Add Linux WI-FI state support

Reference: https://gitlab.com/go-extension/tls

.github/CRONET_GO_VERSION

@@ -1 +0,0 @@
-b0385d27c2ab659d9532d71f301deb6599c44a79

.github/setup_go_for_windows7.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-VERSION="1.25.5"
+VERSION="1.25.1"
 
 mkdir -p $HOME/go
 cd $HOME/go

.github/update_cronet.sh

@@ -1,13 +0,0 @@
-#!/usr/bin/env bash
-
-set -e -o pipefail
-
-SCRIPT_DIR=$(dirname "$0")
-PROJECTS=$SCRIPT_DIR/../..
-
-git -C $PROJECTS/cronet-go fetch origin main
-git -C $PROJECTS/cronet-go fetch origin go
-go get -x github.com/sagernet/cronet-go/all@$(git -C $PROJECTS/cronet-go rev-parse origin/go)
-go get -x github.com/sagernet/cronet-go@$(git -C $PROJECTS/cronet-go rev-parse origin/go)
-go mod tidy
-git -C $PROJECTS/cronet-go rev-parse origin/HEAD > "$SCRIPT_DIR/CRONET_GO_VERSION"

.github/workflows/build.yml

@@ -46,7 +46,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.5
+          go-version: ^1.25.1
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -69,25 +69,13 @@ jobs:
     strategy:
       matrix:
         include:
-          - { os: linux, arch: amd64, variant: purego, naive: true, openwrt: "x86_64" }
-          - { os: linux, arch: amd64, variant: glibc, naive: true }
-          - { os: linux, arch: amd64, variant: musl, naive: true, debian: amd64, rpm: x86_64, pacman: x86_64, openwrt: "x86_64" }
-
-          - { os: linux, arch: arm64, variant: purego, naive: true, openwrt: "aarch64_cortex-a53 aarch64_cortex-a72 aarch64_cortex-a76 aarch64_generic" }
-          - { os: linux, arch: arm64, variant: glibc, naive: true }
-          - { os: linux, arch: arm64, variant: musl, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64, openwrt: "aarch64_cortex-a53 aarch64_cortex-a72 aarch64_cortex-a76 aarch64_generic" }
-
-          - { os: linux, arch: "386", go386: sse2, openwrt: "i386_pentium4" }
-          - { os: linux, arch: "386", variant: glibc, naive: true, go386: sse2 }
-          - { os: linux, arch: "386", variant: musl, naive: true, go386: sse2, debian: i386, rpm: i386, openwrt: "i386_pentium4" }
-
-          - { os: linux, arch: arm, goarm: "7", openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }
-          - { os: linux, arch: arm, variant: glibc, naive: true, goarm: "7" }
-          - { os: linux, arch: arm, variant: musl, naive: true, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }
-
+          - { os: linux, arch: amd64, debian: amd64, rpm: x86_64, pacman: x86_64, openwrt: "x86_64" }
+          - { os: linux, arch: "386", go386: sse2, debian: i386, rpm: i386, openwrt: "i386_pentium4" }
           - { os: linux, arch: "386", go386: softfloat, openwrt: "i386_pentium-mmx" }
+          - { os: linux, arch: arm64, debian: arm64, rpm: aarch64, pacman: aarch64, openwrt: "aarch64_cortex-a53 aarch64_cortex-a72 aarch64_cortex-a76 aarch64_generic" }
           - { os: linux, arch: arm, goarm: "5", openwrt: "arm_arm926ej-s arm_cortex-a7 arm_cortex-a9 arm_fa526 arm_xscale" }
           - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl, openwrt: "arm_arm1176jzf-s_vfp" }
+          - { os: linux, arch: arm, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }
           - { os: linux, arch: mips, gomips: softfloat, openwrt: "mips_24kc mips_4kec mips_mips32" }
           - { os: linux, arch: mipsle, gomips: hardfloat, debian: mipsel, rpm: mipsel, openwrt: "mipsel_24kc_24kf" }
           - { os: linux, arch: mipsle, gomips: softfloat, openwrt: "mipsel_24kc mipsel_74kc mipsel_mips32" }
@@ -99,28 +87,35 @@ jobs:
           - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64, openwrt: "riscv64_generic" }
           - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }
 
+          - { os: windows, arch: amd64 }
           - { os: windows, arch: amd64, legacy_win7: true, legacy_name: "windows-7" }
+          - { os: windows, arch: "386" }
           - { os: windows, arch: "386", legacy_win7: true, legacy_name: "windows-7" }
+          - { os: windows, arch: arm64 }
 
-          - { os: android, arch: arm64, ndk: "aarch64-linux-android23" }
-          - { os: android, arch: arm, ndk: "armv7a-linux-androideabi23" }
-          - { os: android, arch: amd64, ndk: "x86_64-linux-android23" }
-          - { os: android, arch: "386", ndk: "i686-linux-android23" }
+          - { os: darwin, arch: amd64 }
+          - { os: darwin, arch: arm64 }
+          - { os: darwin, arch: amd64, legacy_go124: true, legacy_name: "macos-11" }
+
+          - { os: android, arch: arm64, ndk: "aarch64-linux-android21" }
+          - { os: android, arch: arm, ndk: "armv7a-linux-androideabi21" }
+          - { os: android, arch: amd64, ndk: "x86_64-linux-android21" }
+          - { os: android, arch: "386", ndk: "i686-linux-android21" }
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           fetch-depth: 0
       - name: Setup Go
-        if: ${{ ! (matrix.legacy_win7 || matrix.legacy_go124) }}
+        if: ${{ ! (matrix.legacy_go123 || matrix.legacy_go124) }}
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.5
+          go-version: ^1.25.1
       - name: Setup Go 1.24
         if: matrix.legacy_go124
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.24.10
+          go-version: ~1.24.6
       - name: Cache Go for Windows 7
         if: matrix.legacy_win7
         id: cache-go-for-windows7
@@ -128,7 +123,7 @@ jobs:
         with:
           path: |
             ~/go/go_win7
-          key: go_win7_1255
+          key: go_win7_1251
       - name: Setup Go for Windows 7
         if: matrix.legacy_win7 && steps.cache-go-for-windows7.outputs.cache-hit != 'true'
         run: |-
@@ -144,45 +139,6 @@ jobs:
         with:
           ndk-version: r28
           local-cache: true
-      - name: Clone cronet-go
-        if: matrix.naive
-        run: |
-          set -xeuo pipefail
-          CRONET_GO_VERSION=$(cat .github/CRONET_GO_VERSION)
-          git init ~/cronet-go
-          git -C ~/cronet-go remote add origin https://github.com/sagernet/cronet-go.git
-          git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
-          git -C ~/cronet-go checkout FETCH_HEAD
-          git -C ~/cronet-go submodule update --init --recursive --depth=1
-      - name: Cache Chromium toolchain
-        if: matrix.naive
-        id: cache-chromium-toolchain
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
-            ~/cronet-go/naiveproxy/src/out/sysroot-build
-          key: chromium-toolchain-${{ matrix.arch }}-${{ matrix.variant }}-${{ hashFiles('.github/CRONET_GO_VERSION') }}
-      - name: Download Chromium toolchain
-        if: matrix.naive
-        run: |
-          set -xeuo pipefail
-          cd ~/cronet-go
-          if [[ "${{ matrix.variant }}" == "musl" ]]; then
-            go run ./cmd/build-naive --target=linux/${{ matrix.arch }} --libc=musl download-toolchain
-          else
-            go run ./cmd/build-naive --target=linux/${{ matrix.arch }} download-toolchain
-          fi
-      - name: Set Chromium toolchain environment
-        if: matrix.naive
-        run: |
-          set -xeuo pipefail
-          cd ~/cronet-go
-          if [[ "${{ matrix.variant }}" == "musl" ]]; then
-            go run ./cmd/build-naive --target=linux/${{ matrix.arch }} --libc=musl env >> $GITHUB_ENV
-          else
-            go run ./cmd/build-naive --target=linux/${{ matrix.arch }} env >> $GITHUB_ENV
-          fi
       - name: Set tag
         run: |-
           git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
@@ -190,70 +146,10 @@ jobs:
       - name: Set build tags
         run: |
           set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
-          if [[ "${{ matrix.naive }}" == "true" ]]; then
-            TAGS="${TAGS},with_naive_outbound"
-          fi
-          if [[ "${{ matrix.variant }}" == "purego" ]]; then
-            TAGS="${TAGS},with_purego"
-          elif [[ "${{ matrix.variant }}" == "musl" ]]; then
-            TAGS="${TAGS},with_musl"
-          fi
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,badlinkname,tfogo_checklinkname0'
           echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
-      - name: Build (purego)
-        if: matrix.variant == 'purego'
-        run: |
-          set -xeuo pipefail
-          mkdir -p dist
-          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
-          ./cmd/sing-box
-        env:
-          CGO_ENABLED: "0"
-          GOOS: ${{ matrix.os }}
-          GOARCH: ${{ matrix.arch }}
-          GO386: ${{ matrix.go386 }}
-          GOARM: ${{ matrix.goarm }}
-          GOMIPS: ${{ matrix.gomips }}
-          GOMIPS64: ${{ matrix.gomips }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Extract libcronet.so
-        if: matrix.variant == 'purego' && matrix.naive
-        run: |
-          cd ~/cronet-go
-          CGO_ENABLED=0 go run -v ./cmd/build-naive extract-lib --target ${{ matrix.os }}/${{ matrix.arch }} -o $GITHUB_WORKSPACE/dist
-      - name: Build (glibc)
-        if: matrix.variant == 'glibc'
-        run: |
-          set -xeuo pipefail
-          mkdir -p dist
-          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
-          ./cmd/sing-box
-        env:
-          CGO_ENABLED: "1"
-          GOOS: linux
-          GOARCH: ${{ matrix.arch }}
-          GO386: ${{ matrix.go386 }}
-          GOARM: ${{ matrix.goarm }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build (musl)
-        if: matrix.variant == 'musl'
-        run: |
-          set -xeuo pipefail
-          mkdir -p dist
-          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
-          ./cmd/sing-box
-        env:
-          CGO_ENABLED: "1"
-          GOOS: linux
-          GOARCH: ${{ matrix.arch }}
-          GO386: ${{ matrix.go386 }}
-          GOARM: ${{ matrix.goarm }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build (non-variant)
-        if: matrix.os != 'android' && matrix.variant == ''
+      - name: Build
+        if: matrix.os != 'android'
         run: |
           set -xeuo pipefail
           mkdir -p dist
@@ -297,11 +193,6 @@ jobs:
           elif [[ -n "${{ matrix.legacy_name }}" ]]; then
             DIR_NAME="${DIR_NAME}-legacy-${{ matrix.legacy_name }}"
           fi
-          if [[ "${{ matrix.variant }}" == "glibc" ]]; then
-            DIR_NAME="${DIR_NAME}-glibc"
-          elif [[ "${{ matrix.variant }}" == "musl" ]]; then
-            DIR_NAME="${DIR_NAME}-musl"
-          fi
           echo "DIR_NAME=${DIR_NAME}" >> "${GITHUB_ENV}"
           PKG_VERSION="${{ needs.calculate_version.outputs.version }}"
           PKG_VERSION="${PKG_VERSION//-/\~}"
@@ -369,12 +260,8 @@ jobs:
             -p "dist/openwrt.deb" \
             --architecture all \
             dist/sing-box=/usr/bin/sing-box
-          SUFFIX=""
-          if [[ "${{ matrix.variant }}" == "musl" ]]; then
-            SUFFIX="_musl"
-          fi
           for architecture in ${{ matrix.openwrt }}; do
-            .github/deb2ipk.sh "$architecture" "dist/openwrt.deb" "dist/sing-box_${{ needs.calculate_version.outputs.version }}_openwrt_${architecture}${SUFFIX}.ipk"
+            .github/deb2ipk.sh "$architecture" "dist/openwrt.deb" "dist/sing-box_${{ needs.calculate_version.outputs.version }}_openwrt_${architecture}.ipk"
           done
           rm "dist/openwrt.deb"
       - name: Archive
@@ -388,177 +275,15 @@ jobs:
             zip -r "${DIR_NAME}.zip" "${DIR_NAME}"
           else
             cp sing-box "${DIR_NAME}"
-            if [ -f libcronet.so ]; then
-              cp libcronet.so "${DIR_NAME}"
-            fi
             tar -czvf "${DIR_NAME}.tar.gz" "${DIR_NAME}"
           fi
           rm -r "${DIR_NAME}"
-      - name: Cleanup
-        run: rm -f dist/sing-box dist/libcronet.so
-      - name: Upload artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: binary-${{ matrix.os }}_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.go386 && format('_{0}', matrix.go386) }}${{ matrix.gomips && format('_{0}', matrix.gomips) }}${{ matrix.legacy_name && format('-legacy-{0}', matrix.legacy_name) }}${{ matrix.variant && format('-{0}', matrix.variant) }}
-          path: "dist"
-  build_darwin:
-    name: Build Darwin binaries
-    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Binary'
-    runs-on: macos-latest
-    needs:
-      - calculate_version
-    strategy:
-      matrix:
-        include:
-          - { arch: amd64 }
-          - { arch: arm64 }
-          - { arch: amd64, legacy_go124: true, legacy_name: "macos-11" }
-    steps:
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-        with:
-          fetch-depth: 0
-      - name: Setup Go
-        if: ${{ ! matrix.legacy_go124 }}
-        uses: actions/setup-go@v5
-        with:
-          go-version: ^1.25.3
-      - name: Setup Go 1.24
-        if: matrix.legacy_go124
-        uses: actions/setup-go@v5
-        with:
-          go-version: ~1.24.6
-      - name: Set tag
-        run: |-
-          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
-          git tag v${{ needs.calculate_version.outputs.version }} -f
-      - name: Set build tags
-        run: |
-          set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
-          if [[ "${{ matrix.legacy_go124 }}" != "true" ]]; then
-            TAGS="${TAGS},with_naive_outbound"
-          fi
-          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
-      - name: Build
-        run: |
-          set -xeuo pipefail
-          mkdir -p dist
-          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
-          ./cmd/sing-box
-        env:
-          CGO_ENABLED: "1"
-          GOOS: darwin
-          GOARCH: ${{ matrix.arch }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Set name
-        run: |-
-          DIR_NAME="sing-box-${{ needs.calculate_version.outputs.version }}-darwin-${{ matrix.arch }}"
-          if [[ -n "${{ matrix.legacy_name }}" ]]; then
-            DIR_NAME="${DIR_NAME}-legacy-${{ matrix.legacy_name }}"
-          fi
-          echo "DIR_NAME=${DIR_NAME}" >> "${GITHUB_ENV}"
-      - name: Archive
-        run: |
-          set -xeuo pipefail
-          cd dist
-          mkdir -p "${DIR_NAME}"
-          cp ../LICENSE "${DIR_NAME}"
-          cp sing-box "${DIR_NAME}"
-          tar -czvf "${DIR_NAME}.tar.gz" "${DIR_NAME}"
-          rm -r "${DIR_NAME}"
       - name: Cleanup
         run: rm dist/sing-box
       - name: Upload artifact
         uses: actions/upload-artifact@v4
         with:
-          name: binary-darwin_${{ matrix.arch }}${{ matrix.legacy_name && format('-legacy-{0}', matrix.legacy_name) }}
-          path: "dist"
-  build_windows:
-    name: Build Windows binaries
-    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Binary'
-    runs-on: windows-latest
-    needs:
-      - calculate_version
-    strategy:
-      matrix:
-        include:
-          - { arch: amd64, naive: true }
-          - { arch: "386" }
-          - { arch: arm64, naive: true }
-    steps:
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-        with:
-          fetch-depth: 0
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ^1.25.4
-      - name: Set tag
-        run: |-
-          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$env:GITHUB_ENV"
-          git tag v${{ needs.calculate_version.outputs.version }} -f
-      - name: Build
-        if: matrix.naive
-        run: |
-          mkdir -p dist
-          go build -v -trimpath -o dist/sing-box.exe -tags "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,with_naive_outbound,with_purego,badlinkname,tfogo_checklinkname0" `
-          -ldflags "-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0" `
-          ./cmd/sing-box
-        env:
-          CGO_ENABLED: "0"
-          GOOS: windows
-          GOARCH: ${{ matrix.arch }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build
-        if: ${{ !matrix.naive }}
-        run: |
-          mkdir -p dist
-          go build -v -trimpath -o dist/sing-box.exe -tags "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0" `
-          -ldflags "-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0" `
-          ./cmd/sing-box
-        env:
-          CGO_ENABLED: "0"
-          GOOS: windows
-          GOARCH: ${{ matrix.arch }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Extract libcronet.dll
-        if: matrix.naive
-        run: |
-          $CRONET_GO_VERSION = Get-Content .github/CRONET_GO_VERSION
-          $env:CGO_ENABLED = "0"
-          go run -v "github.com/sagernet/cronet-go/cmd/build-naive@$CRONET_GO_VERSION" extract-lib --target windows/${{ matrix.arch }} -o dist
-      - name: Archive
-        if: matrix.naive
-        run: |
-          $DIR_NAME = "sing-box-${{ needs.calculate_version.outputs.version }}-windows-${{ matrix.arch }}"
-          mkdir "dist/$DIR_NAME"
-          Copy-Item LICENSE "dist/$DIR_NAME"
-          Copy-Item "dist/sing-box.exe" "dist/$DIR_NAME"
-          Copy-Item "dist/libcronet.dll" "dist/$DIR_NAME"
-          Compress-Archive -Path "dist/$DIR_NAME" -DestinationPath "dist/$DIR_NAME.zip"
-          Remove-Item -Recurse "dist/$DIR_NAME"
-      - name: Archive
-        if: ${{ !matrix.naive }}
-        run: |
-          $DIR_NAME = "sing-box-${{ needs.calculate_version.outputs.version }}-windows-${{ matrix.arch }}"
-          mkdir "dist/$DIR_NAME"
-          Copy-Item LICENSE "dist/$DIR_NAME"
-          Copy-Item "dist/sing-box.exe" "dist/$DIR_NAME"
-          Compress-Archive -Path "dist/$DIR_NAME" -DestinationPath "dist/$DIR_NAME.zip"
-          Remove-Item -Recurse "dist/$DIR_NAME"
-      - name: Cleanup
-        if: matrix.naive
-        run: Remove-Item dist/sing-box.exe, dist/libcronet.dll
-      - name: Cleanup
-        if: ${{ !matrix.naive }}
-        run: Remove-Item dist/sing-box.exe
-      - name: Upload artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: binary-windows_${{ matrix.arch }}
+          name: binary-${{ matrix.os }}_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.go386 && format('_{0}', matrix.go386) }}${{ matrix.gomips && format('_{0}', matrix.gomips) }}${{ matrix.legacy_name && format('-legacy-{0}', matrix.legacy_name) }}
           path: "dist"
   build_android:
     name: Build Android
@@ -575,7 +300,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.5
+          go-version: ^1.25.1
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -623,9 +348,9 @@ jobs:
       - name: Build
         run: |-
           mkdir clients/android/app/libs
-          cp *.aar clients/android/app/libs
+          cp libbox.aar clients/android/app/libs
           cd clients/android
-          ./gradlew :app:assembleOtherRelease :app:assembleOtherLegacyRelease
+          ./gradlew :app:assemblePlayRelease :app:assembleOtherRelease
         env:
           JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
           ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
@@ -633,18 +358,8 @@ jobs:
       - name: Prepare upload
         run: |-
           mkdir -p dist
-          #cp clients/android/app/build/outputs/apk/play/release/*.apk dist
-          cp clients/android/app/build/outputs/apk/other/release/*.apk dist
-          cp clients/android/app/build/outputs/apk/otherLegacy/release/*.apk dist
-          VERSION_CODE=$(grep VERSION_CODE clients/android/version.properties | cut -d= -f2)
-          VERSION_NAME=$(grep VERSION_NAME clients/android/version.properties | cut -d= -f2)
-          cat > dist/SFA-version-metadata.json << EOF
-          {
-            "version_code": ${VERSION_CODE},
-            "version_name": "${VERSION_NAME}"
-          }
-          EOF
-          cat dist/SFA-version-metadata.json
+          cp clients/android/app/build/outputs/apk/play/release/*.apk dist
+          cp clients/android/app/build/outputs/apk/other/release/*-universal.apk dist
       - name: Upload artifact
         uses: actions/upload-artifact@v4
         with:
@@ -665,7 +380,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.5
+          go-version: ^1.25.1
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -706,7 +421,7 @@ jobs:
         run: |-
           go run -v ./cmd/internal/update_android_version --ci
           mkdir clients/android/app/libs
-          cp *.aar clients/android/app/libs
+          cp libbox.aar clients/android/app/libs
           cd clients/android
           echo -n "$SERVICE_ACCOUNT_CREDENTIALS" | base64 --decode > service-account-credentials.json
           ./gradlew :app:publishPlayReleaseBundle
@@ -718,7 +433,7 @@ jobs:
   build_apple:
     name: Build Apple clients
     runs-on: macos-26
-    if: false # github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'app-store' || inputs.build == 'iOS' || inputs.build == 'macOS' || inputs.build == 'tvOS' || inputs.build == 'macOS-standalone'
+    if: false
     needs:
       - calculate_version
     strategy:
@@ -764,7 +479,7 @@ jobs:
         if: matrix.if
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.5
+          go-version: ^1.25.1
       - name: Set tag
         if: matrix.if
         run: |-
@@ -883,7 +598,7 @@ jobs:
           		--app-drop-link 0 0 \
           		--skip-jenkins \
           	SFM.dmg "${{ matrix.export_path }}/SFM.app"
-          xcrun notarytool submit "SFM.dmg" --wait --keychain-profile "notarytool-password"
+          xcrun notarytool submit "SFM.dmg" --wait --keychain-profile "notarytool-password"          
           cd "${{ matrix.archive }}"
           zip -r SFM.dSYMs.zip dSYMs
           popd
@@ -904,8 +619,6 @@ jobs:
     needs:
       - calculate_version
       - build
-      - build_darwin
-      - build_windows
       - build_android
       - build_apple
     steps:

.github/workflows/docker.yml

@@ -1,10 +1,6 @@
 name: Publish Docker Images
 
 on:
-  #push:
-  #  branches:
-  #    - main-next
-  #    - dev-next
   release:
     types:
       - published
@@ -17,134 +13,8 @@ env:
   REGISTRY_IMAGE: ghcr.io/sagernet/sing-box
 
 jobs:
-  build_binary:
-    name: Build binary
+  build:
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: true
-      matrix:
-        include:
-          # Naive-enabled builds (musl)
-          - { arch: amd64, naive: true, docker_platform: "linux/amd64" }
-          - { arch: arm64, naive: true, docker_platform: "linux/arm64" }
-          - { arch: "386", naive: true, docker_platform: "linux/386" }
-          - { arch: arm, goarm: "7", naive: true, docker_platform: "linux/arm/v7" }
-          # Non-naive builds
-          - { arch: arm, goarm: "6", docker_platform: "linux/arm/v6" }
-          - { arch: ppc64le, docker_platform: "linux/ppc64le" }
-          - { arch: riscv64, docker_platform: "linux/riscv64" }
-          - { arch: s390x, docker_platform: "linux/s390x" }
-    steps:
-      - name: Get commit to build
-        id: ref
-        run: |-
-          if [[ -z "${{ github.event.inputs.tag }}" ]]; then
-            ref="${{ github.ref_name }}"
-          else
-            ref="${{ github.event.inputs.tag }}"
-          fi
-          echo "ref=$ref"
-          echo "ref=$ref" >> $GITHUB_OUTPUT
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-        with:
-          ref: ${{ steps.ref.outputs.ref }}
-          fetch-depth: 0
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ^1.25.4
-      - name: Clone cronet-go
-        if: matrix.naive
-        run: |
-          set -xeuo pipefail
-          CRONET_GO_VERSION=$(cat .github/CRONET_GO_VERSION)
-          git init ~/cronet-go
-          git -C ~/cronet-go remote add origin https://github.com/sagernet/cronet-go.git
-          git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
-          git -C ~/cronet-go checkout FETCH_HEAD
-          git -C ~/cronet-go submodule update --init --recursive --depth=1
-      - name: Cache Chromium toolchain
-        if: matrix.naive
-        id: cache-chromium-toolchain
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
-            ~/cronet-go/naiveproxy/src/out/sysroot-build
-          key: chromium-toolchain-${{ matrix.arch }}-musl-${{ hashFiles('.github/CRONET_GO_VERSION') }}
-      - name: Download Chromium toolchain
-        if: matrix.naive
-        run: |
-          set -xeuo pipefail
-          cd ~/cronet-go
-          go run ./cmd/build-naive --target=linux/${{ matrix.arch }} --libc=musl download-toolchain
-      - name: Set version
-        run: |
-          set -xeuo pipefail
-          VERSION=$(go run ./cmd/internal/read_tag)
-          echo "VERSION=${VERSION}" >> "${GITHUB_ENV}"
-      - name: Set Chromium toolchain environment
-        if: matrix.naive
-        run: |
-          set -xeuo pipefail
-          cd ~/cronet-go
-          go run ./cmd/build-naive --target=linux/${{ matrix.arch }} --libc=musl env >> $GITHUB_ENV
-      - name: Set build tags
-        run: |
-          set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
-          if [[ "${{ matrix.naive }}" == "true" ]]; then
-            TAGS="${TAGS},with_naive_outbound,with_musl"
-          fi
-          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
-      - name: Build (naive)
-        if: matrix.naive
-        run: |
-          set -xeuo pipefail
-          go build -v -trimpath -o sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=${VERSION}\" -s -w -buildid= -checklinkname=0" \
-          ./cmd/sing-box
-        env:
-          CGO_ENABLED: "1"
-          GOOS: linux
-          GOARCH: ${{ matrix.arch }}
-          GOARM: ${{ matrix.goarm }}
-      - name: Build (non-naive)
-        if: ${{ ! matrix.naive }}
-        run: |
-          set -xeuo pipefail
-          go build -v -trimpath -o sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=${VERSION}\" -s -w -buildid= -checklinkname=0" \
-          ./cmd/sing-box
-        env:
-          CGO_ENABLED: "0"
-          GOOS: linux
-          GOARCH: ${{ matrix.arch }}
-          GOARM: ${{ matrix.goarm }}
-      - name: Prepare artifact
-        run: |
-          platform=${{ matrix.docker_platform }}
-          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
-          # Rename binary to include arch info for Dockerfile.binary
-          BINARY_NAME="sing-box-${{ matrix.arch }}"
-          if [[ -n "${{ matrix.goarm }}" ]]; then
-            BINARY_NAME="${BINARY_NAME}v${{ matrix.goarm }}"
-          fi
-          mv sing-box "${BINARY_NAME}"
-          echo "BINARY_NAME=${BINARY_NAME}" >> $GITHUB_ENV
-      - name: Upload binary
-        uses: actions/upload-artifact@v4
-        with:
-          name: binary-${{ env.PLATFORM_PAIR }}
-          path: ${{ env.BINARY_NAME }}
-          if-no-files-found: error
-          retention-days: 1
-  build_docker:
-    name: Build Docker image
-    runs-on: ubuntu-latest
-    needs:
-      - build_binary
     strategy:
       fail-fast: true
       matrix:
@@ -177,16 +47,6 @@ jobs:
         run: |
           platform=${{ matrix.platform }}
           echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
-      - name: Download binary
-        uses: actions/download-artifact@v5
-        with:
-          name: binary-${{ env.PLATFORM_PAIR }}
-          path: .
-      - name: Prepare binary
-        run: |
-          # Find and make the binary executable
-          chmod +x sing-box-*
-          ls -la sing-box-*
       - name: Setup QEMU
         uses: docker/setup-qemu-action@v3
       - name: Setup Docker Buildx
@@ -208,7 +68,8 @@ jobs:
         with:
           platforms: ${{ matrix.platform }}
           context: .
-          file: Dockerfile.binary
+          build-args: |
+            BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
           labels: ${{ steps.meta.outputs.labels }}
           outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
       - name: Export digest
@@ -226,7 +87,7 @@ jobs:
   merge:
     runs-on: ubuntu-latest
     needs:
-      - build_docker
+      - build
     steps:
       - name: Get commit to build
         id: ref
@@ -260,7 +121,6 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Create manifest list and push
-        if: github.event_name != 'push'
         working-directory: /tmp/digests
         run: |
           docker buildx imagetools create \
@@ -268,7 +128,6 @@ jobs:
             -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}" \
             $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
       - name: Inspect image
-        if: github.event_name != 'push'
         run: |
           docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.latest }}
           docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}

