Bump version

Add fpm-based Alpine APK packaging alongside existing DEB/RPM/Pacman
packages. Alpine APKs use `linux` in the filename to distinguish from
OpenWrt APKs which use the `openwrt` prefix.

.github/CRONET_GO_VERSION

@@ -1 +1 @@
-17c7ef18afa63b205e835c6270277b29382eb8e3
+2fef65f9dba90ddb89a87d00a6eb6165487c10c1

.github/build_alpine_apk.sh

@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+
+set -e -o pipefail
+
+ARCHITECTURE="$1"
+VERSION="$2"
+BINARY_PATH="$3"
+OUTPUT_PATH="$4"
+
+if [ -z "$ARCHITECTURE" ] || [ -z "$VERSION" ] || [ -z "$BINARY_PATH" ] || [ -z "$OUTPUT_PATH" ]; then
+  echo "Usage: $0 <architecture> <version> <binary_path> <output_path>"
+  exit 1
+fi
+
+PROJECT=$(cd "$(dirname "$0")/.."; pwd)
+
+# Convert version to APK format:
+#   1.13.0-beta.8  -> 1.13.0_beta8-r0
+#   1.13.0-rc.3    -> 1.13.0_rc3-r0
+#   1.13.0         -> 1.13.0-r0
+APK_VERSION=$(echo "$VERSION" | sed -E 's/-([a-z]+)\.([0-9]+)/_\1\2/')
+APK_VERSION="${APK_VERSION}-r0"
+
+ROOT_DIR=$(mktemp -d)
+trap 'rm -rf "$ROOT_DIR"' EXIT
+
+# Binary
+install -Dm755 "$BINARY_PATH" "$ROOT_DIR/usr/bin/sing-box"
+
+# Config files
+install -Dm644 "$PROJECT/release/config/config.json" "$ROOT_DIR/etc/sing-box/config.json"
+install -Dm755 "$PROJECT/release/config/sing-box.initd" "$ROOT_DIR/etc/init.d/sing-box"
+install -Dm644 "$PROJECT/release/config/sing-box.confd" "$ROOT_DIR/etc/conf.d/sing-box"
+
+# Service files
+install -Dm644 "$PROJECT/release/config/sing-box.service" "$ROOT_DIR/usr/lib/systemd/system/sing-box.service"
+install -Dm644 "$PROJECT/release/config/sing-box@.service" "$ROOT_DIR/usr/lib/systemd/system/sing-box@.service"
+
+# Completions
+install -Dm644 "$PROJECT/release/completions/sing-box.bash" "$ROOT_DIR/usr/share/bash-completion/completions/sing-box.bash"
+install -Dm644 "$PROJECT/release/completions/sing-box.fish" "$ROOT_DIR/usr/share/fish/vendor_completions.d/sing-box.fish"
+install -Dm644 "$PROJECT/release/completions/sing-box.zsh" "$ROOT_DIR/usr/share/zsh/site-functions/_sing-box"
+
+# License
+install -Dm644 "$PROJECT/LICENSE" "$ROOT_DIR/usr/share/licenses/sing-box/LICENSE"
+
+# APK metadata
+PACKAGES_DIR="$ROOT_DIR/lib/apk/packages"
+mkdir -p "$PACKAGES_DIR"
+
+# .conffiles
+cat > "$PACKAGES_DIR/.conffiles" <<'EOF'
+/etc/conf.d/sing-box
+/etc/init.d/sing-box
+/etc/sing-box/config.json
+EOF
+
+# .conffiles_static (sha256 checksums)
+while IFS= read -r conffile; do
+  sha256=$(sha256sum "$ROOT_DIR$conffile" | cut -d' ' -f1)
+  echo "$conffile $sha256"
+done < "$PACKAGES_DIR/.conffiles" > "$PACKAGES_DIR/.conffiles_static"
+
+# .list (all files, excluding lib/apk/packages/ metadata)
+(cd "$ROOT_DIR" && find . -type f -o -type l) \
+  | sed 's|^\./|/|' \
+  | grep -v '^/lib/apk/packages/' \
+  | sort > "$PACKAGES_DIR/.list"
+
+# Build APK
+apk mkpkg \
+  --info "name:sing-box" \
+  --info "version:${APK_VERSION}" \
+  --info "description:The universal proxy platform." \
+  --info "arch:${ARCHITECTURE}" \
+  --info "license:GPL-3.0-or-later with name use or association addition" \
+  --info "origin:sing-box" \
+  --info "url:https://sing-box.sagernet.org/" \
+  --info "maintainer:nekohasekai <contact-git@sekai.icu>" \
+  --files "$ROOT_DIR" \
+  --output "$OUTPUT_PATH"

.github/build_openwrt_apk.sh

@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+
+set -e -o pipefail
+
+ARCHITECTURE="$1"
+VERSION="$2"
+BINARY_PATH="$3"
+OUTPUT_PATH="$4"
+
+if [ -z "$ARCHITECTURE" ] || [ -z "$VERSION" ] || [ -z "$BINARY_PATH" ] || [ -z "$OUTPUT_PATH" ]; then
+  echo "Usage: $0 <architecture> <version> <binary_path> <output_path>"
+  exit 1
+fi
+
+PROJECT=$(cd "$(dirname "$0")/.."; pwd)
+
+# Convert version to APK format:
+#   1.13.0-beta.8  -> 1.13.0_beta8-r0
+#   1.13.0-rc.3    -> 1.13.0_rc3-r0
+#   1.13.0         -> 1.13.0-r0
+APK_VERSION=$(echo "$VERSION" | sed -E 's/-([a-z]+)\.([0-9]+)/_\1\2/')
+APK_VERSION="${APK_VERSION}-r0"
+
+ROOT_DIR=$(mktemp -d)
+trap 'rm -rf "$ROOT_DIR"' EXIT
+
+# Binary
+install -Dm755 "$BINARY_PATH" "$ROOT_DIR/usr/bin/sing-box"
+
+# Config files
+install -Dm644 "$PROJECT/release/config/config.json" "$ROOT_DIR/etc/sing-box/config.json"
+install -Dm644 "$PROJECT/release/config/openwrt.conf" "$ROOT_DIR/etc/config/sing-box"
+install -Dm755 "$PROJECT/release/config/openwrt.init" "$ROOT_DIR/etc/init.d/sing-box"
+install -Dm644 "$PROJECT/release/config/openwrt.keep" "$ROOT_DIR/lib/upgrade/keep.d/sing-box"
+
+# Completions
+install -Dm644 "$PROJECT/release/completions/sing-box.bash" "$ROOT_DIR/usr/share/bash-completion/completions/sing-box.bash"
+install -Dm644 "$PROJECT/release/completions/sing-box.fish" "$ROOT_DIR/usr/share/fish/vendor_completions.d/sing-box.fish"
+install -Dm644 "$PROJECT/release/completions/sing-box.zsh" "$ROOT_DIR/usr/share/zsh/site-functions/_sing-box"
+
+# License
+install -Dm644 "$PROJECT/LICENSE" "$ROOT_DIR/usr/share/licenses/sing-box/LICENSE"
+
+# APK metadata
+PACKAGES_DIR="$ROOT_DIR/lib/apk/packages"
+mkdir -p "$PACKAGES_DIR"
+
+# .conffiles
+cat > "$PACKAGES_DIR/.conffiles" <<'EOF'
+/etc/config/sing-box
+/etc/sing-box/config.json
+EOF
+
+# .conffiles_static (sha256 checksums)
+while IFS= read -r conffile; do
+  sha256=$(sha256sum "$ROOT_DIR$conffile" | cut -d' ' -f1)
+  echo "$conffile $sha256"
+done < "$PACKAGES_DIR/.conffiles" > "$PACKAGES_DIR/.conffiles_static"
+
+# .list (all files, excluding lib/apk/packages/ metadata)
+(cd "$ROOT_DIR" && find . -type f -o -type l) \
+  | sed 's|^\./|/|' \
+  | grep -v '^/lib/apk/packages/' \
+  | sort > "$PACKAGES_DIR/.list"
+
+# Build APK
+apk mkpkg \
+  --info "name:sing-box" \
+  --info "version:${APK_VERSION}" \
+  --info "description:The universal proxy platform." \
+  --info "arch:${ARCHITECTURE}" \
+  --info "license:GPL-3.0-or-later" \
+  --info "origin:sing-box" \
+  --info "url:https://sing-box.sagernet.org/" \
+  --info "maintainer:nekohasekai <contact-git@sekai.icu>" \
+  --info "depends:ca-bundle kmod-inet-diag kmod-tun firewall4 kmod-nft-queue" \
+  --info "provider-priority:100" \
+  --script "pre-deinstall:${PROJECT}/release/config/openwrt.prerm" \
+  --files "$ROOT_DIR" \
+  --output "$OUTPUT_PATH"

.github/renovate.json

@@ -6,7 +6,7 @@
     ":disableRateLimiting"
   ],
   "baseBranches": [
-    "dev-next"
+    "unstable"
   ],
   "golang": {
     "enabled": false

.github/setup_go_for_macos1013.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+VERSION="1.25.8"
+PATCH_COMMITS=(
+  "afe69d3cec1c6dcf0f1797b20546795730850070"
+  "1ed289b0cf87dc5aae9c6fe1aa5f200a83412938"
+)
+CURL_ARGS=(
+  -fL
+  --silent
+  --show-error
+)
+
+if [[ -n "${GITHUB_TOKEN:-}" ]]; then
+  CURL_ARGS+=(-H "Authorization: Bearer ${GITHUB_TOKEN}")
+fi
+
+mkdir -p "$HOME/go"
+cd "$HOME/go"
+wget "https://dl.google.com/go/go${VERSION}.darwin-arm64.tar.gz"
+tar -xzf "go${VERSION}.darwin-arm64.tar.gz"
+#cp -a go go_bootstrap
+mv go go_osx
+cd go_osx
+
+# these patch URLs only work on golang1.25.x
+# that means after golang1.26 release it must be changed
+# see: https://github.com/SagerNet/go/commits/release-branch.go1.25/
+# revert:
+# 33d3f603c1: "cmd/link/internal/ld: use 12.0.0 OS/SDK versions for macOS linking"
+# 937368f84e: "crypto/x509: change how we retrieve chains on darwin"
+
+for patch_commit in "${PATCH_COMMITS[@]}"; do
+  curl "${CURL_ARGS[@]}" "https://github.com/SagerNet/go/commit/${patch_commit}.diff" | patch --verbose -p 1
+done
+
+# Rebuild is not needed: we build with CGO_ENABLED=1, so Apple's external
+# linker handles LC_BUILD_VERSION via MACOSX_DEPLOYMENT_TARGET, and the
+# stdlib (crypto/x509) is compiled from patched src automatically.
+#cd src
+#GOROOT_BOOTSTRAP="$HOME/go/go_bootstrap" ./make.bash
+#cd ../..
+#rm -rf go_bootstrap "go${VERSION}.darwin-arm64.tar.gz"

.github/setup_go_for_windows7.sh

@@ -1,16 +1,35 @@
 #!/usr/bin/env bash
 
-VERSION="1.25.7"
+set -euo pipefail
 
-mkdir -p $HOME/go
-cd $HOME/go
+VERSION="1.25.8"
+PATCH_COMMITS=(
+  "466f6c7a29bc098b0d4c987b803c779222894a11"
+  "1bdabae205052afe1dadb2ad6f1ba612cdbc532a"
+  "a90777dcf692dd2168577853ba743b4338721b06"
+  "f6bddda4e8ff58a957462a1a09562924d5f3d05c"
+  "bed309eff415bcb3c77dd4bc3277b682b89a388d"
+  "34b899c2fb39b092db4fa67c4417e41dc046be4b"
+)
+CURL_ARGS=(
+  -fL
+  --silent
+  --show-error
+)
+
+if [[ -n "${GITHUB_TOKEN:-}" ]]; then
+  CURL_ARGS+=(-H "Authorization: Bearer ${GITHUB_TOKEN}")
+fi
+
+mkdir -p "$HOME/go"
+cd "$HOME/go"
 wget "https://dl.google.com/go/go${VERSION}.linux-amd64.tar.gz"
 tar -xzf "go${VERSION}.linux-amd64.tar.gz"
 mv go go_win7
 cd go_win7
 
 # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
-# this patch file only works on golang1.25.x
+# these patch URLs only work on golang1.25.x
 # that means after golang1.26 release it must be changed
 # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.25/
 # revert:
@@ -18,10 +37,10 @@ cd go_win7
 # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
 # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
 # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
+# fixes:
+# bed309eff415bcb3c77dd4bc3277b682b89a388d: "Fix os.RemoveAll not working on Windows7"
+# 34b899c2fb39b092db4fa67c4417e41dc046be4b: "Revert \"os: remove 5ms sleep on Windows in (*Process).Wait\""
 
-alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
-
-curl https://github.com/MetaCubeX/go/commit/8cb5472d94c34b88733a81091bd328e70ee565a4.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/6788c4c6f9fafb56729bad6b660f7ee2272d699f.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/a5b2168bb836ed9d6601c626f95e56c07923f906.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/f56f1e23507e646c85243a71bde7b9629b2f970c.diff | patch --verbose -p 1
+for patch_commit in "${PATCH_COMMITS[@]}"; do
+  curl "${CURL_ARGS[@]}" "https://github.com/MetaCubeX/go/commit/${patch_commit}.diff" | patch --verbose -p 1
+done

.github/workflows/build.yml

@@ -25,8 +25,9 @@ on:
           - publish-android
   push:
     branches:
-      - main-next
-      - dev-next
+      - stable
+      - testing
+      - unstable
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}-${{ inputs.build }}
@@ -46,7 +47,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ~1.25.8
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -71,27 +72,27 @@ jobs:
         include:
           - { os: linux, arch: amd64, variant: purego, naive: true }
           - { os: linux, arch: amd64, variant: glibc, naive: true }
-          - { os: linux, arch: amd64, variant: musl, naive: true, debian: amd64, rpm: x86_64, pacman: x86_64, openwrt: "x86_64" }
+          - { os: linux, arch: amd64, variant: musl, naive: true, debian: amd64, rpm: x86_64, pacman: x86_64, alpine: x86_64, openwrt: "x86_64" }
 
           - { os: linux, arch: arm64, variant: purego, naive: true }
           - { os: linux, arch: arm64, variant: glibc, naive: true }
-          - { os: linux, arch: arm64, variant: musl, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64, openwrt: "aarch64_cortex-a53 aarch64_cortex-a72 aarch64_cortex-a76 aarch64_generic" }
+          - { os: linux, arch: arm64, variant: musl, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64, alpine: aarch64, openwrt: "aarch64_cortex-a53 aarch64_cortex-a72 aarch64_cortex-a76 aarch64_generic" }
 
           - { os: linux, arch: "386", go386: sse2 }
           - { os: linux, arch: "386", variant: glibc, naive: true, go386: sse2 }
-          - { os: linux, arch: "386", variant: musl, naive: true, go386: sse2, debian: i386, rpm: i386, openwrt: "i386_pentium4" }
+          - { os: linux, arch: "386", variant: musl, naive: true, go386: sse2, debian: i386, rpm: i386, alpine: x86, openwrt: "i386_pentium4" }
 
           - { os: linux, arch: arm, goarm: "7" }
           - { os: linux, arch: arm, variant: glibc, naive: true, goarm: "7" }
-          - { os: linux, arch: arm, variant: musl, naive: true, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }
+          - { os: linux, arch: arm, variant: musl, naive: true, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, alpine: armv7, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }
 
           - { os: linux, arch: mipsle, gomips: hardfloat, naive: true, variant: glibc }
           - { os: linux, arch: mipsle, gomips: softfloat, naive: true, variant: musl, debian: mipsel, rpm: mipsel, openwrt: "mipsel_24kc mipsel_74kc mipsel_mips32" }
           - { os: linux, arch: mips64le, gomips: hardfloat, naive: true, variant: glibc, debian: mips64el, rpm: mips64el }
           - { os: linux, arch: riscv64, naive: true, variant: glibc }
-          - { os: linux, arch: riscv64, naive: true, variant: musl, debian: riscv64, rpm: riscv64, openwrt: "riscv64_generic" }
+          - { os: linux, arch: riscv64, naive: true, variant: musl, debian: riscv64, rpm: riscv64, alpine: riscv64, openwrt: "riscv64_generic" }
           - { os: linux, arch: loong64, naive: true, variant: glibc }
-          - { os: linux, arch: loong64, naive: true, variant: musl, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }
+          - { os: linux, arch: loong64, naive: true, variant: musl, debian: loongarch64, rpm: loongarch64, alpine: loongarch64, openwrt: "loongarch64_generic" }
 
           - { os: linux, arch: "386", go386: softfloat, openwrt: "i386_pentium-mmx" }
           - { os: linux, arch: arm, goarm: "5", openwrt: "arm_arm926ej-s arm_cortex-a7 arm_cortex-a9 arm_fa526 arm_xscale" }
@@ -120,15 +121,10 @@ jobs:
         with:
           fetch-depth: 0
       - name: Setup Go
-        if: ${{ ! (matrix.legacy_win7 || matrix.legacy_go124) }}
+        if: ${{ ! matrix.legacy_win7 }}
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
-      - name: Setup Go 1.24
-        if: matrix.legacy_go124
-        uses: actions/setup-go@v5
-        with:
-          go-version: ~1.24.10
+          go-version: ~1.25.8
       - name: Cache Go for Windows 7
         if: matrix.legacy_win7
         id: cache-go-for-windows7
@@ -136,9 +132,11 @@ jobs:
         with:
           path: |
             ~/go/go_win7
-          key: go_win7_1255
+          key: go_win7_1258
       - name: Setup Go for Windows 7
         if: matrix.legacy_win7 && steps.cache-go-for-windows7.outputs.cache-hit != 'true'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
         run: |-
           .github/setup_go_for_windows7.sh
       - name: Setup Go for Windows 7
@@ -207,9 +205,10 @@ jobs:
       - name: Set build tags
         run: |
           set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
           if [[ "${{ matrix.naive }}" == "true" ]]; then
-            TAGS="${TAGS},with_naive_outbound"
+            TAGS=$(cat release/DEFAULT_BUILD_TAGS)
+          else
+            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
           fi
           if [[ "${{ matrix.variant }}" == "purego" ]]; then
             TAGS="${TAGS},with_purego"
@@ -217,13 +216,16 @@ jobs:
             TAGS="${TAGS},with_musl"
           fi
           echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
+      - name: Set shared ldflags
+        run: |
+          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
       - name: Build (purego)
         if: matrix.variant == 'purego'
         run: |
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"
@@ -245,7 +247,7 @@ jobs:
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "1"
@@ -262,7 +264,7 @@ jobs:
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "1"
@@ -279,7 +281,7 @@ jobs:
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"
@@ -299,7 +301,7 @@ jobs:
           export CXX="${CC}++"
           mkdir -p dist
           GOOS=$BUILD_GOOS GOARCH=$BUILD_GOARCH build go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "1"
@@ -394,6 +396,30 @@ jobs:
             .github/deb2ipk.sh "$architecture" "dist/openwrt.deb" "dist/sing-box_${{ needs.calculate_version.outputs.version }}_openwrt_${architecture}.ipk"
           done
           rm "dist/openwrt.deb"
+      - name: Install apk-tools
+        if: matrix.openwrt != '' || matrix.alpine != ''
+        run: |-
+          docker run --rm -v /usr/local/bin:/mnt alpine:edge sh -c "apk add --no-cache apk-tools-static && cp /sbin/apk.static /mnt/apk && chmod +x /mnt/apk"
+      - name: Package OpenWrt APK
+        if: matrix.openwrt != ''
+        run: |-
+          set -xeuo pipefail
+          for architecture in ${{ matrix.openwrt }}; do
+            .github/build_openwrt_apk.sh \
+              "$architecture" \
+              "${{ needs.calculate_version.outputs.version }}" \
+              "dist/sing-box" \
+              "dist/sing-box_${{ needs.calculate_version.outputs.version }}_openwrt_${architecture}.apk"
+          done
+      - name: Package Alpine APK
+        if: matrix.alpine != ''
+        run: |-
+          set -xeuo pipefail
+          .github/build_alpine_apk.sh \
+            "${{ matrix.alpine }}" \
+            "${{ needs.calculate_version.outputs.version }}" \
+            "dist/sing-box" \
+            "dist/sing-box_${{ needs.calculate_version.outputs.version }}_linux_${{ matrix.alpine }}.apk"
       - name: Archive
         run: |
           set -xeuo pipefail
@@ -429,22 +455,36 @@ jobs:
         include:
           - { arch: amd64 }
           - { arch: arm64 }
-          - { arch: amd64, legacy_go124: true, legacy_name: "macos-11" }
+          - { arch: amd64, legacy_osx: true, legacy_name: "macos-10.13" }
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           fetch-depth: 0
       - name: Setup Go
-        if: ${{ ! matrix.legacy_go124 }}
+        if: ${{ ! matrix.legacy_osx }}
         uses: actions/setup-go@v5
         with:
           go-version: ^1.25.3
-      - name: Setup Go 1.24
-        if: matrix.legacy_go124
-        uses: actions/setup-go@v5
+      - name: Cache Go for macOS 10.13
+        if: matrix.legacy_osx
+        id: cache-go-for-macos1013
+        uses: actions/cache@v4
         with:
-          go-version: ~1.24.6
+          path: |
+            ~/go/go_osx
+          key: go_osx_1258
+      - name: Setup Go for macOS 10.13
+        if: matrix.legacy_osx && steps.cache-go-for-macos1013.outputs.cache-hit != 'true'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |-
+          .github/setup_go_for_macos1013.sh
+      - name: Setup Go for macOS 10.13
+        if: matrix.legacy_osx
+        run: |-
+          echo "PATH=$HOME/go/go_osx/bin:$PATH" >> $GITHUB_ENV
+          echo "GOROOT=$HOME/go/go_osx" >> $GITHUB_ENV
       - name: Set tag
         run: |-
           git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
@@ -452,22 +492,27 @@ jobs:
       - name: Set build tags
         run: |
           set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
-          if [[ "${{ matrix.legacy_go124 }}" != "true" ]]; then
-            TAGS="${TAGS},with_naive_outbound"
+          if [[ "${{ matrix.legacy_osx }}" != "true" ]]; then
+            TAGS=$(cat release/DEFAULT_BUILD_TAGS)
+          else
+            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
           fi
           echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
+      - name: Set shared ldflags
+        run: |
+          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
       - name: Build
         run: |
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "1"
           GOOS: darwin
           GOARCH: ${{ matrix.arch }}
+          MACOSX_DEPLOYMENT_TARGET: ${{ matrix.legacy_osx && '10.13' || '' }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Set name
         run: |-
@@ -520,9 +565,11 @@ jobs:
       - name: Build
         if: matrix.naive
         run: |
+          $TAGS = Get-Content release/DEFAULT_BUILD_TAGS_WINDOWS
+          $LDFLAGS_SHARED = Get-Content release/LDFLAGS
           mkdir -p dist
-          go build -v -trimpath -o dist/sing-box.exe -tags "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,with_naive_outbound,with_purego,badlinkname,tfogo_checklinkname0" `
-          -ldflags "-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0" `
+          go build -v -trimpath -o dist/sing-box.exe -tags "$TAGS" `
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' $LDFLAGS_SHARED -s -w -buildid=" `
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"
@@ -532,9 +579,11 @@ jobs:
       - name: Build
         if: ${{ !matrix.naive }}
         run: |
+          $TAGS = Get-Content release/DEFAULT_BUILD_TAGS_OTHERS
+          $LDFLAGS_SHARED = Get-Content release/LDFLAGS
           mkdir -p dist
-          go build -v -trimpath -o dist/sing-box.exe -tags "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0" `
-          -ldflags "-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0" `
+          go build -v -trimpath -o dist/sing-box.exe -tags "$TAGS" `
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' $LDFLAGS_SHARED -s -w -buildid=" `
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"
@@ -579,7 +628,7 @@ jobs:
           path: "dist"
   build_android:
     name: Build Android
-    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android'
+    if: (github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android') && github.ref != 'refs/heads/oldstable'
     runs-on: ubuntu-latest
     needs:
       - calculate_version
@@ -592,7 +641,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ~1.25.8
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -615,12 +664,12 @@ jobs:
           JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
           ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
       - name: Checkout main branch
-        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        if: github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
         run: |-
           cd clients/android
           git checkout main
       - name: Checkout dev branch
-        if: github.ref == 'refs/heads/dev-next'
+        if: github.ref == 'refs/heads/testing'
         run: |-
           cd clients/android
           git checkout dev
@@ -669,7 +718,7 @@ jobs:
           path: 'dist'
   publish_android:
     name: Publish Android
-    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android'
+    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android' && github.ref != 'refs/heads/oldstable'
     runs-on: ubuntu-latest
     needs:
       - calculate_version
@@ -682,7 +731,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ~1.25.8
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -705,12 +754,12 @@ jobs:
           JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
           ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
       - name: Checkout main branch
-        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        if: github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
         run: |-
           cd clients/android
           git checkout main
       - name: Checkout dev branch
-        if: github.ref == 'refs/heads/dev-next'
+        if: github.ref == 'refs/heads/testing'
         run: |-
           cd clients/android
           git checkout dev
@@ -781,7 +830,7 @@ jobs:
         if: matrix.if
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ~1.25.8
       - name: Set tag
         if: matrix.if
         run: |-
@@ -789,12 +838,12 @@ jobs:
           git tag v${{ needs.calculate_version.outputs.version }} -f
           echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
       - name: Checkout main branch
-        if: matrix.if && github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        if: matrix.if && github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
         run: |-
           cd clients/apple
           git checkout main
       - name: Checkout dev branch
-        if: matrix.if && github.ref == 'refs/heads/dev-next'
+        if: matrix.if && github.ref == 'refs/heads/testing'
         run: |-
           cd clients/apple
           git checkout dev
@@ -880,7 +929,7 @@ jobs:
             -authenticationKeyID $ASC_KEY_ID \
             -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
       - name: Publish to TestFlight
-        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/dev-next'
+        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/testing'
         run: |-
           go run -v ./cmd/internal/app_store_connect publish_testflight ${{ matrix.platform }}
       - name: Build image

.github/workflows/docker.yml

@@ -3,8 +3,8 @@ name: Publish Docker Images
 on:
   #push:
   #  branches:
-  #    - main-next
-  #    - dev-next
+  #    - stable
+  #    - testing
   release:
     types:
       - published
@@ -19,6 +19,7 @@ env:
 jobs:
   build_binary:
     name: Build binary
+    if: github.event_name != 'release' || github.event.release.target_commitish != 'oldstable'
     runs-on: ubuntu-latest
     strategy:
       fail-fast: true
@@ -55,7 +56,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ~1.25.8
       - name: Clone cronet-go
         if: matrix.naive
         run: |
@@ -104,17 +105,21 @@ jobs:
       - name: Set build tags
         run: |
           set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
           if [[ "${{ matrix.naive }}" == "true" ]]; then
-            TAGS="${TAGS},with_naive_outbound,with_musl"
+            TAGS="$(cat release/DEFAULT_BUILD_TAGS),with_musl"
+          else
+            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
           fi
           echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
+      - name: Set shared ldflags
+        run: |
+          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
       - name: Build (naive)
         if: matrix.naive
         run: |
           set -xeuo pipefail
           go build -v -trimpath -o sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=${VERSION}\" -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0" \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${VERSION}' ${LDFLAGS_SHARED} -s -w -buildid=" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "1"
@@ -127,7 +132,7 @@ jobs:
         run: |
           set -xeuo pipefail
           go build -v -trimpath -o sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=${VERSION}\" -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0" \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${VERSION}' ${LDFLAGS_SHARED} -s -w -buildid=" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"

.github/workflows/lint.yml

@@ -3,18 +3,20 @@ name: Lint
 on:
   push:
     branches:
-      - stable-next
-      - main-next
-      - dev-next
+      - oldstable
+      - stable
+      - testing
+      - unstable
     paths-ignore:
       - '**.md'
       - '.github/**'
       - '!.github/workflows/lint.yml'
   pull_request:
     branches:
-      - stable-next
-      - main-next
-      - dev-next
+      - oldstable
+      - stable
+      - testing
+      - unstable
 
 jobs:
   build:

.github/workflows/linux.yml

@@ -3,8 +3,8 @@ name: Build Linux Packages
 on:
   #push:
   #  branches:
-  #    - main-next
-  #    - dev-next
+  #    - stable
+  #    - testing
   workflow_dispatch:
     inputs:
       version:
@@ -23,6 +23,7 @@ on:
 jobs:
   calculate_version:
     name: Calculate version
+    if: github.event_name != 'release' || github.event.release.target_commitish != 'oldstable'
     runs-on: ubuntu-latest
     outputs:
       version: ${{ steps.outputs.outputs.version }}
@@ -34,7 +35,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ~1.25.8
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -77,7 +78,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ~1.25.8
       - name: Clone cronet-go
         if: matrix.naive
         run: |
@@ -125,18 +126,22 @@ jobs:
       - name: Set build tags
         run: |
           set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
           if [[ "${{ matrix.naive }}" == "true" ]]; then
-            TAGS="${TAGS},with_naive_outbound,with_musl"
+            TAGS="$(cat release/DEFAULT_BUILD_TAGS),with_musl"
+          else
+            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
           fi
           echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
+      - name: Set shared ldflags
+        run: |
+          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
       - name: Build (naive)
         if: matrix.naive
         run: |
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "1"
@@ -152,7 +157,7 @@ jobs:
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"

.golangci.yml

@@ -9,6 +9,11 @@ run:
     - with_utls
     - with_acme
     - with_clash_api
+    - with_tailscale
+    - with_ccm
+    - with_ocm
+    - badlinkname
+    - tfogo_checklinkname0
 linters:
   default: none
   enable:

Dockerfile

@@ -12,10 +12,11 @@ RUN set -ex \
     && apk add git build-base \
     && export COMMIT=$(git rev-parse --short HEAD) \
     && export VERSION=$(go run ./cmd/internal/read_tag) \
-    && go build -v -trimpath -tags \
-        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0" \
+    && export TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS) \
+    && export LDFLAGS_SHARED=$(cat release/LDFLAGS) \
+    && go build -v -trimpath -tags "$TAGS" \
         -o /go/bin/sing-box \
-        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0" \
+        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" $LDFLAGS_SHARED -s -w -buildid=" \
         ./cmd/sing-box
 FROM --platform=$TARGETPLATFORM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"

Makefile

@@ -1,12 +1,13 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS ?= with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0
+TAGS ?= $(shell cat release/DEFAULT_BUILD_TAGS_OTHERS)
 
 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
 VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest)
 
-PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0"
+LDFLAGS_SHARED = $(shell cat release/LDFLAGS)
+PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' $(LDFLAGS_SHARED) -s -w -buildid="
 MAIN_PARAMS = $(PARAMS) -tags "$(TAGS)"
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
@@ -259,8 +260,8 @@ publish_docs:
 	venv/bin/mkdocs gh-deploy -m "Update" --force --ignore-version --no-history
 
 docs_install:
-	python -m venv venv
-	source ./venv/bin/activate && pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"
+	python3 -m venv venv
+	source ./venv/bin/activate && pip install --force-reinstall mkdocs-material=="9.7.2" mkdocs-static-i18n=="1.2.*"
 
 clean:
 	rm -rf bin dist sing-box

adapter/inbound.go

@@ -62,13 +62,10 @@ type InboundContext struct {
 	// cache
 
 	// Deprecated: implement in rule action
-	InboundDetour            string
-	LastInbound              string
-	OriginDestination        M.Socksaddr
-	RouteOriginalDestination M.Socksaddr
-	// Deprecated: to be removed
-	//nolint:staticcheck
-	InboundOptions            option.InboundOptions
+	InboundDetour             string
+	LastInbound               string
+	OriginDestination         M.Socksaddr
+	RouteOriginalDestination  M.Socksaddr
 	UDPDisableDomainUnmapping bool
 	UDPConnect                bool
 	UDPTimeout                time.Duration

common/dialer/dialer.go

@@ -145,3 +145,7 @@ type ParallelNetworkDialer interface {
 	DialParallelNetwork(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
 	ListenSerialNetworkPacket(ctx context.Context, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error)
 }
+
+type PacketDialerWithDestination interface {
+	ListenPacketWithDestination(ctx context.Context, destination M.Socksaddr) (net.PacketConn, netip.Addr, error)
+}

common/ktls/ktls_read.go

@@ -12,6 +12,7 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"unsafe"
 )
 
 func (c *Conn) Read(b []byte) (int, error) {
@@ -229,7 +230,7 @@ func (c *Conn) readRawRecord() (typ uint8, data []byte, err error) {
 	record := c.rawConn.RawInput.Next(recordHeaderLen + n)
 	data, typ, err = c.rawConn.In.Decrypt(record)
 	if err != nil {
-		err = c.rawConn.In.SetErrorLocked(c.sendAlert(uint8(err.(tls.AlertError))))
+		err = c.rawConn.In.SetErrorLocked(c.sendAlert(*(*uint8)((*[2]unsafe.Pointer)(unsafe.Pointer(&err))[1])))
 		return
 	}
 	return

common/listener/listener.go

@@ -151,6 +151,7 @@ func ListenNetworkNamespace[T any](nameOrPath string, block func() (T, error)) (
 		if err != nil {
 			return common.DefaultValue[T](), E.Cause(err, "get current netns")
 		}
+		defer currentNs.Close()
 		defer netns.Set(currentNs)
 		var targetNs netns.NsHandle
 		if strings.HasPrefix(nameOrPath, "/") {

common/listener/listener_tcp.go

@@ -99,8 +99,6 @@ func (l *Listener) loopTCPIn() {
 		}
 		//nolint:staticcheck
 		metadata.InboundDetour = l.listenOptions.Detour
-		//nolint:staticcheck
-		metadata.InboundOptions = l.listenOptions.InboundOptions
 		metadata.Source = M.SocksaddrFromNet(conn.RemoteAddr()).Unwrap()
 		metadata.OriginDestination = M.SocksaddrFromNet(conn.LocalAddr()).Unwrap()
 		ctx := log.ContextWithNewID(l.ctx)

common/tls/ech.go

@@ -15,7 +15,6 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	aTLS "github.com/sagernet/sing/common/tls"
@@ -38,7 +37,7 @@ func parseECHClientConfig(ctx context.Context, clientConfig ECHCapableConfig, op
 	}
 	//nolint:staticcheck
 	if options.ECH.PQSignatureSchemesEnabled || options.ECH.DynamicRecordSizingDisabled {
-		deprecated.Report(ctx, deprecated.OptionLegacyECHOptions)
+		return nil, E.New("legacy ECH options are deprecated in sing-box 1.12.0 and removed in sing-box 1.13.0")
 	}
 	if len(echConfig) > 0 {
 		block, rest := pem.Decode(echConfig)
@@ -77,7 +76,7 @@ func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions,
 	tlsConfig.EncryptedClientHelloKeys = echKeys
 	//nolint:staticcheck
 	if options.ECH.PQSignatureSchemesEnabled || options.ECH.DynamicRecordSizingDisabled {
-		deprecated.Report(ctx, deprecated.OptionLegacyECHOptions)
+		return E.New("legacy ECH options are deprecated in sing-box 1.12.0 and removed in sing-box 1.13.0")
 	}
 	return nil
 }

dns/client.go

@@ -240,8 +240,10 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 	if responseChecker != nil {
 		var rejected bool
 		// TODO: add accept_any rule and support to check response instead of addresses
-		if response.Rcode != dns.RcodeSuccess || len(response.Answer) == 0 {
+		if response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError {
 			rejected = true
+		} else if len(response.Answer) == 0 {
+			rejected = !responseChecker(nil)
 		} else {
 			rejected = !responseChecker(MessageToAddresses(response))
 		}
@@ -322,16 +324,20 @@ func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, dom
 	} else {
 		strategy = options.Strategy
 	}
+	lookupOptions := options
+	if options.LookupStrategy != C.DomainStrategyAsIS {
+		lookupOptions.Strategy = strategy
+	}
 	if strategy == C.DomainStrategyIPv4Only {
-		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, options, responseChecker)
+		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, lookupOptions, responseChecker)
 	} else if strategy == C.DomainStrategyIPv6Only {
-		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, options, responseChecker)
+		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, lookupOptions, responseChecker)
 	}
 	var response4 []netip.Addr
 	var response6 []netip.Addr
 	var group task.Group
 	group.Append("exchange4", func(ctx context.Context) error {
-		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, options, responseChecker)
+		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, lookupOptions, responseChecker)
 		if err != nil {
 			return err
 		}
@@ -339,7 +345,7 @@ func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, dom
 		return nil
 	})
 	group.Append("exchange6", func(ctx context.Context) error {
-		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, options, responseChecker)
+		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, lookupOptions, responseChecker)
 		if err != nil {
 			return err
 		}

dns/router.go

@@ -195,7 +195,16 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 			}
 		}
 	}
-	return r.transport.Default(), nil, -1
+	transport := r.transport.Default()
+	if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
+		if options.Strategy == C.DomainStrategyAsIS {
+			options.Strategy = legacyTransport.LegacyStrategy()
+		}
+		if !options.ClientSubnet.IsValid() {
+			options.ClientSubnet = legacyTransport.LegacyClientSubnet()
+		}
+	}
+	return transport, nil, -1
 }
 
 func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapter.DNSQueryOptions) (*mDNS.Msg, error) {
@@ -272,13 +281,7 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 					return action.Response(message), nil
 				}
 			}
-			var responseCheck func(responseAddrs []netip.Addr) bool
-			if rule != nil && rule.WithAddressLimit() {
-				responseCheck = func(responseAddrs []netip.Addr) bool {
-					metadata.DestinationAddresses = responseAddrs
-					return rule.MatchAddressLimit(metadata)
-				}
-			}
+			responseCheck := addressLimitResponseCheck(rule, metadata)
 			if dnsOptions.Strategy == C.DomainStrategyAsIS {
 				dnsOptions.Strategy = r.defaultDomainStrategy
 			}
@@ -351,7 +354,7 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 		transport := options.Transport
 		if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
 			if options.Strategy == C.DomainStrategyAsIS {
-				options.Strategy = r.defaultDomainStrategy
+				options.Strategy = legacyTransport.LegacyStrategy()
 			}
 			if !options.ClientSubnet.IsValid() {
 				options.ClientSubnet = legacyTransport.LegacyClientSubnet()
@@ -394,13 +397,7 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 					goto response
 				}
 			}
-			var responseCheck func(responseAddrs []netip.Addr) bool
-			if rule != nil && rule.WithAddressLimit() {
-				responseCheck = func(responseAddrs []netip.Addr) bool {
-					metadata.DestinationAddresses = responseAddrs
-					return rule.MatchAddressLimit(metadata)
-				}
-			}
+			responseCheck := addressLimitResponseCheck(rule, metadata)
 			if dnsOptions.Strategy == C.DomainStrategyAsIS {
 				dnsOptions.Strategy = r.defaultDomainStrategy
 			}
@@ -428,6 +425,18 @@ func isAddressQuery(message *mDNS.Msg) bool {
 	return false
 }
 
+func addressLimitResponseCheck(rule adapter.DNSRule, metadata *adapter.InboundContext) func(responseAddrs []netip.Addr) bool {
+	if rule == nil || !rule.WithAddressLimit() {
+		return nil
+	}
+	responseMetadata := *metadata
+	return func(responseAddrs []netip.Addr) bool {
+		checkMetadata := responseMetadata
+		checkMetadata.DestinationAddresses = responseAddrs
+		return rule.MatchAddressLimit(&checkMetadata)
+	}
+}
+
 func (r *Router) ClearCache() {
 	r.client.ClearCache()
 	if r.platformInterface != nil {

dns/transport/connector.go

@@ -4,6 +4,9 @@ import (
 	"context"
 	"net"
 	"sync"
+	"time"
+
+	E "github.com/sagernet/sing/common/exceptions"
 )
 
 type ConnectorCallbacks[T any] struct {
@@ -16,10 +19,11 @@ type Connector[T any] struct {
 	dial      func(ctx context.Context) (T, error)
 	callbacks ConnectorCallbacks[T]
 
-	access        sync.Mutex
-	connection    T
-	hasConnection bool
-	connecting    chan struct{}
+	access           sync.Mutex
+	connection       T
+	hasConnection    bool
+	connectionCancel context.CancelFunc
+	connecting       chan struct{}
 
 	closeCtx context.Context
 	closed   bool
@@ -47,6 +51,16 @@ func NewSingleflightConnector(closeCtx context.Context, dial func(context.Contex
 	})
 }
 
+type contextKeyConnecting struct{}
+
+var errRecursiveConnectorDial = E.New("recursive connector dial")
+
+type connectorDialResult[T any] struct {
+	connection T
+	cancel     context.CancelFunc
+	err        error
+}
+
 func (c *Connector[T]) Get(ctx context.Context) (T, error) {
 	var zero T
 	for {
@@ -64,6 +78,14 @@ func (c *Connector[T]) Get(ctx context.Context) (T, error) {
 		}
 
 		c.hasConnection = false
+		if c.connectionCancel != nil {
+			c.connectionCancel()
+			c.connectionCancel = nil
+		}
+		if isRecursiveConnectorDial(ctx, c) {
+			c.access.Unlock()
+			return zero, errRecursiveConnectorDial
+		}
 
 		if c.connecting != nil {
 			connecting := c.connecting
@@ -79,48 +101,134 @@ func (c *Connector[T]) Get(ctx context.Context) (T, error) {
 			}
 		}
 
-		c.connecting = make(chan struct{})
-		c.access.Unlock()
-
-		connection, err := c.dialWithCancellation(ctx)
-
-		c.access.Lock()
-		close(c.connecting)
-		c.connecting = nil
-
-		if err != nil {
+		if err := ctx.Err(); err != nil {
 			c.access.Unlock()
 			return zero, err
 		}
 
-		if c.closed {
-			c.callbacks.Close(connection)
-			c.access.Unlock()
-			return zero, ErrTransportClosed
-		}
-
-		c.connection = connection
-		c.hasConnection = true
-		result := c.connection
+		connecting := make(chan struct{})
+		c.connecting = connecting
+		dialContext := context.WithValue(ctx, contextKeyConnecting{}, c)
+		dialResult := make(chan connectorDialResult[T], 1)
 		c.access.Unlock()
 
-		return result, nil
+		go func() {
+			connection, cancel, err := c.dialWithCancellation(dialContext)
+			dialResult <- connectorDialResult[T]{
+				connection: connection,
+				cancel:     cancel,
+				err:        err,
+			}
+		}()
+
+		select {
+		case result := <-dialResult:
+			return c.completeDial(ctx, connecting, result)
+		case <-ctx.Done():
+			go func() {
+				result := <-dialResult
+				_, _ = c.completeDial(ctx, connecting, result)
+			}()
+			return zero, ctx.Err()
+		case <-c.closeCtx.Done():
+			go func() {
+				result := <-dialResult
+				_, _ = c.completeDial(ctx, connecting, result)
+			}()
+			return zero, ErrTransportClosed
+		}
 	}
 }
 
-func (c *Connector[T]) dialWithCancellation(ctx context.Context) (T, error) {
-	dialCtx, cancel := context.WithCancel(ctx)
-	defer cancel()
+func isRecursiveConnectorDial[T any](ctx context.Context, connector *Connector[T]) bool {
+	dialConnector, loaded := ctx.Value(contextKeyConnecting{}).(*Connector[T])
+	return loaded && dialConnector == connector
+}
 
-	go func() {
-		select {
-		case <-c.closeCtx.Done():
-			cancel()
-		case <-dialCtx.Done():
+func (c *Connector[T]) completeDial(ctx context.Context, connecting chan struct{}, result connectorDialResult[T]) (T, error) {
+	var zero T
+
+	c.access.Lock()
+	defer c.access.Unlock()
+	defer func() {
+		if c.connecting == connecting {
+			c.connecting = nil
 		}
+		close(connecting)
 	}()
 
-	return c.dial(dialCtx)
+	if result.err != nil {
+		return zero, result.err
+	}
+	if c.closed || c.closeCtx.Err() != nil {
+		result.cancel()
+		c.callbacks.Close(result.connection)
+		return zero, ErrTransportClosed
+	}
+	if err := ctx.Err(); err != nil {
+		result.cancel()
+		c.callbacks.Close(result.connection)
+		return zero, err
+	}
+
+	c.connection = result.connection
+	c.hasConnection = true
+	c.connectionCancel = result.cancel
+	return c.connection, nil
+}
+
+func (c *Connector[T]) dialWithCancellation(ctx context.Context) (T, context.CancelFunc, error) {
+	var zero T
+	if err := ctx.Err(); err != nil {
+		return zero, nil, err
+	}
+	connCtx, cancel := context.WithCancel(c.closeCtx)
+
+	var (
+		stateAccess  sync.Mutex
+		dialComplete bool
+	)
+	stopCancel := context.AfterFunc(ctx, func() {
+		stateAccess.Lock()
+		if !dialComplete {
+			cancel()
+		}
+		stateAccess.Unlock()
+	})
+	select {
+	case <-ctx.Done():
+		stateAccess.Lock()
+		dialComplete = true
+		stateAccess.Unlock()
+		stopCancel()
+		cancel()
+		return zero, nil, ctx.Err()
+	default:
+	}
+
+	connection, err := c.dial(valueContext{connCtx, ctx})
+	stateAccess.Lock()
+	dialComplete = true
+	stateAccess.Unlock()
+	stopCancel()
+	if err != nil {
+		cancel()
+		return zero, nil, err
+	}
+	return connection, cancel, nil
+}
+
+type valueContext struct {
+	context.Context
+	parent context.Context
+}
+
+func (v valueContext) Value(key any) any {
+	return v.parent.Value(key)
+}
+
+func (v valueContext) Deadline() (time.Time, bool) {
+	return v.parent.Deadline()
 }
 
 func (c *Connector[T]) Close() error {
@@ -132,6 +240,10 @@ func (c *Connector[T]) Close() error {
 	}
 	c.closed = true
 
+	if c.connectionCancel != nil {
+		c.connectionCancel()
+		c.connectionCancel = nil
+	}
 	if c.hasConnection {
 		c.callbacks.Close(c.connection)
 		c.hasConnection = false
@@ -144,6 +256,10 @@ func (c *Connector[T]) Reset() {
 	c.access.Lock()
 	defer c.access.Unlock()
 
+	if c.connectionCancel != nil {
+		c.connectionCancel()
+		c.connectionCancel = nil
+	}
 	if c.hasConnection {
 		c.callbacks.Reset(c.connection)
 		c.hasConnection = false

dns/transport/connector_test.go

@@ -0,0 +1,407 @@
+package transport
+
+import (
+	"context"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+type testConnectorConnection struct{}
+
+func TestConnectorRecursiveGetFailsFast(t *testing.T) {
+	t.Parallel()
+
+	var (
+		dialCount  atomic.Int32
+		closeCount atomic.Int32
+		connector  *Connector[*testConnectorConnection]
+	)
+
+	dial := func(ctx context.Context) (*testConnectorConnection, error) {
+		dialCount.Add(1)
+		_, err := connector.Get(ctx)
+		if err != nil {
+			return nil, err
+		}
+		return &testConnectorConnection{}, nil
+	}
+
+	connector = NewConnector(context.Background(), dial, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {
+			closeCount.Add(1)
+		},
+		Reset: func(connection *testConnectorConnection) {
+			closeCount.Add(1)
+		},
+	})
+
+	_, err := connector.Get(context.Background())
+	require.ErrorIs(t, err, errRecursiveConnectorDial)
+	require.EqualValues(t, 1, dialCount.Load())
+	require.EqualValues(t, 0, closeCount.Load())
+}
+
+func TestConnectorRecursiveGetAcrossConnectorsAllowed(t *testing.T) {
+	t.Parallel()
+
+	var (
+		outerDialCount atomic.Int32
+		innerDialCount atomic.Int32
+		outerConnector *Connector[*testConnectorConnection]
+		innerConnector *Connector[*testConnectorConnection]
+	)
+
+	innerConnector = NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		innerDialCount.Add(1)
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	outerConnector = NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		outerDialCount.Add(1)
+		_, err := innerConnector.Get(ctx)
+		if err != nil {
+			return nil, err
+		}
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	_, err := outerConnector.Get(context.Background())
+	require.NoError(t, err)
+	require.EqualValues(t, 1, outerDialCount.Load())
+	require.EqualValues(t, 1, innerDialCount.Load())
+}
+
+func TestConnectorDialContextPreservesValueAndDeadline(t *testing.T) {
+	t.Parallel()
+
+	type contextKey struct{}
+
+	var (
+		dialValue       any
+		dialDeadline    time.Time
+		dialHasDeadline bool
+	)
+
+	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		dialValue = ctx.Value(contextKey{})
+		dialDeadline, dialHasDeadline = ctx.Deadline()
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	deadline := time.Now().Add(time.Minute)
+	requestContext, cancel := context.WithDeadline(context.WithValue(context.Background(), contextKey{}, "test-value"), deadline)
+	defer cancel()
+
+	_, err := connector.Get(requestContext)
+	require.NoError(t, err)
+	require.Equal(t, "test-value", dialValue)
+	require.True(t, dialHasDeadline)
+	require.WithinDuration(t, deadline, dialDeadline, time.Second)
+}
+
+func TestConnectorDialSkipsCanceledRequest(t *testing.T) {
+	t.Parallel()
+
+	var dialCount atomic.Int32
+	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		dialCount.Add(1)
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	requestContext, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	_, err := connector.Get(requestContext)
+	require.ErrorIs(t, err, context.Canceled)
+	require.EqualValues(t, 0, dialCount.Load())
+}
+
+func TestConnectorCanceledRequestDoesNotCacheConnection(t *testing.T) {
+	t.Parallel()
+
+	var (
+		dialCount  atomic.Int32
+		closeCount atomic.Int32
+	)
+	dialStarted := make(chan struct{}, 1)
+	releaseDial := make(chan struct{})
+
+	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		dialCount.Add(1)
+		select {
+		case dialStarted <- struct{}{}:
+		default:
+		}
+		<-releaseDial
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {
+			closeCount.Add(1)
+		},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	requestContext, cancel := context.WithCancel(context.Background())
+	result := make(chan error, 1)
+	go func() {
+		_, err := connector.Get(requestContext)
+		result <- err
+	}()
+
+	<-dialStarted
+	cancel()
+	close(releaseDial)
+
+	err := <-result
+	require.ErrorIs(t, err, context.Canceled)
+	require.EqualValues(t, 1, dialCount.Load())
+	require.Eventually(t, func() bool {
+		return closeCount.Load() == 1
+	}, time.Second, 10*time.Millisecond)
+
+	_, err = connector.Get(context.Background())
+	require.NoError(t, err)
+	require.EqualValues(t, 2, dialCount.Load())
+}
+
+func TestConnectorCanceledRequestReturnsBeforeIgnoredDialCompletes(t *testing.T) {
+	t.Parallel()
+
+	var (
+		dialCount  atomic.Int32
+		closeCount atomic.Int32
+	)
+	dialStarted := make(chan struct{}, 1)
+	releaseDial := make(chan struct{})
+
+	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		dialCount.Add(1)
+		select {
+		case dialStarted <- struct{}{}:
+		default:
+		}
+		<-releaseDial
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {
+			closeCount.Add(1)
+		},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	requestContext, cancel := context.WithCancel(context.Background())
+	result := make(chan error, 1)
+	go func() {
+		_, err := connector.Get(requestContext)
+		result <- err
+	}()
+
+	<-dialStarted
+	cancel()
+
+	select {
+	case err := <-result:
+		require.ErrorIs(t, err, context.Canceled)
+	case <-time.After(time.Second):
+		t.Fatal("Get did not return after request cancel")
+	}
+
+	require.EqualValues(t, 1, dialCount.Load())
+	require.EqualValues(t, 0, closeCount.Load())
+
+	close(releaseDial)
+
+	require.Eventually(t, func() bool {
+		return closeCount.Load() == 1
+	}, time.Second, 10*time.Millisecond)
+
+	_, err := connector.Get(context.Background())
+	require.NoError(t, err)
+	require.EqualValues(t, 2, dialCount.Load())
+}
+
+func TestConnectorWaiterDoesNotStartNewDialBeforeCanceledDialCompletes(t *testing.T) {
+	t.Parallel()
+
+	var (
+		dialCount  atomic.Int32
+		closeCount atomic.Int32
+	)
+	firstDialStarted := make(chan struct{}, 1)
+	secondDialStarted := make(chan struct{}, 1)
+	releaseFirstDial := make(chan struct{})
+
+	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		attempt := dialCount.Add(1)
+		switch attempt {
+		case 1:
+			select {
+			case firstDialStarted <- struct{}{}:
+			default:
+			}
+			<-releaseFirstDial
+		case 2:
+			select {
+			case secondDialStarted <- struct{}{}:
+			default:
+			}
+		}
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {
+			closeCount.Add(1)
+		},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	requestContext, cancel := context.WithCancel(context.Background())
+	firstResult := make(chan error, 1)
+	go func() {
+		_, err := connector.Get(requestContext)
+		firstResult <- err
+	}()
+
+	<-firstDialStarted
+	cancel()
+
+	secondResult := make(chan error, 1)
+	go func() {
+		_, err := connector.Get(context.Background())
+		secondResult <- err
+	}()
+
+	select {
+	case <-secondDialStarted:
+		t.Fatal("second dial started before first dial completed")
+	case <-time.After(100 * time.Millisecond):
+	}
+
+	select {
+	case err := <-firstResult:
+		require.ErrorIs(t, err, context.Canceled)
+	case <-time.After(time.Second):
+		t.Fatal("first Get did not return after request cancel")
+	}
+
+	close(releaseFirstDial)
+
+	require.Eventually(t, func() bool {
+		return closeCount.Load() == 1
+	}, time.Second, 10*time.Millisecond)
+
+	select {
+	case <-secondDialStarted:
+	case <-time.After(time.Second):
+		t.Fatal("second dial did not start after first dial completed")
+	}
+
+	err := <-secondResult
+	require.NoError(t, err)
+	require.EqualValues(t, 2, dialCount.Load())
+}
+
+func TestConnectorDialContextNotCanceledByRequestContextAfterDial(t *testing.T) {
+	t.Parallel()
+
+	var dialContext context.Context
+	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		dialContext = ctx
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	requestContext, cancel := context.WithCancel(context.Background())
+	_, err := connector.Get(requestContext)
+	require.NoError(t, err)
+	require.NotNil(t, dialContext)
+
+	cancel()
+
+	select {
+	case <-dialContext.Done():
+		t.Fatal("dial context canceled by request context after successful dial")
+	case <-time.After(100 * time.Millisecond):
+	}
+
+	err = connector.Close()
+	require.NoError(t, err)
+}
+
+func TestConnectorDialContextCanceledOnClose(t *testing.T) {
+	t.Parallel()
+
+	var dialContext context.Context
+	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		dialContext = ctx
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	_, err := connector.Get(context.Background())
+	require.NoError(t, err)
+	require.NotNil(t, dialContext)
+
+	select {
+	case <-dialContext.Done():
+		t.Fatal("dial context canceled before connector close")
+	default:
+	}
+
+	err = connector.Close()
+	require.NoError(t, err)
+
+	select {
+	case <-dialContext.Done():
+	case <-time.After(time.Second):
+		t.Fatal("dial context not canceled after connector close")
+	}
+}

dns/transport/fakeip/store.go

@@ -18,6 +18,8 @@ type Store struct {
 	logger     logger.Logger
 	inet4Range netip.Prefix
 	inet6Range netip.Prefix
+	inet4Last  netip.Addr
+	inet6Last  netip.Addr
 	storage    adapter.FakeIPStorage
 
 	addressAccess sync.Mutex
@@ -26,12 +28,35 @@ type Store struct {
 }
 
 func NewStore(ctx context.Context, logger logger.Logger, inet4Range netip.Prefix, inet6Range netip.Prefix) *Store {
-	return &Store{
+	store := &Store{
 		ctx:        ctx,
 		logger:     logger,
 		inet4Range: inet4Range,
 		inet6Range: inet6Range,
 	}
+	if inet4Range.IsValid() {
+		store.inet4Last = broadcastAddress(inet4Range)
+	}
+	if inet6Range.IsValid() {
+		store.inet6Last = broadcastAddress(inet6Range)
+	}
+	return store
+}
+
+func broadcastAddress(prefix netip.Prefix) netip.Addr {
+	addr := prefix.Addr()
+	raw := addr.As16()
+	bits := prefix.Bits()
+	if addr.Is4() {
+		bits += 96
+	}
+	for i := bits; i < 128; i++ {
+		raw[i/8] |= 1 << (7 - i%8)
+	}
+	if addr.Is4() {
+		return netip.AddrFrom4([4]byte(raw[12:]))
+	}
+	return netip.AddrFrom16(raw)
 }
 
 func (s *Store) Start() error {
@@ -49,10 +74,10 @@ func (s *Store) Start() error {
 		s.inet6Current = metadata.Inet6Current
 	} else {
 		if s.inet4Range.IsValid() {
-			s.inet4Current = s.inet4Range.Addr().Next().Next()
+			s.inet4Current = s.inet4Range.Addr().Next()
 		}
 		if s.inet6Range.IsValid() {
-			s.inet6Current = s.inet6Range.Addr().Next().Next()
+			s.inet6Current = s.inet6Range.Addr().Next()
 		}
 		_ = storage.FakeIPReset()
 	}
@@ -98,7 +123,7 @@ func (s *Store) Create(domain string, isIPv6 bool) (netip.Addr, error) {
 			return netip.Addr{}, E.New("missing IPv4 fakeip address range")
 		}
 		nextAddress := s.inet4Current.Next()
-		if !s.inet4Range.Contains(nextAddress) {
+		if nextAddress == s.inet4Last || !s.inet4Range.Contains(nextAddress) {
 			nextAddress = s.inet4Range.Addr().Next().Next()
 		}
 		s.inet4Current = nextAddress
@@ -108,7 +133,7 @@ func (s *Store) Create(domain string, isIPv6 bool) (netip.Addr, error) {
 			return netip.Addr{}, E.New("missing IPv6 fakeip address range")
 		}
 		nextAddress := s.inet6Current.Next()
-		if !s.inet6Range.Contains(nextAddress) {
+		if nextAddress == s.inet6Last || !s.inet6Range.Contains(nextAddress) {
 			nextAddress = s.inet6Range.Addr().Next().Next()
 		}
 		s.inet6Current = nextAddress

dns/transport/local/local.go

@@ -81,10 +81,7 @@ func (t *Transport) Reset() {
 
 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	if t.resolved != nil {
-		resolverObject := t.resolved.Object()
-		if resolverObject != nil {
-			return t.resolved.Exchange(resolverObject, ctx, message)
-		}
+		return t.resolved.Exchange(ctx, message)
 	}
 	question := message.Question[0]
 	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {

dns/transport/local/local_resolved.go

@@ -9,6 +9,5 @@ import (
 type ResolvedResolver interface {
 	Start() error
 	Close() error
-	Object() any
-	Exchange(object any, ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error)
+	Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error)
 }

dns/transport/local/local_resolved_linux.go

@@ -4,19 +4,26 @@ import (
 	"bufio"
 	"context"
 	"errors"
+	"net/netip"
 	"os"
 	"strings"
 	"sync"
 	"sync/atomic"
 
 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/dialer"
+	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/dns"
+	dnsTransport "github.com/sagernet/sing-box/dns/transport"
+	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/service/resolved"
 	"github.com/sagernet/sing-tun"
-	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/x/list"
 	"github.com/sagernet/sing/service"
 
@@ -49,13 +56,23 @@ type DBusResolvedResolver struct {
 	interfaceMonitor  tun.DefaultInterfaceMonitor
 	interfaceCallback *list.Element[tun.DefaultInterfaceUpdateCallback]
 	systemBus         *dbus.Conn
-	resoledObject     atomic.Pointer[ResolvedObject]
+	savedServerSet    atomic.Pointer[resolvedServerSet]
 	closeOnce         sync.Once
 }
 
-type ResolvedObject struct {
-	dbus.BusObject
-	InterfaceIndex int32
+type resolvedServerSet struct {
+	servers []resolvedServer
+}
+
+type resolvedServer struct {
+	primaryTransport  adapter.DNSTransport
+	fallbackTransport adapter.DNSTransport
+}
+
+type resolvedServerSpecification struct {
+	address    netip.Addr
+	port       uint16
+	serverName string
 }
 
 func NewResolvedResolver(ctx context.Context, logger logger.ContextLogger) (ResolvedResolver, error) {
@@ -82,17 +99,31 @@ func (t *DBusResolvedResolver) Start() error {
 		"org.freedesktop.DBus",
 		"NameOwnerChanged",
 		dbus.WithMatchSender("org.freedesktop.DBus"),
-		dbus.WithMatchArg(0, "org.freedesktop.resolve1.Manager"),
+		dbus.WithMatchArg(0, "org.freedesktop.resolve1"),
 	).Err
 	if err != nil {
 		return E.Cause(err, "configure resolved restart listener")
 	}
+	err = t.systemBus.BusObject().AddMatchSignal(
+		"org.freedesktop.DBus.Properties",
+		"PropertiesChanged",
+		dbus.WithMatchSender("org.freedesktop.resolve1"),
+		dbus.WithMatchArg(0, "org.freedesktop.resolve1.Manager"),
+	).Err
+	if err != nil {
+		return E.Cause(err, "configure resolved properties listener")
+	}
 	go t.loopUpdateStatus()
 	return nil
 }
 
 func (t *DBusResolvedResolver) Close() error {
+	var closeErr error
 	t.closeOnce.Do(func() {
+		serverSet := t.savedServerSet.Swap(nil)
+		if serverSet != nil {
+			closeErr = serverSet.Close()
+		}
 		if t.interfaceCallback != nil {
 			t.interfaceMonitor.UnregisterCallback(t.interfaceCallback)
 		}
@@ -100,99 +131,97 @@ func (t *DBusResolvedResolver) Close() error {
 			_ = t.systemBus.Close()
 		}
 	})
-	return nil
+	return closeErr
 }
 
-func (t *DBusResolvedResolver) Object() any {
-	return common.PtrOrNil(t.resoledObject.Load())
-}
-
-func (t *DBusResolvedResolver) Exchange(object any, ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	question := message.Question[0]
-	resolvedObject := object.(*ResolvedObject)
-	call := resolvedObject.CallWithContext(
-		ctx,
-		"org.freedesktop.resolve1.Manager.ResolveRecord",
-		0,
-		resolvedObject.InterfaceIndex,
-		question.Name,
-		question.Qclass,
-		question.Qtype,
-		uint64(0),
-	)
-	if call.Err != nil {
-		var dbusError dbus.Error
-		if errors.As(call.Err, &dbusError) && dbusError.Name == "org.freedesktop.resolve1.NoNameServers" {
-			t.updateStatus()
+func (t *DBusResolvedResolver) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	serverSet := t.savedServerSet.Load()
+	if serverSet == nil {
+		var err error
+		serverSet, err = t.checkResolved(context.Background())
+		if err != nil {
+			return nil, err
+		}
+		previousServerSet := t.savedServerSet.Swap(serverSet)
+		if previousServerSet != nil {
+			_ = previousServerSet.Close()
 		}
-		return nil, E.Cause(call.Err, " resolve record via resolved")
 	}
-	var (
-		records  []resolved.ResourceRecord
-		outflags uint64
-	)
-	err := call.Store(&records, &outflags)
-	if err != nil {
+	response, err := t.exchangeServerSet(ctx, message, serverSet)
+	if err == nil {
+		return response, nil
+	}
+	t.updateStatus()
+	refreshedServerSet := t.savedServerSet.Load()
+	if refreshedServerSet == nil || refreshedServerSet == serverSet {
 		return nil, err
 	}
-	response := &mDNS.Msg{
-		MsgHdr: mDNS.MsgHdr{
-			Id:                 message.Id,
-			Response:           true,
-			Authoritative:      true,
-			RecursionDesired:   true,
-			RecursionAvailable: true,
-			Rcode:              mDNS.RcodeSuccess,
-		},
-		Question: []mDNS.Question{question},
-	}
-	for _, record := range records {
-		var rr mDNS.RR
-		rr, _, err = mDNS.UnpackRR(record.Data, 0)
-		if err != nil {
-			return nil, E.Cause(err, "unpack resource record")
-		}
-		response.Answer = append(response.Answer, rr)
-	}
-	return response, nil
+	return t.exchangeServerSet(ctx, message, refreshedServerSet)
 }
 
 func (t *DBusResolvedResolver) loopUpdateStatus() {
 	signalChan := make(chan *dbus.Signal, 1)
 	t.systemBus.Signal(signalChan)
 	for signal := range signalChan {
-		var restarted bool
-		if signal.Name == "org.freedesktop.DBus.NameOwnerChanged" {
-			if len(signal.Body) != 3 || signal.Body[2].(string) == "" {
+		switch signal.Name {
+		case "org.freedesktop.DBus.NameOwnerChanged":
+			if len(signal.Body) != 3 {
+				continue
+			}
+			newOwner, loaded := signal.Body[2].(string)
+			if !loaded || newOwner == "" {
+				continue
+			}
+			t.updateStatus()
+		case "org.freedesktop.DBus.Properties.PropertiesChanged":
+			if !shouldUpdateResolvedServerSet(signal) {
 				continue
-			} else {
-				restarted = true
 			}
-		}
-		if restarted {
 			t.updateStatus()
 		}
 	}
 }
 
 func (t *DBusResolvedResolver) updateStatus() {
-	dbusObject, err := t.checkResolved(context.Background())
-	oldValue := t.resoledObject.Swap(dbusObject)
+	serverSet, err := t.checkResolved(context.Background())
+	oldServerSet := t.savedServerSet.Swap(serverSet)
+	if oldServerSet != nil {
+		_ = oldServerSet.Close()
+	}
 	if err != nil {
 		var dbusErr dbus.Error
-		if !errors.As(err, &dbusErr) || dbusErr.Name != "org.freedesktop.DBus.Error.NameHasNoOwnerCould" {
+		if !errors.As(err, &dbusErr) || dbusErr.Name != "org.freedesktop.DBus.Error.NameHasNoOwner" {
 			t.logger.Debug(E.Cause(err, "systemd-resolved service unavailable"))
 		}
-		if oldValue != nil {
+		if oldServerSet != nil {
 			t.logger.Debug("systemd-resolved service is gone")
 		}
 		return
-	} else if oldValue == nil {
+	} else if oldServerSet == nil {
 		t.logger.Debug("using systemd-resolved service as resolver")
 	}
 }
 
