Merge GANClient history into upstream-based main

Reapply SingboxForPanel integration on upstream stable
Bump version
2026-04-16 10:39:25 +08:00 · 2026-04-16 10:29:41 +08:00 · 2026-04-14 14:33:19 +08:00 · 2026-04-14 14:26:59 +08:00 · 2026-04-14 14:24:21 +08:00 · 2026-04-14 14:15:20 +08:00
291 changed files with 4479 additions and 23091 deletions
--- a/.config.example
+++ b/.config.example
@@ -1,12 +0,0 @@
 {
  "services": [
    {
      "type": "xboard",
      "panel_url": "https://your-panel.com",
      "key": "your-node-key",
      "node_id": 1,
      "sync_interval": "1m",
      "report_interval": "1m"
    }
  ]
 }
--- a/.env.example
+++ b/.env.example
@@ -1,10 +0,0 @@
 PANEL_URL=https://your-panel.com
 PANEL_TOKEN=your_node_key
 NODE_ID=1
 NODE_TYPE=v2ray
 # Separate URLs/IDs (Optional)
 # CONFIG_PANEL_URL=https://config-panel.com
 # CONFIG_NODE_ID=151
 # USER_PANEL_URL=https://user-panel.com
 # USER_NODE_ID=140
--- a/.github/CRONET_GO_VERSION
+++ b/.github/CRONET_GO_VERSION
@@ -0,0 +1 @@
 e4926ba205fae5351e3d3eeafff7e7029654424a
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1 @@
 github: nekohasekai
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -0,0 +1,88 @@
 name: Bug report
 description: "Report sing-box bug"
 body:
  - type: dropdown
    attributes:
      label: Operating system
      description: Operating system type
      options:
        - iOS
        - macOS
        - Apple tvOS
        - Android
        - Windows
        - Linux
        - Others
    validations:
      required: true
  - type: input
    attributes:
      label: System version
      description: Please provide the operating system version
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Installation type
      description: Please provide the sing-box installation type
      options:
        - Original sing-box Command Line
        - sing-box for iOS Graphical Client
        - sing-box for macOS Graphical Client
        - sing-box for Apple tvOS Graphical Client
        - sing-box for Android Graphical Client
        - Third-party graphical clients that advertise themselves as using sing-box (Windows)
        - Third-party graphical clients that advertise themselves as using sing-box (Android)
        - Others
    validations:
      required: true
  - type: input
    attributes:
      description: Graphical client version
      label: If you are using a graphical client, please provide the version of the client.
  - type: textarea
    attributes:
      label: Version
      description: If you are using the original command line program, please provide the output of the `sing-box version` command.
      render: shell
  - type: textarea
    attributes:
      label: Description
      description: Please provide a detailed description of the error.
    validations:
      required: true
  - type: textarea
    attributes:
      label: Reproduction
      description: Please provide the steps to reproduce the error, including the configuration files and procedures that can locally (not dependent on the remote server) reproduce the error using the original command line program of sing-box.
    validations:
      required: true
  - type: textarea
    attributes:
      label: Logs
      description: |-
        In addition, if you encounter a crash with the graphical client, please also provide crash logs.
        For Apple platform clients, please check `Settings - View Service Log` for crash logs.
        For the Android client, please check the `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` file for crash logs.
      render: shell
  - type: checkboxes
    id: supporter
    attributes:
      label: Supporter
      options:
        - label: I am a [sponsor](https://github.com/sponsors/nekohasekai/)
  - type: checkboxes
    attributes:
      label: Integrity requirements
      description: |-
        Please check all of the following options to prove that you have read and understood the requirements, otherwise this issue will be closed.
