5,
 		OutputPrice:      10.0,
@@ -111,7 +239,19 @@ var (
 	gpt4oAudioPricing = ModelPricing{
 		InputPrice:       2.5,
 		OutputPrice:      10.0,
-		CachedInputPrice: 1.25,
+		CachedInputPrice: 2.5,
 	}
 	gpt4oMiniAudioPricing = ModelPricing{
 		InputPrice:       0.15,
 		OutputPrice:      0.6,
 		CachedInputPrice: 0.15,
 	}
 	gptAudioMiniPricing = ModelPricing{
 		InputPrice:       0.6,
 		OutputPrice:      2.4,
 		CachedInputPrice: 0.6,
 	}
 	o1Pricing = ModelPricing{
@@ -120,6 +260,12 @@ var (
 		CachedInputPrice: 7.5,
 	}
 	o1ProPricing = ModelPricing{
 		InputPrice:       150.0,
 		OutputPrice:      600.0,
 		CachedInputPrice: 150.0,
 	}
 	o1MiniPricing = ModelPricing{
 		InputPrice:       1.1,
 		OutputPrice:      4.4,
@@ -135,13 +281,55 @@ var (
 	o3Pricing = ModelPricing{
 		InputPrice:       2.0,
 		OutputPrice:      8.0,
-		CachedInputPrice: 1.0,
+		CachedInputPrice: 0.5,
 	}
 	o3ProPricing = ModelPricing{
 		InputPrice:       20.0,
 		OutputPrice:      80.0,
 		CachedInputPrice: 20.0,
 	}
 	o3DeepResearchPricing = ModelPricing{
 		InputPrice:       10.0,
 		OutputPrice:      40.0,
 		CachedInputPrice: 2.5,
 	}
 	o4MiniPricing = ModelPricing{
 		InputPrice:       1.1,
 		OutputPrice:      4.4,
-		CachedInputPrice: 0.55,
+		CachedInputPrice: 0.275,
 	}
 	o4MiniDeepResearchPricing = ModelPricing{
 		InputPrice:       2.0,
 		OutputPrice:      8.0,
 		CachedInputPrice: 0.5,
 	}
 	o3FlexPricing = ModelPricing{
 		InputPrice:       1.0,
 		OutputPrice:      4.0,
 		CachedInputPrice: 0.25,
 	}
 	o4MiniFlexPricing = ModelPricing{
 		InputPrice:       0.55,
 		OutputPrice:      2.2,
 		CachedInputPrice: 0.138,
 	}
 	o3PriorityPricing = ModelPricing{
 		InputPrice:       3.5,
 		OutputPrice:      14.0,
 		CachedInputPrice: 0.875,
 	}
 	o4MiniPriorityPricing = ModelPricing{
 		InputPrice:       2.0,
 		OutputPrice:      8.0,
 		CachedInputPrice: 0.5,
 	}
 	gpt41Pricing = ModelPricing{
@@ -162,69 +350,374 @@ var (
 		CachedInputPrice: 0.025,
 	}
-	modelFamilies = []modelFamily{
+	gpt41PriorityPricing = ModelPricing{
 		InputPrice:       3.5,
 		OutputPrice:      14.0,
 		CachedInputPrice: 0.875,
 	}
 	gpt41MiniPriorityPricing = ModelPricing{
 		InputPrice:       0.7,
 		OutputPrice:      2.8,
 		CachedInputPrice: 0.175,
 	}
 	gpt41NanoPriorityPricing = ModelPricing{
 		InputPrice:       0.2,
 		OutputPrice:      0.8,
 		CachedInputPrice: 0.05,
 	}
 	gpt4oPriorityPricing = ModelPricing{
 		InputPrice:       4.25,
 		OutputPrice:      17.0,
 		CachedInputPrice: 2.125,
 	}
 	gpt4oMiniPriorityPricing = ModelPricing{
 		InputPrice:       0.25,
 		OutputPrice:      1.0,
 		CachedInputPrice: 0.125,
 	}
 	standardModelFamilies = []modelFamily{
 		{
-			pattern: regexp.MustCompile(`^gpt-4\.1-nano`),
+			pattern: regexp.MustCompile(`^gpt-5\.3-codex(?:$|-)`),
-			pricing: gpt41NanoPricing,
+			pricing: gpt52CodexPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^gpt-4\.1-mini`),
+			pattern: regexp.MustCompile(`^gpt-5\.2-codex(?:$|-)`),
-			pricing: gpt41MiniPricing,
+			pricing: gpt52CodexPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^gpt-4\.1`),
+			pattern: regexp.MustCompile(`^gpt-5\.1-codex-max(?:$|-)`),
-			pricing: gpt41Pricing,
+			pricing: gpt51CodexPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^o4-mini`),
+			pattern: regexp.MustCompile(`^gpt-5\.1-codex-mini(?:$|-)`),