-func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*ResolvedObject, error) {
+func (t *DBusResolvedResolver) exchangeServerSet(ctx context.Context, message *mDNS.Msg, serverSet *resolvedServerSet) (*mDNS.Msg, error) {
+	if serverSet == nil || len(serverSet.servers) == 0 {
+		return nil, E.New("link has no DNS servers configured")
+	}
+	var lastError error
+	for _, server := range serverSet.servers {
+		response, err := server.primaryTransport.Exchange(ctx, message)
+		if err != nil && server.fallbackTransport != nil {
+			response, err = server.fallbackTransport.Exchange(ctx, message)
+		}
+		if err != nil {
+			lastError = err
+			continue
+		}
+		return response, nil
+	}
+	return nil, lastError
+}
+
+func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*resolvedServerSet, error) {
 	dbusObject := t.systemBus.Object("org.freedesktop.resolve1", "/org/freedesktop/resolve1")
 	err := dbusObject.Call("org.freedesktop.DBus.Peer.Ping", 0).Err
 	if err != nil {
@@ -220,16 +249,19 @@ func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*ResolvedObje
 	if linkObject == nil {
 		return nil, E.New("missing link object for default interface")
 	}
-	dnsProp, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNS")
+	dnsOverTLSMode, err := loadResolvedLinkDNSOverTLS(linkObject)
 	if err != nil {
 		return nil, err
 	}
-	var linkDNS []resolved.LinkDNS
-	err = dnsProp.Store(&linkDNS)
+	linkDNSEx, err := loadResolvedLinkDNSEx(linkObject)
 	if err != nil {
 		return nil, err
 	}
-	if len(linkDNS) == 0 {
+	linkDNS, err := loadResolvedLinkDNS(linkObject)
+	if err != nil {
+		return nil, err
+	}
+	if len(linkDNSEx) == 0 && len(linkDNS) == 0 {
 		for _, inbound := range service.FromContext[adapter.InboundManager](t.ctx).Inbounds() {
 			if inbound.Type() == C.TypeTun {
 				return nil, E.New("No appropriate name servers or networks for name found")
@@ -237,12 +269,233 @@ func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*ResolvedObje
 		}
 		return nil, E.New("link has no DNS servers configured")
 	}
-	return &ResolvedObject{
-		BusObject:      dbusObject,
-		InterfaceIndex: int32(defaultInterface.Index),
+	serverDialer, err := dialer.NewDefault(t.ctx, option.DialerOptions{
+		BindInterface:      defaultInterface.Name,
+		UDPFragmentDefault: true,
+	})
+	if err != nil {
+		return nil, err
+	}
+	var serverSpecifications []resolvedServerSpecification
+	if len(linkDNSEx) > 0 {
+		for _, entry := range linkDNSEx {
+			serverSpecification, loaded := buildResolvedServerSpecification(defaultInterface.Name, entry.Address, entry.Port, entry.Name)
+			if !loaded {
+				continue
+			}
+			serverSpecifications = append(serverSpecifications, serverSpecification)
+		}
+	} else {
+		for _, entry := range linkDNS {
+			serverSpecification, loaded := buildResolvedServerSpecification(defaultInterface.Name, entry.Address, 0, "")
+			if !loaded {
+				continue
+			}
+			serverSpecifications = append(serverSpecifications, serverSpecification)
+		}
+	}
+	if len(serverSpecifications) == 0 {
+		return nil, E.New("no valid DNS servers on link")
+	}
+	serverSet := &resolvedServerSet{
+		servers: make([]resolvedServer, 0, len(serverSpecifications)),
+	}
+	for _, serverSpecification := range serverSpecifications {
+		server, createErr := t.createResolvedServer(serverDialer, dnsOverTLSMode, serverSpecification)
+		if createErr != nil {
+			_ = serverSet.Close()
+			return nil, createErr
+		}
+		serverSet.servers = append(serverSet.servers, server)
+	}
+	return serverSet, nil
+}
+
+func (t *DBusResolvedResolver) createResolvedServer(serverDialer N.Dialer, dnsOverTLSMode string, serverSpecification resolvedServerSpecification) (resolvedServer, error) {
+	if dnsOverTLSMode == "yes" {
+		primaryTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, true)
+		if err != nil {
+			return resolvedServer{}, err
+		}
+		return resolvedServer{
+			primaryTransport: primaryTransport,
+		}, nil
+	}
+	if dnsOverTLSMode == "opportunistic" {
+		primaryTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, true)
+		if err != nil {
+			return resolvedServer{}, err
+		}
+		fallbackTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, false)
+		if err != nil {
+			_ = primaryTransport.Close()
+			return resolvedServer{}, err
+		}
+		return resolvedServer{
+			primaryTransport:  primaryTransport,
+			fallbackTransport: fallbackTransport,
+		}, nil
+	}
+	primaryTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, false)
+	if err != nil {
+		return resolvedServer{}, err
+	}
+	return resolvedServer{
+		primaryTransport: primaryTransport,
 	}, nil
 }
 
+func (t *DBusResolvedResolver) createResolvedTransport(serverDialer N.Dialer, serverSpecification resolvedServerSpecification, useTLS bool) (adapter.DNSTransport, error) {
+	serverAddress := M.SocksaddrFrom(serverSpecification.address, resolvedServerPort(serverSpecification.port, useTLS))
+	if useTLS {
+		tlsAddress := serverSpecification.address
+		if tlsAddress.Zone() != "" {
+			tlsAddress = tlsAddress.WithZone("")
+		}
+		serverName := serverSpecification.serverName
+		if serverName == "" {
+			serverName = tlsAddress.String()
+		}
+		tlsConfig, err := tls.NewClient(t.ctx, t.logger, tlsAddress.String(), option.OutboundTLSOptions{
+			Enabled:    true,
+			ServerName: serverName,
+		})
+		if err != nil {
+			return nil, err
+		}
+		serverTransport := dnsTransport.NewTLSRaw(t.logger, dns.NewTransportAdapter(C.DNSTypeTLS, "", nil), serverDialer, serverAddress, tlsConfig)
+		err = serverTransport.Start(adapter.StartStateStart)
+		if err != nil {
+			_ = serverTransport.Close()
+			return nil, err
+		}
+		return serverTransport, nil
+	}
+	serverTransport := dnsTransport.NewUDPRaw(t.logger, dns.NewTransportAdapter(C.DNSTypeUDP, "", nil), serverDialer, serverAddress)
+	err := serverTransport.Start(adapter.StartStateStart)
+	if err != nil {
+		_ = serverTransport.Close()
+		return nil, err
+	}
+	return serverTransport, nil
+}
+
+func (s *resolvedServerSet) Close() error {
+	var errors []error
+	for _, server := range s.servers {
+		errors = append(errors, server.primaryTransport.Close())
+		if server.fallbackTransport != nil {
+			errors = append(errors, server.fallbackTransport.Close())
+		}
+	}
+	return E.Errors(errors...)
+}
+
+func buildResolvedServerSpecification(interfaceName string, rawAddress []byte, port uint16, serverName string) (resolvedServerSpecification, bool) {
+	address, loaded := netip.AddrFromSlice(rawAddress)
+	if !loaded {
+		return resolvedServerSpecification{}, false
+	}
+	if address.Is6() && address.IsLinkLocalUnicast() && address.Zone() == "" {
+		address = address.WithZone(interfaceName)
+	}
+	return resolvedServerSpecification{
+		address:    address,
+		port:       port,
+		serverName: serverName,
+	}, true
+}
+
+func resolvedServerPort(port uint16, useTLS bool) uint16 {
+	if port > 0 {
+		return port
+	}
+	if useTLS {
+		return 853
+	}
+	return 53
+}
+
+func loadResolvedLinkDNS(linkObject dbus.BusObject) ([]resolved.LinkDNS, error) {
+	dnsProperty, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNS")
+	if err != nil {
+		if isResolvedUnknownPropertyError(err) {
+			return nil, nil
+		}
+		return nil, err
+	}
+	var linkDNS []resolved.LinkDNS
+	err = dnsProperty.Store(&linkDNS)
+	if err != nil {
+		return nil, err
+	}
+	return linkDNS, nil
+}
+
+func loadResolvedLinkDNSEx(linkObject dbus.BusObject) ([]resolved.LinkDNSEx, error) {
+	dnsProperty, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNSEx")
+	if err != nil {
+		if isResolvedUnknownPropertyError(err) {
+			return nil, nil
+		}
+		return nil, err
+	}
+	var linkDNSEx []resolved.LinkDNSEx
+	err = dnsProperty.Store(&linkDNSEx)
+	if err != nil {
+		return nil, err
+	}
+	return linkDNSEx, nil
+}
+
+func loadResolvedLinkDNSOverTLS(linkObject dbus.BusObject) (string, error) {
+	dnsOverTLSProperty, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNSOverTLS")
+	if err != nil {
+		if isResolvedUnknownPropertyError(err) {
+			return "", nil
+		}
+		return "", err
+	}
+	var dnsOverTLSMode string
+	err = dnsOverTLSProperty.Store(&dnsOverTLSMode)
+	if err != nil {
+		return "", err
+	}
+	return dnsOverTLSMode, nil
+}
+
+func isResolvedUnknownPropertyError(err error) bool {
+	var dbusError dbus.Error
+	return errors.As(err, &dbusError) && dbusError.Name == "org.freedesktop.DBus.Error.UnknownProperty"
+}
+
+func shouldUpdateResolvedServerSet(signal *dbus.Signal) bool {
+	if len(signal.Body) != 3 {
+		return true
+	}
+	changedProperties, loaded := signal.Body[1].(map[string]dbus.Variant)
+	if !loaded {
+		return true
+	}
+	for propertyName := range changedProperties {
+		switch propertyName {
+		case "DNS", "DNSEx", "DNSOverTLS":
+			return true
+		}
+	}
+	invalidatedProperties, loaded := signal.Body[2].([]string)
+	if !loaded {
+		return true
+	}
+	for _, propertyName := range invalidatedProperties {
+		switch propertyName {
+		case "DNS", "DNSEx", "DNSOverTLS":
+			return true
+		}
+	}
+	return false
+}
+
 func (t *DBusResolvedResolver) updateDefaultInterface(defaultInterface *control.Interface, flags int) {
 	t.updateStatus()
 }

dns/transport/local/resolv_windows.go

@@ -5,6 +5,7 @@ import (
 	"net"
 	"net/netip"
 	"os"
+	"strconv"
 	"syscall"
 	"time"
 	"unsafe"
@@ -63,6 +64,9 @@ func dnsReadConfig(ctx context.Context, _ string) *dnsConfig {
 					continue
 				}
 				dnsServerAddr = netip.AddrFrom16(sockaddr.Addr)
+				if sockaddr.ZoneId != 0 {
+					dnsServerAddr = dnsServerAddr.WithZone(strconv.FormatInt(int64(sockaddr.ZoneId), 10))
+				}
 			default:
 				// Unexpected type.
 				continue

docs/changelog.md

@@ -2,6 +2,42 @@
 icon: material/alert-decagram
 ---
 
+#### 1.13.3
+
+* Add OpenWrt and Alpine APK packages to release **1**
+* Backport to macOS 10.13 High Sierra **2**
+* OCM service: Add WebSocket support for Responses API **3**
+* Fixes and improvements
+
+**1**:
+
+Alpine APK files use `linux` in the filename to distinguish from OpenWrt APKs which use the `openwrt` prefix:
+
+- OpenWrt: `sing-box_{version}_openwrt_{architecture}.apk`
+- Alpine: `sing-box_{version}_linux_{architecture}.apk`
+
+**2**:
+
+Legacy macOS binaries (with `-legacy-macos-10.13` suffix) now support
+macOS 10.13 High Sierra, built using Go 1.25 with patches
+from [SagerNet/go](https://github.com/SagerNet/go).
+
+**3**:
+
+See [OCM](/configuration/service/ocm).
+
+#### 1.13.2
+
+* Fixes and improvements
+
+#### 1.13.1
+
+* Fixes and improvements
+
+#### 1.12.14
+
+* Backport fixes
+
 #### 1.13.0
 
 Important changes since 1.12:

docs/configuration/inbound/hysteria2.zh.md

@@ -38,7 +38,7 @@ icon: material/alert-decagram
 !!! warning "与官方 Hysteria2 的区别"
 
     官方程序支持一种名为 **userpass** 的验证方式，
-    本质上上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
+    本质上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
     要将 sing-box 与官方程序一起使用， 您需要填写该组合作为实际密码。
 
 ### 监听字段

docs/configuration/inbound/tun.md

@@ -2,6 +2,10 @@
 icon: material/new-box
 ---
 
+!!! quote "Changes in sing-box 1.13.3"
+
+    :material-alert: [strict_route](#strict_route)
+
 !!! quote "Changes in sing-box 1.13.0"
 
     :material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)  
@@ -348,6 +352,9 @@ Enforce strict routing rules when `auto_route` is enabled:
 
 * Let unsupported network unreachable
 * For legacy reasons, when neither `strict_route` nor `auto_redirect` are enabled, all ICMP traffic will not go through TUN.
+* When `auto_redirect` is enabled, `strict_route` also affects `SO_BINDTODEVICE` traffic:
+    * Enabled: `SO_BINDTODEVICE` traffic is redirected through sing-box.
+    * Disabled: `SO_BINDTODEVICE` traffic bypasses sing-box.
 
 *In Windows*:
 

docs/configuration/inbound/tun.zh.md

@@ -2,6 +2,10 @@
 icon: material/new-box
 ---
 
+!!! quote "sing-box 1.13.3 中的更改"
+
+    :material-alert: [strict_route](#strict_route)
+
 !!! quote "sing-box 1.13.0 中的更改"
 
     :material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)  
@@ -347,6 +351,9 @@ tun 接口的 IPv6 前缀。
 
 * 使不支持的网络不可达。
 * 出于历史遗留原因，当未启用 `strict_route` 或 `auto_redirect` 时，所有 ICMP 流量将不会通过 TUN。
+* 当启用 `auto_redirect` 时，`strict_route` 也影响 `SO_BINDTODEVICE` 流量：
+    * 启用：`SO_BINDTODEVICE` 流量被重定向通过 sing-box。
+    * 禁用：`SO_BINDTODEVICE` 流量绕过 sing-box。
 
 *在 Windows 中*：
 

docs/configuration/outbound/hysteria2.zh.md

@@ -38,7 +38,7 @@
 !!! warning "与官方 Hysteria2 的区别"
 
     官方程序支持一种名为 **userpass** 的验证方式，
-    本质上上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
+    本质上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
     要将 sing-box 与官方程序一起使用， 您需要填写该组合作为实际密码。
 
 ### 字段

docs/configuration/outbound/naive.md

@@ -34,10 +34,12 @@ icon: material/new-box
 
     | Build Variant | Platforms | Description |
     |---------------|-----------|-------------|
-    | (default)     | Linux amd64/arm64 | purego build with `libcronet.so` included |
-    | `-glibc`      | Linux 386/amd64/arm/arm64 | CGO build dynamically linked with glibc, requires glibc >= 2.31 |
-    | `-musl`       | Linux 386/amd64/arm/arm64 | CGO build statically linked with musl, no system requirements |
-    | (default)     | Windows amd64/arm64 | purego build with `libcronet.dll` included |
+    | (no suffix) | Linux amd64/arm64 | purego build, `libcronet.so` included |
+    | `-glibc` | Linux 386/amd64/arm/arm64/mipsle/mips64le/riscv64/loong64 | CGO build, dynamically linked with glibc, requires glibc >= 2.31 (loong64: >= 2.36) |
+    | `-musl` | Linux 386/amd64/arm/arm64/mipsle/riscv64/loong64 | CGO build, statically linked with musl |
+    | (no suffix) | Windows amd64/arm64 | purego build, `libcronet.dll` included |
+
+    For Linux, choose the glibc or musl variant based on your distribution's libc type.
 
     **Runtime Requirements:**
 

docs/configuration/outbound/naive.zh.md

@@ -32,12 +32,14 @@ icon: material/new-box
 
     **官方发布版本区别：**
 
-    | 构建变体      | 平台                     | 说明                                       |
-    |-----------|------------------------|------------------------------------------|
-    | (默认)      | Linux amd64/arm64      | purego 构建，包含 `libcronet.so`              |
-    | `-glibc`  | Linux 386/amd64/arm/arm64 | CGO 构建，动态链接 glibc，要求 glibc >= 2.31       |
-    | `-musl`   | Linux 386/amd64/arm/arm64 | CGO 构建，静态链接 musl，无系统要求                   |
-    | (默认)      | Windows amd64/arm64 | purego 构建，包含 `libcronet.dll`             |
+    | 构建变体 | 平台 | 说明 |
+    |---|---|---|
+    | (无后缀) | Linux amd64/arm64 | purego 构建，包含 `libcronet.so` |
+    | `-glibc` | Linux 386/amd64/arm/arm64/mipsle/mips64le/riscv64/loong64 | CGO 构建，动态链接 glibc，要求 glibc >= 2.31（loong64: >= 2.36） |
+    | `-musl` | Linux 386/amd64/arm/arm64/mipsle/riscv64/loong64 | CGO 构建，静态链接 musl |
+    | (无后缀) | Windows amd64/arm64 | purego 构建，包含 `libcronet.dll` |
+
+    对于 Linux，请根据发行版的 libc 类型选择 glibc 或 musl 变体。
 
     **运行时要求：**
 

docs/configuration/service/ccm.md

@@ -66,7 +66,19 @@ List of authorized users for token authentication.
 
 If empty, no authentication is required.
 
-Claude Code authenticates by setting the `ANTHROPIC_AUTH_TOKEN` environment variable to their token value.
+Object format:
+
+```json
+{
+  "name": "",
+  "token": ""
+}
+```
+
+Object fields:
+
+- `name`: Username identifier for tracking purposes.
+- `token`: Bearer token for authentication. Claude Code authenticates by setting the `ANTHROPIC_AUTH_TOKEN` environment variable to their token value.
 
 #### headers
 
@@ -84,23 +96,36 @@ TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
 
 ### Example
 
+#### Server
+
 ```json
 {
   "services": [
     {
       "type": "ccm",
-      "listen": "127.0.0.1",
-      "listen_port": 8080
+      "listen": "0.0.0.0",
+      "listen_port": 8080,
+      "usages_path": "./claude-usages.json",
+      "users": [
+        {
+          "name": "alice",
+          "token": "ak-ccm-hello-world"
+        },
+        {
+          "name": "bob",
+          "token": "ak-ccm-hello-bob"
+        }
+      ]
     }
   ]
 }
 ```
 
-Connect to the CCM service:
+#### Client
 
 ```bash
 export ANTHROPIC_BASE_URL="http://127.0.0.1:8080"
-export ANTHROPIC_AUTH_TOKEN="sk-ant-ccm-auth-token-not-required-in-this-context"
+export ANTHROPIC_AUTH_TOKEN="ak-ccm-hello-world"
 
 claude
 ```

docs/configuration/service/ccm.zh.md

@@ -66,7 +66,19 @@ Claude Code OAuth 凭据文件的路径。
 
 如果为空，则不需要身份验证。
 
-Claude Code 通过设置 `ANTHROPIC_AUTH_TOKEN` 环境变量为其令牌值进行身份验证。
+对象格式：
+
+```json
+{
+  "name": "",
+  "token": ""
+}
+```
+
+对象字段：
+
+- `name`：用于跟踪的用户名标识符。
+- `token`：用于身份验证的 Bearer 令牌。Claude Code 通过设置 `ANTHROPIC_AUTH_TOKEN` 环境变量为其令牌值进行身份验证。
 
 #### headers
 
@@ -84,23 +96,36 @@ TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 
 ### 示例
 
+#### 服务端
+
 ```json
 {
   "services": [
     {
       "type": "ccm",
-      "listen": "127.0.0.1",
-      "listen_port": 8080
+      "listen": "0.0.0.0",
+      "listen_port": 8080,
+      "usages_path": "./claude-usages.json",
+      "users": [
+        {
+          "name": "alice",
+          "token": "ak-ccm-hello-world"
+        },
+        {
+          "name": "bob",
+          "token": "ak-ccm-hello-bob"
+        }
+      ]
     }
   ]
 }
 ```
 
-连接到 CCM 服务：
+#### 客户端
 
 ```bash
 export ANTHROPIC_BASE_URL="http://127.0.0.1:8080"
-export ANTHROPIC_AUTH_TOKEN="sk-ant-ccm-auth-token-not-required-in-this-context"
+export ANTHROPIC_AUTH_TOKEN="ak-ccm-hello-world"
 
 claude
 ```

docs/configuration/service/ocm.md

@@ -37,7 +37,9 @@ See [Listen Fields](/configuration/shared/listen/) for details.
 
 Path to the OpenAI OAuth credentials file.
 
-If not specified, defaults to `~/.codex/auth.json`.
+If not specified, defaults to:
+- `$CODEX_HOME/auth.json` if `CODEX_HOME` environment variable is set
+- `~/.codex/auth.json` otherwise
 
 Refreshed tokens are automatically written back to the same location.
 
@@ -111,17 +113,23 @@ TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
 Add to `~/.codex/config.toml`:
 
 ```toml
+# profile = "ocm"                # set as default profile
+
 [model_providers.ocm]
 name = "OCM Proxy"
 base_url = "http://127.0.0.1:8080/v1"
-wire_api = "responses"
-requires_openai_auth = false
+supports_websockets = true
+
+[profiles.ocm]
+model_provider = "ocm"
+# model = "gpt-5.4"              # if the latest model is not yet publicly released
+# model_reasoning_effort = "xhigh"
 ```
 
 Then run:
 
 ```bash
-codex --model-provider ocm
+codex --profile ocm
 ```
 
 ### Example with Authentication
@@ -139,11 +147,11 @@ codex --model-provider ocm
       "users": [
         {
           "name": "alice",
-          "token": "sk-alice-secret-token"
+          "token": "sk-ocm-hello-world"
         },
         {
           "name": "bob",
-          "token": "sk-bob-secret-token"
+          "token": "sk-ocm-hello-bob"
         }
       ]
     }
@@ -156,16 +164,22 @@ codex --model-provider ocm
 Add to `~/.codex/config.toml`:
 
 ```toml
+# profile = "ocm"                # set as default profile
+
 [model_providers.ocm]
 name = "OCM Proxy"
 base_url = "http://127.0.0.1:8080/v1"
-wire_api = "responses"
-requires_openai_auth = false
-experimental_bearer_token = "sk-alice-secret-token"
+supports_websockets = true
+experimental_bearer_token = "sk-ocm-hello-world"
+
+[profiles.ocm]
+model_provider = "ocm"
+# model = "gpt-5.4"              # if the latest model is not yet publicly released
+# model_reasoning_effort = "xhigh"
 ```
 
 Then run:
 
 ```bash
-codex --model-provider ocm
+codex --profile ocm
 ```

docs/configuration/service/ocm.zh.md

@@ -37,7 +37,9 @@ OCM（OpenAI Codex 多路复用器）服务是一个多路复用服务，允许
 
 OpenAI OAuth 凭据文件的路径。
 
-如果未指定，默认值为 `~/.codex/auth.json`。
+如果未指定，默认值为：
+- 如果设置了 `CODEX_HOME` 环境变量，则使用 `$CODEX_HOME/auth.json`
+- 否则使用 `~/.codex/auth.json`
 
 刷新的令牌会自动写回相同位置。
 
@@ -111,17 +113,24 @@ TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 在 `~/.codex/config.toml` 中添加：
 
 ```toml
+# profile = "ocm"                # 设为默认配置
+
+
 [model_providers.ocm]
 name = "OCM Proxy"
 base_url = "http://127.0.0.1:8080/v1"
-wire_api = "responses"
-requires_openai_auth = false
+supports_websockets = true
+
+[profiles.ocm]
+model_provider = "ocm"
+# model = "gpt-5.4"              # 如果最新模型尚未公开发布
+# model_reasoning_effort = "xhigh"
 ```
 
 然后运行：
 
 ```bash
-codex --model-provider ocm
+codex --profile ocm
 ```
 
 ### 带身份验证的示例
@@ -139,11 +148,11 @@ codex --model-provider ocm
       "users": [
         {
           "name": "alice",
-          "token": "sk-alice-secret-token"
+          "token": "sk-ocm-hello-world"
         },
         {
           "name": "bob",
-          "token": "sk-bob-secret-token"
+          "token": "sk-ocm-hello-bob"
         }
       ]
     }
@@ -156,16 +165,22 @@ codex --model-provider ocm
 在 `~/.codex/config.toml` 中添加：
 
 ```toml
+# profile = "ocm"                # 设为默认配置
+
 [model_providers.ocm]
 name = "OCM Proxy"
 base_url = "http://127.0.0.1:8080/v1"
-wire_api = "responses"
-requires_openai_auth = false
-experimental_bearer_token = "sk-alice-secret-token"
+supports_websockets = true
+experimental_bearer_token = "sk-ocm-hello-world"
+
+[profiles.ocm]
+model_provider = "ocm"
+# model = "gpt-5.4"              # 如果最新模型尚未公开发布
+# model_reasoning_effort = "xhigh"
 ```
 
 然后运行：
 
 ```bash
-codex --model-provider ocm
+codex --profile ocm
 ```

docs/installation/build-from-source.md

@@ -57,25 +57,49 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
 | `with_v2ray_api`                   | :material-close:️    | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
 | `with_gvisor`                      | :material-check:     | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
 | `with_embedded_tor` (CGO required) | :material-close:️    | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
-| `with_tailscale`                   | :material-check:     | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale)                                                                                                                                                                                                                                      |
-| `with_naive_outbound`              | :material-close:️    | Build with NaiveProxy outbound support, see [NaiveProxy outbound](/configuration/outbound/naive/).                                                                                                                                                                                                                             |
+| `with_tailscale`                   | :material-check:     | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale).                                                                                                                                                                                                                                     |
+| `with_ccm`                         | :material-check:     | Build with Claude Code Multiplexer service support.                                                                                                                                                                                                                                                                            |
+| `with_ocm`                         | :material-check:     | Build with OpenAI Codex Multiplexer service support.                                                                                                                                                                                                                                                                           |
+| `with_naive_outbound`              | :material-check:     | Build with NaiveProxy outbound support, see [NaiveProxy outbound](/configuration/outbound/naive/).                                                                                                                                                                                                                             |
+| `badlinkname`                      | :material-check:     | Enable `go:linkname` access to internal standard library functions. Required because the Go standard library does not expose many low-level APIs needed by this project, and reimplementing them externally is impractical. Used for kTLS (kernel TLS offload) and raw TLS record manipulation.                                 |
+| `tfogo_checklinkname0`             | :material-check:     | Companion to `badlinkname`. Go 1.23+ enforces `go:linkname` restrictions via the linker; this tag signals the build uses `-checklinkname=0` to bypass that enforcement.                                                                                                                                                       |
 
 It is not recommended to change the default build tag list unless you really know what you are adding.
 
+## :material-wrench: Linker Flags
+
+The following `-ldflags` are used in official builds:
+
+| Flag                                                        | Description                                                                                                                                                                                                             |
+|-------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `-X 'internal/godebug.defaultGODEBUG=multipathtcp=0'`      | Go 1.24 enabled Multipath TCP for listeners by default (`multipathtcp=2`). This may cause errors on low-level sockets, and sing-box has its own MPTCP control (`tcp_multi_path` option). This flag disables the Go default. |
+| `-checklinkname=0`                                          | Go 1.23+ linker rejects unauthorized `go:linkname` usage. This flag disables the check, required together with the `badlinkname` build tag.                                                                            |
+
+## :material-package-variant: For Downstream Packagers
+
+The default build tag lists and linker flags are available as files in the repository for downstream packagers to reference directly:
+
+| File | Description |
+|------|-------------|
+| `release/DEFAULT_BUILD_TAGS` | Default for Linux (common architectures), Darwin, and Android. |
+| `release/DEFAULT_BUILD_TAGS_WINDOWS` | Default for Windows (includes `with_purego`). |
+| `release/DEFAULT_BUILD_TAGS_OTHERS` | Default for other platforms (no `with_naive_outbound`). |
+| `release/LDFLAGS` | Required linker flags (see above). |
+
 ## :material-layers: with_naive_outbound
 
 NaiveProxy outbound requires special build configurations depending on your target platform.
 
 ### Supported Platforms
 
-| Platform        | Architectures          | Mode   | Requirements                                      |
-|-----------------|------------------------|--------|---------------------------------------------------|
-| Linux           | amd64, arm64           | purego | None (library included in official releases)      |
-| Linux           | 386, amd64, arm, arm64 | CGO    | Chromium toolchain, glibc >= 2.31 at runtime      |
-| Linux (musl)    | 386, amd64, arm, arm64 | CGO    | Chromium toolchain                                |
-| Windows         | amd64, arm64           | purego | None (library included in official releases)      |
-| Apple platforms | *                      | CGO    | Xcode                                             |
-| Android         | *                      | CGO    | Android NDK                                       |
+| Platform        | Architectures                                          | Mode   | Requirements                                                    |
+|-----------------|--------------------------------------------------------|--------|-----------------------------------------------------------------|
+| Linux           | amd64, arm64                                           | purego | None (library included in official releases)                    |
+| Linux           | 386, amd64, arm, arm64, mipsle, mips64le, riscv64, loong64 | CGO    | Chromium toolchain, glibc >= 2.31 (loong64: >= 2.36) at runtime |
+| Linux (musl)    | 386, amd64, arm, arm64, mipsle, riscv64, loong64       | CGO    | Chromium toolchain                                              |
+| Windows         | amd64, arm64                                           | purego | None (library included in official releases)                    |
+| Apple platforms | *                                                      | CGO    | Xcode                                                           |
+| Android         | *                                                      | CGO    | Android NDK                                                     |
 
 ### Windows
 

docs/installation/build-from-source.zh.md

@@ -61,25 +61,49 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
 | `with_v2ray_api`                   | :material-close:️ | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
 | `with_gvisor`                      | :material-check:  | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
 | `with_embedded_tor` (CGO required) | :material-close:️ | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
-| `with_tailscale`                   | :material-check:  | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale)                                                                                                                                                                                                                                      |
-| `with_naive_outbound`              | :material-close:️ | 构建 NaiveProxy 出站支持，参阅 [NaiveProxy 出站](/zh/configuration/outbound/naive/)。                                                                                                                                                                                                                                                      |
+| `with_tailscale`                   | :material-check:  | 构建 Tailscale 支持，参阅 [Tailscale 端点](/configuration/endpoint/tailscale)。                                                                                                                                                                                                                                                         |
+| `with_ccm`                         | :material-check:  | 构建 Claude Code Multiplexer 服务支持。                                                                                                                                                                                                                                                                                              |
+| `with_ocm`                         | :material-check:  | 构建 OpenAI Codex Multiplexer 服务支持。                                                                                                                                                                                                                                                                                             |
+| `with_naive_outbound`              | :material-check:  | 构建 NaiveProxy 出站支持，参阅 [NaiveProxy 出站](/configuration/outbound/naive/)。                                                                                                                                                                                                                                                         |
+| `badlinkname`                      | :material-check:  | 启用 `go:linkname` 以访问标准库内部函数。Go 标准库未提供本项目需要的许多底层 API，且在外部重新实现不切实际。用于 kTLS（内核 TLS 卸载）和原始 TLS 记录操作。                                                                                                                                                                                                                           |
+| `tfogo_checklinkname0`             | :material-check:  | `badlinkname` 的伴随标记。Go 1.23+ 链接器强制限制 `go:linkname` 使用；此标记表示构建使用 `-checklinkname=0` 以绕过该限制。                                                                                                                                                                                                                                |
 
 除非您确实知道您正在启用什么，否则不建议更改默认构建标签列表。
 
+## :material-wrench: 链接器标志
+
+以下 `-ldflags` 在官方构建中使用：
+
+| 标志                                                          | 说明                                                                                                                                                         |
+|-------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `-X 'internal/godebug.defaultGODEBUG=multipathtcp=0'`      | Go 1.24 默认为监听器启用 Multipath TCP（`multipathtcp=2`）。这可能在底层 socket 上导致错误，且 sing-box 有自己的 MPTCP 控制（`tcp_multi_path` 选项）。此标志禁用 Go 的默认行为。                             |
+| `-checklinkname=0`                                          | Go 1.23+ 链接器拒绝未授权的 `go:linkname` 使用。此标志禁用该检查，需要与 `badlinkname` 构建标记一起使用。                                                                                   |
+
+## :material-package-variant: 下游打包者
+
+默认构建标签列表和链接器标志以文件形式存放在仓库中，供下游打包者直接引用：
+
+| 文件 | 说明 |
+|------|------|
+| `release/DEFAULT_BUILD_TAGS` | Linux（常见架构）、Darwin 和 Android 的默认标签。 |
+| `release/DEFAULT_BUILD_TAGS_WINDOWS` | Windows 的默认标签（包含 `with_purego`）。 |
+| `release/DEFAULT_BUILD_TAGS_OTHERS` | 其他平台的默认标签（不含 `with_naive_outbound`）。 |
+| `release/LDFLAGS` | 必需的链接器标志（参见上文）。 |
+
 ## :material-layers: with_naive_outbound
 