.github/workflows/linux.yml

@@ -1,10 +1,6 @@
 name: Build Linux Packages
 
 on:
-  #push:
-  #  branches:
-  #    - main-next
-  #    - dev-next
   workflow_dispatch:
     inputs:
       version:
@@ -34,7 +30,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.5
+          go-version: ^1.25.1
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -56,13 +52,11 @@ jobs:
     strategy:
       matrix:
         include:
-          # Naive-enabled builds (musl)
-          - { os: linux, arch: amd64, naive: true, debian: amd64, rpm: x86_64, pacman: x86_64 }
-          - { os: linux, arch: arm64, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64 }
-          - { os: linux, arch: "386", naive: true, debian: i386, rpm: i386 }
-          - { os: linux, arch: arm, goarm: "7", naive: true, debian: armhf, rpm: armv7hl, pacman: armv7hl }
-          # Non-naive builds (unsupported architectures)
+          - { os: linux, arch: amd64, debian: amd64, rpm: x86_64, pacman: x86_64 }
+          - { os: linux, arch: "386", debian: i386, rpm: i386 }
           - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl }
+          - { os: linux, arch: arm, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl }
+          - { os: linux, arch: arm64, debian: arm64, rpm: aarch64, pacman: aarch64 }
           - { os: linux, arch: mips64le, debian: mips64el, rpm: mips64el }
           - { os: linux, arch: mipsle, debian: mipsel, rpm: mipsel }
           - { os: linux, arch: s390x, debian: s390x, rpm: s390x }
@@ -77,38 +71,13 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.5
-      - name: Clone cronet-go
-        if: matrix.naive
-        run: |
-          set -xeuo pipefail
-          CRONET_GO_VERSION=$(cat .github/CRONET_GO_VERSION)
-          git init ~/cronet-go
-          git -C ~/cronet-go remote add origin https://github.com/sagernet/cronet-go.git
-          git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
-          git -C ~/cronet-go checkout FETCH_HEAD
-          git -C ~/cronet-go submodule update --init --recursive --depth=1
-      - name: Cache Chromium toolchain
-        if: matrix.naive
-        id: cache-chromium-toolchain
-        uses: actions/cache@v4
+          go-version: ^1.25.1
+      - name: Setup Android NDK
+        if: matrix.os == 'android'
+        uses: nttld/setup-ndk@v1
         with:
-          path: |
-            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
-            ~/cronet-go/naiveproxy/src/out/sysroot-build
-          key: chromium-toolchain-${{ matrix.arch }}-musl-${{ hashFiles('.github/CRONET_GO_VERSION') }}
-      - name: Download Chromium toolchain
-        if: matrix.naive
-        run: |
-          set -xeuo pipefail
-          cd ~/cronet-go
-          go run ./cmd/build-naive --target=linux/${{ matrix.arch }} --libc=musl download-toolchain
-      - name: Set Chromium toolchain environment
-        if: matrix.naive
-        run: |
-          set -xeuo pipefail
-          cd ~/cronet-go
-          go run ./cmd/build-naive --target=linux/${{ matrix.arch }} --libc=musl env >> $GITHUB_ENV
+          ndk-version: r28
+          local-cache: true
       - name: Set tag
         run: |-
           git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
@@ -116,27 +85,9 @@ jobs:
       - name: Set build tags
         run: |
           set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
-          if [[ "${{ matrix.naive }}" == "true" ]]; then
-            TAGS="${TAGS},with_naive_outbound,with_musl"
-          fi
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,badlinkname,tfogo_checklinkname0'
           echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
-      - name: Build (naive)
-        if: matrix.naive
-        run: |
-          set -xeuo pipefail
-          mkdir -p dist
-          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
-          ./cmd/sing-box
-        env:
-          CGO_ENABLED: "1"
-          GOOS: linux
-          GOARCH: ${{ matrix.arch }}
-          GOARM: ${{ matrix.goarm }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build (non-naive)
-        if: ${{ ! matrix.naive }}
+      - name: Build
         run: |
           set -xeuo pipefail
           mkdir -p dist
@@ -234,6 +185,5 @@ jobs:
           path: dist
           merge-multiple: true
       - name: Publish packages
-        if: github.event_name != 'push'
         run: |-
           ls dist | xargs -I {} curl -F "package=@dist/{}" https://${{ secrets.FURY_TOKEN }}@push.fury.io/sagernet/

.goreleaser.fury.yaml

@@ -0,0 +1,103 @@
+project_name: sing-box
+builds:
+  - id: main
+    main: ./cmd/sing-box
+    flags:
+      - -v
+      - -trimpath
+    ldflags:
+      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }}
+      - -s
+      - -buildid=
+    tags:
+      - with_gvisor
+      - with_quic
+      - with_dhcp
+      - with_wireguard
+      - with_utls
+      - with_acme
+      - with_clash_api
+      - with_tailscale
+    env:
+      - CGO_ENABLED=0
+    targets:
+      - linux_386
+      - linux_amd64_v1
+      - linux_arm64
+      - linux_arm_7
+      - linux_s390x
+      - linux_riscv64
+      - linux_mips64le
+    mod_timestamp: '{{ .CommitTimestamp }}'
+snapshot:
+  name_template: "{{ .Version }}.{{ .ShortCommit }}"
+nfpms:
+  - &template
+    id: package
+    package_name: sing-box
+    file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
+    builds:
+      - main
+    homepage: https://sing-box.sagernet.org/
+    maintainer: nekohasekai <contact-git@sekai.icu>
+    description: The universal proxy platform.
+    license: GPLv3 or later
+    formats:
+      - deb
+      - rpm
+    priority: extra
+    contents:
+      - src: release/config/config.json
+        dst: /etc/sing-box/config.json
+        type: "config|noreplace"
+
+      - src: release/config/sing-box.service
+        dst: /usr/lib/systemd/system/sing-box.service
+      - src: release/config/sing-box@.service
+        dst: /usr/lib/systemd/system/sing-box@.service
+      - src: release/config/sing-box.sysusers
+        dst: /usr/lib/sysusers.d/sing-box.conf
+      - src: release/config/sing-box.rules
+        dst: /usr/share/polkit-1/rules.d/sing-box.rules
+      - src: release/config/sing-box-split-dns.xml
+        dst: /usr/share/dbus-1/system.d/sing-box-split-dns.conf
+
+      - src: release/completions/sing-box.bash
+        dst: /usr/share/bash-completion/completions/sing-box.bash
+      - src: release/completions/sing-box.fish
+        dst: /usr/share/fish/vendor_completions.d/sing-box.fish
+      - src: release/completions/sing-box.zsh
+        dst: /usr/share/zsh/site-functions/_sing-box
+
+      - src: LICENSE
+        dst: /usr/share/licenses/sing-box/LICENSE
+    deb:
+      signature:
+        key_file: "{{ .Env.NFPM_KEY_PATH }}"
+      fields:
+        Bugs: https://github.com/SagerNet/sing-box/issues
+    rpm:
+      signature:
+        key_file: "{{ .Env.NFPM_KEY_PATH }}"
+    conflicts:
+      - sing-box-beta
+  - id: package_beta
+    <<: *template
+    package_name: sing-box-beta
+    file_name_template: '{{ .ProjectName }}-beta_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
+    formats:
+      - deb
+      - rpm
+    conflicts:
+      - sing-box
+release:
+  disable: true
+furies:
+  - account: sagernet
+    ids:
+      - package
+    disable: "{{ not (not .Prerelease) }}"
+  - account: sagernet
+    ids:
+      - package_beta
+    disable: "{{ not .Prerelease }}"

.goreleaser.yaml

@@ -0,0 +1,213 @@
+version: 2
+project_name: sing-box
+builds:
+  - &template
+    id: main
+    main: ./cmd/sing-box
+    flags:
+      - -v
+      - -trimpath
+    ldflags:
+      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }}
+      - -s
+      - -buildid=
+    tags:
+      - with_gvisor
+      - with_quic
+      - with_dhcp
+      - with_wireguard
+      - with_utls
+      - with_acme
+      - with_clash_api
+      - with_tailscale
+    env:
+      - CGO_ENABLED=0
+      - GOTOOLCHAIN=local
+    targets:
+      - linux_386
+      - linux_amd64_v1
+      - linux_arm64
+      - linux_arm_6
+      - linux_arm_7
+      - linux_s390x
+      - linux_riscv64
+      - linux_mips64le
+      - windows_amd64_v1
+      - windows_386
+      - windows_arm64
+      - darwin_amd64_v1
+      - darwin_arm64
+    mod_timestamp: '{{ .CommitTimestamp }}'
+  - id: legacy
+    <<: *template
+    tags:
+      - with_gvisor
+      - with_quic
+      - with_dhcp
+      - with_wireguard
+      - with_utls
+      - with_acme
+      - with_clash_api
+      - with_tailscale
+    env:
+      - CGO_ENABLED=0
+      - GOROOT={{ .Env.GOPATH }}/go_legacy
+    tool: "{{ .Env.GOPATH }}/go_legacy/bin/go"
+    targets:
+      - windows_amd64_v1
+      - windows_386
+  - id: android
+    <<: *template
+    env:
+      - CGO_ENABLED=1
+      - GOTOOLCHAIN=local
+    overrides:
+      - goos: android
+        goarch: arm
+        goarm: 7
+        env:
+          - CC=armv7a-linux-androideabi21-clang
+          - CXX=armv7a-linux-androideabi21-clang++
+      - goos: android
+        goarch: arm64
+        env:
+          - CC=aarch64-linux-android21-clang
+          - CXX=aarch64-linux-android21-clang++
+      - goos: android
+        goarch: 386
+        env:
+          - CC=i686-linux-android21-clang
+          - CXX=i686-linux-android21-clang++
+      - goos: android
+        goarch: amd64
+        goamd64: v1
+        env:
+          - CC=x86_64-linux-android21-clang
+          - CXX=x86_64-linux-android21-clang++
+    targets:
+      - android_arm_7
+      - android_arm64
+      - android_386
+      - android_amd64
+archives:
+  - &template
+    id: archive
+    builds:
+      - main
+      - android
+    formats:
+      - tar.gz
+    format_overrides:
+      - goos: windows
+        formats:
+          - zip
+    wrap_in_directory: true
+    files:
+      - LICENSE
+    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ if and .Mips (not (eq .Mips "hardfloat")) }}_{{ .Mips }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
+  - id: archive-legacy
+    <<: *template
+    builds:
+      - legacy
+    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}-legacy'
+nfpms:
+  - id: package
+    package_name: sing-box
+    file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ if and .Mips (not (eq .Mips "hardfloat")) }}_{{ .Mips }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
+    builds:
+      - main
+    homepage: https://sing-box.sagernet.org/
+    maintainer: nekohasekai <contact-git@sekai.icu>
+    description: The universal proxy platform.
+    license: GPLv3 or later
+    formats:
+      - deb
+      - rpm
+      - archlinux
+#      - apk
+#      - ipk
+    priority: extra
+    contents:
+      - src: release/config/config.json
+        dst: /etc/sing-box/config.json
+        type: "config|noreplace"
+
+      - src: release/config/sing-box.service
+        dst: /usr/lib/systemd/system/sing-box.service
+      - src: release/config/sing-box@.service
+        dst: /usr/lib/systemd/system/sing-box@.service
+      - src: release/config/sing-box.sysusers
+        dst: /usr/lib/sysusers.d/sing-box.conf
+      - src: release/config/sing-box.rules
+        dst: /usr/share/polkit-1/rules.d/sing-box.rules
+      - src: release/config/sing-box-split-dns.xml
+        dst: /usr/share/dbus-1/system.d/sing-box-split-dns.conf
+
+      - src: release/completions/sing-box.bash
+        dst: /usr/share/bash-completion/completions/sing-box.bash
+      - src: release/completions/sing-box.fish
+        dst: /usr/share/fish/vendor_completions.d/sing-box.fish
+      - src: release/completions/sing-box.zsh
+        dst: /usr/share/zsh/site-functions/_sing-box
+
+      - src: LICENSE
+        dst: /usr/share/licenses/sing-box/LICENSE
+    deb:
+      signature:
+        key_file: "{{ .Env.NFPM_KEY_PATH }}"
+      fields:
+        Bugs: https://github.com/SagerNet/sing-box/issues
+    rpm:
+      signature:
+        key_file: "{{ .Env.NFPM_KEY_PATH }}"
+    overrides:
+      apk:
+        contents:
+          - src: release/config/config.json
+            dst: /etc/sing-box/config.json
+            type: config
+
+          - src: release/config/sing-box.initd
+            dst: /etc/init.d/sing-box
+
+          - src: release/completions/sing-box.bash
+            dst: /usr/share/bash-completion/completions/sing-box.bash
+          - src: release/completions/sing-box.fish
+            dst: /usr/share/fish/vendor_completions.d/sing-box.fish
+          - src: release/completions/sing-box.zsh
+            dst: /usr/share/zsh/site-functions/_sing-box
+
+          - src: LICENSE
+            dst: /usr/share/licenses/sing-box/LICENSE
+      ipk:
+        contents:
+          - src: release/config/config.json
+            dst: /etc/sing-box/config.json
+            type: config
+
+          - src: release/config/openwrt.init
+            dst: /etc/init.d/sing-box
+          - src: release/config/openwrt.conf
+            dst: /etc/config/sing-box
+source:
+  enabled: false
+  name_template: '{{ .ProjectName }}-{{ .Version }}.source'
+  prefix_template: '{{ .ProjectName }}-{{ .Version }}/'
+checksum:
+  disable: true
+  name_template: '{{ .ProjectName }}-{{ .Version }}.checksum'
+signs:
+  - artifacts: checksum
+release:
+  github:
+    owner: SagerNet
+    name: sing-box
+  draft: true
+  prerelease: auto
+  mode: replace
+  ids:
+    - archive
+    - package
+  skip_upload: true
+partial:
+  by: target

Dockerfile

@@ -13,13 +13,15 @@ RUN set -ex \
     && export COMMIT=$(git rev-parse --short HEAD) \
     && export VERSION=$(go run ./cmd/internal/read_tag) \
     && go build -v -trimpath -tags \
-        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0" \
+        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,badlinkname,tfogo_checklinkname0" \
         -o /go/bin/sing-box \
         -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid= -checklinkname=0" \
         ./cmd/sing-box
 FROM --platform=$TARGETPLATFORM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 RUN set -ex \
-    && apk add --no-cache --upgrade bash tzdata ca-certificates nftables
+    && apk upgrade \
+    && apk add bash tzdata ca-certificates nftables \
+    && rm -rf /var/cache/apk/*
 COPY --from=builder /go/bin/sing-box /usr/local/bin/sing-box
 ENTRYPOINT ["sing-box"]

Dockerfile.binary

@@ -1,8 +0,0 @@
-FROM alpine
-ARG TARGETARCH
-ARG TARGETVARIANT
-LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
-RUN set -ex \
-    && apk add --no-cache --upgrade bash tzdata ca-certificates nftables
-COPY sing-box-${TARGETARCH}${TARGETVARIANT} /usr/local/bin/sing-box
-ENTRYPOINT ["sing-box"]

Makefile

@@ -1,6 +1,6 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS ?= with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0
+TAGS ?= with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,badlinkname,tfogo_checklinkname0
 
 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
@@ -249,8 +249,8 @@ lib:
 	go run ./cmd/internal/build_libbox -target ios
 
 lib_install:
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.10
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.10
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.8
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.8
 
 docs:
 	venv/bin/mkdocs serve

README.md

@@ -1,11 +1,3 @@
-> Sponsored by [Warp](https://go.warp.dev/sing-box), built for coding with multiple AI agents
-
-<a href="https://go.warp.dev/sing-box">
-<img alt="Warp sponsorship" width="400" src="https://github.com/warpdotdev/brand-assets/raw/refs/heads/main/Github/Sponsor/Warp-Github-LG-02.png">
-</a>
-
----
-
 # sing-box
 
 The universal proxy platform.

adapter/dns.go

@@ -27,6 +27,8 @@ type DNSClient interface {
 	Start()
 	Exchange(ctx context.Context, transport DNSTransport, message *dns.Msg, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error)
 	Lookup(ctx context.Context, transport DNSTransport, domain string, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error)
+	LookupCache(domain string, strategy C.DomainStrategy) ([]netip.Addr, bool)
+	ExchangeCache(ctx context.Context, message *dns.Msg) (*dns.Msg, bool)
 	ClearCache()
 }
 

adapter/endpoint/manager.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"os"
 	"sync"
-	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/taskmonitor"
@@ -12,7 +11,6 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
-	F "github.com/sagernet/sing/common/format"
 )
 
 var _ adapter.EndpointManager = (*Manager)(nil)
@@ -48,14 +46,10 @@ func (m *Manager) Start(stage adapter.StartStage) error {
 		return nil
 	}
 	for _, endpoint := range m.endpoints {
-		name := "endpoint/" + endpoint.Type() + "[" + endpoint.Tag() + "]"
-		m.logger.Trace(stage, " ", name)
-		startTime := time.Now()
 		err := adapter.LegacyStart(endpoint, stage)
 		if err != nil {
-			return E.Cause(err, stage, " ", name)
+			return E.Cause(err, stage, " endpoint/", endpoint.Type(), "[", endpoint.Tag(), "]")
 		}
-		m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }
@@ -72,15 +66,11 @@ func (m *Manager) Close() error {
 	monitor := taskmonitor.New(m.logger, C.StopTimeout)
 	var err error
 	for _, endpoint := range endpoints {
-		name := "endpoint/" + endpoint.Type() + "[" + endpoint.Tag() + "]"
-		m.logger.Trace("close ", name)
-		startTime := time.Now()
-		monitor.Start("close ", name)
+		monitor.Start("close endpoint/", endpoint.Type(), "[", endpoint.Tag(), "]")
 		err = E.Append(err, endpoint.Close(), func(err error) error {
-			return E.Cause(err, "close ", name)
+			return E.Cause(err, "close endpoint/", endpoint.Type(), "[", endpoint.Tag(), "]")
 		})
 		monitor.Finish()
-		m.logger.Trace("close ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }
@@ -129,15 +119,11 @@ func (m *Manager) Create(ctx context.Context, router adapter.Router, logger log.
 	m.access.Lock()
 	defer m.access.Unlock()
 	if m.started {
-		name := "endpoint/" + endpoint.Type() + "[" + endpoint.Tag() + "]"
 		for _, stage := range adapter.ListStartStages {
-			m.logger.Trace(stage, " ", name)
-			startTime := time.Now()
 			err = adapter.LegacyStart(endpoint, stage)
 			if err != nil {
-				return E.Cause(err, stage, " ", name)
+				return E.Cause(err, stage, " endpoint/", endpoint.Type(), "[", endpoint.Tag(), "]")
 			}
-			m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 		}
 	}
 	if existsEndpoint, loaded := m.endpointByTag[tag]; loaded {

adapter/experimental.go

@@ -6,7 +6,6 @@ import (
 	"encoding/binary"
 	"time"
 
-	"github.com/sagernet/sing/common/observable"
 	"github.com/sagernet/sing/common/varbin"
 )
 
@@ -15,7 +14,6 @@ type ClashServer interface {
 	ConnectionTracker
 	Mode() string
 	ModeList() []string
-	SetModeUpdateHook(hook *observable.Subscriber[struct{}])
 	HistoryStorage() URLTestHistoryStorage
 }
 
@@ -25,7 +23,7 @@ type URLTestHistory struct {
 }
 
 type URLTestHistoryStorage interface {
-	SetHook(hook *observable.Subscriber[struct{}])
+	SetHook(hook chan<- struct{})
 	LoadURLTestHistory(tag string) *URLTestHistory
 	DeleteURLTestHistory(tag string)
 	StoreURLTestHistory(tag string, history *URLTestHistory)

adapter/inbound/manager.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"os"
 	"sync"
-	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/taskmonitor"
@@ -12,7 +11,6 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
-	F "github.com/sagernet/sing/common/format"
 )
 
 var _ adapter.InboundManager = (*Manager)(nil)
@@ -47,14 +45,10 @@ func (m *Manager) Start(stage adapter.StartStage) error {
 	inbounds := m.inbounds
 	m.access.Unlock()
 	for _, inbound := range inbounds {
-		name := "inbound/" + inbound.Type() + "[" + inbound.Tag() + "]"
-		m.logger.Trace(stage, " ", name)
-		startTime := time.Now()
 		err := adapter.LegacyStart(inbound, stage)
 		if err != nil {
-			return E.Cause(err, stage, " ", name)
+			return E.Cause(err, stage, " inbound/", inbound.Type(), "[", inbound.Tag(), "]")
 		}
-		m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }
@@ -71,15 +65,11 @@ func (m *Manager) Close() error {
 	monitor := taskmonitor.New(m.logger, C.StopTimeout)
 	var err error
 	for _, inbound := range inbounds {
-		name := "inbound/" + inbound.Type() + "[" + inbound.Tag() + "]"
-		m.logger.Trace("close ", name)
-		startTime := time.Now()
-		monitor.Start("close ", name)
+		monitor.Start("close inbound/", inbound.Type(), "[", inbound.Tag(), "]")
 		err = E.Append(err, inbound.Close(), func(err error) error {
-			return E.Cause(err, "close ", name)
+			return E.Cause(err, "close inbound/", inbound.Type(), "[", inbound.Tag(), "]")
 		})
 		monitor.Finish()
-		m.logger.Trace("close ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }
@@ -131,15 +121,11 @@ func (m *Manager) Create(ctx context.Context, router adapter.Router, logger log.
 	m.access.Lock()
 	defer m.access.Unlock()
 	if m.started {
-		name := "inbound/" + inbound.Type() + "[" + inbound.Tag() + "]"
 		for _, stage := range adapter.ListStartStages {
-			m.logger.Trace(stage, " ", name)
-			startTime := time.Now()
 			err = adapter.LegacyStart(inbound, stage)
 			if err != nil {
-				return E.Cause(err, stage, " ", name)
+				return E.Cause(err, stage, " inbound/", inbound.Type(), "[", inbound.Tag(), "]")
 			}
-			m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 		}
 	}
 	if existsInbound, loaded := m.inboundByTag[tag]; loaded {

adapter/lifecycle.go

@@ -1,14 +1,6 @@
 package adapter
 
-import (
-	"reflect"
-	"strings"
-	"time"
-
-	"github.com/sagernet/sing-box/log"
-	E "github.com/sagernet/sing/common/exceptions"
-	F "github.com/sagernet/sing/common/format"
-)
+import E "github.com/sagernet/sing/common/exceptions"
 
 type SimpleLifecycle interface {
 	Start() error
@@ -56,47 +48,22 @@ type LifecycleService interface {
 	Lifecycle
 }
 
-func getServiceName(service any) string {
-	if named, ok := service.(interface {
-		Type() string
-		Tag() string
-	}); ok {
-		tag := named.Tag()
-		if tag != "" {
-			return named.Type() + "[" + tag + "]"
-		}
-		return named.Type()
-	}
-	t := reflect.TypeOf(service)
-	if t.Kind() == reflect.Ptr {
-		t = t.Elem()
-	}
-	return strings.ToLower(t.Name())
-}
-
-func Start(logger log.ContextLogger, stage StartStage, services ...Lifecycle) error {
+func Start(stage StartStage, services ...Lifecycle) error {
 	for _, service := range services {
-		name := getServiceName(service)
-		logger.Trace(stage, " ", name)
-		startTime := time.Now()
 		err := service.Start(stage)
 		if err != nil {
 			return err
 		}
-		logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }
 
-func StartNamed(logger log.ContextLogger, stage StartStage, services []LifecycleService) error {
+func StartNamed(stage StartStage, services []LifecycleService) error {
 	for _, service := range services {
-		logger.Trace(stage, " ", service.Name())
-		startTime := time.Now()
 		err := service.Start(stage)
 		if err != nil {
 			return E.Cause(err, stage.String(), " ", service.Name())
 		}
-		logger.Trace(stage, " ", service.Name(), " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }

adapter/outbound/manager.go

@@ -6,7 +6,6 @@ import (
 	"os"
 	"strings"
 	"sync"
-	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/taskmonitor"
@@ -14,7 +13,6 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
-	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/logger"
 )
 
