[dependencies] Update golang Docker tag to v1.26

2026-04-12 01:57:18 +10:00 · 2026-02-11 01:37:12 +00:00
198 changed files with 2293 additions and 14822 deletions
--- a/.fpm_pacman
+++ b/.fpm_pacman
@@ -1,23 +0,0 @@
-s dir
--name sing-box
--category net
--license GPL-3.0-or-later
--description "The universal proxy platform."
--url "https://sing-box.sagernet.org/"
--maintainer "nekohasekai <contact-git@sekai.icu>"
--config-files etc/sing-box/config.json
--after-install release/config/sing-box.postinst
-
-release/config/config.json=/etc/sing-box/config.json
-
-release/config/sing-box.service=/usr/lib/systemd/system/sing-box.service
-release/config/sing-box@.service=/usr/lib/systemd/system/sing-box@.service
-release/config/sing-box.sysusers=/usr/lib/sysusers.d/sing-box.conf
-release/config/sing-box.rules=usr/share/polkit-1/rules.d/sing-box.rules
-release/config/sing-box-split-dns.xml=/usr/share/dbus-1/system.d/sing-box-split-dns.conf
-
-release/completions/sing-box.bash=/usr/share/bash-completion/completions/sing-box.bash
-release/completions/sing-box.fish=/usr/share/fish/vendor_completions.d/sing-box.fish
-release/completions/sing-box.zsh=/usr/share/zsh/site-functions/_sing-box
-
-LICENSE=/usr/share/licenses/sing-box/LICENSE
--- a/.github/CRONET_GO_VERSION
+++ b/.github/CRONET_GO_VERSION
@@ -1 +1 @@
-ea7cd33752aed62603775af3df946c1b83f4b0b3
+dc1cda1fe28740ba069934ab62aeb8ef85388332
--- a/.github/build_alpine_apk.sh
+++ b/.github/build_alpine_apk.sh
@@ -1,81 +0,0 @@
-#!/usr/bin/env bash
-
-set -e -o pipefail
-
-ARCHITECTURE="$1"
-VERSION="$2"
-BINARY_PATH="$3"
-OUTPUT_PATH="$4"
-
-if [ -z "$ARCHITECTURE" ] || [ -z "$VERSION" ] || [ -z "$BINARY_PATH" ] || [ -z "$OUTPUT_PATH" ]; then
-  echo "Usage: $0 <architecture> <version> <binary_path> <output_path>"
-  exit 1
-fi
-
-PROJECT=$(cd "$(dirname "$0")/.."; pwd)
-
-# Convert version to APK format:
-#   1.13.0-beta.8  -> 1.13.0_beta8-r0
-#   1.13.0-rc.3    -> 1.13.0_rc3-r0
-#   1.13.0         -> 1.13.0-r0
-APK_VERSION=$(echo "$VERSION" | sed -E 's/-([a-z]+)\.([0-9]+)/_\1\2/')
-APK_VERSION="${APK_VERSION}-r0"
-
-ROOT_DIR=$(mktemp -d)
-trap 'rm -rf "$ROOT_DIR"' EXIT
-
-# Binary
-install -Dm755 "$BINARY_PATH" "$ROOT_DIR/usr/bin/sing-box"
-
-# Config files
-install -Dm644 "$PROJECT/release/config/config.json" "$ROOT_DIR/etc/sing-box/config.json"
-install -Dm755 "$PROJECT/release/config/sing-box.initd" "$ROOT_DIR/etc/init.d/sing-box"
-install -Dm644 "$PROJECT/release/config/sing-box.confd" "$ROOT_DIR/etc/conf.d/sing-box"
-
-# Service files
-install -Dm644 "$PROJECT/release/config/sing-box.service" "$ROOT_DIR/usr/lib/systemd/system/sing-box.service"
-install -Dm644 "$PROJECT/release/config/sing-box@.service" "$ROOT_DIR/usr/lib/systemd/system/sing-box@.service"
-
-# Completions
-install -Dm644 "$PROJECT/release/completions/sing-box.bash" "$ROOT_DIR/usr/share/bash-completion/completions/sing-box.bash"
-install -Dm644 "$PROJECT/release/completions/sing-box.fish" "$ROOT_DIR/usr/share/fish/vendor_completions.d/sing-box.fish"
-install -Dm644 "$PROJECT/release/completions/sing-box.zsh" "$ROOT_DIR/usr/share/zsh/site-functions/_sing-box"
-
-# License
-install -Dm644 "$PROJECT/LICENSE" "$ROOT_DIR/usr/share/licenses/sing-box/LICENSE"
-
-# APK metadata
-PACKAGES_DIR="$ROOT_DIR/lib/apk/packages"
-mkdir -p "$PACKAGES_DIR"
-
-# .conffiles
-cat > "$PACKAGES_DIR/.conffiles" <<'EOF'
-/etc/conf.d/sing-box
-/etc/init.d/sing-box
-/etc/sing-box/config.json
-EOF
-
-# .conffiles_static (sha256 checksums)
-while IFS= read -r conffile; do
-  sha256=$(sha256sum "$ROOT_DIR$conffile" | cut -d' ' -f1)
-  echo "$conffile $sha256"
-done < "$PACKAGES_DIR/.conffiles" > "$PACKAGES_DIR/.conffiles_static"
-
-# .list (all files, excluding lib/apk/packages/ metadata)
-(cd "$ROOT_DIR" && find . -type f -o -type l) \
-  | sed 's|^\./|/|' \
-  | grep -v '^/lib/apk/packages/' \
-  | sort > "$PACKAGES_DIR/.list"
-
-# Build APK
-apk mkpkg \
-  --info "name:sing-box" \
-  --info "version:${APK_VERSION}" \
-  --info "description:The universal proxy platform." \
-  --info "arch:${ARCHITECTURE}" \
-  --info "license:GPL-3.0-or-later with name use or association addition" \
-  --info "origin:sing-box" \
-  --info "url:https://sing-box.sagernet.org/" \
-  --info "maintainer:nekohasekai <contact-git@sekai.icu>" \
-  --files "$ROOT_DIR" \
-  --output "$OUTPUT_PATH"
--- a/.github/build_openwrt_apk.sh
+++ b/.github/build_openwrt_apk.sh
@@ -1,80 +0,0 @@
-#!/usr/bin/env bash
-
-set -e -o pipefail
-
-ARCHITECTURE="$1"
-VERSION="$2"
-BINARY_PATH="$3"
-OUTPUT_PATH="$4"
-
-if [ -z "$ARCHITECTURE" ] || [ -z "$VERSION" ] || [ -z "$BINARY_PATH" ] || [ -z "$OUTPUT_PATH" ]; then
-  echo "Usage: $0 <architecture> <version> <binary_path> <output_path>"
-  exit 1
-fi
-
-PROJECT=$(cd "$(dirname "$0")/.."; pwd)
-
-# Convert version to APK format:
-#   1.13.0-beta.8  -> 1.13.0_beta8-r0
-#   1.13.0-rc.3    -> 1.13.0_rc3-r0
-#   1.13.0         -> 1.13.0-r0
-APK_VERSION=$(echo "$VERSION" | sed -E 's/-([a-z]+)\.([0-9]+)/_\1\2/')
-APK_VERSION="${APK_VERSION}-r0"
-
-ROOT_DIR=$(mktemp -d)
-trap 'rm -rf "$ROOT_DIR"' EXIT
-
-# Binary
-install -Dm755 "$BINARY_PATH" "$ROOT_DIR/usr/bin/sing-box"
-
-# Config files
-install -Dm644 "$PROJECT/release/config/config.json" "$ROOT_DIR/etc/sing-box/config.json"
-install -Dm644 "$PROJECT/release/config/openwrt.conf" "$ROOT_DIR/etc/config/sing-box"
-install -Dm755 "$PROJECT/release/config/openwrt.init" "$ROOT_DIR/etc/init.d/sing-box"
-install -Dm644 "$PROJECT/release/config/openwrt.keep" "$ROOT_DIR/lib/upgrade/keep.d/sing-box"
-
-# Completions
-install -Dm644 "$PROJECT/release/completions/sing-box.bash" "$ROOT_DIR/usr/share/bash-completion/completions/sing-box.bash"
-install -Dm644 "$PROJECT/release/completions/sing-box.fish" "$ROOT_DIR/usr/share/fish/vendor_completions.d/sing-box.fish"
-install -Dm644 "$PROJECT/release/completions/sing-box.zsh" "$ROOT_DIR/usr/share/zsh/site-functions/_sing-box"
-
-# License
-install -Dm644 "$PROJECT/LICENSE" "$ROOT_DIR/usr/share/licenses/sing-box/LICENSE"
-
-# APK metadata
-PACKAGES_DIR="$ROOT_DIR/lib/apk/packages"
-mkdir -p "$PACKAGES_DIR"
-
-# .conffiles
-cat > "$PACKAGES_DIR/.conffiles" <<'EOF'
-/etc/config/sing-box
-/etc/sing-box/config.json
-EOF
-
-# .conffiles_static (sha256 checksums)
-while IFS= read -r conffile; do
-  sha256=$(sha256sum "$ROOT_DIR$conffile" | cut -d' ' -f1)
-  echo "$conffile $sha256"
-done < "$PACKAGES_DIR/.conffiles" > "$PACKAGES_DIR/.conffiles_static"
-
-# .list (all files, excluding lib/apk/packages/ metadata)
-(cd "$ROOT_DIR" && find . -type f -o -type l) \
-  | sed 's|^\./|/|' \
-  | grep -v '^/lib/apk/packages/' \
-  | sort > "$PACKAGES_DIR/.list"
-
-# Build APK
-apk mkpkg \
-  --info "name:sing-box" \
-  --info "version:${APK_VERSION}" \
-  --info "description:The universal proxy platform." \
-  --info "arch:${ARCHITECTURE}" \
-  --info "license:GPL-3.0-or-later" \
-  --info "origin:sing-box" \
-  --info "url:https://sing-box.sagernet.org/" \
-  --info "maintainer:nekohasekai <contact-git@sekai.icu>" \
-  --info "depends:ca-bundle kmod-inet-diag kmod-tun firewall4 kmod-nft-queue" \
-  --info "provider-priority:100" \
-  --script "pre-deinstall:${PROJECT}/release/config/openwrt.prerm" \
-  --files "$ROOT_DIR" \
-  --output "$OUTPUT_PATH"
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -6,7 +6,7 @@
    ":disableRateLimiting"
  ],
  "baseBranches": [
-    "unstable"
+    "dev-next"
  ],
  "golang": {
    "enabled": false
--- a/.github/setup_go_for_macos1013.sh
+++ b/.github/setup_go_for_macos1013.sh
@@ -1,45 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-VERSION="1.25.8"
-PATCH_COMMITS=(
-  "afe69d3cec1c6dcf0f1797b20546795730850070"
-  "1ed289b0cf87dc5aae9c6fe1aa5f200a83412938"
-)
-CURL_ARGS=(
-  -fL
-  --silent
-  --show-error
-)
-
-if [[ -n "${GITHUB_TOKEN:-}" ]]; then
-  CURL_ARGS+=(-H "Authorization: Bearer ${GITHUB_TOKEN}")
-fi
-
-mkdir -p "$HOME/go"
-cd "$HOME/go"
-wget "https://dl.google.com/go/go${VERSION}.darwin-arm64.tar.gz"
-tar -xzf "go${VERSION}.darwin-arm64.tar.gz"
-#cp -a go go_bootstrap
-mv go go_osx
-cd go_osx
-
-# these patch URLs only work on golang1.25.x
-# that means after golang1.26 release it must be changed
-# see: https://github.com/SagerNet/go/commits/release-branch.go1.25/
-# revert:
-# 33d3f603c1: "cmd/link/internal/ld: use 12.0.0 OS/SDK versions for macOS linking"
-# 937368f84e: "crypto/x509: change how we retrieve chains on darwin"
-
-for patch_commit in "${PATCH_COMMITS[@]}"; do
-  curl "${CURL_ARGS[@]}" "https://github.com/SagerNet/go/commit/${patch_commit}.diff" | patch --verbose -p 1
-done
-
-# Rebuild is not needed: we build with CGO_ENABLED=1, so Apple's external
-# linker handles LC_BUILD_VERSION via MACOSX_DEPLOYMENT_TARGET, and the
-# stdlib (crypto/x509) is compiled from patched src automatically.
-#cd src
-#GOROOT_BOOTSTRAP="$HOME/go/go_bootstrap" ./make.bash
-#cd ../..
-#rm -rf go_bootstrap "go${VERSION}.darwin-arm64.tar.gz"
--- a/.github/setup_go_for_windows7.sh
+++ b/.github/setup_go_for_windows7.sh
@@ -1,35 +1,16 @@
 #!/usr/bin/env bash

-set -euo pipefail
+VERSION="1.25.7"

-VERSION="1.25.8"
-PATCH_COMMITS=(
-  "466f6c7a29bc098b0d4c987b803c779222894a11"
-  "1bdabae205052afe1dadb2ad6f1ba612cdbc532a"
-  "a90777dcf692dd2168577853ba743b4338721b06"
-  "f6bddda4e8ff58a957462a1a09562924d5f3d05c"
-  "bed309eff415bcb3c77dd4bc3277b682b89a388d"
-  "34b899c2fb39b092db4fa67c4417e41dc046be4b"
-)
-CURL_ARGS=(
-  -fL
-  --silent
-  --show-error
-)
-
-if [[ -n "${GITHUB_TOKEN:-}" ]]; then
-  CURL_ARGS+=(-H "Authorization: Bearer ${GITHUB_TOKEN}")
-fi
-
-mkdir -p "$HOME/go"
-cd "$HOME/go"
+mkdir -p $HOME/go
+cd $HOME/go
 wget "https://dl.google.com/go/go${VERSION}.linux-amd64.tar.gz"
 tar -xzf "go${VERSION}.linux-amd64.tar.gz"
 mv go go_win7
 cd go_win7

 # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
-# these patch URLs only work on golang1.25.x
+# this patch file only works on golang1.25.x
 # that means after golang1.26 release it must be changed
 # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.25/
 # revert:
@@ -37,10 +18,10 @@ cd go_win7
 # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
 # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
 # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
-# fixes:
-# bed309eff415bcb3c77dd4bc3277b682b89a388d: "Fix os.RemoveAll not working on Windows7"
-# 34b899c2fb39b092db4fa67c4417e41dc046be4b: "Revert \"os: remove 5ms sleep on Windows in (*Process).Wait\""

-for patch_commit in "${PATCH_COMMITS[@]}"; do
-  curl "${CURL_ARGS[@]}" "https://github.com/MetaCubeX/go/commit/${patch_commit}.diff" | patch --verbose -p 1
-done
+alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
+
+curl https://github.com/MetaCubeX/go/commit/8cb5472d94c34b88733a81091bd328e70ee565a4.diff | patch --verbose -p 1
+curl https://github.com/MetaCubeX/go/commit/6788c4c6f9fafb56729bad6b660f7ee2272d699f.diff | patch --verbose -p 1
+curl https://github.com/MetaCubeX/go/commit/a5b2168bb836ed9d6601c626f95e56c07923f906.diff | patch --verbose -p 1
+curl https://github.com/MetaCubeX/go/commit/f56f1e23507e646c85243a71bde7b9629b2f970c.diff | patch --verbose -p 1
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -25,9 +25,8 @@ on:
          - publish-android
  push:
    branches:
-      - stable
-      - testing
-      - unstable
+      - main-next
+      - dev-next

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}-${{ inputs.build }}
@@ -41,13 +40,13 @@ jobs:
      version: ${{ steps.outputs.outputs.version }}
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          fetch-depth: 0
      - name: Setup Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.8
+          go-version: ^1.25.7
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
@@ -72,41 +71,33 @@ jobs:
        include:
          - { os: linux, arch: amd64, variant: purego, naive: true }
          - { os: linux, arch: amd64, variant: glibc, naive: true }
-          - { os: linux, arch: amd64, variant: musl, naive: true, debian: amd64, rpm: x86_64, pacman: x86_64, alpine: x86_64, openwrt: "x86_64" }
+          - { os: linux, arch: amd64, variant: musl, naive: true, debian: amd64, rpm: x86_64, pacman: x86_64, openwrt: "x86_64" }

          - { os: linux, arch: arm64, variant: purego, naive: true }
          - { os: linux, arch: arm64, variant: glibc, naive: true }
-          - { os: linux, arch: arm64, variant: musl, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64, alpine: aarch64, openwrt: "aarch64_cortex-a53 aarch64_cortex-a72 aarch64_cortex-a76 aarch64_generic" }
+          - { os: linux, arch: arm64, variant: musl, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64, openwrt: "aarch64_cortex-a53 aarch64_cortex-a72 aarch64_cortex-a76 aarch64_generic" }

          - { os: linux, arch: "386", go386: sse2 }
          - { os: linux, arch: "386", variant: glibc, naive: true, go386: sse2 }
-          - { os: linux, arch: "386", variant: musl, naive: true, go386: sse2, debian: i386, rpm: i386, alpine: x86, openwrt: "i386_pentium4" }
+          - { os: linux, arch: "386", variant: musl, naive: true, go386: sse2, debian: i386, rpm: i386, openwrt: "i386_pentium4" }

          - { os: linux, arch: arm, goarm: "7" }
          - { os: linux, arch: arm, variant: glibc, naive: true, goarm: "7" }
-          - { os: linux, arch: arm, variant: musl, naive: true, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, alpine: armv7, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }
-
-          - { os: linux, arch: mipsle, gomips: hardfloat, naive: true, variant: glibc }
-          - { os: linux, arch: mipsle, gomips: softfloat, naive: true, variant: musl, debian: mipsel, rpm: mipsel, openwrt: "mipsel_24kc mipsel_74kc mipsel_mips32" }
-          - { os: linux, arch: mips64le, gomips: hardfloat, naive: true, variant: glibc, debian: mips64el, rpm: mips64el }
-          - { os: linux, arch: riscv64, naive: true, variant: glibc }
-          - { os: linux, arch: riscv64, naive: true, variant: musl, debian: riscv64, rpm: riscv64, alpine: riscv64, openwrt: "riscv64_generic" }
-          - { os: linux, arch: loong64, naive: true, variant: glibc }
-          - { os: linux, arch: loong64, naive: true, variant: musl, debian: loongarch64, rpm: loongarch64, alpine: loongarch64, openwrt: "loongarch64_generic" }
+          - { os: linux, arch: arm, variant: musl, naive: true, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }

          - { os: linux, arch: "386", go386: softfloat, openwrt: "i386_pentium-mmx" }
          - { os: linux, arch: arm, goarm: "5", openwrt: "arm_arm926ej-s arm_cortex-a7 arm_cortex-a9 arm_fa526 arm_xscale" }
          - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl, openwrt: "arm_arm1176jzf-s_vfp" }
          - { os: linux, arch: mips, gomips: softfloat, openwrt: "mips_24kc mips_4kec mips_mips32" }
-          - { os: linux, arch: mipsle, gomips: hardfloat, openwrt: "mipsel_24kc_24kf" }
-          - { os: linux, arch: mipsle, gomips: softfloat }
+          - { os: linux, arch: mipsle, gomips: hardfloat, debian: mipsel, rpm: mipsel, openwrt: "mipsel_24kc_24kf" }
+          - { os: linux, arch: mipsle, gomips: softfloat, openwrt: "mipsel_24kc mipsel_74kc mipsel_mips32" }
          - { os: linux, arch: mips64, gomips: softfloat, openwrt: "mips64_mips64r2 mips64_octeonplus" }
-          - { os: linux, arch: mips64le, gomips: hardfloat }
+          - { os: linux, arch: mips64le, gomips: hardfloat, debian: mips64el, rpm: mips64el }
          - { os: linux, arch: mips64le, gomips: softfloat, openwrt: "mips64el_mips64r2" }
          - { os: linux, arch: s390x, debian: s390x, rpm: s390x }
          - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
-          - { os: linux, arch: riscv64 }
-          - { os: linux, arch: loong64 }
+          - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64, openwrt: "riscv64_generic" }
+          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }

          - { os: windows, arch: amd64, legacy_win7: true, legacy_name: "windows-7" }
          - { os: windows, arch: "386", legacy_win7: true, legacy_name: "windows-7" }
@@ -117,26 +108,29 @@ jobs:
          - { os: android, arch: "386", ndk: "i686-linux-android23" }
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          fetch-depth: 0
      - name: Setup Go
-        if: ${{ ! matrix.legacy_win7 }}
-        uses: actions/setup-go@v6
+        if: ${{ ! (matrix.legacy_win7 || matrix.legacy_go124) }}
+        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.8
+          go-version: ^1.25.7
+      - name: Setup Go 1.24
+        if: matrix.legacy_go124
+        uses: actions/setup-go@v5
+        with:
+          go-version: ~1.24.10
      - name: Cache Go for Windows 7
        if: matrix.legacy_win7
        id: cache-go-for-windows7
-        uses: actions/cache@v5
+        uses: actions/cache@v4
        with:
          path: |
            ~/go/go_win7
-          key: go_win7_1258
+          key: go_win7_1255
      - name: Setup Go for Windows 7
        if: matrix.legacy_win7 && steps.cache-go-for-windows7.outputs.cache-hit != 'true'
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
        run: |-
          .github/setup_go_for_windows7.sh
      - name: Setup Go for Windows 7
@@ -160,23 +154,14 @@ jobs:
          git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
          git -C ~/cronet-go checkout FETCH_HEAD
          git -C ~/cronet-go submodule update --init --recursive --depth=1
-      - name: Regenerate Debian keyring
-        if: matrix.naive
-        run: |
-          set -xeuo pipefail
-          rm -f ~/cronet-go/naiveproxy/src/build/linux/sysroot_scripts/keyring.gpg
-          cd ~/cronet-go
-          GPG_TTY=/dev/null ./naiveproxy/src/build/linux/sysroot_scripts/generate_keyring.sh
      - name: Cache Chromium toolchain
        if: matrix.naive
        id: cache-chromium-toolchain
-        uses: actions/cache@v5
+        uses: actions/cache@v4
        with:
          path: |
-            ~/cronet-go/naiveproxy/src/third_party/llvm-build/
-            ~/cronet-go/naiveproxy/src/gn/out/
-            ~/cronet-go/naiveproxy/src/chrome/build/pgo_profiles/
-            ~/cronet-go/naiveproxy/src/out/sysroot-build/
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
+            ~/cronet-go/naiveproxy/src/out/sysroot-build
          key: chromium-toolchain-${{ matrix.arch }}-${{ matrix.variant }}-${{ hashFiles('.github/CRONET_GO_VERSION') }}
      - name: Download Chromium toolchain
        if: matrix.naive
@@ -205,10 +190,9 @@ jobs:
      - name: Set build tags
        run: |
          set -xeuo pipefail
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
          if [[ "${{ matrix.naive }}" == "true" ]]; then
-            TAGS=$(cat release/DEFAULT_BUILD_TAGS)
-          else
-            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
+            TAGS="${TAGS},with_naive_outbound"
          fi
          if [[ "${{ matrix.variant }}" == "purego" ]]; then
            TAGS="${TAGS},with_purego"
@@ -216,16 +200,13 @@ jobs:
            TAGS="${TAGS},with_musl"
          fi
          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
-      - name: Set shared ldflags
-        run: |
-          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
      - name: Build (purego)
        if: matrix.variant == 'purego'
        run: |
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "0"
@@ -247,7 +228,7 @@ jobs:
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "1"
@@ -255,8 +236,6 @@ jobs:
          GOARCH: ${{ matrix.arch }}
          GO386: ${{ matrix.go386 }}
          GOARM: ${{ matrix.goarm }}
-          GOMIPS: ${{ matrix.gomips }}
-          GOMIPS64: ${{ matrix.gomips }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Build (musl)
        if: matrix.variant == 'musl'
@@ -264,7 +243,7 @@ jobs:
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "1"
@@ -272,8 +251,6 @@ jobs:
          GOARCH: ${{ matrix.arch }}
          GO386: ${{ matrix.go386 }}
          GOARM: ${{ matrix.goarm }}
-          GOMIPS: ${{ matrix.gomips }}
-          GOMIPS64: ${{ matrix.gomips }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Build (non-variant)
        if: matrix.os != 'android' && matrix.variant == ''
@@ -281,7 +258,7 @@ jobs:
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "0"
@@ -301,7 +278,7 @@ jobs:
          export CXX="${CC}++"
          mkdir -p dist
          GOOS=$BUILD_GOOS GOARCH=$BUILD_GOARCH build go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "1"
@@ -375,7 +352,7 @@ jobs:
          sudo gem install fpm
          sudo apt-get update
          sudo apt-get install -y libarchive-tools
-          cp .fpm_pacman .fpm
+          cp .fpm_systemd .fpm
          fpm -t pacman \
            -v "$PKG_VERSION" \
            -p "dist/sing-box_${{ needs.calculate_version.outputs.version }}_${{ matrix.os }}_${{ matrix.pacman }}.pkg.tar.zst" \
@@ -396,30 +373,6 @@ jobs:
            .github/deb2ipk.sh "$architecture" "dist/openwrt.deb" "dist/sing-box_${{ needs.calculate_version.outputs.version }}_openwrt_${architecture}.ipk"
          done
          rm "dist/openwrt.deb"
-      - name: Install apk-tools
-        if: matrix.openwrt != '' || matrix.alpine != ''
-        run: |-
-          docker run --rm -v /usr/local/bin:/mnt alpine:edge sh -c "apk add --no-cache apk-tools-static && cp /sbin/apk.static /mnt/apk && chmod +x /mnt/apk"
-      - name: Package OpenWrt APK
-        if: matrix.openwrt != ''
-        run: |-
-          set -xeuo pipefail
-          for architecture in ${{ matrix.openwrt }}; do
-            .github/build_openwrt_apk.sh \
-              "$architecture" \
-              "${{ needs.calculate_version.outputs.version }}" \
-              "dist/sing-box" \
-              "dist/sing-box_${{ needs.calculate_version.outputs.version }}_openwrt_${architecture}.apk"
-          done
-      - name: Package Alpine APK
-        if: matrix.alpine != ''
-        run: |-
-          set -xeuo pipefail
-          .github/build_alpine_apk.sh \
-            "${{ matrix.alpine }}" \
-            "${{ needs.calculate_version.outputs.version }}" \
-            "dist/sing-box" \
-            "dist/sing-box_${{ needs.calculate_version.outputs.version }}_linux_${{ matrix.alpine }}.apk"
      - name: Archive
        run: |
          set -xeuo pipefail
@@ -440,7 +393,7 @@ jobs:
      - name: Cleanup
        run: rm -f dist/sing-box dist/libcronet.so
      - name: Upload artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v4
        with:
          name: binary-${{ matrix.os }}_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.go386 && format('_{0}', matrix.go386) }}${{ matrix.gomips && format('_{0}', matrix.gomips) }}${{ matrix.legacy_name && format('-legacy-{0}', matrix.legacy_name) }}${{ matrix.variant && format('-{0}', matrix.variant) }}
          path: "dist"
@@ -455,36 +408,22 @@ jobs:
        include:
          - { arch: amd64 }
          - { arch: arm64 }
-          - { arch: amd64, legacy_osx: true, legacy_name: "macos-10.13" }
+          - { arch: amd64, legacy_go124: true, legacy_name: "macos-11" }
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          fetch-depth: 0
      - name: Setup Go
-        if: ${{ ! matrix.legacy_osx }}
-        uses: actions/setup-go@v6
+        if: ${{ ! matrix.legacy_go124 }}
+        uses: actions/setup-go@v5
        with:
          go-version: ^1.25.3
-      - name: Cache Go for macOS 10.13
-        if: matrix.legacy_osx
-        id: cache-go-for-macos1013
-        uses: actions/cache@v5
+      - name: Setup Go 1.24
+        if: matrix.legacy_go124
+        uses: actions/setup-go@v5
        with:
-          path: |
-            ~/go/go_osx
-          key: go_osx_1258
-      - name: Setup Go for macOS 10.13
-        if: matrix.legacy_osx && steps.cache-go-for-macos1013.outputs.cache-hit != 'true'
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-        run: |-
-          .github/setup_go_for_macos1013.sh
-      - name: Setup Go for macOS 10.13
-        if: matrix.legacy_osx
-        run: |-
-          echo "PATH=$HOME/go/go_osx/bin:$PATH" >> $GITHUB_ENV
-          echo "GOROOT=$HOME/go/go_osx" >> $GITHUB_ENV
+          go-version: ~1.24.6
      - name: Set tag
        run: |-
          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
@@ -492,27 +431,22 @@ jobs:
      - name: Set build tags
        run: |
          set -xeuo pipefail
-          if [[ "${{ matrix.legacy_osx }}" != "true" ]]; then
-            TAGS=$(cat release/DEFAULT_BUILD_TAGS)
-          else
-            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
+          if [[ "${{ matrix.legacy_go124 }}" != "true" ]]; then
+            TAGS="${TAGS},with_naive_outbound"
          fi
          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
-      - name: Set shared ldflags
-        run: |
-          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
      - name: Build
        run: |
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "1"
          GOOS: darwin
          GOARCH: ${{ matrix.arch }}
-          MACOSX_DEPLOYMENT_TARGET: ${{ matrix.legacy_osx && '10.13' || '' }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Set name
        run: |-
@@ -533,7 +467,7 @@ jobs:
      - name: Cleanup
        run: rm dist/sing-box
      - name: Upload artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v4
        with:
          name: binary-darwin_${{ matrix.arch }}${{ matrix.legacy_name && format('-legacy-{0}', matrix.legacy_name) }}
          path: "dist"
@@ -551,11 +485,11 @@ jobs:
          - { arch: arm64, naive: true }
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          fetch-depth: 0
      - name: Setup Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@v5
        with:
          go-version: ^1.25.4
      - name: Set tag
@@ -565,11 +499,9 @@ jobs:
      - name: Build
        if: matrix.naive
        run: |
-          $TAGS = Get-Content release/DEFAULT_BUILD_TAGS_WINDOWS
-          $LDFLAGS_SHARED = Get-Content release/LDFLAGS
          mkdir -p dist
-          go build -v -trimpath -o dist/sing-box.exe -tags "$TAGS" `
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' $LDFLAGS_SHARED -s -w -buildid=" `
+          go build -v -trimpath -o dist/sing-box.exe -tags "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,with_naive_outbound,with_purego,badlinkname,tfogo_checklinkname0" `
+          -ldflags "-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0" `
          ./cmd/sing-box
        env:
          CGO_ENABLED: "0"
@@ -579,11 +511,9 @@ jobs:
      - name: Build
        if: ${{ !matrix.naive }}
        run: |
-          $TAGS = Get-Content release/DEFAULT_BUILD_TAGS_OTHERS
-          $LDFLAGS_SHARED = Get-Content release/LDFLAGS
          mkdir -p dist
-          go build -v -trimpath -o dist/sing-box.exe -tags "$TAGS" `
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' $LDFLAGS_SHARED -s -w -buildid=" `
+          go build -v -trimpath -o dist/sing-box.exe -tags "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0" `
+          -ldflags "-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0" `
          ./cmd/sing-box
        env:
          CGO_ENABLED: "0"
@@ -622,26 +552,26 @@ jobs:
        if: ${{ !matrix.naive }}
        run: Remove-Item dist/sing-box.exe
      - name: Upload artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v4
        with:
          name: binary-windows_${{ matrix.arch }}
          path: "dist"
  build_android:
    name: Build Android
-    if: (github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android') && github.ref != 'refs/heads/oldstable'
+    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android'
    runs-on: ubuntu-latest
    needs:
      - calculate_version
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          fetch-depth: 0
          submodules: 'recursive'
      - name: Setup Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.8
+          go-version: ^1.25.7
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
@@ -664,17 +594,17 @@ jobs:
          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
      - name: Checkout main branch
-        if: github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
+        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
        run: |-
          cd clients/android
          git checkout main
      - name: Checkout dev branch
-        if: github.ref == 'refs/heads/testing'
+        if: github.ref == 'refs/heads/dev-next'
        run: |-
          cd clients/android
          git checkout dev
      - name: Gradle cache
-        uses: actions/cache@v5
+        uses: actions/cache@v4
        with:
          path: ~/.gradle
          key: gradle-${{ hashFiles('**/*.gradle') }}
@@ -712,26 +642,26 @@ jobs:
          EOF
          cat dist/SFA-version-metadata.json
      - name: Upload artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v4
        with:
          name: binary-android-apks
          path: 'dist'
  publish_android:
    name: Publish Android
-    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android' && github.ref != 'refs/heads/oldstable'
+    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android'
    runs-on: ubuntu-latest
    needs:
      - calculate_version
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          fetch-depth: 0
          submodules: 'recursive'
      - name: Setup Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.8
+          go-version: ^1.25.7
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
@@ -754,17 +684,17 @@ jobs:
          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
      - name: Checkout main branch
-        if: github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
+        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
        run: |-
          cd clients/android
          git checkout main
      - name: Checkout dev branch
-        if: github.ref == 'refs/heads/testing'
+        if: github.ref == 'refs/heads/dev-next'
        run: |-
          cd clients/android
          git checkout dev
      - name: Gradle cache
-        uses: actions/cache@v5
+        uses: actions/cache@v4
        with:
          path: ~/.gradle
          key: gradle-${{ hashFiles('**/*.gradle') }}
@@ -822,15 +752,15 @@ jobs:
    steps:
      - name: Checkout
        if: matrix.if
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          fetch-depth: 0
          submodules: 'recursive'
      - name: Setup Go
        if: matrix.if
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.8
+          go-version: ^1.25.7
      - name: Set tag
        if: matrix.if
        run: |-
@@ -838,12 +768,12 @@ jobs:
          git tag v${{ needs.calculate_version.outputs.version }} -f
          echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
      - name: Checkout main branch
-        if: matrix.if && github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
+        if: matrix.if && github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
        run: |-
          cd clients/apple
          git checkout main
      - name: Checkout dev branch
-        if: matrix.if && github.ref == 'refs/heads/testing'
+        if: matrix.if && github.ref == 'refs/heads/dev-next'
        run: |-
          cd clients/apple
          git checkout dev
@@ -929,7 +859,7 @@ jobs:
            -authenticationKeyID $ASC_KEY_ID \
            -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
      - name: Publish to TestFlight
-        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/testing'
+        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/dev-next'
        run: |-
          go run -v ./cmd/internal/app_store_connect publish_testflight ${{ matrix.platform }}
      - name: Build image
@@ -959,7 +889,7 @@ jobs:
          cp "clients/apple/${{ matrix.archive }}/SFM.dSYMs.zip" "dist/SFM-${VERSION}-universal.dSYMs.zip"
      - name: Upload image
        if: matrix.if && matrix.name == 'macOS-standalone' && github.event_name == 'workflow_dispatch'
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v4
        with:
          name: binary-macos-dmg
          path: 'dist'
@@ -976,11 +906,11 @@ jobs:
      - build_apple
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          fetch-depth: 0
      - name: Cache ghr
-        uses: actions/cache@v5
+        uses: actions/cache@v4
        id: cache-ghr
        with:
          path: |
@@ -999,7 +929,7 @@ jobs:
          git tag v${{ needs.calculate_version.outputs.version }} -f
          echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
      - name: Download builds
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v5
        with:
          path: dist
          merge-multiple: true
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -3,8 +3,8 @@ name: Publish Docker Images
 on:
  #push:
  #  branches:
-  #    - stable
-  #    - testing
+  #    - main-next
+  #    - dev-next
  release:
    types:
      - published
@@ -19,7 +19,6 @@ env:
 jobs:
  build_binary:
    name: Build binary
-    if: github.event_name != 'release' || github.event.release.target_commitish != 'oldstable'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: true
@@ -30,12 +29,10 @@ jobs:
          - { arch: arm64, naive: true, docker_platform: "linux/arm64" }
          - { arch: "386", naive: true, docker_platform: "linux/386" }
          - { arch: arm, goarm: "7", naive: true, docker_platform: "linux/arm/v7" }
-          - { arch: mipsle, gomips: softfloat, naive: true, docker_platform: "linux/mipsle" }
-          - { arch: riscv64, naive: true, docker_platform: "linux/riscv64" }
-          - { arch: loong64, naive: true, docker_platform: "linux/loong64" }
          # Non-naive builds
          - { arch: arm, goarm: "6", docker_platform: "linux/arm/v6" }
          - { arch: ppc64le, docker_platform: "linux/ppc64le" }
+          - { arch: riscv64, docker_platform: "linux/riscv64" }
          - { arch: s390x, docker_platform: "linux/s390x" }
    steps:
      - name: Get commit to build
@@ -49,14 +46,14 @@ jobs:
          echo "ref=$ref"
          echo "ref=$ref" >> $GITHUB_OUTPUT
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          ref: ${{ steps.ref.outputs.ref }}
          fetch-depth: 0
      - name: Setup Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.8
+          go-version: ^1.25.4
      - name: Clone cronet-go
        if: matrix.naive
        run: |
@@ -67,23 +64,14 @@ jobs:
          git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
          git -C ~/cronet-go checkout FETCH_HEAD
          git -C ~/cronet-go submodule update --init --recursive --depth=1
-      - name: Regenerate Debian keyring
-        if: matrix.naive
-        run: |
-          set -xeuo pipefail
-          rm -f ~/cronet-go/naiveproxy/src/build/linux/sysroot_scripts/keyring.gpg
-          cd ~/cronet-go
-          GPG_TTY=/dev/null ./naiveproxy/src/build/linux/sysroot_scripts/generate_keyring.sh
      - name: Cache Chromium toolchain
        if: matrix.naive
        id: cache-chromium-toolchain
-        uses: actions/cache@v5
+        uses: actions/cache@v4
        with:
          path: |
-            ~/cronet-go/naiveproxy/src/third_party/llvm-build/
-            ~/cronet-go/naiveproxy/src/gn/out/
-            ~/cronet-go/naiveproxy/src/chrome/build/pgo_profiles/
-            ~/cronet-go/naiveproxy/src/out/sysroot-build/
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
+            ~/cronet-go/naiveproxy/src/out/sysroot-build
          key: chromium-toolchain-${{ matrix.arch }}-musl-${{ hashFiles('.github/CRONET_GO_VERSION') }}
      - name: Download Chromium toolchain
        if: matrix.naive
@@ -105,34 +93,29 @@ jobs:
      - name: Set build tags
        run: |
          set -xeuo pipefail
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
          if [[ "${{ matrix.naive }}" == "true" ]]; then
-            TAGS="$(cat release/DEFAULT_BUILD_TAGS),with_musl"
-          else
-            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
+            TAGS="${TAGS},with_naive_outbound,with_musl"
          fi
          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
-      - name: Set shared ldflags
-        run: |
-          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
      - name: Build (naive)
        if: matrix.naive
        run: |
          set -xeuo pipefail
          go build -v -trimpath -o sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${VERSION}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=${VERSION}\" -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0" \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "1"
          GOOS: linux
          GOARCH: ${{ matrix.arch }}
          GOARM: ${{ matrix.goarm }}
-          GOMIPS: ${{ matrix.gomips }}
      - name: Build (non-naive)
        if: ${{ ! matrix.naive }}
        run: |
          set -xeuo pipefail
          go build -v -trimpath -o sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${VERSION}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=${VERSION}\" -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0" \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "0"
@@ -151,7 +134,7 @@ jobs:
          mv sing-box "${BINARY_NAME}"
          echo "BINARY_NAME=${BINARY_NAME}" >> $GITHUB_ENV
      - name: Upload binary
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v4
        with:
          name: binary-${{ env.PLATFORM_PAIR }}
          path: ${{ env.BINARY_NAME }}
@@ -165,17 +148,15 @@ jobs:
    strategy:
      fail-fast: true
      matrix:
-        include:
-          - { platform: "linux/amd64" }
-          - { platform: "linux/arm/v6" }
-          - { platform: "linux/arm/v7" }
-          - { platform: "linux/arm64" }
-          - { platform: "linux/386" }
-          # mipsle: no base Docker image available for this platform
-          - { platform: "linux/ppc64le" }
-          - { platform: "linux/riscv64" }
-          - { platform: "linux/s390x" }
-          - { platform: "linux/loong64", base_image: "ghcr.io/loong64/alpine:edge" }
+        platform:
+          - linux/amd64
+          - linux/arm/v6
+          - linux/arm/v7
+          - linux/arm64
+          - linux/386
+          - linux/ppc64le
+          - linux/riscv64
+          - linux/s390x
    steps:
      - name: Get commit to build
        id: ref
@@ -188,7 +169,7 @@ jobs:
          echo "ref=$ref"
          echo "ref=$ref" >> $GITHUB_OUTPUT
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          ref: ${{ steps.ref.outputs.ref }}
          fetch-depth: 0
@@ -197,7 +178,7 @@ jobs:
          platform=${{ matrix.platform }}
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
      - name: Download binary
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v5
        with:
          name: binary-${{ env.PLATFORM_PAIR }}
          path: .
@@ -207,29 +188,27 @@ jobs:
          chmod +x sing-box-*
          ls -la sing-box-*
      - name: Setup QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@v3
      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@v3
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_IMAGE }}
      - name: Build and push by digest
        id: build
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@v6
        with:
          platforms: ${{ matrix.platform }}
          context: .
          file: Dockerfile.binary
-          build-args: |
-            BASE_IMAGE=${{ matrix.base_image || 'alpine' }}
          labels: ${{ steps.meta.outputs.labels }}
          outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
      - name: Export digest
@@ -238,14 +217,13 @@ jobs:
          digest="${{ steps.build.outputs.digest }}"
          touch "/tmp/digests/${digest#sha256:}"
      - name: Upload digest
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v4
        with:
          name: digests-${{ env.PLATFORM_PAIR }}
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1
  merge:
-    if: github.event_name != 'push'
    runs-on: ubuntu-latest
    needs:
      - build_docker
@@ -268,15 +246,15 @@ jobs:
          echo "latest=$latest"
          echo "latest=$latest" >> $GITHUB_OUTPUT
      - name: Download digests
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v5
        with:
          path: /tmp/digests
          pattern: digests-*
          merge-multiple: true
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@v3
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -3,20 +3,18 @@ name: Lint
 on:
  push:
    branches:
-      - oldstable
-      - stable
-      - testing
-      - unstable
+      - stable-next
+      - main-next
+      - dev-next
    paths-ignore:
      - '**.md'
      - '.github/**'
      - '!.github/workflows/lint.yml'
  pull_request:
    branches:
-      - oldstable
-      - stable
-      - testing
-      - unstable
+      - stable-next
+      - main-next
+      - dev-next