 NaiveProxy 出站需要根据目标平台进行特殊的构建配置。
 
 ### 支持的平台
 
-| 平台            | 架构                     | 模式     | 要求                             |
-|---------------|------------------------|--------|--------------------------------|
-| Linux         | amd64, arm64           | purego | 无（官方发布版本已包含库文件）                |
-| Linux         | 386, amd64, arm, arm64 | CGO    | Chromium 工具链，运行时需要 glibc >= 2.31 |
-| Linux (musl)  | 386, amd64, arm, arm64 | CGO    | Chromium 工具链                   |
-| Windows       | amd64, arm64           | purego | 无（官方发布版本已包含库文件）                |
-| Apple 平台      | *                      | CGO    | Xcode                          |
-| Android       | *                      | CGO    | Android NDK                    |
+| 平台           | 架构                                                       | 模式     | 要求                                                  |
+|--------------|----------------------------------------------------------|--------|-----------------------------------------------------|
+| Linux        | amd64, arm64                                             | purego | 无（官方发布版本已包含库文件）                                     |
+| Linux        | 386, amd64, arm, arm64, mipsle, mips64le, riscv64, loong64 | CGO    | Chromium 工具链，运行时需要 glibc >= 2.31（loong64: >= 2.36） |
+| Linux (musl) | 386, amd64, arm, arm64, mipsle, riscv64, loong64          | CGO    | Chromium 工具链                                        |
+| Windows      | amd64, arm64                                             | purego | 无（官方发布版本已包含库文件）                                     |
+| Apple 平台     | *                                                        | CGO    | Xcode                                               |
+| Android      | *                                                        | CGO    | Android NDK                                          |
 
 ### Windows
 

docs/installation/tools/install.sh

@@ -47,6 +47,17 @@ elif command -v rpm >/dev/null 2>&1; then
   arch=$(uname -m)
   package_suffix=".rpm"
   package_install="rpm -i"
+elif command -v apk >/dev/null 2>&1 && [ -f /etc/os-release ] && grep -q OPENWRT_ARCH /etc/os-release; then
+  os="openwrt"
+  . /etc/os-release
+  arch="$OPENWRT_ARCH"
+  package_suffix=".apk"
+  package_install="apk add --allow-untrusted"
+elif command -v apk >/dev/null 2>&1; then
+  os="linux"
+  arch=$(apk --print-arch)
+  package_suffix=".apk"
+  package_install="apk add --allow-untrusted"
 elif command -v opkg >/dev/null 2>&1; then
   os="openwrt"
   . /etc/os-release

experimental/clashapi/api_meta.go

@@ -2,6 +2,7 @@ package clashapi
 
 import (
 	"bytes"
+	"context"
 	"net"
 	"net/http"
 	"runtime/debug"
@@ -27,7 +28,7 @@ func (s *Server) setupMetaAPI(r chi.Router) {
 		})
 		r.Mount("/", middleware.Profiler())
 	}
-	r.Get("/memory", memory(s.trafficManager))
+	r.Get("/memory", memory(s.ctx, s.trafficManager))
 	r.Mount("/group", groupRouter(s))
 	r.Mount("/upgrade", upgradeRouter(s))
 }
@@ -37,7 +38,7 @@ type Memory struct {
 	OSLimit uint64 `json:"oslimit"` // maybe we need it in the future
 }
 
-func memory(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
+func memory(ctx context.Context, trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var conn net.Conn
 		if r.Header.Get("Upgrade") == "websocket" {
@@ -46,6 +47,7 @@ func memory(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r
 			if err != nil {
 				return
 			}
+			defer conn.Close()
 		}
 
 		if conn == nil {
@@ -58,7 +60,12 @@ func memory(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r
 		buf := &bytes.Buffer{}
 		var err error
 		first := true
-		for range tick.C {
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-tick.C:
+			}
 			buf.Reset()
 
 			inuse := trafficManager.Snapshot().Memory

experimental/clashapi/connections.go

@@ -2,6 +2,7 @@ package clashapi
 
 import (
 	"bytes"
+	"context"
 	"net/http"
 	"strconv"
 	"time"
@@ -17,15 +18,15 @@ import (
 	"github.com/gofrs/uuid/v5"
 )
 
-func connectionRouter(router adapter.Router, trafficManager *trafficontrol.Manager) http.Handler {
+func connectionRouter(ctx context.Context, router adapter.Router, trafficManager *trafficontrol.Manager) http.Handler {
 	r := chi.NewRouter()
-	r.Get("/", getConnections(trafficManager))
+	r.Get("/", getConnections(ctx, trafficManager))
 	r.Delete("/", closeAllConnections(router, trafficManager))
 	r.Delete("/{id}", closeConnection(trafficManager))
 	return r
 }
 
-func getConnections(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
+func getConnections(ctx context.Context, trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		if r.Header.Get("Upgrade") != "websocket" {
 			snapshot := trafficManager.Snapshot()
@@ -37,6 +38,7 @@ func getConnections(trafficManager *trafficontrol.Manager) func(w http.ResponseW
 		if err != nil {
 			return
 		}
+		defer conn.Close()
 
 		intervalStr := r.URL.Query().Get("interval")
 		interval := 1000
@@ -67,7 +69,12 @@ func getConnections(trafficManager *trafficontrol.Manager) func(w http.ResponseW
 
 		tick := time.NewTicker(time.Millisecond * time.Duration(interval))
 		defer tick.Stop()
-		for range tick.C {
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-tick.C:
+			}
 			if err = sendSnapshot(); err != nil {
 				break
 			}

experimental/clashapi/server.go

@@ -115,13 +115,13 @@ func NewServer(ctx context.Context, logFactory log.ObservableFactory, options op
 	chiRouter.Group(func(r chi.Router) {
 		r.Use(authentication(options.Secret))
 		r.Get("/", hello(options.ExternalUI != ""))
-		r.Get("/logs", getLogs(logFactory))
-		r.Get("/traffic", traffic(trafficManager))
+		r.Get("/logs", getLogs(s.ctx, logFactory))
+		r.Get("/traffic", traffic(s.ctx, trafficManager))
 		r.Get("/version", version)
 		r.Mount("/configs", configRouter(s, logFactory))
 		r.Mount("/proxies", proxyRouter(s, s.router))
 		r.Mount("/rules", ruleRouter(s.router))
-		r.Mount("/connections", connectionRouter(s.router, trafficManager))
+		r.Mount("/connections", connectionRouter(s.ctx, s.router, trafficManager))
 		r.Mount("/providers/proxies", proxyProviderRouter())
 		r.Mount("/providers/rules", ruleProviderRouter())
 		r.Mount("/script", scriptRouter())
@@ -303,7 +303,7 @@ type Traffic struct {
 	Down int64 `json:"down"`
 }
 
-func traffic(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
+func traffic(ctx context.Context, trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var conn net.Conn
 		if r.Header.Get("Upgrade") == "websocket" {
@@ -324,7 +324,12 @@ func traffic(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter,
 		defer tick.Stop()
 		buf := &bytes.Buffer{}
 		uploadTotal, downloadTotal := trafficManager.Total()
-		for range tick.C {
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-tick.C:
+			}
 			buf.Reset()
 			uploadTotalNew, downloadTotalNew := trafficManager.Total()
 			err := json.NewEncoder(buf).Encode(Traffic{
@@ -355,7 +360,7 @@ type Log struct {
 	Payload string `json:"payload"`
 }
 
-func getLogs(logFactory log.ObservableFactory) func(w http.ResponseWriter, r *http.Request) {
+func getLogs(ctx context.Context, logFactory log.ObservableFactory) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		levelText := r.URL.Query().Get("level")
 		if levelText == "" {
@@ -394,6 +399,8 @@ func getLogs(logFactory log.ObservableFactory) func(w http.ResponseWriter, r *ht
 		var logEntry log.Entry
 		for {
 			select {
+			case <-ctx.Done():
+				return
 			case <-done:
 				return
 			case logEntry = <-subscription:

experimental/deprecated/constants.go

@@ -57,96 +57,6 @@ func (n Note) MessageWithLink() string {
 	}
 }
 
-var OptionBadMatchSource = Note{
-	Name:              "bad-match-source",
-	Description:       "legacy match source rule item",
-	DeprecatedVersion: "1.10.0",
-	ScheduledVersion:  "1.11.0",
-	EnvName:           "BAD_MATCH_SOURCE",
-	MigrationLink:     "https://sing-box.sagernet.org/deprecated/#match-source-rule-items-are-renamed",
-}
-
-var OptionGEOIP = Note{
-	Name:              "geoip",
-	Description:       "geoip database",
-	DeprecatedVersion: "1.8.0",
-	ScheduledVersion:  "1.12.0",
-	EnvName:           "GEOIP",
-	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-geoip-to-rule-sets",
-}
-
-var OptionGEOSITE = Note{
-	Name:              "geosite",
-	Description:       "geosite database",
-	DeprecatedVersion: "1.8.0",
-	ScheduledVersion:  "1.12.0",
-	EnvName:           "GEOSITE",
-	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-geosite-to-rule-sets",
-}
-
-var OptionTUNAddressX = Note{
-	Name:              "tun-address-x",
-	Description:       "legacy tun address fields",
-	DeprecatedVersion: "1.10.0",
-	ScheduledVersion:  "1.12.0",
-	EnvName:           "TUN_ADDRESS_X",
-	MigrationLink:     "https://sing-box.sagernet.org/migration/#tun-address-fields-are-merged",
-}
-
-var OptionSpecialOutbounds = Note{
-	Name:              "special-outbounds",
-	Description:       "legacy special outbounds",
-	DeprecatedVersion: "1.11.0",
-	ScheduledVersion:  "1.13.0",
-	EnvName:           "SPECIAL_OUTBOUNDS",
-	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-legacy-special-outbounds-to-rule-actions",
-}
-
-var OptionInboundOptions = Note{
-	Name:              "inbound-options",
-	Description:       "legacy inbound fields",
-	DeprecatedVersion: "1.11.0",
-	ScheduledVersion:  "1.13.0",
-	EnvName:           "INBOUND_OPTIONS",
-	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-legacy-special-outbounds-to-rule-actions",
-}
-
-var OptionDestinationOverrideFields = Note{
-	Name:              "destination-override-fields",
-	Description:       "destination override fields in direct outbound",
-	DeprecatedVersion: "1.11.0",
-	ScheduledVersion:  "1.13.0",
-	EnvName:           "DESTINATION_OVERRIDE_FIELDS",
-	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-destination-override-fields-to-route-options",
-}
-
-var OptionWireGuardOutbound = Note{
-	Name:              "wireguard-outbound",
-	Description:       "legacy wireguard outbound",
-	DeprecatedVersion: "1.11.0",
-	ScheduledVersion:  "1.13.0",
-	EnvName:           "WIREGUARD_OUTBOUND",
-	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-wireguard-outbound-to-endpoint",
-}
-
-var OptionWireGuardGSO = Note{
-	Name:              "wireguard-gso",
-	Description:       "GSO option in wireguard outbound",
-	DeprecatedVersion: "1.11.0",
-	ScheduledVersion:  "1.13.0",
-	EnvName:           "WIREGUARD_GSO",
-	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-wireguard-outbound-to-endpoint",
-}
-
-var OptionTUNGSO = Note{
-	Name:              "tun-gso",
-	Description:       "GSO option in tun",
-	DeprecatedVersion: "1.11.0",
-	ScheduledVersion:  "1.12.0",
-	EnvName:           "TUN_GSO",
-	MigrationLink:     "https://sing-box.sagernet.org/deprecated/#gso-option-in-tun",
-}
-
 var OptionLegacyDNSTransport = Note{
 	Name:              "legacy-dns-transport",
 	Description:       "legacy DNS servers",
@@ -183,15 +93,6 @@ var OptionMissingDomainResolver = Note{
 	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-outbound-dns-rule-items-to-domain-resolver",
 }
 
-var OptionLegacyECHOptions = Note{
-	Name:              "legacy-ech-options",
-	Description:       "legacy ECH options",
-	DeprecatedVersion: "1.12.0",
-	ScheduledVersion:  "1.13.0",
-	EnvName:           "LEGACY_ECH_OPTIONS",
-	MigrationLink:     "https://sing-box.sagernet.org/deprecated/#legacy-ech-fields",
-}
-
 var OptionLegacyDomainStrategyOptions = Note{
 	Name:              "legacy-domain-strategy-options",
 	Description:       "legacy domain strategy options",
@@ -202,20 +103,9 @@ var OptionLegacyDomainStrategyOptions = Note{
 }
 
 var Options = []Note{
-	OptionBadMatchSource,
-	OptionGEOIP,
-	OptionGEOSITE,
-	OptionTUNAddressX,
-	OptionSpecialOutbounds,
-	OptionInboundOptions,
-	OptionDestinationOverrideFields,
-	OptionWireGuardOutbound,
-	OptionWireGuardGSO,
-	OptionTUNGSO,
 	OptionLegacyDNSTransport,
 	OptionLegacyDNSFakeIPOptions,
 	OptionOutboundDNSRuleItem,
 	OptionMissingDomainResolver,
-	OptionLegacyECHOptions,
 	OptionLegacyDomainStrategyOptions,
 }

experimental/libbox/fdroid.go

@@ -0,0 +1,493 @@
+package libbox
+
+import (
+	"archive/zip"
+	"bytes"
+	"crypto/tls"
+	"encoding/json"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"path/filepath"
+	"sort"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+const fdroidUserAgent = "F-Droid 1.21.1"
+
+type FDroidUpdateInfo struct {
+	VersionCode int32
+	VersionName string
+	DownloadURL string
+	FileSize    int64
+	FileSHA256  string
+}
+
+type FDroidPingResult struct {
+	URL       string
+	LatencyMs int32
+	Error     string
+}
+
+type FDroidPingResultIterator interface {
+	Len() int32
+	HasNext() bool
+	Next() *FDroidPingResult
+}
+
+type fdroidAPIResponse struct {
+	PackageName          string             `json:"packageName"`
+	SuggestedVersionCode int32              `json:"suggestedVersionCode"`
+	Packages             []fdroidAPIPackage `json:"packages"`
+}
+
+type fdroidAPIPackage struct {
+	VersionName string `json:"versionName"`
+	VersionCode int32  `json:"versionCode"`
+}
+
+type fdroidEntry struct {
+	Timestamp int64                      `json:"timestamp"`
+	Version   int                        `json:"version"`
+	Index     fdroidEntryFile            `json:"index"`
+	Diffs     map[string]fdroidEntryFile `json:"diffs"`
+}
+
+type fdroidEntryFile struct {
+	Name        string `json:"name"`
+	SHA256      string `json:"sha256"`
+	Size        int64  `json:"size"`
+	NumPackages int    `json:"numPackages"`
+}
+
+type fdroidIndexV2 struct {
+	Packages map[string]fdroidV2Package `json:"packages"`
+}
+
+type fdroidV2Package struct {
+	Versions map[string]fdroidV2Version `json:"versions"`
+}
+
+type fdroidV2Version struct {
+	Manifest fdroidV2Manifest `json:"manifest"`
+	File     fdroidV2File     `json:"file"`
+}
+
+type fdroidV2Manifest struct {
+	VersionCode int32  `json:"versionCode"`
+	VersionName string `json:"versionName"`
+}
+
+type fdroidV2File struct {
+	Name   string `json:"name"`
+	SHA256 string `json:"sha256"`
+	Size   int64  `json:"size"`
+}
+
+type fdroidIndexV1 struct {
+	Packages map[string][]fdroidV1Package `json:"packages"`
+}
+
+type fdroidV1Package struct {
+	VersionCode int32  `json:"versionCode"`
+	VersionName string `json:"versionName"`
+	ApkName     string `json:"apkName"`
+	Size        int64  `json:"size"`
+	Hash        string `json:"hash"`
+	HashType    string `json:"hashType"`
+}
+
+type fdroidCache struct {
+	MirrorURL string `json:"mirrorURL"`
+	Timestamp int64  `json:"timestamp"`
+	ETag      string `json:"etag"`
+	IsV1      bool   `json:"isV1,omitempty"`
+}
+
+func CheckFDroidUpdate(mirrorURL, packageName string, currentVersionCode int32, cachePath string) (*FDroidUpdateInfo, error) {
+	mirrorURL = strings.TrimRight(mirrorURL, "/")
+	if strings.Contains(mirrorURL, "f-droid.org") {
+		return checkFDroidAPI(mirrorURL, packageName, currentVersionCode)
+	}
+	client := newFDroidHTTPClient()
+	defer client.CloseIdleConnections()
+	cache := loadFDroidCache(cachePath, mirrorURL)
+	if cache != nil && cache.IsV1 {
+		return checkFDroidV1(client, mirrorURL, packageName, currentVersionCode, cachePath, cache)
+	}
+	return checkFDroidV2(client, mirrorURL, packageName, currentVersionCode, cachePath, cache)
+}
+
+func PingFDroidMirrors(mirrorURLs string) (FDroidPingResultIterator, error) {
+	urls := strings.Split(mirrorURLs, ",")
+	results := make([]*FDroidPingResult, len(urls))
+	var waitGroup sync.WaitGroup
+	for i, rawURL := range urls {
+		waitGroup.Add(1)
+		go func(index int, target string) {
+			defer waitGroup.Done()
+			target = strings.TrimSpace(target)
+			result := &FDroidPingResult{URL: target}
+			latency, err := pingTLS(target)
+			if err != nil {
+				result.LatencyMs = -1
+				result.Error = err.Error()
+			} else {
+				result.LatencyMs = int32(latency.Milliseconds())
+			}
+			results[index] = result
+		}(i, rawURL)
+	}
+	waitGroup.Wait()
+	sort.Slice(results, func(i, j int) bool {
+		if results[i].LatencyMs < 0 {
+			return false
+		}
+		if results[j].LatencyMs < 0 {
+			return true
+		}
+		return results[i].LatencyMs < results[j].LatencyMs
+	})
+	return newIterator(results), nil
+}
+
+func PingFDroidMirror(mirrorURL string) *FDroidPingResult {
+	mirrorURL = strings.TrimSpace(mirrorURL)
+	result := &FDroidPingResult{URL: mirrorURL}
+	latency, err := pingTLS(mirrorURL)
+	if err != nil {
+		result.LatencyMs = -1
+		result.Error = err.Error()
+	} else {
+		result.LatencyMs = int32(latency.Milliseconds())
+	}
+	return result
+}
+
+func newFDroidHTTPClient() *http.Client {
+	return &http.Client{
+		Timeout: 30 * time.Second,
+	}
+}
+
+func newFDroidRequest(requestURL string) (*http.Request, error) {
+	request, err := http.NewRequest("GET", requestURL, nil)
+	if err != nil {
+		return nil, err
+	}
+	request.Header.Set("User-Agent", fdroidUserAgent)
+	return request, nil
+}
+
+func checkFDroidAPI(mirrorURL, packageName string, currentVersionCode int32) (*FDroidUpdateInfo, error) {
+	client := newFDroidHTTPClient()
+	defer client.CloseIdleConnections()
+
+	apiURL := "https://f-droid.org/api/v1/packages/" + packageName
+	request, err := newFDroidRequest(apiURL)
+	if err != nil {
+		return nil, err
+	}
+
+	response, err := client.Do(request)
+	if err != nil {
+		return nil, err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		return nil, E.New("HTTP ", response.Status)
+	}
+
+	body, err := io.ReadAll(response.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	var apiResponse fdroidAPIResponse
+	err = json.Unmarshal(body, &apiResponse)
+	if err != nil {
+		return nil, err
+	}
+
+	var bestCode int32
+	var bestName string
+	for _, pkg := range apiResponse.Packages {
+		if pkg.VersionCode > currentVersionCode && pkg.VersionCode > bestCode {
+			bestCode = pkg.VersionCode
+			bestName = pkg.VersionName
+		}
+	}
+
+	if bestCode == 0 {
+		return nil, nil
+	}
+
+	return &FDroidUpdateInfo{
+		VersionCode: bestCode,
+		VersionName: bestName,
+		DownloadURL: "https://f-droid.org/repo/" + packageName + "_" + strconv.FormatInt(int64(bestCode), 10) + ".apk",
+	}, nil
+}
+
+func checkFDroidV2(client *http.Client, mirrorURL, packageName string, currentVersionCode int32, cachePath string, cache *fdroidCache) (*FDroidUpdateInfo, error) {
+	entryURL := mirrorURL + "/entry.jar"
+	request, err := newFDroidRequest(entryURL)
+	if err != nil {
+		return nil, err
+	}
+	if cache != nil && cache.ETag != "" {
+		request.Header.Set("If-None-Match", cache.ETag)
+	}
+
+	response, err := client.Do(request)
+	if err != nil {
+		return nil, err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode == http.StatusNotModified {
+		return nil, nil
+	}
+	if response.StatusCode == http.StatusNotFound {
+		writeFDroidCache(cachePath, mirrorURL, 0, "", true)
+		return checkFDroidV1(client, mirrorURL, packageName, currentVersionCode, cachePath, nil)
+	}
+	if response.StatusCode != http.StatusOK {
+		return nil, E.New("HTTP ", response.Status, ": ", entryURL)
+	}
+
+	jarData, err := io.ReadAll(response.Body)
+	if err != nil {
+		return nil, err
+	}
+	etag := response.Header.Get("ETag")
+
+	var entry fdroidEntry
+	err = readJSONFromJar(jarData, "entry.json", &entry)
+	if err != nil {
+		return nil, E.Cause(err, "read entry.jar")
+	}
+
+	if entry.Timestamp == 0 {
+		return nil, E.New("entry.json not found in entry.jar")
+	}
+
+	if cache != nil && cache.Timestamp == entry.Timestamp {
+		writeFDroidCache(cachePath, mirrorURL, entry.Timestamp, etag, false)
+		return nil, nil
+	}
+
+	var indexURL string
+	if cache != nil {
+		cachedTimestamp := strconv.FormatInt(cache.Timestamp, 10)
+		if diff, ok := entry.Diffs[cachedTimestamp]; ok {
+			indexURL = mirrorURL + "/" + diff.Name
+		}
+	}
+	if indexURL == "" {
+		indexURL = mirrorURL + "/" + entry.Index.Name
+	}
+
+	indexRequest, err := newFDroidRequest(indexURL)
+	if err != nil {
+		return nil, err
+	}
+
+	indexResponse, err := client.Do(indexRequest)
+	if err != nil {
+		return nil, err
+	}
+	defer indexResponse.Body.Close()
+
+	if indexResponse.StatusCode != http.StatusOK {
+		return nil, E.New("HTTP ", indexResponse.Status, ": ", indexURL)
+	}
+
+	indexData, err := io.ReadAll(indexResponse.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	var index fdroidIndexV2
+	err = json.Unmarshal(indexData, &index)
+	if err != nil {
+		return nil, err
+	}
+
+	writeFDroidCache(cachePath, mirrorURL, entry.Timestamp, etag, false)
+
+	pkg, ok := index.Packages[packageName]
+	if !ok {
+		return nil, nil
+	}
+
+	var bestCode int32
+	var bestVersion fdroidV2Version
+	for _, version := range pkg.Versions {
+		if version.Manifest.VersionCode > currentVersionCode && version.Manifest.VersionCode > bestCode {
+			bestCode = version.Manifest.VersionCode
+			bestVersion = version
+		}
+	}
+
+	if bestCode == 0 {
+		return nil, nil
+	}
+
+	return &FDroidUpdateInfo{
+		VersionCode: bestCode,
+		VersionName: bestVersion.Manifest.VersionName,
+		DownloadURL: mirrorURL + "/" + bestVersion.File.Name,
+		FileSize:    bestVersion.File.Size,
+		FileSHA256:  bestVersion.File.SHA256,
+	}, nil
+}
+
+func checkFDroidV1(client *http.Client, mirrorURL, packageName string, currentVersionCode int32, cachePath string, cache *fdroidCache) (*FDroidUpdateInfo, error) {
+	indexURL := mirrorURL + "/index-v1.jar"
+
+	request, err := newFDroidRequest(indexURL)
+	if err != nil {
+		return nil, err
+	}
+	if cache != nil && cache.ETag != "" {
+		request.Header.Set("If-None-Match", cache.ETag)
+	}
+
+	response, err := client.Do(request)
+	if err != nil {
+		return nil, err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode == http.StatusNotModified {
+		return nil, nil
+	}
+	if response.StatusCode != http.StatusOK {
+		return nil, E.New("HTTP ", response.Status, ": ", indexURL)
+	}
+
+	jarData, err := io.ReadAll(response.Body)
+	if err != nil {
+		return nil, err
+	}
+	etag := response.Header.Get("ETag")
+
+	var index fdroidIndexV1
+	err = readJSONFromJar(jarData, "index-v1.json", &index)
+	if err != nil {
+		return nil, E.Cause(err, "read index-v1.jar")
+	}
+
+	writeFDroidCache(cachePath, mirrorURL, 0, etag, true)
+
+	packages, ok := index.Packages[packageName]
+	if !ok {
+		return nil, nil
+	}
+
+	var bestCode int32
+	var bestPackage fdroidV1Package
+	for _, pkg := range packages {
+		if pkg.VersionCode > currentVersionCode && pkg.VersionCode > bestCode {
+			bestCode = pkg.VersionCode
+			bestPackage = pkg
+		}
+	}
+
+	if bestCode == 0 {
+		return nil, nil
+	}
+
+	return &FDroidUpdateInfo{
+		VersionCode: bestCode,
+		VersionName: bestPackage.VersionName,
+		DownloadURL: mirrorURL + "/" + bestPackage.ApkName,
+		FileSize:    bestPackage.Size,
+		FileSHA256:  bestPackage.Hash,
+	}, nil
+}
+
+func readJSONFromJar(jarData []byte, fileName string, destination any) error {
+	zipReader, err := zip.NewReader(bytes.NewReader(jarData), int64(len(jarData)))
+	if err != nil {
+		return err
+	}
+	for _, file := range zipReader.File {
+		if file.Name != fileName {
+			continue
+		}
+		reader, err := file.Open()
+		if err != nil {
+			return err
+		}
+		data, err := io.ReadAll(reader)
+		reader.Close()
+		if err != nil {
+			return err
+		}
+		return json.Unmarshal(data, destination)
+	}
+	return nil
+}
+
+func pingTLS(mirrorURL string) (time.Duration, error) {
+	parsed, err := url.Parse(mirrorURL)
+	if err != nil {
+		return 0, err
+	}
+	host := parsed.Host
+	if !strings.Contains(host, ":") {
+		host = host + ":443"
+	}
+
+	dialer := &net.Dialer{Timeout: 5 * time.Second}
+	start := time.Now()
+	conn, err := tls.DialWithDialer(dialer, "tcp", host, &tls.Config{})
+	if err != nil {
+		return 0, err
+	}
+	latency := time.Since(start)
+	conn.Close()
+	return latency, nil
+}
+
+func loadFDroidCache(cachePath, mirrorURL string) *fdroidCache {
+	cacheFile := filepath.Join(cachePath, "fdroid_cache.json")
+	data, err := os.ReadFile(cacheFile)
+	if err != nil {
+		return nil
+	}
+	var cache fdroidCache
+	err = json.Unmarshal(data, &cache)
+	if err != nil {
+		return nil
+	}
+	if cache.MirrorURL != mirrorURL {
+		return nil
+	}
+	return &cache
+}
+
+func writeFDroidCache(cachePath, mirrorURL string, timestamp int64, etag string, isV1 bool) {
+	cache := fdroidCache{
+		MirrorURL: mirrorURL,
+		Timestamp: timestamp,
+		ETag:      etag,
+		IsV1:      isV1,
+	}
+	data, err := json.Marshal(cache)
+	if err != nil {
+		return
+	}
+	os.MkdirAll(cachePath, 0o755)
+	os.WriteFile(filepath.Join(cachePath, "fdroid_cache.json"), data, 0o644)
+}

experimental/libbox/fdroid_mirrors.go

@@ -0,0 +1,92 @@
+package libbox
+
+type FDroidMirror struct {
+	URL     string
+	Country string
+	Name    string
+}
+
+type FDroidMirrorIterator interface {
+	Len() int32
+	HasNext() bool
+	Next() *FDroidMirror
+}
+
+var builtinFDroidMirrors = []FDroidMirror{
+	// Official
+	{URL: "https://f-droid.org/repo", Country: "Official", Name: "f-droid.org"},
+	{URL: "https://cloudflare.f-droid.org/repo", Country: "Official", Name: "Cloudflare CDN"},
+
+	// China
+	{URL: "https://mirrors.tuna.tsinghua.edu.cn/fdroid/repo", Country: "China", Name: "Tsinghua TUNA"},
+	{URL: "https://mirrors.nju.edu.cn/fdroid/repo", Country: "China", Name: "Nanjing University"},
+	{URL: "https://mirror.iscas.ac.cn/fdroid/repo", Country: "China", Name: "ISCAS"},
+	{URL: "https://mirror.nyist.edu.cn/fdroid/repo", Country: "China", Name: "NYIST"},
+	{URL: "https://mirrors.cqupt.edu.cn/fdroid/repo", Country: "China", Name: "CQUPT"},
+	{URL: "https://mirrors.shanghaitech.edu.cn/fdroid/repo", Country: "China", Name: "ShanghaiTech"},
+
+	// India
+	{URL: "https://mirror.hyd.albony.in/fdroid/repo", Country: "India", Name: "Albony Hyderabad"},
+	{URL: "https://mirror.del2.albony.in/fdroid/repo", Country: "India", Name: "Albony Delhi"},
+
+	// Taiwan
+	{URL: "https://mirror.ossplanet.net/fdroid/repo", Country: "Taiwan", Name: "OSSPlanet"},
+
+	// France
+	{URL: "https://fdroid.tetaneutral.net/fdroid/repo", Country: "France", Name: "tetaneutral.net"},
+	{URL: "https://mirror.freedif.org/fdroid/repo", Country: "France", Name: "FreeDif"},
+
+	// Germany
+	{URL: "https://ftp.fau.de/fdroid/repo", Country: "Germany", Name: "FAU Erlangen"},
+	{URL: "https://ftp.agdsn.de/fdroid/repo", Country: "Germany", Name: "AGDSN Dresden"},
+	{URL: "https://ftp.gwdg.de/pub/android/fdroid/repo", Country: "Germany", Name: "GWDG"},
+	{URL: "https://mirror.level66.network/fdroid/repo", Country: "Germany", Name: "Level66"},
+	{URL: "https://mirror.mci-1.serverforge.org/fdroid/repo", Country: "Germany", Name: "ServerForge"},
+
+	// Netherlands
+	{URL: "https://ftp.snt.utwente.nl/pub/software/fdroid/repo", Country: "Netherlands", Name: "University of Twente"},
+
+	// Sweden
+	{URL: "https://ftp.lysator.liu.se/pub/fdroid/repo", Country: "Sweden", Name: "Lysator"},
+
+	// Denmark
+	{URL: "https://mirrors.dotsrc.org/fdroid/repo", Country: "Denmark", Name: "dotsrc.org"},
+
+	// Austria
+	{URL: "https://mirror.kumi.systems/fdroid/repo", Country: "Austria", Name: "Kumi Systems"},
+
+	// Switzerland
+	{URL: "https://mirror.init7.net/fdroid/repo", Country: "Switzerland", Name: "Init7"},
+
+	// Romania
+	{URL: "https://mirrors.hostico.ro/fdroid/repo", Country: "Romania", Name: "Hostico"},
+	{URL: "https://mirrors.chroot.ro/fdroid/repo", Country: "Romania", Name: "Chroot"},
+	{URL: "https://ftp.lug.ro/fdroid/repo", Country: "Romania", Name: "LUG Romania"},
+
+	// US
+	{URL: "https://plug-mirror.rcac.purdue.edu/fdroid/repo", Country: "US", Name: "Purdue"},
+	{URL: "https://mirror.fcix.net/fdroid/repo", Country: "US", Name: "FCIX"},
+	{URL: "https://opencolo.mm.fcix.net/fdroid/repo", Country: "US", Name: "OpenColo"},
+	{URL: "https://forksystems.mm.fcix.net/fdroid/repo", Country: "US", Name: "Fork Systems"},
+	{URL: "https://southfront.mm.fcix.net/fdroid/repo", Country: "US", Name: "South Front"},
+	{URL: "https://ziply.mm.fcix.net/fdroid/repo", Country: "US", Name: "Ziply"},
+
+	// Canada
+	{URL: "https://mirror.quantum5.ca/fdroid/repo", Country: "Canada", Name: "Quantum5"},
+
+	// Australia
+	{URL: "https://mirror.aarnet.edu.au/fdroid/repo", Country: "Australia", Name: "AARNet"},
+
+	// Other
+	{URL: "https://mirror.cyberbits.eu/fdroid/repo", Country: "Europe", Name: "Cyberbits EU"},
+	{URL: "https://mirror.eu.ossplanet.net/fdroid/repo", Country: "Europe", Name: "OSSPlanet EU"},
+	{URL: "https://mirror.cyberbits.asia/fdroid/repo", Country: "Asia", Name: "Cyberbits Asia"},
+	{URL: "https://mirrors.jevincanders.net/fdroid/repo", Country: "US", Name: "Jevincanders"},
+	{URL: "https://mirrors.komogoto.com/fdroid/repo", Country: "US", Name: "Komogoto"},
+	{URL: "https://fdroid.rasp.sh/fdroid/repo", Country: "Europe", Name: "rasp.sh"},
+	{URL: "https://mirror.gofoss.xyz/fdroid/repo", Country: "Europe", Name: "GoFOSS"},
+}
+
+func GetFDroidMirrors() FDroidMirrorIterator {
+	return newPtrIterator(builtinFDroidMirrors)
+}

