ccm,ocm: add request ID context to HTTP request logging

service/ocm: add default OpenAI-Beta header and log websocket error body
The upstream OpenAI WebSocket endpoint requires the OpenAI-Beta: responses_websockets=2026-02-06 header. Set it automatically when the client doesn't provide it. Also capture and log the response body on non-429 WebSocket handshake failures to surface the actual error from upstream.
2026-04-12 01:57:18 +10:00 · 2026-03-14 16:14:24 +08:00 · 2026-03-14 16:07:58 +08:00 · 2026-03-14 15:58:33 +08:00 · 2026-03-14 15:52:27 +08:00 · 2026-03-14 15:44:04 +08:00
225 changed files with 8694 additions and 8829 deletions
--- a/.fpm_systemd
+++ b/.fpm_systemd
@@ -4,7 +4,6 @@
 --license GPL-3.0-or-later
 --description "The universal proxy platform."
 --url "https://sing-box.sagernet.org/"
--vendor SagerNet
 --maintainer "nekohasekai <contact-git@sekai.icu>"
 --deb-field "Bug: https://github.com/SagerNet/sing-box/issues"
 --no-deb-generate-changes
--- a/.github/detect_track.sh
+++ b/.github/detect_track.sh
@@ -1,33 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-branches=$(git branch -r --contains HEAD)
-if echo "$branches" | grep -q 'origin/stable'; then
-  track=stable
-elif echo "$branches" | grep -q 'origin/testing'; then
-  track=testing
-elif echo "$branches" | grep -q 'origin/oldstable'; then
-  track=oldstable
-else
-  echo "ERROR: HEAD is not on any known release branch (stable/testing/oldstable)" >&2
-  exit 1
-fi
-
-if [[ "$track" == "stable" ]]; then
-  tag=$(git describe --tags --exact-match HEAD 2>/dev/null || true)
-  if [[ -n "$tag" && "$tag" == *"-"* ]]; then
-    track=beta
-  fi
-fi
-
-case "$track" in
-  stable)    name=sing-box;           docker_tag=latest ;;
-  beta)      name=sing-box-beta;      docker_tag=latest-beta ;;
-  testing)   name=sing-box-testing;   docker_tag=latest-testing ;;
-  oldstable) name=sing-box-oldstable; docker_tag=latest-oldstable ;;
-esac
-
-echo "track=${track} name=${name} docker_tag=${docker_tag}" >&2
-echo "TRACK=${track}" >> "$GITHUB_ENV"
-echo "NAME=${name}" >> "$GITHUB_ENV"
-echo "DOCKER_TAG=${docker_tag}" >> "$GITHUB_ENV"
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -19,6 +19,7 @@ env:
 jobs:
  build_binary:
    name: Build binary
+    if: github.event_name != 'release' || github.event.release.target_commitish != 'oldstable'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: true
@@ -259,13 +260,13 @@ jobs:
          fi
          echo "ref=$ref"
          echo "ref=$ref" >> $GITHUB_OUTPUT
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-        with:
-          ref: ${{ steps.ref.outputs.ref }}
-          fetch-depth: 0
-      - name: Detect track
-        run: bash .github/detect_track.sh
+          if [[ $ref == *"-"* ]]; then
+            latest=latest-beta
+          else
+            latest=latest
+          fi
+          echo "latest=$latest"
+          echo "latest=$latest" >> $GITHUB_OUTPUT
      - name: Download digests
        uses: actions/download-artifact@v5
        with:
@@ -285,11 +286,11 @@ jobs:
        working-directory: /tmp/digests
        run: |
          docker buildx imagetools create \
-            -t "${{ env.REGISTRY_IMAGE }}:${{ env.DOCKER_TAG }}" \
+            -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.latest }}" \
            -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}" \
            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
      - name: Inspect image
        if: github.event_name != 'push'
        run: |
-          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ env.DOCKER_TAG }}
+          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.latest }}
          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -11,6 +11,11 @@ on:
        description: "Version name"
        required: true
        type: string
+      forceBeta:
+        description: "Force beta"
+        required: false
+        type: boolean
+        default: false
  release:
    types:
      - published
@@ -18,6 +23,7 @@ on:
 jobs:
  calculate_version:
    name: Calculate version
+    if: github.event_name != 'release' || github.event.release.target_commitish != 'oldstable'
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.outputs.outputs.version }}
@@ -162,8 +168,14 @@ jobs:
      - name: Set mtime
        run: |-
          TZ=UTC touch -t '197001010000' dist/sing-box
-      - name: Detect track
-        run: bash .github/detect_track.sh
+      - name: Set name
+        if: (! contains(needs.calculate_version.outputs.version, '-')) && !inputs.forceBeta
+        run: |-
+          echo "NAME=sing-box" >> "$GITHUB_ENV"
+      - name: Set beta name
+        if: contains(needs.calculate_version.outputs.version, '-') || inputs.forceBeta
+        run: |-
+          echo "NAME=sing-box-beta" >> "$GITHUB_ENV"
      - name: Set version
        run: |-
          PKG_VERSION="${{ needs.calculate_version.outputs.version }}"
--- a/adapter/certificate/adapter.go
+++ b/adapter/certificate/adapter.go
@@ -1,21 +0,0 @@
-package certificate
-
-type Adapter struct {
-	providerType string
-	providerTag  string
-}
-
-func NewAdapter(providerType string, providerTag string) Adapter {
-	return Adapter{
-		providerType: providerType,
-		providerTag:  providerTag,
-	}
-}
-
-func (a *Adapter) Type() string {
-	return a.providerType
-}
-
-func (a *Adapter) Tag() string {
-	return a.providerTag
-}
--- a/adapter/certificate/manager.go
+++ b/adapter/certificate/manager.go
@@ -1,158 +0,0 @@
-package certificate
-
-import (
-	"context"
-	"os"
-	"sync"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/taskmonitor"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	F "github.com/sagernet/sing/common/format"
-)
-
-var _ adapter.CertificateProviderManager = (*Manager)(nil)
-
-type Manager struct {
-	logger        log.ContextLogger
-	registry      adapter.CertificateProviderRegistry
-	access        sync.Mutex
-	started       bool
-	stage         adapter.StartStage
-	providers     []adapter.CertificateProviderService
-	providerByTag map[string]adapter.CertificateProviderService
-}
-
-func NewManager(logger log.ContextLogger, registry adapter.CertificateProviderRegistry) *Manager {
-	return &Manager{
-		logger:        logger,
-		registry:      registry,
-		providerByTag: make(map[string]adapter.CertificateProviderService),
-	}
-}
-
-func (m *Manager) Start(stage adapter.StartStage) error {
-	m.access.Lock()
-	if m.started && m.stage >= stage {
-		panic("already started")
-	}
-	m.started = true
-	m.stage = stage
-	providers := m.providers
-	m.access.Unlock()
-	for _, provider := range providers {
-		name := "certificate-provider/" + provider.Type() + "[" + provider.Tag() + "]"
-		m.logger.Trace(stage, " ", name)
-		startTime := time.Now()
-		err := adapter.LegacyStart(provider, stage)
-		if err != nil {
-			return E.Cause(err, stage, " ", name)
-		}
-		m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
-	}
-	return nil
-}
-
-func (m *Manager) Close() error {
-	m.access.Lock()
-	defer m.access.Unlock()
-	if !m.started {
-		return nil
-	}
-	m.started = false
-	providers := m.providers
-	m.providers = nil
-	monitor := taskmonitor.New(m.logger, C.StopTimeout)
-	var err error
-	for _, provider := range providers {
-		name := "certificate-provider/" + provider.Type() + "[" + provider.Tag() + "]"
-		m.logger.Trace("close ", name)
-		startTime := time.Now()
-		monitor.Start("close ", name)
-		err = E.Append(err, provider.Close(), func(err error) error {
-			return E.Cause(err, "close ", name)
-		})
-		monitor.Finish()
-		m.logger.Trace("close ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
-	}
-	return err
-}
-
-func (m *Manager) CertificateProviders() []adapter.CertificateProviderService {
-	m.access.Lock()
-	defer m.access.Unlock()
-	return m.providers
-}
-
-func (m *Manager) Get(tag string) (adapter.CertificateProviderService, bool) {
-	m.access.Lock()
-	provider, found := m.providerByTag[tag]
-	m.access.Unlock()
-	return provider, found
-}
-
-func (m *Manager) Remove(tag string) error {
-	m.access.Lock()
-	provider, found := m.providerByTag[tag]
-	if !found {
-		m.access.Unlock()
-		return os.ErrInvalid
-	}
-	delete(m.providerByTag, tag)
-	index := common.Index(m.providers, func(it adapter.CertificateProviderService) bool {
-		return it == provider
-	})
-	if index == -1 {
-		panic("invalid certificate provider index")
-	}
-	m.providers = append(m.providers[:index], m.providers[index+1:]...)
-	started := m.started
-	m.access.Unlock()
-	if started {
-		return provider.Close()
-	}
-	return nil
-}
-
-func (m *Manager) Create(ctx context.Context, logger log.ContextLogger, tag string, providerType string, options any) error {
-	provider, err := m.registry.Create(ctx, logger, tag, providerType, options)
-	if err != nil {
-		return err
-	}
-	m.access.Lock()
-	defer m.access.Unlock()
-	if m.started {
-		name := "certificate-provider/" + provider.Type() + "[" + provider.Tag() + "]"
-		for _, stage := range adapter.ListStartStages {
-			m.logger.Trace(stage, " ", name)
-			startTime := time.Now()
-			err = adapter.LegacyStart(provider, stage)
-			if err != nil {
-				return E.Cause(err, stage, " ", name)
-			}
-			m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
-		}
-	}
-	if existsProvider, loaded := m.providerByTag[tag]; loaded {
-		if m.started {
-			err = existsProvider.Close()
-			if err != nil {
-				return E.Cause(err, "close certificate-provider/", existsProvider.Type(), "[", existsProvider.Tag(), "]")
-			}
-		}
-		existsIndex := common.Index(m.providers, func(it adapter.CertificateProviderService) bool {
-			return it == existsProvider
-		})
-		if existsIndex == -1 {
-			panic("invalid certificate provider index")
-		}
-		m.providers = append(m.providers[:existsIndex], m.providers[existsIndex+1:]...)
-	}
-	m.providers = append(m.providers, provider)
-	m.providerByTag[tag] = provider
-	return nil
-}
--- a/adapter/certificate/registry.go
+++ b/adapter/certificate/registry.go
@@ -1,72 +0,0 @@
-package certificate
-
-import (
-	"context"
-	"sync"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-type ConstructorFunc[T any] func(ctx context.Context, logger log.ContextLogger, tag string, options T) (adapter.CertificateProviderService, error)
-
-func Register[Options any](registry *Registry, providerType string, constructor ConstructorFunc[Options]) {
-	registry.register(providerType, func() any {
-		return new(Options)
-	}, func(ctx context.Context, logger log.ContextLogger, tag string, rawOptions any) (adapter.CertificateProviderService, error) {
-		var options *Options
-		if rawOptions != nil {
-			options = rawOptions.(*Options)
-		}
-		return constructor(ctx, logger, tag, common.PtrValueOrDefault(options))
-	})
-}
-
-var _ adapter.CertificateProviderRegistry = (*Registry)(nil)
-
-type (
-	optionsConstructorFunc func() any
-	constructorFunc        func(ctx context.Context, logger log.ContextLogger, tag string, options any) (adapter.CertificateProviderService, error)
-)
-
-type Registry struct {
-	access      sync.Mutex
-	optionsType map[string]optionsConstructorFunc
-	constructor map[string]constructorFunc
-}
-
-func NewRegistry() *Registry {
-	return &Registry{
-		optionsType: make(map[string]optionsConstructorFunc),
-		constructor: make(map[string]constructorFunc),
-	}
-}
-
-func (m *Registry) CreateOptions(providerType string) (any, bool) {
-	m.access.Lock()
-	defer m.access.Unlock()
-	optionsConstructor, loaded := m.optionsType[providerType]
-	if !loaded {
-		return nil, false
-	}
-	return optionsConstructor(), true
-}
-
-func (m *Registry) Create(ctx context.Context, logger log.ContextLogger, tag string, providerType string, options any) (adapter.CertificateProviderService, error) {
-	m.access.Lock()
-	defer m.access.Unlock()
-	constructor, loaded := m.constructor[providerType]
-	if !loaded {
-		return nil, E.New("certificate provider type not found: " + providerType)
-	}
-	return constructor(ctx, logger, tag, options)
-}
-
-func (m *Registry) register(providerType string, optionsConstructor optionsConstructorFunc, constructor constructorFunc) {
-	m.access.Lock()
-	defer m.access.Unlock()
-	m.optionsType[providerType] = optionsConstructor
-	m.constructor[providerType] = constructor
-}
--- a/adapter/certificate_provider.go
+++ b/adapter/certificate_provider.go
@@ -1,38 +0,0 @@
-package adapter
-
-import (
-	"context"
-	"crypto/tls"
-
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-)
-
-type CertificateProvider interface {
-	GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error)
-}
-
-type ACMECertificateProvider interface {
-	CertificateProvider
-	GetACMENextProtos() []string
-}
-
-type CertificateProviderService interface {
-	Lifecycle
-	Type() string
-	Tag() string
-	CertificateProvider
-}
-
-type CertificateProviderRegistry interface {
-	option.CertificateProviderOptionsRegistry
-	Create(ctx context.Context, logger log.ContextLogger, tag string, providerType string, options any) (CertificateProviderService, error)
-}
-
-type CertificateProviderManager interface {
-	Lifecycle
-	CertificateProviders() []CertificateProviderService
-	Get(tag string) (CertificateProviderService, bool)
-	Remove(tag string) error
-	Create(ctx context.Context, logger log.ContextLogger, tag string, providerType string, options any) error
-}
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -104,10 +104,6 @@ type InboundContext struct {
 func (c *InboundContext) ResetRuleCache() {
 	c.IPCIDRMatchSource = false
 	c.IPCIDRAcceptEmpty = false
-	c.ResetRuleMatchCache()
-}
-
-func (c *InboundContext) ResetRuleMatchCache() {
 	c.SourceAddressMatch = false
 	c.SourcePortMatch = false
 	c.DestinationAddressMatch = false
--- a/adapter/platform.go
+++ b/adapter/platform.go
@@ -51,11 +51,11 @@ type FindConnectionOwnerRequest struct {
 }

 type ConnectionOwner struct {
-	ProcessID           uint32
-	UserId              int32
-	UserName            string
-	ProcessPath         string
-	AndroidPackageNames []string
+	ProcessID          uint32
+	UserId             int32
+	UserName           string
+	ProcessPath        string
+	AndroidPackageName string
 }

 type Notification struct {
--- a/box.go
+++ b/box.go
@@ -9,7 +9,6 @@ import (
 	"time"

 	"github.com/sagernet/sing-box/adapter"
-	boxCertificate "github.com/sagernet/sing-box/adapter/certificate"
 	"github.com/sagernet/sing-box/adapter/endpoint"
 	"github.com/sagernet/sing-box/adapter/inbound"
 	"github.com/sagernet/sing-box/adapter/outbound"
@@ -38,21 +37,20 @@ import (
 var _ adapter.SimpleLifecycle = (*Box)(nil)

 type Box struct {
-	createdAt           time.Time
-	logFactory          log.Factory
-	logger              log.ContextLogger
-	network             *route.NetworkManager
-	endpoint            *endpoint.Manager
-	inbound             *inbound.Manager
-	outbound            *outbound.Manager
-	service             *boxService.Manager
-	certificateProvider *boxCertificate.Manager
-	dnsTransport        *dns.TransportManager
-	dnsRouter           *dns.Router
-	connection          *route.ConnectionManager
-	router              *route.Router
-	internalService     []adapter.LifecycleService
-	done                chan struct{}
+	createdAt       time.Time
+	logFactory      log.Factory
+	logger          log.ContextLogger
+	network         *route.NetworkManager
+	endpoint        *endpoint.Manager
+	inbound         *inbound.Manager
+	outbound        *outbound.Manager
+	service         *boxService.Manager
+	dnsTransport    *dns.TransportManager
+	dnsRouter       *dns.Router
+	connection      *route.ConnectionManager
+	router          *route.Router
+	internalService []adapter.LifecycleService
+	done            chan struct{}
 }

 type Options struct {
@@ -68,7 +66,6 @@ func Context(
 	endpointRegistry adapter.EndpointRegistry,
 	dnsTransportRegistry adapter.DNSTransportRegistry,
 	serviceRegistry adapter.ServiceRegistry,
-	certificateProviderRegistry adapter.CertificateProviderRegistry,
 ) context.Context {
 	if service.FromContext[option.InboundOptionsRegistry](ctx) == nil ||
 		service.FromContext[adapter.InboundRegistry](ctx) == nil {
@@ -93,10 +90,6 @@ func Context(
 		ctx = service.ContextWith[option.ServiceOptionsRegistry](ctx, serviceRegistry)
 		ctx = service.ContextWith[adapter.ServiceRegistry](ctx, serviceRegistry)
 	}
-	if service.FromContext[adapter.CertificateProviderRegistry](ctx) == nil {
-		ctx = service.ContextWith[option.CertificateProviderOptionsRegistry](ctx, certificateProviderRegistry)
-		ctx = service.ContextWith[adapter.CertificateProviderRegistry](ctx, certificateProviderRegistry)
-	}
 	return ctx
 }

@@ -113,7 +106,6 @@ func New(options Options) (*Box, error) {
 	outboundRegistry := service.FromContext[adapter.OutboundRegistry](ctx)
 	dnsTransportRegistry := service.FromContext[adapter.DNSTransportRegistry](ctx)
 	serviceRegistry := service.FromContext[adapter.ServiceRegistry](ctx)
-	certificateProviderRegistry := service.FromContext[adapter.CertificateProviderRegistry](ctx)

 	if endpointRegistry == nil {
 		return nil, E.New("missing endpoint registry in context")
@@ -130,9 +122,6 @@ func New(options Options) (*Box, error) {
 	if serviceRegistry == nil {
 		return nil, E.New("missing service registry in context")
 	}
-	if certificateProviderRegistry == nil {
-		return nil, E.New("missing certificate provider registry in context")
-	}

 	ctx = pause.WithDefaultManager(ctx)
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
@@ -190,13 +179,11 @@ func New(options Options) (*Box, error) {
 	outboundManager := outbound.NewManager(logFactory.NewLogger("outbound"), outboundRegistry, endpointManager, routeOptions.Final)
 	dnsTransportManager := dns.NewTransportManager(logFactory.NewLogger("dns/transport"), dnsTransportRegistry, outboundManager, dnsOptions.Final)
 	serviceManager := boxService.NewManager(logFactory.NewLogger("service"), serviceRegistry)
-	certificateProviderManager := boxCertificate.NewManager(logFactory.NewLogger("certificate-provider"), certificateProviderRegistry)
 	service.MustRegister[adapter.EndpointManager](ctx, endpointManager)
 	service.MustRegister[adapter.InboundManager](ctx, inboundManager)
 	service.MustRegister[adapter.OutboundManager](ctx, outboundManager)
 	service.MustRegister[adapter.DNSTransportManager](ctx, dnsTransportManager)
 	service.MustRegister[adapter.ServiceManager](ctx, serviceManager)
-	service.MustRegister[adapter.CertificateProviderManager](ctx, certificateProviderManager)
 	dnsRouter := dns.NewRouter(ctx, logFactory, dnsOptions)
 	service.MustRegister[adapter.DNSRouter](ctx, dnsRouter)
 	networkManager, err := route.NewNetworkManager(ctx, logFactory.NewLogger("network"), routeOptions, dnsOptions)
@@ -285,24 +272,6 @@ func New(options Options) (*Box, error) {
 			return nil, E.Cause(err, "initialize inbound[", i, "]")
 		}
 	}
-	for i, serviceOptions := range options.Services {
-		var tag string
-		if serviceOptions.Tag != "" {
-			tag = serviceOptions.Tag
-		} else {
-			tag = F.ToString(i)
-		}
-		err = serviceManager.Create(
-			ctx,
-			logFactory.NewLogger(F.ToString("service/", serviceOptions.Type, "[", tag, "]")),
-			tag,
-			serviceOptions.Type,
-			serviceOptions.Options,
-		)
-		if err != nil {
-			return nil, E.Cause(err, "initialize service[", i, "]")
-		}
-	}
 	for i, outboundOptions := range options.Outbounds {
 		var tag string
 		if outboundOptions.Tag != "" {
@@ -329,22 +298,22 @@ func New(options Options) (*Box, error) {
 			return nil, E.Cause(err, "initialize outbound[", i, "]")
 		}
 	}
-	for i, certificateProviderOptions := range options.CertificateProviders {
+	for i, serviceOptions := range options.Services {
 		var tag string
-		if certificateProviderOptions.Tag != "" {
-			tag = certificateProviderOptions.Tag
+		if serviceOptions.Tag != "" {
+			tag = serviceOptions.Tag
 		} else {
 			tag = F.ToString(i)
 		}
-		err = certificateProviderManager.Create(
+		err = serviceManager.Create(
 			ctx,
-			logFactory.NewLogger(F.ToString("certificate-provider/", certificateProviderOptions.Type, "[", tag, "]")),
+			logFactory.NewLogger(F.ToString("service/", serviceOptions.Type, "[", tag, "]")),
 			tag,
-			certificateProviderOptions.Type,
-			certificateProviderOptions.Options,
+			serviceOptions.Type,
+			serviceOptions.Options,
 		)
 		if err != nil {
-			return nil, E.Cause(err, "initialize certificate provider[", i, "]")
+			return nil, E.Cause(err, "initialize service[", i, "]")
 		}
 	}
 	outboundManager.Initialize(func() (adapter.Outbound, error) {
@@ -414,21 +383,20 @@ func New(options Options) (*Box, error) {
 		internalServices = append(internalServices, adapter.NewLifecycleService(ntpService, "ntp service"))
 	}
 	return &Box{
-		network:             networkManager,
-		endpoint:            endpointManager,
-		inbound:             inboundManager,
-		outbound:            outboundManager,
-		dnsTransport:        dnsTransportManager,
-		service:             serviceManager,
-		certificateProvider: certificateProviderManager,
-		dnsRouter:           dnsRouter,
-		connection:          connectionManager,
-		router:              router,
-		createdAt:           createdAt,
-		logFactory:          logFactory,
-		logger:              logFactory.Logger(),
-		internalService:     internalServices,
-		done:                make(chan struct{}),
+		network:         networkManager,
+		endpoint:        endpointManager,
+		inbound:         inboundManager,
+		outbound:        outboundManager,
+		dnsTransport:    dnsTransportManager,
+		service:         serviceManager,
+		dnsRouter:       dnsRouter,
+		connection:      connectionManager,
+		router:          router,
+		createdAt:       createdAt,
+		logFactory:      logFactory,
+		logger:          logFactory.Logger(),
+		internalService: internalServices,
+		done:            make(chan struct{}),
 	}, nil
 }

@@ -482,7 +450,7 @@ func (s *Box) preStart() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateInitialize, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service, s.certificateProvider)
+	err = adapter.Start(s.logger, adapter.StartStateInitialize, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
@@ -502,19 +470,11 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateStart, s.endpoint)
+	err = adapter.Start(s.logger, adapter.StartStateStart, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateStart, s.certificateProvider)
-	if err != nil {
-		return err
-	}
-	err = adapter.Start(s.logger, adapter.StartStateStart, s.inbound, s.service)
-	if err != nil {
-		return err
-	}
-	err = adapter.Start(s.logger, adapter.StartStatePostStart, s.outbound, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.endpoint, s.certificateProvider, s.inbound, s.service)
+	err = adapter.Start(s.logger, adapter.StartStatePostStart, s.outbound, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
@@ -522,7 +482,7 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateStarted, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.endpoint, s.certificateProvider, s.inbound, s.service)
+	err = adapter.Start(s.logger, adapter.StartStateStarted, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
@@ -546,9 +506,8 @@ func (s *Box) Close() error {
 		service adapter.Lifecycle
 	}{
 		{"service", s.service},
-		{"inbound", s.inbound},
-		{"certificate-provider", s.certificateProvider},
 		{"endpoint", s.endpoint},
+		{"inbound", s.inbound},
 		{"outbound", s.outbound},
 		{"router", s.router},
 		{"connection", s.connection},
--- a/clients/android
+++ b/clients/android
--- a/clients/apple
+++ b/clients/apple
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -239,7 +239,7 @@ func setMarkWrapper(networkManager adapter.NetworkManager, mark uint32, isDefaul
 func (d *DefaultDialer) DialContext(ctx context.Context, network string, address M.Socksaddr) (net.Conn, error) {
 	if !address.IsValid() {
 		return nil, E.New("invalid address")
-	} else if address.IsDomain() {
+	} else if address.IsFqdn() {
 		return nil, E.New("domain not resolved")
 	}
 	if d.networkStrategy == nil {
@@ -329,9 +329,9 @@ func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksadd

 func (d *DefaultDialer) DialerForICMPDestination(destination netip.Addr) net.Dialer {
 	if !destination.Is6() {
-		return d.dialer4.Dialer
-	} else {
 		return d.dialer6.Dialer
+	} else {
+		return d.dialer4.Dialer
 	}
 }

--- a/common/dialer/resolve.go
+++ b/common/dialer/resolve.go
@@ -96,7 +96,7 @@ func (d *resolveDialer) DialContext(ctx context.Context, network string, destina
 	if err != nil {
 		return nil, err
 	}
-	if !destination.IsDomain() {
+	if !destination.IsFqdn() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
@@ -116,7 +116,7 @@ func (d *resolveDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	if err != nil {
 		return nil, err
 	}
-	if !destination.IsDomain() {
+	if !destination.IsFqdn() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
@@ -144,7 +144,7 @@ func (d *resolveParallelNetworkDialer) DialParallelInterface(ctx context.Context
 	if err != nil {
 		return nil, err
 	}
-	if !destination.IsDomain() {
+	if !destination.IsFqdn() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
@@ -167,7 +167,7 @@ func (d *resolveParallelNetworkDialer) ListenSerialInterfacePacket(ctx context.C
 	if err != nil {
 		return nil, err
 	}
-	if !destination.IsDomain() {
+	if !destination.IsFqdn() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
--- a/common/ktls/ktls_read.go
+++ b/common/ktls/ktls_read.go
@@ -12,7 +12,6 @@ import (
 	"fmt"
 	"io"
 	"net"
-	"unsafe"
 )

 func (c *Conn) Read(b []byte) (int, error) {
@@ -230,7 +229,7 @@ func (c *Conn) readRawRecord() (typ uint8, data []byte, err error) {
 	record := c.rawConn.RawInput.Next(recordHeaderLen + n)
 	data, typ, err = c.rawConn.In.Decrypt(record)
 	if err != nil {
-		err = c.rawConn.In.SetErrorLocked(c.sendAlert(*(*uint8)((*[2]unsafe.Pointer)(unsafe.Pointer(&err))[1])))
+		err = c.rawConn.In.SetErrorLocked(c.sendAlert(uint8(err.(tls.AlertError))))
 		return
 	}
 	return
--- a/common/process/searcher.go
+++ b/common/process/searcher.go
@@ -14,7 +14,6 @@ import (

 type Searcher interface {
 	FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error)
-	Close() error
 }

 var ErrNotFound = E.New("process not found")
@@ -29,7 +28,7 @@ func FindProcessInfo(searcher Searcher, ctx context.Context, network string, sou
 	if err != nil {
 		return nil, err
 	}
-	if info.UserId != -1 && info.UserName == "" {
+	if info.UserId != -1 {
 		osUser, _ := user.LookupId(F.ToString(info.UserId))
 		if osUser != nil {
 			info.UserName = osUser.Username
--- a/common/process/searcher_android.go
+++ b/common/process/searcher_android.go
@@ -6,7 +6,6 @@ import (