@@ -83,14 +81,10 @@ func (m *Manager) Start(stage adapter.StartStage) error {
 		outbounds := m.outbounds
 		m.access.Unlock()
 		for _, outbound := range outbounds {
-			name := "outbound/" + outbound.Type() + "[" + outbound.Tag() + "]"
-			m.logger.Trace(stage, " ", name)
-			startTime := time.Now()
 			err := adapter.LegacyStart(outbound, stage)
 			if err != nil {
-				return E.Cause(err, stage, " ", name)
+				return E.Cause(err, stage, " outbound/", outbound.Type(), "[", outbound.Tag(), "]")
 			}
-			m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 		}
 	}
 	return nil
@@ -115,29 +109,22 @@ func (m *Manager) startOutbounds(outbounds []adapter.Outbound) error {
 			}
 			started[outboundTag] = true
 			canContinue = true
-			name := "outbound/" + outboundToStart.Type() + "[" + outboundTag + "]"
 			if starter, isStarter := outboundToStart.(adapter.Lifecycle); isStarter {
-				m.logger.Trace("start ", name)
-				startTime := time.Now()
-				monitor.Start("start ", name)
+				monitor.Start("start outbound/", outboundToStart.Type(), "[", outboundTag, "]")
 				err := starter.Start(adapter.StartStateStart)
 				monitor.Finish()
 				if err != nil {
-					return E.Cause(err, "start ", name)
+					return E.Cause(err, "start outbound/", outboundToStart.Type(), "[", outboundTag, "]")
 				}
-				m.logger.Trace("start ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 			} else if starter, isStarter := outboundToStart.(interface {
 				Start() error
 			}); isStarter {
-				m.logger.Trace("start ", name)
-				startTime := time.Now()
-				monitor.Start("start ", name)
+				monitor.Start("start outbound/", outboundToStart.Type(), "[", outboundTag, "]")
 				err := starter.Start()
 				monitor.Finish()
 				if err != nil {
-					return E.Cause(err, "start ", name)
+					return E.Cause(err, "start outbound/", outboundToStart.Type(), "[", outboundTag, "]")
 				}
-				m.logger.Trace("start ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 			}
 		}
 		if len(started) == len(outbounds) {
@@ -184,15 +171,11 @@ func (m *Manager) Close() error {
 	var err error
 	for _, outbound := range outbounds {
 		if closer, isCloser := outbound.(io.Closer); isCloser {
-			name := "outbound/" + outbound.Type() + "[" + outbound.Tag() + "]"
-			m.logger.Trace("close ", name)
-			startTime := time.Now()
-			monitor.Start("close ", name)
+			monitor.Start("close outbound/", outbound.Type(), "[", outbound.Tag(), "]")
 			err = E.Append(err, closer.Close(), func(err error) error {
-				return E.Cause(err, "close ", name)
+				return E.Cause(err, "close outbound/", outbound.Type(), "[", outbound.Tag(), "]")
 			})
 			monitor.Finish()
-			m.logger.Trace("close ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 		}
 	}
 	return nil
@@ -273,15 +256,11 @@ func (m *Manager) Create(ctx context.Context, router adapter.Router, logger log.
 		return err
 	}
 	if m.started {
-		name := "outbound/" + outbound.Type() + "[" + outbound.Tag() + "]"
 		for _, stage := range adapter.ListStartStages {
-			m.logger.Trace(stage, " ", name)
-			startTime := time.Now()
 			err = adapter.LegacyStart(outbound, stage)
 			if err != nil {
-				return E.Cause(err, stage, " ", name)
+				return E.Cause(err, stage, " outbound/", outbound.Type(), "[", outbound.Tag(), "]")
 			}
-			m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 		}
 	}
 	m.access.Lock()

adapter/service/manager.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"os"
 	"sync"
-	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/taskmonitor"
@@ -12,7 +11,6 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
-	F "github.com/sagernet/sing/common/format"
 )
 
 var _ adapter.ServiceManager = (*Manager)(nil)
@@ -45,14 +43,10 @@ func (m *Manager) Start(stage adapter.StartStage) error {
 	services := m.services
 	m.access.Unlock()
 	for _, service := range services {
-		name := "service/" + service.Type() + "[" + service.Tag() + "]"
-		m.logger.Trace(stage, " ", name)
-		startTime := time.Now()
 		err := adapter.LegacyStart(service, stage)
 		if err != nil {
-			return E.Cause(err, stage, " ", name)
+			return E.Cause(err, stage, " service/", service.Type(), "[", service.Tag(), "]")
 		}
-		m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }
@@ -69,15 +63,11 @@ func (m *Manager) Close() error {
 	monitor := taskmonitor.New(m.logger, C.StopTimeout)
 	var err error
 	for _, service := range services {
-		name := "service/" + service.Type() + "[" + service.Tag() + "]"
-		m.logger.Trace("close ", name)
-		startTime := time.Now()
-		monitor.Start("close ", name)
+		monitor.Start("close service/", service.Type(), "[", service.Tag(), "]")
 		err = E.Append(err, service.Close(), func(err error) error {
-			return E.Cause(err, "close ", name)
+			return E.Cause(err, "close service/", service.Type(), "[", service.Tag(), "]")
 		})
 		monitor.Finish()
-		m.logger.Trace("close ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }
@@ -126,15 +116,11 @@ func (m *Manager) Create(ctx context.Context, logger log.ContextLogger, tag stri
 	m.access.Lock()
 	defer m.access.Unlock()
 	if m.started {
-		name := "service/" + service.Type() + "[" + service.Tag() + "]"
 		for _, stage := range adapter.ListStartStages {
-			m.logger.Trace(stage, " ", name)
-			startTime := time.Now()
 			err = adapter.LegacyStart(service, stage)
 			if err != nil {
-				return E.Cause(err, stage, " ", name)
+				return E.Cause(err, stage, " service/", service.Type(), "[", service.Tag(), "]")
 			}
-			m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 		}
 	}
 	if existsService, loaded := m.serviceByTag[tag]; loaded {

adapter/upstream.go

@@ -73,7 +73,7 @@ func NewUpstreamContextHandlerEx(
 }
 
 func (w *myUpstreamContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	_, myMetadata := ExtendContext(ctx)
+	myMetadata := ContextFrom(ctx)
 	if source.IsValid() {
 		myMetadata.Source = source
 	}
@@ -84,7 +84,7 @@ func (w *myUpstreamContextHandlerWrapperEx) NewConnectionEx(ctx context.Context,
 }
 
 func (w *myUpstreamContextHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	_, myMetadata := ExtendContext(ctx)
+	myMetadata := ContextFrom(ctx)
 	if source.IsValid() {
 		myMetadata.Source = source
 	}
@@ -146,7 +146,7 @@ type routeContextHandlerWrapperEx struct {
 }
 
 func (r *routeContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	_, metadata := ExtendContext(ctx)
+	metadata := ContextFrom(ctx)
 	if source.IsValid() {
 		metadata.Source = source
 	}
@@ -157,7 +157,7 @@ func (r *routeContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn
 }
 
 func (r *routeContextHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	_, metadata := ExtendContext(ctx)
+	metadata := ContextFrom(ctx)
 	if source.IsValid() {
 		metadata.Source = source
 	}

box.go

@@ -443,15 +443,15 @@ func (s *Box) preStart() error {
 	if err != nil {
 		return E.Cause(err, "start logger")
 	}
-	err = adapter.StartNamed(s.logger, adapter.StartStateInitialize, s.internalService) // cache-file clash-api v2ray-api
+	err = adapter.StartNamed(adapter.StartStateInitialize, s.internalService) // cache-file clash-api v2ray-api
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateInitialize, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(adapter.StartStateInitialize, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateStart, s.outbound, s.dnsTransport, s.dnsRouter, s.network, s.connection, s.router)
+	err = adapter.Start(adapter.StartStateStart, s.outbound, s.dnsTransport, s.dnsRouter, s.network, s.connection, s.router)
 	if err != nil {
 		return err
 	}
@@ -463,27 +463,27 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.StartNamed(s.logger, adapter.StartStateStart, s.internalService)
+	err = adapter.StartNamed(adapter.StartStateStart, s.internalService)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateStart, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(adapter.StartStateStart, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStatePostStart, s.outbound, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(adapter.StartStatePostStart, s.outbound, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
-	err = adapter.StartNamed(s.logger, adapter.StartStatePostStart, s.internalService)
+	err = adapter.StartNamed(adapter.StartStatePostStart, s.internalService)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateStarted, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(adapter.StartStateStarted, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
-	err = adapter.StartNamed(s.logger, adapter.StartStateStarted, s.internalService)
+	err = adapter.StartNamed(adapter.StartStateStarted, s.internalService)
 	if err != nil {
 		return err
 	}
@@ -497,42 +497,17 @@ func (s *Box) Close() error {
 	default:
 		close(s.done)
 	}
-	var err error
-	for _, closeItem := range []struct {
-		name    string
-		service adapter.Lifecycle
-	}{
-		{"service", s.service},
-		{"endpoint", s.endpoint},
-		{"inbound", s.inbound},
-		{"outbound", s.outbound},
-		{"router", s.router},
-		{"connection", s.connection},
-		{"dns-router", s.dnsRouter},
-		{"dns-transport", s.dnsTransport},
-		{"network", s.network},
-	} {
-		s.logger.Trace("close ", closeItem.name)
-		startTime := time.Now()
-		err = E.Append(err, closeItem.service.Close(), func(err error) error {
-			return E.Cause(err, "close ", closeItem.name)
-		})
-		s.logger.Trace("close ", closeItem.name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
-	}
+	err := common.Close(
+		s.service, s.endpoint, s.inbound, s.outbound, s.router, s.connection, s.dnsRouter, s.dnsTransport, s.network,
+	)
 	for _, lifecycleService := range s.internalService {
-		s.logger.Trace("close ", lifecycleService.Name())
-		startTime := time.Now()
 		err = E.Append(err, lifecycleService.Close(), func(err error) error {
 			return E.Cause(err, "close ", lifecycleService.Name())
 		})
-		s.logger.Trace("close ", lifecycleService.Name(), " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
-	s.logger.Trace("close logger")
-	startTime := time.Now()
 	err = E.Append(err, s.logFactory.Close(), func(err error) error {
 		return E.Cause(err, "close logger")
 	})
-	s.logger.Trace("close logger completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	return err
 }
 

cmd/internal/build_libbox/main.go

@@ -5,7 +5,6 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
-	"strconv"
 	"strings"
 
 	_ "github.com/sagernet/gomobile"
@@ -47,7 +46,7 @@ var (
 	sharedFlags []string
 	debugFlags  []string
 	sharedTags  []string
-	darwinTags  []string
+	macOSTags   []string
 	memcTags    []string
 	notMemcTags []string
 	debugTags   []string
@@ -63,34 +62,16 @@ func init() {
 	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=  -checklinkname=0")
 	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -checklinkname=0")
 
-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_naive_outbound", "with_clash_api", "with_conntrack", "badlinkname", "tfogo_checklinkname0")
-	darwinTags = append(darwinTags, "with_dhcp")
+	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api", "with_conntrack", "badlinkname", "tfogo_checklinkname0")
+	macOSTags = append(macOSTags, "with_dhcp")
 	memcTags = append(memcTags, "with_tailscale")
 	notMemcTags = append(notMemcTags, "with_low_memory")
 	debugTags = append(debugTags, "debug")
 }
 
-type AndroidBuildConfig struct {
-	AndroidAPI int
-	OutputName string
-	Tags       []string
-}
+func buildAndroid() {
+	build_shared.FindSDK()
 
-func filterTags(tags []string, exclude ...string) []string {
-	excludeMap := make(map[string]bool)
-	for _, tag := range exclude {
-		excludeMap[tag] = true
-	}
-	var result []string
-	for _, tag := range tags {
-		if !excludeMap[tag] {
-			result = append(result, tag)
-		}
-	}
-	return result
-}
-
-func checkJavaVersion() {
 	var javaPath string
 	javaHome := os.Getenv("JAVA_HOME")
 	if javaHome == "" {
@@ -106,24 +87,21 @@ func checkJavaVersion() {
 	if !strings.Contains(javaVersion, "openjdk 17") {
 		log.Fatal("java version should be openjdk 17")
 	}
-}
 
-func getAndroidBindTarget() string {
+	var bindTarget string
 	if platform != "" {
-		return platform
+		bindTarget = platform
 	} else if debugEnabled {
-		return "android/arm64"
+		bindTarget = "android/arm64"
+	} else {
+		bindTarget = "android"
 	}
-	return "android"
-}
 
-func buildAndroidVariant(config AndroidBuildConfig, bindTarget string) {
 	args := []string{
 		"bind",
 		"-v",
-		"-o", config.OutputName,
 		"-target", bindTarget,
-		"-androidapi", strconv.Itoa(config.AndroidAPI),
+		"-androidapi", "21",
 		"-javapkg=io.nekohasekai",
 		"-libname=box",
 	}
@@ -134,59 +112,34 @@ func buildAndroidVariant(config AndroidBuildConfig, bindTarget string) {
 		args = append(args, debugFlags...)
 	}
 
-	args = append(args, "-tags", strings.Join(config.Tags, ","))
+	tags := append(sharedTags, memcTags...)
+	if debugEnabled {
+		tags = append(tags, debugTags...)
+	}
+
+	args = append(args, "-tags", strings.Join(tags, ","))
 	args = append(args, "./experimental/libbox")
 
 	command := exec.Command(build_shared.GoBinPath+"/gomobile", args...)
 	command.Stdout = os.Stdout
 	command.Stderr = os.Stderr
-	err := command.Run()
+	err = command.Run()
 	if err != nil {
 		log.Fatal(err)
 	}
 
+	const name = "libbox.aar"
 	copyPath := filepath.Join("..", "sing-box-for-android", "app", "libs")
 	if rw.IsDir(copyPath) {
 		copyPath, _ = filepath.Abs(copyPath)
-		err = rw.CopyFile(config.OutputName, filepath.Join(copyPath, config.OutputName))
+		err = rw.CopyFile(name, filepath.Join(copyPath, name))
 		if err != nil {
 			log.Fatal(err)
 		}
-		log.Info("copied ", config.OutputName, " to ", copyPath)
+		log.Info("copied to ", copyPath)
 	}
 }
 
-func buildAndroid() {
-	build_shared.FindSDK()
-	checkJavaVersion()
-
-	bindTarget := getAndroidBindTarget()
-
-	// Build main variant (SDK 23)
-	mainTags := append([]string{}, sharedTags...)
-	mainTags = append(mainTags, memcTags...)
-	if debugEnabled {
-		mainTags = append(mainTags, debugTags...)
-	}
-	buildAndroidVariant(AndroidBuildConfig{
-		AndroidAPI: 23,
-		OutputName: "libbox.aar",
-		Tags:       mainTags,
-	}, bindTarget)
-
-	// Build legacy variant (SDK 21, no naive outbound)
-	legacyTags := filterTags(sharedTags, "with_naive_outbound")
-	legacyTags = append(legacyTags, memcTags...)
-	if debugEnabled {
-		legacyTags = append(legacyTags, debugTags...)
-	}
-	buildAndroidVariant(AndroidBuildConfig{
-		AndroidAPI: 21,
-		OutputName: "libbox-legacy.aar",
-		Tags:       legacyTags,
-	}, bindTarget)
-}
-
 func buildApple() {
 	var bindTarget string
 	if platform != "" {
@@ -205,7 +158,9 @@ func buildApple() {
 		"-tags-not-macos=with_low_memory",
 	}
 	if !withTailscale {
-		args = append(args, "-tags-macos="+strings.Join(memcTags, ","))
+		args = append(args, "-tags-macos="+strings.Join(append(macOSTags, memcTags...), ","))
+	} else {
+		args = append(args, "-tags-macos="+strings.Join(macOSTags, ","))
 	}
 
 	if !debugEnabled {
@@ -214,7 +169,7 @@ func buildApple() {
 		args = append(args, debugFlags...)
 	}
 
-	tags := append(sharedTags, darwinTags...)
+	tags := sharedTags
 	if withTailscale {
 		tags = append(tags, memcTags...)
 	}

cmd/internal/update_certificates/main.go

@@ -17,10 +17,6 @@ func main() {
 	if err != nil {
 		log.Error(err)
 	}
-	err = updateChromeIncludedRootCAs()
-	if err != nil {
-		log.Error(err)
-	}
 }
 
 func updateMozillaIncludedRootCAs() error {
@@ -73,94 +69,3 @@ func init() {
 	generated.WriteString("}\n")
 	return os.WriteFile("common/certificate/mozilla.go", []byte(generated.String()), 0o644)
 }
-
-func fetchChinaFingerprints() (map[string]bool, error) {
-	response, err := http.Get("https://ccadb.my.salesforce-sites.com/ccadb/AllCertificateRecordsCSVFormatv4")
-	if err != nil {
-		return nil, err
-	}
-	defer response.Body.Close()
-	reader := csv.NewReader(response.Body)
-	header, err := reader.Read()
-	if err != nil {
-		return nil, err
-	}
-	countryIndex := slices.Index(header, "Country")
-	fingerprintIndex := slices.Index(header, "SHA-256 Fingerprint")
-
-	chinaFingerprints := make(map[string]bool)
-	for {
-		record, err := reader.Read()
-		if err == io.EOF {
-			break
-		} else if err != nil {
-			return nil, err
-		}
-		if record[countryIndex] == "China" {
-			chinaFingerprints[record[fingerprintIndex]] = true
-		}
-	}
-	return chinaFingerprints, nil
-}
-
-func updateChromeIncludedRootCAs() error {
-	chinaFingerprints, err := fetchChinaFingerprints()
-	if err != nil {
-		return err
-	}
-
-	response, err := http.Get("https://ccadb.my.salesforce-sites.com/ccadb/RootCACertificatesIncludedByRSReportCSV")
-	if err != nil {
-		return err
-	}
-	defer response.Body.Close()
-	reader := csv.NewReader(response.Body)
-	header, err := reader.Read()
-	if err != nil {
-		return err
-	}
-	subjectIndex := slices.Index(header, "Subject")
-	statusIndex := slices.Index(header, "Google Chrome Status")
-	certIndex := slices.Index(header, "X.509 Certificate (PEM)")
-	fingerprintIndex := slices.Index(header, "SHA-256 Fingerprint")
-
-	generated := strings.Builder{}
-	generated.WriteString(`// Code generated by 'make update_certificates'. DO NOT EDIT.
-
-package certificate
-
-import "crypto/x509"
-
-var chromeIncluded *x509.CertPool
-
-func init() {
-	chromeIncluded = x509.NewCertPool()
-`)
-	for {
-		record, err := reader.Read()
-		if err == io.EOF {
-			break
-		} else if err != nil {
-			return err
-		}
-		if record[statusIndex] != "Included" {
-			continue
-		}
-		if chinaFingerprints[record[fingerprintIndex]] {
-			continue
-		}
-		generated.WriteString("\n	// ")
-		generated.WriteString(record[subjectIndex])
-		generated.WriteString("\n")
-		generated.WriteString("	chromeIncluded.AppendCertsFromPEM([]byte(`")
-		cert := record[certIndex]
-		// Remove single quotes if present
-		if len(cert) > 0 && cert[0] == '\'' {
-			cert = cert[1 : len(cert)-1]
-		}
-		generated.WriteString(cert)
-		generated.WriteString("`))\n")
-	}
-	generated.WriteString("}\n")
-	return os.WriteFile("common/certificate/chrome.go", []byte(generated.String()), 0o644)
-}

common/certificate/store.go

@@ -53,8 +53,6 @@ func NewStore(ctx context.Context, logger logger.Logger, options option.Certific
 		}
 	case C.CertificateStoreMozilla:
 		systemPool = mozillaIncluded
-	case C.CertificateStoreChrome:
-		systemPool = chromeIncluded
 	case C.CertificateStoreNone:
 		systemPool = nil
 	default:

common/dialer/default.go

@@ -142,18 +142,9 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 	} else {
 		dialer.Timeout = C.TCPConnectTimeout
 	}
-	if !options.DisableTCPKeepAlive {
-		keepIdle := time.Duration(options.TCPKeepAlive)
-		if keepIdle == 0 {
-			keepIdle = C.TCPKeepAliveInitial
-		}
-		keepInterval := time.Duration(options.TCPKeepAliveInterval)
-		if keepInterval == 0 {
-			keepInterval = C.TCPKeepAliveInterval
-		}
-		dialer.KeepAlive = keepIdle
-		dialer.Control = control.Append(dialer.Control, control.SetKeepAlivePeriod(keepIdle, keepInterval))
-	}
+	// TODO: Add an option to customize the keep alive period
+	dialer.KeepAlive = C.TCPKeepAliveInitial
+	dialer.Control = control.Append(dialer.Control, control.SetKeepAlivePeriod(C.TCPKeepAliveInitial, C.TCPKeepAliveInterval))
 	var udpFragment bool
 	if options.UDPFragment != nil {
 		udpFragment = *options.UDPFragment

common/listener/listener_tcp.go

@@ -37,7 +37,7 @@ func (l *Listener) ListenTCP() (net.Listener, error) {
 	if l.listenOptions.ReuseAddr {
 		listenConfig.Control = control.Append(listenConfig.Control, control.ReuseAddr())
 	}
-	if !l.listenOptions.DisableTCPKeepAlive {
+	if l.listenOptions.TCPKeepAlive >= 0 {
 		keepIdle := time.Duration(l.listenOptions.TCPKeepAlive)
 		if keepIdle == 0 {
 			keepIdle = C.TCPKeepAliveInitial

common/settings/wifi_linux_connman.go

@@ -1,5 +1,3 @@
-//go:build linux
-
 package settings
 
 import (
@@ -136,9 +134,7 @@ func (m *connmanMonitor) monitorSignals(ctx context.Context, signalChan chan *db
 			if !ok {
 				return
 			}
-			// godbus Signal.Name uses "interface.member" format (e.g. "net.connman.Service.PropertyChanged"),
-			// not just the member name. This differs from the D-Bus signal member in the match rule.
-			if signal.Name == "net.connman.Service.PropertyChanged" {
+			if signal.Name == "PropertyChanged" {
 				state := m.ReadWIFIState()
 				if state != lastState {
 					lastState = state
@@ -158,10 +154,6 @@ func (m *connmanMonitor) Close() error {
 		close(m.signalChan)
 	}
 	if m.conn != nil {
-		m.conn.RemoveMatchSignal(
-			dbus.WithMatchInterface("net.connman.Service"),
-			dbus.WithMatchSender("net.connman"),
-		)
 		return m.conn.Close()
 	}
 	return nil

common/settings/wifi_linux_iwd.go

@@ -1,5 +1,3 @@
-//go:build linux
-
 package settings
 
 import (
@@ -180,10 +178,6 @@ func (m *iwdMonitor) Close() error {
 		close(m.signalChan)
 	}
 	if m.conn != nil {
-		m.conn.RemoveMatchSignal(
-			dbus.WithMatchInterface("org.freedesktop.DBus.Properties"),
-			dbus.WithMatchSender("net.connman.iwd"),
-		)
 		return m.conn.Close()
 	}
 	return nil

common/settings/wifi_linux_nm.go

@@ -1,5 +1,3 @@
-//go:build linux
-
 package settings
 
 import (
@@ -42,59 +40,57 @@ func (m *networkManagerMonitor) ReadWIFIState() adapter.WIFIState {
 
 	nmObj := m.conn.Object("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager")
 
-	var activeConnectionPaths []dbus.ObjectPath
-	err := nmObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager", "ActiveConnections").Store(&activeConnectionPaths)
-	if err != nil || len(activeConnectionPaths) == 0 {
+	var primaryConnectionPath dbus.ObjectPath
+	err := nmObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager", "PrimaryConnection").Store(&primaryConnectionPath)
+	if err != nil || primaryConnectionPath == "/" {
 		return adapter.WIFIState{}
 	}
 
-	for _, connectionPath := range activeConnectionPaths {
-		connObj := m.conn.Object("org.freedesktop.NetworkManager", connectionPath)
+	connObj := m.conn.Object("org.freedesktop.NetworkManager", primaryConnectionPath)
 
-		var devicePaths []dbus.ObjectPath
-		err = connObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager.Connection.Active", "Devices").Store(&devicePaths)
-		if err != nil || len(devicePaths) == 0 {
+	var devicePaths []dbus.ObjectPath
+	err = connObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager.Connection.Active", "Devices").Store(&devicePaths)
+	if err != nil || len(devicePaths) == 0 {
+		return adapter.WIFIState{}
+	}
+
+	for _, devicePath := range devicePaths {
+		deviceObj := m.conn.Object("org.freedesktop.NetworkManager", devicePath)
+
+		var deviceType uint32
+		err = deviceObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager.Device", "DeviceType").Store(&deviceType)
+		if err != nil || deviceType != 2 {
 			continue
 		}
 
-		for _, devicePath := range devicePaths {
-			deviceObj := m.conn.Object("org.freedesktop.NetworkManager", devicePath)
+		var accessPointPath dbus.ObjectPath
+		err = deviceObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager.Device.Wireless", "ActiveAccessPoint").Store(&accessPointPath)
+		if err != nil || accessPointPath == "/" {
+			continue
+		}
 
-			var deviceType uint32
-			err = deviceObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager.Device", "DeviceType").Store(&deviceType)
-			if err != nil || deviceType != 2 {
-				continue
-			}
+		apObj := m.conn.Object("org.freedesktop.NetworkManager", accessPointPath)
 
-			var accessPointPath dbus.ObjectPath
-			err = deviceObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager.Device.Wireless", "ActiveAccessPoint").Store(&accessPointPath)
-			if err != nil || accessPointPath == "/" {
-				continue
-			}
+		var ssidBytes []byte
+		err = apObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager.AccessPoint", "Ssid").Store(&ssidBytes)
+		if err != nil {
+			continue
+		}
 
-			apObj := m.conn.Object("org.freedesktop.NetworkManager", accessPointPath)
+		var hwAddress string
+		err = apObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager.AccessPoint", "HwAddress").Store(&hwAddress)
+		if err != nil {
+			continue
+		}
 
-			var ssidBytes []byte
-			err = apObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager.AccessPoint", "Ssid").Store(&ssidBytes)
-			if err != nil {
-				continue
-			}
+		ssid := strings.TrimSpace(string(ssidBytes))
+		if ssid == "" {
+			continue
+		}
 
-			var hwAddress string
-			err = apObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager.AccessPoint", "HwAddress").Store(&hwAddress)
-			if err != nil {
-				continue
-			}
-
-			ssid := strings.TrimSpace(string(ssidBytes))
-			if ssid == "" {
-				continue
-			}
-
-			return adapter.WIFIState{
-				SSID:  ssid,
-				BSSID: strings.ToUpper(strings.ReplaceAll(hwAddress, ":", "")),
-			}
+		return adapter.WIFIState{
+			SSID:  ssid,
+			BSSID: strings.ToUpper(strings.ReplaceAll(hwAddress, ":", "")),
 		}
 	}
 
@@ -155,10 +151,6 @@ func (m *networkManagerMonitor) Close() error {
 		close(m.signalChan)
 	}
 	if m.conn != nil {
-		m.conn.RemoveMatchSignal(
-			dbus.WithMatchSender("org.freedesktop.NetworkManager"),
-			dbus.WithMatchInterface("org.freedesktop.DBus.Properties"),
-		)
 		return m.conn.Close()
 	}
 	return nil

common/settings/wifi_linux_wpa.go

@@ -8,21 +8,15 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
-	"sync"
-	"sync/atomic"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 )
 
-var wpaSocketCounter atomic.Uint64
-
 type wpaSupplicantMonitor struct {
-	socketPath  string
-	callback    func(adapter.WIFIState)
-	cancel      context.CancelFunc
-	monitorConn *net.UnixConn
-	connMutex   sync.Mutex
+	socketPath string
+	callback   func(adapter.WIFIState)
+	cancel     context.CancelFunc
 }
 
 func newWpaSupplicantMonitor(callback func(adapter.WIFIState)) (WIFIMonitor, error) {
@@ -37,8 +31,7 @@ func newWpaSupplicantMonitor(callback func(adapter.WIFIState)) (WIFIMonitor, err
 				continue
 			}
 			socketPath := filepath.Join(socketDir, entry.Name())
-			id := wpaSocketCounter.Add(1)
-			localAddr := &net.UnixAddr{Name: fmt.Sprintf("@sing-box-wpa-%d-%d", os.Getpid(), id), Net: "unixgram"}
+			localAddr := &net.UnixAddr{Name: fmt.Sprintf("@sing-box-wpa-%d", os.Getpid()), Net: "unixgram"}
 			remoteAddr := &net.UnixAddr{Name: socketPath, Net: "unixgram"}
 			conn, err := net.DialUnix("unixgram", localAddr, remoteAddr)
 			if err != nil {
@@ -52,8 +45,7 @@ func newWpaSupplicantMonitor(callback func(adapter.WIFIState)) (WIFIMonitor, err
 }
 
 func (m *wpaSupplicantMonitor) ReadWIFIState() adapter.WIFIState {
-	id := wpaSocketCounter.Add(1)
-	localAddr := &net.UnixAddr{Name: fmt.Sprintf("@sing-box-wpa-%d-%d", os.Getpid(), id), Net: "unixgram"}
+	localAddr := &net.UnixAddr{Name: fmt.Sprintf("@sing-box-wpa-%d", os.Getpid()), Net: "unixgram"}
 	remoteAddr := &net.UnixAddr{Name: m.socketPath, Net: "unixgram"}
 	conn, err := net.DialUnix("unixgram", localAddr, remoteAddr)
 	if err != nil {
@@ -93,11 +85,8 @@ func (m *wpaSupplicantMonitor) ReadWIFIState() adapter.WIFIState {
 	}
 }
 
-// sendCommand sends a command to wpa_supplicant and returns the response.
-// Commands are sent without trailing newlines per the wpa_supplicant control
-// interface protocol - the official wpa_ctrl.c sends raw command strings.
 func (m *wpaSupplicantMonitor) sendCommand(conn *net.UnixConn, command string) (string, error) {
-	_, err := conn.Write([]byte(command))
+	_, err := conn.Write([]byte(command + "\n"))
 	if err != nil {
 		return "", err
 	}
@@ -132,8 +121,6 @@ func (m *wpaSupplicantMonitor) Start() error {
 
 func (m *wpaSupplicantMonitor) monitorEvents(ctx context.Context, lastState adapter.WIFIState) {
 	var consecutiveErrors int
-	var debounceTimer *time.Timer
-	var debounceMutex sync.Mutex
 
 	localAddr := &net.UnixAddr{Name: fmt.Sprintf("@sing-box-wpa-mon-%d", os.Getpid()), Net: "unixgram"}
 	remoteAddr := &net.UnixAddr{Name: m.socketPath, Net: "unixgram"}
@@ -143,14 +130,7 @@ func (m *wpaSupplicantMonitor) monitorEvents(ctx context.Context, lastState adap
 	}
 	defer conn.Close()
 