go.mod

@@ -5,44 +5,44 @@ go 1.24.7
 require (
 	github.com/anthropics/anthropic-sdk-go v1.26.0
 	github.com/anytls/sing-anytls v0.0.11
-	github.com/caddyserver/certmagic v0.25.0
+	github.com/caddyserver/certmagic v0.25.2
 	github.com/coder/websocket v1.8.14
 	github.com/cretz/bine v0.2.0
 	github.com/database64128/tfo-go/v2 v2.3.2
-	github.com/go-chi/chi/v5 v5.2.3
+	github.com/go-chi/chi/v5 v5.2.5
 	github.com/go-chi/render v1.0.3
-	github.com/godbus/dbus/v5 v5.2.1
+	github.com/godbus/dbus/v5 v5.2.2
 	github.com/gofrs/uuid/v5 v5.4.0
-	github.com/insomniacslk/dhcp v0.0.0-20251020182700-175e84fbb167
+	github.com/insomniacslk/dhcp v0.0.0-20260220084031-5adc3eb26f91
 	github.com/keybase/go-keychain v0.0.1
 	github.com/libdns/acmedns v0.5.0
-	github.com/libdns/alidns v1.0.6-beta.3
+	github.com/libdns/alidns v1.0.6
 	github.com/libdns/cloudflare v0.2.2
 	github.com/logrusorgru/aurora v2.0.3+incompatible
 	github.com/metacubex/utls v1.8.4
-	github.com/mholt/acmez/v3 v3.1.4
-	github.com/miekg/dns v1.1.69
-	github.com/openai/openai-go/v3 v3.23.0
+	github.com/mholt/acmez/v3 v3.1.6
+	github.com/miekg/dns v1.1.72
+	github.com/openai/openai-go/v3 v3.26.0
 	github.com/oschwald/maxminddb-golang v1.13.1
 	github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
 	github.com/sagernet/cors v1.2.1
-	github.com/sagernet/cronet-go v0.0.0-20260227112944-17c7ef18afa6
-	github.com/sagernet/cronet-go/all v0.0.0-20260227112944-17c7ef18afa6
+	github.com/sagernet/cronet-go v0.0.0-20260309102448-2fef65f9dba9
+	github.com/sagernet/cronet-go/all v0.0.0-20260309102448-2fef65f9dba9
 	github.com/sagernet/fswatch v0.1.1
 	github.com/sagernet/gomobile v0.1.12
 	github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1
 	github.com/sagernet/quic-go v0.59.0-sing-box-mod.4
-	github.com/sagernet/sing v0.8.0-beta.16.0.20260227013657-e419e9875a07
+	github.com/sagernet/sing v0.8.2
 	github.com/sagernet/sing-mux v0.3.4
-	github.com/sagernet/sing-quic v0.6.0-beta.13
+	github.com/sagernet/sing-quic v0.6.0
 	github.com/sagernet/sing-shadowsocks v0.2.8
 	github.com/sagernet/sing-shadowsocks2 v0.2.1
 	github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11
-	github.com/sagernet/sing-tun v0.8.0-beta.18
+	github.com/sagernet/sing-tun v0.8.3
 	github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1
 	github.com/sagernet/smux v1.5.50-sing-box-mod.1
-	github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6
+	github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260311131347-f88b27eeb76e
 	github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c
 	github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854
 	github.com/spf13/cobra v1.10.2
@@ -50,13 +50,13 @@ require (
 	github.com/vishvananda/netns v0.0.5
 	go.uber.org/zap v1.27.1
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.46.0
+	golang.org/x/crypto v0.48.0
 	golang.org/x/exp v0.0.0-20251219203646-944ab1f22d93
-	golang.org/x/mod v0.31.0
-	golang.org/x/net v0.48.0
+	golang.org/x/mod v0.33.0
+	golang.org/x/net v0.50.0
 	golang.org/x/sys v0.41.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
-	google.golang.org/grpc v1.77.0
+	google.golang.org/grpc v1.79.1
 	google.golang.org/protobuf v1.36.11
 	howett.net/plist v1.0.1
 )
@@ -67,7 +67,7 @@ require (
 	github.com/akutz/memconn v0.1.0 // indirect
 	github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa // indirect
 	github.com/andybalholm/brotli v1.1.0 // indirect
-	github.com/caddyserver/zerossl v0.1.3 // indirect
+	github.com/caddyserver/zerossl v0.1.5 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 // indirect
 	github.com/database64128/netx-go v0.1.1 // indirect
@@ -96,7 +96,7 @@ require (
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/libdns/libdns v1.1.1 // indirect
-	github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 // indirect
+	github.com/mdlayher/netlink v1.9.0 // indirect
 	github.com/mdlayher/socket v0.5.1 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
@@ -105,35 +105,35 @@ require (
 	github.com/prometheus-community/pro-bing v0.4.0 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/safchain/ethtool v0.3.0 // indirect
-	github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260227112350-bf468eec914d // indirect
-	github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260227112350-bf468eec914d // indirect
+	github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
 	github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a // indirect
 	github.com/sagernet/nftables v0.3.0-beta.4 // indirect
 	github.com/spf13/pflag v1.0.9 // indirect
@@ -154,15 +154,15 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap/exp v0.3.0 // indirect
 	go4.org/mem v0.0.0-20240501181205-ae6ca9944745 // indirect
-	golang.org/x/oauth2 v0.32.0 // indirect
+	golang.org/x/oauth2 v0.34.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/term v0.38.0 // indirect
-	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/term v0.40.0 // indirect
+	golang.org/x/text v0.34.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
-	golang.org/x/tools v0.40.0 // indirect
+	golang.org/x/tools v0.42.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.3.0 // indirect
 )

go.sum

@@ -1,3 +1,5 @@
+code.pfad.fr/check v1.1.0 h1:GWvjdzhSEgHvEHe2uJujDcpmZoySKuHQNrZMfzfO0bE=
+code.pfad.fr/check v1.1.0/go.mod h1:NiUH13DtYsb7xp5wll0U4SXx7KhXQVCtRgdC96IPfoM=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
@@ -12,12 +14,14 @@ github.com/anthropics/anthropic-sdk-go v1.26.0 h1:oUTzFaUpAevfuELAP1sjL6CQJ9HHAf
 github.com/anthropics/anthropic-sdk-go v1.26.0/go.mod h1:qUKmaW+uuPB64iy1l+4kOSvaLqPXnHTTBKH6RVZ7q5Q=
 github.com/anytls/sing-anytls v0.0.11 h1:w8e9Uj1oP3m4zxkyZDewPk0EcQbvVxb7Nn+rapEx4fc=
 github.com/anytls/sing-anytls v0.0.11/go.mod h1:7rjN6IukwysmdusYsrV51Fgu1uW6vsrdd6ctjnEAln8=
-github.com/caddyserver/certmagic v0.25.0 h1:VMleO/XA48gEWes5l+Fh6tRWo9bHkhwAEhx63i+F5ic=
-github.com/caddyserver/certmagic v0.25.0/go.mod h1:m9yB7Mud24OQbPHOiipAoyKPn9pKHhpSJxXR1jydBxA=
-github.com/caddyserver/zerossl v0.1.3 h1:onS+pxp3M8HnHpN5MMbOMyNjmTheJyWRaZYwn+YTAyA=
-github.com/caddyserver/zerossl v0.1.3/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
+github.com/caddyserver/certmagic v0.25.2 h1:D7xcS7ggX/WEY54x0czj7ioTkmDWKIgxtIi2OcQclUc=
+github.com/caddyserver/certmagic v0.25.2/go.mod h1:llW/CvsNmza8S6hmsuggsZeiX+uS27dkqY27wDIuBWg=
+github.com/caddyserver/zerossl v0.1.5 h1:dkvOjBAEEtY6LIGAHei7sw2UgqSD6TrWweXpV7lvEvE=
+github.com/caddyserver/zerossl v0.1.5/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
 github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
 github.com/coder/websocket v1.8.14 h1:9L0p0iKiNOibykf283eHkKUHHrpG7f65OE3BhhO7v9g=
@@ -52,10 +56,12 @@ github.com/gaissmai/bart v0.18.0 h1:jQLBT/RduJu0pv/tLwXE+xKPgtWJejbxuXAR+wLJafo=
 github.com/gaissmai/bart v0.18.0/go.mod h1:JJzMAhNF5Rjo4SF4jWBrANuJfqY+FvsFhW7t1UZJ+XY=
 github.com/github/fakeca v0.1.0 h1:Km/MVOFvclqxPM9dZBC4+QE564nU4gz4iZ0D9pMw28I=
 github.com/github/fakeca v0.1.0/go.mod h1:+bormgoGMMuamOscx7N91aOuUST7wdaJ2rNjeohylyo=
-github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE=
-github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
+github.com/go-chi/chi/v5 v5.2.5 h1:Eg4myHZBjyvJmAFjFvWgrqDTXFyOzjj7YIm3L3mu6Ug=
+github.com/go-chi/chi/v5 v5.2.5/go.mod h1:X7Gx4mteadT3eDOMTsXzmI4/rwUpOwBHLpAfupzFJP0=
 github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
 github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
+github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
+github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced h1:Q311OHjMh/u5E2TITc++WlTP5We0xNseRMkHDyvhW7I=
 github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced/go.mod h1:TiCD2a1pcmjd7YnhGH0f/zKNcCD06B029pHhzV23c2M=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
@@ -68,8 +74,8 @@ github.com/gobwas/httphead v0.1.0 h1:exrUm0f4YX0L7EBwZHuCF4GDp8aJfVeBrlLQrs6NqWU
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
 github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
-github.com/godbus/dbus/v5 v5.2.1 h1:I4wwMdWSkmI57ewd+elNGwLRf2/dtSaFz1DujfWYvOk=
-github.com/godbus/dbus/v5 v5.2.1/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c=
+github.com/godbus/dbus/v5 v5.2.2 h1:TUR3TgtSVDmjiXOgAAyaZbYmIeP3DPkld3jgKGV8mXQ=
+github.com/godbus/dbus/v5 v5.2.2/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c=
 github.com/gofrs/uuid/v5 v5.4.0 h1:EfbpCTjqMuGyq5ZJwxqzn3Cbr2d0rUZU7v5ycAk/e/0=
 github.com/gofrs/uuid/v5 v5.4.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
@@ -93,8 +99,8 @@ github.com/hdevalence/ed25519consensus v0.2.0 h1:37ICyZqdyj0lAZ8P4D1d1id3HqbbG1N
 github.com/hdevalence/ed25519consensus v0.2.0/go.mod h1:w3BHWjwJbFU29IRHL1Iqkw3sus+7FctEyM4RqDxYNzo=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/insomniacslk/dhcp v0.0.0-20251020182700-175e84fbb167 h1:MEufgJohwIjFi2n3eJv4c/8UdRLQVUwPwSWQPoER+eU=
-github.com/insomniacslk/dhcp v0.0.0-20251020182700-175e84fbb167/go.mod h1:qfvBmyDNp+/liLEYWRvqny/PEz9hGe2Dz833eXILSmo=
+github.com/insomniacslk/dhcp v0.0.0-20260220084031-5adc3eb26f91 h1:u9i04mGE3iliBh0EFuWaKsmcwrLacqGmq1G3XoaM7gY=
+github.com/insomniacslk/dhcp v0.0.0-20260220084031-5adc3eb26f91/go.mod h1:qfvBmyDNp+/liLEYWRvqny/PEz9hGe2Dz833eXILSmo=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jsimonetti/rtnetlink v1.4.0 h1:Z1BF0fRgcETPEa0Kt0MRk3yV5+kF1FWTni6KUFKrq2I=
 github.com/jsimonetti/rtnetlink v1.4.0/go.mod h1:5W1jDvWdnthFJ7fxYX1GMK07BUpI4oskfOqvPteYS6E=
@@ -104,32 +110,36 @@ github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zt
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
+github.com/letsencrypt/challtestsrv v1.4.2 h1:0ON3ldMhZyWlfVNYYpFuWRTmZNnyfiL9Hh5YzC3JVwU=
+github.com/letsencrypt/challtestsrv v1.4.2/go.mod h1:GhqMqcSoeGpYd5zX5TgwA6er/1MbWzx/o7yuuVya+Wk=
+github.com/letsencrypt/pebble/v2 v2.10.0 h1:Wq6gYXlsY6ubqI3hhxsTzdyotvfdjFBxuwYqCLCnj/U=
+github.com/letsencrypt/pebble/v2 v2.10.0/go.mod h1:Sk8cmUIPcIdv2nINo+9PB4L+ZBhzY+F9A1a/h/xmWiQ=
 github.com/libdns/acmedns v0.5.0 h1:5pRtmUj4Lb/QkNJSl1xgOGBUJTWW7RjpNaIhjpDXjPE=
 github.com/libdns/acmedns v0.5.0/go.mod h1:X7UAFP1Ep9NpTwWpVlrZzJLR7epynAy0wrIxSPFgKjQ=
-github.com/libdns/alidns v1.0.6-beta.3 h1:KAmb7FQ1tRzKsaAUGa7ZpGKAMRANwg7+1c7tUbSELq8=
-github.com/libdns/alidns v1.0.6-beta.3/go.mod h1:RECwyQ88e9VqQVtSrvX76o1ux3gQUKGzMgxICi+u7Ec=
+github.com/libdns/alidns v1.0.6 h1:/Ii428ty6WHFJmE24rZxq2taq++gh7rf9jhgLfp8PmM=
+github.com/libdns/alidns v1.0.6/go.mod h1:RECwyQ88e9VqQVtSrvX76o1ux3gQUKGzMgxICi+u7Ec=
 github.com/libdns/cloudflare v0.2.2 h1:XWHv+C1dDcApqazlh08Q6pjytYLgR2a+Y3xrXFu0vsI=
 github.com/libdns/cloudflare v0.2.2/go.mod h1:w9uTmRCDlAoafAsTPnn2nJ0XHK/eaUMh86DUk8BWi60=
 github.com/libdns/libdns v1.1.1 h1:wPrHrXILoSHKWJKGd0EiAVmiJbFShguILTg9leS/P/U=
 github.com/libdns/libdns v1.1.1/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
 github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczGlG91VSDkswnjF5A8=
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
-github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 h1:A1Cq6Ysb0GM0tpKMbdCXCIfBclan4oHk1Jb+Hrejirg=
-github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42/go.mod h1:BB4YCPDOzfy7FniQ/lxuYQ3dgmM2cZumHbK8RpTjN2o=
+github.com/mdlayher/netlink v1.9.0 h1:G8+GLq2x3v4D4MVIqDdNUhTUC7TKiCy/6MDkmItfKco=
+github.com/mdlayher/netlink v1.9.0/go.mod h1:YBnl5BXsCoRuwBjKKlZ+aYmEoq0r12FDA/3JC+94KDg=
 github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos=
 github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
 github.com/metacubex/utls v1.8.4 h1:HmL9nUApDdWSkgUyodfwF6hSjtiwCGGdyhaSpEejKpg=
 github.com/metacubex/utls v1.8.4/go.mod h1:kncGGVhFaoGn5M3pFe3SXhZCzsbCJayNOH4UEqTKTko=
-github.com/mholt/acmez/v3 v3.1.4 h1:DyzZe/RnAzT3rpZj/2Ii5xZpiEvvYk3cQEN/RmqxwFQ=
-github.com/mholt/acmez/v3 v3.1.4/go.mod h1:L1wOU06KKvq7tswuMDwKdcHeKpFFgkppZy/y0DFxagQ=
-github.com/miekg/dns v1.1.69 h1:Kb7Y/1Jo+SG+a2GtfoFUfDkG//csdRPwRLkCsxDG9Sc=
-github.com/miekg/dns v1.1.69/go.mod h1:7OyjD9nEba5OkqQ/hB4fy3PIoxafSZJtducccIelz3g=
+github.com/mholt/acmez/v3 v3.1.6 h1:eGVQNObP0pBN4sxqrXeg7MYqTOWyoiYpQqITVWlrevk=
+github.com/mholt/acmez/v3 v3.1.6/go.mod h1:5nTPosTGosLxF3+LU4ygbgMRFDhbAVpqMI4+a4aHLBY=
+github.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI=
+github.com/miekg/dns v1.1.72/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=
 github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
 github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 h1:zYyBkD/k9seD2A7fsi6Oo2LfFZAehjjQMERAvZLEDnQ=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8=
-github.com/openai/openai-go/v3 v3.23.0 h1:FRFwTcB4FoWFtIunTY/8fgHvzSHgqbfWjiCwOMVrsvw=
-github.com/openai/openai-go/v3 v3.23.0/go.mod h1:cdufnVK14cWcT9qA1rRtrXx4FTRsgbDPW7Ia7SS5cZo=
+github.com/openai/openai-go/v3 v3.26.0 h1:bRt6H/ozMNt/dDkN4gobnLqaEGrRGBzmbVs0xxJEnQE=
+github.com/openai/openai-go/v3 v3.26.0/go.mod h1:cdufnVK14cWcT9qA1rRtrXx4FTRsgbDPW7Ia7SS5cZo=
 github.com/oschwald/maxminddb-golang v1.13.1 h1:G3wwjdN9JmIK2o/ermkHM+98oX5fS+k5MbwsmL4MRQE=
 github.com/oschwald/maxminddb-golang v1.13.1/go.mod h1:K4pgV9N/GcK694KSTmVSDTODk4IsCNThNdTmnaBZ/F8=
 github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
@@ -152,68 +162,68 @@ github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkk
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a/go.mod h1:63s7jpZqcDAIpj8oI/1v4Izok+npJOHACFCU6+huCkM=
 github.com/sagernet/cors v1.2.1 h1:Cv5Z8y9YSD6Gm+qSpNrL3LO4lD3eQVvbFYJSG7JCMHQ=
 github.com/sagernet/cors v1.2.1/go.mod h1:O64VyOjjhrkLmQIjF4KGRrJO/5dVXFdpEmCW/eISRAI=
-github.com/sagernet/cronet-go v0.0.0-20260227112944-17c7ef18afa6 h1:Ato+guxmEL4uezcYV1UUUDpAv9HlcJQ7BZt2zpnzjuw=
-github.com/sagernet/cronet-go v0.0.0-20260227112944-17c7ef18afa6/go.mod h1:hwFHBEjjthyEquDULbr4c4ucMedp8Drb6Jvm2kt/0Bw=
-github.com/sagernet/cronet-go/all v0.0.0-20260227112944-17c7ef18afa6 h1:0ldSjcR5Gt/o+otTvUAmJ28FCLab9lnlpEhxRCMQpRA=
-github.com/sagernet/cronet-go/all v0.0.0-20260227112944-17c7ef18afa6/go.mod h1:xVwYoNCyv9tF7W1RJlUdDbT4bn5tyqtyTe1P1ZY2VP8=
-github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260227112350-bf468eec914d h1:tudlBYdQHIWctKIdf7pceBOFIUIISK6yFivwsxhxDk0=
-github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260227112350-bf468eec914d/go.mod h1:XXDwdjX/T8xftoeJxQmbBoYXZp8MAPFR2CwbFuTpEtw=
-github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260227112350-bf468eec914d h1:F5EsQlIknj0HlExBFR4EXW69dYj0MpK1HCpKhL/weEs=
-github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:iNiUGoLtnr8/JTuVNj7XJbmpOAp2C6+B81KDrPxwaZM=
-github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260227112350-bf468eec914d h1:9SQ6I2Y2radd6RyWEfV+9s1Q9Kth54B6gBHuJWNzQas=
-github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260227112350-bf468eec914d/go.mod h1:19ILNUOGIzRdOqa2mq+iY0JoHxuieB7/lnjYeaA2vEc=
-github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260227112350-bf468eec914d h1:+XoeknBi6+s6epDAS3BkEsp5zGqEJsT9L8JEcaq+0nE=
-github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:JxzGyQf94Cr6sBShKqODGDyRUlESfJK/Njcz9Lz6qMQ=
-github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260227112350-bf468eec914d h1:poqfhHJAg+7BtABn4cue7V4y8Kb2eZ1Cy0j+bhDangw=
-github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:KN+9T9TBycGOLzmKU4QdcHAJEj6Nlx48ifnlTvvHMvs=
-github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260227112350-bf468eec914d h1:nH6rtfqWbui9zQPjd18cpvZncGvn21UcVLtmeUoQKXs=
-github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:kojvtUc29KKnk8hs2QIANynVR59921SnGWA9kXohHc0=
-github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260227112350-bf468eec914d h1:HtnjWZzSQBaP29XJ5NoIps1TVZ7DUC7R0NH7IyhJ5Ag=
-github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260227112350-bf468eec914d/go.mod h1:hkQzRE5GDbaH1/ioqYh0Taho4L6i0yLRCVEZ5xHz5M0=
-github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260227112350-bf468eec914d h1:E2DWx0Agrj8Fi745S+otYW+W0rL2I8+Z2rZCFqGYPvQ=
-github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:tzVJFTOm66UxLxy6K0ZN5Ic2PC79e+sKKnt+V9puEa4=
-github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260227112350-bf468eec914d h1:j7f/rBwPlO1RpFQeM35QVHymVXGVo6d8WTz4i4SjcPo=
-github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260227112350-bf468eec914d/go.mod h1:M/pN6m3j0HFU6/y83n0HU6GLYys3tYdr/xTE8hVEGMo=
-github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260227112350-bf468eec914d h1:hz8kkcHGMe7QBTpbqkaw89ZFsfX+UN5F5RIDrroDkx8=
-github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260227112350-bf468eec914d/go.mod h1:cGh5hO6eljCo6KMQ/Cel8Xgq4+etL0awZLRBDVG1EZQ=
-github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260227112350-bf468eec914d h1:TNFaO19ySEyqG79j5+dYb+w4ivusrTXanWuogmC4VM0=
-github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260227112350-bf468eec914d/go.mod h1:JFE0/cxaKkx0wqPMZU7MgaplQlU0zudv82dROJjClKU=
-github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260227112350-bf468eec914d h1:Ewc/wR3yu/hOwG/p49nI9TwYmYv3Llm5DA6fSb1w8hY=
-github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:vU8VftFeSt7fURCa3JXD6+k6ss1YAX+idQjPvHmJ2tI=
-github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260227112350-bf468eec914d h1:PJ24NkPNpMrLGNRdb6moEqJo8gfhYcIRZmQD8jPPCJk=
-github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260227112350-bf468eec914d/go.mod h1:vCe4OUuL+XOUge9v3MyTD45BnuAXiH+DkjN9quDXJzQ=
-github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260227112350-bf468eec914d h1:IaUghNA8cOmmwvzUPKPsfhiG0KmpWpE0mFZl85T5/Bw=
-github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260227112350-bf468eec914d/go.mod h1:w9amBWrvjtohQzBGCKJ7LCh22LhTIJs4sE7cYaKQzM0=
-github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260227112350-bf468eec914d h1:whbeDcr9dDWPr45Is9QV6OHAncrBWLJtPuo4uyEJFBg=
-github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:TqlsFtcYS/etTeck46kHBeT8Le0Igw1Q/AV88UnMS3s=
-github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260227112350-bf468eec914d h1:ecHgaGMvikNYjsfULekdXjL/cQJXCS38yvHaKVMWtXc=
-github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260227112350-bf468eec914d/go.mod h1:B6Qd0vys8sv9OKVRN6J9RqDzYRGE938Fb2zrYdBDyTQ=
-github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260227112350-bf468eec914d h1:no7Cb54+vv1bQ39zFp+JIHKO8Tu3sTwqz8SoOAuV/Ek=
-github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260227112350-bf468eec914d/go.mod h1:3tXMMFY7AHugOVBZ5Al7cL7JKsnFOe5bMVr0hZPk3ow=
-github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260227112350-bf468eec914d h1:DqBSbam9KAzBgDInOoNy4K0baSJyxGWESxrDewU5aSs=
-github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:Wt5uFdU3tnmm8YzobYewwdF7Mt6SucRQg6xeTNWC3Tk=
-github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260227112350-bf468eec914d h1:fOR5i+hRyjG8ZzPSG6URkoTKr5qYOJfxZ58zd8HBteM=
-github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260227112350-bf468eec914d/go.mod h1:lyIF6wKBLwWa5ZXaAKbAoewewl+yCHo2iYev39Mbj4E=
-github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260227112350-bf468eec914d h1:hEQGQI+PfUzYBVas4NWw8WiEUsATco6vwv+t4qTtgtw=
-github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260227112350-bf468eec914d/go.mod h1:H46PnSTTZNcZokLLiDeMDaHiS1l14PH3tzWi0eykjD8=
-github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260227112350-bf468eec914d h1:AzzJ5AtZlwTbU5QOSixZdPLTjzWKCun3AobQChKy0W8=
-github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260227112350-bf468eec914d/go.mod h1:RBhSUDAKWq7fswtV4nQUQhuaTLcX3ettR7teA7/yf2w=
-github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260227112350-bf468eec914d h1:9Tp7s/WX4DZLx4ues8G38G2OV7eQbeuU2COEZEbGcF0=
-github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260227112350-bf468eec914d/go.mod h1:wRzoIOGG4xbpp3Gh3triLKwMwYriScXzFtunLYhY4w0=
-github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260227112350-bf468eec914d h1:T9EVZKTyZHOamwevomUZnJ6TQNc09I/BwK+L5HJCJj8=
-github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:LNiZXmWil1OPwKCheqQjtakZlJuKGFz+iv2eGF76Hhs=
-github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260227112350-bf468eec914d h1:FZmThI7xScJRPERFiA4L2l9KCwA0oi8/lEOajIKEtUQ=
-github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260227112350-bf468eec914d/go.mod h1:YFDGKTkpkJGc5+hnX/RYosZyTWg9h+68VB55fYRRLYc=
-github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260227112350-bf468eec914d h1:BCC/b8bL0dD9Q4ghgKABV/EsMe0J8GE/l7hcRdPkUXQ=
-github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260227112350-bf468eec914d/go.mod h1:aaX0YGl8nhGmfRWI8bc3BtDjY8Vzx6O0cS/e1uqxDq4=
-github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260227112350-bf468eec914d h1:3l463BXnC/X42ow2zqHm9Y/K4GM6aRsKUIZBcFxr2+Q=
-github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:EdzMKA96xITc42QEI+ct4SwqX8Dn3ltKK8wzdkLWpSc=
-github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260227112350-bf468eec914d h1:+XHEZ/z5NgPfjOAzOwfbQzR+42qaDNB0nv+fAOcd6Pc=
-github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260227112350-bf468eec914d/go.mod h1:qix4kv1TTAJ5tY4lJ9vjhe9EY4mM+B7H5giOhbxDVcc=
-github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260227112350-bf468eec914d h1:sYWbP+qCt9Rhb1yGaIRY7HVLtaQZmrHWR0obc5+Q1qc=
-github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:lm9w/oCCRyBiUa3G8lDQTT8x/ONUvgVR2iV9fVzUZB8=
-github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260227112350-bf468eec914d h1:r6eOVlAfmcUMD5nfz+mPd/aORevUKhcvxA1z1GdPnG8=
-github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260227112350-bf468eec914d/go.mod h1:n34YyLgapgjWdKa0IoeczjAFCwD3/dxbsH5sucKw0bw=
+github.com/sagernet/cronet-go v0.0.0-20260309102448-2fef65f9dba9 h1:xq5Yr10jXEppD3cnGjE3WENaB6D0YsZu6KptZ8d3054=
+github.com/sagernet/cronet-go v0.0.0-20260309102448-2fef65f9dba9/go.mod h1:hwFHBEjjthyEquDULbr4c4ucMedp8Drb6Jvm2kt/0Bw=
+github.com/sagernet/cronet-go/all v0.0.0-20260309102448-2fef65f9dba9 h1:uxQyy6Y/boOuecVA66tf79JgtoRGfeDJcfYZZLKVA5E=
+github.com/sagernet/cronet-go/all v0.0.0-20260309102448-2fef65f9dba9/go.mod h1:Xm6cCvs0/twozC1JYNq0sVlOVmcSGzV7YON1XGcD97w=
+github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260309101654-0cbdcfddded9 h1:Qi0IKBpoPP3qZqIXuOKMsT2dv+l/MLWMyBHDMLRw2EA=
+github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:XXDwdjX/T8xftoeJxQmbBoYXZp8MAPFR2CwbFuTpEtw=
+github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260309101654-0cbdcfddded9 h1:p+wCMjOhj46SpSD/AJeTGgkCcbyA76FyH631XZatyU8=
+github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:iNiUGoLtnr8/JTuVNj7XJbmpOAp2C6+B81KDrPxwaZM=
+github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260309101654-0cbdcfddded9 h1:Y7lWrZwEhC/HX8Pb5C92CrQihuaE7hrHmWB2ykst3iQ=
+github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:19ILNUOGIzRdOqa2mq+iY0JoHxuieB7/lnjYeaA2vEc=
+github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:3Ggy5wiyjA6t+aVVPnXlSEIVj9zkxd4ybH3NsvsNefs=
+github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:JxzGyQf94Cr6sBShKqODGDyRUlESfJK/Njcz9Lz6qMQ=
+github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260309101654-0cbdcfddded9 h1:DuFTCnZloblY+7olXiZoRdueWfxi34EV5UheTFKM2rA=
+github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:KN+9T9TBycGOLzmKU4QdcHAJEj6Nlx48ifnlTvvHMvs=
+github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:x/6T2gjpLw9yNdCVR6xBlzMUzED9fxNFNt6U6A6SOh8=
+github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:kojvtUc29KKnk8hs2QIANynVR59921SnGWA9kXohHc0=
+github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9 h1:Lx9PExM70rg8aNxPm0JPeSr5SWC3yFiCz4wIq86ugx8=
+github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:hkQzRE5GDbaH1/ioqYh0Taho4L6i0yLRCVEZ5xHz5M0=
+github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:BTEpw7/vKR9BNBsHebfpiGHDCPpjVJ3vLIbHNU3VUfM=
+github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:tzVJFTOm66UxLxy6K0ZN5Ic2PC79e+sKKnt+V9puEa4=
+github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9 h1:hdEph9nQXRnKwc/lIDwo15rmzbC6znXF5jJWHPN1Fiw=
+github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:M/pN6m3j0HFU6/y83n0HU6GLYys3tYdr/xTE8hVEGMo=
+github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260309101654-0cbdcfddded9 h1:Iq++oYV7dtRJHTpu8yclHJdn+1oj2t1e84/YpdXYWW8=
+github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:cGh5hO6eljCo6KMQ/Cel8Xgq4+etL0awZLRBDVG1EZQ=
+github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260309101654-0cbdcfddded9 h1:Y43fuLL8cgwRHpEKwxh0O3vYp7g/SZGvbkJj3cQ6USA=
+github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:JFE0/cxaKkx0wqPMZU7MgaplQlU0zudv82dROJjClKU=
+github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260309101654-0cbdcfddded9 h1:bX2GJmF0VCC+tBrVAa49YEsmJ4A9dLmwoA6DJUxRtCY=
+github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:vU8VftFeSt7fURCa3JXD6+k6ss1YAX+idQjPvHmJ2tI=
+github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260309101654-0cbdcfddded9 h1:gQTR/2azUCInE0r3kmesZT9xu+x801+BmtDY0d0Tw9Y=
+github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:vCe4OUuL+XOUge9v3MyTD45BnuAXiH+DkjN9quDXJzQ=
+github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260309101654-0cbdcfddded9 h1:X4mP3jlYvxgrKpZLOKMmc/O8T5/zP83/23pgfQOc3tY=
+github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:w9amBWrvjtohQzBGCKJ7LCh22LhTIJs4sE7cYaKQzM0=
+github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:c6xj2nXr/65EDiRFddUKQIBQ/b/lAPoH8WFYlgadaPc=
+github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:TqlsFtcYS/etTeck46kHBeT8Le0Igw1Q/AV88UnMS3s=
+github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260309101654-0cbdcfddded9 h1:ahbl7yjOvGVVNUwk9TcQk+xejVfoYAYFRlhWnby0/YM=
+github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:B6Qd0vys8sv9OKVRN6J9RqDzYRGE938Fb2zrYdBDyTQ=
+github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260309101654-0cbdcfddded9 h1:JC5Zv5+J85da6g5G56VhdaK53fmo6Os2q/wWi5QlxOw=
+github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:3tXMMFY7AHugOVBZ5Al7cL7JKsnFOe5bMVr0hZPk3ow=
+github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260309101654-0cbdcfddded9 h1:4bt7Go588BoM4VjNYMxx0MrvbwlFQn3DdRDCM7BmkRo=
+github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:Wt5uFdU3tnmm8YzobYewwdF7Mt6SucRQg6xeTNWC3Tk=
+github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260309101654-0cbdcfddded9 h1:E1z0BeLUh8EZfCjIyS9BrfCocZrt+0KPS0bzop3Sxf4=
+github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:lyIF6wKBLwWa5ZXaAKbAoewewl+yCHo2iYev39Mbj4E=
+github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260309101654-0cbdcfddded9 h1:d8ejxRHO7Vi9JqR/6DxR7RyI/swA2JfDWATR4T7otBw=
+github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:H46PnSTTZNcZokLLiDeMDaHiS1l14PH3tzWi0eykjD8=
+github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260309101654-0cbdcfddded9 h1:iUDVEVu3RxL5ArPIY72BesbuX5zQ1la/ZFwKpQcGc5c=
+github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:RBhSUDAKWq7fswtV4nQUQhuaTLcX3ettR7teA7/yf2w=
+github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260309101654-0cbdcfddded9 h1:xB6ikOC/R3n3hjy68EJ0sbZhH4vwEhd6JM9jZ1U2SVY=
+github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:wRzoIOGG4xbpp3Gh3triLKwMwYriScXzFtunLYhY4w0=
+github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260309101654-0cbdcfddded9 h1:mBOuLCPOOMMq8N1+dUM5FqZclqga1+u6fAbPqQcbIhc=
+github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:LNiZXmWil1OPwKCheqQjtakZlJuKGFz+iv2eGF76Hhs=
+github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260309101654-0cbdcfddded9 h1:cwPyDfj+ZNFE7kvcWbayQJyeC/KQA16HTXOxgHphL0w=
+github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:YFDGKTkpkJGc5+hnX/RYosZyTWg9h+68VB55fYRRLYc=
+github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9 h1:Zk9zG8kt3mXAboclUXQlvvxKQuhnI8u5NdDEl8uotNY=
+github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:aaX0YGl8nhGmfRWI8bc3BtDjY8Vzx6O0cS/e1uqxDq4=
+github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:Lu05srGqddQRMnl1MZtGAReln2yJljeGx9b1IadlMJ8=
+github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:EdzMKA96xITc42QEI+ct4SwqX8Dn3ltKK8wzdkLWpSc=
+github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9 h1:Tk9bDywUmOtc0iMjjCVIwMlAQNsxCy+bK+bTNA0OaBE=
+github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:qix4kv1TTAJ5tY4lJ9vjhe9EY4mM+B7H5giOhbxDVcc=
+github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260309101654-0cbdcfddded9 h1:tQqDQw3tEHdQpt7NTdAwF3UvZ3CjNIj/IJKMRFmm388=
+github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:lm9w/oCCRyBiUa3G8lDQTT8x/ONUvgVR2iV9fVzUZB8=
+github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:biUIbI2YxUrcQikEfS/bwPA8NsHp/WO+VZUG4morUmE=
+github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:n34YyLgapgjWdKa0IoeczjAFCwD3/dxbsH5sucKw0bw=
 github.com/sagernet/fswatch v0.1.1 h1:YqID+93B7VRfqIH3PArW/XpJv5H4OLEVWDfProGoRQs=
 github.com/sagernet/fswatch v0.1.1/go.mod h1:nz85laH0mkQqJfaOrqPpkwtU1znMFNVTpT/5oRsVz/o=
 github.com/sagernet/gomobile v0.1.12 h1:XwzjZaclFF96deLqwAgK8gU3w0M2A8qxgDmhV+A0wjg=
@@ -226,26 +236,26 @@ github.com/sagernet/nftables v0.3.0-beta.4 h1:kbULlAwAC3jvdGAC1P5Fa3GSxVwQJibNen
 github.com/sagernet/nftables v0.3.0-beta.4/go.mod h1:OQXAjvjNGGFxaTgVCSTRIhYB5/llyVDeapVoENYBDS8=
 github.com/sagernet/quic-go v0.59.0-sing-box-mod.4 h1:6qvrUW79S+CrPwWz6cMePXohgjHoKxLo3c+MDhNwc3o=
 github.com/sagernet/quic-go v0.59.0-sing-box-mod.4/go.mod h1:OqILvS182CyOol5zNNo6bguvOGgXzV459+chpRaUC+4=
-github.com/sagernet/sing v0.8.0-beta.16.0.20260227013657-e419e9875a07 h1:LQqb+xtR5uqF6bePmJQ3sAToF/kMCjxSnz17HnboXA8=
-github.com/sagernet/sing v0.8.0-beta.16.0.20260227013657-e419e9875a07/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/sing v0.8.2 h1:kX1IH9SWJv4S0T9M8O+HNahWgbOuY1VauxbF7NU5lOg=
+github.com/sagernet/sing v0.8.2/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-mux v0.3.4 h1:ZQplKl8MNXutjzbMVtWvWG31fohhgOfCuUZR4dVQ8+s=
 github.com/sagernet/sing-mux v0.3.4/go.mod h1:QvlKMyNBNrQoyX4x+gq028uPbLM2XeRpWtDsWBJbFSk=
-github.com/sagernet/sing-quic v0.6.0-beta.13 h1:umDr6GC5fVbOIoTvqV4544wY61zEN+ObQwVGNP8sX1M=
-github.com/sagernet/sing-quic v0.6.0-beta.13/go.mod h1:K5bWvITOm4vE10fwLfrWpw27bCoVJ+tfQ79tOWg+Ko8=
+github.com/sagernet/sing-quic v0.6.0 h1:dhrFnP45wgVKEOT1EvtsToxdzRnHIDIAgj6WHV9pLyM=
+github.com/sagernet/sing-quic v0.6.0/go.mod h1:K5bWvITOm4vE10fwLfrWpw27bCoVJ+tfQ79tOWg+Ko8=
 github.com/sagernet/sing-shadowsocks v0.2.8 h1:PURj5PRoAkqeHh2ZW205RWzN9E9RtKCVCzByXruQWfE=
 github.com/sagernet/sing-shadowsocks v0.2.8/go.mod h1:lo7TWEMDcN5/h5B8S0ew+r78ZODn6SwVaFhvB6H+PTI=
 github.com/sagernet/sing-shadowsocks2 v0.2.1 h1:dWV9OXCeFPuYGHb6IRqlSptVnSzOelnqqs2gQ2/Qioo=
 github.com/sagernet/sing-shadowsocks2 v0.2.1/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11 h1:tK+75l64tm9WvEFrYRE1t0YxoFdWQqw/h7Uhzj0vJ+w=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11/go.mod h1:sWqKnGlMipCHaGsw1sTTlimyUpgzP4WP3pjhCsYt9oA=
-github.com/sagernet/sing-tun v0.8.0-beta.18 h1:C6oHxP9BNBVEVdC9ABMTXmKej9mUVtcuw2v+IiBS8yw=
-github.com/sagernet/sing-tun v0.8.0-beta.18/go.mod h1:+HAK/y9GZljdT0KYKMYDR8MjjqnqDDQZYp5ZZQoRzS8=
+github.com/sagernet/sing-tun v0.8.3 h1:mozxmuIoRhFdVHnheenLpBaammVj7bZPcnkApaYKDPY=
+github.com/sagernet/sing-tun v0.8.3/go.mod h1:pLCo4o+LacXEzz0bhwhJkKBjLlKOGPBNOAZ97ZVZWzs=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1 h1:aSwUNYUkVyVvdmBSufR8/nRFonwJeKSIROxHcm5br9o=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1/go.mod h1:P11scgTxMxVVQ8dlM27yNm3Cro40mD0+gHbnqrNGDuY=
 github.com/sagernet/smux v1.5.50-sing-box-mod.1 h1:XkJcivBC9V4wBjiGXIXZ229aZCU1hzcbp6kSkkyQ478=
 github.com/sagernet/smux v1.5.50-sing-box-mod.1/go.mod h1:NjhsCEWedJm7eFLyhuBgIEzwfhRmytrUoiLluxs5Sk8=
-github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6 h1:eYz/OpMqWCvO2++iw3dEuzrlfC2xv78GdlGvprIM6O8=
-github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6/go.mod h1:m87GAn4UcesHQF3leaPFEINZETO5za1LGn1GJdNDgNc=
+github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260311131347-f88b27eeb76e h1:Sv1qUhJIidjSTc24XEknovDZnbmVSlAXj8wNVgIfgGo=
+github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260311131347-f88b27eeb76e/go.mod h1:m87GAn4UcesHQF3leaPFEINZETO5za1LGn1GJdNDgNc=
 github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c h1:f9cXNB+IOOPnR8DOLMTpr42jf7naxh5Un5Y09BBf5Cg=
 github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c/go.mod h1:WUxgxUDZoCF2sxVmW+STSxatP02Qn3FcafTiI2BLtE0=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854 h1:6uUiZcDRnZSAegryaUGwPC/Fj13JSHwiTftrXhMmYOc=
@@ -299,16 +309,16 @@ github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
 github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
-go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
-go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
-go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
-go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
-go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
-go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
-go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
-go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
-go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
+go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48=
+go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8=
+go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0=
+go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs=
+go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18=
+go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE=
+go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8=
+go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=
+go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI=
+go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
@@ -323,20 +333,20 @@ go4.org/mem v0.0.0-20240501181205-ae6ca9944745/go.mod h1:reUoABIJ9ikfM5sgtSF3Wus
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
-golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
+golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
+golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
 golang.org/x/exp v0.0.0-20251219203646-944ab1f22d93 h1:fQsdNF2N+/YewlRZiricy4P1iimyPKZ/xwniHj8Q2a0=
 golang.org/x/exp v0.0.0-20251219203646-944ab1f22d93/go.mod h1:EPRbTFwzwjXj9NpYyyrvenVh9Y+GFeEvMNh7Xuz7xgU=
 golang.org/x/image v0.27.0 h1:C8gA4oWU/tKkdCfYT6T2u4faJu3MeNS5O8UPWlPF61w=
 golang.org/x/image v0.27.0/go.mod h1:xbdrClrAUway1MUTEZDq9mz/UpRwYAkFFNUslZtcB+g=
-golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
-golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
+golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
+golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
-golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
-golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
-golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
+golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
 golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
@@ -349,17 +359,17 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
 golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
-golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
+golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
+golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
-golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
+golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
 golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
 golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
-golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
+golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
+golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -371,10 +381,10 @@ golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus
 golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 h1:M1rk8KBnUsBDg1oPGHNCxG4vc1f49epmTO7xscSajMk=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
-google.golang.org/grpc v1.77.0 h1:wVVY6/8cGA6vvffn+wWK5ToddbgdU3d8MNENr4evgXM=
-google.golang.org/grpc v1.77.0/go.mod h1:z0BY1iVj0q8E1uSQCjL9cppRj+gnZjzDnzV0dHhrNig=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+google.golang.org/grpc v1.79.1 h1:zGhSi45ODB9/p3VAawt9a+O/MULLl9dpizzNNpq7flY=
+google.golang.org/grpc v1.79.1/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
 google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=

