[dependencies] Update github-actions

The upstream OpenAI WebSocket endpoint requires the
OpenAI-Beta: responses_websockets=2026-02-06 header. Set it
automatically when the client doesn't provide it.

Also capture and log the response body on non-429 WebSocket
handshake failures to surface the actual error from upstream.

.github/CRONET_GO_VERSION

@@ -1 +1 @@
-cba7b9ac0399055aa49fbdc57c03c374f58e1597
+ea7cd33752aed62603775af3df946c1b83f4b0b3

.github/build_alpine_apk.sh

@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+
+set -e -o pipefail
+
+ARCHITECTURE="$1"
+VERSION="$2"
+BINARY_PATH="$3"
+OUTPUT_PATH="$4"
+
+if [ -z "$ARCHITECTURE" ] || [ -z "$VERSION" ] || [ -z "$BINARY_PATH" ] || [ -z "$OUTPUT_PATH" ]; then
+  echo "Usage: $0 <architecture> <version> <binary_path> <output_path>"
+  exit 1
+fi
+
+PROJECT=$(cd "$(dirname "$0")/.."; pwd)
+
+# Convert version to APK format:
+#   1.13.0-beta.8  -> 1.13.0_beta8-r0
+#   1.13.0-rc.3    -> 1.13.0_rc3-r0
+#   1.13.0         -> 1.13.0-r0
+APK_VERSION=$(echo "$VERSION" | sed -E 's/-([a-z]+)\.([0-9]+)/_\1\2/')
+APK_VERSION="${APK_VERSION}-r0"
+
+ROOT_DIR=$(mktemp -d)
+trap 'rm -rf "$ROOT_DIR"' EXIT
+
+# Binary
+install -Dm755 "$BINARY_PATH" "$ROOT_DIR/usr/bin/sing-box"
+
+# Config files
+install -Dm644 "$PROJECT/release/config/config.json" "$ROOT_DIR/etc/sing-box/config.json"
+install -Dm755 "$PROJECT/release/config/sing-box.initd" "$ROOT_DIR/etc/init.d/sing-box"
+install -Dm644 "$PROJECT/release/config/sing-box.confd" "$ROOT_DIR/etc/conf.d/sing-box"
+
+# Service files
+install -Dm644 "$PROJECT/release/config/sing-box.service" "$ROOT_DIR/usr/lib/systemd/system/sing-box.service"
+install -Dm644 "$PROJECT/release/config/sing-box@.service" "$ROOT_DIR/usr/lib/systemd/system/sing-box@.service"
+
+# Completions
+install -Dm644 "$PROJECT/release/completions/sing-box.bash" "$ROOT_DIR/usr/share/bash-completion/completions/sing-box.bash"
+install -Dm644 "$PROJECT/release/completions/sing-box.fish" "$ROOT_DIR/usr/share/fish/vendor_completions.d/sing-box.fish"
+install -Dm644 "$PROJECT/release/completions/sing-box.zsh" "$ROOT_DIR/usr/share/zsh/site-functions/_sing-box"
+
+# License
+install -Dm644 "$PROJECT/LICENSE" "$ROOT_DIR/usr/share/licenses/sing-box/LICENSE"
+
+# APK metadata
+PACKAGES_DIR="$ROOT_DIR/lib/apk/packages"
+mkdir -p "$PACKAGES_DIR"
+
+# .conffiles
+cat > "$PACKAGES_DIR/.conffiles" <<'EOF'
+/etc/conf.d/sing-box
+/etc/init.d/sing-box
+/etc/sing-box/config.json
+EOF
+
+# .conffiles_static (sha256 checksums)
+while IFS= read -r conffile; do
+  sha256=$(sha256sum "$ROOT_DIR$conffile" | cut -d' ' -f1)
+  echo "$conffile $sha256"
+done < "$PACKAGES_DIR/.conffiles" > "$PACKAGES_DIR/.conffiles_static"
+
+# .list (all files, excluding lib/apk/packages/ metadata)
+(cd "$ROOT_DIR" && find . -type f -o -type l) \
+  | sed 's|^\./|/|' \
+  | grep -v '^/lib/apk/packages/' \
+  | sort > "$PACKAGES_DIR/.list"
+
+# Build APK
+apk mkpkg \
+  --info "name:sing-box" \
+  --info "version:${APK_VERSION}" \
+  --info "description:The universal proxy platform." \
+  --info "arch:${ARCHITECTURE}" \
+  --info "license:GPL-3.0-or-later with name use or association addition" \
+  --info "origin:sing-box" \
+  --info "url:https://sing-box.sagernet.org/" \
+  --info "maintainer:nekohasekai <contact-git@sekai.icu>" \
+  --files "$ROOT_DIR" \
+  --output "$OUTPUT_PATH"

.github/build_openwrt_apk.sh

@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+
+set -e -o pipefail
+
+ARCHITECTURE="$1"
+VERSION="$2"
+BINARY_PATH="$3"
+OUTPUT_PATH="$4"
+
+if [ -z "$ARCHITECTURE" ] || [ -z "$VERSION" ] || [ -z "$BINARY_PATH" ] || [ -z "$OUTPUT_PATH" ]; then
+  echo "Usage: $0 <architecture> <version> <binary_path> <output_path>"
+  exit 1
+fi
+
+PROJECT=$(cd "$(dirname "$0")/.."; pwd)
+
+# Convert version to APK format:
+#   1.13.0-beta.8  -> 1.13.0_beta8-r0
+#   1.13.0-rc.3    -> 1.13.0_rc3-r0
+#   1.13.0         -> 1.13.0-r0
+APK_VERSION=$(echo "$VERSION" | sed -E 's/-([a-z]+)\.([0-9]+)/_\1\2/')
+APK_VERSION="${APK_VERSION}-r0"
+
+ROOT_DIR=$(mktemp -d)
+trap 'rm -rf "$ROOT_DIR"' EXIT
+
+# Binary
+install -Dm755 "$BINARY_PATH" "$ROOT_DIR/usr/bin/sing-box"
+
+# Config files
+install -Dm644 "$PROJECT/release/config/config.json" "$ROOT_DIR/etc/sing-box/config.json"
+install -Dm644 "$PROJECT/release/config/openwrt.conf" "$ROOT_DIR/etc/config/sing-box"
+install -Dm755 "$PROJECT/release/config/openwrt.init" "$ROOT_DIR/etc/init.d/sing-box"
+install -Dm644 "$PROJECT/release/config/openwrt.keep" "$ROOT_DIR/lib/upgrade/keep.d/sing-box"
+
+# Completions
+install -Dm644 "$PROJECT/release/completions/sing-box.bash" "$ROOT_DIR/usr/share/bash-completion/completions/sing-box.bash"
+install -Dm644 "$PROJECT/release/completions/sing-box.fish" "$ROOT_DIR/usr/share/fish/vendor_completions.d/sing-box.fish"
+install -Dm644 "$PROJECT/release/completions/sing-box.zsh" "$ROOT_DIR/usr/share/zsh/site-functions/_sing-box"
+
+# License
+install -Dm644 "$PROJECT/LICENSE" "$ROOT_DIR/usr/share/licenses/sing-box/LICENSE"
+
+# APK metadata
+PACKAGES_DIR="$ROOT_DIR/lib/apk/packages"
+mkdir -p "$PACKAGES_DIR"
+
+# .conffiles
+cat > "$PACKAGES_DIR/.conffiles" <<'EOF'
+/etc/config/sing-box
+/etc/sing-box/config.json
+EOF
+
+# .conffiles_static (sha256 checksums)
+while IFS= read -r conffile; do
+  sha256=$(sha256sum "$ROOT_DIR$conffile" | cut -d' ' -f1)
+  echo "$conffile $sha256"
+done < "$PACKAGES_DIR/.conffiles" > "$PACKAGES_DIR/.conffiles_static"
+
+# .list (all files, excluding lib/apk/packages/ metadata)
+(cd "$ROOT_DIR" && find . -type f -o -type l) \
+  | sed 's|^\./|/|' \
+  | grep -v '^/lib/apk/packages/' \
+  | sort > "$PACKAGES_DIR/.list"
+
+# Build APK
+apk mkpkg \
+  --info "name:sing-box" \
+  --info "version:${APK_VERSION}" \
+  --info "description:The universal proxy platform." \
+  --info "arch:${ARCHITECTURE}" \
+  --info "license:GPL-3.0-or-later" \
+  --info "origin:sing-box" \
+  --info "url:https://sing-box.sagernet.org/" \
+  --info "maintainer:nekohasekai <contact-git@sekai.icu>" \
+  --info "depends:ca-bundle kmod-inet-diag kmod-tun firewall4 kmod-nft-queue" \
+  --info "provider-priority:100" \
+  --script "pre-deinstall:${PROJECT}/release/config/openwrt.prerm" \
+  --files "$ROOT_DIR" \
+  --output "$OUTPUT_PATH"

.github/setup_go_for_macos1013.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+VERSION="1.25.8"
+PATCH_COMMITS=(
+  "afe69d3cec1c6dcf0f1797b20546795730850070"
+  "1ed289b0cf87dc5aae9c6fe1aa5f200a83412938"
+)
+CURL_ARGS=(
+  -fL
+  --silent
+  --show-error
+)
+
+if [[ -n "${GITHUB_TOKEN:-}" ]]; then
+  CURL_ARGS+=(-H "Authorization: Bearer ${GITHUB_TOKEN}")
+fi
+
+mkdir -p "$HOME/go"
+cd "$HOME/go"
+wget "https://dl.google.com/go/go${VERSION}.darwin-arm64.tar.gz"
+tar -xzf "go${VERSION}.darwin-arm64.tar.gz"
+#cp -a go go_bootstrap
+mv go go_osx
+cd go_osx
+
+# these patch URLs only work on golang1.25.x
+# that means after golang1.26 release it must be changed
+# see: https://github.com/SagerNet/go/commits/release-branch.go1.25/
+# revert:
+# 33d3f603c1: "cmd/link/internal/ld: use 12.0.0 OS/SDK versions for macOS linking"
+# 937368f84e: "crypto/x509: change how we retrieve chains on darwin"
+
+for patch_commit in "${PATCH_COMMITS[@]}"; do
+  curl "${CURL_ARGS[@]}" "https://github.com/SagerNet/go/commit/${patch_commit}.diff" | patch --verbose -p 1
+done
+
+# Rebuild is not needed: we build with CGO_ENABLED=1, so Apple's external
+# linker handles LC_BUILD_VERSION via MACOSX_DEPLOYMENT_TARGET, and the
+# stdlib (crypto/x509) is compiled from patched src automatically.
+#cd src
+#GOROOT_BOOTSTRAP="$HOME/go/go_bootstrap" ./make.bash
+#cd ../..
+#rm -rf go_bootstrap "go${VERSION}.darwin-arm64.tar.gz"

.github/setup_go_for_windows7.sh

@@ -1,16 +1,35 @@
 #!/usr/bin/env bash
 
-VERSION="1.25.7"
+set -euo pipefail
 
-mkdir -p $HOME/go
-cd $HOME/go
+VERSION="1.25.8"
+PATCH_COMMITS=(
+  "466f6c7a29bc098b0d4c987b803c779222894a11"
+  "1bdabae205052afe1dadb2ad6f1ba612cdbc532a"
+  "a90777dcf692dd2168577853ba743b4338721b06"
+  "f6bddda4e8ff58a957462a1a09562924d5f3d05c"
+  "bed309eff415bcb3c77dd4bc3277b682b89a388d"
+  "34b899c2fb39b092db4fa67c4417e41dc046be4b"
+)
+CURL_ARGS=(
+  -fL
+  --silent
+  --show-error
+)
+
+if [[ -n "${GITHUB_TOKEN:-}" ]]; then
+  CURL_ARGS+=(-H "Authorization: Bearer ${GITHUB_TOKEN}")
+fi
+
+mkdir -p "$HOME/go"
+cd "$HOME/go"
 wget "https://dl.google.com/go/go${VERSION}.linux-amd64.tar.gz"
 tar -xzf "go${VERSION}.linux-amd64.tar.gz"
 mv go go_win7
 cd go_win7
 
 # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
-# this patch file only works on golang1.25.x
+# these patch URLs only work on golang1.25.x
 # that means after golang1.26 release it must be changed
 # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.25/
 # revert:
@@ -18,10 +37,10 @@ cd go_win7
 # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
 # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
 # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
+# fixes:
+# bed309eff415bcb3c77dd4bc3277b682b89a388d: "Fix os.RemoveAll not working on Windows7"
+# 34b899c2fb39b092db4fa67c4417e41dc046be4b: "Revert \"os: remove 5ms sleep on Windows in (*Process).Wait\""
 
-alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
-
-curl https://github.com/MetaCubeX/go/commit/8cb5472d94c34b88733a81091bd328e70ee565a4.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/6788c4c6f9fafb56729bad6b660f7ee2272d699f.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/a5b2168bb836ed9d6601c626f95e56c07923f906.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/f56f1e23507e646c85243a71bde7b9629b2f970c.diff | patch --verbose -p 1
+for patch_commit in "${PATCH_COMMITS[@]}"; do
+  curl "${CURL_ARGS[@]}" "https://github.com/MetaCubeX/go/commit/${patch_commit}.diff" | patch --verbose -p 1
+done

.github/workflows/build.yml

@@ -41,13 +41,13 @@ jobs:
       version: ${{ steps.outputs.outputs.version }}
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ~1.26.0
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -72,27 +72,27 @@ jobs:
         include:
           - { os: linux, arch: amd64, variant: purego, naive: true }
           - { os: linux, arch: amd64, variant: glibc, naive: true }
-          - { os: linux, arch: amd64, variant: musl, naive: true, debian: amd64, rpm: x86_64, pacman: x86_64, openwrt: "x86_64" }
+          - { os: linux, arch: amd64, variant: musl, naive: true, debian: amd64, rpm: x86_64, pacman: x86_64, alpine: x86_64, openwrt: "x86_64" }
 
           - { os: linux, arch: arm64, variant: purego, naive: true }
           - { os: linux, arch: arm64, variant: glibc, naive: true }
-          - { os: linux, arch: arm64, variant: musl, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64, openwrt: "aarch64_cortex-a53 aarch64_cortex-a72 aarch64_cortex-a76 aarch64_generic" }
+          - { os: linux, arch: arm64, variant: musl, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64, alpine: aarch64, openwrt: "aarch64_cortex-a53 aarch64_cortex-a72 aarch64_cortex-a76 aarch64_generic" }
 
           - { os: linux, arch: "386", go386: sse2 }
           - { os: linux, arch: "386", variant: glibc, naive: true, go386: sse2 }
-          - { os: linux, arch: "386", variant: musl, naive: true, go386: sse2, debian: i386, rpm: i386, openwrt: "i386_pentium4" }
+          - { os: linux, arch: "386", variant: musl, naive: true, go386: sse2, debian: i386, rpm: i386, alpine: x86, openwrt: "i386_pentium4" }
 
           - { os: linux, arch: arm, goarm: "7" }
           - { os: linux, arch: arm, variant: glibc, naive: true, goarm: "7" }
-          - { os: linux, arch: arm, variant: musl, naive: true, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }
+          - { os: linux, arch: arm, variant: musl, naive: true, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, alpine: armv7, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }
 
           - { os: linux, arch: mipsle, gomips: hardfloat, naive: true, variant: glibc }
           - { os: linux, arch: mipsle, gomips: softfloat, naive: true, variant: musl, debian: mipsel, rpm: mipsel, openwrt: "mipsel_24kc mipsel_74kc mipsel_mips32" }
           - { os: linux, arch: mips64le, gomips: hardfloat, naive: true, variant: glibc, debian: mips64el, rpm: mips64el }
           - { os: linux, arch: riscv64, naive: true, variant: glibc }
-          - { os: linux, arch: riscv64, naive: true, variant: musl, debian: riscv64, rpm: riscv64, openwrt: "riscv64_generic" }
+          - { os: linux, arch: riscv64, naive: true, variant: musl, debian: riscv64, rpm: riscv64, alpine: riscv64, openwrt: "riscv64_generic" }
           - { os: linux, arch: loong64, naive: true, variant: glibc }
-          - { os: linux, arch: loong64, naive: true, variant: musl, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }
+          - { os: linux, arch: loong64, naive: true, variant: musl, debian: loongarch64, rpm: loongarch64, alpine: loongarch64, openwrt: "loongarch64_generic" }
 
           - { os: linux, arch: "386", go386: softfloat, openwrt: "i386_pentium-mmx" }
           - { os: linux, arch: arm, goarm: "5", openwrt: "arm_arm926ej-s arm_cortex-a7 arm_cortex-a9 arm_fa526 arm_xscale" }
@@ -117,19 +117,14 @@ jobs:
           - { os: android, arch: "386", ndk: "i686-linux-android23" }
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go
-        if: ${{ ! (matrix.legacy_win7 || matrix.legacy_go124) }}
+        if: ${{ ! matrix.legacy_win7 }}
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
-      - name: Setup Go 1.24
-        if: matrix.legacy_go124
-        uses: actions/setup-go@v5
-        with:
-          go-version: ~1.24.10
+          go-version: ~1.26.0
       - name: Cache Go for Windows 7
         if: matrix.legacy_win7
         id: cache-go-for-windows7
@@ -137,9 +132,11 @@ jobs:
         with:
           path: |
             ~/go/go_win7
-          key: go_win7_1255
+          key: go_win7_1258
       - name: Setup Go for Windows 7
         if: matrix.legacy_win7 && steps.cache-go-for-windows7.outputs.cache-hit != 'true'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
         run: |-
           .github/setup_go_for_windows7.sh
       - name: Setup Go for Windows 7
@@ -399,6 +396,30 @@ jobs:
             .github/deb2ipk.sh "$architecture" "dist/openwrt.deb" "dist/sing-box_${{ needs.calculate_version.outputs.version }}_openwrt_${architecture}.ipk"
           done
           rm "dist/openwrt.deb"
+      - name: Install apk-tools
+        if: matrix.openwrt != '' || matrix.alpine != ''
+        run: |-
+          docker run --rm -v /usr/local/bin:/mnt alpine:edge sh -c "apk add --no-cache apk-tools-static && cp /sbin/apk.static /mnt/apk && chmod +x /mnt/apk"
+      - name: Package OpenWrt APK
+        if: matrix.openwrt != ''
+        run: |-
+          set -xeuo pipefail
+          for architecture in ${{ matrix.openwrt }}; do
+            .github/build_openwrt_apk.sh \
+              "$architecture" \
+              "${{ needs.calculate_version.outputs.version }}" \
+              "dist/sing-box" \
+              "dist/sing-box_${{ needs.calculate_version.outputs.version }}_openwrt_${architecture}.apk"
+          done
+      - name: Package Alpine APK
+        if: matrix.alpine != ''
+        run: |-
+          set -xeuo pipefail
+          .github/build_alpine_apk.sh \
+            "${{ matrix.alpine }}" \
+            "${{ needs.calculate_version.outputs.version }}" \
+            "dist/sing-box" \
+            "dist/sing-box_${{ needs.calculate_version.outputs.version }}_linux_${{ matrix.alpine }}.apk"
       - name: Archive
         run: |
           set -xeuo pipefail
@@ -434,22 +455,36 @@ jobs:
         include:
           - { arch: amd64 }
           - { arch: arm64 }
-          - { arch: amd64, legacy_go124: true, legacy_name: "macos-11" }
+          - { arch: amd64, legacy_osx: true, legacy_name: "macos-10.13" }
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go
-        if: ${{ ! matrix.legacy_go124 }}
+        if: ${{ ! matrix.legacy_osx }}
         uses: actions/setup-go@v5
         with:
           go-version: ^1.25.3
-      - name: Setup Go 1.24
-        if: matrix.legacy_go124
-        uses: actions/setup-go@v5
+      - name: Cache Go for macOS 10.13
+        if: matrix.legacy_osx
+        id: cache-go-for-macos1013
+        uses: actions/cache@v4
         with:
-          go-version: ~1.24.6
+          path: |
+            ~/go/go_osx
+          key: go_osx_1258
+      - name: Setup Go for macOS 10.13
+        if: matrix.legacy_osx && steps.cache-go-for-macos1013.outputs.cache-hit != 'true'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |-
+          .github/setup_go_for_macos1013.sh
+      - name: Setup Go for macOS 10.13
+        if: matrix.legacy_osx
+        run: |-
+          echo "PATH=$HOME/go/go_osx/bin:$PATH" >> $GITHUB_ENV
+          echo "GOROOT=$HOME/go/go_osx" >> $GITHUB_ENV
       - name: Set tag
         run: |-
           git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
@@ -457,7 +492,7 @@ jobs:
       - name: Set build tags
         run: |
           set -xeuo pipefail
-          if [[ "${{ matrix.legacy_go124 }}" != "true" ]]; then
+          if [[ "${{ matrix.legacy_osx }}" != "true" ]]; then
             TAGS=$(cat release/DEFAULT_BUILD_TAGS)
           else
             TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
@@ -477,6 +512,7 @@ jobs:
           CGO_ENABLED: "1"
           GOOS: darwin
           GOARCH: ${{ matrix.arch }}
+          MACOSX_DEPLOYMENT_TARGET: ${{ matrix.legacy_osx && '10.13' || '' }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Set name
         run: |-
@@ -515,7 +551,7 @@ jobs:
           - { arch: arm64, naive: true }
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -598,14 +634,14 @@ jobs:
       - calculate_version
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
           submodules: 'recursive'
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ~1.26.0
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -688,14 +724,14 @@ jobs:
       - calculate_version
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
           submodules: 'recursive'
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ~1.26.0
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -786,7 +822,7 @@ jobs:
     steps:
       - name: Checkout
         if: matrix.if
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
           submodules: 'recursive'
@@ -794,7 +830,7 @@ jobs:
         if: matrix.if
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ~1.26.0
       - name: Set tag
         if: matrix.if
         run: |-
@@ -940,7 +976,7 @@ jobs:
       - build_apple
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Cache ghr

.github/workflows/docker.yml

@@ -49,14 +49,14 @@ jobs:
           echo "ref=$ref"
           echo "ref=$ref" >> $GITHUB_OUTPUT
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           ref: ${{ steps.ref.outputs.ref }}
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ~1.26.0
       - name: Clone cronet-go
         if: matrix.naive
         run: |
@@ -188,7 +188,7 @@ jobs:
           echo "ref=$ref"
           echo "ref=$ref" >> $GITHUB_OUTPUT
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           ref: ${{ steps.ref.outputs.ref }}
           fetch-depth: 0

.github/workflows/lint.yml

@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go

.github/workflows/linux.yml

@@ -29,13 +29,13 @@ jobs:
       version: ${{ steps.outputs.outputs.version }}
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ~1.26.0
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -72,13 +72,13 @@ jobs:
           - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ~1.26.0
       - name: Clone cronet-go
         if: matrix.naive
         run: |
@@ -236,7 +236,7 @@ jobs:
       - build
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Set tag

adapter/inbound.go

@@ -2,6 +2,7 @@ package adapter
 
 import (
 	"context"
+	"net"
 	"net/netip"
 	"time"
 
@@ -82,6 +83,8 @@ type InboundContext struct {
 	SourceGeoIPCode      string
 	GeoIPCode            string
 	ProcessInfo          *ConnectionOwner
+	SourceMACAddress     net.HardwareAddr
+	SourceHostname       string
 	QueryType            uint16
 	FakeIP               bool
 

adapter/neighbor.go

@@ -0,0 +1,23 @@
+package adapter
+
+import (
+	"net"
+	"net/netip"
+)
+
+type NeighborEntry struct {
+	Address    netip.Addr
+	MACAddress net.HardwareAddr
+	Hostname   string
+}
+
+type NeighborResolver interface {
+	LookupMAC(address netip.Addr) (net.HardwareAddr, bool)
+	LookupHostname(address netip.Addr) (string, bool)
+	Start() error
+	Close() error
+}
+
+type NeighborUpdateListener interface {
+	UpdateNeighborTable(entries []NeighborEntry)
+}

adapter/platform.go

@@ -36,6 +36,10 @@ type PlatformInterface interface {
 
 	UsePlatformNotification() bool
 	SendNotification(notification *Notification) error
+
+	UsePlatformNeighborResolver() bool
+	StartNeighborMonitor(listener NeighborUpdateListener) error
+	CloseNeighborMonitor(listener NeighborUpdateListener) error
 }
 
 type FindConnectionOwnerRequest struct {

adapter/router.go

@@ -26,6 +26,8 @@ type Router interface {
 	RuleSet(tag string) (RuleSet, bool)
 	Rules() []Rule
 	NeedFindProcess() bool
+	NeedFindNeighbor() bool
+	NeighborResolver() NeighborResolver
 	AppendTracker(tracker ConnectionTracker)
 	ResetNetwork()
 }

common/listener/listener.go

@@ -151,6 +151,7 @@ func ListenNetworkNamespace[T any](nameOrPath string, block func() (T, error)) (
 		if err != nil {
 			return common.DefaultValue[T](), E.Cause(err, "get current netns")
 		}
+		defer currentNs.Close()
 		defer netns.Set(currentNs)
 		var targetNs netns.NsHandle
 		if strings.HasPrefix(nameOrPath, "/") {

dns/client.go

@@ -324,16 +324,20 @@ func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, dom
 	} else {
 		strategy = options.Strategy
 	}
+	lookupOptions := options
+	if options.LookupStrategy != C.DomainStrategyAsIS {
+		lookupOptions.Strategy = strategy
+	}
 	if strategy == C.DomainStrategyIPv4Only {
-		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, options, responseChecker)
+		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, lookupOptions, responseChecker)
 	} else if strategy == C.DomainStrategyIPv6Only {
-		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, options, responseChecker)
+		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, lookupOptions, responseChecker)
 	}
 	var response4 []netip.Addr
 	var response6 []netip.Addr
 	var group task.Group
 	group.Append("exchange4", func(ctx context.Context) error {
-		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, options, responseChecker)
+		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, lookupOptions, responseChecker)
 		if err != nil {
 			return err
 		}
@@ -341,7 +345,7 @@ func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, dom
 		return nil
 	})
 	group.Append("exchange6", func(ctx context.Context) error {
-		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, options, responseChecker)
+		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, lookupOptions, responseChecker)
 		if err != nil {
 			return err
 		}

dns/router.go

@@ -195,7 +195,16 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 			}
 		}
 	}
-	return r.transport.Default(), nil, -1
+	transport := r.transport.Default()
+	if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
+		if options.Strategy == C.DomainStrategyAsIS {
+			options.Strategy = legacyTransport.LegacyStrategy()
+		}
+		if !options.ClientSubnet.IsValid() {
+			options.ClientSubnet = legacyTransport.LegacyClientSubnet()
+		}
+	}
+	return transport, nil, -1
 }
 
 func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapter.DNSQueryOptions) (*mDNS.Msg, error) {
@@ -345,7 +354,7 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 		transport := options.Transport
 		if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
 			if options.Strategy == C.DomainStrategyAsIS {
-				options.Strategy = r.defaultDomainStrategy
+				options.Strategy = legacyTransport.LegacyStrategy()
 			}
 			if !options.ClientSubnet.IsValid() {
 				options.ClientSubnet = legacyTransport.LegacyClientSubnet()

dns/transport/local/local.go

@@ -81,10 +81,7 @@ func (t *Transport) Reset() {
 
 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	if t.resolved != nil {
-		resolverObject := t.resolved.Object()
-		if resolverObject != nil {
-			return t.resolved.Exchange(resolverObject, ctx, message)
-		}
+		return t.resolved.Exchange(ctx, message)
 	}
 	question := message.Question[0]
 	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {

dns/transport/local/local_resolved.go

@@ -9,6 +9,5 @@ import (
 type ResolvedResolver interface {
 	Start() error
 	Close() error
-	Object() any
-	Exchange(object any, ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error)
+	Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error)
 }

dns/transport/local/local_resolved_linux.go

@@ -4,19 +4,26 @@ import (
 	"bufio"
 	"context"
 	"errors"
+	"net/netip"
 	"os"
 	"strings"
 	"sync"
 	"sync/atomic"
 
 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/dialer"
+	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/dns"
+	dnsTransport "github.com/sagernet/sing-box/dns/transport"
+	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/service/resolved"
 	"github.com/sagernet/sing-tun"
-	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/x/list"
 	"github.com/sagernet/sing/service"
 
@@ -49,13 +56,23 @@ type DBusResolvedResolver struct {
 	interfaceMonitor  tun.DefaultInterfaceMonitor
 	interfaceCallback *list.Element[tun.DefaultInterfaceUpdateCallback]
 	systemBus         *dbus.Conn
-	resoledObject     atomic.Pointer[ResolvedObject]
+	savedServerSet    atomic.Pointer[resolvedServerSet]
 	closeOnce         sync.Once
 }
 
-type ResolvedObject struct {
-	dbus.BusObject
-	InterfaceIndex int32
+type resolvedServerSet struct {
+	servers []resolvedServer
+}
+
+type resolvedServer struct {
+	primaryTransport  adapter.DNSTransport
+	fallbackTransport adapter.DNSTransport
+}
+
+type resolvedServerSpecification struct {
+	address    netip.Addr
+	port       uint16
+	serverName string
 }
 
 func NewResolvedResolver(ctx context.Context, logger logger.ContextLogger) (ResolvedResolver, error) {
@@ -82,17 +99,31 @@ func (t *DBusResolvedResolver) Start() error {
 		"org.freedesktop.DBus",
 		"NameOwnerChanged",
 		dbus.WithMatchSender("org.freedesktop.DBus"),
-		dbus.WithMatchArg(0, "org.freedesktop.resolve1.Manager"),
+		dbus.WithMatchArg(0, "org.freedesktop.resolve1"),
 	).Err
 	if err != nil {
 		return E.Cause(err, "configure resolved restart listener")
 	}
+	err = t.systemBus.BusObject().AddMatchSignal(
+		"org.freedesktop.DBus.Properties",
+		"PropertiesChanged",
+		dbus.WithMatchSender("org.freedesktop.resolve1"),
+		dbus.WithMatchArg(0, "org.freedesktop.resolve1.Manager"),
+	).Err
+	if err != nil {
+		return E.Cause(err, "configure resolved properties listener")
+	}
 	go t.loopUpdateStatus()
 	return nil
 }
 
 func (t *DBusResolvedResolver) Close() error {
+	var closeErr error
 	t.closeOnce.Do(func() {
+		serverSet := t.savedServerSet.Swap(nil)
+		if serverSet != nil {
+			closeErr = serverSet.Close()
+		}
 		if t.interfaceCallback != nil {
 			t.interfaceMonitor.UnregisterCallback(t.interfaceCallback)
 		}
@@ -100,99 +131,97 @@ func (t *DBusResolvedResolver) Close() error {
 			_ = t.systemBus.Close()
 		}
 	})
-	return nil
+	return closeErr
 }
 
-func (t *DBusResolvedResolver) Object() any {
-	return common.PtrOrNil(t.resoledObject.Load())
-}
-
-func (t *DBusResolvedResolver) Exchange(object any, ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	question := message.Question[0]
-	resolvedObject := object.(*ResolvedObject)
-	call := resolvedObject.CallWithContext(
-		ctx,
-		"org.freedesktop.resolve1.Manager.ResolveRecord",
-		0,
-		resolvedObject.InterfaceIndex,
-		question.Name,
-		question.Qclass,
-		question.Qtype,
-		uint64(0),
-	)
-	if call.Err != nil {
-		var dbusError dbus.Error
-		if errors.As(call.Err, &dbusError) && dbusError.Name == "org.freedesktop.resolve1.NoNameServers" {
-			t.updateStatus()
+func (t *DBusResolvedResolver) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	serverSet := t.savedServerSet.Load()
+	if serverSet == nil {
+		var err error
+		serverSet, err = t.checkResolved(context.Background())
+		if err != nil {
+			return nil, err
+		}
+		previousServerSet := t.savedServerSet.Swap(serverSet)
+		if previousServerSet != nil {
+			_ = previousServerSet.Close()
 		}
-		return nil, E.Cause(call.Err, " resolve record via resolved")
 	}
-	var (
-		records  []resolved.ResourceRecord
-		outflags uint64
-	)
-	err := call.Store(&records, &outflags)
-	if err != nil {
+	response, err := t.exchangeServerSet(ctx, message, serverSet)
+	if err == nil {
+		return response, nil
+	}
+	t.updateStatus()
+	refreshedServerSet := t.savedServerSet.Load()
+	if refreshedServerSet == nil || refreshedServerSet == serverSet {
 		return nil, err
 	}
-	response := &mDNS.Msg{
-		MsgHdr: mDNS.MsgHdr{
-			Id:                 message.Id,
-			Response:           true,
-			Authoritative:      true,
-			RecursionDesired:   true,
-			RecursionAvailable: true,
-			Rcode:              mDNS.RcodeSuccess,
-		},
-		Question: []mDNS.Question{question},
-	}
-	for _, record := range records {
-		var rr mDNS.RR
-		rr, _, err = mDNS.UnpackRR(record.Data, 0)
-		if err != nil {
-			return nil, E.Cause(err, "unpack resource record")
-		}
-		response.Answer = append(response.Answer, rr)
-	}
-	return response, nil
+	return t.exchangeServerSet(ctx, message, refreshedServerSet)
 }
 
 func (t *DBusResolvedResolver) loopUpdateStatus() {
 	signalChan := make(chan *dbus.Signal, 1)
 	t.systemBus.Signal(signalChan)
 	for signal := range signalChan {
-		var restarted bool
-		if signal.Name == "org.freedesktop.DBus.NameOwnerChanged" {
-			if len(signal.Body) != 3 || signal.Body[2].(string) == "" {
+		switch signal.Name {
+		case "org.freedesktop.DBus.NameOwnerChanged":
+			if len(signal.Body) != 3 {
+				continue
+			}
+			newOwner, loaded := signal.Body[2].(string)
+			if !loaded || newOwner == "" {
+				continue
+			}
+			t.updateStatus()
+		case "org.freedesktop.DBus.Properties.PropertiesChanged":
+			if !shouldUpdateResolvedServerSet(signal) {
 				continue
-			} else {
-				restarted = true
 			}
-		}
-		if restarted {
 			t.updateStatus()
 		}
 	}
 }
 
 func (t *DBusResolvedResolver) updateStatus() {
-	dbusObject, err := t.checkResolved(context.Background())
-	oldValue := t.resoledObject.Swap(dbusObject)
+	serverSet, err := t.checkResolved(context.Background())
+	oldServerSet := t.savedServerSet.Swap(serverSet)
+	if oldServerSet != nil {
+		_ = oldServerSet.Close()
+	}
 	if err != nil {
 		var dbusErr dbus.Error
-		if !errors.As(err, &dbusErr) || dbusErr.Name != "org.freedesktop.DBus.Error.NameHasNoOwnerCould" {
+		if !errors.As(err, &dbusErr) || dbusErr.Name != "org.freedesktop.DBus.Error.NameHasNoOwner" {
 			t.logger.Debug(E.Cause(err, "systemd-resolved service unavailable"))
 		}
-		if oldValue != nil {
+		if oldServerSet != nil {
 			t.logger.Debug("systemd-resolved service is gone")
 		}
 		return
-	} else if oldValue == nil {
+	} else if oldServerSet == nil {
 		t.logger.Debug("using systemd-resolved service as resolver")
 	}
 }
 
-func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*ResolvedObject, error) {
+func (t *DBusResolvedResolver) exchangeServerSet(ctx context.Context, message *mDNS.Msg, serverSet *resolvedServerSet) (*mDNS.Msg, error) {
+	if serverSet == nil || len(serverSet.servers) == 0 {
+		return nil, E.New("link has no DNS servers configured")
+	}
+	var lastError error
+	for _, server := range serverSet.servers {
+		response, err := server.primaryTransport.Exchange(ctx, message)
+		if err != nil && server.fallbackTransport != nil {
+			response, err = server.fallbackTransport.Exchange(ctx, message)
+		}
+		if err != nil {
+			lastError = err
+			continue
+		}
+		return response, nil
+	}
+	return nil, lastError
+}
+
+func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*resolvedServerSet, error) {
 	dbusObject := t.systemBus.Object("org.freedesktop.resolve1", "/org/freedesktop/resolve1")
 	err := dbusObject.Call("org.freedesktop.DBus.Peer.Ping", 0).Err
 	if err != nil {
@@ -220,16 +249,19 @@ func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*ResolvedObje
 	if linkObject == nil {
 		return nil, E.New("missing link object for default interface")
 	}
-	dnsProp, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNS")
+	dnsOverTLSMode, err := loadResolvedLinkDNSOverTLS(linkObject)
 	if err != nil {
 		return nil, err
 	}
-	var linkDNS []resolved.LinkDNS
-	err = dnsProp.Store(&linkDNS)
+	linkDNSEx, err := loadResolvedLinkDNSEx(linkObject)
 	if err != nil {
 		return nil, err
 	}
-	if len(linkDNS) == 0 {
+	linkDNS, err := loadResolvedLinkDNS(linkObject)
+	if err != nil {
+		return nil, err
+	}
+	if len(linkDNSEx) == 0 && len(linkDNS) == 0 {
 		for _, inbound := range service.FromContext[adapter.InboundManager](t.ctx).Inbounds() {
 			if inbound.Type() == C.TypeTun {
 				return nil, E.New("No appropriate name servers or networks for name found")
@@ -237,12 +269,233 @@ func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*ResolvedObje
 		}
 		return nil, E.New("link has no DNS servers configured")
 	}
-	return &ResolvedObject{
-		BusObject:      dbusObject,
-		InterfaceIndex: int32(defaultInterface.Index),
+	serverDialer, err := dialer.NewDefault(t.ctx, option.DialerOptions{
+		BindInterface:      defaultInterface.Name,
+		UDPFragmentDefault: true,
+	})
+	if err != nil {
+		return nil, err
+	}
+	var serverSpecifications []resolvedServerSpecification
+	if len(linkDNSEx) > 0 {
+		for _, entry := range linkDNSEx {
+			serverSpecification, loaded := buildResolvedServerSpecification(defaultInterface.Name, entry.Address, entry.Port, entry.Name)
+			if !loaded {
+				continue
+			}
+			serverSpecifications = append(serverSpecifications, serverSpecification)
+		}
+	} else {
+		for _, entry := range linkDNS {
+			serverSpecification, loaded := buildResolvedServerSpecification(defaultInterface.Name, entry.Address, 0, "")
+			if !loaded {
+				continue
+			}
+			serverSpecifications = append(serverSpecifications, serverSpecification)
+		}
+	}
+	if len(serverSpecifications) == 0 {
+		return nil, E.New("no valid DNS servers on link")
+	}
+	serverSet := &resolvedServerSet{
+		servers: make([]resolvedServer, 0, len(serverSpecifications)),
+	}
+	for _, serverSpecification := range serverSpecifications {
+		server, createErr := t.createResolvedServer(serverDialer, dnsOverTLSMode, serverSpecification)
+		if createErr != nil {
+			_ = serverSet.Close()
+			return nil, createErr
+		}
+		serverSet.servers = append(serverSet.servers, server)
+	}
+	return serverSet, nil
+}
+
+func (t *DBusResolvedResolver) createResolvedServer(serverDialer N.Dialer, dnsOverTLSMode string, serverSpecification resolvedServerSpecification) (resolvedServer, error) {
+	if dnsOverTLSMode == "yes" {
+		primaryTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, true)
+		if err != nil {
+			return resolvedServer{}, err
+		}
+		return resolvedServer{
+			primaryTransport: primaryTransport,
+		}, nil
+	}
+	if dnsOverTLSMode == "opportunistic" {
+		primaryTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, true)
+		if err != nil {
+			return resolvedServer{}, err
+		}
+		fallbackTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, false)
+		if err != nil {
+			_ = primaryTransport.Close()
+			return resolvedServer{}, err
+		}
+		return resolvedServer{
+			primaryTransport:  primaryTransport,
+			fallbackTransport: fallbackTransport,
+		}, nil
+	}
+	primaryTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, false)
+	if err != nil {
+		return resolvedServer{}, err
+	}
+	return resolvedServer{
+		primaryTransport: primaryTransport,
 	}, nil
 }
 