 			pricing: gpt51CodexMiniPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5\.1-codex(?:$|-)`),
 			pricing: gpt51CodexPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5-codex-mini(?:$|-)`),
 			pricing: gpt51CodexMiniPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5-codex(?:$|-)`),
 			pricing: gpt51CodexPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5\.2-chat-latest$`),
 			pricing: gpt52Pricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5\.1-chat-latest$`),
 			pricing: gpt5Pricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5-chat-latest$`),
 			pricing: gpt5Pricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5\.2-pro(?:$|-)`),
 			pricing: gpt52ProPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5-pro(?:$|-)`),
 			pricing: gpt5ProPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5-mini(?:$|-)`),
 			pricing: gpt5MiniPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5-nano(?:$|-)`),
 			pricing: gpt5NanoPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5\.2(?:$|-)`),
 			pricing: gpt52Pricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5\.1(?:$|-)`),
 			pricing: gpt5Pricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5(?:$|-)`),
 			pricing: gpt5Pricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^o4-mini-deep-research(?:$|-)`),
 			pricing: o4MiniDeepResearchPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^o4-mini(?:$|-)`),
 			pricing: o4MiniPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^o3-mini`),
+			pattern: regexp.MustCompile(`^o3-pro(?:$|-)`),
 			pricing: o3ProPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^o3-deep-research(?:$|-)`),
 			pricing: o3DeepResearchPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^o3-mini(?:$|-)`),
 			pricing: o3MiniPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^o3`),
+			pattern: regexp.MustCompile(`^o3(?:$|-)`),
 			pricing: o3Pricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^o1-mini`),
+			pattern: regexp.MustCompile(`^o1-pro(?:$|-)`),
 			pricing: o1ProPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^o1-mini(?:$|-)`),
 			pricing: o1MiniPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^o1`),
+			pattern: regexp.MustCompile(`^o1(?:$|-)`),
 			pricing: o1Pricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^gpt-4o-audio`),
+			pattern: regexp.MustCompile(`^gpt-4o-mini-audio(?:$|-)`),
 			pricing: gpt4oMiniAudioPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-audio-mini(?:$|-)`),
 			pricing: gptAudioMiniPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^(?:gpt-4o-audio|gpt-audio)(?:$|-)`),
 			pricing: gpt4oAudioPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^gpt-4o-mini`),
+			pattern: regexp.MustCompile(`^gpt-4\.1-nano(?:$|-)`),
 			pricing: gpt41NanoPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-4\.1-mini(?:$|-)`),
 			pricing: gpt41MiniPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-4\.1(?:$|-)`),
 			pricing: gpt41Pricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-4o-mini(?:$|-)`),
 			pricing: gpt4oMiniPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^gpt-4o`),
+			pattern: regexp.MustCompile(`^gpt-4o(?:$|-)`),
 			pricing: gpt4oPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^chatgpt-4o`),
+			pattern: regexp.MustCompile(`^chatgpt-4o(?:$|-)`),
 			pricing: gpt4oPricing,
 		},
 	}
 	flexModelFamilies = []modelFamily{
 		{