include/registry.go

@@ -20,7 +20,6 @@ import (
 	"github.com/sagernet/sing-box/protocol/anytls"
 	"github.com/sagernet/sing-box/protocol/block"
 	"github.com/sagernet/sing-box/protocol/direct"
-	protocolDNS "github.com/sagernet/sing-box/protocol/dns"
 	"github.com/sagernet/sing-box/protocol/group"
 	"github.com/sagernet/sing-box/protocol/http"
 	"github.com/sagernet/sing-box/protocol/mixed"
@@ -76,7 +75,6 @@ func OutboundRegistry() *outbound.Registry {
 	direct.RegisterOutbound(registry)
 
 	block.RegisterOutbound(registry)
-	protocolDNS.RegisterOutbound(registry)
 
 	group.RegisterSelector(registry)
 	group.RegisterURLTest(registry)
@@ -94,7 +92,6 @@ func OutboundRegistry() *outbound.Registry {
 	anytls.RegisterOutbound(registry)
 
 	registerQUICOutbounds(registry)
-	registerWireGuardOutbound(registry)
 	registerStubForRemovedOutbounds(registry)
 
 	return registry
@@ -152,4 +149,7 @@ func registerStubForRemovedOutbounds(registry *outbound.Registry) {
 	outbound.Register[option.ShadowsocksROutboundOptions](registry, C.TypeShadowsocksR, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.ShadowsocksROutboundOptions) (adapter.Outbound, error) {
 		return nil, E.New("ShadowsocksR is deprecated and removed in sing-box 1.6.0")
 	})
+	outbound.Register[option.StubOptions](registry, C.TypeWireGuard, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.StubOptions) (adapter.Outbound, error) {
+		return nil, E.New("WireGuard outbound is deprecated in sing-box 1.11.0 and removed in sing-box 1.13.0, use WireGuard endpoint instead")
+	})
 }

include/wireguard.go

@@ -4,14 +4,9 @@ package include
 
 import (
 	"github.com/sagernet/sing-box/adapter/endpoint"
-	"github.com/sagernet/sing-box/adapter/outbound"
 	"github.com/sagernet/sing-box/protocol/wireguard"
 )
 
-func registerWireGuardOutbound(registry *outbound.Registry) {
-	wireguard.RegisterOutbound(registry)
-}
-
 func registerWireGuardEndpoint(registry *endpoint.Registry) {
 	wireguard.RegisterEndpoint(registry)
 }

include/wireguard_stub.go

@@ -7,19 +7,12 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/adapter/endpoint"
-	"github.com/sagernet/sing-box/adapter/outbound"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 
-func registerWireGuardOutbound(registry *outbound.Registry) {
-	outbound.Register[option.LegacyWireGuardOutboundOptions](registry, C.TypeWireGuard, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.LegacyWireGuardOutboundOptions) (adapter.Outbound, error) {
-		return nil, E.New(`WireGuard is not included in this build, rebuild with -tags with_wireguard`)
-	})
-}
-
 func registerWireGuardEndpoint(registry *endpoint.Registry) {
 	endpoint.Register[option.WireGuardEndpointOptions](registry, C.TypeWireGuard, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.WireGuardEndpointOptions) (adapter.Endpoint, error) {
 		return nil, E.New(`WireGuard is not included in this build, rebuild with -tags with_wireguard`)

mkdocs.yml

@@ -1,4 +1,5 @@
 site_name: sing-box
+site_url: https://sing-box.sagernet.org/
 site_author: nekohasekai
 repo_url: https://github.com/SagerNet/sing-box
 repo_name: SagerNet/sing-box

option/direct.go

@@ -3,7 +3,7 @@ package option
 import (
 	"context"
 
-	"github.com/sagernet/sing-box/experimental/deprecated"
+	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 )
 
@@ -31,8 +31,9 @@ func (d *DirectOutboundOptions) UnmarshalJSONContext(ctx context.Context, conten
 	if err != nil {
 		return err
 	}
+	//nolint:staticcheck
 	if d.OverrideAddress != "" || d.OverridePort != 0 {
-		deprecated.Report(ctx, deprecated.OptionDestinationOverrideFields)
+		return E.New("destination override fields in direct outbound are deprecated in sing-box 1.11.0 and removed in sing-box 1.13.0, use route options instead")
 	}
 	return nil
 }

option/inbound.go

@@ -55,7 +55,6 @@ type InboundOptions struct {
 	SniffTimeout              badoption.Duration `json:"sniff_timeout,omitempty"`
 	DomainStrategy            DomainStrategy     `json:"domain_strategy,omitempty"`
 	UDPDisableDomainUnmapping bool               `json:"udp_disable_domain_unmapping,omitempty"`
-	Detour                    string             `json:"detour,omitempty"`
 }
 
 type ListenOptions struct {
@@ -73,6 +72,7 @@ type ListenOptions struct {
 	UDPFragment          *bool              `json:"udp_fragment,omitempty"`
 	UDPFragmentDefault   bool               `json:"-"`
 	UDPTimeout           UDPTimeoutCompat   `json:"udp_timeout,omitempty"`
+	Detour               string             `json:"detour,omitempty"`
 
 	// Deprecated: removed
 	ProxyProtocol bool `json:"proxy_protocol,omitempty"`

option/outbound.go

@@ -4,7 +4,6 @@ import (
 	"context"
 
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/deprecated"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 	"github.com/sagernet/sing/common/json/badjson"
@@ -40,7 +39,7 @@ func (h *Outbound) UnmarshalJSONContext(ctx context.Context, content []byte) err
 	}
 	switch h.Type {
 	case C.TypeDNS:
-		deprecated.Report(ctx, deprecated.OptionSpecialOutbounds)
+		return E.New("dns outbound is deprecated in sing-box 1.11.0 and removed in sing-box 1.13.0, use rule actions instead")
 	}
 	options, loaded := registry.CreateOptions(h.Type)
 	if !loaded {
@@ -51,8 +50,9 @@ func (h *Outbound) UnmarshalJSONContext(ctx context.Context, content []byte) err
 		return err
 	}
 	if listenWrapper, isListen := options.(ListenOptionsWrapper); isListen {
+		//nolint:staticcheck
 		if listenWrapper.TakeListenOptions().InboundOptions != (InboundOptions{}) {
-			deprecated.Report(ctx, deprecated.OptionInboundOptions)
+			return E.New("legacy inbound fields are deprecated in sing-box 1.11.0 and removed in sing-box 1.13.0, use rule actions instead")
 		}
 	}
 	h.Options = options

option/wireguard.go

@@ -28,28 +28,3 @@ type WireGuardPeer struct {
 	PersistentKeepaliveInterval uint16                           `json:"persistent_keepalive_interval,omitempty"`
 	Reserved                    []uint8                          `json:"reserved,omitempty"`
 }
-
-type LegacyWireGuardOutboundOptions struct {
-	DialerOptions
-	SystemInterface bool                             `json:"system_interface,omitempty"`
-	GSO             bool                             `json:"gso,omitempty"`
-	InterfaceName   string                           `json:"interface_name,omitempty"`
-	LocalAddress    badoption.Listable[netip.Prefix] `json:"local_address"`
-	PrivateKey      string                           `json:"private_key"`
-	Peers           []LegacyWireGuardPeer            `json:"peers,omitempty"`
-	ServerOptions
-	PeerPublicKey string      `json:"peer_public_key"`
-	PreSharedKey  string      `json:"pre_shared_key,omitempty"`
-	Reserved      []uint8     `json:"reserved,omitempty"`
-	Workers       int         `json:"workers,omitempty"`
-	MTU           uint32      `json:"mtu,omitempty"`
-	Network       NetworkList `json:"network,omitempty"`
-}
-
-type LegacyWireGuardPeer struct {
-	ServerOptions
-	PublicKey    string                           `json:"public_key,omitempty"`
-	PreSharedKey string                           `json:"pre_shared_key,omitempty"`
-	AllowedIPs   badoption.Listable[netip.Prefix] `json:"allowed_ips,omitempty"`
-	Reserved     []uint8                          `json:"reserved,omitempty"`
-}

protocol/anytls/inbound.go

@@ -122,7 +122,6 @@ func (h *inboundHandler) NewConnectionEx(ctx context.Context, conn net.Conn, sou
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.Source = source
 	metadata.Destination = destination.Unwrap()
 	if userName, _ := auth.UserFromContext[string](ctx); userName != "" {

protocol/direct/inbound.go

@@ -111,7 +111,6 @@ func (i *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 	//nolint:staticcheck
 	metadata.InboundDetour = i.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = i.listener.ListenOptions().InboundOptions
 	metadata.Source = source
 	destination = i.listener.UDPAddr()
 	switch i.overrideOption {

protocol/direct/outbound.go

@@ -16,7 +16,6 @@ import (
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing-tun/ping"
 	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
@@ -36,14 +35,12 @@ var (
 
 type Outbound struct {
 	outbound.Adapter
-	ctx                 context.Context
-	logger              logger.ContextLogger
-	dialer              dialer.ParallelInterfaceDialer
-	domainStrategy      C.DomainStrategy
-	fallbackDelay       time.Duration
-	overrideOption      int
-	overrideDestination M.Socksaddr
-	isEmpty             bool
+	ctx            context.Context
+	logger         logger.ContextLogger
+	dialer         dialer.ParallelInterfaceDialer
+	domainStrategy C.DomainStrategy
+	fallbackDelay  time.Duration
+	isEmpty        bool
 	// loopBack *loopBackDetector
 }
 
@@ -69,25 +66,13 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 		domainStrategy: C.DomainStrategy(options.DomainStrategy),
 		fallbackDelay:  time.Duration(options.FallbackDelay),
 		dialer:         outboundDialer.(dialer.ParallelInterfaceDialer),
-		//nolint:staticcheck
-		isEmpty: reflect.DeepEqual(options.DialerOptions, option.DialerOptions{UDPFragmentDefault: true}) && options.OverrideAddress == "" && options.OverridePort == 0,
+		isEmpty:        reflect.DeepEqual(options.DialerOptions, option.DialerOptions{UDPFragmentDefault: true}),
 		// loopBack:       newLoopBackDetector(router),
 	}
 	//nolint:staticcheck
 	if options.ProxyProtocol != 0 {
 		return nil, E.New("Proxy Protocol is deprecated and removed in sing-box 1.6.0")
 	}
-	//nolint:staticcheck
-	if options.OverrideAddress != "" && options.OverridePort != 0 {
-		outbound.overrideOption = 1
-		outbound.overrideDestination = M.ParseSocksaddrHostPort(options.OverrideAddress, options.OverridePort)
-	} else if options.OverrideAddress != "" {
-		outbound.overrideOption = 2
-		outbound.overrideDestination = M.ParseSocksaddrHostPort(options.OverrideAddress, options.OverridePort)
-	} else if options.OverridePort != 0 {
-		outbound.overrideOption = 3
-		outbound.overrideDestination = M.Socksaddr{Port: options.OverridePort}
-	}
 	return outbound, nil
 }
 
@@ -95,16 +80,6 @@ func (h *Outbound) DialContext(ctx context.Context, network string, destination
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
-	switch h.overrideOption {
-	case 1:
-		destination = h.overrideDestination
-	case 2:
-		newDestination := h.overrideDestination
-		newDestination.Port = destination.Port
-		destination = newDestination
-	case 3:
-		destination.Port = h.overrideDestination.Port
-	}
 	network = N.NetworkName(network)
 	switch network {
 	case N.NetworkTCP:
@@ -124,30 +99,12 @@ func (h *Outbound) ListenPacket(ctx context.Context, destination M.Socksaddr) (n
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
-	originDestination := destination
-	switch h.overrideOption {
-	case 1:
-		destination = h.overrideDestination
-	case 2:
-		newDestination := h.overrideDestination
-		newDestination.Port = destination.Port
-		destination = newDestination
-	case 3:
-		destination.Port = h.overrideDestination.Port
-	}
-	if h.overrideOption == 0 {
-		h.logger.InfoContext(ctx, "outbound packet connection")
-	} else {
-		h.logger.InfoContext(ctx, "outbound packet connection to ", destination)
-	}
+	h.logger.InfoContext(ctx, "outbound packet connection")
 	conn, err := h.dialer.ListenPacket(ctx, destination)
 	if err != nil {
 		return nil, err
 	}
 	// conn = h.loopBack.NewPacketConn(bufio.NewPacketConn(conn), destination)
-	if originDestination != destination {
-		conn = bufio.NewNATPacketConn(bufio.NewPacketConn(conn), destination, originDestination)
-	}
 	return conn, nil
 }
 
@@ -165,13 +122,6 @@ func (h *Outbound) DialParallel(ctx context.Context, network string, destination
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
-	switch h.overrideOption {
-	case 1, 2:
-		// override address
-		return h.DialContext(ctx, network, destination)
-	case 3:
-		destination.Port = h.overrideDestination.Port
-	}
 	network = N.NetworkName(network)
 	switch network {
 	case N.NetworkTCP:
@@ -186,13 +136,6 @@ func (h *Outbound) DialParallelNetwork(ctx context.Context, network string, dest
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
-	switch h.overrideOption {
-	case 1, 2:
-		// override address
-		return h.DialContext(ctx, network, destination)
-	case 3:
-		destination.Port = h.overrideDestination.Port
-	}
 	network = N.NetworkName(network)
 	switch network {
 	case N.NetworkTCP:
@@ -207,21 +150,7 @@ func (h *Outbound) ListenSerialNetworkPacket(ctx context.Context, destination M.
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
-	switch h.overrideOption {
-	case 1:
-		destination = h.overrideDestination
-	case 2:
-		newDestination := h.overrideDestination
-		newDestination.Port = destination.Port
-		destination = newDestination
-	case 3:
-		destination.Port = h.overrideDestination.Port
-	}
-	if h.overrideOption == 0 {
-		h.logger.InfoContext(ctx, "outbound packet connection")
-	} else {
-		h.logger.InfoContext(ctx, "outbound packet connection to ", destination)
-	}
+	h.logger.InfoContext(ctx, "outbound packet connection")
 	conn, newDestination, err := dialer.ListenSerialNetworkPacket(ctx, h.dialer, destination, destinationAddresses, networkStrategy, networkType, fallbackNetworkType, fallbackDelay)
 	if err != nil {
 		return nil, netip.Addr{}, err

protocol/hysteria/inbound.go

@@ -118,7 +118,6 @@ func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, source M.S
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.OriginDestination = h.listener.UDPAddr()
 	metadata.Source = source
 	metadata.Destination = destination
@@ -141,7 +140,6 @@ func (h *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.OriginDestination = h.listener.UDPAddr()
 	metadata.Source = source
 	metadata.Destination = destination

protocol/hysteria2/inbound.go

@@ -151,7 +151,6 @@ func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, source M.S
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.OriginDestination = h.listener.UDPAddr()
 	metadata.Source = source
 	metadata.Destination = destination
@@ -174,7 +173,6 @@ func (h *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.OriginDestination = h.listener.UDPAddr()
 	metadata.Source = source
 	metadata.Destination = destination

protocol/naive/inbound.go

@@ -209,7 +209,6 @@ func (n *Inbound) newConnection(ctx context.Context, waitForClose bool, conn net
 	//nolint:staticcheck
 	metadata.InboundDetour = n.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = n.listener.ListenOptions().InboundOptions
 	metadata.Source = source
 	metadata.Destination = destination
 	metadata.OriginDestination = M.SocksaddrFromNet(conn.LocalAddr()).Unwrap()

protocol/shadowsocks/inbound_multi.go

@@ -175,7 +175,6 @@ func (h *MultiInbound) newConnection(ctx context.Context, conn net.Conn, metadat
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	if h.tracker != nil {
 		conn = h.tracker.TrackConnection(conn, metadata)
 	}
@@ -201,7 +200,6 @@ func (h *MultiInbound) newPacketConnection(ctx context.Context, conn N.PacketCon
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	if h.tracker != nil {
 		conn = h.tracker.TrackPacketConnection(conn, metadata)
 	}

protocol/shadowsocks/inbound_relay.go

@@ -135,7 +135,6 @@ func (h *RelayInbound) newConnection(ctx context.Context, conn net.Conn, metadat
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	return h.router.RouteConnection(ctx, conn, metadata)
 }
 
@@ -158,7 +157,6 @@ func (h *RelayInbound) newPacketConnection(ctx context.Context, conn N.PacketCon
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	return h.router.RoutePacketConnection(ctx, conn, metadata)
 }
 

protocol/shadowtls/inbound.go

@@ -129,7 +129,6 @@ func (h *inboundHandler) NewConnectionEx(ctx context.Context, conn net.Conn, sou
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.Source = source
 	metadata.Destination = destination
 	if userName, _ := auth.UserFromContext[string](ctx); userName != "" {

protocol/tailscale/dns_transport.go

@@ -1,3 +1,5 @@
+//go:build with_gvisor
+
 package tailscale
 
 import (

protocol/tailscale/endpoint.go

@@ -1,3 +1,5 @@
+//go:build with_gvisor
+
 package tailscale
 
 import (
@@ -46,6 +48,7 @@ import (
 	"github.com/sagernet/tailscale/ipn"
 	tsDNS "github.com/sagernet/tailscale/net/dns"
 	"github.com/sagernet/tailscale/net/netmon"
+	"github.com/sagernet/tailscale/net/netns"
 	"github.com/sagernet/tailscale/net/tsaddr"
 	tsTUN "github.com/sagernet/tailscale/net/tstun"
 	"github.com/sagernet/tailscale/tsnet"
@@ -63,6 +66,7 @@ import (
 var (
 	_ adapter.OutboundWithPreferredRoutes = (*Endpoint)(nil)
 	_ adapter.DirectRouteOutbound         = (*Endpoint)(nil)
+	_ dialer.PacketDialerWithDestination  = (*Endpoint)(nil)
 )
 
 func init() {
@@ -107,6 +111,7 @@ type Endpoint struct {
 	systemInterfaceName string
 	systemInterfaceMTU  uint32
 	systemTun           tun.Tun
+	systemDialer        *dialer.DefaultDialer
 	fallbackTCPCloser   func()
 }
 
@@ -143,7 +148,7 @@ func (t *Endpoint) registerNetstackHandlers() {
 			ctx := log.ContextWithNewID(t.ctx)
 			source := M.SocksaddrFrom(src.Addr(), src.Port())
 			destination := M.SocksaddrFrom(dst.Addr(), dst.Port())
-			packetConn := bufio.NewPacketConn(conn)
+			packetConn := bufio.NewUnbindPacketConnWithAddr(conn, destination)
 			t.NewPacketConnectionEx(ctx, packetConn, source, destination, nil)
 		}, true
 	}
@@ -284,9 +289,6 @@ func (t *Endpoint) Start(stage adapter.StartStage) error {
 				}
 			}), nil
 		})
-		if runtime.GOOS == "android" {
-			setAndroidProtectFunc(t.platformInterface)
-		}
 	}
 	if t.systemInterface {
 		mtu := t.systemInterfaceMTU
@@ -321,9 +323,30 @@ func (t *Endpoint) Start(stage adapter.StartStage) error {
 			_ = systemTun.Close()
 			return err
 		}
+		systemDialer, err := dialer.NewDefault(t.ctx, option.DialerOptions{
+			BindInterface: tunName,
+		})
+		if err != nil {
+			_ = systemTun.Close()
+			return err
+		}
 		t.systemTun = systemTun
+		t.systemDialer = systemDialer
 		t.server.TunDevice = wgTunDevice
 	}
+	if mark := t.network.AutoRedirectOutputMark(); mark > 0 {
+		controlFunc := t.network.AutoRedirectOutputMarkFunc()
+		if bindFunc := t.network.AutoDetectInterfaceFunc(); bindFunc != nil {
+			controlFunc = control.Append(controlFunc, bindFunc)
+		}
+		netns.SetControlFunc(controlFunc)
+	} else if runtime.GOOS == "android" && t.platformInterface != nil {
+		netns.SetControlFunc(func(network, address string, c syscall.RawConn) error {
+			return control.Raw(c, func(fd uintptr) error {
+				return t.platformInterface.AutoDetectInterfaceControl(int(fd))
+			})
+		})
+	}
 	err := t.server.Start()
 	if err != nil {
 		if t.systemTun != nil {
@@ -449,14 +472,17 @@ func (t *Endpoint) watchState() {
 
 func (t *Endpoint) Close() error {
 	netmon.RegisterInterfaceGetter(nil)
-	if runtime.GOOS == "android" {
-		setAndroidProtectFunc(nil)
-	}
+	netns.SetControlFunc(nil)
 	if t.fallbackTCPCloser != nil {
 		t.fallbackTCPCloser()
 		t.fallbackTCPCloser = nil
 	}
-	return common.Close(common.PtrOrNil(t.server))
+	err := common.Close(common.PtrOrNil(t.server))
+	if t.systemTun != nil {
+		t.systemTun.Close()
+		t.systemTun = nil
+	}
+	return err
 }
 
 func (t *Endpoint) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
@@ -473,6 +499,9 @@ func (t *Endpoint) DialContext(ctx context.Context, network string, destination
 		}
 		return N.DialSerial(ctx, t, network, destination, destinationAddresses)
 	}
+	if t.systemDialer != nil {
+		return t.systemDialer.DialContext(ctx, network, destination)
+	}
 	addr4, addr6 := t.server.TailscaleIPs()
 	remoteAddr := tcpip.FullAddress{
 		NIC:  1,
@@ -518,18 +547,9 @@ func (t *Endpoint) DialContext(ctx context.Context, network string, destination
 	}
 }
 
-func (t *Endpoint) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	t.logger.InfoContext(ctx, "outbound packet connection to ", destination)
-	if destination.IsFqdn() {
-		destinationAddresses, err := t.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
-		if err != nil {
-			return nil, err
-		}
-		packetConn, _, err := N.ListenSerial(ctx, t, destination, destinationAddresses)
-		if err != nil {
-			return nil, err
-		}
-		return packetConn, err
+func (t *Endpoint) listenPacketWithAddress(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	if t.systemDialer != nil {
+		return t.systemDialer.ListenPacket(ctx, destination)
 	}
 	addr4, addr6 := t.server.TailscaleIPs()
 	bind := tcpip.FullAddress{
@@ -556,6 +576,44 @@ func (t *Endpoint) ListenPacket(ctx context.Context, destination M.Socksaddr) (n
 	return udpConn, nil
 }
 