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-tun"
-	"github.com/sagernet/sing/common"
 )

 var _ Searcher = (*androidSearcher)(nil)
@@ -19,30 +18,22 @@ func NewSearcher(config Config) (Searcher, error) {
 	return &androidSearcher{config.PackageManager}, nil
 }

-func (s *androidSearcher) Close() error {
-	return nil
-}
-
 func (s *androidSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
-	family, protocol, err := socketDiagSettings(network, source)
+	_, uid, err := resolveSocketByNetlink(network, source, destination)
 	if err != nil {
 		return nil, err
 	}
-	_, uid, err := querySocketDiagOnce(family, protocol, source)
-	if err != nil {
-		return nil, err
+	if sharedPackage, loaded := s.packageManager.SharedPackageByID(uid % 100000); loaded {
+		return &adapter.ConnectionOwner{
+			UserId:             int32(uid),
+			AndroidPackageName: sharedPackage,
+		}, nil
 	}
-	appID := uid % 100000
-	var packageNames []string
-	if sharedPackage, loaded := s.packageManager.SharedPackageByID(appID); loaded {
-		packageNames = append(packageNames, sharedPackage)
+	if packageName, loaded := s.packageManager.PackageByID(uid % 100000); loaded {
+		return &adapter.ConnectionOwner{
+			UserId:             int32(uid),
+			AndroidPackageName: packageName,
+		}, nil
 	}
-	if packages, loaded := s.packageManager.PackagesByID(appID); loaded {
-		packageNames = append(packageNames, packages...)
-	}
-	packageNames = common.Uniq(packageNames)
-	return &adapter.ConnectionOwner{
-		UserId:              int32(uid),
-		AndroidPackageNames: packageNames,
-	}, nil
+	return &adapter.ConnectionOwner{UserId: int32(uid)}, nil
 }
--- a/common/process/searcher_darwin.go
+++ b/common/process/searcher_darwin.go
@@ -1,15 +1,19 @@
-//go:build darwin
-
 package process

 import (
 	"context"
+	"encoding/binary"
 	"net/netip"
+	"os"
 	"strconv"
 	"strings"
 	"syscall"
+	"unsafe"

 	"github.com/sagernet/sing-box/adapter"
+	N "github.com/sagernet/sing/common/network"
+
+	"golang.org/x/sys/unix"
 )

 var _ Searcher = (*darwinSearcher)(nil)
@@ -20,12 +24,12 @@ func NewSearcher(_ Config) (Searcher, error) {
 	return &darwinSearcher{}, nil
 }

-func (d *darwinSearcher) Close() error {
-	return nil
-}
-
 func (d *darwinSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
-	return FindDarwinConnectionOwner(network, source, destination)
+	processName, err := findProcessName(network, source.Addr(), int(source.Port()))
+	if err != nil {
+		return nil, err
+	}
+	return &adapter.ConnectionOwner{ProcessPath: processName, UserId: -1}, nil
 }

 var structSize = func() int {
@@ -43,3 +47,107 @@ var structSize = func() int {
 		return 384
 	}
 }()
+
+func findProcessName(network string, ip netip.Addr, port int) (string, error) {
+	var spath string
+	switch network {
+	case N.NetworkTCP:
+		spath = "net.inet.tcp.pcblist_n"
+	case N.NetworkUDP:
+		spath = "net.inet.udp.pcblist_n"
+	default:
+		return "", os.ErrInvalid
+	}
+
+	isIPv4 := ip.Is4()
+
+	value, err := unix.SysctlRaw(spath)
+	if err != nil {
+		return "", err
+	}
+
+	buf := value
+
+	// from darwin-xnu/bsd/netinet/in_pcblist.c:get_pcblist_n
+	// size/offset are round up (aligned) to 8 bytes in darwin
+	// rup8(sizeof(xinpcb_n)) + rup8(sizeof(xsocket_n)) +
+	// 2 * rup8(sizeof(xsockbuf_n)) + rup8(sizeof(xsockstat_n))
+	itemSize := structSize
+	if network == N.NetworkTCP {
+		// rup8(sizeof(xtcpcb_n))
+		itemSize += 208
+	}
+
+	var fallbackUDPProcess string
+	// skip the first xinpgen(24 bytes) block
+	for i := 24; i+itemSize <= len(buf); i += itemSize {
+		// offset of xinpcb_n and xsocket_n
+		inp, so := i, i+104
+
+		srcPort := binary.BigEndian.Uint16(buf[inp+18 : inp+20])
+		if uint16(port) != srcPort {
+			continue
+		}
+
+		// xinpcb_n.inp_vflag
+		flag := buf[inp+44]
+
+		var srcIP netip.Addr
+		srcIsIPv4 := false
+		switch {
+		case flag&0x1 > 0 && isIPv4:
+			// ipv4
+			srcIP = netip.AddrFrom4([4]byte(buf[inp+76 : inp+80]))
+			srcIsIPv4 = true
+		case flag&0x2 > 0 && !isIPv4:
+			// ipv6
+			srcIP = netip.AddrFrom16([16]byte(buf[inp+64 : inp+80]))
+		default:
+			continue
+		}
+
+		if ip == srcIP {
+			// xsocket_n.so_last_pid
+			pid := readNativeUint32(buf[so+68 : so+72])
+			return getExecPathFromPID(pid)
+		}
+
+		// udp packet connection may be not equal with srcIP
+		if network == N.NetworkUDP && srcIP.IsUnspecified() && isIPv4 == srcIsIPv4 {
+			pid := readNativeUint32(buf[so+68 : so+72])
+			fallbackUDPProcess, _ = getExecPathFromPID(pid)
+		}
+	}
+
+	if network == N.NetworkUDP && len(fallbackUDPProcess) > 0 {
+		return fallbackUDPProcess, nil
+	}
+
+	return "", ErrNotFound
+}
+
+func getExecPathFromPID(pid uint32) (string, error) {
+	const (
+		procpidpathinfo     = 0xb
+		procpidpathinfosize = 1024
+		proccallnumpidinfo  = 0x2
+	)
+	buf := make([]byte, procpidpathinfosize)
+	_, _, errno := syscall.Syscall6(
+		syscall.SYS_PROC_INFO,
+		proccallnumpidinfo,
+		uintptr(pid),
+		procpidpathinfo,
+		0,
+		uintptr(unsafe.Pointer(&buf[0])),
+		procpidpathinfosize)
+	if errno != 0 {
+		return "", errno
+	}
+
+	return unix.ByteSliceToString(buf), nil
+}
+
+func readNativeUint32(b []byte) uint32 {
+	return *(*uint32)(unsafe.Pointer(&b[0]))
+}
--- a/common/process/searcher_darwin_shared.go
+++ b/common/process/searcher_darwin_shared.go
@@ -1,269 +0,0 @@
-//go:build darwin
-
-package process
-
-import (
-	"encoding/binary"
-	"net/netip"
-	"os"
-	"sync"
-	"syscall"
-	"time"
-	"unsafe"
-
-	"github.com/sagernet/sing-box/adapter"
-	N "github.com/sagernet/sing/common/network"
-
-	"golang.org/x/sys/unix"
-)
-
-const (
-	darwinSnapshotTTL = 200 * time.Millisecond
-
-	darwinXinpgenSize        = 24
-	darwinXsocketOffset      = 104
-	darwinXinpcbForeignPort  = 16
-	darwinXinpcbLocalPort    = 18
-	darwinXinpcbVFlag        = 44
-	darwinXinpcbForeignAddr  = 48
-	darwinXinpcbLocalAddr    = 64
-	darwinXinpcbIPv4Addr     = 12
-	darwinXsocketUID         = 64
-	darwinXsocketLastPID     = 68
-	darwinTCPExtraStructSize = 208
-)
-
-type darwinConnectionEntry struct {
-	localAddr  netip.Addr
-	remoteAddr netip.Addr
-	localPort  uint16
-	remotePort uint16
-	pid        uint32
-	uid        int32
-}
-
-type darwinConnectionMatchKind uint8
-
-const (
-	darwinConnectionMatchExact darwinConnectionMatchKind = iota
-	darwinConnectionMatchLocalFallback
-	darwinConnectionMatchWildcardFallback
-)
-
-type darwinSnapshot struct {
-	createdAt time.Time
-	entries   []darwinConnectionEntry
-}
-
-type darwinConnectionFinder struct {
-	access    sync.Mutex
-	ttl       time.Duration
-	snapshots map[string]darwinSnapshot
-	builder   func(string) (darwinSnapshot, error)
-}
-
-var sharedDarwinConnectionFinder = newDarwinConnectionFinder(darwinSnapshotTTL)
-
-func newDarwinConnectionFinder(ttl time.Duration) *darwinConnectionFinder {
-	return &darwinConnectionFinder{
-		ttl:       ttl,
-		snapshots: make(map[string]darwinSnapshot),
-		builder:   buildDarwinSnapshot,
-	}
-}
-
-func FindDarwinConnectionOwner(network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
-	return sharedDarwinConnectionFinder.find(network, source, destination)
-}
-
-func (f *darwinConnectionFinder) find(network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
-	networkName := N.NetworkName(network)
-	source = normalizeDarwinAddrPort(source)
-	destination = normalizeDarwinAddrPort(destination)
-	var lastOwner *adapter.ConnectionOwner
-	for attempt := 0; attempt < 2; attempt++ {
-		snapshot, fromCache, err := f.loadSnapshot(networkName, attempt > 0)
-		if err != nil {
-			return nil, err
-		}
-		entry, matchKind, err := matchDarwinConnectionEntry(snapshot.entries, networkName, source, destination)
-		if err != nil {
-			if err == ErrNotFound && fromCache {
-				continue
-			}
-			return nil, err
-		}
-		if fromCache && matchKind != darwinConnectionMatchExact {
-			continue
-		}
-		owner := &adapter.ConnectionOwner{
-			UserId: entry.uid,
-		}
-		lastOwner = owner
-		if entry.pid == 0 {
-			return owner, nil
-		}
-		processPath, err := getExecPathFromPID(entry.pid)
-		if err == nil {
-			owner.ProcessPath = processPath
-			return owner, nil
-		}
-		if fromCache {
-			continue
-		}
-		return owner, nil
-	}
-	if lastOwner != nil {
-		return lastOwner, nil
-	}
-	return nil, ErrNotFound
-}
-
-func (f *darwinConnectionFinder) loadSnapshot(network string, forceRefresh bool) (darwinSnapshot, bool, error) {
-	f.access.Lock()
-	defer f.access.Unlock()
-	if !forceRefresh {
-		if snapshot, loaded := f.snapshots[network]; loaded && time.Since(snapshot.createdAt) < f.ttl {
-			return snapshot, true, nil
-		}
-	}
-	snapshot, err := f.builder(network)
-	if err != nil {
-		return darwinSnapshot{}, false, err
-	}
-	f.snapshots[network] = snapshot
-	return snapshot, false, nil
-}
-
-func buildDarwinSnapshot(network string) (darwinSnapshot, error) {
-	spath, itemSize, err := darwinSnapshotSettings(network)
-	if err != nil {
-		return darwinSnapshot{}, err
-	}
-	value, err := unix.SysctlRaw(spath)
-	if err != nil {
-		return darwinSnapshot{}, err
-	}
-	return darwinSnapshot{
-		createdAt: time.Now(),
-		entries:   parseDarwinSnapshot(value, itemSize),
-	}, nil
-}
-
-func darwinSnapshotSettings(network string) (string, int, error) {
-	itemSize := structSize
-	switch network {
-	case N.NetworkTCP:
-		return "net.inet.tcp.pcblist_n", itemSize + darwinTCPExtraStructSize, nil
-	case N.NetworkUDP:
-		return "net.inet.udp.pcblist_n", itemSize, nil
-	default:
-		return "", 0, os.ErrInvalid
-	}
-}
-
-func parseDarwinSnapshot(buf []byte, itemSize int) []darwinConnectionEntry {
-	entries := make([]darwinConnectionEntry, 0, (len(buf)-darwinXinpgenSize)/itemSize)
-	for i := darwinXinpgenSize; i+itemSize <= len(buf); i += itemSize {
-		inp := i
-		so := i + darwinXsocketOffset
-		entry, ok := parseDarwinConnectionEntry(buf[inp:so], buf[so:so+structSize-darwinXsocketOffset])
-		if ok {
-			entries = append(entries, entry)
-		}
-	}
-	return entries
-}
-
-func parseDarwinConnectionEntry(inp []byte, so []byte) (darwinConnectionEntry, bool) {
-	if len(inp) < darwinXsocketOffset || len(so) < structSize-darwinXsocketOffset {
-		return darwinConnectionEntry{}, false
-	}
-	entry := darwinConnectionEntry{
-		remotePort: binary.BigEndian.Uint16(inp[darwinXinpcbForeignPort : darwinXinpcbForeignPort+2]),
-		localPort:  binary.BigEndian.Uint16(inp[darwinXinpcbLocalPort : darwinXinpcbLocalPort+2]),
-		pid:        binary.NativeEndian.Uint32(so[darwinXsocketLastPID : darwinXsocketLastPID+4]),
-		uid:        int32(binary.NativeEndian.Uint32(so[darwinXsocketUID : darwinXsocketUID+4])),
-	}
-	flag := inp[darwinXinpcbVFlag]
-	switch {
-	case flag&0x1 != 0:
-		entry.remoteAddr = netip.AddrFrom4([4]byte(inp[darwinXinpcbForeignAddr+darwinXinpcbIPv4Addr : darwinXinpcbForeignAddr+darwinXinpcbIPv4Addr+4]))
-		entry.localAddr = netip.AddrFrom4([4]byte(inp[darwinXinpcbLocalAddr+darwinXinpcbIPv4Addr : darwinXinpcbLocalAddr+darwinXinpcbIPv4Addr+4]))
-		return entry, true
-	case flag&0x2 != 0:
-		entry.remoteAddr = netip.AddrFrom16([16]byte(inp[darwinXinpcbForeignAddr : darwinXinpcbForeignAddr+16]))
-		entry.localAddr = netip.AddrFrom16([16]byte(inp[darwinXinpcbLocalAddr : darwinXinpcbLocalAddr+16]))
-		return entry, true
-	default:
-		return darwinConnectionEntry{}, false
-	}
-}
-
-func matchDarwinConnectionEntry(entries []darwinConnectionEntry, network string, source netip.AddrPort, destination netip.AddrPort) (darwinConnectionEntry, darwinConnectionMatchKind, error) {
-	sourceAddr := source.Addr()
-	if !sourceAddr.IsValid() {
-		return darwinConnectionEntry{}, darwinConnectionMatchExact, os.ErrInvalid
-	}
-	var localFallback darwinConnectionEntry
-	var hasLocalFallback bool
-	var wildcardFallback darwinConnectionEntry
-	var hasWildcardFallback bool
-	for _, entry := range entries {
-		if entry.localPort != source.Port() || sourceAddr.BitLen() != entry.localAddr.BitLen() {
-			continue
-		}
-		if entry.localAddr == sourceAddr && destination.IsValid() && entry.remotePort == destination.Port() && entry.remoteAddr == destination.Addr() {
-			return entry, darwinConnectionMatchExact, nil
-		}
-		if !destination.IsValid() && entry.localAddr == sourceAddr {
-			return entry, darwinConnectionMatchExact, nil
-		}
-		if network != N.NetworkUDP {
-			continue
-		}
-		if !hasLocalFallback && entry.localAddr == sourceAddr {
-			hasLocalFallback = true
-			localFallback = entry
-		}
-		if !hasWildcardFallback && entry.localAddr.IsUnspecified() {
-			hasWildcardFallback = true
-			wildcardFallback = entry
-		}
-	}
-	if hasLocalFallback {
-		return localFallback, darwinConnectionMatchLocalFallback, nil
-	}
-	if hasWildcardFallback {
-		return wildcardFallback, darwinConnectionMatchWildcardFallback, nil
-	}
-	return darwinConnectionEntry{}, darwinConnectionMatchExact, ErrNotFound
-}
-
-func normalizeDarwinAddrPort(addrPort netip.AddrPort) netip.AddrPort {
-	if !addrPort.IsValid() {
-		return addrPort
-	}
-	return netip.AddrPortFrom(addrPort.Addr().Unmap(), addrPort.Port())
-}
-
-func getExecPathFromPID(pid uint32) (string, error) {
-	const (
-		procpidpathinfo     = 0xb
-		procpidpathinfosize = 1024
-		proccallnumpidinfo  = 0x2
-	)
-	buf := make([]byte, procpidpathinfosize)
-	_, _, errno := syscall.Syscall6(
-		syscall.SYS_PROC_INFO,
-		proccallnumpidinfo,
-		uintptr(pid),
-		procpidpathinfo,
-		0,
-		uintptr(unsafe.Pointer(&buf[0])),
-		procpidpathinfosize)
-	if errno != 0 {
-		return "", errno
-	}
-	return unix.ByteSliceToString(buf), nil
-}
--- a/common/process/searcher_linux.go
+++ b/common/process/searcher_linux.go
@@ -4,82 +4,33 @@ package process

 import (
 	"context"
-	"errors"
 	"net/netip"
-	"syscall"
-	"time"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
-	E "github.com/sagernet/sing/common/exceptions"
 )

 var _ Searcher = (*linuxSearcher)(nil)

 type linuxSearcher struct {
-	logger           log.ContextLogger
-	diagConns        [4]*socketDiagConn
-	processPathCache *uidProcessPathCache
+	logger log.ContextLogger
 }

 func NewSearcher(config Config) (Searcher, error) {
-	searcher := &linuxSearcher{
-		logger:           config.Logger,
-		processPathCache: newUIDProcessPathCache(time.Second),
-	}
-	for _, family := range []uint8{syscall.AF_INET, syscall.AF_INET6} {
-		for _, protocol := range []uint8{syscall.IPPROTO_TCP, syscall.IPPROTO_UDP} {
-			searcher.diagConns[socketDiagConnIndex(family, protocol)] = newSocketDiagConn(family, protocol)
-		}
-	}
-	return searcher, nil
-}
-
-func (s *linuxSearcher) Close() error {
-	var errs []error
-	for _, conn := range s.diagConns {
-		if conn == nil {
-			continue
-		}
-		errs = append(errs, conn.Close())
-	}
-	return E.Errors(errs...)
+	return &linuxSearcher{config.Logger}, nil
 }

 func (s *linuxSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
-	inode, uid, err := s.resolveSocketByNetlink(network, source, destination)
+	inode, uid, err := resolveSocketByNetlink(network, source, destination)
 	if err != nil {
 		return nil, err
 	}
-	processInfo := &adapter.ConnectionOwner{
-		UserId: int32(uid),
-	}
-	processPath, err := s.processPathCache.findProcessPath(inode, uid)
+	processPath, err := resolveProcessNameByProcSearch(inode, uid)
 	if err != nil {
 		s.logger.DebugContext(ctx, "find process path: ", err)
-	} else {
-		processInfo.ProcessPath = processPath
 	}
-	return processInfo, nil
-}
-
-func (s *linuxSearcher) resolveSocketByNetlink(network string, source netip.AddrPort, destination netip.AddrPort) (inode, uid uint32, err error) {
-	family, protocol, err := socketDiagSettings(network, source)
-	if err != nil {
-		return 0, 0, err
-	}
-	conn := s.diagConns[socketDiagConnIndex(family, protocol)]
-	if conn == nil {
-		return 0, 0, E.New("missing socket diag connection for family=", family, " protocol=", protocol)
-	}
-	if destination.IsValid() && source.Addr().BitLen() == destination.Addr().BitLen() {
-		inode, uid, err = conn.query(source, destination)
-		if err == nil {
-			return inode, uid, nil
-		}
-		if !errors.Is(err, ErrNotFound) {
-			return 0, 0, err
-		}
-	}
-	return querySocketDiagOnce(family, protocol, source)
+	return &adapter.ConnectionOwner{
+		UserId:      int32(uid),
+		ProcessPath: processPath,
+	}, nil
 }
--- a/common/process/searcher_linux_shared.go
+++ b/common/process/searcher_linux_shared.go
@@ -3,67 +3,43 @@
 package process

 import (
+	"bytes"
 	"encoding/binary"
-	"errors"
+	"fmt"
+	"net"
 	"net/netip"
 	"os"
-	"path/filepath"
+	"path"
 	"strings"
-	"sync"
 	"syscall"
-	"time"
 	"unicode"
+	"unsafe"

-	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/contrab/freelru"
-	"github.com/sagernet/sing/contrab/maphash"
 )

+// from https://github.com/vishvananda/netlink/blob/bca67dfc8220b44ef582c9da4e9172bf1c9ec973/nl/nl_linux.go#L52-L62
+var nativeEndian = func() binary.ByteOrder {
+	var x uint32 = 0x01020304
+	if *(*byte)(unsafe.Pointer(&x)) == 0x01 {
+		return binary.BigEndian
+	}
+
+	return binary.LittleEndian
+}()
+
 const (
-	sizeOfSocketDiagRequestData = 56
-	sizeOfSocketDiagRequest     = syscall.SizeofNlMsghdr + sizeOfSocketDiagRequestData
-	socketDiagResponseMinSize   = 72
-	socketDiagByFamily          = 20
-	pathProc                    = "/proc"
+	sizeOfSocketDiagRequest = syscall.SizeofNlMsghdr + 8 + 48
+	socketDiagByFamily      = 20
+	pathProc                = "/proc"
 )

-type socketDiagConn struct {
-	access   sync.Mutex
-	family   uint8
-	protocol uint8
-	fd       int
-}
+func resolveSocketByNetlink(network string, source netip.AddrPort, destination netip.AddrPort) (inode, uid uint32, err error) {
+	var family uint8
+	var protocol uint8

-type uidProcessPathCache struct {
-	cache freelru.Cache[uint32, *uidProcessPaths]
-}
-
-type uidProcessPaths struct {
-	entries map[uint32]string
-}
-
-func newSocketDiagConn(family, protocol uint8) *socketDiagConn {
-	return &socketDiagConn{
-		family:   family,
-		protocol: protocol,
-		fd:       -1,
-	}
-}
-
-func socketDiagConnIndex(family, protocol uint8) int {
-	index := 0
-	if protocol == syscall.IPPROTO_UDP {
-		index += 2
-	}
-	if family == syscall.AF_INET6 {
-		index++
-	}
-	return index
-}
-
-func socketDiagSettings(network string, source netip.AddrPort) (family, protocol uint8, err error) {
 	switch network {
 	case N.NetworkTCP:
 		protocol = syscall.IPPROTO_TCP
@@ -72,308 +48,151 @@ func socketDiagSettings(network string, source netip.AddrPort) (family, protocol
 	default:
 		return 0, 0, os.ErrInvalid
 	}
-	switch {
-	case source.Addr().Is4():
+
+	if source.Addr().Is4() {
 		family = syscall.AF_INET
-	case source.Addr().Is6():
+	} else {
 		family = syscall.AF_INET6
-	default:
-		return 0, 0, os.ErrInvalid
 	}
-	return family, protocol, nil
-}

-func newUIDProcessPathCache(ttl time.Duration) *uidProcessPathCache {
-	cache := common.Must1(freelru.NewSharded[uint32, *uidProcessPaths](64, maphash.NewHasher[uint32]().Hash32))
-	cache.SetLifetime(ttl)
-	return &uidProcessPathCache{cache: cache}
-}
+	req := packSocketDiagRequest(family, protocol, source)

-func (c *uidProcessPathCache) findProcessPath(targetInode, uid uint32) (string, error) {
-	if cached, ok := c.cache.Get(uid); ok {
-		if processPath, found := cached.entries[targetInode]; found {
-			return processPath, nil
-		}
-	}
-	processPaths, err := buildProcessPathByUIDCache(uid)
-	if err != nil {
-		return "", err
-	}
-	c.cache.Add(uid, &uidProcessPaths{entries: processPaths})
-	processPath, found := processPaths[targetInode]
-	if !found {
-		return "", E.New("process of uid(", uid, "), inode(", targetInode, ") not found")
-	}
-	return processPath, nil
-}
-
-func (c *socketDiagConn) Close() error {
-	c.access.Lock()
-	defer c.access.Unlock()
-	return c.closeLocked()
-}
-
-func (c *socketDiagConn) query(source netip.AddrPort, destination netip.AddrPort) (inode, uid uint32, err error) {
-	c.access.Lock()
-	defer c.access.Unlock()
-	request := packSocketDiagRequest(c.family, c.protocol, source, destination, false)
-	for attempt := 0; attempt < 2; attempt++ {
-		err = c.ensureOpenLocked()
-		if err != nil {
-			return 0, 0, E.Cause(err, "dial netlink")
-		}
-		inode, uid, err = querySocketDiag(c.fd, request)
-		if err == nil || errors.Is(err, ErrNotFound) {
-			return inode, uid, err
-		}
-		if !shouldRetrySocketDiag(err) {
-			return 0, 0, err
-		}
-		_ = c.closeLocked()
-	}
-	return 0, 0, err
-}
-
-func querySocketDiagOnce(family, protocol uint8, source netip.AddrPort) (inode, uid uint32, err error) {
-	fd, err := openSocketDiag()
+	socket, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_DGRAM, syscall.NETLINK_INET_DIAG)
 	if err != nil {
 		return 0, 0, E.Cause(err, "dial netlink")
 	}
-	defer syscall.Close(fd)
-	return querySocketDiag(fd, packSocketDiagRequest(family, protocol, source, netip.AddrPort{}, true))
-}
+	defer syscall.Close(socket)

-func (c *socketDiagConn) ensureOpenLocked() error {
-	if c.fd != -1 {
-		return nil
-	}
-	fd, err := openSocketDiag()
-	if err != nil {
-		return err
-	}
-	c.fd = fd
-	return nil
-}
+	syscall.SetsockoptTimeval(socket, syscall.SOL_SOCKET, syscall.SO_SNDTIMEO, &syscall.Timeval{Usec: 100})
+	syscall.SetsockoptTimeval(socket, syscall.SOL_SOCKET, syscall.SO_RCVTIMEO, &syscall.Timeval{Usec: 100})

-func openSocketDiag() (int, error) {
-	fd, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_DGRAM|syscall.SOCK_CLOEXEC, syscall.NETLINK_INET_DIAG)
-	if err != nil {
-		return -1, err
-	}
-	timeout := &syscall.Timeval{Usec: 100}
-	if err = syscall.SetsockoptTimeval(fd, syscall.SOL_SOCKET, syscall.SO_SNDTIMEO, timeout); err != nil {
-		syscall.Close(fd)
-		return -1, err
-	}
-	if err = syscall.SetsockoptTimeval(fd, syscall.SOL_SOCKET, syscall.SO_RCVTIMEO, timeout); err != nil {
-		syscall.Close(fd)
-		return -1, err
-	}
-	if err = syscall.Connect(fd, &syscall.SockaddrNetlink{
+	err = syscall.Connect(socket, &syscall.SockaddrNetlink{
 		Family: syscall.AF_NETLINK,
+		Pad:    0,
 		Pid:    0,
 		Groups: 0,
-	}); err != nil {
-		syscall.Close(fd)
-		return -1, err
+	})
+	if err != nil {
+		return
 	}
-	return fd, nil
-}