 			pattern: regexp.MustCompile(`^gpt-5-mini(?:$|-)`),
 			pricing: gpt5MiniFlexPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5-nano(?:$|-)`),
 			pricing: gpt5NanoFlexPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5\.2(?:$|-)`),
 			pricing: gpt52FlexPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5\.1(?:$|-)`),
 			pricing: gpt5FlexPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5(?:$|-)`),
 			pricing: gpt5FlexPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^o4-mini(?:$|-)`),
 			pricing: o4MiniFlexPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^o3(?:$|-)`),
 			pricing: o3FlexPricing,
 		},
 	}
 	priorityModelFamilies = []modelFamily{
 		{
 			pattern: regexp.MustCompile(`^gpt-5\.3-codex(?:$|-)`),
 			pricing: gpt52CodexPriorityPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5\.2-codex(?:$|-)`),
 			pricing: gpt52CodexPriorityPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5\.1-codex-max(?:$|-)`),
 			pricing: gpt51CodexPriorityPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5\.1-codex(?:$|-)`),
 			pricing: gpt51CodexPriorityPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5-codex-mini(?:$|-)`),
 			pricing: gpt5MiniPriorityPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5-codex(?:$|-)`),
 			pricing: gpt51CodexPriorityPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5-mini(?:$|-)`),
 			pricing: gpt5MiniPriorityPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5\.2(?:$|-)`),
 			pricing: gpt52PriorityPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5\.1(?:$|-)`),
 			pricing: gpt5PriorityPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5(?:$|-)`),
 			pricing: gpt5PriorityPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^o4-mini(?:$|-)`),
 			pricing: o4MiniPriorityPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^o3(?:$|-)`),
 			pricing: o3PriorityPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-4\.1-nano(?:$|-)`),
 			pricing: gpt41NanoPriorityPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-4\.1-mini(?:$|-)`),
 			pricing: gpt41MiniPriorityPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-4\.1(?:$|-)`),
 			pricing: gpt41PriorityPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-4o-mini(?:$|-)`),
 			pricing: gpt4oMiniPriorityPricing,
 		},
 		{
 			pattern: regexp.MustCompile(`^gpt-4o(?:$|-)`),
 			pricing: gpt4oPriorityPricing,
 		},
 	}
 )
-func getPricing(model string) ModelPricing {
+func modelFamiliesForTier(serviceTier string) []modelFamily {
 	switch serviceTier {
 	case serviceTierFlex:
 		return flexModelFamilies
 	case serviceTierPriority:
 		return priorityModelFamilies
 	default:
 		return standardModelFamilies
 	}
 }
 func findPricingInFamilies(model string, modelFamilies []modelFamily) (ModelPricing, bool) {
 	for _, family := range modelFamilies {
 		if family.pattern.MatchString(model) {
-			return family.pricing
+			return family.pricing, true
 		}
 	}
 	return ModelPricing{}, false
 }
 func normalizeServiceTier(serviceTier string) string {
 	switch strings.ToLower(strings.TrimSpace(serviceTier)) {
 	case "", serviceTierAuto, serviceTierDefault:
 		return serviceTierDefault
 	case serviceTierFlex:
 		return serviceTierFlex
 	case serviceTierPriority:
 		return serviceTierPriority
 	case serviceTierScale:
 		// Scale-tier requests are prepaid differently and not listed in this usage file.