 jobs:
  build:
@@ -24,15 +22,15 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          fetch-depth: 0
      - name: Setup Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@v5
        with:
          go-version: ^1.25
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v9
+        uses: golangci/golangci-lint-action@v8
        with:
          version: latest
          args: --timeout=30m
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -3,8 +3,8 @@ name: Build Linux Packages
 on:
  #push:
  #  branches:
-  #    - stable
-  #    - testing
+  #    - main-next
+  #    - dev-next
  workflow_dispatch:
    inputs:
      version:
@@ -23,19 +23,18 @@ on:
 jobs:
  calculate_version:
    name: Calculate version
-    if: github.event_name != 'release' || github.event.release.target_commitish != 'oldstable'
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.outputs.outputs.version }}
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          fetch-depth: 0
      - name: Setup Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.8
+          go-version: ^1.25.7
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
@@ -62,23 +61,23 @@ jobs:
          - { os: linux, arch: arm64, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64 }
          - { os: linux, arch: "386", naive: true, debian: i386, rpm: i386 }
          - { os: linux, arch: arm, goarm: "7", naive: true, debian: armhf, rpm: armv7hl, pacman: armv7hl }
-          - { os: linux, arch: mipsle, gomips: softfloat, naive: true, debian: mipsel, rpm: mipsel }
-          - { os: linux, arch: riscv64, naive: true, debian: riscv64, rpm: riscv64 }
-          - { os: linux, arch: loong64, naive: true, debian: loongarch64, rpm: loongarch64 }
          # Non-naive builds (unsupported architectures)
          - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl }
          - { os: linux, arch: mips64le, debian: mips64el, rpm: mips64el }
+          - { os: linux, arch: mipsle, debian: mipsel, rpm: mipsel }
          - { os: linux, arch: s390x, debian: s390x, rpm: s390x }
          - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
+          - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64 }
+          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64 }
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          fetch-depth: 0
      - name: Setup Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.8
+          go-version: ^1.25.7
      - name: Clone cronet-go
        if: matrix.naive
        run: |
@@ -89,23 +88,14 @@ jobs:
          git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
          git -C ~/cronet-go checkout FETCH_HEAD
          git -C ~/cronet-go submodule update --init --recursive --depth=1
-      - name: Regenerate Debian keyring
-        if: matrix.naive
-        run: |
-          set -xeuo pipefail
-          rm -f ~/cronet-go/naiveproxy/src/build/linux/sysroot_scripts/keyring.gpg
-          cd ~/cronet-go
-          GPG_TTY=/dev/null ./naiveproxy/src/build/linux/sysroot_scripts/generate_keyring.sh
      - name: Cache Chromium toolchain
        if: matrix.naive
        id: cache-chromium-toolchain
-        uses: actions/cache@v5
+        uses: actions/cache@v4
        with:
          path: |
-            ~/cronet-go/naiveproxy/src/third_party/llvm-build/
-            ~/cronet-go/naiveproxy/src/gn/out/
-            ~/cronet-go/naiveproxy/src/chrome/build/pgo_profiles/
-            ~/cronet-go/naiveproxy/src/out/sysroot-build/
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
+            ~/cronet-go/naiveproxy/src/out/sysroot-build
          key: chromium-toolchain-${{ matrix.arch }}-musl-${{ hashFiles('.github/CRONET_GO_VERSION') }}
      - name: Download Chromium toolchain
        if: matrix.naive
@@ -126,30 +116,24 @@ jobs:
      - name: Set build tags
        run: |
          set -xeuo pipefail
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
          if [[ "${{ matrix.naive }}" == "true" ]]; then
-            TAGS="$(cat release/DEFAULT_BUILD_TAGS),with_musl"
-          else
-            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
+            TAGS="${TAGS},with_naive_outbound,with_musl"
          fi
          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
-      - name: Set shared ldflags
-        run: |
-          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
      - name: Build (naive)
        if: matrix.naive
        run: |
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "1"
          GOOS: linux
          GOARCH: ${{ matrix.arch }}
          GOARM: ${{ matrix.goarm }}
-          GOMIPS: ${{ matrix.gomips }}
-          GOMIPS64: ${{ matrix.gomips }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Build (non-naive)
        if: ${{ ! matrix.naive }}
@@ -157,7 +141,7 @@ jobs:
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "0"
@@ -224,7 +208,7 @@ jobs:
      - name: Cleanup
        run: rm dist/sing-box
      - name: Upload artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v4
        with:
          name: binary-${{ matrix.os }}_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.legacy_go && '-legacy' || '' }}
          path: "dist"
@@ -236,7 +220,7 @@ jobs:
      - build
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          fetch-depth: 0
      - name: Set tag
@@ -245,7 +229,7 @@ jobs:
          git tag v${{ needs.calculate_version.outputs.version }} -f
          echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
      - name: Download builds
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v5
        with:
          path: dist
          merge-multiple: true
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,7 +8,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@v10
+      - uses: actions/stale@v9
        with:
          stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days'
          days-before-stale: 60
--- a/.gitignore
+++ b/.gitignore
@@ -12,9 +12,6 @@
 /*.jar
 /*.aar
 /*.xcframework/
-/experimental/libbox/*.aar
-/experimental/libbox/*.xcframework/
-/experimental/libbox/*.nupkg
 .DS_Store
 /config.d/
 /venv/
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -9,11 +9,6 @@ run:
    - with_utls
    - with_acme
    - with_clash_api
-    - with_tailscale
-    - with_ccm
-    - with_ocm
-    - badlinkname
-    - tfogo_checklinkname0
 linters:
  default: none
  enable:
--- a/9
+++ b/9
@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS builder
+FROM --platform=$BUILDPLATFORM golang:1.26-alpine AS builder
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 COPY . /go/src/github.com/sagernet/sing-box
 WORKDIR /go/src/github.com/sagernet/sing-box
@@ -12,11 +12,10 @@ RUN set -ex \
    && apk add git build-base \
    && export COMMIT=$(git rev-parse --short HEAD) \
    && export VERSION=$(go run ./cmd/internal/read_tag) \
-    && export TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS) \
-    && export LDFLAGS_SHARED=$(cat release/LDFLAGS) \
-    && go build -v -trimpath -tags "$TAGS" \
+    && go build -v -trimpath -tags \
+        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0" \
        -o /go/bin/sing-box \
-        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" $LDFLAGS_SHARED -s -w -buildid=" \
+        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0" \
        ./cmd/sing-box
 FROM --platform=$TARGETPLATFORM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
--- a/Dockerfile.binary
+++ b/Dockerfile.binary
@@ -1,14 +1,8 @@
-ARG BASE_IMAGE=alpine
-FROM ${BASE_IMAGE}
+FROM alpine
 ARG TARGETARCH
 ARG TARGETVARIANT
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 RUN set -ex \
-    && if command -v apk > /dev/null; then \
-        apk add --no-cache --upgrade bash tzdata ca-certificates nftables; \
-    else \
-        apt-get update && apt-get install -y --no-install-recommends bash tzdata ca-certificates nftables \
-        && rm -rf /var/lib/apt/lists/*; \
-    fi
+    && apk add --no-cache --upgrade bash tzdata ca-certificates nftables
 COPY sing-box-${TARGETARCH}${TARGETVARIANT} /usr/local/bin/sing-box
 ENTRYPOINT ["sing-box"]
--- a/22
+++ b/22
@@ -1,18 +1,15 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS ?= $(shell cat release/DEFAULT_BUILD_TAGS_OTHERS)
+TAGS ?= with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0

 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
 VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest)

-LDFLAGS_SHARED = $(shell cat release/LDFLAGS)
-PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' $(LDFLAGS_SHARED) -s -w -buildid="
+PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0"
 MAIN_PARAMS = $(PARAMS) -tags "$(TAGS)"
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
-SING_FFI ?= sing-ffi
-LIBBOX_FFI_CONFIG ?= ./experimental/libbox/ffi.json

 .PHONY: test release docs build

@@ -240,18 +237,15 @@ lib_android:
 lib_apple:
 	go run ./cmd/internal/build_libbox -target apple

-lib_windows:
-	$(SING_FFI) generate --config $(LIBBOX_FFI_CONFIG) --platform-type csharp
-
 lib_android_new:
-	$(SING_FFI) generate --config $(LIBBOX_FFI_CONFIG) --platform-type android
+	go run ./cmd/internal/build_libbox_newffi -target android

 lib_apple_new:
-	$(SING_FFI) generate --config $(LIBBOX_FFI_CONFIG) --platform-type apple
+	go run ./cmd/internal/build_libbox_newffi -target apple

 lib_install:
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.12
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.12
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.11
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.11

 docs:
 	venv/bin/mkdocs serve
@@ -260,8 +254,8 @@ publish_docs:
 	venv/bin/mkdocs gh-deploy -m "Update" --force --ignore-version --no-history

 docs_install:
-	python3 -m venv venv
-	source ./venv/bin/activate && pip install --force-reinstall mkdocs-material=="9.7.2" mkdocs-static-i18n=="1.2.*"
+	python -m venv venv
+	source ./venv/bin/activate && pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"

 clean:
 	rm -rf bin dist sing-box
--- a/adapter/connections.go
+++ b/adapter/connections.go
@@ -9,10 +9,6 @@ import (

 type ConnectionManager interface {
 	Lifecycle
-	Count() int
-	CloseAll()
-	TrackConn(conn net.Conn) net.Conn
-	TrackPacketConn(conn net.PacketConn) net.PacketConn
 	NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata InboundContext, onClose N.CloseHandlerFunc)
 	NewPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn, metadata InboundContext, onClose N.CloseHandlerFunc)
 }
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -2,7 +2,6 @@ package adapter

 import (
 	"context"
-	"net"
 	"net/netip"
 	"time"

@@ -63,10 +62,13 @@ type InboundContext struct {
 	// cache

 	// Deprecated: implement in rule action
-	InboundDetour             string
-	LastInbound               string
-	OriginDestination         M.Socksaddr
-	RouteOriginalDestination  M.Socksaddr
+	InboundDetour            string
+	LastInbound              string
+	OriginDestination        M.Socksaddr
+	RouteOriginalDestination M.Socksaddr
+	// Deprecated: to be removed
+	//nolint:staticcheck
+	InboundOptions            option.InboundOptions
 	UDPDisableDomainUnmapping bool
 	UDPConnect                bool
 	UDPTimeout                time.Duration
@@ -83,8 +85,6 @@ type InboundContext struct {
 	SourceGeoIPCode      string
 	GeoIPCode            string
 	ProcessInfo          *ConnectionOwner
-	SourceMACAddress     net.HardwareAddr
-	SourceHostname       string
 	QueryType            uint16
 	FakeIP               bool

--- a/adapter/neighbor.go
+++ b/adapter/neighbor.go
@@ -1,23 +0,0 @@
-package adapter
-
-import (
-	"net"
-	"net/netip"
-)
-
-type NeighborEntry struct {
-	Address    netip.Addr
-	MACAddress net.HardwareAddr
-	Hostname   string
-}
-
-type NeighborResolver interface {
-	LookupMAC(address netip.Addr) (net.HardwareAddr, bool)
-	LookupHostname(address netip.Addr) (string, bool)
-	Start() error
-	Close() error
-}
-
-type NeighborUpdateListener interface {
-	UpdateNeighborTable(entries []NeighborEntry)
-}
--- a/adapter/platform.go
+++ b/adapter/platform.go
@@ -36,10 +36,6 @@ type PlatformInterface interface {

 	UsePlatformNotification() bool
 	SendNotification(notification *Notification) error
-
-	UsePlatformNeighborResolver() bool
-	StartNeighborMonitor(listener NeighborUpdateListener) error
-	CloseNeighborMonitor(listener NeighborUpdateListener) error
 }

 type FindConnectionOwnerRequest struct {
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -26,8 +26,6 @@ type Router interface {
 	RuleSet(tag string) (RuleSet, bool)
 	Rules() []Rule
 	NeedFindProcess() bool
-	NeedFindNeighbor() bool
-	NeighborResolver() NeighborResolver
 	AppendTracker(tracker ConnectionTracker)
 	ResetNetwork()
 }
--- a/box.go
+++ b/box.go
@@ -125,10 +125,7 @@ func New(options Options) (*Box, error) {

 	ctx = pause.WithDefaultManager(ctx)
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
-	err := applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
-	if err != nil {
-		return nil, err
-	}
+	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
 	var needCacheFile bool
 	var needClashAPI bool
 	var needV2RayAPI bool
--- a/clients/android
+++ b/clients/android
--- a/clients/apple
+++ b/clients/apple
--- a/cmd/internal/build_libbox/main.go
+++ b/cmd/internal/build_libbox/main.go
@@ -63,7 +63,7 @@ func init() {
 	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid=  -checklinkname=0")
 	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0")

-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_naive_outbound", "with_clash_api", "badlinkname", "tfogo_checklinkname0")
+	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_naive_outbound", "with_clash_api", "with_conntrack", "badlinkname", "tfogo_checklinkname0")
 	darwinTags = append(darwinTags, "with_dhcp", "grpcnotrace")
 	// memcTags = append(memcTags, "with_tailscale")
 	sharedTags = append(sharedTags, "with_tailscale", "ts_omit_logtail", "ts_omit_ssh", "ts_omit_drive", "ts_omit_taildrop", "ts_omit_webclient", "ts_omit_doctor", "ts_omit_capture", "ts_omit_kube", "ts_omit_aws", "ts_omit_synology", "ts_omit_bird")
--- a/cmd/internal/build_libbox_newffi/main.go
+++ b/cmd/internal/build_libbox_newffi/main.go
@@ -0,0 +1,93 @@
+package main
+
+import (
+	"flag"
+	"os"
+	"os/exec"
+	"path/filepath"
+
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common/rw"
+)
+
+var target string
+
+func init() {
+	flag.StringVar(&target, "target", "android", "target platform (android or apple)")
+}
+
+func main() {
+	flag.Parse()
+
+	args := []string{
+		"generate",
+		"-v",
+		"--config", "experimental/libbox/ffi.json",
+		"--platform-type", target,
+	}
+	command := exec.Command("sing-ffi", args...)
+	command.Stdout = os.Stdout
+	command.Stderr = os.Stderr
+	err := command.Run()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	copyArtifacts(target)
+}
+
+func copyArtifacts(target string) {
+	switch target {
+	case "android":
+		copyPath := filepath.Join("..", "sing-box-for-android", "app", "libs")
+		if rw.IsDir(copyPath) {
+			copyPath, _ = filepath.Abs(copyPath)
+			for _, name := range []string{"libbox.aar", "libbox-legacy.aar"} {
+				artifactPath, found := findArtifactPath(name)
+				if !found {
+					continue
+				}
+				targetPath := filepath.Join(target, artifactPath)
+				os.RemoveAll(targetPath)
+				err := os.Rename(artifactPath, targetPath)
+				if err != nil {
+					log.Fatal(err)
+				}
+				log.Info("copied ", name, " to ", copyPath)
+			}
+		}
+	case "apple":
+		copyPath := filepath.Join("..", "sing-box-for-apple")
+		if rw.IsDir(copyPath) {
+			sourceDir, found := findArtifactPath("Libbox.xcframework")
+			if !found {
+				log.Fatal("Libbox.xcframework not found in current directory or experimental/libbox")
+			}
+
+			targetDir := filepath.Join(copyPath, "Libbox.xcframework")
+			targetDir, _ = filepath.Abs(targetDir)
+			err := os.RemoveAll(targetDir)
+			if err != nil {
+				log.Fatal(err)
+			}
+			err = os.Rename(sourceDir, targetDir)
+			if err != nil {
+				log.Fatal(err)
+			}
+			log.Info("copied ", sourceDir, " to ", targetDir)
+		}
+	}
+}
+
+func findArtifactPath(name string) (string, bool) {
+	candidates := []string{
+		name,
+		filepath.Join("experimental", "libbox", name),
+	}
+	for _, candidate := range candidates {
+		if rw.IsFile(candidate) || rw.IsDir(candidate) {
+			return candidate, true
+		}
+	}
+	return "", false
+}
--- a/cmd/internal/update_apple_version/main.go
+++ b/cmd/internal/update_apple_version/main.go
@@ -71,12 +71,12 @@ func findAndReplace(objectsMap map[string]any, projectContent string, bundleIDLi
 		indexEnd := indexStart + strings.Index(projectContent[indexStart:], "}")
 		versionStart := indexStart + strings.Index(projectContent[indexStart:indexEnd], "MARKETING_VERSION = ") + 20
 		versionEnd := versionStart + strings.Index(projectContent[versionStart:indexEnd], ";")
-		version := strings.Trim(projectContent[versionStart:versionEnd], "\"")
+		version := projectContent[versionStart:versionEnd]
 		if version == newVersion {
 			continue
 		}
 		updated = true
-		projectContent = projectContent[:versionStart] + "\"" + newVersion + "\"" + projectContent[versionEnd:]
+		projectContent = projectContent[:versionStart] + newVersion + projectContent[versionEnd:]
 	}
 	return projectContent, updated
 }
--- a/common/conntrack/conn.go
+++ b/common/conntrack/conn.go
@@ -0,0 +1,54 @@
+package conntrack
+
+import (
+	"io"
+	"net"
+
+	"github.com/sagernet/sing/common/x/list"
+)
+
+type Conn struct {
+	net.Conn
+	element *list.Element[io.Closer]
+}
+
+func NewConn(conn net.Conn) (net.Conn, error) {
+	connAccess.Lock()
+	element := openConnection.PushBack(conn)
+	connAccess.Unlock()
+	if KillerEnabled {
+		err := KillerCheck()
+		if err != nil {
+			conn.Close()
+			return nil, err
+		}
+	}
+	return &Conn{
+		Conn:    conn,
+		element: element,
+	}, nil
+}
+
+func (c *Conn) Close() error {
+	if c.element.Value != nil {
+		connAccess.Lock()
+		if c.element.Value != nil {
+			openConnection.Remove(c.element)
+			c.element.Value = nil
+		}
+		connAccess.Unlock()
+	}
+	return c.Conn.Close()
+}
+
+func (c *Conn) Upstream() any {
+	return c.Conn
+}
+
+func (c *Conn) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *Conn) WriterReplaceable() bool {
+	return true
+}
--- a/common/conntrack/killer.go
+++ b/common/conntrack/killer.go
@@ -0,0 +1,35 @@
+package conntrack
+
+import (
+	runtimeDebug "runtime/debug"
+	"time"
+
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/memory"
+)
+
+var (
+	KillerEnabled   bool
+	MemoryLimit     uint64
+	killerLastCheck time.Time
+)
+
+func KillerCheck() error {
+	if !KillerEnabled {
+		return nil
+	}
+	nowTime := time.Now()
+	if nowTime.Sub(killerLastCheck) < 3*time.Second {
+		return nil
+	}
+	killerLastCheck = nowTime
+	if memory.Total() > MemoryLimit {
+		Close()
+		go func() {
+			time.Sleep(time.Second)
+			runtimeDebug.FreeOSMemory()
+		}()
+		return E.New("out of memory")
+	}
+	return nil
+}
--- a/common/conntrack/packet_conn.go
+++ b/common/conntrack/packet_conn.go
@@ -0,0 +1,55 @@
+package conntrack
+
+import (
+	"io"
+	"net"
+
+	"github.com/sagernet/sing/common/bufio"
+	"github.com/sagernet/sing/common/x/list"
+)
+
+type PacketConn struct {
+	net.PacketConn
+	element *list.Element[io.Closer]
+}
+
+func NewPacketConn(conn net.PacketConn) (net.PacketConn, error) {
+	connAccess.Lock()
+	element := openConnection.PushBack(conn)
+	connAccess.Unlock()
+	if KillerEnabled {
+		err := KillerCheck()
+		if err != nil {
+			conn.Close()
+			return nil, err
+		}
+	}
+	return &PacketConn{
+		PacketConn: conn,
+		element:    element,
+	}, nil
+}
+
+func (c *PacketConn) Close() error {
+	if c.element.Value != nil {
+		connAccess.Lock()
+		if c.element.Value != nil {
+			openConnection.Remove(c.element)
+			c.element.Value = nil
+		}
+		connAccess.Unlock()
+	}
+	return c.PacketConn.Close()
+}
+
+func (c *PacketConn) Upstream() any {
+	return bufio.NewPacketConn(c.PacketConn)
+}
+
+func (c *PacketConn) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *PacketConn) WriterReplaceable() bool {
+	return true
+}
--- a/common/conntrack/track.go
+++ b/common/conntrack/track.go
@@ -0,0 +1,47 @@
+package conntrack
+
+import (
+	"io"
+	"sync"
+
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/x/list"
+)
+
+var (
+	connAccess     sync.RWMutex
+	openConnection list.List[io.Closer]
+)
+
+func Count() int {
+	if !Enabled {
+		return 0
+	}
+	return openConnection.Len()
+}
+
+func List() []io.Closer {
+	if !Enabled {
+		return nil
+	}
+	connAccess.RLock()
+	defer connAccess.RUnlock()
+	connList := make([]io.Closer, 0, openConnection.Len())
+	for element := openConnection.Front(); element != nil; element = element.Next() {
+		connList = append(connList, element.Value)
+	}
+	return connList
+}
+
+func Close() {
+	if !Enabled {
+		return
+	}
+	connAccess.Lock()
+	defer connAccess.Unlock()
+	for element := openConnection.Front(); element != nil; element = element.Next() {
+		common.Close(element.Value)
+		element.Value = nil
+	}
+	openConnection.Init()
+}
--- a/common/conntrack/track_disable.go
+++ b/common/conntrack/track_disable.go
@@ -0,0 +1,5 @@
+//go:build !with_conntrack
+
+package conntrack
+
+const Enabled = false
--- a/common/conntrack/track_enable.go
+++ b/common/conntrack/track_enable.go
@@ -0,0 +1,5 @@
+//go:build with_conntrack
+
+package conntrack
+
+const Enabled = true
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -9,6 +9,7 @@ import (
 	"time"

 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/listener"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
@@ -36,7 +37,6 @@ type DefaultDialer struct {
 	udpAddr4               string
 	udpAddr6               string
 	netns                  string
-	connectionManager      adapter.ConnectionManager
 	networkManager         adapter.NetworkManager
 	networkStrategy        *C.NetworkStrategy
 	defaultNetworkStrategy bool
@@ -47,7 +47,6 @@ type DefaultDialer struct {
 }

 func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDialer, error) {
-	connectionManager := service.FromContext[adapter.ConnectionManager](ctx)
 	networkManager := service.FromContext[adapter.NetworkManager](ctx)
 	platformInterface := service.FromContext[adapter.PlatformInterface](ctx)

@@ -90,7 +89,7 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial

 	if networkManager != nil {
 		defaultOptions := networkManager.DefaultOptions()
-		if defaultOptions.BindInterface != "" && !disableDefaultBind {
+		if defaultOptions.BindInterface != "" {
 			bindFunc := control.BindToInterface(networkManager.InterfaceFinder(), defaultOptions.BindInterface, -1)
 			dialer.Control = control.Append(dialer.Control, bindFunc)
 			listener.Control = control.Append(listener.Control, bindFunc)
@@ -158,11 +157,8 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		if keepInterval == 0 {
 			keepInterval = C.TCPKeepAliveInterval
 		}
-		dialer.KeepAliveConfig = net.KeepAliveConfig{
-			Enable:   true,
-			Idle:     keepIdle,
-			Interval: keepInterval,
-		}
+		dialer.KeepAlive = keepIdle
+		dialer.Control = control.Append(dialer.Control, control.SetKeepAlivePeriod(keepIdle, keepInterval))
 	}
 	var udpFragment bool
 	if options.UDPFragment != nil {
@@ -210,7 +206,6 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		udpAddr4:               udpAddr4,
 		udpAddr6:               udpAddr6,
 		netns:                  options.NetNs,
-		connectionManager:      connectionManager,
 		networkManager:         networkManager,
 		networkStrategy:        networkStrategy,
 		defaultNetworkStrategy: defaultNetworkStrategy,
@@ -243,7 +238,7 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 		return nil, E.New("domain not resolved")
 	}
 	if d.networkStrategy == nil {
-		return d.trackConn(listener.ListenNetworkNamespace[net.Conn](d.netns, func() (net.Conn, error) {
+		return trackConn(listener.ListenNetworkNamespace[net.Conn](d.netns, func() (net.Conn, error) {
 			switch N.NetworkName(network) {
 			case N.NetworkUDP:
 				if !address.IsIPv6() {
@@ -308,12 +303,12 @@ func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network strin
 	if !fastFallback && !isPrimary {
 		d.networkLastFallback.Store(time.Now())
 	}
-	return d.trackConn(conn, nil)
+	return trackConn(conn, nil)
 }

 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	if d.networkStrategy == nil {
-		return d.trackPacketConn(listener.ListenNetworkNamespace[net.PacketConn](d.netns, func() (net.PacketConn, error) {
+		return trackPacketConn(listener.ListenNetworkNamespace[net.PacketConn](d.netns, func() (net.PacketConn, error) {
 			if destination.IsIPv6() {
 				return d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6)
 			} else if destination.IsIPv4() && !destination.Addr.IsUnspecified() {
@@ -365,23 +360,23 @@ func (d *DefaultDialer) ListenSerialInterfacePacket(ctx context.Context, destina
 			return nil, err
 		}
 	}
-	return d.trackPacketConn(packetConn, nil)
+	return trackPacketConn(packetConn, nil)
 }

 func (d *DefaultDialer) WireGuardControl() control.Func {
 	return d.udpListener.Control
 }

-func (d *DefaultDialer) trackConn(conn net.Conn, err error) (net.Conn, error) {
-	if d.connectionManager == nil || err != nil {
+func trackConn(conn net.Conn, err error) (net.Conn, error) {
+	if !conntrack.Enabled || err != nil {
 		return conn, err
 	}
-	return d.connectionManager.TrackConn(conn), nil
+	return conntrack.NewConn(conn)
 }

-func (d *DefaultDialer) trackPacketConn(conn net.PacketConn, err error) (net.PacketConn, error) {
-	if d.connectionManager == nil || err != nil {
+func trackPacketConn(conn net.PacketConn, err error) (net.PacketConn, error) {
+	if !conntrack.Enabled || err != nil {
 		return conn, err
 	}
-	return d.connectionManager.TrackPacketConn(conn), nil
+	return conntrack.NewPacketConn(conn)
 }
--- a/common/dialer/dialer.go
+++ b/common/dialer/dialer.go
@@ -145,7 +145,3 @@ type ParallelNetworkDialer interface {
 	DialParallelNetwork(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
 	ListenSerialNetworkPacket(ctx context.Context, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error)
 }
-
-type PacketDialerWithDestination interface {
-	ListenPacketWithDestination(ctx context.Context, destination M.Socksaddr) (net.PacketConn, netip.Addr, error)
-}
--- a/common/listener/listener.go
+++ b/common/listener/listener.go
@@ -151,7 +151,6 @@ func ListenNetworkNamespace[T any](nameOrPath string, block func() (T, error)) (
 		if err != nil {
 			return common.DefaultValue[T](), E.Cause(err, "get current netns")
 		}
-		defer currentNs.Close()
 		defer netns.Set(currentNs)
 		var targetNs netns.NsHandle
 		if strings.HasPrefix(nameOrPath, "/") {
--- a/common/listener/listener_tcp.go
+++ b/common/listener/listener_tcp.go
@@ -99,6 +99,8 @@ func (l *Listener) loopTCPIn() {
 		}
 		//nolint:staticcheck
 		metadata.InboundDetour = l.listenOptions.Detour
+		//nolint:staticcheck
+		metadata.InboundOptions = l.listenOptions.InboundOptions
 		metadata.Source = M.SocksaddrFromNet(conn.RemoteAddr()).Unwrap()
 		metadata.OriginDestination = M.SocksaddrFromNet(conn.LocalAddr()).Unwrap()
 		ctx := log.ContextWithNewID(l.ctx)
--- a/common/tls/ech.go
+++ b/common/tls/ech.go
@@ -15,6 +15,7 @@ import (

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	aTLS "github.com/sagernet/sing/common/tls"
@@ -37,7 +38,7 @@ func parseECHClientConfig(ctx context.Context, clientConfig ECHCapableConfig, op
 	}
 	//nolint:staticcheck
 	if options.ECH.PQSignatureSchemesEnabled || options.ECH.DynamicRecordSizingDisabled {
-		return nil, E.New("legacy ECH options are deprecated in sing-box 1.12.0 and removed in sing-box 1.13.0")
+		deprecated.Report(ctx, deprecated.OptionLegacyECHOptions)
 	}
 	if len(echConfig) > 0 {
 		block, rest := pem.Decode(echConfig)
@@ -76,7 +77,7 @@ func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions,
 	tlsConfig.EncryptedClientHelloKeys = echKeys
 	//nolint:staticcheck
 	if options.ECH.PQSignatureSchemesEnabled || options.ECH.DynamicRecordSizingDisabled {
-		return E.New("legacy ECH options are deprecated in sing-box 1.12.0 and removed in sing-box 1.13.0")
+		deprecated.Report(ctx, deprecated.OptionLegacyECHOptions)
 	}
 	return nil
 }
--- a/constant/proxy.go
+++ b/constant/proxy.go
@@ -30,7 +30,6 @@ const (
 	TypeSSMAPI       = "ssm-api"
 	TypeCCM          = "ccm"
 	TypeOCM          = "ocm"
-	TypeOOMKiller    = "oom-killer"
 )

 const (
@@ -86,8 +85,6 @@ func ProxyDisplayName(proxyType string) string {
 		return "Hysteria2"
 	case TypeAnyTLS:
 		return "AnyTLS"
-	case TypeTailscale:
-		return "Tailscale"
 	case TypeSelector:
 		return "Selector"
 	case TypeURLTest:
--- a/daemon/instance.go
+++ b/daemon/instance.go
@@ -7,12 +7,10 @@ import (
 	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/urltest"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 	"github.com/sagernet/sing/service"
@@ -23,7 +21,6 @@ type Instance struct {
 	ctx                   context.Context
 	cancel                context.CancelFunc
 	instance              *box.Box
-	connectionManager     adapter.ConnectionManager
 	clashServer           adapter.ClashServer
 	cacheFile             adapter.CacheFile
 	pauseManager          pause.Manager
@@ -87,15 +84,6 @@ func (s *StartedService) newInstance(profileContent string, overrideOptions *Ove
 			}
 		}
 	}
-	if s.oomKiller && C.IsIos {
-		if !common.Any(options.Services, func(it option.Service) bool {
-			return it.Type == C.TypeOOMKiller
-		}) {
-			options.Services = append(options.Services, option.Service{
-				Type: C.TypeOOMKiller,
-			})
-		}
-	}
 	urlTestHistoryStorage := urltest.NewHistoryStorage()
 	ctx = service.ContextWithPtr(ctx, urlTestHistoryStorage)
 	i := &Instance{
@@ -113,7 +101,6 @@ func (s *StartedService) newInstance(profileContent string, overrideOptions *Ove
 		return nil, err
 	}
 	i.instance = boxInstance
-	i.connectionManager = service.FromContext[adapter.ConnectionManager](ctx)
 	i.clashServer = service.FromContext[adapter.ClashServer](ctx)
 	i.pauseManager = service.FromContext[pause.Manager](ctx)
 	i.cacheFile = service.FromContext[adapter.CacheFile](ctx)
--- a/daemon/started_service.go
+++ b/daemon/started_service.go
@@ -8,6 +8,7 @@ import (
 	"time"