-func (c *socketDiagConn) closeLocked() error {
-	if c.fd == -1 {
-		return nil
-	}
-	err := syscall.Close(c.fd)
-	c.fd = -1
-	return err
-}
-
-func packSocketDiagRequest(family, protocol byte, source netip.AddrPort, destination netip.AddrPort, dump bool) []byte {
-	request := make([]byte, sizeOfSocketDiagRequest)
-
-	binary.NativeEndian.PutUint32(request[0:4], sizeOfSocketDiagRequest)
-	binary.NativeEndian.PutUint16(request[4:6], socketDiagByFamily)
-	flags := uint16(syscall.NLM_F_REQUEST)
-	if dump {
-		flags |= syscall.NLM_F_DUMP
-	}
-	binary.NativeEndian.PutUint16(request[6:8], flags)
-	binary.NativeEndian.PutUint32(request[8:12], 0)
-	binary.NativeEndian.PutUint32(request[12:16], 0)
-
-	request[16] = family
-	request[17] = protocol
-	request[18] = 0
-	request[19] = 0
-	if dump {
-		binary.NativeEndian.PutUint32(request[20:24], 0xFFFFFFFF)
-	}
-	requestSource := source
-	requestDestination := destination
-	if protocol == syscall.IPPROTO_UDP && !dump && destination.IsValid() {
-		// udp_dump_one expects the exact-match endpoints reversed for historical reasons.
-		requestSource, requestDestination = destination, source
-	}
-	binary.BigEndian.PutUint16(request[24:26], requestSource.Port())
-	binary.BigEndian.PutUint16(request[26:28], requestDestination.Port())
-	if family == syscall.AF_INET6 {
-		copy(request[28:44], requestSource.Addr().AsSlice())
-		if requestDestination.IsValid() {
-			copy(request[44:60], requestDestination.Addr().AsSlice())
-		}
-	} else {
-		copy(request[28:32], requestSource.Addr().AsSlice())
-		if requestDestination.IsValid() {
-			copy(request[44:48], requestDestination.Addr().AsSlice())
-		}
-	}
-	binary.NativeEndian.PutUint32(request[60:64], 0)
-	binary.NativeEndian.PutUint64(request[64:72], 0xFFFFFFFFFFFFFFFF)
-	return request
-}
-
-func querySocketDiag(fd int, request []byte) (inode, uid uint32, err error) {
-	_, err = syscall.Write(fd, request)
+	_, err = syscall.Write(socket, req)
 	if err != nil {
 		return 0, 0, E.Cause(err, "write netlink request")
 	}
-	buffer := make([]byte, 64<<10)
-	n, err := syscall.Read(fd, buffer)
+
+	buffer := buf.New()
+	defer buffer.Release()
+
+	n, err := syscall.Read(socket, buffer.FreeBytes())
 	if err != nil {
 		return 0, 0, E.Cause(err, "read netlink response")
 	}
-	messages, err := syscall.ParseNetlinkMessage(buffer[:n])
+
+	buffer.Truncate(n)
+
+	messages, err := syscall.ParseNetlinkMessage(buffer.Bytes())
 	if err != nil {
 		return 0, 0, E.Cause(err, "parse netlink message")
+	} else if len(messages) == 0 {
+		return 0, 0, E.New("unexcepted netlink response")
 	}
-	return unpackSocketDiagMessages(messages)
+
+	message := messages[0]
+	if message.Header.Type&syscall.NLMSG_ERROR != 0 {
+		return 0, 0, E.New("netlink message: NLMSG_ERROR")
+	}
+
+	inode, uid = unpackSocketDiagResponse(&messages[0])
+	return
 }

-func unpackSocketDiagMessages(messages []syscall.NetlinkMessage) (inode, uid uint32, err error) {
-	for _, message := range messages {
-		switch message.Header.Type {
-		case syscall.NLMSG_DONE:
-			continue
-		case syscall.NLMSG_ERROR:
-			err = unpackSocketDiagError(&message)
-			if err != nil {
-				return 0, 0, err
-			}
-		case socketDiagByFamily:
-			inode, uid = unpackSocketDiagResponse(&message)
-			if inode != 0 || uid != 0 {
-				return inode, uid, nil
-			}
-		}
-	}
-	return 0, 0, ErrNotFound
+func packSocketDiagRequest(family, protocol byte, source netip.AddrPort) []byte {
+	s := make([]byte, 16)
+	copy(s, source.Addr().AsSlice())
+
+	buf := make([]byte, sizeOfSocketDiagRequest)
+
+	nativeEndian.PutUint32(buf[0:4], sizeOfSocketDiagRequest)
+	nativeEndian.PutUint16(buf[4:6], socketDiagByFamily)
+	nativeEndian.PutUint16(buf[6:8], syscall.NLM_F_REQUEST|syscall.NLM_F_DUMP)
+	nativeEndian.PutUint32(buf[8:12], 0)
+	nativeEndian.PutUint32(buf[12:16], 0)
+
+	buf[16] = family
+	buf[17] = protocol
+	buf[18] = 0
+	buf[19] = 0
+	nativeEndian.PutUint32(buf[20:24], 0xFFFFFFFF)
+
+	binary.BigEndian.PutUint16(buf[24:26], source.Port())
+	binary.BigEndian.PutUint16(buf[26:28], 0)
+
+	copy(buf[28:44], s)
+	copy(buf[44:60], net.IPv6zero)
+
+	nativeEndian.PutUint32(buf[60:64], 0)
+	nativeEndian.PutUint64(buf[64:72], 0xFFFFFFFFFFFFFFFF)
+
+	return buf
 }

 func unpackSocketDiagResponse(msg *syscall.NetlinkMessage) (inode, uid uint32) {
-	if len(msg.Data) < socketDiagResponseMinSize {
+	if len(msg.Data) < 72 {
 		return 0, 0
 	}
-	uid = binary.NativeEndian.Uint32(msg.Data[64:68])
-	inode = binary.NativeEndian.Uint32(msg.Data[68:72])
-	return inode, uid
+
+	data := msg.Data
+
+	uid = nativeEndian.Uint32(data[64:68])
+	inode = nativeEndian.Uint32(data[68:72])
+
+	return
 }

-func unpackSocketDiagError(msg *syscall.NetlinkMessage) error {
-	if len(msg.Data) < 4 {
-		return E.New("netlink message: NLMSG_ERROR")
-	}
-	errno := int32(binary.NativeEndian.Uint32(msg.Data[:4]))
-	if errno == 0 {
-		return nil
-	}
-	if errno < 0 {
-		errno = -errno
-	}
-	sysErr := syscall.Errno(errno)
-	switch sysErr {
-	case syscall.ENOENT, syscall.ESRCH:
-		return ErrNotFound
-	default:
-		return E.New("netlink message: ", sysErr)
-	}
-}
-
-func shouldRetrySocketDiag(err error) bool {
-	return err != nil && !errors.Is(err, ErrNotFound)
-}
-
-func buildProcessPathByUIDCache(uid uint32) (map[uint32]string, error) {
+func resolveProcessNameByProcSearch(inode, uid uint32) (string, error) {
 	files, err := os.ReadDir(pathProc)
 	if err != nil {
-		return nil, err
+		return "", err
 	}
+
 	buffer := make([]byte, syscall.PathMax)
-	processPaths := make(map[uint32]string)
-	for _, file := range files {
-		if !file.IsDir() || !isPid(file.Name()) {
+	socket := []byte(fmt.Sprintf("socket:[%d]", inode))
+
+	for _, f := range files {
+		if !f.IsDir() || !isPid(f.Name()) {
 			continue
 		}
-		info, err := file.Info()
+
+		info, err := f.Info()
 		if err != nil {
-			if isIgnorableProcError(err) {
-				continue
-			}
-			return nil, err
+			return "", err
 		}
 		if info.Sys().(*syscall.Stat_t).Uid != uid {
 			continue
 		}
-		processPath := filepath.Join(pathProc, file.Name())
-		fdPath := filepath.Join(processPath, "fd")
-		exePath, err := os.Readlink(filepath.Join(processPath, "exe"))
-		if err != nil {
-			if isIgnorableProcError(err) {
-				continue
-			}
-			return nil, err
-		}
+
+		processPath := path.Join(pathProc, f.Name())
+		fdPath := path.Join(processPath, "fd")
+
 		fds, err := os.ReadDir(fdPath)
 		if err != nil {
 			continue
 		}
+
 		for _, fd := range fds {
-			n, err := syscall.Readlink(filepath.Join(fdPath, fd.Name()), buffer)
+			n, err := syscall.Readlink(path.Join(fdPath, fd.Name()), buffer)
 			if err != nil {
 				continue
 			}
-			inode, ok := parseSocketInode(buffer[:n])
-			if !ok {
-				continue
-			}
-			if _, loaded := processPaths[inode]; !loaded {
-				processPaths[inode] = exePath
+
+			if bytes.Equal(buffer[:n], socket) {
+				return os.Readlink(path.Join(processPath, "exe"))
 			}
 		}
 	}
-	return processPaths, nil
-}

-func isIgnorableProcError(err error) bool {
-	return os.IsNotExist(err) || os.IsPermission(err)
-}
-
-func parseSocketInode(link []byte) (uint32, bool) {
-	const socketPrefix = "socket:["
-	if len(link) <= len(socketPrefix) || string(link[:len(socketPrefix)]) != socketPrefix || link[len(link)-1] != ']' {
-		return 0, false
-	}
-	var inode uint64
-	for _, char := range link[len(socketPrefix) : len(link)-1] {
-		if char < '0' || char > '9' {
-			return 0, false
-		}
-		inode = inode*10 + uint64(char-'0')
-		if inode > uint64(^uint32(0)) {
-			return 0, false
-		}
-	}
-	return uint32(inode), true
+	return "", fmt.Errorf("process of uid(%d),inode(%d) not found", uid, inode)
 }

 func isPid(s string) bool {
--- a/common/process/searcher_linux_shared_test.go
+++ b/common/process/searcher_linux_shared_test.go
@@ -1,60 +0,0 @@
-//go:build linux
-
-package process
-
-import (
-	"net"
-	"net/netip"
-	"os"
-	"syscall"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestQuerySocketDiagUDPExact(t *testing.T) {
-	t.Parallel()
-	server, err := net.ListenUDP("udp4", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
-	require.NoError(t, err)
-	defer server.Close()
-
-	client, err := net.DialUDP("udp4", nil, server.LocalAddr().(*net.UDPAddr))
-	require.NoError(t, err)
-	defer client.Close()
-
-	err = client.SetDeadline(time.Now().Add(time.Second))
-	require.NoError(t, err)
-	_, err = client.Write([]byte{0})
-	require.NoError(t, err)
-
-	err = server.SetReadDeadline(time.Now().Add(time.Second))
-	require.NoError(t, err)
-	buffer := make([]byte, 1)
-	_, _, err = server.ReadFromUDP(buffer)
-	require.NoError(t, err)
-
-	source := addrPortFromUDPAddr(t, client.LocalAddr())
-	destination := addrPortFromUDPAddr(t, client.RemoteAddr())
-
-	fd, err := openSocketDiag()
-	require.NoError(t, err)
-	defer syscall.Close(fd)
-
-	inode, uid, err := querySocketDiag(fd, packSocketDiagRequest(syscall.AF_INET, syscall.IPPROTO_UDP, source, destination, false))
-	require.NoError(t, err)
-	require.NotZero(t, inode)
-	require.EqualValues(t, os.Getuid(), uid)
-}
-
-func addrPortFromUDPAddr(t *testing.T, addr net.Addr) netip.AddrPort {
-	t.Helper()
-
-	udpAddr, ok := addr.(*net.UDPAddr)
-	require.True(t, ok)
-
-	ip, ok := netip.AddrFromSlice(udpAddr.IP)
-	require.True(t, ok)
-
-	return netip.AddrPortFrom(ip.Unmap(), uint16(udpAddr.Port))
-}
--- a/common/process/searcher_windows.go
+++ b/common/process/searcher_windows.go
@@ -28,10 +28,6 @@ func initWin32API() error {
 	return winiphlpapi.LoadExtendedTable()
 }

-func (s *windowsSearcher) Close() error {
-	return nil
-}
-
 func (s *windowsSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
 	pid, err := winiphlpapi.FindPid(network, source)
 	if err != nil {
--- a/common/tls/acme.go
+++ b/common/tls/acme.go
@@ -38,6 +38,37 @@ func (w *acmeWrapper) Close() error {
 	return nil
 }

+type acmeLogWriter struct {
+	logger logger.Logger
+}
+
+func (w *acmeLogWriter) Write(p []byte) (n int, err error) {
+	logLine := strings.ReplaceAll(string(p), "	", ": ")
+	switch {
+	case strings.HasPrefix(logLine, "error: "):
+		w.logger.Error(logLine[7:])
+	case strings.HasPrefix(logLine, "warn: "):
+		w.logger.Warn(logLine[6:])
+	case strings.HasPrefix(logLine, "info: "):
+		w.logger.Info(logLine[6:])
+	case strings.HasPrefix(logLine, "debug: "):
+		w.logger.Debug(logLine[7:])
+	default:
+		w.logger.Debug(logLine)
+	}
+	return len(p), nil
+}
+
+func (w *acmeLogWriter) Sync() error {
+	return nil
+}
+
+func encoderConfig() zapcore.EncoderConfig {
+	config := zap.NewProductionEncoderConfig()
+	config.TimeKey = zapcore.OmitKey
+	return config
+}
+
 func startACME(ctx context.Context, logger logger.Logger, options option.InboundACMEOptions) (*tls.Config, adapter.SimpleLifecycle, error) {
 	var acmeServer string
 	switch options.Provider {
@@ -60,8 +91,8 @@ func startACME(ctx context.Context, logger logger.Logger, options option.Inbound
 		storage = certmagic.Default.Storage
 	}
 	zapLogger := zap.New(zapcore.NewCore(
-		zapcore.NewConsoleEncoder(ACMEEncoderConfig()),
-		&ACMELogWriter{Logger: logger},
+		zapcore.NewConsoleEncoder(encoderConfig()),
+		&acmeLogWriter{logger: logger},
 		zap.DebugLevel,
 	))
 	config := &certmagic.Config{
@@ -127,7 +158,7 @@ func startACME(ctx context.Context, logger logger.Logger, options option.Inbound
 	} else {
 		tlsConfig = &tls.Config{
 			GetCertificate: config.GetCertificate,
-			NextProtos:     []string{C.ACMETLS1Protocol},
+			NextProtos:     []string{ACMETLS1Protocol},
 		}
 	}
 	return tlsConfig, &acmeWrapper{ctx: ctx, cfg: config, cache: cache, domain: options.Domain}, nil
--- a/common/tls/acme_contstant.go
+++ b/common/tls/acme_contstant.go
@@ -1,3 +1,3 @@
-package constant
+package tls

 const ACMETLS1Protocol = "acme-tls/1"
--- a/common/tls/acme_logger.go
+++ b/common/tls/acme_logger.go
@@ -1,41 +0,0 @@
-package tls
-
-import (
-	"strings"
-
-	"github.com/sagernet/sing/common/logger"
-
-	"go.uber.org/zap"
-	"go.uber.org/zap/zapcore"
-)
-
-type ACMELogWriter struct {
-	Logger logger.Logger
-}
-
-func (w *ACMELogWriter) Write(p []byte) (n int, err error) {
-	logLine := strings.ReplaceAll(string(p), "	", ": ")
-	switch {
-	case strings.HasPrefix(logLine, "error: "):
-		w.Logger.Error(logLine[7:])
-	case strings.HasPrefix(logLine, "warn: "):
-		w.Logger.Warn(logLine[6:])
-	case strings.HasPrefix(logLine, "info: "):
-		w.Logger.Info(logLine[6:])
-	case strings.HasPrefix(logLine, "debug: "):
-		w.Logger.Debug(logLine[7:])
-	default:
-		w.Logger.Debug(logLine)
-	}
-	return len(p), nil
-}
-
-func (w *ACMELogWriter) Sync() error {
-	return nil
-}
-
-func ACMEEncoderConfig() zapcore.EncoderConfig {
-	config := zap.NewProductionEncoderConfig()
-	config.TimeKey = zapcore.OmitKey
-	return config
-}
--- a/common/tls/reality_server.go
+++ b/common/tls/reality_server.go
@@ -32,10 +32,6 @@ type RealityServerConfig struct {
 func NewRealityServer(ctx context.Context, logger log.ContextLogger, options option.InboundTLSOptions) (ServerConfig, error) {
 	var tlsConfig utls.RealityConfig

-	if options.CertificateProvider != nil {
-		return nil, E.New("certificate_provider is unavailable in reality")
-	}
-	//nolint:staticcheck
 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
 		return nil, E.New("acme is unavailable in reality")
 	}
--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@@ -13,87 +13,19 @@ import (
 	"github.com/sagernet/fswatch"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
-	"github.com/sagernet/sing/service"
 )

 var errInsecureUnused = E.New("tls: insecure unused")

-type managedCertificateProvider interface {
-	adapter.CertificateProvider
-	adapter.SimpleLifecycle
-}
-
-type sharedCertificateProvider struct {
-	tag      string
-	manager  adapter.CertificateProviderManager
-	provider adapter.CertificateProviderService
-}
-
-func (p *sharedCertificateProvider) Start() error {
-	provider, found := p.manager.Get(p.tag)
-	if !found {
-		return E.New("certificate provider not found: ", p.tag)
-	}
-	p.provider = provider
-	return nil
-}
-
-func (p *sharedCertificateProvider) Close() error {
-	return nil
-}
-
-func (p *sharedCertificateProvider) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	return p.provider.GetCertificate(hello)
-}
-
-func (p *sharedCertificateProvider) GetACMENextProtos() []string {
-	return getACMENextProtos(p.provider)
-}
-
-type inlineCertificateProvider struct {
-	provider adapter.CertificateProviderService
-}
-
-func (p *inlineCertificateProvider) Start() error {
-	for _, stage := range adapter.ListStartStages {
-		err := adapter.LegacyStart(p.provider, stage)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (p *inlineCertificateProvider) Close() error {
-	return p.provider.Close()
-}
-
-func (p *inlineCertificateProvider) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	return p.provider.GetCertificate(hello)
-}
-
-func (p *inlineCertificateProvider) GetACMENextProtos() []string {
-	return getACMENextProtos(p.provider)
-}
-
-func getACMENextProtos(provider adapter.CertificateProvider) []string {
-	if acmeProvider, isACME := provider.(adapter.ACMECertificateProvider); isACME {
-		return acmeProvider.GetACMENextProtos()
-	}
-	return nil
-}
-
 type STDServerConfig struct {
 	access                sync.RWMutex
 	config                *tls.Config
 	logger                log.Logger
-	certificateProvider   managedCertificateProvider
 	acmeService           adapter.SimpleLifecycle
 	certificate           []byte
 	key                   []byte
@@ -121,17 +53,18 @@ func (c *STDServerConfig) SetServerName(serverName string) {
 func (c *STDServerConfig) NextProtos() []string {
 	c.access.RLock()
 	defer c.access.RUnlock()
-	if c.hasACMEALPN() && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == C.ACMETLS1Protocol {
+	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
 		return c.config.NextProtos[1:]
+	} else {
+		return c.config.NextProtos
 	}
-	return c.config.NextProtos
 }

 func (c *STDServerConfig) SetNextProtos(nextProto []string) {
 	c.access.Lock()
 	defer c.access.Unlock()
 	config := c.config.Clone()
-	if c.hasACMEALPN() && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == C.ACMETLS1Protocol {
+	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
 		config.NextProtos = append(c.config.NextProtos[:1], nextProto...)
 	} else {
 		config.NextProtos = nextProto
@@ -139,18 +72,6 @@ func (c *STDServerConfig) SetNextProtos(nextProto []string) {
 	c.config = config
 }

-func (c *STDServerConfig) hasACMEALPN() bool {
-	if c.acmeService != nil {
-		return true
-	}
-	if c.certificateProvider != nil {
-		if acmeProvider, isACME := c.certificateProvider.(adapter.ACMECertificateProvider); isACME {
-			return len(acmeProvider.GetACMENextProtos()) > 0
-		}
-	}
-	return false
-}
-
 func (c *STDServerConfig) STDConfig() (*STDConfig, error) {
 	return c.config, nil
 }
@@ -170,39 +91,15 @@ func (c *STDServerConfig) Clone() Config {
 }

 func (c *STDServerConfig) Start() error {
-	if c.certificateProvider != nil {
-		err := c.certificateProvider.Start()
-		if err != nil {
-			return err
-		}
-		if acmeProvider, isACME := c.certificateProvider.(adapter.ACMECertificateProvider); isACME {
-			nextProtos := acmeProvider.GetACMENextProtos()
-			if len(nextProtos) > 0 {
-				c.access.Lock()
-				config := c.config.Clone()
-				mergedNextProtos := append([]string{}, nextProtos...)
-				for _, nextProto := range config.NextProtos {
-					if !common.Contains(mergedNextProtos, nextProto) {
-						mergedNextProtos = append(mergedNextProtos, nextProto)
-					}
-				}
-				config.NextProtos = mergedNextProtos
-				c.config = config
-				c.access.Unlock()
-			}
-		}
-	}
 	if c.acmeService != nil {
-		err := c.acmeService.Start()
+		return c.acmeService.Start()
+	} else {
+		err := c.startWatcher()
 		if err != nil {
-			return err
+			c.logger.Warn("create fsnotify watcher: ", err)
 		}
+		return nil
 	}
-	err := c.startWatcher()
-	if err != nil {
-		c.logger.Warn("create fsnotify watcher: ", err)
-	}
-	return nil
 }

 func (c *STDServerConfig) startWatcher() error {
@@ -306,34 +203,23 @@ func (c *STDServerConfig) certificateUpdated(path string) error {
 }

 func (c *STDServerConfig) Close() error {
-	return common.Close(c.certificateProvider, c.acmeService, c.watcher)
+	if c.acmeService != nil {
+		return c.acmeService.Close()
+	}
+	if c.watcher != nil {
+		return c.watcher.Close()
+	}
+	return nil
 }

 func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.InboundTLSOptions) (ServerConfig, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
-	//nolint:staticcheck
-	if options.CertificateProvider != nil && options.ACME != nil {
-		return nil, E.New("certificate_provider and acme are mutually exclusive")
-	}
 	var tlsConfig *tls.Config
-	var certificateProvider managedCertificateProvider
 	var acmeService adapter.SimpleLifecycle
 	var err error
-	if options.CertificateProvider != nil {
-		certificateProvider, err = newCertificateProvider(ctx, logger, options.CertificateProvider)
-		if err != nil {
-			return nil, err
-		}
-		tlsConfig = &tls.Config{
-			GetCertificate: certificateProvider.GetCertificate,
-		}
-		if options.Insecure {
-			return nil, errInsecureUnused
-		}
-	} else if options.ACME != nil && len(options.ACME.Domain) > 0 { //nolint:staticcheck
-		deprecated.Report(ctx, deprecated.OptionInlineACME)
+	if options.ACME != nil && len(options.ACME.Domain) > 0 {
 		//nolint:staticcheck
 		tlsConfig, acmeService, err = startACME(ctx, logger, common.PtrValueOrDefault(options.ACME))
 		if err != nil {
@@ -386,7 +272,7 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 		certificate []byte
 		key         []byte
 	)
-	if certificateProvider == nil && acmeService == nil {
+	if acmeService == nil {
 		if len(options.Certificate) > 0 {
 			certificate = []byte(strings.Join(options.Certificate, "\n"))
 		} else if options.CertificatePath != "" {
@@ -474,7 +360,6 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 	serverConfig := &STDServerConfig{
 		config:                tlsConfig,
 		logger:                logger,
-		certificateProvider:   certificateProvider,
 		acmeService:           acmeService,
 		certificate:           certificate,
 		key:                   key,
@@ -484,8 +369,8 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 		echKeyPath:            echKeyPath,
 	}
 	serverConfig.config.GetConfigForClient = func(info *tls.ClientHelloInfo) (*tls.Config, error) {
-		serverConfig.access.RLock()
-		defer serverConfig.access.RUnlock()
+		serverConfig.access.Lock()
+		defer serverConfig.access.Unlock()
 		return serverConfig.config, nil
 	}
 	var config ServerConfig = serverConfig
@@ -502,27 +387,3 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 	}
 	return config, nil
 }
-
-func newCertificateProvider(ctx context.Context, logger log.ContextLogger, options *option.CertificateProviderOptions) (managedCertificateProvider, error) {
-	if options.IsShared() {
-		manager := service.FromContext[adapter.CertificateProviderManager](ctx)
-		if manager == nil {
-			return nil, E.New("missing certificate provider manager in context")
-		}
-		return &sharedCertificateProvider{
-			tag:     options.Tag,
-			manager: manager,
-		}, nil
-	}
-	registry := service.FromContext[adapter.CertificateProviderRegistry](ctx)
-	if registry == nil {
-		return nil, E.New("missing certificate provider registry in context")
-	}
-	provider, err := registry.Create(ctx, logger, "", options.Type, options.Options)
-	if err != nil {
-		return nil, E.Cause(err, "create inline certificate provider")
-	}
-	return &inlineCertificateProvider{
-		provider: provider,
-	}, nil
-}
--- a/constant/proxy.go
+++ b/constant/proxy.go
@@ -1,38 +1,36 @@
 package constant

 const (
-	TypeTun                = "tun"
-	TypeRedirect           = "redirect"
-	TypeTProxy             = "tproxy"
-	TypeDirect             = "direct"
-	TypeBlock              = "block"
-	TypeDNS                = "dns"
-	TypeSOCKS              = "socks"
-	TypeHTTP               = "http"
-	TypeMixed              = "mixed"
-	TypeShadowsocks        = "shadowsocks"
-	TypeVMess              = "vmess"
-	TypeTrojan             = "trojan"
-	TypeNaive              = "naive"
-	TypeWireGuard          = "wireguard"
-	TypeHysteria           = "hysteria"
-	TypeTor                = "tor"
-	TypeSSH                = "ssh"
-	TypeShadowTLS          = "shadowtls"
-	TypeAnyTLS             = "anytls"
-	TypeShadowsocksR       = "shadowsocksr"
-	TypeVLESS              = "vless"
-	TypeTUIC               = "tuic"
-	TypeHysteria2          = "hysteria2"
-	TypeTailscale          = "tailscale"
-	TypeDERP               = "derp"
-	TypeResolved           = "resolved"
-	TypeSSMAPI             = "ssm-api"
-	TypeCCM                = "ccm"
-	TypeOCM                = "ocm"
-	TypeOOMKiller          = "oom-killer"
-	TypeACME               = "acme"
-	TypeCloudflareOriginCA = "cloudflare-origin-ca"
+	TypeTun          = "tun"
+	TypeRedirect     = "redirect"
+	TypeTProxy       = "tproxy"
+	TypeDirect       = "direct"
+	TypeBlock        = "block"
+	TypeDNS          = "dns"
+	TypeSOCKS        = "socks"
+	TypeHTTP         = "http"
+	TypeMixed        = "mixed"
+	TypeShadowsocks  = "shadowsocks"
+	TypeVMess        = "vmess"
+	TypeTrojan       = "trojan"
+	TypeNaive        = "naive"
+	TypeWireGuard    = "wireguard"
+	TypeHysteria     = "hysteria"
+	TypeTor          = "tor"
+	TypeSSH          = "ssh"
+	TypeShadowTLS    = "shadowtls"
+	TypeAnyTLS       = "anytls"
+	TypeShadowsocksR = "shadowsocksr"
+	TypeVLESS        = "vless"
+	TypeTUIC         = "tuic"
+	TypeHysteria2    = "hysteria2"
+	TypeTailscale    = "tailscale"
+	TypeDERP         = "derp"
+	TypeResolved     = "resolved"
+	TypeSSMAPI       = "ssm-api"
+	TypeCCM          = "ccm"
+	TypeOCM          = "ocm"
+	TypeOOMKiller    = "oom-killer"
 )

 const (
--- a/daemon/instance.go
+++ b/daemon/instance.go
@@ -87,17 +87,12 @@ func (s *StartedService) newInstance(profileContent string, overrideOptions *Ove
 			}
 		}
 	}
-	if s.oomKillerEnabled {
+	if s.oomKiller && C.IsIos {
 		if !common.Any(options.Services, func(it option.Service) bool {
 			return it.Type == C.TypeOOMKiller
 		}) {
-			oomOptions := &option.OOMKillerServiceOptions{
-				KillerDisabled:      s.oomKillerDisabled,
-				MemoryLimitOverride: s.oomMemoryLimit,
-			}
 			options.Services = append(options.Services, option.Service{
-				Type:    C.TypeOOMKiller,
-				Options: oomOptions,
+				Type: C.TypeOOMKiller,
 			})
 		}
 	}
--- a/daemon/platform.go
+++ b/daemon/platform.go
@@ -5,6 +5,5 @@ type PlatformHandler interface {
 	ServiceReload() error
 	SystemProxyStatus() (*SystemProxyStatus, error)
 	SetSystemProxyEnabled(enabled bool) error
-	TriggerNativeCrash() error
 	WriteDebugMessage(message string)
 }
--- a/daemon/started_service.go
+++ b/daemon/started_service.go
@@ -14,7 +14,6 @@ import (
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/protocol/group"
-	"github.com/sagernet/sing-box/service/oomkiller"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/batch"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -25,8 +24,6 @@ import (