 		return serviceTierDefault
 	default:
 		return serviceTierDefault
 	}
 }
 func getPricing(model string, serviceTier string) ModelPricing {
 	normalizedServiceTier := normalizeServiceTier(serviceTier)
 	modelFamilies := modelFamiliesForTier(normalizedServiceTier)
 	if pricing, found := findPricingInFamilies(model, modelFamilies); found {
 		return pricing
 	}
 	normalizedModel := normalizeGPT5Model(model)
 	if normalizedModel != model {
 		if pricing, found := findPricingInFamilies(normalizedModel, modelFamilies); found {
 			return pricing
 		}
 	}
 	if normalizedServiceTier != serviceTierDefault {
 		if pricing, found := findPricingInFamilies(model, standardModelFamilies); found {
 			return pricing
 		}
 		if normalizedModel != model {
 			if pricing, found := findPricingInFamilies(normalizedModel, standardModelFamilies); found {
 				return pricing
 			}
 		}
 	}
 	return gpt4oPricing
 }
-func calculateCost(stats UsageStats, model string) float64 {
+func normalizeGPT5Model(model string) string {
-	pricing := getPricing(model)
+	if !strings.HasPrefix(model, "gpt-5.") {
 		return model
 	}
 	switch {
 	case strings.Contains(model, "-codex-mini"):
 		return "gpt-5.1-codex-mini"
 	case strings.Contains(model, "-codex-max"):
 		return "gpt-5.1-codex-max"
 	case strings.Contains(model, "-codex"):
 		return "gpt-5.3-codex"
 	case strings.Contains(model, "-chat-latest"):
 		return "gpt-5.2-chat-latest"
 	case strings.Contains(model, "-pro"):
 		return "gpt-5.2-pro"
 	case strings.Contains(model, "-mini"):
 		return "gpt-5-mini"
 	case strings.Contains(model, "-nano"):
 		return "gpt-5-nano"
 	default:
 		return "gpt-5.2"
 	}
 }
 func calculateCost(stats UsageStats, model string, serviceTier string) float64 {
 	pricing := getPricing(model, serviceTier)
 	regularInputTokens := stats.InputTokens - stats.CachedTokens
 	if regularInputTokens < 0 {
@@ -238,41 +731,89 @@ func calculateCost(stats UsageStats, model string) float64 {
 	return math.Round(cost*100) / 100
 }
-func (u *AggregatedUsage) ToJSON() *AggregatedUsageJSON {
+func roundCost(cost float64) float64 {
-	u.mutex.Lock()
+	return math.Round(cost*100) / 100
-	defer u.mutex.Unlock()
+}
-	result := &AggregatedUsageJSON{
+func normalizeCombinations(combinations []CostCombination) {
-		LastUpdated:  u.LastUpdated,
+	for index := range combinations {
-		Combinations: make([]CostCombinationJSON, len(u.Combinations)),
+		combinations[index].ServiceTier = normalizeServiceTier(combinations[index].ServiceTier)
-		Costs: CostsSummaryJSON{
+		if combinations[index].ByUser == nil {
-			TotalUSD: 0,
+			combinations[index].ByUser = make(map[string]UsageStats)
-			ByUser:   make(map[string]float64),
+		}
-		},
+	}
 }
 func addUsageToCombinations(combinations *[]CostCombination, model string, serviceTier string, weekStartUnix int64, user string, inputTokens, outputTokens, cachedTokens int64) {
 	var matchedCombination *CostCombination
 	for index := range *combinations {
 		combination := &(*combinations)[index]
 		combinationServiceTier := normalizeServiceTier(combination.ServiceTier)
 		if combination.ServiceTier != combinationServiceTier {