 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/urltest"
 	"github.com/sagernet/sing-box/experimental/clashapi"
 	"github.com/sagernet/sing-box/experimental/clashapi/trafficontrol"
@@ -35,7 +36,6 @@ type StartedService struct {
 	handler     PlatformHandler
 	debug       bool
 	logMaxLines int
-	oomKiller   bool
 	// workingDirectory string
 	// tempDirectory    string
 	// userID           int
@@ -67,7 +67,6 @@ type ServiceOptions struct {
 	Handler     PlatformHandler
 	Debug       bool
 	LogMaxLines int
-	OOMKiller   bool
 	// WorkingDirectory   string
 	// TempDirectory      string
 	// UserID             int
@@ -82,7 +81,6 @@ func NewStartedService(options ServiceOptions) *StartedService {
 		handler:     options.Handler,
 		debug:       options.Debug,
 		logMaxLines: options.LogMaxLines,
-		oomKiller:   options.OOMKiller,
 		// workingDirectory: options.WorkingDirectory,
 		// tempDirectory:    options.TempDirectory,
 		// userID:           options.UserID,
@@ -209,14 +207,6 @@ func (s *StartedService) StartOrReloadService(profileContent string, options *Ov
 	return nil
 }

-func (s *StartedService) Close() {
-	s.serviceStatusSubscriber.Close()
-	s.logSubscriber.Close()
-	s.urlTestSubscriber.Close()
-	s.clashModeSubscriber.Close()
-	s.connectionEventSubscriber.Close()
-}
-
 func (s *StartedService) CloseService() error {
 	s.serviceAccess.Lock()
 	switch s.serviceStatus.Status {
@@ -409,14 +399,12 @@ func (s *StartedService) SubscribeStatus(request *SubscribeStatusRequest, server

 func (s *StartedService) readStatus() *Status {
 	var status Status
-	status.Memory = memory.Total()
+	status.Memory = memory.Inuse()
 	status.Goroutines = int32(runtime.NumGoroutine())
+	status.ConnectionsOut = int32(conntrack.Count())
 	s.serviceAccess.RLock()
 	nowService := s.instance
 	s.serviceAccess.RUnlock()
-	if nowService != nil && nowService.connectionManager != nil {
-		status.ConnectionsOut = int32(nowService.connectionManager.Count())
-	}
 	if nowService != nil {
 		if clashServer := nowService.clashServer; clashServer != nil {
 			status.TrafficAvailable = true
@@ -997,12 +985,7 @@ func (s *StartedService) CloseConnection(ctx context.Context, request *CloseConn
 }

 func (s *StartedService) CloseAllConnections(ctx context.Context, empty *emptypb.Empty) (*emptypb.Empty, error) {
-	s.serviceAccess.RLock()
-	nowService := s.instance
-	s.serviceAccess.RUnlock()
-	if nowService != nil && nowService.connectionManager != nil {
-		nowService.connectionManager.CloseAll()
-	}
+	conntrack.Close()
 	return &emptypb.Empty{}, nil
 }

--- a/debug.go
+++ b/debug.go
@@ -3,11 +3,11 @@ package box
 import (
 	"runtime/debug"

+	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
 )

-func applyDebugOptions(options option.DebugOptions) error {
+func applyDebugOptions(options option.DebugOptions) {
 	applyDebugListenOption(options)
 	if options.GCPercent != nil {
 		debug.SetGCPercent(*options.GCPercent)
@@ -26,9 +26,9 @@ func applyDebugOptions(options option.DebugOptions) error {
 	}
 	if options.MemoryLimit.Value() != 0 {
 		debug.SetMemoryLimit(int64(float64(options.MemoryLimit.Value()) / 1.5))
+		conntrack.MemoryLimit = options.MemoryLimit.Value()
 	}
 	if options.OOMKiller != nil {
-		return E.New("legacy oom_killer in debug options is removed, use oom-killer service instead")
+		conntrack.KillerEnabled = *options.OOMKiller
 	}
-	return nil
 }
--- a/dns/client.go
+++ b/dns/client.go
@@ -240,10 +240,8 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 	if responseChecker != nil {
 		var rejected bool
 		// TODO: add accept_any rule and support to check response instead of addresses
-		if response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError {
+		if response.Rcode != dns.RcodeSuccess || len(response.Answer) == 0 {
 			rejected = true
-		} else if len(response.Answer) == 0 {
-			rejected = !responseChecker(nil)
 		} else {
 			rejected = !responseChecker(MessageToAddresses(response))
 		}
@@ -324,20 +322,16 @@ func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, dom
 	} else {
 		strategy = options.Strategy
 	}
-	lookupOptions := options
-	if options.LookupStrategy != C.DomainStrategyAsIS {
-		lookupOptions.Strategy = strategy
-	}
 	if strategy == C.DomainStrategyIPv4Only {
-		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, lookupOptions, responseChecker)
+		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, options, responseChecker)
 	} else if strategy == C.DomainStrategyIPv6Only {
-		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, lookupOptions, responseChecker)
+		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, options, responseChecker)
 	}
 	var response4 []netip.Addr
 	var response6 []netip.Addr
 	var group task.Group
 	group.Append("exchange4", func(ctx context.Context) error {
-		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, lookupOptions, responseChecker)
+		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, options, responseChecker)
 		if err != nil {
 			return err
 		}
@@ -345,7 +339,7 @@ func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, dom
 		return nil
 	})
 	group.Append("exchange6", func(ctx context.Context) error {
-		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, lookupOptions, responseChecker)
+		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, options, responseChecker)
 		if err != nil {
 			return err
 		}
--- a/dns/router.go
+++ b/dns/router.go
@@ -195,16 +195,7 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 			}
 		}
 	}
-	transport := r.transport.Default()
-	if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
-		if options.Strategy == C.DomainStrategyAsIS {
-			options.Strategy = legacyTransport.LegacyStrategy()
-		}
-		if !options.ClientSubnet.IsValid() {
-			options.ClientSubnet = legacyTransport.LegacyClientSubnet()
-		}
-	}
-	return transport, nil, -1
+	return r.transport.Default(), nil, -1
 }

 func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapter.DNSQueryOptions) (*mDNS.Msg, error) {
@@ -281,7 +272,13 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 					return action.Response(message), nil
 				}
 			}
-			responseCheck := addressLimitResponseCheck(rule, metadata)
+			var responseCheck func(responseAddrs []netip.Addr) bool
+			if rule != nil && rule.WithAddressLimit() {
+				responseCheck = func(responseAddrs []netip.Addr) bool {
+					metadata.DestinationAddresses = responseAddrs
+					return rule.MatchAddressLimit(metadata)
+				}
+			}
 			if dnsOptions.Strategy == C.DomainStrategyAsIS {
 				dnsOptions.Strategy = r.defaultDomainStrategy
 			}
@@ -354,7 +351,7 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 		transport := options.Transport
 		if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
 			if options.Strategy == C.DomainStrategyAsIS {
-				options.Strategy = legacyTransport.LegacyStrategy()
+				options.Strategy = r.defaultDomainStrategy
 			}
 			if !options.ClientSubnet.IsValid() {
 				options.ClientSubnet = legacyTransport.LegacyClientSubnet()
@@ -380,11 +377,9 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 				case *R.RuleActionReject:
 					return nil, &R.RejectedError{Cause: action.Error(ctx)}
 				case *R.RuleActionPredefined:
-					responseAddrs = nil
 					if action.Rcode != mDNS.RcodeSuccess {
 						err = RcodeError(action.Rcode)
 					} else {
-						err = nil
 						for _, answer := range action.Answer {
 							switch record := answer.(type) {
 							case *mDNS.A:
@@ -397,7 +392,13 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 					goto response
 				}
 			}
-			responseCheck := addressLimitResponseCheck(rule, metadata)
+			var responseCheck func(responseAddrs []netip.Addr) bool
+			if rule != nil && rule.WithAddressLimit() {
+				responseCheck = func(responseAddrs []netip.Addr) bool {
+					metadata.DestinationAddresses = responseAddrs
+					return rule.MatchAddressLimit(metadata)
+				}
+			}
 			if dnsOptions.Strategy == C.DomainStrategyAsIS {
 				dnsOptions.Strategy = r.defaultDomainStrategy
 			}
@@ -425,18 +426,6 @@ func isAddressQuery(message *mDNS.Msg) bool {
 	return false
 }

-func addressLimitResponseCheck(rule adapter.DNSRule, metadata *adapter.InboundContext) func(responseAddrs []netip.Addr) bool {
-	if rule == nil || !rule.WithAddressLimit() {
-		return nil
-	}
-	responseMetadata := *metadata
-	return func(responseAddrs []netip.Addr) bool {
-		checkMetadata := responseMetadata
-		checkMetadata.DestinationAddresses = responseAddrs
-		return rule.MatchAddressLimit(&checkMetadata)
-	}
-}
-
 func (r *Router) ClearCache() {
 	r.client.ClearCache()
 	if r.platformInterface != nil {
--- a/dns/transport/connector.go
+++ b/dns/transport/connector.go
@@ -4,9 +4,6 @@ import (
 	"context"
 	"net"
 	"sync"
-	"time"
-
-	E "github.com/sagernet/sing/common/exceptions"
 )

 type ConnectorCallbacks[T any] struct {
@@ -19,11 +16,10 @@ type Connector[T any] struct {
 	dial      func(ctx context.Context) (T, error)
 	callbacks ConnectorCallbacks[T]

-	access           sync.Mutex
-	connection       T
-	hasConnection    bool
-	connectionCancel context.CancelFunc
-	connecting       chan struct{}
+	access        sync.Mutex
+	connection    T
+	hasConnection bool
+	connecting    chan struct{}

 	closeCtx context.Context
 	closed   bool
@@ -51,10 +47,6 @@ func NewSingleflightConnector(closeCtx context.Context, dial func(context.Contex
 	})
 }

-type contextKeyConnecting struct{}
-
-var errRecursiveConnectorDial = E.New("recursive connector dial")
-
 func (c *Connector[T]) Get(ctx context.Context) (T, error) {
 	var zero T
 	for {
@@ -72,14 +64,6 @@ func (c *Connector[T]) Get(ctx context.Context) (T, error) {
 		}

 		c.hasConnection = false
-		if c.connectionCancel != nil {
-			c.connectionCancel()
-			c.connectionCancel = nil
-		}
-		if isRecursiveConnectorDial(ctx, c) {
-			c.access.Unlock()
-			return zero, errRecursiveConnectorDial
-		}

 		if c.connecting != nil {
 			connecting := c.connecting
@@ -95,16 +79,10 @@ func (c *Connector[T]) Get(ctx context.Context) (T, error) {
 			}
 		}

-		if err := ctx.Err(); err != nil {
-			c.access.Unlock()
-			return zero, err
-		}
-
 		c.connecting = make(chan struct{})
 		c.access.Unlock()

-		dialContext := context.WithValue(ctx, contextKeyConnecting{}, c)
-		connection, cancel, err := c.dialWithCancellation(dialContext)
+		connection, err := c.dialWithCancellation(ctx)

 		c.access.Lock()
 		close(c.connecting)
@@ -116,21 +94,13 @@ func (c *Connector[T]) Get(ctx context.Context) (T, error) {
 		}

 		if c.closed {
-			cancel()
 			c.callbacks.Close(connection)
 			c.access.Unlock()
 			return zero, ErrTransportClosed
 		}
-		if err = ctx.Err(); err != nil {
-			cancel()
-			c.callbacks.Close(connection)
-			c.access.Unlock()
-			return zero, err
-		}

 		c.connection = connection
 		c.hasConnection = true
-		c.connectionCancel = cancel
 		result := c.connection
 		c.access.Unlock()

@@ -138,63 +108,19 @@ func (c *Connector[T]) Get(ctx context.Context) (T, error) {
 	}
 }

-func isRecursiveConnectorDial[T any](ctx context.Context, connector *Connector[T]) bool {
-	dialConnector, loaded := ctx.Value(contextKeyConnecting{}).(*Connector[T])
-	return loaded && dialConnector == connector
-}
+func (c *Connector[T]) dialWithCancellation(ctx context.Context) (T, error) {
+	dialCtx, cancel := context.WithCancel(ctx)
+	defer cancel()

-func (c *Connector[T]) dialWithCancellation(ctx context.Context) (T, context.CancelFunc, error) {
-	var zero T
-	if err := ctx.Err(); err != nil {
-		return zero, nil, err
-	}
-	connCtx, cancel := context.WithCancel(c.closeCtx)
-
-	var (
-		stateAccess  sync.Mutex
-		dialComplete bool
-	)
-	stopCancel := context.AfterFunc(ctx, func() {
-		stateAccess.Lock()
-		if !dialComplete {
+	go func() {
+		select {
+		case <-c.closeCtx.Done():
 			cancel()
+		case <-dialCtx.Done():
 		}
-		stateAccess.Unlock()
-	})
-	select {
-	case <-ctx.Done():
-		stateAccess.Lock()
-		dialComplete = true
-		stateAccess.Unlock()
-		stopCancel()
-		cancel()
-		return zero, nil, ctx.Err()
-	default:
-	}
+	}()

-	connection, err := c.dial(valueContext{connCtx, ctx})
-	stateAccess.Lock()
-	dialComplete = true
-	stateAccess.Unlock()
-	stopCancel()
-	if err != nil {
-		cancel()
-		return zero, nil, err
-	}
-	return connection, cancel, nil
-}
-
-type valueContext struct {
-	context.Context
-	parent context.Context
-}
-
-func (v valueContext) Value(key any) any {
-	return v.parent.Value(key)
-}
-
-func (v valueContext) Deadline() (time.Time, bool) {
-	return v.parent.Deadline()
+	return c.dial(dialCtx)
 }

 func (c *Connector[T]) Close() error {
@@ -206,10 +132,6 @@ func (c *Connector[T]) Close() error {
 	}
 	c.closed = true

-	if c.connectionCancel != nil {
-		c.connectionCancel()
-		c.connectionCancel = nil
-	}
 	if c.hasConnection {
 		c.callbacks.Close(c.connection)
 		c.hasConnection = false
@@ -222,10 +144,6 @@ func (c *Connector[T]) Reset() {
 	c.access.Lock()
 	defer c.access.Unlock()

-	if c.connectionCancel != nil {
-		c.connectionCancel()
-		c.connectionCancel = nil
-	}
 	if c.hasConnection {
 		c.callbacks.Reset(c.connection)
 		c.hasConnection = false
--- a/dns/transport/connector_test.go
+++ b/dns/transport/connector_test.go
@@ -1,263 +0,0 @@
-package transport
-
-import (
-	"context"
-	"sync/atomic"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/require"
-)
-
-type testConnectorConnection struct{}
-
-func TestConnectorRecursiveGetFailsFast(t *testing.T) {
-	t.Parallel()
-
-	var (
-		dialCount  atomic.Int32
-		closeCount atomic.Int32
-		connector  *Connector[*testConnectorConnection]
-	)
-
-	dial := func(ctx context.Context) (*testConnectorConnection, error) {
-		dialCount.Add(1)
-		_, err := connector.Get(ctx)
-		if err != nil {
-			return nil, err
-		}
-		return &testConnectorConnection{}, nil
-	}
-
-	connector = NewConnector(context.Background(), dial, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {
-			closeCount.Add(1)
-		},
-		Reset: func(connection *testConnectorConnection) {
-			closeCount.Add(1)
-		},
-	})
-
-	_, err := connector.Get(context.Background())
-	require.ErrorIs(t, err, errRecursiveConnectorDial)
-	require.EqualValues(t, 1, dialCount.Load())
-	require.EqualValues(t, 0, closeCount.Load())
-}
-
-func TestConnectorRecursiveGetAcrossConnectorsAllowed(t *testing.T) {
-	t.Parallel()
-
-	var (
-		outerDialCount atomic.Int32
-		innerDialCount atomic.Int32
-		outerConnector *Connector[*testConnectorConnection]
-		innerConnector *Connector[*testConnectorConnection]
-	)
-
-	innerConnector = NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
-		innerDialCount.Add(1)
-		return &testConnectorConnection{}, nil
-	}, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {},
-		Reset: func(connection *testConnectorConnection) {},
-	})
-
-	outerConnector = NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
-		outerDialCount.Add(1)
-		_, err := innerConnector.Get(ctx)
-		if err != nil {
-			return nil, err
-		}
-		return &testConnectorConnection{}, nil
-	}, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {},
-		Reset: func(connection *testConnectorConnection) {},
-	})
-
-	_, err := outerConnector.Get(context.Background())
-	require.NoError(t, err)
-	require.EqualValues(t, 1, outerDialCount.Load())
-	require.EqualValues(t, 1, innerDialCount.Load())
-}
-
-func TestConnectorDialContextPreservesValueAndDeadline(t *testing.T) {
-	t.Parallel()
-
-	type contextKey struct{}
-
-	var (
-		dialValue       any
-		dialDeadline    time.Time
-		dialHasDeadline bool
-	)
-
-	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
-		dialValue = ctx.Value(contextKey{})
-		dialDeadline, dialHasDeadline = ctx.Deadline()
-		return &testConnectorConnection{}, nil
-	}, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {},
-		Reset: func(connection *testConnectorConnection) {},
-	})
-
-	deadline := time.Now().Add(time.Minute)
-	requestContext, cancel := context.WithDeadline(context.WithValue(context.Background(), contextKey{}, "test-value"), deadline)
-	defer cancel()
-
-	_, err := connector.Get(requestContext)
-	require.NoError(t, err)
-	require.Equal(t, "test-value", dialValue)
-	require.True(t, dialHasDeadline)
-	require.WithinDuration(t, deadline, dialDeadline, time.Second)
-}
-
-func TestConnectorDialSkipsCanceledRequest(t *testing.T) {
-	t.Parallel()
-
-	var dialCount atomic.Int32
-	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
-		dialCount.Add(1)
-		return &testConnectorConnection{}, nil
-	}, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {},
-		Reset: func(connection *testConnectorConnection) {},
-	})
-
-	requestContext, cancel := context.WithCancel(context.Background())
-	cancel()
-
-	_, err := connector.Get(requestContext)
-	require.ErrorIs(t, err, context.Canceled)
-	require.EqualValues(t, 0, dialCount.Load())
-}
-
-func TestConnectorCanceledRequestDoesNotCacheConnection(t *testing.T) {
-	t.Parallel()
-
-	var (
-		dialCount  atomic.Int32
-		closeCount atomic.Int32
-	)
-	dialStarted := make(chan struct{}, 1)
-	releaseDial := make(chan struct{})
-
-	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
-		dialCount.Add(1)
-		select {
-		case dialStarted <- struct{}{}:
-		default:
-		}
-		<-releaseDial
-		return &testConnectorConnection{}, nil
-	}, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {
-			closeCount.Add(1)
-		},
-		Reset: func(connection *testConnectorConnection) {},
-	})
-
-	requestContext, cancel := context.WithCancel(context.Background())
-	result := make(chan error, 1)
-	go func() {
-		_, err := connector.Get(requestContext)
-		result <- err
-	}()
-
-	<-dialStarted
-	cancel()
-	close(releaseDial)
-
-	err := <-result
-	require.ErrorIs(t, err, context.Canceled)
-	require.EqualValues(t, 1, dialCount.Load())
-	require.EqualValues(t, 1, closeCount.Load())
-
-	_, err = connector.Get(context.Background())
-	require.NoError(t, err)
-	require.EqualValues(t, 2, dialCount.Load())
-}
-
-func TestConnectorDialContextNotCanceledByRequestContextAfterDial(t *testing.T) {
-	t.Parallel()
-
-	var dialContext context.Context
-	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
-		dialContext = ctx
-		return &testConnectorConnection{}, nil
-	}, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {},
-		Reset: func(connection *testConnectorConnection) {},
-	})
-
-	requestContext, cancel := context.WithCancel(context.Background())
-	_, err := connector.Get(requestContext)
-	require.NoError(t, err)
-	require.NotNil(t, dialContext)
-
-	cancel()
-
-	select {
-	case <-dialContext.Done():
-		t.Fatal("dial context canceled by request context after successful dial")
-	case <-time.After(100 * time.Millisecond):
-	}
-
-	err = connector.Close()
-	require.NoError(t, err)
-}
-
-func TestConnectorDialContextCanceledOnClose(t *testing.T) {
-	t.Parallel()
-
-	var dialContext context.Context
-	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
-		dialContext = ctx
-		return &testConnectorConnection{}, nil
-	}, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {},
-		Reset: func(connection *testConnectorConnection) {},
-	})
-
-	_, err := connector.Get(context.Background())
-	require.NoError(t, err)
-	require.NotNil(t, dialContext)
-
-	select {
-	case <-dialContext.Done():
-		t.Fatal("dial context canceled before connector close")
-	default:
-	}
-
-	err = connector.Close()
-	require.NoError(t, err)
-
-	select {
-	case <-dialContext.Done():
-	case <-time.After(time.Second):
-		t.Fatal("dial context not canceled after connector close")
-	}
-}
--- a/dns/transport/fakeip/store.go
+++ b/dns/transport/fakeip/store.go
@@ -18,8 +18,6 @@ type Store struct {
 	logger     logger.Logger
 	inet4Range netip.Prefix
 	inet6Range netip.Prefix
-	inet4Last  netip.Addr
-	inet6Last  netip.Addr
 	storage    adapter.FakeIPStorage

 	addressAccess sync.Mutex
@@ -28,35 +26,12 @@ type Store struct {
 }

 func NewStore(ctx context.Context, logger logger.Logger, inet4Range netip.Prefix, inet6Range netip.Prefix) *Store {
-	store := &Store{
+	return &Store{
 		ctx:        ctx,
 		logger:     logger,
 		inet4Range: inet4Range,
 		inet6Range: inet6Range,
 	}
-	if inet4Range.IsValid() {
-		store.inet4Last = broadcastAddress(inet4Range)
-	}
-	if inet6Range.IsValid() {
-		store.inet6Last = broadcastAddress(inet6Range)
-	}
-	return store
-}
-
-func broadcastAddress(prefix netip.Prefix) netip.Addr {
-	addr := prefix.Addr()
-	raw := addr.As16()
-	bits := prefix.Bits()
-	if addr.Is4() {
-		bits += 96
-	}
-	for i := bits; i < 128; i++ {
-		raw[i/8] |= 1 << (7 - i%8)
-	}
-	if addr.Is4() {
-		return netip.AddrFrom4([4]byte(raw[12:]))
-	}
-	return netip.AddrFrom16(raw)
 }

 func (s *Store) Start() error {
@@ -74,10 +49,10 @@ func (s *Store) Start() error {
 		s.inet6Current = metadata.Inet6Current
 	} else {
 		if s.inet4Range.IsValid() {
-			s.inet4Current = s.inet4Range.Addr().Next()
+			s.inet4Current = s.inet4Range.Addr().Next().Next()
 		}
 		if s.inet6Range.IsValid() {
-			s.inet6Current = s.inet6Range.Addr().Next()
+			s.inet6Current = s.inet6Range.Addr().Next().Next()
 		}
 		_ = storage.FakeIPReset()
 	}
@@ -123,7 +98,7 @@ func (s *Store) Create(domain string, isIPv6 bool) (netip.Addr, error) {
 			return netip.Addr{}, E.New("missing IPv4 fakeip address range")
 		}
 		nextAddress := s.inet4Current.Next()
-		if nextAddress == s.inet4Last || !s.inet4Range.Contains(nextAddress) {
+		if !s.inet4Range.Contains(nextAddress) {
 			nextAddress = s.inet4Range.Addr().Next().Next()
 		}
 		s.inet4Current = nextAddress
@@ -133,7 +108,7 @@ func (s *Store) Create(domain string, isIPv6 bool) (netip.Addr, error) {
 			return netip.Addr{}, E.New("missing IPv6 fakeip address range")
 		}
 		nextAddress := s.inet6Current.Next()
-		if nextAddress == s.inet6Last || !s.inet6Range.Contains(nextAddress) {
+		if !s.inet6Range.Contains(nextAddress) {
 			nextAddress = s.inet6Range.Addr().Next().Next()
 		}
 		s.inet6Current = nextAddress
--- a/dns/transport/local/local.go
+++ b/dns/transport/local/local.go
@@ -81,7 +81,10 @@ func (t *Transport) Reset() {

 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	if t.resolved != nil {
-		return t.resolved.Exchange(ctx, message)
+		resolverObject := t.resolved.Object()
+		if resolverObject != nil {
+			return t.resolved.Exchange(resolverObject, ctx, message)
+		}
 	}
 	question := message.Question[0]
 	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
--- a/dns/transport/local/local_resolved.go
+++ b/dns/transport/local/local_resolved.go
@@ -9,5 +9,6 @@ import (
 type ResolvedResolver interface {
 	Start() error
 	Close() error
-	Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error)
+	Object() any
+	Exchange(object any, ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error)
 }
--- a/dns/transport/local/local_resolved_linux.go
+++ b/dns/transport/local/local_resolved_linux.go
@@ -4,26 +4,19 @@ import (
 	"bufio"
 	"context"
 	"errors"
-	"net/netip"
 	"os"
 	"strings"
 	"sync"
 	"sync/atomic"

 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/dialer"
-	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/dns"
-	dnsTransport "github.com/sagernet/sing-box/dns/transport"
-	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/service/resolved"
 	"github.com/sagernet/sing-tun"
+	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/x/list"
 	"github.com/sagernet/sing/service"

@@ -56,23 +49,13 @@ type DBusResolvedResolver struct {
 	interfaceMonitor  tun.DefaultInterfaceMonitor
 	interfaceCallback *list.Element[tun.DefaultInterfaceUpdateCallback]
 	systemBus         *dbus.Conn
-	savedServerSet    atomic.Pointer[resolvedServerSet]
+	resoledObject     atomic.Pointer[ResolvedObject]
 	closeOnce         sync.Once
 }

-type resolvedServerSet struct {
-	servers []resolvedServer
-}
-
-type resolvedServer struct {
-	primaryTransport  adapter.DNSTransport
-	fallbackTransport adapter.DNSTransport
-}
-
-type resolvedServerSpecification struct {
-	address    netip.Addr
-	port       uint16
-	serverName string
+type ResolvedObject struct {
+	dbus.BusObject
+	InterfaceIndex int32
 }

 func NewResolvedResolver(ctx context.Context, logger logger.ContextLogger) (ResolvedResolver, error) {
@@ -99,31 +82,17 @@ func (t *DBusResolvedResolver) Start() error {
 		"org.freedesktop.DBus",
 		"NameOwnerChanged",
 		dbus.WithMatchSender("org.freedesktop.DBus"),
-		dbus.WithMatchArg(0, "org.freedesktop.resolve1"),
-	).Err
-	if err != nil {
-		return E.Cause(err, "configure resolved restart listener")
-	}
-	err = t.systemBus.BusObject().AddMatchSignal(
-		"org.freedesktop.DBus.Properties",
-		"PropertiesChanged",
-		dbus.WithMatchSender("org.freedesktop.resolve1"),
 		dbus.WithMatchArg(0, "org.freedesktop.resolve1.Manager"),
 	).Err
 	if err != nil {
-		return E.Cause(err, "configure resolved properties listener")
+		return E.Cause(err, "configure resolved restart listener")
 	}
 	go t.loopUpdateStatus()
 	return nil
 }

 func (t *DBusResolvedResolver) Close() error {
-	var closeErr error
 	t.closeOnce.Do(func() {
-		serverSet := t.savedServerSet.Swap(nil)
-		if serverSet != nil {
-			closeErr = serverSet.Close()
-		}
 		if t.interfaceCallback != nil {
 			t.interfaceMonitor.UnregisterCallback(t.interfaceCallback)
 		}
@@ -131,97 +100,99 @@ func (t *DBusResolvedResolver) Close() error {
 			_ = t.systemBus.Close()
 		}
 	})
-	return closeErr
+	return nil
 }

-func (t *DBusResolvedResolver) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	serverSet := t.savedServerSet.Load()
-	if serverSet == nil {
-		var err error
-		serverSet, err = t.checkResolved(context.Background())
-		if err != nil {
-			return nil, err
-		}
-		previousServerSet := t.savedServerSet.Swap(serverSet)
-		if previousServerSet != nil {
-			_ = previousServerSet.Close()
+func (t *DBusResolvedResolver) Object() any {
+	return common.PtrOrNil(t.resoledObject.Load())
+}
+
+func (t *DBusResolvedResolver) Exchange(object any, ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	question := message.Question[0]
+	resolvedObject := object.(*ResolvedObject)
+	call := resolvedObject.CallWithContext(
+		ctx,
+		"org.freedesktop.resolve1.Manager.ResolveRecord",
+		0,
+		resolvedObject.InterfaceIndex,
+		question.Name,
+		question.Qclass,
+		question.Qtype,
+		uint64(0),
+	)
+	if call.Err != nil {
+		var dbusError dbus.Error
+		if errors.As(call.Err, &dbusError) && dbusError.Name == "org.freedesktop.resolve1.NoNameServers" {
+			t.updateStatus()
 		}
+		return nil, E.Cause(call.Err, " resolve record via resolved")
 	}
-	response, err := t.exchangeServerSet(ctx, message, serverSet)
-	if err == nil {
-		return response, nil
-	}
-	t.updateStatus()
-	refreshedServerSet := t.savedServerSet.Load()
-	if refreshedServerSet == nil || refreshedServerSet == serverSet {
+	var (
+		records  []resolved.ResourceRecord
+		outflags uint64
+	)
+	err := call.Store(&records, &outflags)
+	if err != nil {
 		return nil, err
 	}
-	return t.exchangeServerSet(ctx, message, refreshedServerSet)
+	response := &mDNS.Msg{
+		MsgHdr: mDNS.MsgHdr{
+			Id:                 message.Id,
+			Response:           true,
+			Authoritative:      true,
+			RecursionDesired:   true,
+			RecursionAvailable: true,
+			Rcode:              mDNS.RcodeSuccess,
+		},
+		Question: []mDNS.Question{question},
+	}
+	for _, record := range records {
+		var rr mDNS.RR
+		rr, _, err = mDNS.UnpackRR(record.Data, 0)
+		if err != nil {
+			return nil, E.Cause(err, "unpack resource record")
+		}
+		response.Answer = append(response.Answer, rr)
+	}
+	return response, nil
 }

 func (t *DBusResolvedResolver) loopUpdateStatus() {
 	signalChan := make(chan *dbus.Signal, 1)
 	t.systemBus.Signal(signalChan)
 	for signal := range signalChan {
-		switch signal.Name {
-		case "org.freedesktop.DBus.NameOwnerChanged":
-			if len(signal.Body) != 3 {
-				continue
-			}
-			newOwner, loaded := signal.Body[2].(string)
-			if !loaded || newOwner == "" {
-				continue
-			}
-			t.updateStatus()
-		case "org.freedesktop.DBus.Properties.PropertiesChanged":
-			if !shouldUpdateResolvedServerSet(signal) {
+		var restarted bool
+		if signal.Name == "org.freedesktop.DBus.NameOwnerChanged" {
+			if len(signal.Body) != 3 || signal.Body[2].(string) == "" {
 				continue
+			} else {
+				restarted = true
 			}
+		}
+		if restarted {
 			t.updateStatus()
 		}
 	}
 }

 func (t *DBusResolvedResolver) updateStatus() {
-	serverSet, err := t.checkResolved(context.Background())
-	oldServerSet := t.savedServerSet.Swap(serverSet)
-	if oldServerSet != nil {
-		_ = oldServerSet.Close()
-	}
+	dbusObject, err := t.checkResolved(context.Background())
+	oldValue := t.resoledObject.Swap(dbusObject)
 	if err != nil {
 		var dbusErr dbus.Error
-		if !errors.As(err, &dbusErr) || dbusErr.Name != "org.freedesktop.DBus.Error.NameHasNoOwner" {
+		if !errors.As(err, &dbusErr) || dbusErr.Name != "org.freedesktop.DBus.Error.NameHasNoOwnerCould" {
 			t.logger.Debug(E.Cause(err, "systemd-resolved service unavailable"))
 		}
-		if oldServerSet != nil {
+		if oldValue != nil {
 			t.logger.Debug("systemd-resolved service is gone")
 		}
 		return
-	} else if oldServerSet == nil {
+	} else if oldValue == nil {
 		t.logger.Debug("using systemd-resolved service as resolver")
 	}
 }

-func (t *DBusResolvedResolver) exchangeServerSet(ctx context.Context, message *mDNS.Msg, serverSet *resolvedServerSet) (*mDNS.Msg, error) {
-	if serverSet == nil || len(serverSet.servers) == 0 {
-		return nil, E.New("link has no DNS servers configured")
-	}
-	var lastError error
-	for _, server := range serverSet.servers {
-		response, err := server.primaryTransport.Exchange(ctx, message)
-		if err != nil && server.fallbackTransport != nil {
-			response, err = server.fallbackTransport.Exchange(ctx, message)
-		}
-		if err != nil {
-			lastError = err
-			continue
-		}
-		return response, nil
-	}
-	return nil, lastError
-}
-
-func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*resolvedServerSet, error) {
+func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*ResolvedObject, error) {
 	dbusObject := t.systemBus.Object("org.freedesktop.resolve1", "/org/freedesktop/resolve1")
 	err := dbusObject.Call("org.freedesktop.DBus.Peer.Ping", 0).Err
 	if err != nil {
@@ -249,19 +220,16 @@ func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*resolvedServ
 	if linkObject == nil {
 		return nil, E.New("missing link object for default interface")
 	}
-	dnsOverTLSMode, err := loadResolvedLinkDNSOverTLS(linkObject)
+	dnsProp, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNS")
 	if err != nil {
 		return nil, err
 	}
-	linkDNSEx, err := loadResolvedLinkDNSEx(linkObject)
+	var linkDNS []resolved.LinkDNS
+	err = dnsProp.Store(&linkDNS)
 	if err != nil {
 		return nil, err
 	}
-	linkDNS, err := loadResolvedLinkDNS(linkObject)
-	if err != nil {
-		return nil, err
-	}
-	if len(linkDNSEx) == 0 && len(linkDNS) == 0 {
+	if len(linkDNS) == 0 {
 		for _, inbound := range service.FromContext[adapter.InboundManager](t.ctx).Inbounds() {
 			if inbound.Type() == C.TypeTun {
 				return nil, E.New("No appropriate name servers or networks for name found")
@@ -269,233 +237,12 @@ func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*resolvedServ
 		}
 		return nil, E.New("link has no DNS servers configured")
 	}
-	serverDialer, err := dialer.NewDefault(t.ctx, option.DialerOptions{
-		BindInterface:      defaultInterface.Name,
-		UDPFragmentDefault: true,
-	})
-	if err != nil {
-		return nil, err
-	}
-	var serverSpecifications []resolvedServerSpecification
-	if len(linkDNSEx) > 0 {
-		for _, entry := range linkDNSEx {
-			serverSpecification, loaded := buildResolvedServerSpecification(defaultInterface.Name, entry.Address, entry.Port, entry.Name)
-			if !loaded {
-				continue
-			}
-			serverSpecifications = append(serverSpecifications, serverSpecification)
-		}
-	} else {
-		for _, entry := range linkDNS {
-			serverSpecification, loaded := buildResolvedServerSpecification(defaultInterface.Name, entry.Address, 0, "")
-			if !loaded {
-				continue
-			}
-			serverSpecifications = append(serverSpecifications, serverSpecification)
-		}
-	}
-	if len(serverSpecifications) == 0 {
-		return nil, E.New("no valid DNS servers on link")
-	}
-	serverSet := &resolvedServerSet{
-		servers: make([]resolvedServer, 0, len(serverSpecifications)),
-	}
-	for _, serverSpecification := range serverSpecifications {
-		server, createErr := t.createResolvedServer(serverDialer, dnsOverTLSMode, serverSpecification)
-		if createErr != nil {
-			_ = serverSet.Close()
-			return nil, createErr
-		}
-		serverSet.servers = append(serverSet.servers, server)
-	}
-	return serverSet, nil
-}
-
-func (t *DBusResolvedResolver) createResolvedServer(serverDialer N.Dialer, dnsOverTLSMode string, serverSpecification resolvedServerSpecification) (resolvedServer, error) {
-	if dnsOverTLSMode == "yes" {
-		primaryTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, true)
-		if err != nil {
-			return resolvedServer{}, err
-		}
-		return resolvedServer{
-			primaryTransport: primaryTransport,
-		}, nil
-	}
-	if dnsOverTLSMode == "opportunistic" {
-		primaryTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, true)
-		if err != nil {
-			return resolvedServer{}, err
-		}
-		fallbackTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, false)
-		if err != nil {
-			_ = primaryTransport.Close()
-			return resolvedServer{}, err
-		}
-		return resolvedServer{
-			primaryTransport:  primaryTransport,
-			fallbackTransport: fallbackTransport,
-		}, nil
-	}
-	primaryTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, false)
-	if err != nil {
-		return resolvedServer{}, err
-	}
-	return resolvedServer{
-		primaryTransport: primaryTransport,
+	return &ResolvedObject{
+		BusObject:      dbusObject,
+		InterfaceIndex: int32(defaultInterface.Index),
 	}, nil
 }