+func (t *DBusResolvedResolver) createResolvedTransport(serverDialer N.Dialer, serverSpecification resolvedServerSpecification, useTLS bool) (adapter.DNSTransport, error) {
+	serverAddress := M.SocksaddrFrom(serverSpecification.address, resolvedServerPort(serverSpecification.port, useTLS))
+	if useTLS {
+		tlsAddress := serverSpecification.address
+		if tlsAddress.Zone() != "" {
+			tlsAddress = tlsAddress.WithZone("")
+		}
+		serverName := serverSpecification.serverName
+		if serverName == "" {
+			serverName = tlsAddress.String()
+		}
+		tlsConfig, err := tls.NewClient(t.ctx, t.logger, tlsAddress.String(), option.OutboundTLSOptions{
+			Enabled:    true,
+			ServerName: serverName,
+		})
+		if err != nil {
+			return nil, err
+		}
+		serverTransport := dnsTransport.NewTLSRaw(t.logger, dns.NewTransportAdapter(C.DNSTypeTLS, "", nil), serverDialer, serverAddress, tlsConfig)
+		err = serverTransport.Start(adapter.StartStateStart)
+		if err != nil {
+			_ = serverTransport.Close()
+			return nil, err
+		}
+		return serverTransport, nil
+	}
+	serverTransport := dnsTransport.NewUDPRaw(t.logger, dns.NewTransportAdapter(C.DNSTypeUDP, "", nil), serverDialer, serverAddress)
+	err := serverTransport.Start(adapter.StartStateStart)
+	if err != nil {
+		_ = serverTransport.Close()
+		return nil, err
+	}
+	return serverTransport, nil
+}
+
+func (s *resolvedServerSet) Close() error {
+	var errors []error
+	for _, server := range s.servers {
+		errors = append(errors, server.primaryTransport.Close())
+		if server.fallbackTransport != nil {
+			errors = append(errors, server.fallbackTransport.Close())
+		}
+	}
+	return E.Errors(errors...)
+}
+
+func buildResolvedServerSpecification(interfaceName string, rawAddress []byte, port uint16, serverName string) (resolvedServerSpecification, bool) {
+	address, loaded := netip.AddrFromSlice(rawAddress)
+	if !loaded {
+		return resolvedServerSpecification{}, false
+	}
+	if address.Is6() && address.IsLinkLocalUnicast() && address.Zone() == "" {
+		address = address.WithZone(interfaceName)
+	}
+	return resolvedServerSpecification{
+		address:    address,
+		port:       port,
+		serverName: serverName,
+	}, true
+}
+
+func resolvedServerPort(port uint16, useTLS bool) uint16 {
+	if port > 0 {
+		return port
+	}
+	if useTLS {
+		return 853
+	}
+	return 53
+}
+
+func loadResolvedLinkDNS(linkObject dbus.BusObject) ([]resolved.LinkDNS, error) {
+	dnsProperty, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNS")
+	if err != nil {
+		if isResolvedUnknownPropertyError(err) {
+			return nil, nil
+		}
+		return nil, err
+	}
+	var linkDNS []resolved.LinkDNS
+	err = dnsProperty.Store(&linkDNS)
+	if err != nil {
+		return nil, err
+	}
+	return linkDNS, nil
+}
+
+func loadResolvedLinkDNSEx(linkObject dbus.BusObject) ([]resolved.LinkDNSEx, error) {
+	dnsProperty, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNSEx")
+	if err != nil {
+		if isResolvedUnknownPropertyError(err) {
+			return nil, nil
+		}
+		return nil, err
+	}
+	var linkDNSEx []resolved.LinkDNSEx
+	err = dnsProperty.Store(&linkDNSEx)
+	if err != nil {
+		return nil, err
+	}
+	return linkDNSEx, nil
+}
+
+func loadResolvedLinkDNSOverTLS(linkObject dbus.BusObject) (string, error) {
+	dnsOverTLSProperty, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNSOverTLS")
+	if err != nil {
+		if isResolvedUnknownPropertyError(err) {
+			return "", nil
+		}
+		return "", err
+	}
+	var dnsOverTLSMode string
+	err = dnsOverTLSProperty.Store(&dnsOverTLSMode)
+	if err != nil {
+		return "", err
+	}
+	return dnsOverTLSMode, nil
+}
+
+func isResolvedUnknownPropertyError(err error) bool {
+	var dbusError dbus.Error
+	return errors.As(err, &dbusError) && dbusError.Name == "org.freedesktop.DBus.Error.UnknownProperty"
+}
+
+func shouldUpdateResolvedServerSet(signal *dbus.Signal) bool {
+	if len(signal.Body) != 3 {
+		return true
+	}
+	changedProperties, loaded := signal.Body[1].(map[string]dbus.Variant)
+	if !loaded {
+		return true
+	}
+	for propertyName := range changedProperties {
+		switch propertyName {
+		case "DNS", "DNSEx", "DNSOverTLS":
+			return true
+		}
+	}
+	invalidatedProperties, loaded := signal.Body[2].([]string)
+	if !loaded {
+		return true
+	}
+	for _, propertyName := range invalidatedProperties {
+		switch propertyName {
+		case "DNS", "DNSEx", "DNSOverTLS":
+			return true
+		}
+	}
+	return false
+}
+
 func (t *DBusResolvedResolver) updateDefaultInterface(defaultInterface *control.Interface, flags int) {
 	t.updateStatus()
 }

docs/changelog.md

@@ -2,6 +2,79 @@
 icon: material/alert-decagram
 ---
 
+#### 1.14.0-alpha.2
+
+* Add OpenWrt and Alpine APK packages to release **1**
+* Backport to macOS 10.13 High Sierra **2**
+* OCM service: Add WebSocket support for Responses API **3**
+* Fixes and improvements
+
+**1**:
+
+Alpine APK files use `linux` in the filename to distinguish from OpenWrt APKs which use the `openwrt` prefix:
+
+- OpenWrt: `sing-box_{version}_openwrt_{architecture}.apk`
+- Alpine: `sing-box_{version}_linux_{architecture}.apk`
+
+**2**:
+
+Legacy macOS binaries (with `-legacy-macos-10.13` suffix) now support
+macOS 10.13 High Sierra, built using Go 1.25 with patches
+from [SagerNet/go](https://github.com/SagerNet/go).
+
+**3**:
+
+See [OCM](/configuration/service/ocm).
+
+#### 1.13.3-beta.1
+
+* Add OpenWrt and Alpine APK packages to release **1**
+* Backport to macOS 10.13 High Sierra **2**
+* OCM service: Add WebSocket support for Responses API **3**
+* Fixes and improvements
+
+**1**:
+
+Alpine APK files use `linux` in the filename to distinguish from OpenWrt APKs which use the `openwrt` prefix:
+
+- OpenWrt: `sing-box_{version}_openwrt_{architecture}.apk`
+- Alpine: `sing-box_{version}_linux_{architecture}.apk`
+
+**2**:
+
+Legacy macOS binaries (with `-legacy-macos-10.13` suffix) now support
+macOS 10.13 High Sierra, built using Go 1.25 with patches
+from [SagerNet/go](https://github.com/SagerNet/go).
+
+**3**:
+
+See [OCM](/configuration/service/ocm).
+
+#### 1.14.0-alpha.1
+
+* Add `source_mac_address` and `source_hostname` rule items **1**
+* Add `include_mac_address` and `exclude_mac_address` TUN options **2**
+* Update NaiveProxy to 145.0.7632.159 **3**
+* Fixes and improvements
+
+**1**:
+
+New rule items for matching LAN devices by MAC address and hostname via neighbor resolution.
+Supported on Linux, macOS, or in graphical clients on Android and macOS.
+
+See [Route Rule](/configuration/route/rule/#source_mac_address), [DNS Rule](/configuration/dns/rule/#source_mac_address) and [Neighbor Resolution](/configuration/shared/neighbor/).
+
+**2**:
+
+Limit or exclude devices from TUN routing by MAC address.
+Only supported on Linux with `auto_route` and `auto_redirect` enabled.
+
+See [TUN](/configuration/inbound/tun/#include_mac_address).
+
+**3**:
+
+This is not an official update from NaiveProxy. Instead, it's a Chromium codebase update maintained by Project S.
+
 #### 1.13.2
 
 * Fixes and improvements

docs/configuration/dns/rule.md

@@ -2,6 +2,11 @@
 icon: material/alert-decagram
 ---
 
+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [source_mac_address](#source_mac_address)  
+    :material-plus: [source_hostname](#source_hostname)
+
 !!! quote "Changes in sing-box 1.13.0"
 
     :material-plus: [interface_address](#interface_address)  
@@ -149,6 +154,12 @@ icon: material/alert-decagram
         "default_interface_address": [
           "2000::/3"
         ],
+        "source_mac_address": [
+          "00:11:22:33:44:55"
+        ],
+        "source_hostname": [
+          "my-device"
+        ],
         "wifi_ssid": [
           "My WIFI"
         ],
@@ -408,6 +419,26 @@ Matches network interface (same values as `network_type`) address.
 
 Match default interface address.
 
+#### source_mac_address
+
+!!! question "Since sing-box 1.14.0"
+
+!!! quote ""
+
+    Only supported on Linux, macOS, or in graphical clients on Android and macOS. See [Neighbor Resolution](/configuration/shared/neighbor/) for setup.
+
+Match source device MAC address.
+
+#### source_hostname
+
+!!! question "Since sing-box 1.14.0"
+
+!!! quote ""
+
+    Only supported on Linux, macOS, or in graphical clients on Android and macOS. See [Neighbor Resolution](/configuration/shared/neighbor/) for setup.
+
+Match source device hostname from DHCP leases.
+
 #### wifi_ssid
 
 !!! quote ""

docs/configuration/dns/rule.zh.md

@@ -2,6 +2,11 @@
 icon: material/alert-decagram
 ---
 
+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [source_mac_address](#source_mac_address)  
+    :material-plus: [source_hostname](#source_hostname)
+
 !!! quote "sing-box 1.13.0 中的更改"
 
     :material-plus: [interface_address](#interface_address)  
@@ -149,6 +154,12 @@ icon: material/alert-decagram
         "default_interface_address": [
           "2000::/3"
         ],
+        "source_mac_address": [
+          "00:11:22:33:44:55"
+        ],
+        "source_hostname": [
+          "my-device"
+        ],
         "wifi_ssid": [
           "My WIFI"
         ],
@@ -407,6 +418,26 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 
 匹配默认接口地址。
 
+#### source_mac_address
+
+!!! question "自 sing-box 1.14.0 起"
+
+!!! quote ""
+
+    仅支持 Linux、macOS，或在 Android 和 macOS 图形客户端中支持。参阅 [邻居解析](/configuration/shared/neighbor/) 了解设置方法。
+
+匹配源设备 MAC 地址。
+
+#### source_hostname
+
+!!! question "自 sing-box 1.14.0 起"
+
+!!! quote ""
+
+    仅支持 Linux、macOS，或在 Android 和 macOS 图形客户端中支持。参阅 [邻居解析](/configuration/shared/neighbor/) 了解设置方法。
+
+匹配源设备从 DHCP 租约获取的主机名。
+
 #### wifi_ssid
 
 !!! quote ""

docs/configuration/inbound/tun.md

@@ -2,6 +2,15 @@
 icon: material/new-box
 ---
 
+!!! quote "Changes in sing-box 1.14.0"
+
+:material-plus: [include_mac_address](#include_mac_address)
+:material-plus: [exclude_mac_address](#exclude_mac_address)
+
+!!! quote "Changes in sing-box 1.13.3"
+
+    :material-alert: [strict_route](#strict_route)
+
 !!! quote "Changes in sing-box 1.13.0"
 
     :material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)  
@@ -125,6 +134,12 @@ icon: material/new-box
   "exclude_package": [
     "com.android.captiveportallogin"
   ],
+  "include_mac_address": [
+    "00:11:22:33:44:55"
+  ],
+  "exclude_mac_address": [
+    "66:77:88:99:aa:bb"
+  ],
   "platform": {
     "http_proxy": {
       "enabled": false,
@@ -348,6 +363,9 @@ Enforce strict routing rules when `auto_route` is enabled:
 
 * Let unsupported network unreachable
 * For legacy reasons, when neither `strict_route` nor `auto_redirect` are enabled, all ICMP traffic will not go through TUN.
+* When `auto_redirect` is enabled, `strict_route` also affects `SO_BINDTODEVICE` traffic:
+    * Enabled: `SO_BINDTODEVICE` traffic is redirected through sing-box.
+    * Disabled: `SO_BINDTODEVICE` traffic bypasses sing-box.
 
 *In Windows*:
 
@@ -548,6 +566,30 @@ Limit android packages in route.
 
 Exclude android packages in route.
 
+#### include_mac_address
+
+!!! question "Since sing-box 1.14.0"
+
+!!! quote ""
+
+    Only supported on Linux with `auto_route` and `auto_redirect` enabled.
+
+Limit MAC addresses in route. Not limited by default.
+
+Conflict with `exclude_mac_address`.
+
+#### exclude_mac_address
+
+!!! question "Since sing-box 1.14.0"
+
+!!! quote ""
+
+    Only supported on Linux with `auto_route` and `auto_redirect` enabled.
+
+Exclude MAC addresses in route.
+
+Conflict with `include_mac_address`.
+
 #### platform
 
 Platform-specific settings, provided by client applications.

docs/configuration/inbound/tun.zh.md

@@ -2,6 +2,15 @@
 icon: material/new-box
 ---
 
+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [include_mac_address](#include_mac_address)
+    :material-plus: [exclude_mac_address](#exclude_mac_address)
+
+!!! quote "sing-box 1.13.3 中的更改"
+
+    :material-alert: [strict_route](#strict_route)
+
 !!! quote "sing-box 1.13.0 中的更改"
 
     :material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)  
@@ -126,6 +135,12 @@ icon: material/new-box
   "exclude_package": [
     "com.android.captiveportallogin"
   ],
+  "include_mac_address": [
+    "00:11:22:33:44:55"
+  ],
+  "exclude_mac_address": [
+    "66:77:88:99:aa:bb"
+  ],
   "platform": {
     "http_proxy": {
       "enabled": false,
@@ -347,6 +362,9 @@ tun 接口的 IPv6 前缀。
 
 * 使不支持的网络不可达。
 * 出于历史遗留原因，当未启用 `strict_route` 或 `auto_redirect` 时，所有 ICMP 流量将不会通过 TUN。
+* 当启用 `auto_redirect` 时，`strict_route` 也影响 `SO_BINDTODEVICE` 流量：
+    * 启用：`SO_BINDTODEVICE` 流量被重定向通过 sing-box。
+    * 禁用：`SO_BINDTODEVICE` 流量绕过 sing-box。
 
 *在 Windows 中*：
 
@@ -536,6 +554,30 @@ TCP/IP 栈。
 
 排除路由的 Android 应用包名。
 
+#### include_mac_address
+
+!!! question "自 sing-box 1.14.0 起"
+
+!!! quote ""
+
+    仅支持 Linux，且需要 `auto_route` 和 `auto_redirect` 已启用。
+
+限制被路由的 MAC 地址。默认不限制。
+
+与 `exclude_mac_address` 冲突。
+
+#### exclude_mac_address
+
+!!! question "自 sing-box 1.14.0 起"
+
+!!! quote ""
+
+    仅支持 Linux，且需要 `auto_route` 和 `auto_redirect` 已启用。
+
+排除路由的 MAC 地址。
+
+与 `include_mac_address` 冲突。
+
 #### platform
 
 平台特定的设置，由客户端应用提供。

docs/configuration/outbound/naive.md

@@ -34,10 +34,12 @@ icon: material/new-box
 
     | Build Variant | Platforms | Description |
     |---------------|-----------|-------------|
-    | (default)     | Linux amd64/arm64 | purego build with `libcronet.so` included |
-    | `-glibc`      | Linux 386/amd64/arm/arm64 | CGO build dynamically linked with glibc, requires glibc >= 2.31 |
-    | `-musl`       | Linux 386/amd64/arm/arm64 | CGO build statically linked with musl, no system requirements |
-    | (default)     | Windows amd64/arm64 | purego build with `libcronet.dll` included |
+    | (no suffix) | Linux amd64/arm64 | purego build, `libcronet.so` included |
+    | `-glibc` | Linux 386/amd64/arm/arm64/mipsle/mips64le/riscv64/loong64 | CGO build, dynamically linked with glibc, requires glibc >= 2.31 (loong64: >= 2.36) |
+    | `-musl` | Linux 386/amd64/arm/arm64/mipsle/riscv64/loong64 | CGO build, statically linked with musl |
+    | (no suffix) | Windows amd64/arm64 | purego build, `libcronet.dll` included |
+
+    For Linux, choose the glibc or musl variant based on your distribution's libc type.
 
     **Runtime Requirements:**
 

docs/configuration/outbound/naive.zh.md

@@ -32,12 +32,14 @@ icon: material/new-box
 
     **官方发布版本区别：**
 
-    | 构建变体      | 平台                     | 说明                                       |
-    |-----------|------------------------|------------------------------------------|
-    | (默认)      | Linux amd64/arm64      | purego 构建，包含 `libcronet.so`              |
-    | `-glibc`  | Linux 386/amd64/arm/arm64 | CGO 构建，动态链接 glibc，要求 glibc >= 2.31       |
-    | `-musl`   | Linux 386/amd64/arm/arm64 | CGO 构建，静态链接 musl，无系统要求                   |
-    | (默认)      | Windows amd64/arm64 | purego 构建，包含 `libcronet.dll`             |
+    | 构建变体 | 平台 | 说明 |
+    |---|---|---|
+    | (无后缀) | Linux amd64/arm64 | purego 构建，包含 `libcronet.so` |
+    | `-glibc` | Linux 386/amd64/arm/arm64/mipsle/mips64le/riscv64/loong64 | CGO 构建，动态链接 glibc，要求 glibc >= 2.31（loong64: >= 2.36） |
+    | `-musl` | Linux 386/amd64/arm/arm64/mipsle/riscv64/loong64 | CGO 构建，静态链接 musl |
+    | (无后缀) | Windows amd64/arm64 | purego 构建，包含 `libcronet.dll` |
+
+    对于 Linux，请根据发行版的 libc 类型选择 glibc 或 musl 变体。
 
     **运行时要求：**
 

docs/configuration/route/index.md

@@ -4,6 +4,11 @@ icon: material/alert-decagram
 
 # Route
 
+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [find_neighbor](#find_neighbor)  
+    :material-plus: [dhcp_lease_files](#dhcp_lease_files)
+
 !!! quote "Changes in sing-box 1.12.0"
 
     :material-plus: [default_domain_resolver](#default_domain_resolver)  
@@ -35,6 +40,9 @@ icon: material/alert-decagram
     "override_android_vpn": false,
     "default_interface": "",
     "default_mark": 0,
+    "find_process": false,
+    "find_neighbor": false,
+    "dhcp_lease_files": [],
     "default_domain_resolver": "", // or {}
     "default_network_strategy": "",
     "default_network_type": [],
@@ -107,6 +115,38 @@ Set routing mark by default.
 
 Takes no effect if `outbound.routing_mark` is set.
 
+#### find_process
+
+!!! quote ""
+
+    Only supported on Linux, Windows, and macOS.
+
+Enable process search for logging when no `process_name`, `process_path`, `package_name`, `user` or `user_id` rules exist.
+
+#### find_neighbor
+
+!!! question "Since sing-box 1.14.0"
+
+!!! quote ""
+
+    Only supported on Linux and macOS.
+
+Enable neighbor resolution for logging when no `source_mac_address` or `source_hostname` rules exist.
+
+See [Neighbor Resolution](/configuration/shared/neighbor/) for setup.
+
+#### dhcp_lease_files
+
+!!! question "Since sing-box 1.14.0"
+
+!!! quote ""
+
+    Only supported on Linux and macOS.
+
+Custom DHCP lease file paths for hostname and MAC address resolution.
+
+Automatically detected from common DHCP servers (dnsmasq, odhcpd, ISC dhcpd, Kea) if empty.
+
 #### default_domain_resolver
 
 !!! question "Since sing-box 1.12.0"

docs/configuration/route/index.zh.md

@@ -4,6 +4,11 @@ icon: material/alert-decagram
 
 # 路由
 
+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [find_neighbor](#find_neighbor)  
+    :material-plus: [dhcp_lease_files](#dhcp_lease_files)
+
 !!! quote "sing-box 1.12.0 中的更改"
 
     :material-plus: [default_domain_resolver](#default_domain_resolver)  
@@ -37,6 +42,9 @@ icon: material/alert-decagram
     "override_android_vpn": false,
     "default_interface": "",
     "default_mark": 0,
+    "find_process": false,
+    "find_neighbor": false,
+    "dhcp_lease_files": [],
     "default_network_strategy": "",
     "default_fallback_delay": ""
   }
@@ -106,6 +114,38 @@ icon: material/alert-decagram
 
 如果设置了 `outbound.routing_mark` 设置，则不生效。
 
+#### find_process
+
+!!! quote ""
+
+    仅支持 Linux、Windows 和 macOS。
+
+在没有 `process_name`、`process_path`、`package_name`、`user` 或 `user_id` 规则时启用进程搜索以输出日志。
+
+#### find_neighbor
+
+!!! question "自 sing-box 1.14.0 起"
+
+!!! quote ""
+
+    仅支持 Linux 和 macOS。
+
+在没有 `source_mac_address` 或 `source_hostname` 规则时启用邻居解析以输出日志。
+
+参阅 [邻居解析](/configuration/shared/neighbor/) 了解设置方法。
+
+#### dhcp_lease_files
+
+!!! question "自 sing-box 1.14.0 起"
+
+!!! quote ""
+
+    仅支持 Linux 和 macOS。
+
+用于主机名和 MAC 地址解析的自定义 DHCP 租约文件路径。
+
+为空时自动从常见 DHCP 服务器（dnsmasq、odhcpd、ISC dhcpd、Kea）检测。
+
 #### default_domain_resolver
 
 !!! question "自 sing-box 1.12.0 起"

docs/configuration/route/rule.md

@@ -2,6 +2,11 @@
 icon: material/new-box
 ---
 
+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [source_mac_address](#source_mac_address)  
+    :material-plus: [source_hostname](#source_hostname)
+
 !!! quote "Changes in sing-box 1.13.0"
 
     :material-plus: [interface_address](#interface_address)  
@@ -159,6 +164,12 @@ icon: material/new-box
           "tailscale",
           "wireguard"
         ],
+        "source_mac_address": [
+          "00:11:22:33:44:55"
+        ],
+        "source_hostname": [
+          "my-device"
+        ],
         "rule_set": [
           "geoip-cn",
           "geosite-cn"
@@ -449,6 +460,26 @@ Match specified outbounds' preferred routes.
 | `tailscale` | Match MagicDNS domains and peers' allowed IPs |
 | `wireguard` | Match peers's allowed IPs                     |
 
+#### source_mac_address
+
+!!! question "Since sing-box 1.14.0"
+
+!!! quote ""
+
+    Only supported on Linux, macOS, or in graphical clients on Android and macOS. See [Neighbor Resolution](/configuration/shared/neighbor/) for setup.
+
+Match source device MAC address.
+
+#### source_hostname
+
+!!! question "Since sing-box 1.14.0"
+
+!!! quote ""
+
+    Only supported on Linux, macOS, or in graphical clients on Android and macOS. See [Neighbor Resolution](/configuration/shared/neighbor/) for setup.
+
+Match source device hostname from DHCP leases.
+
 #### rule_set
 
 !!! question "Since sing-box 1.8.0"

docs/configuration/route/rule.zh.md

@@ -2,6 +2,11 @@
 icon: material/new-box
 ---
 
+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [source_mac_address](#source_mac_address)  
+    :material-plus: [source_hostname](#source_hostname)
+
 !!! quote "sing-box 1.13.0 中的更改"
 
     :material-plus: [interface_address](#interface_address)  
@@ -156,6 +161,12 @@ icon: material/new-box
           "tailscale",
           "wireguard"
         ],
+        "source_mac_address": [
+          "00:11:22:33:44:55"
+        ],
+        "source_hostname": [
+          "my-device"
+        ],
         "rule_set": [
           "geoip-cn",
           "geosite-cn"
@@ -446,6 +457,26 @@ icon: material/new-box
 | `tailscale` | 匹配 MagicDNS 域名和对端的 allowed IPs |
 | `wireguard` | 匹配对端的 allowed IPs              |
 
+#### source_mac_address
+
+!!! question "自 sing-box 1.14.0 起"
+
+!!! quote ""
+
+    仅支持 Linux、macOS，或在 Android 和 macOS 图形客户端中支持。参阅 [邻居解析](/configuration/shared/neighbor/) 了解设置方法。
+
+匹配源设备 MAC 地址。
+
+#### source_hostname
+
+!!! question "自 sing-box 1.14.0 起"
+
+!!! quote ""
+
+    仅支持 Linux、macOS，或在 Android 和 macOS 图形客户端中支持。参阅 [邻居解析](/configuration/shared/neighbor/) 了解设置方法。
+
+匹配源设备从 DHCP 租约获取的主机名。
+
 #### rule_set
 
 !!! question "自 sing-box 1.8.0 起"

docs/configuration/service/ccm.md

@@ -10,6 +10,11 @@ CCM (Claude Code Multiplexer) service is a multiplexing service that allows you
 
 It handles OAuth authentication with Claude's API on your local machine while allowing remote Claude Code to authenticate using Auth Tokens via the `ANTHROPIC_AUTH_TOKEN` environment variable.
 
+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [credentials](#credentials)  
+    :material-alert: [users](#users)
+
 ### Structure
 
 ```json
@@ -19,6 +24,7 @@ It handles OAuth authentication with Claude's API on your local machine while al
   ... // Listen Fields
 
   "credential_path": "",
+  "credentials": [],
   "usages_path": "",
   "users": [],
   "headers": {},
@@ -45,6 +51,77 @@ On macOS, credentials are read from the system keychain first, then fall back to
 
 Refreshed tokens are automatically written back to the same location.
 
+When `credential_path` points to a file, the service can start before the file exists. The credential becomes available automatically after the file is created or updated, and becomes unavailable immediately if the file is later removed or becomes invalid.
+
+On macOS without an explicit `credential_path`, keychain changes are not watched. Automatic reload only applies to the credential file path.
+
+Conflict with `credentials`.
+
+#### credentials
+
+!!! question "Since sing-box 1.14.0"
+
+List of credential configurations for multi-credential mode.
+
+When set, top-level `credential_path`, `usages_path`, and `detour` are forbidden. Each user must specify a `credential` tag.
+
+Each credential has a `type` field (`default`, `balancer`, or `fallback`) and a required `tag` field.
+
+##### Default Credential
+
+```json
+{
+  "tag": "a",
+  "credential_path": "/path/to/.credentials.json",
+  "usages_path": "/path/to/usages.json",
+  "detour": "",
+  "reserve_5h": 20,
+  "reserve_weekly": 20
+}
+```
+
+A single OAuth credential file. The `type` field can be omitted (defaults to `default`). The service can start before the file exists, and reloads file updates automatically.
+
+- `credential_path`: Path to the credentials file. Same defaults as top-level `credential_path`.
+- `usages_path`: Optional usage tracking file for this credential.
+- `detour`: Outbound tag for connecting to the Claude API with this credential.
+- `reserve_5h`: Reserve threshold (1-99) for 5-hour window. Credential pauses at (100-N)% utilization.
+- `reserve_weekly`: Reserve threshold (1-99) for weekly window. Credential pauses at (100-N)% utilization.
+
+##### Balancer Credential
+
+```json
+{
+  "tag": "pool",
+  "type": "balancer",
+  "strategy": "",
+  "credentials": ["a", "b"],
+  "poll_interval": "60s"
+}
+```
+
+Assigns sessions to default credentials based on the selected strategy. Sessions are sticky until the assigned credential hits a rate limit.
+
+- `strategy`: Selection strategy. One of `least_used` `round_robin` `random`. `least_used` will be used by default.
+- `credentials`: ==Required== List of default credential tags.
+- `poll_interval`: How often to poll upstream usage API. Default `60s`.
+
+##### Fallback Credential
+
+```json
+{
+  "tag": "backup",
+  "type": "fallback",
+  "credentials": ["a", "b"],
+  "poll_interval": "30s"
+}
+```
+
+Uses credentials in order. Falls through to the next when the current one is exhausted.
+
+- `credentials`: ==Required== Ordered list of default credential tags.
+- `poll_interval`: How often to poll upstream usage API. Default `60s`.
+
 #### usages_path
 
 Path to the file for storing aggregated API usage statistics.
@@ -60,13 +137,29 @@ Statistics are organized by model, context window (200k standard vs 1M premium),
 
 The statistics file is automatically saved every minute and upon service shutdown.
 
+Conflict with `credentials`. In multi-credential mode, use `usages_path` on individual default credentials.
+
 #### users
 
 List of authorized users for token authentication.
 
 If empty, no authentication is required.
 
-Claude Code authenticates by setting the `ANTHROPIC_AUTH_TOKEN` environment variable to their token value.
+Object format:
+
+```json
+{
+  "name": "",
+  "token": "",
+  "credential": ""
+}
+```
+
+Object fields:
+
+- `name`: Username identifier for tracking purposes.
+- `token`: Bearer token for authentication. Claude Code authenticates by setting the `ANTHROPIC_AUTH_TOKEN` environment variable to their token value.
+- `credential`: Credential tag to use for this user. ==Required== when `credentials` is set.
 
 #### headers
 
@@ -78,29 +171,93 @@ These headers will override any existing headers with the same name.
 
 Outbound tag for connecting to the Claude API.
 
+Conflict with `credentials`. In multi-credential mode, use `detour` on individual default credentials.
+
 #### tls
 
 TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
 
 ### Example
 
+#### Server
+
 ```json
 {
   "services": [
     {
       "type": "ccm",
-      "listen": "127.0.0.1",
-      "listen_port": 8080
+      "listen": "0.0.0.0",
+      "listen_port": 8080,
+      "usages_path": "./claude-usages.json",
+      "users": [
+        {
+          "name": "alice",
+          "token": "ak-ccm-hello-world"
+        },
+        {
+          "name": "bob",
+          "token": "ak-ccm-hello-bob"
+        }
+      ]
     }
   ]
 }
 ```
 
-Connect to the CCM service:
+#### Client
 
 ```bash
 export ANTHROPIC_BASE_URL="http://127.0.0.1:8080"
-export ANTHROPIC_AUTH_TOKEN="sk-ant-ccm-auth-token-not-required-in-this-context"
+export ANTHROPIC_AUTH_TOKEN="ak-ccm-hello-world"
 
 claude
 ```
+
+### Example with Multiple Credentials
+
+#### Server
+
+```json
+{
+  "services": [
+    {
+      "type": "ccm",
+      "listen": "0.0.0.0",
+      "listen_port": 8080,
+      "credentials": [
+        {
+          "tag": "a",
+          "credential_path": "/home/user/.claude-a/.credentials.json",
+          "usages_path": "/data/usages-a.json",
+          "reserve_5h": 20,
+          "reserve_weekly": 20
+        },
+        {
+          "tag": "b",
+          "credential_path": "/home/user/.claude-b/.credentials.json",
+          "reserve_5h": 10,
+          "reserve_weekly": 10
+        },
+        {
+          "tag": "pool",
+          "type": "balancer",
+          "poll_interval": "60s",
+          "credentials": ["a", "b"]
+        }
+      ],
+      "users": [
+        {
+          "name": "alice",
+          "token": "ak-ccm-hello-world",
+          "credential": "pool"
+        },
+        {
+          "name": "bob",
+          "token": "ak-ccm-hello-bob",
+          "credential": "a"
+        }
+      ]
+    }
+  ]
+}
+```

docs/configuration/service/ccm.zh.md

@@ -10,6 +10,11 @@ CCM（Claude Code 多路复用器）服务是一个多路复用服务，允许
 
 它在本地机器上处理与 Claude API 的 OAuth 身份验证，同时允许远程 Claude Code 通过 `ANTHROPIC_AUTH_TOKEN` 环境变量使用认证令牌进行身份验证。
 
+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [credentials](#credentials)  
+    :material-alert: [users](#users)
+
 ### 结构
 
 ```json
@@ -19,6 +24,7 @@ CCM（Claude Code 多路复用器）服务是一个多路复用服务，允许
   ... // 监听字段
 
   "credential_path": "",
+  "credentials": [],
   "usages_path": "",
   "users": [],
   "headers": {},
@@ -45,6 +51,77 @@ Claude Code OAuth 凭据文件的路径。
 
 刷新的令牌会自动写回相同位置。
 
+当 `credential_path` 指向文件时，即使文件尚不存在，服务也可以启动。文件被创建或更新后，凭据会自动变为可用；如果文件之后被删除或变为无效，该凭据会立即变为不可用。
+
+在 macOS 上如果未显式设置 `credential_path`，不会监听钥匙串变化。自动重载只作用于凭据文件路径。
+
+与 `credentials` 冲突。
+
+#### credentials
+
+!!! question "自 sing-box 1.14.0 起"
+
+多凭据模式的凭据配置列表。
+
+设置后，顶层 `credential_path`、`usages_path` 和 `detour` 被禁止。每个用户必须指定 `credential` 标签。
+
+每个凭据有一个 `type` 字段（`default`、`balancer` 或 `fallback`）和一个必填的 `tag` 字段。
+
+##### 默认凭据
+
+```json
+{
+  "tag": "a",
+  "credential_path": "/path/to/.credentials.json",
+  "usages_path": "/path/to/usages.json",
+  "detour": "",
+  "reserve_5h": 20,
+  "reserve_weekly": 20
+}
+```
+
+单个 OAuth 凭据文件。`type` 字段可以省略（默认为 `default`）。即使文件尚不存在，服务也可以启动，并会自动重载文件更新。
+
+- `credential_path`：凭据文件的路径。默认值与顶层 `credential_path` 相同。
+- `usages_path`：此凭据的可选使用跟踪文件。
+- `detour`：此凭据用于连接 Claude API 的出站标签。
+- `reserve_5h`：5 小时窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
+- `reserve_weekly`：每周窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
+
+##### 均衡凭据
+
+```json
+{
+  "tag": "pool",
+  "type": "balancer",
+  "strategy": "",
+  "credentials": ["a", "b"],
+  "poll_interval": "60s"
+}
+```
+
+根据选择的策略将会话分配给默认凭据。会话保持粘性，直到分配的凭据触发速率限制。
+
+- `strategy`：选择策略。可选值：`least_used` `round_robin` `random`。默认使用 `least_used`。
+- `credentials`：==必填== 默认凭据标签列表。
+- `poll_interval`：轮询上游使用 API 的间隔。默认 `60s`。
+
+##### 回退凭据
+
+```json
+{
+  "tag": "backup",
+  "type": "fallback",
+  "credentials": ["a", "b"],
+  "poll_interval": "30s"
+}
+```
+
+按顺序使用凭据。当前凭据耗尽后切换到下一个。
+
+- `credentials`：==必填== 有序的默认凭据标签列表。
+- `poll_interval`：轮询上游使用 API 的间隔。默认 `60s`。
+
 #### usages_path
 
 用于存储聚合 API 使用统计信息的文件路径。
@@ -60,13 +137,29 @@ Claude Code OAuth 凭据文件的路径。
 
 统计文件每分钟自动保存一次，并在服务关闭时保存。
 
+与 `credentials` 冲突。在多凭据模式下，在各个默认凭据上使用 `usages_path`。
+
 #### users
 
 用于令牌身份验证的授权用户列表。
 
 如果为空，则不需要身份验证。
 
-Claude Code 通过设置 `ANTHROPIC_AUTH_TOKEN` 环境变量为其令牌值进行身份验证。
+对象格式：
+
+```json
+{
+  "name": "",
+  "token": "",
+  "credential": ""
+}
+```
+
+对象字段：
+
+- `name`：用于跟踪的用户名标识符。
+- `token`：用于身份验证的 Bearer 令牌。Claude Code 通过设置 `ANTHROPIC_AUTH_TOKEN` 环境变量为其令牌值进行身份验证。
+- `credential`：此用户使用的凭据标签。设置 `credentials` 时==必填==。
 
 #### headers
 
@@ -78,29 +171,93 @@ Claude Code 通过设置 `ANTHROPIC_AUTH_TOKEN` 环境变量为其令牌值进
 
 用于连接 Claude API 的出站标签。
 
+与 `credentials` 冲突。在多凭据模式下，在各个默认凭据上使用 `detour`。
+
 #### tls
 
 TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 
 ### 示例
 
+#### 服务端
+
 ```json
 {
   "services": [
     {
       "type": "ccm",
-      "listen": "127.0.0.1",
-      "listen_port": 8080
+      "listen": "0.0.0.0",
+      "listen_port": 8080,
+      "usages_path": "./claude-usages.json",
+      "users": [
+        {
+          "name": "alice",
+          "token": "ak-ccm-hello-world"
+        },
+        {
+          "name": "bob",
+          "token": "ak-ccm-hello-bob"
+        }
+      ]
     }
   ]
 }
 ```
 
-连接到 CCM 服务：
+#### 客户端
 
 ```bash
 export ANTHROPIC_BASE_URL="http://127.0.0.1:8080"
-export ANTHROPIC_AUTH_TOKEN="sk-ant-ccm-auth-token-not-required-in-this-context"
+export ANTHROPIC_AUTH_TOKEN="ak-ccm-hello-world"
 
 claude
 ```
+
+### 多凭据示例
+
+#### 服务端
+
+```json
+{
+  "services": [
+    {
+      "type": "ccm",
+      "listen": "0.0.0.0",
+      "listen_port": 8080,
+      "credentials": [
+        {
+          "tag": "a",
+          "credential_path": "/home/user/.claude-a/.credentials.json",
+          "usages_path": "/data/usages-a.json",
+          "reserve_5h": 20,
+          "reserve_weekly": 20
+        },
+        {
+          "tag": "b",
+          "credential_path": "/home/user/.claude-b/.credentials.json",
+          "reserve_5h": 10,
+          "reserve_weekly": 10
+        },
+        {
+          "tag": "pool",
+          "type": "balancer",
+          "poll_interval": "60s",
+          "credentials": ["a", "b"]
+        }
+      ],
+      "users": [
+        {
+          "name": "alice",
+          "token": "ak-ccm-hello-world",
+          "credential": "pool"
+        },
+        {
+          "name": "bob",
+          "token": "ak-ccm-hello-bob",
+          "credential": "a"
+        }
+      ]
+    }
+  ]
+}
+```

docs/configuration/service/ocm.md

@@ -10,6 +10,11 @@ OCM (OpenAI Codex Multiplexer) service is a multiplexing service that allows you
 
 It handles OAuth authentication with OpenAI's API on your local machine while allowing remote clients to authenticate using custom tokens.
 