 			combination.ServiceTier = combinationServiceTier
 		}
 		if combination.Model == model && combinationServiceTier == serviceTier && combination.WeekStartUnix == weekStartUnix {
 			matchedCombination = combination
 			break
 		}
 	}
-	for i, combo := range u.Combinations {
+	if matchedCombination == nil {
-		totalCost := calculateCost(combo.Total, combo.Model)
+		newCombination := CostCombination{
 			Model:         model,
 			ServiceTier:   serviceTier,
 			WeekStartUnix: weekStartUnix,
 			Total:         UsageStats{},
 			ByUser:        make(map[string]UsageStats),
 		}
 		*combinations = append(*combinations, newCombination)
 		matchedCombination = &(*combinations)[len(*combinations)-1]
 	}
-		result.Costs.TotalUSD += totalCost
+	matchedCombination.Total.RequestCount++
 	matchedCombination.Total.InputTokens += inputTokens
 	matchedCombination.Total.OutputTokens += outputTokens
 	matchedCombination.Total.CachedTokens += cachedTokens
-		comboJSON := CostCombinationJSON{
+	if user != "" {
-			Model: combo.Model,
+		userStats := matchedCombination.ByUser[user]
 		userStats.RequestCount++
 		userStats.InputTokens += inputTokens
 		userStats.OutputTokens += outputTokens
 		userStats.CachedTokens += cachedTokens
 		matchedCombination.ByUser[user] = userStats
 	}
 }
 func buildCombinationJSON(combinations []CostCombination, aggregateUserCosts map[string]float64) ([]CostCombinationJSON, float64) {
 	result := make([]CostCombinationJSON, len(combinations))
 	var totalCost float64
 	for index, combination := range combinations {
 		combinationTotalCost := calculateCost(combination.Total, combination.Model, combination.ServiceTier)
 		totalCost += combinationTotalCost
 		combinationJSON := CostCombinationJSON{
 			Model:         combination.Model,
 			ServiceTier:   combination.ServiceTier,
 			WeekStartUnix: combination.WeekStartUnix,
 			Total: UsageStatsJSON{
-				RequestCount: combo.Total.RequestCount,
+				RequestCount: combination.Total.RequestCount,
-				InputTokens:  combo.Total.InputTokens,
+				InputTokens:  combination.Total.InputTokens,
-				OutputTokens: combo.Total.OutputTokens,
+				OutputTokens: combination.Total.OutputTokens,
-				CachedTokens: combo.Total.CachedTokens,
+				CachedTokens: combination.Total.CachedTokens,
-				CostUSD:      totalCost,
+				CostUSD:      combinationTotalCost,
 			},
 			ByUser: make(map[string]UsageStatsJSON),
 		}
-		for user, userStats := range combo.ByUser {
+		for user, userStats := range combination.ByUser {
-			userCost := calculateCost(userStats, combo.Model)
+			userCost := calculateCost(userStats, combination.Model, combination.ServiceTier)
-			result.Costs.ByUser[user] += userCost
+			if aggregateUserCosts != nil {
 				aggregateUserCosts[user] += userCost
 			}
-			comboJSON.ByUser[user] = UsageStatsJSON{
+			combinationJSON.ByUser[user] = UsageStatsJSON{
 				RequestCount: userStats.RequestCount,
 				InputTokens:  userStats.InputTokens,
 				OutputTokens: userStats.OutputTokens,
@@ -281,12 +822,80 @@ func (u *AggregatedUsage) ToJSON() *AggregatedUsageJSON {
 			}
 		}
-		result.Combinations[i] = comboJSON
+		result[index] = combinationJSON
 	}
 	return result, roundCost(totalCost)