-func (t *DBusResolvedResolver) createResolvedTransport(serverDialer N.Dialer, serverSpecification resolvedServerSpecification, useTLS bool) (adapter.DNSTransport, error) {
-	serverAddress := M.SocksaddrFrom(serverSpecification.address, resolvedServerPort(serverSpecification.port, useTLS))
-	if useTLS {
-		tlsAddress := serverSpecification.address
-		if tlsAddress.Zone() != "" {
-			tlsAddress = tlsAddress.WithZone("")
-		}
-		serverName := serverSpecification.serverName
-		if serverName == "" {
-			serverName = tlsAddress.String()
-		}
-		tlsConfig, err := tls.NewClient(t.ctx, t.logger, tlsAddress.String(), option.OutboundTLSOptions{
-			Enabled:    true,
-			ServerName: serverName,
-		})
-		if err != nil {
-			return nil, err
-		}
-		serverTransport := dnsTransport.NewTLSRaw(t.logger, dns.NewTransportAdapter(C.DNSTypeTLS, "", nil), serverDialer, serverAddress, tlsConfig)
-		err = serverTransport.Start(adapter.StartStateStart)
-		if err != nil {
-			_ = serverTransport.Close()
-			return nil, err
-		}
-		return serverTransport, nil
-	}
-	serverTransport := dnsTransport.NewUDPRaw(t.logger, dns.NewTransportAdapter(C.DNSTypeUDP, "", nil), serverDialer, serverAddress)
-	err := serverTransport.Start(adapter.StartStateStart)
-	if err != nil {
-		_ = serverTransport.Close()
-		return nil, err
-	}
-	return serverTransport, nil
-}
-
-func (s *resolvedServerSet) Close() error {
-	var errors []error
-	for _, server := range s.servers {
-		errors = append(errors, server.primaryTransport.Close())
-		if server.fallbackTransport != nil {
-			errors = append(errors, server.fallbackTransport.Close())
-		}
-	}
-	return E.Errors(errors...)
-}
-
-func buildResolvedServerSpecification(interfaceName string, rawAddress []byte, port uint16, serverName string) (resolvedServerSpecification, bool) {
-	address, loaded := netip.AddrFromSlice(rawAddress)
-	if !loaded {
-		return resolvedServerSpecification{}, false
-	}
-	if address.Is6() && address.IsLinkLocalUnicast() && address.Zone() == "" {
-		address = address.WithZone(interfaceName)
-	}
-	return resolvedServerSpecification{
-		address:    address,
-		port:       port,
-		serverName: serverName,
-	}, true
-}
-
-func resolvedServerPort(port uint16, useTLS bool) uint16 {
-	if port > 0 {
-		return port
-	}
-	if useTLS {
-		return 853
-	}
-	return 53
-}
-
-func loadResolvedLinkDNS(linkObject dbus.BusObject) ([]resolved.LinkDNS, error) {
-	dnsProperty, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNS")
-	if err != nil {
-		if isResolvedUnknownPropertyError(err) {
-			return nil, nil
-		}
-		return nil, err
-	}
-	var linkDNS []resolved.LinkDNS
-	err = dnsProperty.Store(&linkDNS)
-	if err != nil {
-		return nil, err
-	}
-	return linkDNS, nil
-}
-
-func loadResolvedLinkDNSEx(linkObject dbus.BusObject) ([]resolved.LinkDNSEx, error) {
-	dnsProperty, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNSEx")
-	if err != nil {
-		if isResolvedUnknownPropertyError(err) {
-			return nil, nil
-		}
-		return nil, err
-	}
-	var linkDNSEx []resolved.LinkDNSEx
-	err = dnsProperty.Store(&linkDNSEx)
-	if err != nil {
-		return nil, err
-	}
-	return linkDNSEx, nil
-}
-
-func loadResolvedLinkDNSOverTLS(linkObject dbus.BusObject) (string, error) {
-	dnsOverTLSProperty, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNSOverTLS")
-	if err != nil {
-		if isResolvedUnknownPropertyError(err) {
-			return "", nil
-		}
-		return "", err
-	}
-	var dnsOverTLSMode string
-	err = dnsOverTLSProperty.Store(&dnsOverTLSMode)
-	if err != nil {
-		return "", err
-	}
-	return dnsOverTLSMode, nil
-}
-
-func isResolvedUnknownPropertyError(err error) bool {
-	var dbusError dbus.Error
-	return errors.As(err, &dbusError) && dbusError.Name == "org.freedesktop.DBus.Error.UnknownProperty"
-}
-
-func shouldUpdateResolvedServerSet(signal *dbus.Signal) bool {
-	if len(signal.Body) != 3 {
-		return true
-	}
-	changedProperties, loaded := signal.Body[1].(map[string]dbus.Variant)
-	if !loaded {
-		return true
-	}
-	for propertyName := range changedProperties {
-		switch propertyName {
-		case "DNS", "DNSEx", "DNSOverTLS":
-			return true
-		}
-	}
-	invalidatedProperties, loaded := signal.Body[2].([]string)
-	if !loaded {
-		return true
-	}
-	for _, propertyName := range invalidatedProperties {
-		switch propertyName {
-		case "DNS", "DNSEx", "DNSOverTLS":
-			return true
-		}
-	}
-	return false
-}
-
 func (t *DBusResolvedResolver) updateDefaultInterface(defaultInterface *control.Interface, flags int) {
 	t.updateStatus()
 }
--- a/dns/transport/local/resolv_windows.go
+++ b/dns/transport/local/resolv_windows.go
@@ -5,7 +5,6 @@ import (
 	"net"
 	"net/netip"
 	"os"
-	"strconv"
 	"syscall"
 	"time"
 	"unsafe"
@@ -64,9 +63,6 @@ func dnsReadConfig(ctx context.Context, _ string) *dnsConfig {
 					continue
 				}
 				dnsServerAddr = netip.AddrFrom16(sockaddr.Addr)
-				if sockaddr.ZoneId != 0 {
-					dnsServerAddr = dnsServerAddr.WithZone(strconv.FormatInt(int64(sockaddr.ZoneId), 10))
-				}
 			default:
 				// Unexpected type.
 				continue
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,93 +2,10 @@
 icon: material/alert-decagram
 ---

-#### 1.14.0-alpha.2
-
-* Add OpenWrt and Alpine APK packages to release **1**
-* Backport to macOS 10.13 High Sierra **2**
-* OCM service: Add WebSocket support for Responses API **3**
-* Fixes and improvements
-
-**1**:
-
-Alpine APK files use `linux` in the filename to distinguish from OpenWrt APKs which use the `openwrt` prefix:
-
- OpenWrt: `sing-box_{version}_openwrt_{architecture}.apk`
- Alpine: `sing-box_{version}_linux_{architecture}.apk`
-
-**2**:
-
-Legacy macOS binaries (with `-legacy-macos-10.13` suffix) now support
-macOS 10.13 High Sierra, built using Go 1.25 with patches
-from [SagerNet/go](https://github.com/SagerNet/go).
-
-**3**:
-
-See [OCM](/configuration/service/ocm).
-
-#### 1.13.3-beta.1
-
-* Add OpenWrt and Alpine APK packages to release **1**
-* Backport to macOS 10.13 High Sierra **2**
-* OCM service: Add WebSocket support for Responses API **3**
-* Fixes and improvements
-
-**1**:
-
-Alpine APK files use `linux` in the filename to distinguish from OpenWrt APKs which use the `openwrt` prefix:
-
- OpenWrt: `sing-box_{version}_openwrt_{architecture}.apk`
- Alpine: `sing-box_{version}_linux_{architecture}.apk`
-
-**2**:
-
-Legacy macOS binaries (with `-legacy-macos-10.13` suffix) now support
-macOS 10.13 High Sierra, built using Go 1.25 with patches
-from [SagerNet/go](https://github.com/SagerNet/go).
-
-**3**:
-
-See [OCM](/configuration/service/ocm).
-
-#### 1.14.0-alpha.1
-
-* Add `source_mac_address` and `source_hostname` rule items **1**
-* Add `include_mac_address` and `exclude_mac_address` TUN options **2**
-* Update NaiveProxy to 145.0.7632.159 **3**
-* Fixes and improvements
-
-**1**:
-
-New rule items for matching LAN devices by MAC address and hostname via neighbor resolution.
-Supported on Linux, macOS, or in graphical clients on Android and macOS.
-
-See [Route Rule](/configuration/route/rule/#source_mac_address), [DNS Rule](/configuration/dns/rule/#source_mac_address) and [Neighbor Resolution](/configuration/shared/neighbor/).
-
-**2**:
-
-Limit or exclude devices from TUN routing by MAC address.
-Only supported on Linux with `auto_route` and `auto_redirect` enabled.
-
-See [TUN](/configuration/inbound/tun/#include_mac_address).
-
-**3**:
-
-This is not an official update from NaiveProxy. Instead, it's a Chromium codebase update maintained by Project S.
-
-#### 1.13.2
+#### 1.13.0-rc.3

 * Fixes and improvements

-#### 1.13.1
-
-* Fixes and improvements
-
-#### 1.12.14
-
-* Backport fixes
-
-#### 1.13.0
-
 Important changes since 1.12:

 * Add NaiveProxy outbound **1**
@@ -105,7 +22,7 @@ Important changes since 1.12:
 * Improve `local` DNS server **12**
 * Add `disable_tcp_keep_alive`, `tcp_keep_alive` and `tcp_keep_alive_interval` options for listen and dial fields **13**
 * Add `bind_address_no_port` option for dial fields **14**
-* Add system interface, relay server and advertise tags options for Tailscale endpoint **15**
+* Add system interface and relay server options for Tailscale endpoint **15**
 * Add Claude Code Multiplexer service **16**
 * Add OpenAI Codex Multiplexer service **17**
 * Apple/Android: Refactor GUI
@@ -219,7 +136,6 @@ See [Dial Fields](/configuration/shared/dial/#bind_address_no_port).

 Tailscale endpoint can now create a system TUN interface to handle traffic directly.
 New `relay_server_port` and `relay_server_static_endpoints` options for incoming relay connections.
-New `advertise_tags` option for ACL tag advertisement.

 See [Tailscale endpoint](/configuration/endpoint/tailscale/).

@@ -253,22 +169,6 @@ Also, documentation has been updated with a warning about uTLS fingerprinting vu
 uTLS is not recommended for censorship circumvention due to fundamental architectural limitations;
 use NaiveProxy instead for TLS fingerprint resistance.

-#### 1.12.23
-
-* Fixes and improvements
-
-#### 1.13.0-rc.5
-
-* Add `mipsle`, `mips64le`, `riscv64` and `loong64` support for NaiveProxy outbound
-
-#### 1.12.22
-
-* Fixes and improvements
-
-#### 1.13.0-rc.3
-
-* Fixes and improvements
-
 #### 1.12.21

 * Fixes and improvements
--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@@ -2,11 +2,6 @@
 icon: material/alert-decagram
 ---

-!!! quote "Changes in sing-box 1.14.0"
-
-    :material-plus: [source_mac_address](#source_mac_address)  
-    :material-plus: [source_hostname](#source_hostname)
-
 !!! quote "Changes in sing-box 1.13.0"

    :material-plus: [interface_address](#interface_address)  
@@ -154,12 +149,6 @@ icon: material/alert-decagram
        "default_interface_address": [
          "2000::/3"
        ],
-        "source_mac_address": [
-          "00:11:22:33:44:55"
-        ],
-        "source_hostname": [
-          "my-device"
-        ],
        "wifi_ssid": [
          "My WIFI"
        ],
@@ -419,26 +408,6 @@ Matches network interface (same values as `network_type`) address.

 Match default interface address.

-#### source_mac_address
-
-!!! question "Since sing-box 1.14.0"
-
-!!! quote ""
-
-    Only supported on Linux, macOS, or in graphical clients on Android and macOS. See [Neighbor Resolution](/configuration/shared/neighbor/) for setup.
-
-Match source device MAC address.
-
-#### source_hostname
-
-!!! question "Since sing-box 1.14.0"
-
-!!! quote ""
-
-    Only supported on Linux, macOS, or in graphical clients on Android and macOS. See [Neighbor Resolution](/configuration/shared/neighbor/) for setup.
-
-Match source device hostname from DHCP leases.
-
 #### wifi_ssid

 !!! quote ""
--- a/docs/configuration/dns/rule.zh.md
+++ b/docs/configuration/dns/rule.zh.md
@@ -2,11 +2,6 @@
 icon: material/alert-decagram
 ---

-!!! quote "sing-box 1.14.0 中的更改"
-
-    :material-plus: [source_mac_address](#source_mac_address)  
-    :material-plus: [source_hostname](#source_hostname)
-
 !!! quote "sing-box 1.13.0 中的更改"

    :material-plus: [interface_address](#interface_address)  
@@ -154,12 +149,6 @@ icon: material/alert-decagram
        "default_interface_address": [
          "2000::/3"
        ],
-        "source_mac_address": [
-          "00:11:22:33:44:55"
-        ],
-        "source_hostname": [
-          "my-device"
-        ],
        "wifi_ssid": [
          "My WIFI"
        ],
@@ -418,26 +407,6 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

 匹配默认接口地址。

-#### source_mac_address
-
-!!! question "自 sing-box 1.14.0 起"
-
-!!! quote ""
-
-    仅支持 Linux、macOS，或在 Android 和 macOS 图形客户端中支持。参阅 [邻居解析](/configuration/shared/neighbor/) 了解设置方法。
-
-匹配源设备 MAC 地址。
-
-#### source_hostname
-
-!!! question "自 sing-box 1.14.0 起"
-
-!!! quote ""
-
-    仅支持 Linux、macOS，或在 Android 和 macOS 图形客户端中支持。参阅 [邻居解析](/configuration/shared/neighbor/) 了解设置方法。
-
-匹配源设备从 DHCP 租约获取的主机名。
-
 #### wifi_ssid

 !!! quote ""
--- a/docs/configuration/endpoint/tailscale.md
+++ b/docs/configuration/endpoint/tailscale.md
@@ -8,8 +8,7 @@ icon: material/new-box
    :material-plus: [relay_server_static_endpoints](#relay_server_static_endpoints)  
    :material-plus: [system_interface](#system_interface)  
    :material-plus: [system_interface_name](#system_interface_name)  
-    :material-plus: [system_interface_mtu](#system_interface_mtu)  
-    :material-plus: [advertise_tags](#advertise_tags)
+    :material-plus: [system_interface_mtu](#system_interface_mtu)

 !!! question "Since sing-box 1.12.0"

@@ -29,7 +28,6 @@ icon: material/new-box
  "exit_node_allow_lan_access": false,
  "advertise_routes": [],
  "advertise_exit_node": false,
-  "advertise_tags": [],
  "relay_server_port": 0,
  "relay_server_static_endpoints": [],
  "system_interface": false,
@@ -104,14 +102,6 @@ Example: `["192.168.1.1/24"]`

 Indicates whether the node should advertise itself as an exit node.

-#### advertise_tags
-
-!!! question "Since sing-box 1.13.0"
-
-Tags to advertise for this node, for ACL enforcement purposes.
-
-Example: `["tag:server"]`
-
 #### relay_server_port

 !!! question "Since sing-box 1.13.0"
--- a/docs/configuration/endpoint/tailscale.zh.md
+++ b/docs/configuration/endpoint/tailscale.zh.md
@@ -8,8 +8,7 @@ icon: material/new-box
    :material-plus: [relay_server_static_endpoints](#relay_server_static_endpoints)  
    :material-plus: [system_interface](#system_interface)  
    :material-plus: [system_interface_name](#system_interface_name)  
-    :material-plus: [system_interface_mtu](#system_interface_mtu)  
-    :material-plus: [advertise_tags](#advertise_tags)
+    :material-plus: [system_interface_mtu](#system_interface_mtu)

 !!! question "自 sing-box 1.12.0 起"

@@ -29,7 +28,6 @@ icon: material/new-box
  "exit_node_allow_lan_access": false,
  "advertise_routes": [],
  "advertise_exit_node": false,
-  "advertise_tags": [],
  "relay_server_port": 0,
  "relay_server_static_endpoints": [],
  "system_interface": false,
@@ -103,14 +101,6 @@ icon: material/new-box

 指示节点是否应将自己通告为出口节点。

-#### advertise_tags
-
-!!! question "自 sing-box 1.13.0 起"
-
-为此节点通告的标签，用于 ACL 执行。
-
-示例：`["tag:server"]`
-
 #### relay_server_port

 !!! question "自 sing-box 1.13.0 起"
--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -2,15 +2,6 @@
 icon: material/new-box
 ---

-!!! quote "Changes in sing-box 1.14.0"
-
-:material-plus: [include_mac_address](#include_mac_address)
-:material-plus: [exclude_mac_address](#exclude_mac_address)
-
-!!! quote "Changes in sing-box 1.13.3"
-
-    :material-alert: [strict_route](#strict_route)
-
 !!! quote "Changes in sing-box 1.13.0"

    :material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)  
@@ -134,12 +125,6 @@ icon: material/new-box
  "exclude_package": [
    "com.android.captiveportallogin"
  ],
-  "include_mac_address": [
-    "00:11:22:33:44:55"
-  ],
-  "exclude_mac_address": [
-    "66:77:88:99:aa:bb"
-  ],
  "platform": {
    "http_proxy": {
      "enabled": false,
@@ -363,9 +348,6 @@ Enforce strict routing rules when `auto_route` is enabled:

 * Let unsupported network unreachable
 * For legacy reasons, when neither `strict_route` nor `auto_redirect` are enabled, all ICMP traffic will not go through TUN.
-* When `auto_redirect` is enabled, `strict_route` also affects `SO_BINDTODEVICE` traffic:
-    * Enabled: `SO_BINDTODEVICE` traffic is redirected through sing-box.
-    * Disabled: `SO_BINDTODEVICE` traffic bypasses sing-box.

 *In Windows*:

@@ -566,30 +548,6 @@ Limit android packages in route.

 Exclude android packages in route.

-#### include_mac_address
-
-!!! question "Since sing-box 1.14.0"
-
-!!! quote ""
-
-    Only supported on Linux with `auto_route` and `auto_redirect` enabled.
-
-Limit MAC addresses in route. Not limited by default.
-
-Conflict with `exclude_mac_address`.
-
-#### exclude_mac_address
-
-!!! question "Since sing-box 1.14.0"
-
-!!! quote ""
-
-    Only supported on Linux with `auto_route` and `auto_redirect` enabled.
-
-Exclude MAC addresses in route.
-
-Conflict with `include_mac_address`.
-
 #### platform

 Platform-specific settings, provided by client applications.
--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -2,15 +2,6 @@
 icon: material/new-box
 ---

-!!! quote "sing-box 1.14.0 中的更改"
-
-    :material-plus: [include_mac_address](#include_mac_address)
-    :material-plus: [exclude_mac_address](#exclude_mac_address)
-
-!!! quote "sing-box 1.13.3 中的更改"
-
-    :material-alert: [strict_route](#strict_route)
-
 !!! quote "sing-box 1.13.0 中的更改"

    :material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)  
@@ -135,12 +126,6 @@ icon: material/new-box
  "exclude_package": [
    "com.android.captiveportallogin"
  ],
-  "include_mac_address": [
-    "00:11:22:33:44:55"
-  ],
-  "exclude_mac_address": [
-    "66:77:88:99:aa:bb"
-  ],
  "platform": {
    "http_proxy": {
      "enabled": false,
@@ -362,9 +347,6 @@ tun 接口的 IPv6 前缀。

 * 使不支持的网络不可达。
 * 出于历史遗留原因，当未启用 `strict_route` 或 `auto_redirect` 时，所有 ICMP 流量将不会通过 TUN。
-* 当启用 `auto_redirect` 时，`strict_route` 也影响 `SO_BINDTODEVICE` 流量：
-    * 启用：`SO_BINDTODEVICE` 流量被重定向通过 sing-box。
-    * 禁用：`SO_BINDTODEVICE` 流量绕过 sing-box。

 *在 Windows 中*：

@@ -554,30 +536,6 @@ TCP/IP 栈。

 排除路由的 Android 应用包名。

-#### include_mac_address
-
-!!! question "自 sing-box 1.14.0 起"
-
-!!! quote ""
-
-    仅支持 Linux，且需要 `auto_route` 和 `auto_redirect` 已启用。
-
-限制被路由的 MAC 地址。默认不限制。
-
-与 `exclude_mac_address` 冲突。
-
-#### exclude_mac_address
-
-!!! question "自 sing-box 1.14.0 起"
-
-!!! quote ""
-
-    仅支持 Linux，且需要 `auto_route` 和 `auto_redirect` 已启用。
-
-排除路由的 MAC 地址。
-
-与 `include_mac_address` 冲突。
-
 #### platform

 平台特定的设置，由客户端应用提供。
--- a/docs/configuration/outbound/naive.md
+++ b/docs/configuration/outbound/naive.md
@@ -34,12 +34,10 @@ icon: material/new-box

    | Build Variant | Platforms | Description |
    |---------------|-----------|-------------|
-    | (no suffix) | Linux amd64/arm64 | purego build, `libcronet.so` included |
-    | `-glibc` | Linux 386/amd64/arm/arm64/mipsle/mips64le/riscv64/loong64 | CGO build, dynamically linked with glibc, requires glibc >= 2.31 (loong64: >= 2.36) |
-    | `-musl` | Linux 386/amd64/arm/arm64/mipsle/riscv64/loong64 | CGO build, statically linked with musl |
-    | (no suffix) | Windows amd64/arm64 | purego build, `libcronet.dll` included |
-
-    For Linux, choose the glibc or musl variant based on your distribution's libc type.
+    | (default)     | Linux amd64/arm64 | purego build with `libcronet.so` included |
+    | `-glibc`      | Linux 386/amd64/arm/arm64 | CGO build dynamically linked with glibc, requires glibc >= 2.31 |
+    | `-musl`       | Linux 386/amd64/arm/arm64 | CGO build statically linked with musl, no system requirements |
+    | (default)     | Windows amd64/arm64 | purego build with `libcronet.dll` included |

    **Runtime Requirements:**

--- a/docs/configuration/outbound/naive.zh.md
+++ b/docs/configuration/outbound/naive.zh.md
@@ -32,14 +32,12 @@ icon: material/new-box

    **官方发布版本区别：**

-    | 构建变体 | 平台 | 说明 |
-    |---|---|---|
-    | (无后缀) | Linux amd64/arm64 | purego 构建，包含 `libcronet.so` |
-    | `-glibc` | Linux 386/amd64/arm/arm64/mipsle/mips64le/riscv64/loong64 | CGO 构建，动态链接 glibc，要求 glibc >= 2.31（loong64: >= 2.36） |
-    | `-musl` | Linux 386/amd64/arm/arm64/mipsle/riscv64/loong64 | CGO 构建，静态链接 musl |
-    | (无后缀) | Windows amd64/arm64 | purego 构建，包含 `libcronet.dll` |
-
-    对于 Linux，请根据发行版的 libc 类型选择 glibc 或 musl 变体。
+    | 构建变体      | 平台                     | 说明                                       |
+    |-----------|------------------------|------------------------------------------|
+    | (默认)      | Linux amd64/arm64      | purego 构建，包含 `libcronet.so`              |
+    | `-glibc`  | Linux 386/amd64/arm/arm64 | CGO 构建，动态链接 glibc，要求 glibc >= 2.31       |
+    | `-musl`   | Linux 386/amd64/arm/arm64 | CGO 构建，静态链接 musl，无系统要求                   |
+    | (默认)      | Windows amd64/arm64 | purego 构建，包含 `libcronet.dll`             |

    **运行时要求：**

--- a/docs/configuration/route/index.md
+++ b/docs/configuration/route/index.md
@@ -4,11 +4,6 @@ icon: material/alert-decagram

 # Route

-!!! quote "Changes in sing-box 1.14.0"
-
-    :material-plus: [find_neighbor](#find_neighbor)  
-    :material-plus: [dhcp_lease_files](#dhcp_lease_files)
-
 !!! quote "Changes in sing-box 1.12.0"

    :material-plus: [default_domain_resolver](#default_domain_resolver)  
@@ -40,9 +35,6 @@ icon: material/alert-decagram
    "override_android_vpn": false,
    "default_interface": "",
    "default_mark": 0,
-    "find_process": false,
-    "find_neighbor": false,
-    "dhcp_lease_files": [],
    "default_domain_resolver": "", // or {}
    "default_network_strategy": "",
    "default_network_type": [],
@@ -115,38 +107,6 @@ Set routing mark by default.

 Takes no effect if `outbound.routing_mark` is set.

-#### find_process
-
-!!! quote ""
-
-    Only supported on Linux, Windows, and macOS.
-
-Enable process search for logging when no `process_name`, `process_path`, `package_name`, `user` or `user_id` rules exist.
-
-#### find_neighbor
-
-!!! question "Since sing-box 1.14.0"
-
-!!! quote ""
-
-    Only supported on Linux and macOS.
-
-Enable neighbor resolution for logging when no `source_mac_address` or `source_hostname` rules exist.
-
-See [Neighbor Resolution](/configuration/shared/neighbor/) for setup.
-
-#### dhcp_lease_files
-
-!!! question "Since sing-box 1.14.0"
-
-!!! quote ""
-
-    Only supported on Linux and macOS.
-
-Custom DHCP lease file paths for hostname and MAC address resolution.
-
-Automatically detected from common DHCP servers (dnsmasq, odhcpd, ISC dhcpd, Kea) if empty.
-
 #### default_domain_resolver

 !!! question "Since sing-box 1.12.0"
--- a/docs/configuration/route/index.zh.md
+++ b/docs/configuration/route/index.zh.md
@@ -4,11 +4,6 @@ icon: material/alert-decagram

 # 路由

-!!! quote "sing-box 1.14.0 中的更改"
-
-    :material-plus: [find_neighbor](#find_neighbor)  
-    :material-plus: [dhcp_lease_files](#dhcp_lease_files)
-
 !!! quote "sing-box 1.12.0 中的更改"

    :material-plus: [default_domain_resolver](#default_domain_resolver)  
@@ -42,9 +37,6 @@ icon: material/alert-decagram
    "override_android_vpn": false,
    "default_interface": "",
    "default_mark": 0,
-    "find_process": false,
-    "find_neighbor": false,
-    "dhcp_lease_files": [],
    "default_network_strategy": "",
    "default_fallback_delay": ""
  }
@@ -114,38 +106,6 @@ icon: material/alert-decagram

 如果设置了 `outbound.routing_mark` 设置，则不生效。

-#### find_process
-
-!!! quote ""
-
-    仅支持 Linux、Windows 和 macOS。
-
-在没有 `process_name`、`process_path`、`package_name`、`user` 或 `user_id` 规则时启用进程搜索以输出日志。
-
-#### find_neighbor
-
-!!! question "自 sing-box 1.14.0 起"
-
-!!! quote ""
-
-    仅支持 Linux 和 macOS。
-
-在没有 `source_mac_address` 或 `source_hostname` 规则时启用邻居解析以输出日志。
-
-参阅 [邻居解析](/configuration/shared/neighbor/) 了解设置方法。
-
-#### dhcp_lease_files
-
-!!! question "自 sing-box 1.14.0 起"
-
-!!! quote ""
-
-    仅支持 Linux 和 macOS。
-
-用于主机名和 MAC 地址解析的自定义 DHCP 租约文件路径。
-
-为空时自动从常见 DHCP 服务器（dnsmasq、odhcpd、ISC dhcpd、Kea）检测。
-
 #### default_domain_resolver

 !!! question "自 sing-box 1.12.0 起"
--- a/docs/configuration/route/rule.md
+++ b/docs/configuration/route/rule.md
@@ -2,11 +2,6 @@
 icon: material/new-box
 ---

-!!! quote "Changes in sing-box 1.14.0"
-
-    :material-plus: [source_mac_address](#source_mac_address)  
-    :material-plus: [source_hostname](#source_hostname)
-
 !!! quote "Changes in sing-box 1.13.0"

    :material-plus: [interface_address](#interface_address)  
@@ -164,12 +159,6 @@ icon: material/new-box
          "tailscale",
          "wireguard"
        ],
-        "source_mac_address": [
-          "00:11:22:33:44:55"
-        ],
-        "source_hostname": [
-          "my-device"
-        ],
        "rule_set": [
          "geoip-cn",
          "geosite-cn"
@@ -460,26 +449,6 @@ Match specified outbounds' preferred routes.
 | `tailscale` | Match MagicDNS domains and peers' allowed IPs |
 | `wireguard` | Match peers's allowed IPs                     |

-#### source_mac_address
-
-!!! question "Since sing-box 1.14.0"
-
-!!! quote ""
-
-    Only supported on Linux, macOS, or in graphical clients on Android and macOS. See [Neighbor Resolution](/configuration/shared/neighbor/) for setup.
-
-Match source device MAC address.
-
-#### source_hostname
-
-!!! question "Since sing-box 1.14.0"
-
-!!! quote ""
-
-    Only supported on Linux, macOS, or in graphical clients on Android and macOS. See [Neighbor Resolution](/configuration/shared/neighbor/) for setup.
-
-Match source device hostname from DHCP leases.
-
 #### rule_set

 !!! question "Since sing-box 1.8.0"
--- a/docs/configuration/route/rule.zh.md
+++ b/docs/configuration/route/rule.zh.md
@@ -2,11 +2,6 @@
 icon: material/new-box
 ---

-!!! quote "sing-box 1.14.0 中的更改"
-
-    :material-plus: [source_mac_address](#source_mac_address)  
-    :material-plus: [source_hostname](#source_hostname)
-
 !!! quote "sing-box 1.13.0 中的更改"

    :material-plus: [interface_address](#interface_address)  
@@ -161,12 +156,6 @@ icon: material/new-box
          "tailscale",
          "wireguard"
        ],
-        "source_mac_address": [
-          "00:11:22:33:44:55"
-        ],
-        "source_hostname": [
-          "my-device"
-        ],
        "rule_set": [
          "geoip-cn",
          "geosite-cn"
@@ -457,26 +446,6 @@ icon: material/new-box
 | `tailscale` | 匹配 MagicDNS 域名和对端的 allowed IPs |
 | `wireguard` | 匹配对端的 allowed IPs              |

-#### source_mac_address
-
-!!! question "自 sing-box 1.14.0 起"
-
-!!! quote ""
-
-    仅支持 Linux、macOS，或在 Android 和 macOS 图形客户端中支持。参阅 [邻居解析](/configuration/shared/neighbor/) 了解设置方法。
-
-匹配源设备 MAC 地址。
-
-#### source_hostname
-
-!!! question "自 sing-box 1.14.0 起"
-
-!!! quote ""
-
-    仅支持 Linux、macOS，或在 Android 和 macOS 图形客户端中支持。参阅 [邻居解析](/configuration/shared/neighbor/) 了解设置方法。
-
-匹配源设备从 DHCP 租约获取的主机名。
-
 #### rule_set

 !!! question "自 sing-box 1.8.0 起"
--- a/docs/configuration/service/ccm.md
+++ b/docs/configuration/service/ccm.md
@@ -10,11 +10,6 @@ CCM (Claude Code Multiplexer) service is a multiplexing service that allows you

 It handles OAuth authentication with Claude's API on your local machine while allowing remote Claude Code to authenticate using Auth Tokens via the `ANTHROPIC_AUTH_TOKEN` environment variable.