-	m.connMutex.Lock()
-	m.monitorConn = conn
-	m.connMutex.Unlock()
-
-	// ATTACH/DETACH commands use os_strcmp() for exact matching in wpa_supplicant,
-	// so they must be sent without trailing newlines.
-	// See: https://w1.fi/cgit/hostap/tree/wpa_supplicant/ctrl_iface_unix.c
-	_, err = conn.Write([]byte("ATTACH"))
+	_, err = conn.Write([]byte("ATTACH\n"))
 	if err != nil {
 		return
 	}
@@ -164,12 +144,6 @@ func (m *wpaSupplicantMonitor) monitorEvents(ctx context.Context, lastState adap
 	for {
 		select {
 		case <-ctx.Done():
-			debounceMutex.Lock()
-			if debounceTimer != nil {
-				debounceTimer.Stop()
-			}
-			debounceMutex.Unlock()
-			conn.Write([]byte("DETACH"))
 			return
 		default:
 		}
@@ -177,14 +151,6 @@ func (m *wpaSupplicantMonitor) monitorEvents(ctx context.Context, lastState adap
 		conn.SetReadDeadline(time.Now().Add(30 * time.Second))
 		n, err := conn.Read(buf)
 		if err != nil {
-			if netErr, ok := err.(net.Error); ok && netErr.Timeout() {
-				continue
-			}
-			select {
-			case <-ctx.Done():
-				return
-			default:
-			}
 			consecutiveErrors++
 			if consecutiveErrors > 10 {
 				return
@@ -196,18 +162,11 @@ func (m *wpaSupplicantMonitor) monitorEvents(ctx context.Context, lastState adap
 
 		msg := string(buf[:n])
 		if strings.Contains(msg, "CTRL-EVENT-CONNECTED") || strings.Contains(msg, "CTRL-EVENT-DISCONNECTED") {
-			debounceMutex.Lock()
-			if debounceTimer != nil {
-				debounceTimer.Stop()
+			state := m.ReadWIFIState()
+			if state != lastState {
+				lastState = state
+				m.callback(state)
 			}
-			debounceTimer = time.AfterFunc(500*time.Millisecond, func() {
-				state := m.ReadWIFIState()
-				if state != lastState {
-					lastState = state
-					m.callback(state)
-				}
-			})
-			debounceMutex.Unlock()
 		}
 	}
 }
@@ -216,10 +175,5 @@ func (m *wpaSupplicantMonitor) Close() error {
 	if m.cancel != nil {
 		m.cancel()
 	}
-	m.connMutex.Lock()
-	if m.monitorConn != nil {
-		m.monitorConn.Close()
-	}
-	m.connMutex.Unlock()
 	return nil
 }

common/settings/wifi_stub.go

@@ -1,4 +1,4 @@
-//go:build !linux && !windows
+//go:build !linux
 
 package settings
 

common/settings/wifi_windows.go

@@ -1,144 +0,0 @@
-//go:build windows
-
-package settings
-
-import (
-	"context"
-	"fmt"
-	"strings"
-	"sync"
-	"syscall"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing/common/winwlanapi"
-
-	"golang.org/x/sys/windows"
-)
-
-type windowsWIFIMonitor struct {
-	handle    windows.Handle
-	callback  func(adapter.WIFIState)
-	cancel    context.CancelFunc
-	lastState adapter.WIFIState
-	mutex     sync.Mutex
-}
-
-func NewWIFIMonitor(callback func(adapter.WIFIState)) (WIFIMonitor, error) {
-	handle, err := winwlanapi.OpenHandle()
-	if err != nil {
-		return nil, err
-	}
-
-	interfaces, err := winwlanapi.EnumInterfaces(handle)
-	if err != nil {
-		winwlanapi.CloseHandle(handle)
-		return nil, err
-	}
-	if len(interfaces) == 0 {
-		winwlanapi.CloseHandle(handle)
-		return nil, fmt.Errorf("no wireless interfaces found")
-	}
-
-	return &windowsWIFIMonitor{
-		handle:   handle,
-		callback: callback,
-	}, nil
-}
-
-func (m *windowsWIFIMonitor) ReadWIFIState() adapter.WIFIState {
-	interfaces, err := winwlanapi.EnumInterfaces(m.handle)
-	if err != nil || len(interfaces) == 0 {
-		return adapter.WIFIState{}
-	}
-
-	for _, iface := range interfaces {
-		if iface.InterfaceState != winwlanapi.InterfaceStateConnected {
-			continue
-		}
-
-		guid := iface.InterfaceGUID
-		attrs, err := winwlanapi.QueryCurrentConnection(m.handle, &guid)
-		if err != nil {
-			continue
-		}
-
-		ssidLength := attrs.AssociationAttributes.SSID.Length
-		if ssidLength == 0 || ssidLength > winwlanapi.Dot11SSIDMaxLength {
-			continue
-		}
-
-		ssid := string(attrs.AssociationAttributes.SSID.SSID[:ssidLength])
-		bssid := formatBSSID(attrs.AssociationAttributes.BSSID)
-
-		return adapter.WIFIState{
-			SSID:  strings.TrimSpace(ssid),
-			BSSID: bssid,
-		}
-	}
-
-	return adapter.WIFIState{}
-}
-
-func formatBSSID(mac winwlanapi.Dot11MacAddress) string {
-	return fmt.Sprintf("%02X%02X%02X%02X%02X%02X",
-		mac[0], mac[1], mac[2], mac[3], mac[4], mac[5])
-}
-
-func (m *windowsWIFIMonitor) Start() error {
-	if m.callback == nil {
-		return nil
-	}
-
-	ctx, cancel := context.WithCancel(context.Background())
-	m.cancel = cancel
-
-	m.lastState = m.ReadWIFIState()
-
-	callbackFunc := func(data *winwlanapi.NotificationData, callbackContext uintptr) uintptr {
-		if data.NotificationSource != winwlanapi.NotificationSourceACM {
-			return 0
-		}
-		switch data.NotificationCode {
-		case winwlanapi.NotificationACMConnectionComplete,
-			winwlanapi.NotificationACMDisconnected:
-			m.checkAndNotify()
-		}
-		return 0
-	}
-
-	callbackPointer := syscall.NewCallback(callbackFunc)
-
-	err := winwlanapi.RegisterNotification(m.handle, winwlanapi.NotificationSourceACM, callbackPointer, 0)
-	if err != nil {
-		cancel()
-		return err
-	}
-
-	go func() {
-		<-ctx.Done()
-	}()
-
-	m.callback(m.lastState)
-	return nil
-}
-
-func (m *windowsWIFIMonitor) checkAndNotify() {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	state := m.ReadWIFIState()
-	if state != m.lastState {
-		m.lastState = state
-		if m.callback != nil {
-			m.callback(state)
-		}
-	}
-}
-
-func (m *windowsWIFIMonitor) Close() error {
-	if m.cancel != nil {
-		m.cancel()
-	}
-	winwlanapi.UnregisterNotification(m.handle)
-	return winwlanapi.CloseHandle(m.handle)
-}

common/tls/acme.go

@@ -114,17 +114,13 @@ func startACME(ctx context.Context, logger logger.Logger, options option.Inbound
 		switch dnsOptions.Provider {
 		case C.DNSProviderAliDNS:
 			solver.DNSProvider = &alidns.Provider{
-				CredentialInfo: alidns.CredentialInfo{
-					AccessKeyID:     dnsOptions.AliDNSOptions.AccessKeyID,
-					AccessKeySecret: dnsOptions.AliDNSOptions.AccessKeySecret,
-					RegionID:        dnsOptions.AliDNSOptions.RegionID,
-					SecurityToken:   dnsOptions.AliDNSOptions.SecurityToken,
-				},
+				AccKeyID:     dnsOptions.AliDNSOptions.AccessKeyID,
+				AccKeySecret: dnsOptions.AliDNSOptions.AccessKeySecret,
+				RegionID:     dnsOptions.AliDNSOptions.RegionID,
 			}
 		case C.DNSProviderCloudflare:
 			solver.DNSProvider = &cloudflare.Provider{
-				APIToken:  dnsOptions.CloudflareOptions.APIToken,
-				ZoneToken: dnsOptions.CloudflareOptions.ZoneToken,
+				APIToken: dnsOptions.CloudflareOptions.APIToken,
 			}
 		default:
 			return nil, nil, E.New("unsupported ACME DNS01 provider type: " + dnsOptions.Provider)

common/tls/ech.go

@@ -51,7 +51,6 @@ func parseECHClientConfig(ctx context.Context, clientConfig ECHCapableConfig, op
 		return &ECHClientConfig{
 			ECHCapableConfig: clientConfig,
 			dnsRouter:        service.FromContext[adapter.DNSRouter](ctx),
-			queryServerName:  options.ECH.QueryServerName,
 		}, nil
 	}
 }
@@ -109,11 +108,10 @@ func parseECHKeys(echKey []byte) ([]tls.EncryptedClientHelloKey, error) {
 
 type ECHClientConfig struct {
 	ECHCapableConfig
-	access          sync.Mutex
-	dnsRouter       adapter.DNSRouter
-	queryServerName string
-	lastTTL         time.Duration
-	lastUpdate      time.Time
+	access     sync.Mutex
+	dnsRouter  adapter.DNSRouter
+	lastTTL    time.Duration
+	lastUpdate time.Time
 }
 
 func (s *ECHClientConfig) ClientHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
@@ -132,17 +130,13 @@ func (s *ECHClientConfig) fetchAndHandshake(ctx context.Context, conn net.Conn)
 	s.access.Lock()
 	defer s.access.Unlock()
 	if len(s.ECHConfigList()) == 0 || s.lastTTL == 0 || time.Since(s.lastUpdate) > s.lastTTL {
-		queryServerName := s.queryServerName
-		if queryServerName == "" {
-			queryServerName = s.ServerName()
-		}
 		message := &mDNS.Msg{
 			MsgHdr: mDNS.MsgHdr{
 				RecursionDesired: true,
 			},
 			Question: []mDNS.Question{
 				{
-					Name:   mDNS.Fqdn(queryServerName),
+					Name:   mDNS.Fqdn(s.ServerName()),
 					Qtype:  mDNS.TypeHTTPS,
 					Qclass: mDNS.ClassINET,
 				},
@@ -181,12 +175,7 @@ func (s *ECHClientConfig) fetchAndHandshake(ctx context.Context, conn net.Conn)
 }
 
 func (s *ECHClientConfig) Clone() Config {
-	return &ECHClientConfig{
-		ECHCapableConfig: s.ECHCapableConfig.Clone().(ECHCapableConfig),
-		dnsRouter:        s.dnsRouter,
-		queryServerName:  s.queryServerName,
-		lastUpdate:       s.lastUpdate,
-	}
+	return &ECHClientConfig{ECHCapableConfig: s.ECHCapableConfig.Clone().(ECHCapableConfig), dnsRouter: s.dnsRouter, lastUpdate: s.lastUpdate}
 }
 
 func UnmarshalECHKeys(raw []byte) ([]tls.EncryptedClientHelloKey, error) {

common/tls/std_client.go

@@ -169,35 +169,6 @@ func NewSTDClient(ctx context.Context, logger logger.ContextLogger, serverAddres
 		}
 		tlsConfig.RootCAs = certPool
 	}
-	var clientCertificate []byte
-	if len(options.ClientCertificate) > 0 {
-		clientCertificate = []byte(strings.Join(options.ClientCertificate, "\n"))
-	} else if options.ClientCertificatePath != "" {
-		content, err := os.ReadFile(options.ClientCertificatePath)
-		if err != nil {
-			return nil, E.Cause(err, "read client certificate")
-		}
-		clientCertificate = content
-	}
-	var clientKey []byte
-	if len(options.ClientKey) > 0 {
-		clientKey = []byte(strings.Join(options.ClientKey, "\n"))
-	} else if options.ClientKeyPath != "" {
-		content, err := os.ReadFile(options.ClientKeyPath)
-		if err != nil {
-			return nil, E.Cause(err, "read client key")
-		}
-		clientKey = content
-	}
-	if len(clientCertificate) > 0 && len(clientKey) > 0 {
-		keyPair, err := tls.X509KeyPair(clientCertificate, clientKey)
-		if err != nil {
-			return nil, E.Cause(err, "parse client x509 key pair")
-		}
-		tlsConfig.Certificates = []tls.Certificate{keyPair}
-	} else if len(clientCertificate) > 0 || len(clientKey) > 0 {
-		return nil, E.New("client certificate and client key must be provided together")
-	}
 	var config Config = &STDClientConfig{ctx, &tlsConfig, options.Fragment, time.Duration(options.FragmentFallbackDelay), options.RecordFragment}
 	if options.ECH != nil && options.ECH.Enabled {
 		var err error

common/tls/utls_client.go

@@ -222,35 +222,6 @@ func NewUTLSClient(ctx context.Context, logger logger.ContextLogger, serverAddre
 		}
 		tlsConfig.RootCAs = certPool
 	}
-	var clientCertificate []byte
-	if len(options.ClientCertificate) > 0 {
-		clientCertificate = []byte(strings.Join(options.ClientCertificate, "\n"))
-	} else if options.ClientCertificatePath != "" {
-		content, err := os.ReadFile(options.ClientCertificatePath)
-		if err != nil {
-			return nil, E.Cause(err, "read client certificate")
-		}
-		clientCertificate = content
-	}
-	var clientKey []byte
-	if len(options.ClientKey) > 0 {
-		clientKey = []byte(strings.Join(options.ClientKey, "\n"))
-	} else if options.ClientKeyPath != "" {
-		content, err := os.ReadFile(options.ClientKeyPath)
-		if err != nil {
-			return nil, E.Cause(err, "read client key")
-		}
-		clientKey = content
-	}
-	if len(clientCertificate) > 0 && len(clientKey) > 0 {
-		keyPair, err := utls.X509KeyPair(clientCertificate, clientKey)
-		if err != nil {
-			return nil, E.Cause(err, "parse client x509 key pair")
-		}
-		tlsConfig.Certificates = []utls.Certificate{keyPair}
-	} else if len(clientCertificate) > 0 || len(clientKey) > 0 {
-		return nil, E.New("client certificate and client key must be provided together")
-	}
 	id, err := uTLSClientHelloID(options.UTLS.Fingerprint)
 	if err != nil {
 		return nil, err

common/urltest/urltest.go

@@ -14,7 +14,6 @@ import (
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/ntp"
-	"github.com/sagernet/sing/common/observable"
 )
 
 var _ adapter.URLTestHistoryStorage = (*HistoryStorage)(nil)
@@ -22,7 +21,7 @@ var _ adapter.URLTestHistoryStorage = (*HistoryStorage)(nil)
 type HistoryStorage struct {
 	access       sync.RWMutex
 	delayHistory map[string]*adapter.URLTestHistory
-	updateHook   *observable.Subscriber[struct{}]
+	updateHook   chan<- struct{}
 }
 
 func NewHistoryStorage() *HistoryStorage {
@@ -31,7 +30,7 @@ func NewHistoryStorage() *HistoryStorage {
 	}
 }
 
-func (s *HistoryStorage) SetHook(hook *observable.Subscriber[struct{}]) {
+func (s *HistoryStorage) SetHook(hook chan<- struct{}) {
 	s.updateHook = hook
 }
 
@@ -61,7 +60,10 @@ func (s *HistoryStorage) StoreURLTestHistory(tag string, history *adapter.URLTes
 func (s *HistoryStorage) notifyUpdated() {
 	updateHook := s.updateHook
 	if updateHook != nil {
-		updateHook.Emit(struct{}{})
+		select {
+		case updateHook <- struct{}{}:
+		default:
+		}
 	}
 }
 

constant/certificate.go

@@ -3,6 +3,5 @@ package constant
 const (
 	CertificateStoreSystem  = "system"
 	CertificateStoreMozilla = "mozilla"
-	CertificateStoreChrome  = "chrome"
 	CertificateStoreNone    = "none"
 )

constant/dhcp.go

@@ -4,5 +4,5 @@ import "time"
 
 const (
 	DHCPTTL     = time.Hour
-	DHCPTimeout = 5 * time.Second
+	DHCPTimeout = time.Minute
 )

constant/proxy.go

@@ -28,8 +28,6 @@ const (
 	TypeDERP         = "derp"
 	TypeResolved     = "resolved"
 	TypeSSMAPI       = "ssm-api"
-	TypeCCM          = "ccm"
-	TypeOCM          = "ocm"
 )
 
 const (

constant/timeout.go

@@ -3,7 +3,7 @@ package constant
 import "time"
 
 const (
-	TCPKeepAliveInitial        = 5 * time.Minute
+	TCPKeepAliveInitial        = 10 * time.Minute
 	TCPKeepAliveInterval       = 75 * time.Second
 	TCPConnectTimeout          = 5 * time.Second
 	TCPTimeout                 = 15 * time.Second

daemon/instance.go

@@ -7,12 +7,15 @@ import (
 	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/urltest"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/dns"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 	"github.com/sagernet/sing/service"
+	"github.com/sagernet/sing/service/filemanager"
 	"github.com/sagernet/sing/service/pause"
 )
 
@@ -26,12 +29,23 @@ type Instance struct {
 	urlTestHistoryStorage *urltest.HistoryStorage
 }
 
+func (s *StartedService) baseContext() context.Context {
+	dnsRegistry := include.DNSTransportRegistry()
+	if s.platform != nil && s.platform.UsePlatformLocalDNSTransport() {
+		dns.RegisterTransport[option.LocalDNSServerOptions](dnsRegistry, C.DNSTypeLocal, s.platform.LocalDNSTransport())
+	}
+	ctx := box.Context(s.ctx, include.InboundRegistry(), include.OutboundRegistry(), include.EndpointRegistry(), dnsRegistry, include.ServiceRegistry())
+	ctx = filemanager.WithDefault(ctx, s.workingDirectory, s.tempDirectory, s.userID, s.groupID)
+	return ctx
+}
+
 func (s *StartedService) CheckConfig(configContent string) error {
-	options, err := parseConfig(s.ctx, configContent)
+	ctx := s.baseContext()
+	options, err := parseConfig(ctx, configContent)
 	if err != nil {
 		return err
 	}
-	ctx, cancel := context.WithCancel(s.ctx)
+	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
 	instance, err := box.New(box.Options{
 		Context: ctx,
@@ -44,7 +58,7 @@ func (s *StartedService) CheckConfig(configContent string) error {
 }
 
 func (s *StartedService) FormatConfig(configContent string) (string, error) {
-	options, err := parseConfig(s.ctx, configContent)
+	options, err := parseConfig(s.baseContext(), configContent)
 	if err != nil {
 		return "", err
 	}
@@ -65,7 +79,7 @@ type OverrideOptions struct {
 }
 
 func (s *StartedService) newInstance(profileContent string, overrideOptions *OverrideOptions) (*Instance, error) {
-	ctx := s.ctx
+	ctx := s.baseContext()
 	service.MustRegister[deprecated.Manager](ctx, new(deprecatedManager))
 	ctx, cancel := context.WithCancel(include.Context(ctx))
 	options, err := parseConfig(ctx, profileContent)

daemon/platform.go

@@ -1,5 +1,11 @@
 package daemon
 
+import (
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/option"
+)
+
 type PlatformHandler interface {
 	ServiceStop() error
 	ServiceReload() error
@@ -7,3 +13,10 @@ type PlatformHandler interface {
 	SetSystemProxyEnabled(enabled bool) error
 	WriteDebugMessage(message string)
 }
+
+type PlatformInterface interface {
+	adapter.PlatformInterface
+
+	UsePlatformLocalDNSTransport() bool
+	LocalDNSTransport() dns.TransportConstructorFunc[option.LocalDNSServerOptions]
+}

daemon/started_service.go

@@ -31,16 +31,16 @@ import (
 var _ StartedServiceServer = (*StartedService)(nil)
 
 type StartedService struct {
-	ctx context.Context
-	// platform adapter.PlatformInterface
-	handler     PlatformHandler
-	debug       bool
-	logMaxLines int
-	// workingDirectory string
-	// tempDirectory    string
-	// userID           int
-	// groupID          int
-	// systemProxyEnabled      bool
+	ctx                     context.Context
+	platform                PlatformInterface
+	platformHandler         PlatformHandler
+	debug                   bool
+	logMaxLines             int
+	workingDirectory        string
+	tempDirectory           string
+	userID                  int
+	groupID                 int
+	systemProxyEnabled      bool
 	serviceAccess           sync.RWMutex
 	serviceStatus           *ServiceStatus
 	serviceStatusSubscriber *observable.Subscriber[*ServiceStatus]
@@ -58,30 +58,30 @@ type StartedService struct {
 }
 
 type ServiceOptions struct {
-	Context context.Context
-	// Platform           adapter.PlatformInterface
-	Handler     PlatformHandler
-	Debug       bool
-	LogMaxLines int
-	// WorkingDirectory   string
-	// TempDirectory      string
-	// UserID             int
-	// GroupID            int
-	// SystemProxyEnabled bool
+	Context            context.Context
+	Platform           PlatformInterface
+	PlatformHandler    PlatformHandler
+	Debug              bool
+	LogMaxLines        int
+	WorkingDirectory   string
+	TempDirectory      string
+	UserID             int
+	GroupID            int
+	SystemProxyEnabled bool
 }
 
 func NewStartedService(options ServiceOptions) *StartedService {
 	s := &StartedService{
-		ctx: options.Context,
-		// platform:                options.Platform,
-		handler:     options.Handler,
-		debug:       options.Debug,
-		logMaxLines: options.LogMaxLines,
-		// workingDirectory: options.WorkingDirectory,
-		// tempDirectory:    options.TempDirectory,
-		// userID:           options.UserID,
-		// groupID:          options.GroupID,
-		// systemProxyEnabled:      options.SystemProxyEnabled,
+		ctx:                     options.Context,
+		platform:                options.Platform,
+		platformHandler:         options.PlatformHandler,
+		debug:                   options.Debug,
+		logMaxLines:             options.LogMaxLines,
+		workingDirectory:        options.WorkingDirectory,
+		tempDirectory:           options.TempDirectory,
+		userID:                  options.UserID,
+		groupID:                 options.GroupID,
+		systemProxyEnabled:      options.SystemProxyEnabled,
 		serviceStatus:           &ServiceStatus{Status: ServiceStatus_IDLE},
 		serviceStatusSubscriber: observable.NewSubscriber[*ServiceStatus](4),
 		logSubscriber:           observable.NewSubscriber[*log.Entry](128),
@@ -117,46 +117,6 @@ func (s *StartedService) updateStatusError(err error) error {
 	return err
 }
 
-func (s *StartedService) waitForStarted(ctx context.Context) error {
-	s.serviceAccess.RLock()
-	currentStatus := s.serviceStatus.Status
-	s.serviceAccess.RUnlock()
-
-	switch currentStatus {
-	case ServiceStatus_STARTED:
-		return nil
-	case ServiceStatus_STARTING:
-	default:
-		return os.ErrInvalid
-	}
-
-	subscription, done, err := s.serviceStatusObserver.Subscribe()
-	if err != nil {
-		return err
-	}
-	defer s.serviceStatusObserver.UnSubscribe(subscription)
-
-	for {
-		select {
-		case <-ctx.Done():
-			return ctx.Err()
-		case <-s.ctx.Done():
-			return s.ctx.Err()
-		case status := <-subscription:
-			switch status.Status {
-			case ServiceStatus_STARTED:
-				return nil
-			case ServiceStatus_FATAL:
-				return E.New(status.ErrorMessage)
-			case ServiceStatus_IDLE, ServiceStatus_STOPPING:
-				return os.ErrInvalid
-			}
-		case <-done:
-			return os.ErrClosed
-		}
-	}
-}
-
 func (s *StartedService) StartOrReloadService(profileContent string, options *OverrideOptions) error {
 	s.serviceAccess.Lock()
 	switch s.serviceStatus.Status {
@@ -165,13 +125,6 @@ func (s *StartedService) StartOrReloadService(profileContent string, options *Ov
 		s.serviceAccess.Unlock()
 		return os.ErrInvalid
 	}
-	oldInstance := s.instance
-	if oldInstance != nil {
-		s.updateStatus(ServiceStatus_STOPPING)
-		s.serviceAccess.Unlock()
-		_ = oldInstance.Close()
-		s.serviceAccess.Lock()
-	}
 	s.updateStatus(ServiceStatus_STARTING)
 	s.resetLogs()
 	instance, err := s.newInstance(profileContent, options)
@@ -179,10 +132,6 @@ func (s *StartedService) StartOrReloadService(profileContent string, options *Ov
 		return s.updateStatusError(err)
 	}
 	s.instance = instance
-	instance.urlTestHistoryStorage.SetHook(s.urlTestSubscriber)
-	if instance.clashServer != nil {
-		instance.clashServer.SetModeUpdateHook(s.clashModeSubscriber)
-	}
 	s.serviceAccess.Unlock()
 	err = instance.Start()
 	s.serviceAccess.Lock()
@@ -224,11 +173,12 @@ func (s *StartedService) CloseService() error {
 func (s *StartedService) SetError(err error) {
 	s.serviceAccess.Lock()
 	s.updateStatusError(err)
+	s.serviceAccess.Unlock()
 	s.WriteMessage(log.LevelError, err.Error())
 }
 
 func (s *StartedService) StopService(ctx context.Context, empty *emptypb.Empty) (*emptypb.Empty, error) {
-	err := s.handler.ServiceStop()
+	err := s.platformHandler.ServiceStop()
 	if err != nil {
 		return nil, err
 	}
@@ -236,7 +186,7 @@ func (s *StartedService) StopService(ctx context.Context, empty *emptypb.Empty)
 }
 
 func (s *StartedService) ReloadService(ctx context.Context, empty *emptypb.Empty) (*emptypb.Empty, error) {
-	err := s.handler.ServiceReload()
+	err := s.platformHandler.ServiceReload()
 	if err != nil {
 		return nil, err
 	}
@@ -277,8 +227,8 @@ func (s *StartedService) SubscribeLog(empty *emptypb.Empty, server grpc.ServerSt
 	for element := s.logLines.Front(); element != nil; element = element.Next() {
 		savedLines = append(savedLines, element.Value)
 	}
-	subscription, done, err := s.logObserver.Subscribe()
 	s.logAccess.Unlock()
+	subscription, done, err := s.logObserver.Subscribe()
 	if err != nil {
 		return err
 	}
@@ -302,33 +252,30 @@ func (s *StartedService) SubscribeLog(empty *emptypb.Empty, server grpc.ServerSt
 		case <-server.Context().Done():
 			return server.Context().Err()
 		case message := <-subscription:
-			var rawMessage Log
 			if message == nil {
-				rawMessage.Reset_ = true
-			} else {
-				rawMessage.Messages = append(rawMessage.Messages, &Log_Message{
-					Level:   LogLevel(message.Level),
-					Message: message.Message,
-				})
+				err = server.Send(&Log{Reset_: true})
+				if err != nil {
+					return err
+				}
+				continue
 			}
+			messages := []*Log_Message{{
+				Level:   LogLevel(message.Level),
+				Message: message.Message,
+			}}
 		fetch:
 			for {
 				select {
 				case message = <-subscription:
-					if message == nil {
-						rawMessage.Messages = nil
-						rawMessage.Reset_ = true
-					} else {
-						rawMessage.Messages = append(rawMessage.Messages, &Log_Message{
-							Level:   LogLevel(message.Level),
-							Message: message.Message,
-						})
-					}
+					messages = append(messages, &Log_Message{
+						Level:   LogLevel(message.Level),
+						Message: message.Message,
+					})
 				default:
 					break fetch
 				}
 			}
-			err = server.Send(&rawMessage)
+			err = server.Send(&Log{Messages: messages})
 			if err != nil {
 				return err
 			}
@@ -351,11 +298,6 @@ func (s *StartedService) GetDefaultLogLevel(ctx context.Context, empty *emptypb.
 	return &DefaultLogLevel{Level: LogLevel(logLevel)}, nil
 }
 
