Bump version

Update tfo-go
Fix missing Tailscale in ProxyDisplayName
2026-04-16 05:39:08 +10:00 · 2026-02-28 14:42:39 +08:00 · 2026-02-27 19:55:32 +08:00 · 2026-02-27 19:39:52 +08:00 · 2026-02-27 19:39:52 +08:00 · 2026-02-27 15:07:16 +08:00
91 changed files with 4443 additions and 1159 deletions
--- a/.fpm_pacman
+++ b/.fpm_pacman
@@ -0,0 +1,23 @@
+-s dir
+--name sing-box
+--category net
+--license GPL-3.0-or-later
+--description "The universal proxy platform."
+--url "https://sing-box.sagernet.org/"
+--maintainer "nekohasekai <contact-git@sekai.icu>"
+--config-files etc/sing-box/config.json
+--after-install release/config/sing-box.postinst
+
+release/config/config.json=/etc/sing-box/config.json
+
+release/config/sing-box.service=/usr/lib/systemd/system/sing-box.service
+release/config/sing-box@.service=/usr/lib/systemd/system/sing-box@.service
+release/config/sing-box.sysusers=/usr/lib/sysusers.d/sing-box.conf
+release/config/sing-box.rules=usr/share/polkit-1/rules.d/sing-box.rules
+release/config/sing-box-split-dns.xml=/usr/share/dbus-1/system.d/sing-box-split-dns.conf
+
+release/completions/sing-box.bash=/usr/share/bash-completion/completions/sing-box.bash
+release/completions/sing-box.fish=/usr/share/fish/vendor_completions.d/sing-box.fish
+release/completions/sing-box.zsh=/usr/share/zsh/site-functions/_sing-box
+
+LICENSE=/usr/share/licenses/sing-box/LICENSE
--- a/.github/CRONET_GO_VERSION
+++ b/.github/CRONET_GO_VERSION
@@ -1 +1 @@
-dc1cda1fe28740ba069934ab62aeb8ef85388332
+17c7ef18afa63b205e835c6270277b29382eb8e3
--- a/.github/setup_go_for_windows7.sh
+++ b/.github/setup_go_for_windows7.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash

-VERSION="1.25.6"
+VERSION="1.25.7"

 mkdir -p $HOME/go
 cd $HOME/go
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -46,7 +46,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.6
+          go-version: ~1.25.7
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
@@ -85,19 +85,27 @@ jobs:
          - { os: linux, arch: arm, variant: glibc, naive: true, goarm: "7" }
          - { os: linux, arch: arm, variant: musl, naive: true, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }

+          - { os: linux, arch: mipsle, gomips: hardfloat, naive: true, variant: glibc }
+          - { os: linux, arch: mipsle, gomips: softfloat, naive: true, variant: musl, debian: mipsel, rpm: mipsel, openwrt: "mipsel_24kc mipsel_74kc mipsel_mips32" }
+          - { os: linux, arch: mips64le, gomips: hardfloat, naive: true, variant: glibc, debian: mips64el, rpm: mips64el }
+          - { os: linux, arch: riscv64, naive: true, variant: glibc }
+          - { os: linux, arch: riscv64, naive: true, variant: musl, debian: riscv64, rpm: riscv64, openwrt: "riscv64_generic" }
+          - { os: linux, arch: loong64, naive: true, variant: glibc }
+          - { os: linux, arch: loong64, naive: true, variant: musl, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }
+
          - { os: linux, arch: "386", go386: softfloat, openwrt: "i386_pentium-mmx" }
          - { os: linux, arch: arm, goarm: "5", openwrt: "arm_arm926ej-s arm_cortex-a7 arm_cortex-a9 arm_fa526 arm_xscale" }
          - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl, openwrt: "arm_arm1176jzf-s_vfp" }
          - { os: linux, arch: mips, gomips: softfloat, openwrt: "mips_24kc mips_4kec mips_mips32" }
-          - { os: linux, arch: mipsle, gomips: hardfloat, debian: mipsel, rpm: mipsel, openwrt: "mipsel_24kc_24kf" }
-          - { os: linux, arch: mipsle, gomips: softfloat, openwrt: "mipsel_24kc mipsel_74kc mipsel_mips32" }
+          - { os: linux, arch: mipsle, gomips: hardfloat, openwrt: "mipsel_24kc_24kf" }
+          - { os: linux, arch: mipsle, gomips: softfloat }
          - { os: linux, arch: mips64, gomips: softfloat, openwrt: "mips64_mips64r2 mips64_octeonplus" }
-          - { os: linux, arch: mips64le, gomips: hardfloat, debian: mips64el, rpm: mips64el }
+          - { os: linux, arch: mips64le, gomips: hardfloat }
          - { os: linux, arch: mips64le, gomips: softfloat, openwrt: "mips64el_mips64r2" }
          - { os: linux, arch: s390x, debian: s390x, rpm: s390x }
          - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
-          - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64, openwrt: "riscv64_generic" }
-          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }
+          - { os: linux, arch: riscv64 }
+          - { os: linux, arch: loong64 }

          - { os: windows, arch: amd64, legacy_win7: true, legacy_name: "windows-7" }
          - { os: windows, arch: "386", legacy_win7: true, legacy_name: "windows-7" }
@@ -115,7 +123,7 @@ jobs:
        if: ${{ ! (matrix.legacy_win7 || matrix.legacy_go124) }}
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.6
+          go-version: ~1.25.7
      - name: Setup Go 1.24
        if: matrix.legacy_go124
        uses: actions/setup-go@v5
@@ -154,14 +162,23 @@ jobs:
          git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
          git -C ~/cronet-go checkout FETCH_HEAD
          git -C ~/cronet-go submodule update --init --recursive --depth=1
+      - name: Regenerate Debian keyring
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          rm -f ~/cronet-go/naiveproxy/src/build/linux/sysroot_scripts/keyring.gpg
+          cd ~/cronet-go
+          GPG_TTY=/dev/null ./naiveproxy/src/build/linux/sysroot_scripts/generate_keyring.sh
      - name: Cache Chromium toolchain
        if: matrix.naive
        id: cache-chromium-toolchain
        uses: actions/cache@v4
        with:
          path: |
-            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
-            ~/cronet-go/naiveproxy/src/out/sysroot-build
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/
+            ~/cronet-go/naiveproxy/src/gn/out/
+            ~/cronet-go/naiveproxy/src/chrome/build/pgo_profiles/
+            ~/cronet-go/naiveproxy/src/out/sysroot-build/
          key: chromium-toolchain-${{ matrix.arch }}-${{ matrix.variant }}-${{ hashFiles('.github/CRONET_GO_VERSION') }}
      - name: Download Chromium toolchain
        if: matrix.naive
@@ -236,6 +253,8 @@ jobs:
          GOARCH: ${{ matrix.arch }}
          GO386: ${{ matrix.go386 }}
          GOARM: ${{ matrix.goarm }}
+          GOMIPS: ${{ matrix.gomips }}
+          GOMIPS64: ${{ matrix.gomips }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Build (musl)
        if: matrix.variant == 'musl'
@@ -251,6 +270,8 @@ jobs:
          GOARCH: ${{ matrix.arch }}
          GO386: ${{ matrix.go386 }}
          GOARM: ${{ matrix.goarm }}
+          GOMIPS: ${{ matrix.gomips }}
+          GOMIPS64: ${{ matrix.gomips }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Build (non-variant)
        if: matrix.os != 'android' && matrix.variant == ''
@@ -352,7 +373,7 @@ jobs:
          sudo gem install fpm
          sudo apt-get update
          sudo apt-get install -y libarchive-tools
-          cp .fpm_systemd .fpm
+          cp .fpm_pacman .fpm
          fpm -t pacman \
            -v "$PKG_VERSION" \
            -p "dist/sing-box_${{ needs.calculate_version.outputs.version }}_${{ matrix.os }}_${{ matrix.pacman }}.pkg.tar.zst" \
@@ -571,7 +592,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.6
+          go-version: ~1.25.7
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
@@ -661,7 +682,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.6
+          go-version: ~1.25.7
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
@@ -760,7 +781,7 @@ jobs:
        if: matrix.if
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.6
+          go-version: ~1.25.7
      - name: Set tag
        if: matrix.if
        run: |-
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -29,10 +29,12 @@ jobs:
          - { arch: arm64, naive: true, docker_platform: "linux/arm64" }
          - { arch: "386", naive: true, docker_platform: "linux/386" }
          - { arch: arm, goarm: "7", naive: true, docker_platform: "linux/arm/v7" }
+          - { arch: mipsle, gomips: softfloat, naive: true, docker_platform: "linux/mipsle" }
+          - { arch: riscv64, naive: true, docker_platform: "linux/riscv64" }
+          - { arch: loong64, naive: true, docker_platform: "linux/loong64" }
          # Non-naive builds
          - { arch: arm, goarm: "6", docker_platform: "linux/arm/v6" }
          - { arch: ppc64le, docker_platform: "linux/ppc64le" }
-          - { arch: riscv64, docker_platform: "linux/riscv64" }
          - { arch: s390x, docker_platform: "linux/s390x" }
    steps:
      - name: Get commit to build
@@ -53,7 +55,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.4
+          go-version: ~1.25.7
      - name: Clone cronet-go
        if: matrix.naive
        run: |
@@ -64,14 +66,23 @@ jobs:
          git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
          git -C ~/cronet-go checkout FETCH_HEAD
          git -C ~/cronet-go submodule update --init --recursive --depth=1
+      - name: Regenerate Debian keyring
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          rm -f ~/cronet-go/naiveproxy/src/build/linux/sysroot_scripts/keyring.gpg
+          cd ~/cronet-go
+          GPG_TTY=/dev/null ./naiveproxy/src/build/linux/sysroot_scripts/generate_keyring.sh
      - name: Cache Chromium toolchain
        if: matrix.naive
        id: cache-chromium-toolchain
        uses: actions/cache@v4
        with:
          path: |
-            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
-            ~/cronet-go/naiveproxy/src/out/sysroot-build
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/
+            ~/cronet-go/naiveproxy/src/gn/out/
+            ~/cronet-go/naiveproxy/src/chrome/build/pgo_profiles/
+            ~/cronet-go/naiveproxy/src/out/sysroot-build/
          key: chromium-toolchain-${{ matrix.arch }}-musl-${{ hashFiles('.github/CRONET_GO_VERSION') }}
      - name: Download Chromium toolchain
        if: matrix.naive
@@ -110,6 +121,7 @@ jobs:
          GOOS: linux
          GOARCH: ${{ matrix.arch }}
          GOARM: ${{ matrix.goarm }}
+          GOMIPS: ${{ matrix.gomips }}
      - name: Build (non-naive)
        if: ${{ ! matrix.naive }}
        run: |
@@ -148,15 +160,17 @@ jobs:
    strategy:
      fail-fast: true
      matrix:
-        platform:
-          - linux/amd64
-          - linux/arm/v6
-          - linux/arm/v7
-          - linux/arm64
-          - linux/386
-          - linux/ppc64le
-          - linux/riscv64
-          - linux/s390x
+        include:
+          - { platform: "linux/amd64" }
+          - { platform: "linux/arm/v6" }
+          - { platform: "linux/arm/v7" }
+          - { platform: "linux/arm64" }
+          - { platform: "linux/386" }
+          # mipsle: no base Docker image available for this platform
+          - { platform: "linux/ppc64le" }
+          - { platform: "linux/riscv64" }
+          - { platform: "linux/s390x" }
+          - { platform: "linux/loong64", base_image: "ghcr.io/loong64/alpine:edge" }
    steps:
      - name: Get commit to build
        id: ref
@@ -209,6 +223,8 @@ jobs:
          platforms: ${{ matrix.platform }}
          context: .
          file: Dockerfile.binary
+          build-args: |
+            BASE_IMAGE=${{ matrix.base_image || 'alpine' }}
          labels: ${{ steps.meta.outputs.labels }}
          outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
      - name: Export digest
@@ -224,6 +240,7 @@ jobs:
          if-no-files-found: error
          retention-days: 1
  merge:
+    if: github.event_name != 'push'
    runs-on: ubuntu-latest
    needs:
      - build_docker
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -34,7 +34,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.6
+          go-version: ~1.25.7
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
@@ -61,14 +61,14 @@ jobs:
          - { os: linux, arch: arm64, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64 }
          - { os: linux, arch: "386", naive: true, debian: i386, rpm: i386 }
          - { os: linux, arch: arm, goarm: "7", naive: true, debian: armhf, rpm: armv7hl, pacman: armv7hl }
+          - { os: linux, arch: mipsle, gomips: softfloat, naive: true, debian: mipsel, rpm: mipsel }
+          - { os: linux, arch: riscv64, naive: true, debian: riscv64, rpm: riscv64 }
+          - { os: linux, arch: loong64, naive: true, debian: loongarch64, rpm: loongarch64 }
          # Non-naive builds (unsupported architectures)
          - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl }
          - { os: linux, arch: mips64le, debian: mips64el, rpm: mips64el }
-          - { os: linux, arch: mipsle, debian: mipsel, rpm: mipsel }
          - { os: linux, arch: s390x, debian: s390x, rpm: s390x }
          - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
-          - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64 }
-          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64 }
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
@@ -77,7 +77,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.6
+          go-version: ~1.25.7
      - name: Clone cronet-go
        if: matrix.naive
        run: |
@@ -88,14 +88,23 @@ jobs:
          git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
          git -C ~/cronet-go checkout FETCH_HEAD
          git -C ~/cronet-go submodule update --init --recursive --depth=1
+      - name: Regenerate Debian keyring
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          rm -f ~/cronet-go/naiveproxy/src/build/linux/sysroot_scripts/keyring.gpg
+          cd ~/cronet-go
+          GPG_TTY=/dev/null ./naiveproxy/src/build/linux/sysroot_scripts/generate_keyring.sh
      - name: Cache Chromium toolchain
        if: matrix.naive
        id: cache-chromium-toolchain
        uses: actions/cache@v4
        with:
          path: |
-            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
-            ~/cronet-go/naiveproxy/src/out/sysroot-build
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/
+            ~/cronet-go/naiveproxy/src/gn/out/
+            ~/cronet-go/naiveproxy/src/chrome/build/pgo_profiles/
+            ~/cronet-go/naiveproxy/src/out/sysroot-build/
          key: chromium-toolchain-${{ matrix.arch }}-musl-${{ hashFiles('.github/CRONET_GO_VERSION') }}
      - name: Download Chromium toolchain
        if: matrix.naive
@@ -134,6 +143,8 @@ jobs:
          GOOS: linux
          GOARCH: ${{ matrix.arch }}
          GOARM: ${{ matrix.goarm }}
+          GOMIPS: ${{ matrix.gomips }}
+          GOMIPS64: ${{ matrix.gomips }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Build (non-naive)
        if: ${{ ! matrix.naive }}
--- a/.gitignore
+++ b/.gitignore
@@ -12,6 +12,9 @@
 /*.jar
 /*.aar
 /*.xcframework/
+/experimental/libbox/*.aar
+/experimental/libbox/*.xcframework/
+/experimental/libbox/*.nupkg
 .DS_Store
 /config.d/
 /venv/
--- a/Dockerfile.binary
+++ b/Dockerfile.binary
@@ -1,8 +1,14 @@
-FROM alpine
+ARG BASE_IMAGE=alpine
+FROM ${BASE_IMAGE}
 ARG TARGETARCH
 ARG TARGETVARIANT
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 RUN set -ex \
-    && apk add --no-cache --upgrade bash tzdata ca-certificates nftables
+    && if command -v apk > /dev/null; then \
+        apk add --no-cache --upgrade bash tzdata ca-certificates nftables; \
+    else \
+        apt-get update && apt-get install -y --no-install-recommends bash tzdata ca-certificates nftables \
+        && rm -rf /var/lib/apt/lists/*; \
+    fi
 COPY sing-box-${TARGETARCH}${TARGETVARIANT} /usr/local/bin/sing-box
 ENTRYPOINT ["sing-box"]
--- a/23
+++ b/23
@@ -10,6 +10,8 @@ PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Versio
 MAIN_PARAMS = $(PARAMS) -tags "$(TAGS)"
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
+SING_FFI ?= sing-ffi
+LIBBOX_FFI_CONFIG ?= ./experimental/libbox/ffi.json

 .PHONY: test release docs build

@@ -206,7 +208,7 @@ update_apple_version:
 update_macos_version:
 	MACOS_PROJECT_VERSION=$(shell go run -v ./cmd/internal/app_store_connect next_macos_project_version) go run ./cmd/internal/update_apple_version

-release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_standalone
+release_apple: lib_apple update_apple_version release_ios release_macos release_tvos release_macos_standalone

 release_apple_beta: update_apple_version release_ios release_macos release_tvos

@@ -234,22 +236,21 @@ test_stdio:
 lib_android:
 	go run ./cmd/internal/build_libbox -target android

-lib_android_debug:
-	go run ./cmd/internal/build_libbox -target android -debug
-
 lib_apple:
 	go run ./cmd/internal/build_libbox -target apple

-lib_ios:
-	go run ./cmd/internal/build_libbox -target apple -platform ios -debug
+lib_windows:
+	$(SING_FFI) generate --config $(LIBBOX_FFI_CONFIG) --platform-type csharp

-lib:
-	go run ./cmd/internal/build_libbox -target android
-	go run ./cmd/internal/build_libbox -target ios
+lib_android_new:
+	$(SING_FFI) generate --config $(LIBBOX_FFI_CONFIG) --platform-type android
+
+lib_apple_new:
+	$(SING_FFI) generate --config $(LIBBOX_FFI_CONFIG) --platform-type apple

 lib_install:
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.11
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.11
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.12
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.12

 docs:
 	venv/bin/mkdocs serve
--- a/adapter/connections.go
+++ b/adapter/connections.go
@@ -9,6 +9,10 @@ import (

 type ConnectionManager interface {
 	Lifecycle
+	Count() int
+	CloseAll()
+	TrackConn(conn net.Conn) net.Conn
+	TrackPacketConn(conn net.PacketConn) net.PacketConn
 	NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata InboundContext, onClose N.CloseHandlerFunc)
 	NewPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn, metadata InboundContext, onClose N.CloseHandlerFunc)
 }
--- a/adapter/experimental.go
+++ b/adapter/experimental.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/binary"
+	"io"
 	"time"

 	"github.com/sagernet/sing/common/observable"
@@ -68,7 +69,11 @@ func (s *SavedBinary) MarshalBinary() ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	err = varbin.Write(&buffer, binary.BigEndian, s.Content)
+	_, err = varbin.WriteUvarint(&buffer, uint64(len(s.Content)))
+	if err != nil {
+		return nil, err
+	}
+	_, err = buffer.Write(s.Content)
 	if err != nil {
 		return nil, err
 	}
@@ -76,7 +81,11 @@ func (s *SavedBinary) MarshalBinary() ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	err = varbin.Write(&buffer, binary.BigEndian, s.LastEtag)
+	_, err = varbin.WriteUvarint(&buffer, uint64(len(s.LastEtag)))
+	if err != nil {
+		return nil, err
+	}
+	_, err = buffer.WriteString(s.LastEtag)
 	if err != nil {
 		return nil, err
 	}
@@ -90,7 +99,12 @@ func (s *SavedBinary) UnmarshalBinary(data []byte) error {
 	if err != nil {
 		return err
 	}
-	err = varbin.Read(reader, binary.BigEndian, &s.Content)
+	contentLength, err := binary.ReadUvarint(reader)
+	if err != nil {
+		return err
+	}
+	s.Content = make([]byte, contentLength)
+	_, err = io.ReadFull(reader, s.Content)
 	if err != nil {
 		return err
 	}
@@ -100,10 +114,16 @@ func (s *SavedBinary) UnmarshalBinary(data []byte) error {
 		return err
 	}
 	s.LastUpdated = time.Unix(lastUpdated, 0)
-	err = varbin.Read(reader, binary.BigEndian, &s.LastEtag)
+	etagLength, err := binary.ReadUvarint(reader)
 	if err != nil {
 		return err
 	}
+	etagBytes := make([]byte, etagLength)
+	_, err = io.ReadFull(reader, etagBytes)
+	if err != nil {
+		return err
+	}
+	s.LastEtag = string(etagBytes)
 	return nil
 }

--- a/box.go
+++ b/box.go
@@ -125,7 +125,10 @@ func New(options Options) (*Box, error) {

 	ctx = pause.WithDefaultManager(ctx)
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
-	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
+	err := applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
+	if err != nil {
+		return nil, err
+	}
 	var needCacheFile bool
 	var needClashAPI bool
 	var needV2RayAPI bool
--- a/clients/android
+++ b/clients/android
--- a/clients/apple
+++ b/clients/apple
--- a/cmd/internal/build_libbox/main.go
+++ b/cmd/internal/build_libbox/main.go
@@ -17,17 +17,17 @@ import (
 )

 var (
-	debugEnabled  bool
-	target        string
-	platform      string
-	withTailscale bool
+	debugEnabled bool
+	target       string
+	platform     string
+	// withTailscale bool
 )

 func init() {
 	flag.BoolVar(&debugEnabled, "debug", false, "enable debug")
 	flag.StringVar(&target, "target", "android", "target platform")
 	flag.StringVar(&platform, "platform", "", "specify platform")
-	flag.BoolVar(&withTailscale, "with-tailscale", false, "build tailscale for iOS and tvOS")
+	// flag.BoolVar(&withTailscale, "with-tailscale", false, "build tailscale for iOS and tvOS")
 }

 func main() {
@@ -48,7 +48,7 @@ var (
 	debugFlags  []string
 	sharedTags  []string
 	darwinTags  []string
-	memcTags    []string
+	// memcTags    []string
 	notMemcTags []string
 	debugTags   []string
 )
@@ -63,9 +63,10 @@ func init() {
 	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid=  -checklinkname=0")
 	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0")

-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_naive_outbound", "with_clash_api", "with_conntrack", "badlinkname", "tfogo_checklinkname0")
-	darwinTags = append(darwinTags, "with_dhcp")
-	memcTags = append(memcTags, "with_tailscale")
+	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_naive_outbound", "with_clash_api", "badlinkname", "tfogo_checklinkname0")
+	darwinTags = append(darwinTags, "with_dhcp", "grpcnotrace")
+	// memcTags = append(memcTags, "with_tailscale")
+	sharedTags = append(sharedTags, "with_tailscale", "ts_omit_logtail", "ts_omit_ssh", "ts_omit_drive", "ts_omit_taildrop", "ts_omit_webclient", "ts_omit_doctor", "ts_omit_capture", "ts_omit_kube", "ts_omit_aws", "ts_omit_synology", "ts_omit_bird")
 	notMemcTags = append(notMemcTags, "with_low_memory")
 	debugTags = append(debugTags, "debug")
 }
@@ -164,7 +165,7 @@ func buildAndroid() {

 	// Build main variant (SDK 23)
 	mainTags := append([]string{}, sharedTags...)
-	mainTags = append(mainTags, memcTags...)
+	// mainTags = append(mainTags, memcTags...)
 	if debugEnabled {
 		mainTags = append(mainTags, debugTags...)
 	}
@@ -176,7 +177,7 @@ func buildAndroid() {

 	// Build legacy variant (SDK 21, no naive outbound)
 	legacyTags := filterTags(sharedTags, "with_naive_outbound")
-	legacyTags = append(legacyTags, memcTags...)
+	// legacyTags = append(legacyTags, memcTags...)
 	if debugEnabled {
 		legacyTags = append(legacyTags, debugTags...)
 	}
@@ -204,9 +205,9 @@ func buildApple() {
 		"-libname=box",
 		"-tags-not-macos=with_low_memory",
 	}
-	if !withTailscale {
-		args = append(args, "-tags-macos="+strings.Join(memcTags, ","))
-	}
+	//if !withTailscale {
+	//	args = append(args, "-tags-macos="+strings.Join(memcTags, ","))
+	//}

 	if !debugEnabled {
 		args = append(args, sharedFlags...)
@@ -215,9 +216,9 @@ func buildApple() {
 	}

 	tags := append(sharedTags, darwinTags...)
-	if withTailscale {
-		tags = append(tags, memcTags...)
-	}
+	//if withTailscale {
+	//	tags = append(tags, memcTags...)
+	//}
 	if debugEnabled {
 		tags = append(tags, debugTags...)
 	}
--- a/cmd/internal/update_apple_version/main.go
+++ b/cmd/internal/update_apple_version/main.go
@@ -71,12 +71,12 @@ func findAndReplace(objectsMap map[string]any, projectContent string, bundleIDLi
 		indexEnd := indexStart + strings.Index(projectContent[indexStart:], "}")
 		versionStart := indexStart + strings.Index(projectContent[indexStart:indexEnd], "MARKETING_VERSION = ") + 20
 		versionEnd := versionStart + strings.Index(projectContent[versionStart:indexEnd], ";")
-		version := projectContent[versionStart:versionEnd]
+		version := strings.Trim(projectContent[versionStart:versionEnd], "\"")
 		if version == newVersion {
 			continue
 		}
 		updated = true
-		projectContent = projectContent[:versionStart] + newVersion + projectContent[versionEnd:]
+		projectContent = projectContent[:versionStart] + "\"" + newVersion + "\"" + projectContent[versionEnd:]
 	}
 	return projectContent, updated
 }
--- a/common/conntrack/conn.go
+++ b/common/conntrack/conn.go
@@ -1,54 +0,0 @@
-package conntrack
-
-import (
-	"io"
-	"net"
-
-	"github.com/sagernet/sing/common/x/list"
-)
-
-type Conn struct {
-	net.Conn
-	element *list.Element[io.Closer]
-}
-
-func NewConn(conn net.Conn) (net.Conn, error) {
-	connAccess.Lock()
-	element := openConnection.PushBack(conn)
-	connAccess.Unlock()
-	if KillerEnabled {
-		err := KillerCheck()
-		if err != nil {
-			conn.Close()
-			return nil, err
-		}
-	}
-	return &Conn{
-		Conn:    conn,
-		element: element,
-	}, nil
-}
-
-func (c *Conn) Close() error {
-	if c.element.Value != nil {
-		connAccess.Lock()
-		if c.element.Value != nil {
-			openConnection.Remove(c.element)
-			c.element.Value = nil
-		}
-		connAccess.Unlock()
-	}
-	return c.Conn.Close()
-}
-
-func (c *Conn) Upstream() any {
-	return c.Conn
-}
-
-func (c *Conn) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *Conn) WriterReplaceable() bool {
-	return true
-}
--- a/common/conntrack/killer.go
+++ b/common/conntrack/killer.go
@@ -1,35 +0,0 @@
-package conntrack
-
-import (
-	runtimeDebug "runtime/debug"
-	"time"
-
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/memory"
-)
-
-var (
-	KillerEnabled   bool
-	MemoryLimit     uint64
-	killerLastCheck time.Time
-)
-
-func KillerCheck() error {
-	if !KillerEnabled {
-		return nil
-	}
-	nowTime := time.Now()
-	if nowTime.Sub(killerLastCheck) < 3*time.Second {
-		return nil
-	}
-	killerLastCheck = nowTime
-	if memory.Total() > MemoryLimit {
-		Close()
-		go func() {
-			time.Sleep(time.Second)
-			runtimeDebug.FreeOSMemory()
-		}()
-		return E.New("out of memory")
-	}
-	return nil
-}
--- a/common/conntrack/packet_conn.go
+++ b/common/conntrack/packet_conn.go
@@ -1,55 +0,0 @@
-package conntrack
-
-import (
-	"io"
-	"net"
-
-	"github.com/sagernet/sing/common/bufio"
-	"github.com/sagernet/sing/common/x/list"
-)
-
-type PacketConn struct {
-	net.PacketConn
-	element *list.Element[io.Closer]
-}
-
-func NewPacketConn(conn net.PacketConn) (net.PacketConn, error) {
-	connAccess.Lock()
-	element := openConnection.PushBack(conn)
-	connAccess.Unlock()
-	if KillerEnabled {
-		err := KillerCheck()
-		if err != nil {
-			conn.Close()
-			return nil, err
-		}
-	}
-	return &PacketConn{
-		PacketConn: conn,
-		element:    element,
-	}, nil
-}
-
-func (c *PacketConn) Close() error {
-	if c.element.Value != nil {
-		connAccess.Lock()
-		if c.element.Value != nil {
-			openConnection.Remove(c.element)
-			c.element.Value = nil
-		}
-		connAccess.Unlock()
-	}
-	return c.PacketConn.Close()
-}
-
-func (c *PacketConn) Upstream() any {
-	return bufio.NewPacketConn(c.PacketConn)
-}
-
-func (c *PacketConn) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *PacketConn) WriterReplaceable() bool {
-	return true
-}
--- a/common/conntrack/track.go
+++ b/common/conntrack/track.go
@@ -1,47 +0,0 @@
-package conntrack
-
-import (
-	"io"
-	"sync"
-
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/x/list"
-)
-
-var (
-	connAccess     sync.RWMutex
-	openConnection list.List[io.Closer]
-)
-
-func Count() int {
-	if !Enabled {
-		return 0
-	}
-	return openConnection.Len()
-}
-
-func List() []io.Closer {
-	if !Enabled {
-		return nil
-	}
-	connAccess.RLock()
-	defer connAccess.RUnlock()
-	connList := make([]io.Closer, 0, openConnection.Len())
-	for element := openConnection.Front(); element != nil; element = element.Next() {
-		connList = append(connList, element.Value)
-	}
-	return connList
-}
-
-func Close() {
-	if !Enabled {
-		return
-	}
-	connAccess.Lock()
-	defer connAccess.Unlock()
-	for element := openConnection.Front(); element != nil; element = element.Next() {
-		common.Close(element.Value)
-		element.Value = nil
-	}
-	openConnection.Init()
-}
--- a/common/conntrack/track_disable.go
+++ b/common/conntrack/track_disable.go
@@ -1,5 +0,0 @@
-//go:build !with_conntrack
-
-package conntrack
-
-const Enabled = false
--- a/common/conntrack/track_enable.go
+++ b/common/conntrack/track_enable.go
@@ -1,5 +0,0 @@
-//go:build with_conntrack
-
-package conntrack
-
-const Enabled = true
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -9,7 +9,6 @@ import (
 	"time"

 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/listener"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
@@ -37,6 +36,7 @@ type DefaultDialer struct {
 	udpAddr4               string
 	udpAddr6               string
 	netns                  string
+	connectionManager      adapter.ConnectionManager
 	networkManager         adapter.NetworkManager
 	networkStrategy        *C.NetworkStrategy
 	defaultNetworkStrategy bool
@@ -47,6 +47,7 @@ type DefaultDialer struct {
 }

 func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDialer, error) {
+	connectionManager := service.FromContext[adapter.ConnectionManager](ctx)
 	networkManager := service.FromContext[adapter.NetworkManager](ctx)
 	platformInterface := service.FromContext[adapter.PlatformInterface](ctx)

@@ -89,7 +90,7 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial

 	if networkManager != nil {
 		defaultOptions := networkManager.DefaultOptions()
-		if defaultOptions.BindInterface != "" {
+		if defaultOptions.BindInterface != "" && !disableDefaultBind {
 			bindFunc := control.BindToInterface(networkManager.InterfaceFinder(), defaultOptions.BindInterface, -1)
 			dialer.Control = control.Append(dialer.Control, bindFunc)
 			listener.Control = control.Append(listener.Control, bindFunc)
@@ -157,8 +158,11 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		if keepInterval == 0 {
 			keepInterval = C.TCPKeepAliveInterval
 		}
-		dialer.KeepAlive = keepIdle
-		dialer.Control = control.Append(dialer.Control, control.SetKeepAlivePeriod(keepIdle, keepInterval))
+		dialer.KeepAliveConfig = net.KeepAliveConfig{
+			Enable:   true,
+			Idle:     keepIdle,
+			Interval: keepInterval,
+		}
 	}
 	var udpFragment bool
 	if options.UDPFragment != nil {
@@ -206,6 +210,7 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		udpAddr4:               udpAddr4,
 		udpAddr6:               udpAddr6,
 		netns:                  options.NetNs,
+		connectionManager:      connectionManager,
 		networkManager:         networkManager,
 		networkStrategy:        networkStrategy,
 		defaultNetworkStrategy: defaultNetworkStrategy,
@@ -238,7 +243,7 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 		return nil, E.New("domain not resolved")
 	}
 	if d.networkStrategy == nil {
-		return trackConn(listener.ListenNetworkNamespace[net.Conn](d.netns, func() (net.Conn, error) {
+		return d.trackConn(listener.ListenNetworkNamespace[net.Conn](d.netns, func() (net.Conn, error) {
 			switch N.NetworkName(network) {
 			case N.NetworkUDP:
 				if !address.IsIPv6() {
@@ -303,12 +308,12 @@ func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network strin
 	if !fastFallback && !isPrimary {
 		d.networkLastFallback.Store(time.Now())
 	}
-	return trackConn(conn, nil)
+	return d.trackConn(conn, nil)
 }

 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	if d.networkStrategy == nil {
-		return trackPacketConn(listener.ListenNetworkNamespace[net.PacketConn](d.netns, func() (net.PacketConn, error) {
+		return d.trackPacketConn(listener.ListenNetworkNamespace[net.PacketConn](d.netns, func() (net.PacketConn, error) {
 			if destination.IsIPv6() {
 				return d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6)
 			} else if destination.IsIPv4() && !destination.Addr.IsUnspecified() {
@@ -360,23 +365,23 @@ func (d *DefaultDialer) ListenSerialInterfacePacket(ctx context.Context, destina
 			return nil, err
 		}
 	}
-	return trackPacketConn(packetConn, nil)
+	return d.trackPacketConn(packetConn, nil)
 }

 func (d *DefaultDialer) WireGuardControl() control.Func {
 	return d.udpListener.Control
 }

-func trackConn(conn net.Conn, err error) (net.Conn, error) {
-	if !conntrack.Enabled || err != nil {
+func (d *DefaultDialer) trackConn(conn net.Conn, err error) (net.Conn, error) {
+	if d.connectionManager == nil || err != nil {
 		return conn, err
 	}
-	return conntrack.NewConn(conn)
+	return d.connectionManager.TrackConn(conn), nil
 }

-func trackPacketConn(conn net.PacketConn, err error) (net.PacketConn, error) {
-	if !conntrack.Enabled || err != nil {
+func (d *DefaultDialer) trackPacketConn(conn net.PacketConn, err error) (net.PacketConn, error) {
+	if d.connectionManager == nil || err != nil {
 		return conn, err
 	}
-	return conntrack.NewPacketConn(conn)
+	return d.connectionManager.TrackPacketConn(conn), nil
 }
--- a/common/geosite/compat_test.go
+++ b/common/geosite/compat_test.go
@@ -0,0 +1,234 @@
+package geosite
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/binary"
+	"strings"
+	"testing"
+
+	"github.com/sagernet/sing/common/varbin"
+
+	"github.com/stretchr/testify/require"
+)
+
+// Old implementation using varbin reflection-based serialization
+
+func oldWriteString(writer varbin.Writer, value string) error {
+	//nolint:staticcheck
+	return varbin.Write(writer, binary.BigEndian, value)
+}
+
+func oldWriteItem(writer varbin.Writer, item Item) error {
+	//nolint:staticcheck
+	return varbin.Write(writer, binary.BigEndian, item)
+}
+
+func oldReadString(reader varbin.Reader) (string, error) {
+	//nolint:staticcheck
+	return varbin.ReadValue[string](reader, binary.BigEndian)
+}
+
+func oldReadItem(reader varbin.Reader) (Item, error) {
+	//nolint:staticcheck
+	return varbin.ReadValue[Item](reader, binary.BigEndian)
+}
+
+func TestStringCompat(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name  string
+		input string
+	}{
+		{"empty", ""},
+		{"single_char", "a"},
+		{"ascii", "example.com"},
+		{"utf8", "测试域名.中国"},
+		{"special_chars", "\x00\xff\n\t"},
+		{"127_bytes", strings.Repeat("x", 127)},
+		{"128_bytes", strings.Repeat("x", 128)},
+		{"16383_bytes", strings.Repeat("x", 16383)},
+		{"16384_bytes", strings.Repeat("x", 16384)},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Old write
+			var oldBuf bytes.Buffer
+			err := oldWriteString(&oldBuf, tc.input)
+			require.NoError(t, err)
+
+			// New write
+			var newBuf bytes.Buffer
+			err = writeString(&newBuf, tc.input)
+			require.NoError(t, err)
+
+			// Bytes must match
+			require.Equal(t, oldBuf.Bytes(), newBuf.Bytes(),
+				"mismatch for %q\nold: %x\nnew: %x", tc.name, oldBuf.Bytes(), newBuf.Bytes())
+
+			// New write -> old read
+			readBack, err := oldReadString(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			require.Equal(t, tc.input, readBack)
+
+			// Old write -> new read
+			readBack2, err := readString(bufio.NewReader(bytes.NewReader(oldBuf.Bytes())))
+			require.NoError(t, err)
+			require.Equal(t, tc.input, readBack2)
+		})
+	}
+}
+
+func TestItemCompat(t *testing.T) {
+	t.Parallel()
+
+	// Note: varbin.Write has a bug where struct values (not pointers) don't write their fields
+	// because field.CanSet() returns false for non-addressable values.
+	// The old geosite code passed Item values to varbin.Write, which silently wrote nothing.
+	// The new code correctly writes Type + Value using manual serialization.
+	// This test verifies the new serialization format and round-trip correctness.
+
+	cases := []struct {
+		name  string
+		input Item
+	}{
+		{"domain_empty", Item{Type: RuleTypeDomain, Value: ""}},
+		{"domain_normal", Item{Type: RuleTypeDomain, Value: "example.com"}},
+		{"domain_suffix", Item{Type: RuleTypeDomainSuffix, Value: ".example.com"}},
+		{"domain_keyword", Item{Type: RuleTypeDomainKeyword, Value: "google"}},
+		{"domain_regex", Item{Type: RuleTypeDomainRegex, Value: `^.*\.example\.com$`}},
+		{"utf8_domain", Item{Type: RuleTypeDomain, Value: "测试.com"}},
+		{"long_domain", Item{Type: RuleTypeDomainSuffix, Value: strings.Repeat("a", 200) + ".com"}},
+		{"128_bytes_value", Item{Type: RuleTypeDomain, Value: strings.Repeat("x", 128)}},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// New write
+			var newBuf bytes.Buffer
+			err := newBuf.WriteByte(byte(tc.input.Type))
+			require.NoError(t, err)
+			err = writeString(&newBuf, tc.input.Value)
+			require.NoError(t, err)
+
+			// Verify format: Type (1 byte) + Value (uvarint len + bytes)
+			require.True(t, len(newBuf.Bytes()) >= 1, "output too short")
+			require.Equal(t, byte(tc.input.Type), newBuf.Bytes()[0], "type byte mismatch")
+
+			// New write -> old read (varbin can read correctly when given addressable target)
+			readBack, err := oldReadItem(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			require.Equal(t, tc.input, readBack)
+
+			// New write -> new read
+			reader := bufio.NewReader(bytes.NewReader(newBuf.Bytes()))
+			typeByte, err := reader.ReadByte()
+			require.NoError(t, err)
+			value, err := readString(reader)
+			require.NoError(t, err)
+			require.Equal(t, tc.input, Item{Type: ItemType(typeByte), Value: value})
+		})
+	}
+}
+
+func TestGeositeWriteReadCompat(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name  string
+		input map[string][]Item
+	}{
+		{
+			"empty_map",
+			map[string][]Item{},
+		},
+		{
+			"single_code_empty_items",
+			map[string][]Item{"test": {}},
+		},
+		{
+			"single_code_single_item",
+			map[string][]Item{"test": {{Type: RuleTypeDomain, Value: "a.com"}}},
+		},
+		{
+			"single_code_multi_items",
+			map[string][]Item{
+				"test": {
+					{Type: RuleTypeDomain, Value: "a.com"},
+					{Type: RuleTypeDomainSuffix, Value: ".b.com"},
+					{Type: RuleTypeDomainKeyword, Value: "keyword"},
+					{Type: RuleTypeDomainRegex, Value: `^.*$`},
+				},
+			},
+		},
+		{
+			"multi_code",
+			map[string][]Item{
+				"cn": {{Type: RuleTypeDomain, Value: "baidu.com"}, {Type: RuleTypeDomainSuffix, Value: ".cn"}},
+				"us": {{Type: RuleTypeDomain, Value: "google.com"}},
+				"jp": {{Type: RuleTypeDomainSuffix, Value: ".jp"}},
+			},
+		},
+		{
+			"utf8_values",
+			map[string][]Item{
+				"test": {
+					{Type: RuleTypeDomain, Value: "测试.中国"},
+					{Type: RuleTypeDomainSuffix, Value: ".テスト"},
+				},
+			},
+		},
+		{
+			"large_items",
+			generateLargeItems(1000),
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Write using new implementation
+			var buf bytes.Buffer
+			err := Write(&buf, tc.input)
+			require.NoError(t, err)
+
+			// Read back and verify
+			reader, codes, err := NewReader(bytes.NewReader(buf.Bytes()))
+			require.NoError(t, err)
+
+			// Verify all codes exist
+			codeSet := make(map[string]bool)
+			for _, code := range codes {
+				codeSet[code] = true
+			}
+			for code := range tc.input {
+				require.True(t, codeSet[code], "missing code: %s", code)
+			}
+
+			// Verify items match
+			for code, expectedItems := range tc.input {
+				items, err := reader.Read(code)
+				require.NoError(t, err)
+				require.Equal(t, expectedItems, items, "items mismatch for code: %s", code)
+			}
+		})
+	}
+}
+
+func generateLargeItems(count int) map[string][]Item {
+	items := make([]Item, count)
+	for i := 0; i < count; i++ {
+		items[i] = Item{
+			Type:  ItemType(i % 4),
+			Value: strings.Repeat("x", i%200) + ".com",
+		}
+	}
+	return map[string][]Item{"large": items}
+}
--- a/common/geosite/reader.go
+++ b/common/geosite/reader.go
@@ -9,7 +9,6 @@ import (
 	"sync/atomic"

 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/varbin"
 )

 type Reader struct {
@@ -78,7 +77,7 @@ func (r *Reader) readMetadata() error {
 			codeIndex  uint64
 			codeLength uint64
 		)
-		code, err = varbin.ReadValue[string](reader, binary.BigEndian)
+		code, err = readString(reader)
 		if err != nil {
 			return err
 		}
@@ -112,9 +111,16 @@ func (r *Reader) Read(code string) ([]Item, error) {
 	}
 	r.bufferedReader.Reset(r.reader)
 	itemList := make([]Item, r.domainLength[code])
-	err = varbin.Read(r.bufferedReader, binary.BigEndian, &itemList)
-	if err != nil {
-		return nil, err
+	for i := range itemList {
+		typeByte, err := r.bufferedReader.ReadByte()
+		if err != nil {
+			return nil, err
+		}
+		itemList[i].Type = ItemType(typeByte)
+		itemList[i].Value, err = readString(r.bufferedReader)
+		if err != nil {
+			return nil, err
+		}
 	}
 	return itemList, nil
 }
@@ -135,3 +141,18 @@ func (r *readCounter) Read(p []byte) (n int, err error) {
 	}
 	return
 }
+
+func readString(reader io.ByteReader) (string, error) {
+	length, err := binary.ReadUvarint(reader)
+	if err != nil {
+		return "", err
+	}
+	bytes := make([]byte, length)
+	for i := range bytes {
+		bytes[i], err = reader.ReadByte()
+		if err != nil {
+			return "", err
+		}
+	}
+	return string(bytes), nil
+}
--- a/common/geosite/writer.go
+++ b/common/geosite/writer.go
@@ -2,7 +2,6 @@ package geosite

 import (
 	"bytes"
-	"encoding/binary"
 	"sort"