        Sing-box is not a project aimed to please users who can't make any meaningful contributions and gain unethical influence. If you deceive here to deliberately waste the time of the developers, you will be permanently blocked.
      options:
        - label: I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
          required: true
        - label: I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
          required: true
        - label: I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
          required: true
        - label: I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.
          required: true
--- a/.github/ISSUE_TEMPLATE/bug_report_zh.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report_zh.yml
@@ -0,0 +1,88 @@
 name: 错误反馈
 description: "提交 sing-box 漏洞"
 body:
  - type: dropdown
    attributes:
      label: 操作系统
      description: 请提供操作系统类型
      options:
        - iOS
        - macOS
        - Apple tvOS
        - Android
        - Windows
        - Linux
        - 其他
    validations:
      required: true
  - type: input
    attributes:
      label: 系统版本
      description: 请提供操作系统版本
    validations:
      required: true
  - type: dropdown
    attributes:
      label: 安装类型
      description: 请提供该 sing-box 安装类型
      options:
        - sing-box 原始命令行程序
        - sing-box for iOS 图形客户端程序
        - sing-box for macOS 图形客户端程序
        - sing-box for Apple tvOS 图形客户端程序
        - sing-box for Android 图形客户端程序
        - 宣传使用 sing-box 的第三方图形客户端程序 (Windows)
        - 宣传使用 sing-box 的第三方图形客户端程序 (Android)
        - 其他
    validations:
      required: true
  - type: input
    attributes:
      description: 图形客户端版本
      label: 如果您使用图形客户端程序，请提供该程序版本。
  - type: textarea
    attributes:
      label: 版本
      description: 如果您使用原始命令行程序，请提供 `sing-box version` 命令的输出。
      render: shell
  - type: textarea
    attributes:
      label: 描述
      description: 请提供错误的详细描述。
    validations:
      required: true
  - type: textarea
    attributes:
      label: 重现方式
      description: 请提供重现错误的步骤，必须包括可以在本地（不依赖与远程服务器）使用 sing-box 原始命令行程序重现错误的配置文件与流程。
    validations:
      required: true
  - type: textarea
    attributes:
      label: 日志
      description: |-
        此外，如果您遭遇图形界面应用程序崩溃，请附加提供崩溃日志。
        对于 Apple 平台图形客户端程序，请检查 `Settings - View Service Log` 以导出崩溃日志。
        对于 Android 图形客户端程序，请检查 `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` 文件以导出崩溃日志。
      render: shell
  - type: checkboxes
    id: supporter
    attributes:
      label: 支持我们
      options:
        - label: 我已经 [赞助](https://github.com/sponsors/nekohasekai/)
  - type: checkboxes
    attributes:
      label: 完整性要求
      description: |-
        请勾选以下所有选项以证明您已经阅读并理解了以下要求，否则该 issue 将被关闭。
        sing-box 不是讨好无法作出任何意义上的贡献的最终用户并获取非道德影响力的项目，如果您在此处欺骗以故意浪费开发者的时间，您将被永久封锁。
      options:
        - label: 我保证阅读了文档，了解所有我编写的配置文件项的含义，而不是大量堆砌看似有用的选项或默认值。
          required: true
        - label: 我保证提供了可以在本地重现该问题的服务器、客户端配置文件与流程，而不是一个脱敏的复杂客户端配置文件。
          required: true
        - label: 我保证提供了可用于重现我报告的错误的最简配置，而不是依赖远程服务器、TUN、图形界面客户端或者其他闭源软件。