 }
 func formatUTCOffsetLabel(timestamp time.Time) string {
 	_, offsetSeconds := timestamp.Zone()
 	sign := "+"
 	if offsetSeconds < 0 {
 		sign = "-"
 		offsetSeconds = -offsetSeconds
 	}
 	offsetHours := offsetSeconds / 3600
 	offsetMinutes := (offsetSeconds % 3600) / 60
 	if offsetMinutes == 0 {
 		return fmt.Sprintf("UTC%s%d", sign, offsetHours)
 	}
 	return fmt.Sprintf("UTC%s%d:%02d", sign, offsetHours, offsetMinutes)
 }
 func formatWeekStartKey(cycleStartAt time.Time) string {
 	localCycleStart := cycleStartAt.In(time.Local)
 	return fmt.Sprintf("%s %s", localCycleStart.Format("2006-01-02 15:04:05"), formatUTCOffsetLabel(localCycleStart))
 }
 func buildByWeekCost(combinations []CostCombination) map[string]float64 {
 	byWeek := make(map[string]float64)
 	for _, combination := range combinations {
 		if combination.WeekStartUnix <= 0 {
 			continue
 		}
 		weekStartAt := time.Unix(combination.WeekStartUnix, 0).UTC()
 		weekKey := formatWeekStartKey(weekStartAt)
 		byWeek[weekKey] += calculateCost(combination.Total, combination.Model, combination.ServiceTier)
 	}
 	for weekKey, weekCost := range byWeek {
 		byWeek[weekKey] = roundCost(weekCost)
 	}
 	return byWeek
 }
 func deriveWeekStartUnix(cycleHint *WeeklyCycleHint) int64 {
 	if cycleHint == nil || cycleHint.WindowMinutes <= 0 || cycleHint.ResetAt.IsZero() {
 		return 0
 	}
 	windowDuration := time.Duration(cycleHint.WindowMinutes) * time.Minute
 	return cycleHint.ResetAt.UTC().Add(-windowDuration).Unix()
 }
 func (u *AggregatedUsage) ToJSON() *AggregatedUsageJSON {
 	u.mutex.Lock()
 	defer u.mutex.Unlock()
 	result := &AggregatedUsageJSON{
 		LastUpdated: u.LastUpdated,
 		Costs: CostsSummaryJSON{
 			TotalUSD: 0,
 			ByUser:   make(map[string]float64),
 			ByWeek:   make(map[string]float64),
 		},
 	}
 	globalCombinationsJSON, totalCost := buildCombinationJSON(u.Combinations, result.Costs.ByUser)
 	result.Combinations = globalCombinationsJSON
 	result.Costs.TotalUSD = totalCost
 	result.Costs.ByWeek = buildByWeekCost(u.Combinations)
 	if len(result.Costs.ByWeek) == 0 {
 		result.Costs.ByWeek = nil
 	}
 	result.Costs.TotalUSD = math.Round(result.Costs.TotalUSD*100) / 100
 	for user, cost := range result.Costs.ByUser {
-		result.Costs.ByUser[user] = math.Round(cost*100) / 100
+		result.Costs.ByUser[user] = roundCost(cost)
 	}
 	return result
@@ -296,6 +905,9 @@ func (u *AggregatedUsage) Load() error {
 	u.mutex.Lock()
 	defer u.mutex.Unlock()
 	u.LastUpdated = time.Time{}
 	u.Combinations = nil
 	data, err := os.ReadFile(u.filePath)
 	if err != nil {
 		if os.IsNotExist(err) {
@@ -316,12 +928,7 @@ func (u *AggregatedUsage) Load() error {
 	u.LastUpdated = temp.LastUpdated
 	u.Combinations = temp.Combinations
-
+	normalizeCombinations(u.Combinations)
 	for i := range u.Combinations {
 		if u.Combinations[i].ByUser == nil {
 			u.Combinations[i].ByUser = make(map[string]UsageStats)
 		}
 	}
 	return nil
 }
@@ -349,47 +956,27 @@ func (u *AggregatedUsage) Save() error {
 	return err
 }
-func (u *AggregatedUsage) AddUsage(model string, inputTokens, outputTokens, cachedTokens int64, user string) error {