+func (t *Endpoint) ListenPacketWithDestination(ctx context.Context, destination M.Socksaddr) (net.PacketConn, netip.Addr, error) {
+	t.logger.InfoContext(ctx, "outbound packet connection to ", destination)
+	if destination.IsFqdn() {
+		destinationAddresses, err := t.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
+		if err != nil {
+			return nil, netip.Addr{}, err
+		}
+		var errors []error
+		for _, address := range destinationAddresses {
+			packetConn, packetErr := t.listenPacketWithAddress(ctx, M.SocksaddrFrom(address, destination.Port))
+			if packetErr == nil {
+				return packetConn, address, nil
+			}
+			errors = append(errors, packetErr)
+		}
+		return nil, netip.Addr{}, E.Errors(errors...)
+	}
+	packetConn, err := t.listenPacketWithAddress(ctx, destination)
+	if err != nil {
+		return nil, netip.Addr{}, err
+	}
+	if destination.IsIP() {
+		return packetConn, destination.Addr, nil
+	}
+	return packetConn, netip.Addr{}, nil
+}
+
+func (t *Endpoint) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	packetConn, destinationAddress, err := t.ListenPacketWithDestination(ctx, destination)
+	if err != nil {
+		return nil, err
+	}
+	if destinationAddress.IsValid() && destination != M.SocksaddrFrom(destinationAddress, destination.Port) {
+		return bufio.NewNATPacketConn(bufio.NewPacketConn(packetConn), M.SocksaddrFrom(destinationAddress, destination.Port), destination), nil
+	}
+	return packetConn, nil
+}
+
 func (t *Endpoint) PrepareConnection(network string, source M.Socksaddr, destination M.Socksaddr, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
 	tsFilter := t.filter.Load()
 	if tsFilter != nil {
@@ -650,19 +708,29 @@ func (t *Endpoint) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 }
 
 func (t *Endpoint) NewDirectRouteConnection(metadata adapter.InboundContext, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
-	inet4Address, inet6Address := t.server.TailscaleIPs()
-	if metadata.Destination.Addr.Is4() && !inet4Address.IsValid() || metadata.Destination.Addr.Is6() && !inet6Address.IsValid() {
-		return nil, E.New("Tailscale is not ready yet")
-	}
 	ctx := log.ContextWithNewID(t.ctx)
-	destination, err := ping.ConnectGVisor(
-		ctx, t.logger,
-		metadata.Source.Addr, metadata.Destination.Addr,
-		routeContext,
-		t.stack,
-		inet4Address, inet6Address,
-		timeout,
-	)
+	var destination tun.DirectRouteDestination
+	var err error
+	if t.systemDialer != nil {
+		destination, err = ping.ConnectDestination(
+			ctx, t.logger,
+			t.systemDialer.DialerForICMPDestination(metadata.Destination.Addr).Control,
+			metadata.Destination.Addr, routeContext, timeout,
+		)
+	} else {
+		inet4Address, inet6Address := t.server.TailscaleIPs()
+		if metadata.Destination.Addr.Is4() && !inet4Address.IsValid() || metadata.Destination.Addr.Is6() && !inet6Address.IsValid() {
+			return nil, E.New("Tailscale is not ready yet")
+		}
+		destination, err = ping.ConnectGVisor(
+			ctx, t.logger,
+			metadata.Source.Addr, metadata.Destination.Addr,
+			routeContext,
+			t.stack,
+			inet4Address, inet6Address,
+			timeout,
+		)
+	}
 	if err != nil {
 		return nil, err
 	}

protocol/tailscale/protect_android.go

@@ -1,16 +0,0 @@
-package tailscale
-
-import (
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/tailscale/net/netns"
-)
-
-func setAndroidProtectFunc(platformInterface adapter.PlatformInterface) {
-	if platformInterface != nil {
-		netns.SetAndroidProtectFunc(func(fd int) error {
-			return platformInterface.AutoDetectInterfaceControl(fd)
-		})
-	} else {
-		netns.SetAndroidProtectFunc(nil)
-	}
-}

protocol/tailscale/protect_nonandroid.go

@@ -1,8 +0,0 @@
-//go:build !android
-
-package tailscale
-
-import "github.com/sagernet/sing-box/adapter"
-
-func setAndroidProtectFunc(platformInterface adapter.PlatformInterface) {
-}

protocol/tailscale/tun_device_unix.go

@@ -1,4 +1,4 @@
-//go:build !windows
+//go:build with_gvisor && !windows
 
 package tailscale
 

protocol/tailscale/tun_device_windows.go

@@ -1,4 +1,4 @@
-//go:build windows
+//go:build with_gvisor && windows
 
 package tailscale
 

protocol/trojan/inbound.go

@@ -257,7 +257,6 @@ func (h *inboundTransportHandler) NewConnectionEx(ctx context.Context, conn net.
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	h.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
 	(*Inbound)(h).NewConnectionEx(ctx, conn, metadata, onClose)
 }

protocol/tuic/inbound.go

@@ -108,7 +108,6 @@ func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, source M.S
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.OriginDestination = h.listener.UDPAddr()
 	metadata.Source = source
 	metadata.Destination = destination
@@ -131,7 +130,6 @@ func (h *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.OriginDestination = h.listener.UDPAddr()
 	metadata.Source = source
 	metadata.Destination = destination

protocol/tun/inbound.go

@@ -14,7 +14,6 @@ import (
 	"github.com/sagernet/sing-box/adapter/inbound"
 	"github.com/sagernet/sing-box/common/taskmonitor"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/route/rule"
@@ -36,13 +35,11 @@ func RegisterInbound(registry *inbound.Registry) {
 }
 
 type Inbound struct {
-	tag            string
-	ctx            context.Context
-	router         adapter.Router
-	networkManager adapter.NetworkManager
-	logger         log.ContextLogger
-	//nolint:staticcheck
-	inboundOptions              option.InboundOptions
+	tag                         string
+	ctx                         context.Context
+	router                      adapter.Router
+	networkManager              adapter.NetworkManager
+	logger                      log.ContextLogger
 	tunOptions                  tun.Options
 	udpTimeout                  time.Duration
 	stack                       string
@@ -60,20 +57,18 @@ type Inbound struct {
 }
 
 func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.TunInboundOptions) (adapter.Inbound, error) {
+	//nolint:staticcheck
+	if len(options.Inet4Address) > 0 || len(options.Inet6Address) > 0 ||
+		len(options.Inet4RouteAddress) > 0 || len(options.Inet6RouteAddress) > 0 ||
+		len(options.Inet4RouteExcludeAddress) > 0 || len(options.Inet6RouteExcludeAddress) > 0 {
+		return nil, E.New("legacy tun address fields are deprecated in sing-box 1.10.0 and removed in sing-box 1.12.0")
+	}
+	//nolint:staticcheck
+	if options.GSO {
+		return nil, E.New("GSO option in tun is deprecated in sing-box 1.11.0 and removed in sing-box 1.12.0")
+	}
+
 	address := options.Address
-	var deprecatedAddressUsed bool
-
-	//nolint:staticcheck
-	if len(options.Inet4Address) > 0 {
-		address = append(address, options.Inet4Address...)
-		deprecatedAddressUsed = true
-	}
-
-	//nolint:staticcheck
-	if len(options.Inet6Address) > 0 {
-		address = append(address, options.Inet6Address...)
-		deprecatedAddressUsed = true
-	}
 	inet4Address := common.Filter(address, func(it netip.Prefix) bool {
 		return it.Addr().Is4()
 	})
@@ -82,18 +77,6 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 	})
 
 	routeAddress := options.RouteAddress
-
-	//nolint:staticcheck
-	if len(options.Inet4RouteAddress) > 0 {
-		routeAddress = append(routeAddress, options.Inet4RouteAddress...)
-		deprecatedAddressUsed = true
-	}
-
-	//nolint:staticcheck
-	if len(options.Inet6RouteAddress) > 0 {
-		routeAddress = append(routeAddress, options.Inet6RouteAddress...)
-		deprecatedAddressUsed = true
-	}
 	inet4RouteAddress := common.Filter(routeAddress, func(it netip.Prefix) bool {
 		return it.Addr().Is4()
 	})
@@ -102,18 +85,6 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 	})
 
 	routeExcludeAddress := options.RouteExcludeAddress
-
-	//nolint:staticcheck
-	if len(options.Inet4RouteExcludeAddress) > 0 {
-		routeExcludeAddress = append(routeExcludeAddress, options.Inet4RouteExcludeAddress...)
-		deprecatedAddressUsed = true
-	}
-
-	//nolint:staticcheck
-	if len(options.Inet6RouteExcludeAddress) > 0 {
-		routeExcludeAddress = append(routeExcludeAddress, options.Inet6RouteExcludeAddress...)
-		deprecatedAddressUsed = true
-	}
 	inet4RouteExcludeAddress := common.Filter(routeExcludeAddress, func(it netip.Prefix) bool {
 		return it.Addr().Is4()
 	})
@@ -121,15 +92,6 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 		return it.Addr().Is6()
 	})
 
-	if deprecatedAddressUsed {
-		deprecated.Report(ctx, deprecated.OptionTUNAddressX)
-	}
-
-	//nolint:staticcheck
-	if options.GSO {
-		deprecated.Report(ctx, deprecated.OptionTUNGSO)
-	}
-
 	platformInterface := service.FromContext[adapter.PlatformInterface](ctx)
 	tunMTU := options.MTU
 	enableGSO := C.IsLinux && options.Stack == "gvisor" && platformInterface == nil && tunMTU > 0 && tunMTU < 49152
@@ -202,7 +164,6 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 		router:         router,
 		networkManager: networkManager,
 		logger:         logger,
-		inboundOptions: options.InboundOptions,
 		tunOptions: tun.Options{
 			Name:                                  options.InterfaceName,
 			MTU:                                   tunMTU,
@@ -478,13 +439,12 @@ func (t *Inbound) PrepareConnection(network string, source M.Socksaddr, destinat
 		ipVersion = 6
 	}
 	routeDestination, err := t.router.PreMatch(adapter.InboundContext{
-		Inbound:        t.tag,
-		InboundType:    C.TypeTun,
-		IPVersion:      ipVersion,
-		Network:        network,
-		Source:         source,
-		Destination:    destination,
-		InboundOptions: t.inboundOptions,
+		Inbound:     t.tag,
+		InboundType: C.TypeTun,
+		IPVersion:   ipVersion,
+		Network:     network,
+		Source:      source,
+		Destination: destination,
 	}, routeContext, timeout, false)
 	if err != nil {
 		switch {
@@ -508,8 +468,7 @@ func (t *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, source M.S
 	metadata.InboundType = C.TypeTun
 	metadata.Source = source
 	metadata.Destination = destination
-	//nolint:staticcheck
-	metadata.InboundOptions = t.inboundOptions
+
 	t.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
 	t.logger.InfoContext(ctx, "inbound connection to ", metadata.Destination)
 	t.router.RouteConnectionEx(ctx, conn, metadata, onClose)
@@ -522,8 +481,7 @@ func (t *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 	metadata.InboundType = C.TypeTun
 	metadata.Source = source
 	metadata.Destination = destination
-	//nolint:staticcheck
-	metadata.InboundOptions = t.inboundOptions
+
 	t.logger.InfoContext(ctx, "inbound packet connection from ", metadata.Source)
 	t.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
 	t.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
@@ -539,13 +497,12 @@ func (t *autoRedirectHandler) PrepareConnection(network string, source M.Socksad
 		ipVersion = 6
 	}
 	routeDestination, err := t.router.PreMatch(adapter.InboundContext{
-		Inbound:        t.tag,
-		InboundType:    C.TypeTun,
-		IPVersion:      ipVersion,
-		Network:        network,
-		Source:         source,
-		Destination:    destination,
-		InboundOptions: t.inboundOptions,
+		Inbound:     t.tag,
+		InboundType: C.TypeTun,
+		IPVersion:   ipVersion,
+		Network:     network,
+		Source:      source,
+		Destination: destination,
 	}, routeContext, timeout, true)
 	if err != nil {
 		switch {
@@ -569,8 +526,7 @@ func (t *autoRedirectHandler) NewConnectionEx(ctx context.Context, conn net.Conn
 	metadata.InboundType = C.TypeTun
 	metadata.Source = source
 	metadata.Destination = destination
-	//nolint:staticcheck
-	metadata.InboundOptions = t.inboundOptions
+
 	t.logger.InfoContext(ctx, "inbound redirect connection from ", metadata.Source)
 	t.logger.InfoContext(ctx, "inbound connection to ", metadata.Destination)
 	t.router.RouteConnectionEx(ctx, conn, metadata, onClose)

protocol/vless/inbound.go

@@ -217,7 +217,6 @@ func (h *inboundTransportHandler) NewConnectionEx(ctx context.Context, conn net.
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	h.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
 	(*Inbound)(h).NewConnectionEx(ctx, conn, metadata, onClose)
 }

protocol/vmess/inbound.go

@@ -223,7 +223,6 @@ func (h *inboundTransportHandler) NewConnectionEx(ctx context.Context, conn net.
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	h.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
 	(*Inbound)(h).NewConnectionEx(ctx, conn, metadata, onClose)
 }

protocol/wireguard/endpoint.go

@@ -24,7 +24,10 @@ import (
 	"github.com/sagernet/sing/service"
 )
 
-var _ adapter.OutboundWithPreferredRoutes = (*Endpoint)(nil)
+var (
+	_ adapter.OutboundWithPreferredRoutes = (*Endpoint)(nil)
+	_ dialer.PacketDialerWithDestination  = (*Endpoint)(nil)
+)
 
 func RegisterEndpoint(registry *endpoint.Registry) {
 	endpoint.Register[option.WireGuardEndpointOptions](registry, C.TypeWireGuard, NewEndpoint)
@@ -219,20 +222,34 @@ func (w *Endpoint) DialContext(ctx context.Context, network string, destination
 	return w.endpoint.DialContext(ctx, network, destination)
 }
 
-func (w *Endpoint) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+func (w *Endpoint) ListenPacketWithDestination(ctx context.Context, destination M.Socksaddr) (net.PacketConn, netip.Addr, error) {
 	w.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 	if destination.IsFqdn() {
 		destinationAddresses, err := w.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
 		if err != nil {
-			return nil, err
+			return nil, netip.Addr{}, err
 		}
-		packetConn, _, err := N.ListenSerial(ctx, w.endpoint, destination, destinationAddresses)
-		if err != nil {
-			return nil, err
-		}
-		return packetConn, err
+		return N.ListenSerial(ctx, w.endpoint, destination, destinationAddresses)
 	}
-	return w.endpoint.ListenPacket(ctx, destination)
+	packetConn, err := w.endpoint.ListenPacket(ctx, destination)
+	if err != nil {
+		return nil, netip.Addr{}, err
+	}
+	if destination.IsIP() {
+		return packetConn, destination.Addr, nil
+	}
+	return packetConn, netip.Addr{}, nil
+}
+
+func (w *Endpoint) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	packetConn, destinationAddress, err := w.ListenPacketWithDestination(ctx, destination)
+	if err != nil {
+		return nil, err
+	}
+	if destinationAddress.IsValid() && destination != M.SocksaddrFrom(destinationAddress, destination.Port) {
+		return bufio.NewNATPacketConn(bufio.NewPacketConn(packetConn), M.SocksaddrFrom(destinationAddress, destination.Port), destination), nil
+	}
+	return packetConn, nil
 }
 
 func (w *Endpoint) PreferredDomain(domain string) bool {

protocol/wireguard/outbound.go

@@ -1,176 +0,0 @@
-package wireguard
-
-import (
-	"context"
-	"net"
-	"net/netip"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/adapter/outbound"
-	"github.com/sagernet/sing-box/common/dialer"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/deprecated"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-box/transport/wireguard"
-	tun "github.com/sagernet/sing-tun"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/service"
-)
-
-var _ adapter.OutboundWithPreferredRoutes = (*Outbound)(nil)
-
-func RegisterOutbound(registry *outbound.Registry) {
-	outbound.Register[option.LegacyWireGuardOutboundOptions](registry, C.TypeWireGuard, NewOutbound)
-}
-
-type Outbound struct {
-	outbound.Adapter
-	ctx            context.Context
-	dnsRouter      adapter.DNSRouter
-	logger         logger.ContextLogger
-	localAddresses []netip.Prefix
-	endpoint       *wireguard.Endpoint
-}
-
-func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.LegacyWireGuardOutboundOptions) (adapter.Outbound, error) {
-	deprecated.Report(ctx, deprecated.OptionWireGuardOutbound)
-	if options.GSO {
-		deprecated.Report(ctx, deprecated.OptionWireGuardGSO)
-	}
-	outbound := &Outbound{
-		Adapter:        outbound.NewAdapterWithDialerOptions(C.TypeWireGuard, tag, []string{N.NetworkTCP, N.NetworkUDP, N.NetworkICMP}, options.DialerOptions),
-		ctx:            ctx,
-		dnsRouter:      service.FromContext[adapter.DNSRouter](ctx),
-		logger:         logger,
-		localAddresses: options.LocalAddress,
-	}
-	if options.Detour != "" && options.GSO {
-		return nil, E.New("gso is conflict with detour")
-	}
-	outboundDialer, err := dialer.NewWithOptions(dialer.Options{
-		Context: ctx,
-		Options: options.DialerOptions,
-		RemoteIsDomain: options.ServerIsDomain() || common.Any(options.Peers, func(it option.LegacyWireGuardPeer) bool {
-			return it.ServerIsDomain()
-		}),
-		ResolverOnDetour: true,
-	})
-	if err != nil {
-		return nil, err
-	}
-	peers := common.Map(options.Peers, func(it option.LegacyWireGuardPeer) wireguard.PeerOptions {
-		return wireguard.PeerOptions{
-			Endpoint:     it.ServerOptions.Build(),
-			PublicKey:    it.PublicKey,
-			PreSharedKey: it.PreSharedKey,
-			AllowedIPs:   it.AllowedIPs,
-			// PersistentKeepaliveInterval: time.Duration(it.PersistentKeepaliveInterval),
-			Reserved: it.Reserved,
-		}
-	})
-	if len(peers) == 0 {
-		peers = []wireguard.PeerOptions{{
-			Endpoint:     options.ServerOptions.Build(),
-			PublicKey:    options.PeerPublicKey,
-			PreSharedKey: options.PreSharedKey,
-			AllowedIPs:   []netip.Prefix{netip.PrefixFrom(netip.IPv4Unspecified(), 0), netip.PrefixFrom(netip.IPv6Unspecified(), 0)},
-			Reserved:     options.Reserved,
-		}}
-	}
-	wgEndpoint, err := wireguard.NewEndpoint(wireguard.EndpointOptions{
-		Context: ctx,
-		Logger:  logger,
-		System:  options.SystemInterface,
-		Dialer:  outboundDialer,
-		CreateDialer: func(interfaceName string) N.Dialer {
-			return common.Must1(dialer.NewDefault(ctx, option.DialerOptions{
-				BindInterface: interfaceName,
-			}))
-		},
-		Name:       options.InterfaceName,
-		MTU:        options.MTU,
-		Address:    options.LocalAddress,
-		PrivateKey: options.PrivateKey,
-		ResolvePeer: func(domain string) (netip.Addr, error) {
-			endpointAddresses, lookupErr := outbound.dnsRouter.Lookup(ctx, domain, outboundDialer.(dialer.ResolveDialer).QueryOptions())
-			if lookupErr != nil {
-				return netip.Addr{}, lookupErr
-			}
-			return endpointAddresses[0], nil
-		},
-		Peers:   peers,
-		Workers: options.Workers,
-	})
-	if err != nil {
-		return nil, err
-	}
-	outbound.endpoint = wgEndpoint
-	return outbound, nil
-}
-
-func (o *Outbound) Start(stage adapter.StartStage) error {
-	switch stage {
-	case adapter.StartStateStart:
-		return o.endpoint.Start(false)
-	case adapter.StartStatePostStart:
-		return o.endpoint.Start(true)
-	}
-	return nil
-}
-
-func (o *Outbound) Close() error {
-	return o.endpoint.Close()
-}
-
-func (o *Outbound) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	switch network {
-	case N.NetworkTCP:
-		o.logger.InfoContext(ctx, "outbound connection to ", destination)
-	case N.NetworkUDP:
-		o.logger.InfoContext(ctx, "outbound packet connection to ", destination)
-	}
-	if destination.IsFqdn() {
-		destinationAddresses, err := o.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
-		if err != nil {
-			return nil, err
-		}
-		return N.DialSerial(ctx, o.endpoint, network, destination, destinationAddresses)
-	} else if !destination.Addr.IsValid() {
-		return nil, E.New("invalid destination: ", destination)
-	}
-	return o.endpoint.DialContext(ctx, network, destination)
-}
-
-func (o *Outbound) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	o.logger.InfoContext(ctx, "outbound packet connection to ", destination)
-	if destination.IsFqdn() {
-		destinationAddresses, err := o.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
-		if err != nil {
-			return nil, err
-		}
-		packetConn, _, err := N.ListenSerial(ctx, o.endpoint, destination, destinationAddresses)
-		if err != nil {
-			return nil, err
-		}
-		return packetConn, err
-	}
-	return o.endpoint.ListenPacket(ctx, destination)
-}
-
-func (o *Outbound) PreferredDomain(domain string) bool {
-	return false
-}
-
-func (o *Outbound) PreferredAddress(address netip.Addr) bool {
-	return o.endpoint.Lookup(address) != nil
-}
-
-func (o *Outbound) NewDirectRouteConnection(metadata adapter.InboundContext, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
-	return o.endpoint.NewDirectRouteConnection(metadata, routeContext, timeout)
-}

release/DEFAULT_BUILD_TAGS

@@ -0,0 +1 @@
+with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,with_naive_outbound,badlinkname,tfogo_checklinkname0

release/DEFAULT_BUILD_TAGS_OTHERS

@@ -0,0 +1 @@
+with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0

release/DEFAULT_BUILD_TAGS_WINDOWS

@@ -0,0 +1 @@
+with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,with_naive_outbound,with_purego,badlinkname,tfogo_checklinkname0

release/LDFLAGS

@@ -0,0 +1 @@
+-X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0

release/config/config.json

@@ -5,7 +5,9 @@
   "dns": {
     "servers": [
       {
-        "address": "tls://8.8.8.8"
+        "type": "tls",
+        "tag": "google",
+        "server": "8.8.8.8"
       }
     ]
   },
@@ -26,17 +28,13 @@
   "outbounds": [
     {
       "type": "direct"
-    },
-    {
-      "type": "dns",
-      "tag": "dns-out"
     }
   ],
   "route": {
     "rules": [
       {
         "port": 53,
-        "outbound": "dns-out"
+        "action": "hijack-dns"
       }
     ]
   }

release/config/sing-box.confd

@@ -0,0 +1,6 @@
+# /etc/conf.d/sing-box: config file for /etc/init.d/sing-box
+
+# sing-box configuration path, could be file or directory
+# SINGBOX_CONFIG=/etc/sing-box
+
+# SINGBOX_WORKDIR=/var/lib/sing-box

release/config/sing-box.initd

@@ -4,15 +4,41 @@ name=$RC_SVCNAME
 description="sing-box service"
 supervisor="supervise-daemon"
 command="/usr/bin/sing-box"
-command_args="-D /var/lib/sing-box -C /etc/sing-box run"
+extra_commands="checkconfig"
 extra_started_commands="reload"
 
+: ${SINGBOX_CONFIG:=${config:-"/etc/sing-box"}}
+
+if [ -d "$SINGBOX_CONFIG" ]; then
+	_config_opt="-C $SINGBOX_CONFIG"
+elif [ -z "$SINGBOX_CONFIG" ]; then
+	_config_opt=""
+else
+	_config_opt="-c $SINGBOX_CONFIG"
+fi
+
+_workdir=${SINGBOX_WORKDIR:-${workdir:-"/var/lib/sing-box"}}
+
+command_args="run --disable-color
+	-D $_workdir
+	$_config_opt"
+
 depend() {
 	after net dns
 }
 
+checkconfig() {
+	ebegin "Checking $RC_SVCNAME configuration"
+	sing-box check -D "$_workdir" $_config_opt
+	eend $?
+}
+
+start_pre() {
+	checkconfig
+}
+
 reload() {
 	ebegin "Reloading $RC_SVCNAME"
-        $supervisor "$RC_SVCNAME" --signal HUP
+	checkconfig && $supervisor "$RC_SVCNAME" --signal HUP
 	eend $?
-}
+}

release/local/common.sh

@@ -11,7 +11,7 @@ INSTALL_CONFIG_PATH="/usr/local/etc/sing-box"
 INSTALL_DATA_PATH="/var/lib/sing-box"
 SYSTEMD_SERVICE_PATH="/etc/systemd/system"
 
-DEFAULT_BUILD_TAGS="with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0"
+DEFAULT_BUILD_TAGS="$(cat "$PROJECT_DIR/release/DEFAULT_BUILD_TAGS_OTHERS")"
 
 setup_environment() {
     if [ -d /usr/local/go ]; then
@@ -44,7 +44,9 @@ get_version() {
 get_ldflags() {
     local version
     version=$(get_version)
-    echo "-X 'github.com/sagernet/sing-box/constant.Version=${version}' -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0"
+    local shared_ldflags
+    shared_ldflags=$(cat "$PROJECT_DIR/release/LDFLAGS")
+    echo "-X 'github.com/sagernet/sing-box/constant.Version=${version}' ${shared_ldflags} -s -w -buildid="
 }
 
 build_sing_box() {

route/conn.go

@@ -188,6 +188,8 @@ func (m *ConnectionManager) NewPacketConnection(ctx context.Context, this N.Dial
 	} else {
 		if len(metadata.DestinationAddresses) > 0 {
 			remotePacketConn, destinationAddress, err = dialer.ListenSerialNetworkPacket(ctx, this, metadata.Destination, metadata.DestinationAddresses, metadata.NetworkStrategy, metadata.NetworkType, metadata.FallbackNetworkType, metadata.FallbackDelay)
+		} else if packetDialer, withDestination := this.(dialer.PacketDialerWithDestination); withDestination {
+			remotePacketConn, destinationAddress, err = packetDialer.ListenPacketWithDestination(ctx, metadata.Destination)
 		} else {
 			remotePacketConn, err = this.ListenPacket(ctx, metadata.Destination)
 		}
@@ -218,11 +220,16 @@ func (m *ConnectionManager) NewPacketConnection(ctx context.Context, this N.Dial
 		}
 		if natConn, loaded := common.Cast[bufio.NATPacketConn](conn); loaded {
 			natConn.UpdateDestination(destinationAddress)
-		} else if metadata.Destination != M.SocksaddrFrom(destinationAddress, metadata.Destination.Port) {
-			if metadata.UDPDisableDomainUnmapping {
-				remotePacketConn = bufio.NewUnidirectionalNATPacketConn(bufio.NewPacketConn(remotePacketConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), originDestination)
-			} else {
-				remotePacketConn = bufio.NewNATPacketConn(bufio.NewPacketConn(remotePacketConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), originDestination)
+		} else {
+			destination := M.SocksaddrFrom(destinationAddress, metadata.Destination.Port)
+			if metadata.Destination != destination {
+				if metadata.UDPDisableDomainUnmapping {
+					remotePacketConn = bufio.NewUnidirectionalNATPacketConn(bufio.NewPacketConn(remotePacketConn), destination, originDestination)
+				} else {
+					remotePacketConn = bufio.NewNATPacketConn(bufio.NewPacketConn(remotePacketConn), destination, originDestination)
+				}
+			} else if metadata.RouteOriginalDestination.IsValid() && metadata.RouteOriginalDestination != metadata.Destination {
+				remotePacketConn = bufio.NewDestinationNATPacketConn(bufio.NewPacketConn(remotePacketConn), metadata.Destination, metadata.RouteOriginalDestination)
 			}
 		}
 	} else if metadata.RouteOriginalDestination.IsValid() && metadata.RouteOriginalDestination != metadata.Destination {

route/route.go

@@ -12,7 +12,6 @@ import (
 	"github.com/sagernet/sing-box/common/process"
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/option"
 	R "github.com/sagernet/sing-box/route/rule"
 	"github.com/sagernet/sing-mux"
 	"github.com/sagernet/sing-tun"
@@ -468,37 +467,6 @@ func (r *Router) matchRule(
 		metadata.IPVersion = 6
 	}
 
-	//nolint:staticcheck
-	if metadata.InboundOptions != common.DefaultValue[option.InboundOptions]() {
-		if !preMatch && metadata.InboundOptions.SniffEnabled {
-			newBuffer, newPackerBuffers, newErr := r.actionSniff(ctx, metadata, &R.RuleActionSniff{
-				OverrideDestination: metadata.InboundOptions.SniffOverrideDestination,
-				Timeout:             time.Duration(metadata.InboundOptions.SniffTimeout),
-			}, inputConn, inputPacketConn, nil, nil)
-			if newBuffer != nil {
-				buffers = []*buf.Buffer{newBuffer}
-			} else if len(newPackerBuffers) > 0 {
-				packetBuffers = newPackerBuffers
-			}
-			if newErr != nil {
-				fatalErr = newErr
-				return
-			}
-		}
-		if C.DomainStrategy(metadata.InboundOptions.DomainStrategy) != C.DomainStrategyAsIS {
-			fatalErr = r.actionResolve(ctx, metadata, &R.RuleActionResolve{
-				Strategy: C.DomainStrategy(metadata.InboundOptions.DomainStrategy),
-			})
-			if fatalErr != nil {
-				return
-			}
-		}
-		if metadata.InboundOptions.UDPDisableDomainUnmapping {
-			metadata.UDPDisableDomainUnmapping = true
-		}
-		metadata.InboundOptions = option.InboundOptions{}
-	}
-
 match:
 	for currentRuleIndex, currentRule := range r.rules {
 		metadata.ResetRuleCache()

route/rule/rule_default.go

@@ -5,7 +5,6 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
@@ -267,14 +266,13 @@ func NewDefaultRule(ctx context.Context, logger log.ContextLogger, options optio
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.RuleSet) > 0 {
+		//nolint:staticcheck
+		if options.Deprecated_RulesetIPCIDRMatchSource {
+			return nil, E.New("rule_set_ipcidr_match_source is deprecated in sing-box 1.10.0 and removed in sing-box 1.11.0")
+		}
 		var matchSource bool
 		if options.RuleSetIPCIDRMatchSource {
 			matchSource = true
-		} else
-		//nolint:staticcheck
-		if options.Deprecated_RulesetIPCIDRMatchSource {
-			matchSource = true
-			deprecated.Report(ctx, deprecated.OptionBadMatchSource)
 		}
 		item := NewRuleSetItem(router, options.RuleSet, matchSource, false)
 		rule.items = append(rule.items, item)

route/rule/rule_dns.go

@@ -5,7 +5,6 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
@@ -263,14 +262,13 @@ func NewDefaultDNSRule(ctx context.Context, logger log.ContextLogger, options op
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.RuleSet) > 0 {
+		//nolint:staticcheck
+		if options.Deprecated_RulesetIPCIDRMatchSource {
+			return nil, E.New("rule_set_ipcidr_match_source is deprecated in sing-box 1.10.0 and removed in sing-box 1.11.0")
+		}
 		var matchSource bool
 		if options.RuleSetIPCIDRMatchSource {
 			matchSource = true
-		} else
-		//nolint:staticcheck
-		if options.Deprecated_RulesetIPCIDRMatchSource {
-			matchSource = true
-			deprecated.Report(ctx, deprecated.OptionBadMatchSource)
 		}
 		item := NewRuleSetItem(router, options.RuleSet, matchSource, options.RuleSetIPCIDRAcceptEmpty)
 		rule.items = append(rule.items, item)

service/ccm/service.go

@@ -281,11 +281,11 @@ func (s *Service) getAccessToken() (string, error) {
 	return newCredentials.AccessToken, nil
 }
 
-func detectContextWindow(betaHeader string, inputTokens int64) int {
-	if inputTokens > premiumContextThreshold {
+func detectContextWindow(betaHeader string, totalInputTokens int64) int {
+	if totalInputTokens > premiumContextThreshold {
 		features := strings.Split(betaHeader, ",")
 		for _, feature := range features {
-			if strings.TrimSpace(feature) == "context-1m" {
+			if strings.HasPrefix(strings.TrimSpace(feature), "context-1m") {
 				return contextWindowPremium
 			}
 		}
@@ -362,6 +362,13 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
+	serviceOverridesAcceptEncoding := len(s.httpHeaders.Values("Accept-Encoding")) > 0
+	if s.usageTracker != nil && !serviceOverridesAcceptEncoding {
+		// Strip Accept-Encoding so Go Transport adds it automatically
+		// and transparently decompresses the response for correct usage counting.
+		proxyRequest.Header.Del("Accept-Encoding")
+	}
+
 	anthropicBetaHeader := proxyRequest.Header.Get("anthropic-beta")
 	if anthropicBetaHeader != "" {
 		proxyRequest.Header.Set("anthropic-beta", anthropicBetaOAuthValue+","+anthropicBetaHeader)
@@ -447,7 +454,8 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 
 		if usage.InputTokens > 0 || usage.OutputTokens > 0 {
 			if responseModel != "" {
-				contextWindow := detectContextWindow(anthropicBetaHeader, usage.InputTokens)
+				totalInputTokens := usage.InputTokens + usage.CacheCreationInputTokens + usage.CacheReadInputTokens
+				contextWindow := detectContextWindow(anthropicBetaHeader, totalInputTokens)
 				s.usageTracker.AddUsageWithCycleHint(
 					responseModel,
 					contextWindow,
@@ -547,7 +555,8 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 
 			if accumulatedUsage.InputTokens > 0 || accumulatedUsage.OutputTokens > 0 {
 				if responseModel != "" {
-					contextWindow := detectContextWindow(anthropicBetaHeader, accumulatedUsage.InputTokens)
+					totalInputTokens := accumulatedUsage.InputTokens + accumulatedUsage.CacheCreationInputTokens + accumulatedUsage.CacheReadInputTokens
+					contextWindow := detectContextWindow(anthropicBetaHeader, totalInputTokens)
 					s.usageTracker.AddUsageWithCycleHint(
 						responseModel,
 						contextWindow,

service/ccm/service_usage.go

@@ -65,9 +65,10 @@ type CostCombinationJSON struct {
 }
 
 type CostsSummaryJSON struct {
-	TotalUSD float64            `json:"total_usd"`
-	ByUser   map[string]float64 `json:"by_user"`
-	ByWeek   map[string]float64 `json:"by_week,omitempty"`
+	TotalUSD      float64                       `json:"total_usd"`
+	ByUser        map[string]float64            `json:"by_user"`
+	ByWeek        map[string]float64            `json:"by_week,omitempty"`
+	ByUserAndWeek map[string]map[string]float64 `json:"by_user_and_week,omitempty"`
 }
 
 type AggregatedUsageJSON struct {
@@ -492,6 +493,31 @@ func buildByWeekCost(combinations []CostCombination) map[string]float64 {
 	return byWeek
 }
 
+func buildByUserAndWeekCost(combinations []CostCombination) map[string]map[string]float64 {
+	byUserAndWeek := make(map[string]map[string]float64)
+	for _, combination := range combinations {
+		if combination.WeekStartUnix <= 0 {
+			continue
+		}
+		weekStartAt := time.Unix(combination.WeekStartUnix, 0).UTC()
+		weekKey := formatWeekStartKey(weekStartAt)
+		for user, userStats := range combination.ByUser {
+			userWeeks, exists := byUserAndWeek[user]
+			if !exists {
+				userWeeks = make(map[string]float64)
+				byUserAndWeek[user] = userWeeks
+			}
+			userWeeks[weekKey] += calculateCost(userStats, combination.Model, combination.ContextWindow)
+		}
+	}
+	for _, weekCosts := range byUserAndWeek {
+		for weekKey, cost := range weekCosts {
+			weekCosts[weekKey] = roundCost(cost)
+		}
+	}
+	return byUserAndWeek
+}
+
 func deriveWeekStartUnix(cycleHint *WeeklyCycleHint) int64 {
 	if cycleHint == nil || cycleHint.WindowMinutes <= 0 || cycleHint.ResetAt.IsZero() {
 		return 0
@@ -522,6 +548,11 @@ func (u *AggregatedUsage) ToJSON() *AggregatedUsageJSON {
 		result.Costs.ByWeek = nil
 	}
 