 	"github.com/sagernet/sing/common/varbin"
@@ -20,7 +19,11 @@ func Write(writer varbin.Writer, domains map[string][]Item) error {
 	for _, code := range keys {
 		index[code] = content.Len()
 		for _, item := range domains[code] {
-			err := varbin.Write(content, binary.BigEndian, item)
+			err := content.WriteByte(byte(item.Type))
+			if err != nil {
+				return err
+			}
+			err = writeString(content, item.Value)
 			if err != nil {
 				return err
 			}
@@ -38,7 +41,7 @@ func Write(writer varbin.Writer, domains map[string][]Item) error {
 	}

 	for _, code := range keys {
-		err = varbin.Write(writer, binary.BigEndian, code)
+		err = writeString(writer, code)
 		if err != nil {
 			return err
 		}
@@ -59,3 +62,12 @@ func Write(writer varbin.Writer, domains map[string][]Item) error {

 	return nil
 }
+
+func writeString(writer varbin.Writer, value string) error {
+	_, err := varbin.WriteUvarint(writer, uint64(len(value)))
+	if err != nil {
+		return err
+	}
+	_, err = writer.Write([]byte(value))
+	return err
+}
--- a/common/srs/binary.go
+++ b/common/srs/binary.go
@@ -6,6 +6,7 @@ import (
 	"encoding/binary"
 	"io"
 	"net/netip"
+	"unsafe"

 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
@@ -505,7 +506,24 @@ func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, gen
 }

 func readRuleItemString(reader varbin.Reader) ([]string, error) {
-	return varbin.ReadValue[[]string](reader, binary.BigEndian)
+	length, err := binary.ReadUvarint(reader)
+	if err != nil {
+		return nil, err
+	}
+	result := make([]string, length)
+	for i := range result {
+		strLen, err := binary.ReadUvarint(reader)
+		if err != nil {
+			return nil, err
+		}
+		buf := make([]byte, strLen)
+		_, err = io.ReadFull(reader, buf)
+		if err != nil {
+			return nil, err
+		}
+		result[i] = string(buf)
+	}
+	return result, nil
 }

 func writeRuleItemString(writer varbin.Writer, itemType uint8, value []string) error {
@@ -513,11 +531,34 @@ func writeRuleItemString(writer varbin.Writer, itemType uint8, value []string) e
 	if err != nil {
 		return err
 	}
-	return varbin.Write(writer, binary.BigEndian, value)
+	_, err = varbin.WriteUvarint(writer, uint64(len(value)))
+	if err != nil {
+		return err
+	}
+	for _, s := range value {
+		_, err = varbin.WriteUvarint(writer, uint64(len(s)))
+		if err != nil {
+			return err
+		}
+		_, err = writer.Write([]byte(s))
+		if err != nil {
+			return err
+		}
+	}
+	return nil
 }

 func readRuleItemUint8[E ~uint8](reader varbin.Reader) ([]E, error) {
-	return varbin.ReadValue[[]E](reader, binary.BigEndian)
+	length, err := binary.ReadUvarint(reader)
+	if err != nil {
+		return nil, err
+	}
+	result := make([]E, length)
+	_, err = io.ReadFull(reader, *(*[]byte)(unsafe.Pointer(&result)))
+	if err != nil {
+		return nil, err
+	}
+	return result, nil
 }

 func writeRuleItemUint8[E ~uint8](writer varbin.Writer, itemType uint8, value []E) error {
@@ -525,11 +566,25 @@ func writeRuleItemUint8[E ~uint8](writer varbin.Writer, itemType uint8, value []
 	if err != nil {
 		return err
 	}
-	return varbin.Write(writer, binary.BigEndian, value)
+	_, err = varbin.WriteUvarint(writer, uint64(len(value)))
+	if err != nil {
+		return err
+	}
+	_, err = writer.Write(*(*[]byte)(unsafe.Pointer(&value)))
+	return err
 }

 func readRuleItemUint16(reader varbin.Reader) ([]uint16, error) {
-	return varbin.ReadValue[[]uint16](reader, binary.BigEndian)
+	length, err := binary.ReadUvarint(reader)
+	if err != nil {
+		return nil, err
+	}
+	result := make([]uint16, length)
+	err = binary.Read(reader, binary.BigEndian, result)
+	if err != nil {
+		return nil, err
+	}
+	return result, nil
 }

 func writeRuleItemUint16(writer varbin.Writer, itemType uint8, value []uint16) error {
@@ -537,7 +592,11 @@ func writeRuleItemUint16(writer varbin.Writer, itemType uint8, value []uint16) e
 	if err != nil {
 		return err
 	}
-	return varbin.Write(writer, binary.BigEndian, value)
+	_, err = varbin.WriteUvarint(writer, uint64(len(value)))
+	if err != nil {
+		return err
+	}
+	return binary.Write(writer, binary.BigEndian, value)
 }

 func writeRuleItemCIDR(writer varbin.Writer, itemType uint8, value []string) error {
--- a/common/srs/compat_test.go
+++ b/common/srs/compat_test.go
@@ -0,0 +1,494 @@
+package srs
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/binary"
+	"net/netip"
+	"strings"
+	"testing"
+	"unsafe"
+
+	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing/common/varbin"
+
+	"github.com/stretchr/testify/require"
+	"go4.org/netipx"
+)
+
+// Old implementations using varbin reflection-based serialization
+
+func oldWriteStringSlice(writer varbin.Writer, value []string) error {
+	//nolint:staticcheck
+	return varbin.Write(writer, binary.BigEndian, value)
+}
+
+func oldReadStringSlice(reader varbin.Reader) ([]string, error) {
+	//nolint:staticcheck
+	return varbin.ReadValue[[]string](reader, binary.BigEndian)
+}
+
+func oldWriteUint8Slice[E ~uint8](writer varbin.Writer, value []E) error {
+	//nolint:staticcheck
+	return varbin.Write(writer, binary.BigEndian, value)
+}
+
+func oldReadUint8Slice[E ~uint8](reader varbin.Reader) ([]E, error) {
+	//nolint:staticcheck
+	return varbin.ReadValue[[]E](reader, binary.BigEndian)
+}
+
+func oldWriteUint16Slice(writer varbin.Writer, value []uint16) error {
+	//nolint:staticcheck
+	return varbin.Write(writer, binary.BigEndian, value)
+}
+
+func oldReadUint16Slice(reader varbin.Reader) ([]uint16, error) {
+	//nolint:staticcheck
+	return varbin.ReadValue[[]uint16](reader, binary.BigEndian)
+}
+
+func oldWritePrefix(writer varbin.Writer, prefix netip.Prefix) error {
+	//nolint:staticcheck
+	err := varbin.Write(writer, binary.BigEndian, prefix.Addr().AsSlice())
+	if err != nil {
+		return err
+	}
+	return binary.Write(writer, binary.BigEndian, uint8(prefix.Bits()))
+}
+
+type oldIPRangeData struct {
+	From []byte
+	To   []byte
+}
+
+// Note: The old writeIPSet had a bug where varbin.Write(writer, binary.BigEndian, data)
+// with a struct VALUE (not pointer) silently wrote nothing because field.CanSet() returned false.
+// This caused IP range data to be missing from the output.
+// The new implementation correctly writes all range data.
+//
+// The old readIPSet used varbin.Read with a pre-allocated slice, which worked because
+// slice elements are addressable and CanSet() returns true for them.
+//
+// For compatibility testing, we verify:
+// 1. New write produces correct output with range data
+// 2. New read can parse the new format correctly
+// 3. Round-trip works correctly
+
+func oldReadIPSet(reader varbin.Reader) (*netipx.IPSet, error) {
+	version, err := reader.ReadByte()
+	if err != nil {
+		return nil, err
+	}
+	if version != 1 {
+		return nil, err
+	}
+	var length uint64
+	err = binary.Read(reader, binary.BigEndian, &length)
+	if err != nil {
+		return nil, err
+	}
+	ranges := make([]oldIPRangeData, length)
+	//nolint:staticcheck
+	err = varbin.Read(reader, binary.BigEndian, &ranges)
+	if err != nil {
+		return nil, err
+	}
+	mySet := &myIPSet{
+		rr: make([]myIPRange, len(ranges)),
+	}
+	for i, rangeData := range ranges {
+		mySet.rr[i].from = M.AddrFromIP(rangeData.From)
+		mySet.rr[i].to = M.AddrFromIP(rangeData.To)
+	}
+	return (*netipx.IPSet)(unsafe.Pointer(mySet)), nil
+}
+
+// New write functions (without itemType prefix for testing)
+
+func newWriteStringSlice(writer varbin.Writer, value []string) error {
+	_, err := varbin.WriteUvarint(writer, uint64(len(value)))
+	if err != nil {
+		return err
+	}
+	for _, s := range value {
+		_, err = varbin.WriteUvarint(writer, uint64(len(s)))
+		if err != nil {
+			return err
+		}
+		_, err = writer.Write([]byte(s))
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func newWriteUint8Slice[E ~uint8](writer varbin.Writer, value []E) error {
+	_, err := varbin.WriteUvarint(writer, uint64(len(value)))
+	if err != nil {
+		return err
+	}
+	_, err = writer.Write(*(*[]byte)(unsafe.Pointer(&value)))
+	return err
+}
+
+func newWriteUint16Slice(writer varbin.Writer, value []uint16) error {
+	_, err := varbin.WriteUvarint(writer, uint64(len(value)))
+	if err != nil {
+		return err
+	}
+	return binary.Write(writer, binary.BigEndian, value)
+}
+
+func newWritePrefix(writer varbin.Writer, prefix netip.Prefix) error {
+	addrSlice := prefix.Addr().AsSlice()
+	_, err := varbin.WriteUvarint(writer, uint64(len(addrSlice)))
+	if err != nil {
+		return err
+	}
+	_, err = writer.Write(addrSlice)
+	if err != nil {
+		return err
+	}
+	return writer.WriteByte(uint8(prefix.Bits()))
+}
+
+// Tests
+
+func TestStringSliceCompat(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name  string
+		input []string
+	}{
+		{"nil", nil},
+		{"empty", []string{}},
+		{"single_empty", []string{""}},
+		{"single", []string{"test"}},
+		{"multi", []string{"a", "b", "c"}},
+		{"with_empty", []string{"a", "", "c"}},
+		{"utf8", []string{"测试", "テスト", "тест"}},
+		{"long_string", []string{strings.Repeat("x", 128)}},
+		{"many_elements", generateStrings(128)},
+		{"many_elements_256", generateStrings(256)},
+		{"127_byte_string", []string{strings.Repeat("x", 127)}},
+		{"128_byte_string", []string{strings.Repeat("x", 128)}},
+		{"mixed_lengths", []string{"a", strings.Repeat("b", 100), "", strings.Repeat("c", 200)}},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Old write
+			var oldBuf bytes.Buffer
+			err := oldWriteStringSlice(&oldBuf, tc.input)
+			require.NoError(t, err)
+
+			// New write
+			var newBuf bytes.Buffer
+			err = newWriteStringSlice(&newBuf, tc.input)
+			require.NoError(t, err)
+
+			// Bytes must match
+			require.Equal(t, oldBuf.Bytes(), newBuf.Bytes(),
+				"mismatch for %q\nold: %x\nnew: %x", tc.name, oldBuf.Bytes(), newBuf.Bytes())
+
+			// New write -> old read
+			readBack, err := oldReadStringSlice(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			requireStringSliceEqual(t, tc.input, readBack)
+
+			// Old write -> new read
+			readBack2, err := readRuleItemString(bufio.NewReader(bytes.NewReader(oldBuf.Bytes())))
+			require.NoError(t, err)
+			requireStringSliceEqual(t, tc.input, readBack2)
+		})
+	}
+}
+
+func TestUint8SliceCompat(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name  string
+		input []uint8
+	}{
+		{"nil", nil},
+		{"empty", []uint8{}},
+		{"single_zero", []uint8{0}},
+		{"single_max", []uint8{255}},
+		{"multi", []uint8{0, 1, 127, 128, 255}},
+		{"boundary", []uint8{0x00, 0x7f, 0x80, 0xff}},
+		{"sequential", generateUint8Slice(256)},
+		{"127_elements", generateUint8Slice(127)},
+		{"128_elements", generateUint8Slice(128)},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Old write
+			var oldBuf bytes.Buffer
+			err := oldWriteUint8Slice(&oldBuf, tc.input)
+			require.NoError(t, err)
+
+			// New write
+			var newBuf bytes.Buffer
+			err = newWriteUint8Slice(&newBuf, tc.input)
+			require.NoError(t, err)
+
+			// Bytes must match
+			require.Equal(t, oldBuf.Bytes(), newBuf.Bytes(),
+				"mismatch for %q\nold: %x\nnew: %x", tc.name, oldBuf.Bytes(), newBuf.Bytes())
+
+			// New write -> old read
+			readBack, err := oldReadUint8Slice[uint8](bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			requireUint8SliceEqual(t, tc.input, readBack)
+
+			// Old write -> new read
+			readBack2, err := readRuleItemUint8[uint8](bufio.NewReader(bytes.NewReader(oldBuf.Bytes())))
+			require.NoError(t, err)
+			requireUint8SliceEqual(t, tc.input, readBack2)
+		})
+	}
+}
+
+func TestUint16SliceCompat(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name  string
+		input []uint16
+	}{
+		{"nil", nil},
+		{"empty", []uint16{}},
+		{"single_zero", []uint16{0}},
+		{"single_max", []uint16{65535}},
+		{"multi", []uint16{0, 255, 256, 32767, 32768, 65535}},
+		{"ports", []uint16{80, 443, 8080, 8443}},
+		{"127_elements", generateUint16Slice(127)},
+		{"128_elements", generateUint16Slice(128)},
+		{"256_elements", generateUint16Slice(256)},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Old write
+			var oldBuf bytes.Buffer
+			err := oldWriteUint16Slice(&oldBuf, tc.input)
+			require.NoError(t, err)
+
+			// New write
+			var newBuf bytes.Buffer
+			err = newWriteUint16Slice(&newBuf, tc.input)
+			require.NoError(t, err)
+
+			// Bytes must match
+			require.Equal(t, oldBuf.Bytes(), newBuf.Bytes(),
+				"mismatch for %q\nold: %x\nnew: %x", tc.name, oldBuf.Bytes(), newBuf.Bytes())
+
+			// New write -> old read
+			readBack, err := oldReadUint16Slice(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			requireUint16SliceEqual(t, tc.input, readBack)
+
+			// Old write -> new read
+			readBack2, err := readRuleItemUint16(bufio.NewReader(bytes.NewReader(oldBuf.Bytes())))
+			require.NoError(t, err)
+			requireUint16SliceEqual(t, tc.input, readBack2)
+		})
+	}
+}
+
+func TestPrefixCompat(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name  string
+		input netip.Prefix
+	}{
+		{"ipv4_0", netip.MustParsePrefix("0.0.0.0/0")},
+		{"ipv4_8", netip.MustParsePrefix("10.0.0.0/8")},
+		{"ipv4_16", netip.MustParsePrefix("192.168.0.0/16")},
+		{"ipv4_24", netip.MustParsePrefix("192.168.1.0/24")},
+		{"ipv4_32", netip.MustParsePrefix("1.2.3.4/32")},
+		{"ipv6_0", netip.MustParsePrefix("::/0")},
+		{"ipv6_64", netip.MustParsePrefix("2001:db8::/64")},
+		{"ipv6_128", netip.MustParsePrefix("::1/128")},
+		{"ipv6_full", netip.MustParsePrefix("2001:0db8:85a3:0000:0000:8a2e:0370:7334/128")},
+		{"ipv4_private", netip.MustParsePrefix("172.16.0.0/12")},
+		{"ipv6_link_local", netip.MustParsePrefix("fe80::/10")},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Old write
+			var oldBuf bytes.Buffer
+			err := oldWritePrefix(&oldBuf, tc.input)
+			require.NoError(t, err)
+
+			// New write
+			var newBuf bytes.Buffer
+			err = newWritePrefix(&newBuf, tc.input)
+			require.NoError(t, err)
+
+			// Bytes must match
+			require.Equal(t, oldBuf.Bytes(), newBuf.Bytes(),
+				"mismatch for %q\nold: %x\nnew: %x", tc.name, oldBuf.Bytes(), newBuf.Bytes())
+
+			// New write -> new read (no old read for prefix)
+			readBack, err := readPrefix(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			require.Equal(t, tc.input, readBack)
+
+			// Old write -> new read
+			readBack2, err := readPrefix(bufio.NewReader(bytes.NewReader(oldBuf.Bytes())))
+			require.NoError(t, err)
+			require.Equal(t, tc.input, readBack2)
+		})
+	}
+}
+
+func TestIPSetCompat(t *testing.T) {
+	t.Parallel()
+
+	// Note: The old writeIPSet was buggy (varbin.Write with struct values wrote nothing).
+	// This test verifies the new implementation writes correct data and round-trips correctly.
+
+	cases := []struct {
+		name  string
+		input *netipx.IPSet
+	}{
+		{"single_ipv4", buildIPSet("1.2.3.4")},
+		{"ipv4_range", buildIPSet("192.168.0.0/16")},
+		{"multi_ipv4", buildIPSet("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")},
+		{"single_ipv6", buildIPSet("::1")},
+		{"ipv6_range", buildIPSet("2001:db8::/32")},
+		{"mixed", buildIPSet("10.0.0.0/8", "::1", "2001:db8::/32")},
+		{"large", buildLargeIPSet(100)},
+		{"adjacent_ranges", buildIPSet("192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24")},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// New write
+			var newBuf bytes.Buffer
+			err := writeIPSet(&newBuf, tc.input)
+			require.NoError(t, err)
+
+			// Verify format starts with version byte (1) + uint64 count
+			require.True(t, len(newBuf.Bytes()) >= 9, "output too short")
+			require.Equal(t, byte(1), newBuf.Bytes()[0], "version byte mismatch")
+
+			// New write -> old read (varbin.Read with pre-allocated slice works correctly)
+			readBack, err := oldReadIPSet(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			requireIPSetEqual(t, tc.input, readBack)
+
+			// New write -> new read
+			readBack2, err := readIPSet(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			requireIPSetEqual(t, tc.input, readBack2)
+		})
+	}
+}
+
+// Helper functions
+
+func generateStrings(count int) []string {
+	result := make([]string, count)
+	for i := range result {
+		result[i] = strings.Repeat("x", i%50)
+	}
+	return result
+}
+
+func generateUint8Slice(count int) []uint8 {
+	result := make([]uint8, count)
+	for i := range result {
+		result[i] = uint8(i % 256)
+	}
+	return result
+}
+
+func generateUint16Slice(count int) []uint16 {
+	result := make([]uint16, count)
+	for i := range result {
+		result[i] = uint16(i * 257)
+	}
+	return result
+}
+
+func buildIPSet(cidrs ...string) *netipx.IPSet {
+	var builder netipx.IPSetBuilder
+	for _, cidr := range cidrs {
+		prefix, err := netip.ParsePrefix(cidr)
+		if err != nil {
+			addr, err := netip.ParseAddr(cidr)
+			if err != nil {
+				panic(err)
+			}
+			builder.Add(addr)
+		} else {
+			builder.AddPrefix(prefix)
+		}
+	}
+	set, _ := builder.IPSet()
+	return set
+}
+
+func buildLargeIPSet(count int) *netipx.IPSet {
+	var builder netipx.IPSetBuilder
+	for i := 0; i < count; i++ {
+		prefix := netip.PrefixFrom(netip.AddrFrom4([4]byte{10, byte(i / 256), byte(i % 256), 0}), 24)
+		builder.AddPrefix(prefix)
+	}
+	set, _ := builder.IPSet()
+	return set
+}
+
+func requireStringSliceEqual(t *testing.T, expected, actual []string) {
+	t.Helper()
+	if len(expected) == 0 && len(actual) == 0 {
+		return
+	}
+	require.Equal(t, expected, actual)
+}
+
+func requireUint8SliceEqual(t *testing.T, expected, actual []uint8) {
+	t.Helper()
+	if len(expected) == 0 && len(actual) == 0 {
+		return
+	}
+	require.Equal(t, expected, actual)
+}
+
+func requireUint16SliceEqual(t *testing.T, expected, actual []uint16) {
+	t.Helper()
+	if len(expected) == 0 && len(actual) == 0 {
+		return
+	}
+	require.Equal(t, expected, actual)
+}
+
+func requireIPSetEqual(t *testing.T, expected, actual *netipx.IPSet) {
+	t.Helper()
+	expectedRanges := expected.Ranges()
+	actualRanges := actual.Ranges()
+	require.Equal(t, len(expectedRanges), len(actualRanges), "range count mismatch")
+	for i := range expectedRanges {
+		require.Equal(t, expectedRanges[i].From(), actualRanges[i].From(), "range[%d].from mismatch", i)
+		require.Equal(t, expectedRanges[i].To(), actualRanges[i].To(), "range[%d].to mismatch", i)
+	}
+}
--- a/common/srs/ip_cidr.go
+++ b/common/srs/ip_cidr.go
@@ -2,6 +2,7 @@ package srs

 import (
 	"encoding/binary"
+	"io"
 	"net/netip"

 	M "github.com/sagernet/sing/common/metadata"
@@ -9,11 +10,16 @@ import (
 )

 func readPrefix(reader varbin.Reader) (netip.Prefix, error) {
-	addrSlice, err := varbin.ReadValue[[]byte](reader, binary.BigEndian)
+	addrLen, err := binary.ReadUvarint(reader)
 	if err != nil {
 		return netip.Prefix{}, err
 	}
-	prefixBits, err := varbin.ReadValue[uint8](reader, binary.BigEndian)
+	addrSlice := make([]byte, addrLen)
+	_, err = io.ReadFull(reader, addrSlice)
+	if err != nil {
+		return netip.Prefix{}, err
+	}
+	prefixBits, err := reader.ReadByte()
 	if err != nil {
 		return netip.Prefix{}, err
 	}
@@ -21,11 +27,16 @@ func readPrefix(reader varbin.Reader) (netip.Prefix, error) {
 }

 func writePrefix(writer varbin.Writer, prefix netip.Prefix) error {
-	err := varbin.Write(writer, binary.BigEndian, prefix.Addr().AsSlice())
+	addrSlice := prefix.Addr().AsSlice()
+	_, err := varbin.WriteUvarint(writer, uint64(len(addrSlice)))
 	if err != nil {
 		return err
 	}
-	err = binary.Write(writer, binary.BigEndian, uint8(prefix.Bits()))
+	_, err = writer.Write(addrSlice)
+	if err != nil {
+		return err
+	}
+	err = writer.WriteByte(uint8(prefix.Bits()))
 	if err != nil {
 		return err
 	}
--- a/common/srs/ip_set.go
+++ b/common/srs/ip_set.go
@@ -2,11 +2,11 @@ package srs

 import (
 	"encoding/binary"
+	"io"
 	"net/netip"
 	"os"
 	"unsafe"

-	"github.com/sagernet/sing/common"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/varbin"

@@ -22,11 +22,6 @@ type myIPRange struct {
 	to   netip.Addr
 }

-type myIPRangeData struct {
-	From []byte
-	To   []byte
-}
-
 func readIPSet(reader varbin.Reader) (*netipx.IPSet, error) {
 	version, err := reader.ReadByte()
 	if err != nil {
@@ -41,17 +36,30 @@ func readIPSet(reader varbin.Reader) (*netipx.IPSet, error) {
 	if err != nil {
 		return nil, err
 	}
-	ranges := make([]myIPRangeData, length)
-	err = varbin.Read(reader, binary.BigEndian, &ranges)
-	if err != nil {
-		return nil, err
-	}
 	mySet := &myIPSet{
-		rr: make([]myIPRange, len(ranges)),
+		rr: make([]myIPRange, length),
 	}
-	for i, rangeData := range ranges {
-		mySet.rr[i].from = M.AddrFromIP(rangeData.From)
-		mySet.rr[i].to = M.AddrFromIP(rangeData.To)
+	for i := range mySet.rr {
+		fromLen, err := binary.ReadUvarint(reader)
+		if err != nil {
+			return nil, err
+		}
+		fromBytes := make([]byte, fromLen)
+		_, err = io.ReadFull(reader, fromBytes)
+		if err != nil {
+			return nil, err
+		}
+		toLen, err := binary.ReadUvarint(reader)
+		if err != nil {
+			return nil, err
+		}
+		toBytes := make([]byte, toLen)
+		_, err = io.ReadFull(reader, toBytes)
+		if err != nil {
+			return nil, err
+		}
+		mySet.rr[i].from = M.AddrFromIP(fromBytes)
+		mySet.rr[i].to = M.AddrFromIP(toBytes)
 	}
 	return (*netipx.IPSet)(unsafe.Pointer(mySet)), nil
 }
@@ -61,18 +69,27 @@ func writeIPSet(writer varbin.Writer, set *netipx.IPSet) error {
 	if err != nil {
 		return err
 	}
-	dataList := common.Map((*myIPSet)(unsafe.Pointer(set)).rr, func(rr myIPRange) myIPRangeData {
-		return myIPRangeData{
-			From: rr.from.AsSlice(),
-			To:   rr.to.AsSlice(),
-		}
-	})
-	err = binary.Write(writer, binary.BigEndian, uint64(len(dataList)))
+	mySet := (*myIPSet)(unsafe.Pointer(set))
+	err = binary.Write(writer, binary.BigEndian, uint64(len(mySet.rr)))
 	if err != nil {
 		return err
 	}
-	for _, data := range dataList {
-		err = varbin.Write(writer, binary.BigEndian, data)
+	for _, rr := range mySet.rr {
+		fromBytes := rr.from.AsSlice()
+		_, err = varbin.WriteUvarint(writer, uint64(len(fromBytes)))
+		if err != nil {
+			return err
+		}
+		_, err = writer.Write(fromBytes)
+		if err != nil {
+			return err
+		}
+		toBytes := rr.to.AsSlice()
+		_, err = varbin.WriteUvarint(writer, uint64(len(toBytes)))
+		if err != nil {
+			return err
+		}
+		_, err = writer.Write(toBytes)
 		if err != nil {
 			return err
 		}
--- a/common/tls/acme.go
+++ b/common/tls/acme.go
@@ -14,6 +14,7 @@ import (
 	"github.com/sagernet/sing/common/logger"

 	"github.com/caddyserver/certmagic"
+	"github.com/libdns/acmedns"
 	"github.com/libdns/alidns"
 	"github.com/libdns/cloudflare"
 	"github.com/mholt/acmez/v3/acme"
@@ -126,6 +127,13 @@ func startACME(ctx context.Context, logger logger.Logger, options option.Inbound
 				APIToken:  dnsOptions.CloudflareOptions.APIToken,
 				ZoneToken: dnsOptions.CloudflareOptions.ZoneToken,
 			}
+		case C.DNSProviderACMEDNS:
+			solver.DNSProvider = &acmedns.Provider{
+				Username:  dnsOptions.ACMEDNSOptions.Username,
+				Password:  dnsOptions.ACMEDNSOptions.Password,
+				Subdomain: dnsOptions.ACMEDNSOptions.Subdomain,
+				ServerURL: dnsOptions.ACMEDNSOptions.ServerURL,
+			}
 		default:
 			return nil, nil, E.New("unsupported ACME DNS01 provider type: " + dnsOptions.Provider)
 		}
--- a/constant/dns.go
+++ b/constant/dns.go
@@ -33,4 +33,5 @@ const (
 const (
 	DNSProviderAliDNS     = "alidns"
 	DNSProviderCloudflare = "cloudflare"
+	DNSProviderACMEDNS    = "acmedns"
 )
--- a/constant/proxy.go
+++ b/constant/proxy.go
@@ -30,6 +30,7 @@ const (
 	TypeSSMAPI       = "ssm-api"
 	TypeCCM          = "ccm"
 	TypeOCM          = "ocm"
+	TypeOOMKiller    = "oom-killer"
 )

 const (
@@ -85,6 +86,8 @@ func ProxyDisplayName(proxyType string) string {
 		return "Hysteria2"
 	case TypeAnyTLS:
 		return "AnyTLS"
+	case TypeTailscale:
+		return "Tailscale"
 	case TypeSelector:
 		return "Selector"
 	case TypeURLTest:
--- a/daemon/instance.go
+++ b/daemon/instance.go
@@ -7,9 +7,12 @@ import (
 	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/urltest"
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/include"
+	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 	"github.com/sagernet/sing/service"
@@ -20,6 +23,7 @@ type Instance struct {
 	ctx                   context.Context
 	cancel                context.CancelFunc
 	instance              *box.Box
+	connectionManager     adapter.ConnectionManager
 	clashServer           adapter.ClashServer
 	cacheFile             adapter.CacheFile
 	pauseManager          pause.Manager
@@ -83,6 +87,15 @@ func (s *StartedService) newInstance(profileContent string, overrideOptions *Ove
 			}
 		}
 	}
+	if s.oomKiller && C.IsIos {
+		if !common.Any(options.Services, func(it option.Service) bool {
+			return it.Type == C.TypeOOMKiller
+		}) {
+			options.Services = append(options.Services, option.Service{
+				Type: C.TypeOOMKiller,
+			})
+		}
+	}
 	urlTestHistoryStorage := urltest.NewHistoryStorage()
 	ctx = service.ContextWithPtr(ctx, urlTestHistoryStorage)
 	i := &Instance{
@@ -100,9 +113,11 @@ func (s *StartedService) newInstance(profileContent string, overrideOptions *Ove
 		return nil, err
 	}
 	i.instance = boxInstance
+	i.connectionManager = service.FromContext[adapter.ConnectionManager](ctx)
 	i.clashServer = service.FromContext[adapter.ClashServer](ctx)
 	i.pauseManager = service.FromContext[pause.Manager](ctx)
 	i.cacheFile = service.FromContext[adapter.CacheFile](ctx)
+	log.SetStdLogger(boxInstance.LogFactory().Logger())
 	return i, nil
 }

--- a/daemon/started_service.go
+++ b/daemon/started_service.go
@@ -8,7 +8,6 @@ import (
 	"time"

 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/urltest"
 	"github.com/sagernet/sing-box/experimental/clashapi"
 	"github.com/sagernet/sing-box/experimental/clashapi/trafficontrol"
@@ -36,6 +35,7 @@ type StartedService struct {
 	handler     PlatformHandler
 	debug       bool
 	logMaxLines int
+	oomKiller   bool
 	// workingDirectory string
 	// tempDirectory    string
 	// userID           int
@@ -67,6 +67,7 @@ type ServiceOptions struct {
 	Handler     PlatformHandler
 	Debug       bool
 	LogMaxLines int
+	OOMKiller   bool
 	// WorkingDirectory   string
 	// TempDirectory      string
 	// UserID             int
@@ -81,6 +82,7 @@ func NewStartedService(options ServiceOptions) *StartedService {
 		handler:     options.Handler,
 		debug:       options.Debug,
 		logMaxLines: options.LogMaxLines,
+		oomKiller:   options.OOMKiller,
 		// workingDirectory: options.WorkingDirectory,
 		// tempDirectory:    options.TempDirectory,
 		// userID:           options.UserID,
@@ -207,6 +209,14 @@ func (s *StartedService) StartOrReloadService(profileContent string, options *Ov
 	return nil
 }

+func (s *StartedService) Close() {
+	s.serviceStatusSubscriber.Close()
+	s.logSubscriber.Close()
+	s.urlTestSubscriber.Close()
+	s.clashModeSubscriber.Close()
+	s.connectionEventSubscriber.Close()
+}
+
 func (s *StartedService) CloseService() error {
 	s.serviceAccess.Lock()
 	switch s.serviceStatus.Status {
@@ -399,12 +409,14 @@ func (s *StartedService) SubscribeStatus(request *SubscribeStatusRequest, server

 func (s *StartedService) readStatus() *Status {
 	var status Status
-	status.Memory = memory.Inuse()
+	status.Memory = memory.Total()
 	status.Goroutines = int32(runtime.NumGoroutine())
-	status.ConnectionsOut = int32(conntrack.Count())
 	s.serviceAccess.RLock()
 	nowService := s.instance
 	s.serviceAccess.RUnlock()
+	if nowService != nil && nowService.connectionManager != nil {
+		status.ConnectionsOut = int32(nowService.connectionManager.Count())
+	}
 	if nowService != nil {
 		if clashServer := nowService.clashServer; clashServer != nil {
 			status.TrafficAvailable = true
@@ -985,7 +997,12 @@ func (s *StartedService) CloseConnection(ctx context.Context, request *CloseConn
 }

 func (s *StartedService) CloseAllConnections(ctx context.Context, empty *emptypb.Empty) (*emptypb.Empty, error) {
-	conntrack.Close()
+	s.serviceAccess.RLock()
+	nowService := s.instance
+	s.serviceAccess.RUnlock()
+	if nowService != nil && nowService.connectionManager != nil {
+		nowService.connectionManager.CloseAll()
+	}
 	return &emptypb.Empty{}, nil
 }

--- a/debug.go
+++ b/debug.go
@@ -3,11 +3,11 @@ package box
 import (
 	"runtime/debug"

-	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
 )

-func applyDebugOptions(options option.DebugOptions) {
+func applyDebugOptions(options option.DebugOptions) error {
 	applyDebugListenOption(options)
 	if options.GCPercent != nil {
 		debug.SetGCPercent(*options.GCPercent)
@@ -26,9 +26,9 @@ func applyDebugOptions(options option.DebugOptions) {
 	}
 	if options.MemoryLimit.Value() != 0 {
 		debug.SetMemoryLimit(int64(float64(options.MemoryLimit.Value()) / 1.5))
-		conntrack.MemoryLimit = options.MemoryLimit.Value()
 	}
 	if options.OOMKiller != nil {
-		conntrack.KillerEnabled = *options.OOMKiller
+		return E.New("legacy oom_killer in debug options is removed, use oom-killer service instead")
 	}
+	return nil
 }
--- a/dns/client.go
+++ b/dns/client.go
@@ -144,7 +144,11 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		if c.cache != nil {
 			cond, loaded := c.cacheLock.LoadOrStore(question, make(chan struct{}))
 			if loaded {
-				<-cond
+				select {
+				case <-cond:
+				case <-ctx.Done():
+					return nil, ctx.Err()
+				}
 			} else {
 				defer func() {
 					c.cacheLock.Delete(question)
@@ -154,7 +158,11 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		} else if c.transportCache != nil {
 			cond, loaded := c.transportCacheLock.LoadOrStore(question, make(chan struct{}))
 			if loaded {
-				<-cond
+				select {
+				case <-cond:
+				case <-ctx.Done():
+					return nil, ctx.Err()
+				}
 			} else {
 				defer func() {
 					c.transportCacheLock.Delete(question)
--- a/dns/router.go
+++ b/dns/router.go
@@ -377,9 +377,11 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 				case *R.RuleActionReject:
 					return nil, &R.RejectedError{Cause: action.Error(ctx)}
 				case *R.RuleActionPredefined:
+					responseAddrs = nil
 					if action.Rcode != mDNS.RcodeSuccess {
 						err = RcodeError(action.Rcode)
 					} else {
+						err = nil
 						for _, answer := range action.Answer {
 							switch record := answer.(type) {
 							case *mDNS.A:
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,10 +2,232 @@
 icon: material/alert-decagram
 ---

-#### 1.13.0-beta.7
+#### 1.13.0
+
+Important changes since 1.12:
+
+* Add NaiveProxy outbound **1**
+* Add pre-match support for `auto_redirect` **2**
+* Improve `auto_redirect` **3**
+* Add Chrome Root Store certificate option **4**
+* Add new options for ACME DNS-01 challenge providers **5**
+* Add Wi-Fi state support for Linux and Windows **6**
+* Add curve preferences, pinned public key SHA256, mTLS and ECH `query_server_name` for TLS options **7**
+* Add kTLS support **8**
+* Add ICMP echo (ping) proxy support **9**
+* Add `interface_address`, `network_interface_address` and `default_interface_address` rule items **10**
+* Add `preferred_by` route rule item **11**
+* Improve `local` DNS server **12**
+* Add `disable_tcp_keep_alive`, `tcp_keep_alive` and `tcp_keep_alive_interval` options for listen and dial fields **13**
+* Add `bind_address_no_port` option for dial fields **14**
+* Add system interface, relay server and advertise tags options for Tailscale endpoint **15**
+* Add Claude Code Multiplexer service **16**
+* Add OpenAI Codex Multiplexer service **17**
+* Apple/Android: Refactor GUI
+* Apple/Android: Add support for sharing configurations via [QRS](https://github.com/qifi-dev/qrs)
+* Android: Add support for resisting VPN detection via Xposed
+* Drop support for go1.23 **18**
+* Drop support for Android 5.0 **19**
+* Update uTLS to v1.8.2 **20**
+* Update quic-go to v0.59.0
+* Update gVisor to v20250811
+* Update Tailscale to v1.92.4
+
+**1**:
+
+NaiveProxy outbound now supports QUIC, ECH, UDP over TCP, and configurable QUIC congestion control.
+
+Only available on Apple platforms, Android, Windows and some Linux architectures.
+Each Windows release includes `libcronet.dll` —
+ensure this file is in the same directory as `sing-box.exe` or in a directory listed in `PATH`.
+
+See [NaiveProxy outbound](/configuration/outbound/naive/).
+
+**2**:
+
+`auto_redirect` now allows you to bypass sing-box for connections based on routing rules.
+
+A new rule action `bypass` is introduced to support this feature. When matched during pre-match, the connection will bypass sing-box and connect directly.
+
+This feature requires Linux with `auto_redirect` enabled.
+
+See [Pre-match](/configuration/shared/pre-match/) and [Rule Action](/configuration/route/rule_action/#bypass).
+
+**3**:
+
+`auto_redirect` now rejects MPTCP connections by default to fix compatibility issues.
+You can change it to bypass sing-box via the new `exclude_mptcp` option.
+
+Adds a fallback iproute2 rule checked after system default rules (32766: main, 32767: default),
+ensuring traffic is routed to the sing-box table when no route is found in system tables.
+The rule index can be customized via `auto_redirect_iproute2_fallback_rule_index` (default: 32768).
+
+See [TUN](/configuration/inbound/tun/#exclude_mptcp).
+
+**4**:
+
+Adds `chrome` as a new certificate store option alongside `mozilla`.
+Both stores filter out China-based CA certificates.
+
+See [Certificate](/configuration/certificate/#store).
+
+**5**:
+
+See [DNS-01 Challenge](/configuration/shared/dns01_challenge/).
+
+**6**:
+
+sing-box can now monitor Wi-Fi state on Linux and Windows to enable routing rules based on `wifi_ssid` and `wifi_bssid`.
+
+See [Wi-Fi State](/configuration/shared/wifi-state/).
+
+**7**:
+
+See [TLS](/configuration/shared/tls/).
+
+**8**:
+
+Adds `kernel_tx` and `kernel_rx` options for TLS inbound.
+Enables kernel-level TLS offloading via `splice(2)` on Linux 5.1+ with TLS 1.3.
+
+See [TLS](/configuration/shared/tls/).
+
+**9**:
+
+sing-box can now proxy ICMP echo (ping) requests.
+A new `icmp` network type is available for route rules.
+Supported from TUN, WireGuard and Tailscale inbounds to Direct, WireGuard and Tailscale outbounds.
+The `reject` action can also reply to ICMP echo requests.
+
+**10**:
+
+New rule items for matching based on interface IP addresses, available in route rules, DNS rules and rule-sets.
+
+**11**:
+
+Matches outbounds' preferred routes.
+For Tailscale: MagicDNS domains and peers' allowed IPs. For WireGuard: peers' allowed IPs.
+
+**12**:
+
+The `local` DNS server now uses platform-native resolution:
+`getaddrinfo`/libresolv on Apple platforms, systemd-resolved DBus on Linux.
+A new `prefer_go` option is available to opt out.
+
+See [Local DNS](/configuration/dns/server/local/).
+
+**13**:
+
+The default TCP keep-alive initial period has been updated from 10 minutes to 5 minutes.
+
+See [Dial Fields](/configuration/shared/dial/#tcp_keep_alive).
+
+**14**:
+
+Adds the Linux socket option `IP_BIND_ADDRESS_NO_PORT` support when explicitly binding to a source address.
+
+This allows reusing the same source port for multiple connections, improving scalability for high-concurrency proxy scenarios.
+
+See [Dial Fields](/configuration/shared/dial/#bind_address_no_port).
+
+**15**:
+
+Tailscale endpoint can now create a system TUN interface to handle traffic directly.
+New `relay_server_port` and `relay_server_static_endpoints` options for incoming relay connections.
+New `advertise_tags` option for ACL tag advertisement.
+
+See [Tailscale endpoint](/configuration/endpoint/tailscale/).
+
+**16**:
+
+CCM (Claude Code Multiplexer) service allows you to access your local Claude Code subscription remotely through custom tokens, eliminating the need for OAuth authentication on remote clients.
+
+See [CCM](/configuration/service/ccm).
+
+**17**:
+
+See [OCM](/configuration/service/ocm).
+
+**18**:
+
+Due to maintenance difficulties, sing-box 1.13.0 requires at least Go 1.24 to compile.
+
+**19**:
+
+Due to maintenance difficulties, sing-box 1.13.0 will be the last version to support Android 5.0,
+and only through a separate legacy build (with `-legacy-android-5` suffix).
+
+For standalone binaries, the minimum Android version has been raised to Android 6.0,
+since Termux requires Android 7.0 or later.
+
+**20**:
+
+This update fixes missing padding extension for Chrome 120+ fingerprints.
+
+Also, documentation has been updated with a warning about uTLS fingerprinting vulnerabilities.
+uTLS is not recommended for censorship circumvention due to fundamental architectural limitations;
+use NaiveProxy instead for TLS fingerprint resistance.
+
+#### 1.12.23

 * Fixes and improvements

+#### 1.13.0-rc.5
+
+* Add `mipsle`, `mips64le`, `riscv64` and `loong64` support for NaiveProxy outbound
+
+#### 1.12.22
+
+* Fixes and improvements
+
+#### 1.13.0-rc.3
+
+* Fixes and improvements
+
+#### 1.12.21
+
+* Fixes and improvements
+
+#### 1.13.0-rc.2
+
+* Fixes and improvements
+
+#### 1.12.20
+
+* Fixes and improvements
+
+#### 1.13.0-rc.1
+
+* Fixes and improvements
+
+#### 1.12.19
+
+* Fixes and improvements
+
+#### 1.13.0-beta.8
+
+* Add fallback routing rule for `auto_redirect` **1**
+* Fixes and improvements
+
+**1**:
+
+Adds a fallback iproute2 rule checked after system default rules (32766: main, 32767: default),
+ensuring traffic is routed to the sing-box table when no route is found in system tables.
+
+The rule index can be customized via `auto_redirect_iproute2_fallback_rule_index` (default: 32768).
+
+#### 1.12.18
+
+* Add fallback routing rule for `auto_redirect` **1**
+* Fixes and improvements
+
+**1**:
+
+Adds a fallback iproute2 rule checked after system default rules (32766: main, 32767: default),
+ensuring traffic is routed to the sing-box table when no route is found in system tables.
+
+The rule index can be customized via `auto_redirect_iproute2_fallback_rule_index` (default: 32768).
+
 #### 1.13.0-beta.6

 * Update uTLS to v1.8.2 **1**
--- a/docs/configuration/endpoint/tailscale.md
+++ b/docs/configuration/endpoint/tailscale.md
@@ -8,7 +8,8 @@ icon: material/new-box
    :material-plus: [relay_server_static_endpoints](#relay_server_static_endpoints)  
    :material-plus: [system_interface](#system_interface)  
    :material-plus: [system_interface_name](#system_interface_name)  
-    :material-plus: [system_interface_mtu](#system_interface_mtu)
+    :material-plus: [system_interface_mtu](#system_interface_mtu)  
+    :material-plus: [advertise_tags](#advertise_tags)

 !!! question "Since sing-box 1.12.0"

@@ -28,6 +29,7 @@ icon: material/new-box
  "exit_node_allow_lan_access": false,
  "advertise_routes": [],
  "advertise_exit_node": false,
+  "advertise_tags": [],
  "relay_server_port": 0,
  "relay_server_static_endpoints": [],
  "system_interface": false,
@@ -102,6 +104,14 @@ Example: `["192.168.1.1/24"]`

 Indicates whether the node should advertise itself as an exit node.