-func (s *StartedService) ClearLogs(ctx context.Context, empty *emptypb.Empty) (*emptypb.Empty, error) {
-	s.resetLogs()
-	return &emptypb.Empty{}, nil
-}
-
 func (s *StartedService) SubscribeStatus(request *SubscribeStatusRequest, server grpc.ServerStreamingServer[Status]) error {
 	interval := time.Duration(request.Interval)
 	if interval <= 0 {
@@ -393,9 +335,7 @@ func (s *StartedService) readStatus() *Status {
 	status.Memory = memory.Inuse()
 	status.Goroutines = int32(runtime.NumGoroutine())
 	status.ConnectionsOut = int32(conntrack.Count())
-	s.serviceAccess.RLock()
 	nowService := s.instance
-	s.serviceAccess.RUnlock()
 	if nowService != nil {
 		if clashServer := nowService.clashServer; clashServer != nil {
 			status.TrafficAvailable = true
@@ -408,10 +348,6 @@ func (s *StartedService) readStatus() *Status {
 }
 
 func (s *StartedService) SubscribeGroups(empty *emptypb.Empty, server grpc.ServerStreamingServer[Groups]) error {
-	err := s.waitForStarted(server.Context())
-	if err != nil {
-		return err
-	}
 	subscription, done, err := s.urlTestObserver.Subscribe()
 	if err != nil {
 		return err
@@ -419,16 +355,18 @@ func (s *StartedService) SubscribeGroups(empty *emptypb.Empty, server grpc.Serve
 	defer s.urlTestObserver.UnSubscribe(subscription)
 	for {
 		s.serviceAccess.RLock()
-		if s.serviceStatus.Status != ServiceStatus_STARTED {
+		switch s.serviceStatus.Status {
+		case ServiceStatus_STARTING, ServiceStatus_STARTED:
+			groups := s.readGroups()
+			s.serviceAccess.RUnlock()
+			err = server.Send(groups)
+			if err != nil {
+				return err
+			}
+		default:
 			s.serviceAccess.RUnlock()
 			return os.ErrInvalid
 		}
-		groups := s.readGroups()
-		s.serviceAccess.RUnlock()
-		err = server.Send(groups)
-		if err != nil {
-			return err
-		}
 		select {
 		case <-subscription:
 		case <-s.ctx.Done():
@@ -505,27 +443,12 @@ func (s *StartedService) GetClashModeStatus(ctx context.Context, empty *emptypb.
 }
 
 func (s *StartedService) SubscribeClashMode(empty *emptypb.Empty, server grpc.ServerStreamingServer[ClashMode]) error {
-	err := s.waitForStarted(server.Context())
-	if err != nil {
-		return err
-	}
 	subscription, done, err := s.clashModeObserver.Subscribe()
 	if err != nil {
 		return err
 	}
 	defer s.clashModeObserver.UnSubscribe(subscription)
 	for {
-		s.serviceAccess.RLock()
-		if s.serviceStatus.Status != ServiceStatus_STARTED {
-			s.serviceAccess.RUnlock()
-			return os.ErrInvalid
-		}
-		message := &ClashMode{Mode: s.instance.clashServer.Mode()}
-		s.serviceAccess.RUnlock()
-		err = server.Send(message)
-		if err != nil {
-			return err
-		}
 		select {
 		case <-subscription:
 		case <-s.ctx.Done():
@@ -535,6 +458,16 @@ func (s *StartedService) SubscribeClashMode(empty *emptypb.Empty, server grpc.Se
 		case <-done:
 			return nil
 		}
+		s.serviceAccess.RLock()
+		if s.serviceStatus.Status != ServiceStatus_STARTED {
+			return nil
+		}
+		message := &ClashMode{Mode: s.instance.clashServer.Mode()}
+		s.serviceAccess.RUnlock()
+		err = server.Send(message)
+		if err != nil {
+			return err
+		}
 	}
 }
 
@@ -571,7 +504,12 @@ func (s *StartedService) URLTest(ctx context.Context, request *URLTestRequest) (
 	if isURLTest {
 		go urlTest.CheckOutbounds()
 	} else {
-		historyStorage := boxService.urlTestHistoryStorage
+		var historyStorage adapter.URLTestHistoryStorage
+		if s.instance.clashServer != nil {
+			historyStorage = s.instance.clashServer.HistoryStorage()
+		} else {
+			return nil, E.New("Clash API is required for URLTest on non-URLTest group")
+		}
 
 		outbounds := common.Filter(common.Map(outboundGroup.All(), func(it string) adapter.Outbound {
 			itOutbound, _ := boxService.instance.Outbound().Outbound(it)
@@ -628,7 +566,6 @@ func (s *StartedService) SelectOutbound(ctx context.Context, request *SelectOutb
 	if !selector.SelectOutbound(request.OutboundTag) {
 		return nil, E.New("outbound not found in selector: ", request.OutboundTag)
 	}
-	s.urlTestObserver.Emit(struct{}{})
 	return &emptypb.Empty{}, nil
 }
 
@@ -652,11 +589,11 @@ func (s *StartedService) SetGroupExpand(ctx context.Context, request *SetGroupEx
 }
 
 func (s *StartedService) GetSystemProxyStatus(ctx context.Context, empty *emptypb.Empty) (*SystemProxyStatus, error) {
-	return s.handler.SystemProxyStatus()
+	return s.platformHandler.SystemProxyStatus()
 }
 
 func (s *StartedService) SetSystemProxyEnabled(ctx context.Context, request *SetSystemProxyEnabledRequest) (*emptypb.Empty, error) {
-	err := s.handler.SetSystemProxyEnabled(request.Enabled)
+	err := s.platformHandler.SetSystemProxyEnabled(request.Enabled)
 	if err != nil {
 		return nil, err
 	}
@@ -664,11 +601,13 @@ func (s *StartedService) SetSystemProxyEnabled(ctx context.Context, request *Set
 }
 
 func (s *StartedService) SubscribeConnections(request *SubscribeConnectionsRequest, server grpc.ServerStreamingServer[Connections]) error {
-	err := s.waitForStarted(server.Context())
-	if err != nil {
-		return err
-	}
 	s.serviceAccess.RLock()
+	switch s.serviceStatus.Status {
+	case ServiceStatus_STARTING, ServiceStatus_STARTED:
+	default:
+		s.serviceAccess.RUnlock()
+		return os.ErrInvalid
+	}
 	boxService := s.instance
 	s.serviceAccess.RUnlock()
 	ticker := time.NewTicker(time.Duration(request.Interval))
@@ -816,15 +755,15 @@ func (s *StartedService) mustEmbedUnimplementedStartedServiceServer() {
 
 func (s *StartedService) WriteMessage(level log.Level, message string) {
 	item := &log.Entry{Level: level, Message: message}
+	s.logSubscriber.Emit(item)
 	s.logAccess.Lock()
 	s.logLines.PushBack(item)
 	if s.logLines.Len() > s.logMaxLines {
 		s.logLines.Remove(s.logLines.Front())
 	}
 	s.logAccess.Unlock()
-	s.logSubscriber.Emit(item)
 	if s.debug {
-		s.handler.WriteDebugMessage(message)
+		s.platformHandler.WriteDebugMessage(message)
 	}
 }
 

daemon/started_service.pb.go

@@ -1746,14 +1746,13 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\x10ConnectionSortBy\x12\b\n" +
 	"\x04DATE\x10\x00\x12\v\n" +
 	"\aTRAFFIC\x10\x01\x12\x11\n" +
-	"\rTOTAL_TRAFFIC\x10\x022\xb7\f\n" +
+	"\rTOTAL_TRAFFIC\x10\x022\xf8\v\n" +
 	"\x0eStartedService\x12=\n" +
 	"\vStopService\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\x12?\n" +
 	"\rReloadService\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\x12K\n" +
 	"\x16SubscribeServiceStatus\x12\x16.google.protobuf.Empty\x1a\x15.daemon.ServiceStatus\"\x000\x01\x127\n" +
 	"\fSubscribeLog\x12\x16.google.protobuf.Empty\x1a\v.daemon.Log\"\x000\x01\x12G\n" +
-	"\x12GetDefaultLogLevel\x12\x16.google.protobuf.Empty\x1a\x17.daemon.DefaultLogLevel\"\x00\x12=\n" +
-	"\tClearLogs\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\"\x00\x12E\n" +
+	"\x12GetDefaultLogLevel\x12\x16.google.protobuf.Empty\x1a\x17.daemon.DefaultLogLevel\"\x00\x12E\n" +
 	"\x0fSubscribeStatus\x12\x1e.daemon.SubscribeStatusRequest\x1a\x0e.daemon.Status\"\x000\x01\x12=\n" +
 	"\x0fSubscribeGroups\x12\x16.google.protobuf.Empty\x1a\x0e.daemon.Groups\"\x000\x01\x12G\n" +
 	"\x12GetClashModeStatus\x12\x16.google.protobuf.Empty\x1a\x17.daemon.ClashModeStatus\"\x00\x12C\n" +
@@ -1836,47 +1835,45 @@ var file_daemon_started_service_proto_depIdxs = []int32{
 	27, // 12: daemon.StartedService.SubscribeServiceStatus:input_type -> google.protobuf.Empty
 	27, // 13: daemon.StartedService.SubscribeLog:input_type -> google.protobuf.Empty
 	27, // 14: daemon.StartedService.GetDefaultLogLevel:input_type -> google.protobuf.Empty
-	27, // 15: daemon.StartedService.ClearLogs:input_type -> google.protobuf.Empty
-	6,  // 16: daemon.StartedService.SubscribeStatus:input_type -> daemon.SubscribeStatusRequest
-	27, // 17: daemon.StartedService.SubscribeGroups:input_type -> google.protobuf.Empty
-	27, // 18: daemon.StartedService.GetClashModeStatus:input_type -> google.protobuf.Empty
-	27, // 19: daemon.StartedService.SubscribeClashMode:input_type -> google.protobuf.Empty
-	16, // 20: daemon.StartedService.SetClashMode:input_type -> daemon.ClashMode
-	13, // 21: daemon.StartedService.URLTest:input_type -> daemon.URLTestRequest
-	14, // 22: daemon.StartedService.SelectOutbound:input_type -> daemon.SelectOutboundRequest
-	15, // 23: daemon.StartedService.SetGroupExpand:input_type -> daemon.SetGroupExpandRequest
-	27, // 24: daemon.StartedService.GetSystemProxyStatus:input_type -> google.protobuf.Empty
-	19, // 25: daemon.StartedService.SetSystemProxyEnabled:input_type -> daemon.SetSystemProxyEnabledRequest
-	20, // 26: daemon.StartedService.SubscribeConnections:input_type -> daemon.SubscribeConnectionsRequest
-	23, // 27: daemon.StartedService.CloseConnection:input_type -> daemon.CloseConnectionRequest
-	27, // 28: daemon.StartedService.CloseAllConnections:input_type -> google.protobuf.Empty
-	27, // 29: daemon.StartedService.GetDeprecatedWarnings:input_type -> google.protobuf.Empty
-	27, // 30: daemon.StartedService.SubscribeHelperEvents:input_type -> google.protobuf.Empty
-	28, // 31: daemon.StartedService.SendHelperResponse:input_type -> daemon.HelperResponse
-	27, // 32: daemon.StartedService.StopService:output_type -> google.protobuf.Empty
-	27, // 33: daemon.StartedService.ReloadService:output_type -> google.protobuf.Empty
-	4,  // 34: daemon.StartedService.SubscribeServiceStatus:output_type -> daemon.ServiceStatus
-	7,  // 35: daemon.StartedService.SubscribeLog:output_type -> daemon.Log
-	8,  // 36: daemon.StartedService.GetDefaultLogLevel:output_type -> daemon.DefaultLogLevel
-	27, // 37: daemon.StartedService.ClearLogs:output_type -> google.protobuf.Empty
-	9,  // 38: daemon.StartedService.SubscribeStatus:output_type -> daemon.Status
-	10, // 39: daemon.StartedService.SubscribeGroups:output_type -> daemon.Groups
-	17, // 40: daemon.StartedService.GetClashModeStatus:output_type -> daemon.ClashModeStatus
-	16, // 41: daemon.StartedService.SubscribeClashMode:output_type -> daemon.ClashMode
-	27, // 42: daemon.StartedService.SetClashMode:output_type -> google.protobuf.Empty
-	27, // 43: daemon.StartedService.URLTest:output_type -> google.protobuf.Empty
-	27, // 44: daemon.StartedService.SelectOutbound:output_type -> google.protobuf.Empty
-	27, // 45: daemon.StartedService.SetGroupExpand:output_type -> google.protobuf.Empty
-	18, // 46: daemon.StartedService.GetSystemProxyStatus:output_type -> daemon.SystemProxyStatus
-	27, // 47: daemon.StartedService.SetSystemProxyEnabled:output_type -> google.protobuf.Empty
-	21, // 48: daemon.StartedService.SubscribeConnections:output_type -> daemon.Connections
-	27, // 49: daemon.StartedService.CloseConnection:output_type -> google.protobuf.Empty
-	27, // 50: daemon.StartedService.CloseAllConnections:output_type -> google.protobuf.Empty
-	24, // 51: daemon.StartedService.GetDeprecatedWarnings:output_type -> daemon.DeprecatedWarnings
-	29, // 52: daemon.StartedService.SubscribeHelperEvents:output_type -> daemon.HelperRequest
-	27, // 53: daemon.StartedService.SendHelperResponse:output_type -> google.protobuf.Empty
-	32, // [32:54] is the sub-list for method output_type
-	10, // [10:32] is the sub-list for method input_type
+	6,  // 15: daemon.StartedService.SubscribeStatus:input_type -> daemon.SubscribeStatusRequest
+	27, // 16: daemon.StartedService.SubscribeGroups:input_type -> google.protobuf.Empty
+	27, // 17: daemon.StartedService.GetClashModeStatus:input_type -> google.protobuf.Empty
+	27, // 18: daemon.StartedService.SubscribeClashMode:input_type -> google.protobuf.Empty
+	16, // 19: daemon.StartedService.SetClashMode:input_type -> daemon.ClashMode
+	13, // 20: daemon.StartedService.URLTest:input_type -> daemon.URLTestRequest
+	14, // 21: daemon.StartedService.SelectOutbound:input_type -> daemon.SelectOutboundRequest
+	15, // 22: daemon.StartedService.SetGroupExpand:input_type -> daemon.SetGroupExpandRequest
+	27, // 23: daemon.StartedService.GetSystemProxyStatus:input_type -> google.protobuf.Empty
+	19, // 24: daemon.StartedService.SetSystemProxyEnabled:input_type -> daemon.SetSystemProxyEnabledRequest
+	20, // 25: daemon.StartedService.SubscribeConnections:input_type -> daemon.SubscribeConnectionsRequest
+	23, // 26: daemon.StartedService.CloseConnection:input_type -> daemon.CloseConnectionRequest
+	27, // 27: daemon.StartedService.CloseAllConnections:input_type -> google.protobuf.Empty
+	27, // 28: daemon.StartedService.GetDeprecatedWarnings:input_type -> google.protobuf.Empty
+	27, // 29: daemon.StartedService.SubscribeHelperEvents:input_type -> google.protobuf.Empty
+	28, // 30: daemon.StartedService.SendHelperResponse:input_type -> daemon.HelperResponse
+	27, // 31: daemon.StartedService.StopService:output_type -> google.protobuf.Empty
+	27, // 32: daemon.StartedService.ReloadService:output_type -> google.protobuf.Empty
+	4,  // 33: daemon.StartedService.SubscribeServiceStatus:output_type -> daemon.ServiceStatus
+	7,  // 34: daemon.StartedService.SubscribeLog:output_type -> daemon.Log
+	8,  // 35: daemon.StartedService.GetDefaultLogLevel:output_type -> daemon.DefaultLogLevel
+	9,  // 36: daemon.StartedService.SubscribeStatus:output_type -> daemon.Status
+	10, // 37: daemon.StartedService.SubscribeGroups:output_type -> daemon.Groups
+	17, // 38: daemon.StartedService.GetClashModeStatus:output_type -> daemon.ClashModeStatus
+	16, // 39: daemon.StartedService.SubscribeClashMode:output_type -> daemon.ClashMode
+	27, // 40: daemon.StartedService.SetClashMode:output_type -> google.protobuf.Empty
+	27, // 41: daemon.StartedService.URLTest:output_type -> google.protobuf.Empty
+	27, // 42: daemon.StartedService.SelectOutbound:output_type -> google.protobuf.Empty
+	27, // 43: daemon.StartedService.SetGroupExpand:output_type -> google.protobuf.Empty
+	18, // 44: daemon.StartedService.GetSystemProxyStatus:output_type -> daemon.SystemProxyStatus
+	27, // 45: daemon.StartedService.SetSystemProxyEnabled:output_type -> google.protobuf.Empty
+	21, // 46: daemon.StartedService.SubscribeConnections:output_type -> daemon.Connections
+	27, // 47: daemon.StartedService.CloseConnection:output_type -> google.protobuf.Empty
+	27, // 48: daemon.StartedService.CloseAllConnections:output_type -> google.protobuf.Empty
+	24, // 49: daemon.StartedService.GetDeprecatedWarnings:output_type -> daemon.DeprecatedWarnings
+	29, // 50: daemon.StartedService.SubscribeHelperEvents:output_type -> daemon.HelperRequest
+	27, // 51: daemon.StartedService.SendHelperResponse:output_type -> google.protobuf.Empty
+	31, // [31:52] is the sub-list for method output_type
+	10, // [10:31] is the sub-list for method input_type
 	10, // [10:10] is the sub-list for extension type_name
 	10, // [10:10] is the sub-list for extension extendee
 	0,  // [0:10] is the sub-list for field type_name

daemon/started_service.proto

@@ -13,7 +13,6 @@ service StartedService {
   rpc SubscribeServiceStatus(google.protobuf.Empty) returns(stream ServiceStatus) {}
   rpc SubscribeLog(google.protobuf.Empty) returns(stream Log) {}
   rpc GetDefaultLogLevel(google.protobuf.Empty) returns(DefaultLogLevel) {}
-  rpc ClearLogs(google.protobuf.Empty) returns(google.protobuf.Empty) {}
   rpc SubscribeStatus(SubscribeStatusRequest) returns(stream Status) {}
   rpc SubscribeGroups(google.protobuf.Empty) returns(stream Groups) {}
 

daemon/started_service_grpc.pb.go

@@ -20,7 +20,6 @@ const (
 	StartedService_SubscribeServiceStatus_FullMethodName = "/daemon.StartedService/SubscribeServiceStatus"
 	StartedService_SubscribeLog_FullMethodName           = "/daemon.StartedService/SubscribeLog"
 	StartedService_GetDefaultLogLevel_FullMethodName     = "/daemon.StartedService/GetDefaultLogLevel"
-	StartedService_ClearLogs_FullMethodName              = "/daemon.StartedService/ClearLogs"
 	StartedService_SubscribeStatus_FullMethodName        = "/daemon.StartedService/SubscribeStatus"
 	StartedService_SubscribeGroups_FullMethodName        = "/daemon.StartedService/SubscribeGroups"
 	StartedService_GetClashModeStatus_FullMethodName     = "/daemon.StartedService/GetClashModeStatus"
@@ -48,7 +47,6 @@ type StartedServiceClient interface {
 	SubscribeServiceStatus(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[ServiceStatus], error)
 	SubscribeLog(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[Log], error)
 	GetDefaultLogLevel(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*DefaultLogLevel, error)
-	ClearLogs(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	SubscribeStatus(ctx context.Context, in *SubscribeStatusRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[Status], error)
 	SubscribeGroups(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[Groups], error)
 	GetClashModeStatus(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*ClashModeStatus, error)
@@ -143,16 +141,6 @@ func (c *startedServiceClient) GetDefaultLogLevel(ctx context.Context, in *empty
 	return out, nil
 }
 
-func (c *startedServiceClient) ClearLogs(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(emptypb.Empty)
-	err := c.cc.Invoke(ctx, StartedService_ClearLogs_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
 func (c *startedServiceClient) SubscribeStatus(ctx context.Context, in *SubscribeStatusRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[Status], error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[2], StartedService_SubscribeStatus_FullMethodName, cOpts...)
@@ -367,7 +355,6 @@ type StartedServiceServer interface {
 	SubscribeServiceStatus(*emptypb.Empty, grpc.ServerStreamingServer[ServiceStatus]) error
 	SubscribeLog(*emptypb.Empty, grpc.ServerStreamingServer[Log]) error
 	GetDefaultLogLevel(context.Context, *emptypb.Empty) (*DefaultLogLevel, error)
-	ClearLogs(context.Context, *emptypb.Empty) (*emptypb.Empty, error)
 	SubscribeStatus(*SubscribeStatusRequest, grpc.ServerStreamingServer[Status]) error
 	SubscribeGroups(*emptypb.Empty, grpc.ServerStreamingServer[Groups]) error
 	GetClashModeStatus(context.Context, *emptypb.Empty) (*ClashModeStatus, error)
@@ -414,10 +401,6 @@ func (UnimplementedStartedServiceServer) GetDefaultLogLevel(context.Context, *em
 	return nil, status.Errorf(codes.Unimplemented, "method GetDefaultLogLevel not implemented")
 }
 
-func (UnimplementedStartedServiceServer) ClearLogs(context.Context, *emptypb.Empty) (*emptypb.Empty, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method ClearLogs not implemented")
-}
-
 func (UnimplementedStartedServiceServer) SubscribeStatus(*SubscribeStatusRequest, grpc.ServerStreamingServer[Status]) error {
 	return status.Errorf(codes.Unimplemented, "method SubscribeStatus not implemented")
 }
@@ -578,24 +561,6 @@ func _StartedService_GetDefaultLogLevel_Handler(srv interface{}, ctx context.Con
 	return interceptor(ctx, in, info, handler)
 }
 
-func _StartedService_ClearLogs_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(emptypb.Empty)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(StartedServiceServer).ClearLogs(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: StartedService_ClearLogs_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(StartedServiceServer).ClearLogs(ctx, req.(*emptypb.Empty))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
 func _StartedService_SubscribeStatus_Handler(srv interface{}, stream grpc.ServerStream) error {
 	m := new(SubscribeStatusRequest)
 	if err := stream.RecvMsg(m); err != nil {
@@ -868,10 +833,6 @@ var StartedService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "GetDefaultLogLevel",
 			Handler:    _StartedService_GetDefaultLogLevel_Handler,
 		},
-		{
-			MethodName: "ClearLogs",
-			Handler:    _StartedService_ClearLogs_Handler,
-		},
 		{
 			MethodName: "GetClashModeStatus",
 			Handler:    _StartedService_GetClashModeStatus_Handler,

dns/client.go

@@ -95,20 +95,6 @@ func (c *Client) Start() {
 	}
 }
 
-func extractNegativeTTL(response *dns.Msg) (uint32, bool) {
-	for _, record := range response.Ns {
-		if soa, isSOA := record.(*dns.SOA); isSOA {
-			soaTTL := soa.Header().Ttl
-			soaMinimum := soa.Minttl
-			if soaTTL < soaMinimum {
-				return soaTTL, true
-			}
-			return soaMinimum, true
-		}
-	}
-	return 0, false
-}
-
 func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error) {
 	if len(message.Question) == 0 {
 		if c.logger != nil {
@@ -228,7 +214,7 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 			response.Answer = append(response.Answer, validResponse.Answer...)
 		}
 	}*/
-	disableCache = disableCache || (response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError)
+	disableCache = disableCache || response.Rcode != dns.RcodeSuccess || len(response.Answer) == 0
 	if responseChecker != nil {
 		var rejected bool
 		// TODO: add accept_any rule and support to check response instead of addresses
@@ -265,17 +251,10 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		}
 	}
 	var timeToLive uint32
-	if len(response.Answer) == 0 {
-		if soaTTL, hasSOA := extractNegativeTTL(response); hasSOA {
-			timeToLive = soaTTL
-		}
-	}
-	if timeToLive == 0 {
-		for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
-			for _, record := range recordList {
-				if timeToLive == 0 || record.Header().Ttl > 0 && record.Header().Ttl < timeToLive {
-					timeToLive = record.Header().Ttl
-				}
+	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
+		for _, record := range recordList {
+			if timeToLive == 0 || record.Header().Ttl > 0 && record.Header().Ttl < timeToLive {
+				timeToLive = record.Header().Ttl
 			}
 		}
 	}
@@ -353,6 +332,64 @@ func (c *Client) ClearCache() {
 	}
 }
 
+func (c *Client) LookupCache(domain string, strategy C.DomainStrategy) ([]netip.Addr, bool) {
+	if c.disableCache || c.independentCache {
+		return nil, false
+	}
+	if dns.IsFqdn(domain) {
+		domain = domain[:len(domain)-1]
+	}
+	dnsName := dns.Fqdn(domain)
+	if strategy == C.DomainStrategyIPv4Only {
+		addresses, err := c.questionCache(dns.Question{
+			Name:   dnsName,
+			Qtype:  dns.TypeA,
+			Qclass: dns.ClassINET,
+		}, nil)
+		if err != ErrNotCached {
+			return addresses, true
+		}
+	} else if strategy == C.DomainStrategyIPv6Only {
+		addresses, err := c.questionCache(dns.Question{
+			Name:   dnsName,
+			Qtype:  dns.TypeAAAA,
+			Qclass: dns.ClassINET,
+		}, nil)
+		if err != ErrNotCached {
+			return addresses, true
+		}
+	} else {
+		response4, _ := c.loadResponse(dns.Question{
+			Name:   dnsName,
+			Qtype:  dns.TypeA,
+			Qclass: dns.ClassINET,
+		}, nil)
+		response6, _ := c.loadResponse(dns.Question{
+			Name:   dnsName,
+			Qtype:  dns.TypeAAAA,
+			Qclass: dns.ClassINET,
+		}, nil)
+		if response4 != nil || response6 != nil {
+			return sortAddresses(MessageToAddresses(response4), MessageToAddresses(response6), strategy), true
+		}
+	}
+	return nil, false
+}
+
+func (c *Client) ExchangeCache(ctx context.Context, message *dns.Msg) (*dns.Msg, bool) {
+	if c.disableCache || c.independentCache || len(message.Question) != 1 {
+		return nil, false
+	}
+	question := message.Question[0]
+	response, ttl := c.loadResponse(question, nil)
+	if response == nil {
+		return nil, false
+	}
+	logCachedResponse(c.logger, ctx, response, ttl)
+	response.Id = message.Id
+	return response, true
+}
+
 func sortAddresses(response4 []netip.Addr, response6 []netip.Addr, strategy C.DomainStrategy) []netip.Addr {
 	if strategy == C.DomainStrategyPreferIPv6 {
 		return append(response6, response4...)