 	"github.com/gofrs/uuid/v5"
 	"google.golang.org/grpc"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/emptypb"
 )

@@ -35,12 +32,10 @@ var _ StartedServiceServer = (*StartedService)(nil)
 type StartedService struct {
 	ctx context.Context
 	// platform adapter.PlatformInterface
-	handler           PlatformHandler
-	debug             bool
-	logMaxLines       int
-	oomKillerEnabled  bool
-	oomKillerDisabled bool
-	oomMemoryLimit    uint64
+	handler     PlatformHandler
+	debug       bool
+	logMaxLines int
+	oomKiller   bool
 	// workingDirectory string
 	// tempDirectory    string
 	// userID           int
@@ -69,12 +64,10 @@ type StartedService struct {
 type ServiceOptions struct {
 	Context context.Context
 	// Platform           adapter.PlatformInterface
-	Handler           PlatformHandler
-	Debug             bool
-	LogMaxLines       int
-	OOMKillerEnabled  bool
-	OOMKillerDisabled bool
-	OOMMemoryLimit    uint64
+	Handler     PlatformHandler
+	Debug       bool
+	LogMaxLines int
+	OOMKiller   bool
 	// WorkingDirectory   string
 	// TempDirectory      string
 	// UserID             int
@@ -86,12 +79,10 @@ func NewStartedService(options ServiceOptions) *StartedService {
 	s := &StartedService{
 		ctx: options.Context,
 		// platform:                options.Platform,
-		handler:           options.Handler,
-		debug:             options.Debug,
-		logMaxLines:       options.LogMaxLines,
-		oomKillerEnabled:  options.OOMKillerEnabled,
-		oomKillerDisabled: options.OOMKillerDisabled,
-		oomMemoryLimit:    options.OOMMemoryLimit,
+		handler:     options.Handler,
+		debug:       options.Debug,
+		logMaxLines: options.LogMaxLines,
+		oomKiller:   options.OOMKiller,
 		// workingDirectory: options.WorkingDirectory,
 		// tempDirectory:    options.TempDirectory,
 		// userID:           options.UserID,
@@ -177,7 +168,7 @@ func (s *StartedService) waitForStarted(ctx context.Context) error {
 func (s *StartedService) StartOrReloadService(profileContent string, options *OverrideOptions) error {
 	s.serviceAccess.Lock()
 	switch s.serviceStatus.Status {
-	case ServiceStatus_IDLE, ServiceStatus_STARTED, ServiceStatus_STARTING, ServiceStatus_FATAL:
+	case ServiceStatus_IDLE, ServiceStatus_STARTED, ServiceStatus_STARTING:
 	default:
 		s.serviceAccess.Unlock()
 		return os.ErrInvalid
@@ -235,14 +226,13 @@ func (s *StartedService) CloseService() error {
 		return os.ErrInvalid
 	}
 	s.updateStatus(ServiceStatus_STOPPING)
-	instance := s.instance
-	s.instance = nil
-	if instance != nil {
-		err := instance.Close()
+	if s.instance != nil {
+		err := s.instance.Close()
 		if err != nil {
 			return s.updateStatusError(err)
 		}
 	}
+	s.instance = nil
 	s.startedAt = time.Time{}
 	s.updateStatus(ServiceStatus_IDLE)
 	s.serviceAccess.Unlock()
@@ -694,41 +684,6 @@ func (s *StartedService) SetSystemProxyEnabled(ctx context.Context, request *Set
 	return nil, err
 }

-func (s *StartedService) TriggerDebugCrash(ctx context.Context, request *DebugCrashRequest) (*emptypb.Empty, error) {
-	if !s.debug {
-		return nil, status.Error(codes.PermissionDenied, "debug crash trigger unavailable")
-	}
-	if request == nil {
-		return nil, status.Error(codes.InvalidArgument, "missing debug crash request")
-	}
-	switch request.Type {
-	case DebugCrashRequest_GO:
-		time.AfterFunc(200*time.Millisecond, func() {
-			panic("debug go crash")
-		})
-	case DebugCrashRequest_NATIVE:
-		err := s.handler.TriggerNativeCrash()
-		if err != nil {
-			return nil, err
-		}
-	default:
-		return nil, status.Error(codes.InvalidArgument, "unknown debug crash type")
-	}
-	return &emptypb.Empty{}, nil
-}
-
-func (s *StartedService) TriggerOOMReport(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error) {
-	instance := s.Instance()
-	if instance == nil {
-		return nil, status.Error(codes.FailedPrecondition, "service not started")
-	}
-	reporter := service.FromContext[oomkiller.OOMReporter](instance.ctx)
-	if reporter == nil {
-		return nil, status.Error(codes.Unavailable, "OOM reporter not available")
-	}
-	return &emptypb.Empty{}, reporter.WriteReport(memory.Total())
-}
-
 func (s *StartedService) SubscribeConnections(request *SubscribeConnectionsRequest, server grpc.ServerStreamingServer[ConnectionEvents]) error {
 	err := s.waitForStarted(server.Context())
 	if err != nil {
@@ -994,11 +949,11 @@ func buildConnectionProto(metadata *trafficontrol.TrackerMetadata) *Connection {
 	var processInfo *ProcessInfo
 	if metadata.Metadata.ProcessInfo != nil {
 		processInfo = &ProcessInfo{
-			ProcessId:    metadata.Metadata.ProcessInfo.ProcessID,
-			UserId:       metadata.Metadata.ProcessInfo.UserId,
-			UserName:     metadata.Metadata.ProcessInfo.UserName,
-			ProcessPath:  metadata.Metadata.ProcessInfo.ProcessPath,
-			PackageNames: metadata.Metadata.ProcessInfo.AndroidPackageNames,
+			ProcessId:   metadata.Metadata.ProcessInfo.ProcessID,
+			UserId:      metadata.Metadata.ProcessInfo.UserId,
+			UserName:    metadata.Metadata.ProcessInfo.UserName,
+			ProcessPath: metadata.Metadata.ProcessInfo.ProcessPath,
+			PackageName: metadata.Metadata.ProcessInfo.AndroidPackageName,
 		}
 	}
 	return &Connection{
--- a/daemon/started_service.pb.go
+++ b/daemon/started_service.pb.go
@@ -182,52 +182,6 @@ func (ServiceStatus_Type) EnumDescriptor() ([]byte, []int) {
 	return file_daemon_started_service_proto_rawDescGZIP(), []int{0, 0}
 }

-type DebugCrashRequest_Type int32
-
-const (
-	DebugCrashRequest_GO     DebugCrashRequest_Type = 0
-	DebugCrashRequest_NATIVE DebugCrashRequest_Type = 1
-)
-
-// Enum value maps for DebugCrashRequest_Type.
-var (
-	DebugCrashRequest_Type_name = map[int32]string{
-		0: "GO",
-		1: "NATIVE",
-	}
-	DebugCrashRequest_Type_value = map[string]int32{
-		"GO":     0,
-		"NATIVE": 1,
-	}
-)
-
-func (x DebugCrashRequest_Type) Enum() *DebugCrashRequest_Type {
-	p := new(DebugCrashRequest_Type)
-	*p = x
-	return p
-}
-
-func (x DebugCrashRequest_Type) String() string {
-	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
-}
-
-func (DebugCrashRequest_Type) Descriptor() protoreflect.EnumDescriptor {
-	return file_daemon_started_service_proto_enumTypes[3].Descriptor()
-}
-
-func (DebugCrashRequest_Type) Type() protoreflect.EnumType {
-	return &file_daemon_started_service_proto_enumTypes[3]
-}
-
-func (x DebugCrashRequest_Type) Number() protoreflect.EnumNumber {
-	return protoreflect.EnumNumber(x)
-}
-
-// Deprecated: Use DebugCrashRequest_Type.Descriptor instead.
-func (DebugCrashRequest_Type) EnumDescriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{16, 0}
-}
-
 type ServiceStatus struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Status        ServiceStatus_Type     `protobuf:"varint,1,opt,name=status,proto3,enum=daemon.ServiceStatus_Type" json:"status,omitempty"`
@@ -1108,50 +1062,6 @@ func (x *SetSystemProxyEnabledRequest) GetEnabled() bool {
 	return false
 }

-type DebugCrashRequest struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	Type          DebugCrashRequest_Type `protobuf:"varint,1,opt,name=type,proto3,enum=daemon.DebugCrashRequest_Type" json:"type,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *DebugCrashRequest) Reset() {
-	*x = DebugCrashRequest{}
-	mi := &file_daemon_started_service_proto_msgTypes[16]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *DebugCrashRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*DebugCrashRequest) ProtoMessage() {}
-
-func (x *DebugCrashRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[16]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use DebugCrashRequest.ProtoReflect.Descriptor instead.
-func (*DebugCrashRequest) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{16}
-}
-
-func (x *DebugCrashRequest) GetType() DebugCrashRequest_Type {
-	if x != nil {
-		return x.Type
-	}
-	return DebugCrashRequest_GO
-}
-
 type SubscribeConnectionsRequest struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Interval      int64                  `protobuf:"varint,1,opt,name=interval,proto3" json:"interval,omitempty"`
@@ -1161,7 +1071,7 @@ type SubscribeConnectionsRequest struct {

 func (x *SubscribeConnectionsRequest) Reset() {
 	*x = SubscribeConnectionsRequest{}
-	mi := &file_daemon_started_service_proto_msgTypes[17]
+	mi := &file_daemon_started_service_proto_msgTypes[16]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1173,7 +1083,7 @@ func (x *SubscribeConnectionsRequest) String() string {
 func (*SubscribeConnectionsRequest) ProtoMessage() {}

 func (x *SubscribeConnectionsRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[17]
+	mi := &file_daemon_started_service_proto_msgTypes[16]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1186,7 +1096,7 @@ func (x *SubscribeConnectionsRequest) ProtoReflect() protoreflect.Message {

 // Deprecated: Use SubscribeConnectionsRequest.ProtoReflect.Descriptor instead.
 func (*SubscribeConnectionsRequest) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{17}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{16}
 }

 func (x *SubscribeConnectionsRequest) GetInterval() int64 {
@@ -1210,7 +1120,7 @@ type ConnectionEvent struct {

 func (x *ConnectionEvent) Reset() {
 	*x = ConnectionEvent{}
-	mi := &file_daemon_started_service_proto_msgTypes[18]
+	mi := &file_daemon_started_service_proto_msgTypes[17]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1222,7 +1132,7 @@ func (x *ConnectionEvent) String() string {
 func (*ConnectionEvent) ProtoMessage() {}

 func (x *ConnectionEvent) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[18]
+	mi := &file_daemon_started_service_proto_msgTypes[17]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1235,7 +1145,7 @@ func (x *ConnectionEvent) ProtoReflect() protoreflect.Message {

 // Deprecated: Use ConnectionEvent.ProtoReflect.Descriptor instead.
 func (*ConnectionEvent) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{18}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{17}
 }

 func (x *ConnectionEvent) GetType() ConnectionEventType {
@@ -1290,7 +1200,7 @@ type ConnectionEvents struct {

 func (x *ConnectionEvents) Reset() {
 	*x = ConnectionEvents{}
-	mi := &file_daemon_started_service_proto_msgTypes[19]
+	mi := &file_daemon_started_service_proto_msgTypes[18]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1302,7 +1212,7 @@ func (x *ConnectionEvents) String() string {
 func (*ConnectionEvents) ProtoMessage() {}

 func (x *ConnectionEvents) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[19]
+	mi := &file_daemon_started_service_proto_msgTypes[18]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1315,7 +1225,7 @@ func (x *ConnectionEvents) ProtoReflect() protoreflect.Message {

 // Deprecated: Use ConnectionEvents.ProtoReflect.Descriptor instead.
 func (*ConnectionEvents) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{19}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{18}
 }

 func (x *ConnectionEvents) GetEvents() []*ConnectionEvent {
@@ -1362,7 +1272,7 @@ type Connection struct {

 func (x *Connection) Reset() {
 	*x = Connection{}
-	mi := &file_daemon_started_service_proto_msgTypes[20]
+	mi := &file_daemon_started_service_proto_msgTypes[19]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1374,7 +1284,7 @@ func (x *Connection) String() string {
 func (*Connection) ProtoMessage() {}

 func (x *Connection) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[20]
+	mi := &file_daemon_started_service_proto_msgTypes[19]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1387,7 +1297,7 @@ func (x *Connection) ProtoReflect() protoreflect.Message {

 // Deprecated: Use Connection.ProtoReflect.Descriptor instead.
 func (*Connection) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{20}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{19}
 }

 func (x *Connection) GetId() string {
@@ -1550,14 +1460,14 @@ type ProcessInfo struct {
 	UserId        int32                  `protobuf:"varint,2,opt,name=userId,proto3" json:"userId,omitempty"`
 	UserName      string                 `protobuf:"bytes,3,opt,name=userName,proto3" json:"userName,omitempty"`
 	ProcessPath   string                 `protobuf:"bytes,4,opt,name=processPath,proto3" json:"processPath,omitempty"`
-	PackageNames  []string               `protobuf:"bytes,5,rep,name=packageNames,proto3" json:"packageNames,omitempty"`
+	PackageName   string                 `protobuf:"bytes,5,opt,name=packageName,proto3" json:"packageName,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }

 func (x *ProcessInfo) Reset() {
 	*x = ProcessInfo{}
-	mi := &file_daemon_started_service_proto_msgTypes[21]
+	mi := &file_daemon_started_service_proto_msgTypes[20]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1569,7 +1479,7 @@ func (x *ProcessInfo) String() string {
 func (*ProcessInfo) ProtoMessage() {}

 func (x *ProcessInfo) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[21]
+	mi := &file_daemon_started_service_proto_msgTypes[20]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1582,7 +1492,7 @@ func (x *ProcessInfo) ProtoReflect() protoreflect.Message {

 // Deprecated: Use ProcessInfo.ProtoReflect.Descriptor instead.
 func (*ProcessInfo) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{21}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{20}
 }

 func (x *ProcessInfo) GetProcessId() uint32 {
@@ -1613,11 +1523,11 @@ func (x *ProcessInfo) GetProcessPath() string {
 	return ""
 }

-func (x *ProcessInfo) GetPackageNames() []string {
+func (x *ProcessInfo) GetPackageName() string {
 	if x != nil {
-		return x.PackageNames
+		return x.PackageName
 	}
-	return nil
+	return ""
 }

 type CloseConnectionRequest struct {
@@ -1629,7 +1539,7 @@ type CloseConnectionRequest struct {

 func (x *CloseConnectionRequest) Reset() {
 	*x = CloseConnectionRequest{}
-	mi := &file_daemon_started_service_proto_msgTypes[22]
+	mi := &file_daemon_started_service_proto_msgTypes[21]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1641,7 +1551,7 @@ func (x *CloseConnectionRequest) String() string {
 func (*CloseConnectionRequest) ProtoMessage() {}

 func (x *CloseConnectionRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[22]
+	mi := &file_daemon_started_service_proto_msgTypes[21]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1654,7 +1564,7 @@ func (x *CloseConnectionRequest) ProtoReflect() protoreflect.Message {

 // Deprecated: Use CloseConnectionRequest.ProtoReflect.Descriptor instead.
 func (*CloseConnectionRequest) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{22}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{21}
 }

 func (x *CloseConnectionRequest) GetId() string {
@@ -1673,7 +1583,7 @@ type DeprecatedWarnings struct {

 func (x *DeprecatedWarnings) Reset() {
 	*x = DeprecatedWarnings{}
-	mi := &file_daemon_started_service_proto_msgTypes[23]
+	mi := &file_daemon_started_service_proto_msgTypes[22]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1685,7 +1595,7 @@ func (x *DeprecatedWarnings) String() string {
 func (*DeprecatedWarnings) ProtoMessage() {}

 func (x *DeprecatedWarnings) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[23]
+	mi := &file_daemon_started_service_proto_msgTypes[22]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1698,7 +1608,7 @@ func (x *DeprecatedWarnings) ProtoReflect() protoreflect.Message {

 // Deprecated: Use DeprecatedWarnings.ProtoReflect.Descriptor instead.
 func (*DeprecatedWarnings) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{23}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{22}
 }

 func (x *DeprecatedWarnings) GetWarnings() []*DeprecatedWarning {
@@ -1719,7 +1629,7 @@ type DeprecatedWarning struct {

 func (x *DeprecatedWarning) Reset() {
 	*x = DeprecatedWarning{}
-	mi := &file_daemon_started_service_proto_msgTypes[24]
+	mi := &file_daemon_started_service_proto_msgTypes[23]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1731,7 +1641,7 @@ func (x *DeprecatedWarning) String() string {
 func (*DeprecatedWarning) ProtoMessage() {}

 func (x *DeprecatedWarning) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[24]
+	mi := &file_daemon_started_service_proto_msgTypes[23]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1744,7 +1654,7 @@ func (x *DeprecatedWarning) ProtoReflect() protoreflect.Message {

 // Deprecated: Use DeprecatedWarning.ProtoReflect.Descriptor instead.
 func (*DeprecatedWarning) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{24}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{23}
 }

 func (x *DeprecatedWarning) GetMessage() string {
@@ -1777,7 +1687,7 @@ type StartedAt struct {

 func (x *StartedAt) Reset() {
 	*x = StartedAt{}
-	mi := &file_daemon_started_service_proto_msgTypes[25]
+	mi := &file_daemon_started_service_proto_msgTypes[24]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1789,7 +1699,7 @@ func (x *StartedAt) String() string {
 func (*StartedAt) ProtoMessage() {}

 func (x *StartedAt) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[25]
+	mi := &file_daemon_started_service_proto_msgTypes[24]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1802,7 +1712,7 @@ func (x *StartedAt) ProtoReflect() protoreflect.Message {

 // Deprecated: Use StartedAt.ProtoReflect.Descriptor instead.
 func (*StartedAt) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{25}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{24}
 }

 func (x *StartedAt) GetStartedAt() int64 {
@@ -1822,7 +1732,7 @@ type Log_Message struct {

 func (x *Log_Message) Reset() {
 	*x = Log_Message{}
-	mi := &file_daemon_started_service_proto_msgTypes[26]
+	mi := &file_daemon_started_service_proto_msgTypes[25]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1834,7 +1744,7 @@ func (x *Log_Message) String() string {
 func (*Log_Message) ProtoMessage() {}

 func (x *Log_Message) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[26]
+	mi := &file_daemon_started_service_proto_msgTypes[25]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1935,13 +1845,7 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\tavailable\x18\x01 \x01(\bR\tavailable\x12\x18\n" +
 	"\aenabled\x18\x02 \x01(\bR\aenabled\"8\n" +
 	"\x1cSetSystemProxyEnabledRequest\x12\x18\n" +
-	"\aenabled\x18\x01 \x01(\bR\aenabled\"c\n" +
-	"\x11DebugCrashRequest\x122\n" +
-	"\x04type\x18\x01 \x01(\x0e2\x1e.daemon.DebugCrashRequest.TypeR\x04type\"\x1a\n" +
-	"\x04Type\x12\x06\n" +
-	"\x02GO\x10\x00\x12\n" +
-	"\n" +
-	"\x06NATIVE\x10\x01\"9\n" +
+	"\aenabled\x18\x01 \x01(\bR\aenabled\"9\n" +
 	"\x1bSubscribeConnectionsRequest\x12\x1a\n" +
 	"\binterval\x18\x01 \x01(\x03R\binterval\"\xea\x01\n" +
 	"\x0fConnectionEvent\x12/\n" +
@@ -1980,13 +1884,13 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\boutbound\x18\x13 \x01(\tR\boutbound\x12\"\n" +
 	"\foutboundType\x18\x14 \x01(\tR\foutboundType\x12\x1c\n" +
 	"\tchainList\x18\x15 \x03(\tR\tchainList\x125\n" +
-	"\vprocessInfo\x18\x16 \x01(\v2\x13.daemon.ProcessInfoR\vprocessInfo\"\xa5\x01\n" +
+	"\vprocessInfo\x18\x16 \x01(\v2\x13.daemon.ProcessInfoR\vprocessInfo\"\xa3\x01\n" +
 	"\vProcessInfo\x12\x1c\n" +
 	"\tprocessId\x18\x01 \x01(\rR\tprocessId\x12\x16\n" +
 	"\x06userId\x18\x02 \x01(\x05R\x06userId\x12\x1a\n" +
 	"\buserName\x18\x03 \x01(\tR\buserName\x12 \n" +
-	"\vprocessPath\x18\x04 \x01(\tR\vprocessPath\x12\"\n" +
-	"\fpackageNames\x18\x05 \x03(\tR\fpackageNames\"(\n" +
+	"\vprocessPath\x18\x04 \x01(\tR\vprocessPath\x12 \n" +
+	"\vpackageName\x18\x05 \x01(\tR\vpackageName\"(\n" +
 	"\x16CloseConnectionRequest\x12\x0e\n" +
 	"\x02id\x18\x01 \x01(\tR\x02id\"K\n" +
 	"\x12DeprecatedWarnings\x125\n" +
@@ -2008,7 +1912,7 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\x13ConnectionEventType\x12\x18\n" +
 	"\x14CONNECTION_EVENT_NEW\x10\x00\x12\x1b\n" +
 	"\x17CONNECTION_EVENT_UPDATE\x10\x01\x12\x1b\n" +
-	"\x17CONNECTION_EVENT_CLOSED\x10\x022\xf5\f\n" +
+	"\x17CONNECTION_EVENT_CLOSED\x10\x022\xe5\v\n" +
 	"\x0eStartedService\x12=\n" +
 	"\vStopService\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\x12?\n" +
 	"\rReloadService\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\x12K\n" +
@@ -2025,9 +1929,7 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\x0eSelectOutbound\x12\x1d.daemon.SelectOutboundRequest\x1a\x16.google.protobuf.Empty\"\x00\x12I\n" +
 	"\x0eSetGroupExpand\x12\x1d.daemon.SetGroupExpandRequest\x1a\x16.google.protobuf.Empty\"\x00\x12K\n" +
 	"\x14GetSystemProxyStatus\x12\x16.google.protobuf.Empty\x1a\x19.daemon.SystemProxyStatus\"\x00\x12W\n" +
-	"\x15SetSystemProxyEnabled\x12$.daemon.SetSystemProxyEnabledRequest\x1a\x16.google.protobuf.Empty\"\x00\x12H\n" +
-	"\x11TriggerDebugCrash\x12\x19.daemon.DebugCrashRequest\x1a\x16.google.protobuf.Empty\"\x00\x12D\n" +
-	"\x10TriggerOOMReport\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\"\x00\x12Y\n" +
+	"\x15SetSystemProxyEnabled\x12$.daemon.SetSystemProxyEnabledRequest\x1a\x16.google.protobuf.Empty\"\x00\x12Y\n" +
 	"\x14SubscribeConnections\x12#.daemon.SubscribeConnectionsRequest\x1a\x18.daemon.ConnectionEvents\"\x000\x01\x12K\n" +
 	"\x0fCloseConnection\x12\x1e.daemon.CloseConnectionRequest\x1a\x16.google.protobuf.Empty\"\x00\x12G\n" +
 	"\x13CloseAllConnections\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\"\x00\x12M\n" +
@@ -2047,108 +1949,101 @@ func file_daemon_started_service_proto_rawDescGZIP() []byte {
 }