+#### advertise_tags
+
+!!! question "Since sing-box 1.13.0"
+
+Tags to advertise for this node, for ACL enforcement purposes.
+
+Example: `["tag:server"]`
+
 #### relay_server_port

 !!! question "Since sing-box 1.13.0"
--- a/docs/configuration/endpoint/tailscale.zh.md
+++ b/docs/configuration/endpoint/tailscale.zh.md
@@ -8,7 +8,8 @@ icon: material/new-box
    :material-plus: [relay_server_static_endpoints](#relay_server_static_endpoints)  
    :material-plus: [system_interface](#system_interface)  
    :material-plus: [system_interface_name](#system_interface_name)  
-    :material-plus: [system_interface_mtu](#system_interface_mtu)
+    :material-plus: [system_interface_mtu](#system_interface_mtu)  
+    :material-plus: [advertise_tags](#advertise_tags)

 !!! question "自 sing-box 1.12.0 起"

@@ -28,6 +29,7 @@ icon: material/new-box
  "exit_node_allow_lan_access": false,
  "advertise_routes": [],
  "advertise_exit_node": false,
+  "advertise_tags": [],
  "relay_server_port": 0,
  "relay_server_static_endpoints": [],
  "system_interface": false,
@@ -101,6 +103,14 @@ icon: material/new-box

 指示节点是否应将自己通告为出口节点。

+#### advertise_tags
+
+!!! question "自 sing-box 1.13.0 起"
+
+为此节点通告的标签，用于 ACL 执行。
+
+示例：`["tag:server"]`
+
 #### relay_server_port

 !!! question "自 sing-box 1.13.0 起"
--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -6,7 +6,8 @@ icon: material/new-box

    :material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)  
    :material-plus: [auto_redirect_nfqueue](#auto_redirect_nfqueue)  
-    :material-plus: [exclude_mptcp](#exclude_mptcp)
+    :material-plus: [exclude_mptcp](#exclude_mptcp)  
+    :material-plus: [auto_redirect_iproute2_fallback_rule_index](#auto_redirect_iproute2_fallback_rule_index)

 !!! quote "Changes in sing-box 1.12.0"

@@ -71,6 +72,7 @@ icon: material/new-box
  "auto_redirect_output_mark": "0x2024",
  "auto_redirect_reset_mark": "0x2025",
  "auto_redirect_nfqueue": 100,
+  "auto_redirect_iproute2_fallback_rule_index": 32768,
  "exclude_mptcp": false,
  "loopback_address": [
    "10.7.0.1"
@@ -303,6 +305,17 @@ NFQueue number used by `auto_redirect` pre-matching.

 `100` is used by default.

+#### auto_redirect_iproute2_fallback_rule_index
+
+!!! question "Since sing-box 1.12.18"
+
+Linux iproute2 fallback rule index generated by `auto_redirect`.
+
+This rule is checked after system default rules (32766: main, 32767: default),
+routing traffic to the sing-box table only when no route is found in system tables.
+
+`32768` is used by default.
+
 #### exclude_mptcp

 !!! question "Since sing-box 1.13.0"
--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -6,7 +6,8 @@ icon: material/new-box

    :material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)  
    :material-plus: [auto_redirect_nfqueue](#auto_redirect_nfqueue)  
-    :material-plus: [exclude_mptcp](#exclude_mptcp)
+    :material-plus: [exclude_mptcp](#exclude_mptcp)  
+    :material-plus: [auto_redirect_iproute2_fallback_rule_index](#auto_redirect_iproute2_fallback_rule_index)

 !!! quote "sing-box 1.12.0 中的更改"

@@ -71,6 +72,7 @@ icon: material/new-box
  "auto_redirect_output_mark": "0x2024",
  "auto_redirect_reset_mark": "0x2025",
  "auto_redirect_nfqueue": 100,
+  "auto_redirect_iproute2_fallback_rule_index": 32768,
  "exclude_mptcp": false,
  "loopback_address": [
    "10.7.0.1"
@@ -302,13 +304,24 @@ tun 接口的 IPv6 前缀。

 默认使用 `100`。

+#### auto_redirect_iproute2_fallback_rule_index
+
+!!! question "自 sing-box 1.12.18 起"
+
+`auto_redirect` 生成的 iproute2 回退规则索引。
+
+此规则在系统默认规则（32766: main，32767: default）之后检查，
+仅当系统路由表中未找到路由时才将流量路由到 sing-box 路由表。
+
+默认使用 `32768`。
+
 #### exclude_mptcp

 !!! question "自 sing-box 1.13.0 起"

 !!! quote ""

-    仅支持 Linux，且需要 nftables，`auto_route` 和 `auto_redirect` 已启用。 
+    仅支持 Linux，且需要 nftables，`auto_route` 和 `auto_redirect` 已启用。

 由于协议限制，MPTCP 无法被透明代理。

--- a/docs/configuration/shared/dns01_challenge.md
+++ b/docs/configuration/shared/dns01_challenge.md
@@ -5,7 +5,8 @@ icon: material/new-box
 !!! quote "Changes in sing-box 1.13.0"

    :material-plus: [alidns.security_token](#security_token)  
-    :material-plus: [cloudflare.zone_token](#zone_token)
+    :material-plus: [cloudflare.zone_token](#zone_token)  
+    :material-plus: [acmedns](#acmedns)

 ### Structure

@@ -54,3 +55,19 @@ The Security Token for STS temporary credentials.
 Optional API token with `Zone:Read` permission.

 When provided, allows `api_token` to be scoped to a single zone.
+
+#### ACME-DNS
+
+!!! question "Since sing-box 1.13.0"
+
+```json
+{
+  "provider": "acmedns",
+  "username": "",
+  "password": "",
+  "subdomain": "",
+  "server_url": ""
+}
+```
+
+See [ACME-DNS](https://github.com/joohoi/acme-dns) for details.
--- a/docs/configuration/shared/dns01_challenge.zh.md
+++ b/docs/configuration/shared/dns01_challenge.zh.md
@@ -5,7 +5,8 @@ icon: material/new-box
 !!! quote "sing-box 1.13.0 中的更改"

    :material-plus: [alidns.security_token](#security_token)  
-    :material-plus: [cloudflare.zone_token](#zone_token)
+    :material-plus: [cloudflare.zone_token](#zone_token)  
+    :material-plus: [acmedns](#acmedns)

 ### 结构

@@ -54,3 +55,19 @@ icon: material/new-box
 具有 `Zone:Read` 权限的可选 API 令牌。

 提供后可将 `api_token` 限定到单个区域。
+
+#### ACME-DNS
+
+!!! question "自 sing-box 1.13.0 起"
+
+```json
+{
+  "provider": "acmedns",
+  "username": "",
+  "password": "",
+  "subdomain": "",
+  "server_url": ""
+}
+```
+
+参阅 [ACME-DNS](https://github.com/joohoi/acme-dns)。
--- a/experimental/cachefile/cache.go
+++ b/experimental/cachefile/cache.go
@@ -45,6 +45,7 @@ type CacheFile struct {
 	storeRDRC         bool
 	rdrcTimeout       time.Duration
 	DB                *bbolt.DB
+	resetAccess       sync.Mutex
 	saveMetadataTimer *time.Timer
 	saveFakeIPAccess  sync.RWMutex
 	saveDomain        map[netip.Addr]string
@@ -169,13 +170,55 @@ func (c *CacheFile) Close() error {
 	return c.DB.Close()
 }

+func (c *CacheFile) view(fn func(tx *bbolt.Tx) error) (err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			c.resetDB()
+			err = E.New("database corrupted: ", r)
+		}
+	}()
+	return c.DB.View(fn)
+}
+
+func (c *CacheFile) batch(fn func(tx *bbolt.Tx) error) (err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			c.resetDB()
+			err = E.New("database corrupted: ", r)
+		}
+	}()
+	return c.DB.Batch(fn)
+}
+
+func (c *CacheFile) update(fn func(tx *bbolt.Tx) error) (err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			c.resetDB()
+			err = E.New("database corrupted: ", r)
+		}
+	}()
+	return c.DB.Update(fn)
+}
+
+func (c *CacheFile) resetDB() {
+	c.resetAccess.Lock()
+	defer c.resetAccess.Unlock()
+	c.DB.Close()
+	os.Remove(c.path)
+	db, err := bbolt.Open(c.path, 0o666, &bbolt.Options{Timeout: time.Second})
+	if err == nil {
+		_ = filemanager.Chown(c.ctx, c.path)
+		c.DB = db
+	}
+}
+
 func (c *CacheFile) StoreFakeIP() bool {
 	return c.storeFakeIP
 }

 func (c *CacheFile) LoadMode() string {
 	var mode string
-	c.DB.View(func(t *bbolt.Tx) error {
+	c.view(func(t *bbolt.Tx) error {
 		bucket := t.Bucket(bucketMode)
 		if bucket == nil {
 			return nil
@@ -193,7 +236,7 @@ func (c *CacheFile) LoadMode() string {
 }

 func (c *CacheFile) StoreMode(mode string) error {
-	return c.DB.Batch(func(t *bbolt.Tx) error {
+	return c.batch(func(t *bbolt.Tx) error {
 		bucket, err := t.CreateBucketIfNotExists(bucketMode)
 		if err != nil {
 			return err
@@ -230,7 +273,7 @@ func (c *CacheFile) createBucket(t *bbolt.Tx, key []byte) (*bbolt.Bucket, error)

 func (c *CacheFile) LoadSelected(group string) string {
 	var selected string
-	c.DB.View(func(t *bbolt.Tx) error {
+	c.view(func(t *bbolt.Tx) error {
 		bucket := c.bucket(t, bucketSelected)
 		if bucket == nil {
 			return nil
@@ -245,7 +288,7 @@ func (c *CacheFile) LoadSelected(group string) string {
 }

 func (c *CacheFile) StoreSelected(group, selected string) error {
-	return c.DB.Batch(func(t *bbolt.Tx) error {
+	return c.batch(func(t *bbolt.Tx) error {
 		bucket, err := c.createBucket(t, bucketSelected)
 		if err != nil {
 			return err
@@ -255,7 +298,7 @@ func (c *CacheFile) StoreSelected(group, selected string) error {
 }

 func (c *CacheFile) LoadGroupExpand(group string) (isExpand bool, loaded bool) {
-	c.DB.View(func(t *bbolt.Tx) error {
+	c.view(func(t *bbolt.Tx) error {
 		bucket := c.bucket(t, bucketExpand)
 		if bucket == nil {
 			return nil
@@ -271,7 +314,7 @@ func (c *CacheFile) LoadGroupExpand(group string) (isExpand bool, loaded bool) {
 }

 func (c *CacheFile) StoreGroupExpand(group string, isExpand bool) error {
-	return c.DB.Batch(func(t *bbolt.Tx) error {
+	return c.batch(func(t *bbolt.Tx) error {
 		bucket, err := c.createBucket(t, bucketExpand)
 		if err != nil {
 			return err
@@ -286,7 +329,7 @@ func (c *CacheFile) StoreGroupExpand(group string, isExpand bool) error {

 func (c *CacheFile) LoadRuleSet(tag string) *adapter.SavedBinary {
 	var savedSet adapter.SavedBinary
-	err := c.DB.View(func(t *bbolt.Tx) error {
+	err := c.view(func(t *bbolt.Tx) error {
 		bucket := c.bucket(t, bucketRuleSet)
 		if bucket == nil {
 			return os.ErrNotExist
@@ -304,7 +347,7 @@ func (c *CacheFile) LoadRuleSet(tag string) *adapter.SavedBinary {
 }

 func (c *CacheFile) SaveRuleSet(tag string, set *adapter.SavedBinary) error {
-	return c.DB.Batch(func(t *bbolt.Tx) error {
+	return c.batch(func(t *bbolt.Tx) error {
 		bucket, err := c.createBucket(t, bucketRuleSet)
 		if err != nil {
 			return err
--- a/experimental/cachefile/fakeip.go
+++ b/experimental/cachefile/fakeip.go
@@ -23,7 +23,7 @@ var (

 func (c *CacheFile) FakeIPMetadata() *adapter.FakeIPMetadata {
 	var metadata adapter.FakeIPMetadata
-	err := c.DB.Batch(func(tx *bbolt.Tx) error {
+	err := c.batch(func(tx *bbolt.Tx) error {
 		bucket := tx.Bucket(bucketFakeIP)
 		if bucket == nil {
 			return os.ErrNotExist
@@ -45,7 +45,7 @@ func (c *CacheFile) FakeIPMetadata() *adapter.FakeIPMetadata {
 }

 func (c *CacheFile) FakeIPSaveMetadata(metadata *adapter.FakeIPMetadata) error {
-	return c.DB.Batch(func(tx *bbolt.Tx) error {
+	return c.batch(func(tx *bbolt.Tx) error {
 		bucket, err := tx.CreateBucketIfNotExists(bucketFakeIP)
 		if err != nil {
 			return err
@@ -69,7 +69,7 @@ func (c *CacheFile) FakeIPSaveMetadataAsync(metadata *adapter.FakeIPMetadata) {
 }

 func (c *CacheFile) FakeIPStore(address netip.Addr, domain string) error {
-	return c.DB.Batch(func(tx *bbolt.Tx) error {
+	return c.batch(func(tx *bbolt.Tx) error {
 		bucket, err := tx.CreateBucketIfNotExists(bucketFakeIP)
 		if err != nil {
 			return err
@@ -136,7 +136,7 @@ func (c *CacheFile) FakeIPLoad(address netip.Addr) (string, bool) {
 		return cachedDomain, true
 	}
 	var domain string
-	_ = c.DB.View(func(tx *bbolt.Tx) error {
+	_ = c.view(func(tx *bbolt.Tx) error {
 		bucket := tx.Bucket(bucketFakeIP)
 		if bucket == nil {
 			return nil
@@ -163,7 +163,7 @@ func (c *CacheFile) FakeIPLoadDomain(domain string, isIPv6 bool) (netip.Addr, bo
 		return cachedAddress, true
 	}
 	var address netip.Addr
-	_ = c.DB.View(func(tx *bbolt.Tx) error {
+	_ = c.view(func(tx *bbolt.Tx) error {
 		var bucket *bbolt.Bucket
 		if isIPv6 {
 			bucket = tx.Bucket(bucketFakeIPDomain6)
@@ -180,7 +180,7 @@ func (c *CacheFile) FakeIPLoadDomain(domain string, isIPv6 bool) (netip.Addr, bo
 }

 func (c *CacheFile) FakeIPReset() error {
-	return c.DB.Batch(func(tx *bbolt.Tx) error {
+	return c.batch(func(tx *bbolt.Tx) error {
 		err := tx.DeleteBucket(bucketFakeIP)
 		if err != nil {
 			return err
--- a/experimental/cachefile/rdrc.go
+++ b/experimental/cachefile/rdrc.go
@@ -31,7 +31,7 @@ func (c *CacheFile) LoadRDRC(transportName string, qName string, qType uint16) (
 	copy(key[2:], qName)
 	defer buf.Put(key)
 	var deleteCache bool
-	err := c.DB.View(func(tx *bbolt.Tx) error {
+	err := c.view(func(tx *bbolt.Tx) error {
 		bucket := c.bucket(tx, bucketRDRC)
 		if bucket == nil {
 			return nil
@@ -56,7 +56,7 @@ func (c *CacheFile) LoadRDRC(transportName string, qName string, qType uint16) (
 		return
 	}
 	if deleteCache {
-		c.DB.Update(func(tx *bbolt.Tx) error {
+		c.update(func(tx *bbolt.Tx) error {
 			bucket := c.bucket(tx, bucketRDRC)
 			if bucket == nil {
 				return nil
@@ -72,7 +72,7 @@ func (c *CacheFile) LoadRDRC(transportName string, qName string, qType uint16) (
 }

 func (c *CacheFile) SaveRDRC(transportName string, qName string, qType uint16) error {
-	return c.DB.Batch(func(tx *bbolt.Tx) error {
+	return c.batch(func(tx *bbolt.Tx) error {
 		bucket, err := c.createBucket(tx, bucketRDRC)
 		if err != nil {
 			return err
--- a/experimental/libbox/command_client.go
+++ b/experimental/libbox/command_client.go
@@ -119,7 +119,11 @@ func dialTarget() (string, func(context.Context, string) (net.Conn, error)) {
 		}
 	}
 	if sCommandServerListenPort == 0 {
-		return "unix://" + filepath.Join(sBasePath, "command.sock"), nil
+		socketPath := filepath.Join(sBasePath, "command.sock")
+		return "passthrough:///command-socket", func(ctx context.Context, _ string) (net.Conn, error) {
+			var networkDialer net.Dialer
+			return networkDialer.DialContext(ctx, "unix", socketPath)
+		}
 	}
 	return net.JoinHostPort("127.0.0.1", strconv.Itoa(int(sCommandServerListenPort))), nil
 }
@@ -362,7 +366,7 @@ func (c *CommandClient) handleStatusStream() {
 			c.handler.Disconnected(err.Error())
 			return
 		}
-		c.handler.WriteStatus(StatusMessageFromGRPC(status))
+		c.handler.WriteStatus(statusMessageFromGRPC(status))
 	}
 }

@@ -381,7 +385,7 @@ func (c *CommandClient) handleGroupStream() {
 			c.handler.Disconnected(err.Error())
 			return
 		}
-		c.handler.WriteGroups(OutboundGroupIteratorFromGRPC(groups))
+		c.handler.WriteGroups(outboundGroupIteratorFromGRPC(groups))
 	}
 }

@@ -447,7 +451,7 @@ func (c *CommandClient) handleConnectionsStream() {
 			c.handler.Disconnected(err.Error())
 			return
 		}
-		libboxEvents := ConnectionEventsFromGRPC(events)
+		libboxEvents := connectionEventsFromGRPC(events)
 		c.handler.WriteConnectionEvents(libboxEvents)
 	}
 }
@@ -523,7 +527,7 @@ func (c *CommandClient) GetSystemProxyStatus() (*SystemProxyStatus, error) {
 		if err != nil {
 			return nil, err
 		}
-		return SystemProxyStatusFromGRPC(status), nil
+		return systemProxyStatusFromGRPC(status), nil
 	})
 }

--- a/experimental/libbox/command_server.go
+++ b/experimental/libbox/command_server.go
@@ -43,7 +43,7 @@ type CommandServerHandler interface {
 }

 func NewCommandServer(handler CommandServerHandler, platformInterface PlatformInterface) (*CommandServer, error) {
-	ctx := BaseContext(platformInterface)
+	ctx := baseContext(platformInterface)
 	platformWrapper := &platformInterfaceWrapper{
 		iif:       platformInterface,
 		useProcFS: platformInterface.UseProcFS(),
@@ -60,6 +60,7 @@ func NewCommandServer(handler CommandServerHandler, platformInterface PlatformIn
 		Handler:     (*platformHandler)(server),
 		Debug:       sDebug,
 		LogMaxLines: sLogMaxLines,
+		OOMKiller:   memoryLimitEnabled,
 		// WorkingDirectory: sWorkingPath,
 		// TempDirectory:    sTempPath,
 		// UserID:           sUserID,
@@ -159,6 +160,7 @@ func (s *CommandServer) Close() {
 		s.grpcServer.Stop()
 	}
 	common.Close(s.listener)
+	s.StartedService.Close()
 }

 type OverrideOptions struct {
--- a/experimental/libbox/command_types.go
+++ b/experimental/libbox/command_types.go
@@ -32,11 +32,11 @@ type OutboundGroup struct {
 	Selectable bool
 	Selected   string
 	IsExpand   bool
-	ItemList   []*OutboundGroupItem
+	itemList   []*OutboundGroupItem
 }

 func (g *OutboundGroup) GetItems() OutboundGroupItemIterator {
-	return newIterator(g.ItemList)
+	return newIterator(g.itemList)
 }

 type OutboundGroupIterator interface {
@@ -267,12 +267,12 @@ type Connection struct {
 	Rule          string
 	Outbound      string
 	OutboundType  string
-	ChainList     []string
+	chainList     []string
 	ProcessInfo   *ProcessInfo
 }

 func (c *Connection) Chain() StringIterator {
-	return newIterator(c.ChainList)
+	return newIterator(c.chainList)
 }

 func (c *Connection) DisplayDestination() string {
@@ -292,7 +292,7 @@ type ConnectionIterator interface {
 	HasNext() bool
 }

-func StatusMessageFromGRPC(status *daemon.Status) *StatusMessage {
+func statusMessageFromGRPC(status *daemon.Status) *StatusMessage {
 	if status == nil {
 		return nil
 	}
@@ -309,7 +309,7 @@ func StatusMessageFromGRPC(status *daemon.Status) *StatusMessage {
 	}
 }

-func OutboundGroupIteratorFromGRPC(groups *daemon.Groups) OutboundGroupIterator {
+func outboundGroupIteratorFromGRPC(groups *daemon.Groups) OutboundGroupIterator {
 	if groups == nil || len(groups.Group) == 0 {
 		return newIterator([]*OutboundGroup{})
 	}
@@ -323,7 +323,7 @@ func OutboundGroupIteratorFromGRPC(groups *daemon.Groups) OutboundGroupIterator
 			IsExpand:   g.IsExpand,
 		}
 		for _, item := range g.Items {
-			libboxGroup.ItemList = append(libboxGroup.ItemList, &OutboundGroupItem{
+			libboxGroup.itemList = append(libboxGroup.itemList, &OutboundGroupItem{
 				Tag:          item.Tag,
 				Type:         item.Type,
 				URLTestTime:  item.UrlTestTime,
@@ -335,7 +335,7 @@ func OutboundGroupIteratorFromGRPC(groups *daemon.Groups) OutboundGroupIterator
 	return newIterator(libboxGroups)
 }

-func ConnectionFromGRPC(conn *daemon.Connection) Connection {
+func connectionFromGRPC(conn *daemon.Connection) Connection {
 	var processInfo *ProcessInfo
 	if conn.ProcessInfo != nil {
 		processInfo = &ProcessInfo{
@@ -367,12 +367,12 @@ func ConnectionFromGRPC(conn *daemon.Connection) Connection {
 		Rule:          conn.Rule,
 		Outbound:      conn.Outbound,
 		OutboundType:  conn.OutboundType,
-		ChainList:     conn.ChainList,
+		chainList:     conn.ChainList,
 		ProcessInfo:   processInfo,
 	}
 }

-func ConnectionEventFromGRPC(event *daemon.ConnectionEvent) *ConnectionEvent {
+func connectionEventFromGRPC(event *daemon.ConnectionEvent) *ConnectionEvent {
 	if event == nil {
 		return nil
 	}
@@ -384,13 +384,13 @@ func ConnectionEventFromGRPC(event *daemon.ConnectionEvent) *ConnectionEvent {
 		ClosedAt:      event.ClosedAt,
 	}
 	if event.Connection != nil {
-		conn := ConnectionFromGRPC(event.Connection)
+		conn := connectionFromGRPC(event.Connection)
 		libboxEvent.Connection = &conn
 	}
 	return libboxEvent
 }

-func ConnectionEventsFromGRPC(events *daemon.ConnectionEvents) *ConnectionEvents {
+func connectionEventsFromGRPC(events *daemon.ConnectionEvents) *ConnectionEvents {
 	if events == nil {
 		return nil
 	}
@@ -398,14 +398,14 @@ func ConnectionEventsFromGRPC(events *daemon.ConnectionEvents) *ConnectionEvents
 		Reset: events.Reset_,
 	}
 	for _, event := range events.Events {
-		if libboxEvent := ConnectionEventFromGRPC(event); libboxEvent != nil {
+		if libboxEvent := connectionEventFromGRPC(event); libboxEvent != nil {
 			libboxEvents.events = append(libboxEvents.events, libboxEvent)
 		}
 	}
 	return libboxEvents
 }

-func SystemProxyStatusFromGRPC(status *daemon.SystemProxyStatus) *SystemProxyStatus {
+func systemProxyStatusFromGRPC(status *daemon.SystemProxyStatus) *SystemProxyStatus {
 	if status == nil {
 		return nil
 	}
@@ -415,7 +415,7 @@ func SystemProxyStatusFromGRPC(status *daemon.SystemProxyStatus) *SystemProxySta
 	}
 }

-func SystemProxyStatusToGRPC(status *SystemProxyStatus) *daemon.SystemProxyStatus {
+func systemProxyStatusToGRPC(status *SystemProxyStatus) *daemon.SystemProxyStatus {
 	if status == nil {
 		return nil
 	}
--- a/experimental/libbox/config.go
+++ b/experimental/libbox/config.go
@@ -22,7 +22,7 @@ import (
 	"github.com/sagernet/sing/service/filemanager"
 )

-func BaseContext(platformInterface PlatformInterface) context.Context {
+func baseContext(platformInterface PlatformInterface) context.Context {
 	dnsRegistry := include.DNSTransportRegistry()
 	if platformInterface != nil {
 		if localTransport := platformInterface.LocalDNSTransport(); localTransport != nil {
@@ -45,7 +45,7 @@ func parseConfig(ctx context.Context, configContent string) (option.Options, err
 }

 func CheckConfig(configContent string) error {
-	ctx := BaseContext(nil)
+	ctx := baseContext(nil)
 	options, err := parseConfig(ctx, configContent)
 	if err != nil {
 		return err
@@ -189,7 +189,7 @@ func (s *interfaceMonitorStub) MyInterface() string {
 }

 func FormatConfig(configContent string) (*StringBox, error) {
-	options, err := parseConfig(BaseContext(nil), configContent)
+	options, err := parseConfig(baseContext(nil), configContent)
 	if err != nil {
 		return nil, err
 	}
--- a/experimental/libbox/ffi.json
+++ b/experimental/libbox/ffi.json
@@ -0,0 +1,257 @@
+{
+  "version": 1,
+  "variables": {
+    "VERSION": "$(go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest)",
+    "WORKSPACE_ROOT": "../../..",
+    "DEPLOY_ANDROID": "${WORKSPACE_ROOT}/sing-box-for-android/app/libs",
+    "DEPLOY_APPLE": "${WORKSPACE_ROOT}/sing-box-for-apple",
+    "DEPLOY_WINDOWS": "${WORKSPACE_ROOT}/sing-box-for-windows/local-packages"
+  },
+  "packages": [
+    {
+      "id": "libbox",
+      "path": ".",
+      "java_package": "io.nekohasekai.libbox",
+      "csharp_namespace": "SagerNet",
+      "csharp_entrypoint": "Libbox",
+      "apple_prefix": "Libbox"
+    }
+  ],
+  "builds": [
+    {
+      "id": "android-main",
+      "packages": ["libbox"],
+      "default": {
+        "tags": [
+          "with_gvisor",
+          "with_quic",
+          "with_wireguard",
+          "with_utls",
+          "with_naive_outbound",
+          "with_clash_api",
+          "badlinkname",
+          "tfogo_checklinkname0",
+          "with_tailscale",
+          "ts_omit_logtail",
+          "ts_omit_ssh",
+          "ts_omit_drive",
+          "ts_omit_taildrop",
+          "ts_omit_webclient",
+          "ts_omit_doctor",
+          "ts_omit_capture",
+          "ts_omit_kube",
+          "ts_omit_aws",
+          "ts_omit_synology",
+          "ts_omit_bird"
+        ],
+        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
+        "trimpath": true
+      }
+    },
+    {
+      "id": "android-legacy",
+      "packages": ["libbox"],
+      "default": {
+        "tags": [
+          "with_gvisor",
+          "with_quic",
+          "with_wireguard",
+          "with_utls",
+          "with_clash_api",
+          "badlinkname",
+          "tfogo_checklinkname0",
+          "with_tailscale",
+          "ts_omit_logtail",
+          "ts_omit_ssh",
+          "ts_omit_drive",
+          "ts_omit_taildrop",
+          "ts_omit_webclient",
+          "ts_omit_doctor",
+          "ts_omit_capture",
+          "ts_omit_kube",
+          "ts_omit_aws",
+          "ts_omit_synology",
+          "ts_omit_bird"
+        ],
+        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
+        "trimpath": true
+      }
+    },
+    {
+      "id": "apple",
+      "packages": ["libbox"],
+      "default": {
+        "tags": [
+          "with_gvisor",
+          "with_quic",
+          "with_wireguard",
+          "with_utls",
+          "with_naive_outbound",
+          "with_clash_api",
+          "badlinkname",
+          "tfogo_checklinkname0",
+          "with_dhcp",
+          "grpcnotrace",
+          "with_tailscale",
+          "ts_omit_logtail",
+          "ts_omit_ssh",
+          "ts_omit_drive",
+          "ts_omit_taildrop",
+          "ts_omit_webclient",
+          "ts_omit_doctor",
+          "ts_omit_capture",
+          "ts_omit_kube",
+          "ts_omit_aws",
+          "ts_omit_synology",
+          "ts_omit_bird"
+        ],
+        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
+        "trimpath": true
+      },
+      "overrides": [
+        {
+          "match": { "os": "ios" },
+          "tags_append": ["with_low_memory"]
+        },
+        {
+          "match": { "os": "tvos" },
+          "tags_append": ["with_low_memory"]
+        }
+      ]
+    },
+    {
+      "id": "windows",
+      "packages": ["libbox"],
+      "default": {
+        "tags": [
+          "with_gvisor",
+          "with_quic",
+          "with_wireguard",
+          "with_utls",
+          "with_naive_outbound",
+          "with_purego",
+          "with_clash_api",
+          "badlinkname",
+          "tfogo_checklinkname0",
+          "with_tailscale",
+          "ts_omit_logtail",
+          "ts_omit_ssh",
+          "ts_omit_drive",
+          "ts_omit_taildrop",
+          "ts_omit_webclient",
+          "ts_omit_doctor",
+          "ts_omit_capture",
+          "ts_omit_kube",
+          "ts_omit_aws",
+          "ts_omit_synology",
+          "ts_omit_bird"
+        ],
+        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
+        "trimpath": true
+      }
+    }
+  ],
+  "platforms": [
+    {
+      "type": "android",
+      "build": "android-main",
+      "min_sdk": 23,
+      "ndk_version": "28.0.13004108",
+      "lib_name": "box",
+      "languages": [{ "type": "java" }],
+      "artifacts": [
+        {
+          "type": "aar",
+          "output_path": "libbox.aar",
+          "execute_after": [
+            "if [ -d \"${DEPLOY_ANDROID}\" ]; then",
+            "  rm -f \"${DEPLOY_ANDROID}/$$(basename \"${OUTPUT_PATH}\")\"",
+            "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_ANDROID}/\"",
+            "fi"
+          ]
+        }
+      ]
+    },
+    {
+      "type": "android",
+      "build": "android-legacy",
+      "min_sdk": 21,
+      "ndk_version": "28.0.13004108",
+      "lib_name": "box",
+      "languages": [{ "type": "java" }],
+      "artifacts": [
+        {
+          "type": "aar",
+          "output_path": "libbox-legacy.aar",
+          "execute_after": [
+            "if [ -d \"${DEPLOY_ANDROID}\" ]; then",
+            "  rm -f \"${DEPLOY_ANDROID}/$$(basename \"${OUTPUT_PATH}\")\"",
+            "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_ANDROID}/\"",
+            "fi"
+          ]
+        }
+      ]
+    },
+    {
+      "type": "apple",
+      "build": "apple",
+      "targets": [
+        "ios/arm64",
+        "ios/simulator/arm64",
+        "ios/simulator/amd64",
+        "tvos/arm64",
+        "tvos/simulator/arm64",
+        "tvos/simulator/amd64",
+        "macos/arm64",
+        "macos/amd64"
+      ],
+      "languages": [{ "type": "objc" }],
+      "artifacts": [
+        {
+          "type": "xcframework",
+          "module_name": "Libbox",
+          "execute_after": [
+            "if [ -d \"${DEPLOY_APPLE}\" ]; then",
+            "  rm -rf \"${DEPLOY_APPLE}/${MODULE_NAME}.xcframework\"",
+            "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_APPLE}/\"",
+            "fi"
+          ]
+        }
+      ]
+    },
+    {
+      "type": "csharp",
+      "build": "windows",
+      "targets": [
+        "windows/amd64"
+      ],
+      "languages": [{ "type": "csharp" }],
+      "artifacts": [
+        {
+          "type": "nuget",
+          "package_id": "SagerNet.Libbox",
+          "package_version": "0.0.0-local",
+          "execute_after": {
+            "windows": [
+              "$$deployPath = '${DEPLOY_WINDOWS}'",
+              "if (Test-Path $$deployPath) {",
+              "  Remove-Item \"$$deployPath\\${PACKAGE_ID}.*.nupkg\" -ErrorAction SilentlyContinue",
+              "  Move-Item -Force '${OUTPUT_PATH}' \"$$deployPath\\\"",
+              "  $$cachePath = if ($$env:NUGET_PACKAGES) { $$env:NUGET_PACKAGES } else { \"$$env:USERPROFILE\\.nuget\\packages\" }",
+              "  Remove-Item -Recurse -Force \"$$cachePath\\sagernet.libbox\\${PACKAGE_VERSION}\" -ErrorAction SilentlyContinue",
+              "}"
+            ],
+            "default": [
+              "if [ -d \"${DEPLOY_WINDOWS}\" ]; then",
+              "  rm -f \"${DEPLOY_WINDOWS}/${PACKAGE_ID}.*.nupkg\"",
+              "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_WINDOWS}/\"",
+              "  cache_path=\"$${NUGET_PACKAGES:-$${HOME}/.nuget/packages}\"",
+              "  rm -rf \"$${cache_path}/sagernet.libbox/${PACKAGE_VERSION}\"",
+              "fi"
+            ]
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/experimental/libbox/memory.go
+++ b/experimental/libbox/memory.go
@@ -4,20 +4,23 @@ import (
 	"math"
 	runtimeDebug "runtime/debug"

-	"github.com/sagernet/sing-box/common/conntrack"
+	C "github.com/sagernet/sing-box/constant"
 )

+var memoryLimitEnabled bool
+
 func SetMemoryLimit(enabled bool) {
-	const memoryLimit = 45 * 1024 * 1024
-	const memoryLimitGo = memoryLimit / 1.5
+	memoryLimitEnabled = enabled
+	const memoryLimitGo = 45 * 1024 * 1024
 	if enabled {
 		runtimeDebug.SetGCPercent(10)
-		runtimeDebug.SetMemoryLimit(memoryLimitGo)
-		conntrack.KillerEnabled = true
-		conntrack.MemoryLimit = memoryLimit
+		if C.IsIos {
+			runtimeDebug.SetMemoryLimit(memoryLimitGo)
+		}
 	} else {
 		runtimeDebug.SetGCPercent(100)
-		runtimeDebug.SetMemoryLimit(math.MaxInt64)
-		conntrack.KillerEnabled = false
+		if C.IsIos {
+			runtimeDebug.SetMemoryLimit(math.MaxInt64)
+		}
 	}
 }
--- a/experimental/libbox/profile_import.go
+++ b/experimental/libbox/profile_import.go
@@ -5,6 +5,7 @@ import (
 	"bytes"
 	"compress/gzip"
 	"encoding/binary"
+	"io"

 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/varbin"
@@ -35,7 +36,7 @@ type ErrorMessage struct {
 func (e *ErrorMessage) Encode() []byte {
 	var buffer bytes.Buffer
 	buffer.WriteByte(MessageTypeError)
-	varbin.Write(&buffer, binary.BigEndian, e.Message)
+	writeString(&buffer, e.Message)
 	return buffer.Bytes()
 }