+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [credentials](#credentials)  
+    :material-alert: [users](#users)
+
 ### Structure
 
 ```json
@@ -19,6 +24,7 @@ It handles OAuth authentication with OpenAI's API on your local machine while al
   ... // Listen Fields
 
   "credential_path": "",
+  "credentials": [],
   "usages_path": "",
   "users": [],
   "headers": {},
@@ -37,10 +43,81 @@ See [Listen Fields](/configuration/shared/listen/) for details.
 
 Path to the OpenAI OAuth credentials file.
 
-If not specified, defaults to `~/.codex/auth.json`.
+If not specified, defaults to:
+- `$CODEX_HOME/auth.json` if `CODEX_HOME` environment variable is set
+- `~/.codex/auth.json` otherwise
 
 Refreshed tokens are automatically written back to the same location.
 
+When `credential_path` points to a file, the service can start before the file exists. The credential becomes available automatically after the file is created or updated, and becomes unavailable immediately if the file is later removed or becomes invalid.
+
+Conflict with `credentials`.
+
+#### credentials
+
+!!! question "Since sing-box 1.14.0"
+
+List of credential configurations for multi-credential mode.
+
+When set, top-level `credential_path`, `usages_path`, and `detour` are forbidden. Each user must specify a `credential` tag.
+
+Each credential has a `type` field (`default`, `balancer`, or `fallback`) and a required `tag` field.
+
+##### Default Credential
+
+```json
+{
+  "tag": "a",
+  "credential_path": "/path/to/auth.json",
+  "usages_path": "/path/to/usages.json",
+  "detour": "",
+  "reserve_5h": 20,
+  "reserve_weekly": 20
+}
+```
+
+A single OAuth credential file. The `type` field can be omitted (defaults to `default`). The service can start before the file exists, and reloads file updates automatically.
+
+- `credential_path`: Path to the credentials file. Same defaults as top-level `credential_path`.
+- `usages_path`: Optional usage tracking file for this credential.
+- `detour`: Outbound tag for connecting to the OpenAI API with this credential.
+- `reserve_5h`: Reserve threshold (1-99) for primary rate limit window. Credential pauses at (100-N)% utilization.
+- `reserve_weekly`: Reserve threshold (1-99) for secondary (weekly) rate limit window. Credential pauses at (100-N)% utilization.
+
+##### Balancer Credential
+
+```json
+{
+  "tag": "pool",
+  "type": "balancer",
+  "strategy": "",
+  "credentials": ["a", "b"],
+  "poll_interval": "60s"
+}
+```
+
+Assigns sessions to default credentials based on the selected strategy. Sessions are sticky until the assigned credential hits a rate limit.
+
+- `strategy`: Selection strategy. One of `least_used` `round_robin` `random`. `least_used` will be used by default.
+- `credentials`: ==Required== List of default credential tags.
+- `poll_interval`: How often to poll upstream usage API. Default `60s`.
+
+##### Fallback Credential
+
+```json
+{
+  "tag": "backup",
+  "type": "fallback",
+  "credentials": ["a", "b"],
+  "poll_interval": "30s"
+}
+```
+
+Uses credentials in order. Falls through to the next when the current one is exhausted.
+
+- `credentials`: ==Required== Ordered list of default credential tags.
+- `poll_interval`: How often to poll upstream usage API. Default `60s`.
+
 #### usages_path
 
 Path to the file for storing aggregated API usage statistics.
@@ -56,6 +133,8 @@ Statistics are organized by model and optionally by user when authentication is
 
 The statistics file is automatically saved every minute and upon service shutdown.
 
+Conflict with `credentials`. In multi-credential mode, use `usages_path` on individual default credentials.
+
 #### users
 
 List of authorized users for token authentication.
@@ -67,7 +146,8 @@ Object format:
 ```json
 {
   "name": "",
-  "token": ""
+  "token": "",
+  "credential": ""
 }
 ```
 
@@ -75,6 +155,7 @@ Object fields:
 
 - `name`: Username identifier for tracking purposes.
 - `token`: Bearer token for authentication. Clients authenticate by setting the `Authorization: Bearer <token>` header.
+- `credential`: Credential tag to use for this user. ==Required== when `credentials` is set.
 
 #### headers
 
@@ -86,6 +167,8 @@ These headers will override any existing headers with the same name.
 
 Outbound tag for connecting to the OpenAI API.
 
+Conflict with `credentials`. In multi-credential mode, use `detour` on individual default credentials.
+
 #### tls
 
 TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
@@ -111,17 +194,23 @@ TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
 Add to `~/.codex/config.toml`:
 
 ```toml
+# profile = "ocm"                # set as default profile
+
 [model_providers.ocm]
 name = "OCM Proxy"
 base_url = "http://127.0.0.1:8080/v1"
-wire_api = "responses"
-requires_openai_auth = false
+supports_websockets = true
+
+[profiles.ocm]
+model_provider = "ocm"
+# model = "gpt-5.4"              # if the latest model is not yet publicly released
+# model_reasoning_effort = "xhigh"
 ```
 
 Then run:
 
 ```bash
-codex --model-provider ocm
+codex --profile ocm
 ```
 
 ### Example with Authentication
@@ -139,11 +228,11 @@ codex --model-provider ocm
       "users": [
         {
           "name": "alice",
-          "token": "sk-alice-secret-token"
+          "token": "sk-ocm-hello-world"
         },
         {
           "name": "bob",
-          "token": "sk-bob-secret-token"
+          "token": "sk-ocm-hello-bob"
         }
       ]
     }
@@ -156,16 +245,71 @@ codex --model-provider ocm
 Add to `~/.codex/config.toml`:
 
 ```toml
+# profile = "ocm"                # set as default profile
+
 [model_providers.ocm]
 name = "OCM Proxy"
 base_url = "http://127.0.0.1:8080/v1"
-wire_api = "responses"
-requires_openai_auth = false
-experimental_bearer_token = "sk-alice-secret-token"
+supports_websockets = true
+experimental_bearer_token = "sk-ocm-hello-world"
+
+[profiles.ocm]
+model_provider = "ocm"
+# model = "gpt-5.4"              # if the latest model is not yet publicly released
+# model_reasoning_effort = "xhigh"
 ```
 
 Then run:
 
 ```bash
-codex --model-provider ocm
+codex --profile ocm
+```
+
+### Example with Multiple Credentials
+
+#### Server
+
+```json
+{
+  "services": [
+    {
+      "type": "ocm",
+      "listen": "0.0.0.0",
+      "listen_port": 8080,
+      "credentials": [
+        {
+          "tag": "a",
+          "credential_path": "/home/user/.codex-a/auth.json",
+          "usages_path": "/data/usages-a.json",
+          "reserve_5h": 20,
+          "reserve_weekly": 20
+        },
+        {
+          "tag": "b",
+          "credential_path": "/home/user/.codex-b/auth.json",
+          "reserve_5h": 10,
+          "reserve_weekly": 10
+        },
+        {
+          "tag": "pool",
+          "type": "balancer",
+          "poll_interval": "60s",
+          "credentials": ["a", "b"]
+        }
+      ],
+      "users": [
+        {
+          "name": "alice",
+          "token": "sk-ocm-hello-world",
+          "credential": "pool"
+        },
+        {
+          "name": "bob",
+          "token": "sk-ocm-hello-bob",
+          "credential": "a"
+        }
+      ]
+    }
+  ]
+}
 ```

docs/configuration/service/ocm.zh.md

@@ -10,6 +10,11 @@ OCM（OpenAI Codex 多路复用器）服务是一个多路复用服务，允许
 
 它在本地机器上处理与 OpenAI API 的 OAuth 身份验证，同时允许远程客户端使用自定义令牌进行身份验证。
 
+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [credentials](#credentials)  
+    :material-alert: [users](#users)
+
 ### 结构
 
 ```json
@@ -19,6 +24,7 @@ OCM（OpenAI Codex 多路复用器）服务是一个多路复用服务，允许
   ... // 监听字段
 
   "credential_path": "",
+  "credentials": [],
   "usages_path": "",
   "users": [],
   "headers": {},
@@ -37,10 +43,81 @@ OCM（OpenAI Codex 多路复用器）服务是一个多路复用服务，允许
 
 OpenAI OAuth 凭据文件的路径。
 
-如果未指定，默认值为 `~/.codex/auth.json`。
+如果未指定，默认值为：
+- 如果设置了 `CODEX_HOME` 环境变量，则使用 `$CODEX_HOME/auth.json`
+- 否则使用 `~/.codex/auth.json`
 
 刷新的令牌会自动写回相同位置。
 
+当 `credential_path` 指向文件时，即使文件尚不存在，服务也可以启动。文件被创建或更新后，凭据会自动变为可用；如果文件之后被删除或变为无效，该凭据会立即变为不可用。
+
+与 `credentials` 冲突。
+
+#### credentials
+
+!!! question "自 sing-box 1.14.0 起"
+
+多凭据模式的凭据配置列表。
+
+设置后，顶层 `credential_path`、`usages_path` 和 `detour` 被禁止。每个用户必须指定 `credential` 标签。
+
+每个凭据有一个 `type` 字段（`default`、`balancer` 或 `fallback`）和一个必填的 `tag` 字段。
+
+##### 默认凭据
+
+```json
+{
+  "tag": "a",
+  "credential_path": "/path/to/auth.json",
+  "usages_path": "/path/to/usages.json",
+  "detour": "",
+  "reserve_5h": 20,
+  "reserve_weekly": 20
+}
+```
+
+单个 OAuth 凭据文件。`type` 字段可以省略（默认为 `default`）。即使文件尚不存在，服务也可以启动，并会自动重载文件更新。
+
+- `credential_path`：凭据文件的路径。默认值与顶层 `credential_path` 相同。
+- `usages_path`：此凭据的可选使用跟踪文件。
+- `detour`：此凭据用于连接 OpenAI API 的出站标签。
+- `reserve_5h`：主要速率限制窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
+- `reserve_weekly`：次要（每周）速率限制窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
+
+##### 均衡凭据
+
+```json
+{
+  "tag": "pool",
+  "type": "balancer",
+  "strategy": "",
+  "credentials": ["a", "b"],
+  "poll_interval": "60s"
+}
+```
+
+根据选择的策略将会话分配给默认凭据。会话保持粘性，直到分配的凭据触发速率限制。
+
+- `strategy`：选择策略。可选值：`least_used` `round_robin` `random`。默认使用 `least_used`。
+- `credentials`：==必填== 默认凭据标签列表。
+- `poll_interval`：轮询上游使用 API 的间隔。默认 `60s`。
+
+##### 回退凭据
+
+```json
+{
+  "tag": "backup",
+  "type": "fallback",
+  "credentials": ["a", "b"],
+  "poll_interval": "30s"
+}
+```
+
+按顺序使用凭据。当前凭据耗尽后切换到下一个。
+
+- `credentials`：==必填== 有序的默认凭据标签列表。
+- `poll_interval`：轮询上游使用 API 的间隔。默认 `60s`。
+
 #### usages_path
 
 用于存储聚合 API 使用统计信息的文件路径。
@@ -56,6 +133,8 @@ OpenAI OAuth 凭据文件的路径。
 
 统计文件每分钟自动保存一次，并在服务关闭时保存。
 
+与 `credentials` 冲突。在多凭据模式下，在各个默认凭据上使用 `usages_path`。
+
 #### users
 
 用于令牌身份验证的授权用户列表。
@@ -67,7 +146,8 @@ OpenAI OAuth 凭据文件的路径。
 ```json
 {
   "name": "",
-  "token": ""
+  "token": "",
+  "credential": ""
 }
 ```
 
@@ -75,6 +155,7 @@ OpenAI OAuth 凭据文件的路径。
 
 - `name`：用于跟踪的用户名标识符。
 - `token`：用于身份验证的 Bearer 令牌。客户端通过设置 `Authorization: Bearer <token>` 头进行身份验证。
+- `credential`：此用户使用的凭据标签。设置 `credentials` 时==必填==。
 
 #### headers
 
@@ -86,6 +167,8 @@ OpenAI OAuth 凭据文件的路径。
 
 用于连接 OpenAI API 的出站标签。
 
+与 `credentials` 冲突。在多凭据模式下，在各个默认凭据上使用 `detour`。
+
 #### tls
 
 TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
@@ -111,17 +194,24 @@ TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 在 `~/.codex/config.toml` 中添加：
 
 ```toml
+# profile = "ocm"                # 设为默认配置
+
+
 [model_providers.ocm]
 name = "OCM Proxy"
 base_url = "http://127.0.0.1:8080/v1"
-wire_api = "responses"
-requires_openai_auth = false
+supports_websockets = true
+
+[profiles.ocm]
+model_provider = "ocm"
+# model = "gpt-5.4"              # 如果最新模型尚未公开发布
+# model_reasoning_effort = "xhigh"
 ```
 
 然后运行：
 
 ```bash
-codex --model-provider ocm
+codex --profile ocm
 ```
 
 ### 带身份验证的示例
@@ -139,11 +229,11 @@ codex --model-provider ocm
       "users": [
         {
           "name": "alice",
-          "token": "sk-alice-secret-token"
+          "token": "sk-ocm-hello-world"
         },
         {
           "name": "bob",
-          "token": "sk-bob-secret-token"
+          "token": "sk-ocm-hello-bob"
         }
       ]
     }
@@ -156,16 +246,71 @@ codex --model-provider ocm
 在 `~/.codex/config.toml` 中添加：
 
 ```toml
+# profile = "ocm"                # 设为默认配置
+
 [model_providers.ocm]
 name = "OCM Proxy"
 base_url = "http://127.0.0.1:8080/v1"
-wire_api = "responses"
-requires_openai_auth = false
-experimental_bearer_token = "sk-alice-secret-token"
+supports_websockets = true
+experimental_bearer_token = "sk-ocm-hello-world"
+
+[profiles.ocm]
+model_provider = "ocm"
+# model = "gpt-5.4"              # 如果最新模型尚未公开发布
+# model_reasoning_effort = "xhigh"
 ```
 
 然后运行：
 
 ```bash
-codex --model-provider ocm
+codex --profile ocm
+```
+
+### 多凭据示例
+
+#### 服务端
+
+```json
+{
+  "services": [
+    {
+      "type": "ocm",
+      "listen": "0.0.0.0",
+      "listen_port": 8080,
+      "credentials": [
+        {
+          "tag": "a",
+          "credential_path": "/home/user/.codex-a/auth.json",
+          "usages_path": "/data/usages-a.json",
+          "reserve_5h": 20,
+          "reserve_weekly": 20
+        },
+        {
+          "tag": "b",
+          "credential_path": "/home/user/.codex-b/auth.json",
+          "reserve_5h": 10,
+          "reserve_weekly": 10
+        },
+        {
+          "tag": "pool",
+          "type": "balancer",
+          "poll_interval": "60s",
+          "credentials": ["a", "b"]
+        }
+      ],
+      "users": [
+        {
+          "name": "alice",
+          "token": "sk-ocm-hello-world",
+          "credential": "pool"
+        },
+        {
+          "name": "bob",
+          "token": "sk-ocm-hello-bob",
+          "credential": "a"
+        }
+      ]
+    }
+  ]
+}
 ```

docs/configuration/shared/neighbor.md

@@ -0,0 +1,49 @@
+---
+icon: material/lan
+---
+
+# Neighbor Resolution
+
+Match LAN devices by MAC address and hostname using
+[`source_mac_address`](/configuration/route/rule/#source_mac_address) and
+[`source_hostname`](/configuration/route/rule/#source_hostname) rule items.
+
+Neighbor resolution is automatically enabled when these rule items exist.
+Use [`route.find_neighbor`](/configuration/route/#find_neighbor) to force enable it for logging without rules.
+
+## Linux
+
+Works natively. No special setup required.
+
+Hostname resolution requires DHCP lease files,
+automatically detected from common DHCP servers (dnsmasq, odhcpd, ISC dhcpd, Kea).
+Custom paths can be set via [`route.dhcp_lease_files`](/configuration/route/#dhcp_lease_files).
+
+## Android
+
+!!! quote ""
+
+    Only supported in graphical clients.
+
+Requires Android 11 or above and ROOT.
+
+Must use [VPNHotspot](https://github.com/Mygod/VPNHotspot) to share the VPN connection.
+ROM built-in features like "Use VPN for connected devices" can share VPN
+but cannot provide MAC address or hostname information.
+
+Set **IP Masquerade Mode** to **None** in VPNHotspot settings.
+
+Only route/DNS rules are supported. TUN include/exclude routes are not supported.
+
+### Hostname Visibility
+
+Hostname is only visible in sing-box if it is visible in VPNHotspot.
+For Apple devices, change **Private Wi-Fi Address** from **Rotating** to **Fixed** in the Wi-Fi settings
+of the connected network. Non-Apple devices are always visible.
+
+## macOS
+
+Requires the standalone version (macOS system extension).
+The App Store version can share the VPN as a hotspot but does not support MAC address or hostname reading.
+
+See [VPN Hotspot](/manual/misc/vpn-hotspot/#macos) for Internet Sharing setup.

docs/configuration/shared/neighbor.zh.md

@@ -0,0 +1,49 @@
+---
+icon: material/lan
+---
+
+# 邻居解析
+
+通过
+[`source_mac_address`](/configuration/route/rule/#source_mac_address) 和
+[`source_hostname`](/configuration/route/rule/#source_hostname) 规则项匹配局域网设备的 MAC 地址和主机名。
+
+当这些规则项存在时，邻居解析自动启用。
+使用 [`route.find_neighbor`](/configuration/route/#find_neighbor) 可在没有规则时强制启用以输出日志。
+
+## Linux
+
+原生支持，无需特殊设置。
+
+主机名解析需要 DHCP 租约文件，
+自动从常见 DHCP 服务器（dnsmasq、odhcpd、ISC dhcpd、Kea）检测。
+可通过 [`route.dhcp_lease_files`](/configuration/route/#dhcp_lease_files) 设置自定义路径。
+
+## Android
+
+!!! quote ""
+
+    仅在图形客户端中支持。
+
+需要 Android 11 或以上版本和 ROOT。
+
+必须使用 [VPNHotspot](https://github.com/Mygod/VPNHotspot) 共享 VPN 连接。
+ROM 自带的「通过 VPN 共享连接」等功能可以共享 VPN，
+但无法提供 MAC 地址或主机名信息。
+
+在 VPNHotspot 设置中将 **IP 遮掩模式** 设为 **无**。
+
+仅支持路由/DNS 规则。不支持 TUN 的 include/exclude 路由。
+
+### 设备可见性
+
+MAC 地址和主机名仅在 VPNHotspot 中可见时 sing-box 才能读取。
+对于 Apple 设备，需要在所连接网络的 Wi-Fi 设置中将**私有无线局域网地址**从**轮替**改为**固定**。
+非 Apple 设备始终可见。
+
+## macOS
+
+需要独立版本（macOS 系统扩展）。
+App Store 版本可以共享 VPN 热点但不支持 MAC 地址或主机名读取。
+
+参阅 [VPN 热点](/manual/misc/vpn-hotspot/#macos) 了解互联网共享设置。

docs/installation/build-from-source.md

@@ -92,14 +92,14 @@ NaiveProxy outbound requires special build configurations depending on your targ
 
 ### Supported Platforms
 
-| Platform        | Architectures          | Mode   | Requirements                                      |
-|-----------------|------------------------|--------|---------------------------------------------------|
-| Linux           | amd64, arm64           | purego | None (library included in official releases)      |
-| Linux           | 386, amd64, arm, arm64 | CGO    | Chromium toolchain, glibc >= 2.31 at runtime      |
-| Linux (musl)    | 386, amd64, arm, arm64 | CGO    | Chromium toolchain                                |
-| Windows         | amd64, arm64           | purego | None (library included in official releases)      |
-| Apple platforms | *                      | CGO    | Xcode                                             |
-| Android         | *                      | CGO    | Android NDK                                       |
+| Platform        | Architectures                                          | Mode   | Requirements                                                    |
+|-----------------|--------------------------------------------------------|--------|-----------------------------------------------------------------|
+| Linux           | amd64, arm64                                           | purego | None (library included in official releases)                    |
+| Linux           | 386, amd64, arm, arm64, mipsle, mips64le, riscv64, loong64 | CGO    | Chromium toolchain, glibc >= 2.31 (loong64: >= 2.36) at runtime |
+| Linux (musl)    | 386, amd64, arm, arm64, mipsle, riscv64, loong64       | CGO    | Chromium toolchain                                              |
+| Windows         | amd64, arm64                                           | purego | None (library included in official releases)                    |
+| Apple platforms | *                                                      | CGO    | Xcode                                                           |
+| Android         | *                                                      | CGO    | Android NDK                                                     |
 
 ### Windows
 

docs/installation/build-from-source.zh.md

@@ -96,14 +96,14 @@ NaiveProxy 出站需要根据目标平台进行特殊的构建配置。
 
 ### 支持的平台
 
-| 平台            | 架构                     | 模式     | 要求                             |
-|---------------|------------------------|--------|--------------------------------|
-| Linux         | amd64, arm64           | purego | 无（官方发布版本已包含库文件）                |
-| Linux         | 386, amd64, arm, arm64 | CGO    | Chromium 工具链，运行时需要 glibc >= 2.31 |
-| Linux (musl)  | 386, amd64, arm, arm64 | CGO    | Chromium 工具链                   |
-| Windows       | amd64, arm64           | purego | 无（官方发布版本已包含库文件）                |
-| Apple 平台      | *                      | CGO    | Xcode                          |
-| Android       | *                      | CGO    | Android NDK                    |
+| 平台           | 架构                                                       | 模式     | 要求                                                  |
+|--------------|----------------------------------------------------------|--------|-----------------------------------------------------|
+| Linux        | amd64, arm64                                             | purego | 无（官方发布版本已包含库文件）                                     |
+| Linux        | 386, amd64, arm, arm64, mipsle, mips64le, riscv64, loong64 | CGO    | Chromium 工具链，运行时需要 glibc >= 2.31（loong64: >= 2.36） |
+| Linux (musl) | 386, amd64, arm, arm64, mipsle, riscv64, loong64          | CGO    | Chromium 工具链                                        |
+| Windows      | amd64, arm64                                             | purego | 无（官方发布版本已包含库文件）                                     |
+| Apple 平台     | *                                                        | CGO    | Xcode                                               |
+| Android      | *                                                        | CGO    | Android NDK                                          |
 
 ### Windows
 

docs/installation/tools/install.sh

@@ -47,6 +47,17 @@ elif command -v rpm >/dev/null 2>&1; then
   arch=$(uname -m)
   package_suffix=".rpm"
   package_install="rpm -i"
+elif command -v apk >/dev/null 2>&1 && [ -f /etc/os-release ] && grep -q OPENWRT_ARCH /etc/os-release; then
+  os="openwrt"
+  . /etc/os-release
+  arch="$OPENWRT_ARCH"
+  package_suffix=".apk"
+  package_install="apk add --allow-untrusted"
+elif command -v apk >/dev/null 2>&1; then
+  os="linux"
+  arch=$(apk --print-arch)
+  package_suffix=".apk"
+  package_install="apk add --allow-untrusted"
 elif command -v opkg >/dev/null 2>&1; then
   os="openwrt"
   . /etc/os-release

experimental/clashapi/api_meta.go

@@ -2,6 +2,7 @@ package clashapi
 
 import (
 	"bytes"
+	"context"
 	"net"
 	"net/http"
 	"runtime/debug"
@@ -27,7 +28,7 @@ func (s *Server) setupMetaAPI(r chi.Router) {
 		})
 		r.Mount("/", middleware.Profiler())
 	}
-	r.Get("/memory", memory(s.trafficManager))
+	r.Get("/memory", memory(s.ctx, s.trafficManager))
 	r.Mount("/group", groupRouter(s))
 	r.Mount("/upgrade", upgradeRouter(s))
 }
@@ -37,7 +38,7 @@ type Memory struct {
 	OSLimit uint64 `json:"oslimit"` // maybe we need it in the future
 }
 
-func memory(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
+func memory(ctx context.Context, trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var conn net.Conn
 		if r.Header.Get("Upgrade") == "websocket" {
@@ -46,6 +47,7 @@ func memory(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r
 			if err != nil {
 				return
 			}
+			defer conn.Close()
 		}
 
 		if conn == nil {
@@ -58,7 +60,12 @@ func memory(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r
 		buf := &bytes.Buffer{}
 		var err error
 		first := true
-		for range tick.C {
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-tick.C:
+			}
 			buf.Reset()
 
 			inuse := trafficManager.Snapshot().Memory

experimental/clashapi/connections.go

@@ -38,6 +38,7 @@ func getConnections(ctx context.Context, trafficManager *trafficontrol.Manager)
 		if err != nil {
 			return
 		}
+		defer conn.Close()
 
 		intervalStr := r.URL.Query().Get("interval")
 		interval := 1000

experimental/clashapi/server.go

@@ -115,7 +115,7 @@ func NewServer(ctx context.Context, logFactory log.ObservableFactory, options op
 	chiRouter.Group(func(r chi.Router) {
 		r.Use(authentication(options.Secret))
 		r.Get("/", hello(options.ExternalUI != ""))
-		r.Get("/logs", getLogs(logFactory))
+		r.Get("/logs", getLogs(s.ctx, logFactory))
 		r.Get("/traffic", traffic(s.ctx, trafficManager))
 		r.Get("/version", version)
 		r.Mount("/configs", configRouter(s, logFactory))
@@ -360,7 +360,7 @@ type Log struct {
 	Payload string `json:"payload"`
 }
 
-func getLogs(logFactory log.ObservableFactory) func(w http.ResponseWriter, r *http.Request) {
+func getLogs(ctx context.Context, logFactory log.ObservableFactory) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		levelText := r.URL.Query().Get("level")
 		if levelText == "" {
@@ -399,6 +399,8 @@ func getLogs(logFactory log.ObservableFactory) func(w http.ResponseWriter, r *ht
 		var logEntry log.Entry
 		for {
 			select {
+			case <-ctx.Done():
+				return
 			case <-done:
 				return
 			case logEntry = <-subscription:

experimental/libbox/config.go

@@ -144,6 +144,18 @@ func (s *platformInterfaceStub) SendNotification(notification *adapter.Notificat
 	return nil
 }
 
+func (s *platformInterfaceStub) UsePlatformNeighborResolver() bool {
+	return false
+}
+
+func (s *platformInterfaceStub) StartNeighborMonitor(listener adapter.NeighborUpdateListener) error {
+	return os.ErrInvalid
+}
+
+func (s *platformInterfaceStub) CloseNeighborMonitor(listener adapter.NeighborUpdateListener) error {
+	return nil
+}
+
 func (s *platformInterfaceStub) UsePlatformLocalDNSTransport() bool {
 	return false
 }

experimental/libbox/fdroid.go

@@ -0,0 +1,493 @@
+package libbox
+
+import (
+	"archive/zip"
+	"bytes"
+	"crypto/tls"
+	"encoding/json"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"path/filepath"
+	"sort"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+const fdroidUserAgent = "F-Droid 1.21.1"
+
+type FDroidUpdateInfo struct {
+	VersionCode int32
+	VersionName string
+	DownloadURL string
+	FileSize    int64
+	FileSHA256  string
+}
+
+type FDroidPingResult struct {
+	URL       string
+	LatencyMs int32
+	Error     string
+}
+
+type FDroidPingResultIterator interface {
+	Len() int32
+	HasNext() bool
+	Next() *FDroidPingResult
+}
+
+type fdroidAPIResponse struct {
+	PackageName          string             `json:"packageName"`
+	SuggestedVersionCode int32              `json:"suggestedVersionCode"`
+	Packages             []fdroidAPIPackage `json:"packages"`
+}
+
+type fdroidAPIPackage struct {
+	VersionName string `json:"versionName"`
+	VersionCode int32  `json:"versionCode"`
+}
+
+type fdroidEntry struct {
+	Timestamp int64                      `json:"timestamp"`
+	Version   int                        `json:"version"`
+	Index     fdroidEntryFile            `json:"index"`
+	Diffs     map[string]fdroidEntryFile `json:"diffs"`
+}
+
+type fdroidEntryFile struct {
+	Name        string `json:"name"`
+	SHA256      string `json:"sha256"`
+	Size        int64  `json:"size"`
+	NumPackages int    `json:"numPackages"`
+}
+
+type fdroidIndexV2 struct {
+	Packages map[string]fdroidV2Package `json:"packages"`
+}
+
+type fdroidV2Package struct {
+	Versions map[string]fdroidV2Version `json:"versions"`
+}
+
+type fdroidV2Version struct {
+	Manifest fdroidV2Manifest `json:"manifest"`
+	File     fdroidV2File     `json:"file"`
+}
+
+type fdroidV2Manifest struct {
+	VersionCode int32  `json:"versionCode"`
+	VersionName string `json:"versionName"`
+}
+
+type fdroidV2File struct {
+	Name   string `json:"name"`
+	SHA256 string `json:"sha256"`
+	Size   int64  `json:"size"`
+}
+
+type fdroidIndexV1 struct {
+	Packages map[string][]fdroidV1Package `json:"packages"`
+}
+
+type fdroidV1Package struct {
+	VersionCode int32  `json:"versionCode"`
+	VersionName string `json:"versionName"`
+	ApkName     string `json:"apkName"`
+	Size        int64  `json:"size"`
+	Hash        string `json:"hash"`
+	HashType    string `json:"hashType"`
+}
+
+type fdroidCache struct {
+	MirrorURL string `json:"mirrorURL"`
+	Timestamp int64  `json:"timestamp"`
+	ETag      string `json:"etag"`
+	IsV1      bool   `json:"isV1,omitempty"`
+}
+
+func CheckFDroidUpdate(mirrorURL, packageName string, currentVersionCode int32, cachePath string) (*FDroidUpdateInfo, error) {
+	mirrorURL = strings.TrimRight(mirrorURL, "/")
+	if strings.Contains(mirrorURL, "f-droid.org") {
+		return checkFDroidAPI(mirrorURL, packageName, currentVersionCode)
+	}
+	client := newFDroidHTTPClient()
+	defer client.CloseIdleConnections()
+	cache := loadFDroidCache(cachePath, mirrorURL)
+	if cache != nil && cache.IsV1 {
+		return checkFDroidV1(client, mirrorURL, packageName, currentVersionCode, cachePath, cache)
+	}
+	return checkFDroidV2(client, mirrorURL, packageName, currentVersionCode, cachePath, cache)
+}
+
+func PingFDroidMirrors(mirrorURLs string) (FDroidPingResultIterator, error) {
+	urls := strings.Split(mirrorURLs, ",")
+	results := make([]*FDroidPingResult, len(urls))
+	var waitGroup sync.WaitGroup
+	for i, rawURL := range urls {
+		waitGroup.Add(1)
+		go func(index int, target string) {
+			defer waitGroup.Done()
+			target = strings.TrimSpace(target)
+			result := &FDroidPingResult{URL: target}
+			latency, err := pingTLS(target)
+			if err != nil {
+				result.LatencyMs = -1
+				result.Error = err.Error()
+			} else {
+				result.LatencyMs = int32(latency.Milliseconds())
+			}
+			results[index] = result
+		}(i, rawURL)
+	}
+	waitGroup.Wait()
+	sort.Slice(results, func(i, j int) bool {
+		if results[i].LatencyMs < 0 {
+			return false
+		}
+		if results[j].LatencyMs < 0 {
+			return true
+		}
+		return results[i].LatencyMs < results[j].LatencyMs
+	})
+	return newIterator(results), nil
+}
+
+func PingFDroidMirror(mirrorURL string) *FDroidPingResult {
+	mirrorURL = strings.TrimSpace(mirrorURL)
+	result := &FDroidPingResult{URL: mirrorURL}
+	latency, err := pingTLS(mirrorURL)
+	if err != nil {
+		result.LatencyMs = -1
+		result.Error = err.Error()
+	} else {
+		result.LatencyMs = int32(latency.Milliseconds())
+	}
+	return result
+}
+
+func newFDroidHTTPClient() *http.Client {
+	return &http.Client{
+		Timeout: 30 * time.Second,
+	}
+}
+
+func newFDroidRequest(requestURL string) (*http.Request, error) {
+	request, err := http.NewRequest("GET", requestURL, nil)
+	if err != nil {
+		return nil, err
+	}
+	request.Header.Set("User-Agent", fdroidUserAgent)
+	return request, nil
+}
+
+func checkFDroidAPI(mirrorURL, packageName string, currentVersionCode int32) (*FDroidUpdateInfo, error) {
+	client := newFDroidHTTPClient()
+	defer client.CloseIdleConnections()
+
+	apiURL := "https://f-droid.org/api/v1/packages/" + packageName
+	request, err := newFDroidRequest(apiURL)
+	if err != nil {
+		return nil, err
+	}
+
+	response, err := client.Do(request)
+	if err != nil {
+		return nil, err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		return nil, E.New("HTTP ", response.Status)
+	}
+
+	body, err := io.ReadAll(response.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	var apiResponse fdroidAPIResponse
+	err = json.Unmarshal(body, &apiResponse)
+	if err != nil {
+		return nil, err
+	}
+
+	var bestCode int32
+	var bestName string
+	for _, pkg := range apiResponse.Packages {
+		if pkg.VersionCode > currentVersionCode && pkg.VersionCode > bestCode {
+			bestCode = pkg.VersionCode
+			bestName = pkg.VersionName
+		}
+	}
+
+	if bestCode == 0 {
+		return nil, nil
+	}
+
+	return &FDroidUpdateInfo{
+		VersionCode: bestCode,
+		VersionName: bestName,
+		DownloadURL: "https://f-droid.org/repo/" + packageName + "_" + strconv.FormatInt(int64(bestCode), 10) + ".apk",
+	}, nil
+}
+
+func checkFDroidV2(client *http.Client, mirrorURL, packageName string, currentVersionCode int32, cachePath string, cache *fdroidCache) (*FDroidUpdateInfo, error) {
+	entryURL := mirrorURL + "/entry.jar"
+	request, err := newFDroidRequest(entryURL)
+	if err != nil {
+		return nil, err
+	}
+	if cache != nil && cache.ETag != "" {
+		request.Header.Set("If-None-Match", cache.ETag)
+	}
+
+	response, err := client.Do(request)
+	if err != nil {
+		return nil, err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode == http.StatusNotModified {
+		return nil, nil
+	}
+	if response.StatusCode == http.StatusNotFound {
+		writeFDroidCache(cachePath, mirrorURL, 0, "", true)
+		return checkFDroidV1(client, mirrorURL, packageName, currentVersionCode, cachePath, nil)
+	}
+	if response.StatusCode != http.StatusOK {
+		return nil, E.New("HTTP ", response.Status, ": ", entryURL)
+	}
+
+	jarData, err := io.ReadAll(response.Body)
+	if err != nil {
+		return nil, err
+	}
+	etag := response.Header.Get("ETag")
+
+	var entry fdroidEntry
+	err = readJSONFromJar(jarData, "entry.json", &entry)
+	if err != nil {
+		return nil, E.Cause(err, "read entry.jar")
+	}
+
+	if entry.Timestamp == 0 {
+		return nil, E.New("entry.json not found in entry.jar")
+	}
+
+	if cache != nil && cache.Timestamp == entry.Timestamp {
+		writeFDroidCache(cachePath, mirrorURL, entry.Timestamp, etag, false)
+		return nil, nil
+	}
+
+	var indexURL string
+	if cache != nil {
+		cachedTimestamp := strconv.FormatInt(cache.Timestamp, 10)
+		if diff, ok := entry.Diffs[cachedTimestamp]; ok {
+			indexURL = mirrorURL + "/" + diff.Name
+		}
+	}
+	if indexURL == "" {
+		indexURL = mirrorURL + "/" + entry.Index.Name
+	}
+
+	indexRequest, err := newFDroidRequest(indexURL)
+	if err != nil {
+		return nil, err
+	}
+
+	indexResponse, err := client.Do(indexRequest)
+	if err != nil {
+		return nil, err
+	}
+	defer indexResponse.Body.Close()
+
+	if indexResponse.StatusCode != http.StatusOK {
+		return nil, E.New("HTTP ", indexResponse.Status, ": ", indexURL)
+	}
+
+	indexData, err := io.ReadAll(indexResponse.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	var index fdroidIndexV2
+	err = json.Unmarshal(indexData, &index)
+	if err != nil {
+		return nil, err
+	}
+
+	writeFDroidCache(cachePath, mirrorURL, entry.Timestamp, etag, false)
+
+	pkg, ok := index.Packages[packageName]
+	if !ok {
+		return nil, nil
+	}
+
+	var bestCode int32
+	var bestVersion fdroidV2Version
+	for _, version := range pkg.Versions {
+		if version.Manifest.VersionCode > currentVersionCode && version.Manifest.VersionCode > bestCode {
+			bestCode = version.Manifest.VersionCode
+			bestVersion = version
+		}
+	}
+
+	if bestCode == 0 {
+		return nil, nil
+	}
+
+	return &FDroidUpdateInfo{
+		VersionCode: bestCode,
+		VersionName: bestVersion.Manifest.VersionName,
+		DownloadURL: mirrorURL + "/" + bestVersion.File.Name,
+		FileSize:    bestVersion.File.Size,
+		FileSHA256:  bestVersion.File.SHA256,
+	}, nil
+}
+
+func checkFDroidV1(client *http.Client, mirrorURL, packageName string, currentVersionCode int32, cachePath string, cache *fdroidCache) (*FDroidUpdateInfo, error) {
+	indexURL := mirrorURL + "/index-v1.jar"
+
+	request, err := newFDroidRequest(indexURL)
+	if err != nil {
+		return nil, err
+	}
+	if cache != nil && cache.ETag != "" {
+		request.Header.Set("If-None-Match", cache.ETag)
+	}
+
+	response, err := client.Do(request)
+	if err != nil {
+		return nil, err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode == http.StatusNotModified {
+		return nil, nil
+	}
+	if response.StatusCode != http.StatusOK {
+		return nil, E.New("HTTP ", response.Status, ": ", indexURL)
+	}
+
+	jarData, err := io.ReadAll(response.Body)
+	if err != nil {
+		return nil, err
+	}
+	etag := response.Header.Get("ETag")
+
+	var index fdroidIndexV1
+	err = readJSONFromJar(jarData, "index-v1.json", &index)
+	if err != nil {
+		return nil, E.Cause(err, "read index-v1.jar")
+	}
+
+	writeFDroidCache(cachePath, mirrorURL, 0, etag, true)
+
+	packages, ok := index.Packages[packageName]
+	if !ok {
+		return nil, nil
+	}
+
+	var bestCode int32
+	var bestPackage fdroidV1Package
+	for _, pkg := range packages {
+		if pkg.VersionCode > currentVersionCode && pkg.VersionCode > bestCode {
+			bestCode = pkg.VersionCode
+			bestPackage = pkg
+		}
+	}
+
+	if bestCode == 0 {
+		return nil, nil
+	}
+
+	return &FDroidUpdateInfo{
+		VersionCode: bestCode,
+		VersionName: bestPackage.VersionName,
+		DownloadURL: mirrorURL + "/" + bestPackage.ApkName,
+		FileSize:    bestPackage.Size,
+		FileSHA256:  bestPackage.Hash,
+	}, nil
+}
+
+func readJSONFromJar(jarData []byte, fileName string, destination any) error {
+	zipReader, err := zip.NewReader(bytes.NewReader(jarData), int64(len(jarData)))
+	if err != nil {
+		return err
+	}
+	for _, file := range zipReader.File {
+		if file.Name != fileName {
+			continue
+		}
+		reader, err := file.Open()
+		if err != nil {
+			return err
+		}
+		data, err := io.ReadAll(reader)
+		reader.Close()
+		if err != nil {
+			return err
+		}
+		return json.Unmarshal(data, destination)
+	}
+	return nil
+}
+
+func pingTLS(mirrorURL string) (time.Duration, error) {
+	parsed, err := url.Parse(mirrorURL)
+	if err != nil {
+		return 0, err
+	}
+	host := parsed.Host
+	if !strings.Contains(host, ":") {
+		host = host + ":443"
+	}
+
+	dialer := &net.Dialer{Timeout: 5 * time.Second}
+	start := time.Now()
+	conn, err := tls.DialWithDialer(dialer, "tcp", host, &tls.Config{})
+	if err != nil {
+		return 0, err
+	}
+	latency := time.Since(start)
+	conn.Close()
+	return latency, nil
+}
+
+func loadFDroidCache(cachePath, mirrorURL string) *fdroidCache {
+	cacheFile := filepath.Join(cachePath, "fdroid_cache.json")
+	data, err := os.ReadFile(cacheFile)
+	if err != nil {
+		return nil
+	}
+	var cache fdroidCache
+	err = json.Unmarshal(data, &cache)
+	if err != nil {
+		return nil
+	}
+	if cache.MirrorURL != mirrorURL {
+		return nil
+	}
+	return &cache
+}
+
+func writeFDroidCache(cachePath, mirrorURL string, timestamp int64, etag string, isV1 bool) {
+	cache := fdroidCache{
+		MirrorURL: mirrorURL,
+		Timestamp: timestamp,
+		ETag:      etag,
+		IsV1:      isV1,
+	}
+	data, err := json.Marshal(cache)
+	if err != nil {
+		return
+	}
+	os.MkdirAll(cachePath, 0o755)
+	os.WriteFile(filepath.Join(cachePath, "fdroid_cache.json"), data, 0o644)
+}