 var (
-	file_daemon_started_service_proto_enumTypes = make([]protoimpl.EnumInfo, 4)
-	file_daemon_started_service_proto_msgTypes  = make([]protoimpl.MessageInfo, 27)
+	file_daemon_started_service_proto_enumTypes = make([]protoimpl.EnumInfo, 3)
+	file_daemon_started_service_proto_msgTypes  = make([]protoimpl.MessageInfo, 26)
 	file_daemon_started_service_proto_goTypes   = []any{
 		(LogLevel)(0),                        // 0: daemon.LogLevel
 		(ConnectionEventType)(0),             // 1: daemon.ConnectionEventType
 		(ServiceStatus_Type)(0),              // 2: daemon.ServiceStatus.Type
-		(DebugCrashRequest_Type)(0),          // 3: daemon.DebugCrashRequest.Type
-		(*ServiceStatus)(nil),                // 4: daemon.ServiceStatus
-		(*ReloadServiceRequest)(nil),         // 5: daemon.ReloadServiceRequest
-		(*SubscribeStatusRequest)(nil),       // 6: daemon.SubscribeStatusRequest
-		(*Log)(nil),                          // 7: daemon.Log
-		(*DefaultLogLevel)(nil),              // 8: daemon.DefaultLogLevel
-		(*Status)(nil),                       // 9: daemon.Status
-		(*Groups)(nil),                       // 10: daemon.Groups
-		(*Group)(nil),                        // 11: daemon.Group
-		(*GroupItem)(nil),                    // 12: daemon.GroupItem
-		(*URLTestRequest)(nil),               // 13: daemon.URLTestRequest
-		(*SelectOutboundRequest)(nil),        // 14: daemon.SelectOutboundRequest
-		(*SetGroupExpandRequest)(nil),        // 15: daemon.SetGroupExpandRequest
-		(*ClashMode)(nil),                    // 16: daemon.ClashMode
-		(*ClashModeStatus)(nil),              // 17: daemon.ClashModeStatus
-		(*SystemProxyStatus)(nil),            // 18: daemon.SystemProxyStatus
-		(*SetSystemProxyEnabledRequest)(nil), // 19: daemon.SetSystemProxyEnabledRequest
-		(*DebugCrashRequest)(nil),            // 20: daemon.DebugCrashRequest
-		(*SubscribeConnectionsRequest)(nil),  // 21: daemon.SubscribeConnectionsRequest
-		(*ConnectionEvent)(nil),              // 22: daemon.ConnectionEvent
-		(*ConnectionEvents)(nil),             // 23: daemon.ConnectionEvents
-		(*Connection)(nil),                   // 24: daemon.Connection
-		(*ProcessInfo)(nil),                  // 25: daemon.ProcessInfo
-		(*CloseConnectionRequest)(nil),       // 26: daemon.CloseConnectionRequest
-		(*DeprecatedWarnings)(nil),           // 27: daemon.DeprecatedWarnings
-		(*DeprecatedWarning)(nil),            // 28: daemon.DeprecatedWarning
-		(*StartedAt)(nil),                    // 29: daemon.StartedAt
-		(*Log_Message)(nil),                  // 30: daemon.Log.Message
-		(*emptypb.Empty)(nil),                // 31: google.protobuf.Empty
+		(*ServiceStatus)(nil),                // 3: daemon.ServiceStatus
+		(*ReloadServiceRequest)(nil),         // 4: daemon.ReloadServiceRequest
+		(*SubscribeStatusRequest)(nil),       // 5: daemon.SubscribeStatusRequest
+		(*Log)(nil),                          // 6: daemon.Log
+		(*DefaultLogLevel)(nil),              // 7: daemon.DefaultLogLevel
+		(*Status)(nil),                       // 8: daemon.Status
+		(*Groups)(nil),                       // 9: daemon.Groups
+		(*Group)(nil),                        // 10: daemon.Group
+		(*GroupItem)(nil),                    // 11: daemon.GroupItem
+		(*URLTestRequest)(nil),               // 12: daemon.URLTestRequest
+		(*SelectOutboundRequest)(nil),        // 13: daemon.SelectOutboundRequest
+		(*SetGroupExpandRequest)(nil),        // 14: daemon.SetGroupExpandRequest
+		(*ClashMode)(nil),                    // 15: daemon.ClashMode
+		(*ClashModeStatus)(nil),              // 16: daemon.ClashModeStatus
+		(*SystemProxyStatus)(nil),            // 17: daemon.SystemProxyStatus
+		(*SetSystemProxyEnabledRequest)(nil), // 18: daemon.SetSystemProxyEnabledRequest
+		(*SubscribeConnectionsRequest)(nil),  // 19: daemon.SubscribeConnectionsRequest
+		(*ConnectionEvent)(nil),              // 20: daemon.ConnectionEvent
+		(*ConnectionEvents)(nil),             // 21: daemon.ConnectionEvents
+		(*Connection)(nil),                   // 22: daemon.Connection
+		(*ProcessInfo)(nil),                  // 23: daemon.ProcessInfo
+		(*CloseConnectionRequest)(nil),       // 24: daemon.CloseConnectionRequest
+		(*DeprecatedWarnings)(nil),           // 25: daemon.DeprecatedWarnings
+		(*DeprecatedWarning)(nil),            // 26: daemon.DeprecatedWarning
+		(*StartedAt)(nil),                    // 27: daemon.StartedAt
+		(*Log_Message)(nil),                  // 28: daemon.Log.Message
+		(*emptypb.Empty)(nil),                // 29: google.protobuf.Empty
 	}
 )

 var file_daemon_started_service_proto_depIdxs = []int32{
 	2,  // 0: daemon.ServiceStatus.status:type_name -> daemon.ServiceStatus.Type
-	30, // 1: daemon.Log.messages:type_name -> daemon.Log.Message
+	28, // 1: daemon.Log.messages:type_name -> daemon.Log.Message
 	0,  // 2: daemon.DefaultLogLevel.level:type_name -> daemon.LogLevel
-	11, // 3: daemon.Groups.group:type_name -> daemon.Group
-	12, // 4: daemon.Group.items:type_name -> daemon.GroupItem
-	3,  // 5: daemon.DebugCrashRequest.type:type_name -> daemon.DebugCrashRequest.Type
-	1,  // 6: daemon.ConnectionEvent.type:type_name -> daemon.ConnectionEventType
-	24, // 7: daemon.ConnectionEvent.connection:type_name -> daemon.Connection
-	22, // 8: daemon.ConnectionEvents.events:type_name -> daemon.ConnectionEvent
-	25, // 9: daemon.Connection.processInfo:type_name -> daemon.ProcessInfo
-	28, // 10: daemon.DeprecatedWarnings.warnings:type_name -> daemon.DeprecatedWarning
-	0,  // 11: daemon.Log.Message.level:type_name -> daemon.LogLevel
-	31, // 12: daemon.StartedService.StopService:input_type -> google.protobuf.Empty
-	31, // 13: daemon.StartedService.ReloadService:input_type -> google.protobuf.Empty
-	31, // 14: daemon.StartedService.SubscribeServiceStatus:input_type -> google.protobuf.Empty
-	31, // 15: daemon.StartedService.SubscribeLog:input_type -> google.protobuf.Empty
-	31, // 16: daemon.StartedService.GetDefaultLogLevel:input_type -> google.protobuf.Empty
-	31, // 17: daemon.StartedService.ClearLogs:input_type -> google.protobuf.Empty
-	6,  // 18: daemon.StartedService.SubscribeStatus:input_type -> daemon.SubscribeStatusRequest
-	31, // 19: daemon.StartedService.SubscribeGroups:input_type -> google.protobuf.Empty
-	31, // 20: daemon.StartedService.GetClashModeStatus:input_type -> google.protobuf.Empty
-	31, // 21: daemon.StartedService.SubscribeClashMode:input_type -> google.protobuf.Empty
-	16, // 22: daemon.StartedService.SetClashMode:input_type -> daemon.ClashMode
-	13, // 23: daemon.StartedService.URLTest:input_type -> daemon.URLTestRequest
-	14, // 24: daemon.StartedService.SelectOutbound:input_type -> daemon.SelectOutboundRequest
-	15, // 25: daemon.StartedService.SetGroupExpand:input_type -> daemon.SetGroupExpandRequest
-	31, // 26: daemon.StartedService.GetSystemProxyStatus:input_type -> google.protobuf.Empty
-	19, // 27: daemon.StartedService.SetSystemProxyEnabled:input_type -> daemon.SetSystemProxyEnabledRequest
-	20, // 28: daemon.StartedService.TriggerDebugCrash:input_type -> daemon.DebugCrashRequest
-	31, // 29: daemon.StartedService.TriggerOOMReport:input_type -> google.protobuf.Empty
-	21, // 30: daemon.StartedService.SubscribeConnections:input_type -> daemon.SubscribeConnectionsRequest
-	26, // 31: daemon.StartedService.CloseConnection:input_type -> daemon.CloseConnectionRequest
-	31, // 32: daemon.StartedService.CloseAllConnections:input_type -> google.protobuf.Empty
-	31, // 33: daemon.StartedService.GetDeprecatedWarnings:input_type -> google.protobuf.Empty
-	31, // 34: daemon.StartedService.GetStartedAt:input_type -> google.protobuf.Empty
-	31, // 35: daemon.StartedService.StopService:output_type -> google.protobuf.Empty
-	31, // 36: daemon.StartedService.ReloadService:output_type -> google.protobuf.Empty
-	4,  // 37: daemon.StartedService.SubscribeServiceStatus:output_type -> daemon.ServiceStatus
-	7,  // 38: daemon.StartedService.SubscribeLog:output_type -> daemon.Log
-	8,  // 39: daemon.StartedService.GetDefaultLogLevel:output_type -> daemon.DefaultLogLevel
-	31, // 40: daemon.StartedService.ClearLogs:output_type -> google.protobuf.Empty
-	9,  // 41: daemon.StartedService.SubscribeStatus:output_type -> daemon.Status
-	10, // 42: daemon.StartedService.SubscribeGroups:output_type -> daemon.Groups
-	17, // 43: daemon.StartedService.GetClashModeStatus:output_type -> daemon.ClashModeStatus
-	16, // 44: daemon.StartedService.SubscribeClashMode:output_type -> daemon.ClashMode
-	31, // 45: daemon.StartedService.SetClashMode:output_type -> google.protobuf.Empty
-	31, // 46: daemon.StartedService.URLTest:output_type -> google.protobuf.Empty
-	31, // 47: daemon.StartedService.SelectOutbound:output_type -> google.protobuf.Empty
-	31, // 48: daemon.StartedService.SetGroupExpand:output_type -> google.protobuf.Empty
-	18, // 49: daemon.StartedService.GetSystemProxyStatus:output_type -> daemon.SystemProxyStatus
-	31, // 50: daemon.StartedService.SetSystemProxyEnabled:output_type -> google.protobuf.Empty
-	31, // 51: daemon.StartedService.TriggerDebugCrash:output_type -> google.protobuf.Empty
-	31, // 52: daemon.StartedService.TriggerOOMReport:output_type -> google.protobuf.Empty
-	23, // 53: daemon.StartedService.SubscribeConnections:output_type -> daemon.ConnectionEvents
-	31, // 54: daemon.StartedService.CloseConnection:output_type -> google.protobuf.Empty
-	31, // 55: daemon.StartedService.CloseAllConnections:output_type -> google.protobuf.Empty
-	27, // 56: daemon.StartedService.GetDeprecatedWarnings:output_type -> daemon.DeprecatedWarnings
-	29, // 57: daemon.StartedService.GetStartedAt:output_type -> daemon.StartedAt
-	35, // [35:58] is the sub-list for method output_type
-	12, // [12:35] is the sub-list for method input_type
-	12, // [12:12] is the sub-list for extension type_name
-	12, // [12:12] is the sub-list for extension extendee
-	0,  // [0:12] is the sub-list for field type_name
+	10, // 3: daemon.Groups.group:type_name -> daemon.Group
+	11, // 4: daemon.Group.items:type_name -> daemon.GroupItem
+	1,  // 5: daemon.ConnectionEvent.type:type_name -> daemon.ConnectionEventType
+	22, // 6: daemon.ConnectionEvent.connection:type_name -> daemon.Connection
+	20, // 7: daemon.ConnectionEvents.events:type_name -> daemon.ConnectionEvent
+	23, // 8: daemon.Connection.processInfo:type_name -> daemon.ProcessInfo
+	26, // 9: daemon.DeprecatedWarnings.warnings:type_name -> daemon.DeprecatedWarning
+	0,  // 10: daemon.Log.Message.level:type_name -> daemon.LogLevel
+	29, // 11: daemon.StartedService.StopService:input_type -> google.protobuf.Empty
+	29, // 12: daemon.StartedService.ReloadService:input_type -> google.protobuf.Empty
+	29, // 13: daemon.StartedService.SubscribeServiceStatus:input_type -> google.protobuf.Empty
+	29, // 14: daemon.StartedService.SubscribeLog:input_type -> google.protobuf.Empty
+	29, // 15: daemon.StartedService.GetDefaultLogLevel:input_type -> google.protobuf.Empty
+	29, // 16: daemon.StartedService.ClearLogs:input_type -> google.protobuf.Empty
+	5,  // 17: daemon.StartedService.SubscribeStatus:input_type -> daemon.SubscribeStatusRequest
+	29, // 18: daemon.StartedService.SubscribeGroups:input_type -> google.protobuf.Empty
+	29, // 19: daemon.StartedService.GetClashModeStatus:input_type -> google.protobuf.Empty
+	29, // 20: daemon.StartedService.SubscribeClashMode:input_type -> google.protobuf.Empty
+	15, // 21: daemon.StartedService.SetClashMode:input_type -> daemon.ClashMode
+	12, // 22: daemon.StartedService.URLTest:input_type -> daemon.URLTestRequest
+	13, // 23: daemon.StartedService.SelectOutbound:input_type -> daemon.SelectOutboundRequest
+	14, // 24: daemon.StartedService.SetGroupExpand:input_type -> daemon.SetGroupExpandRequest
+	29, // 25: daemon.StartedService.GetSystemProxyStatus:input_type -> google.protobuf.Empty
+	18, // 26: daemon.StartedService.SetSystemProxyEnabled:input_type -> daemon.SetSystemProxyEnabledRequest
+	19, // 27: daemon.StartedService.SubscribeConnections:input_type -> daemon.SubscribeConnectionsRequest
+	24, // 28: daemon.StartedService.CloseConnection:input_type -> daemon.CloseConnectionRequest
+	29, // 29: daemon.StartedService.CloseAllConnections:input_type -> google.protobuf.Empty
+	29, // 30: daemon.StartedService.GetDeprecatedWarnings:input_type -> google.protobuf.Empty
+	29, // 31: daemon.StartedService.GetStartedAt:input_type -> google.protobuf.Empty
+	29, // 32: daemon.StartedService.StopService:output_type -> google.protobuf.Empty
+	29, // 33: daemon.StartedService.ReloadService:output_type -> google.protobuf.Empty
+	3,  // 34: daemon.StartedService.SubscribeServiceStatus:output_type -> daemon.ServiceStatus
+	6,  // 35: daemon.StartedService.SubscribeLog:output_type -> daemon.Log
+	7,  // 36: daemon.StartedService.GetDefaultLogLevel:output_type -> daemon.DefaultLogLevel
+	29, // 37: daemon.StartedService.ClearLogs:output_type -> google.protobuf.Empty
+	8,  // 38: daemon.StartedService.SubscribeStatus:output_type -> daemon.Status
+	9,  // 39: daemon.StartedService.SubscribeGroups:output_type -> daemon.Groups
+	16, // 40: daemon.StartedService.GetClashModeStatus:output_type -> daemon.ClashModeStatus
+	15, // 41: daemon.StartedService.SubscribeClashMode:output_type -> daemon.ClashMode
+	29, // 42: daemon.StartedService.SetClashMode:output_type -> google.protobuf.Empty
+	29, // 43: daemon.StartedService.URLTest:output_type -> google.protobuf.Empty
+	29, // 44: daemon.StartedService.SelectOutbound:output_type -> google.protobuf.Empty
+	29, // 45: daemon.StartedService.SetGroupExpand:output_type -> google.protobuf.Empty
+	17, // 46: daemon.StartedService.GetSystemProxyStatus:output_type -> daemon.SystemProxyStatus
+	29, // 47: daemon.StartedService.SetSystemProxyEnabled:output_type -> google.protobuf.Empty
+	21, // 48: daemon.StartedService.SubscribeConnections:output_type -> daemon.ConnectionEvents
+	29, // 49: daemon.StartedService.CloseConnection:output_type -> google.protobuf.Empty
+	29, // 50: daemon.StartedService.CloseAllConnections:output_type -> google.protobuf.Empty
+	25, // 51: daemon.StartedService.GetDeprecatedWarnings:output_type -> daemon.DeprecatedWarnings
+	27, // 52: daemon.StartedService.GetStartedAt:output_type -> daemon.StartedAt
+	32, // [32:53] is the sub-list for method output_type
+	11, // [11:32] is the sub-list for method input_type
+	11, // [11:11] is the sub-list for extension type_name
+	11, // [11:11] is the sub-list for extension extendee
+	0,  // [0:11] is the sub-list for field type_name
 }

 func init() { file_daemon_started_service_proto_init() }
@@ -2161,8 +2056,8 @@ func file_daemon_started_service_proto_init() {
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_daemon_started_service_proto_rawDesc), len(file_daemon_started_service_proto_rawDesc)),
-			NumEnums:      4,
-			NumMessages:   27,
+			NumEnums:      3,
+			NumMessages:   26,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
--- a/daemon/started_service.proto
+++ b/daemon/started_service.proto
@@ -26,8 +26,6 @@ service StartedService {

  rpc GetSystemProxyStatus(google.protobuf.Empty) returns(SystemProxyStatus) {}
  rpc SetSystemProxyEnabled(SetSystemProxyEnabledRequest) returns(google.protobuf.Empty) {}
-  rpc TriggerDebugCrash(DebugCrashRequest) returns(google.protobuf.Empty) {}
-  rpc TriggerOOMReport(google.protobuf.Empty) returns(google.protobuf.Empty) {}

  rpc SubscribeConnections(SubscribeConnectionsRequest) returns(stream ConnectionEvents) {}
  rpc CloseConnection(CloseConnectionRequest) returns(google.protobuf.Empty) {}
@@ -143,15 +141,6 @@ message SetSystemProxyEnabledRequest {
  bool enabled = 1;
 }

-message DebugCrashRequest {
-  enum Type {
-    GO = 0;
-    NATIVE = 1;
-  }
-
-  Type type = 1;
-}
-
 message SubscribeConnectionsRequest {
  int64 interval = 1;
 }
@@ -206,7 +195,7 @@ message ProcessInfo {
  int32 userId = 2;
  string userName = 3;
  string processPath = 4;
-  repeated string packageNames = 5;
+  string packageName = 5;
 }

 message CloseConnectionRequest {
@@ -225,4 +214,4 @@ message DeprecatedWarning {

 message StartedAt {
  int64 startedAt = 1;
-}
+}
--- a/daemon/started_service_grpc.pb.go
+++ b/daemon/started_service_grpc.pb.go
@@ -31,8 +31,6 @@ const (
 	StartedService_SetGroupExpand_FullMethodName         = "/daemon.StartedService/SetGroupExpand"
 	StartedService_GetSystemProxyStatus_FullMethodName   = "/daemon.StartedService/GetSystemProxyStatus"
 	StartedService_SetSystemProxyEnabled_FullMethodName  = "/daemon.StartedService/SetSystemProxyEnabled"
-	StartedService_TriggerDebugCrash_FullMethodName      = "/daemon.StartedService/TriggerDebugCrash"
-	StartedService_TriggerOOMReport_FullMethodName       = "/daemon.StartedService/TriggerOOMReport"
 	StartedService_SubscribeConnections_FullMethodName   = "/daemon.StartedService/SubscribeConnections"
 	StartedService_CloseConnection_FullMethodName        = "/daemon.StartedService/CloseConnection"
 	StartedService_CloseAllConnections_FullMethodName    = "/daemon.StartedService/CloseAllConnections"
@@ -60,8 +58,6 @@ type StartedServiceClient interface {
 	SetGroupExpand(ctx context.Context, in *SetGroupExpandRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	GetSystemProxyStatus(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*SystemProxyStatus, error)
 	SetSystemProxyEnabled(ctx context.Context, in *SetSystemProxyEnabledRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
-	TriggerDebugCrash(ctx context.Context, in *DebugCrashRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
-	TriggerOOMReport(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	SubscribeConnections(ctx context.Context, in *SubscribeConnectionsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[ConnectionEvents], error)
 	CloseConnection(ctx context.Context, in *CloseConnectionRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	CloseAllConnections(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error)
@@ -282,26 +278,6 @@ func (c *startedServiceClient) SetSystemProxyEnabled(ctx context.Context, in *Se
 	return out, nil
 }

-func (c *startedServiceClient) TriggerDebugCrash(ctx context.Context, in *DebugCrashRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(emptypb.Empty)
-	err := c.cc.Invoke(ctx, StartedService_TriggerDebugCrash_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-func (c *startedServiceClient) TriggerOOMReport(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(emptypb.Empty)
-	err := c.cc.Invoke(ctx, StartedService_TriggerOOMReport_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
 func (c *startedServiceClient) SubscribeConnections(ctx context.Context, in *SubscribeConnectionsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[ConnectionEvents], error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[5], StartedService_SubscribeConnections_FullMethodName, cOpts...)
@@ -381,8 +357,6 @@ type StartedServiceServer interface {
 	SetGroupExpand(context.Context, *SetGroupExpandRequest) (*emptypb.Empty, error)
 	GetSystemProxyStatus(context.Context, *emptypb.Empty) (*SystemProxyStatus, error)
 	SetSystemProxyEnabled(context.Context, *SetSystemProxyEnabledRequest) (*emptypb.Empty, error)
-	TriggerDebugCrash(context.Context, *DebugCrashRequest) (*emptypb.Empty, error)
-	TriggerOOMReport(context.Context, *emptypb.Empty) (*emptypb.Empty, error)
 	SubscribeConnections(*SubscribeConnectionsRequest, grpc.ServerStreamingServer[ConnectionEvents]) error
 	CloseConnection(context.Context, *CloseConnectionRequest) (*emptypb.Empty, error)
 	CloseAllConnections(context.Context, *emptypb.Empty) (*emptypb.Empty, error)
@@ -462,14 +436,6 @@ func (UnimplementedStartedServiceServer) SetSystemProxyEnabled(context.Context,
 	return nil, status.Error(codes.Unimplemented, "method SetSystemProxyEnabled not implemented")
 }

-func (UnimplementedStartedServiceServer) TriggerDebugCrash(context.Context, *DebugCrashRequest) (*emptypb.Empty, error) {
-	return nil, status.Error(codes.Unimplemented, "method TriggerDebugCrash not implemented")
-}
-
-func (UnimplementedStartedServiceServer) TriggerOOMReport(context.Context, *emptypb.Empty) (*emptypb.Empty, error) {
-	return nil, status.Error(codes.Unimplemented, "method TriggerOOMReport not implemented")
-}
-
 func (UnimplementedStartedServiceServer) SubscribeConnections(*SubscribeConnectionsRequest, grpc.ServerStreamingServer[ConnectionEvents]) error {
 	return status.Error(codes.Unimplemented, "method SubscribeConnections not implemented")
 }
@@ -763,42 +729,6 @@ func _StartedService_SetSystemProxyEnabled_Handler(srv interface{}, ctx context.
 	return interceptor(ctx, in, info, handler)
 }

-func _StartedService_TriggerDebugCrash_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(DebugCrashRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(StartedServiceServer).TriggerDebugCrash(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: StartedService_TriggerDebugCrash_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(StartedServiceServer).TriggerDebugCrash(ctx, req.(*DebugCrashRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-func _StartedService_TriggerOOMReport_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(emptypb.Empty)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(StartedServiceServer).TriggerOOMReport(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: StartedService_TriggerOOMReport_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(StartedServiceServer).TriggerOOMReport(ctx, req.(*emptypb.Empty))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
 func _StartedService_SubscribeConnections_Handler(srv interface{}, stream grpc.ServerStream) error {
 	m := new(SubscribeConnectionsRequest)
 	if err := stream.RecvMsg(m); err != nil {
@@ -933,14 +863,6 @@ var StartedService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "SetSystemProxyEnabled",
 			Handler:    _StartedService_SetSystemProxyEnabled_Handler,
 		},
-		{
-			MethodName: "TriggerDebugCrash",
-			Handler:    _StartedService_TriggerDebugCrash_Handler,
-		},
-		{
-			MethodName: "TriggerOOMReport",
-			Handler:    _StartedService_TriggerOOMReport_Handler,
-		},
 		{
 			MethodName: "CloseConnection",
 			Handler:    _StartedService_CloseConnection_Handler,
--- a/dns/transport/connector.go
+++ b/dns/transport/connector.go
@@ -55,12 +55,6 @@ type contextKeyConnecting struct{}

 var errRecursiveConnectorDial = E.New("recursive connector dial")

-type connectorDialResult[T any] struct {
-	connection T
-	cancel     context.CancelFunc
-	err        error
-}
-
 func (c *Connector[T]) Get(ctx context.Context) (T, error) {
 	var zero T
 	for {
@@ -106,37 +100,41 @@ func (c *Connector[T]) Get(ctx context.Context) (T, error) {
 			return zero, err
 		}

-		connecting := make(chan struct{})
-		c.connecting = connecting
-		dialContext := context.WithValue(ctx, contextKeyConnecting{}, c)
-		dialResult := make(chan connectorDialResult[T], 1)
+		c.connecting = make(chan struct{})
 		c.access.Unlock()

-		go func() {
-			connection, cancel, err := c.dialWithCancellation(dialContext)
-			dialResult <- connectorDialResult[T]{
-				connection: connection,
-				cancel:     cancel,
-				err:        err,
-			}
-		}()
+		dialContext := context.WithValue(ctx, contextKeyConnecting{}, c)
+		connection, cancel, err := c.dialWithCancellation(dialContext)

-		select {
-		case result := <-dialResult:
-			return c.completeDial(ctx, connecting, result)
-		case <-ctx.Done():
-			go func() {
-				result := <-dialResult
-				_, _ = c.completeDial(ctx, connecting, result)
-			}()
-			return zero, ctx.Err()
-		case <-c.closeCtx.Done():
-			go func() {
-				result := <-dialResult
-				_, _ = c.completeDial(ctx, connecting, result)
-			}()
+		c.access.Lock()
+		close(c.connecting)
+		c.connecting = nil
+
+		if err != nil {
+			c.access.Unlock()
+			return zero, err
+		}
+
+		if c.closed {
+			cancel()
+			c.callbacks.Close(connection)
+			c.access.Unlock()
 			return zero, ErrTransportClosed
 		}
+		if err = ctx.Err(); err != nil {
+			cancel()
+			c.callbacks.Close(connection)
+			c.access.Unlock()
+			return zero, err
+		}
+
+		c.connection = connection
+		c.hasConnection = true
+		c.connectionCancel = cancel
+		result := c.connection
+		c.access.Unlock()
+
+		return result, nil
 	}
 }

@@ -145,38 +143,6 @@ func isRecursiveConnectorDial[T any](ctx context.Context, connector *Connector[T
 	return loaded && dialConnector == connector
 }

-func (c *Connector[T]) completeDial(ctx context.Context, connecting chan struct{}, result connectorDialResult[T]) (T, error) {
-	var zero T
-
-	c.access.Lock()
-	defer c.access.Unlock()
-	defer func() {
-		if c.connecting == connecting {
-			c.connecting = nil
-		}
-		close(connecting)
-	}()
-
-	if result.err != nil {
-		return zero, result.err
-	}
-	if c.closed || c.closeCtx.Err() != nil {
-		result.cancel()
-		c.callbacks.Close(result.connection)
-		return zero, ErrTransportClosed
-	}
-	if err := ctx.Err(); err != nil {
-		result.cancel()
-		c.callbacks.Close(result.connection)
-		return zero, err
-	}
-
-	c.connection = result.connection
-	c.hasConnection = true
-	c.connectionCancel = result.cancel
-	return c.connection, nil
-}
-
 func (c *Connector[T]) dialWithCancellation(ctx context.Context) (T, context.CancelFunc, error) {
 	var zero T
 	if err := ctx.Err(); err != nil {
--- a/dns/transport/connector_test.go
+++ b/dns/transport/connector_test.go
@@ -188,157 +188,13 @@ func TestConnectorCanceledRequestDoesNotCacheConnection(t *testing.T) {
 	err := <-result
 	require.ErrorIs(t, err, context.Canceled)
 	require.EqualValues(t, 1, dialCount.Load())
-	require.Eventually(t, func() bool {
-		return closeCount.Load() == 1
-	}, time.Second, 10*time.Millisecond)
+	require.EqualValues(t, 1, closeCount.Load())

 	_, err = connector.Get(context.Background())
 	require.NoError(t, err)
 	require.EqualValues(t, 2, dialCount.Load())
 }