+	result.Costs.ByUserAndWeek = buildByUserAndWeekCost(u.Combinations)
+	if len(result.Costs.ByUserAndWeek) == 0 {
+		result.Costs.ByUserAndWeek = nil
+	}
+
 	for user, cost := range result.Costs.ByUser {
 		result.Costs.ByUser[user] = roundCost(cost)
 	}

service/derp/service.go

@@ -1,3 +1,5 @@
+//go:build with_gvisor
+
 package derp
 
 import (

service/ocm/service.go

@@ -130,6 +130,7 @@ type Service struct {
 	credentialPath string
 	credentials    *oauthCredentials
 	users          []option.OCMUser
+	dialer         N.Dialer
 	httpClient     *http.Client
 	httpHeaders    http.Header
 	listener       *listener.Listener
@@ -138,7 +139,9 @@ type Service struct {
 	userManager    *UserManager
 	accessMutex    sync.RWMutex
 	usageTracker   *AggregatedUsage
-	trackingGroup  sync.WaitGroup
+	webSocketMutex sync.Mutex
+	webSocketGroup sync.WaitGroup
+	webSocketConns map[*webSocketSession]struct{}
 	shuttingDown   bool
 }
 
@@ -187,6 +190,7 @@ func NewService(ctx context.Context, logger log.ContextLogger, tag string, optio
 		logger:         logger,
 		credentialPath: options.CredentialPath,
 		users:          options.Users,
+		dialer:         serviceDialer,
 		httpClient:     httpClient,
 		httpHeaders:    options.Headers.Build(),
 		listener: listener.New(listener.Options{
@@ -195,8 +199,9 @@ func NewService(ctx context.Context, logger log.ContextLogger, tag string, optio
 			Network: []string{N.NetworkTCP},
 			Listen:  options.ListenOptions,
 		}),
-		userManager:  userManager,
-		usageTracker: usageTracker,
+		userManager:    userManager,
+		usageTracker:   usageTracker,
+		webSocketConns: make(map[*webSocketSession]struct{}),
 	}
 
 	if options.TLS != nil {
@@ -356,6 +361,11 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
+	if strings.EqualFold(r.Header.Get("Upgrade"), "websocket") && strings.HasPrefix(path, "/v1/responses") {
+		s.handleWebSocket(w, r, proxyPath, username)
+		return
+	}
+
 	var requestModel string
 
 	if s.usageTracker != nil && r.Body != nil {
@@ -497,8 +507,10 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 				responseModel = requestModel
 			}
 			if responseModel != "" {
+				contextWindow := detectContextWindow(responseModel, serviceTier, inputTokens)
 				s.usageTracker.AddUsageWithCycleHint(
 					responseModel,
+					contextWindow,
 					inputTokens,
 					outputTokens,
 					cachedTokens,
@@ -606,8 +618,10 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 
 			if inputTokens > 0 || outputTokens > 0 {
 				if responseModel != "" {
+					contextWindow := detectContextWindow(responseModel, serviceTier, inputTokens)
 					s.usageTracker.AddUsageWithCycleHint(
 						responseModel,
+						contextWindow,
 						inputTokens,
 						outputTokens,
 						cachedTokens,
@@ -624,11 +638,17 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 }
 
 func (s *Service) Close() error {
+	webSocketSessions := s.startWebSocketShutdown()
+
 	err := common.Close(
 		common.PtrOrNil(s.httpServer),
 		common.PtrOrNil(s.listener),
 		s.tlsConfig,
 	)
+	for _, session := range webSocketSessions {
+		session.Close()
+	}
+	s.webSocketGroup.Wait()
 
 	if s.usageTracker != nil {
 		s.usageTracker.cancelPendingSave()
@@ -640,3 +660,48 @@ func (s *Service) Close() error {
 
 	return err
 }
+
+func (s *Service) registerWebSocketSession(session *webSocketSession) bool {
+	s.webSocketMutex.Lock()
+	defer s.webSocketMutex.Unlock()
+
+	if s.shuttingDown {
+		return false
+	}
+
+	s.webSocketConns[session] = struct{}{}
+	s.webSocketGroup.Add(1)
+	return true
+}
+
+func (s *Service) unregisterWebSocketSession(session *webSocketSession) {
+	s.webSocketMutex.Lock()
+	_, loaded := s.webSocketConns[session]
+	if loaded {
+		delete(s.webSocketConns, session)
+	}
+	s.webSocketMutex.Unlock()
+
+	if loaded {
+		s.webSocketGroup.Done()
+	}
+}
+
+func (s *Service) isShuttingDown() bool {
+	s.webSocketMutex.Lock()
+	defer s.webSocketMutex.Unlock()
+	return s.shuttingDown
+}
+
+func (s *Service) startWebSocketShutdown() []*webSocketSession {
+	s.webSocketMutex.Lock()
+	defer s.webSocketMutex.Unlock()
+
+	s.shuttingDown = true
+
+	webSocketSessions := make([]*webSocketSession, 0, len(s.webSocketConns))
+	for session := range s.webSocketConns {
+		webSocketSessions = append(webSocketSessions, session)
+	}
+	return webSocketSessions
+}

service/ocm/service_usage.go

@@ -46,6 +46,7 @@ func (u *UsageStats) UnmarshalJSON(data []byte) error {
 type CostCombination struct {
 	Model         string                `json:"model"`
 	ServiceTier   string                `json:"service_tier,omitempty"`
+	ContextWindow int                   `json:"context_window"`
 	WeekStartUnix int64                 `json:"week_start_unix,omitempty"`
 	Total         UsageStats            `json:"total"`
 	ByUser        map[string]UsageStats `json:"by_user"`
@@ -74,15 +75,17 @@ type UsageStatsJSON struct {
 type CostCombinationJSON struct {
 	Model         string                    `json:"model"`
 	ServiceTier   string                    `json:"service_tier,omitempty"`
+	ContextWindow int                       `json:"context_window"`
 	WeekStartUnix int64                     `json:"week_start_unix,omitempty"`
 	Total         UsageStatsJSON            `json:"total"`
 	ByUser        map[string]UsageStatsJSON `json:"by_user"`
 }
 
 type CostsSummaryJSON struct {
-	TotalUSD float64            `json:"total_usd"`
-	ByUser   map[string]float64 `json:"by_user"`
-	ByWeek   map[string]float64 `json:"by_week,omitempty"`
+	TotalUSD      float64                       `json:"total_usd"`
+	ByUser        map[string]float64            `json:"by_user"`
+	ByWeek        map[string]float64            `json:"by_week,omitempty"`
+	ByUserAndWeek map[string]map[string]float64 `json:"by_user_and_week,omitempty"`
 }
 
 type AggregatedUsageJSON struct {
@@ -103,8 +106,9 @@ type ModelPricing struct {
 }
 
 type modelFamily struct {
-	pattern *regexp.Regexp
-	pricing ModelPricing
+	pattern        *regexp.Regexp
+	pricing        ModelPricing
+	premiumPricing *ModelPricing
 }
 
 const (
@@ -115,6 +119,12 @@ const (
 	serviceTierScale    = "scale"
 )
 
+const (
+	contextWindowStandard   = 272000
+	contextWindowPremium    = 1050000
+	premiumContextThreshold = 272000
+)
+
 var (
 	gpt52Pricing = ModelPricing{
 		InputPrice:       1.75,
@@ -158,6 +168,30 @@ var (
 		CachedInputPrice: 0.025,
 	}
 
+	gpt54StandardPricing = ModelPricing{
+		InputPrice:       2.5,
+		OutputPrice:      15.0,
+		CachedInputPrice: 0.25,
+	}
+
+	gpt54PremiumPricing = ModelPricing{
+		InputPrice:       5.0,
+		OutputPrice:      22.5,
+		CachedInputPrice: 0.5,
+	}
+
+	gpt54ProPricing = ModelPricing{
+		InputPrice:       30.0,
+		OutputPrice:      180.0,
+		CachedInputPrice: 30.0,
+	}
+
+	gpt54ProPremiumPricing = ModelPricing{
+		InputPrice:       60.0,
+		OutputPrice:      270.0,
+		CachedInputPrice: 60.0,
+	}
+
 	gpt52ProPricing = ModelPricing{
 		InputPrice:       21.0,
 		OutputPrice:      168.0,
@@ -170,6 +204,30 @@ var (
 		CachedInputPrice: 15.0,
 	}
 
+	gpt54FlexPricing = ModelPricing{
+		InputPrice:       1.25,
+		OutputPrice:      7.5,
+		CachedInputPrice: 0.125,
+	}
+
+	gpt54PremiumFlexPricing = ModelPricing{
+		InputPrice:       2.5,
+		OutputPrice:      11.25,
+		CachedInputPrice: 0.25,
+	}
+
+	gpt54ProFlexPricing = ModelPricing{
+		InputPrice:       15.0,
+		OutputPrice:      90.0,
+		CachedInputPrice: 15.0,
+	}
+
+	gpt54ProPremiumFlexPricing = ModelPricing{
+		InputPrice:       30.0,
+		OutputPrice:      135.0,
+		CachedInputPrice: 30.0,
+	}
+
 	gpt52FlexPricing = ModelPricing{
 		InputPrice:       0.875,
 		OutputPrice:      7.0,
@@ -194,6 +252,18 @@ var (
 		CachedInputPrice: 0.0025,
 	}
 
+	gpt54PriorityPricing = ModelPricing{
+		InputPrice:       5.0,
+		OutputPrice:      30.0,
+		CachedInputPrice: 0.5,
+	}
+
+	gpt54PremiumPriorityPricing = ModelPricing{
+		InputPrice:       10.0,
+		OutputPrice:      45.0,
+		CachedInputPrice: 1.0,
+	}
+
 	gpt52PriorityPricing = ModelPricing{
 		InputPrice:       3.5,
 		OutputPrice:      28.0,
@@ -381,6 +451,16 @@ var (
 	}
 
 	standardModelFamilies = []modelFamily{
+		{
+			pattern:        regexp.MustCompile(`^gpt-5\.4-pro(?:$|-)`),
+			pricing:        gpt54ProPricing,
+			premiumPricing: &gpt54ProPremiumPricing,
+		},
+		{
+			pattern:        regexp.MustCompile(`^gpt-5\.4(?:$|-)`),
+			pricing:        gpt54StandardPricing,
+			premiumPricing: &gpt54PremiumPricing,
+		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5\.3-codex(?:$|-)`),
 			pricing: gpt52CodexPricing,
@@ -524,6 +604,16 @@ var (
 	}
 
 	flexModelFamilies = []modelFamily{
+		{
+			pattern:        regexp.MustCompile(`^gpt-5\.4-pro(?:$|-)`),
+			pricing:        gpt54ProFlexPricing,
+			premiumPricing: &gpt54ProPremiumFlexPricing,
+		},
+		{
+			pattern:        regexp.MustCompile(`^gpt-5\.4(?:$|-)`),
+			pricing:        gpt54FlexPricing,
+			premiumPricing: &gpt54PremiumFlexPricing,
+		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5-mini(?:$|-)`),
 			pricing: gpt5MiniFlexPricing,
@@ -555,6 +645,11 @@ var (
 	}
 
 	priorityModelFamilies = []modelFamily{
+		{
+			pattern:        regexp.MustCompile(`^gpt-5\.4(?:$|-)`),
+			pricing:        gpt54PriorityPricing,
+			premiumPricing: &gpt54PremiumPriorityPricing,
+		},
 		{
 			pattern: regexp.MustCompile(`^gpt-5\.3-codex(?:$|-)`),
 			pricing: gpt52CodexPriorityPricing,
@@ -637,15 +732,28 @@ func modelFamiliesForTier(serviceTier string) []modelFamily {
 	}
 }
 
-func findPricingInFamilies(model string, modelFamilies []modelFamily) (ModelPricing, bool) {
+func findPricingInFamilies(model string, contextWindow int, modelFamilies []modelFamily) (ModelPricing, bool) {
+	isPremium := contextWindow >= contextWindowPremium
 	for _, family := range modelFamilies {
 		if family.pattern.MatchString(model) {
+			if isPremium && family.premiumPricing != nil {
+				return *family.premiumPricing, true
+			}
 			return family.pricing, true
 		}
 	}
 	return ModelPricing{}, false
 }
 
+func hasPremiumPricingInFamilies(model string, modelFamilies []modelFamily) bool {
+	for _, family := range modelFamilies {
+		if family.pattern.MatchString(model) {
+			return family.premiumPricing != nil
+		}
+	}
+	return false
+}
+
 func normalizeServiceTier(serviceTier string) string {
 	switch strings.ToLower(strings.TrimSpace(serviceTier)) {
 	case "", serviceTierAuto, serviceTierDefault:
@@ -662,27 +770,27 @@ func normalizeServiceTier(serviceTier string) string {
 	}
 }
 
-func getPricing(model string, serviceTier string) ModelPricing {
+func getPricing(model string, serviceTier string, contextWindow int) ModelPricing {
 	normalizedServiceTier := normalizeServiceTier(serviceTier)
-	modelFamilies := modelFamiliesForTier(normalizedServiceTier)
+	families := modelFamiliesForTier(normalizedServiceTier)
 
-	if pricing, found := findPricingInFamilies(model, modelFamilies); found {
+	if pricing, found := findPricingInFamilies(model, contextWindow, families); found {
 		return pricing
 	}
 
 	normalizedModel := normalizeGPT5Model(model)
 	if normalizedModel != model {
-		if pricing, found := findPricingInFamilies(normalizedModel, modelFamilies); found {
+		if pricing, found := findPricingInFamilies(normalizedModel, contextWindow, families); found {
 			return pricing
 		}
 	}
 
 	if normalizedServiceTier != serviceTierDefault {
-		if pricing, found := findPricingInFamilies(model, standardModelFamilies); found {
+		if pricing, found := findPricingInFamilies(model, contextWindow, standardModelFamilies); found {
 			return pricing
 		}
 		if normalizedModel != model {
-			if pricing, found := findPricingInFamilies(normalizedModel, standardModelFamilies); found {
+			if pricing, found := findPricingInFamilies(normalizedModel, contextWindow, standardModelFamilies); found {
 				return pricing
 			}
 		}
@@ -691,6 +799,30 @@ func getPricing(model string, serviceTier string) ModelPricing {
 	return gpt4oPricing
 }
 
+func detectContextWindow(model string, serviceTier string, inputTokens int64) int {
+	if inputTokens <= premiumContextThreshold {
+		return contextWindowStandard
+	}
+	normalizedServiceTier := normalizeServiceTier(serviceTier)
+	families := modelFamiliesForTier(normalizedServiceTier)
+	if hasPremiumPricingInFamilies(model, families) {
+		return contextWindowPremium
+	}
+	normalizedModel := normalizeGPT5Model(model)
+	if normalizedModel != model && hasPremiumPricingInFamilies(normalizedModel, families) {
+		return contextWindowPremium
+	}
+	if normalizedServiceTier != serviceTierDefault {
+		if hasPremiumPricingInFamilies(model, standardModelFamilies) {
+			return contextWindowPremium
+		}
+		if normalizedModel != model && hasPremiumPricingInFamilies(normalizedModel, standardModelFamilies) {
+			return contextWindowPremium
+		}
+	}
+	return contextWindowStandard
+}
+
 func normalizeGPT5Model(model string) string {
 	if !strings.HasPrefix(model, "gpt-5.") {
 		return model
@@ -706,18 +838,18 @@ func normalizeGPT5Model(model string) string {
 	case strings.Contains(model, "-chat-latest"):
 		return "gpt-5.2-chat-latest"
 	case strings.Contains(model, "-pro"):
-		return "gpt-5.2-pro"
+		return "gpt-5.4-pro"
 	case strings.Contains(model, "-mini"):
 		return "gpt-5-mini"
 	case strings.Contains(model, "-nano"):
 		return "gpt-5-nano"
 	default:
-		return "gpt-5.2"
+		return "gpt-5.4"
 	}
 }
 
-func calculateCost(stats UsageStats, model string, serviceTier string) float64 {
-	pricing := getPricing(model, serviceTier)
+func calculateCost(stats UsageStats, model string, serviceTier string, contextWindow int) float64 {
+	pricing := getPricing(model, serviceTier, contextWindow)
 
 	regularInputTokens := stats.InputTokens - stats.CachedTokens
 	if regularInputTokens < 0 {
@@ -738,13 +870,16 @@ func roundCost(cost float64) float64 {
 func normalizeCombinations(combinations []CostCombination) {
 	for index := range combinations {
 		combinations[index].ServiceTier = normalizeServiceTier(combinations[index].ServiceTier)
+		if combinations[index].ContextWindow <= 0 {
+			combinations[index].ContextWindow = contextWindowStandard
+		}
 		if combinations[index].ByUser == nil {
 			combinations[index].ByUser = make(map[string]UsageStats)
 		}
 	}
 }
 
-func addUsageToCombinations(combinations *[]CostCombination, model string, serviceTier string, weekStartUnix int64, user string, inputTokens, outputTokens, cachedTokens int64) {
+func addUsageToCombinations(combinations *[]CostCombination, model string, serviceTier string, contextWindow int, weekStartUnix int64, user string, inputTokens, outputTokens, cachedTokens int64) {
 	var matchedCombination *CostCombination
 	for index := range *combinations {
 		combination := &(*combinations)[index]
@@ -752,7 +887,7 @@ func addUsageToCombinations(combinations *[]CostCombination, model string, servi
 		if combination.ServiceTier != combinationServiceTier {
 			combination.ServiceTier = combinationServiceTier
 		}
-		if combination.Model == model && combinationServiceTier == serviceTier && combination.WeekStartUnix == weekStartUnix {
+		if combination.Model == model && combinationServiceTier == serviceTier && combination.ContextWindow == contextWindow && combination.WeekStartUnix == weekStartUnix {
 			matchedCombination = combination
 			break
 		}
@@ -762,6 +897,7 @@ func addUsageToCombinations(combinations *[]CostCombination, model string, servi
 		newCombination := CostCombination{
 			Model:         model,
 			ServiceTier:   serviceTier,
+			ContextWindow: contextWindow,
 			WeekStartUnix: weekStartUnix,
 			Total:         UsageStats{},
 			ByUser:        make(map[string]UsageStats),
@@ -790,12 +926,13 @@ func buildCombinationJSON(combinations []CostCombination, aggregateUserCosts map
 	var totalCost float64
 
 	for index, combination := range combinations {
-		combinationTotalCost := calculateCost(combination.Total, combination.Model, combination.ServiceTier)
+		combinationTotalCost := calculateCost(combination.Total, combination.Model, combination.ServiceTier, combination.ContextWindow)
 		totalCost += combinationTotalCost
 
 		combinationJSON := CostCombinationJSON{
 			Model:         combination.Model,
 			ServiceTier:   combination.ServiceTier,
+			ContextWindow: combination.ContextWindow,
 			WeekStartUnix: combination.WeekStartUnix,
 			Total: UsageStatsJSON{
 				RequestCount: combination.Total.RequestCount,
@@ -808,7 +945,7 @@ func buildCombinationJSON(combinations []CostCombination, aggregateUserCosts map
 		}
 
 		for user, userStats := range combination.ByUser {
-			userCost := calculateCost(userStats, combination.Model, combination.ServiceTier)
+			userCost := calculateCost(userStats, combination.Model, combination.ServiceTier, combination.ContextWindow)
 			if aggregateUserCosts != nil {
 				aggregateUserCosts[user] += userCost
 			}
@@ -856,7 +993,7 @@ func buildByWeekCost(combinations []CostCombination) map[string]float64 {
 		}
 		weekStartAt := time.Unix(combination.WeekStartUnix, 0).UTC()
 		weekKey := formatWeekStartKey(weekStartAt)
-		byWeek[weekKey] += calculateCost(combination.Total, combination.Model, combination.ServiceTier)
+		byWeek[weekKey] += calculateCost(combination.Total, combination.Model, combination.ServiceTier, combination.ContextWindow)
 	}
 	for weekKey, weekCost := range byWeek {
 		byWeek[weekKey] = roundCost(weekCost)
@@ -864,6 +1001,31 @@ func buildByWeekCost(combinations []CostCombination) map[string]float64 {
 	return byWeek
 }
 
+func buildByUserAndWeekCost(combinations []CostCombination) map[string]map[string]float64 {
+	byUserAndWeek := make(map[string]map[string]float64)
+	for _, combination := range combinations {
+		if combination.WeekStartUnix <= 0 {
+			continue
+		}
+		weekStartAt := time.Unix(combination.WeekStartUnix, 0).UTC()
+		weekKey := formatWeekStartKey(weekStartAt)
+		for user, userStats := range combination.ByUser {
+			userWeeks, exists := byUserAndWeek[user]
+			if !exists {
+				userWeeks = make(map[string]float64)
+				byUserAndWeek[user] = userWeeks
+			}
+			userWeeks[weekKey] += calculateCost(userStats, combination.Model, combination.ServiceTier, combination.ContextWindow)
+		}
+	}
+	for _, weekCosts := range byUserAndWeek {
+		for weekKey, cost := range weekCosts {
+			weekCosts[weekKey] = roundCost(cost)
+		}
+	}
+	return byUserAndWeek
+}
+
 func deriveWeekStartUnix(cycleHint *WeeklyCycleHint) int64 {
 	if cycleHint == nil || cycleHint.WindowMinutes <= 0 || cycleHint.ResetAt.IsZero() {
 		return 0
@@ -894,6 +1056,11 @@ func (u *AggregatedUsage) ToJSON() *AggregatedUsageJSON {
 		result.Costs.ByWeek = nil
 	}
 
+	result.Costs.ByUserAndWeek = buildByUserAndWeekCost(u.Combinations)
+	if len(result.Costs.ByUserAndWeek) == 0 {
+		result.Costs.ByUserAndWeek = nil
+	}
+
 	for user, cost := range result.Costs.ByUser {
 		result.Costs.ByUser[user] = roundCost(cost)
 	}
@@ -956,14 +1123,17 @@ func (u *AggregatedUsage) Save() error {
 	return err
 }
 
-func (u *AggregatedUsage) AddUsage(model string, inputTokens, outputTokens, cachedTokens int64, serviceTier string, user string) error {
-	return u.AddUsageWithCycleHint(model, inputTokens, outputTokens, cachedTokens, serviceTier, user, time.Now(), nil)
+func (u *AggregatedUsage) AddUsage(model string, contextWindow int, inputTokens, outputTokens, cachedTokens int64, serviceTier string, user string) error {
+	return u.AddUsageWithCycleHint(model, contextWindow, inputTokens, outputTokens, cachedTokens, serviceTier, user, time.Now(), nil)
 }
 
-func (u *AggregatedUsage) AddUsageWithCycleHint(model string, inputTokens, outputTokens, cachedTokens int64, serviceTier string, user string, observedAt time.Time, cycleHint *WeeklyCycleHint) error {
+func (u *AggregatedUsage) AddUsageWithCycleHint(model string, contextWindow int, inputTokens, outputTokens, cachedTokens int64, serviceTier string, user string, observedAt time.Time, cycleHint *WeeklyCycleHint) error {
 	if model == "" {
 		return E.New("model cannot be empty")
 	}
+	if contextWindow <= 0 {
+		return E.New("contextWindow must be positive")
+	}
 
 	normalizedServiceTier := normalizeServiceTier(serviceTier)
 	if observedAt.IsZero() {
@@ -976,7 +1146,7 @@ func (u *AggregatedUsage) AddUsageWithCycleHint(model string, inputTokens, outpu
 	u.LastUpdated = observedAt
 	weekStartUnix := deriveWeekStartUnix(cycleHint)
 
-	addUsageToCombinations(&u.Combinations, model, normalizedServiceTier, weekStartUnix, user, inputTokens, outputTokens, cachedTokens)
+	addUsageToCombinations(&u.Combinations, model, normalizedServiceTier, contextWindow, weekStartUnix, user, inputTokens, outputTokens, cachedTokens)
 
 	go u.scheduleSave()
 

service/ocm/service_websocket.go

@@ -0,0 +1,285 @@
+package ocm
+
+import (
+	"context"
+	stdTLS "crypto/tls"
+	"encoding/json"
+	"io"
+	"net"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing/common/ntp"
+	"github.com/sagernet/ws"
+	"github.com/sagernet/ws/wsutil"
+
+	"github.com/openai/openai-go/v3/responses"
+)
+
+type webSocketSession struct {
+	clientConn   net.Conn
+	upstreamConn net.Conn
+	closeOnce    sync.Once
+}
+
+func (s *webSocketSession) Close() {
+	s.closeOnce.Do(func() {
+		s.clientConn.Close()
+		s.upstreamConn.Close()
+	})
+}
+
+func buildUpstreamWebSocketURL(baseURL string, proxyPath string) string {
+	upstreamURL := baseURL
+	if strings.HasPrefix(upstreamURL, "https://") {
+		upstreamURL = "wss://" + upstreamURL[len("https://"):]
+	} else if strings.HasPrefix(upstreamURL, "http://") {
+		upstreamURL = "ws://" + upstreamURL[len("http://"):]
+	}
+	return upstreamURL + proxyPath
+}
+
+func isForwardableResponseHeader(key string) bool {
+	lowerKey := strings.ToLower(key)
+	switch {
+	case strings.HasPrefix(lowerKey, "x-codex-"):
+		return true
+	case strings.HasPrefix(lowerKey, "x-reasoning"):
+		return true
+	case lowerKey == "openai-model":
+		return true
+	case strings.Contains(lowerKey, "-secondary-"):
+		return true
+	default:
+		return false
+	}
+}
+
+func isForwardableWebSocketRequestHeader(key string) bool {
+	if isHopByHopHeader(key) {
+		return false
+	}
+
+	lowerKey := strings.ToLower(key)
+	switch {
+	case lowerKey == "authorization":
+		return false
+	case strings.HasPrefix(lowerKey, "sec-websocket-"):
+		return false
+	default:
+		return true
+	}
+}
+
+func (s *Service) handleWebSocket(w http.ResponseWriter, r *http.Request, proxyPath string, username string) {
+	accessToken, err := s.getAccessToken()
+	if err != nil {
+		s.logger.Error("get access token for websocket: ", err)
+		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "authentication failed")
+		return
+	}
+
+	upstreamURL := buildUpstreamWebSocketURL(s.getBaseURL(), proxyPath)
+	if r.URL.RawQuery != "" {
+		upstreamURL += "?" + r.URL.RawQuery
+	}
+
+	upstreamHeaders := make(http.Header)
+	for key, values := range r.Header {
+		if isForwardableWebSocketRequestHeader(key) {
+			upstreamHeaders[key] = values
+		}
+	}
+	for key, values := range s.httpHeaders {
+		upstreamHeaders.Del(key)
+		upstreamHeaders[key] = values
+	}
+	upstreamHeaders.Set("Authorization", "Bearer "+accessToken)
+	if accountID := s.getAccountID(); accountID != "" {
+		upstreamHeaders.Set("ChatGPT-Account-Id", accountID)
+	}
+
+	upstreamResponseHeaders := make(http.Header)
+	upstreamDialer := ws.Dialer{
+		NetDial: func(ctx context.Context, network, addr string) (net.Conn, error) {
+			return s.dialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
+		},
+		TLSConfig: &stdTLS.Config{
+			RootCAs: adapter.RootPoolFromContext(s.ctx),
+			Time:    ntp.TimeFuncFromContext(s.ctx),
+		},
+		Header: ws.HandshakeHeaderHTTP(upstreamHeaders),
+		OnHeader: func(key, value []byte) error {
+			upstreamResponseHeaders.Add(string(key), string(value))
+			return nil
+		},
+	}
+
+	upstreamConn, upstreamBufferedReader, _, err := upstreamDialer.Dial(r.Context(), upstreamURL)
+	if err != nil {
+		s.logger.Error("dial upstream websocket: ", err)
+		writeJSONError(w, r, http.StatusBadGateway, "api_error", "upstream websocket connection failed")
+		return
+	}
+
+	weeklyCycleHint := extractWeeklyCycleHint(upstreamResponseHeaders)
+
+	clientResponseHeaders := make(http.Header)
+	for key, values := range upstreamResponseHeaders {
+		if isForwardableResponseHeader(key) {
+			clientResponseHeaders[key] = values
+		}
+	}
+
+	clientUpgrader := ws.HTTPUpgrader{
+		Header: clientResponseHeaders,
+	}
+	if s.isShuttingDown() {
+		upstreamConn.Close()
+		writeJSONError(w, r, http.StatusServiceUnavailable, "api_error", "service is shutting down")
+		return
+	}
+	clientConn, _, _, err := clientUpgrader.Upgrade(r, w)
+	if err != nil {
+		s.logger.Error("upgrade client websocket: ", err)
+		upstreamConn.Close()
+		return
+	}
+	session := &webSocketSession{
+		clientConn:   clientConn,
+		upstreamConn: upstreamConn,
+	}
+	if !s.registerWebSocketSession(session) {
+		session.Close()
+		return
+	}
+	defer s.unregisterWebSocketSession(session)
+
+	var upstreamReadWriter io.ReadWriter
+	if upstreamBufferedReader != nil {
+		upstreamReadWriter = struct {
+			io.Reader
+			io.Writer
+		}{upstreamBufferedReader, upstreamConn}
+	} else {
+		upstreamReadWriter = upstreamConn
+	}
+
+	modelChannel := make(chan string, 1)
+	var waitGroup sync.WaitGroup
+
+	waitGroup.Add(2)
+	go func() {
+		defer waitGroup.Done()
+		defer session.Close()
+		s.proxyWebSocketClientToUpstream(clientConn, upstreamConn, modelChannel)
+	}()
+	go func() {
+		defer waitGroup.Done()
+		defer session.Close()
+		s.proxyWebSocketUpstreamToClient(upstreamReadWriter, clientConn, modelChannel, username, weeklyCycleHint)
+	}()
+	waitGroup.Wait()
+}
+
+func (s *Service) proxyWebSocketClientToUpstream(clientConn net.Conn, upstreamConn net.Conn, modelChannel chan<- string) {
+	for {
+		data, opCode, err := wsutil.ReadClientData(clientConn)
+		if err != nil {
+			if !E.IsClosedOrCanceled(err) {
+				s.logger.Debug("read client websocket: ", err)
+			}
+			return
+		}
+
+		if opCode == ws.OpText && s.usageTracker != nil {
+			var request struct {
+				Type  string `json:"type"`
+				Model string `json:"model"`
+			}
+			if json.Unmarshal(data, &request) == nil && request.Type == "response.create" && request.Model != "" {
+				select {
+				case modelChannel <- request.Model:
+				default:
+				}
+			}
+		}
+
+		err = wsutil.WriteClientMessage(upstreamConn, opCode, data)
+		if err != nil {
+			if !E.IsClosedOrCanceled(err) {
+				s.logger.Debug("write upstream websocket: ", err)
+			}
+			return
+		}
+	}
+}
+
+func (s *Service) proxyWebSocketUpstreamToClient(upstreamReadWriter io.ReadWriter, clientConn net.Conn, modelChannel <-chan string, username string, weeklyCycleHint *WeeklyCycleHint) {
+	var requestModel string
+	for {
+		data, opCode, err := wsutil.ReadServerData(upstreamReadWriter)
+		if err != nil {
+			if !E.IsClosedOrCanceled(err) {
+				s.logger.Debug("read upstream websocket: ", err)
+			}
+			return
+		}
+
+		if opCode == ws.OpText && s.usageTracker != nil {
+			select {
+			case model := <-modelChannel:
+				requestModel = model
+			default:
+			}
+
+			var event struct {
+				Type string `json:"type"`
+			}
+			if json.Unmarshal(data, &event) == nil && event.Type == "response.completed" {
+				var streamEvent responses.ResponseStreamEventUnion
+				if json.Unmarshal(data, &streamEvent) == nil {
+					completedEvent := streamEvent.AsResponseCompleted()
+					responseModel := string(completedEvent.Response.Model)
+					serviceTier := string(completedEvent.Response.ServiceTier)
+					inputTokens := completedEvent.Response.Usage.InputTokens
+					outputTokens := completedEvent.Response.Usage.OutputTokens
+					cachedTokens := completedEvent.Response.Usage.InputTokensDetails.CachedTokens
+
+					if inputTokens > 0 || outputTokens > 0 {
+						if responseModel == "" {
+							responseModel = requestModel
+						}
+						if responseModel != "" {
+							contextWindow := detectContextWindow(responseModel, serviceTier, inputTokens)
+							s.usageTracker.AddUsageWithCycleHint(
+								responseModel,
+								contextWindow,
+								inputTokens,
+								outputTokens,
+								cachedTokens,
+								serviceTier,
+								username,
+								time.Now(),
+								weeklyCycleHint,
+							)
+						}
+					}
+				}
+			}
+		}
+
+		err = wsutil.WriteServerMessage(clientConn, opCode, data)
+		if err != nil {
+			if !E.IsClosedOrCanceled(err) {
+				s.logger.Debug("write client websocket: ", err)
+			}
+			return
+		}
+	}
+}