experimental/libbox/fdroid_mirrors.go

@@ -0,0 +1,92 @@
+package libbox
+
+type FDroidMirror struct {
+	URL     string
+	Country string
+	Name    string
+}
+
+type FDroidMirrorIterator interface {
+	Len() int32
+	HasNext() bool
+	Next() *FDroidMirror
+}
+
+var builtinFDroidMirrors = []FDroidMirror{
+	// Official
+	{URL: "https://f-droid.org/repo", Country: "Official", Name: "f-droid.org"},
+	{URL: "https://cloudflare.f-droid.org/repo", Country: "Official", Name: "Cloudflare CDN"},
+
+	// China
+	{URL: "https://mirrors.tuna.tsinghua.edu.cn/fdroid/repo", Country: "China", Name: "Tsinghua TUNA"},
+	{URL: "https://mirrors.nju.edu.cn/fdroid/repo", Country: "China", Name: "Nanjing University"},
+	{URL: "https://mirror.iscas.ac.cn/fdroid/repo", Country: "China", Name: "ISCAS"},
+	{URL: "https://mirror.nyist.edu.cn/fdroid/repo", Country: "China", Name: "NYIST"},
+	{URL: "https://mirrors.cqupt.edu.cn/fdroid/repo", Country: "China", Name: "CQUPT"},
+	{URL: "https://mirrors.shanghaitech.edu.cn/fdroid/repo", Country: "China", Name: "ShanghaiTech"},
+
+	// India
+	{URL: "https://mirror.hyd.albony.in/fdroid/repo", Country: "India", Name: "Albony Hyderabad"},
+	{URL: "https://mirror.del2.albony.in/fdroid/repo", Country: "India", Name: "Albony Delhi"},
+
+	// Taiwan
+	{URL: "https://mirror.ossplanet.net/fdroid/repo", Country: "Taiwan", Name: "OSSPlanet"},
+
+	// France
+	{URL: "https://fdroid.tetaneutral.net/fdroid/repo", Country: "France", Name: "tetaneutral.net"},
+	{URL: "https://mirror.freedif.org/fdroid/repo", Country: "France", Name: "FreeDif"},
+
+	// Germany
+	{URL: "https://ftp.fau.de/fdroid/repo", Country: "Germany", Name: "FAU Erlangen"},
+	{URL: "https://ftp.agdsn.de/fdroid/repo", Country: "Germany", Name: "AGDSN Dresden"},
+	{URL: "https://ftp.gwdg.de/pub/android/fdroid/repo", Country: "Germany", Name: "GWDG"},
+	{URL: "https://mirror.level66.network/fdroid/repo", Country: "Germany", Name: "Level66"},
+	{URL: "https://mirror.mci-1.serverforge.org/fdroid/repo", Country: "Germany", Name: "ServerForge"},
+
+	// Netherlands
+	{URL: "https://ftp.snt.utwente.nl/pub/software/fdroid/repo", Country: "Netherlands", Name: "University of Twente"},
+
+	// Sweden
+	{URL: "https://ftp.lysator.liu.se/pub/fdroid/repo", Country: "Sweden", Name: "Lysator"},
+
+	// Denmark
+	{URL: "https://mirrors.dotsrc.org/fdroid/repo", Country: "Denmark", Name: "dotsrc.org"},
+
+	// Austria
+	{URL: "https://mirror.kumi.systems/fdroid/repo", Country: "Austria", Name: "Kumi Systems"},
+
+	// Switzerland
+	{URL: "https://mirror.init7.net/fdroid/repo", Country: "Switzerland", Name: "Init7"},
+
+	// Romania
+	{URL: "https://mirrors.hostico.ro/fdroid/repo", Country: "Romania", Name: "Hostico"},
+	{URL: "https://mirrors.chroot.ro/fdroid/repo", Country: "Romania", Name: "Chroot"},
+	{URL: "https://ftp.lug.ro/fdroid/repo", Country: "Romania", Name: "LUG Romania"},
+
+	// US
+	{URL: "https://plug-mirror.rcac.purdue.edu/fdroid/repo", Country: "US", Name: "Purdue"},
+	{URL: "https://mirror.fcix.net/fdroid/repo", Country: "US", Name: "FCIX"},
+	{URL: "https://opencolo.mm.fcix.net/fdroid/repo", Country: "US", Name: "OpenColo"},
+	{URL: "https://forksystems.mm.fcix.net/fdroid/repo", Country: "US", Name: "Fork Systems"},
+	{URL: "https://southfront.mm.fcix.net/fdroid/repo", Country: "US", Name: "South Front"},
+	{URL: "https://ziply.mm.fcix.net/fdroid/repo", Country: "US", Name: "Ziply"},
+
+	// Canada
+	{URL: "https://mirror.quantum5.ca/fdroid/repo", Country: "Canada", Name: "Quantum5"},
+
+	// Australia
+	{URL: "https://mirror.aarnet.edu.au/fdroid/repo", Country: "Australia", Name: "AARNet"},
+
+	// Other
+	{URL: "https://mirror.cyberbits.eu/fdroid/repo", Country: "Europe", Name: "Cyberbits EU"},
+	{URL: "https://mirror.eu.ossplanet.net/fdroid/repo", Country: "Europe", Name: "OSSPlanet EU"},
+	{URL: "https://mirror.cyberbits.asia/fdroid/repo", Country: "Asia", Name: "Cyberbits Asia"},
+	{URL: "https://mirrors.jevincanders.net/fdroid/repo", Country: "US", Name: "Jevincanders"},
+	{URL: "https://mirrors.komogoto.com/fdroid/repo", Country: "US", Name: "Komogoto"},
+	{URL: "https://fdroid.rasp.sh/fdroid/repo", Country: "Europe", Name: "rasp.sh"},
+	{URL: "https://mirror.gofoss.xyz/fdroid/repo", Country: "Europe", Name: "GoFOSS"},
+}
+
+func GetFDroidMirrors() FDroidMirrorIterator {
+	return newPtrIterator(builtinFDroidMirrors)
+}

experimental/libbox/neighbor.go

@@ -0,0 +1,53 @@
+package libbox
+
+import (
+	"net"
+	"net/netip"
+)
+
+type NeighborEntry struct {
+	Address    string
+	MacAddress string
+	Hostname   string
+}
+
+type NeighborEntryIterator interface {
+	Next() *NeighborEntry
+	HasNext() bool
+}
+
+type NeighborSubscription struct {
+	done chan struct{}
+}
+
+func (s *NeighborSubscription) Close() {
+	close(s.done)
+}
+
+func tableToIterator(table map[netip.Addr]net.HardwareAddr) NeighborEntryIterator {
+	entries := make([]*NeighborEntry, 0, len(table))
+	for address, mac := range table {
+		entries = append(entries, &NeighborEntry{
+			Address:    address.String(),
+			MacAddress: mac.String(),
+		})
+	}
+	return &neighborEntryIterator{entries}
+}
+
+type neighborEntryIterator struct {
+	entries []*NeighborEntry
+}
+
+func (i *neighborEntryIterator) HasNext() bool {
+	return len(i.entries) > 0
+}
+
+func (i *neighborEntryIterator) Next() *NeighborEntry {
+	if len(i.entries) == 0 {
+		return nil
+	}
+	entry := i.entries[0]
+	i.entries = i.entries[1:]
+	return entry
+}

experimental/libbox/neighbor_darwin.go

@@ -0,0 +1,123 @@
+//go:build darwin
+
+package libbox
+
+import (
+	"net"
+	"net/netip"
+	"os"
+	"slices"
+	"time"
+
+	"github.com/sagernet/sing-box/route"
+	"github.com/sagernet/sing/common/buf"
+	E "github.com/sagernet/sing/common/exceptions"
+
+	xroute "golang.org/x/net/route"
+	"golang.org/x/sys/unix"
+)
+
+func SubscribeNeighborTable(listener NeighborUpdateListener) (*NeighborSubscription, error) {
+	entries, err := route.ReadNeighborEntries()
+	if err != nil {
+		return nil, E.Cause(err, "initial neighbor dump")
+	}
+	table := make(map[netip.Addr]net.HardwareAddr)
+	for _, entry := range entries {
+		table[entry.Address] = entry.MACAddress
+	}
+	listener.UpdateNeighborTable(tableToIterator(table))
+	routeSocket, err := unix.Socket(unix.AF_ROUTE, unix.SOCK_RAW, 0)
+	if err != nil {
+		return nil, E.Cause(err, "open route socket")
+	}
+	err = unix.SetNonblock(routeSocket, true)
+	if err != nil {
+		unix.Close(routeSocket)
+		return nil, E.Cause(err, "set route socket nonblock")
+	}
+	subscription := &NeighborSubscription{
+		done: make(chan struct{}),
+	}
+	go subscription.loop(listener, routeSocket, table)
+	return subscription, nil
+}
+
+func (s *NeighborSubscription) loop(listener NeighborUpdateListener, routeSocket int, table map[netip.Addr]net.HardwareAddr) {
+	routeSocketFile := os.NewFile(uintptr(routeSocket), "route")
+	defer routeSocketFile.Close()
+	buffer := buf.NewPacket()
+	defer buffer.Release()
+	for {
+		select {
+		case <-s.done:
+			return
+		default:
+		}
+		tv := unix.NsecToTimeval(int64(3 * time.Second))
+		_ = unix.SetsockoptTimeval(routeSocket, unix.SOL_SOCKET, unix.SO_RCVTIMEO, &tv)
+		n, err := routeSocketFile.Read(buffer.FreeBytes())
+		if err != nil {
+			if nerr, ok := err.(net.Error); ok && nerr.Timeout() {
+				continue
+			}
+			select {
+			case <-s.done:
+				return
+			default:
+			}
+			continue
+		}
+		messages, err := xroute.ParseRIB(xroute.RIBTypeRoute, buffer.FreeBytes()[:n])
+		if err != nil {
+			continue
+		}
+		changed := false
+		for _, message := range messages {
+			routeMessage, isRouteMessage := message.(*xroute.RouteMessage)
+			if !isRouteMessage {
+				continue
+			}
+			if routeMessage.Flags&unix.RTF_LLINFO == 0 {
+				continue
+			}
+			address, mac, isDelete, ok := route.ParseRouteNeighborMessage(routeMessage)
+			if !ok {
+				continue
+			}
+			if isDelete {
+				if _, exists := table[address]; exists {
+					delete(table, address)
+					changed = true
+				}
+			} else {
+				existing, exists := table[address]
+				if !exists || !slices.Equal(existing, mac) {
+					table[address] = mac
+					changed = true
+				}
+			}
+		}
+		if changed {
+			listener.UpdateNeighborTable(tableToIterator(table))
+		}
+	}
+}
+
+func ReadBootpdLeases() NeighborEntryIterator {
+	leaseIPToMAC, ipToHostname, macToHostname := route.ReloadLeaseFiles([]string{"/var/db/dhcpd_leases"})
+	entries := make([]*NeighborEntry, 0, len(leaseIPToMAC))
+	for address, mac := range leaseIPToMAC {
+		entry := &NeighborEntry{
+			Address:    address.String(),
+			MacAddress: mac.String(),
+		}
+		hostname, found := ipToHostname[address]
+		if !found {
+			hostname = macToHostname[mac.String()]
+		}
+		entry.Hostname = hostname
+		entries = append(entries, entry)
+	}
+	return &neighborEntryIterator{entries}
+}

experimental/libbox/neighbor_linux.go

@@ -0,0 +1,88 @@
+//go:build linux
+
+package libbox
+
+import (
+	"net"
+	"net/netip"
+	"slices"
+	"time"
+
+	"github.com/sagernet/sing-box/route"
+	E "github.com/sagernet/sing/common/exceptions"
+
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+func SubscribeNeighborTable(listener NeighborUpdateListener) (*NeighborSubscription, error) {
+	entries, err := route.ReadNeighborEntries()
+	if err != nil {
+		return nil, E.Cause(err, "initial neighbor dump")
+	}
+	table := make(map[netip.Addr]net.HardwareAddr)
+	for _, entry := range entries {
+		table[entry.Address] = entry.MACAddress
+	}
+	listener.UpdateNeighborTable(tableToIterator(table))
+	connection, err := netlink.Dial(unix.NETLINK_ROUTE, &netlink.Config{
+		Groups: 1 << (unix.RTNLGRP_NEIGH - 1),
+	})
+	if err != nil {
+		return nil, E.Cause(err, "subscribe neighbor updates")
+	}
+	subscription := &NeighborSubscription{
+		done: make(chan struct{}),
+	}
+	go subscription.loop(listener, connection, table)
+	return subscription, nil
+}
+
+func (s *NeighborSubscription) loop(listener NeighborUpdateListener, connection *netlink.Conn, table map[netip.Addr]net.HardwareAddr) {
+	defer connection.Close()
+	for {
+		select {
+		case <-s.done:
+			return
+		default:
+		}
+		err := connection.SetReadDeadline(time.Now().Add(3 * time.Second))
+		if err != nil {
+			return
+		}
+		messages, err := connection.Receive()
+		if err != nil {
+			if nerr, ok := err.(net.Error); ok && nerr.Timeout() {
+				continue
+			}
+			select {
+			case <-s.done:
+				return
+			default:
+			}
+			continue
+		}
+		changed := false
+		for _, message := range messages {
+			address, mac, isDelete, ok := route.ParseNeighborMessage(message)
+			if !ok {
+				continue
+			}
+			if isDelete {
+				if _, exists := table[address]; exists {
+					delete(table, address)
+					changed = true
+				}
+			} else {
+				existing, exists := table[address]
+				if !exists || !slices.Equal(existing, mac) {
+					table[address] = mac
+					changed = true
+				}
+			}
+		}
+		if changed {
+			listener.UpdateNeighborTable(tableToIterator(table))
+		}
+	}
+}

experimental/libbox/neighbor_stub.go

@@ -0,0 +1,9 @@
+//go:build !linux && !darwin
+
+package libbox
+
+import "os"
+
+func SubscribeNeighborTable(_ NeighborUpdateListener) (*NeighborSubscription, error) {
+	return nil, os.ErrInvalid
+}

experimental/libbox/platform.go

@@ -21,6 +21,13 @@ type PlatformInterface interface {
 	SystemCertificates() StringIterator
 	ClearDNSCache()
 	SendNotification(notification *Notification) error
+	StartNeighborMonitor(listener NeighborUpdateListener) error
+	CloseNeighborMonitor(listener NeighborUpdateListener) error
+	RegisterMyInterface(name string)
+}
+
+type NeighborUpdateListener interface {
+	UpdateNeighborTable(entries NeighborEntryIterator)
 }
 
 type ConnectionOwner struct {

experimental/libbox/service.go

@@ -78,6 +78,7 @@ func (w *platformInterfaceWrapper) OpenInterface(options *tun.Options, platformO
 	}
 	options.FileDescriptor = dupFd
 	w.myTunName = options.Name
+	w.iif.RegisterMyInterface(options.Name)
 	return tun.New(*options)
 }
 
@@ -220,6 +221,46 @@ func (w *platformInterfaceWrapper) SendNotification(notification *adapter.Notifi
 	return w.iif.SendNotification((*Notification)(notification))
 }
 
+func (w *platformInterfaceWrapper) UsePlatformNeighborResolver() bool {
+	return true
+}
+
+func (w *platformInterfaceWrapper) StartNeighborMonitor(listener adapter.NeighborUpdateListener) error {
+	return w.iif.StartNeighborMonitor(&neighborUpdateListenerWrapper{listener: listener})
+}
+
+func (w *platformInterfaceWrapper) CloseNeighborMonitor(listener adapter.NeighborUpdateListener) error {
+	return w.iif.CloseNeighborMonitor(nil)
+}
+
+type neighborUpdateListenerWrapper struct {
+	listener adapter.NeighborUpdateListener
+}
+
+func (w *neighborUpdateListenerWrapper) UpdateNeighborTable(entries NeighborEntryIterator) {
+	var result []adapter.NeighborEntry
+	for entries.HasNext() {
+		entry := entries.Next()
+		if entry == nil {
+			continue
+		}
+		address, err := netip.ParseAddr(entry.Address)
+		if err != nil {
+			continue
+		}
+		macAddress, err := net.ParseMAC(entry.MacAddress)
+		if err != nil {
+			continue
+		}
+		result = append(result, adapter.NeighborEntry{
+			Address:    address,
+			MACAddress: macAddress,
+			Hostname:   entry.Hostname,
+		})
+	}
+	w.listener.UpdateNeighborTable(result)
+}
+
 func AvailablePort(startPort int32) (int32, error) {
 	for port := int(startPort); ; port++ {
 		if port > 65535 {

go.mod

@@ -14,35 +14,37 @@ require (
 	github.com/godbus/dbus/v5 v5.2.2
 	github.com/gofrs/uuid/v5 v5.4.0
 	github.com/insomniacslk/dhcp v0.0.0-20260220084031-5adc3eb26f91
+	github.com/jsimonetti/rtnetlink v1.4.0
 	github.com/keybase/go-keychain v0.0.1
 	github.com/libdns/acmedns v0.5.0
 	github.com/libdns/alidns v1.0.6
 	github.com/libdns/cloudflare v0.2.2
 	github.com/logrusorgru/aurora v2.0.3+incompatible
+	github.com/mdlayher/netlink v1.9.0
 	github.com/metacubex/utls v1.8.4
 	github.com/mholt/acmez/v3 v3.1.6
 	github.com/miekg/dns v1.1.72
-	github.com/openai/openai-go/v3 v3.24.0
+	github.com/openai/openai-go/v3 v3.26.0
 	github.com/oschwald/maxminddb-golang v1.13.1
 	github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
 	github.com/sagernet/cors v1.2.1
-	github.com/sagernet/cronet-go v0.0.0-20260303101018-cba7b9ac0399
-	github.com/sagernet/cronet-go/all v0.0.0-20260303101018-cba7b9ac0399
+	github.com/sagernet/cronet-go v0.0.0-20260309100020-c128886ff3fc
+	github.com/sagernet/cronet-go/all v0.0.0-20260309100020-c128886ff3fc
 	github.com/sagernet/fswatch v0.1.1
 	github.com/sagernet/gomobile v0.1.12
 	github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1
 	github.com/sagernet/quic-go v0.59.0-sing-box-mod.4
-	github.com/sagernet/sing v0.8.2
+	github.com/sagernet/sing v0.8.3-0.20260311155444-d39eb42a9f69
 	github.com/sagernet/sing-mux v0.3.4
 	github.com/sagernet/sing-quic v0.6.0
 	github.com/sagernet/sing-shadowsocks v0.2.8
 	github.com/sagernet/sing-shadowsocks2 v0.2.1
 	github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11
-	github.com/sagernet/sing-tun v0.8.2
+	github.com/sagernet/sing-tun v0.8.3-0.20260311132553-5485872f601f
 	github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1
 	github.com/sagernet/smux v1.5.50-sing-box-mod.1
-	github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260303140313-3bcf9a4b9349
+	github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260311131347-f88b27eeb76e
 	github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c
 	github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854
 	github.com/spf13/cobra v1.10.2
@@ -92,11 +94,9 @@ require (
 	github.com/hashicorp/yamux v0.1.2 // indirect
 	github.com/hdevalence/ed25519consensus v0.2.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/jsimonetti/rtnetlink v1.4.0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/libdns/libdns v1.1.1 // indirect
-	github.com/mdlayher/netlink v1.9.0 // indirect
 	github.com/mdlayher/socket v0.5.1 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
@@ -105,35 +105,35 @@ require (
 	github.com/prometheus-community/pro-bing v0.4.0 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/safchain/ethtool v0.3.0 // indirect
-	github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
-	github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260303100323-125d0d93b3e6 // indirect
+	github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
 	github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a // indirect
 	github.com/sagernet/nftables v0.3.0-beta.4 // indirect
 	github.com/spf13/pflag v1.0.9 // indirect

go.sum

@@ -138,8 +138,8 @@ github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc
 github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 h1:zYyBkD/k9seD2A7fsi6Oo2LfFZAehjjQMERAvZLEDnQ=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8=
-github.com/openai/openai-go/v3 v3.24.0 h1:08x6GnYiB+AAejTo6yzPY8RkZMJQ8NpreiOyM5QfyYU=
-github.com/openai/openai-go/v3 v3.24.0/go.mod h1:cdufnVK14cWcT9qA1rRtrXx4FTRsgbDPW7Ia7SS5cZo=
+github.com/openai/openai-go/v3 v3.26.0 h1:bRt6H/ozMNt/dDkN4gobnLqaEGrRGBzmbVs0xxJEnQE=
+github.com/openai/openai-go/v3 v3.26.0/go.mod h1:cdufnVK14cWcT9qA1rRtrXx4FTRsgbDPW7Ia7SS5cZo=
 github.com/oschwald/maxminddb-golang v1.13.1 h1:G3wwjdN9JmIK2o/ermkHM+98oX5fS+k5MbwsmL4MRQE=
 github.com/oschwald/maxminddb-golang v1.13.1/go.mod h1:K4pgV9N/GcK694KSTmVSDTODk4IsCNThNdTmnaBZ/F8=
 github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
@@ -162,68 +162,68 @@ github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkk
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a/go.mod h1:63s7jpZqcDAIpj8oI/1v4Izok+npJOHACFCU6+huCkM=
 github.com/sagernet/cors v1.2.1 h1:Cv5Z8y9YSD6Gm+qSpNrL3LO4lD3eQVvbFYJSG7JCMHQ=
 github.com/sagernet/cors v1.2.1/go.mod h1:O64VyOjjhrkLmQIjF4KGRrJO/5dVXFdpEmCW/eISRAI=
-github.com/sagernet/cronet-go v0.0.0-20260303101018-cba7b9ac0399 h1:x3tVYQHdqqnKbEd9/H4KIGhtHTjA+KfiiaXedI3/w8Q=
-github.com/sagernet/cronet-go v0.0.0-20260303101018-cba7b9ac0399/go.mod h1:hwFHBEjjthyEquDULbr4c4ucMedp8Drb6Jvm2kt/0Bw=
-github.com/sagernet/cronet-go/all v0.0.0-20260303101018-cba7b9ac0399 h1:mD3ehudpYf1IFgCTv25d/B6KnBc/lLFq1jmSQIK24y0=
-github.com/sagernet/cronet-go/all v0.0.0-20260303101018-cba7b9ac0399/go.mod h1:MbYagcGGIaRo9tNrgafbCTO+Qc7eVEh32ZWMprSB8b0=
-github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260303100323-125d0d93b3e6 h1:ghRKgSaswefPwQF8AYtUlNyumILOB0ptJWxgZ8MFrEE=
-github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:XXDwdjX/T8xftoeJxQmbBoYXZp8MAPFR2CwbFuTpEtw=
-github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260303100323-125d0d93b3e6 h1:Behr7YCnQP2dsvzAJDIoMd5nTVU9/d6MMtk/S3MctwA=
-github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:iNiUGoLtnr8/JTuVNj7XJbmpOAp2C6+B81KDrPxwaZM=
-github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260303100323-125d0d93b3e6 h1:6UL9XdGU/44oTHj36e+EBDJ0RonFoObmd299NG/qQCU=
-github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:19ILNUOGIzRdOqa2mq+iY0JoHxuieB7/lnjYeaA2vEc=
-github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260303100323-125d0d93b3e6 h1:Q9apxjtkj6iMIBQlTo71QsOTrNlhHneaXQb1Q0IshU8=
-github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:JxzGyQf94Cr6sBShKqODGDyRUlESfJK/Njcz9Lz6qMQ=
-github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260303100323-125d0d93b3e6 h1:0N+xlnMkFEeqgFe3X/PEvHt+/t+BPgxmbx7wzNcYppg=
-github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:KN+9T9TBycGOLzmKU4QdcHAJEj6Nlx48ifnlTvvHMvs=
-github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260303100323-125d0d93b3e6 h1:7f2vTXtePikBSV1bdD0zs5/WuZM+bRuej3mREpWL/qQ=
-github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:kojvtUc29KKnk8hs2QIANynVR59921SnGWA9kXohHc0=
-github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260303100323-125d0d93b3e6 h1:HMlnhEYs+axOa0tAJ79se3QsYB8CpRCQo9mewWWFeeg=
-github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:hkQzRE5GDbaH1/ioqYh0Taho4L6i0yLRCVEZ5xHz5M0=
-github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260303100323-125d0d93b3e6 h1:Ux/U6vF+1AoGLSJK3jVa9Kqkn64MX4Ivv7fy0ikDrpQ=
-github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:tzVJFTOm66UxLxy6K0ZN5Ic2PC79e+sKKnt+V9puEa4=
-github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260303100323-125d0d93b3e6 h1:5Dhuere2bQFzfGvKxA7TFgA5MoTtgcZMmJQuKwQKlyA=
-github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:M/pN6m3j0HFU6/y83n0HU6GLYys3tYdr/xTE8hVEGMo=
-github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260303100323-125d0d93b3e6 h1:aMRcLow4UpZWZ28fR9FjveTL/4okrigZySIkEVZnlgA=
-github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:cGh5hO6eljCo6KMQ/Cel8Xgq4+etL0awZLRBDVG1EZQ=
-github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260303100323-125d0d93b3e6 h1:y4g8oNtEfSdcKrBKsH5vMAjzGthvhHFNU80sanYDQEM=
-github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:JFE0/cxaKkx0wqPMZU7MgaplQlU0zudv82dROJjClKU=
-github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260303100323-125d0d93b3e6 h1:CXN6OPILi5trwffmYiiJ9rqJL3XAWx1menLrBBwA0gU=
-github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:vU8VftFeSt7fURCa3JXD6+k6ss1YAX+idQjPvHmJ2tI=
-github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260303100323-125d0d93b3e6 h1:ZphFHQeFOTpqCWPwFcQRnrePXajml8LbKlYFJ5n0isU=
-github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:vCe4OUuL+XOUge9v3MyTD45BnuAXiH+DkjN9quDXJzQ=
-github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260303100323-125d0d93b3e6 h1:nKzFK84oANHz7I6bab+25bBY+pdpAbO0b3NJroyLldo=
-github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:w9amBWrvjtohQzBGCKJ7LCh22LhTIJs4sE7cYaKQzM0=
-github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260303100323-125d0d93b3e6 h1:HqqZUGRXcWvvwlbuvjk/efo8TKW1H/aHdqQTde+Xs9Q=
-github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:TqlsFtcYS/etTeck46kHBeT8Le0Igw1Q/AV88UnMS3s=
-github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260303100323-125d0d93b3e6 h1:D2v9lZZG5sm4x/CkG7uqc6ZU3YlhFQ+GmJfvZMK0h/s=
-github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:B6Qd0vys8sv9OKVRN6J9RqDzYRGE938Fb2zrYdBDyTQ=
-github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260303100323-125d0d93b3e6 h1:TWveNeXHrA5r8XOlf+vw7U2b2M0ip6GNF89jcUi1ogw=
-github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:3tXMMFY7AHugOVBZ5Al7cL7JKsnFOe5bMVr0hZPk3ow=
-github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260303100323-125d0d93b3e6 h1:DVCBoXOZI4PNG0cbCLg8lrphRXoLFcAIDLNmzsCVg3I=
-github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:Wt5uFdU3tnmm8YzobYewwdF7Mt6SucRQg6xeTNWC3Tk=
-github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260303100323-125d0d93b3e6 h1:7s5xqNlBUWkIXdruPYi3/txXekQhGWxrYxbnB0cnARo=
-github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:lyIF6wKBLwWa5ZXaAKbAoewewl+yCHo2iYev39Mbj4E=
-github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260303100323-125d0d93b3e6 h1:eyEb+Q7VH4hpE1nV+EmEnN2XX5WilgBpIsfCw4C/7no=
-github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:H46PnSTTZNcZokLLiDeMDaHiS1l14PH3tzWi0eykjD8=
-github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260303100323-125d0d93b3e6 h1:9F1W7+z1hHST6GSzdpQ8Q0NCkneAL18dkRA1HfxH09A=
-github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:RBhSUDAKWq7fswtV4nQUQhuaTLcX3ettR7teA7/yf2w=
-github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260303100323-125d0d93b3e6 h1:MmQIR3iJsdvw1ONBP3geK57i9c3+v9dXPMNdZYcYGKw=
-github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:wRzoIOGG4xbpp3Gh3triLKwMwYriScXzFtunLYhY4w0=
-github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260303100323-125d0d93b3e6 h1:j6Pk1Wsl+PCbKRXtp7a912D2D6zqX5Nk51wDQU9TEDc=
-github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:LNiZXmWil1OPwKCheqQjtakZlJuKGFz+iv2eGF76Hhs=
-github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260303100323-125d0d93b3e6 h1:0DnFhbRfNqwguNCxiinA7BowQ/RaFt627sjW09JNp80=
-github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:YFDGKTkpkJGc5+hnX/RYosZyTWg9h+68VB55fYRRLYc=
-github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260303100323-125d0d93b3e6 h1:3CZmlEk2/WW5UHLFJZxXPJ9IJxX3td8U3PyqWSGMl3c=
-github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:aaX0YGl8nhGmfRWI8bc3BtDjY8Vzx6O0cS/e1uqxDq4=
-github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260303100323-125d0d93b3e6 h1:eHkVRptoZf3BuuskkjcclO2dwQrX4zluoVGODMrX7n0=
-github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:EdzMKA96xITc42QEI+ct4SwqX8Dn3ltKK8wzdkLWpSc=
-github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260303100323-125d0d93b3e6 h1:UgFmE0cZo9euu8/7sTAhj1G8lldavwXBdcPNyTE29CQ=
-github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:qix4kv1TTAJ5tY4lJ9vjhe9EY4mM+B7H5giOhbxDVcc=
-github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260303100323-125d0d93b3e6 h1:xbg3ZB9tLMGDQe4+aewG0Z4bEP/2pLtYBcDzILv5eEc=
-github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:lm9w/oCCRyBiUa3G8lDQTT8x/ONUvgVR2iV9fVzUZB8=
-github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260303100323-125d0d93b3e6 h1:M0bTSTSTnSMlPY2WaZT6fL5TFICqk8v4cm+QVf8Fcao=
-github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260303100323-125d0d93b3e6/go.mod h1:n34YyLgapgjWdKa0IoeczjAFCwD3/dxbsH5sucKw0bw=
+github.com/sagernet/cronet-go v0.0.0-20260309100020-c128886ff3fc h1:YK7PwJT0irRAEui9ASdXSxcE2BOVQipWMF/A1Ogt+7c=
+github.com/sagernet/cronet-go v0.0.0-20260309100020-c128886ff3fc/go.mod h1:hwFHBEjjthyEquDULbr4c4ucMedp8Drb6Jvm2kt/0Bw=
+github.com/sagernet/cronet-go/all v0.0.0-20260309100020-c128886ff3fc h1:EJPHOqk23IuBsTjXK9OXqkNxPbKOBWKRmviQoCcriAs=
+github.com/sagernet/cronet-go/all v0.0.0-20260309100020-c128886ff3fc/go.mod h1:8aty0RW96DrJSMWXO6bRPMBJEjuqq5JWiOIi4bCRzFA=
+github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260309101654-0cbdcfddded9 h1:Qi0IKBpoPP3qZqIXuOKMsT2dv+l/MLWMyBHDMLRw2EA=
+github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:XXDwdjX/T8xftoeJxQmbBoYXZp8MAPFR2CwbFuTpEtw=
+github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260309101654-0cbdcfddded9 h1:p+wCMjOhj46SpSD/AJeTGgkCcbyA76FyH631XZatyU8=
+github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:iNiUGoLtnr8/JTuVNj7XJbmpOAp2C6+B81KDrPxwaZM=
+github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260309101654-0cbdcfddded9 h1:Y7lWrZwEhC/HX8Pb5C92CrQihuaE7hrHmWB2ykst3iQ=
+github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:19ILNUOGIzRdOqa2mq+iY0JoHxuieB7/lnjYeaA2vEc=
+github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:3Ggy5wiyjA6t+aVVPnXlSEIVj9zkxd4ybH3NsvsNefs=
+github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:JxzGyQf94Cr6sBShKqODGDyRUlESfJK/Njcz9Lz6qMQ=
+github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260309101654-0cbdcfddded9 h1:DuFTCnZloblY+7olXiZoRdueWfxi34EV5UheTFKM2rA=
+github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:KN+9T9TBycGOLzmKU4QdcHAJEj6Nlx48ifnlTvvHMvs=
+github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:x/6T2gjpLw9yNdCVR6xBlzMUzED9fxNFNt6U6A6SOh8=
+github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:kojvtUc29KKnk8hs2QIANynVR59921SnGWA9kXohHc0=
+github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9 h1:Lx9PExM70rg8aNxPm0JPeSr5SWC3yFiCz4wIq86ugx8=
+github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:hkQzRE5GDbaH1/ioqYh0Taho4L6i0yLRCVEZ5xHz5M0=
+github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:BTEpw7/vKR9BNBsHebfpiGHDCPpjVJ3vLIbHNU3VUfM=
+github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:tzVJFTOm66UxLxy6K0ZN5Ic2PC79e+sKKnt+V9puEa4=
+github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9 h1:hdEph9nQXRnKwc/lIDwo15rmzbC6znXF5jJWHPN1Fiw=
+github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:M/pN6m3j0HFU6/y83n0HU6GLYys3tYdr/xTE8hVEGMo=
+github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260309101654-0cbdcfddded9 h1:Iq++oYV7dtRJHTpu8yclHJdn+1oj2t1e84/YpdXYWW8=
+github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:cGh5hO6eljCo6KMQ/Cel8Xgq4+etL0awZLRBDVG1EZQ=
+github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260309101654-0cbdcfddded9 h1:Y43fuLL8cgwRHpEKwxh0O3vYp7g/SZGvbkJj3cQ6USA=
+github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:JFE0/cxaKkx0wqPMZU7MgaplQlU0zudv82dROJjClKU=
+github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260309101654-0cbdcfddded9 h1:bX2GJmF0VCC+tBrVAa49YEsmJ4A9dLmwoA6DJUxRtCY=
+github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:vU8VftFeSt7fURCa3JXD6+k6ss1YAX+idQjPvHmJ2tI=
+github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260309101654-0cbdcfddded9 h1:gQTR/2azUCInE0r3kmesZT9xu+x801+BmtDY0d0Tw9Y=
+github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:vCe4OUuL+XOUge9v3MyTD45BnuAXiH+DkjN9quDXJzQ=
+github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260309101654-0cbdcfddded9 h1:X4mP3jlYvxgrKpZLOKMmc/O8T5/zP83/23pgfQOc3tY=
+github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:w9amBWrvjtohQzBGCKJ7LCh22LhTIJs4sE7cYaKQzM0=
+github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:c6xj2nXr/65EDiRFddUKQIBQ/b/lAPoH8WFYlgadaPc=
+github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:TqlsFtcYS/etTeck46kHBeT8Le0Igw1Q/AV88UnMS3s=
+github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260309101654-0cbdcfddded9 h1:ahbl7yjOvGVVNUwk9TcQk+xejVfoYAYFRlhWnby0/YM=
+github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:B6Qd0vys8sv9OKVRN6J9RqDzYRGE938Fb2zrYdBDyTQ=
+github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260309101654-0cbdcfddded9 h1:JC5Zv5+J85da6g5G56VhdaK53fmo6Os2q/wWi5QlxOw=
+github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:3tXMMFY7AHugOVBZ5Al7cL7JKsnFOe5bMVr0hZPk3ow=
+github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260309101654-0cbdcfddded9 h1:4bt7Go588BoM4VjNYMxx0MrvbwlFQn3DdRDCM7BmkRo=
+github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:Wt5uFdU3tnmm8YzobYewwdF7Mt6SucRQg6xeTNWC3Tk=
+github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260309101654-0cbdcfddded9 h1:E1z0BeLUh8EZfCjIyS9BrfCocZrt+0KPS0bzop3Sxf4=
+github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:lyIF6wKBLwWa5ZXaAKbAoewewl+yCHo2iYev39Mbj4E=
+github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260309101654-0cbdcfddded9 h1:d8ejxRHO7Vi9JqR/6DxR7RyI/swA2JfDWATR4T7otBw=
+github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:H46PnSTTZNcZokLLiDeMDaHiS1l14PH3tzWi0eykjD8=
+github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260309101654-0cbdcfddded9 h1:iUDVEVu3RxL5ArPIY72BesbuX5zQ1la/ZFwKpQcGc5c=
+github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:RBhSUDAKWq7fswtV4nQUQhuaTLcX3ettR7teA7/yf2w=
+github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260309101654-0cbdcfddded9 h1:xB6ikOC/R3n3hjy68EJ0sbZhH4vwEhd6JM9jZ1U2SVY=
+github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:wRzoIOGG4xbpp3Gh3triLKwMwYriScXzFtunLYhY4w0=
+github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260309101654-0cbdcfddded9 h1:mBOuLCPOOMMq8N1+dUM5FqZclqga1+u6fAbPqQcbIhc=
+github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:LNiZXmWil1OPwKCheqQjtakZlJuKGFz+iv2eGF76Hhs=
+github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260309101654-0cbdcfddded9 h1:cwPyDfj+ZNFE7kvcWbayQJyeC/KQA16HTXOxgHphL0w=
+github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:YFDGKTkpkJGc5+hnX/RYosZyTWg9h+68VB55fYRRLYc=
+github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9 h1:Zk9zG8kt3mXAboclUXQlvvxKQuhnI8u5NdDEl8uotNY=
+github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:aaX0YGl8nhGmfRWI8bc3BtDjY8Vzx6O0cS/e1uqxDq4=
+github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:Lu05srGqddQRMnl1MZtGAReln2yJljeGx9b1IadlMJ8=
+github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:EdzMKA96xITc42QEI+ct4SwqX8Dn3ltKK8wzdkLWpSc=
+github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9 h1:Tk9bDywUmOtc0iMjjCVIwMlAQNsxCy+bK+bTNA0OaBE=
+github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:qix4kv1TTAJ5tY4lJ9vjhe9EY4mM+B7H5giOhbxDVcc=
+github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260309101654-0cbdcfddded9 h1:tQqDQw3tEHdQpt7NTdAwF3UvZ3CjNIj/IJKMRFmm388=
+github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:lm9w/oCCRyBiUa3G8lDQTT8x/ONUvgVR2iV9fVzUZB8=
+github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:biUIbI2YxUrcQikEfS/bwPA8NsHp/WO+VZUG4morUmE=
+github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:n34YyLgapgjWdKa0IoeczjAFCwD3/dxbsH5sucKw0bw=
 github.com/sagernet/fswatch v0.1.1 h1:YqID+93B7VRfqIH3PArW/XpJv5H4OLEVWDfProGoRQs=
 github.com/sagernet/fswatch v0.1.1/go.mod h1:nz85laH0mkQqJfaOrqPpkwtU1znMFNVTpT/5oRsVz/o=
 github.com/sagernet/gomobile v0.1.12 h1:XwzjZaclFF96deLqwAgK8gU3w0M2A8qxgDmhV+A0wjg=
@@ -236,8 +236,8 @@ github.com/sagernet/nftables v0.3.0-beta.4 h1:kbULlAwAC3jvdGAC1P5Fa3GSxVwQJibNen
 github.com/sagernet/nftables v0.3.0-beta.4/go.mod h1:OQXAjvjNGGFxaTgVCSTRIhYB5/llyVDeapVoENYBDS8=
 github.com/sagernet/quic-go v0.59.0-sing-box-mod.4 h1:6qvrUW79S+CrPwWz6cMePXohgjHoKxLo3c+MDhNwc3o=
 github.com/sagernet/quic-go v0.59.0-sing-box-mod.4/go.mod h1:OqILvS182CyOol5zNNo6bguvOGgXzV459+chpRaUC+4=
-github.com/sagernet/sing v0.8.2 h1:kX1IH9SWJv4S0T9M8O+HNahWgbOuY1VauxbF7NU5lOg=
-github.com/sagernet/sing v0.8.2/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/sing v0.8.3-0.20260311155444-d39eb42a9f69 h1:h6UF2emeydBQMAso99Nr3APV6YustOs+JszVuCkcFy0=
+github.com/sagernet/sing v0.8.3-0.20260311155444-d39eb42a9f69/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-mux v0.3.4 h1:ZQplKl8MNXutjzbMVtWvWG31fohhgOfCuUZR4dVQ8+s=
 github.com/sagernet/sing-mux v0.3.4/go.mod h1:QvlKMyNBNrQoyX4x+gq028uPbLM2XeRpWtDsWBJbFSk=
 github.com/sagernet/sing-quic v0.6.0 h1:dhrFnP45wgVKEOT1EvtsToxdzRnHIDIAgj6WHV9pLyM=
@@ -248,14 +248,14 @@ github.com/sagernet/sing-shadowsocks2 v0.2.1 h1:dWV9OXCeFPuYGHb6IRqlSptVnSzOelnq
 github.com/sagernet/sing-shadowsocks2 v0.2.1/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11 h1:tK+75l64tm9WvEFrYRE1t0YxoFdWQqw/h7Uhzj0vJ+w=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11/go.mod h1:sWqKnGlMipCHaGsw1sTTlimyUpgzP4WP3pjhCsYt9oA=
-github.com/sagernet/sing-tun v0.8.2 h1:rQr/x3eQCHh3oleIaoJdPdJwqzZp4+QWcJLT0Wz2xKY=
-github.com/sagernet/sing-tun v0.8.2/go.mod h1:pLCo4o+LacXEzz0bhwhJkKBjLlKOGPBNOAZ97ZVZWzs=
+github.com/sagernet/sing-tun v0.8.3-0.20260311132553-5485872f601f h1:uj3rzedphq1AiL0PpuVoob5RtKsPBcMRd8aqo+q0rqA=
+github.com/sagernet/sing-tun v0.8.3-0.20260311132553-5485872f601f/go.mod h1:pLCo4o+LacXEzz0bhwhJkKBjLlKOGPBNOAZ97ZVZWzs=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1 h1:aSwUNYUkVyVvdmBSufR8/nRFonwJeKSIROxHcm5br9o=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1/go.mod h1:P11scgTxMxVVQ8dlM27yNm3Cro40mD0+gHbnqrNGDuY=
 github.com/sagernet/smux v1.5.50-sing-box-mod.1 h1:XkJcivBC9V4wBjiGXIXZ229aZCU1hzcbp6kSkkyQ478=
 github.com/sagernet/smux v1.5.50-sing-box-mod.1/go.mod h1:NjhsCEWedJm7eFLyhuBgIEzwfhRmytrUoiLluxs5Sk8=
-github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260303140313-3bcf9a4b9349 h1:ju7aTbndj2sqK4NplE97ynLdhuCtel5OS4e0NrT71nk=
-github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260303140313-3bcf9a4b9349/go.mod h1:m87GAn4UcesHQF3leaPFEINZETO5za1LGn1GJdNDgNc=
+github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260311131347-f88b27eeb76e h1:Sv1qUhJIidjSTc24XEknovDZnbmVSlAXj8wNVgIfgGo=
+github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260311131347-f88b27eeb76e/go.mod h1:m87GAn4UcesHQF3leaPFEINZETO5za1LGn1GJdNDgNc=
 github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c h1:f9cXNB+IOOPnR8DOLMTpr42jf7naxh5Un5Y09BBf5Cg=
 github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c/go.mod h1:WUxgxUDZoCF2sxVmW+STSxatP02Qn3FcafTiI2BLtE0=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854 h1:6uUiZcDRnZSAegryaUGwPC/Fj13JSHwiTftrXhMmYOc=

log/format.go

@@ -168,7 +168,11 @@ func FormatDuration(duration time.Duration) string {
 		return F.ToString(duration.Milliseconds(), "ms")
 	} else if duration < time.Minute {
 		return F.ToString(int64(duration.Seconds()), ".", int64(duration.Seconds()*100)%100, "s")
-	} else {
+	} else if duration < time.Hour {
 		return F.ToString(int64(duration.Minutes()), "m", int64(duration.Seconds())%60, "s")
+	} else if duration < 24*time.Hour {
+		return F.ToString(int64(duration.Hours()), "h", int64(duration.Minutes())%60, "m")
+	} else {
+		return F.ToString(int64(duration.Hours())/24, "d", int64(duration.Hours())%24, "h")
 	}
 }

mkdocs.yml

@@ -129,6 +129,7 @@ nav:
           - UDP over TCP: configuration/shared/udp-over-tcp.md
           - TCP Brutal: configuration/shared/tcp-brutal.md
           - Wi-Fi State: configuration/shared/wifi-state.md
+          - Neighbor Resolution: configuration/shared/neighbor.md
       - Endpoint:
           - configuration/endpoint/index.md
           - WireGuard: configuration/endpoint/wireguard.md

option/ccm.go

@@ -1,6 +1,9 @@
 package option
 
 import (
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json"
+	"github.com/sagernet/sing/common/json/badjson"
 	"github.com/sagernet/sing/common/json/badoption"
 )
 