-func TestConnectorCanceledRequestReturnsBeforeIgnoredDialCompletes(t *testing.T) {
-	t.Parallel()
-
-	var (
-		dialCount  atomic.Int32
-		closeCount atomic.Int32
-	)
-	dialStarted := make(chan struct{}, 1)
-	releaseDial := make(chan struct{})
-
-	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
-		dialCount.Add(1)
-		select {
-		case dialStarted <- struct{}{}:
-		default:
-		}
-		<-releaseDial
-		return &testConnectorConnection{}, nil
-	}, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {
-			closeCount.Add(1)
-		},
-		Reset: func(connection *testConnectorConnection) {},
-	})
-
-	requestContext, cancel := context.WithCancel(context.Background())
-	result := make(chan error, 1)
-	go func() {
-		_, err := connector.Get(requestContext)
-		result <- err
-	}()
-
-	<-dialStarted
-	cancel()
-
-	select {
-	case err := <-result:
-		require.ErrorIs(t, err, context.Canceled)
-	case <-time.After(time.Second):
-		t.Fatal("Get did not return after request cancel")
-	}
-
-	require.EqualValues(t, 1, dialCount.Load())
-	require.EqualValues(t, 0, closeCount.Load())
-
-	close(releaseDial)
-
-	require.Eventually(t, func() bool {
-		return closeCount.Load() == 1
-	}, time.Second, 10*time.Millisecond)
-
-	_, err := connector.Get(context.Background())
-	require.NoError(t, err)
-	require.EqualValues(t, 2, dialCount.Load())
-}
-
-func TestConnectorWaiterDoesNotStartNewDialBeforeCanceledDialCompletes(t *testing.T) {
-	t.Parallel()
-
-	var (
-		dialCount  atomic.Int32
-		closeCount atomic.Int32
-	)
-	firstDialStarted := make(chan struct{}, 1)
-	secondDialStarted := make(chan struct{}, 1)
-	releaseFirstDial := make(chan struct{})
-
-	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
-		attempt := dialCount.Add(1)
-		switch attempt {
-		case 1:
-			select {
-			case firstDialStarted <- struct{}{}:
-			default:
-			}
-			<-releaseFirstDial
-		case 2:
-			select {
-			case secondDialStarted <- struct{}{}:
-			default:
-			}
-		}
-		return &testConnectorConnection{}, nil
-	}, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {
-			closeCount.Add(1)
-		},
-		Reset: func(connection *testConnectorConnection) {},
-	})
-
-	requestContext, cancel := context.WithCancel(context.Background())
-	firstResult := make(chan error, 1)
-	go func() {
-		_, err := connector.Get(requestContext)
-		firstResult <- err
-	}()
-
-	<-firstDialStarted
-	cancel()
-
-	secondResult := make(chan error, 1)
-	go func() {
-		_, err := connector.Get(context.Background())
-		secondResult <- err
-	}()
-
-	select {
-	case <-secondDialStarted:
-		t.Fatal("second dial started before first dial completed")
-	case <-time.After(100 * time.Millisecond):
-	}
-
-	select {
-	case err := <-firstResult:
-		require.ErrorIs(t, err, context.Canceled)
-	case <-time.After(time.Second):
-		t.Fatal("first Get did not return after request cancel")
-	}
-
-	close(releaseFirstDial)
-
-	require.Eventually(t, func() bool {
-		return closeCount.Load() == 1
-	}, time.Second, 10*time.Millisecond)
-
-	select {
-	case <-secondDialStarted:
-	case <-time.After(time.Second):
-		t.Fatal("second dial did not start after first dial completed")
-	}
-
-	err := <-secondResult
-	require.NoError(t, err)
-	require.EqualValues(t, 2, dialCount.Load())
-}
-
 func TestConnectorDialContextNotCanceledByRequestContextAfterDial(t *testing.T) {
 	t.Parallel()

--- a/dns/transport/dhcp/dhcp_shared.go
+++ b/dns/transport/dhcp/dhcp_shared.go
@@ -7,6 +7,7 @@ import (
 	"strings"
 	"syscall"

+	"github.com/sagernet/sing-box/dns"
 	"github.com/sagernet/sing-box/dns/transport"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -39,6 +40,13 @@ func (t *Transport) exchangeParallel(ctx context.Context, servers []M.Socksaddr,
 	results := make(chan queryResult)
 	startRacer := func(ctx context.Context, fqdn string) {
 		response, err := t.tryOneName(ctx, servers, fqdn, message)
+		if err == nil {
+			if response.Rcode != mDNS.RcodeSuccess {
+				err = dns.RcodeError(response.Rcode)
+			} else if len(dns.MessageToAddresses(response)) == 0 {
+				err = dns.RcodeSuccess
+			}
+		}
 		select {
 		case results <- queryResult{response, err}:
 		case <-returned:
--- a/dns/transport/local/local_shared.go
+++ b/dns/transport/local/local_shared.go
@@ -7,6 +7,7 @@ import (
 	"syscall"
 	"time"

+	"github.com/sagernet/sing-box/dns"
 	"github.com/sagernet/sing-box/dns/transport"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -48,6 +49,13 @@ func (t *Transport) exchangeParallel(ctx context.Context, systemConfig *dnsConfi
 	results := make(chan queryResult)
 	startRacer := func(ctx context.Context, fqdn string) {
 		response, err := t.tryOneName(ctx, systemConfig, fqdn, message)
+		if err == nil {
+			if response.Rcode != mDNS.RcodeSuccess {
+				err = dns.RcodeError(response.Rcode)
+			} else if len(dns.MessageToAddresses(response)) == 0 {
+				err = E.New(fqdn, ": empty result")
+			}
+		}
 		select {
 		case results <- queryResult{response, err}:
 		case <-returned:
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,59 +2,7 @@
 icon: material/alert-decagram
 ---

-#### 1.14.0-alpha.9
-
-* Fixes and improvements
-
-#### 1.13.6
-
-* Fixes and improvements
-
-#### 1.14.0-alpha.8
-
-* Add BBR profile and hop interval randomization for Hysteria2 **1**
-* Fixes and improvements
-
-**1**:
-
-See [Hysteria2 Inbound](/configuration/inbound/hysteria2/#bbr_profile) and [Hysteria2 Outbound](/configuration/outbound/hysteria2/#bbr_profile).
-
-#### 1.14.0-alpha.8
-
-* Fixes and improvements
-
-#### 1.13.5
-
-* Fixes and improvements
-
-#### 1.14.0-alpha.7
-
-* Fixes and improvements
-
-#### 1.13.4
-
-* Fixes and improvements
-
-#### 1.14.0-alpha.4
-
-* Refactor ACME support to certificate provider system **1**
-* Add Cloudflare Origin CA certificate provider **2**
-* Add Tailscale certificate provider **3**
-* Fixes and improvements
-
-**1**:
-
-See [Certificate Provider](/configuration/shared/certificate-provider/) and [Migration](/migration/#migrate-inline-acme-to-certificate-provider).
-
-**2**:
-
-See [Cloudflare Origin CA](/configuration/shared/certificate-provider/cloudflare-origin-ca).
-
-**3**:
-
-See [Tailscale](/configuration/shared/certificate-provider/tailscale).
-
-#### 1.13.3
+#### 1.14.0-alpha.2

 * Add OpenWrt and Alpine APK packages to release **1**
 * Backport to macOS 10.13 High Sierra **2**
@@ -78,11 +26,7 @@ from [SagerNet/go](https://github.com/SagerNet/go).

 See [OCM](/configuration/service/ocm).

-#### 1.12.24
-
-* Fixes and improvements
-
-#### 1.14.0-alpha.2
+#### 1.13.3-beta.1

 * Add OpenWrt and Alpine APK packages to release **1**
 * Backport to macOS 10.13 High Sierra **2**
--- a/docs/configuration/dns/fakeip.zh.md
+++ b/docs/configuration/dns/fakeip.zh.md
@@ -4,7 +4,7 @@ icon: material/delete-clock

 !!! failure "已在 sing-box 1.12.0 废弃"

-    旧的 fake-ip 配置已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。
+    旧的 fake-ip 配置已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/migration/#migrate-to-new-dns-servers)。

 ### 结构

--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@@ -220,7 +220,7 @@ icon: material/alert-decagram
    (`source_port` || `source_port_range`) &&  
    `other fields`

-    Additionally, each branch inside an included rule-set can be considered merged into the outer rule, while different branches keep OR semantics.
+    Additionally, included rule-sets can be considered merged rather than as a single rule sub-item.

 #### inbound

@@ -577,4 +577,4 @@ Match any IP with query response.

 #### rules

-Included rules.
+Included rules.
--- a/docs/configuration/dns/rule.zh.md
+++ b/docs/configuration/dns/rule.zh.md
@@ -219,7 +219,7 @@ icon: material/alert-decagram
    (`source_port` || `source_port_range`) &&  
    `other fields`

-    另外，引用规则集中的每个分支都可视为与外层规则合并，不同分支之间仍保持 OR 语义。
+    另外，引用的规则集可视为被合并，而不是作为一个单独的规则子项。

 #### inbound

@@ -267,7 +267,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。

 !!! failure "已在 sing-box 1.12.0 中被移除"

-    GeoSite 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-geosite-到规则集)。
+    GeoSite 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geosite)。

 匹配 Geosite。

@@ -275,7 +275,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。

 !!! failure "已在 sing-box 1.12.0 中被移除"

-    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-geoip-到规则集)。
+    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geoip)。

 匹配源 GeoIP。

@@ -484,7 +484,7 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

 !!! failure "已在 sing-box 1.12.0 废弃"

-    `outbound` 规则项已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-outbound-dns-规则项到域解析选项)。
+    `outbound` 规则项已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/migration/#migrate-outbound-dns-rule-items-to-domain-resolver)。

 匹配出站。

@@ -536,7 +536,7 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

 !!! failure "已在 sing-box 1.12.0 中被移除"

-    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-geoip-到规则集)。
+    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geoip)。


 与查询响应匹配 GeoIP。
@@ -581,4 +581,4 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

 ==必填==

-包括的规则。
+包括的规则。
--- a/docs/configuration/dns/server/http3.zh.md
+++ b/docs/configuration/dns/server/http3.zh.md
@@ -64,7 +64,7 @@ DNS 服务器的路径。

 #### tls

-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。

 ### 拨号字段

--- a/docs/configuration/dns/server/https.zh.md
+++ b/docs/configuration/dns/server/https.zh.md
@@ -64,7 +64,7 @@ DNS 服务器的路径。

 #### tls

-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。

 ### 拨号字段

--- a/docs/configuration/dns/server/legacy.zh.md
+++ b/docs/configuration/dns/server/legacy.zh.md
@@ -4,7 +4,7 @@ icon: material/delete-clock

 !!! failure "Deprecated in sing-box 1.12.0"

-    旧的 DNS 服务器配置已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。
+    旧的 DNS 服务器配置已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/migration/#migrate-to-new-dns-servers)。

 !!! quote "sing-box 1.9.0 中的更改"

--- a/docs/configuration/dns/server/quic.zh.md
+++ b/docs/configuration/dns/server/quic.zh.md
@@ -51,7 +51,7 @@ DNS 服务器的端口。

 #### tls

-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。

 ### 拨号字段

--- a/docs/configuration/dns/server/tls.zh.md
+++ b/docs/configuration/dns/server/tls.zh.md
@@ -51,7 +51,7 @@ DNS 服务器的端口。

 #### tls

-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。

 ### 拨号字段

--- a/docs/configuration/experimental/cache-file.zh.md
+++ b/docs/configuration/experimental/cache-file.zh.md
@@ -42,7 +42,7 @@

 将拒绝的 DNS 响应缓存存储在缓存文件中。

-[地址筛选 DNS 规则项](/zh/configuration/dns/rule/#地址筛选字段) 的检查结果将被缓存至过期。
+[地址筛选 DNS 规则项](/zh/configuration/dns/rule/#_3) 的检查结果将被缓存至过期。

 #### rdrc_timeout

--- a/docs/configuration/experimental/v2ray-api.zh.md
+++ b/docs/configuration/experimental/v2ray-api.zh.md
@@ -1,6 +1,6 @@
 !!! quote ""

-    默认安装不包含 V2Ray API，参阅 [安装](/zh/installation/build-from-source/#构建标记)。
+    默认安装不包含 V2Ray API，参阅 [安装](/zh/installation/build-from-source/#_5)。

 ### 结构

--- a/docs/configuration/inbound/anytls.zh.md
+++ b/docs/configuration/inbound/anytls.zh.md
@@ -58,4 +58,4 @@ AnyTLS 填充方案行数组。

 #### tls

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
--- a/docs/configuration/inbound/http.zh.md
+++ b/docs/configuration/inbound/http.zh.md
@@ -26,7 +26,7 @@

 #### tls

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 #### users

--- a/docs/configuration/inbound/hysteria.zh.md
+++ b/docs/configuration/inbound/hysteria.zh.md
@@ -104,4 +104,4 @@ base64 编码的认证密码。

 ==必填==

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
--- a/docs/configuration/inbound/hysteria2.md
+++ b/docs/configuration/inbound/hysteria2.md
@@ -2,10 +2,6 @@
 icon: material/alert-decagram
 ---

-!!! quote "Changes in sing-box 1.14.0"
-
-    :material-plus: [bbr_profile](#bbr_profile)
-
 !!! quote "Changes in sing-box 1.11.0"

    :material-alert: [masquerade](#masquerade)  
@@ -35,7 +31,6 @@ icon: material/alert-decagram
  "ignore_client_bandwidth": false,
  "tls": {},
  "masquerade": "", // or {}
-  "bbr_profile": "",
  "brutal_debug": false
 }
 ```
@@ -146,14 +141,6 @@ Fixed response headers.

 Fixed response content.

-#### bbr_profile
-
-!!! question "Since sing-box 1.14.0"
-
-BBR congestion control algorithm profile, one of `conservative` `standard` `aggressive`.
-
-`standard` is used by default.
-
 #### brutal_debug

 Enable debug information logging for Hysteria Brutal CC.
--- a/docs/configuration/inbound/hysteria2.zh.md
+++ b/docs/configuration/inbound/hysteria2.zh.md
@@ -2,10 +2,6 @@
 icon: material/alert-decagram
 ---

-!!! quote "sing-box 1.14.0 中的更改"
-
-    :material-plus: [bbr_profile](#bbr_profile)
-
 !!! quote "sing-box 1.11.0 中的更改"

    :material-alert: [masquerade](#masquerade)  
@@ -35,7 +31,6 @@ icon: material/alert-decagram
  "ignore_client_bandwidth": false,
  "tls": {},
  "masquerade": "", // 或 {}
-  "bbr_profile": "",
  "brutal_debug": false
 }
 ```
@@ -43,7 +38,7 @@ icon: material/alert-decagram
 !!! warning "与官方 Hysteria2 的区别"

    官方程序支持一种名为 **userpass** 的验证方式，
-    本质上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
+    本质上上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
    要将 sing-box 与官方程序一起使用， 您需要填写该组合作为实际密码。

 ### 监听字段
@@ -90,7 +85,7 @@ Hysteria 用户

 ==必填==

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 #### masquerade

@@ -143,14 +138,6 @@ HTTP3 服务器认证失败时的行为 （对象配置）。

 固定响应内容。

-#### bbr_profile
-
-!!! question "自 sing-box 1.14.0 起"
-
-BBR 拥塞控制算法配置，可选 `conservative` `standard` `aggressive`。
-
-默认使用 `standard`。
-
 #### brutal_debug

 启用 Hysteria Brutal CC 的调试信息日志记录。
--- a/docs/configuration/inbound/naive.zh.md
+++ b/docs/configuration/inbound/naive.zh.md
@@ -60,4 +60,4 @@ QUIC 拥塞控制算法。

 #### tls

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
--- a/docs/configuration/inbound/shadowsocks.zh.md
+++ b/docs/configuration/inbound/shadowsocks.zh.md
@@ -93,4 +93,4 @@

 #### multiplex

-参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。
--- a/docs/configuration/inbound/trojan.zh.md
+++ b/docs/configuration/inbound/trojan.zh.md
@@ -43,7 +43,7 @@ Trojan 用户。

 #### tls

-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 #### fallback

@@ -61,7 +61,7 @@ TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#入站)。

 #### multiplex

-参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。

 #### transport

--- a/docs/configuration/inbound/tuic.zh.md
+++ b/docs/configuration/inbound/tuic.zh.md
@@ -75,4 +75,4 @@ QUIC 拥塞控制算法

 ==必填==

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -4,8 +4,8 @@ icon: material/new-box

 !!! quote "Changes in sing-box 1.14.0"

-    :material-plus: [include_mac_address](#include_mac_address)  
-    :material-plus: [exclude_mac_address](#exclude_mac_address)
+:material-plus: [include_mac_address](#include_mac_address)
+:material-plus: [exclude_mac_address](#exclude_mac_address)

 !!! quote "Changes in sing-box 1.13.3"

--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -4,7 +4,7 @@ icon: material/new-box

 !!! quote "sing-box 1.14.0 中的更改"

-    :material-plus: [include_mac_address](#include_mac_address)  
+    :material-plus: [include_mac_address](#include_mac_address)
    :material-plus: [exclude_mac_address](#exclude_mac_address)

 !!! quote "sing-box 1.13.3 中的更改"
--- a/docs/configuration/inbound/vless.zh.md
+++ b/docs/configuration/inbound/vless.zh.md
@@ -48,11 +48,11 @@ VLESS 子协议。

 #### tls

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 #### multiplex

-参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。

 #### transport

--- a/docs/configuration/inbound/vmess.zh.md
+++ b/docs/configuration/inbound/vmess.zh.md
@@ -43,11 +43,11 @@ VMess 用户。

 #### tls

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 #### multiplex

-参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。

 #### transport

--- a/docs/configuration/index.md
+++ b/docs/configuration/index.md
@@ -1,6 +1,7 @@
 # Introduction

 sing-box uses JSON for configuration files.
+
 ### Structure

 ```json
@@ -9,7 +10,6 @@ sing-box uses JSON for configuration files.
  "dns": {},
  "ntp": {},
  "certificate": {},
-  "certificate_providers": [],
  "endpoints": [],
  "inbounds": [],
  "outbounds": [],
@@ -27,7 +27,6 @@ sing-box uses JSON for configuration files.
 | `dns`          | [DNS](./dns/)                   |
 | `ntp`          | [NTP](./ntp/)                   |
 | `certificate`  | [Certificate](./certificate/)   |
-| `certificate_providers` | [Certificate Provider](./shared/certificate-provider/) |
 | `endpoints`    | [Endpoint](./endpoint/)         |
 | `inbounds`     | [Inbound](./inbound/)           |
 | `outbounds`    | [Outbound](./outbound/)         |
@@ -51,4 +50,4 @@ sing-box format -w -c config.json -D config_directory

 ```bash
 sing-box merge output.json -c config.json -D config_directory
-```
+```
--- a/docs/configuration/index.zh.md
+++ b/docs/configuration/index.zh.md
@@ -1,6 +1,7 @@
 # 引言

 sing-box 使用 JSON 作为配置文件格式。
+
 ### 结构

 ```json
@@ -9,7 +10,6 @@ sing-box 使用 JSON 作为配置文件格式。
  "dns": {},
  "ntp": {},
  "certificate": {},
-  "certificate_providers": [],
  "endpoints": [],
  "inbounds": [],
  "outbounds": [],
@@ -27,7 +27,6 @@ sing-box 使用 JSON 作为配置文件格式。
 | `dns`          | [DNS](./dns/)          |
 | `ntp`          | [NTP](./ntp/)          |
 | `certificate`  | [证书](./certificate/)   |
-| `certificate_providers` | [证书提供者](./shared/certificate-provider/) |
 | `endpoints`    | [端点](./endpoint/)      |
 | `inbounds`     | [入站](./inbound/)       |
 | `outbounds`    | [出站](./outbound/)      |
@@ -51,4 +50,4 @@ sing-box format -w -c config.json -D config_directory

 ```bash
 sing-box merge output.json -c config.json -D config_directory
-```
+```
--- a/docs/configuration/outbound/anytls.zh.md
+++ b/docs/configuration/outbound/anytls.zh.md
@@ -59,7 +59,7 @@ AnyTLS 密码。

 ==必填==

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。

 ### 拨号字段

--- a/docs/configuration/outbound/direct.zh.md
+++ b/docs/configuration/outbound/direct.zh.md
@@ -4,8 +4,8 @@ icon: material/alert-decagram

 !!! quote "sing-box 1.11.0 中的更改"

-    :material-delete-clock: [override_address](#override_address)  
-    :material-delete-clock: [override_port](#override_port)
+    :material-alert-decagram: [override_address](#override_address)  
+    :material-alert-decagram: [override_port](#override_port)

 `direct` 出站直接发送请求。

@@ -29,7 +29,7 @@ icon: material/alert-decagram

 !!! failure "已在 sing-box 1.11.0 废弃"

-    目标覆盖字段在 sing-box 1.11.0 中已废弃，并将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-direct-出站中的目标地址覆盖字段到路由字段)。
+    目标覆盖字段在 sing-box 1.11.0 中已废弃，并将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/migration/#migrate-destination-override-fields-to-route-options)。

 覆盖连接目标地址。

@@ -37,7 +37,7 @@ icon: material/alert-decagram

 !!! failure "已在 sing-box 1.11.0 废弃"

-    目标覆盖字段在 sing-box 1.11.0 中已废弃，并将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-direct-出站中的目标地址覆盖字段到路由字段)。
+    目标覆盖字段在 sing-box 1.11.0 中已废弃，并将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/migration/#migrate-destination-override-fields-to-route-options)。

 覆盖连接目标端口。

--- a/docs/configuration/outbound/dns.zh.md
+++ b/docs/configuration/outbound/dns.zh.md
@@ -4,7 +4,7 @@ icon: material/delete-clock

 !!! failure "已在 sing-box 1.11.0 废弃"

-    旧的特殊出站已被弃用，且将在 sing-box 1.13.0 中被移除, 参阅 [迁移指南](/zh/migration/#迁移旧的特殊出站到规则动作). 
+    旧的特殊出站已被弃用，且将在 sing-box 1.13.0 中被移除, 参阅 [迁移指南](/migration/#migrate-legacy-special-outbounds-to-rule-actions). 

 `dns` 出站是一个内部 DNS 服务器。

--- a/docs/configuration/outbound/http.zh.md
+++ b/docs/configuration/outbound/http.zh.md
@@ -51,7 +51,7 @@ HTTP 请求的额外标头。

 #### tls

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。

 ### 拨号字段

--- a/docs/configuration/outbound/hysteria.zh.md
+++ b/docs/configuration/outbound/hysteria.zh.md
@@ -134,7 +134,7 @@ base64 编码的认证密码。

 ==必填==

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。


 ### 拨号字段
--- a/docs/configuration/outbound/hysteria2.md
+++ b/docs/configuration/outbound/hysteria2.md
@@ -1,8 +1,3 @@
-!!! quote "Changes in sing-box 1.14.0"
-
-    :material-plus: [hop_interval_max](#hop_interval_max)  
-    :material-plus: [bbr_profile](#bbr_profile)
-
 !!! quote "Changes in sing-box 1.11.0"

    :material-plus: [server_ports](#server_ports)  
@@ -14,14 +9,13 @@
 {
  "type": "hysteria2",
  "tag": "hy2-out",
-
+  
  "server": "127.0.0.1",
  "server_port": 1080,
  "server_ports": [
    "2080:3000"
  ],
  "hop_interval": "",
-  "hop_interval_max": "",
  "up_mbps": 100,
  "down_mbps": 100,
  "obfs": {
@@ -31,9 +25,8 @@
  "password": "goofy_ahh_password",
  "network": "tcp",
  "tls": {},
-  "bbr_profile": "",
  "brutal_debug": false,
-
+  
  ... // Dial Fields
 }
 ```
@@ -82,14 +75,6 @@ Port hopping interval.

 `30s` is used by default.

-#### hop_interval_max
-
-!!! question "Since sing-box 1.14.0"
-
-Maximum port hopping interval, used for randomization.
-
-If set, the actual hop interval will be randomly chosen between `hop_interval` and `hop_interval_max`.
-
 #### up_mbps, down_mbps

 Max bandwidth, in Mbps.
@@ -124,14 +109,6 @@ Both is enabled by default.

 TLS configuration, see [TLS](/configuration/shared/tls/#outbound).

-#### bbr_profile
-
-!!! question "Since sing-box 1.14.0"
-
-BBR congestion control algorithm profile, one of `conservative` `standard` `aggressive`.
-
-`standard` is used by default.
-
 #### brutal_debug

 Enable debug information logging for Hysteria Brutal CC.
--- a/docs/configuration/outbound/hysteria2.zh.md
+++ b/docs/configuration/outbound/hysteria2.zh.md
@@ -1,8 +1,3 @@
-!!! quote "sing-box 1.14.0 中的更改"
-
-    :material-plus: [hop_interval_max](#hop_interval_max)  
-    :material-plus: [bbr_profile](#bbr_profile)
-
 !!! quote "sing-box 1.11.0 中的更改"

    :material-plus: [server_ports](#server_ports)  
@@ -21,7 +16,6 @@
    "2080:3000"
  ],
  "hop_interval": "",
-  "hop_interval_max": "",
  "up_mbps": 100,
  "down_mbps": 100,
  "obfs": {
@@ -31,9 +25,8 @@
  "password": "goofy_ahh_password",
  "network": "tcp",
  "tls": {},
-  "bbr_profile": "",
  "brutal_debug": false,
-
+  
  ... // 拨号字段
 }
 ```
@@ -45,7 +38,7 @@
 !!! warning "与官方 Hysteria2 的区别"

    官方程序支持一种名为 **userpass** 的验证方式，
-    本质上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
+    本质上上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
    要将 sing-box 与官方程序一起使用， 您需要填写该组合作为实际密码。

 ### 字段
@@ -80,14 +73,6 @@

 默认使用 `30s`。

-#### hop_interval_max
-
-!!! question "自 sing-box 1.14.0 起"
-
-最大端口跳跃间隔，用于随机化。
-
-如果设置，实际跳跃间隔将在 `hop_interval` 和 `hop_interval_max` 之间随机选择。
-
 #### up_mbps, down_mbps

 最大带宽。
@@ -120,15 +105,7 @@ QUIC 流量混淆器密码.