+func (u *AggregatedUsage) AddUsage(model string, inputTokens, outputTokens, cachedTokens int64, serviceTier string, user string) error {
 	return u.AddUsageWithCycleHint(model, inputTokens, outputTokens, cachedTokens, serviceTier, user, time.Now(), nil)
 }
 func (u *AggregatedUsage) AddUsageWithCycleHint(model string, inputTokens, outputTokens, cachedTokens int64, serviceTier string, user string, observedAt time.Time, cycleHint *WeeklyCycleHint) error {
 	if model == "" {
 		return E.New("model cannot be empty")
 	}
 	normalizedServiceTier := normalizeServiceTier(serviceTier)
 	if observedAt.IsZero() {
 		observedAt = time.Now()
 	}
 	u.mutex.Lock()
 	defer u.mutex.Unlock()
-	u.LastUpdated = time.Now()
+	u.LastUpdated = observedAt
 	weekStartUnix := deriveWeekStartUnix(cycleHint)
-	var combo *CostCombination
+	addUsageToCombinations(&u.Combinations, model, normalizedServiceTier, weekStartUnix, user, inputTokens, outputTokens, cachedTokens)
 	for i := range u.Combinations {
 		if u.Combinations[i].Model == model {
 			combo = &u.Combinations[i]
 			break
 		}
 	}
 	if combo == nil {
 		newCombo := CostCombination{
 			Model:  model,
 			Total:  UsageStats{},
 			ByUser: make(map[string]UsageStats),
 		}
 		u.Combinations = append(u.Combinations, newCombo)
 		combo = &u.Combinations[len(u.Combinations)-1]
 	}
 	combo.Total.RequestCount++
 	combo.Total.InputTokens += inputTokens
 	combo.Total.OutputTokens += outputTokens
 	combo.Total.CachedTokens += cachedTokens
 	if user != "" {
 		userStats := combo.ByUser[user]
 		userStats.RequestCount++
 		userStats.InputTokens += inputTokens
 		userStats.OutputTokens += outputTokens
 		userStats.CachedTokens += cachedTokens
 		combo.ByUser[user] = userStats
 	}
 	go u.scheduleSave()
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	7fd21f8bf4	Bump version	2026-03-05 21:46:27 +08:00
世界	88695b0d1f	Rename branches and update release workflows stable-next → oldstable, main-next → stable, dev-next → testing, new unstable	2026-03-05 21:12:02 +08:00
世界	fb269c9032	tun: Fix darwin batch loop not exit on EBADF	2026-03-05 20:38:19 +08:00
世界	e62dc7bfa2	Fix rule_set_ip_cidr_accept_empty not working	2026-03-04 11:48:22 +08:00
世界	f295e195b5	tailscale: Fix netstack TCP connections with system interface	2026-03-03 22:06:54 +08:00
世界	ab76062a41	Fix fake-ip address allocation	2026-03-03 21:37:24 +08:00
世界	d14417d392	Fix naive client close	2026-03-03 21:21:09 +08:00
世界	96c5c27610	sing: reject IP literals in IsDomainName	2026-03-03 21:21:09 +08:00
世界	91f92bee49	release: Unify default build tags and linker flags into shared files Move hardcoded build tags and ldflags from Makefile, Dockerfile, CI workflows, and local build scripts into canonical files under release/: - release/DEFAULT_BUILD_TAGS (Linux common archs, Darwin, Android) - release/DEFAULT_BUILD_TAGS_WINDOWS (includes with_purego) - release/DEFAULT_BUILD_TAGS_OTHERS (no with_naive_outbound) - release/LDFLAGS (shared linker flags)	2026-03-03 21:21:09 +08:00
世界	1803471e02	endpoint: Fix UDP resolved destination	2026-03-02 13:55:26 +08:00
世界	3de56d344e	Update external dependencies	2026-03-02 06:53:10 +08:00
世界	c71abbdfb8	Update dependencies	2026-03-02 06:52:35 +08:00