@@ -49,7 +50,7 @@ func DecodeErrorMessage(data []byte) (*ErrorMessage, error) {
 		return nil, E.New("invalid message")
 	}
 	var message ErrorMessage
-	message.Message, err = varbin.ReadValue[string](reader, binary.BigEndian)
+	message.Message, err = readString(reader)
 	if err != nil {
 		return nil, err
 	}
@@ -87,7 +88,7 @@ func (e *ProfileEncoder) Encode() []byte {
 	binary.Write(&buffer, binary.BigEndian, uint16(len(e.profiles)))
 	for _, preview := range e.profiles {
 		binary.Write(&buffer, binary.BigEndian, preview.ProfileID)
-		varbin.Write(&buffer, binary.BigEndian, preview.Name)
+		writeString(&buffer, preview.Name)
 		binary.Write(&buffer, binary.BigEndian, preview.Type)
 	}
 	return buffer.Bytes()
@@ -117,7 +118,7 @@ func (d *ProfileDecoder) Decode(data []byte) error {
 		if err != nil {
 			return err
 		}
-		profile.Name, err = varbin.ReadValue[string](reader, binary.BigEndian)
+		profile.Name, err = readString(reader)
 		if err != nil {
 			return err
 		}
@@ -178,11 +179,11 @@ func (c *ProfileContent) Encode() []byte {
 	buffer.WriteByte(1)
 	gWriter := gzip.NewWriter(buffer)
 	writer := bufio.NewWriter(gWriter)
-	varbin.Write(writer, binary.BigEndian, c.Name)
+	writeStringBuffered(writer, c.Name)
 	binary.Write(writer, binary.BigEndian, c.Type)
-	varbin.Write(writer, binary.BigEndian, c.Config)
+	writeStringBuffered(writer, c.Config)
 	if c.Type != ProfileTypeLocal {
-		varbin.Write(writer, binary.BigEndian, c.RemotePath)
+		writeStringBuffered(writer, c.RemotePath)
 	}
 	if c.Type == ProfileTypeRemote {
 		binary.Write(writer, binary.BigEndian, c.AutoUpdate)
@@ -214,7 +215,7 @@ func DecodeProfileContent(data []byte) (*ProfileContent, error) {
 	}
 	bReader := varbin.StubReader(gReader)
 	var content ProfileContent
-	content.Name, err = varbin.ReadValue[string](bReader, binary.BigEndian)
+	content.Name, err = readString(bReader)
 	if err != nil {
 		return nil, err
 	}
@@ -222,12 +223,12 @@ func DecodeProfileContent(data []byte) (*ProfileContent, error) {
 	if err != nil {
 		return nil, err
 	}
-	content.Config, err = varbin.ReadValue[string](bReader, binary.BigEndian)
+	content.Config, err = readString(bReader)
 	if err != nil {
 		return nil, err
 	}
 	if content.Type != ProfileTypeLocal {
-		content.RemotePath, err = varbin.ReadValue[string](bReader, binary.BigEndian)
+		content.RemotePath, err = readString(bReader)
 		if err != nil {
 			return nil, err
 		}
@@ -250,3 +251,28 @@ func DecodeProfileContent(data []byte) (*ProfileContent, error) {
 	}
 	return &content, nil
 }
+
+func readString(reader io.ByteReader) (string, error) {
+	length, err := binary.ReadUvarint(reader)
+	if err != nil {
+		return "", err
+	}
+	buf := make([]byte, length)
+	for i := range buf {
+		buf[i], err = reader.ReadByte()
+		if err != nil {
+			return "", err
+		}
+	}
+	return string(buf), nil
+}
+
+func writeString(buffer *bytes.Buffer, value string) {
+	varbin.WriteUvarint(buffer, uint64(len(value)))
+	buffer.WriteString(value)
+}
+
+func writeStringBuffered(writer *bufio.Writer, value string) {
+	varbin.WriteUvarint(writer, uint64(len(value)))
+	writer.WriteString(value)
+}
--- a/experimental/libbox/semver.go
+++ b/experimental/libbox/semver.go
@@ -0,0 +1,27 @@
+package libbox
+
+import (
+	"strings"
+
+	"golang.org/x/mod/semver"
+)
+
+func CompareSemver(left string, right string) bool {
+	normalizedLeft := normalizeSemver(left)
+	if !semver.IsValid(normalizedLeft) {
+		return false
+	}
+	normalizedRight := normalizeSemver(right)
+	if !semver.IsValid(normalizedRight) {
+		return false
+	}
+	return semver.Compare(normalizedLeft, normalizedRight) > 0
+}
+
+func normalizeSemver(version string) string {
+	trimmedVersion := strings.TrimSpace(version)
+	if strings.HasPrefix(trimmedVersion, "v") {
+		return trimmedVersion
+	}
+	return "v" + trimmedVersion
+}
--- a/experimental/libbox/semver_test.go
+++ b/experimental/libbox/semver_test.go
@@ -0,0 +1,16 @@
+package libbox
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestCompareSemver(t *testing.T) {
+	t.Parallel()
+
+	require.False(t, CompareSemver("1.13.0-rc.4", "1.13.0"))
+	require.True(t, CompareSemver("1.13.1", "1.13.0"))
+	require.False(t, CompareSemver("v1.13.0", "1.13.0"))
+	require.False(t, CompareSemver("1.13.0-", "1.13.0"))
+}
--- a/go.mod
+++ b/go.mod
@@ -3,46 +3,47 @@ module github.com/sagernet/sing-box
 go 1.24.7

 require (
-	github.com/anthropics/anthropic-sdk-go v1.19.0
+	github.com/anthropics/anthropic-sdk-go v1.26.0
 	github.com/anytls/sing-anytls v0.0.11
 	github.com/caddyserver/certmagic v0.25.0
 	github.com/coder/websocket v1.8.14
 	github.com/cretz/bine v0.2.0
-	github.com/database64128/tfo-go/v2 v2.3.1
+	github.com/database64128/tfo-go/v2 v2.3.2
 	github.com/go-chi/chi/v5 v5.2.3
 	github.com/go-chi/render v1.0.3
 	github.com/godbus/dbus/v5 v5.2.1
 	github.com/gofrs/uuid/v5 v5.4.0
 	github.com/insomniacslk/dhcp v0.0.0-20251020182700-175e84fbb167
 	github.com/keybase/go-keychain v0.0.1
+	github.com/libdns/acmedns v0.5.0
 	github.com/libdns/alidns v1.0.6-beta.3
 	github.com/libdns/cloudflare v0.2.2
 	github.com/logrusorgru/aurora v2.0.3+incompatible
 	github.com/metacubex/utls v1.8.4
 	github.com/mholt/acmez/v3 v3.1.4
 	github.com/miekg/dns v1.1.69
-	github.com/openai/openai-go/v3 v3.15.0
+	github.com/openai/openai-go/v3 v3.23.0
 	github.com/oschwald/maxminddb-golang v1.13.1
 	github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
 	github.com/sagernet/cors v1.2.1
-	github.com/sagernet/cronet-go v0.0.0-20260117110918-dc1cda1fe287
-	github.com/sagernet/cronet-go/all v0.0.0-20260117110918-dc1cda1fe287
+	github.com/sagernet/cronet-go v0.0.0-20260227112944-17c7ef18afa6
+	github.com/sagernet/cronet-go/all v0.0.0-20260227112944-17c7ef18afa6
 	github.com/sagernet/fswatch v0.1.1
-	github.com/sagernet/gomobile v0.1.11
+	github.com/sagernet/gomobile v0.1.12
 	github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1
-	github.com/sagernet/quic-go v0.59.0-sing-box-mod.2
-	github.com/sagernet/sing v0.8.0-beta.11
+	github.com/sagernet/quic-go v0.59.0-sing-box-mod.4
+	github.com/sagernet/sing v0.8.0-beta.16.0.20260227013657-e419e9875a07
 	github.com/sagernet/sing-mux v0.3.4
-	github.com/sagernet/sing-quic v0.6.0-beta.11
+	github.com/sagernet/sing-quic v0.6.0-beta.13
 	github.com/sagernet/sing-shadowsocks v0.2.8
 	github.com/sagernet/sing-shadowsocks2 v0.2.1
 	github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11
-	github.com/sagernet/sing-tun v0.8.0-beta.13
+	github.com/sagernet/sing-tun v0.8.0-beta.18
 	github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1
 	github.com/sagernet/smux v1.5.50-sing-box-mod.1
 	github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6
-	github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20250917110311-16510ac47288
+	github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c
 	github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854
 	github.com/spf13/cobra v1.10.2
 	github.com/stretchr/testify v1.11.1
@@ -53,7 +54,7 @@ require (
 	golang.org/x/exp v0.0.0-20251219203646-944ab1f22d93
 	golang.org/x/mod v0.31.0
 	golang.org/x/net v0.48.0
-	golang.org/x/sys v0.39.0
+	golang.org/x/sys v0.41.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
 	google.golang.org/grpc v1.77.0
 	google.golang.org/protobuf v1.36.11
@@ -104,28 +105,35 @@ require (
 	github.com/prometheus-community/pro-bing v0.4.0 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/safchain/ethtool v0.3.0 // indirect
-	github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
-	github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260227112350-bf468eec914d // indirect
 	github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a // indirect
 	github.com/sagernet/nftables v0.3.0-beta.4 // indirect
 	github.com/spf13/pflag v1.0.9 // indirect
--- a/go.sum
+++ b/go.sum
@@ -8,8 +8,8 @@ github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7V
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/andybalholm/brotli v1.1.0 h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1U3M=
 github.com/andybalholm/brotli v1.1.0/go.mod h1:sms7XGricyQI9K10gOSf56VKKWS4oLer58Q+mhRPtnY=
-github.com/anthropics/anthropic-sdk-go v1.19.0 h1:mO6E+ffSzLRvR/YUH9KJC0uGw0uV8GjISIuzem//3KE=
-github.com/anthropics/anthropic-sdk-go v1.19.0/go.mod h1:WTz31rIUHUHqai2UslPpw5CwXrQP3geYBioRV4WOLvE=
+github.com/anthropics/anthropic-sdk-go v1.26.0 h1:oUTzFaUpAevfuELAP1sjL6CQJ9HHAfT7CoSYSac11PY=
+github.com/anthropics/anthropic-sdk-go v1.26.0/go.mod h1:qUKmaW+uuPB64iy1l+4kOSvaLqPXnHTTBKH6RVZ7q5Q=
 github.com/anytls/sing-anytls v0.0.11 h1:w8e9Uj1oP3m4zxkyZDewPk0EcQbvVxb7Nn+rapEx4fc=
 github.com/anytls/sing-anytls v0.0.11/go.mod h1:7rjN6IukwysmdusYsrV51Fgu1uW6vsrdd6ctjnEAln8=
 github.com/caddyserver/certmagic v0.25.0 h1:VMleO/XA48gEWes5l+Fh6tRWo9bHkhwAEhx63i+F5ic=
@@ -29,8 +29,8 @@ github.com/cretz/bine v0.2.0 h1:8GiDRGlTgz+o8H9DSnsl+5MeBK4HsExxgl6WgzOCuZo=
 github.com/cretz/bine v0.2.0/go.mod h1:WU4o9QR9wWp8AVKtTM1XD5vUHkEqnf2vVSo6dBqbetI=
 github.com/database64128/netx-go v0.1.1 h1:dT5LG7Gs7zFZBthFBbzWE6K8wAHjSNAaK7wCYZT7NzM=
 github.com/database64128/netx-go v0.1.1/go.mod h1:LNlYVipaYkQArRFDNNJ02VkNV+My9A5XR/IGS7sIBQc=
-github.com/database64128/tfo-go/v2 v2.3.1 h1:EGE+ELd5/AQ0X6YBlQ9RgKs8+kciNhgN3d8lRvfEJQw=
-github.com/database64128/tfo-go/v2 v2.3.1/go.mod h1:k9wcpg/8i5zenspBkc9jUEYehpZZccBnCElzOJB++bU=
+github.com/database64128/tfo-go/v2 v2.3.2 h1:UhZMKiMq3swZGUiETkLBDzQnZBPSAeBMClpJGlnJ5Fw=
+github.com/database64128/tfo-go/v2 v2.3.2/go.mod h1:GC3uB5oa4beGpCUbRb2ZOWP73bJJFmMyAVgQSO7r724=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -38,6 +38,8 @@ github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa h1:h8TfIT1xc8FWbww
 github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa/go.mod h1:Nx87SkVqTKd8UtT+xu7sM/l+LgXs6c0aHrlKusR+2EQ=
 github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1 h1:CaO/zOnF8VvUfEbhRatPcwKVWamvbYd8tQGRWacE9kU=
 github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1/go.mod h1:+hnT3ywWDTAFrW5aE+u2Sa/wT555ZqwoCS+pk3p6ry4=
+github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
+github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
 github.com/ebitengine/purego v0.9.1 h1:a/k2f2HQU3Pi399RPW1MOaZyhKJL9w/xFpKAg4q1s0A=
 github.com/ebitengine/purego v0.9.1/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/florianl/go-nfqueue/v2 v2.0.2 h1:FL5lQTeetgpCvac1TRwSfgaXUn0YSO7WzGvWNIp3JPE=
@@ -102,6 +104,8 @@ github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zt
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
+github.com/libdns/acmedns v0.5.0 h1:5pRtmUj4Lb/QkNJSl1xgOGBUJTWW7RjpNaIhjpDXjPE=
+github.com/libdns/acmedns v0.5.0/go.mod h1:X7UAFP1Ep9NpTwWpVlrZzJLR7epynAy0wrIxSPFgKjQ=
 github.com/libdns/alidns v1.0.6-beta.3 h1:KAmb7FQ1tRzKsaAUGa7ZpGKAMRANwg7+1c7tUbSELq8=
 github.com/libdns/alidns v1.0.6-beta.3/go.mod h1:RECwyQ88e9VqQVtSrvX76o1ux3gQUKGzMgxICi+u7Ec=
 github.com/libdns/cloudflare v0.2.2 h1:XWHv+C1dDcApqazlh08Q6pjytYLgR2a+Y3xrXFu0vsI=
@@ -124,8 +128,8 @@ github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc
 github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 h1:zYyBkD/k9seD2A7fsi6Oo2LfFZAehjjQMERAvZLEDnQ=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8=
-github.com/openai/openai-go/v3 v3.15.0 h1:hk99rM7YPz+M99/5B/zOQcVwFRLLMdprVGx1vaZ8XMo=
-github.com/openai/openai-go/v3 v3.15.0/go.mod h1:cdufnVK14cWcT9qA1rRtrXx4FTRsgbDPW7Ia7SS5cZo=
+github.com/openai/openai-go/v3 v3.23.0 h1:FRFwTcB4FoWFtIunTY/8fgHvzSHgqbfWjiCwOMVrsvw=
+github.com/openai/openai-go/v3 v3.23.0/go.mod h1:cdufnVK14cWcT9qA1rRtrXx4FTRsgbDPW7Ia7SS5cZo=
 github.com/oschwald/maxminddb-golang v1.13.1 h1:G3wwjdN9JmIK2o/ermkHM+98oX5fS+k5MbwsmL4MRQE=
 github.com/oschwald/maxminddb-golang v1.13.1/go.mod h1:K4pgV9N/GcK694KSTmVSDTODk4IsCNThNdTmnaBZ/F8=
 github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
@@ -148,88 +152,102 @@ github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkk
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a/go.mod h1:63s7jpZqcDAIpj8oI/1v4Izok+npJOHACFCU6+huCkM=
 github.com/sagernet/cors v1.2.1 h1:Cv5Z8y9YSD6Gm+qSpNrL3LO4lD3eQVvbFYJSG7JCMHQ=
 github.com/sagernet/cors v1.2.1/go.mod h1:O64VyOjjhrkLmQIjF4KGRrJO/5dVXFdpEmCW/eISRAI=
-github.com/sagernet/cronet-go v0.0.0-20260117110918-dc1cda1fe287 h1:0BYNmr0ptjsII948U0oBFmrbo4qEaCFcrE2JPRg3Zlk=
-github.com/sagernet/cronet-go v0.0.0-20260117110918-dc1cda1fe287/go.mod h1:hwFHBEjjthyEquDULbr4c4ucMedp8Drb6Jvm2kt/0Bw=
-github.com/sagernet/cronet-go/all v0.0.0-20260117110918-dc1cda1fe287 h1:ghxhYSBQpzkakqWqJDvXr/Zmxe0WjTjKuALEGbjGiGY=
-github.com/sagernet/cronet-go/all v0.0.0-20260117110918-dc1cda1fe287/go.mod h1:M+4ZjPhLJXIvoxcQsbDofmc19Wrig59hZ+hLvj6S3To=
-github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260117110516-f21660bef13f h1:8jZbZ4KBTdcXDFLwUBNQt5Xci6ZuAKh255S8TwuBCaM=
-github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260117110516-f21660bef13f/go.mod h1:XXDwdjX/T8xftoeJxQmbBoYXZp8MAPFR2CwbFuTpEtw=
-github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260117110516-f21660bef13f h1:tG0hCx+0u5zca7qQ7AMkcv4DCrBG/DKW1ggs/P+BRRI=
-github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:iNiUGoLtnr8/JTuVNj7XJbmpOAp2C6+B81KDrPxwaZM=
-github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260117110516-f21660bef13f h1:ZXp5hKJIA7iJ52ZShJCKMQEPLpp/7dDIVZmPGV9Il40=
-github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260117110516-f21660bef13f/go.mod h1:19ILNUOGIzRdOqa2mq+iY0JoHxuieB7/lnjYeaA2vEc=
-github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260117110516-f21660bef13f h1:gL7H8HS8s38adz4/HZtRHh79qMwsbLTRRPz4GQ9LcWI=
-github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:JxzGyQf94Cr6sBShKqODGDyRUlESfJK/Njcz9Lz6qMQ=
-github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260117110516-f21660bef13f h1:Dchgc0pAY5Jwb5lzUlE+1nhHIzqLx+YOurXLHgvWd/0=
-github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:KN+9T9TBycGOLzmKU4QdcHAJEj6Nlx48ifnlTvvHMvs=
-github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260117110516-f21660bef13f h1:+MOLSQoduuKDxF410i1LcSPaQGaiP0eZb0INvMlmjM4=
-github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:kojvtUc29KKnk8hs2QIANynVR59921SnGWA9kXohHc0=
-github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260117110516-f21660bef13f h1:lIZna05Vn6n8k21p8OpSUnhwGm+E57PrMjiI4ZUfMSg=
-github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:hkQzRE5GDbaH1/ioqYh0Taho4L6i0yLRCVEZ5xHz5M0=
-github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260117110516-f21660bef13f h1:B2aFQ5CRHI20t8YsEizvtguS5W2QfK7D5XV/NzTIxPE=
-github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:tzVJFTOm66UxLxy6K0ZN5Ic2PC79e+sKKnt+V9puEa4=
-github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260117110516-f21660bef13f h1:qpSwJ1rFGYCfJDenNCZoWYjoG7N+xEa6ke+E7/JO1i4=
-github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:M/pN6m3j0HFU6/y83n0HU6GLYys3tYdr/xTE8hVEGMo=
-github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260117110516-f21660bef13f h1:cx7Ipg0tSvTDjS4maMEYz4vuzz93BMPAysmZ1YLrz80=
-github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260117110516-f21660bef13f/go.mod h1:cGh5hO6eljCo6KMQ/Cel8Xgq4+etL0awZLRBDVG1EZQ=
-github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260117110516-f21660bef13f h1:4jOHuUiBxD8pJEpBBVQfJqyLmxjpd3t4MLRzU7YLFyg=
-github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:JFE0/cxaKkx0wqPMZU7MgaplQlU0zudv82dROJjClKU=
-github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260117110516-f21660bef13f h1:OpXBa2WlRU+Mam9oRe9Nn4/zf7gQ+qiBTNK8A5RwbfQ=
-github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:vU8VftFeSt7fURCa3JXD6+k6ss1YAX+idQjPvHmJ2tI=
-github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260117110516-f21660bef13f h1:nJpGFi+6hI85tl4zoyNFEnFEQ5+xEV5gyvsUoMvd8g0=
-github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:vCe4OUuL+XOUge9v3MyTD45BnuAXiH+DkjN9quDXJzQ=
-github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260117110516-f21660bef13f h1:SEy2rpmgOJgrqcEryJI/RSnqUWIsEsp0cfYoA8y21jc=
-github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260117110516-f21660bef13f/go.mod h1:w9amBWrvjtohQzBGCKJ7LCh22LhTIJs4sE7cYaKQzM0=
-github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260117110516-f21660bef13f h1:EW2TuFMLm0iBGqRZtuGwIZdeYmDtDsDmRcRRJQOMxUo=
-github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:TqlsFtcYS/etTeck46kHBeT8Le0Igw1Q/AV88UnMS3s=
-github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260117110516-f21660bef13f h1:3U5woxrNCkzfv1+UX+mVoWh1228AE1qAiMG02F9oFbY=
-github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:B6Qd0vys8sv9OKVRN6J9RqDzYRGE938Fb2zrYdBDyTQ=
-github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260117110516-f21660bef13f h1:YwFTfuWG3mmctroeDYtFZ6LHjGsedVO+5wInYbbUuUY=
-github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:3tXMMFY7AHugOVBZ5Al7cL7JKsnFOe5bMVr0hZPk3ow=
-github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260117110516-f21660bef13f h1:r4V0ddPCRLgGu0VdgR3aUsO9NjpmyjAf+h+3oTD9D6E=
-github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:aaX0YGl8nhGmfRWI8bc3BtDjY8Vzx6O0cS/e1uqxDq4=
-github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260117110516-f21660bef13f h1:B8yf4gFvEYUnwWmtVK9sdwUsflYZ387MhYmlOP2ohFQ=
-github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:EdzMKA96xITc42QEI+ct4SwqX8Dn3ltKK8wzdkLWpSc=
-github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260117110516-f21660bef13f h1:9YyaMg4rO1/jIgrxmNb0LKH+X7frSYWfX2pFgW5JUVM=
-github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:qix4kv1TTAJ5tY4lJ9vjhe9EY4mM+B7H5giOhbxDVcc=
-github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260117110516-f21660bef13f h1:B0fnGu0sh9yT/9JDN5u/GqThGoOzNN/daOAuGWFLXEk=
-github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:lm9w/oCCRyBiUa3G8lDQTT8x/ONUvgVR2iV9fVzUZB8=
-github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260117110516-f21660bef13f h1:lxPcIXKSSI5JDhc7rx/6yufISWM4vtBS2FY9PavWQTs=
-github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:n34YyLgapgjWdKa0IoeczjAFCwD3/dxbsH5sucKw0bw=
+github.com/sagernet/cronet-go v0.0.0-20260227112944-17c7ef18afa6 h1:Ato+guxmEL4uezcYV1UUUDpAv9HlcJQ7BZt2zpnzjuw=
+github.com/sagernet/cronet-go v0.0.0-20260227112944-17c7ef18afa6/go.mod h1:hwFHBEjjthyEquDULbr4c4ucMedp8Drb6Jvm2kt/0Bw=
+github.com/sagernet/cronet-go/all v0.0.0-20260227112944-17c7ef18afa6 h1:0ldSjcR5Gt/o+otTvUAmJ28FCLab9lnlpEhxRCMQpRA=
+github.com/sagernet/cronet-go/all v0.0.0-20260227112944-17c7ef18afa6/go.mod h1:xVwYoNCyv9tF7W1RJlUdDbT4bn5tyqtyTe1P1ZY2VP8=
+github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260227112350-bf468eec914d h1:tudlBYdQHIWctKIdf7pceBOFIUIISK6yFivwsxhxDk0=
+github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260227112350-bf468eec914d/go.mod h1:XXDwdjX/T8xftoeJxQmbBoYXZp8MAPFR2CwbFuTpEtw=
+github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260227112350-bf468eec914d h1:F5EsQlIknj0HlExBFR4EXW69dYj0MpK1HCpKhL/weEs=
+github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:iNiUGoLtnr8/JTuVNj7XJbmpOAp2C6+B81KDrPxwaZM=
+github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260227112350-bf468eec914d h1:9SQ6I2Y2radd6RyWEfV+9s1Q9Kth54B6gBHuJWNzQas=
+github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260227112350-bf468eec914d/go.mod h1:19ILNUOGIzRdOqa2mq+iY0JoHxuieB7/lnjYeaA2vEc=
+github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260227112350-bf468eec914d h1:+XoeknBi6+s6epDAS3BkEsp5zGqEJsT9L8JEcaq+0nE=
+github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:JxzGyQf94Cr6sBShKqODGDyRUlESfJK/Njcz9Lz6qMQ=
+github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260227112350-bf468eec914d h1:poqfhHJAg+7BtABn4cue7V4y8Kb2eZ1Cy0j+bhDangw=
+github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:KN+9T9TBycGOLzmKU4QdcHAJEj6Nlx48ifnlTvvHMvs=
+github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260227112350-bf468eec914d h1:nH6rtfqWbui9zQPjd18cpvZncGvn21UcVLtmeUoQKXs=
+github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:kojvtUc29KKnk8hs2QIANynVR59921SnGWA9kXohHc0=
+github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260227112350-bf468eec914d h1:HtnjWZzSQBaP29XJ5NoIps1TVZ7DUC7R0NH7IyhJ5Ag=
+github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260227112350-bf468eec914d/go.mod h1:hkQzRE5GDbaH1/ioqYh0Taho4L6i0yLRCVEZ5xHz5M0=
+github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260227112350-bf468eec914d h1:E2DWx0Agrj8Fi745S+otYW+W0rL2I8+Z2rZCFqGYPvQ=
+github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:tzVJFTOm66UxLxy6K0ZN5Ic2PC79e+sKKnt+V9puEa4=
+github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260227112350-bf468eec914d h1:j7f/rBwPlO1RpFQeM35QVHymVXGVo6d8WTz4i4SjcPo=
+github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260227112350-bf468eec914d/go.mod h1:M/pN6m3j0HFU6/y83n0HU6GLYys3tYdr/xTE8hVEGMo=
+github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260227112350-bf468eec914d h1:hz8kkcHGMe7QBTpbqkaw89ZFsfX+UN5F5RIDrroDkx8=
+github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260227112350-bf468eec914d/go.mod h1:cGh5hO6eljCo6KMQ/Cel8Xgq4+etL0awZLRBDVG1EZQ=
+github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260227112350-bf468eec914d h1:TNFaO19ySEyqG79j5+dYb+w4ivusrTXanWuogmC4VM0=
+github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260227112350-bf468eec914d/go.mod h1:JFE0/cxaKkx0wqPMZU7MgaplQlU0zudv82dROJjClKU=
+github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260227112350-bf468eec914d h1:Ewc/wR3yu/hOwG/p49nI9TwYmYv3Llm5DA6fSb1w8hY=
+github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:vU8VftFeSt7fURCa3JXD6+k6ss1YAX+idQjPvHmJ2tI=
+github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260227112350-bf468eec914d h1:PJ24NkPNpMrLGNRdb6moEqJo8gfhYcIRZmQD8jPPCJk=
+github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260227112350-bf468eec914d/go.mod h1:vCe4OUuL+XOUge9v3MyTD45BnuAXiH+DkjN9quDXJzQ=
+github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260227112350-bf468eec914d h1:IaUghNA8cOmmwvzUPKPsfhiG0KmpWpE0mFZl85T5/Bw=
+github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260227112350-bf468eec914d/go.mod h1:w9amBWrvjtohQzBGCKJ7LCh22LhTIJs4sE7cYaKQzM0=
+github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260227112350-bf468eec914d h1:whbeDcr9dDWPr45Is9QV6OHAncrBWLJtPuo4uyEJFBg=
+github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:TqlsFtcYS/etTeck46kHBeT8Le0Igw1Q/AV88UnMS3s=
+github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260227112350-bf468eec914d h1:ecHgaGMvikNYjsfULekdXjL/cQJXCS38yvHaKVMWtXc=
+github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260227112350-bf468eec914d/go.mod h1:B6Qd0vys8sv9OKVRN6J9RqDzYRGE938Fb2zrYdBDyTQ=
+github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260227112350-bf468eec914d h1:no7Cb54+vv1bQ39zFp+JIHKO8Tu3sTwqz8SoOAuV/Ek=
+github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260227112350-bf468eec914d/go.mod h1:3tXMMFY7AHugOVBZ5Al7cL7JKsnFOe5bMVr0hZPk3ow=
+github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260227112350-bf468eec914d h1:DqBSbam9KAzBgDInOoNy4K0baSJyxGWESxrDewU5aSs=
+github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:Wt5uFdU3tnmm8YzobYewwdF7Mt6SucRQg6xeTNWC3Tk=
+github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260227112350-bf468eec914d h1:fOR5i+hRyjG8ZzPSG6URkoTKr5qYOJfxZ58zd8HBteM=
+github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260227112350-bf468eec914d/go.mod h1:lyIF6wKBLwWa5ZXaAKbAoewewl+yCHo2iYev39Mbj4E=
+github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260227112350-bf468eec914d h1:hEQGQI+PfUzYBVas4NWw8WiEUsATco6vwv+t4qTtgtw=
+github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260227112350-bf468eec914d/go.mod h1:H46PnSTTZNcZokLLiDeMDaHiS1l14PH3tzWi0eykjD8=
+github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260227112350-bf468eec914d h1:AzzJ5AtZlwTbU5QOSixZdPLTjzWKCun3AobQChKy0W8=
+github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260227112350-bf468eec914d/go.mod h1:RBhSUDAKWq7fswtV4nQUQhuaTLcX3ettR7teA7/yf2w=
+github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260227112350-bf468eec914d h1:9Tp7s/WX4DZLx4ues8G38G2OV7eQbeuU2COEZEbGcF0=
+github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260227112350-bf468eec914d/go.mod h1:wRzoIOGG4xbpp3Gh3triLKwMwYriScXzFtunLYhY4w0=
+github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260227112350-bf468eec914d h1:T9EVZKTyZHOamwevomUZnJ6TQNc09I/BwK+L5HJCJj8=
+github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:LNiZXmWil1OPwKCheqQjtakZlJuKGFz+iv2eGF76Hhs=
+github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260227112350-bf468eec914d h1:FZmThI7xScJRPERFiA4L2l9KCwA0oi8/lEOajIKEtUQ=
+github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260227112350-bf468eec914d/go.mod h1:YFDGKTkpkJGc5+hnX/RYosZyTWg9h+68VB55fYRRLYc=
+github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260227112350-bf468eec914d h1:BCC/b8bL0dD9Q4ghgKABV/EsMe0J8GE/l7hcRdPkUXQ=
+github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260227112350-bf468eec914d/go.mod h1:aaX0YGl8nhGmfRWI8bc3BtDjY8Vzx6O0cS/e1uqxDq4=
+github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260227112350-bf468eec914d h1:3l463BXnC/X42ow2zqHm9Y/K4GM6aRsKUIZBcFxr2+Q=
+github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:EdzMKA96xITc42QEI+ct4SwqX8Dn3ltKK8wzdkLWpSc=
+github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260227112350-bf468eec914d h1:+XHEZ/z5NgPfjOAzOwfbQzR+42qaDNB0nv+fAOcd6Pc=
+github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260227112350-bf468eec914d/go.mod h1:qix4kv1TTAJ5tY4lJ9vjhe9EY4mM+B7H5giOhbxDVcc=
+github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260227112350-bf468eec914d h1:sYWbP+qCt9Rhb1yGaIRY7HVLtaQZmrHWR0obc5+Q1qc=
+github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:lm9w/oCCRyBiUa3G8lDQTT8x/ONUvgVR2iV9fVzUZB8=
+github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260227112350-bf468eec914d h1:r6eOVlAfmcUMD5nfz+mPd/aORevUKhcvxA1z1GdPnG8=
+github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:n34YyLgapgjWdKa0IoeczjAFCwD3/dxbsH5sucKw0bw=
 github.com/sagernet/fswatch v0.1.1 h1:YqID+93B7VRfqIH3PArW/XpJv5H4OLEVWDfProGoRQs=
 github.com/sagernet/fswatch v0.1.1/go.mod h1:nz85laH0mkQqJfaOrqPpkwtU1znMFNVTpT/5oRsVz/o=
-github.com/sagernet/gomobile v0.1.11 h1:niMQAspvuThup5eRZQpsGcbM76zAvnsGr7RUIpnQMDQ=
-github.com/sagernet/gomobile v0.1.11/go.mod h1:A8l3FlHi2D/+mfcd4HHvk5DGFPW/ShFb9jHP5VmSiDY=
+github.com/sagernet/gomobile v0.1.12 h1:XwzjZaclFF96deLqwAgK8gU3w0M2A8qxgDmhV+A0wjg=
+github.com/sagernet/gomobile v0.1.12/go.mod h1:A8l3FlHi2D/+mfcd4HHvk5DGFPW/ShFb9jHP5VmSiDY=
 github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1 h1:AzCE2RhBjLJ4WIWc/GejpNh+z30d5H1hwaB0nD9eY3o=
 github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1/go.mod h1:NJKBtm9nVEK3iyOYWsUlrDQuoGh4zJ4KOPhSYVidvQ4=
 github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a h1:ObwtHN2VpqE0ZNjr6sGeT00J8uU7JF4cNUdb44/Duis=
 github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
 github.com/sagernet/nftables v0.3.0-beta.4 h1:kbULlAwAC3jvdGAC1P5Fa3GSxVwQJibNenDW2zaXr8I=
 github.com/sagernet/nftables v0.3.0-beta.4/go.mod h1:OQXAjvjNGGFxaTgVCSTRIhYB5/llyVDeapVoENYBDS8=
-github.com/sagernet/quic-go v0.59.0-sing-box-mod.2 h1:hJUL+HtxEOjxsa0CsucbBVqI/AMS4k52NwNU637zmdw=
-github.com/sagernet/quic-go v0.59.0-sing-box-mod.2/go.mod h1:OqILvS182CyOol5zNNo6bguvOGgXzV459+chpRaUC+4=
-github.com/sagernet/sing v0.8.0-beta.11 h1:nn/2Uod61b5rLHnXCuaFcbDxI1oRCodaxjzjt7Mobe4=
-github.com/sagernet/sing v0.8.0-beta.11/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/quic-go v0.59.0-sing-box-mod.4 h1:6qvrUW79S+CrPwWz6cMePXohgjHoKxLo3c+MDhNwc3o=
+github.com/sagernet/quic-go v0.59.0-sing-box-mod.4/go.mod h1:OqILvS182CyOol5zNNo6bguvOGgXzV459+chpRaUC+4=
+github.com/sagernet/sing v0.8.0-beta.16.0.20260227013657-e419e9875a07 h1:LQqb+xtR5uqF6bePmJQ3sAToF/kMCjxSnz17HnboXA8=
+github.com/sagernet/sing v0.8.0-beta.16.0.20260227013657-e419e9875a07/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-mux v0.3.4 h1:ZQplKl8MNXutjzbMVtWvWG31fohhgOfCuUZR4dVQ8+s=
 github.com/sagernet/sing-mux v0.3.4/go.mod h1:QvlKMyNBNrQoyX4x+gq028uPbLM2XeRpWtDsWBJbFSk=
-github.com/sagernet/sing-quic v0.6.0-beta.11 h1:eUusxITKKRedhWC2ScUYFUvD96h/QfbKLaS3N6/7in4=
-github.com/sagernet/sing-quic v0.6.0-beta.11/go.mod h1:K5bWvITOm4vE10fwLfrWpw27bCoVJ+tfQ79tOWg+Ko8=
+github.com/sagernet/sing-quic v0.6.0-beta.13 h1:umDr6GC5fVbOIoTvqV4544wY61zEN+ObQwVGNP8sX1M=
+github.com/sagernet/sing-quic v0.6.0-beta.13/go.mod h1:K5bWvITOm4vE10fwLfrWpw27bCoVJ+tfQ79tOWg+Ko8=
 github.com/sagernet/sing-shadowsocks v0.2.8 h1:PURj5PRoAkqeHh2ZW205RWzN9E9RtKCVCzByXruQWfE=
 github.com/sagernet/sing-shadowsocks v0.2.8/go.mod h1:lo7TWEMDcN5/h5B8S0ew+r78ZODn6SwVaFhvB6H+PTI=
 github.com/sagernet/sing-shadowsocks2 v0.2.1 h1:dWV9OXCeFPuYGHb6IRqlSptVnSzOelnqqs2gQ2/Qioo=
 github.com/sagernet/sing-shadowsocks2 v0.2.1/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11 h1:tK+75l64tm9WvEFrYRE1t0YxoFdWQqw/h7Uhzj0vJ+w=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11/go.mod h1:sWqKnGlMipCHaGsw1sTTlimyUpgzP4WP3pjhCsYt9oA=
-github.com/sagernet/sing-tun v0.8.0-beta.13 h1:vbI3uGthPIBU2lPOCbVK1YSLeV73ivV/olOUAvh1L2g=
-github.com/sagernet/sing-tun v0.8.0-beta.13/go.mod h1:+HAK/y9GZljdT0KYKMYDR8MjjqnqDDQZYp5ZZQoRzS8=
+github.com/sagernet/sing-tun v0.8.0-beta.18 h1:C6oHxP9BNBVEVdC9ABMTXmKej9mUVtcuw2v+IiBS8yw=
+github.com/sagernet/sing-tun v0.8.0-beta.18/go.mod h1:+HAK/y9GZljdT0KYKMYDR8MjjqnqDDQZYp5ZZQoRzS8=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1 h1:aSwUNYUkVyVvdmBSufR8/nRFonwJeKSIROxHcm5br9o=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1/go.mod h1:P11scgTxMxVVQ8dlM27yNm3Cro40mD0+gHbnqrNGDuY=
 github.com/sagernet/smux v1.5.50-sing-box-mod.1 h1:XkJcivBC9V4wBjiGXIXZ229aZCU1hzcbp6kSkkyQ478=
 github.com/sagernet/smux v1.5.50-sing-box-mod.1/go.mod h1:NjhsCEWedJm7eFLyhuBgIEzwfhRmytrUoiLluxs5Sk8=
 github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6 h1:eYz/OpMqWCvO2++iw3dEuzrlfC2xv78GdlGvprIM6O8=
 github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6/go.mod h1:m87GAn4UcesHQF3leaPFEINZETO5za1LGn1GJdNDgNc=
-github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20250917110311-16510ac47288 h1:E2tZFeg9mGYGQ7E7BbxMv1cU35HxwgRm6tPKI2Pp7DA=
-github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20250917110311-16510ac47288/go.mod h1:WUxgxUDZoCF2sxVmW+STSxatP02Qn3FcafTiI2BLtE0=
+github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c h1:f9cXNB+IOOPnR8DOLMTpr42jf7naxh5Un5Y09BBf5Cg=
+github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c/go.mod h1:WUxgxUDZoCF2sxVmW+STSxatP02Qn3FcafTiI2BLtE0=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854 h1:6uUiZcDRnZSAegryaUGwPC/Fj13JSHwiTftrXhMmYOc=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854/go.mod h1:LtfoSK3+NG57tvnVEHgcuBW9ujgE8enPSgzgwStwCAA=
 github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
@@ -328,8 +346,8 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
-golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
 golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
@@ -362,6 +380,8 @@ google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
+gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/include/oom_killer.go
+++ b/include/oom_killer.go
@@ -0,0 +1,10 @@
+package include
+
+import (
+	"github.com/sagernet/sing-box/adapter/service"
+	"github.com/sagernet/sing-box/service/oomkiller"
+)
+
+func registerOOMKillerService(registry *service.Registry) {
+	oomkiller.RegisterService(registry)
+}
--- a/include/registry.go
+++ b/include/registry.go
@@ -137,6 +137,7 @@ func ServiceRegistry() *service.Registry {
 	registerDERPService(registry)
 	registerCCMService(registry)
 	registerOCMService(registry)
+	registerOOMKillerService(registry)

 	return registry
 }
--- a/option/naive.go
+++ b/option/naive.go
@@ -2,6 +2,7 @@ package option

 import (
 	"github.com/sagernet/sing/common/auth"
+	"github.com/sagernet/sing/common/byteformats"
 	"github.com/sagernet/sing/common/json/badoption"
 )

@@ -26,12 +27,14 @@ type NaiveInboundOptions struct {
 type NaiveOutboundOptions struct {
 	DialerOptions
 	ServerOptions
-	Username              string               `json:"username,omitempty"`
-	Password              string               `json:"password,omitempty"`
-	InsecureConcurrency   int                  `json:"insecure_concurrency,omitempty"`
-	ExtraHeaders          badoption.HTTPHeader `json:"extra_headers,omitempty"`
-	UDPOverTCP            *UDPOverTCPOptions   `json:"udp_over_tcp,omitempty"`
-	QUIC                  bool                 `json:"quic,omitempty"`
-	QUICCongestionControl string               `json:"quic_congestion_control,omitempty"`
+	Username                 string                   `json:"username,omitempty"`
+	Password                 string                   `json:"password,omitempty"`
+	InsecureConcurrency      int                      `json:"insecure_concurrency,omitempty"`
+	ExtraHeaders             badoption.HTTPHeader     `json:"extra_headers,omitempty"`
+	ReceiveWindow            *byteformats.MemoryBytes `json:"stream_receive_window,omitempty"`
+	UDPOverTCP               *UDPOverTCPOptions       `json:"udp_over_tcp,omitempty"`
+	QUIC                     bool                     `json:"quic,omitempty"`
+	QUICCongestionControl    string                   `json:"quic_congestion_control,omitempty"`
+	QUICSessionReceiveWindow *byteformats.MemoryBytes `json:"quic_session_receive_window,omitempty"`
 	OutboundTLSOptionsContainer
 }
--- a/option/oom_killer.go
+++ b/option/oom_killer.go
@@ -0,0 +1,14 @@
+package option
+
+import (
+	"github.com/sagernet/sing/common/byteformats"
+	"github.com/sagernet/sing/common/json/badoption"
+)
+
+type OOMKillerServiceOptions struct {
+	MemoryLimit       *byteformats.MemoryBytes `json:"memory_limit,omitempty"`
+	SafetyMargin      *byteformats.MemoryBytes `json:"safety_margin,omitempty"`
+	MinInterval       badoption.Duration       `json:"min_interval,omitempty"`
+	MaxInterval       badoption.Duration       `json:"max_interval,omitempty"`
+	ChecksBeforeLimit int                      `json:"checks_before_limit,omitempty"`
+}
--- a/option/tailscale.go
+++ b/option/tailscale.go
@@ -12,22 +12,23 @@ import (

 type TailscaleEndpointOptions struct {
 	DialerOptions
-	StateDirectory             string           `json:"state_directory,omitempty"`
-	AuthKey                    string           `json:"auth_key,omitempty"`
-	ControlURL                 string           `json:"control_url,omitempty"`
-	Ephemeral                  bool             `json:"ephemeral,omitempty"`
-	Hostname                   string           `json:"hostname,omitempty"`
-	AcceptRoutes               bool             `json:"accept_routes,omitempty"`
-	ExitNode                   string           `json:"exit_node,omitempty"`
-	ExitNodeAllowLANAccess     bool             `json:"exit_node_allow_lan_access,omitempty"`
-	AdvertiseRoutes            []netip.Prefix   `json:"advertise_routes,omitempty"`
-	AdvertiseExitNode          bool             `json:"advertise_exit_node,omitempty"`
-	RelayServerPort            *uint16          `json:"relay_server_port,omitempty"`
-	RelayServerStaticEndpoints []netip.AddrPort `json:"relay_server_static_endpoints,omitempty"`
-	SystemInterface            bool             `json:"system_interface,omitempty"`
-	SystemInterfaceName        string           `json:"system_interface_name,omitempty"`
-	SystemInterfaceMTU         uint32           `json:"system_interface_mtu,omitempty"`
-	UDPTimeout                 UDPTimeoutCompat `json:"udp_timeout,omitempty"`
+	StateDirectory             string                     `json:"state_directory,omitempty"`
+	AuthKey                    string                     `json:"auth_key,omitempty"`
+	ControlURL                 string                     `json:"control_url,omitempty"`
+	Ephemeral                  bool                       `json:"ephemeral,omitempty"`
+	Hostname                   string                     `json:"hostname,omitempty"`
+	AcceptRoutes               bool                       `json:"accept_routes,omitempty"`
+	ExitNode                   string                     `json:"exit_node,omitempty"`
+	ExitNodeAllowLANAccess     bool                       `json:"exit_node_allow_lan_access,omitempty"`
+	AdvertiseRoutes            []netip.Prefix             `json:"advertise_routes,omitempty"`
+	AdvertiseExitNode          bool                       `json:"advertise_exit_node,omitempty"`
+	AdvertiseTags              badoption.Listable[string] `json:"advertise_tags,omitempty"`
+	RelayServerPort            *uint16                    `json:"relay_server_port,omitempty"`
+	RelayServerStaticEndpoints []netip.AddrPort           `json:"relay_server_static_endpoints,omitempty"`
+	SystemInterface            bool                       `json:"system_interface,omitempty"`
+	SystemInterfaceName        string                     `json:"system_interface_name,omitempty"`
+	SystemInterfaceMTU         uint32                     `json:"system_interface_mtu,omitempty"`
+	UDPTimeout                 UDPTimeoutCompat           `json:"udp_timeout,omitempty"`
 }

 type TailscaleDNSServerOptions struct {
--- a/option/tls_acme.go
+++ b/option/tls_acme.go
@@ -31,6 +31,7 @@ type _ACMEDNS01ChallengeOptions struct {
 	Provider          string                     `json:"provider,omitempty"`
 	AliDNSOptions     ACMEDNS01AliDNSOptions     `json:"-"`
 	CloudflareOptions ACMEDNS01CloudflareOptions `json:"-"`
+	ACMEDNSOptions    ACMEDNS01ACMEDNSOptions    `json:"-"`
 }

 type ACMEDNS01ChallengeOptions _ACMEDNS01ChallengeOptions
@@ -42,6 +43,8 @@ func (o ACMEDNS01ChallengeOptions) MarshalJSON() ([]byte, error) {
 		v = o.AliDNSOptions
 	case C.DNSProviderCloudflare:
 		v = o.CloudflareOptions
+	case C.DNSProviderACMEDNS:
+		v = o.ACMEDNSOptions
 	case "":
 		return nil, E.New("missing provider type")
 	default:
@@ -61,6 +64,8 @@ func (o *ACMEDNS01ChallengeOptions) UnmarshalJSON(bytes []byte) error {
 		v = &o.AliDNSOptions
 	case C.DNSProviderCloudflare:
 		v = &o.CloudflareOptions
+	case C.DNSProviderACMEDNS:
+		v = &o.ACMEDNSOptions
 	default:
 		return E.New("unknown provider type: " + o.Provider)
 	}
@@ -82,3 +87,10 @@ type ACMEDNS01CloudflareOptions struct {
 	APIToken  string `json:"api_token,omitempty"`
 	ZoneToken string `json:"zone_token,omitempty"`
 }
+
+type ACMEDNS01ACMEDNSOptions struct {
+	Username  string `json:"username,omitempty"`
+	Password  string `json:"password,omitempty"`
+	Subdomain string `json:"subdomain,omitempty"`
+	ServerURL string `json:"server_url,omitempty"`
+}
--- a/option/tun.go
+++ b/option/tun.go
@@ -11,36 +11,37 @@ import (
 )

 type TunInboundOptions struct {
-	InterfaceName          string                           `json:"interface_name,omitempty"`
-	MTU                    uint32                           `json:"mtu,omitempty"`
-	Address                badoption.Listable[netip.Prefix] `json:"address,omitempty"`
-	AutoRoute              bool                             `json:"auto_route,omitempty"`
-	IPRoute2TableIndex     int                              `json:"iproute2_table_index,omitempty"`
-	IPRoute2RuleIndex      int                              `json:"iproute2_rule_index,omitempty"`
-	AutoRedirect           bool                             `json:"auto_redirect,omitempty"`
-	AutoRedirectInputMark  FwMark                           `json:"auto_redirect_input_mark,omitempty"`
-	AutoRedirectOutputMark FwMark                           `json:"auto_redirect_output_mark,omitempty"`
-	AutoRedirectResetMark  FwMark                           `json:"auto_redirect_reset_mark,omitempty"`
-	AutoRedirectNFQueue    uint16                           `json:"auto_redirect_nfqueue,omitempty"`
-	ExcludeMPTCP           bool                             `json:"exclude_mptcp,omitempty"`
-	LoopbackAddress        badoption.Listable[netip.Addr]   `json:"loopback_address,omitempty"`
-	StrictRoute            bool                             `json:"strict_route,omitempty"`
-	RouteAddress           badoption.Listable[netip.Prefix] `json:"route_address,omitempty"`
-	RouteAddressSet        badoption.Listable[string]       `json:"route_address_set,omitempty"`
-	RouteExcludeAddress    badoption.Listable[netip.Prefix] `json:"route_exclude_address,omitempty"`
-	RouteExcludeAddressSet badoption.Listable[string]       `json:"route_exclude_address_set,omitempty"`
-	IncludeInterface       badoption.Listable[string]       `json:"include_interface,omitempty"`
-	ExcludeInterface       badoption.Listable[string]       `json:"exclude_interface,omitempty"`
-	IncludeUID             badoption.Listable[uint32]       `json:"include_uid,omitempty"`
-	IncludeUIDRange        badoption.Listable[string]       `json:"include_uid_range,omitempty"`
-	ExcludeUID             badoption.Listable[uint32]       `json:"exclude_uid,omitempty"`
-	ExcludeUIDRange        badoption.Listable[string]       `json:"exclude_uid_range,omitempty"`
-	IncludeAndroidUser     badoption.Listable[int]          `json:"include_android_user,omitempty"`
-	IncludePackage         badoption.Listable[string]       `json:"include_package,omitempty"`
-	ExcludePackage         badoption.Listable[string]       `json:"exclude_package,omitempty"`
-	UDPTimeout             UDPTimeoutCompat                 `json:"udp_timeout,omitempty"`
-	Stack                  string                           `json:"stack,omitempty"`
-	Platform               *TunPlatformOptions              `json:"platform,omitempty"`
+	InterfaceName                 string                           `json:"interface_name,omitempty"`
+	MTU                           uint32                           `json:"mtu,omitempty"`
+	Address                       badoption.Listable[netip.Prefix] `json:"address,omitempty"`
+	AutoRoute                     bool                             `json:"auto_route,omitempty"`
+	IPRoute2TableIndex            int                              `json:"iproute2_table_index,omitempty"`
+	IPRoute2RuleIndex             int                              `json:"iproute2_rule_index,omitempty"`
+	AutoRedirect                  bool                             `json:"auto_redirect,omitempty"`
+	AutoRedirectInputMark         FwMark                           `json:"auto_redirect_input_mark,omitempty"`
+	AutoRedirectOutputMark        FwMark                           `json:"auto_redirect_output_mark,omitempty"`
+	AutoRedirectResetMark         FwMark                           `json:"auto_redirect_reset_mark,omitempty"`
+	AutoRedirectNFQueue           uint16                           `json:"auto_redirect_nfqueue,omitempty"`
+	AutoRedirectFallbackRuleIndex int                              `json:"auto_redirect_iproute2_fallback_rule_index,omitempty"`
+	ExcludeMPTCP                  bool                             `json:"exclude_mptcp,omitempty"`
+	LoopbackAddress               badoption.Listable[netip.Addr]   `json:"loopback_address,omitempty"`
+	StrictRoute                   bool                             `json:"strict_route,omitempty"`
+	RouteAddress                  badoption.Listable[netip.Prefix] `json:"route_address,omitempty"`
+	RouteAddressSet               badoption.Listable[string]       `json:"route_address_set,omitempty"`
+	RouteExcludeAddress           badoption.Listable[netip.Prefix] `json:"route_exclude_address,omitempty"`
+	RouteExcludeAddressSet        badoption.Listable[string]       `json:"route_exclude_address_set,omitempty"`
+	IncludeInterface              badoption.Listable[string]       `json:"include_interface,omitempty"`
+	ExcludeInterface              badoption.Listable[string]       `json:"exclude_interface,omitempty"`
+	IncludeUID                    badoption.Listable[uint32]       `json:"include_uid,omitempty"`
+	IncludeUIDRange               badoption.Listable[string]       `json:"include_uid_range,omitempty"`
+	ExcludeUID                    badoption.Listable[uint32]       `json:"exclude_uid,omitempty"`
+	ExcludeUIDRange               badoption.Listable[string]       `json:"exclude_uid_range,omitempty"`
+	IncludeAndroidUser            badoption.Listable[int]          `json:"include_android_user,omitempty"`
+	IncludePackage                badoption.Listable[string]       `json:"include_package,omitempty"`
+	ExcludePackage                badoption.Listable[string]       `json:"exclude_package,omitempty"`
+	UDPTimeout                    UDPTimeoutCompat                 `json:"udp_timeout,omitempty"`
+	Stack                         string                           `json:"stack,omitempty"`
+	Platform                      *TunPlatformOptions              `json:"platform,omitempty"`
 	InboundOptions