 ==必填==

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
-
-#### bbr_profile
-
-!!! question "自 sing-box 1.14.0 起"
-
-BBR 拥塞控制算法配置，可选 `conservative` `standard` `aggressive`。
-
-默认使用 `standard`。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。

 #### brutal_debug

--- a/docs/configuration/outbound/naive.zh.md
+++ b/docs/configuration/outbound/naive.zh.md
@@ -105,7 +105,7 @@ QUIC 拥塞控制算法。

 ==必填==

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。

 只有 `server_name`、`certificate`、`certificate_path` 和 `ech` 是被支持的。

--- a/docs/configuration/outbound/selector.zh.md
+++ b/docs/configuration/outbound/selector.zh.md
@@ -17,7 +17,7 @@

 !!! quote ""

-    选择器目前只能通过 [Clash API](/zh/configuration/experimental/clash-api/) 来控制。
+    选择器目前只能通过 [Clash API](/zh/configuration/experimental#clash-api) 来控制。

 ### 字段

--- a/docs/configuration/outbound/shadowsocks.zh.md
+++ b/docs/configuration/outbound/shadowsocks.zh.md
@@ -95,7 +95,7 @@ UDP over TCP 配置。

 #### multiplex

-参阅 [多路复用](/zh/configuration/shared/multiplex#出站)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#outbound)。

 ### 拨号字段

--- a/docs/configuration/outbound/shadowtls.zh.md
+++ b/docs/configuration/outbound/shadowtls.zh.md
@@ -49,7 +49,7 @@ ShadowTLS 协议版本。

 ==必填==

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。

 ### 拨号字段

--- a/docs/configuration/outbound/tor.zh.md
+++ b/docs/configuration/outbound/tor.zh.md
@@ -18,7 +18,7 @@

 !!! info ""

-    默认安装不包含嵌入式 Tor, 参阅 [安装](/zh/installation/build-from-source/#构建标记)。
+    默认安装不包含嵌入式 Tor, 参阅 [安装](/zh/installation/build-from-source/#_5)。

 ### 字段

--- a/docs/configuration/outbound/trojan.zh.md
+++ b/docs/configuration/outbound/trojan.zh.md
@@ -47,11 +47,11 @@ Trojan 密码。

 #### tls

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。

 #### multiplex

-参阅 [多路复用](/zh/configuration/shared/multiplex#出站)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#outbound)。

 #### transport

--- a/docs/configuration/outbound/tuic.zh.md
+++ b/docs/configuration/outbound/tuic.zh.md
@@ -97,7 +97,7 @@ UDP 包中继模式

 ==必填==

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。

 ### 拨号字段

--- a/docs/configuration/outbound/vless.zh.md
+++ b/docs/configuration/outbound/vless.zh.md
@@ -57,7 +57,7 @@ VLESS 子协议。

 #### tls

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。

 #### packet_encoding

@@ -71,7 +71,7 @@ UDP 包编码，默认使用 xudp。

 #### multiplex

-参阅 [多路复用](/zh/configuration/shared/multiplex#出站)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#outbound)。

 #### transport

--- a/docs/configuration/outbound/vmess.zh.md
+++ b/docs/configuration/outbound/vmess.zh.md
@@ -82,7 +82,7 @@ VMess 用户 ID。

 #### tls

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。

 #### packet_encoding

@@ -96,7 +96,7 @@ UDP 包编码。

 #### multiplex

-参阅 [多路复用](/zh/configuration/shared/multiplex#出站)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#outbound)。

 #### transport

--- a/docs/configuration/outbound/wireguard.zh.md
+++ b/docs/configuration/outbound/wireguard.zh.md
@@ -4,7 +4,7 @@ icon: material/delete-clock

 !!! failure "已在 sing-box 1.11.0 废弃"

-    WireGuard 出站已被弃用，且将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-wireguard-出站到端点)。
+    WireGuard 出站已被弃用，且将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/migration/#migrate-wireguard-outbound-to-endpoint)。

 !!! quote "sing-box 1.11.0 中的更改"

--- a/docs/configuration/route/geoip.zh.md
+++ b/docs/configuration/route/geoip.zh.md
@@ -4,7 +4,7 @@ icon: material/note-remove

 !!! failure "已在 sing-box 1.12.0 中被移除"

-    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-geoip-到规则集)。
+    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geoip)。

 ### 结构

--- a/docs/configuration/route/geosite.zh.md
+++ b/docs/configuration/route/geosite.zh.md
@@ -4,7 +4,7 @@ icon: material/note-remove

 !!! failure "已在 sing-box 1.12.0 中被移除"

-    Geosite 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-geosite-到规则集)。
+    Geosite 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geosite)。

 ### 结构

--- a/docs/configuration/route/index.zh.md
+++ b/docs/configuration/route/index.zh.md
@@ -17,7 +17,7 @@ icon: material/alert-decagram

 !!! quote "sing-box 1.11.0 中的更改"

-    :material-plus: [default_network_strategy](#default_network_strategy)  
+    :material-plus: [network_strategy](#network_strategy)  
    :material-plus: [default_network_type](#default_network_type)  
    :material-plus: [default_fallback_network_type](#default_fallback_network_type)  
    :material-plus: [default_fallback_delay](#default_fallback_delay)
@@ -150,7 +150,7 @@ icon: material/alert-decagram

 !!! question "自 sing-box 1.12.0 起"

-详情参阅 [拨号字段](/zh/configuration/shared/dial/#domain_resolver)。
+详情参阅 [拨号字段](/configuration/shared/dial/#domain_resolver)。

 可以被 `outbound.domain_resolver` 覆盖。

@@ -158,7 +158,7 @@ icon: material/alert-decagram

 !!! question "自 sing-box 1.11.0 起"

-详情参阅 [拨号字段](/zh/configuration/shared/dial/#network_strategy)。
+详情参阅 [拨号字段](/configuration/shared/dial/#network_strategy)。

 当 `outbound.bind_interface`, `outbound.inet4_bind_address` 或 `outbound.inet6_bind_address` 已设置时不生效。

@@ -170,16 +170,16 @@ icon: material/alert-decagram

 !!! question "自 sing-box 1.11.0 起"

-详情参阅 [拨号字段](/zh/configuration/shared/dial/#default_network_type)。
+详情参阅 [拨号字段](/configuration/shared/dial/#default_network_type)。

 #### default_fallback_network_type

 !!! question "自 sing-box 1.11.0 起"

-详情参阅 [拨号字段](/zh/configuration/shared/dial/#default_fallback_network_type)。
+详情参阅 [拨号字段](/configuration/shared/dial/#default_fallback_network_type)。

 #### default_fallback_delay

 !!! question "自 sing-box 1.11.0 起"

-详情参阅 [拨号字段](/zh/configuration/shared/dial/#fallback_delay)。
+详情参阅 [拨号字段](/configuration/shared/dial/#fallback_delay)。
--- a/docs/configuration/route/rule.md
+++ b/docs/configuration/route/rule.md
@@ -210,7 +210,7 @@ icon: material/new-box
    (`source_port` || `source_port_range`) &&  
    `other fields`

-    Additionally, each branch inside an included rule-set can be considered merged into the outer rule, while different branches keep OR semantics.
+    Additionally, included rule-sets can be considered merged rather than as a single rule sub-item.

 #### inbound

--- a/docs/configuration/route/rule.zh.md
+++ b/docs/configuration/route/rule.zh.md
@@ -27,7 +27,6 @@ icon: material/new-box

    :material-plus: [client](#client)  
    :material-delete-clock: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)  
-    :material-plus: [rule_set_ip_cidr_match_source](#rule_set_ip_cidr_match_source)  
    :material-plus: [process_path_regex](#process_path_regex)

 !!! quote "sing-box 1.8.0 中的更改"
@@ -208,7 +207,7 @@ icon: material/new-box
    (`source_port` || `source_port_range`) &&  
    `other fields`

-    另外，引用规则集中的每个分支都可视为与外层规则合并，不同分支之间仍保持 OR 语义。
+    另外，引用的规则集可视为被合并，而不是作为一个单独的规则子项。

 #### inbound

@@ -266,7 +265,7 @@ icon: material/new-box

 !!! failure "已在 sing-box 1.8.0 废弃"

-    Geosite 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#迁移-geosite-到规则集)。
+    Geosite 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#geosite)。

 匹配 Geosite。

@@ -274,7 +273,7 @@ icon: material/new-box

 !!! failure "已在 sing-box 1.8.0 废弃"

-    GeoIP 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#迁移-geoip-到规则集)。
+    GeoIP 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#geoip)。

 匹配源 GeoIP。

@@ -282,7 +281,7 @@ icon: material/new-box

 !!! failure "已在 sing-box 1.8.0 废弃"

-    GeoIP 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#迁移-geoip-到规则集)。
+    GeoIP 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#geoip)。

 匹配 GeoIP。

@@ -532,4 +531,4 @@ icon: material/new-box

 ==必填==

-包括的规则。
+包括的规则。
--- a/docs/configuration/route/rule_action.zh.md
+++ b/docs/configuration/route/rule_action.zh.md
@@ -66,7 +66,7 @@ icon: material/new-box

 目标出站的标签。

-如果未指定，规则仅在来自 auto redirect 的[预匹配](/zh/configuration/shared/pre-match/)中匹配，在其他场景中将被跳过。
+如果未指定，规则仅在来自 auto redirect 的[预匹配](/configuration/shared/pre-match/)中匹配，在其他场景中将被跳过。

 #### route-options 字段

@@ -154,22 +154,22 @@ icon: material/new-box

 #### network_strategy

-详情参阅 [拨号字段](/zh/configuration/shared/dial/#network_strategy)。
+详情参阅 [拨号字段](/configuration/shared/dial/#network_strategy)。

 仅当出站为 `direct` 且 `outbound.bind_interface`, `outbound.inet4_bind_address`
 且 `outbound.inet6_bind_address` 未设置时生效。

 #### network_type

-详情参阅 [拨号字段](/zh/configuration/shared/dial/#network_type)。
+详情参阅 [拨号字段](/configuration/shared/dial/#network_type)。

 #### fallback_network_type

-详情参阅 [拨号字段](/zh/configuration/shared/dial/#fallback_network_type)。
+详情参阅 [拨号字段](/configuration/shared/dial/#fallback_network_type)。

 #### fallback_delay

-详情参阅 [拨号字段](/zh/configuration/shared/dial/#fallback_delay)。
+详情参阅 [拨号字段](/configuration/shared/dial/#fallback_delay)。

 #### udp_disable_domain_unmapping

--- a/docs/configuration/rule-set/headless-rule.zh.md
+++ b/docs/configuration/rule-set/headless-rule.zh.md
@@ -10,8 +10,8 @@ icon: material/new-box
 !!! quote "sing-box 1.11.0 中的更改"

    :material-plus: [network_type](#network_type)  
-    :material-plus: [network_is_expensive](#network_is_expensive)  
-    :material-plus: [network_is_constrained](#network_is_constrained)
+    :material-alert: [network_is_expensive](#network_is_expensive)  
+    :material-alert: [network_is_constrained](#network_is_constrained)

 ### 结构

--- a/docs/configuration/service/ccm.md
+++ b/docs/configuration/service/ccm.md
@@ -10,6 +10,11 @@ CCM (Claude Code Multiplexer) service is a multiplexing service that allows you

 It handles OAuth authentication with Claude's API on your local machine while allowing remote Claude Code to authenticate using Auth Tokens via the `ANTHROPIC_AUTH_TOKEN` environment variable.

+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [credentials](#credentials)  
+    :material-alert: [users](#users)
+
 ### Structure

 ```json
@@ -19,6 +24,7 @@ It handles OAuth authentication with Claude's API on your local machine while al
  ... // Listen Fields

  "credential_path": "",
+  "credentials": [],
  "usages_path": "",
  "users": [],
  "headers": {},
@@ -45,6 +51,77 @@ On macOS, credentials are read from the system keychain first, then fall back to

 Refreshed tokens are automatically written back to the same location.

+When `credential_path` points to a file, the service can start before the file exists. The credential becomes available automatically after the file is created or updated, and becomes unavailable immediately if the file is later removed or becomes invalid.
+
+On macOS without an explicit `credential_path`, keychain changes are not watched. Automatic reload only applies to the credential file path.
+
+Conflict with `credentials`.
+
+#### credentials
+
+!!! question "Since sing-box 1.14.0"
+
+List of credential configurations for multi-credential mode.
+
+When set, top-level `credential_path`, `usages_path`, and `detour` are forbidden. Each user must specify a `credential` tag.
+
+Each credential has a `type` field (`default`, `balancer`, or `fallback`) and a required `tag` field.
+
+##### Default Credential
+
+```json
+{
+  "tag": "a",
+  "credential_path": "/path/to/.credentials.json",
+  "usages_path": "/path/to/usages.json",
+  "detour": "",
+  "reserve_5h": 20,
+  "reserve_weekly": 20
+}
+```
+
+A single OAuth credential file. The `type` field can be omitted (defaults to `default`). The service can start before the file exists, and reloads file updates automatically.
+
+- `credential_path`: Path to the credentials file. Same defaults as top-level `credential_path`.
+- `usages_path`: Optional usage tracking file for this credential.
+- `detour`: Outbound tag for connecting to the Claude API with this credential.
+- `reserve_5h`: Reserve threshold (1-99) for 5-hour window. Credential pauses at (100-N)% utilization.
+- `reserve_weekly`: Reserve threshold (1-99) for weekly window. Credential pauses at (100-N)% utilization.
+
+##### Balancer Credential
+
+```json
+{
+  "tag": "pool",
+  "type": "balancer",
+  "strategy": "",
+  "credentials": ["a", "b"],
+  "poll_interval": "60s"
+}
+```
+
+Assigns sessions to default credentials based on the selected strategy. Sessions are sticky until the assigned credential hits a rate limit.
+
+- `strategy`: Selection strategy. One of `least_used` `round_robin` `random`. `least_used` will be used by default.
+- `credentials`: ==Required== List of default credential tags.
+- `poll_interval`: How often to poll upstream usage API. Default `60s`.
+
+##### Fallback Credential
+
+```json
+{
+  "tag": "backup",
+  "type": "fallback",
+  "credentials": ["a", "b"],
+  "poll_interval": "30s"
+}
+```
+
+Uses credentials in order. Falls through to the next when the current one is exhausted.
+
+- `credentials`: ==Required== Ordered list of default credential tags.
+- `poll_interval`: How often to poll upstream usage API. Default `60s`.
+
 #### usages_path

 Path to the file for storing aggregated API usage statistics.
@@ -60,6 +137,8 @@ Statistics are organized by model, context window (200k standard vs 1M premium),

 The statistics file is automatically saved every minute and upon service shutdown.

+Conflict with `credentials`. In multi-credential mode, use `usages_path` on individual default credentials.
+
 #### users

 List of authorized users for token authentication.
@@ -71,7 +150,8 @@ Object format:
 ```json
 {
  "name": "",
-  "token": ""
+  "token": "",
+  "credential": ""
 }
 ```

@@ -79,6 +159,7 @@ Object fields:

 - `name`: Username identifier for tracking purposes.
 - `token`: Bearer token for authentication. Claude Code authenticates by setting the `ANTHROPIC_AUTH_TOKEN` environment variable to their token value.
+- `credential`: Credential tag to use for this user. ==Required== when `credentials` is set.

 #### headers

@@ -90,6 +171,8 @@ These headers will override any existing headers with the same name.

 Outbound tag for connecting to the Claude API.

+Conflict with `credentials`. In multi-credential mode, use `detour` on individual default credentials.
+
 #### tls

 TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
@@ -129,3 +212,52 @@ export ANTHROPIC_AUTH_TOKEN="ak-ccm-hello-world"

 claude
 ```
+
+### Example with Multiple Credentials
+
+#### Server
+
+```json
+{
+  "services": [
+    {
+      "type": "ccm",
+      "listen": "0.0.0.0",
+      "listen_port": 8080,
+      "credentials": [
+        {
+          "tag": "a",
+          "credential_path": "/home/user/.claude-a/.credentials.json",
+          "usages_path": "/data/usages-a.json",
+          "reserve_5h": 20,
+          "reserve_weekly": 20
+        },
+        {
+          "tag": "b",
+          "credential_path": "/home/user/.claude-b/.credentials.json",
+          "reserve_5h": 10,
+          "reserve_weekly": 10
+        },
+        {
+          "tag": "pool",
+          "type": "balancer",
+          "poll_interval": "60s",
+          "credentials": ["a", "b"]
+        }
+      ],
+      "users": [
+        {
+          "name": "alice",
+          "token": "ak-ccm-hello-world",
+          "credential": "pool"
+        },
+        {
+          "name": "bob",
+          "token": "ak-ccm-hello-bob",
+          "credential": "a"
+        }
+      ]
+    }
+  ]
+}
+```
--- a/docs/configuration/service/ccm.zh.md
+++ b/docs/configuration/service/ccm.zh.md
@@ -10,6 +10,11 @@ CCM（Claude Code 多路复用器）服务是一个多路复用服务，允许

 它在本地机器上处理与 Claude API 的 OAuth 身份验证，同时允许远程 Claude Code 通过 `ANTHROPIC_AUTH_TOKEN` 环境变量使用认证令牌进行身份验证。

+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [credentials](#credentials)  
+    :material-alert: [users](#users)
+
 ### 结构

 ```json
@@ -19,6 +24,7 @@ CCM（Claude Code 多路复用器）服务是一个多路复用服务，允许
  ... // 监听字段

  "credential_path": "",
+  "credentials": [],
  "usages_path": "",
  "users": [],
  "headers": {},
@@ -45,6 +51,77 @@ Claude Code OAuth 凭据文件的路径。

 刷新的令牌会自动写回相同位置。

+当 `credential_path` 指向文件时，即使文件尚不存在，服务也可以启动。文件被创建或更新后，凭据会自动变为可用；如果文件之后被删除或变为无效，该凭据会立即变为不可用。
+
+在 macOS 上如果未显式设置 `credential_path`，不会监听钥匙串变化。自动重载只作用于凭据文件路径。
+
+与 `credentials` 冲突。
+
+#### credentials
+
+!!! question "自 sing-box 1.14.0 起"
+
+多凭据模式的凭据配置列表。
+
+设置后，顶层 `credential_path`、`usages_path` 和 `detour` 被禁止。每个用户必须指定 `credential` 标签。
+
+每个凭据有一个 `type` 字段（`default`、`balancer` 或 `fallback`）和一个必填的 `tag` 字段。
+
+##### 默认凭据
+
+```json
+{
+  "tag": "a",
+  "credential_path": "/path/to/.credentials.json",
+  "usages_path": "/path/to/usages.json",
+  "detour": "",
+  "reserve_5h": 20,
+  "reserve_weekly": 20
+}
+```
+
+单个 OAuth 凭据文件。`type` 字段可以省略（默认为 `default`）。即使文件尚不存在，服务也可以启动，并会自动重载文件更新。
+
+- `credential_path`：凭据文件的路径。默认值与顶层 `credential_path` 相同。
+- `usages_path`：此凭据的可选使用跟踪文件。
+- `detour`：此凭据用于连接 Claude API 的出站标签。
+- `reserve_5h`：5 小时窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
+- `reserve_weekly`：每周窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
+
+##### 均衡凭据
+
+```json
+{
+  "tag": "pool",
+  "type": "balancer",
+  "strategy": "",
+  "credentials": ["a", "b"],
+  "poll_interval": "60s"
+}
+```
+
+根据选择的策略将会话分配给默认凭据。会话保持粘性，直到分配的凭据触发速率限制。
+
+- `strategy`：选择策略。可选值：`least_used` `round_robin` `random`。默认使用 `least_used`。
+- `credentials`：==必填== 默认凭据标签列表。
+- `poll_interval`：轮询上游使用 API 的间隔。默认 `60s`。
+
+##### 回退凭据
+
+```json
+{
+  "tag": "backup",
+  "type": "fallback",
+  "credentials": ["a", "b"],
+  "poll_interval": "30s"
+}
+```
+
+按顺序使用凭据。当前凭据耗尽后切换到下一个。
+
+- `credentials`：==必填== 有序的默认凭据标签列表。
+- `poll_interval`：轮询上游使用 API 的间隔。默认 `60s`。
+
 #### usages_path

 用于存储聚合 API 使用统计信息的文件路径。
@@ -60,6 +137,8 @@ Claude Code OAuth 凭据文件的路径。

 统计文件每分钟自动保存一次，并在服务关闭时保存。

+与 `credentials` 冲突。在多凭据模式下，在各个默认凭据上使用 `usages_path`。
+
 #### users

 用于令牌身份验证的授权用户列表。
@@ -71,7 +150,8 @@ Claude Code OAuth 凭据文件的路径。
 ```json
 {
  "name": "",
-  "token": ""
+  "token": "",
+  "credential": ""
 }
 ```

@@ -79,6 +159,7 @@ Claude Code OAuth 凭据文件的路径。

 - `name`：用于跟踪的用户名标识符。
 - `token`：用于身份验证的 Bearer 令牌。Claude Code 通过设置 `ANTHROPIC_AUTH_TOKEN` 环境变量为其令牌值进行身份验证。
+- `credential`：此用户使用的凭据标签。设置 `credentials` 时==必填==。

 #### headers

@@ -90,9 +171,11 @@ Claude Code OAuth 凭据文件的路径。

 用于连接 Claude API 的出站标签。

+与 `credentials` 冲突。在多凭据模式下，在各个默认凭据上使用 `detour`。
+
 #### tls

-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 ### 示例

@@ -129,3 +212,52 @@ export ANTHROPIC_AUTH_TOKEN="ak-ccm-hello-world"

 claude
 ```
+
+### 多凭据示例
+
+#### 服务端
+
+```json
+{
+  "services": [
+    {
+      "type": "ccm",
+      "listen": "0.0.0.0",
+      "listen_port": 8080,
+      "credentials": [
+        {
+          "tag": "a",
+          "credential_path": "/home/user/.claude-a/.credentials.json",
+          "usages_path": "/data/usages-a.json",
+          "reserve_5h": 20,
+          "reserve_weekly": 20
+        },
+        {
+          "tag": "b",
+          "credential_path": "/home/user/.claude-b/.credentials.json",
+          "reserve_5h": 10,
+          "reserve_weekly": 10
+        },
+        {
+          "tag": "pool",
+          "type": "balancer",
+          "poll_interval": "60s",
+          "credentials": ["a", "b"]
+        }
+      ],
+      "users": [
+        {
+          "name": "alice",
+          "token": "ak-ccm-hello-world",
+          "credential": "pool"
+        },
+        {
+          "name": "bob",
+          "token": "ak-ccm-hello-bob",
+          "credential": "a"
+        }
+      ]
+    }
+  ]
+}
+```
--- a/docs/configuration/service/derp.zh.md
+++ b/docs/configuration/service/derp.zh.md
@@ -36,7 +36,7 @@ DERP 服务是一个 Tailscale DERP 服务器，类似于 [derper](https://pkg.g

 #### tls

-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 #### config_path

@@ -96,7 +96,7 @@ Derper 配置文件路径。
 - `server`：**必填** DERP 服务器地址。
 - `server_port`：**必填** DERP 服务器端口。
 - `host`：自定义 DERP 主机名。
- `tls`：[TLS](/zh/configuration/shared/tls/#出站)
+- `tls`：[TLS](/zh/configuration/shared/tls/#outbound)
 - `拨号字段`：[拨号字段](/zh/configuration/shared/dial/)

 #### mesh_psk
--- a/docs/configuration/service/ocm.md
+++ b/docs/configuration/service/ocm.md
@@ -10,6 +10,11 @@ OCM (OpenAI Codex Multiplexer) service is a multiplexing service that allows you

 It handles OAuth authentication with OpenAI's API on your local machine while allowing remote clients to authenticate using custom tokens.

+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [credentials](#credentials)  
+    :material-alert: [users](#users)
+
 ### Structure

 ```json
@@ -19,6 +24,7 @@ It handles OAuth authentication with OpenAI's API on your local machine while al
  ... // Listen Fields

  "credential_path": "",
+  "credentials": [],
  "usages_path": "",
  "users": [],
  "headers": {},
@@ -43,6 +49,75 @@ If not specified, defaults to:

 Refreshed tokens are automatically written back to the same location.

+When `credential_path` points to a file, the service can start before the file exists. The credential becomes available automatically after the file is created or updated, and becomes unavailable immediately if the file is later removed or becomes invalid.
+
+Conflict with `credentials`.
+
+#### credentials
+
+!!! question "Since sing-box 1.14.0"
+
+List of credential configurations for multi-credential mode.
+
+When set, top-level `credential_path`, `usages_path`, and `detour` are forbidden. Each user must specify a `credential` tag.
+
+Each credential has a `type` field (`default`, `balancer`, or `fallback`) and a required `tag` field.
+
+##### Default Credential
+
+```json
+{
+  "tag": "a",
+  "credential_path": "/path/to/auth.json",
+  "usages_path": "/path/to/usages.json",
+  "detour": "",
+  "reserve_5h": 20,
+  "reserve_weekly": 20
+}
+```
+
+A single OAuth credential file. The `type` field can be omitted (defaults to `default`). The service can start before the file exists, and reloads file updates automatically.
+
+- `credential_path`: Path to the credentials file. Same defaults as top-level `credential_path`.
+- `usages_path`: Optional usage tracking file for this credential.
+- `detour`: Outbound tag for connecting to the OpenAI API with this credential.
+- `reserve_5h`: Reserve threshold (1-99) for primary rate limit window. Credential pauses at (100-N)% utilization.
+- `reserve_weekly`: Reserve threshold (1-99) for secondary (weekly) rate limit window. Credential pauses at (100-N)% utilization.
+
+##### Balancer Credential
+
+```json
+{
+  "tag": "pool",
+  "type": "balancer",
+  "strategy": "",
+  "credentials": ["a", "b"],
+  "poll_interval": "60s"
+}
+```
+
+Assigns sessions to default credentials based on the selected strategy. Sessions are sticky until the assigned credential hits a rate limit.
+
+- `strategy`: Selection strategy. One of `least_used` `round_robin` `random`. `least_used` will be used by default.
+- `credentials`: ==Required== List of default credential tags.
+- `poll_interval`: How often to poll upstream usage API. Default `60s`.
+
+##### Fallback Credential
+
+```json
+{
+  "tag": "backup",
+  "type": "fallback",
+  "credentials": ["a", "b"],
+  "poll_interval": "30s"
+}
+```
+
+Uses credentials in order. Falls through to the next when the current one is exhausted.
+
+- `credentials`: ==Required== Ordered list of default credential tags.
+- `poll_interval`: How often to poll upstream usage API. Default `60s`.
+
 #### usages_path

 Path to the file for storing aggregated API usage statistics.
@@ -58,6 +133,8 @@ Statistics are organized by model and optionally by user when authentication is

 The statistics file is automatically saved every minute and upon service shutdown.

+Conflict with `credentials`. In multi-credential mode, use `usages_path` on individual default credentials.
+
 #### users

 List of authorized users for token authentication.
@@ -69,7 +146,8 @@ Object format:
 ```json
 {
  "name": "",
-  "token": ""
+  "token": "",
+  "credential": ""
 }
 ```

@@ -77,6 +155,7 @@ Object fields:

 - `name`: Username identifier for tracking purposes.
 - `token`: Bearer token for authentication. Clients authenticate by setting the `Authorization: Bearer <token>` header.
+- `credential`: Credential tag to use for this user. ==Required== when `credentials` is set.

 #### headers

@@ -88,6 +167,8 @@ These headers will override any existing headers with the same name.

 Outbound tag for connecting to the OpenAI API.

+Conflict with `credentials`. In multi-credential mode, use `detour` on individual default credentials.
+
 #### tls

 TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
@@ -183,3 +264,52 @@ Then run:
 ```bash
 codex --profile ocm
 ```
+
+### Example with Multiple Credentials
+
+#### Server
+
+```json
+{
+  "services": [
+    {
+      "type": "ocm",
+      "listen": "0.0.0.0",
+      "listen_port": 8080,
+      "credentials": [
+        {
+          "tag": "a",
+          "credential_path": "/home/user/.codex-a/auth.json",
+          "usages_path": "/data/usages-a.json",
+          "reserve_5h": 20,
+          "reserve_weekly": 20
+        },
+        {
+          "tag": "b",
+          "credential_path": "/home/user/.codex-b/auth.json",
+          "reserve_5h": 10,
+          "reserve_weekly": 10
+        },
+        {
+          "tag": "pool",
+          "type": "balancer",
+          "poll_interval": "60s",
+          "credentials": ["a", "b"]
+        }
+      ],
+      "users": [
+        {
+          "name": "alice",
+          "token": "sk-ocm-hello-world",
+          "credential": "pool"
+        },
+        {
+          "name": "bob",
+          "token": "sk-ocm-hello-bob",
+          "credential": "a"
+        }
+      ]
+    }
+  ]
+}
+```
--- a/docs/configuration/service/ocm.zh.md
+++ b/docs/configuration/service/ocm.zh.md
@@ -10,6 +10,11 @@ OCM（OpenAI Codex 多路复用器）服务是一个多路复用服务，允许

 它在本地机器上处理与 OpenAI API 的 OAuth 身份验证，同时允许远程客户端使用自定义令牌进行身份验证。

+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [credentials](#credentials)  
+    :material-alert: [users](#users)
+
 ### 结构

 ```json
@@ -19,6 +24,7 @@ OCM（OpenAI Codex 多路复用器）服务是一个多路复用服务，允许
  ... // 监听字段

  "credential_path": "",
+  "credentials": [],
  "usages_path": "",
  "users": [],
  "headers": {},
@@ -43,6 +49,75 @@ OpenAI OAuth 凭据文件的路径。