@@ -8,6 +11,7 @@ type CCMServiceOptions struct {
 	ListenOptions
 	InboundTLSOptionsContainer
 	CredentialPath string               `json:"credential_path,omitempty"`
+	Credentials    []CCMCredential      `json:"credentials,omitempty"`
 	Users          []CCMUser            `json:"users,omitempty"`
 	Headers        badoption.HTTPHeader `json:"headers,omitempty"`
 	Detour         string               `json:"detour,omitempty"`
@@ -15,6 +19,94 @@ type CCMServiceOptions struct {
 }
 
 type CCMUser struct {
-	Name  string `json:"name,omitempty"`
-	Token string `json:"token,omitempty"`
+	Name               string `json:"name,omitempty"`
+	Token              string `json:"token,omitempty"`
+	Credential         string `json:"credential,omitempty"`
+	ExternalCredential string `json:"external_credential,omitempty"`
+	AllowExternalUsage bool   `json:"allow_external_usage,omitempty"`
+}
+
+type _CCMCredential struct {
+	Type            string                       `json:"type,omitempty"`
+	Tag             string                       `json:"tag"`
+	DefaultOptions  CCMDefaultCredentialOptions  `json:"-"`
+	ExternalOptions CCMExternalCredentialOptions `json:"-"`
+	BalancerOptions CCMBalancerCredentialOptions `json:"-"`
+	FallbackOptions CCMFallbackCredentialOptions `json:"-"`
+}
+
+type CCMCredential _CCMCredential
+
+func (c CCMCredential) MarshalJSON() ([]byte, error) {
+	var v any
+	switch c.Type {
+	case "", "default":
+		c.Type = ""
+		v = c.DefaultOptions
+	case "external":
+		v = c.ExternalOptions
+	case "balancer":
+		v = c.BalancerOptions
+	case "fallback":
+		v = c.FallbackOptions
+	default:
+		return nil, E.New("unknown credential type: ", c.Type)
+	}
+	return badjson.MarshallObjects((_CCMCredential)(c), v)
+}
+
+func (c *CCMCredential) UnmarshalJSON(bytes []byte) error {
+	err := json.Unmarshal(bytes, (*_CCMCredential)(c))
+	if err != nil {
+		return err
+	}
+	if c.Tag == "" {
+		return E.New("missing credential tag")
+	}
+	var v any
+	switch c.Type {
+	case "", "default":
+		c.Type = "default"
+		v = &c.DefaultOptions
+	case "external":
+		v = &c.ExternalOptions
+	case "balancer":
+		v = &c.BalancerOptions
+	case "fallback":
+		v = &c.FallbackOptions
+	default:
+		return E.New("unknown credential type: ", c.Type)
+	}
+	return badjson.UnmarshallExcluded(bytes, (*_CCMCredential)(c), v)
+}
+
+type CCMDefaultCredentialOptions struct {
+	CredentialPath string `json:"credential_path,omitempty"`
+	UsagesPath     string `json:"usages_path,omitempty"`
+	Detour         string `json:"detour,omitempty"`
+	Reserve5h      uint8  `json:"reserve_5h"`
+	ReserveWeekly  uint8  `json:"reserve_weekly"`
+	Limit5h        uint8  `json:"limit_5h,omitempty"`
+	LimitWeekly    uint8  `json:"limit_weekly,omitempty"`
+}
+
+type CCMBalancerCredentialOptions struct {
+	Strategy     string                     `json:"strategy,omitempty"`
+	Credentials  badoption.Listable[string] `json:"credentials"`
+	PollInterval badoption.Duration         `json:"poll_interval,omitempty"`
+}
+
+type CCMExternalCredentialOptions struct {
+	URL string `json:"url,omitempty"`
+	ServerOptions
+	Token        string             `json:"token"`
+	Reverse      bool               `json:"reverse,omitempty"`
+	Detour       string             `json:"detour,omitempty"`
+	UsagesPath   string             `json:"usages_path,omitempty"`
+	PollInterval badoption.Duration `json:"poll_interval,omitempty"`
+}
+
+type CCMFallbackCredentialOptions struct {
+	Credentials  badoption.Listable[string] `json:"credentials"`
+	PollInterval badoption.Duration         `json:"poll_interval,omitempty"`
 }

option/ocm.go

@@ -1,6 +1,9 @@
 package option
 
 import (
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json"
+	"github.com/sagernet/sing/common/json/badjson"
 	"github.com/sagernet/sing/common/json/badoption"
 )
 
@@ -8,6 +11,7 @@ type OCMServiceOptions struct {
 	ListenOptions
 	InboundTLSOptionsContainer
 	CredentialPath string               `json:"credential_path,omitempty"`
+	Credentials    []OCMCredential      `json:"credentials,omitempty"`
 	Users          []OCMUser            `json:"users,omitempty"`
 	Headers        badoption.HTTPHeader `json:"headers,omitempty"`
 	Detour         string               `json:"detour,omitempty"`
@@ -15,6 +19,94 @@ type OCMServiceOptions struct {
 }
 
 type OCMUser struct {
-	Name  string `json:"name,omitempty"`
-	Token string `json:"token,omitempty"`
+	Name               string `json:"name,omitempty"`
+	Token              string `json:"token,omitempty"`
+	Credential         string `json:"credential,omitempty"`
+	ExternalCredential string `json:"external_credential,omitempty"`
+	AllowExternalUsage bool   `json:"allow_external_usage,omitempty"`
+}
+
+type _OCMCredential struct {
+	Type            string                       `json:"type,omitempty"`
+	Tag             string                       `json:"tag"`
+	DefaultOptions  OCMDefaultCredentialOptions  `json:"-"`
+	ExternalOptions OCMExternalCredentialOptions `json:"-"`
+	BalancerOptions OCMBalancerCredentialOptions `json:"-"`
+	FallbackOptions OCMFallbackCredentialOptions `json:"-"`
+}
+
+type OCMCredential _OCMCredential
+
+func (c OCMCredential) MarshalJSON() ([]byte, error) {
+	var v any
+	switch c.Type {
+	case "", "default":
+		c.Type = ""
+		v = c.DefaultOptions
+	case "external":
+		v = c.ExternalOptions
+	case "balancer":
+		v = c.BalancerOptions
+	case "fallback":
+		v = c.FallbackOptions
+	default:
+		return nil, E.New("unknown credential type: ", c.Type)
+	}
+	return badjson.MarshallObjects((_OCMCredential)(c), v)
+}
+
+func (c *OCMCredential) UnmarshalJSON(bytes []byte) error {
+	err := json.Unmarshal(bytes, (*_OCMCredential)(c))
+	if err != nil {
+		return err
+	}
+	if c.Tag == "" {
+		return E.New("missing credential tag")
+	}
+	var v any
+	switch c.Type {
+	case "", "default":
+		c.Type = "default"
+		v = &c.DefaultOptions
+	case "external":
+		v = &c.ExternalOptions
+	case "balancer":
+		v = &c.BalancerOptions
+	case "fallback":
+		v = &c.FallbackOptions
+	default:
+		return E.New("unknown credential type: ", c.Type)
+	}
+	return badjson.UnmarshallExcluded(bytes, (*_OCMCredential)(c), v)
+}
+
+type OCMDefaultCredentialOptions struct {
+	CredentialPath string `json:"credential_path,omitempty"`
+	UsagesPath     string `json:"usages_path,omitempty"`
+	Detour         string `json:"detour,omitempty"`
+	Reserve5h      uint8  `json:"reserve_5h"`
+	ReserveWeekly  uint8  `json:"reserve_weekly"`
+	Limit5h        uint8  `json:"limit_5h,omitempty"`
+	LimitWeekly    uint8  `json:"limit_weekly,omitempty"`
+}
+
+type OCMBalancerCredentialOptions struct {
+	Strategy     string                     `json:"strategy,omitempty"`
+	Credentials  badoption.Listable[string] `json:"credentials"`
+	PollInterval badoption.Duration         `json:"poll_interval,omitempty"`
+}
+
+type OCMExternalCredentialOptions struct {
+	URL string `json:"url,omitempty"`
+	ServerOptions
+	Token        string             `json:"token"`
+	Reverse      bool               `json:"reverse,omitempty"`
+	Detour       string             `json:"detour,omitempty"`
+	UsagesPath   string             `json:"usages_path,omitempty"`
+	PollInterval badoption.Duration `json:"poll_interval,omitempty"`
+}
+
+type OCMFallbackCredentialOptions struct {
+	Credentials  badoption.Listable[string] `json:"credentials"`
+	PollInterval badoption.Duration         `json:"poll_interval,omitempty"`
 }

option/route.go

@@ -9,6 +9,8 @@ type RouteOptions struct {
 	RuleSet                    []RuleSet                         `json:"rule_set,omitempty"`
 	Final                      string                            `json:"final,omitempty"`
 	FindProcess                bool                              `json:"find_process,omitempty"`
+	FindNeighbor               bool                              `json:"find_neighbor,omitempty"`
+	DHCPLeaseFiles             badoption.Listable[string]        `json:"dhcp_lease_files,omitempty"`
 	AutoDetectInterface        bool                              `json:"auto_detect_interface,omitempty"`
 	OverrideAndroidVPN         bool                              `json:"override_android_vpn,omitempty"`
 	DefaultInterface           string                            `json:"default_interface,omitempty"`

option/rule.go

@@ -103,6 +103,8 @@ type RawDefaultRule struct {
 	InterfaceAddress         *badjson.TypedMap[string, badoption.Listable[*badoption.Prefixable]]        `json:"interface_address,omitempty"`
 	NetworkInterfaceAddress  *badjson.TypedMap[InterfaceType, badoption.Listable[*badoption.Prefixable]] `json:"network_interface_address,omitempty"`
 	DefaultInterfaceAddress  badoption.Listable[*badoption.Prefixable]                                   `json:"default_interface_address,omitempty"`
+	SourceMACAddress         badoption.Listable[string]                                                  `json:"source_mac_address,omitempty"`
+	SourceHostname           badoption.Listable[string]                                                  `json:"source_hostname,omitempty"`
 	PreferredBy              badoption.Listable[string]                                                  `json:"preferred_by,omitempty"`
 	RuleSet                  badoption.Listable[string]                                                  `json:"rule_set,omitempty"`
 	RuleSetIPCIDRMatchSource bool                                                                        `json:"rule_set_ip_cidr_match_source,omitempty"`

option/rule_dns.go

@@ -106,6 +106,8 @@ type RawDefaultDNSRule struct {
 	InterfaceAddress         *badjson.TypedMap[string, badoption.Listable[*badoption.Prefixable]]        `json:"interface_address,omitempty"`
 	NetworkInterfaceAddress  *badjson.TypedMap[InterfaceType, badoption.Listable[*badoption.Prefixable]] `json:"network_interface_address,omitempty"`
 	DefaultInterfaceAddress  badoption.Listable[*badoption.Prefixable]                                   `json:"default_interface_address,omitempty"`
+	SourceMACAddress         badoption.Listable[string]                                                  `json:"source_mac_address,omitempty"`
+	SourceHostname           badoption.Listable[string]                                                  `json:"source_hostname,omitempty"`
 	RuleSet                  badoption.Listable[string]                                                  `json:"rule_set,omitempty"`
 	RuleSetIPCIDRMatchSource bool                                                                        `json:"rule_set_ip_cidr_match_source,omitempty"`
 	RuleSetIPCIDRAcceptEmpty bool                                                                        `json:"rule_set_ip_cidr_accept_empty,omitempty"`

option/tun.go

@@ -39,6 +39,8 @@ type TunInboundOptions struct {
 	IncludeAndroidUser            badoption.Listable[int]          `json:"include_android_user,omitempty"`
 	IncludePackage                badoption.Listable[string]       `json:"include_package,omitempty"`
 	ExcludePackage                badoption.Listable[string]       `json:"exclude_package,omitempty"`
+	IncludeMACAddress             badoption.Listable[string]       `json:"include_mac_address,omitempty"`
+	ExcludeMACAddress             badoption.Listable[string]       `json:"exclude_mac_address,omitempty"`
 	UDPTimeout                    UDPTimeoutCompat                 `json:"udp_timeout,omitempty"`
 	Stack                         string                           `json:"stack,omitempty"`
 	Platform                      *TunPlatformOptions              `json:"platform,omitempty"`

protocol/tailscale/dns_transport.go

@@ -1,3 +1,5 @@
+//go:build with_gvisor
+
 package tailscale
 
 import (

protocol/tailscale/endpoint.go

@@ -1,3 +1,5 @@
+//go:build with_gvisor
+
 package tailscale
 
 import (
@@ -46,6 +48,7 @@ import (
 	"github.com/sagernet/tailscale/ipn"
 	tsDNS "github.com/sagernet/tailscale/net/dns"
 	"github.com/sagernet/tailscale/net/netmon"
+	"github.com/sagernet/tailscale/net/netns"
 	"github.com/sagernet/tailscale/net/tsaddr"
 	tsTUN "github.com/sagernet/tailscale/net/tstun"
 	"github.com/sagernet/tailscale/tsnet"
@@ -108,6 +111,7 @@ type Endpoint struct {
 	systemInterfaceName string
 	systemInterfaceMTU  uint32
 	systemTun           tun.Tun
+	systemDialer        *dialer.DefaultDialer
 	fallbackTCPCloser   func()
 }
 
@@ -144,7 +148,7 @@ func (t *Endpoint) registerNetstackHandlers() {
 			ctx := log.ContextWithNewID(t.ctx)
 			source := M.SocksaddrFrom(src.Addr(), src.Port())
 			destination := M.SocksaddrFrom(dst.Addr(), dst.Port())
-			packetConn := bufio.NewPacketConn(conn)
+			packetConn := bufio.NewUnbindPacketConnWithAddr(conn, destination)
 			t.NewPacketConnectionEx(ctx, packetConn, source, destination, nil)
 		}, true
 	}
@@ -285,9 +289,6 @@ func (t *Endpoint) Start(stage adapter.StartStage) error {
 				}
 			}), nil
 		})
-		if runtime.GOOS == "android" {
-			setAndroidProtectFunc(t.platformInterface)
-		}
 	}
 	if t.systemInterface {
 		mtu := t.systemInterfaceMTU
@@ -322,9 +323,30 @@ func (t *Endpoint) Start(stage adapter.StartStage) error {
 			_ = systemTun.Close()
 			return err
 		}
+		systemDialer, err := dialer.NewDefault(t.ctx, option.DialerOptions{
+			BindInterface: tunName,
+		})
+		if err != nil {
+			_ = systemTun.Close()
+			return err
+		}
 		t.systemTun = systemTun
+		t.systemDialer = systemDialer
 		t.server.TunDevice = wgTunDevice
 	}
+	if mark := t.network.AutoRedirectOutputMark(); mark > 0 {
+		controlFunc := t.network.AutoRedirectOutputMarkFunc()
+		if bindFunc := t.network.AutoDetectInterfaceFunc(); bindFunc != nil {
+			controlFunc = control.Append(controlFunc, bindFunc)
+		}
+		netns.SetControlFunc(controlFunc)
+	} else if runtime.GOOS == "android" && t.platformInterface != nil {
+		netns.SetControlFunc(func(network, address string, c syscall.RawConn) error {
+			return control.Raw(c, func(fd uintptr) error {
+				return t.platformInterface.AutoDetectInterfaceControl(int(fd))
+			})
+		})
+	}
 	err := t.server.Start()
 	if err != nil {
 		if t.systemTun != nil {
@@ -450,14 +472,17 @@ func (t *Endpoint) watchState() {
 
 func (t *Endpoint) Close() error {
 	netmon.RegisterInterfaceGetter(nil)
-	if runtime.GOOS == "android" {
-		setAndroidProtectFunc(nil)
-	}
+	netns.SetControlFunc(nil)
 	if t.fallbackTCPCloser != nil {
 		t.fallbackTCPCloser()
 		t.fallbackTCPCloser = nil
 	}
-	return common.Close(common.PtrOrNil(t.server))
+	err := common.Close(common.PtrOrNil(t.server))
+	if t.systemTun != nil {
+		t.systemTun.Close()
+		t.systemTun = nil
+	}
+	return err
 }
 
 func (t *Endpoint) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
@@ -474,6 +499,9 @@ func (t *Endpoint) DialContext(ctx context.Context, network string, destination
 		}
 		return N.DialSerial(ctx, t, network, destination, destinationAddresses)
 	}
+	if t.systemDialer != nil {
+		return t.systemDialer.DialContext(ctx, network, destination)
+	}
 	addr4, addr6 := t.server.TailscaleIPs()
 	remoteAddr := tcpip.FullAddress{
 		NIC:  1,
@@ -520,6 +548,9 @@ func (t *Endpoint) DialContext(ctx context.Context, network string, destination
 }
 
 func (t *Endpoint) listenPacketWithAddress(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	if t.systemDialer != nil {
+		return t.systemDialer.ListenPacket(ctx, destination)
+	}
 	addr4, addr6 := t.server.TailscaleIPs()
 	bind := tcpip.FullAddress{
 		NIC: 1,
@@ -677,19 +708,29 @@ func (t *Endpoint) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 }
 
 func (t *Endpoint) NewDirectRouteConnection(metadata adapter.InboundContext, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
-	inet4Address, inet6Address := t.server.TailscaleIPs()
-	if metadata.Destination.Addr.Is4() && !inet4Address.IsValid() || metadata.Destination.Addr.Is6() && !inet6Address.IsValid() {
-		return nil, E.New("Tailscale is not ready yet")
-	}
 	ctx := log.ContextWithNewID(t.ctx)
-	destination, err := ping.ConnectGVisor(
-		ctx, t.logger,
-		metadata.Source.Addr, metadata.Destination.Addr,
-		routeContext,
-		t.stack,
-		inet4Address, inet6Address,
-		timeout,
-	)
+	var destination tun.DirectRouteDestination
+	var err error
+	if t.systemDialer != nil {
+		destination, err = ping.ConnectDestination(
+			ctx, t.logger,
+			t.systemDialer.DialerForICMPDestination(metadata.Destination.Addr).Control,
+			metadata.Destination.Addr, routeContext, timeout,
+		)
+	} else {
+		inet4Address, inet6Address := t.server.TailscaleIPs()
+		if metadata.Destination.Addr.Is4() && !inet4Address.IsValid() || metadata.Destination.Addr.Is6() && !inet6Address.IsValid() {
+			return nil, E.New("Tailscale is not ready yet")
+		}
+		destination, err = ping.ConnectGVisor(
+			ctx, t.logger,
+			metadata.Source.Addr, metadata.Destination.Addr,
+			routeContext,
+			t.stack,
+			inet4Address, inet6Address,
+			timeout,
+		)
+	}
 	if err != nil {
 		return nil, err
 	}

protocol/tailscale/protect_android.go

@@ -1,16 +0,0 @@
-package tailscale
-
-import (
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/tailscale/net/netns"
-)
-
-func setAndroidProtectFunc(platformInterface adapter.PlatformInterface) {
-	if platformInterface != nil {
-		netns.SetAndroidProtectFunc(func(fd int) error {
-			return platformInterface.AutoDetectInterfaceControl(fd)
-		})
-	} else {
-		netns.SetAndroidProtectFunc(nil)
-	}
-}

protocol/tailscale/protect_nonandroid.go

@@ -1,8 +0,0 @@
-//go:build !android
-
-package tailscale
-
-import "github.com/sagernet/sing-box/adapter"
-
-func setAndroidProtectFunc(platformInterface adapter.PlatformInterface) {
-}

protocol/tailscale/tun_device_unix.go

@@ -1,4 +1,4 @@
-//go:build !windows
+//go:build with_gvisor && !windows
 
 package tailscale
 

protocol/tailscale/tun_device_windows.go

@@ -1,4 +1,4 @@
-//go:build windows
+//go:build with_gvisor && windows
 
 package tailscale
 

protocol/tun/inbound.go

@@ -156,6 +156,22 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 	if nfQueue == 0 {
 		nfQueue = tun.DefaultAutoRedirectNFQueue
 	}
+	var includeMACAddress []net.HardwareAddr
+	for i, macString := range options.IncludeMACAddress {
+		mac, macErr := net.ParseMAC(macString)
+		if macErr != nil {
+			return nil, E.Cause(macErr, "parse include_mac_address[", i, "]")
+		}
+		includeMACAddress = append(includeMACAddress, mac)
+	}
+	var excludeMACAddress []net.HardwareAddr
+	for i, macString := range options.ExcludeMACAddress {
+		mac, macErr := net.ParseMAC(macString)
+		if macErr != nil {
+			return nil, E.Cause(macErr, "parse exclude_mac_address[", i, "]")
+		}
+		excludeMACAddress = append(excludeMACAddress, mac)
+	}
 	networkManager := service.FromContext[adapter.NetworkManager](ctx)
 	multiPendingPackets := C.IsDarwin && ((options.Stack == "gvisor" && tunMTU < 32768) || (options.Stack != "gvisor" && options.MTU <= 9000))
 	inbound := &Inbound{
@@ -193,6 +209,8 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 			IncludeAndroidUser:                    options.IncludeAndroidUser,
 			IncludePackage:                        options.IncludePackage,
 			ExcludePackage:                        options.ExcludePackage,
+			IncludeMACAddress:                     includeMACAddress,
+			ExcludeMACAddress:                     excludeMACAddress,
 			InterfaceMonitor:                      networkManager.InterfaceMonitor(),
 			EXP_MultiPendingPackets:               multiPendingPackets,
 		},

release/config/config.json

@@ -5,7 +5,9 @@
   "dns": {
     "servers": [
       {
-        "address": "tls://8.8.8.8"
+        "type": "tls",
+        "tag": "google",
+        "server": "8.8.8.8"
       }
     ]
   },
@@ -26,17 +28,13 @@
   "outbounds": [
     {
       "type": "direct"
-    },
-    {
-      "type": "dns",
-      "tag": "dns-out"
     }
   ],
   "route": {
     "rules": [
       {
         "port": 53,
-        "outbound": "dns-out"
+        "action": "hijack-dns"
       }
     ]
   }

release/config/sing-box.confd

@@ -0,0 +1,6 @@
+# /etc/conf.d/sing-box: config file for /etc/init.d/sing-box
+
+# sing-box configuration path, could be file or directory
+# SINGBOX_CONFIG=/etc/sing-box
+
+# SINGBOX_WORKDIR=/var/lib/sing-box

release/config/sing-box.initd

@@ -4,15 +4,41 @@ name=$RC_SVCNAME
 description="sing-box service"
 supervisor="supervise-daemon"
 command="/usr/bin/sing-box"
-command_args="-D /var/lib/sing-box -C /etc/sing-box run"
+extra_commands="checkconfig"
 extra_started_commands="reload"
 
+: ${SINGBOX_CONFIG:=${config:-"/etc/sing-box"}}
+
+if [ -d "$SINGBOX_CONFIG" ]; then
+	_config_opt="-C $SINGBOX_CONFIG"
+elif [ -z "$SINGBOX_CONFIG" ]; then
+	_config_opt=""
+else
+	_config_opt="-c $SINGBOX_CONFIG"
+fi
+
+_workdir=${SINGBOX_WORKDIR:-${workdir:-"/var/lib/sing-box"}}
+
+command_args="run --disable-color
+	-D $_workdir
+	$_config_opt"
+
 depend() {
 	after net dns
 }
 
+checkconfig() {
+	ebegin "Checking $RC_SVCNAME configuration"
+	sing-box check -D "$_workdir" $_config_opt
+	eend $?
+}
+
+start_pre() {
+	checkconfig
+}
+
 reload() {
 	ebegin "Reloading $RC_SVCNAME"
-        $supervisor "$RC_SVCNAME" --signal HUP
+	checkconfig && $supervisor "$RC_SVCNAME" --signal HUP
 	eend $?
-}
+}

route/neighbor_resolver_darwin.go

@@ -0,0 +1,239 @@
+//go:build darwin
+
+package route
+
+import (
+	"net"
+	"net/netip"
+	"os"
+	"sync"
+	"time"
+
+	"github.com/sagernet/fswatch"
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing/common/buf"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+
+	"golang.org/x/net/route"
+	"golang.org/x/sys/unix"
+)
+
+var defaultLeaseFiles = []string{
+	"/var/db/dhcpd_leases",
+	"/tmp/dhcp.leases",
+}
+
+type neighborResolver struct {
+	logger          logger.ContextLogger
+	leaseFiles      []string
+	access          sync.RWMutex
+	neighborIPToMAC map[netip.Addr]net.HardwareAddr
+	leaseIPToMAC    map[netip.Addr]net.HardwareAddr
+	ipToHostname    map[netip.Addr]string
+	macToHostname   map[string]string
+	watcher         *fswatch.Watcher
+	done            chan struct{}
+}
+
+func newNeighborResolver(resolverLogger logger.ContextLogger, leaseFiles []string) (adapter.NeighborResolver, error) {
+	if len(leaseFiles) == 0 {
+		for _, path := range defaultLeaseFiles {
+			info, err := os.Stat(path)
+			if err == nil && info.Size() > 0 {
+				leaseFiles = append(leaseFiles, path)
+			}
+		}
+	}
+	return &neighborResolver{
+		logger:          resolverLogger,
+		leaseFiles:      leaseFiles,
+		neighborIPToMAC: make(map[netip.Addr]net.HardwareAddr),
+		leaseIPToMAC:    make(map[netip.Addr]net.HardwareAddr),
+		ipToHostname:    make(map[netip.Addr]string),
+		macToHostname:   make(map[string]string),
+		done:            make(chan struct{}),
+	}, nil
+}
+
+func (r *neighborResolver) Start() error {
+	err := r.loadNeighborTable()
+	if err != nil {
+		r.logger.Warn(E.Cause(err, "load neighbor table"))
+	}
+	r.doReloadLeaseFiles()
+	go r.subscribeNeighborUpdates()
+	if len(r.leaseFiles) > 0 {
+		watcher, err := fswatch.NewWatcher(fswatch.Options{
+			Path:   r.leaseFiles,
+			Logger: r.logger,
+			Callback: func(_ string) {
+				r.doReloadLeaseFiles()
+			},
+		})
+		if err != nil {
+			r.logger.Warn(E.Cause(err, "create lease file watcher"))
+		} else {
+			r.watcher = watcher
+			err = watcher.Start()
+			if err != nil {
+				r.logger.Warn(E.Cause(err, "start lease file watcher"))
+			}
+		}
+	}
+	return nil
+}
+
+func (r *neighborResolver) Close() error {
+	close(r.done)
+	if r.watcher != nil {
+		return r.watcher.Close()
+	}
+	return nil
+}
+
+func (r *neighborResolver) LookupMAC(address netip.Addr) (net.HardwareAddr, bool) {
+	r.access.RLock()
+	defer r.access.RUnlock()
+	mac, found := r.neighborIPToMAC[address]
+	if found {
+		return mac, true
+	}
+	mac, found = r.leaseIPToMAC[address]
+	if found {
+		return mac, true
+	}
+	mac, found = extractMACFromEUI64(address)
+	if found {
+		return mac, true
+	}
+	return nil, false
+}
+
+func (r *neighborResolver) LookupHostname(address netip.Addr) (string, bool) {
+	r.access.RLock()
+	defer r.access.RUnlock()
+	hostname, found := r.ipToHostname[address]
+	if found {
+		return hostname, true
+	}
+	mac, macFound := r.neighborIPToMAC[address]
+	if !macFound {
+		mac, macFound = r.leaseIPToMAC[address]
+	}
+	if !macFound {
+		mac, macFound = extractMACFromEUI64(address)
+	}
+	if macFound {
+		hostname, found = r.macToHostname[mac.String()]
+		if found {
+			return hostname, true
+		}
+	}
+	return "", false
+}
+
+func (r *neighborResolver) loadNeighborTable() error {
+	entries, err := ReadNeighborEntries()
+	if err != nil {
+		return err
+	}
+	r.access.Lock()
+	defer r.access.Unlock()
+	for _, entry := range entries {
+		r.neighborIPToMAC[entry.Address] = entry.MACAddress
+	}
+	return nil
+}
+
+func (r *neighborResolver) subscribeNeighborUpdates() {
+	routeSocket, err := unix.Socket(unix.AF_ROUTE, unix.SOCK_RAW, 0)
+	if err != nil {
+		r.logger.Warn(E.Cause(err, "subscribe neighbor updates"))
+		return
+	}
+	err = unix.SetNonblock(routeSocket, true)
+	if err != nil {
+		unix.Close(routeSocket)
+		r.logger.Warn(E.Cause(err, "set route socket nonblock"))
+		return
+	}
+	routeSocketFile := os.NewFile(uintptr(routeSocket), "route")
+	defer routeSocketFile.Close()
+	buffer := buf.NewPacket()
+	defer buffer.Release()
+	for {
+		select {
+		case <-r.done:
+			return
+		default:
+		}
+		err = setReadDeadline(routeSocketFile, 3*time.Second)
+		if err != nil {
+			r.logger.Warn(E.Cause(err, "set route socket read deadline"))
+			return
+		}
+		n, err := routeSocketFile.Read(buffer.FreeBytes())
+		if err != nil {
+			if nerr, ok := err.(net.Error); ok && nerr.Timeout() {
+				continue
+			}
+			select {
+			case <-r.done:
+				return
+			default:
+			}
+			r.logger.Warn(E.Cause(err, "receive neighbor update"))
+			continue
+		}
+		messages, err := route.ParseRIB(route.RIBTypeRoute, buffer.FreeBytes()[:n])
+		if err != nil {
+			continue
+		}
+		for _, message := range messages {
+			routeMessage, isRouteMessage := message.(*route.RouteMessage)
+			if !isRouteMessage {
+				continue
+			}
+			if routeMessage.Flags&unix.RTF_LLINFO == 0 {
+				continue
+			}
+			address, mac, isDelete, ok := ParseRouteNeighborMessage(routeMessage)
+			if !ok {
+				continue
+			}
+			r.access.Lock()
+			if isDelete {
+				delete(r.neighborIPToMAC, address)
+			} else {
+				r.neighborIPToMAC[address] = mac
+			}
+			r.access.Unlock()
+		}
+	}
+}
+
+func (r *neighborResolver) doReloadLeaseFiles() {
+	leaseIPToMAC, ipToHostname, macToHostname := ReloadLeaseFiles(r.leaseFiles)
+	r.access.Lock()
+	r.leaseIPToMAC = leaseIPToMAC
+	r.ipToHostname = ipToHostname
+	r.macToHostname = macToHostname
+	r.access.Unlock()
+}
+
+func setReadDeadline(file *os.File, timeout time.Duration) error {
+	rawConn, err := file.SyscallConn()
+	if err != nil {
+		return err
+	}
+	var controlErr error
+	err = rawConn.Control(func(fd uintptr) {
+		tv := unix.NsecToTimeval(int64(timeout))
+		controlErr = unix.SetsockoptTimeval(int(fd), unix.SOL_SOCKET, unix.SO_RCVTIMEO, &tv)
+	})
+	if err != nil {
+		return err
+	}
+	return controlErr
+}