dns/router.go

@@ -213,94 +213,96 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 	}
 	r.logger.DebugContext(ctx, "exchange ", FormatQuestion(message.Question[0].String()))
 	var (
-		response  *mDNS.Msg
 		transport adapter.DNSTransport
 		err       error
 	)
-	var metadata *adapter.InboundContext
-	ctx, metadata = adapter.ExtendContext(ctx)
-	metadata.Destination = M.Socksaddr{}
-	metadata.QueryType = message.Question[0].Qtype
-	switch metadata.QueryType {
-	case mDNS.TypeA:
-		metadata.IPVersion = 4
-	case mDNS.TypeAAAA:
-		metadata.IPVersion = 6
-	}
-	metadata.Domain = FqdnToDomain(message.Question[0].Name)
-	if options.Transport != nil {
-		transport = options.Transport
-		if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
+	response, cached := r.client.ExchangeCache(ctx, message)
+	if !cached {
+		var metadata *adapter.InboundContext
+		ctx, metadata = adapter.ExtendContext(ctx)
+		metadata.Destination = M.Socksaddr{}
+		metadata.QueryType = message.Question[0].Qtype
+		switch metadata.QueryType {
+		case mDNS.TypeA:
+			metadata.IPVersion = 4
+		case mDNS.TypeAAAA:
+			metadata.IPVersion = 6
+		}
+		metadata.Domain = FqdnToDomain(message.Question[0].Name)
+		if options.Transport != nil {
+			transport = options.Transport
+			if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
+				if options.Strategy == C.DomainStrategyAsIS {
+					options.Strategy = legacyTransport.LegacyStrategy()
+				}
+				if !options.ClientSubnet.IsValid() {
+					options.ClientSubnet = legacyTransport.LegacyClientSubnet()
+				}
+			}
 			if options.Strategy == C.DomainStrategyAsIS {
-				options.Strategy = legacyTransport.LegacyStrategy()
+				options.Strategy = r.defaultDomainStrategy
 			}
-			if !options.ClientSubnet.IsValid() {
-				options.ClientSubnet = legacyTransport.LegacyClientSubnet()
-			}
-		}
-		if options.Strategy == C.DomainStrategyAsIS {
-			options.Strategy = r.defaultDomainStrategy
-		}
-		response, err = r.client.Exchange(ctx, transport, message, options, nil)
-	} else {
-		var (
-			rule      adapter.DNSRule
-			ruleIndex int
-		)
-		ruleIndex = -1
-		for {
-			dnsCtx := adapter.OverrideContext(ctx)
-			dnsOptions := options
-			transport, rule, ruleIndex = r.matchDNS(ctx, true, ruleIndex, isAddressQuery(message), &dnsOptions)
-			if rule != nil {
-				switch action := rule.Action().(type) {
-				case *R.RuleActionReject:
-					switch action.Method {
-					case C.RuleActionRejectMethodDefault:
-						return &mDNS.Msg{
-							MsgHdr: mDNS.MsgHdr{
-								Id:       message.Id,
-								Rcode:    mDNS.RcodeRefused,
-								Response: true,
-							},
-							Question: []mDNS.Question{message.Question[0]},
-						}, nil
-					case C.RuleActionRejectMethodDrop:
-						return nil, tun.ErrDrop
+			response, err = r.client.Exchange(ctx, transport, message, options, nil)
+		} else {
+			var (
+				rule      adapter.DNSRule
+				ruleIndex int
+			)
+			ruleIndex = -1
+			for {
+				dnsCtx := adapter.OverrideContext(ctx)
+				dnsOptions := options
+				transport, rule, ruleIndex = r.matchDNS(ctx, true, ruleIndex, isAddressQuery(message), &dnsOptions)
+				if rule != nil {
+					switch action := rule.Action().(type) {
+					case *R.RuleActionReject:
+						switch action.Method {
+						case C.RuleActionRejectMethodDefault:
+							return &mDNS.Msg{
+								MsgHdr: mDNS.MsgHdr{
+									Id:       message.Id,
+									Rcode:    mDNS.RcodeRefused,
+									Response: true,
+								},
+								Question: []mDNS.Question{message.Question[0]},
+							}, nil
+						case C.RuleActionRejectMethodDrop:
+							return nil, tun.ErrDrop
+						}
+					case *R.RuleActionPredefined:
+						return action.Response(message), nil
 					}
-				case *R.RuleActionPredefined:
-					return action.Response(message), nil
 				}
-			}
-			var responseCheck func(responseAddrs []netip.Addr) bool
-			if rule != nil && rule.WithAddressLimit() {
-				responseCheck = func(responseAddrs []netip.Addr) bool {
-					metadata.DestinationAddresses = responseAddrs
-					return rule.MatchAddressLimit(metadata)
+				var responseCheck func(responseAddrs []netip.Addr) bool
+				if rule != nil && rule.WithAddressLimit() {
+					responseCheck = func(responseAddrs []netip.Addr) bool {
+						metadata.DestinationAddresses = responseAddrs
+						return rule.MatchAddressLimit(metadata)
+					}
 				}
-			}
-			if dnsOptions.Strategy == C.DomainStrategyAsIS {
-				dnsOptions.Strategy = r.defaultDomainStrategy
-			}
-			response, err = r.client.Exchange(dnsCtx, transport, message, dnsOptions, responseCheck)
-			var rejected bool
-			if err != nil {
-				if errors.Is(err, ErrResponseRejectedCached) {
-					rejected = true
-					r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())), " (cached)")
-				} else if errors.Is(err, ErrResponseRejected) {
-					rejected = true
-					r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())))
-				} else if len(message.Question) > 0 {
-					r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", FormatQuestion(message.Question[0].String())))
-				} else {
-					r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for <empty query>"))
+				if dnsOptions.Strategy == C.DomainStrategyAsIS {
+					dnsOptions.Strategy = r.defaultDomainStrategy
 				}
+				response, err = r.client.Exchange(dnsCtx, transport, message, dnsOptions, responseCheck)
+				var rejected bool
+				if err != nil {
+					if errors.Is(err, ErrResponseRejectedCached) {
+						rejected = true
+						r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())), " (cached)")
+					} else if errors.Is(err, ErrResponseRejected) {
+						rejected = true
+						r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())))
+					} else if len(message.Question) > 0 {
+						r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", FormatQuestion(message.Question[0].String())))
+					} else {
+						r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for <empty query>"))
+					}
+				}
+				if responseCheck != nil && rejected {
+					continue
+				}
+				break
 			}
-			if responseCheck != nil && rejected {
-				continue
-			}
-			break
 		}
 	}
 	if err != nil {
@@ -324,6 +326,7 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQueryOptions) ([]netip.Addr, error) {
 	var (
 		responseAddrs []netip.Addr
+		cached        bool
 		err           error
 	)
 	printResult := func() {
@@ -343,6 +346,13 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 			err = E.Cause(err, "lookup ", domain)
 		}
 	}
+	responseAddrs, cached = r.client.LookupCache(domain, options.Strategy)
+	if cached {
+		if len(responseAddrs) == 0 {
+			return nil, E.New("lookup ", domain, ": empty result (cached)")
+		}
+		return responseAddrs, nil
+	}
 	r.logger.DebugContext(ctx, "lookup domain ", domain)
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Destination = M.Socksaddr{}
@@ -375,7 +385,12 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 			if rule != nil {
 				switch action := rule.Action().(type) {
 				case *R.RuleActionReject:
-					return nil, &R.RejectedError{Cause: action.Error(ctx)}
+					switch action.Method {
+					case C.RuleActionRejectMethodDefault:
+						return nil, nil
+					case C.RuleActionRejectMethodDrop:
+						return nil, tun.ErrDrop
+					}
 				case *R.RuleActionPredefined:
 					if action.Rcode != mDNS.RcodeSuccess {
 						err = RcodeError(action.Rcode)

dns/transport/dhcp/dhcp.go

@@ -49,7 +49,6 @@ type Transport struct {
 	interfaceCallback *list.Element[tun.DefaultInterfaceUpdateCallback]
 	transportLock     sync.RWMutex
 	updatedAt         time.Time
-	lastError         error
 	servers           []M.Socksaddr
 	search            []string
 	ndots             int
@@ -93,7 +92,7 @@ func (t *Transport) Start(stage adapter.StartStage) error {
 		t.interfaceCallback = t.networkManager.InterfaceMonitor().RegisterCallback(t.interfaceUpdated)
 	}
 	go func() {
-		_, err := t.fetch()
+		_, err := t.Fetch()
 		if err != nil {
 			t.logger.Error(E.Cause(err, "fetch DNS servers"))
 		}
@@ -109,7 +108,7 @@ func (t *Transport) Close() error {
 }
 
 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	servers, err := t.fetch()
+	servers, err := t.Fetch()
 	if err != nil {
 		return nil, err
 	}
@@ -129,20 +128,11 @@ func (t *Transport) Exchange0(ctx context.Context, message *mDNS.Msg, servers []
 	}
 }
 
-func (t *Transport) Fetch() []M.Socksaddr {
-	servers, _ := t.fetch()
-	return servers
-}
-
-func (t *Transport) fetch() ([]M.Socksaddr, error) {
+func (t *Transport) Fetch() ([]M.Socksaddr, error) {
 	t.transportLock.RLock()
 	updatedAt := t.updatedAt
-	lastError := t.lastError
 	servers := t.servers
 	t.transportLock.RUnlock()
-	if lastError != nil {
-		return nil, lastError
-	}
 	if time.Since(updatedAt) < C.DHCPTTL {
 		return servers, nil
 	}
@@ -153,7 +143,7 @@ func (t *Transport) fetch() ([]M.Socksaddr, error) {
 	}
 	err := t.updateServers()
 	if err != nil {
-		return servers, err
+		return nil, err
 	}
 	return t.servers, nil
 }
@@ -183,15 +173,12 @@ func (t *Transport) updateServers() error {
 	fetchCtx, cancel := context.WithTimeout(t.ctx, C.DHCPTimeout)
 	err = t.fetchServers0(fetchCtx, iface)
 	cancel()
-	t.updatedAt = time.Now()
 	if err != nil {
-		t.lastError = err
 		return err
 	} else if len(t.servers) == 0 {
-		t.lastError = E.New("dhcp: empty DNS servers response")
-		return t.lastError
+		return E.New("dhcp: empty DNS servers response")
 	} else {
-		t.lastError = nil
+		t.updatedAt = time.Now()
 		return nil
 	}
 }

dns/transport/https_transport.go

@@ -75,6 +75,5 @@ func (h *HTTPSTransportWrapper) Clone() *HTTPSTransportWrapper {
 		http2Transport: &http2.Transport{
 			DialTLSContext: h.http2Transport.DialTLSContext,
 		},
-		fallback: h.fallback,
 	}
 }

dns/transport/local/local.go

@@ -53,15 +53,13 @@ func (t *Transport) Start(stage adapter.StartStage) error {
 	switch stage {
 	case adapter.StartStateInitialize:
 		if !t.preferGo {
-			if isSystemdResolvedManaged() {
-				resolvedResolver, err := NewResolvedResolver(t.ctx, t.logger)
+			resolvedResolver, err := NewResolvedResolver(t.ctx, t.logger)
+			if err == nil {
+				err = resolvedResolver.Start()
 				if err == nil {
-					err = resolvedResolver.Start()
-					if err == nil {
-						t.resolved = resolvedResolver
-					} else {
-						t.logger.Warn(E.Cause(err, "initialize resolved resolver"))
-					}
+					t.resolved = resolvedResolver
+				} else {
+					t.logger.Warn(E.Cause(err, "initialize resolved resolver"))
 				}
 			}
 		}
@@ -84,11 +82,12 @@ func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg,
 		}
 	}
 	question := message.Question[0]
+	domain := dns.FqdnToDomain(question.Name)
 	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
-		addresses := t.hosts.Lookup(dns.FqdnToDomain(question.Name))
+		addresses := t.hosts.Lookup(domain)
 		if len(addresses) > 0 {
 			return dns.FixedResponse(message.Id, question, addresses, C.DefaultDNSTTL), nil
 		}
 	}
-	return t.exchange(ctx, message, question.Name)
+	return t.exchange(ctx, message, domain)
 }

dns/transport/local/local_darwin.go

@@ -43,7 +43,7 @@ type Transport struct {
 
 type dhcpTransport interface {
 	adapter.DNSTransport
-	Fetch() []M.Socksaddr
+	Fetch() ([]M.Socksaddr, error)
 	Exchange0(ctx context.Context, message *mDNS.Msg, servers []M.Socksaddr) (*mDNS.Msg, error)
 }
 
@@ -74,12 +74,14 @@ func (t *Transport) Start(stage adapter.StartStage) error {
 			break
 		}
 	}
-	if t.fallback {
-		t.dhcpTransport = newDHCPTransport(t.TransportAdapter, log.ContextWithOverrideLevel(t.ctx, log.LevelDebug), t.dialer, t.logger)
-		if t.dhcpTransport != nil {
-			err := t.dhcpTransport.Start(stage)
-			if err != nil {
-				return err
+	if !C.IsIos {
+		if t.fallback {
+			t.dhcpTransport = newDHCPTransport(t.TransportAdapter, log.ContextWithOverrideLevel(t.ctx, log.LevelDebug), t.dialer, t.logger)
+			if t.dhcpTransport != nil {
+				err := t.dhcpTransport.Start(stage)
+				if err != nil {
+					return err
+				}
 			}
 		}
 	}
@@ -94,24 +96,27 @@ func (t *Transport) Close() error {
 
 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	question := message.Question[0]
+	domain := dns.FqdnToDomain(question.Name)
 	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
-		addresses := t.hosts.Lookup(dns.FqdnToDomain(question.Name))
+		addresses := t.hosts.Lookup(domain)
 		if len(addresses) > 0 {
 			return dns.FixedResponse(message.Id, question, addresses, C.DefaultDNSTTL), nil
 		}
 	}
 	if !t.fallback {
-		return t.exchange(ctx, message, question.Name)
+		return t.exchange(ctx, message, domain)
 	}
-	if t.dhcpTransport != nil {
-		dhcpTransports := t.dhcpTransport.Fetch()
-		if len(dhcpTransports) > 0 {
-			return t.dhcpTransport.Exchange0(ctx, message, dhcpTransports)
+	if !C.IsIos {
+		if t.dhcpTransport != nil {
+			dhcpTransports, _ := t.dhcpTransport.Fetch()
+			if len(dhcpTransports) > 0 {
+				return t.dhcpTransport.Exchange0(ctx, message, dhcpTransports)
+			}
 		}
 	}
 	if t.preferGo {
 		// Assuming the user knows what they are doing, we still execute the query which will fail.
-		return t.exchange(ctx, message, question.Name)
+		return t.exchange(ctx, message, domain)
 	}
 	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
 		var network string
@@ -120,7 +125,7 @@ func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg,
 		} else {
 			network = "ip6"
 		}
-		addresses, err := t.resolver.LookupNetIP(ctx, network, question.Name)
+		addresses, err := t.resolver.LookupNetIP(ctx, network, domain)
 		if err != nil {
 			var dnsError *net.DNSError
 			if errors.As(err, &dnsError) && dnsError.IsNotFound {
@@ -130,5 +135,9 @@ func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg,
 		}
 		return dns.FixedResponse(message.Id, question, addresses, C.DefaultDNSTTL), nil
 	}
-	return nil, E.New("only A and AAAA queries are supported on Apple platforms when using TUN and DHCP unavailable.")
+	if C.IsIos {
+		return nil, E.New("only A and AAAA queries are supported on iOS and tvOS when using NetworkExtension.")
+	} else {
+		return nil, E.New("only A and AAAA queries are supported on macOS when using NetworkExtension and DHCP unavailable.")
+	}
 }

dns/transport/local/local_resolved_linux.go

@@ -1,11 +1,9 @@
 package local
 
 import (
-	"bufio"
 	"context"
 	"errors"
 	"os"
-	"strings"
 	"sync"
 	"sync/atomic"
 
@@ -24,25 +22,6 @@ import (
 	mDNS "github.com/miekg/dns"
 )
 
-func isSystemdResolvedManaged() bool {
-	resolvContent, err := os.Open("/etc/resolv.conf")
-	if err != nil {
-		return false
-	}
-	defer resolvContent.Close()
-	scanner := bufio.NewScanner(resolvContent)
-	for scanner.Scan() {
-		line := strings.TrimSpace(scanner.Text())
-		if line == "" || line[0] != '#' {
-			return false
-		}
-		if strings.Contains(line, "systemd-resolved") {
-			return true
-		}
-	}
-	return false
-}
-
 type DBusResolvedResolver struct {
 	ctx               context.Context
 	logger            logger.ContextLogger
@@ -209,7 +188,7 @@ func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*ResolvedObje
 		int32(defaultInterface.Index),
 	)
 	if call.Err != nil {
-		return nil, call.Err
+		return nil, err
 	}
 	var linkPath dbus.ObjectPath
 	err = call.Store(&linkPath)
@@ -235,12 +214,15 @@ func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*ResolvedObje
 				return nil, E.New("No appropriate name servers or networks for name found")
 			}
 		}
-		return nil, E.New("link has no DNS servers configured")
+		return &ResolvedObject{
+			BusObject: dbusObject,
+		}, nil
+	} else {
+		return &ResolvedObject{
+			BusObject:      dbusObject,
+			InterfaceIndex: int32(defaultInterface.Index),
+		}, nil
 	}
-	return &ResolvedObject{
-		BusObject:      dbusObject,
-		InterfaceIndex: int32(defaultInterface.Index),
-	}, nil
 }
 
 func (t *DBusResolvedResolver) updateDefaultInterface(defaultInterface *control.Interface, flags int) {

dns/transport/local/local_resolved_stub.go

@@ -9,10 +9,6 @@ import (
 	"github.com/sagernet/sing/common/logger"
 )
 
-func isSystemdResolvedManaged() bool {
-	return false
-}
-
 func NewResolvedResolver(ctx context.Context, logger logger.ContextLogger) (ResolvedResolver, error) {
 	return nil, os.ErrInvalid
 }

docs/changelog.md

@@ -2,216 +2,10 @@
 icon: material/alert-decagram
 ---
 
-#### 1.13.0-alpha.34
-
-* Add Chrome Root Store certificate option **1**
-* Add new options for ACME DNS-01 challenge providers **2**
-* Add Wi-Fi state support for Linux and Windows **3**
-* Update naiveproxy to 143.0.7499.109
-* Update quic-go to v0.58.0
-* Update tailscale to v1.92.4
-* Drop support for go1.23 **4**
-* Drop support for Android 5.0 **5**
-
-**1**:
-
-Adds `chrome` as a new certificate store option alongside `mozilla`.
-Both stores filter out China-based CA certificates.
-
-See [Certificate](/configuration/certificate/#store).
-
-**2**:
-
-See [DNS-01 Challenge](/configuration/shared/dns01_challenge/).
-
-**3**:
-
-sing-box can now monitor Wi-Fi state on Linux and Windows to enable routing rules based on `wifi_ssid` and `wifi_bssid`.
-
-See [Wi-Fi State](/configuration/shared/wifi-state/).
-
-**4**:
-
-Due to maintenance difficulties, sing-box 1.13.0 requires at least Go 1.24 to compile.
-
-**5**:
-
-Due to maintenance difficulties, sing-box 1.13.0 will be the last version to support Android 5.0,
-and only through a separate legacy build (with `-legacy-android-5` suffix).
-
-For standalone binaries, the minimum Android version has been raised to Android 6.0,
-since Termux requires Android 7.0 or later.
-
-#### 1.12.14
+#### 1.13.0-alpha.20
 
 * Fixes and improvements
 
-#### 1.13.0-alpha.33
-
-* Fixes and improvements
-
-#### 1.13.0-alpha.32
-
-* Remove `certificate_public_key_sha256` option for NaiveProxy outbound **1**
-* Fixes and improvements
-
-**1**:
-
-Self-signed certificates change traffic behavior significantly, which defeats the purpose of NaiveProxy's design to resist traffic analysis.
-For this reason, and due to maintenance costs, there is no reason to continue supporting `certificate_public_key_sha256`, which was designed to simplify the use of self-signed certificates.
-
-#### 1.13.0-alpha.31
-
-* Add QUIC support for NaiveProxy outbound **1**
-* Add QUIC congestion control option for NaiveProxy **2**
-* Fixes and improvements
-
-**1**:
-
-NaiveProxy outbound now supports QUIC.
-
-See [NaiveProxy outbound](/configuration/outbound/naive/#quic).
-
-**2**:
-
-NaiveProxy inbound and outbound now supports configurable QUIC congestion control algorithms, including BBR and BBRv2.
-
-See [NaiveProxy inbound](/configuration/inbound/naive/#quic_congestion_control) and [NaiveProxy outbound](/configuration/outbound/naive/#quic_congestion_control).
-
-#### 1.13.0-alpha.30
-
-* Add ECH support for NaiveProxy outbound **1**
-* Add `tls.ech.query_server_name` option **2**
-* Fix NaiveProxy outbound on Windows **3**
-* Add OpenAI Codex Multiplexer service **4**
-* Fixes and improvements
-
-**1**:
-
-See [NaiveProxy outbound](/configuration/outbound/naive/#tls).
-
-**2**:
-
-See [TLS](/configuration/shared/tls/#query_server_name).
-
-**3**:
-
-Each Windows release now includes `libcronet.dll`.
-Ensure this file is in the same directory as `sing-box.exe` or in a directory listed in `PATH`.
-
-**4**:
-
-See [OCM](/configuration/service/ocm).
-
-#### 1.13.0-alpha.29
-
-* Add UDP over TCP support for naiveproxy outbound **1**
-* Fixes and improvements
-
-**1**:
-
-See [NaiveProxy outbound](/configuration/outbound/naive/#udp_over_tcp).
-
-#### 1.13.0-alpha.28
-
-* Add naiveproxy outbound **1**
-* Add `disable_tcp_keep_alive`, `tcp_keep_alive` and `tcp_keep_alive_interval` options for dial fields **2**
-* Update default TCP keep-alive initial period from 10 minutes to 5 minutes
-* Update quic-go to v0.57.1
-* Fixes and improvements
-
-**1**:
-
-Only available on Apple platforms, Android, Windows and some Linux architectures.
-
-See [NaiveProxy outbound](/configuration/outbound/naive/).
-
-**2**:
-
-See [Dial Fields](/configuration/shared/dial/#tcp_keep_alive).
-
-* __Unfortunately, for non-technical reasons, we are currently unable to notarize the standalone version of the macOS client:
-because system extensions require signatures to function, we have had to temporarily halt its release.__
-
-__We plan to fix the App Store release issue and launch a new standalone desktop client, but until then,
-only clients on TestFlight will be available (unless you have an Apple Developer Program and compile from source code).__
-
-
-#### 1.12.13
-
-* Fix naive inbound
-* Fixes and improvements
-
-__Unfortunately, for non-technical reasons, we are currently unable to notarize the standalone version of the macOS client:
-because system extensions require signatures to function, we have had to temporarily halt its release.__
-
-__We plan to fix the App Store release issue and launch a new standalone desktop client, but until then,
-only clients on TestFlight will be available (unless you have an Apple Developer Program and compile from source code).__
-
-#### 1.12.12
-
-* Fixes and improvements
-
-#### 1.13.0-alpha.26
-
-* Update quic-go to v0.55.0
-* Fix memory leak in hysteria2
-* Fixes and improvements
-
-#### 1.12.11
-
-* Fixes and improvements
-
-#### 1.13.0-alpha.24
-
-* Add Claude Code Multiplexer service **1**
-* Fixes and improvements
-
-**1**:
-
-CCM (Claude Code Multiplexer) service allows you to access your local Claude Code subscription remotely through custom tokens, eliminating the need for OAuth authentication on remote clients.
-
-See [CCM](/configuration/service/ccm).
-
-#### 1.13.0-alpha.23
-
-* Fix compatibility with MPTCP **1**
-* Fixes and improvements
-
-**1**:
-
-`auto_redirect` now rejects MPTCP connections by default to fix compatibility issues,
-but you can change it to bypass the sing-box via the new `exclude_mptcp` option.
-
-See [TUN](/configuration/inbound/tun/#exclude_mptcp).
-
-#### 1.13.0-alpha.22
-
-* Update uTLS to v1.8.1 **1**
-* Fixes and improvements
-
-**1**:
-
-This update fixes an critical issue that could cause simulated Chrome fingerprints to be detected,
-see https://github.com/refraction-networking/utls/pull/375.
-
-#### 1.12.10
-
-* Update uTLS to v1.8.1 **1**
-* Fixes and improvements
-
-**1**:
-
-This update fixes an critical issue that could cause simulated Chrome fingerprints to be detected,
-see https://github.com/refraction-networking/utls/pull/375.
-
-#### 1.13.0-alpha.21
-
-* Fix missing mTLS support in client options **1**
-* Fixes and improvements
-
-See [TLS](/configuration/shared/tls/).
-
 #### 1.12.9
 
 * Fixes and improvements
@@ -333,8 +127,7 @@ See [Tailscale](/configuration/endpoint/tailscale/).
 
 Due to maintenance difficulties, sing-box 1.12.0 requires at least Go 1.23 to compile.
 
-For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches
-from [MetaCubeX/go](https://github.com/MetaCubeX/go).
+For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches from [MetaCubeX/go](https://github.com/MetaCubeX/go).
 
 **7**:
 
@@ -396,8 +189,7 @@ See [Tun](/configuration/inbound/tun/#loopback_address).
 
 We have significantly improved the performance of tun inbound on Apple platforms, especially in the gVisor stack.
 
-The following data was tested
-using [tun_bench](https://github.com/SagerNet/sing-box/blob/dev-next/cmd/internal/tun_bench/main.go) on M4 MacBook pro.
+The following data was tested using [tun_bench](https://github.com/SagerNet/sing-box/blob/dev-next/cmd/internal/tun_bench/main.go) on M4 MacBook pro.
 
 | Version     | Stack  | MTU   | Upload | Download |
 |-------------|--------|-------|--------|----------|
@@ -416,8 +208,8 @@ using [tun_bench](https://github.com/SagerNet/sing-box/blob/dev-next/cmd/interna
 
 **18**:
 
-We continue to experience issues updating our sing-box apps on the App Store and Play Store.
-Until we rewrite and resubmit the apps, they are considered irrecoverable.
+We continue to experience issues updating our sing-box apps on the App Store and Play Store. 
+Until we rewrite and resubmit the apps, they are considered irrecoverable. 
 Therefore, after this release, we will not be repeating this notice unless there is new information.
 
 ### 1.11.15
@@ -698,8 +490,7 @@ See [AnyTLS Inbound](/configuration/inbound/anytls/) and [AnyTLS Outbound](/conf
 
 **2**:
 
-`resolve` route action now accepts `disable_cache` and other options like in DNS route actions,
-see [Route Action](/configuration/route/rule_action).
+`resolve` route action now accepts `disable_cache` and other options like in DNS route actions, see [Route Action](/configuration/route/rule_action).
 
 **3**:
 
@@ -730,8 +521,7 @@ See [Tailscale](/configuration/endpoint/tailscale/).
 
 Due to maintenance difficulties, sing-box 1.12.0 requires at least Go 1.23 to compile.
 
-For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches
-from [MetaCubeX/go](https://github.com/MetaCubeX/go).
+For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches from [MetaCubeX/go](https://github.com/MetaCubeX/go).
 
 ### 1.11.3
 

docs/clients/apple/index.md

@@ -9,7 +9,7 @@ platform-specific function implementation, such as TUN transparent proxy impleme
 
 !!! failure ""
 
-    Due to non-technical reasons, we are temporarily unable to update the sing-box app on the App Store and release the standalone version of the macOS client (TestFlight users are not affected)
+    We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected).
 
 ## :material-graph: Requirements
 
@@ -18,7 +18,7 @@ platform-specific function implementation, such as TUN transparent proxy impleme
 
 ## :material-download: Download
 
-* ~~[App Store](https://apps.apple.com/app/sing-box-vt/id6673731168)~~
+* [App Store](https://apps.apple.com/app/sing-box-vt/id6673731168)
 * TestFlight (Beta)
 
 TestFlight quota is only available to [sponsors](https://github.com/sponsors/nekohasekai)
@@ -26,15 +26,15 @@ TestFlight quota is only available to [sponsors](https://github.com/sponsors/nek
 Once you donate, you can get an invitation by join our Telegram group for sponsors from [@yet_another_sponsor_bot](https://t.me/yet_another_sponsor_bot)
 or sending us your Apple ID [via email](mailto:contact@sagernet.org).
 
-## ~~:material-file-download: Download (macOS standalone version)~~
+## :material-file-download: Download (macOS standalone version)
 
-* ~~[Homebrew Cask](https://formulae.brew.sh/cask/sfm)~~
+* [Homebrew Cask](https://formulae.brew.sh/cask/sfm)
 
 ```bash
-# brew install sfm
+brew install sfm
 ```
 
-* ~~[GitHub Releases](https://github.com/SagerNet/sing-box/releases)~~
+* [GitHub Releases](https://github.com/SagerNet/sing-box/releases)
 
 ## :material-source-repository: Source code
 

docs/configuration/certificate/index.md

@@ -4,10 +4,6 @@ icon: material/new-box
 
 !!! question "Since sing-box 1.12.0"
 
-!!! quote "Changes in sing-box 1.13.0"
-
-    :material-plus: [Chrome Root Store](#store)
-
 # Certificate
 
 ### Structure
@@ -31,12 +27,11 @@ icon: material/new-box
 
 The default X509 trusted CA certificate list.
 
-| Type               | Description                                                                                                    |
-|--------------------|----------------------------------------------------------------------------------------------------------------|
-| `system` (default) | System trusted CA certificates                                                                                 |
+| Type               | Description                                                                                                   |
+|--------------------|---------------------------------------------------------------------------------------------------------------|
+| `system` (default) | System trusted CA certificates                                                                                |
 | `mozilla`          | [Mozilla Included List](https://wiki.mozilla.org/CA/Included_Certificates) with China CA certificates removed |
-| `chrome`           | [Chrome Root Store](https://g.co/chrome/root-policy) with China CA certificates removed                        |
-| `none`             | Empty list                                                                                                     |
+| `none`             | Empty list                                                                                                    |
 
 #### certificate
 

docs/configuration/certificate/index.zh.md

@@ -4,10 +4,6 @@ icon: material/new-box
 
 !!! question "自 sing-box 1.12.0 起"
 
-!!! quote "sing-box 1.13.0 中的更改"
-
-    :material-plus: [Chrome Root Store](#store)
-
 # 证书
 
 ### 结构
@@ -31,12 +27,11 @@ icon: material/new-box
 
 默认的 X509 受信任 CA 证书列表。
 
-| 类型              | 描述                                                                                       |
-|-------------------|--------------------------------------------------------------------------------------------|
-| `system`（默认）   | 系统受信任的 CA 证书                                                                        |
-| `mozilla`         | [Mozilla 包含列表](https://wiki.mozilla.org/CA/Included_Certificates)（已移除中国 CA 证书） |
-| `chrome`          | [Chrome Root Store](https://g.co/chrome/root-policy)（已移除中国 CA 证书）                  |
-| `none`            | 空列表                                                                                     |
+| 类型                | 描述                                                                                       |
+|--------------------|--------------------------------------------------------------------------------------------|
+| `system`（默认）    | 系统受信任的 CA 证书                                                                        |
+| `mozilla`          | [Mozilla 包含列表](https://wiki.mozilla.org/CA/Included_Certificates)（已移除中国 CA 证书） |
+| `none`             | 空列表                                                                                     |
 
 #### certificate
 

docs/configuration/dns/rule.md

@@ -412,7 +412,7 @@ Match default interface address.
 