 	// Deprecated: removed
--- a/protocol/mixed/inbound.go
+++ b/protocol/mixed/inbound.go
@@ -4,6 +4,7 @@ import (
 	std_bufio "bufio"
 	"context"
 	"net"
+	"time"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/adapter/inbound"
@@ -36,14 +37,22 @@ type Inbound struct {
 	listener      *listener.Listener
 	authenticator *auth.Authenticator
 	tlsConfig     tls.ServerConfig
+	udpTimeout    time.Duration
 }

 func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.HTTPMixedInboundOptions) (adapter.Inbound, error) {
+	var udpTimeout time.Duration
+	if options.UDPTimeout != 0 {
+		udpTimeout = time.Duration(options.UDPTimeout)
+	} else {
+		udpTimeout = C.UDPTimeout
+	}
 	inbound := &Inbound{
 		Adapter:       inbound.NewAdapter(C.TypeMixed, tag),
 		router:        uot.NewRouter(router, logger),
 		logger:        logger,
 		authenticator: auth.NewAuthenticator(options.Users),
+		udpTimeout:    udpTimeout,
 	}
 	if options.TLS != nil {
 		tlsConfig, err := tls.NewServerWithOptions(tls.ServerOptions{
@@ -116,7 +125,7 @@ func (h *Inbound) newConnection(ctx context.Context, conn net.Conn, metadata ada
 	}
 	switch headerBytes[0] {
 	case socks4.Version, socks5.Version:
-		return socks.HandleConnectionEx(ctx, conn, reader, h.authenticator, adapter.NewUpstreamHandlerEx(metadata, h.newUserConnection, h.streamUserPacketConnection), h.listener, metadata.Source, onClose)
+		return socks.HandleConnectionEx(ctx, conn, reader, h.authenticator, adapter.NewUpstreamHandlerEx(metadata, h.newUserConnection, h.streamUserPacketConnection), h.listener, h.udpTimeout, metadata.Source, onClose)
 	default:
 		return http.HandleConnectionEx(ctx, conn, reader, h.authenticator, adapter.NewUpstreamHandlerEx(metadata, h.newUserConnection, h.streamUserPacketConnection), metadata.Source, onClose)
 	}
--- a/protocol/naive/inbound_conn.go
+++ b/protocol/naive/inbound_conn.go
@@ -95,6 +95,7 @@ func (p *paddingConn) writeWithPadding(writer io.Writer, data []byte) (n int, er
 		binary.BigEndian.PutUint16(header, uint16(len(data)))
 		header[2] = byte(paddingSize)
 		common.Must1(buffer.Write(data))
+		buffer.Extend(paddingSize)
 		_, err = writer.Write(buffer.Bytes())
 		if err == nil {
 			n = len(data)
--- a/protocol/naive/outbound.go
+++ b/protocol/naive/outbound.go
@@ -235,7 +235,7 @@ func (h *Outbound) DialContext(ctx context.Context, network string, destination
 	switch N.NetworkName(network) {
 	case N.NetworkTCP:
 		h.logger.InfoContext(ctx, "outbound connection to ", destination)
-		return h.client.DialEarly(destination)
+		return h.client.DialEarly(ctx, destination)
 	case N.NetworkUDP:
 		if h.uotClient == nil {
 			return nil, E.New("UDP is not supported unless UDP over TCP is enabled")
@@ -254,6 +254,10 @@ func (h *Outbound) ListenPacket(ctx context.Context, destination M.Socksaddr) (n
 	return h.uotClient.ListenPacket(ctx, destination)
 }

+func (h *Outbound) InterfaceUpdated() {
+	h.client.Engine().CloseAllConnections()
+}
+
 func (h *Outbound) Close() error {
 	return h.client.Close()
 }
@@ -267,5 +271,5 @@ type naiveDialer struct {
 }

 func (d *naiveDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	return d.NaiveClient.DialEarly(destination)
+	return d.NaiveClient.DialEarly(ctx, destination)
 }
--- a/protocol/socks/inbound.go
+++ b/protocol/socks/inbound.go
@@ -4,6 +4,7 @@ import (
 	std_bufio "bufio"
 	"context"
 	"net"
+	"time"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/adapter/inbound"
@@ -31,14 +32,22 @@ type Inbound struct {
 	logger        logger.ContextLogger
 	listener      *listener.Listener
 	authenticator *auth.Authenticator
+	udpTimeout    time.Duration
 }

 func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.SocksInboundOptions) (adapter.Inbound, error) {
+	var udpTimeout time.Duration
+	if options.UDPTimeout != 0 {
+		udpTimeout = time.Duration(options.UDPTimeout)
+	} else {
+		udpTimeout = C.UDPTimeout
+	}
 	inbound := &Inbound{
 		Adapter:       inbound.NewAdapter(C.TypeSOCKS, tag),
 		router:        uot.NewRouter(router, logger),
 		logger:        logger,
 		authenticator: auth.NewAuthenticator(options.Users),
+		udpTimeout:    udpTimeout,
 	}
 	inbound.listener = listener.New(listener.Options{
 		Context:           ctx,
@@ -62,7 +71,7 @@ func (h *Inbound) Close() error {
 }

 func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
-	err := socks.HandleConnectionEx(ctx, conn, std_bufio.NewReader(conn), h.authenticator, adapter.NewUpstreamHandlerEx(metadata, h.newUserConnection, h.streamUserPacketConnection), h.listener, metadata.Source, onClose)
+	err := socks.HandleConnectionEx(ctx, conn, std_bufio.NewReader(conn), h.authenticator, adapter.NewUpstreamHandlerEx(metadata, h.newUserConnection, h.streamUserPacketConnection), h.listener, h.udpTimeout, metadata.Source, onClose)
 	N.CloseOnHandshakeFailure(conn, onClose, err)
 	if err != nil {
 		if E.IsClosedOrCanceled(err) {
--- a/protocol/tailscale/endpoint.go
+++ b/protocol/tailscale/endpoint.go
@@ -97,6 +97,7 @@ type Endpoint struct {
 	exitNodeAllowLANAccess     bool
 	advertiseRoutes            []netip.Prefix
 	advertiseExitNode          bool
+	advertiseTags              []string
 	relayServerPort            *uint16
 	relayServerStaticEndpoints []netip.AddrPort

@@ -209,10 +210,11 @@ func NewEndpoint(ctx context.Context, router adapter.Router, logger log.ContextL
 		UserLogf: func(format string, args ...any) {
 			logger.Debug(fmt.Sprintf(format, args...))
 		},
-		Ephemeral:  options.Ephemeral,
-		AuthKey:    options.AuthKey,
-		ControlURL: options.ControlURL,
-		Dialer:     &endpointDialer{Dialer: outboundDialer, logger: logger},
+		Ephemeral:     options.Ephemeral,
+		AuthKey:       options.AuthKey,
+		ControlURL:    options.ControlURL,
+		AdvertiseTags: options.AdvertiseTags,
+		Dialer:        &endpointDialer{Dialer: outboundDialer, logger: logger},
 		LookupHook: func(ctx context.Context, host string) ([]netip.Addr, error) {
 			return dnsRouter.Lookup(ctx, host, outboundDialer.(dialer.ResolveDialer).QueryOptions())
 		},
@@ -244,6 +246,7 @@ func NewEndpoint(ctx context.Context, router adapter.Router, logger log.ContextL
 		exitNodeAllowLANAccess:     options.ExitNodeAllowLANAccess,
 		advertiseRoutes:            options.AdvertiseRoutes,
 		advertiseExitNode:          options.AdvertiseExitNode,
+		advertiseTags:              options.AdvertiseTags,
 		relayServerPort:            options.RelayServerPort,
 		relayServerStaticEndpoints: options.RelayServerStaticEndpoints,
 		udpTimeout:                 udpTimeout,
@@ -359,25 +362,23 @@ func (t *Endpoint) Start(stage adapter.StartStage) error {
 	localBackend := t.server.ExportLocalBackend()
 	perfs := &ipn.MaskedPrefs{
 		Prefs: ipn.Prefs{
-			RouteAll: t.acceptRoutes,
+			RouteAll:        t.acceptRoutes,
+			AdvertiseRoutes: t.advertiseRoutes,
 		},
-		RouteAllSet:        true,
-		ExitNodeIPSet:      true,
-		AdvertiseRoutesSet: true,
-	}
-	if len(t.advertiseRoutes) > 0 {
-		perfs.AdvertiseRoutes = t.advertiseRoutes
+		RouteAllSet:                   true,
+		ExitNodeIPSet:                 true,
+		AdvertiseRoutesSet:            true,
+		RelayServerPortSet:            true,
+		RelayServerStaticEndpointsSet: true,
 	}
 	if t.advertiseExitNode {
 		perfs.AdvertiseRoutes = append(perfs.AdvertiseRoutes, tsaddr.ExitRoutes()...)
 	}
 	if t.relayServerPort != nil {
 		perfs.RelayServerPort = t.relayServerPort
-		perfs.RelayServerPortSet = true
 	}
 	if len(t.relayServerStaticEndpoints) > 0 {
 		perfs.RelayServerStaticEndpoints = t.relayServerStaticEndpoints
-		perfs.RelayServerStaticEndpointsSet = true
 	}
 	_, err = localBackend.EditPrefs(perfs)
 	if err != nil {
--- a/protocol/tor/proxy.go
+++ b/protocol/tor/proxy.go
@@ -99,7 +99,7 @@ func (l *ProxyListener) acceptLoop() {
 }

 func (l *ProxyListener) accept(ctx context.Context, conn *net.TCPConn) error {
-	return socks.HandleConnectionEx(ctx, conn, std_bufio.NewReader(conn), l.authenticator, l, nil, M.SocksaddrFromNet(conn.RemoteAddr()), nil)
+	return socks.HandleConnectionEx(ctx, conn, std_bufio.NewReader(conn), l.authenticator, l, nil, 0, M.SocksaddrFromNet(conn.RemoteAddr()), nil)
 }

 func (l *ProxyListener) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
--- a/protocol/tun/inbound.go
+++ b/protocol/tun/inbound.go
@@ -174,6 +174,10 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 	if ruleIndex == 0 {
 		ruleIndex = tun.DefaultIPRoute2RuleIndex
 	}
+	autoRedirectFallbackRuleIndex := options.AutoRedirectFallbackRuleIndex
+	if autoRedirectFallbackRuleIndex == 0 {
+		autoRedirectFallbackRuleIndex = tun.DefaultIPRoute2AutoRedirectFallbackRuleIndex
+	}
 	inputMark := uint32(options.AutoRedirectInputMark)
 	if inputMark == 0 {
 		inputMark = tun.DefaultAutoRedirectInputMark
@@ -200,35 +204,36 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 		logger:         logger,
 		inboundOptions: options.InboundOptions,
 		tunOptions: tun.Options{
-			Name:                     options.InterfaceName,
-			MTU:                      tunMTU,
-			GSO:                      enableGSO,
-			Inet4Address:             inet4Address,
-			Inet6Address:             inet6Address,
-			AutoRoute:                options.AutoRoute,
-			IPRoute2TableIndex:       tableIndex,
-			IPRoute2RuleIndex:        ruleIndex,
-			AutoRedirectInputMark:    inputMark,
-			AutoRedirectOutputMark:   outputMark,
-			AutoRedirectResetMark:    resetMark,
-			AutoRedirectNFQueue:      nfQueue,
-			ExcludeMPTCP:             options.ExcludeMPTCP,
-			Inet4LoopbackAddress:     common.Filter(options.LoopbackAddress, netip.Addr.Is4),
-			Inet6LoopbackAddress:     common.Filter(options.LoopbackAddress, netip.Addr.Is6),
-			StrictRoute:              options.StrictRoute,
-			IncludeInterface:         options.IncludeInterface,
-			ExcludeInterface:         options.ExcludeInterface,
-			Inet4RouteAddress:        inet4RouteAddress,
-			Inet6RouteAddress:        inet6RouteAddress,
-			Inet4RouteExcludeAddress: inet4RouteExcludeAddress,
-			Inet6RouteExcludeAddress: inet6RouteExcludeAddress,
-			IncludeUID:               includeUID,
-			ExcludeUID:               excludeUID,
-			IncludeAndroidUser:       options.IncludeAndroidUser,
-			IncludePackage:           options.IncludePackage,
-			ExcludePackage:           options.ExcludePackage,
-			InterfaceMonitor:         networkManager.InterfaceMonitor(),
-			EXP_MultiPendingPackets:  multiPendingPackets,
+			Name:                                  options.InterfaceName,
+			MTU:                                   tunMTU,
+			GSO:                                   enableGSO,
+			Inet4Address:                          inet4Address,
+			Inet6Address:                          inet6Address,
+			AutoRoute:                             options.AutoRoute,
+			IPRoute2TableIndex:                    tableIndex,
+			IPRoute2RuleIndex:                     ruleIndex,
+			IPRoute2AutoRedirectFallbackRuleIndex: autoRedirectFallbackRuleIndex,
+			AutoRedirectInputMark:                 inputMark,
+			AutoRedirectOutputMark:                outputMark,
+			AutoRedirectResetMark:                 resetMark,
+			AutoRedirectNFQueue:                   nfQueue,
+			ExcludeMPTCP:                          options.ExcludeMPTCP,
+			Inet4LoopbackAddress:                  common.Filter(options.LoopbackAddress, netip.Addr.Is4),
+			Inet6LoopbackAddress:                  common.Filter(options.LoopbackAddress, netip.Addr.Is6),
+			StrictRoute:                           options.StrictRoute,
+			IncludeInterface:                      options.IncludeInterface,
+			ExcludeInterface:                      options.ExcludeInterface,
+			Inet4RouteAddress:                     inet4RouteAddress,
+			Inet6RouteAddress:                     inet6RouteAddress,
+			Inet4RouteExcludeAddress:              inet4RouteExcludeAddress,
+			Inet6RouteExcludeAddress:              inet6RouteExcludeAddress,
+			IncludeUID:                            includeUID,
+			ExcludeUID:                            excludeUID,
+			IncludeAndroidUser:                    options.IncludeAndroidUser,
+			IncludePackage:                        options.IncludePackage,
+			ExcludePackage:                        options.ExcludePackage,
+			InterfaceMonitor:                      networkManager.InterfaceMonitor(),
+			EXP_MultiPendingPackets:               multiPendingPackets,
 		},
 		udpTimeout:        udpTimeout,
 		stack:             options.Stack,
--- a/protocol/vmess/outbound.go
+++ b/protocol/vmess/outbound.go
@@ -57,7 +57,9 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 		if err != nil {
 			return nil, err
 		}
-		outbound.tlsDialer = tls.NewDialer(outboundDialer, outbound.tlsConfig)
+		if outbound.tlsConfig != nil {
+			outbound.tlsDialer = tls.NewDialer(outboundDialer, outbound.tlsConfig)
+		}
 	}
 	if options.Transport != nil {
 		outbound.transport, err = v2ray.NewClientTransport(ctx, outbound.dialer, outbound.serverAddr, common.PtrValueOrDefault(options.Transport), outbound.tlsConfig)
--- a/route/conn.go
+++ b/route/conn.go
@@ -2,7 +2,6 @@ package route

 import (
 	"context"
-	"errors"
 	"io"
 	"net"
 	"net/netip"
@@ -45,16 +44,52 @@ func (m *ConnectionManager) Start(stage adapter.StartStage) error {
 	return nil
 }

-func (m *ConnectionManager) Close() error {
+func (m *ConnectionManager) Count() int {
+	return m.connections.Len()
+}
+
+func (m *ConnectionManager) CloseAll() {
 	m.access.Lock()
-	defer m.access.Unlock()
-	for element := m.connections.Front(); element != nil; element = element.Next() {
-		common.Close(element.Value)
+	var closers []io.Closer
+	for element := m.connections.Front(); element != nil; {
+		nextElement := element.Next()
+		closers = append(closers, element.Value)
+		m.connections.Remove(element)
+		element = nextElement
 	}
-	m.connections.Init()
+	m.access.Unlock()
+	for _, closer := range closers {
+		common.Close(closer)
+	}
+}
+
+func (m *ConnectionManager) Close() error {
+	m.CloseAll()
 	return nil
 }

+func (m *ConnectionManager) TrackConn(conn net.Conn) net.Conn {
+	m.access.Lock()
+	element := m.connections.PushBack(conn)
+	m.access.Unlock()
+	return &trackedConn{
+		Conn:    conn,
+		manager: m,
+		element: element,
+	}
+}
+
+func (m *ConnectionManager) TrackPacketConn(conn net.PacketConn) net.PacketConn {
+	m.access.Lock()
+	element := m.connections.PushBack(conn)
+	m.access.Unlock()
+	return &trackedPacketConn{
+		PacketConn: conn,
+		manager:    m,
+		element:    element,
+	}
+}
+
 func (m *ConnectionManager) NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
 	ctx = adapter.WithContext(ctx, &metadata)
 	var (
@@ -93,17 +128,13 @@ func (m *ConnectionManager) NewConnection(ctx context.Context, this N.Dialer, co
 	if metadata.TLSFragment || metadata.TLSRecordFragment {
 		remoteConn = tf.NewConn(remoteConn, ctx, metadata.TLSFragment, metadata.TLSRecordFragment, metadata.TLSFragmentFallbackDelay)
 	}
-	m.access.Lock()
-	element := m.connections.PushBack(conn)
-	m.access.Unlock()
-	onClose = N.AppendClose(onClose, func(it error) {
-		m.access.Lock()
-		defer m.access.Unlock()
-		m.connections.Remove(element)
-	})
 	var done atomic.Bool
-	m.preConnectionCopy(ctx, conn, remoteConn, false, &done, onClose)
-	m.preConnectionCopy(ctx, remoteConn, conn, true, &done, onClose)
+	if m.kickWriteHandshake(ctx, conn, remoteConn, false, &done, onClose) {
+		return
+	}
+	if m.kickWriteHandshake(ctx, remoteConn, conn, true, &done, onClose) {
+		return
+	}
 	go m.connectionCopy(ctx, conn, remoteConn, false, &done, onClose)
 	go m.connectionCopy(ctx, remoteConn, conn, true, &done, onClose)
 }
@@ -213,88 +244,13 @@ func (m *ConnectionManager) NewPacketConnection(ctx context.Context, this N.Dial
 		ctx, conn = canceler.NewPacketConn(ctx, conn, udpTimeout)
 	}
 	destination := bufio.NewPacketConn(remotePacketConn)
-	m.access.Lock()
-	element := m.connections.PushBack(conn)
-	m.access.Unlock()
-	onClose = N.AppendClose(onClose, func(it error) {
-		m.access.Lock()
-		defer m.access.Unlock()
-		m.connections.Remove(element)
-	})
 	var done atomic.Bool
 	go m.packetConnectionCopy(ctx, conn, destination, false, &done, onClose)
 	go m.packetConnectionCopy(ctx, destination, conn, true, &done, onClose)
 }

-func (m *ConnectionManager) preConnectionCopy(ctx context.Context, source net.Conn, destination net.Conn, direction bool, done *atomic.Bool, onClose N.CloseHandlerFunc) {
-	readHandshake := N.NeedHandshakeForRead(source)
-	writeHandshake := N.NeedHandshakeForWrite(destination)
-	if readHandshake || writeHandshake {
-		var err error
-		for {
-			err = m.connectionCopyEarlyWrite(source, destination, readHandshake, writeHandshake)
-			if err == nil && N.NeedHandshakeForRead(source) {
-				continue
-			} else if E.IsMulti(err, os.ErrInvalid, context.DeadlineExceeded, io.EOF) {
-				err = nil
-			}
-			break
-		}
-		if err != nil {
-			if done.Swap(true) {
-				onClose(err)
-			}
-			common.Close(source, destination)
-			if !direction {
-				m.logger.ErrorContext(ctx, "connection upload handshake: ", err)
-			} else {
-				m.logger.ErrorContext(ctx, "connection download handshake: ", err)
-			}
-			return
-		}
-	}
-}
-
 func (m *ConnectionManager) connectionCopy(ctx context.Context, source net.Conn, destination net.Conn, direction bool, done *atomic.Bool, onClose N.CloseHandlerFunc) {
-	var (
-		sourceReader      io.Reader = source
-		destinationWriter io.Writer = destination
-	)
-	var readCounters, writeCounters []N.CountFunc
-	for {
-		sourceReader, readCounters = N.UnwrapCountReader(sourceReader, readCounters)
-		destinationWriter, writeCounters = N.UnwrapCountWriter(destinationWriter, writeCounters)
-		if cachedSrc, isCached := sourceReader.(N.CachedReader); isCached {
-			cachedBuffer := cachedSrc.ReadCached()
-			if cachedBuffer != nil {
-				dataLen := cachedBuffer.Len()
-				_, err := destination.Write(cachedBuffer.Bytes())
-				cachedBuffer.Release()
-				if err != nil {
-					if done.Swap(true) {
-						onClose(err)
-					}
-					common.Close(source, destination)
-					if !direction {
-						m.logger.ErrorContext(ctx, "connection upload payload: ", err)
-					} else {
-						m.logger.ErrorContext(ctx, "connection download payload: ", err)
-					}
-					return
-				}
-				for _, counter := range readCounters {
-					counter(int64(dataLen))
-				}
-				for _, counter := range writeCounters {
-					counter(int64(dataLen))
-				}
-			}
-			continue
-		}
-		break
-	}
-
-	_, err := bufio.CopyWithCounters(destinationWriter, sourceReader, source, readCounters, writeCounters, bufio.DefaultIncreaseBufferAfter, bufio.DefaultBatchSize)
+	_, err := bufio.CopyWithIncreateBuffer(destination, source, bufio.DefaultIncreaseBufferAfter, bufio.DefaultBatchSize)
 	if err != nil {
 		common.Close(source, destination)
 	} else if duplexDst, isDuplex := destination.(N.WriteCloser); isDuplex {
@@ -306,7 +262,9 @@ func (m *ConnectionManager) connectionCopy(ctx context.Context, source net.Conn,
 		destination.Close()
 	}
 	if done.Swap(true) {
-		onClose(err)
+		if onClose != nil {
+			onClose(err)
+		}
 		common.Close(source, destination)
 	}
 	if !direction {
@@ -328,45 +286,56 @@ func (m *ConnectionManager) connectionCopy(ctx context.Context, source net.Conn,
 	}
 }

-func (m *ConnectionManager) connectionCopyEarlyWrite(source net.Conn, destination io.Writer, readHandshake bool, writeHandshake bool) error {
-	payload := buf.NewPacket()
-	defer payload.Release()
-	err := source.SetReadDeadline(time.Now().Add(C.ReadPayloadTimeout))
-	if err != nil {
-		if err == os.ErrInvalid {
-			if writeHandshake {
-				return common.Error(destination.Write(nil))
-			}
-		}
-		return err
+func (m *ConnectionManager) kickWriteHandshake(ctx context.Context, source net.Conn, destination net.Conn, direction bool, done *atomic.Bool, onClose N.CloseHandlerFunc) bool {
+	if !N.NeedHandshakeForWrite(destination) {
+		return false
 	}
 	var (
-		isTimeout bool
-		isEOF     bool
+		cachedBuffer *buf.Buffer
+		wrotePayload bool
 	)
-	_, err = payload.ReadOnceFrom(source)
-	if err != nil {
-		if E.IsTimeout(err) {
-			isTimeout = true
-		} else if errors.Is(err, io.EOF) {
-			isEOF = true
-		} else {
-			return E.Cause(err, "read payload")
+	sourceReader, readCounters := N.UnwrapCountReader(source, nil)
+	destinationWriter, writeCounters := N.UnwrapCountWriter(destination, nil)
+	if cachedReader, ok := sourceReader.(N.CachedReader); ok {
+		cachedBuffer = cachedReader.ReadCached()
+	}
+	var err error
+	if cachedBuffer != nil {
+		wrotePayload = true
+		dataLen := cachedBuffer.Len()
+		_, err = destinationWriter.Write(cachedBuffer.Bytes())
+		cachedBuffer.Release()
+		if err == nil {
+			for _, counter := range readCounters {
+				counter(int64(dataLen))
+			}
+			for _, counter := range writeCounters {
+				counter(int64(dataLen))
+			}
+		}
+	} else {
+		_ = destination.SetWriteDeadline(time.Now().Add(C.ReadPayloadTimeout))
+		_, err = destinationWriter.Write(nil)
+		_ = destination.SetWriteDeadline(time.Time{})
+	}
+	if err == nil {
+		return false
+	}
+	if !wrotePayload && (E.IsMulti(err, os.ErrInvalid, context.DeadlineExceeded, io.EOF) || E.IsTimeout(err)) {
+		return false
+	}
+	if !done.Swap(true) {
+		if onClose != nil {
+			onClose(err)
 		}
 	}
-	_ = source.SetReadDeadline(time.Time{})
-	if !payload.IsEmpty() || writeHandshake {
-		_, err = destination.Write(payload.Bytes())
-		if err != nil {
-			return E.Cause(err, "write payload")
-		}
+	common.Close(source, destination)
+	if !direction {
+		m.logger.ErrorContext(ctx, "connection upload handshake: ", err)
+	} else {
+		m.logger.ErrorContext(ctx, "connection download handshake: ", err)
 	}
-	if isTimeout {
-		return context.DeadlineExceeded
-	} else if isEOF {
-		return io.EOF
-	}
-	return nil
+	return true
 }

 func (m *ConnectionManager) packetConnectionCopy(ctx context.Context, source N.PacketReader, destination N.PacketWriter, direction bool, done *atomic.Bool, onClose N.CloseHandlerFunc) {
@@ -389,7 +358,59 @@ func (m *ConnectionManager) packetConnectionCopy(ctx context.Context, source N.P
 		}
 	}
 	if !done.Swap(true) {
-		onClose(err)
+		if onClose != nil {
+			onClose(err)
+		}
 	}
 	common.Close(source, destination)
 }
+
+type trackedConn struct {
+	net.Conn
+	manager *ConnectionManager
+	element *list.Element[io.Closer]
+}
+
+func (c *trackedConn) Close() error {
+	c.manager.access.Lock()
+	c.manager.connections.Remove(c.element)
+	c.manager.access.Unlock()
+	return c.Conn.Close()
+}
+
+func (c *trackedConn) Upstream() any {
+	return c.Conn
+}
+
+func (c *trackedConn) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *trackedConn) WriterReplaceable() bool {
+	return true
+}
+
+type trackedPacketConn struct {
+	net.PacketConn
+	manager *ConnectionManager
+	element *list.Element[io.Closer]
+}
+
+func (c *trackedPacketConn) Close() error {
+	c.manager.access.Lock()
+	c.manager.connections.Remove(c.element)
+	c.manager.access.Unlock()
+	return c.PacketConn.Close()
+}
+
+func (c *trackedPacketConn) Upstream() any {
+	return bufio.NewPacketConn(c.PacketConn)
+}
+
+func (c *trackedPacketConn) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *trackedPacketConn) WriterReplaceable() bool {
+	return true
+}
--- a/route/network.go
+++ b/route/network.go
@@ -13,7 +13,6 @@ import (
 	"time"

 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/settings"
 	"github.com/sagernet/sing-box/common/taskmonitor"
 	C "github.com/sagernet/sing-box/constant"
@@ -48,6 +47,7 @@ type NetworkManager struct {
 	powerListener          winpowrprof.EventListener
 	pauseManager           pause.Manager
 	platformInterface      adapter.PlatformInterface
+	connectionManager      adapter.ConnectionManager
 	endpoint               adapter.EndpointManager
 	inbound                adapter.InboundManager
 	outbound               adapter.OutboundManager
@@ -90,6 +90,7 @@ func NewNetworkManager(ctx context.Context, logger logger.ContextLogger, options
 		},
 		pauseManager:      service.FromContext[pause.Manager](ctx),
 		platformInterface: service.FromContext[adapter.PlatformInterface](ctx),
+		connectionManager: service.FromContext[adapter.ConnectionManager](ctx),
 		endpoint:          service.FromContext[adapter.EndpointManager](ctx),
 		inbound:           service.FromContext[adapter.InboundManager](ctx),
 		outbound:          service.FromContext[adapter.OutboundManager](ctx),
@@ -450,7 +451,9 @@ func (r *NetworkManager) UpdateWIFIState() {
 }

 func (r *NetworkManager) ResetNetwork() {
-	conntrack.Close()
+	if r.connectionManager != nil {
+		r.connectionManager.CloseAll()
+	}

 	for _, endpoint := range r.endpoint.Endpoints() {
 		listener, isListener := endpoint.(adapter.InterfaceUpdateListener)
--- a/route/route.go
+++ b/route/route.go
@@ -9,7 +9,6 @@ import (
 	"time"

 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/process"
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"
@@ -80,7 +79,6 @@ func (r *Router) routeConnection(ctx context.Context, conn net.Conn, metadata ad
 		injectable.NewConnectionEx(ctx, conn, metadata, onClose)
 		return nil
 	}
-	conntrack.KillerCheck()
 	metadata.Network = N.NetworkTCP
 	switch metadata.Destination.Fqdn {
 	case mux.Destination.Fqdn:
@@ -216,8 +214,6 @@ func (r *Router) routePacketConnection(ctx context.Context, conn N.PacketConn, m
 		injectable.NewPacketConnectionEx(ctx, conn, metadata, onClose)
 		return nil
 	}
-	conntrack.KillerCheck()
-
 	// TODO: move to UoT
 	metadata.Network = N.NetworkUDP

--- a/route/rule/rule_abstract.go
+++ b/route/rule/rule_abstract.go
@@ -107,9 +107,7 @@ func (r *abstractDefaultRule) Match(metadata *adapter.InboundContext) bool {
 	}

 	for _, item := range r.items {
-		if _, isRuleSet := item.(*RuleSetItem); !isRuleSet {
-			metadata.DidMatch = true
-		}
+		metadata.DidMatch = true
 		if !item.Match(metadata) {
 			return r.invert
 		}
--- a/route/rule/rule_abstract_test.go
+++ b/route/rule/rule_abstract_test.go
@@ -0,0 +1,157 @@
+package rule
+
+import (
+	"context"
+	"testing"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing/common/x/list"
+
+	"github.com/stretchr/testify/require"
+	"go4.org/netipx"
+)
+
+type fakeRuleSet struct {
+	matched bool
+}
+
+func (f *fakeRuleSet) Name() string {
+	return "fake-rule-set"
+}
+
+func (f *fakeRuleSet) StartContext(context.Context, *adapter.HTTPStartContext) error {
+	return nil
+}
+
+func (f *fakeRuleSet) PostStart() error {
+	return nil
+}
+
+func (f *fakeRuleSet) Metadata() adapter.RuleSetMetadata {
+	return adapter.RuleSetMetadata{}
+}
+
+func (f *fakeRuleSet) ExtractIPSet() []*netipx.IPSet {
+	return nil
+}
+
+func (f *fakeRuleSet) IncRef() {}
+
+func (f *fakeRuleSet) DecRef() {}
+
+func (f *fakeRuleSet) Cleanup() {}
+
+func (f *fakeRuleSet) RegisterCallback(adapter.RuleSetUpdateCallback) *list.Element[adapter.RuleSetUpdateCallback] {
+	return nil
+}
+
+func (f *fakeRuleSet) UnregisterCallback(*list.Element[adapter.RuleSetUpdateCallback]) {}
+
+func (f *fakeRuleSet) Close() error {
+	return nil
+}
+
+func (f *fakeRuleSet) Match(*adapter.InboundContext) bool {
+	return f.matched
+}
+
+func (f *fakeRuleSet) String() string {
+	return "fake-rule-set"
+}
+
+type fakeRuleItem struct {
+	matched bool
+}
+
+func (f *fakeRuleItem) Match(*adapter.InboundContext) bool {
+	return f.matched
+}
+
+func (f *fakeRuleItem) String() string {
+	return "fake-rule-item"
+}
+
+func newRuleSetOnlyRule(ruleSetMatched bool, invert bool) *DefaultRule {
+	ruleSetItem := &RuleSetItem{
+		setList: []adapter.RuleSet{&fakeRuleSet{matched: ruleSetMatched}},
+	}
+	return &DefaultRule{
+		abstractDefaultRule: abstractDefaultRule{
+			items:    []RuleItem{ruleSetItem},
+			allItems: []RuleItem{ruleSetItem},
+			invert:   invert,
+		},
+	}
+}
+
+func newSingleItemRule(matched bool) *DefaultRule {
+	item := &fakeRuleItem{matched: matched}
+	return &DefaultRule{
+		abstractDefaultRule: abstractDefaultRule{
+			items:    []RuleItem{item},
+			allItems: []RuleItem{item},
+		},
+	}
+}
+
+func TestAbstractDefaultRule_RuleSetOnly_InvertFalse(t *testing.T) {
+	t.Parallel()
+	require.True(t, newRuleSetOnlyRule(true, false).Match(&adapter.InboundContext{}))
+	require.False(t, newRuleSetOnlyRule(false, false).Match(&adapter.InboundContext{}))
+}
+
+func TestAbstractDefaultRule_RuleSetOnly_InvertTrue(t *testing.T) {
+	t.Parallel()
+	require.False(t, newRuleSetOnlyRule(true, true).Match(&adapter.InboundContext{}))
+	require.True(t, newRuleSetOnlyRule(false, true).Match(&adapter.InboundContext{}))
+}
+
+func TestAbstractLogicalRule_And_WithRuleSetInvert(t *testing.T) {
+	t.Parallel()
+	testCases := []struct {
+		name          string
+		aMatched      bool
+		ruleSetBMatch bool
+		expected      bool
+	}{
+		{
+			name:          "A true B true",
+			aMatched:      true,
+			ruleSetBMatch: true,
+			expected:      false,
+		},
+		{
+			name:          "A true B false",
+			aMatched:      true,
+			ruleSetBMatch: false,
+			expected:      true,
+		},
+		{
+			name:          "A false B true",
+			aMatched:      false,
+			ruleSetBMatch: true,
+			expected:      false,
+		},
+		{
+			name:          "A false B false",
+			aMatched:      false,
+			ruleSetBMatch: false,
+			expected:      false,
+		},
+	}
+	for _, testCase := range testCases {
+		testCase := testCase
+		t.Run(testCase.name, func(t *testing.T) {
+			t.Parallel()
+			logicalRule := &abstractLogicalRule{
+				mode: C.LogicalTypeAnd,
+				rules: []adapter.HeadlessRule{
+					newSingleItemRule(testCase.aMatched),
+					newRuleSetOnlyRule(testCase.ruleSetBMatch, true),
+				},
+			}
+			require.Equal(t, testCase.expected, logicalRule.Match(&adapter.InboundContext{}))
+		})
+	}
+}
--- a/service/ccm/service.go
+++ b/service/ccm/service.go
@@ -10,6 +10,7 @@ import (
 	"mime"
 	"net"
 	"net/http"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -79,6 +80,35 @@ func isHopByHopHeader(header string) bool {
 	}
 }

+const (
+	weeklyWindowSeconds = 604800
+	weeklyWindowMinutes = weeklyWindowSeconds / 60
+)
+
+func parseInt64Header(headers http.Header, headerName string) (int64, bool) {
+	headerValue := strings.TrimSpace(headers.Get(headerName))
+	if headerValue == "" {
+		return 0, false
+	}
+	parsedValue, parseError := strconv.ParseInt(headerValue, 10, 64)
+	if parseError != nil {
+		return 0, false
+	}
+	return parsedValue, true
+}
+
+func extractWeeklyCycleHint(headers http.Header) *WeeklyCycleHint {
+	resetAtUnix, hasResetAt := parseInt64Header(headers, "anthropic-ratelimit-unified-7d-reset")
+	if !hasResetAt || resetAtUnix <= 0 {
+		return nil
+	}
+
+	return &WeeklyCycleHint{
+		WindowMinutes: weeklyWindowMinutes,
+		ResetAt:       time.Unix(resetAtUnix, 0).UTC(),
+	}
+}
+
 type Service struct {
 	boxService.Adapter
 	ctx            context.Context
@@ -392,6 +422,7 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 }

 func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, response *http.Response, requestModel string, anthropicBetaHeader string, messagesCount int, username string) {
+	weeklyCycleHint := extractWeeklyCycleHint(response.Header)
 	mediaType, _, err := mime.ParseMediaType(response.Header.Get("Content-Type"))
 	isStreaming := err == nil && mediaType == "text/event-stream"

@@ -417,7 +448,7 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 		if usage.InputTokens > 0 || usage.OutputTokens > 0 {
 			if responseModel != "" {
 				contextWindow := detectContextWindow(anthropicBetaHeader, usage.InputTokens)
-				s.usageTracker.AddUsage(
+				s.usageTracker.AddUsageWithCycleHint(
 					responseModel,
 					contextWindow,
 					messagesCount,
@@ -425,7 +456,11 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 					usage.OutputTokens,
 					usage.CacheReadInputTokens,
 					usage.CacheCreationInputTokens,
+					usage.CacheCreation.Ephemeral5mInputTokens,
+					usage.CacheCreation.Ephemeral1hInputTokens,
 					username,
+					time.Now(),
+					weeklyCycleHint,
 				)
 			}
 		}
@@ -485,6 +520,8 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 							accumulatedUsage.InputTokens = messageStart.Message.Usage.InputTokens
 							accumulatedUsage.CacheReadInputTokens = messageStart.Message.Usage.CacheReadInputTokens
 							accumulatedUsage.CacheCreationInputTokens = messageStart.Message.Usage.CacheCreationInputTokens
+							accumulatedUsage.CacheCreation.Ephemeral5mInputTokens = messageStart.Message.Usage.CacheCreation.Ephemeral5mInputTokens
+							accumulatedUsage.CacheCreation.Ephemeral1hInputTokens = messageStart.Message.Usage.CacheCreation.Ephemeral1hInputTokens
 						}
 					case "message_delta":
 						messageDelta := event.AsMessageDelta()
@@ -511,7 +548,7 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 			if accumulatedUsage.InputTokens > 0 || accumulatedUsage.OutputTokens > 0 {
 				if responseModel != "" {
 					contextWindow := detectContextWindow(anthropicBetaHeader, accumulatedUsage.InputTokens)
-					s.usageTracker.AddUsage(
+					s.usageTracker.AddUsageWithCycleHint(
 						responseModel,
 						contextWindow,
 						messagesCount,
@@ -519,7 +556,11 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 						accumulatedUsage.OutputTokens,
 						accumulatedUsage.CacheReadInputTokens,
 						accumulatedUsage.CacheCreationInputTokens,
+						accumulatedUsage.CacheCreation.Ephemeral5mInputTokens,
+						accumulatedUsage.CacheCreation.Ephemeral1hInputTokens,
 						username,
+						time.Now(),
+						weeklyCycleHint,
 					)
 				}
 			}
--- a/service/ccm/service_usage.go
+++ b/service/ccm/service_usage.go
@@ -2,6 +2,7 @@ package ccm

 import (
 	"encoding/json"
+	"fmt"
 	"math"
 	"os"
 	"regexp"
@@ -13,17 +14,20 @@ import (
 )

 type UsageStats struct {
-	RequestCount             int   `json:"request_count"`
-	MessagesCount            int   `json:"messages_count"`
-	InputTokens              int64 `json:"input_tokens"`
-	OutputTokens             int64 `json:"output_tokens"`
-	CacheReadInputTokens     int64 `json:"cache_read_input_tokens"`
-	CacheCreationInputTokens int64 `json:"cache_creation_input_tokens"`
+	RequestCount                    int   `json:"request_count"`
+	MessagesCount                   int   `json:"messages_count"`
+	InputTokens                     int64 `json:"input_tokens"`
+	OutputTokens                    int64 `json:"output_tokens"`
+	CacheReadInputTokens            int64 `json:"cache_read_input_tokens"`
+	CacheCreationInputTokens        int64 `json:"cache_creation_input_tokens"`
+	CacheCreation5MinuteInputTokens int64 `json:"cache_creation_5m_input_tokens,omitempty"`
+	CacheCreation1HourInputTokens   int64 `json:"cache_creation_1h_input_tokens,omitempty"`
 }

 type CostCombination struct {
 	Model         string                `json:"model"`
 	ContextWindow int                   `json:"context_window"`
+	WeekStartUnix int64                 `json:"week_start_unix,omitempty"`
 	Total         UsageStats            `json:"total"`
 	ByUser        map[string]UsageStats `json:"by_user"`
 }
@@ -41,18 +45,21 @@ type AggregatedUsage struct {
 }

 type UsageStatsJSON struct {
-	RequestCount             int     `json:"request_count"`
-	MessagesCount            int     `json:"messages_count"`
-	InputTokens              int64   `json:"input_tokens"`
-	OutputTokens             int64   `json:"output_tokens"`
-	CacheReadInputTokens     int64   `json:"cache_read_input_tokens"`
-	CacheCreationInputTokens int64   `json:"cache_creation_input_tokens"`
-	CostUSD                  float64 `json:"cost_usd"`
+	RequestCount                    int     `json:"request_count"`
+	MessagesCount                   int     `json:"messages_count"`
+	InputTokens                     int64   `json:"input_tokens"`
+	OutputTokens                    int64   `json:"output_tokens"`
+	CacheReadInputTokens            int64   `json:"cache_read_input_tokens"`
+	CacheCreationInputTokens        int64   `json:"cache_creation_input_tokens"`
+	CacheCreation5MinuteInputTokens int64   `json:"cache_creation_5m_input_tokens,omitempty"`
+	CacheCreation1HourInputTokens   int64   `json:"cache_creation_1h_input_tokens,omitempty"`
+	CostUSD                         float64 `json:"cost_usd"`
 }

 type CostCombinationJSON struct {
 	Model         string                    `json:"model"`
 	ContextWindow int                       `json:"context_window"`
+	WeekStartUnix int64                     `json:"week_start_unix,omitempty"`
 	Total         UsageStatsJSON            `json:"total"`
 	ByUser        map[string]UsageStatsJSON `json:"by_user"`
 }
@@ -60,6 +67,7 @@ type CostCombinationJSON struct {
 type CostsSummaryJSON struct {
 	TotalUSD float64            `json:"total_usd"`
 	ByUser   map[string]float64 `json:"by_user"`
+	ByWeek   map[string]float64 `json:"by_week,omitempty"`
 }

 type AggregatedUsageJSON struct {
@@ -68,11 +76,17 @@ type AggregatedUsageJSON struct {
 	Combinations []CostCombinationJSON `json:"combinations"`
 }