route/neighbor_resolver_lease.go

@@ -0,0 +1,386 @@
+package route
+
+import (
+	"bufio"
+	"encoding/hex"
+	"net"
+	"net/netip"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+)
+
+func parseLeaseFile(path string, ipToMAC map[netip.Addr]net.HardwareAddr, ipToHostname map[netip.Addr]string, macToHostname map[string]string) {
+	file, err := os.Open(path)
+	if err != nil {
+		return
+	}
+	defer file.Close()
+	if strings.HasSuffix(path, "dhcpd_leases") {
+		parseBootpdLeases(file, ipToMAC, ipToHostname, macToHostname)
+		return
+	}
+	if strings.HasSuffix(path, "kea-leases4.csv") {
+		parseKeaCSV4(file, ipToMAC, ipToHostname, macToHostname)
+		return
+	}
+	if strings.HasSuffix(path, "kea-leases6.csv") {
+		parseKeaCSV6(file, ipToMAC, ipToHostname, macToHostname)
+		return
+	}
+	if strings.HasSuffix(path, "dhcpd.leases") {
+		parseISCDhcpd(file, ipToMAC, ipToHostname, macToHostname)
+		return
+	}
+	parseDnsmasqOdhcpd(file, ipToMAC, ipToHostname, macToHostname)
+}
+
+func ReloadLeaseFiles(leaseFiles []string) (leaseIPToMAC map[netip.Addr]net.HardwareAddr, ipToHostname map[netip.Addr]string, macToHostname map[string]string) {
+	leaseIPToMAC = make(map[netip.Addr]net.HardwareAddr)
+	ipToHostname = make(map[netip.Addr]string)
+	macToHostname = make(map[string]string)
+	for _, path := range leaseFiles {
+		parseLeaseFile(path, leaseIPToMAC, ipToHostname, macToHostname)
+	}
+	return
+}
+
+func parseDnsmasqOdhcpd(file *os.File, ipToMAC map[netip.Addr]net.HardwareAddr, ipToHostname map[netip.Addr]string, macToHostname map[string]string) {
+	now := time.Now().Unix()
+	scanner := bufio.NewScanner(file)
+	for scanner.Scan() {
+		line := scanner.Text()
+		if strings.HasPrefix(line, "duid ") {
+			continue
+		}
+		if strings.HasPrefix(line, "# ") {
+			parseOdhcpdLine(line[2:], ipToMAC, ipToHostname, macToHostname)
+			continue
+		}
+		fields := strings.Fields(line)
+		if len(fields) < 4 {
+			continue
+		}
+		expiry, err := strconv.ParseInt(fields[0], 10, 64)
+		if err != nil {
+			continue
+		}
+		if expiry != 0 && expiry < now {
+			continue
+		}
+		if strings.Contains(fields[1], ":") {
+			mac, macErr := net.ParseMAC(fields[1])
+			if macErr != nil {
+				continue
+			}
+			address, addrOK := netip.AddrFromSlice(net.ParseIP(fields[2]))
+			if !addrOK {
+				continue
+			}
+			address = address.Unmap()
+			ipToMAC[address] = mac
+			hostname := fields[3]
+			if hostname != "*" {
+				ipToHostname[address] = hostname
+				macToHostname[mac.String()] = hostname
+			}
+		} else {
+			var mac net.HardwareAddr
+			if len(fields) >= 5 {
+				duid, duidErr := parseDUID(fields[4])
+				if duidErr == nil {
+					mac, _ = extractMACFromDUID(duid)
+				}
+			}
+			address, addrOK := netip.AddrFromSlice(net.ParseIP(fields[2]))
+			if !addrOK {
+				continue
+			}
+			address = address.Unmap()
+			if mac != nil {
+				ipToMAC[address] = mac
+			}
+			hostname := fields[3]
+			if hostname != "*" {
+				ipToHostname[address] = hostname
+				if mac != nil {
+					macToHostname[mac.String()] = hostname
+				}
+			}
+		}
+	}
+}
+
+func parseOdhcpdLine(line string, ipToMAC map[netip.Addr]net.HardwareAddr, ipToHostname map[netip.Addr]string, macToHostname map[string]string) {
+	fields := strings.Fields(line)
+	if len(fields) < 5 {
+		return
+	}
+	validTime, err := strconv.ParseInt(fields[4], 10, 64)
+	if err != nil {
+		return
+	}
+	if validTime == 0 {
+		return
+	}
+	if validTime > 0 && validTime < time.Now().Unix() {
+		return
+	}
+	hostname := fields[3]
+	if hostname == "-" || strings.HasPrefix(hostname, `broken\x20`) {
+		hostname = ""
+	}
+	if len(fields) >= 8 && fields[2] == "ipv4" {
+		mac, macErr := net.ParseMAC(fields[1])
+		if macErr != nil {
+			return
+		}
+		addressField := fields[7]
+		slashIndex := strings.IndexByte(addressField, '/')
+		if slashIndex >= 0 {
+			addressField = addressField[:slashIndex]
+		}
+		address, addrOK := netip.AddrFromSlice(net.ParseIP(addressField))
+		if !addrOK {
+			return
+		}
+		address = address.Unmap()
+		ipToMAC[address] = mac
+		if hostname != "" {
+			ipToHostname[address] = hostname
+			macToHostname[mac.String()] = hostname
+		}
+		return
+	}
+	var mac net.HardwareAddr
+	duidHex := fields[1]
+	duidBytes, hexErr := hex.DecodeString(duidHex)
+	if hexErr == nil {
+		mac, _ = extractMACFromDUID(duidBytes)
+	}
+	for i := 7; i < len(fields); i++ {
+		addressField := fields[i]
+		slashIndex := strings.IndexByte(addressField, '/')
+		if slashIndex >= 0 {
+			addressField = addressField[:slashIndex]
+		}
+		address, addrOK := netip.AddrFromSlice(net.ParseIP(addressField))
+		if !addrOK {
+			continue
+		}
+		address = address.Unmap()
+		if mac != nil {
+			ipToMAC[address] = mac
+		}
+		if hostname != "" {
+			ipToHostname[address] = hostname
+			if mac != nil {
+				macToHostname[mac.String()] = hostname
+			}
+		}
+	}
+}
+
+func parseISCDhcpd(file *os.File, ipToMAC map[netip.Addr]net.HardwareAddr, ipToHostname map[netip.Addr]string, macToHostname map[string]string) {
+	scanner := bufio.NewScanner(file)
+	var currentIP netip.Addr
+	var currentMAC net.HardwareAddr
+	var currentHostname string
+	var currentActive bool
+	var inLease bool
+	for scanner.Scan() {
+		line := strings.TrimSpace(scanner.Text())
+		if strings.HasPrefix(line, "lease ") && strings.HasSuffix(line, "{") {
+			ipString := strings.TrimSuffix(strings.TrimPrefix(line, "lease "), " {")
+			parsed, addrOK := netip.AddrFromSlice(net.ParseIP(ipString))
+			if addrOK {
+				currentIP = parsed.Unmap()
+				inLease = true
+				currentMAC = nil
+				currentHostname = ""
+				currentActive = false
+			}
+			continue
+		}
+		if line == "}" && inLease {
+			if currentActive && currentMAC != nil {
+				ipToMAC[currentIP] = currentMAC
+				if currentHostname != "" {
+					ipToHostname[currentIP] = currentHostname
+					macToHostname[currentMAC.String()] = currentHostname
+				}
+			} else {
+				delete(ipToMAC, currentIP)
+				delete(ipToHostname, currentIP)
+			}
+			inLease = false
+			continue
+		}
+		if !inLease {
+			continue
+		}
+		if strings.HasPrefix(line, "hardware ethernet ") {
+			macString := strings.TrimSuffix(strings.TrimPrefix(line, "hardware ethernet "), ";")
+			parsed, macErr := net.ParseMAC(macString)
+			if macErr == nil {
+				currentMAC = parsed
+			}
+		} else if strings.HasPrefix(line, "client-hostname ") {
+			hostname := strings.TrimSuffix(strings.TrimPrefix(line, "client-hostname "), ";")
+			hostname = strings.Trim(hostname, "\"")
+			if hostname != "" {
+				currentHostname = hostname
+			}
+		} else if strings.HasPrefix(line, "binding state ") {
+			state := strings.TrimSuffix(strings.TrimPrefix(line, "binding state "), ";")
+			currentActive = state == "active"
+		}
+	}
+}
+
+func parseKeaCSV4(file *os.File, ipToMAC map[netip.Addr]net.HardwareAddr, ipToHostname map[netip.Addr]string, macToHostname map[string]string) {
+	scanner := bufio.NewScanner(file)
+	firstLine := true
+	for scanner.Scan() {
+		if firstLine {
+			firstLine = false
+			continue
+		}
+		fields := strings.Split(scanner.Text(), ",")
+		if len(fields) < 10 {
+			continue
+		}
+		if fields[9] != "0" {
+			continue
+		}
+		address, addrOK := netip.AddrFromSlice(net.ParseIP(fields[0]))
+		if !addrOK {
+			continue
+		}
+		address = address.Unmap()
+		mac, macErr := net.ParseMAC(fields[1])
+		if macErr != nil {
+			continue
+		}
+		ipToMAC[address] = mac
+		hostname := ""
+		if len(fields) > 8 {
+			hostname = fields[8]
+		}
+		if hostname != "" {
+			ipToHostname[address] = hostname
+			macToHostname[mac.String()] = hostname
+		}
+	}
+}
+
+func parseKeaCSV6(file *os.File, ipToMAC map[netip.Addr]net.HardwareAddr, ipToHostname map[netip.Addr]string, macToHostname map[string]string) {
+	scanner := bufio.NewScanner(file)
+	firstLine := true
+	for scanner.Scan() {
+		if firstLine {
+			firstLine = false
+			continue
+		}
+		fields := strings.Split(scanner.Text(), ",")
+		if len(fields) < 14 {
+			continue
+		}
+		if fields[13] != "0" {
+			continue
+		}
+		address, addrOK := netip.AddrFromSlice(net.ParseIP(fields[0]))
+		if !addrOK {
+			continue
+		}
+		address = address.Unmap()
+		var mac net.HardwareAddr
+		if fields[12] != "" {
+			mac, _ = net.ParseMAC(fields[12])
+		}
+		if mac == nil {
+			duid, duidErr := hex.DecodeString(strings.ReplaceAll(fields[1], ":", ""))
+			if duidErr == nil {
+				mac, _ = extractMACFromDUID(duid)
+			}
+		}
+		hostname := ""
+		if len(fields) > 11 {
+			hostname = fields[11]
+		}
+		if mac != nil {
+			ipToMAC[address] = mac
+		}
+		if hostname != "" {
+			ipToHostname[address] = hostname
+			if mac != nil {
+				macToHostname[mac.String()] = hostname
+			}
+		}
+	}
+}
+
+func parseBootpdLeases(file *os.File, ipToMAC map[netip.Addr]net.HardwareAddr, ipToHostname map[netip.Addr]string, macToHostname map[string]string) {
+	now := time.Now().Unix()
+	scanner := bufio.NewScanner(file)
+	var currentName string
+	var currentIP netip.Addr
+	var currentMAC net.HardwareAddr
+	var currentLease int64
+	var inBlock bool
+	for scanner.Scan() {
+		line := strings.TrimSpace(scanner.Text())
+		if line == "{" {
+			inBlock = true
+			currentName = ""
+			currentIP = netip.Addr{}
+			currentMAC = nil
+			currentLease = 0
+			continue
+		}
+		if line == "}" && inBlock {
+			if currentMAC != nil && currentIP.IsValid() {
+				if currentLease == 0 || currentLease >= now {
+					ipToMAC[currentIP] = currentMAC
+					if currentName != "" {
+						ipToHostname[currentIP] = currentName
+						macToHostname[currentMAC.String()] = currentName
+					}
+				}
+			}
+			inBlock = false
+			continue
+		}
+		if !inBlock {
+			continue
+		}
+		key, value, found := strings.Cut(line, "=")
+		if !found {
+			continue
+		}
+		switch key {
+		case "name":
+			currentName = value
+		case "ip_address":
+			parsed, addrOK := netip.AddrFromSlice(net.ParseIP(value))
+			if addrOK {
+				currentIP = parsed.Unmap()
+			}
+		case "hw_address":
+			typeAndMAC, hasSep := strings.CutPrefix(value, "1,")
+			if hasSep {
+				mac, macErr := net.ParseMAC(typeAndMAC)
+				if macErr == nil {
+					currentMAC = mac
+				}
+			}
+		case "lease":
+			leaseHex := strings.TrimPrefix(value, "0x")
+			parsed, parseErr := strconv.ParseInt(leaseHex, 16, 64)
+			if parseErr == nil {
+				currentLease = parsed
+			}
+		}
+	}
+}

route/neighbor_resolver_linux.go

@@ -0,0 +1,224 @@
+//go:build linux
+
+package route
+
+import (
+	"net"
+	"net/netip"
+	"os"
+	"slices"
+	"sync"
+	"time"
+
+	"github.com/sagernet/fswatch"
+	"github.com/sagernet/sing-box/adapter"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+
+	"github.com/jsimonetti/rtnetlink"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+var defaultLeaseFiles = []string{
+	"/tmp/dhcp.leases",
+	"/var/lib/dhcp/dhcpd.leases",
+	"/var/lib/dhcpd/dhcpd.leases",
+	"/var/lib/kea/kea-leases4.csv",
+	"/var/lib/kea/kea-leases6.csv",
+}
+
+type neighborResolver struct {
+	logger          logger.ContextLogger
+	leaseFiles      []string
+	access          sync.RWMutex
+	neighborIPToMAC map[netip.Addr]net.HardwareAddr
+	leaseIPToMAC    map[netip.Addr]net.HardwareAddr
+	ipToHostname    map[netip.Addr]string
+	macToHostname   map[string]string
+	watcher         *fswatch.Watcher
+	done            chan struct{}
+}
+
+func newNeighborResolver(resolverLogger logger.ContextLogger, leaseFiles []string) (adapter.NeighborResolver, error) {
+	if len(leaseFiles) == 0 {
+		for _, path := range defaultLeaseFiles {
+			info, err := os.Stat(path)
+			if err == nil && info.Size() > 0 {
+				leaseFiles = append(leaseFiles, path)
+			}
+		}
+	}
+	return &neighborResolver{
+		logger:          resolverLogger,
+		leaseFiles:      leaseFiles,
+		neighborIPToMAC: make(map[netip.Addr]net.HardwareAddr),
+		leaseIPToMAC:    make(map[netip.Addr]net.HardwareAddr),
+		ipToHostname:    make(map[netip.Addr]string),
+		macToHostname:   make(map[string]string),
+		done:            make(chan struct{}),
+	}, nil
+}
+
+func (r *neighborResolver) Start() error {
+	err := r.loadNeighborTable()
+	if err != nil {
+		r.logger.Warn(E.Cause(err, "load neighbor table"))
+	}
+	r.doReloadLeaseFiles()
+	go r.subscribeNeighborUpdates()
+	if len(r.leaseFiles) > 0 {
+		watcher, err := fswatch.NewWatcher(fswatch.Options{
+			Path:   r.leaseFiles,
+			Logger: r.logger,
+			Callback: func(_ string) {
+				r.doReloadLeaseFiles()
+			},
+		})
+		if err != nil {
+			r.logger.Warn(E.Cause(err, "create lease file watcher"))
+		} else {
+			r.watcher = watcher
+			err = watcher.Start()
+			if err != nil {
+				r.logger.Warn(E.Cause(err, "start lease file watcher"))
+			}
+		}
+	}
+	return nil
+}
+
+func (r *neighborResolver) Close() error {
+	close(r.done)
+	if r.watcher != nil {
+		return r.watcher.Close()
+	}
+	return nil
+}
+
+func (r *neighborResolver) LookupMAC(address netip.Addr) (net.HardwareAddr, bool) {
+	r.access.RLock()
+	defer r.access.RUnlock()
+	mac, found := r.neighborIPToMAC[address]
+	if found {
+		return mac, true
+	}
+	mac, found = r.leaseIPToMAC[address]
+	if found {
+		return mac, true
+	}
+	mac, found = extractMACFromEUI64(address)
+	if found {
+		return mac, true
+	}
+	return nil, false
+}
+
+func (r *neighborResolver) LookupHostname(address netip.Addr) (string, bool) {
+	r.access.RLock()
+	defer r.access.RUnlock()
+	hostname, found := r.ipToHostname[address]
+	if found {
+		return hostname, true
+	}
+	mac, macFound := r.neighborIPToMAC[address]
+	if !macFound {
+		mac, macFound = r.leaseIPToMAC[address]
+	}
+	if !macFound {
+		mac, macFound = extractMACFromEUI64(address)
+	}
+	if macFound {
+		hostname, found = r.macToHostname[mac.String()]
+		if found {
+			return hostname, true
+		}
+	}
+	return "", false
+}
+
+func (r *neighborResolver) loadNeighborTable() error {
+	connection, err := rtnetlink.Dial(nil)
+	if err != nil {
+		return E.Cause(err, "dial rtnetlink")
+	}
+	defer connection.Close()
+	neighbors, err := connection.Neigh.List()
+	if err != nil {
+		return E.Cause(err, "list neighbors")
+	}
+	r.access.Lock()
+	defer r.access.Unlock()
+	for _, neigh := range neighbors {
+		if neigh.Attributes == nil {
+			continue
+		}
+		if neigh.Attributes.LLAddress == nil || len(neigh.Attributes.Address) == 0 {
+			continue
+		}
+		address, ok := netip.AddrFromSlice(neigh.Attributes.Address)
+		if !ok {
+			continue
+		}
+		r.neighborIPToMAC[address] = slices.Clone(neigh.Attributes.LLAddress)
+	}
+	return nil
+}
+
+func (r *neighborResolver) subscribeNeighborUpdates() {
+	connection, err := netlink.Dial(unix.NETLINK_ROUTE, &netlink.Config{
+		Groups: 1 << (unix.RTNLGRP_NEIGH - 1),
+	})
+	if err != nil {
+		r.logger.Warn(E.Cause(err, "subscribe neighbor updates"))
+		return
+	}
+	defer connection.Close()
+	for {
+		select {
+		case <-r.done:
+			return
+		default:
+		}
+		err = connection.SetReadDeadline(time.Now().Add(3 * time.Second))
+		if err != nil {
+			r.logger.Warn(E.Cause(err, "set netlink read deadline"))
+			return
+		}
+		messages, err := connection.Receive()
+		if err != nil {
+			if nerr, ok := err.(net.Error); ok && nerr.Timeout() {
+				continue
+			}
+			select {
+			case <-r.done:
+				return
+			default:
+			}
+			r.logger.Warn(E.Cause(err, "receive neighbor update"))
+			continue
+		}
+		for _, message := range messages {
+			address, mac, isDelete, ok := ParseNeighborMessage(message)
+			if !ok {
+				continue
+			}
+			r.access.Lock()
+			if isDelete {
+				delete(r.neighborIPToMAC, address)
+			} else {
+				r.neighborIPToMAC[address] = mac
+			}
+			r.access.Unlock()
+		}
+	}
+}
+
+func (r *neighborResolver) doReloadLeaseFiles() {
+	leaseIPToMAC, ipToHostname, macToHostname := ReloadLeaseFiles(r.leaseFiles)
+	r.access.Lock()
+	r.leaseIPToMAC = leaseIPToMAC
+	r.ipToHostname = ipToHostname
+	r.macToHostname = macToHostname
+	r.access.Unlock()
+}

route/neighbor_resolver_parse.go

@@ -0,0 +1,50 @@
+package route
+
+import (
+	"encoding/binary"
+	"encoding/hex"
+	"net"
+	"net/netip"
+	"slices"
+	"strings"
+)
+
+func extractMACFromDUID(duid []byte) (net.HardwareAddr, bool) {
+	if len(duid) < 4 {
+		return nil, false
+	}
+	duidType := binary.BigEndian.Uint16(duid[0:2])
+	hwType := binary.BigEndian.Uint16(duid[2:4])
+	if hwType != 1 {
+		return nil, false
+	}
+	switch duidType {
+	case 1:
+		if len(duid) < 14 {
+			return nil, false
+		}
+		return net.HardwareAddr(slices.Clone(duid[8:14])), true
+	case 3:
+		if len(duid) < 10 {
+			return nil, false
+		}
+		return net.HardwareAddr(slices.Clone(duid[4:10])), true
+	}
+	return nil, false
+}
+
+func extractMACFromEUI64(address netip.Addr) (net.HardwareAddr, bool) {
+	if !address.Is6() {
+		return nil, false
+	}
+	b := address.As16()
+	if b[11] != 0xff || b[12] != 0xfe {
+		return nil, false
+	}
+	return net.HardwareAddr{b[8] ^ 0x02, b[9], b[10], b[13], b[14], b[15]}, true
+}
+
+func parseDUID(s string) ([]byte, error) {
+	cleaned := strings.ReplaceAll(s, ":", "")
+	return hex.DecodeString(cleaned)
+}

route/neighbor_resolver_platform.go

@@ -0,0 +1,84 @@
+package route
+
+import (
+	"net"
+	"net/netip"
+	"sync"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing/common/logger"
+)
+
+type platformNeighborResolver struct {
+	logger        logger.ContextLogger
+	platform      adapter.PlatformInterface
+	access        sync.RWMutex
+	ipToMAC       map[netip.Addr]net.HardwareAddr
+	ipToHostname  map[netip.Addr]string
+	macToHostname map[string]string
+}
+
+func newPlatformNeighborResolver(resolverLogger logger.ContextLogger, platform adapter.PlatformInterface) adapter.NeighborResolver {
+	return &platformNeighborResolver{
+		logger:        resolverLogger,
+		platform:      platform,
+		ipToMAC:       make(map[netip.Addr]net.HardwareAddr),
+		ipToHostname:  make(map[netip.Addr]string),
+		macToHostname: make(map[string]string),
+	}
+}
+
+func (r *platformNeighborResolver) Start() error {
+	return r.platform.StartNeighborMonitor(r)
+}
+
+func (r *platformNeighborResolver) Close() error {
+	return r.platform.CloseNeighborMonitor(r)
+}
+
+func (r *platformNeighborResolver) LookupMAC(address netip.Addr) (net.HardwareAddr, bool) {
+	r.access.RLock()
+	defer r.access.RUnlock()
+	mac, found := r.ipToMAC[address]
+	if found {
+		return mac, true
+	}
+	return extractMACFromEUI64(address)
+}
+
+func (r *platformNeighborResolver) LookupHostname(address netip.Addr) (string, bool) {
+	r.access.RLock()
+	defer r.access.RUnlock()
+	hostname, found := r.ipToHostname[address]
+	if found {
+		return hostname, true
+	}
+	mac, found := r.ipToMAC[address]
+	if !found {
+		mac, found = extractMACFromEUI64(address)
+	}
+	if !found {
+		return "", false
+	}
+	hostname, found = r.macToHostname[mac.String()]
+	return hostname, found
+}
+
+func (r *platformNeighborResolver) UpdateNeighborTable(entries []adapter.NeighborEntry) {
+	ipToMAC := make(map[netip.Addr]net.HardwareAddr)
+	ipToHostname := make(map[netip.Addr]string)
+	macToHostname := make(map[string]string)
+	for _, entry := range entries {
+		ipToMAC[entry.Address] = entry.MACAddress
+		if entry.Hostname != "" {
+			ipToHostname[entry.Address] = entry.Hostname
+			macToHostname[entry.MACAddress.String()] = entry.Hostname
+		}
+	}
+	r.access.Lock()
+	r.ipToMAC = ipToMAC
+	r.ipToHostname = ipToHostname
+	r.macToHostname = macToHostname
+	r.access.Unlock()
+	r.logger.Info("updated neighbor table: ", len(entries), " entries")
+}

route/neighbor_resolver_stub.go

@@ -0,0 +1,14 @@
+//go:build !linux && !darwin
+
+package route
+
+import (
+	"os"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing/common/logger"
+)
+
+func newNeighborResolver(_ logger.ContextLogger, _ []string) (adapter.NeighborResolver, error) {
+	return nil, os.ErrInvalid
+}

route/neighbor_table_darwin.go

@@ -0,0 +1,104 @@
+//go:build darwin
+
+package route
+
+import (
+	"net"
+	"net/netip"
+	"syscall"
+
+	"github.com/sagernet/sing-box/adapter"
+	E "github.com/sagernet/sing/common/exceptions"
+
+	"golang.org/x/net/route"
+	"golang.org/x/sys/unix"
+)
+
+func ReadNeighborEntries() ([]adapter.NeighborEntry, error) {
+	var entries []adapter.NeighborEntry
+	ipv4Entries, err := readNeighborEntriesAF(syscall.AF_INET)
+	if err != nil {
+		return nil, E.Cause(err, "read IPv4 neighbors")
+	}
+	entries = append(entries, ipv4Entries...)
+	ipv6Entries, err := readNeighborEntriesAF(syscall.AF_INET6)
+	if err != nil {
+		return nil, E.Cause(err, "read IPv6 neighbors")
+	}
+	entries = append(entries, ipv6Entries...)
+	return entries, nil
+}
+
+func readNeighborEntriesAF(addressFamily int) ([]adapter.NeighborEntry, error) {
+	rib, err := route.FetchRIB(addressFamily, route.RIBType(syscall.NET_RT_FLAGS), syscall.RTF_LLINFO)
+	if err != nil {
+		return nil, err
+	}
+	messages, err := route.ParseRIB(route.RIBType(syscall.NET_RT_FLAGS), rib)
+	if err != nil {
+		return nil, err
+	}
+	var entries []adapter.NeighborEntry
+	for _, message := range messages {
+		routeMessage, isRouteMessage := message.(*route.RouteMessage)
+		if !isRouteMessage {
+			continue
+		}
+		address, macAddress, ok := parseRouteNeighborEntry(routeMessage)
+		if !ok {
+			continue
+		}
+		entries = append(entries, adapter.NeighborEntry{
+			Address:    address,
+			MACAddress: macAddress,
+		})
+	}
+	return entries, nil
+}
+
+func parseRouteNeighborEntry(message *route.RouteMessage) (address netip.Addr, macAddress net.HardwareAddr, ok bool) {
+	if len(message.Addrs) <= unix.RTAX_GATEWAY {
+		return
+	}
+	gateway, isLinkAddr := message.Addrs[unix.RTAX_GATEWAY].(*route.LinkAddr)
+	if !isLinkAddr || len(gateway.Addr) < 6 {
+		return
+	}
+	switch destination := message.Addrs[unix.RTAX_DST].(type) {
+	case *route.Inet4Addr:
+		address = netip.AddrFrom4(destination.IP)
+	case *route.Inet6Addr:
+		address = netip.AddrFrom16(destination.IP)
+	default:
+		return
+	}
+	macAddress = net.HardwareAddr(make([]byte, len(gateway.Addr)))
+	copy(macAddress, gateway.Addr)
+	ok = true
+	return
+}
+
+func ParseRouteNeighborMessage(message *route.RouteMessage) (address netip.Addr, macAddress net.HardwareAddr, isDelete bool, ok bool) {
+	isDelete = message.Type == unix.RTM_DELETE
+	if len(message.Addrs) <= unix.RTAX_GATEWAY {
+		return
+	}
+	switch destination := message.Addrs[unix.RTAX_DST].(type) {
+	case *route.Inet4Addr:
+		address = netip.AddrFrom4(destination.IP)
+	case *route.Inet6Addr:
+		address = netip.AddrFrom16(destination.IP)
+	default:
+		return
+	}
+	if !isDelete {
+		gateway, isLinkAddr := message.Addrs[unix.RTAX_GATEWAY].(*route.LinkAddr)
+		if !isLinkAddr || len(gateway.Addr) < 6 {
+			return
+		}
+		macAddress = net.HardwareAddr(make([]byte, len(gateway.Addr)))
+		copy(macAddress, gateway.Addr)
+	}
+	ok = true
+	return
+}

route/neighbor_table_linux.go

@@ -0,0 +1,68 @@
+//go:build linux
+
+package route
+
+import (
+	"net"
+	"net/netip"
+	"slices"
+
+	"github.com/sagernet/sing-box/adapter"
+	E "github.com/sagernet/sing/common/exceptions"
+
+	"github.com/jsimonetti/rtnetlink"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+func ReadNeighborEntries() ([]adapter.NeighborEntry, error) {
+	connection, err := rtnetlink.Dial(nil)
+	if err != nil {
+		return nil, E.Cause(err, "dial rtnetlink")
+	}
+	defer connection.Close()
+	neighbors, err := connection.Neigh.List()
+	if err != nil {
+		return nil, E.Cause(err, "list neighbors")
+	}
+	var entries []adapter.NeighborEntry
+	for _, neighbor := range neighbors {
+		if neighbor.Attributes == nil {
+			continue
+		}
+		if neighbor.Attributes.LLAddress == nil || len(neighbor.Attributes.Address) == 0 {
+			continue
+		}
+		address, ok := netip.AddrFromSlice(neighbor.Attributes.Address)
+		if !ok {
+			continue
+		}
+		entries = append(entries, adapter.NeighborEntry{
+			Address:    address,
+			MACAddress: slices.Clone(neighbor.Attributes.LLAddress),
+		})
+	}
+	return entries, nil
+}
+
+func ParseNeighborMessage(message netlink.Message) (address netip.Addr, macAddress net.HardwareAddr, isDelete bool, ok bool) {
+	var neighMessage rtnetlink.NeighMessage
+	err := neighMessage.UnmarshalBinary(message.Data)
+	if err != nil {
+		return
+	}
+	if neighMessage.Attributes == nil || len(neighMessage.Attributes.Address) == 0 {
+		return
+	}
+	address, ok = netip.AddrFromSlice(neighMessage.Attributes.Address)
+	if !ok {
+		return
+	}
+	isDelete = message.Header.Type == unix.RTM_DELNEIGH
+	if !isDelete && neighMessage.Attributes.LLAddress == nil {
+		ok = false
+		return
+	}
+	macAddress = slices.Clone(neighMessage.Attributes.LLAddress)
+	return
+}

route/network.go

@@ -51,6 +51,7 @@ type NetworkManager struct {
 	endpoint               adapter.EndpointManager
 	inbound                adapter.InboundManager
 	outbound               adapter.OutboundManager
+	serviceManager         adapter.ServiceManager
 	needWIFIState          bool
 	wifiMonitor            settings.WIFIMonitor
 	wifiState              adapter.WIFIState
@@ -94,6 +95,7 @@ func NewNetworkManager(ctx context.Context, logger logger.ContextLogger, options
 		endpoint:          service.FromContext[adapter.EndpointManager](ctx),
 		inbound:           service.FromContext[adapter.InboundManager](ctx),
 		outbound:          service.FromContext[adapter.OutboundManager](ctx),
+		serviceManager:    service.FromContext[adapter.ServiceManager](ctx),
 		needWIFIState:     hasRule(options.Rules, isWIFIRule) || hasDNSRule(dnsOptions.Rules, isWIFIDNSRule),
 	}
 	if options.DefaultNetworkStrategy != nil {
@@ -475,6 +477,15 @@ func (r *NetworkManager) ResetNetwork() {
 			listener.InterfaceUpdated()
 		}
 	}
+
+	if r.serviceManager != nil {
+		for _, svc := range r.serviceManager.Services() {
+			listener, isListener := svc.(adapter.InterfaceUpdateListener)
+			if isListener {
+				listener.InterfaceUpdated()
+			}
+		}
+	}
 }
 
 func (r *NetworkManager) notifyInterfaceUpdate(defaultInterface *control.Interface, flags int) {

route/route.go

@@ -439,6 +439,23 @@ func (r *Router) matchRule(
 			metadata.ProcessInfo = processInfo
 		}
 	}
+	if r.neighborResolver != nil && metadata.SourceMACAddress == nil && metadata.Source.Addr.IsValid() {
+		mac, macFound := r.neighborResolver.LookupMAC(metadata.Source.Addr)
+		if macFound {
+			metadata.SourceMACAddress = mac
+		}
+		hostname, hostnameFound := r.neighborResolver.LookupHostname(metadata.Source.Addr)
+		if hostnameFound {
+			metadata.SourceHostname = hostname
+			if macFound {
+				r.logger.InfoContext(ctx, "found neighbor: ", mac, ", hostname: ", hostname)
+			} else {
+				r.logger.InfoContext(ctx, "found neighbor hostname: ", hostname)
+			}
+		} else if macFound {
+			r.logger.InfoContext(ctx, "found neighbor: ", mac)
+		}
+	}
 	if metadata.Destination.Addr.IsValid() && r.dnsTransport.FakeIP() != nil && r.dnsTransport.FakeIP().Store().Contains(metadata.Destination.Addr) {
 		domain, loaded := r.dnsTransport.FakeIP().Store().Lookup(metadata.Destination.Addr)
 		if !loaded {

route/router.go

@@ -31,9 +31,12 @@ type Router struct {
 	network           adapter.NetworkManager
 	rules             []adapter.Rule
 	needFindProcess   bool
+	needFindNeighbor  bool
+	leaseFiles        []string
 	ruleSets          []adapter.RuleSet
 	ruleSetMap        map[string]adapter.RuleSet
 	processSearcher   process.Searcher
+	neighborResolver  adapter.NeighborResolver
 	pauseManager      pause.Manager
 	trackers          []adapter.ConnectionTracker
 	platformInterface adapter.PlatformInterface
@@ -53,6 +56,8 @@ func NewRouter(ctx context.Context, logFactory log.Factory, options option.Route
 		rules:             make([]adapter.Rule, 0, len(options.Rules)),
 		ruleSetMap:        make(map[string]adapter.RuleSet),
 		needFindProcess:   hasRule(options.Rules, isProcessRule) || hasDNSRule(dnsOptions.Rules, isProcessDNSRule) || options.FindProcess,
+		needFindNeighbor:  hasRule(options.Rules, isNeighborRule) || hasDNSRule(dnsOptions.Rules, isNeighborDNSRule) || options.FindNeighbor,
+		leaseFiles:        options.DHCPLeaseFiles,
 		pauseManager:      service.FromContext[pause.Manager](ctx),
 		platformInterface: service.FromContext[adapter.PlatformInterface](ctx),
 	}
@@ -112,6 +117,7 @@ func (r *Router) Start(stage adapter.StartStage) error {
 		}
 		r.network.Initialize(r.ruleSets)
 		needFindProcess := r.needFindProcess
+		needFindNeighbor := r.needFindNeighbor
 		for _, ruleSet := range r.ruleSets {
 			metadata := ruleSet.Metadata()
 			if metadata.ContainsProcessRule {
@@ -141,6 +147,36 @@ func (r *Router) Start(stage adapter.StartStage) error {
 				}
 			}
 		}
+		r.needFindNeighbor = needFindNeighbor
+		if needFindNeighbor {
+			if r.platformInterface != nil && r.platformInterface.UsePlatformNeighborResolver() {
+				monitor.Start("initialize neighbor resolver")
+				resolver := newPlatformNeighborResolver(r.logger, r.platformInterface)
+				err := resolver.Start()
+				monitor.Finish()
+				if err != nil {
+					r.logger.Error(E.Cause(err, "start neighbor resolver"))
+				} else {
+					r.neighborResolver = resolver
+				}
+			} else {
+				monitor.Start("initialize neighbor resolver")
+				resolver, err := newNeighborResolver(r.logger, r.leaseFiles)
+				monitor.Finish()
+				if err != nil {
+					if err != os.ErrInvalid {
+						r.logger.Error(E.Cause(err, "create neighbor resolver"))
+					}
+				} else {
+					err = resolver.Start()
+					if err != nil {
+						r.logger.Error(E.Cause(err, "start neighbor resolver"))
+					} else {
+						r.neighborResolver = resolver
+					}
+				}
+			}
+		}
 	case adapter.StartStatePostStart:
 		for i, rule := range r.rules {
 			monitor.Start("initialize rule[", i, "]")
@@ -172,6 +208,13 @@ func (r *Router) Start(stage adapter.StartStage) error {
 func (r *Router) Close() error {
 	monitor := taskmonitor.New(r.logger, C.StopTimeout)
 	var err error
+	if r.neighborResolver != nil {
+		monitor.Start("close neighbor resolver")
+		err = E.Append(err, r.neighborResolver.Close(), func(closeErr error) error {
+			return E.Cause(closeErr, "close neighbor resolver")
+		})
+		monitor.Finish()
+	}
 	for i, rule := range r.rules {
 		monitor.Start("close rule[", i, "]")
 		err = E.Append(err, rule.Close(), func(err error) error {
@@ -206,6 +249,14 @@ func (r *Router) NeedFindProcess() bool {
 	return r.needFindProcess
 }
 
+func (r *Router) NeedFindNeighbor() bool {
+	return r.needFindNeighbor
+}
+
+func (r *Router) NeighborResolver() adapter.NeighborResolver {
+	return r.neighborResolver
+}
+
 func (r *Router) ResetNetwork() {
 	r.network.ResetNetwork()
 	r.dns.ResetNetwork()

route/rule/rule_default.go

@@ -260,6 +260,16 @@ func NewDefaultRule(ctx context.Context, logger log.ContextLogger, options optio
 		rule.items = append(rule.items, item)
 		rule.allItems = append(rule.allItems, item)
 	}
+	if len(options.SourceMACAddress) > 0 {
+		item := NewSourceMACAddressItem(options.SourceMACAddress)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.SourceHostname) > 0 {
+		item := NewSourceHostnameItem(options.SourceHostname)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
 	if len(options.PreferredBy) > 0 {
 		item := NewPreferredByItem(ctx, options.PreferredBy)
 		rule.items = append(rule.items, item)

route/rule/rule_dns.go

@@ -261,6 +261,16 @@ func NewDefaultDNSRule(ctx context.Context, logger log.ContextLogger, options op
 		rule.items = append(rule.items, item)
 		rule.allItems = append(rule.allItems, item)
 	}
+	if len(options.SourceMACAddress) > 0 {
+		item := NewSourceMACAddressItem(options.SourceMACAddress)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.SourceHostname) > 0 {
+		item := NewSourceHostnameItem(options.SourceHostname)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
 	if len(options.RuleSet) > 0 {
 		//nolint:staticcheck
 		if options.Deprecated_RulesetIPCIDRMatchSource {

route/rule/rule_item_source_hostname.go

@@ -0,0 +1,42 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+)
+
+var _ RuleItem = (*SourceHostnameItem)(nil)
+
+type SourceHostnameItem struct {
+	hostnames   []string
+	hostnameMap map[string]bool
+}
+
+func NewSourceHostnameItem(hostnameList []string) *SourceHostnameItem {
+	rule := &SourceHostnameItem{
+		hostnames:   hostnameList,
+		hostnameMap: make(map[string]bool),
+	}
+	for _, hostname := range hostnameList {
+		rule.hostnameMap[hostname] = true
+	}
+	return rule
+}
+
+func (r *SourceHostnameItem) Match(metadata *adapter.InboundContext) bool {
+	if metadata.SourceHostname == "" {
+		return false
+	}
+	return r.hostnameMap[metadata.SourceHostname]
+}
+
+func (r *SourceHostnameItem) String() string {
+	var description string
+	if len(r.hostnames) == 1 {
+		description = "source_hostname=" + r.hostnames[0]
+	} else {
+		description = "source_hostname=[" + strings.Join(r.hostnames, " ") + "]"
+	}
+	return description
+}

route/rule/rule_item_source_mac_address.go

@@ -0,0 +1,48 @@
+package rule
+
+import (
+	"net"
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+)
+
+var _ RuleItem = (*SourceMACAddressItem)(nil)
+
+type SourceMACAddressItem struct {
+	addresses  []string
+	addressMap map[string]bool
+}
+
+func NewSourceMACAddressItem(addressList []string) *SourceMACAddressItem {
+	rule := &SourceMACAddressItem{
+		addresses:  addressList,
+		addressMap: make(map[string]bool),
+	}
+	for _, address := range addressList {
+		parsed, err := net.ParseMAC(address)
+		if err == nil {
+			rule.addressMap[parsed.String()] = true
+		} else {
+			rule.addressMap[address] = true
+		}
+	}
+	return rule
+}
+
+func (r *SourceMACAddressItem) Match(metadata *adapter.InboundContext) bool {
+	if metadata.SourceMACAddress == nil {
+		return false
+	}
+	return r.addressMap[metadata.SourceMACAddress.String()]
+}
+
+func (r *SourceMACAddressItem) String() string {
+	var description string
+	if len(r.addresses) == 1 {
+		description = "source_mac_address=" + r.addresses[0]
+	} else {
+		description = "source_mac_address=[" + strings.Join(r.addresses, " ") + "]"
+	}
+	return description
+}

route/rule_conds.go

@@ -45,6 +45,14 @@ func isProcessDNSRule(rule option.DefaultDNSRule) bool {
 	return len(rule.ProcessName) > 0 || len(rule.ProcessPath) > 0 || len(rule.ProcessPathRegex) > 0 || len(rule.PackageName) > 0 || len(rule.User) > 0 || len(rule.UserID) > 0
 }
 
+func isNeighborRule(rule option.DefaultRule) bool {
+	return len(rule.SourceMACAddress) > 0 || len(rule.SourceHostname) > 0
+}
+
+func isNeighborDNSRule(rule option.DefaultDNSRule) bool {
+	return len(rule.SourceMACAddress) > 0 || len(rule.SourceHostname) > 0
+}
+
 func isWIFIRule(rule option.DefaultRule) bool {
 	return len(rule.WIFISSID) > 0 || len(rule.WIFIBSSID) > 0
 }

service/ccm/credential.go

@@ -2,25 +2,74 @@ package ccm
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"io"
 	"net/http"
 	"os"
 	"os/user"
 	"path/filepath"
+	"runtime"
+	"slices"
+	"sync"
 	"time"
 
+	"github.com/sagernet/sing-box/log"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 
 const (
 	oauth2ClientID          = "9d1c250a-e61b-44d9-88ed-5944d1962f5e"
-	oauth2TokenURL          = "https://console.anthropic.com/v1/oauth/token"
+	oauth2TokenURL          = "https://platform.claude.com/v1/oauth/token"
 	claudeAPIBaseURL        = "https://api.anthropic.com"
 	tokenRefreshBufferMs    = 60000
 	anthropicBetaOAuthValue = "oauth-2025-04-20"
 )
 