世界	ed15121e95	sing: Relax domain name validation to support non-standard characters	2026-03-01 19:45:19 +08:00
世界	46c6945da5	documentation: Update mkdcos-material	2026-03-01 18:37:31 +08:00
traitman	1beb4cb002	clash-api: Fix websocket connection not closed after config reload via SIGHUP Co-authored-by: TraitMan <traitman@maildog.top> Co-authored-by: Cursor <cursoragent@cursor.com>	2026-03-01 12:30:43 +08:00
dyhkwong	4c65fea1ac	Fix IPv6 local DNS on Windows	2026-03-01 12:30:43 +08:00
世界	8ae93a98e5	Remove overdue deprecated features	2026-03-01 12:30:43 +08:00
世界	6da7e538e1	Bump version	2026-02-28 14:42:39 +08:00
世界	13e6ba4cb2	Update tfo-go	2026-02-27 19:55:32 +08:00
世界	93b7328c3f	Fix missing Tailscale in ProxyDisplayName	2026-02-27 19:39:52 +08:00
世界	11dc5bcbe1	Fixes in cronet-go	2026-02-27 19:39:52 +08:00
世界	fa3ab87b11	platform: Fix gorelease build	2026-02-27 15:07:16 +08:00
世界	9bd9e9a58b	dialer: use KeepAliveConfig for TCP keepalive	2026-02-27 14:58:06 +08:00
世界	9d6dee7451	release: Fix pacman package	2026-02-27 14:58:06 +08:00
世界	9c2cdc7203	Fix per-outbound bind_interface	2026-02-27 14:58:06 +08:00
世界	65150f5cc3	platform: Improve OOM killer for iOS	2026-02-27 14:58:06 +08:00
世界	21a1512e6c	tailscale: Fix AdvertiseTags	2026-02-27 14:58:06 +08:00
世界	cf4791f1ad	platform: Improve iOS OOM killer	2026-02-26 14:13:32 +08:00
世界	0bc66e5a56	service/ccm,ocm: Fixes and improvements	2026-02-26 13:36:46 +08:00
世界	d48236da94	Fix wireguard reserved	2026-02-24 15:49:52 +08:00
世界	4c05d7b888	Add advertise tags support for Tailscale endpoint	2026-02-24 15:31:57 +08:00
世界	94ed42caf1	Bump version	2026-02-23 18:17:47 +08:00
世界	e0c18cc3d4	tun: Fix nftablesCreateLocalAddressSets	2026-02-23 18:17:47 +08:00
世界	0817c25f4c	release: Fix Docker build for loong64 and mipsle	2026-02-23 16:31:19 +08:00
世界	7745a97cca	daemon: Fix started service leak	2026-02-23 14:49:58 +08:00
世界	9bcd715d31	Bump version	2026-02-21 13:55:31 +08:00
世界	6a95c66bc7	Pin Go version to 1.25.7	2026-02-21 13:55:31 +08:00
世界	b5800847ae	More linux builds for naive	2026-02-21 13:55:31 +08:00
世界	aa85cbb86e	Treat H3 RequestCanceled as closed	2026-02-21 09:31:11 +08:00
世界	c59991420e	Minor fixes for naive	2026-02-18 01:26:29 +08:00
世界	c0304b8362	Bump version	2026-02-16 12:46:43 +08:00
世界	d1f1271a02	quic-go: Minor fixes	2026-02-16 12:46:29 +08:00
世界	de4fdbe553	platform: Add semver helper	2026-02-16 11:28:54 +08:00
世界	804606042f	Bump version	2026-02-15 21:13:55 +08:00
世界	53f2db3f97	platform: Add windows build	2026-02-15 21:10:44 +08:00
世界	1f2fdec89d	release: Fix update_apple_version command	2026-02-15 21:09:14 +08:00
世界	8714c157c9	Fix matching multi predefined	2026-02-15 21:09:06 +08:00
世界	657fba4ca5	Fix matching rule-set invert	2026-02-15 21:08:33 +08:00
世界	0a69621207	wireguard: Fix missing fallback for gso	2026-02-15 21:08:26 +08:00
`@@ -1 +1 @@`
	`dc1cda1fe28740ba069934ab62aeb8ef85388332`	`cba7b9ac0399055aa49fbdc57c03c374f58e1597`
		`@@ -0,0 +1 @@`
							`with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,with_naive_outbound,badlinkname,tfogo_checklinkname0`
		`@@ -0,0 +1 @@`
							`-X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0`