 !!! quote ""
 
-    Only supported in graphical clients on Android and Apple platforms, or on Linux.
+    Only supported in graphical clients on Android and Apple platforms.
 
 Match WiFi SSID.
 
@@ -420,7 +420,7 @@ Match WiFi SSID.
 
 !!! quote ""
 
-    Only supported in graphical clients on Android and Apple platforms, or on Linux.
+    Only supported in graphical clients on Android and Apple platforms.
 
 Match WiFi BSSID.
 

docs/configuration/dns/rule.zh.md

@@ -411,7 +411,7 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 
 !!! quote ""
 
-    仅在 Android 与 Apple 平台图形客户端和 Linux 中支持。
+    仅在 Android 与 Apple 平台图形客户端中支持。
 
 匹配 WiFi SSID。
 
@@ -419,7 +419,7 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 
 !!! quote ""
 
-    仅在 Android 与 Apple 平台图形客户端和 Linux 中支持。
+    仅在 Android 与 Apple 平台图形客户端中支持。
 
 匹配 WiFi BSSID。
 

docs/configuration/dns/server/legacy.zh.md

@@ -53,7 +53,7 @@ DNS 服务器的地址。
 | `HTTP3`                              | `h3://8.8.8.8/dns-query`     |
 | `RCode`                              | `rcode://refused`            |
 | `DHCP`                               | `dhcp://auto` 或 `dhcp://en0` |
-| [FakeIP](/zh/configuration/dns/fakeip/) | `fakeip`                     |
+| [FakeIP](/configuration/dns/fakeip/) | `fakeip`                     |
 
 !!! warning ""
 

docs/configuration/inbound/naive.md

@@ -1,25 +1,20 @@
-!!! quote "Changes in sing-box 1.13.0"
-
-    :material-plus: [quic_congestion_control](#quic_congestion_control)
-
 ### Structure
 
 ```json
 {
-"type": "naive",
-"tag": "naive-in",
-"network": "udp",
-...
-// Listen Fields
+  "type": "naive",
+  "tag": "naive-in",
+  "network": "udp",
 
-"users": [
-{
-"username": "sekai",
-"password": "password"
-}
-],
-"quic_congestion_control": "",
-"tls": {}
+  ... // Listen Fields
+
+  "users": [
+    {
+      "username": "sekai",
+      "password": "password"
+    }
+  ],
+  "tls": {}
 }
 ```
 
@@ -41,23 +36,6 @@ Both if empty.
 
 Naive users.
 
-#### quic_congestion_control
-
-!!! question "Since sing-box 1.13.0"
-
-QUIC congestion control algorithm.
-
-| Algorithm      | Description                     |
-|----------------|---------------------------------|
-| `bbr`          | BBR                             |
-| `bbr_standard` | BBR (Standard version)         |
-| `bbr2`         | BBRv2                           |
-| `bbr2_variant` | BBRv2 (An experimental variant) |
-| `cubic`        | CUBIC                           |
-| `reno`         | New Reno                        |
-
-`bbr` is used by default (the default of QUICHE, used by Chromium which NaiveProxy is based on).
-
 #### tls
 
 TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

docs/configuration/inbound/naive.zh.md

@@ -1,25 +1,20 @@
-!!! quote "sing-box 1.13.0 中的更改"
-
-    :material-plus: [quic_congestion_control](#quic_congestion_control)
-
 ### 结构
 
 ```json
 {
-"type": "naive",
-"tag": "naive-in",
-"network": "udp",
+  "type": "naive",
+  "tag": "naive-in",
+  "network": "udp",
 
-... // 监听字段
+  ... // 监听字段
 
-"users": [
-{
-"username": "sekai",
-"password": "password"
-}
-],
-"quic_congestion_control": "",
-"tls": {}
+  "users": [
+    {
+      "username": "sekai",
+      "password": "password"
+    }
+  ],
+  "tls": {}
 }
 ```
 
@@ -41,23 +36,6 @@
 
 Naive 用户。
 
-#### quic_congestion_control
-
-!!! question "Since sing-box 1.13.0"
-
-QUIC 拥塞控制算法。
-
-| 算法             | 描述                 |
-|----------------|--------------------|
-| `bbr`          | BBR                |
-| `bbr_standard` | BBR (标准版) |
-| `bbr2`         | BBRv2              |
-| `bbr2_variant` | BBRv2 (一种试验变体)     |
-| `cubic`        | CUBIC              |
-| `reno`         | New Reno           |
-
-默认使用 `bbr`（NaiveProxy 基于的 Chromium 使用的 QUICHE 的默认值）。
-
 #### tls
 
 TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

docs/configuration/inbound/shadowsocks.zh.md

@@ -48,9 +48,9 @@
 }
 ```
 
-### 监听字段
+### Listen Fields
 
-参阅 [监听字段](/zh/configuration/shared/listen/)。
+See [Listen Fields](/configuration/shared/listen/) for details.
 
 ### 字段
 

docs/configuration/inbound/tun.md

@@ -2,10 +2,6 @@
 icon: material/new-box
 ---
 
-!!! quote "Changes in sing-box 1.13.0"
-
-    :material-plus: [exclude_mptcp](#exclude_mptcp)
-
 !!! quote "Changes in sing-box 1.12.0"
 
     :material-plus: [loopback_address](#loopback_address)
@@ -67,7 +63,6 @@ icon: material/new-box
   "auto_redirect": true,
   "auto_redirect_input_mark": "0x2023",
   "auto_redirect_output_mark": "0x2024",
-  "exclude_mptcp": false,
   "loopback_address": [
     "10.7.0.1"
   ],
@@ -283,20 +278,6 @@ Connection output mark used by `auto_redirect`.
 
 `0x2024` is used by default.
 
-#### exclude_mptcp
-
-!!! question "Since sing-box 1.13.0"
-
-!!! quote ""
-
-    Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.
-
-MPTCP cannot be transparently proxied due to protocol limitations.
-
-Such traffic is usually created by Apple systems.
-
-When enabled, MPTCP connections will bypass sing-box and connect directly, otherwise, will be rejected to avoid errors by default.
-
 #### loopback_address
 
 !!! question "Since sing-box 1.12.0"

docs/configuration/inbound/tun.zh.md

@@ -2,10 +2,6 @@
 icon: material/new-box
 ---
 
-!!! quote "sing-box 1.13.0 中的更改"
-
-    :material-plus: [exclude_mptcp](#exclude_mptcp)
-
 !!! quote "sing-box 1.12.0 中的更改"
 
     :material-plus: [loopback_address](#loopback_address)
@@ -67,7 +63,6 @@ icon: material/new-box
   "auto_redirect": true,
   "auto_redirect_input_mark": "0x2023",
   "auto_redirect_output_mark": "0x2024",
-  "exclude_mptcp": false,
   "loopback_address": [
     "10.7.0.1"
   ],
@@ -282,20 +277,6 @@ tun 接口的 IPv6 前缀。
 
 默认使用 `0x2024`。
 
-#### exclude_mptcp
-
-!!! question "自 sing-box 1.13.0 起"
-
-!!! quote ""
-
-    仅支持 Linux，且需要 nftables，`auto_route` 和 `auto_redirect` 已启用。 
-
-由于协议限制，MPTCP 无法被透明代理。
-
-此类流量通常由 Apple 系统创建。
-
-启用时，MPTCP 连接将绕过 sing-box 直接连接，否则，将被拒绝以避免错误。
-
 #### loopback_address
 
 !!! question "自 sing-box 1.12.0 起"

docs/configuration/outbound/index.md

@@ -36,7 +36,6 @@
 | `dns`          | [DNS](./dns/)                   |
 | `selector`     | [Selector](./selector/)         |
 | `urltest`      | [URLTest](./urltest/)           |
-| `naive`        | [NaiveProxy](./naive/)          |
 
 #### tag
 

docs/configuration/outbound/index.zh.md

@@ -36,7 +36,6 @@
 | `dns`          | [DNS](./dns/)                   |
 | `selector`     | [Selector](./selector/)         |
 | `urltest`      | [URLTest](./urltest/)           |
-| `naive`        | [NaiveProxy](./naive/)          |
 
 #### tag
 

docs/configuration/outbound/naive.md

@@ -1,114 +0,0 @@
----
-icon: material/new-box
----
-
-!!! question "Since sing-box 1.13.0"
-
-### Structure
-
-```json
-{
-  "type": "naive",
-  "tag": "naive-out",
-
-  "server": "127.0.0.1",
-  "server_port": 443,
-  "username": "sekai",
-  "password": "password",
-  "insecure_concurrency": 0,
-  "extra_headers": {},
-  "udp_over_tcp": false | {},
-  "quic": false,
-  "quic_congestion_control": "",
-  "tls": {},
-
-  ... // Dial Fields
-}
-```
-
-!!! warning "Platform Support"
-
-    NaiveProxy outbound is only available on Apple platforms, Android, Windows and certain Linux builds.
-
-    **Official Release Build Variants:**
-
-    | Build Variant | Platforms | Description |
-    |---------------|-----------|-------------|
-    | (default)     | Linux amd64/arm64 | purego build with `libcronet.so` included |
-    | `-glibc`      | Linux 386/amd64/arm/arm64 | CGO build dynamically linked with glibc, requires glibc >= 2.31 |
-    | `-musl`       | Linux 386/amd64/arm/arm64 | CGO build statically linked with musl, no system requirements |
-    | (default)     | Windows amd64/arm64 | purego build with `libcronet.dll` included |
-
-    **Runtime Requirements:**
-
-    - **Linux purego**: `libcronet.so` must be in the same directory as the sing-box binary or in system library path
-    - **Windows**: `libcronet.dll` must be in the same directory as `sing-box.exe` or in a directory listed in `PATH`
-
-    For self-built binaries, see [Build from source](/installation/build-from-source/#with_naive_outbound).
-
-### Fields
-
-#### server
-
-==Required==
-
-The server address.
-
-#### server_port
-
-==Required==
-
-The server port.
-
-#### username
-
-Authentication username.
-
-#### password
-
-Authentication password.
-
-#### insecure_concurrency
-
-Number of concurrent tunnel connections. Multiple connections make the tunneling easier to detect through traffic analysis, which defeats the purpose of NaiveProxy's design to resist traffic analysis.
-
-#### extra_headers
-
-Extra headers to send in HTTP requests.
-
-#### udp_over_tcp
-
-UDP over TCP protocol settings.
-
-See [UDP Over TCP](/configuration/shared/udp-over-tcp/) for details.
-
-#### quic
-
-Use QUIC instead of HTTP/2.
-
-#### quic_congestion_control
-
-QUIC congestion control algorithm.
-
-| Algorithm | Description |
-|-----------|-------------|
-| `bbr` | BBR |
-| `bbr2` | BBRv2 |
-| `cubic` | CUBIC |
-| `reno` | New Reno |
-
-`bbr` is used by default (the default of QUICHE, used by Chromium which NaiveProxy is based on).
-
-#### tls
-
-==Required==
-
-TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
-
-Only `server_name`, `certificate`, `certificate_path` and `ech` are supported.
-
-Self-signed certificates change traffic behavior significantly, which defeats the purpose of NaiveProxy's design to resist traffic analysis, and should not be used in production.
-
-### Dial Fields
-
-See [Dial Fields](/configuration/shared/dial/) for details.

docs/configuration/outbound/naive.zh.md

@@ -1,114 +0,0 @@
----
-icon: material/new-box
----
-
-!!! question "自 sing-box 1.13.0 起"
-
-### 结构
-
-```json
-{
-  "type": "naive",
-  "tag": "naive-out",
-
-  "server": "127.0.0.1",
-  "server_port": 443,
-  "username": "sekai",
-  "password": "password",
-  "insecure_concurrency": 0,
-  "extra_headers": {},
-  "udp_over_tcp": false | {},
-  "quic": false,
-  "quic_congestion_control": "",
-  "tls": {},
-
-  ... // 拨号字段
-}
-```
-
-!!! warning "平台支持"
-
-    NaiveProxy 出站仅在 Apple 平台、Android、Windows 和特定 Linux 构建上可用。
-
-    **官方发布版本区别：**
-
-    | 构建变体      | 平台                     | 说明                                       |
-    |-----------|------------------------|------------------------------------------|
-    | (默认)      | Linux amd64/arm64      | purego 构建，包含 `libcronet.so`              |
-    | `-glibc`  | Linux 386/amd64/arm/arm64 | CGO 构建，动态链接 glibc，要求 glibc >= 2.31       |
-    | `-musl`   | Linux 386/amd64/arm/arm64 | CGO 构建，静态链接 musl，无系统要求                   |
-    | (默认)      | Windows amd64/arm64 | purego 构建，包含 `libcronet.dll`             |
-
-    **运行时要求：**
-
-    - **Linux purego**：`libcronet.so` 必须位于 sing-box 二进制文件相同目录或系统库路径中
-    - **Windows**：`libcronet.dll` 必须位于 `sing-box.exe` 相同目录或 `PATH` 中的任意目录
-
-    自行构建请参阅 [从源代码构建](/zh/installation/build-from-source/#with_naive_outbound)。
-
-### 字段
-
-#### server
-
-==必填==
-
-服务器地址。
-
-#### server_port
-
-==必填==
-
-服务器端口。
-
-#### username
-
-认证用户名。
-
-#### password
-
-认证密码。
-
-#### insecure_concurrency
-
-并发隧道连接数。多连接使隧道更容易被流量分析检测，违背 NaiveProxy 抵抗流量分析的设计目的。
-
-#### extra_headers
-
-HTTP 请求中发送的额外头部。
-
-#### udp_over_tcp
-
-UDP over TCP 配置。
-
-参阅 [UDP Over TCP](/zh/configuration/shared/udp-over-tcp/)。
-
-#### quic
-
-使用 QUIC 代替 HTTP/2。
-
-#### quic_congestion_control
-
-QUIC 拥塞控制算法。
-
-| 算法 | 描述 |
-|------|------|
-| `bbr` | BBR |
-| `bbr2` | BBRv2 |
-| `cubic` | CUBIC |
-| `reno` | New Reno |
-
-默认使用 `bbr`（NaiveProxy 基于的 Chromium 使用的 QUICHE 的默认值）。
-
-#### tls
-
-==必填==
-
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
-
-只有 `server_name`、`certificate`、`certificate_path` 和 `ech` 是被支持的。
-
-自签名证书会显著改变流量行为，违背了 NaiveProxy 旨在抵抗流量分析的设计初衷，不应该在生产环境中使用。
-
-### 拨号字段
-
-参阅 [拨号字段](/zh/configuration/shared/dial/)。

docs/configuration/outbound/tuic.zh.md

@@ -66,7 +66,7 @@ UDP 包中继模式
 
 #### udp_over_stream
 
-这是 TUIC 的 [UDP over TCP 协议](/zh/configuration/shared/udp-over-tcp/) 移植， 旨在提供 TUIC 不提供的 基于 QUIC 流的 UDP 中继模式。 由于它是一个附加协议，因此您需要使用 sing-box 或其他兼容的程序作为服务器。
+这是 TUIC 的 [UDP over TCP 协议](/configuration/shared/udp-over-tcp/) 移植， 旨在提供 TUIC 不提供的 基于 QUIC 流的 UDP 中继模式。 由于它是一个附加协议，因此您需要使用 sing-box 或其他兼容的程序作为服务器。
 
 此模式在正确的 UDP 代理场景中没有任何积极作用，仅适用于中继流式 UDP 流量（基本上是 QUIC 流）。
 

docs/configuration/route/index.zh.md

@@ -62,7 +62,7 @@ icon: material/alert-decagram
 
 !!! question "自 sing-box 1.8.0 起"
 
-一组 [规则集](/zh/configuration/rule-set/)。
+一组 [规则集](/configuration/rule-set/)。
 
 #### final
 

docs/configuration/route/rule.md

@@ -428,15 +428,19 @@ Match default interface address.
 
 #### wifi_ssid
 
-Match WiFi SSID.
+!!! quote ""
 
-See [Wi-Fi State](/configuration/shared/wifi-state/) for details.
+    Only supported in graphical clients on Android and Apple platforms.
+
+Match WiFi SSID.
 
 #### wifi_bssid
 
-Match WiFi BSSID.
+!!! quote ""
 
-See [Wi-Fi State](/configuration/shared/wifi-state/) for details.
+    Only supported in graphical clients on Android and Apple platforms.
+
+Match WiFi BSSID.
 
 #### preferred_by
 

docs/configuration/route/rule.zh.md

@@ -425,15 +425,19 @@ icon: material/new-box
 
 #### wifi_ssid
 
-匹配 WiFi SSID。
+!!! quote ""
 
-参阅 [Wi-Fi 状态](/zh/configuration/shared/wifi-state/)。
+    仅在 Android 与 Apple 平台图形客户端中支持。
+
+匹配 WiFi SSID。
 
 #### wifi_bssid
 
-匹配 WiFi BSSID。
+!!! quote ""
 
-参阅 [Wi-Fi 状态](/zh/configuration/shared/wifi-state/)。
+    仅在 Android 与 Apple 平台图形客户端中支持。
+
+匹配 WiFi BSSID。
 
 #### preferred_by
 

docs/configuration/service/ccm.md

@@ -1,106 +0,0 @@
----
-icon: material/new-box
----
-
-!!! question "Since sing-box 1.13.0"
-
-# CCM
-
-CCM (Claude Code Multiplexer) service is a multiplexing service that allows you to access your local Claude Code subscription remotely through custom tokens.
-
-It handles OAuth authentication with Claude's API on your local machine while allowing remote Claude Code to authenticate using Auth Tokens via the `ANTHROPIC_AUTH_TOKEN` environment variable.
-
-### Structure
-
-```json
-{
-  "type": "ccm",
-
-  ... // Listen Fields
-
-  "credential_path": "",
-  "usages_path": "",
-  "users": [],
-  "headers": {},
-  "detour": "",
-  "tls": {}
-}
-```
-
-### Listen Fields
-
-See [Listen Fields](/configuration/shared/listen/) for details.
-
-### Fields
-
-#### credential_path
-
-Path to the Claude Code OAuth credentials file.
-
-If not specified, defaults to:
-- `$CLAUDE_CONFIG_DIR/.credentials.json` if `CLAUDE_CONFIG_DIR` environment variable is set
-- `~/.claude/.credentials.json` otherwise
-
-On macOS, credentials are read from the system keychain first, then fall back to the file if unavailable.
-
-Refreshed tokens are automatically written back to the same location.
-
-#### usages_path
-
-Path to the file for storing aggregated API usage statistics.
-
-Usage tracking is disabled if not specified.
-
-When enabled, the service tracks and saves comprehensive statistics including:
-- Request counts
-- Token usage (input, output, cache read, cache creation)
-- Calculated costs in USD based on Claude API pricing
-
-Statistics are organized by model, context window (200k standard vs 1M premium), and optionally by user when authentication is enabled.
-
-The statistics file is automatically saved every minute and upon service shutdown.
-
-#### users
-
-List of authorized users for token authentication.
-
-If empty, no authentication is required.
-
-Claude Code authenticates by setting the `ANTHROPIC_AUTH_TOKEN` environment variable to their token value.
-
-#### headers
-
-Custom HTTP headers to send to the Claude API.
-
-These headers will override any existing headers with the same name.
-
-#### detour
-
-Outbound tag for connecting to the Claude API.
-
-#### tls
-
-TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
-
-### Example
-
-```json
-{
-  "services": [
-    {
-      "type": "ccm",
-      "listen": "127.0.0.1",
-      "listen_port": 8080
-    }
-  ]
-}
-```
-
-Connect to the CCM service:
-
-```bash
-export ANTHROPIC_BASE_URL="http://127.0.0.1:8080"
-export ANTHROPIC_AUTH_TOKEN="sk-ant-ccm-auth-token-not-required-in-this-context"
-
-claude
-```

docs/configuration/service/ccm.zh.md

@@ -1,106 +0,0 @@
----
-icon: material/new-box
----
-
-!!! question "自 sing-box 1.13.0 起"
-
-# CCM
-
-CCM（Claude Code 多路复用器）服务是一个多路复用服务，允许您通过自定义令牌远程访问本地的 Claude Code 订阅。
-
-它在本地机器上处理与 Claude API 的 OAuth 身份验证，同时允许远程 Claude Code 通过 `ANTHROPIC_AUTH_TOKEN` 环境变量使用认证令牌进行身份验证。
-
-### 结构
-
-```json
-{
-  "type": "ccm",
-
-  ... // 监听字段
-
-  "credential_path": "",
-  "usages_path": "",
-  "users": [],
-  "headers": {},
-  "detour": "",
-  "tls": {}
-}
-```
-
-### 监听字段
-
-参阅 [监听字段](/zh/configuration/shared/listen/) 了解详情。
-
-### 字段
-
-#### credential_path
-
-Claude Code OAuth 凭据文件的路径。
-
-如果未指定，默认值为：
-- 如果设置了 `CLAUDE_CONFIG_DIR` 环境变量，则使用 `$CLAUDE_CONFIG_DIR/.credentials.json`
-- 否则使用 `~/.claude/.credentials.json`
-
-在 macOS 上，首先从系统钥匙串读取凭据，如果不可用则回退到文件。
-
-刷新的令牌会自动写回相同位置。
-
-#### usages_path
-
-用于存储聚合 API 使用统计信息的文件路径。
-
-如果未指定，使用跟踪将被禁用。
-
-启用后，服务会跟踪并保存全面的统计信息，包括：
-- 请求计数
-- 令牌使用量（输入、输出、缓存读取、缓存创建）
-- 基于 Claude API 定价计算的美元成本
-
-统计信息按模型、上下文窗口（200k 标准版 vs 1M 高级版）以及可选的用户（启用身份验证时）进行组织。
-
-统计文件每分钟自动保存一次，并在服务关闭时保存。
-
-#### users
-
-用于令牌身份验证的授权用户列表。
-
-如果为空，则不需要身份验证。
-
-Claude Code 通过设置 `ANTHROPIC_AUTH_TOKEN` 环境变量为其令牌值进行身份验证。
-
-#### headers
-
-发送到 Claude API 的自定义 HTTP 头。
-
-这些头会覆盖同名的现有头。
-
-#### detour
-
-用于连接 Claude API 的出站标签。
-
-#### tls
-
-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
-
-### 示例
-
-```json
-{
-  "services": [
-    {
-      "type": "ccm",
-      "listen": "127.0.0.1",
-      "listen_port": 8080
-    }
-  ]
-}
-```
-
-连接到 CCM 服务：
-
-```bash
-export ANTHROPIC_BASE_URL="http://127.0.0.1:8080"
-export ANTHROPIC_AUTH_TOKEN="sk-ant-ccm-auth-token-not-required-in-this-context"
-
-claude
-```

docs/configuration/service/index.md

@@ -23,9 +23,7 @@ icon: material/new-box
 
 | Type       | Format                 |
 |------------|------------------------|
-| `ccm`      | [CCM](./ccm)           |
 | `derp`     | [DERP](./derp)         |
-| `ocm`      | [OCM](./ocm)           |
 | `resolved` | [Resolved](./resolved) |
 | `ssm-api`  | [SSM API](./ssm-api)   |
 

docs/configuration/service/index.zh.md

@@ -23,9 +23,7 @@ icon: material/new-box
 
 | 类型       | 格式                   |
 |-----------|------------------------|
-| `ccm`     | [CCM](./ccm)           |
 | `derp`    | [DERP](./derp)         |
-| `ocm`     | [OCM](./ocm)           |
 | `resolved`| [Resolved](./resolved) |
 | `ssm-api` | [SSM API](./ssm-api)   |
 

docs/configuration/service/ocm.md

@@ -1,171 +0,0 @@
----
-icon: material/new-box
----
-
-!!! question "Since sing-box 1.13.0"
-
-# OCM
-
-OCM (OpenAI Codex Multiplexer) service is a multiplexing service that allows you to access your local OpenAI Codex subscription remotely through custom tokens.
-
-It handles OAuth authentication with OpenAI's API on your local machine while allowing remote clients to authenticate using custom tokens.
-
-### Structure
-
-```json
-{
-  "type": "ocm",
-
-  ... // Listen Fields
-
-  "credential_path": "",
-  "usages_path": "",
-  "users": [],
-  "headers": {},
-  "detour": "",
-  "tls": {}
-}
-```
-
-### Listen Fields
-
-See [Listen Fields](/configuration/shared/listen/) for details.
-
-### Fields
-
-#### credential_path
-
-Path to the OpenAI OAuth credentials file.
-
-If not specified, defaults to `~/.codex/auth.json`.
-
-Refreshed tokens are automatically written back to the same location.
-
-#### usages_path
-
-Path to the file for storing aggregated API usage statistics.
-
-Usage tracking is disabled if not specified.
-
-When enabled, the service tracks and saves comprehensive statistics including:
-- Request counts
-- Token usage (input, output, cached)
-- Calculated costs in USD based on OpenAI API pricing
-
-Statistics are organized by model and optionally by user when authentication is enabled.
-
-The statistics file is automatically saved every minute and upon service shutdown.
-
-#### users
-
-List of authorized users for token authentication.
-
-If empty, no authentication is required.
-
-Object format:
-
-```json
-{
-  "name": "",
-  "token": ""
-}
-```
-
-Object fields:
-
-- `name`: Username identifier for tracking purposes.
-- `token`: Bearer token for authentication. Clients authenticate by setting the `Authorization: Bearer <token>` header.
-
-#### headers
-
-Custom HTTP headers to send to the OpenAI API.
-
-These headers will override any existing headers with the same name.
-
-#### detour
-
-Outbound tag for connecting to the OpenAI API.
-
-#### tls
-
-TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
-
-### Example
-
-#### Server
-
-```json
-{
-  "services": [
-    {
-      "type": "ocm",
-      "listen": "127.0.0.1",
-      "listen_port": 8080
-    }
-  ]
-}
-```
-
-#### Client
-
-Add to `~/.codex/config.toml`:
-
-```toml
-[model_providers.ocm]
-name = "OCM Proxy"
-base_url = "http://127.0.0.1:8080/v1"
-wire_api = "responses"
-requires_openai_auth = false
-```
-
-Then run:
-
-```bash
-codex --model-provider ocm
-```
-
-### Example with Authentication
-
-#### Server
-
-```json
-{
-  "services": [
-    {
-      "type": "ocm",
-      "listen": "0.0.0.0",
-      "listen_port": 8080,
-      "usages_path": "./codex-usages.json",
-      "users": [
-        {
-          "name": "alice",
-          "token": "sk-alice-secret-token"
-        },
-        {
-          "name": "bob",
-          "token": "sk-bob-secret-token"
-        }
-      ]
-    }
-  ]
-}
-```
-
-#### Client
-
-Add to `~/.codex/config.toml`:
-
-```toml
-[model_providers.ocm]
-name = "OCM Proxy"
-base_url = "http://127.0.0.1:8080/v1"
-wire_api = "responses"
-requires_openai_auth = false
-experimental_bearer_token = "sk-alice-secret-token"
-```
-
-Then run:
-
-```bash
-codex --model-provider ocm
-```

docs/configuration/service/ocm.zh.md

@@ -1,171 +0,0 @@
----
-icon: material/new-box
----
-
-!!! question "自 sing-box 1.13.0 起"
-
-# OCM
-
-OCM（OpenAI Codex 多路复用器）服务是一个多路复用服务，允许您通过自定义令牌远程访问本地的 OpenAI Codex 订阅。
-
-它在本地机器上处理与 OpenAI API 的 OAuth 身份验证，同时允许远程客户端使用自定义令牌进行身份验证。
-
-### 结构
-
-```json
-{
-  "type": "ocm",
-
-  ... // 监听字段
-
-  "credential_path": "",
-  "usages_path": "",
-  "users": [],
-  "headers": {},
-  "detour": "",
-  "tls": {}
-}
-```
-
-### 监听字段
-
-参阅 [监听字段](/zh/configuration/shared/listen/) 了解详情。
-
-### 字段
-
-#### credential_path
-
-OpenAI OAuth 凭据文件的路径。
-
-如果未指定，默认值为 `~/.codex/auth.json`。
-
-刷新的令牌会自动写回相同位置。
-
-#### usages_path
-
-用于存储聚合 API 使用统计信息的文件路径。
-
-如果未指定，使用跟踪将被禁用。
-
-启用后，服务会跟踪并保存全面的统计信息，包括：
-- 请求计数
-- 令牌使用量（输入、输出、缓存）
-- 基于 OpenAI API 定价计算的美元成本
-
-统计信息按模型以及可选的用户（启用身份验证时）进行组织。
-
-统计文件每分钟自动保存一次，并在服务关闭时保存。
-
-#### users
-
-用于令牌身份验证的授权用户列表。
-
-如果为空，则不需要身份验证。
-
-对象格式：
-
-```json
-{
-  "name": "",
-  "token": ""
-}
-```
-
-对象字段：
-
-- `name`：用于跟踪的用户名标识符。
-- `token`：用于身份验证的 Bearer 令牌。客户端通过设置 `Authorization: Bearer <token>` 头进行身份验证。
-
-#### headers
-
-发送到 OpenAI API 的自定义 HTTP 头。
-
-这些头会覆盖同名的现有头。
-
-#### detour
-
-用于连接 OpenAI API 的出站标签。
-
-#### tls
-
-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
-
-### 示例
-
-#### 服务端
-
-```json
-{
-  "services": [
-    {
-      "type": "ocm",
-      "listen": "127.0.0.1",
-      "listen_port": 8080
-    }
-  ]
-}
-```
-
-#### 客户端
-
-在 `~/.codex/config.toml` 中添加：
-
-```toml
-[model_providers.ocm]
-name = "OCM Proxy"
-base_url = "http://127.0.0.1:8080/v1"
-wire_api = "responses"
-requires_openai_auth = false
-```
-
-然后运行：
-
-```bash
-codex --model-provider ocm
-```
-
-### 带身份验证的示例
-
-#### 服务端
-
-```json
-{
-  "services": [
-    {
-      "type": "ocm",
-      "listen": "0.0.0.0",
-      "listen_port": 8080,
-      "usages_path": "./codex-usages.json",
-      "users": [
-        {
-          "name": "alice",
-          "token": "sk-alice-secret-token"
-        },
-        {
-          "name": "bob",
-          "token": "sk-bob-secret-token"
-        }
-      ]
-    }
-  ]
-}
-```
-
-#### 客户端
-
-在 `~/.codex/config.toml` 中添加：
-
-```toml
-[model_providers.ocm]
-name = "OCM Proxy"
-base_url = "http://127.0.0.1:8080/v1"
-wire_api = "responses"
-requires_openai_auth = false
-experimental_bearer_token = "sk-alice-secret-token"
-```
-
-然后运行：
-
-```bash
-codex --model-provider ocm
-```

docs/configuration/shared/dial.md

@@ -2,12 +2,6 @@
 icon: material/new-box
 ---
 
-!!! quote "Changes in sing-box 1.13.0"
-
-    :material-plus: [disable_tcp_keep_alive](#disable_tcp_keep_alive)
-    :material-plus: [tcp_keep_alive](#tcp_keep_alive)
-    :material-plus: [tcp_keep_alive_interval](#tcp_keep_alive_interval)
-
 !!! quote "Changes in sing-box 1.12.0"
 
     :material-plus: [domain_resolver](#domain_resolver)  
@@ -35,11 +29,8 @@ icon: material/new-box
   "connect_timeout": "",
   "tcp_fast_open": false,
   "tcp_multi_path": false,
-  "disable_tcp_keep_alive": false,
-  "tcp_keep_alive": "",
-  "tcp_keep_alive_interval": "",
   "udp_fragment": false,
-
+  
   "domain_resolver": "", // or {}
   "network_strategy": "",
   "network_type": [],
@@ -121,30 +112,6 @@ Enable TCP Fast Open.
 
 Enable TCP Multi Path.
 
-#### disable_tcp_keep_alive
-
-!!! question "Since sing-box 1.13.0"
-
-Disable TCP keep alive.
-
-#### tcp_keep_alive
-
-!!! question "Since sing-box 1.13.0"
-
-    Default value changed from `10m` to `5m`.
-
-TCP keep alive initial period.
-
-`5m` will be used by default.
-
-#### tcp_keep_alive_interval
-
-!!! question "Since sing-box 1.13.0"
-
-TCP keep alive interval.
-
-`75s` will be used by default.
-
 #### udp_fragment
 
 Enable UDP fragmentation.

docs/configuration/shared/dial.zh.md

@@ -2,12 +2,6 @@
 icon: material/new-box
 ---
 
-!!! quote "sing-box 1.13.0 中的更改"
-
-    :material-plus: [disable_tcp_keep_alive](#disable_tcp_keep_alive)
-    :material-plus: [tcp_keep_alive](#tcp_keep_alive)
-    :material-plus: [tcp_keep_alive_interval](#tcp_keep_alive_interval)
-
 !!! quote "sing-box 1.12.0 中的更改"
 
     :material-plus: [domain_resolver](#domain_resolver)  
@@ -35,11 +29,7 @@ icon: material/new-box
   "connect_timeout": "",
   "tcp_fast_open": false,
   "tcp_multi_path": false,
-  "disable_tcp_keep_alive": false,
-  "tcp_keep_alive": "",
-  "tcp_keep_alive_interval": "",
   "udp_fragment": false,
-
   "domain_resolver": "", // 或 {}
   "network_strategy": "",
   "network_type": [],
@@ -119,30 +109,6 @@ icon: material/new-box
 
 启用 TCP Multi Path。
 
-#### disable_tcp_keep_alive
-
-!!! question "自 sing-box 1.13.0 起"
-
-禁用 TCP keep alive。
-
-#### tcp_keep_alive
-
-!!! question "自 sing-box 1.13.0 起"
-
-    默认值从 `10m` 更改为 `5m`。
-
-TCP keep alive 初始周期。
-
-默认使用 `5m`。
-
-#### tcp_keep_alive_interval
-
-!!! question "自 sing-box 1.13.0 起"
-
-TCP keep alive 间隔。
-
-默认使用 `75s`。
-
 #### udp_fragment
 
 启用 UDP 分段。

docs/configuration/shared/dns01_challenge.md

@@ -1,18 +1,9 @@
----
-icon: material/new-box
----
-
-!!! quote "Changes in sing-box 1.13.0"
-
-    :material-plus: [alidns.security_token](#security_token)
-    :material-plus: [cloudflare.zone_token](#zone_token)
-
 ### Structure
 