+const ccmUserAgentFallback = "claude-code/2.1.72"
+
+var (
+	ccmUserAgentOnce  sync.Once
+	ccmUserAgentValue string
+)
+
+func initCCMUserAgent(logger log.ContextLogger) {
+	ccmUserAgentOnce.Do(func() {
+		version, err := detectClaudeCodeVersion()
+		if err != nil {
+			logger.Error("detect Claude Code version: ", err)
+			ccmUserAgentValue = ccmUserAgentFallback
+			return
+		}
+		logger.Debug("detected Claude Code version: ", version)
+		ccmUserAgentValue = "claude-code/" + version
+	})
+}
+
+func detectClaudeCodeVersion() (string, error) {
+	userInfo, err := getRealUser()
+	if err != nil {
+		return "", E.Cause(err, "get user")
+	}
+	binaryName := "claude"
+	if runtime.GOOS == "windows" {
+		binaryName = "claude.exe"
+	}
+	linkPath := filepath.Join(userInfo.HomeDir, ".local", "bin", binaryName)
+	target, err := os.Readlink(linkPath)
+	if err != nil {
+		return "", E.Cause(err, "readlink ", linkPath)
+	}
+	if !filepath.IsAbs(target) {
+		target = filepath.Join(filepath.Dir(linkPath), target)
+	}
+	parent := filepath.Base(filepath.Dir(target))
+	if parent != "versions" {
+		return "", E.New("unexpected symlink target: ", target)
+	}
+	return filepath.Base(target), nil
+}
+
 func getRealUser() (*user.User, error) {
 	if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {
 		sudoUserInfo, err := user.Lookup(sudoUser)
@@ -60,6 +109,14 @@ func readCredentialsFromFile(path string) (*oauthCredentials, error) {
 	return credentialsContainer.ClaudeAIAuth, nil
 }
 
+func checkCredentialFileWritable(path string) error {
+	file, err := os.OpenFile(path, os.O_WRONLY, 0)
+	if err != nil {
+		return err
+	}
+	return file.Close()
+}
+
 func writeCredentialsToFile(oauthCredentials *oauthCredentials, path string) error {
 	data, err := json.MarshalIndent(map[string]any{
 		"claudeAiOauth": oauthCredentials,
@@ -76,6 +133,7 @@ type oauthCredentials struct {
 	ExpiresAt        int64    `json:"expiresAt"`
 	Scopes           []string `json:"scopes,omitempty"`
 	SubscriptionType string   `json:"subscriptionType,omitempty"`
+	RateLimitTier    string   `json:"rateLimitTier,omitempty"`
 	IsMax            bool     `json:"isMax,omitempty"`
 }
 
@@ -86,7 +144,7 @@ func (c *oauthCredentials) needsRefresh() bool {
 	return time.Now().UnixMilli() >= c.ExpiresAt-tokenRefreshBufferMs
 }
 
-func refreshToken(httpClient *http.Client, credentials *oauthCredentials) (*oauthCredentials, error) {
+func refreshToken(ctx context.Context, httpClient *http.Client, credentials *oauthCredentials) (*oauthCredentials, error) {
 	if credentials.RefreshToken == "" {
 		return nil, E.New("refresh token is empty")
 	}
@@ -100,19 +158,24 @@ func refreshToken(httpClient *http.Client, credentials *oauthCredentials) (*oaut
 		return nil, E.Cause(err, "marshal request")
 	}
 
-	request, err := http.NewRequest("POST", oauth2TokenURL, bytes.NewReader(requestBody))
-	if err != nil {
-		return nil, err
-	}
-	request.Header.Set("Content-Type", "application/json")
-	request.Header.Set("Accept", "application/json")
-
-	response, err := httpClient.Do(request)
+	response, err := doHTTPWithRetry(ctx, httpClient, func() (*http.Request, error) {
+		request, err := http.NewRequest("POST", oauth2TokenURL, bytes.NewReader(requestBody))
+		if err != nil {
+			return nil, err
+		}
+		request.Header.Set("Content-Type", "application/json")
+		request.Header.Set("User-Agent", ccmUserAgentValue)
+		return request, nil
+	})
 	if err != nil {
 		return nil, err
 	}
 	defer response.Body.Close()
 
+	if response.StatusCode == http.StatusTooManyRequests {
+		body, _ := io.ReadAll(response.Body)
+		return nil, E.New("refresh rate limited: ", response.Status, " ", string(body))
+	}
 	if response.StatusCode != http.StatusOK {
 		body, _ := io.ReadAll(response.Body)
 		return nil, E.New("refresh failed: ", response.Status, " ", string(body))
@@ -137,3 +200,25 @@ func refreshToken(httpClient *http.Client, credentials *oauthCredentials) (*oaut
 
 	return &newCredentials, nil
 }
+
+func cloneCredentials(credentials *oauthCredentials) *oauthCredentials {
+	if credentials == nil {
+		return nil
+	}
+	cloned := *credentials
+	cloned.Scopes = append([]string(nil), credentials.Scopes...)
+	return &cloned
+}
+
+func credentialsEqual(left *oauthCredentials, right *oauthCredentials) bool {
+	if left == nil || right == nil {
+		return left == right
+	}
+	return left.AccessToken == right.AccessToken &&
+		left.RefreshToken == right.RefreshToken &&
+		left.ExpiresAt == right.ExpiresAt &&
+		slices.Equal(left.Scopes, right.Scopes) &&
+		left.SubscriptionType == right.SubscriptionType &&
+		left.RateLimitTier == right.RateLimitTier &&
+		left.IsMax == right.IsMax
+}

service/ccm/credential_darwin.go

@@ -69,6 +69,13 @@ func platformReadCredentials(customPath string) (*oauthCredentials, error) {
 	return readCredentialsFromFile(defaultPath)
 }
 
+func platformCanWriteCredentials(customPath string) error {
+	if customPath == "" {
+		return nil
+	}
+	return checkCredentialFileWritable(customPath)
+}
+
 func platformWriteCredentials(oauthCredentials *oauthCredentials, customPath string) error {
 	if customPath != "" {
 		return writeCredentialsToFile(oauthCredentials, customPath)

service/ccm/credential_external.go

@@ -0,0 +1,676 @@
+package ccm
+
+import (
+	"bytes"
+	"context"
+	stdTLS "crypto/tls"
+	"encoding/json"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/dialer"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/ntp"
+
+	"github.com/hashicorp/yamux"
+)
+
+const reverseProxyBaseURL = "http://reverse-proxy"
+
+type externalCredential struct {
+	tag          string
+	baseURL      string
+	token        string
+	httpClient   *http.Client
+	state        credentialState
+	stateMutex   sync.RWMutex
+	pollAccess   sync.Mutex
+	pollInterval time.Duration
+	usageTracker *AggregatedUsage
+	logger       log.ContextLogger
+
+	onBecameUnusable func()
+	interrupted      bool
+	requestContext   context.Context
+	cancelRequests   context.CancelFunc
+	requestAccess    sync.Mutex
+
+	// Reverse proxy fields
+	reverse              bool
+	reverseSession       *yamux.Session
+	reverseAccess        sync.RWMutex
+	closed               bool
+	reverseContext       context.Context
+	reverseCancel        context.CancelFunc
+	connectorDialer      N.Dialer
+	connectorDestination M.Socksaddr
+	connectorRequestPath string
+	connectorURL         *url.URL
+	connectorTLS         *stdTLS.Config
+	reverseService       http.Handler
+}
+
+func externalCredentialURLPort(parsedURL *url.URL) uint16 {
+	portStr := parsedURL.Port()
+	if portStr != "" {
+		port, err := strconv.ParseUint(portStr, 10, 16)
+		if err == nil {
+			return uint16(port)
+		}
+	}
+	if parsedURL.Scheme == "https" {
+		return 443
+	}
+	return 80
+}
+
+func externalCredentialServerPort(parsedURL *url.URL, configuredPort uint16) uint16 {
+	if configuredPort != 0 {
+		return configuredPort
+	}
+	return externalCredentialURLPort(parsedURL)
+}
+
+func externalCredentialBaseURL(parsedURL *url.URL) string {
+	baseURL := parsedURL.Scheme + "://" + parsedURL.Host
+	if parsedURL.Path != "" && parsedURL.Path != "/" {
+		baseURL += parsedURL.Path
+	}
+	if len(baseURL) > 0 && baseURL[len(baseURL)-1] == '/' {
+		baseURL = baseURL[:len(baseURL)-1]
+	}
+	return baseURL
+}
+
+func externalCredentialReversePath(parsedURL *url.URL, endpointPath string) string {
+	pathPrefix := parsedURL.EscapedPath()
+	if pathPrefix == "/" {
+		pathPrefix = ""
+	} else {
+		pathPrefix = strings.TrimSuffix(pathPrefix, "/")
+	}
+	return pathPrefix + endpointPath
+}
+
+func newExternalCredential(ctx context.Context, tag string, options option.CCMExternalCredentialOptions, logger log.ContextLogger) (*externalCredential, error) {
+	pollInterval := time.Duration(options.PollInterval)
+	if pollInterval <= 0 {
+		pollInterval = 30 * time.Minute
+	}
+
+	requestContext, cancelRequests := context.WithCancel(context.Background())
+	reverseContext, reverseCancel := context.WithCancel(context.Background())
+
+	cred := &externalCredential{
+		tag:            tag,
+		token:          options.Token,
+		pollInterval:   pollInterval,
+		logger:         logger,
+		requestContext: requestContext,
+		cancelRequests: cancelRequests,
+		reverse:        options.Reverse,
+		reverseContext: reverseContext,
+		reverseCancel:  reverseCancel,
+	}
+
+	if options.URL == "" {
+		// Receiver mode: no URL, wait for reverse connection
+		cred.baseURL = reverseProxyBaseURL
+		cred.httpClient = &http.Client{
+			Transport: &http.Transport{
+				ForceAttemptHTTP2: false,
+				DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
+					return cred.openReverseConnection(ctx)
+				},
+			},
+		}
+	} else {
+		// Normal or connector mode: has URL
+		parsedURL, err := url.Parse(options.URL)
+		if err != nil {
+			return nil, E.Cause(err, "parse url for credential ", tag)
+		}
+
+		credentialDialer, err := dialer.NewWithOptions(dialer.Options{
+			Context: ctx,
+			Options: option.DialerOptions{
+				Detour: options.Detour,
+			},
+			RemoteIsDomain: true,
+		})
+		if err != nil {
+			return nil, E.Cause(err, "create dialer for credential ", tag)
+		}
+
+		transport := &http.Transport{
+			ForceAttemptHTTP2: true,
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				if options.Server != "" {
+					destination := M.ParseSocksaddrHostPort(options.Server, externalCredentialServerPort(parsedURL, options.ServerPort))
+					return credentialDialer.DialContext(ctx, network, destination)
+				}
+				return credentialDialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
+			},
+		}
+
+		if parsedURL.Scheme == "https" {
+			transport.TLSClientConfig = &stdTLS.Config{
+				ServerName: parsedURL.Hostname(),
+				RootCAs:    adapter.RootPoolFromContext(ctx),
+				Time:       ntp.TimeFuncFromContext(ctx),
+			}
+		}
+
+		cred.baseURL = externalCredentialBaseURL(parsedURL)
+
+		if options.Reverse {
+			// Connector mode: we dial out to serve, not to proxy
+			cred.connectorDialer = credentialDialer
+			if options.Server != "" {
+				cred.connectorDestination = M.ParseSocksaddrHostPort(options.Server, externalCredentialServerPort(parsedURL, options.ServerPort))
+			} else {
+				cred.connectorDestination = M.ParseSocksaddrHostPort(parsedURL.Hostname(), externalCredentialURLPort(parsedURL))
+			}
+			cred.connectorRequestPath = externalCredentialReversePath(parsedURL, "/ccm/v1/reverse")
+			cred.connectorURL = parsedURL
+			if parsedURL.Scheme == "https" {
+				cred.connectorTLS = &stdTLS.Config{
+					ServerName: parsedURL.Hostname(),
+					RootCAs:    adapter.RootPoolFromContext(ctx),
+					Time:       ntp.TimeFuncFromContext(ctx),
+				}
+			}
+		} else {
+			// Normal mode: standard HTTP client for proxying
+			cred.httpClient = &http.Client{Transport: transport}
+		}
+	}
+
+	if options.UsagesPath != "" {
+		cred.usageTracker = &AggregatedUsage{
+			LastUpdated:  time.Now(),
+			Combinations: make([]CostCombination, 0),
+			filePath:     options.UsagesPath,
+			logger:       logger,
+		}
+	}
+
+	return cred, nil
+}
+
+func (c *externalCredential) start() error {
+	if c.usageTracker != nil {
+		err := c.usageTracker.Load()
+		if err != nil {
+			c.logger.Warn("load usage statistics for ", c.tag, ": ", err)
+		}
+	}
+	if c.reverse && c.connectorURL != nil {
+		go c.connectorLoop()
+	}
+	return nil
+}
+
+func (c *externalCredential) tagName() string {
+	return c.tag
+}
+
+func (c *externalCredential) isExternal() bool {
+	return true
+}
+
+func (c *externalCredential) isAvailable() bool {
+	return c.unavailableError() == nil
+}
+
+func (c *externalCredential) isUsable() bool {
+	if !c.isAvailable() {
+		return false
+	}
+	c.stateMutex.RLock()
+	if c.state.consecutivePollFailures > 0 {
+		c.stateMutex.RUnlock()
+		return false
+	}
+	if c.state.hardRateLimited {
+		if time.Now().Before(c.state.rateLimitResetAt) {
+			c.stateMutex.RUnlock()
+			return false
+		}
+		c.stateMutex.RUnlock()
+		c.stateMutex.Lock()
+		if c.state.hardRateLimited && !time.Now().Before(c.state.rateLimitResetAt) {
+			c.state.hardRateLimited = false
+		}
+		// No reserve for external: only 100% is unusable
+		usable := c.state.fiveHourUtilization < 100 && c.state.weeklyUtilization < 100
+		c.stateMutex.Unlock()
+		return usable
+	}
+	usable := c.state.fiveHourUtilization < 100 && c.state.weeklyUtilization < 100
+	c.stateMutex.RUnlock()
+	return usable
+}
+
+func (c *externalCredential) fiveHourUtilization() float64 {
+	c.stateMutex.RLock()
+	defer c.stateMutex.RUnlock()
+	return c.state.fiveHourUtilization
+}
+
+func (c *externalCredential) weeklyUtilization() float64 {
+	c.stateMutex.RLock()
+	defer c.stateMutex.RUnlock()
+	return c.state.weeklyUtilization
+}
+
+func (c *externalCredential) fiveHourCap() float64 {
+	return 100
+}
+
+func (c *externalCredential) weeklyCap() float64 {
+	return 100
+}
+
+func (c *externalCredential) planWeight() float64 {
+	c.stateMutex.RLock()
+	defer c.stateMutex.RUnlock()
+	if c.state.remotePlanWeight > 0 {
+		return c.state.remotePlanWeight
+	}
+	return 10
+}
+
+func (c *externalCredential) weeklyResetTime() time.Time {
+	c.stateMutex.RLock()
+	defer c.stateMutex.RUnlock()
+	return c.state.weeklyReset
+}
+
+func (c *externalCredential) markRateLimited(resetAt time.Time) {
+	c.logger.Warn("rate limited for ", c.tag, ", reset in ", log.FormatDuration(time.Until(resetAt)))
+	c.stateMutex.Lock()
+	c.state.hardRateLimited = true
+	c.state.rateLimitResetAt = resetAt
+	shouldInterrupt := c.checkTransitionLocked()
+	c.stateMutex.Unlock()
+	if shouldInterrupt {
+		c.interruptConnections()
+	}
+}
+
+func (c *externalCredential) earliestReset() time.Time {
+	c.stateMutex.RLock()
+	defer c.stateMutex.RUnlock()
+	if c.state.hardRateLimited {
+		return c.state.rateLimitResetAt
+	}
+	earliest := c.state.fiveHourReset
+	if !c.state.weeklyReset.IsZero() && (earliest.IsZero() || c.state.weeklyReset.Before(earliest)) {
+		earliest = c.state.weeklyReset
+	}
+	return earliest
+}
+
+func (c *externalCredential) unavailableError() error {
+	if c.reverse && c.connectorURL != nil {
+		return E.New("credential ", c.tag, " is unavailable: reverse connector credentials cannot serve local requests")
+	}
+	if c.baseURL == reverseProxyBaseURL {
+		session := c.getReverseSession()
+		if session == nil || session.IsClosed() {
+			return E.New("credential ", c.tag, " is unavailable: reverse connection not established")
+		}
+	}
+	return nil
+}
+
+func (c *externalCredential) getAccessToken() (string, error) {
+	return c.token, nil
+}
+
+func (c *externalCredential) buildProxyRequest(ctx context.Context, original *http.Request, bodyBytes []byte, _ http.Header) (*http.Request, error) {
+	proxyURL := c.baseURL + original.URL.RequestURI()
+	var body io.Reader
+	if bodyBytes != nil {
+		body = bytes.NewReader(bodyBytes)
+	} else {
+		body = original.Body
+	}
+	proxyRequest, err := http.NewRequestWithContext(ctx, original.Method, proxyURL, body)
+	if err != nil {
+		return nil, err
+	}
+
+	for key, values := range original.Header {
+		if !isHopByHopHeader(key) && !isReverseProxyHeader(key) && key != "Authorization" {
+			proxyRequest.Header[key] = values
+		}
+	}
+
+	proxyRequest.Header.Set("Authorization", "Bearer "+c.token)
+
+	return proxyRequest, nil
+}
+
+func (c *externalCredential) openReverseConnection(ctx context.Context) (net.Conn, error) {
+	if ctx == nil {
+		ctx = context.Background()
+	}
+	select {
+	case <-ctx.Done():
+		return nil, ctx.Err()
+	default:
+	}
+	session := c.getReverseSession()
+	if session == nil || session.IsClosed() {
+		return nil, E.New("reverse connection not established for ", c.tag)
+	}
+	conn, err := session.Open()
+	if err != nil {
+		return nil, err
+	}
+	select {
+	case <-ctx.Done():
+		conn.Close()
+		return nil, ctx.Err()
+	default:
+	}
+	return conn, nil
+}
+
+func (c *externalCredential) updateStateFromHeaders(headers http.Header) {
+	c.stateMutex.Lock()
+	isFirstUpdate := c.state.lastUpdated.IsZero()
+	oldFiveHour := c.state.fiveHourUtilization
+	oldWeekly := c.state.weeklyUtilization
+	hadData := false
+
+	if value, exists := parseOptionalAnthropicResetHeader(headers, "anthropic-ratelimit-unified-5h-reset"); exists {
+		hadData = true
+		c.state.fiveHourReset = value
+	}
+	if utilization := headers.Get("anthropic-ratelimit-unified-5h-utilization"); utilization != "" {
+		value, err := strconv.ParseFloat(utilization, 64)
+		if err == nil {
+			hadData = true
+			c.state.fiveHourUtilization = value * 100
+		}
+	}
+
+	if value, exists := parseOptionalAnthropicResetHeader(headers, "anthropic-ratelimit-unified-7d-reset"); exists {
+		hadData = true
+		c.state.weeklyReset = value
+	}
+	if utilization := headers.Get("anthropic-ratelimit-unified-7d-utilization"); utilization != "" {
+		value, err := strconv.ParseFloat(utilization, 64)
+		if err == nil {
+			hadData = true
+			c.state.weeklyUtilization = value * 100
+		}
+	}
+	if planWeight := headers.Get("X-CCM-Plan-Weight"); planWeight != "" {
+		value, err := strconv.ParseFloat(planWeight, 64)
+		if err == nil && value > 0 {
+			c.state.remotePlanWeight = value
+		}
+	}
+	if hadData {
+		c.state.consecutivePollFailures = 0
+		c.state.lastUpdated = time.Now()
+	}
+	if isFirstUpdate || int(c.state.fiveHourUtilization*100) != int(oldFiveHour*100) || int(c.state.weeklyUtilization*100) != int(oldWeekly*100) {
+		resetSuffix := ""
+		if !c.state.weeklyReset.IsZero() {
+			resetSuffix = ", resets=" + log.FormatDuration(time.Until(c.state.weeklyReset))
+		}
+		c.logger.Debug("usage update for ", c.tag, ": 5h=", c.state.fiveHourUtilization, "%, weekly=", c.state.weeklyUtilization, "%", resetSuffix)
+	}
+	shouldInterrupt := c.checkTransitionLocked()
+	c.stateMutex.Unlock()
+	if shouldInterrupt {
+		c.interruptConnections()
+	}
+}
+
+func (c *externalCredential) checkTransitionLocked() bool {
+	unusable := c.state.hardRateLimited || c.state.fiveHourUtilization >= 100 || c.state.weeklyUtilization >= 100 || c.state.consecutivePollFailures > 0
+	if unusable && !c.interrupted {
+		c.interrupted = true
+		return true
+	}
+	if !unusable && c.interrupted {
+		c.interrupted = false
+	}
+	return false
+}
+
+func (c *externalCredential) wrapRequestContext(parent context.Context) *credentialRequestContext {
+	c.requestAccess.Lock()
+	credentialContext := c.requestContext
+	c.requestAccess.Unlock()
+	derived, cancel := context.WithCancel(parent)
+	stop := context.AfterFunc(credentialContext, func() {
+		cancel()
+	})
+	return &credentialRequestContext{
+		Context:     derived,
+		releaseFunc: stop,
+		cancelFunc:  cancel,
+	}
+}
+
+func (c *externalCredential) interruptConnections() {
+	c.logger.Warn("interrupting connections for ", c.tag)
+	c.requestAccess.Lock()
+	c.cancelRequests()
+	c.requestContext, c.cancelRequests = context.WithCancel(context.Background())
+	c.requestAccess.Unlock()
+	if c.onBecameUnusable != nil {
+		c.onBecameUnusable()
+	}
+}
+
+func (c *externalCredential) pollUsage(ctx context.Context) {
+	if !c.pollAccess.TryLock() {
+		return
+	}
+	defer c.pollAccess.Unlock()
+	defer c.markUsagePollAttempted()
+
+	statusURL := c.baseURL + "/ccm/v1/status"
+	httpClient := &http.Client{
+		Transport: c.httpClient.Transport,
+		Timeout:   5 * time.Second,
+	}
+
+	response, err := doHTTPWithRetry(ctx, httpClient, func() (*http.Request, error) {
+		request, err := http.NewRequestWithContext(ctx, http.MethodGet, statusURL, nil)
+		if err != nil {
+			return nil, err
+		}
+		request.Header.Set("Authorization", "Bearer "+c.token)
+		return request, nil
+	})
+	if err != nil {
+		c.logger.Error("poll usage for ", c.tag, ": ", err)
+		c.incrementPollFailures()
+		return
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(response.Body)
+		c.logger.Debug("poll usage for ", c.tag, ": status ", response.StatusCode, " ", string(body))
+		// 404 means the remote does not have a status endpoint yet;
+		// usage will be updated passively from response headers.
+		if response.StatusCode == http.StatusNotFound {
+			c.stateMutex.Lock()
+			c.state.consecutivePollFailures = 0
+			c.checkTransitionLocked()
+			c.stateMutex.Unlock()
+		} else {
+			c.incrementPollFailures()
+		}
+		return
+	}
+
+	var statusResponse struct {
+		FiveHourUtilization float64 `json:"five_hour_utilization"`
+		WeeklyUtilization   float64 `json:"weekly_utilization"`
+		PlanWeight          float64 `json:"plan_weight"`
+	}
+	err = json.NewDecoder(response.Body).Decode(&statusResponse)
+	if err != nil {
+		c.logger.Debug("poll usage for ", c.tag, ": decode: ", err)
+		c.incrementPollFailures()
+		return
+	}
+
+	c.stateMutex.Lock()
+	isFirstUpdate := c.state.lastUpdated.IsZero()
+	oldFiveHour := c.state.fiveHourUtilization
+	oldWeekly := c.state.weeklyUtilization
+	c.state.consecutivePollFailures = 0
+	c.state.fiveHourUtilization = statusResponse.FiveHourUtilization
+	c.state.weeklyUtilization = statusResponse.WeeklyUtilization
+	if statusResponse.PlanWeight > 0 {
+		c.state.remotePlanWeight = statusResponse.PlanWeight
+	}
+	if c.state.hardRateLimited && time.Now().After(c.state.rateLimitResetAt) {
+		c.state.hardRateLimited = false
+	}
+	if isFirstUpdate || int(c.state.fiveHourUtilization*100) != int(oldFiveHour*100) || int(c.state.weeklyUtilization*100) != int(oldWeekly*100) {
+		resetSuffix := ""
+		if !c.state.weeklyReset.IsZero() {
+			resetSuffix = ", resets=" + log.FormatDuration(time.Until(c.state.weeklyReset))
+		}
+		c.logger.Debug("poll usage for ", c.tag, ": 5h=", c.state.fiveHourUtilization, "%, weekly=", c.state.weeklyUtilization, "%", resetSuffix)
+	}
+	shouldInterrupt := c.checkTransitionLocked()
+	c.stateMutex.Unlock()
+	if shouldInterrupt {
+		c.interruptConnections()
+	}
+}
+
+func (c *externalCredential) lastUpdatedTime() time.Time {
+	c.stateMutex.RLock()
+	defer c.stateMutex.RUnlock()
+	return c.state.lastUpdated
+}
+
+func (c *externalCredential) markUsagePollAttempted() {
+	c.stateMutex.Lock()
+	defer c.stateMutex.Unlock()
+	c.state.lastUpdated = time.Now()
+}
+
+func (c *externalCredential) pollBackoff(baseInterval time.Duration) time.Duration {
+	c.stateMutex.RLock()
+	failures := c.state.consecutivePollFailures
+	c.stateMutex.RUnlock()
+	if failures <= 0 {
+		return baseInterval
+	}
+	return failedPollRetryInterval
+}
+
+func (c *externalCredential) incrementPollFailures() {
+	c.stateMutex.Lock()
+	c.state.consecutivePollFailures++
+	shouldInterrupt := c.checkTransitionLocked()
+	c.stateMutex.Unlock()
+	if shouldInterrupt {
+		c.interruptConnections()
+	}
+}
+
+func (c *externalCredential) usageTrackerOrNil() *AggregatedUsage {
+	return c.usageTracker
+}
+
+func (c *externalCredential) httpTransport() *http.Client {
+	return c.httpClient
+}
+
+func (c *externalCredential) close() {
+	var session *yamux.Session
+	c.reverseAccess.Lock()
+	if !c.closed {
+		c.closed = true
+		if c.reverseCancel != nil {
+			c.reverseCancel()
+		}
+		session = c.reverseSession
+		c.reverseSession = nil
+	}
+	c.reverseAccess.Unlock()
+	if session != nil {
+		session.Close()
+	}
+	if c.usageTracker != nil {
+		c.usageTracker.cancelPendingSave()
+		err := c.usageTracker.Save()
+		if err != nil {
+			c.logger.Error("save usage statistics for ", c.tag, ": ", err)
+		}
+	}
+}
+
+func (c *externalCredential) getReverseSession() *yamux.Session {
+	c.reverseAccess.RLock()
+	defer c.reverseAccess.RUnlock()
+	return c.reverseSession
+}
+
+func (c *externalCredential) setReverseSession(session *yamux.Session) bool {
+	c.reverseAccess.Lock()
+	if c.closed {
+		c.reverseAccess.Unlock()
+		return false
+	}
+	old := c.reverseSession
+	c.reverseSession = session
+	c.reverseAccess.Unlock()
+	if old != nil {
+		old.Close()
+	}
+	return true
+}
+
+func (c *externalCredential) clearReverseSession(session *yamux.Session) {
+	c.reverseAccess.Lock()
+	if c.reverseSession == session {
+		c.reverseSession = nil
+	}
+	c.reverseAccess.Unlock()
+}
+
+func (c *externalCredential) getReverseContext() context.Context {
+	c.reverseAccess.RLock()
+	defer c.reverseAccess.RUnlock()
+	return c.reverseContext
+}
+
+func (c *externalCredential) resetReverseContext() {
+	c.reverseAccess.Lock()
+	if c.closed {
+		c.reverseAccess.Unlock()
+		return
+	}
+	c.reverseCancel()
+	c.reverseContext, c.reverseCancel = context.WithCancel(context.Background())
+	c.reverseAccess.Unlock()
+}

service/ccm/credential_file.go

@@ -0,0 +1,143 @@
+package ccm
+
+import (
+	"path/filepath"
+	"time"
+
+	"github.com/sagernet/fswatch"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+const credentialReloadRetryInterval = 2 * time.Second
+
+func resolveCredentialFilePath(customPath string) (string, error) {
+	if customPath == "" {
+		var err error
+		customPath, err = getDefaultCredentialsPath()
+		if err != nil {
+			return "", err
+		}
+	}
+	if filepath.IsAbs(customPath) {
+		return customPath, nil
+	}
+	return filepath.Abs(customPath)
+}
+
+func (c *defaultCredential) ensureCredentialWatcher() error {
+	c.watcherAccess.Lock()
+	defer c.watcherAccess.Unlock()
+
+	if c.watcher != nil || c.credentialFilePath == "" {
+		return nil
+	}
+	if !c.watcherRetryAt.IsZero() && time.Now().Before(c.watcherRetryAt) {
+		return nil
+	}
+
+	watcher, err := fswatch.NewWatcher(fswatch.Options{
+		Path:   []string{c.credentialFilePath},
+		Logger: c.logger,
+		Callback: func(string) {
+			err := c.reloadCredentials(true)
+			if err != nil {
+				c.logger.Warn("reload credentials for ", c.tag, ": ", err)
+			}
+		},
+	})
+	if err != nil {
+		c.watcherRetryAt = time.Now().Add(credentialReloadRetryInterval)
+		return err
+	}
+
+	err = watcher.Start()
+	if err != nil {
+		c.watcherRetryAt = time.Now().Add(credentialReloadRetryInterval)
+		return err
+	}
+
+	c.watcher = watcher
+	c.watcherRetryAt = time.Time{}
+	return nil
+}
+
+func (c *defaultCredential) retryCredentialReloadIfNeeded() {
+	c.stateMutex.RLock()
+	unavailable := c.state.unavailable
+	lastAttempt := c.state.lastCredentialLoadAttempt
+	c.stateMutex.RUnlock()
+	if !unavailable {
+		return
+	}
+	if !lastAttempt.IsZero() && time.Since(lastAttempt) < credentialReloadRetryInterval {
+		return
+	}
+
+	err := c.ensureCredentialWatcher()
+	if err != nil {
+		c.logger.Debug("start credential watcher for ", c.tag, ": ", err)
+	}
+	_ = c.reloadCredentials(false)
+}
+
+func (c *defaultCredential) reloadCredentials(force bool) error {
+	c.reloadAccess.Lock()
+	defer c.reloadAccess.Unlock()
+
+	c.stateMutex.RLock()
+	unavailable := c.state.unavailable
+	lastAttempt := c.state.lastCredentialLoadAttempt
+	c.stateMutex.RUnlock()
+	if !force {
+		if !unavailable {
+			return nil
+		}
+		if !lastAttempt.IsZero() && time.Since(lastAttempt) < credentialReloadRetryInterval {
+			return c.unavailableError()
+		}
+	}
+
+	c.stateMutex.Lock()
+	c.state.lastCredentialLoadAttempt = time.Now()
+	c.stateMutex.Unlock()
+
+	credentials, err := platformReadCredentials(c.credentialPath)
+	if err != nil {
+		return c.markCredentialsUnavailable(E.Cause(err, "read credentials"))
+	}
+
+	c.accessMutex.Lock()
+	c.credentials = credentials
+	c.accessMutex.Unlock()
+
+	c.stateMutex.Lock()
+	c.state.unavailable = false
+	c.state.lastCredentialLoadError = ""
+	c.state.accountType = credentials.SubscriptionType
+	c.state.rateLimitTier = credentials.RateLimitTier
+	c.checkTransitionLocked()
+	c.stateMutex.Unlock()
+
+	return nil
+}
+
+func (c *defaultCredential) markCredentialsUnavailable(err error) error {
+	c.accessMutex.Lock()
+	hadCredentials := c.credentials != nil
+	c.credentials = nil
+	c.accessMutex.Unlock()
+
+	c.stateMutex.Lock()
+	c.state.unavailable = true
+	c.state.lastCredentialLoadError = err.Error()
+	c.state.accountType = ""
+	c.state.rateLimitTier = ""
+	shouldInterrupt := c.checkTransitionLocked()
+	c.stateMutex.Unlock()
+
+	if shouldInterrupt && hadCredentials {
+		c.interruptConnections()
+	}
+
+	return err
+}

service/ccm/credential_other.go

@@ -13,6 +13,17 @@ func platformReadCredentials(customPath string) (*oauthCredentials, error) {
 	return readCredentialsFromFile(customPath)
 }
 
+func platformCanWriteCredentials(customPath string) error {
+	if customPath == "" {
+		var err error
+		customPath, err = getDefaultCredentialsPath()
+		if err != nil {
+			return err
+		}
+	}
+	return checkCredentialFileWritable(customPath)
+}
+
 func platformWriteCredentials(oauthCredentials *oauthCredentials, customPath string) error {
 	if customPath == "" {
 		var err error

service/ccm/reverse.go

@@ -0,0 +1,259 @@
+package ccm
+
+import (
+	"bufio"
+	"context"
+	stdTLS "crypto/tls"
+	"errors"
+	"io"
+	"math/rand/v2"
+	"net"
+	"net/http"
+	"strings"
+	"time"
+
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+
+	"github.com/hashicorp/yamux"
+)
+
+func reverseYamuxConfig() *yamux.Config {
+	config := yamux.DefaultConfig()
+	config.KeepAliveInterval = 15 * time.Second
+	config.ConnectionWriteTimeout = 10 * time.Second
+	config.MaxStreamWindowSize = 512 * 1024
+	config.LogOutput = io.Discard
+	return config
+}
+
+type bufferedConn struct {
+	reader *bufio.Reader
+	net.Conn
+}
+
+func (c *bufferedConn) Read(p []byte) (int, error) {
+	return c.reader.Read(p)
+}
+
+type yamuxNetListener struct {
+	session *yamux.Session
+}
+
+func (l *yamuxNetListener) Accept() (net.Conn, error) {
+	return l.session.Accept()
+}
+
+func (l *yamuxNetListener) Close() error {
+	return l.session.Close()
+}
+
+func (l *yamuxNetListener) Addr() net.Addr {
+	return l.session.Addr()
+}
+
+func (s *Service) handleReverseConnect(ctx context.Context, w http.ResponseWriter, r *http.Request) {
+	if r.Header.Get("Upgrade") != "reverse-proxy" {
+		writeJSONError(w, r, http.StatusBadRequest, "invalid_request_error", "missing Upgrade header")
+		return
+	}
+
+	authHeader := r.Header.Get("Authorization")
+	if authHeader == "" {
+		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "missing api key")
+		return
+	}
+	clientToken := strings.TrimPrefix(authHeader, "Bearer ")
+	if clientToken == authHeader {
+		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "invalid api key format")
+		return
+	}
+
+	receiverCredential := s.findReceiverCredential(clientToken)
+	if receiverCredential == nil {
+		s.logger.WarnContext(ctx, "reverse connect failed from ", r.RemoteAddr, ": no matching receiver credential")
+		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "invalid reverse token")
+		return
+	}
+
+	hijacker, ok := w.(http.Hijacker)
+	if !ok {
+		s.logger.ErrorContext(ctx, "reverse connect: hijack not supported")
+		writeJSONError(w, r, http.StatusInternalServerError, "api_error", "hijack not supported")
+		return
+	}
+
+	conn, bufferedReadWriter, err := hijacker.Hijack()
+	if err != nil {
+		s.logger.ErrorContext(ctx, "reverse connect: hijack: ", err)
+		return
+	}
+
+	response := "HTTP/1.1 101 Switching Protocols\r\nConnection: Upgrade\r\nUpgrade: reverse-proxy\r\n\r\n"
+	_, err = bufferedReadWriter.WriteString(response)
+	if err != nil {
+		conn.Close()
+		s.logger.ErrorContext(ctx, "reverse connect: write upgrade response: ", err)
+		return
+	}
+	err = bufferedReadWriter.Flush()
+	if err != nil {
+		conn.Close()
+		s.logger.ErrorContext(ctx, "reverse connect: flush upgrade response: ", err)
+		return
+	}
+
+	session, err := yamux.Client(conn, reverseYamuxConfig())
+	if err != nil {
+		conn.Close()
+		s.logger.ErrorContext(ctx, "reverse connect: create yamux client for ", receiverCredential.tagName(), ": ", err)
+		return
+	}
+
+	if !receiverCredential.setReverseSession(session) {
+		session.Close()
+		return
+	}
+	s.logger.InfoContext(ctx, "reverse connection established for ", receiverCredential.tagName(), " from ", r.RemoteAddr)
+
+	go func() {
+		<-session.CloseChan()
+		receiverCredential.clearReverseSession(session)
+		s.logger.WarnContext(ctx, "reverse connection lost for ", receiverCredential.tagName())
+	}()
+}
+
+func (s *Service) findReceiverCredential(token string) *externalCredential {
+	for _, cred := range s.allCredentials {
+		extCred, ok := cred.(*externalCredential)
+		if !ok {
+			continue
+		}
+		if extCred.baseURL == reverseProxyBaseURL && extCred.token == token {
+			return extCred
+		}
+	}
+	return nil
+}
+
+func (c *externalCredential) connectorLoop() {
+	var consecutiveFailures int
+	ctx := c.getReverseContext()
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		default:
+		}
+
+		sessionLifetime, err := c.connectorConnect(ctx)
+		if ctx.Err() != nil {
+			return
+		}
+		if sessionLifetime >= connectorBackoffResetThreshold {
+			consecutiveFailures = 0
+		}
+		consecutiveFailures++
+		backoff := connectorBackoff(consecutiveFailures)
+		c.logger.Warn("reverse connection for ", c.tag, " lost: ", err, ", reconnecting in ", backoff)
+		select {
+		case <-time.After(backoff):
+		case <-ctx.Done():
+			return
+		}
+	}
+}
+
+const connectorBackoffResetThreshold = time.Minute
+
+func connectorBackoff(failures int) time.Duration {
+	if failures > 5 {
+		failures = 5
+	}
+	base := time.Second * time.Duration(1<<failures)
+	if base > 30*time.Second {
+		base = 30 * time.Second
+	}
+	jitter := time.Duration(rand.Int64N(int64(base) / 2))
+	return base + jitter
+}
+
+func (c *externalCredential) connectorConnect(ctx context.Context) (time.Duration, error) {
+	if c.reverseService == nil {
+		return 0, E.New("reverse service not initialized")
+	}
+	destination := c.connectorResolveDestination()
+	conn, err := c.connectorDialer.DialContext(ctx, "tcp", destination)
+	if err != nil {
+		return 0, E.Cause(err, "dial")
+	}
+
+	if c.connectorTLS != nil {
+		tlsConn := stdTLS.Client(conn, c.connectorTLS.Clone())
+		err = tlsConn.HandshakeContext(ctx)
+		if err != nil {
+			conn.Close()
+			return 0, E.Cause(err, "tls handshake")
+		}
+		conn = tlsConn
+	}
+
+	upgradeRequest := "GET " + c.connectorRequestPath + " HTTP/1.1\r\n" +
+		"Host: " + c.connectorURL.Host + "\r\n" +
+		"Connection: Upgrade\r\n" +
+		"Upgrade: reverse-proxy\r\n" +
+		"Authorization: Bearer " + c.token + "\r\n" +
+		"\r\n"
+	_, err = io.WriteString(conn, upgradeRequest)
+	if err != nil {
+		conn.Close()
+		return 0, E.Cause(err, "write upgrade request")
+	}
+
+	reader := bufio.NewReader(conn)
+	statusLine, err := reader.ReadString('\n')
+	if err != nil {
+		conn.Close()
+		return 0, E.Cause(err, "read upgrade response")
+	}
+	if !strings.HasPrefix(statusLine, "HTTP/1.1 101") {
+		conn.Close()
+		return 0, E.New("unexpected upgrade response: ", strings.TrimSpace(statusLine))
+	}
+	for {
+		line, readErr := reader.ReadString('\n')
+		if readErr != nil {
+			conn.Close()
+			return 0, E.Cause(readErr, "read upgrade headers")
+		}
+		if strings.TrimSpace(line) == "" {
+			break
+		}
+	}
+
+	session, err := yamux.Server(&bufferedConn{reader: reader, Conn: conn}, reverseYamuxConfig())
+	if err != nil {
+		conn.Close()
+		return 0, E.Cause(err, "create yamux server")
+	}
+	defer session.Close()
+
+	c.logger.Info("reverse connection established for ", c.tag)
+
+	serveStart := time.Now()
+	httpServer := &http.Server{
+		Handler:     c.reverseService,
+		ReadTimeout: 0,
+		IdleTimeout: 120 * time.Second,
+	}
+	err = httpServer.Serve(&yamuxNetListener{session: session})
+	sessionLifetime := time.Since(serveStart)
+	if err != nil && !errors.Is(err, http.ErrServerClosed) && ctx.Err() == nil {
+		return sessionLifetime, E.Cause(err, "serve")
+	}
+	return sessionLifetime, E.New("connection closed")
+}
+
+func (c *externalCredential) connectorResolveDestination() M.Socksaddr {
+	return c.connectorDestination
+}

service/ccm/service.go

@@ -3,12 +3,10 @@ package ccm
 import (
 	"bytes"
 	"context"
-	stdTLS "crypto/tls"
 	"encoding/json"
 	"errors"
 	"io"
 	"mime"
-	"net"
 	"net/http"
 	"strconv"
 	"strings"
@@ -17,7 +15,6 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	boxService "github.com/sagernet/sing-box/adapter/service"
-	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/common/listener"
 	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
@@ -26,20 +23,20 @@ import (
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/ntp"
 	aTLS "github.com/sagernet/sing/common/tls"
 