-!!! quote "Changes in sing-box 1.14.0"
-
-    :material-plus: [credentials](#credentials)  
-    :material-alert: [users](#users)
-
 ### Structure

 ```json
@@ -24,7 +19,6 @@ It handles OAuth authentication with Claude's API on your local machine while al
  ... // Listen Fields

  "credential_path": "",
-  "credentials": [],
  "usages_path": "",
  "users": [],
  "headers": {},
@@ -51,77 +45,6 @@ On macOS, credentials are read from the system keychain first, then fall back to

 Refreshed tokens are automatically written back to the same location.

-When `credential_path` points to a file, the service can start before the file exists. The credential becomes available automatically after the file is created or updated, and becomes unavailable immediately if the file is later removed or becomes invalid.
-
-On macOS without an explicit `credential_path`, keychain changes are not watched. Automatic reload only applies to the credential file path.
-
-Conflict with `credentials`.
-
-#### credentials
-
-!!! question "Since sing-box 1.14.0"
-
-List of credential configurations for multi-credential mode.
-
-When set, top-level `credential_path`, `usages_path`, and `detour` are forbidden. Each user must specify a `credential` tag.
-
-Each credential has a `type` field (`default`, `balancer`, or `fallback`) and a required `tag` field.
-
-##### Default Credential
-
-```json
-{
-  "tag": "a",
-  "credential_path": "/path/to/.credentials.json",
-  "usages_path": "/path/to/usages.json",
-  "detour": "",
-  "reserve_5h": 20,
-  "reserve_weekly": 20
-}
-```
-
-A single OAuth credential file. The `type` field can be omitted (defaults to `default`). The service can start before the file exists, and reloads file updates automatically.
-
- `credential_path`: Path to the credentials file. Same defaults as top-level `credential_path`.
- `usages_path`: Optional usage tracking file for this credential.
- `detour`: Outbound tag for connecting to the Claude API with this credential.
- `reserve_5h`: Reserve threshold (1-99) for 5-hour window. Credential pauses at (100-N)% utilization.
- `reserve_weekly`: Reserve threshold (1-99) for weekly window. Credential pauses at (100-N)% utilization.
-
-##### Balancer Credential
-
-```json
-{
-  "tag": "pool",
-  "type": "balancer",
-  "strategy": "",
-  "credentials": ["a", "b"],
-  "poll_interval": "60s"
-}
-```
-
-Assigns sessions to default credentials based on the selected strategy. Sessions are sticky until the assigned credential hits a rate limit.
-
- `strategy`: Selection strategy. One of `least_used` `round_robin` `random`. `least_used` will be used by default.
- `credentials`: ==Required== List of default credential tags.
- `poll_interval`: How often to poll upstream usage API. Default `60s`.
-
-##### Fallback Credential
-
-```json
-{
-  "tag": "backup",
-  "type": "fallback",
-  "credentials": ["a", "b"],
-  "poll_interval": "30s"
-}
-```
-
-Uses credentials in order. Falls through to the next when the current one is exhausted.
-
- `credentials`: ==Required== Ordered list of default credential tags.
- `poll_interval`: How often to poll upstream usage API. Default `60s`.
-
 #### usages_path

 Path to the file for storing aggregated API usage statistics.
@@ -137,29 +60,13 @@ Statistics are organized by model, context window (200k standard vs 1M premium),

 The statistics file is automatically saved every minute and upon service shutdown.

-Conflict with `credentials`. In multi-credential mode, use `usages_path` on individual default credentials.
-
 #### users

 List of authorized users for token authentication.

 If empty, no authentication is required.

-Object format:
-
-```json
-{
-  "name": "",
-  "token": "",
-  "credential": ""
-}
-```
-
-Object fields:
-
- `name`: Username identifier for tracking purposes.
- `token`: Bearer token for authentication. Claude Code authenticates by setting the `ANTHROPIC_AUTH_TOKEN` environment variable to their token value.
- `credential`: Credential tag to use for this user. ==Required== when `credentials` is set.
+Claude Code authenticates by setting the `ANTHROPIC_AUTH_TOKEN` environment variable to their token value.

 #### headers

@@ -171,93 +78,29 @@ These headers will override any existing headers with the same name.

 Outbound tag for connecting to the Claude API.

-Conflict with `credentials`. In multi-credential mode, use `detour` on individual default credentials.
-
 #### tls

 TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

 ### Example

-#### Server
-
 ```json
 {
  "services": [
    {
      "type": "ccm",
-      "listen": "0.0.0.0",
-      "listen_port": 8080,
-      "usages_path": "./claude-usages.json",
-      "users": [
-        {
-          "name": "alice",
-          "token": "ak-ccm-hello-world"
-        },
-        {
-          "name": "bob",
-          "token": "ak-ccm-hello-bob"
-        }
-      ]
+      "listen": "127.0.0.1",
+      "listen_port": 8080
    }
  ]
 }
 ```

-#### Client
+Connect to the CCM service:

 ```bash
 export ANTHROPIC_BASE_URL="http://127.0.0.1:8080"
-export ANTHROPIC_AUTH_TOKEN="ak-ccm-hello-world"
+export ANTHROPIC_AUTH_TOKEN="sk-ant-ccm-auth-token-not-required-in-this-context"

 claude
 ```
-
-### Example with Multiple Credentials
-
-#### Server
-
-```json
-{
-  "services": [
-    {
-      "type": "ccm",
-      "listen": "0.0.0.0",
-      "listen_port": 8080,
-      "credentials": [
-        {
-          "tag": "a",
-          "credential_path": "/home/user/.claude-a/.credentials.json",
-          "usages_path": "/data/usages-a.json",
-          "reserve_5h": 20,
-          "reserve_weekly": 20
-        },
-        {
-          "tag": "b",
-          "credential_path": "/home/user/.claude-b/.credentials.json",
-          "reserve_5h": 10,
-          "reserve_weekly": 10
-        },
-        {
-          "tag": "pool",
-          "type": "balancer",
-          "poll_interval": "60s",
-          "credentials": ["a", "b"]
-        }
-      ],
-      "users": [
-        {
-          "name": "alice",
-          "token": "ak-ccm-hello-world",
-          "credential": "pool"
-        },
-        {
-          "name": "bob",
-          "token": "ak-ccm-hello-bob",
-          "credential": "a"
-        }
-      ]
-    }
-  ]
-}
-```
--- a/docs/configuration/service/ccm.zh.md
+++ b/docs/configuration/service/ccm.zh.md
@@ -10,11 +10,6 @@ CCM（Claude Code 多路复用器）服务是一个多路复用服务，允许

 它在本地机器上处理与 Claude API 的 OAuth 身份验证，同时允许远程 Claude Code 通过 `ANTHROPIC_AUTH_TOKEN` 环境变量使用认证令牌进行身份验证。

-!!! quote "sing-box 1.14.0 中的更改"
-
-    :material-plus: [credentials](#credentials)  
-    :material-alert: [users](#users)
-
 ### 结构

 ```json
@@ -24,7 +19,6 @@ CCM（Claude Code 多路复用器）服务是一个多路复用服务，允许
  ... // 监听字段

  "credential_path": "",
-  "credentials": [],
  "usages_path": "",
  "users": [],
  "headers": {},
@@ -51,77 +45,6 @@ Claude Code OAuth 凭据文件的路径。

 刷新的令牌会自动写回相同位置。

-当 `credential_path` 指向文件时，即使文件尚不存在，服务也可以启动。文件被创建或更新后，凭据会自动变为可用；如果文件之后被删除或变为无效，该凭据会立即变为不可用。
-
-在 macOS 上如果未显式设置 `credential_path`，不会监听钥匙串变化。自动重载只作用于凭据文件路径。
-
-与 `credentials` 冲突。
-
-#### credentials
-
-!!! question "自 sing-box 1.14.0 起"
-
-多凭据模式的凭据配置列表。
-
-设置后，顶层 `credential_path`、`usages_path` 和 `detour` 被禁止。每个用户必须指定 `credential` 标签。
-
-每个凭据有一个 `type` 字段（`default`、`balancer` 或 `fallback`）和一个必填的 `tag` 字段。
-
-##### 默认凭据
-
-```json
-{
-  "tag": "a",
-  "credential_path": "/path/to/.credentials.json",
-  "usages_path": "/path/to/usages.json",
-  "detour": "",
-  "reserve_5h": 20,
-  "reserve_weekly": 20
-}
-```
-
-单个 OAuth 凭据文件。`type` 字段可以省略（默认为 `default`）。即使文件尚不存在，服务也可以启动，并会自动重载文件更新。
-
- `credential_path`：凭据文件的路径。默认值与顶层 `credential_path` 相同。
- `usages_path`：此凭据的可选使用跟踪文件。
- `detour`：此凭据用于连接 Claude API 的出站标签。
- `reserve_5h`：5 小时窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
- `reserve_weekly`：每周窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
-
-##### 均衡凭据
-
-```json
-{
-  "tag": "pool",
-  "type": "balancer",
-  "strategy": "",
-  "credentials": ["a", "b"],
-  "poll_interval": "60s"
-}
-```
-
-根据选择的策略将会话分配给默认凭据。会话保持粘性，直到分配的凭据触发速率限制。
-
- `strategy`：选择策略。可选值：`least_used` `round_robin` `random`。默认使用 `least_used`。
- `credentials`：==必填== 默认凭据标签列表。
- `poll_interval`：轮询上游使用 API 的间隔。默认 `60s`。
-
-##### 回退凭据
-
-```json
-{
-  "tag": "backup",
-  "type": "fallback",
-  "credentials": ["a", "b"],
-  "poll_interval": "30s"
-}
-```
-
-按顺序使用凭据。当前凭据耗尽后切换到下一个。
-
- `credentials`：==必填== 有序的默认凭据标签列表。
- `poll_interval`：轮询上游使用 API 的间隔。默认 `60s`。
-
 #### usages_path

 用于存储聚合 API 使用统计信息的文件路径。
@@ -137,29 +60,13 @@ Claude Code OAuth 凭据文件的路径。

 统计文件每分钟自动保存一次，并在服务关闭时保存。

-与 `credentials` 冲突。在多凭据模式下，在各个默认凭据上使用 `usages_path`。
-
 #### users

 用于令牌身份验证的授权用户列表。

 如果为空，则不需要身份验证。

-对象格式：
-
-```json
-{
-  "name": "",
-  "token": "",
-  "credential": ""
-}
-```
-
-对象字段：
-
- `name`：用于跟踪的用户名标识符。
- `token`：用于身份验证的 Bearer 令牌。Claude Code 通过设置 `ANTHROPIC_AUTH_TOKEN` 环境变量为其令牌值进行身份验证。
- `credential`：此用户使用的凭据标签。设置 `credentials` 时==必填==。
+Claude Code 通过设置 `ANTHROPIC_AUTH_TOKEN` 环境变量为其令牌值进行身份验证。

 #### headers

@@ -171,93 +78,29 @@ Claude Code OAuth 凭据文件的路径。

 用于连接 Claude API 的出站标签。

-与 `credentials` 冲突。在多凭据模式下，在各个默认凭据上使用 `detour`。
-
 #### tls

 TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 ### 示例

-#### 服务端
-
 ```json
 {
  "services": [
    {
      "type": "ccm",
-      "listen": "0.0.0.0",
-      "listen_port": 8080,
-      "usages_path": "./claude-usages.json",
-      "users": [
-        {
-          "name": "alice",
-          "token": "ak-ccm-hello-world"
-        },
-        {
-          "name": "bob",
-          "token": "ak-ccm-hello-bob"
-        }
-      ]
+      "listen": "127.0.0.1",
+      "listen_port": 8080
    }
  ]
 }
 ```

-#### 客户端
+连接到 CCM 服务：

 ```bash
 export ANTHROPIC_BASE_URL="http://127.0.0.1:8080"
-export ANTHROPIC_AUTH_TOKEN="ak-ccm-hello-world"
+export ANTHROPIC_AUTH_TOKEN="sk-ant-ccm-auth-token-not-required-in-this-context"

 claude
 ```
-
-### 多凭据示例
-
-#### 服务端
-
-```json
-{
-  "services": [
-    {
-      "type": "ccm",
-      "listen": "0.0.0.0",
-      "listen_port": 8080,
-      "credentials": [
-        {
-          "tag": "a",
-          "credential_path": "/home/user/.claude-a/.credentials.json",
-          "usages_path": "/data/usages-a.json",
-          "reserve_5h": 20,
-          "reserve_weekly": 20
-        },
-        {
-          "tag": "b",
-          "credential_path": "/home/user/.claude-b/.credentials.json",
-          "reserve_5h": 10,
-          "reserve_weekly": 10
-        },
-        {
-          "tag": "pool",
-          "type": "balancer",
-          "poll_interval": "60s",
-          "credentials": ["a", "b"]
-        }
-      ],
-      "users": [
-        {
-          "name": "alice",
-          "token": "ak-ccm-hello-world",
-          "credential": "pool"
-        },
-        {
-          "name": "bob",
-          "token": "ak-ccm-hello-bob",
-          "credential": "a"
-        }
-      ]
-    }
-  ]
-}
-```
--- a/docs/configuration/service/ocm.md
+++ b/docs/configuration/service/ocm.md
@@ -10,11 +10,6 @@ OCM (OpenAI Codex Multiplexer) service is a multiplexing service that allows you

 It handles OAuth authentication with OpenAI's API on your local machine while allowing remote clients to authenticate using custom tokens.

-!!! quote "Changes in sing-box 1.14.0"
-
-    :material-plus: [credentials](#credentials)  
-    :material-alert: [users](#users)
-
 ### Structure

 ```json
@@ -24,7 +19,6 @@ It handles OAuth authentication with OpenAI's API on your local machine while al
  ... // Listen Fields

  "credential_path": "",
-  "credentials": [],
  "usages_path": "",
  "users": [],
  "headers": {},
@@ -43,81 +37,10 @@ See [Listen Fields](/configuration/shared/listen/) for details.

 Path to the OpenAI OAuth credentials file.

-If not specified, defaults to:
- `$CODEX_HOME/auth.json` if `CODEX_HOME` environment variable is set
- `~/.codex/auth.json` otherwise
+If not specified, defaults to `~/.codex/auth.json`.

 Refreshed tokens are automatically written back to the same location.

-When `credential_path` points to a file, the service can start before the file exists. The credential becomes available automatically after the file is created or updated, and becomes unavailable immediately if the file is later removed or becomes invalid.
-
-Conflict with `credentials`.
-
-#### credentials
-
-!!! question "Since sing-box 1.14.0"
-
-List of credential configurations for multi-credential mode.
-
-When set, top-level `credential_path`, `usages_path`, and `detour` are forbidden. Each user must specify a `credential` tag.
-
-Each credential has a `type` field (`default`, `balancer`, or `fallback`) and a required `tag` field.
-
-##### Default Credential
-
-```json
-{
-  "tag": "a",
-  "credential_path": "/path/to/auth.json",
-  "usages_path": "/path/to/usages.json",
-  "detour": "",
-  "reserve_5h": 20,
-  "reserve_weekly": 20
-}
-```
-
-A single OAuth credential file. The `type` field can be omitted (defaults to `default`). The service can start before the file exists, and reloads file updates automatically.
-
- `credential_path`: Path to the credentials file. Same defaults as top-level `credential_path`.
- `usages_path`: Optional usage tracking file for this credential.
- `detour`: Outbound tag for connecting to the OpenAI API with this credential.
- `reserve_5h`: Reserve threshold (1-99) for primary rate limit window. Credential pauses at (100-N)% utilization.
- `reserve_weekly`: Reserve threshold (1-99) for secondary (weekly) rate limit window. Credential pauses at (100-N)% utilization.
-
-##### Balancer Credential
-
-```json
-{
-  "tag": "pool",
-  "type": "balancer",
-  "strategy": "",
-  "credentials": ["a", "b"],
-  "poll_interval": "60s"
-}
-```
-
-Assigns sessions to default credentials based on the selected strategy. Sessions are sticky until the assigned credential hits a rate limit.
-
- `strategy`: Selection strategy. One of `least_used` `round_robin` `random`. `least_used` will be used by default.
- `credentials`: ==Required== List of default credential tags.
- `poll_interval`: How often to poll upstream usage API. Default `60s`.
-
-##### Fallback Credential
-
-```json
-{
-  "tag": "backup",
-  "type": "fallback",
-  "credentials": ["a", "b"],
-  "poll_interval": "30s"
-}
-```
-
-Uses credentials in order. Falls through to the next when the current one is exhausted.
-
- `credentials`: ==Required== Ordered list of default credential tags.
- `poll_interval`: How often to poll upstream usage API. Default `60s`.
-
 #### usages_path

 Path to the file for storing aggregated API usage statistics.
@@ -133,8 +56,6 @@ Statistics are organized by model and optionally by user when authentication is

 The statistics file is automatically saved every minute and upon service shutdown.

-Conflict with `credentials`. In multi-credential mode, use `usages_path` on individual default credentials.
-
 #### users

 List of authorized users for token authentication.
@@ -146,8 +67,7 @@ Object format:
 ```json
 {
  "name": "",
-  "token": "",
-  "credential": ""
+  "token": ""
 }
 ```

@@ -155,7 +75,6 @@ Object fields:

 - `name`: Username identifier for tracking purposes.
 - `token`: Bearer token for authentication. Clients authenticate by setting the `Authorization: Bearer <token>` header.
- `credential`: Credential tag to use for this user. ==Required== when `credentials` is set.

 #### headers

@@ -167,8 +86,6 @@ These headers will override any existing headers with the same name.

 Outbound tag for connecting to the OpenAI API.

-Conflict with `credentials`. In multi-credential mode, use `detour` on individual default credentials.
-
 #### tls

 TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
@@ -194,23 +111,17 @@ TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
 Add to `~/.codex/config.toml`:

 ```toml
-# profile = "ocm"                # set as default profile
-
 [model_providers.ocm]
 name = "OCM Proxy"
 base_url = "http://127.0.0.1:8080/v1"
-supports_websockets = true
-
-[profiles.ocm]
-model_provider = "ocm"
-# model = "gpt-5.4"              # if the latest model is not yet publicly released
-# model_reasoning_effort = "xhigh"
+wire_api = "responses"
+requires_openai_auth = false
 ```

 Then run:

 ```bash
-codex --profile ocm
+codex --model-provider ocm
 ```

 ### Example with Authentication
@@ -228,11 +139,11 @@ codex --profile ocm
      "users": [
        {
          "name": "alice",
-          "token": "sk-ocm-hello-world"
+          "token": "sk-alice-secret-token"
        },
        {
          "name": "bob",
-          "token": "sk-ocm-hello-bob"
+          "token": "sk-bob-secret-token"
        }
      ]
    }
@@ -245,71 +156,16 @@ codex --profile ocm
 Add to `~/.codex/config.toml`:

 ```toml
-# profile = "ocm"                # set as default profile
-
 [model_providers.ocm]
 name = "OCM Proxy"
 base_url = "http://127.0.0.1:8080/v1"
-supports_websockets = true
-experimental_bearer_token = "sk-ocm-hello-world"
-
-[profiles.ocm]
-model_provider = "ocm"
-# model = "gpt-5.4"              # if the latest model is not yet publicly released
-# model_reasoning_effort = "xhigh"
+wire_api = "responses"
+requires_openai_auth = false
+experimental_bearer_token = "sk-alice-secret-token"
 ```

 Then run:

 ```bash
-codex --profile ocm
-```
-
-### Example with Multiple Credentials
-
-#### Server
-
-```json
-{
-  "services": [
-    {
-      "type": "ocm",
-      "listen": "0.0.0.0",
-      "listen_port": 8080,
-      "credentials": [
-        {
-          "tag": "a",
-          "credential_path": "/home/user/.codex-a/auth.json",
-          "usages_path": "/data/usages-a.json",
-          "reserve_5h": 20,
-          "reserve_weekly": 20
-        },
-        {
-          "tag": "b",
-          "credential_path": "/home/user/.codex-b/auth.json",
-          "reserve_5h": 10,
-          "reserve_weekly": 10
-        },
-        {
-          "tag": "pool",
-          "type": "balancer",
-          "poll_interval": "60s",
-          "credentials": ["a", "b"]
-        }
-      ],
-      "users": [
-        {
-          "name": "alice",
-          "token": "sk-ocm-hello-world",
-          "credential": "pool"
-        },
-        {
-          "name": "bob",
-          "token": "sk-ocm-hello-bob",
-          "credential": "a"
-        }
-      ]
-    }
-  ]
-}
+codex --model-provider ocm
 ```
--- a/docs/configuration/service/ocm.zh.md
+++ b/docs/configuration/service/ocm.zh.md
@@ -10,11 +10,6 @@ OCM（OpenAI Codex 多路复用器）服务是一个多路复用服务，允许

 它在本地机器上处理与 OpenAI API 的 OAuth 身份验证，同时允许远程客户端使用自定义令牌进行身份验证。

-!!! quote "sing-box 1.14.0 中的更改"
-
-    :material-plus: [credentials](#credentials)  
-    :material-alert: [users](#users)
-
 ### 结构

 ```json
@@ -24,7 +19,6 @@ OCM（OpenAI Codex 多路复用器）服务是一个多路复用服务，允许
  ... // 监听字段

  "credential_path": "",
-  "credentials": [],
  "usages_path": "",
  "users": [],
  "headers": {},
@@ -43,81 +37,10 @@ OCM（OpenAI Codex 多路复用器）服务是一个多路复用服务，允许

 OpenAI OAuth 凭据文件的路径。

-如果未指定，默认值为：
- 如果设置了 `CODEX_HOME` 环境变量，则使用 `$CODEX_HOME/auth.json`
- 否则使用 `~/.codex/auth.json`
+如果未指定，默认值为 `~/.codex/auth.json`。

 刷新的令牌会自动写回相同位置。

-当 `credential_path` 指向文件时，即使文件尚不存在，服务也可以启动。文件被创建或更新后，凭据会自动变为可用；如果文件之后被删除或变为无效，该凭据会立即变为不可用。
-
-与 `credentials` 冲突。
-
-#### credentials
-
-!!! question "自 sing-box 1.14.0 起"
-
-多凭据模式的凭据配置列表。
-
-设置后，顶层 `credential_path`、`usages_path` 和 `detour` 被禁止。每个用户必须指定 `credential` 标签。
-
-每个凭据有一个 `type` 字段（`default`、`balancer` 或 `fallback`）和一个必填的 `tag` 字段。
-
-##### 默认凭据
-
-```json
-{
-  "tag": "a",
-  "credential_path": "/path/to/auth.json",
-  "usages_path": "/path/to/usages.json",
-  "detour": "",
-  "reserve_5h": 20,
-  "reserve_weekly": 20
-}
-```
-
-单个 OAuth 凭据文件。`type` 字段可以省略（默认为 `default`）。即使文件尚不存在，服务也可以启动，并会自动重载文件更新。
-
- `credential_path`：凭据文件的路径。默认值与顶层 `credential_path` 相同。
- `usages_path`：此凭据的可选使用跟踪文件。
- `detour`：此凭据用于连接 OpenAI API 的出站标签。
- `reserve_5h`：主要速率限制窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
- `reserve_weekly`：次要（每周）速率限制窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
-
-##### 均衡凭据
-
-```json
-{
-  "tag": "pool",
-  "type": "balancer",
-  "strategy": "",
-  "credentials": ["a", "b"],
-  "poll_interval": "60s"
-}
-```
-
-根据选择的策略将会话分配给默认凭据。会话保持粘性，直到分配的凭据触发速率限制。
-
- `strategy`：选择策略。可选值：`least_used` `round_robin` `random`。默认使用 `least_used`。
- `credentials`：==必填== 默认凭据标签列表。
- `poll_interval`：轮询上游使用 API 的间隔。默认 `60s`。
-
-##### 回退凭据
-
-```json
-{
-  "tag": "backup",
-  "type": "fallback",
-  "credentials": ["a", "b"],
-  "poll_interval": "30s"
-}
-```
-
-按顺序使用凭据。当前凭据耗尽后切换到下一个。
-
- `credentials`：==必填== 有序的默认凭据标签列表。
- `poll_interval`：轮询上游使用 API 的间隔。默认 `60s`。
-
 #### usages_path

 用于存储聚合 API 使用统计信息的文件路径。
@@ -133,8 +56,6 @@ OpenAI OAuth 凭据文件的路径。

 统计文件每分钟自动保存一次，并在服务关闭时保存。

-与 `credentials` 冲突。在多凭据模式下，在各个默认凭据上使用 `usages_path`。
-
 #### users

 用于令牌身份验证的授权用户列表。
@@ -146,8 +67,7 @@ OpenAI OAuth 凭据文件的路径。
 ```json
 {
  "name": "",
-  "token": "",
-  "credential": ""
+  "token": ""
 }
 ```

@@ -155,7 +75,6 @@ OpenAI OAuth 凭据文件的路径。

 - `name`：用于跟踪的用户名标识符。
 - `token`：用于身份验证的 Bearer 令牌。客户端通过设置 `Authorization: Bearer <token>` 头进行身份验证。
- `credential`：此用户使用的凭据标签。设置 `credentials` 时==必填==。

 #### headers

@@ -167,8 +86,6 @@ OpenAI OAuth 凭据文件的路径。

 用于连接 OpenAI API 的出站标签。

-与 `credentials` 冲突。在多凭据模式下，在各个默认凭据上使用 `detour`。
-
 #### tls

 TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
@@ -194,24 +111,17 @@ TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 在 `~/.codex/config.toml` 中添加：

 ```toml
-# profile = "ocm"                # 设为默认配置
-
-
 [model_providers.ocm]
 name = "OCM Proxy"
 base_url = "http://127.0.0.1:8080/v1"
-supports_websockets = true
-
-[profiles.ocm]
-model_provider = "ocm"
-# model = "gpt-5.4"              # 如果最新模型尚未公开发布
-# model_reasoning_effort = "xhigh"
+wire_api = "responses"
+requires_openai_auth = false
 ```

 然后运行：

 ```bash
-codex --profile ocm
+codex --model-provider ocm
 ```

 ### 带身份验证的示例
@@ -229,11 +139,11 @@ codex --profile ocm
      "users": [
        {
          "name": "alice",
-          "token": "sk-ocm-hello-world"
+          "token": "sk-alice-secret-token"
        },
        {
          "name": "bob",
-          "token": "sk-ocm-hello-bob"
+          "token": "sk-bob-secret-token"
        }
      ]
    }
@@ -246,71 +156,16 @@ codex --profile ocm
 在 `~/.codex/config.toml` 中添加：

 ```toml
-# profile = "ocm"                # 设为默认配置
-
 [model_providers.ocm]
 name = "OCM Proxy"
 base_url = "http://127.0.0.1:8080/v1"
-supports_websockets = true
-experimental_bearer_token = "sk-ocm-hello-world"
-
-[profiles.ocm]
-model_provider = "ocm"
-# model = "gpt-5.4"              # 如果最新模型尚未公开发布
-# model_reasoning_effort = "xhigh"
+wire_api = "responses"
+requires_openai_auth = false
+experimental_bearer_token = "sk-alice-secret-token"
 ```

 然后运行：

 ```bash
-codex --profile ocm
-```
-
-### 多凭据示例
-
-#### 服务端
-
-```json
-{
-  "services": [
-    {
-      "type": "ocm",
-      "listen": "0.0.0.0",
-      "listen_port": 8080,
-      "credentials": [
-        {
-          "tag": "a",
-          "credential_path": "/home/user/.codex-a/auth.json",
-          "usages_path": "/data/usages-a.json",
-          "reserve_5h": 20,
-          "reserve_weekly": 20
-        },
-        {
-          "tag": "b",
-          "credential_path": "/home/user/.codex-b/auth.json",
-          "reserve_5h": 10,
-          "reserve_weekly": 10
-        },
-        {
-          "tag": "pool",
-          "type": "balancer",
-          "poll_interval": "60s",
-          "credentials": ["a", "b"]
-        }
-      ],
-      "users": [
-        {
-          "name": "alice",
-          "token": "sk-ocm-hello-world",
-          "credential": "pool"
-        },
-        {
-          "name": "bob",
-          "token": "sk-ocm-hello-bob",
-          "credential": "a"
-        }
-      ]
-    }
-  ]
-}
+codex --model-provider ocm
 ```
--- a/docs/configuration/shared/neighbor.md
+++ b/docs/configuration/shared/neighbor.md
@@ -1,49 +0,0 @@
---
-icon: material/lan
---
-
-# Neighbor Resolution
-
-Match LAN devices by MAC address and hostname using
-[`source_mac_address`](/configuration/route/rule/#source_mac_address) and
-[`source_hostname`](/configuration/route/rule/#source_hostname) rule items.
-
-Neighbor resolution is automatically enabled when these rule items exist.
-Use [`route.find_neighbor`](/configuration/route/#find_neighbor) to force enable it for logging without rules.
-
-## Linux
-
-Works natively. No special setup required.
-
-Hostname resolution requires DHCP lease files,
-automatically detected from common DHCP servers (dnsmasq, odhcpd, ISC dhcpd, Kea).
-Custom paths can be set via [`route.dhcp_lease_files`](/configuration/route/#dhcp_lease_files).
-
-## Android
-
-!!! quote ""
-
-    Only supported in graphical clients.
-
-Requires Android 11 or above and ROOT.
-
-Must use [VPNHotspot](https://github.com/Mygod/VPNHotspot) to share the VPN connection.
-ROM built-in features like "Use VPN for connected devices" can share VPN
-but cannot provide MAC address or hostname information.
-
-Set **IP Masquerade Mode** to **None** in VPNHotspot settings.
-
-Only route/DNS rules are supported. TUN include/exclude routes are not supported.
-
-### Hostname Visibility
-
-Hostname is only visible in sing-box if it is visible in VPNHotspot.
-For Apple devices, change **Private Wi-Fi Address** from **Rotating** to **Fixed** in the Wi-Fi settings
-of the connected network. Non-Apple devices are always visible.
-
-## macOS
-
-Requires the standalone version (macOS system extension).
-The App Store version can share the VPN as a hotspot but does not support MAC address or hostname reading.
-
-See [VPN Hotspot](/manual/misc/vpn-hotspot/#macos) for Internet Sharing setup.
--- a/docs/configuration/shared/neighbor.zh.md
+++ b/docs/configuration/shared/neighbor.zh.md
@@ -1,49 +0,0 @@
---
-icon: material/lan
---
-
-# 邻居解析
-
-通过
-[`source_mac_address`](/configuration/route/rule/#source_mac_address) 和
-[`source_hostname`](/configuration/route/rule/#source_hostname) 规则项匹配局域网设备的 MAC 地址和主机名。
-
-当这些规则项存在时，邻居解析自动启用。
-使用 [`route.find_neighbor`](/configuration/route/#find_neighbor) 可在没有规则时强制启用以输出日志。
-
-## Linux
-
-原生支持，无需特殊设置。
-
-主机名解析需要 DHCP 租约文件，
-自动从常见 DHCP 服务器（dnsmasq、odhcpd、ISC dhcpd、Kea）检测。
-可通过 [`route.dhcp_lease_files`](/configuration/route/#dhcp_lease_files) 设置自定义路径。
-
-## Android
-
-!!! quote ""
-
-    仅在图形客户端中支持。
-
-需要 Android 11 或以上版本和 ROOT。
-
-必须使用 [VPNHotspot](https://github.com/Mygod/VPNHotspot) 共享 VPN 连接。
-ROM 自带的「通过 VPN 共享连接」等功能可以共享 VPN，
-但无法提供 MAC 地址或主机名信息。
-
-在 VPNHotspot 设置中将 **IP 遮掩模式** 设为 **无**。
-
-仅支持路由/DNS 规则。不支持 TUN 的 include/exclude 路由。
-
-### 设备可见性
-
-MAC 地址和主机名仅在 VPNHotspot 中可见时 sing-box 才能读取。
-对于 Apple 设备，需要在所连接网络的 Wi-Fi 设置中将**私有无线局域网地址**从**轮替**改为**固定**。
-非 Apple 设备始终可见。
-
-## macOS
-
-需要独立版本（macOS 系统扩展）。
-App Store 版本可以共享 VPN 热点但不支持 MAC 地址或主机名读取。
-
-参阅 [VPN 热点](/manual/misc/vpn-hotspot/#macos) 了解互联网共享设置。
--- a/docs/installation/build-from-source.md
+++ b/docs/installation/build-from-source.md
@@ -57,49 +57,25 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
 | `with_v2ray_api`                   | :material-close:️    | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
 | `with_gvisor`                      | :material-check:     | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
 | `with_embedded_tor` (CGO required) | :material-close:️    | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
-| `with_tailscale`                   | :material-check:     | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale).                                                                                                                                                                                                                                     |
-| `with_ccm`                         | :material-check:     | Build with Claude Code Multiplexer service support.                                                                                                                                                                                                                                                                            |
-| `with_ocm`                         | :material-check:     | Build with OpenAI Codex Multiplexer service support.                                                                                                                                                                                                                                                                           |
-| `with_naive_outbound`              | :material-check:     | Build with NaiveProxy outbound support, see [NaiveProxy outbound](/configuration/outbound/naive/).                                                                                                                                                                                                                             |
-| `badlinkname`                      | :material-check:     | Enable `go:linkname` access to internal standard library functions. Required because the Go standard library does not expose many low-level APIs needed by this project, and reimplementing them externally is impractical. Used for kTLS (kernel TLS offload) and raw TLS record manipulation.                                 |
-| `tfogo_checklinkname0`             | :material-check:     | Companion to `badlinkname`. Go 1.23+ enforces `go:linkname` restrictions via the linker; this tag signals the build uses `-checklinkname=0` to bypass that enforcement.                                                                                                                                                       |
+| `with_tailscale`                   | :material-check:     | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale)                                                                                                                                                                                                                                      |
+| `with_naive_outbound`              | :material-close:️    | Build with NaiveProxy outbound support, see [NaiveProxy outbound](/configuration/outbound/naive/).                                                                                                                                                                                                                             |

 It is not recommended to change the default build tag list unless you really know what you are adding.

-## :material-wrench: Linker Flags
-
-The following `-ldflags` are used in official builds:
-
-| Flag                                                        | Description                                                                                                                                                                                                             |
-|-------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `-X 'internal/godebug.defaultGODEBUG=multipathtcp=0'`      | Go 1.24 enabled Multipath TCP for listeners by default (`multipathtcp=2`). This may cause errors on low-level sockets, and sing-box has its own MPTCP control (`tcp_multi_path` option). This flag disables the Go default. |
-| `-checklinkname=0`                                          | Go 1.23+ linker rejects unauthorized `go:linkname` usage. This flag disables the check, required together with the `badlinkname` build tag.                                                                            |
-
-## :material-package-variant: For Downstream Packagers
-
-The default build tag lists and linker flags are available as files in the repository for downstream packagers to reference directly:
-
-| File | Description |
-|------|-------------|
-| `release/DEFAULT_BUILD_TAGS` | Default for Linux (common architectures), Darwin, and Android. |
-| `release/DEFAULT_BUILD_TAGS_WINDOWS` | Default for Windows (includes `with_purego`). |
-| `release/DEFAULT_BUILD_TAGS_OTHERS` | Default for other platforms (no `with_naive_outbound`). |
-| `release/LDFLAGS` | Required linker flags (see above). |
-
 ## :material-layers: with_naive_outbound

 NaiveProxy outbound requires special build configurations depending on your target platform.