 ```json
 {
   "provider": "",
-
+  
   ... // Provider Fields
 }
 ```
@@ -26,31 +17,15 @@ icon: material/new-box
   "provider": "alidns",
   "access_key_id": "",
   "access_key_secret": "",
-  "region_id": "",
-  "security_token": ""
+  "region_id": ""
 }
 ```
 
-##### security_token
-
-!!! question "Since sing-box 1.13.0"
-
-The Security Token for STS temporary credentials.
-
 #### Cloudflare
 
 ```json
 {
   "provider": "cloudflare",
-  "api_token": "",
-  "zone_token": ""
+  "api_token": ""
 }
-```
-
-##### zone_token
-
-!!! question "Since sing-box 1.13.0"
-
-Optional API token with `Zone:Read` permission.
-
-When provided, allows `api_token` to be scoped to a single zone.
+```

docs/configuration/shared/dns01_challenge.zh.md

@@ -1,18 +1,9 @@
----
-icon: material/new-box
----
-
-!!! quote "sing-box 1.13.0 中的更改"
-
-    :material-plus: [alidns.security_token](#security_token)
-    :material-plus: [cloudflare.zone_token](#zone_token)
-
 ### 结构
 
 ```json
 {
   "provider": "",
-
+  
   ... // 提供商字段
 }
 ```
@@ -26,31 +17,15 @@ icon: material/new-box
   "provider": "alidns",
   "access_key_id": "",
   "access_key_secret": "",
-  "region_id": "",
-  "security_token": ""
+  "region_id": ""
 }
 ```
 
-##### security_token
-
-!!! question "自 sing-box 1.13.0 起"
-
-用于 STS 临时凭证的安全令牌。
-
 #### Cloudflare
 
 ```json
 {
   "provider": "cloudflare",
-  "api_token": "",
-  "zone_token": ""
+  "api_token": ""
 }
-```
-
-##### zone_token
-
-!!! question "自 sing-box 1.13.0 起"
-
-具有 `Zone:Read` 权限的可选 API 令牌。
-
-提供后可将 `api_token` 限定到单个区域。
+```

docs/configuration/shared/listen.md

@@ -2,11 +2,6 @@
 icon: material/new-box
 ---
 
-!!! quote "Changes in sing-box 1.13.0"
-
-    :material-plus: [disable_tcp_keep_alive](#disable_tcp_keep_alive)
-    :material-alert: [tcp_keep_alive](#tcp_keep_alive)
-
 !!! quote "Changes in sing-box 1.12.0"
 
     :material-plus: [netns](#netns)  
@@ -34,9 +29,6 @@ icon: material/new-box
   "netns": "",
   "tcp_fast_open": false,
   "tcp_multi_path": false,
-  "disable_tcp_keep_alive": false,
-  "tcp_keep_alive": "",
-  "tcp_keep_alive_interval": "",
   "udp_fragment": false,
   "udp_timeout": "",
   "detour": "",
@@ -109,28 +101,6 @@ Enable TCP Fast Open.
 
 Enable TCP Multi Path.
 
-#### disable_tcp_keep_alive
-
-!!! question "Since sing-box 1.13.0"
-
-Disable TCP keep alive.
-
-#### tcp_keep_alive
-
-!!! question "Since sing-box 1.13.0"
-
-    Default value changed from `10m` to `5m`.
-
-TCP keep alive initial period.
-
-`5m` will be used by default.
-
-#### tcp_keep_alive_interval
-
-TCP keep alive interval.
-
-`75s` will be used by default.
-
 #### udp_fragment
 
 Enable UDP fragmentation.

docs/configuration/shared/listen.zh.md

@@ -2,12 +2,7 @@
 icon: material/new-box
 ---
 
-!!! quote "sing-box 1.13.0 中的更改"
-
-    :material-plus: [disable_tcp_keep_alive](#disable_tcp_keep_alive)
-    :material-alert: [tcp_keep_alive](#tcp_keep_alive)
-
-!!! quote "sing-box 1.12.0 中的更改"
+!!! quote "Changes in sing-box 1.12.0"
 
     :material-plus: [netns](#netns)  
     :material-plus: [bind_interface](#bind_interface)  
@@ -34,9 +29,6 @@ icon: material/new-box
   "netns": "",
   "tcp_fast_open": false,
   "tcp_multi_path": false,
-  "disable_tcp_keep_alive": false,
-  "tcp_keep_alive": "",
-  "tcp_keep_alive_interval": "",
   "udp_fragment": false,
   "udp_timeout": "",
   "detour": "",
@@ -109,28 +101,6 @@ icon: material/new-box
 
 启用 TCP Multi Path。
 
-#### disable_tcp_keep_alive
-
-!!! question "自 sing-box 1.13.0 起"
-
-禁用 TCP keep alive。
-
-#### tcp_keep_alive
-
-!!! question "自 sing-box 1.13.0 起"
-
-    默认值从 `10m` 更改为 `5m`。
-
-TCP keep alive 初始周期。
-
-默认使用 `5m`。
-
-#### tcp_keep_alive_interval
-
-TCP keep alive 间隔。
-
-默认使用 `75s`。
-
 #### udp_fragment
 
 启用 UDP 分段。

docs/configuration/shared/tls.md

@@ -8,13 +8,10 @@ icon: material/new-box
     :material-plus: [kernel_rx](#kernel_rx)  
     :material-plus: [curve_preferences](#curve_preferences)  
     :material-plus: [certificate_public_key_sha256](#certificate_public_key_sha256)  
+    :material-plus: [client_authentication](#client_authentication)  
     :material-plus: [client_certificate](#client_certificate)  
     :material-plus: [client_certificate_path](#client_certificate_path)  
-    :material-plus: [client_key](#client_key)  
-    :material-plus: [client_key_path](#client_key_path)  
-    :material-plus: [client_authentication](#client_authentication)  
-    :material-plus: [client_certificate_public_key_sha256](#client_certificate_public_key_sha256)  
-    :material-plus: [ech.query_server_name](#query_server_name)
+    :material-plus: [client_certificate_public_key_sha256](#client_certificate_public_key_sha256)
 
 !!! quote "Changes in sing-box 1.12.0"
 
@@ -104,14 +101,9 @@ icon: material/new-box
   "min_version": "",
   "max_version": "",
   "cipher_suites": [],
-  "curve_preferences": [],
   "certificate": "",
   "certificate_path": "",
   "certificate_public_key_sha256": [],
-  "client_certificate": [],
-  "client_certificate_path": "",
-  "client_key": [],
-  "client_key_path": "",
   "fragment": false,
   "fragment_fallback_delay": "",
   "record_fragment": false,
@@ -119,7 +111,6 @@ icon: material/new-box
     "enabled": false,
     "config": [],
     "config_path": "",
-    "query_server_name": "",
 
     // Deprecated
     "pq_signature_schemes_enabled": false,
@@ -267,38 +258,6 @@ openssl x509 -in certificate.pem -pubkey -noout | openssl pkey -pubin -outform d
 echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
 ```
 
-#### client_certificate
-
-!!! question "Since sing-box 1.13.0"
-
-==Client only==
-
-Client certificate chain line array, in PEM format.
-
-#### client_certificate_path
-
-!!! question "Since sing-box 1.13.0"
-
-==Client only==
-
-The path to client certificate chain, in PEM format.
-
-#### client_key
-
-!!! question "Since sing-box 1.13.0"
-
-==Client only==
-
-Client private key line array, in PEM format.
-
-#### client_key_path
-
-!!! question "Since sing-box 1.13.0"
-
-==Client only==
-
-The path to client private key, in PEM format.
-
 #### key
 
 ==Server only==
@@ -507,16 +466,6 @@ The path to ECH configuration, in PEM format.
 
 If empty, load from DNS will be attempted.
 
-#### query_server_name
-
-!!! question "Since sing-box 1.13.0"
-
-==Client only==
-
-Overrides the domain name used for ECH HTTPS record queries.
-
-If empty, `server_name` is used for queries.
-
 #### fragment
 
 !!! question "Since sing-box 1.12.0"

docs/configuration/shared/tls.zh.md

@@ -4,17 +4,14 @@ icon: material/new-box
 
 !!! quote "sing-box 1.13.0 中的更改"
 
-    :material-plus: [kernel_tx](#kernel_tx)  
-    :material-plus: [kernel_rx](#kernel_rx)  
-    :material-plus: [curve_preferences](#curve_preferences)  
-    :material-plus: [certificate_public_key_sha256](#certificate_public_key_sha256)  
-    :material-plus: [client_certificate](#client_certificate)  
-    :material-plus: [client_certificate_path](#client_certificate_path)  
-    :material-plus: [client_key](#client_key)  
-    :material-plus: [client_key_path](#client_key_path)  
-    :material-plus: [client_authentication](#client_authentication)  
-    :material-plus: [client_certificate_public_key_sha256](#client_certificate_public_key_sha256)  
-    :material-plus: [ech.query_server_name](#query_server_name)
+    :material-plus: [kernel_tx](#kernel_tx)
+    :material-plus: [kernel_rx](#kernel_rx)
+    :material-plus: [curve_preferences](#curve_preferences)
+    :material-plus: [certificate_public_key_sha256](#certificate_public_key_sha256)
+    :material-plus: [client_authentication](#client_authentication)
+    :material-plus: [client_certificate](#client_certificate)
+    :material-plus: [client_certificate_path](#client_certificate_path)
+    :material-plus: [client_certificate_public_key_sha256](#client_certificate_public_key_sha256)
 
 !!! quote "sing-box 1.12.0 中的更改"
 
@@ -104,14 +101,9 @@ icon: material/new-box
   "min_version": "",
   "max_version": "",
   "cipher_suites": [],
-  "curve_preferences": [],
   "certificate": "",
   "certificate_path": "",
   "certificate_public_key_sha256": [],
-  "client_certificate": [],
-  "client_certificate_path": "",
-  "client_key": [],
-  "client_key_path": "",
   "fragment": false,
   "fragment_fallback_delay": "",
   "record_fragment": false,
@@ -119,7 +111,6 @@ icon: material/new-box
     "enabled": false,
     "config": [],
     "config_path": "",
-    "query_server_name": "",
 
     // 废弃的
     "pq_signature_schemes_enabled": false,
@@ -262,38 +253,6 @@ openssl x509 -in certificate.pem -pubkey -noout | openssl pkey -pubin -outform d
 echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
 ```
 
-#### client_certificate
-
-!!! question "自 sing-box 1.13.0 起"
-
-==仅客户端==
-
-客户端证书链行数组，PEM 格式。
-
-#### client_certificate_path
-
-!!! question "自 sing-box 1.13.0 起"
-
-==仅客户端==
-
-客户端证书链路径，PEM 格式。
-
-#### client_key
-
-!!! question "自 sing-box 1.13.0 起"
-
-==仅客户端==
-
-客户端私钥行数组，PEM 格式。
-
-#### client_key_path
-
-!!! question "自 sing-box 1.13.0 起"
-
-==仅客户端==
-
-客户端私钥路径，PEM 格式。
-
 #### key
 
 ==仅服务器==
@@ -505,16 +464,6 @@ ECH 配置路径，PEM 格式。
 
 如果为空，将尝试从 DNS 加载。
 
-#### query_server_name
-
-!!! question "自 sing-box 1.13.0 起"
-
-==仅客户端==
-
-覆盖用于 ECH HTTPS 记录查询的域名。
-
-如果为空，使用 `server_name` 查询。
-
 #### fragment
 
 !!! question "自 sing-box 1.12.0 起"
@@ -620,7 +569,7 @@ MAC 密钥。
 
 ACME DNS01 验证字段。如果配置，将禁用其他验证方法。
 
-参阅 [DNS01 验证字段](/zh/configuration/shared/dns01_challenge/)。
+参阅 [DNS01 验证字段](/configuration/shared/dns01_challenge/)。
 
 ### Reality 字段
 

docs/configuration/shared/wifi-state.md

@@ -1,41 +0,0 @@
----
-icon: material/new-box
----
-
-# Wi-Fi State
-
-!!! quote "Changes in sing-box 1.13.0"
-
-    :material-plus: Linux support
-    :material-plus: Windows support
-
-sing-box can monitor Wi-Fi state to enable routing rules based on `wifi_ssid` and `wifi_bssid`.
-
-### Platform Support
-
-| Platform        | Support          | Notes                    |
-|-----------------|------------------|--------------------------|
-| Android         | :material-check: | In graphical client      |
-| Apple platforms | :material-check: | In graphical clients     |
-| Linux           | :material-check: | Requires supported daemon |
-| Windows         | :material-check: | WLAN API                 |
-| Others          | :material-close: |                          |
-
-### Linux
-
-!!! question "Since sing-box 1.13.0"
-
-The following backends are supported and will be auto-detected in order of priority:
-
-| Backend          | Interface   |
-|------------------|-------------|
-| NetworkManager   | D-Bus       |
-| IWD              | D-Bus       |
-| wpa_supplicant   | Unix socket |
-| ConnMan          | D-Bus       |
-
-### Windows
-
-!!! question "Since sing-box 1.13.0"
-
-Uses Windows WLAN API.

docs/configuration/shared/wifi-state.zh.md

@@ -1,41 +0,0 @@
----
-icon: material/new-box
----
-
-# Wi-Fi 状态
-
-!!! quote "sing-box 1.13.0 的变更"
-
-    :material-plus: Linux 支持
-    :material-plus: Windows 支持
-
-sing-box 可以监控 Wi-Fi 状态，以启用基于 `wifi_ssid` 和 `wifi_bssid` 的路由规则。
-
-### 平台支持
-
-| 平台            | 支持              | 备注           |
-|-----------------|------------------|----------------|
-| Android         | :material-check: | 仅图形客户端    |
-| Apple 平台      | :material-check: | 仅图形客户端    |
-| Linux           | :material-check: | 需要支持的守护进程 |
-| Windows         | :material-check: | WLAN API       |
-| 其他            | :material-close: |                |
-
-### Linux
-
-!!! question "自 sing-box 1.13.0 起"
-
-支持以下后端，将按优先级顺序自动探测：
-
-| 后端              | 接口         |
-|------------------|-------------|
-| NetworkManager   | D-Bus       |
-| IWD              | D-Bus       |
-| wpa_supplicant   | Unix socket |
-| ConnMan          | D-Bus       |
-
-### Windows
-
-!!! question "自 sing-box 1.13.0 起"
-
-使用 Windows WLAN API。

docs/deprecated.zh.md

@@ -95,7 +95,7 @@ GeoIP 已废弃且将在 sing-box 1.12.0 中被移除。
 maxmind GeoIP 国家数据库作为 IP 分类数据库，不完全适合流量绕过，
 且现有的实现均存在内存使用大与管理困难的问题。
 
-sing-box 1.8.0 引入了[规则集](/zh/configuration/rule-set/)，
+sing-box 1.8.0 引入了[规则集](/configuration/rule-set/)，
 可以完全替代 GeoIP， 参阅 [迁移指南](/zh/migration/#geoip)。
 
 #### Geosite
@@ -105,7 +105,7 @@ Geosite 已废弃且将在 sing-box 1.12.0 中被移除。
 Geosite，即由 V2Ray 维护的 domain-list-community 项目，作为早期流量绕过解决方案，
 存在着包括缺少维护、规则不准确和管理困难内的大量问题。
 
-sing-box 1.8.0 引入了[规则集](/zh/configuration/rule-set/)，
+sing-box 1.8.0 引入了[规则集](/configuration/rule-set/)，
 可以完全替代 Geosite，参阅 [迁移指南](/zh/migration/#geosite)。
 
 ## 1.6.0

docs/installation/build-from-source.md

@@ -57,45 +57,6 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
 | `with_v2ray_api`                   | :material-close:️    | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
 | `with_gvisor`                      | :material-check:     | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
 | `with_embedded_tor` (CGO required) | :material-close:️    | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
-| `with_tailscale`                   | :material-check:     | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale)                                                                                                                                                                                                                                      |
-| `with_naive_outbound`              | :material-close:️    | Build with NaiveProxy outbound support, see [NaiveProxy outbound](/configuration/outbound/naive/).                                                                                                                                                                                                                             |
+| `with_tailscale`                   | :material-check:   | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale)                                                                                                                                                                                                                                      |
 
 It is not recommended to change the default build tag list unless you really know what you are adding.
-
-## :material-layers: with_naive_outbound
-
-NaiveProxy outbound requires special build configurations depending on your target platform.
-
-### Supported Platforms
-
-| Platform        | Architectures          | Mode   | Requirements                                      |
-|-----------------|------------------------|--------|---------------------------------------------------|
-| Linux           | amd64, arm64           | purego | None (library included in official releases)      |
-| Linux           | 386, amd64, arm, arm64 | CGO    | Chromium toolchain, glibc >= 2.31 at runtime      |
-| Linux (musl)    | 386, amd64, arm, arm64 | CGO    | Chromium toolchain                                |
-| Windows         | amd64, arm64           | purego | None (library included in official releases)      |
-| Apple platforms | *                      | CGO    | Xcode                                             |
-| Android         | *                      | CGO    | Android NDK                                       |
-
-### Windows
-
-Use `with_purego` tag.
-
-For official releases, `libcronet.dll` is included in the archive. For self-built binaries, download from [cronet-go releases](https://github.com/sagernet/cronet-go/releases) and place in the same directory as `sing-box.exe` or in a directory listed in `PATH`.
-
-### Linux (purego, amd64/arm64 only)
-
-Use `with_purego` tag.
-
-For official releases, `libcronet.so` is included in the archive. For self-built binaries, download from [cronet-go releases](https://github.com/sagernet/cronet-go/releases) and place in the same directory as sing-box binary or in system library path.
-
-### Linux (CGO)
-
-See [cronet-go](https://github.com/sagernet/cronet-go#linux-build-instructions).
-
-- **glibc build**: Requires glibc >= 2.31 at runtime
-- **musl build**: Use `with_musl` tag, statically linked, no runtime requirements
-
-### Apple platforms / Android
-
-See [cronet-go](https://github.com/sagernet/cronet-go).

docs/installation/build-from-source.zh.md

@@ -62,44 +62,5 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
 | `with_gvisor`                      | :material-check:  | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
 | `with_embedded_tor` (CGO required) | :material-close:️ | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
 | `with_tailscale`                   | :material-check:  | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale)                                                                                                                                                                                                                                      |
-| `with_naive_outbound`              | :material-close:️ | 构建 NaiveProxy 出站支持，参阅 [NaiveProxy 出站](/zh/configuration/outbound/naive/)。                                                                                                                                                                                                                                                      |
 
 除非您确实知道您正在启用什么，否则不建议更改默认构建标签列表。
-
-## :material-layers: with_naive_outbound
-
-NaiveProxy 出站需要根据目标平台进行特殊的构建配置。
-
-### 支持的平台
-
-| 平台            | 架构                     | 模式     | 要求                             |
-|---------------|------------------------|--------|--------------------------------|
-| Linux         | amd64, arm64           | purego | 无（官方发布版本已包含库文件）                |
-| Linux         | 386, amd64, arm, arm64 | CGO    | Chromium 工具链，运行时需要 glibc >= 2.31 |
-| Linux (musl)  | 386, amd64, arm, arm64 | CGO    | Chromium 工具链                   |
-| Windows       | amd64, arm64           | purego | 无（官方发布版本已包含库文件）                |
-| Apple 平台      | *                      | CGO    | Xcode                          |
-| Android       | *                      | CGO    | Android NDK                    |
-
-### Windows
-
-使用 `with_purego` 标记。
-
-官方发布版本已包含 `libcronet.dll`。自行构建时，从 [cronet-go releases](https://github.com/sagernet/cronet-go/releases) 下载并放置在 `sing-box.exe` 相同目录或 `PATH` 中的任意目录。
-
-### Linux (purego, 仅 amd64/arm64)
-
-使用 `with_purego` 标记。
-
-官方发布版本已包含 `libcronet.so`。自行构建时，从 [cronet-go releases](https://github.com/sagernet/cronet-go/releases) 下载并放置在 sing-box 二进制文件相同目录或系统库路径中。
-
-### Linux (CGO)
-
-参阅 [cronet-go](https://github.com/sagernet/cronet-go#linux-build-instructions)。
-
-- **glibc 构建**：运行时需要 glibc >= 2.31
-- **musl 构建**：使用 `with_musl` 标记，静态链接，无运行时要求
-
-### Apple 平台 / Android
-
-参阅 [cronet-go](https://github.com/sagernet/cronet-go)。

docs/migration.zh.md

@@ -10,8 +10,8 @@ DNS 服务器已经重构。
 
 !!! info "引用"
 
-    [DNS 服务器](/zh/configuration/dns/server/) /
-    [旧 DNS 服务器](/zh/configuration/dns/server/legacy/)
+    [DNS 服务器](/configuration/dns/server/) /
+    [旧 DNS 服务器](/configuration/dns/server/legacy/)
 
 === "Local"
 

docs/sponsors.md

@@ -11,22 +11,16 @@ the project maintainer via [GitHub Sponsors](https://github.com/sponsors/nekohas
 
 ![](https://nekohasekai.github.io/sponsor-images/sponsors.svg)
 
-## Commercial Sponsors
+### Special Sponsors
 
-> [Warp](https://go.warp.dev/sing-box), Built for coding with multiple AI agents.
-
-[![](https://github.com/warpdotdev/brand-assets/raw/refs/heads/main/Github/Sponsor/Warp-Github-LG-02.png)](https://go.warp.dev/sing-box)
-
-## Special Sponsors
-
-> Viral Tech, Inc.
+**Viral Tech, Inc.**
 
 Helping us re-list sing-box apps on the Apple Store.
 
 ---
 
-> [JetBrains](https://www.jetbrains.com)
+[![JetBrains logo](https://resources.jetbrains.com/storage/products/company/brand/logos/jetbrains.svg)](https://www.jetbrains.com)
 
 Free license for the amazing IDEs.
 
-[![JetBrains logo](https://resources.jetbrains.com/storage/products/company/brand/logos/jetbrains.svg)](https://www.jetbrains.com)
+---