+type WeeklyCycleHint struct {
+	WindowMinutes int64
+	ResetAt       time.Time
+}
+
 type ModelPricing struct {
-	InputPrice      float64
-	OutputPrice     float64
-	CacheReadPrice  float64
-	CacheWritePrice float64
+	InputPrice             float64
+	OutputPrice            float64
+	CacheReadPrice         float64
+	CacheWritePrice5Minute float64
+	CacheWritePrice1Hour   float64
 }

 type modelFamily struct {
@@ -82,143 +96,205 @@ type modelFamily struct {
 }

 var (
-	opus4Pricing = ModelPricing{
-		InputPrice:      15.0,
-		OutputPrice:     75.0,
-		CacheReadPrice:  1.5,
-		CacheWritePrice: 18.75,
+	opus46StandardPricing = ModelPricing{
+		InputPrice:             5.0,
+		OutputPrice:            25.0,
+		CacheReadPrice:         0.5,
+		CacheWritePrice5Minute: 6.25,
+		CacheWritePrice1Hour:   10.0,
 	}

-	sonnet4StandardPricing = ModelPricing{
-		InputPrice:      3.0,
-		OutputPrice:     15.0,
-		CacheReadPrice:  0.3,
-		CacheWritePrice: 3.75,
-	}
-
-	sonnet4PremiumPricing = ModelPricing{
-		InputPrice:      6.0,
-		OutputPrice:     22.5,
-		CacheReadPrice:  0.6,
-		CacheWritePrice: 7.5,
-	}
-
-	haiku4Pricing = ModelPricing{
-		InputPrice:      1.0,
-		OutputPrice:     5.0,
-		CacheReadPrice:  0.1,
-		CacheWritePrice: 1.25,
-	}
-
-	haiku35Pricing = ModelPricing{
-		InputPrice:      0.8,
-		OutputPrice:     4.0,
-		CacheReadPrice:  0.08,
-		CacheWritePrice: 1.0,
-	}
-
-	sonnet35Pricing = ModelPricing{
-		InputPrice:      3.0,
-		OutputPrice:     15.0,
-		CacheReadPrice:  0.3,
-		CacheWritePrice: 3.75,
+	opus46PremiumPricing = ModelPricing{
+		InputPrice:             10.0,
+		OutputPrice:            37.5,
+		CacheReadPrice:         1.0,
+		CacheWritePrice5Minute: 12.5,
+		CacheWritePrice1Hour:   20.0,
 	}

 	opus45Pricing = ModelPricing{
-		InputPrice:      5.0,
-		OutputPrice:     25.0,
-		CacheReadPrice:  0.5,
-		CacheWritePrice: 6.25,
+		InputPrice:             5.0,
+		OutputPrice:            25.0,
+		CacheReadPrice:         0.5,
+		CacheWritePrice5Minute: 6.25,
+		CacheWritePrice1Hour:   10.0,
+	}
+
+	opus4Pricing = ModelPricing{
+		InputPrice:             15.0,
+		OutputPrice:            75.0,
+		CacheReadPrice:         1.5,
+		CacheWritePrice5Minute: 18.75,
+		CacheWritePrice1Hour:   30.0,
+	}
+
+	sonnet46StandardPricing = ModelPricing{
+		InputPrice:             3.0,
+		OutputPrice:            15.0,
+		CacheReadPrice:         0.3,
+		CacheWritePrice5Minute: 3.75,
+		CacheWritePrice1Hour:   6.0,
+	}
+
+	sonnet46PremiumPricing = ModelPricing{
+		InputPrice:             6.0,
+		OutputPrice:            22.5,
+		CacheReadPrice:         0.6,
+		CacheWritePrice5Minute: 7.5,
+		CacheWritePrice1Hour:   12.0,
 	}

 	sonnet45StandardPricing = ModelPricing{
-		InputPrice:      3.0,
-		OutputPrice:     15.0,
-		CacheReadPrice:  0.3,
-		CacheWritePrice: 3.75,
+		InputPrice:             3.0,
+		OutputPrice:            15.0,
+		CacheReadPrice:         0.3,
+		CacheWritePrice5Minute: 3.75,
+		CacheWritePrice1Hour:   6.0,
 	}

 	sonnet45PremiumPricing = ModelPricing{
-		InputPrice:      6.0,
-		OutputPrice:     22.5,
-		CacheReadPrice:  0.6,
-		CacheWritePrice: 7.5,
+		InputPrice:             6.0,
+		OutputPrice:            22.5,
+		CacheReadPrice:         0.6,
+		CacheWritePrice5Minute: 7.5,
+		CacheWritePrice1Hour:   12.0,
+	}
+
+	sonnet4StandardPricing = ModelPricing{
+		InputPrice:             3.0,
+		OutputPrice:            15.0,
+		CacheReadPrice:         0.3,
+		CacheWritePrice5Minute: 3.75,
+		CacheWritePrice1Hour:   6.0,
+	}
+
+	sonnet4PremiumPricing = ModelPricing{
+		InputPrice:             6.0,
+		OutputPrice:            22.5,
+		CacheReadPrice:         0.6,
+		CacheWritePrice5Minute: 7.5,
+		CacheWritePrice1Hour:   12.0,
+	}
+
+	sonnet37Pricing = ModelPricing{
+		InputPrice:             3.0,
+		OutputPrice:            15.0,
+		CacheReadPrice:         0.3,
+		CacheWritePrice5Minute: 3.75,
+		CacheWritePrice1Hour:   6.0,
+	}
+
+	sonnet35Pricing = ModelPricing{
+		InputPrice:             3.0,
+		OutputPrice:            15.0,
+		CacheReadPrice:         0.3,
+		CacheWritePrice5Minute: 3.75,
+		CacheWritePrice1Hour:   6.0,
 	}

 	haiku45Pricing = ModelPricing{
-		InputPrice:      1.0,
-		OutputPrice:     5.0,
-		CacheReadPrice:  0.1,
-		CacheWritePrice: 1.25,
+		InputPrice:             1.0,
+		OutputPrice:            5.0,
+		CacheReadPrice:         0.1,
+		CacheWritePrice5Minute: 1.25,
+		CacheWritePrice1Hour:   2.0,
+	}
+
+	haiku4Pricing = ModelPricing{
+		InputPrice:             1.0,
+		OutputPrice:            5.0,
+		CacheReadPrice:         0.1,
+		CacheWritePrice5Minute: 1.25,
+		CacheWritePrice1Hour:   2.0,
+	}
+
+	haiku35Pricing = ModelPricing{
+		InputPrice:             0.8,
+		OutputPrice:            4.0,
+		CacheReadPrice:         0.08,
+		CacheWritePrice5Minute: 1.0,
+		CacheWritePrice1Hour:   1.6,
 	}

 	haiku3Pricing = ModelPricing{
-		InputPrice:      0.25,
-		OutputPrice:     1.25,
-		CacheReadPrice:  0.03,
-		CacheWritePrice: 0.3,
+		InputPrice:             0.25,
+		OutputPrice:            1.25,
+		CacheReadPrice:         0.03,
+		CacheWritePrice5Minute: 0.3,
+		CacheWritePrice1Hour:   0.5,
 	}

 	opus3Pricing = ModelPricing{
-		InputPrice:      15.0,
-		OutputPrice:     75.0,
-		CacheReadPrice:  1.5,
-		CacheWritePrice: 18.75,
+		InputPrice:             15.0,
+		OutputPrice:            75.0,
+		CacheReadPrice:         1.5,
+		CacheWritePrice5Minute: 18.75,
+		CacheWritePrice1Hour:   30.0,
 	}

 	modelFamilies = []modelFamily{
 		{
-			pattern:         regexp.MustCompile(`^claude-opus-4-5-`),
+			pattern:         regexp.MustCompile(`^claude-opus-4-6(?:-|$)`),
+			standardPricing: opus46StandardPricing,
+			premiumPricing:  &opus46PremiumPricing,
+		},
+		{
+			pattern:         regexp.MustCompile(`^claude-opus-4-5(?:-|$)`),
 			standardPricing: opus45Pricing,
 			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-(?:opus-4-|4-opus-|opus-4-1-)`),
+			pattern:         regexp.MustCompile(`^claude-(?:opus-4(?:-|$)|4-opus-)`),
 			standardPricing: opus4Pricing,
 			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-(?:opus-3-|3-opus-)`),
+			pattern:         regexp.MustCompile(`^claude-(?:opus-3(?:-|$)|3-opus-)`),
 			standardPricing: opus3Pricing,
 			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-(?:sonnet-4-5-|4-5-sonnet-)`),
+			pattern:         regexp.MustCompile(`^claude-(?:sonnet-4-6(?:-|$)|4-6-sonnet-)`),
+			standardPricing: sonnet46StandardPricing,
+			premiumPricing:  &sonnet46PremiumPricing,
+		},
+		{
+			pattern:         regexp.MustCompile(`^claude-(?:sonnet-4-5(?:-|$)|4-5-sonnet-)`),
 			standardPricing: sonnet45StandardPricing,
 			premiumPricing:  &sonnet45PremiumPricing,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-3-7-sonnet-`),
+			pattern:         regexp.MustCompile(`^claude-(?:sonnet-4(?:-|$)|4-sonnet-)`),
 			standardPricing: sonnet4StandardPricing,
 			premiumPricing:  &sonnet4PremiumPricing,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-(?:sonnet-4-|4-sonnet-)`),
-			standardPricing: sonnet4StandardPricing,
-			premiumPricing:  &sonnet4PremiumPricing,
+			pattern:         regexp.MustCompile(`^claude-3-7-sonnet(?:-|$)`),
+			standardPricing: sonnet37Pricing,
+			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-3-5-sonnet-`),
+			pattern:         regexp.MustCompile(`^claude-3-5-sonnet(?:-|$)`),
 			standardPricing: sonnet35Pricing,
 			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-(?:haiku-4-5-|4-5-haiku-)`),
+			pattern:         regexp.MustCompile(`^claude-(?:haiku-4-5(?:-|$)|4-5-haiku-)`),
 			standardPricing: haiku45Pricing,
 			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-haiku-4-`),
+			pattern:         regexp.MustCompile(`^claude-haiku-4(?:-|$)`),
 			standardPricing: haiku4Pricing,
 			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-3-5-haiku-`),
+			pattern:         regexp.MustCompile(`^claude-3-5-haiku(?:-|$)`),
 			standardPricing: haiku35Pricing,
 			premiumPricing:  nil,
 		},
 		{
-			pattern:         regexp.MustCompile(`^claude-3-haiku-`),
+			pattern:         regexp.MustCompile(`^claude-3-haiku(?:-|$)`),
 			standardPricing: haiku3Pricing,
 			premiumPricing:  nil,
 		},
@@ -243,68 +319,211 @@ func getPricing(model string, contextWindow int) ModelPricing {
 func calculateCost(stats UsageStats, model string, contextWindow int) float64 {
 	pricing := getPricing(model, contextWindow)

+	cacheCreationCost := 0.0
+	if stats.CacheCreation5MinuteInputTokens > 0 || stats.CacheCreation1HourInputTokens > 0 {
+		cacheCreationCost = float64(stats.CacheCreation5MinuteInputTokens)*pricing.CacheWritePrice5Minute +
+			float64(stats.CacheCreation1HourInputTokens)*pricing.CacheWritePrice1Hour
+	} else {
+		// Backward compatibility for usage files generated before TTL split tracking.
+		cacheCreationCost = float64(stats.CacheCreationInputTokens) * pricing.CacheWritePrice5Minute
+	}
+
 	cost := (float64(stats.InputTokens)*pricing.InputPrice +
 		float64(stats.OutputTokens)*pricing.OutputPrice +
 		float64(stats.CacheReadInputTokens)*pricing.CacheReadPrice +
-		float64(stats.CacheCreationInputTokens)*pricing.CacheWritePrice) / 1_000_000
+		cacheCreationCost) / 1_000_000

 	return math.Round(cost*100) / 100
 }

+func roundCost(cost float64) float64 {
+	return math.Round(cost*100) / 100
+}
+
+func normalizeCombinations(combinations []CostCombination) {
+	for index := range combinations {
+		if combinations[index].ByUser == nil {
+			combinations[index].ByUser = make(map[string]UsageStats)
+		}
+	}
+}
+
+func addUsageToCombinations(
+	combinations *[]CostCombination,
+	model string,
+	contextWindow int,
+	weekStartUnix int64,
+	messagesCount int,
+	inputTokens, outputTokens, cacheReadTokens, cacheCreationTokens, cacheCreation5MinuteTokens, cacheCreation1HourTokens int64,
+	user string,
+) {
+	var matchedCombination *CostCombination
+	for index := range *combinations {
+		combination := &(*combinations)[index]
+		if combination.Model == model && combination.ContextWindow == contextWindow && combination.WeekStartUnix == weekStartUnix {
+			matchedCombination = combination
+			break
+		}
+	}
+
+	if matchedCombination == nil {
+		newCombination := CostCombination{
+			Model:         model,
+			ContextWindow: contextWindow,
+			WeekStartUnix: weekStartUnix,
+			Total:         UsageStats{},
+			ByUser:        make(map[string]UsageStats),
+		}
+		*combinations = append(*combinations, newCombination)
+		matchedCombination = &(*combinations)[len(*combinations)-1]
+	}
+
+	if cacheCreationTokens == 0 {
+		cacheCreationTokens = cacheCreation5MinuteTokens + cacheCreation1HourTokens
+	}
+
+	matchedCombination.Total.RequestCount++
+	matchedCombination.Total.MessagesCount += messagesCount
+	matchedCombination.Total.InputTokens += inputTokens
+	matchedCombination.Total.OutputTokens += outputTokens
+	matchedCombination.Total.CacheReadInputTokens += cacheReadTokens
+	matchedCombination.Total.CacheCreationInputTokens += cacheCreationTokens
+	matchedCombination.Total.CacheCreation5MinuteInputTokens += cacheCreation5MinuteTokens
+	matchedCombination.Total.CacheCreation1HourInputTokens += cacheCreation1HourTokens
+
+	if user != "" {
+		userStats := matchedCombination.ByUser[user]
+		userStats.RequestCount++
+		userStats.MessagesCount += messagesCount
+		userStats.InputTokens += inputTokens
+		userStats.OutputTokens += outputTokens
+		userStats.CacheReadInputTokens += cacheReadTokens
+		userStats.CacheCreationInputTokens += cacheCreationTokens
+		userStats.CacheCreation5MinuteInputTokens += cacheCreation5MinuteTokens
+		userStats.CacheCreation1HourInputTokens += cacheCreation1HourTokens
+		matchedCombination.ByUser[user] = userStats
+	}
+}
+
+func buildCombinationJSON(combinations []CostCombination, aggregateUserCosts map[string]float64) ([]CostCombinationJSON, float64) {
+	result := make([]CostCombinationJSON, len(combinations))
+	var totalCost float64
+
+	for index, combination := range combinations {
+		combinationTotalCost := calculateCost(combination.Total, combination.Model, combination.ContextWindow)
+		totalCost += combinationTotalCost
+
+		combinationJSON := CostCombinationJSON{
+			Model:         combination.Model,
+			ContextWindow: combination.ContextWindow,
+			WeekStartUnix: combination.WeekStartUnix,
+			Total: UsageStatsJSON{
+				RequestCount:                    combination.Total.RequestCount,
+				MessagesCount:                   combination.Total.MessagesCount,
+				InputTokens:                     combination.Total.InputTokens,
+				OutputTokens:                    combination.Total.OutputTokens,
+				CacheReadInputTokens:            combination.Total.CacheReadInputTokens,
+				CacheCreationInputTokens:        combination.Total.CacheCreationInputTokens,
+				CacheCreation5MinuteInputTokens: combination.Total.CacheCreation5MinuteInputTokens,
+				CacheCreation1HourInputTokens:   combination.Total.CacheCreation1HourInputTokens,
+				CostUSD:                         combinationTotalCost,
+			},
+			ByUser: make(map[string]UsageStatsJSON),
+		}
+
+		for user, userStats := range combination.ByUser {
+			userCost := calculateCost(userStats, combination.Model, combination.ContextWindow)
+			if aggregateUserCosts != nil {
+				aggregateUserCosts[user] += userCost
+			}
+
+			combinationJSON.ByUser[user] = UsageStatsJSON{
+				RequestCount:                    userStats.RequestCount,
+				MessagesCount:                   userStats.MessagesCount,
+				InputTokens:                     userStats.InputTokens,
+				OutputTokens:                    userStats.OutputTokens,
+				CacheReadInputTokens:            userStats.CacheReadInputTokens,
+				CacheCreationInputTokens:        userStats.CacheCreationInputTokens,
+				CacheCreation5MinuteInputTokens: userStats.CacheCreation5MinuteInputTokens,
+				CacheCreation1HourInputTokens:   userStats.CacheCreation1HourInputTokens,
+				CostUSD:                         userCost,
+			}
+		}
+
+		result[index] = combinationJSON
+	}
+
+	return result, roundCost(totalCost)
+}
+
+func formatUTCOffsetLabel(timestamp time.Time) string {
+	_, offsetSeconds := timestamp.Zone()
+	sign := "+"
+	if offsetSeconds < 0 {
+		sign = "-"
+		offsetSeconds = -offsetSeconds
+	}
+	offsetHours := offsetSeconds / 3600
+	offsetMinutes := (offsetSeconds % 3600) / 60
+	if offsetMinutes == 0 {
+		return fmt.Sprintf("UTC%s%d", sign, offsetHours)
+	}
+	return fmt.Sprintf("UTC%s%d:%02d", sign, offsetHours, offsetMinutes)
+}
+
+func formatWeekStartKey(cycleStartAt time.Time) string {
+	localCycleStart := cycleStartAt.In(time.Local)
+	return fmt.Sprintf("%s %s", localCycleStart.Format("2006-01-02 15:04:05"), formatUTCOffsetLabel(localCycleStart))
+}
+
+func buildByWeekCost(combinations []CostCombination) map[string]float64 {
+	byWeek := make(map[string]float64)
+	for _, combination := range combinations {
+		if combination.WeekStartUnix <= 0 {
+			continue
+		}
+		weekStartAt := time.Unix(combination.WeekStartUnix, 0).UTC()
+		weekKey := formatWeekStartKey(weekStartAt)
+		byWeek[weekKey] += calculateCost(combination.Total, combination.Model, combination.ContextWindow)
+	}
+	for weekKey, weekCost := range byWeek {
+		byWeek[weekKey] = roundCost(weekCost)
+	}
+	return byWeek
+}
+
+func deriveWeekStartUnix(cycleHint *WeeklyCycleHint) int64 {
+	if cycleHint == nil || cycleHint.WindowMinutes <= 0 || cycleHint.ResetAt.IsZero() {
+		return 0
+	}
+	windowDuration := time.Duration(cycleHint.WindowMinutes) * time.Minute
+	return cycleHint.ResetAt.UTC().Add(-windowDuration).Unix()
+}
+
 func (u *AggregatedUsage) ToJSON() *AggregatedUsageJSON {
 	u.mutex.Lock()
 	defer u.mutex.Unlock()

 	result := &AggregatedUsageJSON{
-		LastUpdated:  u.LastUpdated,
-		Combinations: make([]CostCombinationJSON, len(u.Combinations)),
+		LastUpdated: u.LastUpdated,
 		Costs: CostsSummaryJSON{
 			TotalUSD: 0,
 			ByUser:   make(map[string]float64),
+			ByWeek:   make(map[string]float64),
 		},
 	}

-	for i, combo := range u.Combinations {
-		totalCost := calculateCost(combo.Total, combo.Model, combo.ContextWindow)
+	globalCombinationsJSON, totalCost := buildCombinationJSON(u.Combinations, result.Costs.ByUser)
+	result.Combinations = globalCombinationsJSON
+	result.Costs.TotalUSD = totalCost
+	result.Costs.ByWeek = buildByWeekCost(u.Combinations)

-		result.Costs.TotalUSD += totalCost
-
-		comboJSON := CostCombinationJSON{
-			Model:         combo.Model,
-			ContextWindow: combo.ContextWindow,
-			Total: UsageStatsJSON{
-				RequestCount:             combo.Total.RequestCount,
-				MessagesCount:            combo.Total.MessagesCount,
-				InputTokens:              combo.Total.InputTokens,
-				OutputTokens:             combo.Total.OutputTokens,
-				CacheReadInputTokens:     combo.Total.CacheReadInputTokens,
-				CacheCreationInputTokens: combo.Total.CacheCreationInputTokens,
-				CostUSD:                  totalCost,
-			},
-			ByUser: make(map[string]UsageStatsJSON),
-		}
-
-		for user, userStats := range combo.ByUser {
-			userCost := calculateCost(userStats, combo.Model, combo.ContextWindow)
-			result.Costs.ByUser[user] += userCost
-
-			comboJSON.ByUser[user] = UsageStatsJSON{
-				RequestCount:             userStats.RequestCount,
-				MessagesCount:            userStats.MessagesCount,
-				InputTokens:              userStats.InputTokens,
-				OutputTokens:             userStats.OutputTokens,
-				CacheReadInputTokens:     userStats.CacheReadInputTokens,
-				CacheCreationInputTokens: userStats.CacheCreationInputTokens,
-				CostUSD:                  userCost,
-			}
-		}
-
-		result.Combinations[i] = comboJSON
+	if len(result.Costs.ByWeek) == 0 {
+		result.Costs.ByWeek = nil
 	}

-	result.Costs.TotalUSD = math.Round(result.Costs.TotalUSD*100) / 100
 	for user, cost := range result.Costs.ByUser {
-		result.Costs.ByUser[user] = math.Round(cost*100) / 100
+		result.Costs.ByUser[user] = roundCost(cost)
 	}

 	return result
@@ -314,6 +533,9 @@ func (u *AggregatedUsage) Load() error {
 	u.mutex.Lock()
 	defer u.mutex.Unlock()

+	u.LastUpdated = time.Time{}
+	u.Combinations = nil
+
 	data, err := os.ReadFile(u.filePath)
 	if err != nil {
 		if os.IsNotExist(err) {
@@ -334,12 +556,7 @@ func (u *AggregatedUsage) Load() error {

 	u.LastUpdated = temp.LastUpdated
 	u.Combinations = temp.Combinations
-
-	for i := range u.Combinations {
-		if u.Combinations[i].ByUser == nil {
-			u.Combinations[i].ByUser = make(map[string]UsageStats)
-		}
-	}
+	normalizeCombinations(u.Combinations)

 	return nil
 }
@@ -367,58 +584,42 @@ func (u *AggregatedUsage) Save() error {
 	return err
 }

-func (u *AggregatedUsage) AddUsage(model string, contextWindow int, messagesCount int, inputTokens, outputTokens, cacheReadTokens, cacheCreationTokens int64, user string) error {
+func (u *AggregatedUsage) AddUsage(
+	model string,
+	contextWindow int,
+	messagesCount int,
+	inputTokens, outputTokens, cacheReadTokens, cacheCreationTokens, cacheCreation5MinuteTokens, cacheCreation1HourTokens int64,
+	user string,
+) error {
+	return u.AddUsageWithCycleHint(model, contextWindow, messagesCount, inputTokens, outputTokens, cacheReadTokens, cacheCreationTokens, cacheCreation5MinuteTokens, cacheCreation1HourTokens, user, time.Now(), nil)
+}
+
+func (u *AggregatedUsage) AddUsageWithCycleHint(
+	model string,
+	contextWindow int,
+	messagesCount int,
+	inputTokens, outputTokens, cacheReadTokens, cacheCreationTokens, cacheCreation5MinuteTokens, cacheCreation1HourTokens int64,
+	user string,
+	observedAt time.Time,
+	cycleHint *WeeklyCycleHint,
+) error {
 	if model == "" {
 		return E.New("model cannot be empty")
 	}
 	if contextWindow <= 0 {
 		return E.New("contextWindow must be positive")
 	}
+	if observedAt.IsZero() {
+		observedAt = time.Now()
+	}

 	u.mutex.Lock()
 	defer u.mutex.Unlock()

-	u.LastUpdated = time.Now()
+	u.LastUpdated = observedAt
+	weekStartUnix := deriveWeekStartUnix(cycleHint)

-	// Find or create combination
-	var combo *CostCombination
-	for i := range u.Combinations {
-		if u.Combinations[i].Model == model && u.Combinations[i].ContextWindow == contextWindow {
-			combo = &u.Combinations[i]
-			break
-		}
-	}
-
-	if combo == nil {
-		newCombo := CostCombination{
-			Model:         model,
-			ContextWindow: contextWindow,
-			Total:         UsageStats{},
-			ByUser:        make(map[string]UsageStats),
-		}
-		u.Combinations = append(u.Combinations, newCombo)
-		combo = &u.Combinations[len(u.Combinations)-1]
-	}
-
-	// Update total stats
-	combo.Total.RequestCount++
-	combo.Total.MessagesCount += messagesCount
-	combo.Total.InputTokens += inputTokens
-	combo.Total.OutputTokens += outputTokens
-	combo.Total.CacheReadInputTokens += cacheReadTokens
-	combo.Total.CacheCreationInputTokens += cacheCreationTokens
-
-	// Update per-user stats if user is specified
-	if user != "" {
-		userStats := combo.ByUser[user]
-		userStats.RequestCount++
-		userStats.MessagesCount += messagesCount
-		userStats.InputTokens += inputTokens
-		userStats.OutputTokens += outputTokens
-		userStats.CacheReadInputTokens += cacheReadTokens
-		userStats.CacheCreationInputTokens += cacheCreationTokens
-		combo.ByUser[user] = userStats
-	}
+	addUsageToCombinations(&u.Combinations, model, contextWindow, weekStartUnix, messagesCount, inputTokens, outputTokens, cacheReadTokens, cacheCreationTokens, cacheCreation5MinuteTokens, cacheCreation1HourTokens, user)

 	go u.scheduleSave()

--- a/service/ocm/service.go
+++ b/service/ocm/service.go
@@ -10,6 +10,7 @@ import (
 	"mime"
 	"net"
 	"net/http"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -71,6 +72,57 @@ func isHopByHopHeader(header string) bool {
 	}
 }

+func normalizeRateLimitIdentifier(limitIdentifier string) string {
+	trimmedIdentifier := strings.TrimSpace(strings.ToLower(limitIdentifier))
+	if trimmedIdentifier == "" {
+		return ""
+	}
+	return strings.ReplaceAll(trimmedIdentifier, "_", "-")
+}
+
+func parseInt64Header(headers http.Header, headerName string) (int64, bool) {
+	headerValue := strings.TrimSpace(headers.Get(headerName))
+	if headerValue == "" {
+		return 0, false
+	}
+	parsedValue, parseError := strconv.ParseInt(headerValue, 10, 64)
+	if parseError != nil {
+		return 0, false
+	}
+	return parsedValue, true
+}
+
+func weeklyCycleHintForLimit(headers http.Header, limitIdentifier string) *WeeklyCycleHint {
+	normalizedLimitIdentifier := normalizeRateLimitIdentifier(limitIdentifier)
+	if normalizedLimitIdentifier == "" {
+		return nil
+	}
+
+	windowHeader := "x-" + normalizedLimitIdentifier + "-secondary-window-minutes"
+	resetHeader := "x-" + normalizedLimitIdentifier + "-secondary-reset-at"
+
+	windowMinutes, hasWindowMinutes := parseInt64Header(headers, windowHeader)
+	resetAtUnix, hasResetAt := parseInt64Header(headers, resetHeader)
+	if !hasWindowMinutes || !hasResetAt || windowMinutes <= 0 || resetAtUnix <= 0 {
+		return nil
+	}
+
+	return &WeeklyCycleHint{
+		WindowMinutes: windowMinutes,
+		ResetAt:       time.Unix(resetAtUnix, 0).UTC(),
+	}
+}
+
+func extractWeeklyCycleHint(headers http.Header) *WeeklyCycleHint {
+	activeLimitIdentifier := normalizeRateLimitIdentifier(headers.Get("x-codex-active-limit"))
+	if activeLimitIdentifier != "" {
+		if activeHint := weeklyCycleHintForLimit(headers, activeLimitIdentifier); activeHint != nil {
+			return activeHint
+		}
+	}
+	return weeklyCycleHintForLimit(headers, "codex")
+}
+
 type Service struct {
 	boxService.Adapter
 	ctx            context.Context
@@ -404,9 +456,12 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {

 func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, response *http.Response, path string, requestModel string, username string) {
 	isChatCompletions := path == "/v1/chat/completions"
+	weeklyCycleHint := extractWeeklyCycleHint(response.Header)
 	mediaType, _, err := mime.ParseMediaType(response.Header.Get("Content-Type"))
 	isStreaming := err == nil && mediaType == "text/event-stream"
-
+	if !isStreaming && !isChatCompletions && response.Header.Get("Content-Type") == "" {
+		isStreaming = true
+	}
 	if !isStreaming {
 		bodyBytes, err := io.ReadAll(response.Body)
 		if err != nil {
@@ -414,13 +469,14 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 			return
 		}

-		var responseModel string
+		var responseModel, serviceTier string
 		var inputTokens, outputTokens, cachedTokens int64

 		if isChatCompletions {
 			var chatCompletion openai.ChatCompletion
 			if json.Unmarshal(bodyBytes, &chatCompletion) == nil {
 				responseModel = chatCompletion.Model
+				serviceTier = string(chatCompletion.ServiceTier)
 				inputTokens = chatCompletion.Usage.PromptTokens
 				outputTokens = chatCompletion.Usage.CompletionTokens
 				cachedTokens = chatCompletion.Usage.PromptTokensDetails.CachedTokens
@@ -429,6 +485,7 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 			var responsesResponse responses.Response
 			if json.Unmarshal(bodyBytes, &responsesResponse) == nil {
 				responseModel = string(responsesResponse.Model)
+				serviceTier = string(responsesResponse.ServiceTier)
 				inputTokens = responsesResponse.Usage.InputTokens
 				outputTokens = responsesResponse.Usage.OutputTokens
 				cachedTokens = responsesResponse.Usage.InputTokensDetails.CachedTokens
@@ -440,7 +497,16 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 				responseModel = requestModel
 			}
 			if responseModel != "" {
-				s.usageTracker.AddUsage(responseModel, inputTokens, outputTokens, cachedTokens, username)
+				s.usageTracker.AddUsageWithCycleHint(
+					responseModel,
+					inputTokens,
+					outputTokens,
+					cachedTokens,
+					serviceTier,
+					username,
+					time.Now(),
+					weeklyCycleHint,
+				)
 			}
 		}

@@ -455,7 +521,7 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 	}

 	var inputTokens, outputTokens, cachedTokens int64
-	var responseModel string
+	var responseModel, serviceTier string
 	buffer := make([]byte, buf.BufferSize)
 	var leftover []byte

@@ -490,6 +556,9 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 							if chatChunk.Model != "" {
 								responseModel = chatChunk.Model
 							}
+							if chatChunk.ServiceTier != "" {
+								serviceTier = string(chatChunk.ServiceTier)
+							}
 							if chatChunk.Usage.PromptTokens > 0 {
 								inputTokens = chatChunk.Usage.PromptTokens
 								cachedTokens = chatChunk.Usage.PromptTokensDetails.CachedTokens
@@ -506,6 +575,9 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 								if string(completedEvent.Response.Model) != "" {
 									responseModel = string(completedEvent.Response.Model)
 								}
+								if completedEvent.Response.ServiceTier != "" {
+									serviceTier = string(completedEvent.Response.ServiceTier)
+								}
 								if completedEvent.Response.Usage.InputTokens > 0 {
 									inputTokens = completedEvent.Response.Usage.InputTokens
 									cachedTokens = completedEvent.Response.Usage.InputTokensDetails.CachedTokens
@@ -534,7 +606,16 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons

 			if inputTokens > 0 || outputTokens > 0 {
 				if responseModel != "" {
-					s.usageTracker.AddUsage(responseModel, inputTokens, outputTokens, cachedTokens, username)
+					s.usageTracker.AddUsageWithCycleHint(
+						responseModel,
+						inputTokens,
+						outputTokens,
+						cachedTokens,
+						serviceTier,
+						username,
+						time.Now(),
+						weeklyCycleHint,
+					)
 				}
 			}
 			return
--- a/service/ocm/service_usage.go
+++ b/service/ocm/service_usage.go
@@ -2,9 +2,11 @@ package ocm

 import (
 	"encoding/json"
+	"fmt"
 	"math"
 	"os"
 	"regexp"
+	"strings"
 	"sync"
 	"time"

@@ -42,9 +44,11 @@ func (u *UsageStats) UnmarshalJSON(data []byte) error {
 }

 type CostCombination struct {
-	Model  string                `json:"model"`
-	Total  UsageStats            `json:"total"`
-	ByUser map[string]UsageStats `json:"by_user"`
+	Model         string                `json:"model"`
+	ServiceTier   string                `json:"service_tier,omitempty"`
+	WeekStartUnix int64                 `json:"week_start_unix,omitempty"`
+	Total         UsageStats            `json:"total"`
+	ByUser        map[string]UsageStats `json:"by_user"`
 }

 type AggregatedUsage struct {
@@ -68,14 +72,17 @@ type UsageStatsJSON struct {
 }

 type CostCombinationJSON struct {
-	Model  string                    `json:"model"`
-	Total  UsageStatsJSON            `json:"total"`
-	ByUser map[string]UsageStatsJSON `json:"by_user"`
+	Model         string                    `json:"model"`
+	ServiceTier   string                    `json:"service_tier,omitempty"`
+	WeekStartUnix int64                     `json:"week_start_unix,omitempty"`
+	Total         UsageStatsJSON            `json:"total"`
+	ByUser        map[string]UsageStatsJSON `json:"by_user"`
 }

 type CostsSummaryJSON struct {
 	TotalUSD float64            `json:"total_usd"`
 	ByUser   map[string]float64 `json:"by_user"`
+	ByWeek   map[string]float64 `json:"by_week,omitempty"`
 }

 type AggregatedUsageJSON struct {
@@ -84,6 +91,11 @@ type AggregatedUsageJSON struct {
 	Combinations []CostCombinationJSON `json:"combinations"`
 }

+type WeeklyCycleHint struct {
+	WindowMinutes int64
+	ResetAt       time.Time
+}
+
 type ModelPricing struct {
 	InputPrice       float64
 	OutputPrice      float64
@@ -95,7 +107,123 @@ type modelFamily struct {
 	pricing ModelPricing
 }

+const (
+	serviceTierAuto     = "auto"
+	serviceTierDefault  = "default"
+	serviceTierFlex     = "flex"
+	serviceTierPriority = "priority"
+	serviceTierScale    = "scale"
+)
+
 var (
+	gpt52Pricing = ModelPricing{
+		InputPrice:       1.75,
+		OutputPrice:      14.0,
+		CachedInputPrice: 0.175,
+	}
+
+	gpt5Pricing = ModelPricing{
+		InputPrice:       1.25,
+		OutputPrice:      10.0,
+		CachedInputPrice: 0.125,
+	}
+
+	gpt5MiniPricing = ModelPricing{
+		InputPrice:       0.25,
+		OutputPrice:      2.0,
+		CachedInputPrice: 0.025,
+	}
+
+	gpt5NanoPricing = ModelPricing{
+		InputPrice:       0.05,
+		OutputPrice:      0.4,
+		CachedInputPrice: 0.005,
+	}
+
+	gpt52CodexPricing = ModelPricing{
+		InputPrice:       1.75,
+		OutputPrice:      14.0,
+		CachedInputPrice: 0.175,
+	}
+
+	gpt51CodexPricing = ModelPricing{
+		InputPrice:       1.25,
+		OutputPrice:      10.0,
+		CachedInputPrice: 0.125,
+	}
+
+	gpt51CodexMiniPricing = ModelPricing{
+		InputPrice:       0.25,
+		OutputPrice:      2.0,
+		CachedInputPrice: 0.025,
+	}
+
+	gpt52ProPricing = ModelPricing{
+		InputPrice:       21.0,
+		OutputPrice:      168.0,
+		CachedInputPrice: 21.0,
+	}
+
+	gpt5ProPricing = ModelPricing{
+		InputPrice:       15.0,
+		OutputPrice:      120.0,
+		CachedInputPrice: 15.0,
+	}
+
+	gpt52FlexPricing = ModelPricing{
+		InputPrice:       0.875,
+		OutputPrice:      7.0,
+		CachedInputPrice: 0.0875,
+	}
+
+	gpt5FlexPricing = ModelPricing{
+		InputPrice:       0.625,
+		OutputPrice:      5.0,
+		CachedInputPrice: 0.0625,
+	}
+
+	gpt5MiniFlexPricing = ModelPricing{
+		InputPrice:       0.125,
+		OutputPrice:      1.0,
+		CachedInputPrice: 0.0125,
+	}
+
+	gpt5NanoFlexPricing = ModelPricing{
+		InputPrice:       0.025,
+		OutputPrice:      0.2,
+		CachedInputPrice: 0.0025,
+	}
+
+	gpt52PriorityPricing = ModelPricing{
+		InputPrice:       3.5,
+		OutputPrice:      28.0,
+		CachedInputPrice: 0.35,
+	}
+
+	gpt5PriorityPricing = ModelPricing{
+		InputPrice:       2.5,
+		OutputPrice:      20.0,
+		CachedInputPrice: 0.25,
+	}
+
+	gpt5MiniPriorityPricing = ModelPricing{
+		InputPrice:       0.45,
+		OutputPrice:      3.6,
+		CachedInputPrice: 0.045,
+	}
+
+	gpt52CodexPriorityPricing = ModelPricing{
+		InputPrice:       3.5,
+		OutputPrice:      28.0,
+		CachedInputPrice: 0.35,
+	}
+
+	gpt51CodexPriorityPricing = ModelPricing{
+		InputPrice:       2.5,
+		OutputPrice:      20.0,
+		CachedInputPrice: 0.25,
+	}
+
 	gpt4oPricing = ModelPricing{
 		InputPrice:       2.5,
 		OutputPrice:      10.0,
@@ -111,7 +239,19 @@ var (
 	gpt4oAudioPricing = ModelPricing{
 		InputPrice:       2.5,
 		OutputPrice:      10.0,
-		CachedInputPrice: 1.25,
+		CachedInputPrice: 2.5,
+	}
+
+	gpt4oMiniAudioPricing = ModelPricing{
+		InputPrice:       0.15,
+		OutputPrice:      0.6,
+		CachedInputPrice: 0.15,
+	}
+
+	gptAudioMiniPricing = ModelPricing{
+		InputPrice:       0.6,
+		OutputPrice:      2.4,
+		CachedInputPrice: 0.6,
 	}

 	o1Pricing = ModelPricing{
@@ -120,6 +260,12 @@ var (
 		CachedInputPrice: 7.5,
 	}

+	o1ProPricing = ModelPricing{
+		InputPrice:       150.0,
+		OutputPrice:      600.0,
+		CachedInputPrice: 150.0,
+	}
+
 	o1MiniPricing = ModelPricing{
 		InputPrice:       1.1,
 		OutputPrice:      4.4,
@@ -135,13 +281,55 @@ var (
 	o3Pricing = ModelPricing{
 		InputPrice:       2.0,
 		OutputPrice:      8.0,
-		CachedInputPrice: 1.0,
+		CachedInputPrice: 0.5,
+	}
+
+	o3ProPricing = ModelPricing{
+		InputPrice:       20.0,
+		OutputPrice:      80.0,
+		CachedInputPrice: 20.0,
+	}
+
+	o3DeepResearchPricing = ModelPricing{
+		InputPrice:       10.0,
+		OutputPrice:      40.0,
+		CachedInputPrice: 2.5,
 	}

 	o4MiniPricing = ModelPricing{
 		InputPrice:       1.1,
 		OutputPrice:      4.4,
-		CachedInputPrice: 0.55,
+		CachedInputPrice: 0.275,
+	}
+
+	o4MiniDeepResearchPricing = ModelPricing{
+		InputPrice:       2.0,
+		OutputPrice:      8.0,
+		CachedInputPrice: 0.5,
+	}
+
+	o3FlexPricing = ModelPricing{
+		InputPrice:       1.0,
+		OutputPrice:      4.0,
+		CachedInputPrice: 0.25,
+	}
+
+	o4MiniFlexPricing = ModelPricing{
+		InputPrice:       0.55,
+		OutputPrice:      2.2,
+		CachedInputPrice: 0.138,
+	}
+
+	o3PriorityPricing = ModelPricing{
+		InputPrice:       3.5,
+		OutputPrice:      14.0,
+		CachedInputPrice: 0.875,
+	}
+
+	o4MiniPriorityPricing = ModelPricing{
+		InputPrice:       2.0,
+		OutputPrice:      8.0,
+		CachedInputPrice: 0.5,
 	}

 	gpt41Pricing = ModelPricing{
@@ -162,69 +350,374 @@ var (
 		CachedInputPrice: 0.025,
 	}