 刷新的令牌会自动写回相同位置。

+当 `credential_path` 指向文件时，即使文件尚不存在，服务也可以启动。文件被创建或更新后，凭据会自动变为可用；如果文件之后被删除或变为无效，该凭据会立即变为不可用。
+
+与 `credentials` 冲突。
+
+#### credentials
+
+!!! question "自 sing-box 1.14.0 起"
+
+多凭据模式的凭据配置列表。
+
+设置后，顶层 `credential_path`、`usages_path` 和 `detour` 被禁止。每个用户必须指定 `credential` 标签。
+
+每个凭据有一个 `type` 字段（`default`、`balancer` 或 `fallback`）和一个必填的 `tag` 字段。
+
+##### 默认凭据
+
+```json
+{
+  "tag": "a",
+  "credential_path": "/path/to/auth.json",
+  "usages_path": "/path/to/usages.json",
+  "detour": "",
+  "reserve_5h": 20,
+  "reserve_weekly": 20
+}
+```
+
+单个 OAuth 凭据文件。`type` 字段可以省略（默认为 `default`）。即使文件尚不存在，服务也可以启动，并会自动重载文件更新。
+
+- `credential_path`：凭据文件的路径。默认值与顶层 `credential_path` 相同。
+- `usages_path`：此凭据的可选使用跟踪文件。
+- `detour`：此凭据用于连接 OpenAI API 的出站标签。
+- `reserve_5h`：主要速率限制窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
+- `reserve_weekly`：次要（每周）速率限制窗口的保留阈值（1-99）。凭据在利用率达到 (100-N)% 时暂停。
+
+##### 均衡凭据
+
+```json
+{
+  "tag": "pool",
+  "type": "balancer",
+  "strategy": "",
+  "credentials": ["a", "b"],
+  "poll_interval": "60s"
+}
+```
+
+根据选择的策略将会话分配给默认凭据。会话保持粘性，直到分配的凭据触发速率限制。
+
+- `strategy`：选择策略。可选值：`least_used` `round_robin` `random`。默认使用 `least_used`。
+- `credentials`：==必填== 默认凭据标签列表。
+- `poll_interval`：轮询上游使用 API 的间隔。默认 `60s`。
+
+##### 回退凭据
+
+```json
+{
+  "tag": "backup",
+  "type": "fallback",
+  "credentials": ["a", "b"],
+  "poll_interval": "30s"
+}
+```
+
+按顺序使用凭据。当前凭据耗尽后切换到下一个。
+
+- `credentials`：==必填== 有序的默认凭据标签列表。
+- `poll_interval`：轮询上游使用 API 的间隔。默认 `60s`。
+
 #### usages_path

 用于存储聚合 API 使用统计信息的文件路径。
@@ -58,6 +133,8 @@ OpenAI OAuth 凭据文件的路径。

 统计文件每分钟自动保存一次，并在服务关闭时保存。

+与 `credentials` 冲突。在多凭据模式下，在各个默认凭据上使用 `usages_path`。
+
 #### users

 用于令牌身份验证的授权用户列表。
@@ -69,7 +146,8 @@ OpenAI OAuth 凭据文件的路径。
 ```json
 {
  "name": "",
-  "token": ""
+  "token": "",
+  "credential": ""
 }
 ```

@@ -77,6 +155,7 @@ OpenAI OAuth 凭据文件的路径。

 - `name`：用于跟踪的用户名标识符。
 - `token`：用于身份验证的 Bearer 令牌。客户端通过设置 `Authorization: Bearer <token>` 头进行身份验证。
+- `credential`：此用户使用的凭据标签。设置 `credentials` 时==必填==。

 #### headers

@@ -88,9 +167,11 @@ OpenAI OAuth 凭据文件的路径。

 用于连接 OpenAI API 的出站标签。

+与 `credentials` 冲突。在多凭据模式下，在各个默认凭据上使用 `detour`。
+
 #### tls

-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 ### 示例

@@ -184,3 +265,52 @@ model_provider = "ocm"
 ```bash
 codex --profile ocm
 ```
+
+### 多凭据示例
+
+#### 服务端
+
+```json
+{
+  "services": [
+    {
+      "type": "ocm",
+      "listen": "0.0.0.0",
+      "listen_port": 8080,
+      "credentials": [
+        {
+          "tag": "a",
+          "credential_path": "/home/user/.codex-a/auth.json",
+          "usages_path": "/data/usages-a.json",
+          "reserve_5h": 20,
+          "reserve_weekly": 20
+        },
+        {
+          "tag": "b",
+          "credential_path": "/home/user/.codex-b/auth.json",
+          "reserve_5h": 10,
+          "reserve_weekly": 10
+        },
+        {
+          "tag": "pool",
+          "type": "balancer",
+          "poll_interval": "60s",
+          "credentials": ["a", "b"]
+        }
+      ],
+      "users": [
+        {
+          "name": "alice",
+          "token": "sk-ocm-hello-world",
+          "credential": "pool"
+        },
+        {
+          "name": "bob",
+          "token": "sk-ocm-hello-bob",
+          "credential": "a"
+        }
+      ]
+    }
+  ]
+}
+```
--- a/docs/configuration/service/ssm-api.zh.md
+++ b/docs/configuration/service/ssm-api.zh.md
@@ -55,4 +55,4 @@ SSM API 服务是一个用于管理 Shadowsocks 服务器的 RESTful API 服务

 #### tls

-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
--- a/docs/configuration/shared/certificate-provider/acme.md
+++ b/docs/configuration/shared/certificate-provider/acme.md
@@ -1,150 +0,0 @@
---
-icon: material/new-box
---
-
-!!! quote "Changes in sing-box 1.14.0"
-
-    :material-plus: [account_key](#account_key)  
-    :material-plus: [key_type](#key_type)  
-    :material-plus: [detour](#detour)
-
-# ACME
-
-!!! quote ""
-
-    `with_acme` build tag required.
-
-### Structure
-
-```json
-{
-  "type": "acme",
-  "tag": "",
-
-  "domain": [],
-  "data_directory": "",
-  "default_server_name": "",
-  "email": "",
-  "provider": "",
-  "account_key": "",
-  "disable_http_challenge": false,
-  "disable_tls_alpn_challenge": false,
-  "alternative_http_port": 0,
-  "alternative_tls_port": 0,
-  "external_account": {
-    "key_id": "",
-    "mac_key": ""
-  },
-  "dns01_challenge": {},
-  "key_type": "",
-  "detour": ""
-}
-```
-
-### Fields
-
-#### domain
-
-==Required==
-
-List of domains.
-
-#### data_directory
-
-The directory to store ACME data.
-
-`$XDG_DATA_HOME/certmagic|$HOME/.local/share/certmagic` will be used if empty.
-
-#### default_server_name
-
-Server name to use when choosing a certificate if the ClientHello's ServerName field is empty.
-
-#### email
-
-The email address to use when creating or selecting an existing ACME server account.
-
-#### provider
-
-The ACME CA provider to use.
-
-| Value                   | Provider      |
-|-------------------------|---------------|
-| `letsencrypt (default)` | Let's Encrypt |
-| `zerossl`               | ZeroSSL       |
-| `https://...`           | Custom        |
-
-When `provider` is `zerossl`, sing-box will automatically request ZeroSSL EAB credentials if `email` is set and
-`external_account` is empty.
-
-When `provider` is `zerossl`, at least one of `external_account`, `email`, or `account_key` is required.
-
-#### account_key
-
-!!! question "Since sing-box 1.14.0"
-
-The PEM-encoded private key of an existing ACME account.
-
-#### disable_http_challenge
-
-Disable all HTTP challenges.
-
-#### disable_tls_alpn_challenge
-
-Disable all TLS-ALPN challenges
-
-#### alternative_http_port
-
-The alternate port to use for the ACME HTTP challenge; if non-empty, this port will be used instead of 80 to spin up a
-listener for the HTTP challenge.
-
-#### alternative_tls_port
-
-The alternate port to use for the ACME TLS-ALPN challenge; the system must forward 443 to this port for challenge to
-succeed.
-
-#### external_account
-
-EAB (External Account Binding) contains information necessary to bind or map an ACME account to some other account known
-by the CA.
-
-External account bindings are used to associate an ACME account with an existing account in a non-ACME system, such as
-a CA customer database.
-
-To enable ACME account binding, the CA operating the ACME server needs to provide the ACME client with a MAC key and a
-key identifier, using some mechanism outside of ACME. §7.3.4
-
-#### external_account.key_id
-
-The key identifier.
-
-#### external_account.mac_key
-
-The MAC key.
-
-#### dns01_challenge
-
-ACME DNS01 challenge field. If configured, other challenge methods will be disabled.
-
-See [DNS01 Challenge Fields](/configuration/shared/dns01_challenge/) for details.
-
-#### key_type
-
-!!! question "Since sing-box 1.14.0"
-
-The private key type to generate for new certificates.
-
-| Value      | Type    |
-|------------|---------|
-| `ed25519`  | Ed25519 |
-| `p256`     | P-256   |
-| `p384`     | P-384   |
-| `rsa2048`  | RSA     |
-| `rsa4096`  | RSA     |
-
-#### detour
-
-!!! question "Since sing-box 1.14.0"
-
-The tag of the upstream outbound.
-
-All provider HTTP requests will use this outbound.
--- a/docs/configuration/shared/certificate-provider/acme.zh.md
+++ b/docs/configuration/shared/certificate-provider/acme.zh.md
@@ -1,145 +0,0 @@
---
-icon: material/new-box
---
-
-!!! quote "sing-box 1.14.0 中的更改"
-
-    :material-plus: [account_key](#account_key)  
-    :material-plus: [key_type](#key_type)  
-    :material-plus: [detour](#detour)
-
-# ACME
-
-!!! quote ""
-
-    需要 `with_acme` 构建标签。
-
-### 结构
-
-```json
-{
-  "type": "acme",
-  "tag": "",
-
-  "domain": [],
-  "data_directory": "",
-  "default_server_name": "",
-  "email": "",
-  "provider": "",
-  "account_key": "",
-  "disable_http_challenge": false,
-  "disable_tls_alpn_challenge": false,
-  "alternative_http_port": 0,
-  "alternative_tls_port": 0,
-  "external_account": {
-    "key_id": "",
-    "mac_key": ""
-  },
-  "dns01_challenge": {},
-  "key_type": "",
-  "detour": ""
-}
-```
-
-### 字段
-
-#### domain
-
-==必填==
-
-域名列表。
-
-#### data_directory
-
-ACME 数据存储目录。
-
-如果为空则使用 `$XDG_DATA_HOME/certmagic|$HOME/.local/share/certmagic`。
-
-#### default_server_name
-
-如果 ClientHello 的 ServerName 字段为空，则选择证书时要使用的服务器名称。
-
-#### email
-
-创建或选择现有 ACME 服务器帐户时使用的电子邮件地址。
-
-#### provider
-
-要使用的 ACME CA 提供商。
-
-| 值                  | 提供商           |
-|--------------------|---------------|
-| `letsencrypt (默认)` | Let's Encrypt |
-| `zerossl`          | ZeroSSL       |
-| `https://...`      | 自定义           |
-
-当 `provider` 为 `zerossl` 时，如果设置了 `email` 且未设置 `external_account`，
-sing-box 会自动向 ZeroSSL 请求 EAB 凭据。
-
-当 `provider` 为 `zerossl` 时，必须至少设置 `external_account`、`email` 或 `account_key` 之一。
-
-#### account_key
-
-!!! question "自 sing-box 1.14.0 起"
-
-现有 ACME 帐户的 PEM 编码私钥。
-
-#### disable_http_challenge
-
-禁用所有 HTTP 质询。
-
-#### disable_tls_alpn_challenge
-
-禁用所有 TLS-ALPN 质询。
-
-#### alternative_http_port
-
-用于 ACME HTTP 质询的备用端口；如果非空，将使用此端口而不是 80 来启动 HTTP 质询的侦听器。
-
-#### alternative_tls_port
-
-用于 ACME TLS-ALPN 质询的备用端口； 系统必须将 443 转发到此端口以使质询成功。
-
-#### external_account
-
-EAB（外部帐户绑定）包含将 ACME 帐户绑定或映射到 CA 已知的其他帐户所需的信息。
-
-外部帐户绑定用于将 ACME 帐户与非 ACME 系统中的现有帐户相关联，例如 CA 客户数据库。
-
-为了启用 ACME 帐户绑定，运行 ACME 服务器的 CA 需要使用 ACME 之外的某种机制向 ACME 客户端提供 MAC 密钥和密钥标识符。§7.3.4
-
-#### external_account.key_id
-
-密钥标识符。
-
-#### external_account.mac_key
-
-MAC 密钥。
-
-#### dns01_challenge
-
-ACME DNS01 质询字段。如果配置，将禁用其他质询方法。
-
-参阅 [DNS01 质询字段](/zh/configuration/shared/dns01_challenge/)。
-
-#### key_type
-
-!!! question "自 sing-box 1.14.0 起"
-
-为新证书生成的私钥类型。
-
-| 值         | 类型      |
-|-----------|----------|
-| `ed25519` | Ed25519 |
-| `p256`    | P-256   |
-| `p384`    | P-384   |
-| `rsa2048` | RSA     |
-| `rsa4096` | RSA     |
-
-#### detour
-
-!!! question "自 sing-box 1.14.0 起"
-
-上游出站的标签。
-
-所有提供者 HTTP 请求将使用此出站。
--- a/docs/configuration/shared/certificate-provider/cloudflare-origin-ca.md
+++ b/docs/configuration/shared/certificate-provider/cloudflare-origin-ca.md
@@ -1,82 +0,0 @@
---
-icon: material/new-box
---
-
-!!! question "Since sing-box 1.14.0"
-
-# Cloudflare Origin CA
-
-### Structure
-
-```json
-{
-  "type": "cloudflare-origin-ca",
-  "tag": "",
-
-  "domain": [],
-  "data_directory": "",
-  "api_token": "",
-  "origin_ca_key": "",
-  "request_type": "",
-  "requested_validity": 0,
-  "detour": ""
-}
-```
-
-### Fields
-
-#### domain
-
-==Required==
-
-List of domain names or wildcard domain names to include in the certificate.
-
-#### data_directory
-
-Root directory used to store the issued certificate, private key, and metadata.
-
-If empty, sing-box uses the same default data directory as the ACME certificate provider:
-`$XDG_DATA_HOME/certmagic` or `$HOME/.local/share/certmagic`.
-
-#### api_token
-
-Cloudflare API token used to create the certificate.
-
-Get or create one in [Cloudflare Dashboard > My Profile > API Tokens](https://dash.cloudflare.com/profile/api-tokens).
-
-Requires the `Zone / SSL and Certificates / Edit` permission.
-
-Conflict with `origin_ca_key`.
-
-#### origin_ca_key
-
-Cloudflare Origin CA Key.
-
-Get it in [Cloudflare Dashboard > My Profile > API Tokens > API Keys > Origin CA Key](https://dash.cloudflare.com/profile/api-tokens).
-
-Conflict with `api_token`.
-
-#### request_type
-
-The signature type to request from Cloudflare.
-
-| Value                | Type        |
-|----------------------|-------------|
-| `origin-rsa`         | RSA         |
-| `origin-ecc`         | ECDSA P-256 |
-
-`origin-rsa` is used if empty.
-
-#### requested_validity
-
-The requested certificate validity in days.
-
-Available values: `7`, `30`, `90`, `365`, `730`, `1095`, `5475`.
-
-`5475` days (15 years) is used if empty.
-
-#### detour
-
-The tag of the upstream outbound.
-
-All provider HTTP requests will use this outbound.
--- a/docs/configuration/shared/certificate-provider/cloudflare-origin-ca.zh.md
+++ b/docs/configuration/shared/certificate-provider/cloudflare-origin-ca.zh.md
@@ -1,82 +0,0 @@
---
-icon: material/new-box
---
-
-!!! question "自 sing-box 1.14.0 起"
-
-# Cloudflare Origin CA
-
-### 结构
-
-```json
-{
-  "type": "cloudflare-origin-ca",
-  "tag": "",
-
-  "domain": [],
-  "data_directory": "",
-  "api_token": "",
-  "origin_ca_key": "",
-  "request_type": "",
-  "requested_validity": 0,
-  "detour": ""
-}
-```
-
-### 字段
-
-#### domain
-
-==必填==
-
-要写入证书的域名或通配符域名列表。
-
-#### data_directory
-
-保存签发证书、私钥和元数据的根目录。
-
-如果为空，sing-box 会使用与 ACME 证书提供者相同的默认数据目录：
-`$XDG_DATA_HOME/certmagic` 或 `$HOME/.local/share/certmagic`。
-
-#### api_token
-
-用于创建证书的 Cloudflare API Token。
-
-可在 [Cloudflare Dashboard > My Profile > API Tokens](https://dash.cloudflare.com/profile/api-tokens) 获取或创建。
-
-需要 `Zone / SSL and Certificates / Edit` 权限。
-
-与 `origin_ca_key` 冲突。
-
-#### origin_ca_key
-
-Cloudflare Origin CA Key。
-
-可在 [Cloudflare Dashboard > My Profile > API Tokens > API Keys > Origin CA Key](https://dash.cloudflare.com/profile/api-tokens) 获取。
-
-与 `api_token` 冲突。
-
-#### request_type
-
-向 Cloudflare 请求的签名类型。
-
-| 值                   | 类型        |
-|----------------------|-------------|
-| `origin-rsa`         | RSA         |
-| `origin-ecc`         | ECDSA P-256 |
-
-如果为空，使用 `origin-rsa`。
-
-#### requested_validity
-
-请求的证书有效期，单位为天。
-
-可用值：`7`、`30`、`90`、`365`、`730`、`1095`、`5475`。
-
-如果为空，使用 `5475` 天（15 年）。
-
-#### detour
-
-上游出站的标签。
-
-所有提供者 HTTP 请求将使用此出站。
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	5b29fd3be4	ccm,ocm: add request ID context to HTTP request logging	2026-03-14 16:14:24 +08:00
世界	016e5e1b12	service/ocm: add default OpenAI-Beta header and log websocket error body The upstream OpenAI WebSocket endpoint requires the OpenAI-Beta: responses_websockets=2026-02-06 header. Set it automatically when the client doesn't provide it. Also capture and log the response body on non-429 WebSocket handshake failures to surface the actual error from upstream.	2026-03-14 16:07:58 +08:00
世界	92b3bde862	ccm,ocm: strip reverse proxy headers from upstream responses	2026-03-14 15:58:33 +08:00
世界	64f7349fca	service/ocm: unify websocket logging with HTTP request logging	2026-03-14 15:52:27 +08:00
世界	527372ba74	ccm,ocm: auto-detect plan weight for external credentials via status endpoint	2026-03-14 15:44:04 +08:00
世界	c6c07cb52f	service/ccm: update oauth token URL and remove unnecessary Accept header	2026-03-14 15:19:59 +08:00
世界	913f033d1a	ccm,ocm: improve balancer least_used with plan-weighted scoring and reset urgency Scale remaining capacity by plan weight (Pro=1, Max 5x=5, Max 20x=10 for CCM; Plus=1, Pro=10 for OCM) so higher-tier accounts contribute proportionally more. Factor in weekly reset proximity so credentials about to reset are preferred ("use it or lose it"). Auto-detect plan weight from subscriptionType + rateLimitTier (CCM) or plan_type (OCM). Fetch /api/oauth/profile when rateLimitTier is missing from the credential file. External credentials accept a manual plan_weight option.	2026-03-14 15:10:13 +08:00
世界	688f8cc4ef	service/ocm: only log new credential assignments and add websocket logging	2026-03-14 14:44:24 +08:00
世界	de51879ae9	service/ccm: only log new credential assignments and show context window in model	2026-03-14 14:31:21 +08:00
世界	2943e8e5f0	ccm,ocm: mark credentials unusable on usage poll failure and trigger poll on upstream error	2026-03-14 14:31:21 +08:00
世界	e2b2af8322	service/ccm: allow extended context (1m) for all credentials 1m context is now available to all subscribers and no longer consumes Extra Usage.	2026-03-14 13:48:23 +08:00
世界	c8d8d0a3e7	service/ccm: reject fast-mode external credentials	2026-03-13 23:31:19 +08:00
世界	8cd7713ca9	ccm,ocm: fix reserveWeekly default and remove dead reserve fields	2026-03-13 23:29:06 +08:00
世界	566abb00cd	ccm,ocm: add limit options and fix aggregated utilization scaling Add limit_5h and limit_weekly options as alternatives to reserve_5h and reserve_weekly for capping credential utilization. The two are mutually exclusive per window. Fix computeAggregatedUtilization to scale per-credential utilization relative to each credential's cap before averaging, so external users see correct available capacity regardless of per-credential caps. Fix pickLeastUsed to compare remaining capacity (cap - utilization) instead of raw utilization, ensuring fair comparison across credentials with different caps.	2026-03-13 23:13:44 +08:00
世界	ae7550b465	ocm: preserve websocket rate limit event fields	2026-03-13 22:24:08 +08:00
世界	63d4cdffef	ocm: rewrite codex.rate_limits WebSocket events for external users The HTTP path rewrites utilization headers for external users via rewriteResponseHeadersForExternalUser to show aggregated values. The WebSocket upgrade headers were also rewritten, but in-band codex.rate_limits events were forwarded unmodified, leaking per-credential utilization to external users.	2026-03-13 21:54:47 +08:00
世界	5516d7b045	ccm,ocm: fix passive usage update for WebSocket connections WebSocket 101 upgrade responses do not include utilization headers (confirmed via codex CLI source). Rate limit data is delivered exclusively through in-band events (codex.rate_limits and error events with status 429). Previously, updateStateFromHeaders unconditionally bumped lastUpdated even when no utilization headers were found, which suppressed polling and left credential utilization permanently stale during WebSocket sessions. - Only bump lastUpdated when actual utilization data is parsed - Parse in-band codex.rate_limits events to update credential state - Detect in-band 429 error events to markRateLimited - Fix WebSocket 429 retry to update old credential state before retry	2026-03-13 21:42:05 +08:00
世界	c639c27cdb	ccm,ocm: fix reverse session shutdown race	2026-03-13 21:31:23 +08:00
世界	f0022f59a2	ccm,ocm: block utilization decrease within same rate-limit window updateStateFromHeaders unconditionally applied header utilization values even when they were lower than the current state, causing poll-sourced values to be overwritten by stale header values. Parse reset timestamps before utilization and only allow decreases when the reset timestamp changes (indicating a new rate-limit window). Also add math.Ceil to CCM external credential for consistency with default credential.	2026-03-13 21:06:32 +08:00
世界	9e7d863ee7	ccm,ocm: fix connector-side bufio data loss in reverse proxy connectorConnect() creates a bufio.NewReader to read the HTTP 101 upgrade response, but then passes the raw conn to yamux.Server(). If TCP coalesces the 101 response with initial yamux frames, the bufio reader over-reads into its buffer and those bytes are lost to yamux, causing session failure. Wrap the bufio.Reader and raw conn into a bufferedConn so yamux reads through the buffer first.	2026-03-13 21:06:32 +08:00
世界	d5c6c6aed2	ccm,ocm: fix data race on reverseContext/reverseCancel InterfaceUpdated() writes reverseContext and reverseCancel without synchronization while connectorLoop/connectorConnect goroutines read them concurrently. close() also accesses reverseCancel without a lock. Fix by extending reverseAccess mutex to protect these fields: - Add getReverseContext()/resetReverseContext() methods - Pass context as parameter to connectorConnect - Merge close() into a single lock acquisition - Use resetReverseContext() in InterfaceUpdated()	2026-03-13 21:06:32 +08:00
世界	4d89d732e2	ccm,ocm: reset connector backoff after successful connection The consecutiveFailures counter in connectorLoop never resets, causing backoff to permanently cap at 30-45s even after a connection that served successfully for hours. Reset the counter when connectorConnect ran for at least one minute, indicating a successful session rather than a transient dial/handshake failure.	2026-03-13 21:05:50 +08:00
世界	f6821be8a3	ccm,ocm: unify HTTP request retry with fast retry and exponential backoff	2026-03-13 20:05:54 +08:00
世界	03b01efe49	Fix reverse external credential handling	2026-03-13 19:36:51 +08:00
世界	16aeba8ec0	ccm,ocm: add reverse proxy support for external credentials Allow two CCM/OCM instances to share credentials when only one has a public IP, using yamux-multiplexed reverse connections. Three credential modes: - Normal: URL set, reverse=false — standard HTTP proxy - Receiver: URL empty — waits for incoming reverse connection - Connector: URL set, reverse=true — dials out to establish connection Extend InterfaceUpdated to services so network changes trigger reverse connection reconnection.	2026-03-13 18:51:02 +08:00
世界	283a5aacee	ccm,ocm: strip reverse proxy headers before forwarding to upstream	2026-03-13 04:54:11 +08:00
世界	8d852bba9b	ccm,ocm,ssmapi: fix HTTP/2 over TLS with h2c handler aTLS.NewListener returns LazyConn, not tls.Conn, so Go's http.Server cannot detect TLS via type assertion and falls back to HTTP/1.x. When ALPN negotiates h2, the client sends HTTP/2 frames that the server fails to parse, causing HTTP 520 errors behind Cloudflare. Wrap HTTP handlers with h2c.NewHandler to intercept the HTTP/2 client preface and dispatch to http2.Server.ServeConn, consistent with DERP, v2rayhttp, naive, and v2raygrpclite services.	2026-03-13 04:52:31 +08:00
世界	29c8794f45	ccm,ocm: check credential file writability before token refresh Refuse to refresh tokens when the credential file is not writable, preventing server-side invalidation of the old refresh token that would make the credential permanently unusable after restart.	2026-03-13 03:27:42 +08:00
世界	c8d593503f	ccm,ocm: watch credential_path and allow delayed credentials	2026-03-13 02:47:06 +08:00
世界	a8934be7cd	ccm/ocm: Add external credential support for cross-instance usage sharing Extract credential interface from *defaultCredential to support both default (OAuth) and external (remote proxy) credential types. External credentials proxy requests to a remote ccm/ocm instance with bearer token auth, poll a /status endpoint for utilization, and parse aggregated rate limit headers from responses. Add allow_external_usage user flag to control whether balancer/fallback providers may select external credentials. Add status endpoint (/ccm/v1/status, /ocm/v1/status) returning averaged utilization across eligible credentials. Rewrite response rate limit headers for external users with aggregated values.	2026-03-13 01:47:45 +08:00
世界	7aef716ebc	ccm/ocm: Add multi-credential support with balancer and fallback strategies	2026-03-13 00:50:04 +08:00
世界	7df171ff20	Bump version	2026-03-11 21:31:42 +08:00
世界	46eda3e96f	cronet-go: Update chromium to 145.0.7632.159	2026-03-11 21:31:42 +08:00
世界	727a9d18d6	documentation: Update descriptions for neighbor rules	2026-03-11 21:31:42 +08:00
世界	20f60b8c7b	Add macOS support for MAC and hostname rule items	2026-03-11 21:31:42 +08:00
世界	84b0ddff7f	Add Android support for MAC and hostname rule items	2026-03-11 21:31:42 +08:00
世界	811ea13b73	Add MAC and hostname rule items	2026-03-11 21:31:41 +08:00
世界	bdb90f0a01	Bump version	2026-03-11 21:30:11 +08:00
世界	c9ab6458fa	tun：Fix auto_redirect dropping SO_BINDTODEVICE traffic	2026-03-11 21:30:11 +08:00
世界	16a249f672	tailscale: Fix system interface rules	2026-03-11 21:30:03 +08:00