 ### Supported Platforms

-| Platform        | Architectures                                          | Mode   | Requirements                                                    |
-|-----------------|--------------------------------------------------------|--------|-----------------------------------------------------------------|
-| Linux           | amd64, arm64                                           | purego | None (library included in official releases)                    |
-| Linux           | 386, amd64, arm, arm64, mipsle, mips64le, riscv64, loong64 | CGO    | Chromium toolchain, glibc >= 2.31 (loong64: >= 2.36) at runtime |
-| Linux (musl)    | 386, amd64, arm, arm64, mipsle, riscv64, loong64       | CGO    | Chromium toolchain                                              |
-| Windows         | amd64, arm64                                           | purego | None (library included in official releases)                    |
-| Apple platforms | *                                                      | CGO    | Xcode                                                           |
-| Android         | *                                                      | CGO    | Android NDK                                                     |
+| Platform        | Architectures          | Mode   | Requirements                                      |
+|-----------------|------------------------|--------|---------------------------------------------------|
+| Linux           | amd64, arm64           | purego | None (library included in official releases)      |
+| Linux           | 386, amd64, arm, arm64 | CGO    | Chromium toolchain, glibc >= 2.31 at runtime      |
+| Linux (musl)    | 386, amd64, arm, arm64 | CGO    | Chromium toolchain                                |
+| Windows         | amd64, arm64           | purego | None (library included in official releases)      |
+| Apple platforms | *                      | CGO    | Xcode                                             |
+| Android         | *                      | CGO    | Android NDK                                       |

 ### Windows

--- a/docs/installation/build-from-source.zh.md
+++ b/docs/installation/build-from-source.zh.md
@@ -61,49 +61,25 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
 | `with_v2ray_api`                   | :material-close:️ | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
 | `with_gvisor`                      | :material-check:  | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
 | `with_embedded_tor` (CGO required) | :material-close:️ | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
-| `with_tailscale`                   | :material-check:  | 构建 Tailscale 支持，参阅 [Tailscale 端点](/configuration/endpoint/tailscale)。                                                                                                                                                                                                                                                         |
-| `with_ccm`                         | :material-check:  | 构建 Claude Code Multiplexer 服务支持。                                                                                                                                                                                                                                                                                              |
-| `with_ocm`                         | :material-check:  | 构建 OpenAI Codex Multiplexer 服务支持。                                                                                                                                                                                                                                                                                             |
-| `with_naive_outbound`              | :material-check:  | 构建 NaiveProxy 出站支持，参阅 [NaiveProxy 出站](/configuration/outbound/naive/)。                                                                                                                                                                                                                                                         |
-| `badlinkname`                      | :material-check:  | 启用 `go:linkname` 以访问标准库内部函数。Go 标准库未提供本项目需要的许多底层 API，且在外部重新实现不切实际。用于 kTLS（内核 TLS 卸载）和原始 TLS 记录操作。                                                                                                                                                                                                                           |
-| `tfogo_checklinkname0`             | :material-check:  | `badlinkname` 的伴随标记。Go 1.23+ 链接器强制限制 `go:linkname` 使用；此标记表示构建使用 `-checklinkname=0` 以绕过该限制。                                                                                                                                                                                                                                |
+| `with_tailscale`                   | :material-check:  | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale)                                                                                                                                                                                                                                      |
+| `with_naive_outbound`              | :material-close:️ | 构建 NaiveProxy 出站支持，参阅 [NaiveProxy 出站](/zh/configuration/outbound/naive/)。                                                                                                                                                                                                                                                      |

 除非您确实知道您正在启用什么，否则不建议更改默认构建标签列表。

-## :material-wrench: 链接器标志
-
-以下 `-ldflags` 在官方构建中使用：
-
-| 标志                                                          | 说明                                                                                                                                                         |
-|-------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `-X 'internal/godebug.defaultGODEBUG=multipathtcp=0'`      | Go 1.24 默认为监听器启用 Multipath TCP（`multipathtcp=2`）。这可能在底层 socket 上导致错误，且 sing-box 有自己的 MPTCP 控制（`tcp_multi_path` 选项）。此标志禁用 Go 的默认行为。                             |
-| `-checklinkname=0`                                          | Go 1.23+ 链接器拒绝未授权的 `go:linkname` 使用。此标志禁用该检查，需要与 `badlinkname` 构建标记一起使用。                                                                                   |
-
-## :material-package-variant: 下游打包者
-
-默认构建标签列表和链接器标志以文件形式存放在仓库中，供下游打包者直接引用：
-
-| 文件 | 说明 |
-|------|------|
-| `release/DEFAULT_BUILD_TAGS` | Linux（常见架构）、Darwin 和 Android 的默认标签。 |
-| `release/DEFAULT_BUILD_TAGS_WINDOWS` | Windows 的默认标签（包含 `with_purego`）。 |
-| `release/DEFAULT_BUILD_TAGS_OTHERS` | 其他平台的默认标签（不含 `with_naive_outbound`）。 |
-| `release/LDFLAGS` | 必需的链接器标志（参见上文）。 |
-
 ## :material-layers: with_naive_outbound

 NaiveProxy 出站需要根据目标平台进行特殊的构建配置。

 ### 支持的平台

-| 平台           | 架构                                                       | 模式     | 要求                                                  |
-|--------------|----------------------------------------------------------|--------|-----------------------------------------------------|
-| Linux        | amd64, arm64                                             | purego | 无（官方发布版本已包含库文件）                                     |
-| Linux        | 386, amd64, arm, arm64, mipsle, mips64le, riscv64, loong64 | CGO    | Chromium 工具链，运行时需要 glibc >= 2.31（loong64: >= 2.36） |
-| Linux (musl) | 386, amd64, arm, arm64, mipsle, riscv64, loong64          | CGO    | Chromium 工具链                                        |
-| Windows      | amd64, arm64                                             | purego | 无（官方发布版本已包含库文件）                                     |
-| Apple 平台     | *                                                        | CGO    | Xcode                                               |
-| Android      | *                                                        | CGO    | Android NDK                                          |
+| 平台            | 架构                     | 模式     | 要求                             |
+|---------------|------------------------|--------|--------------------------------|
+| Linux         | amd64, arm64           | purego | 无（官方发布版本已包含库文件）                |
+| Linux         | 386, amd64, arm, arm64 | CGO    | Chromium 工具链，运行时需要 glibc >= 2.31 |
+| Linux (musl)  | 386, amd64, arm, arm64 | CGO    | Chromium 工具链                   |
+| Windows       | amd64, arm64           | purego | 无（官方发布版本已包含库文件）                |
+| Apple 平台      | *                      | CGO    | Xcode                          |
+| Android       | *                      | CGO    | Android NDK                    |

 ### Windows

--- a/docs/installation/tools/install.sh
+++ b/docs/installation/tools/install.sh
@@ -47,17 +47,6 @@ elif command -v rpm >/dev/null 2>&1; then
  arch=$(uname -m)
  package_suffix=".rpm"
  package_install="rpm -i"
-elif command -v apk >/dev/null 2>&1 && [ -f /etc/os-release ] && grep -q OPENWRT_ARCH /etc/os-release; then
-  os="openwrt"
-  . /etc/os-release
-  arch="$OPENWRT_ARCH"
-  package_suffix=".apk"
-  package_install="apk add --allow-untrusted"
-elif command -v apk >/dev/null 2>&1; then
-  os="linux"
-  arch=$(apk --print-arch)
-  package_suffix=".apk"
-  package_install="apk add --allow-untrusted"
 elif command -v opkg >/dev/null 2>&1; then
  os="openwrt"
  . /etc/os-release
--- a/experimental/clashapi/api_meta.go
+++ b/experimental/clashapi/api_meta.go
@@ -2,7 +2,6 @@ package clashapi

 import (
 	"bytes"
-	"context"
 	"net"
 	"net/http"
 	"runtime/debug"
@@ -28,7 +27,7 @@ func (s *Server) setupMetaAPI(r chi.Router) {
 		})
 		r.Mount("/", middleware.Profiler())
 	}
-	r.Get("/memory", memory(s.ctx, s.trafficManager))
+	r.Get("/memory", memory(s.trafficManager))
 	r.Mount("/group", groupRouter(s))
 	r.Mount("/upgrade", upgradeRouter(s))
 }
@@ -38,7 +37,7 @@ type Memory struct {
 	OSLimit uint64 `json:"oslimit"` // maybe we need it in the future
 }

-func memory(ctx context.Context, trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
+func memory(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var conn net.Conn
 		if r.Header.Get("Upgrade") == "websocket" {
@@ -47,7 +46,6 @@ func memory(ctx context.Context, trafficManager *trafficontrol.Manager) func(w h
 			if err != nil {
 				return
 			}
-			defer conn.Close()
 		}

 		if conn == nil {
@@ -60,12 +58,7 @@ func memory(ctx context.Context, trafficManager *trafficontrol.Manager) func(w h
 		buf := &bytes.Buffer{}
 		var err error
 		first := true
-		for {
-			select {
-			case <-ctx.Done():
-				return
-			case <-tick.C:
-			}
+		for range tick.C {
 			buf.Reset()

 			inuse := trafficManager.Snapshot().Memory
--- a/experimental/clashapi/connections.go
+++ b/experimental/clashapi/connections.go
@@ -2,7 +2,6 @@ package clashapi

 import (
 	"bytes"
-	"context"
 	"net/http"
 	"strconv"
 	"time"
@@ -18,15 +17,15 @@ import (
 	"github.com/gofrs/uuid/v5"
 )

-func connectionRouter(ctx context.Context, router adapter.Router, trafficManager *trafficontrol.Manager) http.Handler {
+func connectionRouter(router adapter.Router, trafficManager *trafficontrol.Manager) http.Handler {
 	r := chi.NewRouter()
-	r.Get("/", getConnections(ctx, trafficManager))
+	r.Get("/", getConnections(trafficManager))
 	r.Delete("/", closeAllConnections(router, trafficManager))
 	r.Delete("/{id}", closeConnection(trafficManager))
 	return r
 }

-func getConnections(ctx context.Context, trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
+func getConnections(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		if r.Header.Get("Upgrade") != "websocket" {
 			snapshot := trafficManager.Snapshot()
@@ -38,7 +37,6 @@ func getConnections(ctx context.Context, trafficManager *trafficontrol.Manager)
 		if err != nil {
 			return
 		}
-		defer conn.Close()

 		intervalStr := r.URL.Query().Get("interval")
 		interval := 1000
@@ -69,12 +67,7 @@ func getConnections(ctx context.Context, trafficManager *trafficontrol.Manager)

 		tick := time.NewTicker(time.Millisecond * time.Duration(interval))
 		defer tick.Stop()
-		for {
-			select {
-			case <-ctx.Done():
-				return
-			case <-tick.C:
-			}
+		for range tick.C {
 			if err = sendSnapshot(); err != nil {
 				break
 			}
--- a/experimental/clashapi/server.go
+++ b/experimental/clashapi/server.go
@@ -115,13 +115,13 @@ func NewServer(ctx context.Context, logFactory log.ObservableFactory, options op
 	chiRouter.Group(func(r chi.Router) {
 		r.Use(authentication(options.Secret))
 		r.Get("/", hello(options.ExternalUI != ""))
-		r.Get("/logs", getLogs(s.ctx, logFactory))
-		r.Get("/traffic", traffic(s.ctx, trafficManager))
+		r.Get("/logs", getLogs(logFactory))
+		r.Get("/traffic", traffic(trafficManager))
 		r.Get("/version", version)
 		r.Mount("/configs", configRouter(s, logFactory))
 		r.Mount("/proxies", proxyRouter(s, s.router))
 		r.Mount("/rules", ruleRouter(s.router))
-		r.Mount("/connections", connectionRouter(s.ctx, s.router, trafficManager))
+		r.Mount("/connections", connectionRouter(s.router, trafficManager))
 		r.Mount("/providers/proxies", proxyProviderRouter())
 		r.Mount("/providers/rules", ruleProviderRouter())
 		r.Mount("/script", scriptRouter())
@@ -303,7 +303,7 @@ type Traffic struct {
 	Down int64 `json:"down"`
 }

-func traffic(ctx context.Context, trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
+func traffic(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var conn net.Conn
 		if r.Header.Get("Upgrade") == "websocket" {
@@ -324,12 +324,7 @@ func traffic(ctx context.Context, trafficManager *trafficontrol.Manager) func(w
 		defer tick.Stop()
 		buf := &bytes.Buffer{}
 		uploadTotal, downloadTotal := trafficManager.Total()
-		for {
-			select {
-			case <-ctx.Done():
-				return
-			case <-tick.C:
-			}
+		for range tick.C {
 			buf.Reset()
 			uploadTotalNew, downloadTotalNew := trafficManager.Total()
 			err := json.NewEncoder(buf).Encode(Traffic{
@@ -360,7 +355,7 @@ type Log struct {
 	Payload string `json:"payload"`
 }

-func getLogs(ctx context.Context, logFactory log.ObservableFactory) func(w http.ResponseWriter, r *http.Request) {
+func getLogs(logFactory log.ObservableFactory) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		levelText := r.URL.Query().Get("level")
 		if levelText == "" {
@@ -399,8 +394,6 @@ func getLogs(ctx context.Context, logFactory log.ObservableFactory) func(w http.
 		var logEntry log.Entry
 		for {
 			select {
-			case <-ctx.Done():
-				return
 			case <-done:
 				return
 			case logEntry = <-subscription:
--- a/experimental/deprecated/constants.go
+++ b/experimental/deprecated/constants.go
@@ -57,6 +57,96 @@ func (n Note) MessageWithLink() string {
 	}
 }

+var OptionBadMatchSource = Note{
+	Name:              "bad-match-source",
+	Description:       "legacy match source rule item",
+	DeprecatedVersion: "1.10.0",
+	ScheduledVersion:  "1.11.0",
+	EnvName:           "BAD_MATCH_SOURCE",
+	MigrationLink:     "https://sing-box.sagernet.org/deprecated/#match-source-rule-items-are-renamed",
+}
+
+var OptionGEOIP = Note{
+	Name:              "geoip",
+	Description:       "geoip database",
+	DeprecatedVersion: "1.8.0",
+	ScheduledVersion:  "1.12.0",
+	EnvName:           "GEOIP",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-geoip-to-rule-sets",
+}
+
+var OptionGEOSITE = Note{
+	Name:              "geosite",
+	Description:       "geosite database",
+	DeprecatedVersion: "1.8.0",
+	ScheduledVersion:  "1.12.0",
+	EnvName:           "GEOSITE",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-geosite-to-rule-sets",
+}
+
+var OptionTUNAddressX = Note{
+	Name:              "tun-address-x",
+	Description:       "legacy tun address fields",
+	DeprecatedVersion: "1.10.0",
+	ScheduledVersion:  "1.12.0",
+	EnvName:           "TUN_ADDRESS_X",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#tun-address-fields-are-merged",
+}
+
+var OptionSpecialOutbounds = Note{
+	Name:              "special-outbounds",
+	Description:       "legacy special outbounds",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.13.0",
+	EnvName:           "SPECIAL_OUTBOUNDS",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-legacy-special-outbounds-to-rule-actions",
+}
+
+var OptionInboundOptions = Note{
+	Name:              "inbound-options",
+	Description:       "legacy inbound fields",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.13.0",
+	EnvName:           "INBOUND_OPTIONS",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-legacy-special-outbounds-to-rule-actions",
+}
+
+var OptionDestinationOverrideFields = Note{
+	Name:              "destination-override-fields",
+	Description:       "destination override fields in direct outbound",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.13.0",
+	EnvName:           "DESTINATION_OVERRIDE_FIELDS",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-destination-override-fields-to-route-options",
+}
+
+var OptionWireGuardOutbound = Note{
+	Name:              "wireguard-outbound",
+	Description:       "legacy wireguard outbound",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.13.0",
+	EnvName:           "WIREGUARD_OUTBOUND",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-wireguard-outbound-to-endpoint",
+}
+
+var OptionWireGuardGSO = Note{
+	Name:              "wireguard-gso",
+	Description:       "GSO option in wireguard outbound",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.13.0",
+	EnvName:           "WIREGUARD_GSO",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-wireguard-outbound-to-endpoint",
+}
+
+var OptionTUNGSO = Note{
+	Name:              "tun-gso",
+	Description:       "GSO option in tun",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.12.0",
+	EnvName:           "TUN_GSO",
+	MigrationLink:     "https://sing-box.sagernet.org/deprecated/#gso-option-in-tun",
+}
+
 var OptionLegacyDNSTransport = Note{
 	Name:              "legacy-dns-transport",
 	Description:       "legacy DNS servers",
@@ -93,6 +183,15 @@ var OptionMissingDomainResolver = Note{
 	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-outbound-dns-rule-items-to-domain-resolver",
 }

+var OptionLegacyECHOptions = Note{
+	Name:              "legacy-ech-options",
+	Description:       "legacy ECH options",
+	DeprecatedVersion: "1.12.0",
+	ScheduledVersion:  "1.13.0",
+	EnvName:           "LEGACY_ECH_OPTIONS",
+	MigrationLink:     "https://sing-box.sagernet.org/deprecated/#legacy-ech-fields",
+}
+
 var OptionLegacyDomainStrategyOptions = Note{
 	Name:              "legacy-domain-strategy-options",
 	Description:       "legacy domain strategy options",
@@ -103,9 +202,20 @@ var OptionLegacyDomainStrategyOptions = Note{
 }

 var Options = []Note{
+	OptionBadMatchSource,
+	OptionGEOIP,
+	OptionGEOSITE,
+	OptionTUNAddressX,
+	OptionSpecialOutbounds,
+	OptionInboundOptions,
+	OptionDestinationOverrideFields,
+	OptionWireGuardOutbound,
+	OptionWireGuardGSO,
+	OptionTUNGSO,
 	OptionLegacyDNSTransport,
 	OptionLegacyDNSFakeIPOptions,
 	OptionOutboundDNSRuleItem,
 	OptionMissingDomainResolver,
+	OptionLegacyECHOptions,
 	OptionLegacyDomainStrategyOptions,
 }
--- a/experimental/libbox/command_client.go
+++ b/experimental/libbox/command_client.go
@@ -119,11 +119,7 @@ func dialTarget() (string, func(context.Context, string) (net.Conn, error)) {
 		}
 	}
 	if sCommandServerListenPort == 0 {
-		socketPath := filepath.Join(sBasePath, "command.sock")
-		return "passthrough:///command-socket", func(ctx context.Context, _ string) (net.Conn, error) {
-			var networkDialer net.Dialer
-			return networkDialer.DialContext(ctx, "unix", socketPath)
-		}
+		return "unix://" + filepath.Join(sBasePath, "command.sock"), nil
 	}
 	return net.JoinHostPort("127.0.0.1", strconv.Itoa(int(sCommandServerListenPort))), nil
 }
--- a/experimental/libbox/command_server.go
+++ b/experimental/libbox/command_server.go
@@ -60,7 +60,6 @@ func NewCommandServer(handler CommandServerHandler, platformInterface PlatformIn
 		Handler:     (*platformHandler)(server),
 		Debug:       sDebug,
 		LogMaxLines: sLogMaxLines,
-		OOMKiller:   memoryLimitEnabled,
 		// WorkingDirectory: sWorkingPath,
 		// TempDirectory:    sTempPath,
 		// UserID:           sUserID,
@@ -160,7 +159,6 @@ func (s *CommandServer) Close() {
 		s.grpcServer.Stop()
 	}
 	common.Close(s.listener)
-	s.StartedService.Close()
 }

 type OverrideOptions struct {
--- a/experimental/libbox/config.go
+++ b/experimental/libbox/config.go
@@ -144,18 +144,6 @@ func (s *platformInterfaceStub) SendNotification(notification *adapter.Notificat
 	return nil
 }

-func (s *platformInterfaceStub) UsePlatformNeighborResolver() bool {
-	return false
-}
-
-func (s *platformInterfaceStub) StartNeighborMonitor(listener adapter.NeighborUpdateListener) error {
-	return os.ErrInvalid
-}
-
-func (s *platformInterfaceStub) CloseNeighborMonitor(listener adapter.NeighborUpdateListener) error {
-	return nil
-}
-
 func (s *platformInterfaceStub) UsePlatformLocalDNSTransport() bool {
 	return false
 }
--- a/experimental/libbox/fdroid.go
+++ b/experimental/libbox/fdroid.go
@@ -1,493 +0,0 @@
-package libbox
-
-import (
-	"archive/zip"
-	"bytes"
-	"crypto/tls"
-	"encoding/json"
-	"io"
-	"net"
-	"net/http"
-	"net/url"
-	"os"
-	"path/filepath"
-	"sort"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-const fdroidUserAgent = "F-Droid 1.21.1"
-
-type FDroidUpdateInfo struct {
-	VersionCode int32
-	VersionName string
-	DownloadURL string
-	FileSize    int64
-	FileSHA256  string
-}
-
-type FDroidPingResult struct {
-	URL       string
-	LatencyMs int32
-	Error     string
-}
-
-type FDroidPingResultIterator interface {
-	Len() int32
-	HasNext() bool
-	Next() *FDroidPingResult
-}
-
-type fdroidAPIResponse struct {
-	PackageName          string             `json:"packageName"`
-	SuggestedVersionCode int32              `json:"suggestedVersionCode"`
-	Packages             []fdroidAPIPackage `json:"packages"`
-}
-
-type fdroidAPIPackage struct {
-	VersionName string `json:"versionName"`
-	VersionCode int32  `json:"versionCode"`
-}
-
-type fdroidEntry struct {
-	Timestamp int64                      `json:"timestamp"`
-	Version   int                        `json:"version"`
-	Index     fdroidEntryFile            `json:"index"`
-	Diffs     map[string]fdroidEntryFile `json:"diffs"`
-}
-
-type fdroidEntryFile struct {
-	Name        string `json:"name"`
-	SHA256      string `json:"sha256"`
-	Size        int64  `json:"size"`
-	NumPackages int    `json:"numPackages"`
-}
-
-type fdroidIndexV2 struct {
-	Packages map[string]fdroidV2Package `json:"packages"`
-}
-
-type fdroidV2Package struct {
-	Versions map[string]fdroidV2Version `json:"versions"`
-}
-
-type fdroidV2Version struct {
-	Manifest fdroidV2Manifest `json:"manifest"`
-	File     fdroidV2File     `json:"file"`
-}
-
-type fdroidV2Manifest struct {
-	VersionCode int32  `json:"versionCode"`
-	VersionName string `json:"versionName"`
-}
-
-type fdroidV2File struct {
-	Name   string `json:"name"`
-	SHA256 string `json:"sha256"`
-	Size   int64  `json:"size"`
-}
-
-type fdroidIndexV1 struct {
-	Packages map[string][]fdroidV1Package `json:"packages"`
-}
-
-type fdroidV1Package struct {
-	VersionCode int32  `json:"versionCode"`
-	VersionName string `json:"versionName"`
-	ApkName     string `json:"apkName"`
-	Size        int64  `json:"size"`
-	Hash        string `json:"hash"`
-	HashType    string `json:"hashType"`
-}
-
-type fdroidCache struct {
-	MirrorURL string `json:"mirrorURL"`
-	Timestamp int64  `json:"timestamp"`
-	ETag      string `json:"etag"`
-	IsV1      bool   `json:"isV1,omitempty"`
-}
-
-func CheckFDroidUpdate(mirrorURL, packageName string, currentVersionCode int32, cachePath string) (*FDroidUpdateInfo, error) {
-	mirrorURL = strings.TrimRight(mirrorURL, "/")
-	if strings.Contains(mirrorURL, "f-droid.org") {
-		return checkFDroidAPI(mirrorURL, packageName, currentVersionCode)
-	}
-	client := newFDroidHTTPClient()
-	defer client.CloseIdleConnections()
-	cache := loadFDroidCache(cachePath, mirrorURL)
-	if cache != nil && cache.IsV1 {
-		return checkFDroidV1(client, mirrorURL, packageName, currentVersionCode, cachePath, cache)
-	}
-	return checkFDroidV2(client, mirrorURL, packageName, currentVersionCode, cachePath, cache)
-}
-
-func PingFDroidMirrors(mirrorURLs string) (FDroidPingResultIterator, error) {
-	urls := strings.Split(mirrorURLs, ",")
-	results := make([]*FDroidPingResult, len(urls))
-	var waitGroup sync.WaitGroup
-	for i, rawURL := range urls {
-		waitGroup.Add(1)
-		go func(index int, target string) {
-			defer waitGroup.Done()
-			target = strings.TrimSpace(target)
-			result := &FDroidPingResult{URL: target}
-			latency, err := pingTLS(target)
-			if err != nil {
-				result.LatencyMs = -1
-				result.Error = err.Error()
-			} else {
-				result.LatencyMs = int32(latency.Milliseconds())
-			}
-			results[index] = result
-		}(i, rawURL)
-	}
-	waitGroup.Wait()
-	sort.Slice(results, func(i, j int) bool {
-		if results[i].LatencyMs < 0 {
-			return false
-		}
-		if results[j].LatencyMs < 0 {
-			return true
-		}
-		return results[i].LatencyMs < results[j].LatencyMs
-	})
-	return newIterator(results), nil
-}
-
-func PingFDroidMirror(mirrorURL string) *FDroidPingResult {
-	mirrorURL = strings.TrimSpace(mirrorURL)
-	result := &FDroidPingResult{URL: mirrorURL}
-	latency, err := pingTLS(mirrorURL)
-	if err != nil {
-		result.LatencyMs = -1
-		result.Error = err.Error()
-	} else {
-		result.LatencyMs = int32(latency.Milliseconds())
-	}
-	return result
-}
-
-func newFDroidHTTPClient() *http.Client {
-	return &http.Client{
-		Timeout: 30 * time.Second,
-	}
-}
-
-func newFDroidRequest(requestURL string) (*http.Request, error) {
-	request, err := http.NewRequest("GET", requestURL, nil)
-	if err != nil {
-		return nil, err
-	}
-	request.Header.Set("User-Agent", fdroidUserAgent)
-	return request, nil
-}
-
-func checkFDroidAPI(mirrorURL, packageName string, currentVersionCode int32) (*FDroidUpdateInfo, error) {
-	client := newFDroidHTTPClient()
-	defer client.CloseIdleConnections()
-
-	apiURL := "https://f-droid.org/api/v1/packages/" + packageName
-	request, err := newFDroidRequest(apiURL)
-	if err != nil {
-		return nil, err
-	}
-
-	response, err := client.Do(request)
-	if err != nil {
-		return nil, err
-	}
-	defer response.Body.Close()
-
-	if response.StatusCode != http.StatusOK {
-		return nil, E.New("HTTP ", response.Status)
-	}
-
-	body, err := io.ReadAll(response.Body)
-	if err != nil {
-		return nil, err
-	}
-
-	var apiResponse fdroidAPIResponse
-	err = json.Unmarshal(body, &apiResponse)
-	if err != nil {
-		return nil, err
-	}
-
-	var bestCode int32
-	var bestName string
-	for _, pkg := range apiResponse.Packages {
-		if pkg.VersionCode > currentVersionCode && pkg.VersionCode > bestCode {
-			bestCode = pkg.VersionCode
-			bestName = pkg.VersionName
-		}
-	}
-
-	if bestCode == 0 {
-		return nil, nil
-	}
-
-	return &FDroidUpdateInfo{
-		VersionCode: bestCode,
-		VersionName: bestName,
-		DownloadURL: "https://f-droid.org/repo/" + packageName + "_" + strconv.FormatInt(int64(bestCode), 10) + ".apk",
-	}, nil
-}
-
-func checkFDroidV2(client *http.Client, mirrorURL, packageName string, currentVersionCode int32, cachePath string, cache *fdroidCache) (*FDroidUpdateInfo, error) {
-	entryURL := mirrorURL + "/entry.jar"
-	request, err := newFDroidRequest(entryURL)
-	if err != nil {
-		return nil, err
-	}
-	if cache != nil && cache.ETag != "" {
-		request.Header.Set("If-None-Match", cache.ETag)
-	}
-
-	response, err := client.Do(request)
-	if err != nil {
-		return nil, err
-	}
-	defer response.Body.Close()
-
-	if response.StatusCode == http.StatusNotModified {
-		return nil, nil
-	}
-	if response.StatusCode == http.StatusNotFound {
-		writeFDroidCache(cachePath, mirrorURL, 0, "", true)
-		return checkFDroidV1(client, mirrorURL, packageName, currentVersionCode, cachePath, nil)
-	}
-	if response.StatusCode != http.StatusOK {
-		return nil, E.New("HTTP ", response.Status, ": ", entryURL)
-	}
-
-	jarData, err := io.ReadAll(response.Body)
-	if err != nil {
-		return nil, err
-	}
-	etag := response.Header.Get("ETag")
-
-	var entry fdroidEntry
-	err = readJSONFromJar(jarData, "entry.json", &entry)
-	if err != nil {
-		return nil, E.Cause(err, "read entry.jar")
-	}
-
-	if entry.Timestamp == 0 {
-		return nil, E.New("entry.json not found in entry.jar")
-	}
-
-	if cache != nil && cache.Timestamp == entry.Timestamp {
-		writeFDroidCache(cachePath, mirrorURL, entry.Timestamp, etag, false)
-		return nil, nil
-	}
-
-	var indexURL string
-	if cache != nil {
-		cachedTimestamp := strconv.FormatInt(cache.Timestamp, 10)
-		if diff, ok := entry.Diffs[cachedTimestamp]; ok {
-			indexURL = mirrorURL + "/" + diff.Name
-		}
-	}
-	if indexURL == "" {
-		indexURL = mirrorURL + "/" + entry.Index.Name
-	}
-
-	indexRequest, err := newFDroidRequest(indexURL)
-	if err != nil {
-		return nil, err
-	}
-
-	indexResponse, err := client.Do(indexRequest)
-	if err != nil {
-		return nil, err
-	}
-	defer indexResponse.Body.Close()
-
-	if indexResponse.StatusCode != http.StatusOK {
-		return nil, E.New("HTTP ", indexResponse.Status, ": ", indexURL)
-	}
-
-	indexData, err := io.ReadAll(indexResponse.Body)
-	if err != nil {
-		return nil, err
-	}
-
-	var index fdroidIndexV2
-	err = json.Unmarshal(indexData, &index)
-	if err != nil {
-		return nil, err
-	}
-
-	writeFDroidCache(cachePath, mirrorURL, entry.Timestamp, etag, false)
-
-	pkg, ok := index.Packages[packageName]
-	if !ok {
-		return nil, nil
-	}
-
-	var bestCode int32
-	var bestVersion fdroidV2Version
-	for _, version := range pkg.Versions {
-		if version.Manifest.VersionCode > currentVersionCode && version.Manifest.VersionCode > bestCode {
-			bestCode = version.Manifest.VersionCode
-			bestVersion = version
-		}
-	}
-
-	if bestCode == 0 {
-		return nil, nil
-	}
-
-	return &FDroidUpdateInfo{
-		VersionCode: bestCode,
-		VersionName: bestVersion.Manifest.VersionName,
-		DownloadURL: mirrorURL + "/" + bestVersion.File.Name,
-		FileSize:    bestVersion.File.Size,
-		FileSHA256:  bestVersion.File.SHA256,
-	}, nil
-}
-
-func checkFDroidV1(client *http.Client, mirrorURL, packageName string, currentVersionCode int32, cachePath string, cache *fdroidCache) (*FDroidUpdateInfo, error) {
-	indexURL := mirrorURL + "/index-v1.jar"
-
-	request, err := newFDroidRequest(indexURL)
-	if err != nil {
-		return nil, err
-	}
-	if cache != nil && cache.ETag != "" {
-		request.Header.Set("If-None-Match", cache.ETag)
-	}
-
-	response, err := client.Do(request)
-	if err != nil {
-		return nil, err
-	}
-	defer response.Body.Close()
-
-	if response.StatusCode == http.StatusNotModified {
-		return nil, nil
-	}
-	if response.StatusCode != http.StatusOK {
-		return nil, E.New("HTTP ", response.Status, ": ", indexURL)
-	}
-
-	jarData, err := io.ReadAll(response.Body)
-	if err != nil {
-		return nil, err
-	}
-	etag := response.Header.Get("ETag")
-
-	var index fdroidIndexV1
-	err = readJSONFromJar(jarData, "index-v1.json", &index)
-	if err != nil {
-		return nil, E.Cause(err, "read index-v1.jar")
-	}
-
-	writeFDroidCache(cachePath, mirrorURL, 0, etag, true)
-
-	packages, ok := index.Packages[packageName]
-	if !ok {
-		return nil, nil
-	}
-
-	var bestCode int32
-	var bestPackage fdroidV1Package
-	for _, pkg := range packages {
-		if pkg.VersionCode > currentVersionCode && pkg.VersionCode > bestCode {
-			bestCode = pkg.VersionCode
-			bestPackage = pkg
-		}
-	}
-
-	if bestCode == 0 {
-		return nil, nil
-	}
-
-	return &FDroidUpdateInfo{
-		VersionCode: bestCode,
-		VersionName: bestPackage.VersionName,
-		DownloadURL: mirrorURL + "/" + bestPackage.ApkName,
-		FileSize:    bestPackage.Size,
-		FileSHA256:  bestPackage.Hash,
-	}, nil
-}
-
-func readJSONFromJar(jarData []byte, fileName string, destination any) error {
-	zipReader, err := zip.NewReader(bytes.NewReader(jarData), int64(len(jarData)))
-	if err != nil {
-		return err
-	}
-	for _, file := range zipReader.File {
-		if file.Name != fileName {
-			continue
-		}
-		reader, err := file.Open()
-		if err != nil {
-			return err
-		}
-		data, err := io.ReadAll(reader)
-		reader.Close()
-		if err != nil {
-			return err
-		}
-		return json.Unmarshal(data, destination)
-	}
-	return nil
-}
-
-func pingTLS(mirrorURL string) (time.Duration, error) {
-	parsed, err := url.Parse(mirrorURL)
-	if err != nil {
-		return 0, err
-	}
-	host := parsed.Host
-	if !strings.Contains(host, ":") {
-		host = host + ":443"
-	}
-
-	dialer := &net.Dialer{Timeout: 5 * time.Second}
-	start := time.Now()
-	conn, err := tls.DialWithDialer(dialer, "tcp", host, &tls.Config{})
-	if err != nil {
-		return 0, err
-	}
-	latency := time.Since(start)
-	conn.Close()
-	return latency, nil
-}
-
-func loadFDroidCache(cachePath, mirrorURL string) *fdroidCache {
-	cacheFile := filepath.Join(cachePath, "fdroid_cache.json")
-	data, err := os.ReadFile(cacheFile)
-	if err != nil {
-		return nil
-	}
-	var cache fdroidCache
-	err = json.Unmarshal(data, &cache)
-	if err != nil {
-		return nil
-	}
-	if cache.MirrorURL != mirrorURL {
-		return nil
-	}
-	return &cache
-}
-
-func writeFDroidCache(cachePath, mirrorURL string, timestamp int64, etag string, isV1 bool) {
-	cache := fdroidCache{
-		MirrorURL: mirrorURL,
-		Timestamp: timestamp,
-		ETag:      etag,
-		IsV1:      isV1,
-	}
-	data, err := json.Marshal(cache)
-	if err != nil {
-		return
-	}
-	os.MkdirAll(cachePath, 0o755)
-	os.WriteFile(filepath.Join(cachePath, "fdroid_cache.json"), data, 0o644)
-}
--- a/experimental/libbox/fdroid_mirrors.go
+++ b/experimental/libbox/fdroid_mirrors.go
@@ -1,92 +0,0 @@
-package libbox
-
-type FDroidMirror struct {
-	URL     string
-	Country string
-	Name    string
-}
-
-type FDroidMirrorIterator interface {
-	Len() int32
-	HasNext() bool
-	Next() *FDroidMirror
-}
-
-var builtinFDroidMirrors = []FDroidMirror{
-	// Official
-	{URL: "https://f-droid.org/repo", Country: "Official", Name: "f-droid.org"},
-	{URL: "https://cloudflare.f-droid.org/repo", Country: "Official", Name: "Cloudflare CDN"},
-
-	// China
-	{URL: "https://mirrors.tuna.tsinghua.edu.cn/fdroid/repo", Country: "China", Name: "Tsinghua TUNA"},
-	{URL: "https://mirrors.nju.edu.cn/fdroid/repo", Country: "China", Name: "Nanjing University"},
-	{URL: "https://mirror.iscas.ac.cn/fdroid/repo", Country: "China", Name: "ISCAS"},
-	{URL: "https://mirror.nyist.edu.cn/fdroid/repo", Country: "China", Name: "NYIST"},
-	{URL: "https://mirrors.cqupt.edu.cn/fdroid/repo", Country: "China", Name: "CQUPT"},
-	{URL: "https://mirrors.shanghaitech.edu.cn/fdroid/repo", Country: "China", Name: "ShanghaiTech"},
-
-	// India
-	{URL: "https://mirror.hyd.albony.in/fdroid/repo", Country: "India", Name: "Albony Hyderabad"},
-	{URL: "https://mirror.del2.albony.in/fdroid/repo", Country: "India", Name: "Albony Delhi"},
-
-	// Taiwan
-	{URL: "https://mirror.ossplanet.net/fdroid/repo", Country: "Taiwan", Name: "OSSPlanet"},
-
-	// France
-	{URL: "https://fdroid.tetaneutral.net/fdroid/repo", Country: "France", Name: "tetaneutral.net"},
-	{URL: "https://mirror.freedif.org/fdroid/repo", Country: "France", Name: "FreeDif"},
-
-	// Germany
-	{URL: "https://ftp.fau.de/fdroid/repo", Country: "Germany", Name: "FAU Erlangen"},
-	{URL: "https://ftp.agdsn.de/fdroid/repo", Country: "Germany", Name: "AGDSN Dresden"},
-	{URL: "https://ftp.gwdg.de/pub/android/fdroid/repo", Country: "Germany", Name: "GWDG"},
-	{URL: "https://mirror.level66.network/fdroid/repo", Country: "Germany", Name: "Level66"},
-	{URL: "https://mirror.mci-1.serverforge.org/fdroid/repo", Country: "Germany", Name: "ServerForge"},
-
-	// Netherlands
-	{URL: "https://ftp.snt.utwente.nl/pub/software/fdroid/repo", Country: "Netherlands", Name: "University of Twente"},
-
-	// Sweden
-	{URL: "https://ftp.lysator.liu.se/pub/fdroid/repo", Country: "Sweden", Name: "Lysator"},
-
-	// Denmark
-	{URL: "https://mirrors.dotsrc.org/fdroid/repo", Country: "Denmark", Name: "dotsrc.org"},
-
-	// Austria
-	{URL: "https://mirror.kumi.systems/fdroid/repo", Country: "Austria", Name: "Kumi Systems"},
-
-	// Switzerland
-	{URL: "https://mirror.init7.net/fdroid/repo", Country: "Switzerland", Name: "Init7"},
-
-	// Romania
-	{URL: "https://mirrors.hostico.ro/fdroid/repo", Country: "Romania", Name: "Hostico"},
-	{URL: "https://mirrors.chroot.ro/fdroid/repo", Country: "Romania", Name: "Chroot"},
-	{URL: "https://ftp.lug.ro/fdroid/repo", Country: "Romania", Name: "LUG Romania"},
-
-	// US
-	{URL: "https://plug-mirror.rcac.purdue.edu/fdroid/repo", Country: "US", Name: "Purdue"},
-	{URL: "https://mirror.fcix.net/fdroid/repo", Country: "US", Name: "FCIX"},
-	{URL: "https://opencolo.mm.fcix.net/fdroid/repo", Country: "US", Name: "OpenColo"},
-	{URL: "https://forksystems.mm.fcix.net/fdroid/repo", Country: "US", Name: "Fork Systems"},
-	{URL: "https://southfront.mm.fcix.net/fdroid/repo", Country: "US", Name: "South Front"},
-	{URL: "https://ziply.mm.fcix.net/fdroid/repo", Country: "US", Name: "Ziply"},
-
-	// Canada
-	{URL: "https://mirror.quantum5.ca/fdroid/repo", Country: "Canada", Name: "Quantum5"},
-
-	// Australia
-	{URL: "https://mirror.aarnet.edu.au/fdroid/repo", Country: "Australia", Name: "AARNet"},
-
-	// Other
-	{URL: "https://mirror.cyberbits.eu/fdroid/repo", Country: "Europe", Name: "Cyberbits EU"},
-	{URL: "https://mirror.eu.ossplanet.net/fdroid/repo", Country: "Europe", Name: "OSSPlanet EU"},
-	{URL: "https://mirror.cyberbits.asia/fdroid/repo", Country: "Asia", Name: "Cyberbits Asia"},
-	{URL: "https://mirrors.jevincanders.net/fdroid/repo", Country: "US", Name: "Jevincanders"},
-	{URL: "https://mirrors.komogoto.com/fdroid/repo", Country: "US", Name: "Komogoto"},
-	{URL: "https://fdroid.rasp.sh/fdroid/repo", Country: "Europe", Name: "rasp.sh"},
-	{URL: "https://mirror.gofoss.xyz/fdroid/repo", Country: "Europe", Name: "GoFOSS"},
-}
-
-func GetFDroidMirrors() FDroidMirrorIterator {
-	return newPtrIterator(builtinFDroidMirrors)
-}
--- a/experimental/libbox/ffi.json
+++ b/experimental/libbox/ffi.json
@@ -1,19 +1,10 @@
 {
  "version": 1,
-  "variables": {
-    "VERSION": "$(go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest)",
-    "WORKSPACE_ROOT": "../../..",
-    "DEPLOY_ANDROID": "${WORKSPACE_ROOT}/sing-box-for-android/app/libs",
-    "DEPLOY_APPLE": "${WORKSPACE_ROOT}/sing-box-for-apple",
-    "DEPLOY_WINDOWS": "${WORKSPACE_ROOT}/sing-box-for-windows/local-packages"
-  },
  "packages": [
    {
      "id": "libbox",
      "path": ".",
      "java_package": "io.nekohasekai.libbox",
-      "csharp_namespace": "SagerNet",
-      "csharp_entrypoint": "Libbox",
      "apple_prefix": "Libbox"
    }
  ],
@@ -29,6 +20,7 @@
          "with_utls",
          "with_naive_outbound",
          "with_clash_api",
+          "with_conntrack",
          "badlinkname",
          "tfogo_checklinkname0",
          "with_tailscale",
@@ -44,7 +36,7 @@
          "ts_omit_synology",
          "ts_omit_bird"
        ],
-        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
+        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=$(CGO_ENABLED=0 go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest) -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
        "trimpath": true
      }
    },
@@ -58,6 +50,7 @@
          "with_wireguard",
          "with_utls",
          "with_clash_api",
+          "with_conntrack",
          "badlinkname",
          "tfogo_checklinkname0",
          "with_tailscale",
@@ -73,7 +66,7 @@
          "ts_omit_synology",
          "ts_omit_bird"
        ],
-        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
+        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=$(CGO_ENABLED=0 go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest) -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
        "trimpath": true
      }
    },
@@ -88,6 +81,7 @@
          "with_utls",
          "with_naive_outbound",
          "with_clash_api",
+          "with_conntrack",
          "badlinkname",
          "tfogo_checklinkname0",
          "with_dhcp",
@@ -105,7 +99,7 @@
          "ts_omit_synology",
          "ts_omit_bird"
        ],
-        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
+        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=$(CGO_ENABLED=0 go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest) -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
        "trimpath": true
      },
      "overrides": [
@@ -118,37 +112,6 @@
          "tags_append": ["with_low_memory"]
        }
      ]
-    },
-    {
-      "id": "windows",
-      "packages": ["libbox"],
-      "default": {
-        "tags": [
-          "with_gvisor",
-          "with_quic",
-          "with_wireguard",
-          "with_utls",
-          "with_naive_outbound",
-          "with_purego",
-          "with_clash_api",
-          "badlinkname",
-          "tfogo_checklinkname0",
-          "with_tailscale",
-          "ts_omit_logtail",
-          "ts_omit_ssh",
-          "ts_omit_drive",
-          "ts_omit_taildrop",
-          "ts_omit_webclient",
-          "ts_omit_doctor",
-          "ts_omit_capture",
-          "ts_omit_kube",
-          "ts_omit_aws",
-          "ts_omit_synology",
-          "ts_omit_bird"
-        ],
-        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
-        "trimpath": true
-      }
    }
  ],
  "platforms": [
@@ -156,19 +119,12 @@
      "type": "android",
      "build": "android-main",
      "min_sdk": 23,
-      "ndk_version": "28.0.13004108",
      "lib_name": "box",
      "languages": [{ "type": "java" }],
      "artifacts": [
        {
          "type": "aar",
-          "output_path": "libbox.aar",
-          "execute_after": [
-            "if [ -d \"${DEPLOY_ANDROID}\" ]; then",
-            "  rm -f \"${DEPLOY_ANDROID}/$$(basename \"${OUTPUT_PATH}\")\"",
-            "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_ANDROID}/\"",
-            "fi"
-          ]
+          "output_path": "libbox.aar"
        }
      ]
    },
@@ -176,19 +132,12 @@
      "type": "android",
      "build": "android-legacy",
      "min_sdk": 21,
-      "ndk_version": "28.0.13004108",
      "lib_name": "box",
      "languages": [{ "type": "java" }],
      "artifacts": [
        {
          "type": "aar",
-          "output_path": "libbox-legacy.aar",
-          "execute_after": [
-            "if [ -d \"${DEPLOY_ANDROID}\" ]; then",
-            "  rm -f \"${DEPLOY_ANDROID}/$$(basename \"${OUTPUT_PATH}\")\"",
-            "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_ANDROID}/\"",
-            "fi"
-          ]
+          "output_path": "libbox-legacy.aar"
        }
      ]
    },
@@ -210,46 +159,7 @@
        {
          "type": "xcframework",
          "module_name": "Libbox",
-          "execute_after": [
-            "if [ -d \"${DEPLOY_APPLE}\" ]; then",
-            "  rm -rf \"${DEPLOY_APPLE}/${MODULE_NAME}.xcframework\"",
-            "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_APPLE}/\"",
-            "fi"
-          ]
-        }
-      ]
-    },
-    {
-      "type": "csharp",
-      "build": "windows",
-      "targets": [
-        "windows/amd64"
-      ],
-      "languages": [{ "type": "csharp" }],
-      "artifacts": [
-        {
-          "type": "nuget",
-          "package_id": "SagerNet.Libbox",
-          "package_version": "0.0.0-local",
-          "execute_after": {
-            "windows": [
-              "$$deployPath = '${DEPLOY_WINDOWS}'",
-              "if (Test-Path $$deployPath) {",
-              "  Remove-Item \"$$deployPath\\${PACKAGE_ID}.*.nupkg\" -ErrorAction SilentlyContinue",
-              "  Move-Item -Force '${OUTPUT_PATH}' \"$$deployPath\\\"",
-              "  $$cachePath = if ($$env:NUGET_PACKAGES) { $$env:NUGET_PACKAGES } else { \"$$env:USERPROFILE\\.nuget\\packages\" }",
-              "  Remove-Item -Recurse -Force \"$$cachePath\\sagernet.libbox\\${PACKAGE_VERSION}\" -ErrorAction SilentlyContinue",
-              "}"
-            ],
-            "default": [
-              "if [ -d \"${DEPLOY_WINDOWS}\" ]; then",
-              "  rm -f \"${DEPLOY_WINDOWS}/${PACKAGE_ID}.*.nupkg\"",
-              "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_WINDOWS}/\"",
-              "  cache_path=\"$${NUGET_PACKAGES:-$${HOME}/.nuget/packages}\"",
-              "  rm -rf \"$${cache_path}/sagernet.libbox/${PACKAGE_VERSION}\"",
-              "fi"
-            ]
-          }
+          "output_path": "Libbox.xcframework"
        }
      ]
    }
--- a/experimental/libbox/memory.go
+++ b/experimental/libbox/memory.go
@@ -4,23 +4,20 @@ import (
 	"math"
 	runtimeDebug "runtime/debug"