          required: true
        - label: 我保证提供了完整的配置文件与日志，而不是出于对自身智力的自信而仅提供了部分认为有用的部分。
          required: true
--- a/.github/build_alpine_apk.sh
+++ b/.github/build_alpine_apk.sh
@@ -0,0 +1,81 @@
 #!/usr/bin/env bash
 set -e -o pipefail
 ARCHITECTURE="$1"
 VERSION="$2"
 BINARY_PATH="$3"
 OUTPUT_PATH="$4"
 if [ -z "$ARCHITECTURE" ] || [ -z "$VERSION" ] || [ -z "$BINARY_PATH" ] || [ -z "$OUTPUT_PATH" ]; then
  echo "Usage: $0 <architecture> <version> <binary_path> <output_path>"
  exit 1
 fi
 PROJECT=$(cd "$(dirname "$0")/.."; pwd)
 # Convert version to APK format:
 #   1.13.0-beta.8  -> 1.13.0_beta8-r0
 #   1.13.0-rc.3    -> 1.13.0_rc3-r0
 #   1.13.0         -> 1.13.0-r0
 APK_VERSION=$(echo "$VERSION" | sed -E 's/-([a-z]+)\.([0-9]+)/_\1\2/')
 APK_VERSION="${APK_VERSION}-r0"
 ROOT_DIR=$(mktemp -d)
 trap 'rm -rf "$ROOT_DIR"' EXIT
 # Binary
 install -Dm755 "$BINARY_PATH" "$ROOT_DIR/usr/bin/sing-box"
 # Config files
 install -Dm644 "$PROJECT/release/config/config.json" "$ROOT_DIR/etc/sing-box/config.json"
 install -Dm755 "$PROJECT/release/config/sing-box.initd" "$ROOT_DIR/etc/init.d/sing-box"
 install -Dm644 "$PROJECT/release/config/sing-box.confd" "$ROOT_DIR/etc/conf.d/sing-box"
 # Service files
 install -Dm644 "$PROJECT/release/config/sing-box.service" "$ROOT_DIR/usr/lib/systemd/system/sing-box.service"
 install -Dm644 "$PROJECT/release/config/sing-box@.service" "$ROOT_DIR/usr/lib/systemd/system/sing-box@.service"
 # Completions
 install -Dm644 "$PROJECT/release/completions/sing-box.bash" "$ROOT_DIR/usr/share/bash-completion/completions/sing-box.bash"
 install -Dm644 "$PROJECT/release/completions/sing-box.fish" "$ROOT_DIR/usr/share/fish/vendor_completions.d/sing-box.fish"
 install -Dm644 "$PROJECT/release/completions/sing-box.zsh" "$ROOT_DIR/usr/share/zsh/site-functions/_sing-box"
 # License
 install -Dm644 "$PROJECT/LICENSE" "$ROOT_DIR/usr/share/licenses/sing-box/LICENSE"
 # APK metadata
 PACKAGES_DIR="$ROOT_DIR/lib/apk/packages"
 mkdir -p "$PACKAGES_DIR"
 # .conffiles
 cat > "$PACKAGES_DIR/.conffiles" <<'EOF'
 /etc/conf.d/sing-box
 /etc/init.d/sing-box
 /etc/sing-box/config.json
 EOF
 # .conffiles_static (sha256 checksums)
 while IFS= read -r conffile; do
  sha256=$(sha256sum "$ROOT_DIR$conffile" | cut -d' ' -f1)
  echo "$conffile $sha256"
 done < "$PACKAGES_DIR/.conffiles" > "$PACKAGES_DIR/.conffiles_static"
 # .list (all files, excluding lib/apk/packages/ metadata)
 (cd "$ROOT_DIR" && find . -type f -o -type l) \
  | sed 's|^\./|/|' \
  | grep -v '^/lib/apk/packages/' \
  | sort > "$PACKAGES_DIR/.list"
 # Build APK
 apk mkpkg \
  --info "name:sing-box" \
  --info "version:${APK_VERSION}" \
  --info "description:The universal proxy platform." \
  --info "arch:${ARCHITECTURE}" \
  --info "license:GPL-3.0-or-later with name use or association addition" \
  --info "origin:sing-box" \
  --info "url:https://sing-box.sagernet.org/" \
  --info "maintainer:nekohasekai <contact-git@sekai.icu>" \
  --files "$ROOT_DIR" \
  --output "$OUTPUT_PATH"
--- a/.github/build_openwrt_apk.sh