 	"github.com/anthropics/anthropic-sdk-go"
 	"github.com/go-chi/chi/v5"
 	"golang.org/x/net/http2"
+	"golang.org/x/net/http2/h2c"
 )
 
 const (
 	contextWindowStandard   = 200000
 	contextWindowPremium    = 1000000
 	premiumContextThreshold = 200000
+	retryableUsageMessage   = "current credential reached its usage limit; retry the request to use another credential"
 )
 
 func RegisterService(registry *boxService.Registry) {
@@ -60,7 +57,6 @@ type errorDetails struct {
 func writeJSONError(w http.ResponseWriter, r *http.Request, statusCode int, errorType string, message string) {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(statusCode)
-
 	json.NewEncoder(w).Encode(errorResponse{
 		Type: "error",
 		Error: errorDetails{
@@ -71,6 +67,58 @@ func writeJSONError(w http.ResponseWriter, r *http.Request, statusCode int, erro
 	})
 }
 
+func hasAlternativeCredential(provider credentialProvider, currentCredential credential, filter func(credential) bool) bool {
+	if provider == nil || currentCredential == nil {
+		return false
+	}
+	for _, cred := range provider.allCredentials() {
+		if cred == currentCredential {
+			continue
+		}
+		if filter != nil && !filter(cred) {
+			continue
+		}
+		if cred.isUsable() {
+			return true
+		}
+	}
+	return false
+}
+
+func unavailableCredentialMessage(provider credentialProvider, fallback string) string {
+	if provider == nil {
+		return fallback
+	}
+	message := allCredentialsUnavailableError(provider.allCredentials()).Error()
+	if message == "all credentials unavailable" && fallback != "" {
+		return fallback
+	}
+	return message
+}
+
+func writeRetryableUsageError(w http.ResponseWriter, r *http.Request) {
+	writeJSONError(w, r, http.StatusTooManyRequests, "rate_limit_error", retryableUsageMessage)
+}
+
+func writeNonRetryableCredentialError(w http.ResponseWriter, r *http.Request, message string) {
+	writeJSONError(w, r, http.StatusBadRequest, "invalid_request_error", message)
+}
+
+func writeCredentialUnavailableError(
+	w http.ResponseWriter,
+	r *http.Request,
+	provider credentialProvider,
+	currentCredential credential,
+	filter func(credential) bool,
+	fallback string,
+) {
+	if hasAlternativeCredential(provider, currentCredential, filter) {
+		writeRetryableUsageError(w, r)
+		return
+	}
+	writeNonRetryableCredentialError(w, r, unavailableCredentialMessage(provider, fallback))
+}
+
 func isHopByHopHeader(header string) bool {
 	switch strings.ToLower(header) {
 	case "connection", "keep-alive", "proxy-authenticate", "proxy-authorization", "te", "trailers", "transfer-encoding", "upgrade", "host":
@@ -80,109 +128,111 @@ func isHopByHopHeader(header string) bool {
 	}
 }
 
+func isReverseProxyHeader(header string) bool {
+	lowerHeader := strings.ToLower(header)
+	if strings.HasPrefix(lowerHeader, "cf-") {
+		return true
+	}
+	switch lowerHeader {
+	case "cdn-loop", "true-client-ip", "x-forwarded-for", "x-forwarded-proto", "x-real-ip":
+		return true
+	default:
+		return false
+	}
+}
+
 const (
 	weeklyWindowSeconds = 604800
 	weeklyWindowMinutes = weeklyWindowSeconds / 60
 )
 
-func parseInt64Header(headers http.Header, headerName string) (int64, bool) {
-	headerValue := strings.TrimSpace(headers.Get(headerName))
-	if headerValue == "" {
-		return 0, false
-	}
-	parsedValue, parseError := strconv.ParseInt(headerValue, 10, 64)
-	if parseError != nil {
-		return 0, false
-	}
-	return parsedValue, true
-}
-
 func extractWeeklyCycleHint(headers http.Header) *WeeklyCycleHint {
-	resetAtUnix, hasResetAt := parseInt64Header(headers, "anthropic-ratelimit-unified-7d-reset")
-	if !hasResetAt || resetAtUnix <= 0 {
+	resetAt, exists := parseOptionalAnthropicResetHeader(headers, "anthropic-ratelimit-unified-7d-reset")
+	if !exists {
 		return nil
 	}
 
 	return &WeeklyCycleHint{
 		WindowMinutes: weeklyWindowMinutes,
-		ResetAt:       time.Unix(resetAtUnix, 0).UTC(),
+		ResetAt:       resetAt.UTC(),
 	}
 }
 
 type Service struct {
 	boxService.Adapter
-	ctx            context.Context
-	logger         log.ContextLogger
-	credentialPath string
-	credentials    *oauthCredentials
-	users          []option.CCMUser
-	httpClient     *http.Client
-	httpHeaders    http.Header
-	listener       *listener.Listener
-	tlsConfig      tls.ServerConfig
-	httpServer     *http.Server
-	userManager    *UserManager
-	accessMutex    sync.RWMutex
-	usageTracker   *AggregatedUsage
-	trackingGroup  sync.WaitGroup
-	shuttingDown   bool
+	ctx           context.Context
+	logger        log.ContextLogger
+	options       option.CCMServiceOptions
+	httpHeaders   http.Header
+	listener      *listener.Listener
+	tlsConfig     tls.ServerConfig
+	httpServer    *http.Server
+	userManager   *UserManager
+	trackingGroup sync.WaitGroup
+	shuttingDown  bool
+
+	// Legacy mode (single credential)
+	legacyCredential *defaultCredential
+	legacyProvider   credentialProvider
+
+	// Multi-credential mode
+	providers      map[string]credentialProvider
+	allCredentials []credential
+	userConfigMap  map[string]*option.CCMUser
 }
 
 func NewService(ctx context.Context, logger log.ContextLogger, tag string, options option.CCMServiceOptions) (adapter.Service, error) {
-	serviceDialer, err := dialer.NewWithOptions(dialer.Options{
-		Context: ctx,
-		Options: option.DialerOptions{
-			Detour: options.Detour,
-		},
-		RemoteIsDomain: true,
-	})
-	if err != nil {
-		return nil, E.Cause(err, "create dialer")
-	}
+	initCCMUserAgent(logger)
 
-	httpClient := &http.Client{
-		Transport: &http.Transport{
-			ForceAttemptHTTP2: true,
-			TLSClientConfig: &stdTLS.Config{
-				RootCAs: adapter.RootPoolFromContext(ctx),
-				Time:    ntp.TimeFuncFromContext(ctx),
-			},
-			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-				return serviceDialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
-			},
-		},
+	err := validateCCMOptions(options)
+	if err != nil {
+		return nil, E.Cause(err, "validate options")
 	}
 
 	userManager := &UserManager{
 		tokenMap: make(map[string]string),
 	}
 
-	var usageTracker *AggregatedUsage
-	if options.UsagesPath != "" {
-		usageTracker = &AggregatedUsage{
-			LastUpdated:  time.Now(),
-			Combinations: make([]CostCombination, 0),
-			filePath:     options.UsagesPath,
-			logger:       logger,
-		}
-	}
-
 	service := &Service{
-		Adapter:        boxService.NewAdapter(C.TypeCCM, tag),
-		ctx:            ctx,
-		logger:         logger,
-		credentialPath: options.CredentialPath,
-		users:          options.Users,
-		httpClient:     httpClient,
-		httpHeaders:    options.Headers.Build(),
+		Adapter:     boxService.NewAdapter(C.TypeCCM, tag),
+		ctx:         ctx,
+		logger:      logger,
+		options:     options,
+		httpHeaders: options.Headers.Build(),
 		listener: listener.New(listener.Options{
 			Context: ctx,
 			Logger:  logger,
 			Network: []string{N.NetworkTCP},
 			Listen:  options.ListenOptions,
 		}),
-		userManager:  userManager,
-		usageTracker: usageTracker,
+		userManager: userManager,
+	}
+
+	if len(options.Credentials) > 0 {
+		providers, allCredentials, err := buildCredentialProviders(ctx, options, logger)
+		if err != nil {
+			return nil, E.Cause(err, "build credential providers")
+		}
+		service.providers = providers
+		service.allCredentials = allCredentials
+
+		userConfigMap := make(map[string]*option.CCMUser)
+		for i := range options.Users {
+			userConfigMap[options.Users[i].Name] = &options.Users[i]
+		}
+		service.userConfigMap = userConfigMap
+	} else {
+		cred, err := newDefaultCredential(ctx, "default", option.CCMDefaultCredentialOptions{
+			CredentialPath: options.CredentialPath,
+			UsagesPath:     options.UsagesPath,
+			Detour:         options.Detour,
+		}, logger)
+		if err != nil {
+			return nil, err
+		}
+		service.legacyCredential = cred
+		service.legacyProvider = &singleCredentialProvider{cred: cred}
+		service.allCredentials = []credential{cred}
 	}
 
 	if options.TLS != nil {
@@ -201,28 +251,25 @@ func (s *Service) Start(stage adapter.StartStage) error {
 		return nil
 	}
 
-	s.userManager.UpdateUsers(s.users)
+	s.userManager.UpdateUsers(s.options.Users)
 
-	credentials, err := platformReadCredentials(s.credentialPath)
-	if err != nil {
-		return E.Cause(err, "read credentials")
-	}
-	s.credentials = credentials
-
-	if s.usageTracker != nil {
-		err = s.usageTracker.Load()
+	for _, cred := range s.allCredentials {
+		if extCred, ok := cred.(*externalCredential); ok && extCred.reverse && extCred.connectorURL != nil {
+			extCred.reverseService = s
+		}
+		err := cred.start()
 		if err != nil {
-			s.logger.Warn("load usage statistics: ", err)
+			return err
 		}
 	}
 
 	router := chi.NewRouter()
 	router.Mount("/", s)
 
-	s.httpServer = &http.Server{Handler: router}
+	s.httpServer = &http.Server{Handler: h2c.NewHandler(router, &http2.Server{})}
 
 	if s.tlsConfig != nil {
-		err = s.tlsConfig.Start()
+		err := s.tlsConfig.Start()
 		if err != nil {
 			return E.Cause(err, "create TLS config")
 		}
@@ -250,148 +297,257 @@ func (s *Service) Start(stage adapter.StartStage) error {
 	return nil
 }
 
-func (s *Service) getAccessToken() (string, error) {
-	s.accessMutex.RLock()
-	if !s.credentials.needsRefresh() {
-		token := s.credentials.AccessToken
-		s.accessMutex.RUnlock()
-		return token, nil
+func isExtendedContextRequest(betaHeader string) bool {
+	for _, feature := range strings.Split(betaHeader, ",") {
+		if strings.HasPrefix(strings.TrimSpace(feature), "context-1m") {
+			return true
+		}
 	}
-	s.accessMutex.RUnlock()
-
-	s.accessMutex.Lock()
-	defer s.accessMutex.Unlock()
-
-	if !s.credentials.needsRefresh() {
-		return s.credentials.AccessToken, nil
-	}
-
-	newCredentials, err := refreshToken(s.httpClient, s.credentials)
-	if err != nil {
-		return "", err
-	}
-
-	s.credentials = newCredentials
-
-	err = platformWriteCredentials(newCredentials, s.credentialPath)
-	if err != nil {
-		s.logger.Warn("persist refreshed token: ", err)
-	}
-
-	return newCredentials.AccessToken, nil
+	return false
 }
 
-func detectContextWindow(betaHeader string, inputTokens int64) int {
-	if inputTokens > premiumContextThreshold {
-		features := strings.Split(betaHeader, ",")
-		for _, feature := range features {
-			if strings.TrimSpace(feature) == "context-1m" {
-				return contextWindowPremium
-			}
+func isFastModeRequest(betaHeader string) bool {
+	for _, feature := range strings.Split(betaHeader, ",") {
+		if strings.HasPrefix(strings.TrimSpace(feature), "fast-mode") {
+			return true
+		}
+	}
+	return false
+}
+
+func detectContextWindow(betaHeader string, totalInputTokens int64) int {
+	if totalInputTokens > premiumContextThreshold {
+		if isExtendedContextRequest(betaHeader) {
+			return contextWindowPremium
 		}
 	}
 	return contextWindowStandard
 }
 
 func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctx := log.ContextWithNewID(r.Context())
+	if r.URL.Path == "/ccm/v1/status" {
+		s.handleStatusEndpoint(w, r)
+		return
+	}
+
+	if r.URL.Path == "/ccm/v1/reverse" {
+		s.handleReverseConnect(ctx, w, r)
+		return
+	}
+
 	if !strings.HasPrefix(r.URL.Path, "/v1/") {
 		writeJSONError(w, r, http.StatusNotFound, "not_found_error", "Not found")
 		return
 	}
 
 	var username string
-	if len(s.users) > 0 {
+	if len(s.options.Users) > 0 {
 		authHeader := r.Header.Get("Authorization")
 		if authHeader == "" {
-			s.logger.Warn("authentication failed for request from ", r.RemoteAddr, ": missing Authorization header")
+			s.logger.WarnContext(ctx, "authentication failed for request from ", r.RemoteAddr, ": missing Authorization header")
 			writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "missing api key")
 			return
 		}
 		clientToken := strings.TrimPrefix(authHeader, "Bearer ")
 		if clientToken == authHeader {
-			s.logger.Warn("authentication failed for request from ", r.RemoteAddr, ": invalid Authorization format")
+			s.logger.WarnContext(ctx, "authentication failed for request from ", r.RemoteAddr, ": invalid Authorization format")
 			writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "invalid api key format")
 			return
 		}
 		var ok bool
 		username, ok = s.userManager.Authenticate(clientToken)
 		if !ok {
-			s.logger.Warn("authentication failed for request from ", r.RemoteAddr, ": unknown key: ", clientToken)
+			s.logger.WarnContext(ctx, "authentication failed for request from ", r.RemoteAddr, ": unknown key: ", clientToken)
 			writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "invalid api key")
 			return
 		}
 	}
 
+	// Always read body to extract model and session ID
+	var bodyBytes []byte
 	var requestModel string
 	var messagesCount int
+	var sessionID string
 
-	if s.usageTracker != nil && r.Body != nil {
-		bodyBytes, err := io.ReadAll(r.Body)
-		if err == nil {
-			var request struct {
-				Model    string                   `json:"model"`
-				Messages []anthropic.MessageParam `json:"messages"`
-			}
-			err := json.Unmarshal(bodyBytes, &request)
-			if err == nil {
-				requestModel = request.Model
-				messagesCount = len(request.Messages)
-			}
-			r.Body = io.NopCloser(bytes.NewBuffer(bodyBytes))
+	if r.Body != nil {
+		var err error
+		bodyBytes, err = io.ReadAll(r.Body)
+		if err != nil {
+			s.logger.ErrorContext(ctx, "read request body: ", err)
+			writeJSONError(w, r, http.StatusInternalServerError, "api_error", "failed to read request body")
+			return
 		}
+
+		var request struct {
+			Model    string                   `json:"model"`
+			Messages []anthropic.MessageParam `json:"messages"`
+		}
+		err = json.Unmarshal(bodyBytes, &request)
+		if err == nil {
+			requestModel = request.Model
+			messagesCount = len(request.Messages)
+		}
+
+		sessionID = extractCCMSessionID(bodyBytes)
+		r.Body = io.NopCloser(bytes.NewReader(bodyBytes))
 	}
 
-	accessToken, err := s.getAccessToken()
-	if err != nil {
-		s.logger.Error("get access token: ", err)
-		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "Authentication failed")
+	// Resolve credential provider and user config
+	var provider credentialProvider
+	var userConfig *option.CCMUser
+	if len(s.options.Users) > 0 {
+		userConfig = s.userConfigMap[username]
+		var err error
+		provider, err = credentialForUser(s.userConfigMap, s.providers, s.legacyProvider, username)
+		if err != nil {
+			s.logger.ErrorContext(ctx, "resolve credential: ", err)
+			writeJSONError(w, r, http.StatusInternalServerError, "api_error", err.Error())
+			return
+		}
+	} else {
+		provider = noUserCredentialProvider(s.providers, s.legacyProvider, s.options)
+	}
+	if provider == nil {
+		writeJSONError(w, r, http.StatusInternalServerError, "api_error", "no credential available")
 		return
 	}
 
-	proxyURL := claudeAPIBaseURL + r.URL.RequestURI()
-	proxyRequest, err := http.NewRequestWithContext(r.Context(), r.Method, proxyURL, r.Body)
+	provider.pollIfStale(s.ctx)
+
+	anthropicBetaHeader := r.Header.Get("anthropic-beta")
+	if isFastModeRequest(anthropicBetaHeader) {
+		if _, isSingle := provider.(*singleCredentialProvider); !isSingle {
+			writeJSONError(w, r, http.StatusBadRequest, "invalid_request_error",
+				"fast mode requests will consume Extra usage, please use a default credential directly")
+			return
+		}
+	}
+
+	var credentialFilter func(credential) bool
+	if userConfig != nil && !userConfig.AllowExternalUsage {
+		credentialFilter = func(c credential) bool { return !c.isExternal() }
+	}
+
+	selectedCredential, isNew, err := provider.selectCredential(sessionID, credentialFilter)
 	if err != nil {
-		s.logger.Error("create proxy request: ", err)
+		writeNonRetryableCredentialError(w, r, unavailableCredentialMessage(provider, err.Error()))
+		return
+	}
+	if isNew {
+		logParts := []any{"assigned credential ", selectedCredential.tagName()}
+		if sessionID != "" {
+			logParts = append(logParts, " for session ", sessionID)
+		}
+		if username != "" {
+			logParts = append(logParts, " by user ", username)
+		}
+		if requestModel != "" {
+			modelDisplay := requestModel
+			if isExtendedContextRequest(anthropicBetaHeader) {
+				modelDisplay += "[1m]"
+			}
+			logParts = append(logParts, ", model=", modelDisplay)
+		}
+		s.logger.DebugContext(ctx, logParts...)
+	}
+
+	if isFastModeRequest(anthropicBetaHeader) && selectedCredential.isExternal() {
+		writeJSONError(w, r, http.StatusBadRequest, "invalid_request_error",
+			"fast mode requests cannot be proxied through external credentials")
+		return
+	}
+
+	requestContext := selectedCredential.wrapRequestContext(r.Context())
+	defer func() {
+		requestContext.cancelRequest()
+	}()
+	proxyRequest, err := selectedCredential.buildProxyRequest(requestContext, r, bodyBytes, s.httpHeaders)
+	if err != nil {
+		s.logger.ErrorContext(ctx, "create proxy request: ", err)
 		writeJSONError(w, r, http.StatusInternalServerError, "api_error", "Internal server error")
 		return
 	}
 
-	for key, values := range r.Header {
-		if !isHopByHopHeader(key) && key != "Authorization" {
-			proxyRequest.Header[key] = values
-		}
-	}
-
-	anthropicBetaHeader := proxyRequest.Header.Get("anthropic-beta")
-	if anthropicBetaHeader != "" {
-		proxyRequest.Header.Set("anthropic-beta", anthropicBetaOAuthValue+","+anthropicBetaHeader)
-	} else {
-		proxyRequest.Header.Set("anthropic-beta", anthropicBetaOAuthValue)
-	}
-
-	for key, values := range s.httpHeaders {
-		proxyRequest.Header.Del(key)
-		proxyRequest.Header[key] = values
-	}
-
-	proxyRequest.Header.Set("Authorization", "Bearer "+accessToken)
-
-	response, err := s.httpClient.Do(proxyRequest)
+	response, err := selectedCredential.httpTransport().Do(proxyRequest)
 	if err != nil {
+		if r.Context().Err() != nil {
+			return
+		}
+		if requestContext.Err() != nil {
+			writeCredentialUnavailableError(w, r, provider, selectedCredential, credentialFilter, "credential became unavailable while processing the request")
+			return
+		}
 		writeJSONError(w, r, http.StatusBadGateway, "api_error", err.Error())
 		return
 	}
+	requestContext.releaseCredentialInterrupt()
+
+	// Transparent 429 retry
+	for response.StatusCode == http.StatusTooManyRequests {
+		resetAt := parseRateLimitResetFromHeaders(response.Header)
+		nextCredential := provider.onRateLimited(sessionID, selectedCredential, resetAt, credentialFilter)
+		selectedCredential.updateStateFromHeaders(response.Header)
+		if bodyBytes == nil || nextCredential == nil {
+			response.Body.Close()
+			writeCredentialUnavailableError(w, r, provider, selectedCredential, credentialFilter, "all credentials rate-limited")
+			return
+		}
+		response.Body.Close()
+		s.logger.InfoContext(ctx, "retrying with credential ", nextCredential.tagName(), " after 429 from ", selectedCredential.tagName())
+		requestContext.cancelRequest()
+		requestContext = nextCredential.wrapRequestContext(r.Context())
+		retryRequest, buildErr := nextCredential.buildProxyRequest(requestContext, r, bodyBytes, s.httpHeaders)
+		if buildErr != nil {
+			s.logger.ErrorContext(ctx, "retry request: ", buildErr)
+			writeJSONError(w, r, http.StatusBadGateway, "api_error", buildErr.Error())
+			return
+		}
+		retryResponse, retryErr := nextCredential.httpTransport().Do(retryRequest)
+		if retryErr != nil {
+			if r.Context().Err() != nil {
+				return
+			}
+			if requestContext.Err() != nil {
+				writeCredentialUnavailableError(w, r, provider, nextCredential, credentialFilter, "credential became unavailable while retrying the request")
+				return
+			}
+			s.logger.ErrorContext(ctx, "retry request: ", retryErr)
+			writeJSONError(w, r, http.StatusBadGateway, "api_error", retryErr.Error())
+			return
+		}
+		requestContext.releaseCredentialInterrupt()
+		response = retryResponse
+		selectedCredential = nextCredential
+	}
 	defer response.Body.Close()
 
+	selectedCredential.updateStateFromHeaders(response.Header)
+
+	if response.StatusCode != http.StatusOK && response.StatusCode != http.StatusTooManyRequests {
+		body, _ := io.ReadAll(response.Body)
+		s.logger.ErrorContext(ctx, "upstream error from ", selectedCredential.tagName(), ": status ", response.StatusCode, " ", string(body))
+		go selectedCredential.pollUsage(s.ctx)
+		writeJSONError(w, r, http.StatusInternalServerError, "api_error",
+			"proxy request (status "+strconv.Itoa(response.StatusCode)+"): "+string(body))
+		return
+	}
+
+	// Rewrite response headers for external users
+	if userConfig != nil && userConfig.ExternalCredential != "" {
+		s.rewriteResponseHeadersForExternalUser(response.Header, userConfig)
+	}
+
 	for key, values := range response.Header {
-		if !isHopByHopHeader(key) {
+		if !isHopByHopHeader(key) && !isReverseProxyHeader(key) {
 			w.Header()[key] = values
 		}
 	}
 	w.WriteHeader(response.StatusCode)
 
-	if s.usageTracker != nil && response.StatusCode == http.StatusOK {
-		s.handleResponseWithTracking(w, response, requestModel, anthropicBetaHeader, messagesCount, username)
+	usageTracker := selectedCredential.usageTrackerOrNil()
+	if usageTracker != nil && response.StatusCode == http.StatusOK {
+		s.handleResponseWithTracking(ctx, w, response, usageTracker, requestModel, anthropicBetaHeader, messagesCount, username)
 	} else {
 		mediaType, _, err := mime.ParseMediaType(response.Header.Get("Content-Type"))
 		if err == nil && mediaType != "text/event-stream" {
@@ -400,7 +556,7 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 		flusher, ok := w.(http.Flusher)
 		if !ok {
-			s.logger.Error("streaming not supported")
+			s.logger.ErrorContext(ctx, "streaming not supported")
 			return
 		}
 		buffer := make([]byte, buf.BufferSize)
@@ -409,7 +565,7 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			if n > 0 {
 				_, writeError := w.Write(buffer[:n])
 				if writeError != nil {
-					s.logger.Error("write streaming response: ", writeError)
+					s.logger.ErrorContext(ctx, "write streaming response: ", writeError)
 					return
 				}
 				flusher.Flush()
@@ -421,7 +577,7 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, response *http.Response, requestModel string, anthropicBetaHeader string, messagesCount int, username string) {
+func (s *Service) handleResponseWithTracking(ctx context.Context, writer http.ResponseWriter, response *http.Response, usageTracker *AggregatedUsage, requestModel string, anthropicBetaHeader string, messagesCount int, username string) {
 	weeklyCycleHint := extractWeeklyCycleHint(response.Header)
 	mediaType, _, err := mime.ParseMediaType(response.Header.Get("Content-Type"))
 	isStreaming := err == nil && mediaType == "text/event-stream"
@@ -429,7 +585,7 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 	if !isStreaming {
 		bodyBytes, err := io.ReadAll(response.Body)
 		if err != nil {
-			s.logger.Error("read response body: ", err)
+			s.logger.ErrorContext(ctx, "read response body: ", err)
 			return
 		}
 
@@ -447,8 +603,9 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 
 		if usage.InputTokens > 0 || usage.OutputTokens > 0 {
 			if responseModel != "" {
-				contextWindow := detectContextWindow(anthropicBetaHeader, usage.InputTokens)
-				s.usageTracker.AddUsageWithCycleHint(
+				totalInputTokens := usage.InputTokens + usage.CacheCreationInputTokens + usage.CacheReadInputTokens
+				contextWindow := detectContextWindow(anthropicBetaHeader, totalInputTokens)
+				usageTracker.AddUsageWithCycleHint(
 					responseModel,
 					contextWindow,
 					messagesCount,
@@ -471,7 +628,7 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 
 	flusher, ok := writer.(http.Flusher)
 	if !ok {
-		s.logger.Error("streaming not supported")
+		s.logger.ErrorContext(ctx, "streaming not supported")
 		return
 	}
 
@@ -534,7 +691,7 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 
 			_, writeError := writer.Write(buffer[:n])
 			if writeError != nil {
-				s.logger.Error("write streaming response: ", writeError)
+				s.logger.ErrorContext(ctx, "write streaming response: ", writeError)
 				return
 			}
 			flusher.Flush()
@@ -547,8 +704,9 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 
 			if accumulatedUsage.InputTokens > 0 || accumulatedUsage.OutputTokens > 0 {
 				if responseModel != "" {
-					contextWindow := detectContextWindow(anthropicBetaHeader, accumulatedUsage.InputTokens)
-					s.usageTracker.AddUsageWithCycleHint(
+					totalInputTokens := accumulatedUsage.InputTokens + accumulatedUsage.CacheCreationInputTokens + accumulatedUsage.CacheReadInputTokens
+					contextWindow := detectContextWindow(anthropicBetaHeader, totalInputTokens)
+					usageTracker.AddUsageWithCycleHint(
 						responseModel,
 						contextWindow,
 						messagesCount,
@@ -569,6 +727,120 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 	}
 }
 
+func (s *Service) handleStatusEndpoint(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		writeJSONError(w, r, http.StatusMethodNotAllowed, "invalid_request_error", "method not allowed")
+		return
+	}
+
+	if len(s.options.Users) == 0 {
+		writeJSONError(w, r, http.StatusForbidden, "authentication_error", "status endpoint requires user authentication")
+		return
+	}
+
+	authHeader := r.Header.Get("Authorization")
+	if authHeader == "" {
+		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "missing api key")
+		return
+	}
+	clientToken := strings.TrimPrefix(authHeader, "Bearer ")
+	if clientToken == authHeader {
+		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "invalid api key format")
+		return
+	}
+	username, ok := s.userManager.Authenticate(clientToken)
+	if !ok {
+		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "invalid api key")
+		return
+	}
+
+	userConfig := s.userConfigMap[username]
+	if userConfig == nil {
+		writeJSONError(w, r, http.StatusInternalServerError, "api_error", "user config not found")
+		return
+	}
+
+	provider, err := credentialForUser(s.userConfigMap, s.providers, s.legacyProvider, username)
+	if err != nil {
+		writeJSONError(w, r, http.StatusInternalServerError, "api_error", err.Error())
+		return
+	}
+
+	provider.pollIfStale(r.Context())
+	avgFiveHour, avgWeekly, totalWeight := s.computeAggregatedUtilization(provider, userConfig)
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	json.NewEncoder(w).Encode(map[string]float64{
+		"five_hour_utilization": avgFiveHour,
+		"weekly_utilization":    avgWeekly,
+		"plan_weight":           totalWeight,
+	})
+}
+
+func (s *Service) computeAggregatedUtilization(provider credentialProvider, userConfig *option.CCMUser) (float64, float64, float64) {
+	var totalWeightedRemaining5h, totalWeightedRemainingWeekly, totalWeight float64
+	for _, cred := range provider.allCredentials() {
+		if !cred.isAvailable() {
+			continue
+		}
+		if userConfig.ExternalCredential != "" && cred.tagName() == userConfig.ExternalCredential {
+			continue
+		}
+		if !userConfig.AllowExternalUsage && cred.isExternal() {
+			continue
+		}
+		weight := cred.planWeight()
+		remaining5h := cred.fiveHourCap() - cred.fiveHourUtilization()
+		if remaining5h < 0 {
+			remaining5h = 0
+		}
+		remainingWeekly := cred.weeklyCap() - cred.weeklyUtilization()
+		if remainingWeekly < 0 {
+			remainingWeekly = 0
+		}
+		totalWeightedRemaining5h += remaining5h * weight
+		totalWeightedRemainingWeekly += remainingWeekly * weight
+		totalWeight += weight
+	}
+	if totalWeight == 0 {
+		return 100, 100, 0
+	}
+	return 100 - totalWeightedRemaining5h/totalWeight,
+		100 - totalWeightedRemainingWeekly/totalWeight,
+		totalWeight
+}
+
+func (s *Service) rewriteResponseHeadersForExternalUser(headers http.Header, userConfig *option.CCMUser) {
+	provider, err := credentialForUser(s.userConfigMap, s.providers, s.legacyProvider, userConfig.Name)
+	if err != nil {
+		return
+	}
+
+	avgFiveHour, avgWeekly, totalWeight := s.computeAggregatedUtilization(provider, userConfig)
+
+	// Rewrite utilization headers to aggregated average (convert back to 0.0-1.0 range)
+	headers.Set("anthropic-ratelimit-unified-5h-utilization", strconv.FormatFloat(avgFiveHour/100, 'f', 6, 64))
+	headers.Set("anthropic-ratelimit-unified-7d-utilization", strconv.FormatFloat(avgWeekly/100, 'f', 6, 64))
+	if totalWeight > 0 {
+		headers.Set("X-CCM-Plan-Weight", strconv.FormatFloat(totalWeight, 'f', -1, 64))
+	}
+}
+
+func (s *Service) InterfaceUpdated() {
+	for _, cred := range s.allCredentials {
+		extCred, ok := cred.(*externalCredential)
+		if !ok {
+			continue
+		}
+		if extCred.reverse && extCred.connectorURL != nil {
+			extCred.reverseService = s
+			extCred.resetReverseContext()
+			go extCred.connectorLoop()
+		}
+	}
+}
+
 func (s *Service) Close() error {
 	err := common.Close(
 		common.PtrOrNil(s.httpServer),
@@ -576,12 +848,8 @@ func (s *Service) Close() error {
 		s.tlsConfig,
 	)
 
-	if s.usageTracker != nil {
-		s.usageTracker.cancelPendingSave()
-		saveErr := s.usageTracker.Save()
-		if saveErr != nil {
-			s.logger.Error("save usage statistics: ", saveErr)
-		}
+	for _, cred := range s.allCredentials {
+		cred.close()
 	}
 
 	return err

service/ccm/service_usage.go

@@ -65,9 +65,10 @@ type CostCombinationJSON struct {
 }
 
 type CostsSummaryJSON struct {
-	TotalUSD float64            `json:"total_usd"`
-	ByUser   map[string]float64 `json:"by_user"`
-	ByWeek   map[string]float64 `json:"by_week,omitempty"`
+	TotalUSD      float64                       `json:"total_usd"`
+	ByUser        map[string]float64            `json:"by_user"`
+	ByWeek        map[string]float64            `json:"by_week,omitempty"`
+	ByUserAndWeek map[string]map[string]float64 `json:"by_user_and_week,omitempty"`
 }
 
 type AggregatedUsageJSON struct {
@@ -492,6 +493,31 @@ func buildByWeekCost(combinations []CostCombination) map[string]float64 {
 	return byWeek
 }
 
+func buildByUserAndWeekCost(combinations []CostCombination) map[string]map[string]float64 {
+	byUserAndWeek := make(map[string]map[string]float64)
+	for _, combination := range combinations {
+		if combination.WeekStartUnix <= 0 {
+			continue
+		}
+		weekStartAt := time.Unix(combination.WeekStartUnix, 0).UTC()
+		weekKey := formatWeekStartKey(weekStartAt)
+		for user, userStats := range combination.ByUser {
+			userWeeks, exists := byUserAndWeek[user]
+			if !exists {
+				userWeeks = make(map[string]float64)
+				byUserAndWeek[user] = userWeeks
+			}
+			userWeeks[weekKey] += calculateCost(userStats, combination.Model, combination.ContextWindow)
+		}
+	}
+	for _, weekCosts := range byUserAndWeek {
+		for weekKey, cost := range weekCosts {
+			weekCosts[weekKey] = roundCost(cost)
+		}
+	}
+	return byUserAndWeek
+}
+
 func deriveWeekStartUnix(cycleHint *WeeklyCycleHint) int64 {
 	if cycleHint == nil || cycleHint.WindowMinutes <= 0 || cycleHint.ResetAt.IsZero() {
 		return 0
@@ -522,6 +548,11 @@ func (u *AggregatedUsage) ToJSON() *AggregatedUsageJSON {
 		result.Costs.ByWeek = nil
 	}
 
+	result.Costs.ByUserAndWeek = buildByUserAndWeekCost(u.Combinations)
+	if len(result.Costs.ByUserAndWeek) == 0 {
+		result.Costs.ByUserAndWeek = nil
+	}
+
 	for user, cost := range result.Costs.ByUser {
 		result.Costs.ByUser[user] = roundCost(cost)
 	}

service/derp/service.go

@@ -1,3 +1,5 @@
+//go:build with_gvisor
+
 package derp
 
 import (

service/ocm/credential.go

@@ -2,6 +2,7 @@ package ocm
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"io"
 	"net/http"
@@ -55,6 +56,14 @@ func readCredentialsFromFile(path string) (*oauthCredentials, error) {
 	return &credentials, nil
 }
 
+func checkCredentialFileWritable(path string) error {
+	file, err := os.OpenFile(path, os.O_WRONLY, 0)
+	if err != nil {
+		return err
+	}
+	return file.Close()
+}
+
 func writeCredentialsToFile(credentials *oauthCredentials, path string) error {
 	data, err := json.MarshalIndent(credentials, "", "  ")
 	if err != nil {
@@ -110,7 +119,7 @@ func (c *oauthCredentials) needsRefresh() bool {
 	return time.Since(*c.LastRefresh) >= time.Duration(tokenRefreshIntervalDays)*24*time.Hour
 }
 
-func refreshToken(httpClient *http.Client, credentials *oauthCredentials) (*oauthCredentials, error) {
+func refreshToken(ctx context.Context, httpClient *http.Client, credentials *oauthCredentials) (*oauthCredentials, error) {
 	if credentials.Tokens == nil || credentials.Tokens.RefreshToken == "" {
 		return nil, E.New("refresh token is empty")
 	}
@@ -125,19 +134,24 @@ func refreshToken(httpClient *http.Client, credentials *oauthCredentials) (*oaut
 		return nil, E.Cause(err, "marshal request")
 	}
 
-	request, err := http.NewRequest("POST", oauth2TokenURL, bytes.NewReader(requestBody))
-	if err != nil {
-		return nil, err
-	}
-	request.Header.Set("Content-Type", "application/json")
-	request.Header.Set("Accept", "application/json")
-
-	response, err := httpClient.Do(request)
+	response, err := doHTTPWithRetry(ctx, httpClient, func() (*http.Request, error) {
+		request, err := http.NewRequest("POST", oauth2TokenURL, bytes.NewReader(requestBody))
+		if err != nil {
+			return nil, err
+		}
+		request.Header.Set("Content-Type", "application/json")
+		request.Header.Set("Accept", "application/json")
+		return request, nil
+	})
 	if err != nil {
 		return nil, err
 	}
 	defer response.Body.Close()
 
+	if response.StatusCode == http.StatusTooManyRequests {
+		body, _ := io.ReadAll(response.Body)
+		return nil, E.New("refresh rate limited: ", response.Status, " ", string(body))
+	}
 	if response.StatusCode != http.StatusOK {
 		body, _ := io.ReadAll(response.Body)
 		return nil, E.New("refresh failed: ", response.Status, " ", string(body))
@@ -171,3 +185,41 @@ func refreshToken(httpClient *http.Client, credentials *oauthCredentials) (*oaut
 
 	return &newCredentials, nil
 }
+
+func cloneCredentials(credentials *oauthCredentials) *oauthCredentials {
+	if credentials == nil {
+		return nil
+	}
+	cloned := *credentials
+	if credentials.Tokens != nil {
+		clonedTokens := *credentials.Tokens
+		cloned.Tokens = &clonedTokens
+	}
+	if credentials.LastRefresh != nil {
+		lastRefresh := *credentials.LastRefresh
+		cloned.LastRefresh = &lastRefresh
+	}
+	return &cloned
+}
+
+func credentialsEqual(left *oauthCredentials, right *oauthCredentials) bool {
+	if left == nil || right == nil {
+		return left == right
+	}
+	if left.APIKey != right.APIKey {
+		return false
+	}
+	if (left.Tokens == nil) != (right.Tokens == nil) {
+		return false
+	}
+	if left.Tokens != nil && *left.Tokens != *right.Tokens {
+		return false
+	}
+	if (left.LastRefresh == nil) != (right.LastRefresh == nil) {
+		return false
+	}
+	if left.LastRefresh != nil && !left.LastRefresh.Equal(*right.LastRefresh) {
+		return false
+	}
+	return true
+}