-	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/common/conntrack"
 )

-var memoryLimitEnabled bool
-
 func SetMemoryLimit(enabled bool) {
-	memoryLimitEnabled = enabled
-	const memoryLimitGo = 45 * 1024 * 1024
+	const memoryLimit = 45 * 1024 * 1024
+	const memoryLimitGo = memoryLimit / 1.5
 	if enabled {
 		runtimeDebug.SetGCPercent(10)
-		if C.IsIos {
-			runtimeDebug.SetMemoryLimit(memoryLimitGo)
-		}
+		runtimeDebug.SetMemoryLimit(memoryLimitGo)
+		conntrack.KillerEnabled = true
+		conntrack.MemoryLimit = memoryLimit
 	} else {
 		runtimeDebug.SetGCPercent(100)
-		if C.IsIos {
-			runtimeDebug.SetMemoryLimit(math.MaxInt64)
-		}
+		runtimeDebug.SetMemoryLimit(math.MaxInt64)
+		conntrack.KillerEnabled = false
 	}
 }
--- a/experimental/libbox/neighbor.go
+++ b/experimental/libbox/neighbor.go
@@ -1,53 +0,0 @@
-package libbox
-
-import (
-	"net"
-	"net/netip"
-)
-
-type NeighborEntry struct {
-	Address    string
-	MacAddress string
-	Hostname   string
-}
-
-type NeighborEntryIterator interface {
-	Next() *NeighborEntry
-	HasNext() bool
-}
-
-type NeighborSubscription struct {
-	done chan struct{}
-}
-
-func (s *NeighborSubscription) Close() {
-	close(s.done)
-}
-
-func tableToIterator(table map[netip.Addr]net.HardwareAddr) NeighborEntryIterator {
-	entries := make([]*NeighborEntry, 0, len(table))
-	for address, mac := range table {
-		entries = append(entries, &NeighborEntry{
-			Address:    address.String(),
-			MacAddress: mac.String(),
-		})
-	}
-	return &neighborEntryIterator{entries}
-}
-
-type neighborEntryIterator struct {
-	entries []*NeighborEntry
-}
-
-func (i *neighborEntryIterator) HasNext() bool {
-	return len(i.entries) > 0
-}
-
-func (i *neighborEntryIterator) Next() *NeighborEntry {
-	if len(i.entries) == 0 {
-		return nil
-	}
-	entry := i.entries[0]
-	i.entries = i.entries[1:]
-	return entry
-}
--- a/experimental/libbox/neighbor_darwin.go
+++ b/experimental/libbox/neighbor_darwin.go
@@ -1,123 +0,0 @@
-//go:build darwin
-
-package libbox
-
-import (
-	"net"
-	"net/netip"
-	"os"
-	"slices"
-	"time"
-
-	"github.com/sagernet/sing-box/route"
-	"github.com/sagernet/sing/common/buf"
-	E "github.com/sagernet/sing/common/exceptions"
-
-	xroute "golang.org/x/net/route"
-	"golang.org/x/sys/unix"
-)
-
-func SubscribeNeighborTable(listener NeighborUpdateListener) (*NeighborSubscription, error) {
-	entries, err := route.ReadNeighborEntries()
-	if err != nil {
-		return nil, E.Cause(err, "initial neighbor dump")
-	}
-	table := make(map[netip.Addr]net.HardwareAddr)
-	for _, entry := range entries {
-		table[entry.Address] = entry.MACAddress
-	}
-	listener.UpdateNeighborTable(tableToIterator(table))
-	routeSocket, err := unix.Socket(unix.AF_ROUTE, unix.SOCK_RAW, 0)
-	if err != nil {
-		return nil, E.Cause(err, "open route socket")
-	}
-	err = unix.SetNonblock(routeSocket, true)
-	if err != nil {
-		unix.Close(routeSocket)
-		return nil, E.Cause(err, "set route socket nonblock")
-	}
-	subscription := &NeighborSubscription{
-		done: make(chan struct{}),
-	}
-	go subscription.loop(listener, routeSocket, table)
-	return subscription, nil
-}
-
-func (s *NeighborSubscription) loop(listener NeighborUpdateListener, routeSocket int, table map[netip.Addr]net.HardwareAddr) {
-	routeSocketFile := os.NewFile(uintptr(routeSocket), "route")
-	defer routeSocketFile.Close()
-	buffer := buf.NewPacket()
-	defer buffer.Release()
-	for {
-		select {
-		case <-s.done:
-			return
-		default:
-		}
-		tv := unix.NsecToTimeval(int64(3 * time.Second))
-		_ = unix.SetsockoptTimeval(routeSocket, unix.SOL_SOCKET, unix.SO_RCVTIMEO, &tv)
-		n, err := routeSocketFile.Read(buffer.FreeBytes())
-		if err != nil {
-			if nerr, ok := err.(net.Error); ok && nerr.Timeout() {
-				continue
-			}
-			select {
-			case <-s.done:
-				return
-			default:
-			}
-			continue
-		}
-		messages, err := xroute.ParseRIB(xroute.RIBTypeRoute, buffer.FreeBytes()[:n])
-		if err != nil {
-			continue
-		}
-		changed := false
-		for _, message := range messages {
-			routeMessage, isRouteMessage := message.(*xroute.RouteMessage)
-			if !isRouteMessage {
-				continue
-			}
-			if routeMessage.Flags&unix.RTF_LLINFO == 0 {
-				continue
-			}
-			address, mac, isDelete, ok := route.ParseRouteNeighborMessage(routeMessage)
-			if !ok {
-				continue
-			}
-			if isDelete {
-				if _, exists := table[address]; exists {
-					delete(table, address)
-					changed = true
-				}
-			} else {
-				existing, exists := table[address]
-				if !exists || !slices.Equal(existing, mac) {
-					table[address] = mac
-					changed = true
-				}
-			}
-		}
-		if changed {
-			listener.UpdateNeighborTable(tableToIterator(table))
-		}
-	}
-}
-
-func ReadBootpdLeases() NeighborEntryIterator {
-	leaseIPToMAC, ipToHostname, macToHostname := route.ReloadLeaseFiles([]string{"/var/db/dhcpd_leases"})
-	entries := make([]*NeighborEntry, 0, len(leaseIPToMAC))
-	for address, mac := range leaseIPToMAC {
-		entry := &NeighborEntry{
-			Address:    address.String(),
-			MacAddress: mac.String(),
-		}
-		hostname, found := ipToHostname[address]
-		if !found {
-			hostname = macToHostname[mac.String()]
-		}
-		entry.Hostname = hostname
-		entries = append(entries, entry)
-	}
-	return &neighborEntryIterator{entries}
-}
--- a/experimental/libbox/neighbor_linux.go
+++ b/experimental/libbox/neighbor_linux.go
@@ -1,88 +0,0 @@
-//go:build linux
-
-package libbox
-
-import (
-	"net"
-	"net/netip"
-	"slices"
-	"time"
-
-	"github.com/sagernet/sing-box/route"
-	E "github.com/sagernet/sing/common/exceptions"
-
-	"github.com/mdlayher/netlink"
-	"golang.org/x/sys/unix"
-)
-
-func SubscribeNeighborTable(listener NeighborUpdateListener) (*NeighborSubscription, error) {
-	entries, err := route.ReadNeighborEntries()
-	if err != nil {
-		return nil, E.Cause(err, "initial neighbor dump")
-	}
-	table := make(map[netip.Addr]net.HardwareAddr)
-	for _, entry := range entries {
-		table[entry.Address] = entry.MACAddress
-	}
-	listener.UpdateNeighborTable(tableToIterator(table))
-	connection, err := netlink.Dial(unix.NETLINK_ROUTE, &netlink.Config{
-		Groups: 1 << (unix.RTNLGRP_NEIGH - 1),
-	})
-	if err != nil {
-		return nil, E.Cause(err, "subscribe neighbor updates")
-	}
-	subscription := &NeighborSubscription{
-		done: make(chan struct{}),
-	}
-	go subscription.loop(listener, connection, table)
-	return subscription, nil
-}
-
-func (s *NeighborSubscription) loop(listener NeighborUpdateListener, connection *netlink.Conn, table map[netip.Addr]net.HardwareAddr) {
-	defer connection.Close()
-	for {
-		select {
-		case <-s.done:
-			return
-		default:
-		}
-		err := connection.SetReadDeadline(time.Now().Add(3 * time.Second))
-		if err != nil {
-			return
-		}
-		messages, err := connection.Receive()
-		if err != nil {
-			if nerr, ok := err.(net.Error); ok && nerr.Timeout() {
-				continue
-			}
-			select {
-			case <-s.done:
-				return
-			default:
-			}
-			continue
-		}
-		changed := false
-		for _, message := range messages {
-			address, mac, isDelete, ok := route.ParseNeighborMessage(message)
-			if !ok {
-				continue
-			}
-			if isDelete {
-				if _, exists := table[address]; exists {
-					delete(table, address)
-					changed = true
-				}
-			} else {
-				existing, exists := table[address]
-				if !exists || !slices.Equal(existing, mac) {
-					table[address] = mac
-					changed = true
-				}
-			}
-		}
-		if changed {
-			listener.UpdateNeighborTable(tableToIterator(table))
-		}
-	}
-}
--- a/experimental/libbox/neighbor_stub.go
+++ b/experimental/libbox/neighbor_stub.go
@@ -1,9 +0,0 @@
-//go:build !linux && !darwin
-
-package libbox
-
-import "os"
-
-func SubscribeNeighborTable(_ NeighborUpdateListener) (*NeighborSubscription, error) {
-	return nil, os.ErrInvalid
-}
--- a/experimental/libbox/platform.go
+++ b/experimental/libbox/platform.go
@@ -21,13 +21,6 @@ type PlatformInterface interface {
 	SystemCertificates() StringIterator
 	ClearDNSCache()
 	SendNotification(notification *Notification) error
-	StartNeighborMonitor(listener NeighborUpdateListener) error
-	CloseNeighborMonitor(listener NeighborUpdateListener) error
-	RegisterMyInterface(name string)
-}
-
-type NeighborUpdateListener interface {
-	UpdateNeighborTable(entries NeighborEntryIterator)
 }

 type ConnectionOwner struct {
--- a/experimental/libbox/semver.go
+++ b/experimental/libbox/semver.go
@@ -1,27 +0,0 @@
-package libbox
-
-import (
-	"strings"
-
-	"golang.org/x/mod/semver"
-)
-
-func CompareSemver(left string, right string) bool {
-	normalizedLeft := normalizeSemver(left)
-	if !semver.IsValid(normalizedLeft) {
-		return false
-	}
-	normalizedRight := normalizeSemver(right)
-	if !semver.IsValid(normalizedRight) {
-		return false
-	}
-	return semver.Compare(normalizedLeft, normalizedRight) > 0
-}
-
-func normalizeSemver(version string) string {
-	trimmedVersion := strings.TrimSpace(version)
-	if strings.HasPrefix(trimmedVersion, "v") {
-		return trimmedVersion
-	}
-	return "v" + trimmedVersion
-}
--- a/experimental/libbox/semver_test.go
+++ b/experimental/libbox/semver_test.go
@@ -1,16 +0,0 @@
-package libbox
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestCompareSemver(t *testing.T) {
-	t.Parallel()
-
-	require.False(t, CompareSemver("1.13.0-rc.4", "1.13.0"))
-	require.True(t, CompareSemver("1.13.1", "1.13.0"))
-	require.False(t, CompareSemver("v1.13.0", "1.13.0"))
-	require.False(t, CompareSemver("1.13.0-", "1.13.0"))
-}
--- a/experimental/libbox/service.go
+++ b/experimental/libbox/service.go
@@ -78,7 +78,6 @@ func (w *platformInterfaceWrapper) OpenInterface(options *tun.Options, platformO
 	}
 	options.FileDescriptor = dupFd
 	w.myTunName = options.Name
-	w.iif.RegisterMyInterface(options.Name)
 	return tun.New(*options)
 }

@@ -221,46 +220,6 @@ func (w *platformInterfaceWrapper) SendNotification(notification *adapter.Notifi
 	return w.iif.SendNotification((*Notification)(notification))
 }

-func (w *platformInterfaceWrapper) UsePlatformNeighborResolver() bool {
-	return true
-}
-
-func (w *platformInterfaceWrapper) StartNeighborMonitor(listener adapter.NeighborUpdateListener) error {
-	return w.iif.StartNeighborMonitor(&neighborUpdateListenerWrapper{listener: listener})
-}
-
-func (w *platformInterfaceWrapper) CloseNeighborMonitor(listener adapter.NeighborUpdateListener) error {
-	return w.iif.CloseNeighborMonitor(nil)
-}
-
-type neighborUpdateListenerWrapper struct {
-	listener adapter.NeighborUpdateListener
-}
-
-func (w *neighborUpdateListenerWrapper) UpdateNeighborTable(entries NeighborEntryIterator) {
-	var result []adapter.NeighborEntry
-	for entries.HasNext() {
-		entry := entries.Next()
-		if entry == nil {
-			continue
-		}
-		address, err := netip.ParseAddr(entry.Address)
-		if err != nil {
-			continue
-		}
-		macAddress, err := net.ParseMAC(entry.MacAddress)
-		if err != nil {
-			continue
-		}
-		result = append(result, adapter.NeighborEntry{
-			Address:    address,
-			MACAddress: macAddress,
-			Hostname:   entry.Hostname,
-		})
-	}
-	w.listener.UpdateNeighborTable(result)
-}
-
 func AvailablePort(startPort int32) (int32, error) {
 	for port := int(startPort); ; port++ {
 		if port > 65535 {
--- a/go.mod
+++ b/go.mod
@@ -3,62 +3,60 @@ module github.com/sagernet/sing-box
 go 1.24.7