-	modelFamilies = []modelFamily{
+	gpt41PriorityPricing = ModelPricing{
+		InputPrice:       3.5,
+		OutputPrice:      14.0,
+		CachedInputPrice: 0.875,
+	}
+
+	gpt41MiniPriorityPricing = ModelPricing{
+		InputPrice:       0.7,
+		OutputPrice:      2.8,
+		CachedInputPrice: 0.175,
+	}
+
+	gpt41NanoPriorityPricing = ModelPricing{
+		InputPrice:       0.2,
+		OutputPrice:      0.8,
+		CachedInputPrice: 0.05,
+	}
+
+	gpt4oPriorityPricing = ModelPricing{
+		InputPrice:       4.25,
+		OutputPrice:      17.0,
+		CachedInputPrice: 2.125,
+	}
+
+	gpt4oMiniPriorityPricing = ModelPricing{
+		InputPrice:       0.25,
+		OutputPrice:      1.0,
+		CachedInputPrice: 0.125,
+	}
+
+	standardModelFamilies = []modelFamily{
 		{
-			pattern: regexp.MustCompile(`^gpt-4\.1-nano`),
-			pricing: gpt41NanoPricing,
+			pattern: regexp.MustCompile(`^gpt-5\.3-codex(?:$|-)`),
+			pricing: gpt52CodexPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^gpt-4\.1-mini`),
-			pricing: gpt41MiniPricing,
+			pattern: regexp.MustCompile(`^gpt-5\.2-codex(?:$|-)`),
+			pricing: gpt52CodexPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^gpt-4\.1`),
-			pricing: gpt41Pricing,
+			pattern: regexp.MustCompile(`^gpt-5\.1-codex-max(?:$|-)`),
+			pricing: gpt51CodexPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^o4-mini`),
+			pattern: regexp.MustCompile(`^gpt-5\.1-codex-mini(?:$|-)`),
+			pricing: gpt51CodexMiniPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.1-codex(?:$|-)`),
+			pricing: gpt51CodexPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5-codex-mini(?:$|-)`),
+			pricing: gpt51CodexMiniPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5-codex(?:$|-)`),
+			pricing: gpt51CodexPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.2-chat-latest$`),
+			pricing: gpt52Pricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.1-chat-latest$`),
+			pricing: gpt5Pricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5-chat-latest$`),
+			pricing: gpt5Pricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.2-pro(?:$|-)`),
+			pricing: gpt52ProPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5-pro(?:$|-)`),
+			pricing: gpt5ProPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5-mini(?:$|-)`),
+			pricing: gpt5MiniPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5-nano(?:$|-)`),
+			pricing: gpt5NanoPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.2(?:$|-)`),
+			pricing: gpt52Pricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.1(?:$|-)`),
+			pricing: gpt5Pricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5(?:$|-)`),
+			pricing: gpt5Pricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^o4-mini-deep-research(?:$|-)`),
+			pricing: o4MiniDeepResearchPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^o4-mini(?:$|-)`),
 			pricing: o4MiniPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^o3-mini`),
+			pattern: regexp.MustCompile(`^o3-pro(?:$|-)`),
+			pricing: o3ProPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^o3-deep-research(?:$|-)`),
+			pricing: o3DeepResearchPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^o3-mini(?:$|-)`),
 			pricing: o3MiniPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^o3`),
+			pattern: regexp.MustCompile(`^o3(?:$|-)`),
 			pricing: o3Pricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^o1-mini`),
+			pattern: regexp.MustCompile(`^o1-pro(?:$|-)`),
+			pricing: o1ProPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^o1-mini(?:$|-)`),
 			pricing: o1MiniPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^o1`),
+			pattern: regexp.MustCompile(`^o1(?:$|-)`),
 			pricing: o1Pricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^gpt-4o-audio`),
+			pattern: regexp.MustCompile(`^gpt-4o-mini-audio(?:$|-)`),
+			pricing: gpt4oMiniAudioPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-audio-mini(?:$|-)`),
+			pricing: gptAudioMiniPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^(?:gpt-4o-audio|gpt-audio)(?:$|-)`),
 			pricing: gpt4oAudioPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^gpt-4o-mini`),
+			pattern: regexp.MustCompile(`^gpt-4\.1-nano(?:$|-)`),
+			pricing: gpt41NanoPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-4\.1-mini(?:$|-)`),
+			pricing: gpt41MiniPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-4\.1(?:$|-)`),
+			pricing: gpt41Pricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-4o-mini(?:$|-)`),
 			pricing: gpt4oMiniPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^gpt-4o`),
+			pattern: regexp.MustCompile(`^gpt-4o(?:$|-)`),
 			pricing: gpt4oPricing,
 		},
 		{
-			pattern: regexp.MustCompile(`^chatgpt-4o`),
+			pattern: regexp.MustCompile(`^chatgpt-4o(?:$|-)`),
 			pricing: gpt4oPricing,
 		},
 	}
+
+	flexModelFamilies = []modelFamily{
+		{
+			pattern: regexp.MustCompile(`^gpt-5-mini(?:$|-)`),
+			pricing: gpt5MiniFlexPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5-nano(?:$|-)`),
+			pricing: gpt5NanoFlexPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.2(?:$|-)`),
+			pricing: gpt52FlexPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.1(?:$|-)`),
+			pricing: gpt5FlexPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5(?:$|-)`),
+			pricing: gpt5FlexPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^o4-mini(?:$|-)`),
+			pricing: o4MiniFlexPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^o3(?:$|-)`),
+			pricing: o3FlexPricing,
+		},
+	}
+
+	priorityModelFamilies = []modelFamily{
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.3-codex(?:$|-)`),
+			pricing: gpt52CodexPriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.2-codex(?:$|-)`),
+			pricing: gpt52CodexPriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.1-codex-max(?:$|-)`),
+			pricing: gpt51CodexPriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.1-codex(?:$|-)`),
+			pricing: gpt51CodexPriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5-codex-mini(?:$|-)`),
+			pricing: gpt5MiniPriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5-codex(?:$|-)`),
+			pricing: gpt51CodexPriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5-mini(?:$|-)`),
+			pricing: gpt5MiniPriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.2(?:$|-)`),
+			pricing: gpt52PriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5\.1(?:$|-)`),
+			pricing: gpt5PriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-5(?:$|-)`),
+			pricing: gpt5PriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^o4-mini(?:$|-)`),
+			pricing: o4MiniPriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^o3(?:$|-)`),
+			pricing: o3PriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-4\.1-nano(?:$|-)`),
+			pricing: gpt41NanoPriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-4\.1-mini(?:$|-)`),
+			pricing: gpt41MiniPriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-4\.1(?:$|-)`),
+			pricing: gpt41PriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-4o-mini(?:$|-)`),
+			pricing: gpt4oMiniPriorityPricing,
+		},
+		{
+			pattern: regexp.MustCompile(`^gpt-4o(?:$|-)`),
+			pricing: gpt4oPriorityPricing,
+		},
+	}
 )

-func getPricing(model string) ModelPricing {
+func modelFamiliesForTier(serviceTier string) []modelFamily {
+	switch serviceTier {
+	case serviceTierFlex:
+		return flexModelFamilies
+	case serviceTierPriority:
+		return priorityModelFamilies
+	default:
+		return standardModelFamilies
+	}
+}
+
+func findPricingInFamilies(model string, modelFamilies []modelFamily) (ModelPricing, bool) {
 	for _, family := range modelFamilies {
 		if family.pattern.MatchString(model) {
-			return family.pricing
+			return family.pricing, true
 		}
 	}
+	return ModelPricing{}, false
+}
+
+func normalizeServiceTier(serviceTier string) string {
+	switch strings.ToLower(strings.TrimSpace(serviceTier)) {
+	case "", serviceTierAuto, serviceTierDefault:
+		return serviceTierDefault
+	case serviceTierFlex:
+		return serviceTierFlex
+	case serviceTierPriority:
+		return serviceTierPriority
+	case serviceTierScale:
+		// Scale-tier requests are prepaid differently and not listed in this usage file.
+		return serviceTierDefault
+	default:
+		return serviceTierDefault
+	}
+}
+
+func getPricing(model string, serviceTier string) ModelPricing {
+	normalizedServiceTier := normalizeServiceTier(serviceTier)
+	modelFamilies := modelFamiliesForTier(normalizedServiceTier)
+
+	if pricing, found := findPricingInFamilies(model, modelFamilies); found {
+		return pricing
+	}
+
+	normalizedModel := normalizeGPT5Model(model)
+	if normalizedModel != model {
+		if pricing, found := findPricingInFamilies(normalizedModel, modelFamilies); found {
+			return pricing
+		}
+	}
+
+	if normalizedServiceTier != serviceTierDefault {
+		if pricing, found := findPricingInFamilies(model, standardModelFamilies); found {
+			return pricing
+		}
+		if normalizedModel != model {
+			if pricing, found := findPricingInFamilies(normalizedModel, standardModelFamilies); found {
+				return pricing
+			}
+		}
+	}
+
 	return gpt4oPricing
 }

-func calculateCost(stats UsageStats, model string) float64 {
-	pricing := getPricing(model)
+func normalizeGPT5Model(model string) string {
+	if !strings.HasPrefix(model, "gpt-5.") {
+		return model
+	}
+
+	switch {
+	case strings.Contains(model, "-codex-mini"):
+		return "gpt-5.1-codex-mini"
+	case strings.Contains(model, "-codex-max"):
+		return "gpt-5.1-codex-max"
+	case strings.Contains(model, "-codex"):
+		return "gpt-5.3-codex"
+	case strings.Contains(model, "-chat-latest"):
+		return "gpt-5.2-chat-latest"
+	case strings.Contains(model, "-pro"):
+		return "gpt-5.2-pro"
+	case strings.Contains(model, "-mini"):
+		return "gpt-5-mini"
+	case strings.Contains(model, "-nano"):
+		return "gpt-5-nano"
+	default:
+		return "gpt-5.2"
+	}
+}
+
+func calculateCost(stats UsageStats, model string, serviceTier string) float64 {
+	pricing := getPricing(model, serviceTier)

 	regularInputTokens := stats.InputTokens - stats.CachedTokens
 	if regularInputTokens < 0 {
@@ -238,41 +731,89 @@ func calculateCost(stats UsageStats, model string) float64 {
 	return math.Round(cost*100) / 100
 }

-func (u *AggregatedUsage) ToJSON() *AggregatedUsageJSON {
-	u.mutex.Lock()
-	defer u.mutex.Unlock()
+func roundCost(cost float64) float64 {
+	return math.Round(cost*100) / 100
+}

-	result := &AggregatedUsageJSON{
-		LastUpdated:  u.LastUpdated,
-		Combinations: make([]CostCombinationJSON, len(u.Combinations)),
-		Costs: CostsSummaryJSON{
-			TotalUSD: 0,
-			ByUser:   make(map[string]float64),
-		},
+func normalizeCombinations(combinations []CostCombination) {
+	for index := range combinations {
+		combinations[index].ServiceTier = normalizeServiceTier(combinations[index].ServiceTier)
+		if combinations[index].ByUser == nil {
+			combinations[index].ByUser = make(map[string]UsageStats)
+		}
+	}
+}
+
+func addUsageToCombinations(combinations *[]CostCombination, model string, serviceTier string, weekStartUnix int64, user string, inputTokens, outputTokens, cachedTokens int64) {
+	var matchedCombination *CostCombination
+	for index := range *combinations {
+		combination := &(*combinations)[index]
+		combinationServiceTier := normalizeServiceTier(combination.ServiceTier)
+		if combination.ServiceTier != combinationServiceTier {
+			combination.ServiceTier = combinationServiceTier
+		}
+		if combination.Model == model && combinationServiceTier == serviceTier && combination.WeekStartUnix == weekStartUnix {
+			matchedCombination = combination
+			break
+		}
 	}

-	for i, combo := range u.Combinations {
-		totalCost := calculateCost(combo.Total, combo.Model)
+	if matchedCombination == nil {
+		newCombination := CostCombination{
+			Model:         model,
+			ServiceTier:   serviceTier,
+			WeekStartUnix: weekStartUnix,
+			Total:         UsageStats{},
+			ByUser:        make(map[string]UsageStats),
+		}
+		*combinations = append(*combinations, newCombination)
+		matchedCombination = &(*combinations)[len(*combinations)-1]
+	}

-		result.Costs.TotalUSD += totalCost
+	matchedCombination.Total.RequestCount++
+	matchedCombination.Total.InputTokens += inputTokens
+	matchedCombination.Total.OutputTokens += outputTokens
+	matchedCombination.Total.CachedTokens += cachedTokens

-		comboJSON := CostCombinationJSON{
-			Model: combo.Model,
+	if user != "" {
+		userStats := matchedCombination.ByUser[user]
+		userStats.RequestCount++
+		userStats.InputTokens += inputTokens
+		userStats.OutputTokens += outputTokens
+		userStats.CachedTokens += cachedTokens
+		matchedCombination.ByUser[user] = userStats
+	}
+}
+
+func buildCombinationJSON(combinations []CostCombination, aggregateUserCosts map[string]float64) ([]CostCombinationJSON, float64) {
+	result := make([]CostCombinationJSON, len(combinations))
+	var totalCost float64
+
+	for index, combination := range combinations {
+		combinationTotalCost := calculateCost(combination.Total, combination.Model, combination.ServiceTier)
+		totalCost += combinationTotalCost
+
+		combinationJSON := CostCombinationJSON{
+			Model:         combination.Model,
+			ServiceTier:   combination.ServiceTier,
+			WeekStartUnix: combination.WeekStartUnix,
 			Total: UsageStatsJSON{
-				RequestCount: combo.Total.RequestCount,
-				InputTokens:  combo.Total.InputTokens,
-				OutputTokens: combo.Total.OutputTokens,
-				CachedTokens: combo.Total.CachedTokens,
-				CostUSD:      totalCost,
+				RequestCount: combination.Total.RequestCount,
+				InputTokens:  combination.Total.InputTokens,
+				OutputTokens: combination.Total.OutputTokens,
+				CachedTokens: combination.Total.CachedTokens,
+				CostUSD:      combinationTotalCost,
 			},
 			ByUser: make(map[string]UsageStatsJSON),
 		}

-		for user, userStats := range combo.ByUser {
-			userCost := calculateCost(userStats, combo.Model)
-			result.Costs.ByUser[user] += userCost
+		for user, userStats := range combination.ByUser {
+			userCost := calculateCost(userStats, combination.Model, combination.ServiceTier)
+			if aggregateUserCosts != nil {
+				aggregateUserCosts[user] += userCost
+			}

-			comboJSON.ByUser[user] = UsageStatsJSON{
+			combinationJSON.ByUser[user] = UsageStatsJSON{
 				RequestCount: userStats.RequestCount,
 				InputTokens:  userStats.InputTokens,
 				OutputTokens: userStats.OutputTokens,
@@ -281,12 +822,80 @@ func (u *AggregatedUsage) ToJSON() *AggregatedUsageJSON {
 			}
 		}

-		result.Combinations[i] = comboJSON
+		result[index] = combinationJSON
+	}
+
+	return result, roundCost(totalCost)
+}
+
+func formatUTCOffsetLabel(timestamp time.Time) string {
+	_, offsetSeconds := timestamp.Zone()
+	sign := "+"
+	if offsetSeconds < 0 {
+		sign = "-"
+		offsetSeconds = -offsetSeconds
+	}
+	offsetHours := offsetSeconds / 3600
+	offsetMinutes := (offsetSeconds % 3600) / 60
+	if offsetMinutes == 0 {
+		return fmt.Sprintf("UTC%s%d", sign, offsetHours)
+	}
+	return fmt.Sprintf("UTC%s%d:%02d", sign, offsetHours, offsetMinutes)
+}
+
+func formatWeekStartKey(cycleStartAt time.Time) string {
+	localCycleStart := cycleStartAt.In(time.Local)
+	return fmt.Sprintf("%s %s", localCycleStart.Format("2006-01-02 15:04:05"), formatUTCOffsetLabel(localCycleStart))
+}
+
+func buildByWeekCost(combinations []CostCombination) map[string]float64 {
+	byWeek := make(map[string]float64)
+	for _, combination := range combinations {
+		if combination.WeekStartUnix <= 0 {
+			continue
+		}
+		weekStartAt := time.Unix(combination.WeekStartUnix, 0).UTC()
+		weekKey := formatWeekStartKey(weekStartAt)
+		byWeek[weekKey] += calculateCost(combination.Total, combination.Model, combination.ServiceTier)
+	}
+	for weekKey, weekCost := range byWeek {
+		byWeek[weekKey] = roundCost(weekCost)
+	}
+	return byWeek
+}
+
+func deriveWeekStartUnix(cycleHint *WeeklyCycleHint) int64 {
+	if cycleHint == nil || cycleHint.WindowMinutes <= 0 || cycleHint.ResetAt.IsZero() {
+		return 0
+	}
+	windowDuration := time.Duration(cycleHint.WindowMinutes) * time.Minute
+	return cycleHint.ResetAt.UTC().Add(-windowDuration).Unix()
+}
+
+func (u *AggregatedUsage) ToJSON() *AggregatedUsageJSON {
+	u.mutex.Lock()
+	defer u.mutex.Unlock()
+
+	result := &AggregatedUsageJSON{
+		LastUpdated: u.LastUpdated,
+		Costs: CostsSummaryJSON{
+			TotalUSD: 0,
+			ByUser:   make(map[string]float64),
+			ByWeek:   make(map[string]float64),
+		},
+	}
+
+	globalCombinationsJSON, totalCost := buildCombinationJSON(u.Combinations, result.Costs.ByUser)
+	result.Combinations = globalCombinationsJSON
+	result.Costs.TotalUSD = totalCost
+	result.Costs.ByWeek = buildByWeekCost(u.Combinations)
+
+	if len(result.Costs.ByWeek) == 0 {
+		result.Costs.ByWeek = nil
 	}

-	result.Costs.TotalUSD = math.Round(result.Costs.TotalUSD*100) / 100
 	for user, cost := range result.Costs.ByUser {
-		result.Costs.ByUser[user] = math.Round(cost*100) / 100
+		result.Costs.ByUser[user] = roundCost(cost)
 	}

 	return result
@@ -296,6 +905,9 @@ func (u *AggregatedUsage) Load() error {
 	u.mutex.Lock()
 	defer u.mutex.Unlock()

+	u.LastUpdated = time.Time{}
+	u.Combinations = nil
+
 	data, err := os.ReadFile(u.filePath)
 	if err != nil {
 		if os.IsNotExist(err) {
@@ -316,12 +928,7 @@ func (u *AggregatedUsage) Load() error {

 	u.LastUpdated = temp.LastUpdated
 	u.Combinations = temp.Combinations
-
-	for i := range u.Combinations {
-		if u.Combinations[i].ByUser == nil {
-			u.Combinations[i].ByUser = make(map[string]UsageStats)
-		}
-	}
+	normalizeCombinations(u.Combinations)

 	return nil
 }
@@ -349,47 +956,27 @@ func (u *AggregatedUsage) Save() error {
 	return err
 }

-func (u *AggregatedUsage) AddUsage(model string, inputTokens, outputTokens, cachedTokens int64, user string) error {
+func (u *AggregatedUsage) AddUsage(model string, inputTokens, outputTokens, cachedTokens int64, serviceTier string, user string) error {
+	return u.AddUsageWithCycleHint(model, inputTokens, outputTokens, cachedTokens, serviceTier, user, time.Now(), nil)
+}
+
+func (u *AggregatedUsage) AddUsageWithCycleHint(model string, inputTokens, outputTokens, cachedTokens int64, serviceTier string, user string, observedAt time.Time, cycleHint *WeeklyCycleHint) error {
 	if model == "" {
 		return E.New("model cannot be empty")
 	}

+	normalizedServiceTier := normalizeServiceTier(serviceTier)
+	if observedAt.IsZero() {
+		observedAt = time.Now()
+	}
+
 	u.mutex.Lock()
 	defer u.mutex.Unlock()

-	u.LastUpdated = time.Now()
+	u.LastUpdated = observedAt
+	weekStartUnix := deriveWeekStartUnix(cycleHint)

-	var combo *CostCombination
-	for i := range u.Combinations {
-		if u.Combinations[i].Model == model {
-			combo = &u.Combinations[i]
-			break
-		}
-	}
-
-	if combo == nil {
-		newCombo := CostCombination{
-			Model:  model,
-			Total:  UsageStats{},
-			ByUser: make(map[string]UsageStats),
-		}
-		u.Combinations = append(u.Combinations, newCombo)
-		combo = &u.Combinations[len(u.Combinations)-1]
-	}
-
-	combo.Total.RequestCount++
-	combo.Total.InputTokens += inputTokens
-	combo.Total.OutputTokens += outputTokens
-	combo.Total.CachedTokens += cachedTokens
-
-	if user != "" {
-		userStats := combo.ByUser[user]
-		userStats.RequestCount++
-		userStats.InputTokens += inputTokens
-		userStats.OutputTokens += outputTokens
-		userStats.CachedTokens += cachedTokens
-		combo.ByUser[user] = userStats
-	}
+	addUsageToCombinations(&u.Combinations, model, normalizedServiceTier, weekStartUnix, user, inputTokens, outputTokens, cachedTokens)

 	go u.scheduleSave()