 require (
-	github.com/anthropics/anthropic-sdk-go v1.26.0
+	github.com/anthropics/anthropic-sdk-go v1.19.0
 	github.com/anytls/sing-anytls v0.0.11
-	github.com/caddyserver/certmagic v0.25.2
+	github.com/caddyserver/certmagic v0.25.0
 	github.com/coder/websocket v1.8.14
 	github.com/cretz/bine v0.2.0
-	github.com/database64128/tfo-go/v2 v2.3.2
-	github.com/go-chi/chi/v5 v5.2.5
+	github.com/database64128/tfo-go/v2 v2.3.1
+	github.com/go-chi/chi/v5 v5.2.3
 	github.com/go-chi/render v1.0.3
-	github.com/godbus/dbus/v5 v5.2.2
+	github.com/godbus/dbus/v5 v5.2.1
 	github.com/gofrs/uuid/v5 v5.4.0
-	github.com/insomniacslk/dhcp v0.0.0-20260220084031-5adc3eb26f91
-	github.com/jsimonetti/rtnetlink v1.4.0
+	github.com/insomniacslk/dhcp v0.0.0-20251020182700-175e84fbb167
 	github.com/keybase/go-keychain v0.0.1
 	github.com/libdns/acmedns v0.5.0
-	github.com/libdns/alidns v1.0.6
+	github.com/libdns/alidns v1.0.6-beta.3
 	github.com/libdns/cloudflare v0.2.2
 	github.com/logrusorgru/aurora v2.0.3+incompatible
-	github.com/mdlayher/netlink v1.9.0
 	github.com/metacubex/utls v1.8.4
-	github.com/mholt/acmez/v3 v3.1.6
-	github.com/miekg/dns v1.1.72
-	github.com/openai/openai-go/v3 v3.26.0
+	github.com/mholt/acmez/v3 v3.1.4
+	github.com/miekg/dns v1.1.69
+	github.com/openai/openai-go/v3 v3.15.0
 	github.com/oschwald/maxminddb-golang v1.13.1
 	github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
 	github.com/sagernet/cors v1.2.1
-	github.com/sagernet/cronet-go v0.0.0-20260309100020-c128886ff3fc
-	github.com/sagernet/cronet-go/all v0.0.0-20260309100020-c128886ff3fc
+	github.com/sagernet/cronet-go v0.0.0-20260117110918-dc1cda1fe287
+	github.com/sagernet/cronet-go/all v0.0.0-20260117110918-dc1cda1fe287
 	github.com/sagernet/fswatch v0.1.1
-	github.com/sagernet/gomobile v0.1.12
+	github.com/sagernet/gomobile v0.1.11
 	github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1
-	github.com/sagernet/quic-go v0.59.0-sing-box-mod.4
-	github.com/sagernet/sing v0.8.3-0.20260311155444-d39eb42a9f69
+	github.com/sagernet/quic-go v0.59.0-sing-box-mod.2
+	github.com/sagernet/sing v0.8.0-beta.16
 	github.com/sagernet/sing-mux v0.3.4
-	github.com/sagernet/sing-quic v0.6.0
+	github.com/sagernet/sing-quic v0.6.0-beta.12
 	github.com/sagernet/sing-shadowsocks v0.2.8
 	github.com/sagernet/sing-shadowsocks2 v0.2.1
 	github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11
-	github.com/sagernet/sing-tun v0.8.3-0.20260311132553-5485872f601f
+	github.com/sagernet/sing-tun v0.8.0-beta.17
 	github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1
 	github.com/sagernet/smux v1.5.50-sing-box-mod.1
-	github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260311131347-f88b27eeb76e
-	github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c
+	github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6
+	github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20250917110311-16510ac47288
 	github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854
 	github.com/spf13/cobra v1.10.2
 	github.com/stretchr/testify v1.11.1
 	github.com/vishvananda/netns v0.0.5
 	go.uber.org/zap v1.27.1
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.48.0
+	golang.org/x/crypto v0.46.0
 	golang.org/x/exp v0.0.0-20251219203646-944ab1f22d93
-	golang.org/x/mod v0.33.0
-	golang.org/x/net v0.50.0
-	golang.org/x/sys v0.41.0
+	golang.org/x/mod v0.31.0
+	golang.org/x/net v0.48.0
+	golang.org/x/sys v0.39.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
-	google.golang.org/grpc v1.79.1
+	google.golang.org/grpc v1.77.0
 	google.golang.org/protobuf v1.36.11
 	howett.net/plist v1.0.1
 )
@@ -69,7 +67,7 @@ require (
 	github.com/akutz/memconn v0.1.0 // indirect
 	github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa // indirect
 	github.com/andybalholm/brotli v1.1.0 // indirect
-	github.com/caddyserver/zerossl v0.1.5 // indirect
+	github.com/caddyserver/zerossl v0.1.3 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 // indirect
 	github.com/database64128/netx-go v0.1.1 // indirect
@@ -94,9 +92,11 @@ require (
 	github.com/hashicorp/yamux v0.1.2 // indirect
 	github.com/hdevalence/ed25519consensus v0.2.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jsimonetti/rtnetlink v1.4.0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/libdns/libdns v1.1.1 // indirect
+	github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 // indirect
 	github.com/mdlayher/socket v0.5.1 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
@@ -105,35 +105,28 @@ require (
 	github.com/prometheus-community/pro-bing v0.4.0 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/safchain/ethtool v0.3.0 // indirect
-	github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
 	github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a // indirect
 	github.com/sagernet/nftables v0.3.0-beta.4 // indirect
 	github.com/spf13/pflag v1.0.9 // indirect
@@ -154,15 +147,15 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap/exp v0.3.0 // indirect
 	go4.org/mem v0.0.0-20240501181205-ae6ca9944745 // indirect
-	golang.org/x/oauth2 v0.34.0 // indirect
+	golang.org/x/oauth2 v0.32.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/term v0.40.0 // indirect
-	golang.org/x/text v0.34.0 // indirect
+	golang.org/x/term v0.38.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
-	golang.org/x/tools v0.42.0 // indirect
+	golang.org/x/tools v0.40.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.3.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,3 @@
-code.pfad.fr/check v1.1.0 h1:GWvjdzhSEgHvEHe2uJujDcpmZoySKuHQNrZMfzfO0bE=
-code.pfad.fr/check v1.1.0/go.mod h1:NiUH13DtYsb7xp5wll0U4SXx7KhXQVCtRgdC96IPfoM=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
@@ -10,18 +8,16 @@ github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7V
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/andybalholm/brotli v1.1.0 h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1U3M=
 github.com/andybalholm/brotli v1.1.0/go.mod h1:sms7XGricyQI9K10gOSf56VKKWS4oLer58Q+mhRPtnY=
-github.com/anthropics/anthropic-sdk-go v1.26.0 h1:oUTzFaUpAevfuELAP1sjL6CQJ9HHAfT7CoSYSac11PY=
-github.com/anthropics/anthropic-sdk-go v1.26.0/go.mod h1:qUKmaW+uuPB64iy1l+4kOSvaLqPXnHTTBKH6RVZ7q5Q=
+github.com/anthropics/anthropic-sdk-go v1.19.0 h1:mO6E+ffSzLRvR/YUH9KJC0uGw0uV8GjISIuzem//3KE=
+github.com/anthropics/anthropic-sdk-go v1.19.0/go.mod h1:WTz31rIUHUHqai2UslPpw5CwXrQP3geYBioRV4WOLvE=
 github.com/anytls/sing-anytls v0.0.11 h1:w8e9Uj1oP3m4zxkyZDewPk0EcQbvVxb7Nn+rapEx4fc=
 github.com/anytls/sing-anytls v0.0.11/go.mod h1:7rjN6IukwysmdusYsrV51Fgu1uW6vsrdd6ctjnEAln8=
-github.com/caddyserver/certmagic v0.25.2 h1:D7xcS7ggX/WEY54x0czj7ioTkmDWKIgxtIi2OcQclUc=
-github.com/caddyserver/certmagic v0.25.2/go.mod h1:llW/CvsNmza8S6hmsuggsZeiX+uS27dkqY27wDIuBWg=
-github.com/caddyserver/zerossl v0.1.5 h1:dkvOjBAEEtY6LIGAHei7sw2UgqSD6TrWweXpV7lvEvE=
-github.com/caddyserver/zerossl v0.1.5/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
+github.com/caddyserver/certmagic v0.25.0 h1:VMleO/XA48gEWes5l+Fh6tRWo9bHkhwAEhx63i+F5ic=
+github.com/caddyserver/certmagic v0.25.0/go.mod h1:m9yB7Mud24OQbPHOiipAoyKPn9pKHhpSJxXR1jydBxA=
+github.com/caddyserver/zerossl v0.1.3 h1:onS+pxp3M8HnHpN5MMbOMyNjmTheJyWRaZYwn+YTAyA=
+github.com/caddyserver/zerossl v0.1.3/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
-github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
 github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
 github.com/coder/websocket v1.8.14 h1:9L0p0iKiNOibykf283eHkKUHHrpG7f65OE3BhhO7v9g=
@@ -33,8 +29,8 @@ github.com/cretz/bine v0.2.0 h1:8GiDRGlTgz+o8H9DSnsl+5MeBK4HsExxgl6WgzOCuZo=
 github.com/cretz/bine v0.2.0/go.mod h1:WU4o9QR9wWp8AVKtTM1XD5vUHkEqnf2vVSo6dBqbetI=
 github.com/database64128/netx-go v0.1.1 h1:dT5LG7Gs7zFZBthFBbzWE6K8wAHjSNAaK7wCYZT7NzM=
 github.com/database64128/netx-go v0.1.1/go.mod h1:LNlYVipaYkQArRFDNNJ02VkNV+My9A5XR/IGS7sIBQc=
-github.com/database64128/tfo-go/v2 v2.3.2 h1:UhZMKiMq3swZGUiETkLBDzQnZBPSAeBMClpJGlnJ5Fw=
-github.com/database64128/tfo-go/v2 v2.3.2/go.mod h1:GC3uB5oa4beGpCUbRb2ZOWP73bJJFmMyAVgQSO7r724=
+github.com/database64128/tfo-go/v2 v2.3.1 h1:EGE+ELd5/AQ0X6YBlQ9RgKs8+kciNhgN3d8lRvfEJQw=
+github.com/database64128/tfo-go/v2 v2.3.1/go.mod h1:k9wcpg/8i5zenspBkc9jUEYehpZZccBnCElzOJB++bU=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -42,8 +38,6 @@ github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa h1:h8TfIT1xc8FWbww
 github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa/go.mod h1:Nx87SkVqTKd8UtT+xu7sM/l+LgXs6c0aHrlKusR+2EQ=
 github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1 h1:CaO/zOnF8VvUfEbhRatPcwKVWamvbYd8tQGRWacE9kU=
 github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1/go.mod h1:+hnT3ywWDTAFrW5aE+u2Sa/wT555ZqwoCS+pk3p6ry4=
-github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
-github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
 github.com/ebitengine/purego v0.9.1 h1:a/k2f2HQU3Pi399RPW1MOaZyhKJL9w/xFpKAg4q1s0A=
 github.com/ebitengine/purego v0.9.1/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/florianl/go-nfqueue/v2 v2.0.2 h1:FL5lQTeetgpCvac1TRwSfgaXUn0YSO7WzGvWNIp3JPE=
@@ -56,12 +50,10 @@ github.com/gaissmai/bart v0.18.0 h1:jQLBT/RduJu0pv/tLwXE+xKPgtWJejbxuXAR+wLJafo=
 github.com/gaissmai/bart v0.18.0/go.mod h1:JJzMAhNF5Rjo4SF4jWBrANuJfqY+FvsFhW7t1UZJ+XY=
 github.com/github/fakeca v0.1.0 h1:Km/MVOFvclqxPM9dZBC4+QE564nU4gz4iZ0D9pMw28I=
 github.com/github/fakeca v0.1.0/go.mod h1:+bormgoGMMuamOscx7N91aOuUST7wdaJ2rNjeohylyo=
-github.com/go-chi/chi/v5 v5.2.5 h1:Eg4myHZBjyvJmAFjFvWgrqDTXFyOzjj7YIm3L3mu6Ug=
-github.com/go-chi/chi/v5 v5.2.5/go.mod h1:X7Gx4mteadT3eDOMTsXzmI4/rwUpOwBHLpAfupzFJP0=
+github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE=
+github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
 github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
 github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
-github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
-github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced h1:Q311OHjMh/u5E2TITc++WlTP5We0xNseRMkHDyvhW7I=
 github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced/go.mod h1:TiCD2a1pcmjd7YnhGH0f/zKNcCD06B029pHhzV23c2M=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
@@ -74,8 +66,8 @@ github.com/gobwas/httphead v0.1.0 h1:exrUm0f4YX0L7EBwZHuCF4GDp8aJfVeBrlLQrs6NqWU
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
 github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
-github.com/godbus/dbus/v5 v5.2.2 h1:TUR3TgtSVDmjiXOgAAyaZbYmIeP3DPkld3jgKGV8mXQ=
-github.com/godbus/dbus/v5 v5.2.2/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c=
+github.com/godbus/dbus/v5 v5.2.1 h1:I4wwMdWSkmI57ewd+elNGwLRf2/dtSaFz1DujfWYvOk=
+github.com/godbus/dbus/v5 v5.2.1/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c=
 github.com/gofrs/uuid/v5 v5.4.0 h1:EfbpCTjqMuGyq5ZJwxqzn3Cbr2d0rUZU7v5ycAk/e/0=
 github.com/gofrs/uuid/v5 v5.4.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
@@ -99,8 +91,8 @@ github.com/hdevalence/ed25519consensus v0.2.0 h1:37ICyZqdyj0lAZ8P4D1d1id3HqbbG1N
 github.com/hdevalence/ed25519consensus v0.2.0/go.mod h1:w3BHWjwJbFU29IRHL1Iqkw3sus+7FctEyM4RqDxYNzo=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/insomniacslk/dhcp v0.0.0-20260220084031-5adc3eb26f91 h1:u9i04mGE3iliBh0EFuWaKsmcwrLacqGmq1G3XoaM7gY=
-github.com/insomniacslk/dhcp v0.0.0-20260220084031-5adc3eb26f91/go.mod h1:qfvBmyDNp+/liLEYWRvqny/PEz9hGe2Dz833eXILSmo=
+github.com/insomniacslk/dhcp v0.0.0-20251020182700-175e84fbb167 h1:MEufgJohwIjFi2n3eJv4c/8UdRLQVUwPwSWQPoER+eU=
+github.com/insomniacslk/dhcp v0.0.0-20251020182700-175e84fbb167/go.mod h1:qfvBmyDNp+/liLEYWRvqny/PEz9hGe2Dz833eXILSmo=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jsimonetti/rtnetlink v1.4.0 h1:Z1BF0fRgcETPEa0Kt0MRk3yV5+kF1FWTni6KUFKrq2I=
 github.com/jsimonetti/rtnetlink v1.4.0/go.mod h1:5W1jDvWdnthFJ7fxYX1GMK07BUpI4oskfOqvPteYS6E=
@@ -110,36 +102,32 @@ github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zt
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
-github.com/letsencrypt/challtestsrv v1.4.2 h1:0ON3ldMhZyWlfVNYYpFuWRTmZNnyfiL9Hh5YzC3JVwU=
-github.com/letsencrypt/challtestsrv v1.4.2/go.mod h1:GhqMqcSoeGpYd5zX5TgwA6er/1MbWzx/o7yuuVya+Wk=
-github.com/letsencrypt/pebble/v2 v2.10.0 h1:Wq6gYXlsY6ubqI3hhxsTzdyotvfdjFBxuwYqCLCnj/U=
-github.com/letsencrypt/pebble/v2 v2.10.0/go.mod h1:Sk8cmUIPcIdv2nINo+9PB4L+ZBhzY+F9A1a/h/xmWiQ=
 github.com/libdns/acmedns v0.5.0 h1:5pRtmUj4Lb/QkNJSl1xgOGBUJTWW7RjpNaIhjpDXjPE=
 github.com/libdns/acmedns v0.5.0/go.mod h1:X7UAFP1Ep9NpTwWpVlrZzJLR7epynAy0wrIxSPFgKjQ=
-github.com/libdns/alidns v1.0.6 h1:/Ii428ty6WHFJmE24rZxq2taq++gh7rf9jhgLfp8PmM=
-github.com/libdns/alidns v1.0.6/go.mod h1:RECwyQ88e9VqQVtSrvX76o1ux3gQUKGzMgxICi+u7Ec=
+github.com/libdns/alidns v1.0.6-beta.3 h1:KAmb7FQ1tRzKsaAUGa7ZpGKAMRANwg7+1c7tUbSELq8=
+github.com/libdns/alidns v1.0.6-beta.3/go.mod h1:RECwyQ88e9VqQVtSrvX76o1ux3gQUKGzMgxICi+u7Ec=
 github.com/libdns/cloudflare v0.2.2 h1:XWHv+C1dDcApqazlh08Q6pjytYLgR2a+Y3xrXFu0vsI=
 github.com/libdns/cloudflare v0.2.2/go.mod h1:w9uTmRCDlAoafAsTPnn2nJ0XHK/eaUMh86DUk8BWi60=
 github.com/libdns/libdns v1.1.1 h1:wPrHrXILoSHKWJKGd0EiAVmiJbFShguILTg9leS/P/U=
 github.com/libdns/libdns v1.1.1/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
 github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczGlG91VSDkswnjF5A8=
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
-github.com/mdlayher/netlink v1.9.0 h1:G8+GLq2x3v4D4MVIqDdNUhTUC7TKiCy/6MDkmItfKco=
-github.com/mdlayher/netlink v1.9.0/go.mod h1:YBnl5BXsCoRuwBjKKlZ+aYmEoq0r12FDA/3JC+94KDg=
+github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 h1:A1Cq6Ysb0GM0tpKMbdCXCIfBclan4oHk1Jb+Hrejirg=
+github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42/go.mod h1:BB4YCPDOzfy7FniQ/lxuYQ3dgmM2cZumHbK8RpTjN2o=
 github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos=
 github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
 github.com/metacubex/utls v1.8.4 h1:HmL9nUApDdWSkgUyodfwF6hSjtiwCGGdyhaSpEejKpg=
 github.com/metacubex/utls v1.8.4/go.mod h1:kncGGVhFaoGn5M3pFe3SXhZCzsbCJayNOH4UEqTKTko=
-github.com/mholt/acmez/v3 v3.1.6 h1:eGVQNObP0pBN4sxqrXeg7MYqTOWyoiYpQqITVWlrevk=
-github.com/mholt/acmez/v3 v3.1.6/go.mod h1:5nTPosTGosLxF3+LU4ygbgMRFDhbAVpqMI4+a4aHLBY=
-github.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI=
-github.com/miekg/dns v1.1.72/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=
+github.com/mholt/acmez/v3 v3.1.4 h1:DyzZe/RnAzT3rpZj/2Ii5xZpiEvvYk3cQEN/RmqxwFQ=
+github.com/mholt/acmez/v3 v3.1.4/go.mod h1:L1wOU06KKvq7tswuMDwKdcHeKpFFgkppZy/y0DFxagQ=
+github.com/miekg/dns v1.1.69 h1:Kb7Y/1Jo+SG+a2GtfoFUfDkG//csdRPwRLkCsxDG9Sc=
+github.com/miekg/dns v1.1.69/go.mod h1:7OyjD9nEba5OkqQ/hB4fy3PIoxafSZJtducccIelz3g=
 github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
 github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 h1:zYyBkD/k9seD2A7fsi6Oo2LfFZAehjjQMERAvZLEDnQ=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8=
-github.com/openai/openai-go/v3 v3.26.0 h1:bRt6H/ozMNt/dDkN4gobnLqaEGrRGBzmbVs0xxJEnQE=
-github.com/openai/openai-go/v3 v3.26.0/go.mod h1:cdufnVK14cWcT9qA1rRtrXx4FTRsgbDPW7Ia7SS5cZo=
+github.com/openai/openai-go/v3 v3.15.0 h1:hk99rM7YPz+M99/5B/zOQcVwFRLLMdprVGx1vaZ8XMo=
+github.com/openai/openai-go/v3 v3.15.0/go.mod h1:cdufnVK14cWcT9qA1rRtrXx4FTRsgbDPW7Ia7SS5cZo=
 github.com/oschwald/maxminddb-golang v1.13.1 h1:G3wwjdN9JmIK2o/ermkHM+98oX5fS+k5MbwsmL4MRQE=
 github.com/oschwald/maxminddb-golang v1.13.1/go.mod h1:K4pgV9N/GcK694KSTmVSDTODk4IsCNThNdTmnaBZ/F8=
 github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
@@ -162,102 +150,88 @@ github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkk
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a/go.mod h1:63s7jpZqcDAIpj8oI/1v4Izok+npJOHACFCU6+huCkM=
 github.com/sagernet/cors v1.2.1 h1:Cv5Z8y9YSD6Gm+qSpNrL3LO4lD3eQVvbFYJSG7JCMHQ=
 github.com/sagernet/cors v1.2.1/go.mod h1:O64VyOjjhrkLmQIjF4KGRrJO/5dVXFdpEmCW/eISRAI=
-github.com/sagernet/cronet-go v0.0.0-20260309100020-c128886ff3fc h1:YK7PwJT0irRAEui9ASdXSxcE2BOVQipWMF/A1Ogt+7c=
-github.com/sagernet/cronet-go v0.0.0-20260309100020-c128886ff3fc/go.mod h1:hwFHBEjjthyEquDULbr4c4ucMedp8Drb6Jvm2kt/0Bw=
-github.com/sagernet/cronet-go/all v0.0.0-20260309100020-c128886ff3fc h1:EJPHOqk23IuBsTjXK9OXqkNxPbKOBWKRmviQoCcriAs=
-github.com/sagernet/cronet-go/all v0.0.0-20260309100020-c128886ff3fc/go.mod h1:8aty0RW96DrJSMWXO6bRPMBJEjuqq5JWiOIi4bCRzFA=
-github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260309101654-0cbdcfddded9 h1:Qi0IKBpoPP3qZqIXuOKMsT2dv+l/MLWMyBHDMLRw2EA=
-github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:XXDwdjX/T8xftoeJxQmbBoYXZp8MAPFR2CwbFuTpEtw=
-github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260309101654-0cbdcfddded9 h1:p+wCMjOhj46SpSD/AJeTGgkCcbyA76FyH631XZatyU8=
-github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:iNiUGoLtnr8/JTuVNj7XJbmpOAp2C6+B81KDrPxwaZM=
-github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260309101654-0cbdcfddded9 h1:Y7lWrZwEhC/HX8Pb5C92CrQihuaE7hrHmWB2ykst3iQ=
-github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:19ILNUOGIzRdOqa2mq+iY0JoHxuieB7/lnjYeaA2vEc=
-github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:3Ggy5wiyjA6t+aVVPnXlSEIVj9zkxd4ybH3NsvsNefs=
-github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:JxzGyQf94Cr6sBShKqODGDyRUlESfJK/Njcz9Lz6qMQ=
-github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260309101654-0cbdcfddded9 h1:DuFTCnZloblY+7olXiZoRdueWfxi34EV5UheTFKM2rA=
-github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:KN+9T9TBycGOLzmKU4QdcHAJEj6Nlx48ifnlTvvHMvs=
-github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:x/6T2gjpLw9yNdCVR6xBlzMUzED9fxNFNt6U6A6SOh8=
-github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:kojvtUc29KKnk8hs2QIANynVR59921SnGWA9kXohHc0=
-github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9 h1:Lx9PExM70rg8aNxPm0JPeSr5SWC3yFiCz4wIq86ugx8=
-github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:hkQzRE5GDbaH1/ioqYh0Taho4L6i0yLRCVEZ5xHz5M0=
-github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:BTEpw7/vKR9BNBsHebfpiGHDCPpjVJ3vLIbHNU3VUfM=
-github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:tzVJFTOm66UxLxy6K0ZN5Ic2PC79e+sKKnt+V9puEa4=
-github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9 h1:hdEph9nQXRnKwc/lIDwo15rmzbC6znXF5jJWHPN1Fiw=
-github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:M/pN6m3j0HFU6/y83n0HU6GLYys3tYdr/xTE8hVEGMo=
-github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260309101654-0cbdcfddded9 h1:Iq++oYV7dtRJHTpu8yclHJdn+1oj2t1e84/YpdXYWW8=
-github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:cGh5hO6eljCo6KMQ/Cel8Xgq4+etL0awZLRBDVG1EZQ=
-github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260309101654-0cbdcfddded9 h1:Y43fuLL8cgwRHpEKwxh0O3vYp7g/SZGvbkJj3cQ6USA=
-github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:JFE0/cxaKkx0wqPMZU7MgaplQlU0zudv82dROJjClKU=
-github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260309101654-0cbdcfddded9 h1:bX2GJmF0VCC+tBrVAa49YEsmJ4A9dLmwoA6DJUxRtCY=
-github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:vU8VftFeSt7fURCa3JXD6+k6ss1YAX+idQjPvHmJ2tI=
-github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260309101654-0cbdcfddded9 h1:gQTR/2azUCInE0r3kmesZT9xu+x801+BmtDY0d0Tw9Y=
-github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:vCe4OUuL+XOUge9v3MyTD45BnuAXiH+DkjN9quDXJzQ=
-github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260309101654-0cbdcfddded9 h1:X4mP3jlYvxgrKpZLOKMmc/O8T5/zP83/23pgfQOc3tY=
-github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:w9amBWrvjtohQzBGCKJ7LCh22LhTIJs4sE7cYaKQzM0=
-github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:c6xj2nXr/65EDiRFddUKQIBQ/b/lAPoH8WFYlgadaPc=
-github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:TqlsFtcYS/etTeck46kHBeT8Le0Igw1Q/AV88UnMS3s=
-github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260309101654-0cbdcfddded9 h1:ahbl7yjOvGVVNUwk9TcQk+xejVfoYAYFRlhWnby0/YM=
-github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:B6Qd0vys8sv9OKVRN6J9RqDzYRGE938Fb2zrYdBDyTQ=
-github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260309101654-0cbdcfddded9 h1:JC5Zv5+J85da6g5G56VhdaK53fmo6Os2q/wWi5QlxOw=
-github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:3tXMMFY7AHugOVBZ5Al7cL7JKsnFOe5bMVr0hZPk3ow=
-github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260309101654-0cbdcfddded9 h1:4bt7Go588BoM4VjNYMxx0MrvbwlFQn3DdRDCM7BmkRo=
-github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:Wt5uFdU3tnmm8YzobYewwdF7Mt6SucRQg6xeTNWC3Tk=
-github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260309101654-0cbdcfddded9 h1:E1z0BeLUh8EZfCjIyS9BrfCocZrt+0KPS0bzop3Sxf4=
-github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:lyIF6wKBLwWa5ZXaAKbAoewewl+yCHo2iYev39Mbj4E=
-github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260309101654-0cbdcfddded9 h1:d8ejxRHO7Vi9JqR/6DxR7RyI/swA2JfDWATR4T7otBw=
-github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:H46PnSTTZNcZokLLiDeMDaHiS1l14PH3tzWi0eykjD8=
-github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260309101654-0cbdcfddded9 h1:iUDVEVu3RxL5ArPIY72BesbuX5zQ1la/ZFwKpQcGc5c=
-github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:RBhSUDAKWq7fswtV4nQUQhuaTLcX3ettR7teA7/yf2w=
-github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260309101654-0cbdcfddded9 h1:xB6ikOC/R3n3hjy68EJ0sbZhH4vwEhd6JM9jZ1U2SVY=
-github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:wRzoIOGG4xbpp3Gh3triLKwMwYriScXzFtunLYhY4w0=
-github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260309101654-0cbdcfddded9 h1:mBOuLCPOOMMq8N1+dUM5FqZclqga1+u6fAbPqQcbIhc=
-github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:LNiZXmWil1OPwKCheqQjtakZlJuKGFz+iv2eGF76Hhs=
-github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260309101654-0cbdcfddded9 h1:cwPyDfj+ZNFE7kvcWbayQJyeC/KQA16HTXOxgHphL0w=
-github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:YFDGKTkpkJGc5+hnX/RYosZyTWg9h+68VB55fYRRLYc=
-github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9 h1:Zk9zG8kt3mXAboclUXQlvvxKQuhnI8u5NdDEl8uotNY=
-github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:aaX0YGl8nhGmfRWI8bc3BtDjY8Vzx6O0cS/e1uqxDq4=
-github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:Lu05srGqddQRMnl1MZtGAReln2yJljeGx9b1IadlMJ8=
-github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:EdzMKA96xITc42QEI+ct4SwqX8Dn3ltKK8wzdkLWpSc=
-github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9 h1:Tk9bDywUmOtc0iMjjCVIwMlAQNsxCy+bK+bTNA0OaBE=
-github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:qix4kv1TTAJ5tY4lJ9vjhe9EY4mM+B7H5giOhbxDVcc=
-github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260309101654-0cbdcfddded9 h1:tQqDQw3tEHdQpt7NTdAwF3UvZ3CjNIj/IJKMRFmm388=
-github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:lm9w/oCCRyBiUa3G8lDQTT8x/ONUvgVR2iV9fVzUZB8=
-github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:biUIbI2YxUrcQikEfS/bwPA8NsHp/WO+VZUG4morUmE=
-github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:n34YyLgapgjWdKa0IoeczjAFCwD3/dxbsH5sucKw0bw=
+github.com/sagernet/cronet-go v0.0.0-20260117110918-dc1cda1fe287 h1:0BYNmr0ptjsII948U0oBFmrbo4qEaCFcrE2JPRg3Zlk=
+github.com/sagernet/cronet-go v0.0.0-20260117110918-dc1cda1fe287/go.mod h1:hwFHBEjjthyEquDULbr4c4ucMedp8Drb6Jvm2kt/0Bw=
+github.com/sagernet/cronet-go/all v0.0.0-20260117110918-dc1cda1fe287 h1:ghxhYSBQpzkakqWqJDvXr/Zmxe0WjTjKuALEGbjGiGY=
+github.com/sagernet/cronet-go/all v0.0.0-20260117110918-dc1cda1fe287/go.mod h1:M+4ZjPhLJXIvoxcQsbDofmc19Wrig59hZ+hLvj6S3To=
+github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260117110516-f21660bef13f h1:8jZbZ4KBTdcXDFLwUBNQt5Xci6ZuAKh255S8TwuBCaM=
+github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260117110516-f21660bef13f/go.mod h1:XXDwdjX/T8xftoeJxQmbBoYXZp8MAPFR2CwbFuTpEtw=
+github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260117110516-f21660bef13f h1:tG0hCx+0u5zca7qQ7AMkcv4DCrBG/DKW1ggs/P+BRRI=
+github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:iNiUGoLtnr8/JTuVNj7XJbmpOAp2C6+B81KDrPxwaZM=
+github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260117110516-f21660bef13f h1:ZXp5hKJIA7iJ52ZShJCKMQEPLpp/7dDIVZmPGV9Il40=
+github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260117110516-f21660bef13f/go.mod h1:19ILNUOGIzRdOqa2mq+iY0JoHxuieB7/lnjYeaA2vEc=
+github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260117110516-f21660bef13f h1:gL7H8HS8s38adz4/HZtRHh79qMwsbLTRRPz4GQ9LcWI=
+github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:JxzGyQf94Cr6sBShKqODGDyRUlESfJK/Njcz9Lz6qMQ=
+github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260117110516-f21660bef13f h1:Dchgc0pAY5Jwb5lzUlE+1nhHIzqLx+YOurXLHgvWd/0=
+github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:KN+9T9TBycGOLzmKU4QdcHAJEj6Nlx48ifnlTvvHMvs=
+github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260117110516-f21660bef13f h1:+MOLSQoduuKDxF410i1LcSPaQGaiP0eZb0INvMlmjM4=
+github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:kojvtUc29KKnk8hs2QIANynVR59921SnGWA9kXohHc0=
+github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260117110516-f21660bef13f h1:lIZna05Vn6n8k21p8OpSUnhwGm+E57PrMjiI4ZUfMSg=
+github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:hkQzRE5GDbaH1/ioqYh0Taho4L6i0yLRCVEZ5xHz5M0=
+github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260117110516-f21660bef13f h1:B2aFQ5CRHI20t8YsEizvtguS5W2QfK7D5XV/NzTIxPE=
+github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:tzVJFTOm66UxLxy6K0ZN5Ic2PC79e+sKKnt+V9puEa4=
+github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260117110516-f21660bef13f h1:qpSwJ1rFGYCfJDenNCZoWYjoG7N+xEa6ke+E7/JO1i4=
+github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:M/pN6m3j0HFU6/y83n0HU6GLYys3tYdr/xTE8hVEGMo=
+github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260117110516-f21660bef13f h1:cx7Ipg0tSvTDjS4maMEYz4vuzz93BMPAysmZ1YLrz80=
+github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260117110516-f21660bef13f/go.mod h1:cGh5hO6eljCo6KMQ/Cel8Xgq4+etL0awZLRBDVG1EZQ=
+github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260117110516-f21660bef13f h1:4jOHuUiBxD8pJEpBBVQfJqyLmxjpd3t4MLRzU7YLFyg=
+github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:JFE0/cxaKkx0wqPMZU7MgaplQlU0zudv82dROJjClKU=
+github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260117110516-f21660bef13f h1:OpXBa2WlRU+Mam9oRe9Nn4/zf7gQ+qiBTNK8A5RwbfQ=
+github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:vU8VftFeSt7fURCa3JXD6+k6ss1YAX+idQjPvHmJ2tI=
+github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260117110516-f21660bef13f h1:nJpGFi+6hI85tl4zoyNFEnFEQ5+xEV5gyvsUoMvd8g0=
+github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:vCe4OUuL+XOUge9v3MyTD45BnuAXiH+DkjN9quDXJzQ=
+github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260117110516-f21660bef13f h1:SEy2rpmgOJgrqcEryJI/RSnqUWIsEsp0cfYoA8y21jc=
+github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260117110516-f21660bef13f/go.mod h1:w9amBWrvjtohQzBGCKJ7LCh22LhTIJs4sE7cYaKQzM0=
+github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260117110516-f21660bef13f h1:EW2TuFMLm0iBGqRZtuGwIZdeYmDtDsDmRcRRJQOMxUo=
+github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:TqlsFtcYS/etTeck46kHBeT8Le0Igw1Q/AV88UnMS3s=
+github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260117110516-f21660bef13f h1:3U5woxrNCkzfv1+UX+mVoWh1228AE1qAiMG02F9oFbY=
+github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:B6Qd0vys8sv9OKVRN6J9RqDzYRGE938Fb2zrYdBDyTQ=
+github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260117110516-f21660bef13f h1:YwFTfuWG3mmctroeDYtFZ6LHjGsedVO+5wInYbbUuUY=
+github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:3tXMMFY7AHugOVBZ5Al7cL7JKsnFOe5bMVr0hZPk3ow=
+github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260117110516-f21660bef13f h1:r4V0ddPCRLgGu0VdgR3aUsO9NjpmyjAf+h+3oTD9D6E=
+github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:aaX0YGl8nhGmfRWI8bc3BtDjY8Vzx6O0cS/e1uqxDq4=
+github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260117110516-f21660bef13f h1:B8yf4gFvEYUnwWmtVK9sdwUsflYZ387MhYmlOP2ohFQ=
+github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:EdzMKA96xITc42QEI+ct4SwqX8Dn3ltKK8wzdkLWpSc=
+github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260117110516-f21660bef13f h1:9YyaMg4rO1/jIgrxmNb0LKH+X7frSYWfX2pFgW5JUVM=
+github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:qix4kv1TTAJ5tY4lJ9vjhe9EY4mM+B7H5giOhbxDVcc=
+github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260117110516-f21660bef13f h1:B0fnGu0sh9yT/9JDN5u/GqThGoOzNN/daOAuGWFLXEk=
+github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:lm9w/oCCRyBiUa3G8lDQTT8x/ONUvgVR2iV9fVzUZB8=
+github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260117110516-f21660bef13f h1:lxPcIXKSSI5JDhc7rx/6yufISWM4vtBS2FY9PavWQTs=
+github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:n34YyLgapgjWdKa0IoeczjAFCwD3/dxbsH5sucKw0bw=
 github.com/sagernet/fswatch v0.1.1 h1:YqID+93B7VRfqIH3PArW/XpJv5H4OLEVWDfProGoRQs=
 github.com/sagernet/fswatch v0.1.1/go.mod h1:nz85laH0mkQqJfaOrqPpkwtU1znMFNVTpT/5oRsVz/o=
-github.com/sagernet/gomobile v0.1.12 h1:XwzjZaclFF96deLqwAgK8gU3w0M2A8qxgDmhV+A0wjg=
-github.com/sagernet/gomobile v0.1.12/go.mod h1:A8l3FlHi2D/+mfcd4HHvk5DGFPW/ShFb9jHP5VmSiDY=
+github.com/sagernet/gomobile v0.1.11 h1:niMQAspvuThup5eRZQpsGcbM76zAvnsGr7RUIpnQMDQ=
+github.com/sagernet/gomobile v0.1.11/go.mod h1:A8l3FlHi2D/+mfcd4HHvk5DGFPW/ShFb9jHP5VmSiDY=
 github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1 h1:AzCE2RhBjLJ4WIWc/GejpNh+z30d5H1hwaB0nD9eY3o=
 github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1/go.mod h1:NJKBtm9nVEK3iyOYWsUlrDQuoGh4zJ4KOPhSYVidvQ4=
 github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a h1:ObwtHN2VpqE0ZNjr6sGeT00J8uU7JF4cNUdb44/Duis=
 github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
 github.com/sagernet/nftables v0.3.0-beta.4 h1:kbULlAwAC3jvdGAC1P5Fa3GSxVwQJibNenDW2zaXr8I=
 github.com/sagernet/nftables v0.3.0-beta.4/go.mod h1:OQXAjvjNGGFxaTgVCSTRIhYB5/llyVDeapVoENYBDS8=
-github.com/sagernet/quic-go v0.59.0-sing-box-mod.4 h1:6qvrUW79S+CrPwWz6cMePXohgjHoKxLo3c+MDhNwc3o=
-github.com/sagernet/quic-go v0.59.0-sing-box-mod.4/go.mod h1:OqILvS182CyOol5zNNo6bguvOGgXzV459+chpRaUC+4=
-github.com/sagernet/sing v0.8.3-0.20260311155444-d39eb42a9f69 h1:h6UF2emeydBQMAso99Nr3APV6YustOs+JszVuCkcFy0=
-github.com/sagernet/sing v0.8.3-0.20260311155444-d39eb42a9f69/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/quic-go v0.59.0-sing-box-mod.2 h1:hJUL+HtxEOjxsa0CsucbBVqI/AMS4k52NwNU637zmdw=
+github.com/sagernet/quic-go v0.59.0-sing-box-mod.2/go.mod h1:OqILvS182CyOol5zNNo6bguvOGgXzV459+chpRaUC+4=
+github.com/sagernet/sing v0.8.0-beta.16 h1:Fe+6E9VHYky9Mx4cf0ugbZPWDcXRflpAu7JQ5bWXvaA=
+github.com/sagernet/sing v0.8.0-beta.16/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-mux v0.3.4 h1:ZQplKl8MNXutjzbMVtWvWG31fohhgOfCuUZR4dVQ8+s=
 github.com/sagernet/sing-mux v0.3.4/go.mod h1:QvlKMyNBNrQoyX4x+gq028uPbLM2XeRpWtDsWBJbFSk=
-github.com/sagernet/sing-quic v0.6.0 h1:dhrFnP45wgVKEOT1EvtsToxdzRnHIDIAgj6WHV9pLyM=
-github.com/sagernet/sing-quic v0.6.0/go.mod h1:K5bWvITOm4vE10fwLfrWpw27bCoVJ+tfQ79tOWg+Ko8=
+github.com/sagernet/sing-quic v0.6.0-beta.12 h1:njyU2NYGBITShAu31wJRmqAtx7hQBcXqBPowDv+W0sk=
+github.com/sagernet/sing-quic v0.6.0-beta.12/go.mod h1:K5bWvITOm4vE10fwLfrWpw27bCoVJ+tfQ79tOWg+Ko8=
 github.com/sagernet/sing-shadowsocks v0.2.8 h1:PURj5PRoAkqeHh2ZW205RWzN9E9RtKCVCzByXruQWfE=
 github.com/sagernet/sing-shadowsocks v0.2.8/go.mod h1:lo7TWEMDcN5/h5B8S0ew+r78ZODn6SwVaFhvB6H+PTI=
 github.com/sagernet/sing-shadowsocks2 v0.2.1 h1:dWV9OXCeFPuYGHb6IRqlSptVnSzOelnqqs2gQ2/Qioo=
 github.com/sagernet/sing-shadowsocks2 v0.2.1/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11 h1:tK+75l64tm9WvEFrYRE1t0YxoFdWQqw/h7Uhzj0vJ+w=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11/go.mod h1:sWqKnGlMipCHaGsw1sTTlimyUpgzP4WP3pjhCsYt9oA=
-github.com/sagernet/sing-tun v0.8.3-0.20260311132553-5485872f601f h1:uj3rzedphq1AiL0PpuVoob5RtKsPBcMRd8aqo+q0rqA=
-github.com/sagernet/sing-tun v0.8.3-0.20260311132553-5485872f601f/go.mod h1:pLCo4o+LacXEzz0bhwhJkKBjLlKOGPBNOAZ97ZVZWzs=
+github.com/sagernet/sing-tun v0.8.0-beta.17 h1:6DdbNXeTFYj8Tb4FCh8Mp2boA3rVY6VNqzTOObj7Xis=
+github.com/sagernet/sing-tun v0.8.0-beta.17/go.mod h1:+HAK/y9GZljdT0KYKMYDR8MjjqnqDDQZYp5ZZQoRzS8=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1 h1:aSwUNYUkVyVvdmBSufR8/nRFonwJeKSIROxHcm5br9o=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1/go.mod h1:P11scgTxMxVVQ8dlM27yNm3Cro40mD0+gHbnqrNGDuY=
 github.com/sagernet/smux v1.5.50-sing-box-mod.1 h1:XkJcivBC9V4wBjiGXIXZ229aZCU1hzcbp6kSkkyQ478=
 github.com/sagernet/smux v1.5.50-sing-box-mod.1/go.mod h1:NjhsCEWedJm7eFLyhuBgIEzwfhRmytrUoiLluxs5Sk8=
-github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260311131347-f88b27eeb76e h1:Sv1qUhJIidjSTc24XEknovDZnbmVSlAXj8wNVgIfgGo=
-github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260311131347-f88b27eeb76e/go.mod h1:m87GAn4UcesHQF3leaPFEINZETO5za1LGn1GJdNDgNc=
-github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c h1:f9cXNB+IOOPnR8DOLMTpr42jf7naxh5Un5Y09BBf5Cg=
-github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c/go.mod h1:WUxgxUDZoCF2sxVmW+STSxatP02Qn3FcafTiI2BLtE0=
+github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6 h1:eYz/OpMqWCvO2++iw3dEuzrlfC2xv78GdlGvprIM6O8=
+github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6/go.mod h1:m87GAn4UcesHQF3leaPFEINZETO5za1LGn1GJdNDgNc=
+github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20250917110311-16510ac47288 h1:E2tZFeg9mGYGQ7E7BbxMv1cU35HxwgRm6tPKI2Pp7DA=
+github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20250917110311-16510ac47288/go.mod h1:WUxgxUDZoCF2sxVmW+STSxatP02Qn3FcafTiI2BLtE0=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854 h1:6uUiZcDRnZSAegryaUGwPC/Fj13JSHwiTftrXhMmYOc=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854/go.mod h1:LtfoSK3+NG57tvnVEHgcuBW9ujgE8enPSgzgwStwCAA=
 github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
@@ -309,16 +283,16 @@ github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
 github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48=
-go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8=
-go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0=
-go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs=
-go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18=
-go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE=
-go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8=
-go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=
-go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI=
-go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA=
+go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
+go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
+go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
+go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
+go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
+go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
+go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
+go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
+go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
+go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
@@ -333,20 +307,20 @@ go4.org/mem v0.0.0-20240501181205-ae6ca9944745/go.mod h1:reUoABIJ9ikfM5sgtSF3Wus
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
-golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
 golang.org/x/exp v0.0.0-20251219203646-944ab1f22d93 h1:fQsdNF2N+/YewlRZiricy4P1iimyPKZ/xwniHj8Q2a0=
 golang.org/x/exp v0.0.0-20251219203646-944ab1f22d93/go.mod h1:EPRbTFwzwjXj9NpYyyrvenVh9Y+GFeEvMNh7Xuz7xgU=
 golang.org/x/image v0.27.0 h1:C8gA4oWU/tKkdCfYT6T2u4faJu3MeNS5O8UPWlPF61w=
 golang.org/x/image v0.27.0/go.mod h1:xbdrClrAUway1MUTEZDq9mz/UpRwYAkFFNUslZtcB+g=
-golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
-golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
+golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
+golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
-golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
-golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
-golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
+golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
+golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
 golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
@@ -356,20 +330,20 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
-golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
+golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
+golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
-golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
 golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
 golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
-golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
+golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
+golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -381,17 +355,15 @@ golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus
 golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
-google.golang.org/grpc v1.79.1 h1:zGhSi45ODB9/p3VAawt9a+O/MULLl9dpizzNNpq7flY=
-google.golang.org/grpc v1.79.1/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 h1:M1rk8KBnUsBDg1oPGHNCxG4vc1f49epmTO7xscSajMk=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+google.golang.org/grpc v1.77.0 h1:wVVY6/8cGA6vvffn+wWK5ToddbgdU3d8MNENr4evgXM=
+google.golang.org/grpc v1.77.0/go.mod h1:z0BY1iVj0q8E1uSQCjL9cppRj+gnZjzDnzV0dHhrNig=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
 google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
-gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/include/oom_killer.go
+++ b/include/oom_killer.go
@@ -1,10 +0,0 @@
-package include
-
-import (
-	"github.com/sagernet/sing-box/adapter/service"
-	"github.com/sagernet/sing-box/service/oomkiller"
-)
-
-func registerOOMKillerService(registry *service.Registry) {
-	oomkiller.RegisterService(registry)
-}
--- a/include/registry.go
+++ b/include/registry.go
@@ -20,6 +20,7 @@ import (
 	"github.com/sagernet/sing-box/protocol/anytls"
 	"github.com/sagernet/sing-box/protocol/block"
 	"github.com/sagernet/sing-box/protocol/direct"
+	protocolDNS "github.com/sagernet/sing-box/protocol/dns"
 	"github.com/sagernet/sing-box/protocol/group"
 	"github.com/sagernet/sing-box/protocol/http"
 	"github.com/sagernet/sing-box/protocol/mixed"
@@ -75,6 +76,7 @@ func OutboundRegistry() *outbound.Registry {
 	direct.RegisterOutbound(registry)

 	block.RegisterOutbound(registry)
+	protocolDNS.RegisterOutbound(registry)

 	group.RegisterSelector(registry)
 	group.RegisterURLTest(registry)
@@ -92,6 +94,7 @@ func OutboundRegistry() *outbound.Registry {
 	anytls.RegisterOutbound(registry)

 	registerQUICOutbounds(registry)
+	registerWireGuardOutbound(registry)
 	registerStubForRemovedOutbounds(registry)

 	return registry
@@ -134,7 +137,6 @@ func ServiceRegistry() *service.Registry {
 	registerDERPService(registry)
 	registerCCMService(registry)
 	registerOCMService(registry)
-	registerOOMKillerService(registry)

 	return registry
 }
@@ -149,7 +151,4 @@ func registerStubForRemovedOutbounds(registry *outbound.Registry) {
 	outbound.Register[option.ShadowsocksROutboundOptions](registry, C.TypeShadowsocksR, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.ShadowsocksROutboundOptions) (adapter.Outbound, error) {
 		return nil, E.New("ShadowsocksR is deprecated and removed in sing-box 1.6.0")
 	})
-	outbound.Register[option.StubOptions](registry, C.TypeWireGuard, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.StubOptions) (adapter.Outbound, error) {
-		return nil, E.New("WireGuard outbound is deprecated in sing-box 1.11.0 and removed in sing-box 1.13.0, use WireGuard endpoint instead")
-	})
 }
--- a/include/wireguard.go
+++ b/include/wireguard.go
@@ -4,9 +4,14 @@ package include

 import (
 	"github.com/sagernet/sing-box/adapter/endpoint"
+	"github.com/sagernet/sing-box/adapter/outbound"
 	"github.com/sagernet/sing-box/protocol/wireguard"
 )

+func registerWireGuardOutbound(registry *outbound.Registry) {
+	wireguard.RegisterOutbound(registry)
+}
+
 func registerWireGuardEndpoint(registry *endpoint.Registry) {
 	wireguard.RegisterEndpoint(registry)
 }
--- a/include/wireguard_stub.go
+++ b/include/wireguard_stub.go
@@ -7,12 +7,19 @@ import (

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/adapter/endpoint"
+	"github.com/sagernet/sing-box/adapter/outbound"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )

+func registerWireGuardOutbound(registry *outbound.Registry) {
+	outbound.Register[option.LegacyWireGuardOutboundOptions](registry, C.TypeWireGuard, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.LegacyWireGuardOutboundOptions) (adapter.Outbound, error) {
+		return nil, E.New(`WireGuard is not included in this build, rebuild with -tags with_wireguard`)
+	})
+}
+
 func registerWireGuardEndpoint(registry *endpoint.Registry) {
 	endpoint.Register[option.WireGuardEndpointOptions](registry, C.TypeWireGuard, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.WireGuardEndpointOptions) (adapter.Endpoint, error) {
 		return nil, E.New(`WireGuard is not included in this build, rebuild with -tags with_wireguard`)
--- a/log/format.go
+++ b/log/format.go
@@ -168,11 +168,7 @@ func FormatDuration(duration time.Duration) string {
 		return F.ToString(duration.Milliseconds(), "ms")
 	} else if duration < time.Minute {
 		return F.ToString(int64(duration.Seconds()), ".", int64(duration.Seconds()*100)%100, "s")
-	} else if duration < time.Hour {
-		return F.ToString(int64(duration.Minutes()), "m", int64(duration.Seconds())%60, "s")
-	} else if duration < 24*time.Hour {
-		return F.ToString(int64(duration.Hours()), "h", int64(duration.Minutes())%60, "m")
 	} else {
-		return F.ToString(int64(duration.Hours())/24, "d", int64(duration.Hours())%24, "h")
+		return F.ToString(int64(duration.Minutes()), "m", int64(duration.Seconds())%60, "s")
 	}
 }
--- a/Show More
+++ b/Show More