--- a/service/oomkiller/config.go
+++ b/service/oomkiller/config.go
@@ -0,0 +1,51 @@
+package oomkiller
+
+import (
+	"time"
+
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+func buildTimerConfig(options option.OOMKillerServiceOptions, memoryLimit uint64, useAvailable bool) (timerConfig, error) {
+	safetyMargin := uint64(defaultSafetyMargin)
+	if options.SafetyMargin != nil && options.SafetyMargin.Value() > 0 {
+		safetyMargin = options.SafetyMargin.Value()
+	}
+
+	minInterval := defaultMinInterval
+	if options.MinInterval != 0 {
+		minInterval = time.Duration(options.MinInterval.Build())
+		if minInterval <= 0 {
+			return timerConfig{}, E.New("min_interval must be greater than 0")
+		}
+	}
+
+	maxInterval := defaultMaxInterval
+	if options.MaxInterval != 0 {
+		maxInterval = time.Duration(options.MaxInterval.Build())
+		if maxInterval <= 0 {
+			return timerConfig{}, E.New("max_interval must be greater than 0")
+		}
+	}
+	if maxInterval < minInterval {
+		return timerConfig{}, E.New("max_interval must be greater than or equal to min_interval")
+	}
+
+	checksBeforeLimit := defaultChecksBeforeLimit
+	if options.ChecksBeforeLimit != 0 {
+		checksBeforeLimit = options.ChecksBeforeLimit
+		if checksBeforeLimit <= 0 {
+			return timerConfig{}, E.New("checks_before_limit must be greater than 0")
+		}
+	}
+
+	return timerConfig{
+		memoryLimit:       memoryLimit,
+		safetyMargin:      safetyMargin,
+		minInterval:       minInterval,
+		maxInterval:       maxInterval,
+		checksBeforeLimit: checksBeforeLimit,
+		useAvailable:      useAvailable,
+	}, nil
+}
--- a/service/oomkiller/service.go
+++ b/service/oomkiller/service.go
@@ -0,0 +1,192 @@
+//go:build darwin && cgo
+
+package oomkiller
+
+/*
+#include <dispatch/dispatch.h>
+
+static dispatch_source_t memoryPressureSource;
+
+extern void goMemoryPressureCallback(unsigned long status);
+
+static void startMemoryPressureMonitor() {
+	memoryPressureSource = dispatch_source_create(
+		DISPATCH_SOURCE_TYPE_MEMORYPRESSURE,
+		0,
+		DISPATCH_MEMORYPRESSURE_WARN | DISPATCH_MEMORYPRESSURE_CRITICAL,
+		dispatch_get_global_queue(QOS_CLASS_DEFAULT, 0)
+	);
+	dispatch_source_set_event_handler(memoryPressureSource, ^{
+		unsigned long status = dispatch_source_get_data(memoryPressureSource);
+		goMemoryPressureCallback(status);
+	});
+	dispatch_activate(memoryPressureSource);
+}
+
+static void stopMemoryPressureMonitor() {
+	if (memoryPressureSource) {
+		dispatch_source_cancel(memoryPressureSource);
+		memoryPressureSource = NULL;
+	}
+}
+*/
+import "C"
+
+import (
+	"context"
+	runtimeDebug "runtime/debug"
+	"sync"
+
+	"github.com/sagernet/sing-box/adapter"
+	boxService "github.com/sagernet/sing-box/adapter/service"
+	boxConstant "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common/memory"
+	"github.com/sagernet/sing/service"
+)
+
+func RegisterService(registry *boxService.Registry) {
+	boxService.Register[option.OOMKillerServiceOptions](registry, boxConstant.TypeOOMKiller, NewService)
+}
+
+var (
+	globalAccess   sync.Mutex
+	globalServices []*Service
+)
+
+type Service struct {
+	boxService.Adapter
+	logger        log.ContextLogger
+	router        adapter.Router
+	memoryLimit   uint64
+	hasTimerMode  bool
+	useAvailable  bool
+	timerConfig   timerConfig
+	adaptiveTimer *adaptiveTimer
+}
+
+func NewService(ctx context.Context, logger log.ContextLogger, tag string, options option.OOMKillerServiceOptions) (adapter.Service, error) {
+	s := &Service{
+		Adapter: boxService.NewAdapter(boxConstant.TypeOOMKiller, tag),
+		logger:  logger,
+		router:  service.FromContext[adapter.Router](ctx),
+	}
+
+	if options.MemoryLimit != nil {
+		s.memoryLimit = options.MemoryLimit.Value()
+		if s.memoryLimit > 0 {
+			s.hasTimerMode = true
+		}
+	}
+
+	config, err := buildTimerConfig(options, s.memoryLimit, s.useAvailable)
+	if err != nil {
+		return nil, err
+	}
+	s.timerConfig = config
+
+	return s, nil
+}
+
+func (s *Service) Start(stage adapter.StartStage) error {
+	if stage != adapter.StartStateStart {
+		return nil
+	}
+
+	if s.hasTimerMode {
+		s.adaptiveTimer = newAdaptiveTimer(s.logger, s.router, s.timerConfig)
+		if s.memoryLimit > 0 {
+			s.logger.Info("started memory monitor with limit: ", s.memoryLimit/(1024*1024), " MiB")
+		} else {
+			s.logger.Info("started memory monitor with available memory detection")
+		}
+	} else {
+		s.logger.Info("started memory pressure monitor")
+	}
+
+	globalAccess.Lock()
+	isFirst := len(globalServices) == 0
+	globalServices = append(globalServices, s)
+	globalAccess.Unlock()
+
+	if isFirst {
+		C.startMemoryPressureMonitor()
+	}
+	return nil
+}
+
+func (s *Service) Close() error {
+	if s.adaptiveTimer != nil {
+		s.adaptiveTimer.stop()
+	}
+	globalAccess.Lock()
+	for i, svc := range globalServices {
+		if svc == s {
+			globalServices = append(globalServices[:i], globalServices[i+1:]...)
+			break
+		}
+	}
+	isLast := len(globalServices) == 0
+	globalAccess.Unlock()
+	if isLast {
+		C.stopMemoryPressureMonitor()
+	}
+	return nil
+}
+
+//export goMemoryPressureCallback
+func goMemoryPressureCallback(status C.ulong) {
+	globalAccess.Lock()
+	services := make([]*Service, len(globalServices))
+	copy(services, globalServices)
+	globalAccess.Unlock()
+	if len(services) == 0 {
+		return
+	}
+	criticalFlag := C.ulong(C.DISPATCH_MEMORYPRESSURE_CRITICAL)
+	warnFlag := C.ulong(C.DISPATCH_MEMORYPRESSURE_WARN)
+	isCritical := status&criticalFlag != 0
+	isWarning := status&warnFlag != 0
+	var level string
+	switch {
+	case isCritical:
+		level = "critical"
+	case isWarning:
+		level = "warning"
+	default:
+		level = "normal"
+	}
+	var freeOSMemory bool
+	for _, s := range services {
+		usage := memory.Total()
+		if s.hasTimerMode {
+			if isCritical {
+				s.logger.Warn("memory pressure: ", level, ", usage: ", usage/(1024*1024), " MiB")
+				if s.adaptiveTimer != nil {
+					s.adaptiveTimer.startNow()
+				}
+			} else if isWarning {
+				s.logger.Warn("memory pressure: ", level, ", usage: ", usage/(1024*1024), " MiB")
+			} else {
+				s.logger.Debug("memory pressure: ", level, ", usage: ", usage/(1024*1024), " MiB")
+				if s.adaptiveTimer != nil {
+					s.adaptiveTimer.stop()
+				}
+			}
+		} else {
+			if isCritical {
+				s.logger.Error("memory pressure: ", level, ", usage: ", usage/(1024*1024), " MiB, resetting network")
+				s.router.ResetNetwork()
+				freeOSMemory = true
+			} else if isWarning {
+				s.logger.Warn("memory pressure: ", level, ", usage: ", usage/(1024*1024), " MiB")
+			} else {
+				s.logger.Debug("memory pressure: ", level, ", usage: ", usage/(1024*1024), " MiB")
+			}
+		}
+	}
+	if freeOSMemory {
+		runtimeDebug.FreeOSMemory()
+	}
+}
--- a/service/oomkiller/service_stub.go
+++ b/service/oomkiller/service_stub.go
@@ -0,0 +1,81 @@
+//go:build !darwin || !cgo
+
+package oomkiller
+
+import (
+	"context"
+
+	"github.com/sagernet/sing-box/adapter"
+	boxService "github.com/sagernet/sing-box/adapter/service"
+	boxConstant "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/memory"
+	"github.com/sagernet/sing/service"
+)
+
+func RegisterService(registry *boxService.Registry) {
+	boxService.Register[option.OOMKillerServiceOptions](registry, boxConstant.TypeOOMKiller, NewService)
+}
+
+type Service struct {
+	boxService.Adapter
+	logger        log.ContextLogger
+	router        adapter.Router
+	adaptiveTimer *adaptiveTimer
+	timerConfig   timerConfig
+	hasTimerMode  bool
+	useAvailable  bool
+	memoryLimit   uint64
+}
+
+func NewService(ctx context.Context, logger log.ContextLogger, tag string, options option.OOMKillerServiceOptions) (adapter.Service, error) {
+	s := &Service{
+		Adapter: boxService.NewAdapter(boxConstant.TypeOOMKiller, tag),
+		logger:  logger,
+		router:  service.FromContext[adapter.Router](ctx),
+	}
+
+	if options.MemoryLimit != nil {
+		s.memoryLimit = options.MemoryLimit.Value()
+	}
+	if s.memoryLimit > 0 {
+		s.hasTimerMode = true
+	} else if memory.AvailableSupported() {
+		s.useAvailable = true
+		s.hasTimerMode = true
+	}
+
+	config, err := buildTimerConfig(options, s.memoryLimit, s.useAvailable)
+	if err != nil {
+		return nil, err
+	}
+	s.timerConfig = config
+
+	return s, nil
+}
+
+func (s *Service) Start(stage adapter.StartStage) error {
+	if stage != adapter.StartStateStart {
+		return nil
+	}
+	if !s.hasTimerMode {
+		return E.New("memory pressure monitoring is not available on this platform without memory_limit")
+	}
+	s.adaptiveTimer = newAdaptiveTimer(s.logger, s.router, s.timerConfig)
+	s.adaptiveTimer.start(0)
+	if s.useAvailable {
+		s.logger.Info("started memory monitor with available memory detection")
+	} else {
+		s.logger.Info("started memory monitor with limit: ", s.memoryLimit/(1024*1024), " MiB")
+	}
+	return nil
+}
+
+func (s *Service) Close() error {
+	if s.adaptiveTimer != nil {
+		s.adaptiveTimer.stop()
+	}
+	return nil
+}
--- a/service/oomkiller/service_timer.go
+++ b/service/oomkiller/service_timer.go
@@ -0,0 +1,158 @@
+package oomkiller
+
+import (
+	runtimeDebug "runtime/debug"
+	"sync"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common/memory"
+)
+
+const (
+	defaultChecksBeforeLimit = 4
+	defaultMinInterval       = 500 * time.Millisecond
+	defaultMaxInterval       = 10 * time.Second
+	defaultSafetyMargin      = 5 * 1024 * 1024
+)
+
+type adaptiveTimer struct {
+	logger            log.ContextLogger
+	router            adapter.Router
+	memoryLimit       uint64
+	safetyMargin      uint64
+	minInterval       time.Duration
+	maxInterval       time.Duration
+	checksBeforeLimit int
+	useAvailable      bool
+
+	access        sync.Mutex
+	timer         *time.Timer
+	previousUsage uint64
+	lastInterval  time.Duration
+}
+
+type timerConfig struct {
+	memoryLimit       uint64
+	safetyMargin      uint64
+	minInterval       time.Duration
+	maxInterval       time.Duration
+	checksBeforeLimit int
+	useAvailable      bool
+}
+
+func newAdaptiveTimer(logger log.ContextLogger, router adapter.Router, config timerConfig) *adaptiveTimer {
+	return &adaptiveTimer{
+		logger:            logger,
+		router:            router,
+		memoryLimit:       config.memoryLimit,
+		safetyMargin:      config.safetyMargin,
+		minInterval:       config.minInterval,
+		maxInterval:       config.maxInterval,
+		checksBeforeLimit: config.checksBeforeLimit,
+		useAvailable:      config.useAvailable,
+	}
+}
+
+func (t *adaptiveTimer) start(_ uint64) {
+	t.access.Lock()
+	defer t.access.Unlock()
+	t.startLocked()
+}
+
+func (t *adaptiveTimer) startNow() {
+	t.access.Lock()
+	t.startLocked()
+	t.access.Unlock()
+	t.poll()
+}
+
+func (t *adaptiveTimer) startLocked() {
+	if t.timer != nil {
+		return
+	}
+	t.previousUsage = memory.Total()
+	t.lastInterval = t.minInterval
+	t.timer = time.AfterFunc(t.minInterval, t.poll)
+}
+
+func (t *adaptiveTimer) stop() {
+	t.access.Lock()
+	defer t.access.Unlock()
+	t.stopLocked()
+}
+
+func (t *adaptiveTimer) stopLocked() {
+	if t.timer != nil {
+		t.timer.Stop()
+		t.timer = nil
+	}
+}
+
+func (t *adaptiveTimer) running() bool {
+	t.access.Lock()
+	defer t.access.Unlock()
+	return t.timer != nil
+}
+
+func (t *adaptiveTimer) poll() {
+	t.access.Lock()
+	defer t.access.Unlock()
+	if t.timer == nil {
+		return
+	}
+
+	usage := memory.Total()
+	delta := int64(usage) - int64(t.previousUsage)
+	t.previousUsage = usage
+
+	var remaining uint64
+	var triggered bool
+
+	if t.memoryLimit > 0 {
+		if usage >= t.memoryLimit {
+			remaining = 0
+			triggered = true
+		} else {
+			remaining = t.memoryLimit - usage
+		}
+	} else if t.useAvailable {
+		available := memory.Available()
+		if available <= t.safetyMargin {
+			remaining = 0
+			triggered = true
+		} else {
+			remaining = available - t.safetyMargin
+		}
+	} else {
+		remaining = 0
+	}
+
+	if triggered {
+		t.logger.Error("memory threshold reached, usage: ", usage/(1024*1024), " MiB, resetting network")
+		t.router.ResetNetwork()
+		runtimeDebug.FreeOSMemory()
+	}
+
+	var interval time.Duration
+	if triggered {
+		interval = t.maxInterval
+	} else if delta <= 0 {
+		interval = t.maxInterval
+	} else if t.checksBeforeLimit <= 0 {
+		interval = t.maxInterval
+	} else {
+		timeToLimit := time.Duration(float64(remaining) / float64(delta) * float64(t.lastInterval))
+		interval = timeToLimit / time.Duration(t.checksBeforeLimit)
+		if interval < t.minInterval {
+			interval = t.minInterval
+		}
+		if interval > t.maxInterval {
+			interval = t.maxInterval
+		}
+	}
+
+	t.lastInterval = interval
+	t.timer.Reset(interval)
+}
--- a/test/go.mod
+++ b/test/go.mod
@@ -10,9 +10,9 @@ require (
 	github.com/docker/docker v27.3.1+incompatible
 	github.com/docker/go-connections v0.5.0
 	github.com/gofrs/uuid/v5 v5.4.0
-	github.com/sagernet/quic-go v0.58.0-sing-box-mod.1
-	github.com/sagernet/sing v0.8.0-beta.6.0.20251207063731-56fd482ce1c6
-	github.com/sagernet/sing-quic v0.6.0-beta.6
+	github.com/sagernet/quic-go v0.59.0-sing-box-mod.2
+	github.com/sagernet/sing v0.8.0-beta.16
+	github.com/sagernet/sing-quic v0.6.0-beta.11
 	github.com/sagernet/sing-shadowsocks v0.2.8
 	github.com/sagernet/sing-shadowsocks2 v0.2.1
 	github.com/spyzhov/ajson v0.9.4
@@ -40,17 +40,17 @@ require (
 	github.com/database64128/tfo-go/v2 v2.3.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa // indirect
-	github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e // indirect
 	github.com/distribution/reference v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/ebitengine/purego v0.9.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/florianl/go-nfqueue/v2 v2.0.2 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/gaissmai/bart v0.18.0 // indirect
 	github.com/go-chi/chi/v5 v5.2.3 // indirect
 	github.com/go-chi/render v1.0.3 // indirect
-	github.com/go-json-experiment/json v0.0.0-20250223041408-d3c622f1b874 // indirect
+	github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
@@ -65,21 +65,19 @@ require (
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/hashicorp/yamux v0.1.2 // indirect
 	github.com/hdevalence/ed25519consensus v0.2.0 // indirect
-	github.com/illarion/gonotify/v3 v3.0.2 // indirect
 	github.com/insomniacslk/dhcp v0.0.0-20251020182700-175e84fbb167 // indirect
 	github.com/jsimonetti/rtnetlink v1.4.0 // indirect
 	github.com/keybase/go-keychain v0.0.1 // indirect
-	github.com/klauspost/compress v1.17.11 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
+	github.com/libdns/acmedns v0.5.0 // indirect
 	github.com/libdns/alidns v1.0.6-beta.3 // indirect
 	github.com/libdns/cloudflare v0.2.2 // indirect
 	github.com/libdns/libdns v1.1.1 // indirect
 	github.com/logrusorgru/aurora v2.0.3+incompatible // indirect
-	github.com/mdlayher/genetlink v1.3.2 // indirect
 	github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 // indirect
-	github.com/mdlayher/sdnotify v1.0.0 // indirect
 	github.com/mdlayher/socket v0.5.1 // indirect
-	github.com/metacubex/utls v1.8.3 // indirect
+	github.com/metacubex/utls v1.8.4 // indirect
 	github.com/mholt/acmez/v3 v3.1.4 // indirect
 	github.com/miekg/dns v1.1.69 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
@@ -88,8 +86,9 @@ require (
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/openai/openai-go/v3 v3.15.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.0.2 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
+	github.com/pires/go-proxyproto v0.8.1 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus-community/pro-bing v0.4.0 // indirect
@@ -97,40 +96,40 @@ require (
 	github.com/safchain/ethtool v0.3.0 // indirect
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a // indirect
 	github.com/sagernet/cors v1.2.1 // indirect
-	github.com/sagernet/cronet-go v0.0.0-20251220122645-b05b5c41614a // indirect
-	github.com/sagernet/cronet-go/all v0.0.0-20251220122645-b05b5c41614a // indirect
-	github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20251220122226-25b6d00c5b7e // indirect
-	github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20251220122226-25b6d00c5b7e // indirect
-	github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20251220122226-25b6d00c5b7e // indirect
-	github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20251220122226-25b6d00c5b7e // indirect
-	github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20251220122226-25b6d00c5b7e // indirect
-	github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20251220122226-25b6d00c5b7e // indirect
-	github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20251220122226-25b6d00c5b7e // indirect
-	github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20251220122226-25b6d00c5b7e // indirect
-	github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20251220122226-25b6d00c5b7e // indirect
-	github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20251220122226-25b6d00c5b7e // indirect
-	github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20251220122226-25b6d00c5b7e // indirect
-	github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20251220122226-25b6d00c5b7e // indirect
-	github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20251220122226-25b6d00c5b7e // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20251220122226-25b6d00c5b7e // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20251220122226-25b6d00c5b7e // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20251220122226-25b6d00c5b7e // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20251220122226-25b6d00c5b7e // indirect
-	github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20251220122226-25b6d00c5b7e // indirect
-	github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20251220122226-25b6d00c5b7e // indirect
-	github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20251220122226-25b6d00c5b7e // indirect
-	github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20251220122226-25b6d00c5b7e // indirect
-	github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20251220122226-25b6d00c5b7e // indirect
+	github.com/sagernet/cronet-go v0.0.0-20260117110918-dc1cda1fe287 // indirect
+	github.com/sagernet/cronet-go/all v0.0.0-20260117110918-dc1cda1fe287 // indirect
+	github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
 	github.com/sagernet/fswatch v0.1.1 // indirect
 	github.com/sagernet/gvisor v0.0.0-20250822052253-5558536cf237 // indirect
 	github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a // indirect
 	github.com/sagernet/nftables v0.3.0-beta.4 // indirect
-	github.com/sagernet/sing-mux v0.3.3 // indirect
+	github.com/sagernet/sing-mux v0.3.4 // indirect
 	github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11 // indirect
-	github.com/sagernet/sing-tun v0.8.0-beta.11.0.20251201004738-e9e3fbf0c15e // indirect
+	github.com/sagernet/sing-tun v0.8.0-beta.17 // indirect
 	github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1 // indirect
-	github.com/sagernet/smux v1.5.34-mod.2 // indirect
-	github.com/sagernet/tailscale v1.86.5-sing-box-1.13-mod.4 // indirect
+	github.com/sagernet/smux v1.5.50-sing-box-mod.1 // indirect
+	github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6 // indirect
 	github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20250917110311-16510ac47288 // indirect
 	github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854 // indirect
 	github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e // indirect
@@ -140,7 +139,6 @@ require (
 	github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7 // indirect
 	github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc // indirect
 	github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 // indirect
-	github.com/tailscale/wireguard-go v0.0.0-20250716170648-1d0488a3d7da // indirect
 	github.com/tidwall/gjson v1.18.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
@@ -163,6 +161,7 @@ require (
 	golang.org/x/crypto v0.46.0 // indirect
 	golang.org/x/exp v0.0.0-20251219203646-944ab1f22d93 // indirect
 	golang.org/x/mod v0.31.0 // indirect
+	golang.org/x/oauth2 v0.32.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
 	golang.org/x/sys v0.39.0 // indirect
 	golang.org/x/term v0.38.0 // indirect
--- a/test/go.sum
+++ b/test/go.sum
@@ -37,13 +37,10 @@ github.com/database64128/netx-go v0.1.1/go.mod h1:LNlYVipaYkQArRFDNNJ02VkNV+My9A
 github.com/database64128/tfo-go/v2 v2.3.1 h1:EGE+ELd5/AQ0X6YBlQ9RgKs8+kciNhgN3d8lRvfEJQw=
 github.com/database64128/tfo-go/v2 v2.3.1/go.mod h1:k9wcpg/8i5zenspBkc9jUEYehpZZccBnCElzOJB++bU=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa h1:h8TfIT1xc8FWbwwpmHn1J5i43Y0uZP97GqasGCzSRJk=
 github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa/go.mod h1:Nx87SkVqTKd8UtT+xu7sM/l+LgXs6c0aHrlKusR+2EQ=
-github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e h1:vUmf0yezR0y7jJ5pceLHthLaYf4bA5T14B6q39S4q2Q=
-github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e/go.mod h1:YTIHhz/QFSYnu/EhlF2SpU2Uk+32abacUYA5ZPljz1A=
 github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0=
 github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/docker/docker v27.3.1+incompatible h1:KttF0XoteNTicmUtBO0L2tP+J7FGRFTjaEF4k6WdhfI=
@@ -56,6 +53,8 @@ github.com/ebitengine/purego v0.9.1 h1:a/k2f2HQU3Pi399RPW1MOaZyhKJL9w/xFpKAg4q1s
 github.com/ebitengine/purego v0.9.1/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/florianl/go-nfqueue/v2 v2.0.2 h1:FL5lQTeetgpCvac1TRwSfgaXUn0YSO7WzGvWNIp3JPE=
+github.com/florianl/go-nfqueue/v2 v2.0.2/go.mod h1:VA09+iPOT43OMoCKNfXHyzujQUty2xmzyCRkBOlmabc=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
@@ -68,8 +67,8 @@ github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE=
 github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
 github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
 github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
-github.com/go-json-experiment/json v0.0.0-20250223041408-d3c622f1b874 h1:F8d1AJ6M9UQCavhwmO6ZsrYLfG8zVFWfEfMS2MXPkSY=
-github.com/go-json-experiment/json v0.0.0-20250223041408-d3c622f1b874/go.mod h1:TiCD2a1pcmjd7YnhGH0f/zKNcCD06B029pHhzV23c2M=
+github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced h1:Q311OHjMh/u5E2TITc++WlTP5We0xNseRMkHDyvhW7I=
+github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced/go.mod h1:TiCD2a1pcmjd7YnhGH0f/zKNcCD06B029pHhzV23c2M=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -105,8 +104,6 @@ github.com/hashicorp/yamux v0.1.2 h1:XtB8kyFOyHXYVFnwT5C3+Bdo8gArse7j2AQ0DA0Uey8
 github.com/hashicorp/yamux v0.1.2/go.mod h1:C+zze2n6e/7wshOZep2A70/aQU6QBRWJO/G6FT1wIns=
 github.com/hdevalence/ed25519consensus v0.2.0 h1:37ICyZqdyj0lAZ8P4D1d1id3HqbbG1N3iBb1Tb4rdcU=
 github.com/hdevalence/ed25519consensus v0.2.0/go.mod h1:w3BHWjwJbFU29IRHL1Iqkw3sus+7FctEyM4RqDxYNzo=
-github.com/illarion/gonotify/v3 v3.0.2 h1:O7S6vcopHexutmpObkeWsnzMJt/r1hONIEogeVNmJMk=
-github.com/illarion/gonotify/v3 v3.0.2/go.mod h1:HWGPdPe817GfvY3w7cx6zkbzNZfi3QjcBm/wgVvEL1U=
 github.com/insomniacslk/dhcp v0.0.0-20251020182700-175e84fbb167 h1:MEufgJohwIjFi2n3eJv4c/8UdRLQVUwPwSWQPoER+eU=
 github.com/insomniacslk/dhcp v0.0.0-20251020182700-175e84fbb167/go.mod h1:qfvBmyDNp+/liLEYWRvqny/PEz9hGe2Dz833eXILSmo=
 github.com/jsimonetti/rtnetlink v1.4.0 h1:Z1BF0fRgcETPEa0Kt0MRk3yV5+kF1FWTni6KUFKrq2I=
@@ -115,14 +112,16 @@ github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRt
 github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
-github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/libdns/acmedns v0.5.0 h1:5pRtmUj4Lb/QkNJSl1xgOGBUJTWW7RjpNaIhjpDXjPE=
+github.com/libdns/acmedns v0.5.0/go.mod h1:X7UAFP1Ep9NpTwWpVlrZzJLR7epynAy0wrIxSPFgKjQ=
 github.com/libdns/alidns v1.0.6-beta.3 h1:KAmb7FQ1tRzKsaAUGa7ZpGKAMRANwg7+1c7tUbSELq8=
 github.com/libdns/alidns v1.0.6-beta.3/go.mod h1:RECwyQ88e9VqQVtSrvX76o1ux3gQUKGzMgxICi+u7Ec=
 github.com/libdns/cloudflare v0.2.2 h1:XWHv+C1dDcApqazlh08Q6pjytYLgR2a+Y3xrXFu0vsI=
@@ -131,16 +130,12 @@ github.com/libdns/libdns v1.1.1 h1:wPrHrXILoSHKWJKGd0EiAVmiJbFShguILTg9leS/P/U=
 github.com/libdns/libdns v1.1.1/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
 github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczGlG91VSDkswnjF5A8=
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
-github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
-github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
 github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 h1:A1Cq6Ysb0GM0tpKMbdCXCIfBclan4oHk1Jb+Hrejirg=
 github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42/go.mod h1:BB4YCPDOzfy7FniQ/lxuYQ3dgmM2cZumHbK8RpTjN2o=
-github.com/mdlayher/sdnotify v1.0.0 h1:Ma9XeLVN/l0qpyx1tNeMSeTjCPH6NtuD6/N9XdTlQ3c=
-github.com/mdlayher/sdnotify v1.0.0/go.mod h1:HQUmpM4XgYkhDLtd+Uad8ZFK1T9D5+pNxnXQjCeJlGE=
 github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos=
 github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
-github.com/metacubex/utls v1.8.3 h1:0m/yCxm3SK6kWve2lKiFb1pue1wHitJ8sQQD4Ikqde4=
-github.com/metacubex/utls v1.8.3/go.mod h1:kncGGVhFaoGn5M3pFe3SXhZCzsbCJayNOH4UEqTKTko=
+github.com/metacubex/utls v1.8.4 h1:HmL9nUApDdWSkgUyodfwF6hSjtiwCGGdyhaSpEejKpg=
+github.com/metacubex/utls v1.8.4/go.mod h1:kncGGVhFaoGn5M3pFe3SXhZCzsbCJayNOH4UEqTKTko=
 github.com/mholt/acmez/v3 v3.1.4 h1:DyzZe/RnAzT3rpZj/2Ii5xZpiEvvYk3cQEN/RmqxwFQ=
 github.com/mholt/acmez/v3 v3.1.4/go.mod h1:L1wOU06KKvq7tswuMDwKdcHeKpFFgkppZy/y0DFxagQ=
 github.com/miekg/dns v1.1.69 h1:Kb7Y/1Jo+SG+a2GtfoFUfDkG//csdRPwRLkCsxDG9Sc=
@@ -159,10 +154,12 @@ github.com/openai/openai-go/v3 v3.15.0 h1:hk99rM7YPz+M99/5B/zOQcVwFRLLMdprVGx1va
 github.com/openai/openai-go/v3 v3.15.0/go.mod h1:cdufnVK14cWcT9qA1rRtrXx4FTRsgbDPW7Ia7SS5cZo=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM=
-github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
+github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
+github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
 github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
 github.com/pierrec/lz4/v4 v4.1.21/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/pires/go-proxyproto v0.8.1 h1:9KEixbdJfhrbtjpz/ZwCdWDD2Xem0NZ38qMYaASJgp0=
+github.com/pires/go-proxyproto v0.8.1/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -180,54 +177,54 @@ github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkk
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a/go.mod h1:63s7jpZqcDAIpj8oI/1v4Izok+npJOHACFCU6+huCkM=
 github.com/sagernet/cors v1.2.1 h1:Cv5Z8y9YSD6Gm+qSpNrL3LO4lD3eQVvbFYJSG7JCMHQ=
 github.com/sagernet/cors v1.2.1/go.mod h1:O64VyOjjhrkLmQIjF4KGRrJO/5dVXFdpEmCW/eISRAI=
-github.com/sagernet/cronet-go v0.0.0-20251220122645-b05b5c41614a h1:EdIrRa0yH3ZaLOfX95RYYiN0etpX3b9+jcsW/D8jCyQ=
-github.com/sagernet/cronet-go v0.0.0-20251220122645-b05b5c41614a/go.mod h1:hwFHBEjjthyEquDULbr4c4ucMedp8Drb6Jvm2kt/0Bw=
-github.com/sagernet/cronet-go/all v0.0.0-20251220122645-b05b5c41614a h1:GU/oBPVjyrCVb2l0SI5qtF6aUlLsnE4u4ehXbS/NF+0=
-github.com/sagernet/cronet-go/all v0.0.0-20251220122645-b05b5c41614a/go.mod h1:4MT0juyKK0lIVwa6+6xLbRMFJBUIqRZOx70iMvq5vf0=
-github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20251220122226-25b6d00c5b7e h1:EAcY0ZK8DWTNUdVCKdBQfXRsfGsohsh2ae9jIjlri2o=
-github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20251220122226-25b6d00c5b7e/go.mod h1:XXDwdjX/T8xftoeJxQmbBoYXZp8MAPFR2CwbFuTpEtw=
-github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20251220122226-25b6d00c5b7e h1:9luoNSy9Ej8rC/nZejzrP0uxX+BxiNxjLJ7XPYlApQg=
-github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20251220122226-25b6d00c5b7e/go.mod h1:iNiUGoLtnr8/JTuVNj7XJbmpOAp2C6+B81KDrPxwaZM=
-github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20251220122226-25b6d00c5b7e h1:CSWZTuMlkO/98RSQpqC1EHtc9eSBzVmvMdPTnaFSDCM=
-github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20251220122226-25b6d00c5b7e/go.mod h1:19ILNUOGIzRdOqa2mq+iY0JoHxuieB7/lnjYeaA2vEc=
-github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20251220122226-25b6d00c5b7e h1:vkf3GDA11NtGm6XQHyP4tgWK3GD426ObmshdKdxGMhA=
-github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20251220122226-25b6d00c5b7e/go.mod h1:JxzGyQf94Cr6sBShKqODGDyRUlESfJK/Njcz9Lz6qMQ=
-github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20251220122226-25b6d00c5b7e h1:pNyNjDC5XPC6+2yNqiDA8QL8IYSsBJpaSLwPi/jY4JQ=
-github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20251220122226-25b6d00c5b7e/go.mod h1:KN+9T9TBycGOLzmKU4QdcHAJEj6Nlx48ifnlTvvHMvs=
-github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20251220122226-25b6d00c5b7e h1:2yDmTzppvxWuwxo4oDjxRzjlXBzZ6O3OCPWYeQcJRrw=
-github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20251220122226-25b6d00c5b7e/go.mod h1:kojvtUc29KKnk8hs2QIANynVR59921SnGWA9kXohHc0=
-github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20251220122226-25b6d00c5b7e h1:+lyrRlxlKBYT/3LcYMaFHilUnRlKn3OQrImlWCey+qM=
-github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20251220122226-25b6d00c5b7e/go.mod h1:hkQzRE5GDbaH1/ioqYh0Taho4L6i0yLRCVEZ5xHz5M0=
-github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20251220122226-25b6d00c5b7e h1:dBeeUaCPG0Y26FfCPO1o3v72yw2pSjqopryAW0uV354=
-github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20251220122226-25b6d00c5b7e/go.mod h1:tzVJFTOm66UxLxy6K0ZN5Ic2PC79e+sKKnt+V9puEa4=
-github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20251220122226-25b6d00c5b7e h1:JkGEqkfeglehN9tu+a0gHTq9Dmm+pY2wtjY+NiUdjgw=
-github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20251220122226-25b6d00c5b7e/go.mod h1:M/pN6m3j0HFU6/y83n0HU6GLYys3tYdr/xTE8hVEGMo=
-github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20251220122226-25b6d00c5b7e h1:rd/AbuuEMCHcA6ib5JBkQmWvonnoGwVc0/P0sHcWfAQ=
-github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20251220122226-25b6d00c5b7e/go.mod h1:cGh5hO6eljCo6KMQ/Cel8Xgq4+etL0awZLRBDVG1EZQ=
-github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20251220122226-25b6d00c5b7e h1:4XcwU6KOCkVOAr2EKKY8geYm7ctKCLlb1SsmFWMMUzE=
-github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20251220122226-25b6d00c5b7e/go.mod h1:JFE0/cxaKkx0wqPMZU7MgaplQlU0zudv82dROJjClKU=
-github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20251220122226-25b6d00c5b7e h1:fYDhPtxvMtZxBUM0k6GcaxbynLxMG2iTmQL3XcLtjS8=
-github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20251220122226-25b6d00c5b7e/go.mod h1:vU8VftFeSt7fURCa3JXD6+k6ss1YAX+idQjPvHmJ2tI=
-github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20251220122226-25b6d00c5b7e h1:F5Vzd50H/AaoSHvt81yXZeUwDRKTcFjO/+KVW6VqbUs=
-github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20251220122226-25b6d00c5b7e/go.mod h1:vCe4OUuL+XOUge9v3MyTD45BnuAXiH+DkjN9quDXJzQ=
-github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20251220122226-25b6d00c5b7e h1:Ok/Eh8ajcvxlu7FAWk+lHAPLcSRDKrKkgq30o6gCR6M=
-github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20251220122226-25b6d00c5b7e/go.mod h1:w9amBWrvjtohQzBGCKJ7LCh22LhTIJs4sE7cYaKQzM0=
-github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20251220122226-25b6d00c5b7e h1:JoohVAfcwE9HjpwAaTULtEOFZ1Mz0Zz5K4pOcrRjqwo=
-github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20251220122226-25b6d00c5b7e/go.mod h1:TqlsFtcYS/etTeck46kHBeT8Le0Igw1Q/AV88UnMS3s=
-github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20251220122226-25b6d00c5b7e h1:ULxfoxcNRA96QDDRLmObH4adbeUGtudH/2HlL4TgaNY=
-github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20251220122226-25b6d00c5b7e/go.mod h1:B6Qd0vys8sv9OKVRN6J9RqDzYRGE938Fb2zrYdBDyTQ=
-github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20251220122226-25b6d00c5b7e h1:NnhScXJyx4Fg+pV/WtkC1mD6+VR7D/Q+PMU4xGRvdRQ=
-github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20251220122226-25b6d00c5b7e/go.mod h1:3tXMMFY7AHugOVBZ5Al7cL7JKsnFOe5bMVr0hZPk3ow=
-github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20251220122226-25b6d00c5b7e h1:INcIfjzUl0qgtZkt8OcVV537GoApcBsdegDl8yNJEdQ=
-github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20251220122226-25b6d00c5b7e/go.mod h1:aaX0YGl8nhGmfRWI8bc3BtDjY8Vzx6O0cS/e1uqxDq4=
-github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20251220122226-25b6d00c5b7e h1:jrialJ4U7BW9xyGI/JdUiigZ9hgyF1EayFKCH4pZxdw=
-github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20251220122226-25b6d00c5b7e/go.mod h1:EdzMKA96xITc42QEI+ct4SwqX8Dn3ltKK8wzdkLWpSc=
-github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20251220122226-25b6d00c5b7e h1:XefHhnALVHU4ZgICNq6ZJl78bWDQO4nHwoWn+Ar7e0g=
-github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20251220122226-25b6d00c5b7e/go.mod h1:qix4kv1TTAJ5tY4lJ9vjhe9EY4mM+B7H5giOhbxDVcc=
-github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20251220122226-25b6d00c5b7e h1:djShWO5vN0CamyboNDyNRDxL0/9oMtKjCDesqolIAsg=
-github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20251220122226-25b6d00c5b7e/go.mod h1:lm9w/oCCRyBiUa3G8lDQTT8x/ONUvgVR2iV9fVzUZB8=
-github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20251220122226-25b6d00c5b7e h1:AgKqyS5zfRgDc8uprxUh+XCwwzJCj31KAFPjzyLRWs0=
-github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20251220122226-25b6d00c5b7e/go.mod h1:n34YyLgapgjWdKa0IoeczjAFCwD3/dxbsH5sucKw0bw=
+github.com/sagernet/cronet-go v0.0.0-20260117110918-dc1cda1fe287 h1:0BYNmr0ptjsII948U0oBFmrbo4qEaCFcrE2JPRg3Zlk=
+github.com/sagernet/cronet-go v0.0.0-20260117110918-dc1cda1fe287/go.mod h1:hwFHBEjjthyEquDULbr4c4ucMedp8Drb6Jvm2kt/0Bw=
+github.com/sagernet/cronet-go/all v0.0.0-20260117110918-dc1cda1fe287 h1:ghxhYSBQpzkakqWqJDvXr/Zmxe0WjTjKuALEGbjGiGY=
+github.com/sagernet/cronet-go/all v0.0.0-20260117110918-dc1cda1fe287/go.mod h1:M+4ZjPhLJXIvoxcQsbDofmc19Wrig59hZ+hLvj6S3To=
+github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260117110516-f21660bef13f h1:8jZbZ4KBTdcXDFLwUBNQt5Xci6ZuAKh255S8TwuBCaM=
+github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260117110516-f21660bef13f/go.mod h1:XXDwdjX/T8xftoeJxQmbBoYXZp8MAPFR2CwbFuTpEtw=
+github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260117110516-f21660bef13f h1:tG0hCx+0u5zca7qQ7AMkcv4DCrBG/DKW1ggs/P+BRRI=
+github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:iNiUGoLtnr8/JTuVNj7XJbmpOAp2C6+B81KDrPxwaZM=
+github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260117110516-f21660bef13f h1:ZXp5hKJIA7iJ52ZShJCKMQEPLpp/7dDIVZmPGV9Il40=
+github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260117110516-f21660bef13f/go.mod h1:19ILNUOGIzRdOqa2mq+iY0JoHxuieB7/lnjYeaA2vEc=
+github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260117110516-f21660bef13f h1:gL7H8HS8s38adz4/HZtRHh79qMwsbLTRRPz4GQ9LcWI=
+github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:JxzGyQf94Cr6sBShKqODGDyRUlESfJK/Njcz9Lz6qMQ=
+github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260117110516-f21660bef13f h1:Dchgc0pAY5Jwb5lzUlE+1nhHIzqLx+YOurXLHgvWd/0=
+github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:KN+9T9TBycGOLzmKU4QdcHAJEj6Nlx48ifnlTvvHMvs=
+github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260117110516-f21660bef13f h1:+MOLSQoduuKDxF410i1LcSPaQGaiP0eZb0INvMlmjM4=
+github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:kojvtUc29KKnk8hs2QIANynVR59921SnGWA9kXohHc0=
+github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260117110516-f21660bef13f h1:lIZna05Vn6n8k21p8OpSUnhwGm+E57PrMjiI4ZUfMSg=
+github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:hkQzRE5GDbaH1/ioqYh0Taho4L6i0yLRCVEZ5xHz5M0=
+github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260117110516-f21660bef13f h1:B2aFQ5CRHI20t8YsEizvtguS5W2QfK7D5XV/NzTIxPE=
+github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:tzVJFTOm66UxLxy6K0ZN5Ic2PC79e+sKKnt+V9puEa4=
+github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260117110516-f21660bef13f h1:qpSwJ1rFGYCfJDenNCZoWYjoG7N+xEa6ke+E7/JO1i4=
+github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:M/pN6m3j0HFU6/y83n0HU6GLYys3tYdr/xTE8hVEGMo=
+github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260117110516-f21660bef13f h1:cx7Ipg0tSvTDjS4maMEYz4vuzz93BMPAysmZ1YLrz80=
+github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260117110516-f21660bef13f/go.mod h1:cGh5hO6eljCo6KMQ/Cel8Xgq4+etL0awZLRBDVG1EZQ=
+github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260117110516-f21660bef13f h1:4jOHuUiBxD8pJEpBBVQfJqyLmxjpd3t4MLRzU7YLFyg=
+github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:JFE0/cxaKkx0wqPMZU7MgaplQlU0zudv82dROJjClKU=
+github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260117110516-f21660bef13f h1:OpXBa2WlRU+Mam9oRe9Nn4/zf7gQ+qiBTNK8A5RwbfQ=
+github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:vU8VftFeSt7fURCa3JXD6+k6ss1YAX+idQjPvHmJ2tI=
+github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260117110516-f21660bef13f h1:nJpGFi+6hI85tl4zoyNFEnFEQ5+xEV5gyvsUoMvd8g0=
+github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:vCe4OUuL+XOUge9v3MyTD45BnuAXiH+DkjN9quDXJzQ=
+github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260117110516-f21660bef13f h1:SEy2rpmgOJgrqcEryJI/RSnqUWIsEsp0cfYoA8y21jc=
+github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260117110516-f21660bef13f/go.mod h1:w9amBWrvjtohQzBGCKJ7LCh22LhTIJs4sE7cYaKQzM0=
+github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260117110516-f21660bef13f h1:EW2TuFMLm0iBGqRZtuGwIZdeYmDtDsDmRcRRJQOMxUo=
+github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:TqlsFtcYS/etTeck46kHBeT8Le0Igw1Q/AV88UnMS3s=
+github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260117110516-f21660bef13f h1:3U5woxrNCkzfv1+UX+mVoWh1228AE1qAiMG02F9oFbY=
+github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:B6Qd0vys8sv9OKVRN6J9RqDzYRGE938Fb2zrYdBDyTQ=
+github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260117110516-f21660bef13f h1:YwFTfuWG3mmctroeDYtFZ6LHjGsedVO+5wInYbbUuUY=
+github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:3tXMMFY7AHugOVBZ5Al7cL7JKsnFOe5bMVr0hZPk3ow=
+github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260117110516-f21660bef13f h1:r4V0ddPCRLgGu0VdgR3aUsO9NjpmyjAf+h+3oTD9D6E=
+github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:aaX0YGl8nhGmfRWI8bc3BtDjY8Vzx6O0cS/e1uqxDq4=
+github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260117110516-f21660bef13f h1:B8yf4gFvEYUnwWmtVK9sdwUsflYZ387MhYmlOP2ohFQ=
+github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:EdzMKA96xITc42QEI+ct4SwqX8Dn3ltKK8wzdkLWpSc=
+github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260117110516-f21660bef13f h1:9YyaMg4rO1/jIgrxmNb0LKH+X7frSYWfX2pFgW5JUVM=
+github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:qix4kv1TTAJ5tY4lJ9vjhe9EY4mM+B7H5giOhbxDVcc=
+github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260117110516-f21660bef13f h1:B0fnGu0sh9yT/9JDN5u/GqThGoOzNN/daOAuGWFLXEk=
+github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:lm9w/oCCRyBiUa3G8lDQTT8x/ONUvgVR2iV9fVzUZB8=
+github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260117110516-f21660bef13f h1:lxPcIXKSSI5JDhc7rx/6yufISWM4vtBS2FY9PavWQTs=
+github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:n34YyLgapgjWdKa0IoeczjAFCwD3/dxbsH5sucKw0bw=
 github.com/sagernet/fswatch v0.1.1 h1:YqID+93B7VRfqIH3PArW/XpJv5H4OLEVWDfProGoRQs=
 github.com/sagernet/fswatch v0.1.1/go.mod h1:nz85laH0mkQqJfaOrqPpkwtU1znMFNVTpT/5oRsVz/o=
 github.com/sagernet/gvisor v0.0.0-20250822052253-5558536cf237 h1:SUPFNB+vSP4RBPrSEgNII+HkfqC8hKMpYLodom4o4EU=
@@ -236,27 +233,28 @@ github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a h1:ObwtHN2VpqE0ZN
 github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
 github.com/sagernet/nftables v0.3.0-beta.4 h1:kbULlAwAC3jvdGAC1P5Fa3GSxVwQJibNenDW2zaXr8I=
 github.com/sagernet/nftables v0.3.0-beta.4/go.mod h1:OQXAjvjNGGFxaTgVCSTRIhYB5/llyVDeapVoENYBDS8=
-github.com/sagernet/quic-go v0.58.0-sing-box-mod.1 h1:E9yZrU0ZxSiW5RrGUnFZeI02EIMdAAv0RxdoxXCqZyk=
-github.com/sagernet/quic-go v0.58.0-sing-box-mod.1/go.mod h1:OqILvS182CyOol5zNNo6bguvOGgXzV459+chpRaUC+4=
-github.com/sagernet/sing v0.6.9/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
-github.com/sagernet/sing v0.8.0-beta.6.0.20251207063731-56fd482ce1c6 h1:EYaDzllFzNYnzQ9xH/ieSAXct4wQ8pD45kgNMo7RPZc=
-github.com/sagernet/sing v0.8.0-beta.6.0.20251207063731-56fd482ce1c6/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
-github.com/sagernet/sing-mux v0.3.3 h1:YFgt9plMWzH994BMZLmyKL37PdIVaIilwP0Jg+EcLfw=
-github.com/sagernet/sing-mux v0.3.3/go.mod h1:pht8iFY4c9Xltj7rhVd208npkNaeCxzyXCgulDPLUDA=
+github.com/sagernet/quic-go v0.59.0-sing-box-mod.2 h1:hJUL+HtxEOjxsa0CsucbBVqI/AMS4k52NwNU637zmdw=
+github.com/sagernet/quic-go v0.59.0-sing-box-mod.2/go.mod h1:OqILvS182CyOol5zNNo6bguvOGgXzV459+chpRaUC+4=
+github.com/sagernet/sing v0.8.0-beta.16 h1:Fe+6E9VHYky9Mx4cf0ugbZPWDcXRflpAu7JQ5bWXvaA=
+github.com/sagernet/sing v0.8.0-beta.16/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/sing-mux v0.3.4 h1:ZQplKl8MNXutjzbMVtWvWG31fohhgOfCuUZR4dVQ8+s=
+github.com/sagernet/sing-mux v0.3.4/go.mod h1:QvlKMyNBNrQoyX4x+gq028uPbLM2XeRpWtDsWBJbFSk=
+github.com/sagernet/sing-quic v0.6.0-beta.11 h1:eUusxITKKRedhWC2ScUYFUvD96h/QfbKLaS3N6/7in4=
+github.com/sagernet/sing-quic v0.6.0-beta.11/go.mod h1:K5bWvITOm4vE10fwLfrWpw27bCoVJ+tfQ79tOWg+Ko8=
 github.com/sagernet/sing-shadowsocks v0.2.8 h1:PURj5PRoAkqeHh2ZW205RWzN9E9RtKCVCzByXruQWfE=
 github.com/sagernet/sing-shadowsocks v0.2.8/go.mod h1:lo7TWEMDcN5/h5B8S0ew+r78ZODn6SwVaFhvB6H+PTI=
 github.com/sagernet/sing-shadowsocks2 v0.2.1 h1:dWV9OXCeFPuYGHb6IRqlSptVnSzOelnqqs2gQ2/Qioo=
 github.com/sagernet/sing-shadowsocks2 v0.2.1/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11 h1:tK+75l64tm9WvEFrYRE1t0YxoFdWQqw/h7Uhzj0vJ+w=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11/go.mod h1:sWqKnGlMipCHaGsw1sTTlimyUpgzP4WP3pjhCsYt9oA=
-github.com/sagernet/sing-tun v0.8.0-beta.11.0.20251201004738-e9e3fbf0c15e h1:ZEv+9vy7vC1vbr3LfwZGx3JAOkl/w4+hnGamHw4W36M=
-github.com/sagernet/sing-tun v0.8.0-beta.11.0.20251201004738-e9e3fbf0c15e/go.mod h1:eWETzl4AwaxGKiZTpDIDVJLTBz9cfIdoZwaZY1jlSjg=
+github.com/sagernet/sing-tun v0.8.0-beta.17 h1:6DdbNXeTFYj8Tb4FCh8Mp2boA3rVY6VNqzTOObj7Xis=
+github.com/sagernet/sing-tun v0.8.0-beta.17/go.mod h1:+HAK/y9GZljdT0KYKMYDR8MjjqnqDDQZYp5ZZQoRzS8=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1 h1:aSwUNYUkVyVvdmBSufR8/nRFonwJeKSIROxHcm5br9o=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1/go.mod h1:P11scgTxMxVVQ8dlM27yNm3Cro40mD0+gHbnqrNGDuY=
-github.com/sagernet/smux v1.5.34-mod.2 h1:gkmBjIjlJ2zQKpLigOkFur5kBKdV6bNRoFu2WkltRQ4=
-github.com/sagernet/smux v1.5.34-mod.2/go.mod h1:0KW0+R+ycvA2INW4gbsd7BNyg+HEfLIAxa5N02/28Zc=
-github.com/sagernet/tailscale v1.86.5-sing-box-1.13-mod.4 h1:Ceg+9Ug+qAFgEchGodlHmMOY2h7KktQQDAyuoIsPbos=
-github.com/sagernet/tailscale v1.86.5-sing-box-1.13-mod.4/go.mod h1:YdN/avjce8sqPFLT9E1uEh8gPewNSnC41U4ZhBJ+ACw=
+github.com/sagernet/smux v1.5.50-sing-box-mod.1 h1:XkJcivBC9V4wBjiGXIXZ229aZCU1hzcbp6kSkkyQ478=
+github.com/sagernet/smux v1.5.50-sing-box-mod.1/go.mod h1:NjhsCEWedJm7eFLyhuBgIEzwfhRmytrUoiLluxs5Sk8=
+github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6 h1:eYz/OpMqWCvO2++iw3dEuzrlfC2xv78GdlGvprIM6O8=
+github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6/go.mod h1:m87GAn4UcesHQF3leaPFEINZETO5za1LGn1GJdNDgNc=
 github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20250917110311-16510ac47288 h1:E2tZFeg9mGYGQ7E7BbxMv1cU35HxwgRm6tPKI2Pp7DA=
 github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20250917110311-16510ac47288/go.mod h1:WUxgxUDZoCF2sxVmW+STSxatP02Qn3FcafTiI2BLtE0=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854 h1:6uUiZcDRnZSAegryaUGwPC/Fj13JSHwiTftrXhMmYOc=
@@ -266,14 +264,7 @@ github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVs
 github.com/spyzhov/ajson v0.9.4 h1:MVibcTCgO7DY4IlskdqIlCmDOsUOZ9P7oKj8ifdcf84=
 github.com/spyzhov/ajson v0.9.4/go.mod h1:a6oSw0MMb7Z5aD2tPoPO+jq11ETKgXUr2XktHdT8Wt8=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e h1:PtWT87weP5LWHEY//SWsYkSO3RWRZo4OSWagh3YD2vQ=
@@ -290,8 +281,6 @@ github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc h1:24heQPtnFR+y
 github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc/go.mod h1:f93CXfllFsO9ZQVq+Zocb1Gp4G5Fz0b0rXHLOzt/Djc=
 github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 h1:UBPHPtv8+nEAy2PD8RyAhOYvau1ek0HDJqLS/Pysi14=
 github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
-github.com/tailscale/wireguard-go v0.0.0-20250716170648-1d0488a3d7da h1:jVRUZPRs9sqyKlYHHzHjAqKN+6e/Vog6NpHYeNPJqOw=
-github.com/tailscale/wireguard-go v0.0.0-20250716170648-1d0488a3d7da/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
 github.com/tc-hib/winres v0.2.1 h1:YDE0FiP0VmtRaDn7+aaChp1KiF4owBiJa5l964l5ujA=
 github.com/tc-hib/winres v0.2.1/go.mod h1:C/JaNhH3KBvhNKVbvdlDWkbMDO9H4fKKDaN7/07SSuk=
 github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
@@ -373,6 +362,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
 golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
+golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -388,7 +379,6 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
 golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -433,8 +423,6 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
 gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
-gvisor.dev/gvisor v0.0.0-20250205023644-9414b50a5633 h1:2gap+Kh/3F47cO6hAu3idFvsJ0ue6TRcEi2IUkv/F8k=
-gvisor.dev/gvisor v0.0.0-20250205023644-9414b50a5633/go.mod h1:5DMfjtclAbTIjbXqO1qCe2K5GKKxWz2JHvCChuTcJEM=
 lukechampine.com/blake3 v1.3.0 h1:sJ3XhFINmHSrYCgl958hscfIa3bw8x4DqMP3u1YvoYE=
 lukechampine.com/blake3 v1.3.0/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k=
 software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k=
--- a/test/socks_test.go
+++ b/test/socks_test.go
@@ -0,0 +1,133 @@
+package main
+
+import (
+	"context"
+	"net"
+	"net/netip"
+	"testing"
+	"time"
+
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	F "github.com/sagernet/sing/common/format"
+	"github.com/sagernet/sing/common/json/badoption"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/protocol/socks"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestSOCKSUDPTimeout(t *testing.T) {
+	const testTimeout = 2 * time.Second
+	udpTimeout := option.UDPTimeoutCompat(testTimeout)
+
+	startInstance(t, option.Options{
+		Inbounds: []option.Inbound{
+			{
+				Type: C.TypeSOCKS,
+				Tag:  "socks-in",
+				Options: &option.SocksInboundOptions{
+					ListenOptions: option.ListenOptions{
+						Listen:     common.Ptr(badoption.Addr(netip.IPv4Unspecified())),
+						ListenPort: clientPort,
+						UDPTimeout: udpTimeout,
+					},
+				},
+			},
+		},
+		Outbounds: []option.Outbound{
+			{
+				Type: C.TypeDirect,
+			},
+		},
+	})
+
+	testUDPSessionIdleTimeout(t, clientPort, testPort, testTimeout)
+}
+
+func TestMixedUDPTimeout(t *testing.T) {
+	const testTimeout = 2 * time.Second
+	udpTimeout := option.UDPTimeoutCompat(testTimeout)
+
+	startInstance(t, option.Options{
+		Inbounds: []option.Inbound{
+			{
+				Type: C.TypeMixed,
+				Tag:  "mixed-in",
+				Options: &option.HTTPMixedInboundOptions{
+					ListenOptions: option.ListenOptions{
+						Listen:     common.Ptr(badoption.Addr(netip.IPv4Unspecified())),
+						ListenPort: clientPort,
+						UDPTimeout: udpTimeout,
+					},
+				},
+			},
+		},
+		Outbounds: []option.Outbound{
+			{
+				Type: C.TypeDirect,
+			},
+		},
+	})
+
+	testUDPSessionIdleTimeout(t, clientPort, testPort, testTimeout)
+}
+
+func testUDPSessionIdleTimeout(t *testing.T, proxyPort uint16, echoPort uint16, expectedTimeout time.Duration) {
+	echoServer, err := listenPacket("udp", ":"+F.ToString(echoPort))
+	require.NoError(t, err)
+	defer echoServer.Close()
+
+	go func() {
+		buffer := make([]byte, 1024)
+		for {
+			n, address, err := echoServer.ReadFrom(buffer)
+			if err != nil {
+				return
+			}
+			_, _ = echoServer.WriteTo(buffer[:n], address)
+		}
+	}()
+
+	dialer := socks.NewClient(N.SystemDialer, M.ParseSocksaddrHostPort("127.0.0.1", proxyPort), socks.Version5, "", "")
+
+	packetConn, err := dialer.ListenPacket(context.Background(), M.ParseSocksaddrHostPort("127.0.0.1", echoPort))
+	require.NoError(t, err)
+	defer packetConn.Close()
+
+	remoteAddress := &net.UDPAddr{IP: net.ParseIP("127.0.0.1"), Port: int(echoPort)}
+
+	_, err = packetConn.WriteTo([]byte("hello"), remoteAddress)
+	require.NoError(t, err)
+
+	buffer := make([]byte, 1024)
+	packetConn.SetReadDeadline(time.Now().Add(5 * time.Second))
+	n, _, err := packetConn.ReadFrom(buffer)
+	require.NoError(t, err, "failed to receive echo response")
+	require.Equal(t, "hello", string(buffer[:n]))
+	t.Log("UDP echo successful, session established")
+
+	packetConn.SetReadDeadline(time.Time{})
+
+	waitTime := expectedTimeout + time.Second
+	t.Logf("Waiting %v for UDP session to timeout...", waitTime)
+	time.Sleep(waitTime)
+
+	_, err = packetConn.WriteTo([]byte("after-timeout"), remoteAddress)
+	if err != nil {
+		t.Logf("Write after timeout correctly failed: %v", err)
+		return
+	}
+
+	packetConn.SetReadDeadline(time.Now().Add(3 * time.Second))
+	n, _, err = packetConn.ReadFrom(buffer)
+	if err != nil {
+		t.Logf("Read after timeout correctly failed: %v", err)
+		return
+	}
+
+	t.Fatalf("UDP session should have timed out after %v, but received response: %s",
+		expectedTimeout, string(buffer[:n]))
+}
--- a/transport/wireguard/device_system.go
+++ b/transport/wireguard/device_system.go
@@ -116,7 +116,7 @@ func (w *systemDevice) Start() error {
 	w.options.Logger.Info("started at ", w.options.Name)
 	w.device = tunInterface
 	batchTUN, isBatchTUN := tunInterface.(tun.LinuxTUN)
-	if isBatchTUN {
+	if isBatchTUN && batchTUN.BatchSize() > 1 {
 		w.batchDevice = batchTUN
 	}
 	w.events <- wgTun.EventUp
Author	SHA1	Message	Date
世界	6da7e538e1	Bump version	2026-02-28 14:42:39 +08:00
世界	13e6ba4cb2	Update tfo-go	2026-02-27 19:55:32 +08:00
世界	93b7328c3f	Fix missing Tailscale in ProxyDisplayName	2026-02-27 19:39:52 +08:00
世界	11dc5bcbe1	Fixes in cronet-go	2026-02-27 19:39:52 +08:00
世界	fa3ab87b11	platform: Fix gorelease build	2026-02-27 15:07:16 +08:00
世界	9bd9e9a58b	dialer: use KeepAliveConfig for TCP keepalive	2026-02-27 14:58:06 +08:00
世界	9d6dee7451	release: Fix pacman package	2026-02-27 14:58:06 +08:00
世界	9c2cdc7203	Fix per-outbound bind_interface	2026-02-27 14:58:06 +08:00
世界	65150f5cc3	platform: Improve OOM killer for iOS	2026-02-27 14:58:06 +08:00
世界	21a1512e6c	tailscale: Fix AdvertiseTags	2026-02-27 14:58:06 +08:00
世界	cf4791f1ad	platform: Improve iOS OOM killer	2026-02-26 14:13:32 +08:00
世界	0bc66e5a56	service/ccm,ocm: Fixes and improvements	2026-02-26 13:36:46 +08:00
世界	d48236da94	Fix wireguard reserved	2026-02-24 15:49:52 +08:00
世界	4c05d7b888	Add advertise tags support for Tailscale endpoint	2026-02-24 15:31:57 +08:00
世界	94ed42caf1	Bump version	2026-02-23 18:17:47 +08:00
世界	e0c18cc3d4	tun: Fix nftablesCreateLocalAddressSets	2026-02-23 18:17:47 +08:00
世界	0817c25f4c	release: Fix Docker build for loong64 and mipsle	2026-02-23 16:31:19 +08:00
世界	7745a97cca	daemon: Fix started service leak	2026-02-23 14:49:58 +08:00
世界	9bcd715d31	Bump version	2026-02-21 13:55:31 +08:00
世界	6a95c66bc7	Pin Go version to 1.25.7	2026-02-21 13:55:31 +08:00
世界	b5800847ae	More linux builds for naive	2026-02-21 13:55:31 +08:00
世界	aa85cbb86e	Treat H3 RequestCanceled as closed	2026-02-21 09:31:11 +08:00
世界	c59991420e	Minor fixes for naive	2026-02-18 01:26:29 +08:00
世界	c0304b8362	Bump version	2026-02-16 12:46:43 +08:00
世界	d1f1271a02	quic-go: Minor fixes	2026-02-16 12:46:29 +08:00
世界	de4fdbe553	platform: Add semver helper	2026-02-16 11:28:54 +08:00
世界	804606042f	Bump version	2026-02-15 21:13:55 +08:00
世界	53f2db3f97	platform: Add windows build	2026-02-15 21:10:44 +08:00
世界	1f2fdec89d	release: Fix update_apple_version command	2026-02-15 21:09:14 +08:00
世界	8714c157c9	Fix matching multi predefined	2026-02-15 21:09:06 +08:00
世界	657fba4ca5	Fix matching rule-set invert	2026-02-15 21:08:33 +08:00
世界	0a69621207	wireguard: Fix missing fallback for gso	2026-02-15 21:08:26 +08:00
世界	58ccf82e0b	Bump version	2026-02-09 15:50:51 +08:00
世界	ceab244329	tuic: Fix udp context	2026-02-09 15:50:51 +08:00
世界	58fcdceca2	Fix naive padding	2026-02-09 15:50:51 +08:00
世界	98af3c0ad6	experimental: New FFI	2026-02-09 15:50:51 +08:00
世界	172a9d5e4e	Standardize gomobile usages	2026-02-07 15:52:26 +08:00
世界	aba8346bd6	Fix DNS cache lock goroutine leak The cache deduplication in Client.Exchange uses a channel-based lock per DNS question. Waiting goroutines blocked on <-cond without context awareness, causing them to accumulate indefinitely when the owning goroutine's transport call stalls. Add select on ctx.Done() so waiters respect context cancellation and timeouts.	2026-02-06 22:28:35 +08:00
世界	d8e269e0ac	socks: Fix "Fix missing UDP timeout"	2026-02-06 22:26:45 +08:00
世界	c45ea8dfac	Recover from bbolt panics on corrupted database When bbolt encounters corrupted page data at runtime, it panics instead of returning an error. Wrap all DB transactions with recover to catch these panics, delete the corrupted database file, and reopen a fresh one.	2026-02-06 19:35:32 +08:00
世界	a2d313c59b	Bump version	2026-02-05 20:28:25 +08:00
世界	15722b06dd	Update Go to 1.25.7	2026-02-05 17:49:06 +08:00
世界	d230dae0a5	Fix vmess crash	2026-02-05 17:23:49 +08:00
世界	e11dbf3a8e	bufio: Refactor copy	2026-02-05 12:03:03 +08:00
世界	baa9f29f0d	documentation: Update release changelog	2026-02-05 12:03:03 +08:00
世界	55b6e7dbfe	socks: Fix missing UDP timeout	2026-02-05 12:03:03 +08:00
世界	a05e05a47c	Fix random iproute2 table index was incorrectly removed	2026-02-02 14:15:55 +08:00
世界	c1dc6cb0fb	Bump version	2026-02-01 12:29:57 +08:00
世界	432fe1b3c9	Disable rp filter atomically	2026-02-01 10:49:12 +08:00
世界	8dd8897fd8	Fix varbin serialization	2026-02-01 10:48:05 +08:00
世界	ff58edb1c1	Bump version	2026-01-30 14:05:29 +08:00
世界	79bab39502	Fix auto_redirect fallback rule	2026-01-30 11:42:56 +08:00
世界	a4d5d59901	Minor fixes	2026-01-29 13:40:34 +08:00
世界	1af14a0237	Remove varbin usages	2026-01-29 13:40:34 +08:00
世界	944a9986d9	release: Always build tailscale for iOS and tvOS	2026-01-29 13:40:34 +08:00
Balthild	60a1e4c866	Add acmedns support	2026-01-17 20:52:43 +08:00