+++ b/.github/build_openwrt_apk.sh
@@ -0,0 +1,80 @@
 #!/usr/bin/env bash
 set -e -o pipefail
 ARCHITECTURE="$1"
 VERSION="$2"
 BINARY_PATH="$3"
 OUTPUT_PATH="$4"
 if [ -z "$ARCHITECTURE" ] || [ -z "$VERSION" ] || [ -z "$BINARY_PATH" ] || [ -z "$OUTPUT_PATH" ]; then
  echo "Usage: $0 <architecture> <version> <binary_path> <output_path>"
  exit 1
 fi
 PROJECT=$(cd "$(dirname "$0")/.."; pwd)
 # Convert version to APK format:
 #   1.13.0-beta.8  -> 1.13.0_beta8-r0
 #   1.13.0-rc.3    -> 1.13.0_rc3-r0
 #   1.13.0         -> 1.13.0-r0
 APK_VERSION=$(echo "$VERSION" | sed -E 's/-([a-z]+)\.([0-9]+)/_\1\2/')
 APK_VERSION="${APK_VERSION}-r0"
 ROOT_DIR=$(mktemp -d)
 trap 'rm -rf "$ROOT_DIR"' EXIT
 # Binary
 install -Dm755 "$BINARY_PATH" "$ROOT_DIR/usr/bin/sing-box"
 # Config files
 install -Dm644 "$PROJECT/release/config/config.json" "$ROOT_DIR/etc/sing-box/config.json"
 install -Dm644 "$PROJECT/release/config/openwrt.conf" "$ROOT_DIR/etc/config/sing-box"
 install -Dm755 "$PROJECT/release/config/openwrt.init" "$ROOT_DIR/etc/init.d/sing-box"
 install -Dm644 "$PROJECT/release/config/openwrt.keep" "$ROOT_DIR/lib/upgrade/keep.d/sing-box"
 # Completions
 install -Dm644 "$PROJECT/release/completions/sing-box.bash" "$ROOT_DIR/usr/share/bash-completion/completions/sing-box.bash"
 install -Dm644 "$PROJECT/release/completions/sing-box.fish" "$ROOT_DIR/usr/share/fish/vendor_completions.d/sing-box.fish"
 install -Dm644 "$PROJECT/release/completions/sing-box.zsh" "$ROOT_DIR/usr/share/zsh/site-functions/_sing-box"
 # License
 install -Dm644 "$PROJECT/LICENSE" "$ROOT_DIR/usr/share/licenses/sing-box/LICENSE"
 # APK metadata
 PACKAGES_DIR="$ROOT_DIR/lib/apk/packages"
 mkdir -p "$PACKAGES_DIR"
 # .conffiles
 cat > "$PACKAGES_DIR/.conffiles" <<'EOF'
 /etc/config/sing-box
 /etc/sing-box/config.json
 EOF
 # .conffiles_static (sha256 checksums)
 while IFS= read -r conffile; do
  sha256=$(sha256sum "$ROOT_DIR$conffile" | cut -d' ' -f1)
  echo "$conffile $sha256"
 done < "$PACKAGES_DIR/.conffiles" > "$PACKAGES_DIR/.conffiles_static"
 # .list (all files, excluding lib/apk/packages/ metadata)
 (cd "$ROOT_DIR" && find . -type f -o -type l) \
  | sed 's|^\./|/|' \
  | grep -v '^/lib/apk/packages/' \
  | sort > "$PACKAGES_DIR/.list"
 # Build APK
 apk mkpkg \
  --info "name:sing-box" \
  --info "version:${APK_VERSION}" \
  --info "description:The universal proxy platform." \
  --info "arch:${ARCHITECTURE}" \
  --info "license:GPL-3.0-or-later" \
  --info "origin:sing-box" \
  --info "url:https://sing-box.sagernet.org/" \
  --info "maintainer:nekohasekai <contact-git@sekai.icu>" \
  --info "depends:ca-bundle kmod-inet-diag kmod-tun firewall4 kmod-nft-queue" \
  --info "provider-priority:100" \
  --script "pre-deinstall:${PROJECT}/release/config/openwrt.prerm" \
  --files "$ROOT_DIR" \
  --output "$OUTPUT_PATH"
--- a/.github/deb2ipk.sh
+++ b/.github/deb2ipk.sh
@@ -0,0 +1,28 @@
 #!/usr/bin/env bash
 # mod from https://gist.github.com/pldubouilh/c5703052986bfdd404005951dee54683
 set -e -o pipefail
 PROJECT=$(dirname "$0")/../..
 TMP_PATH=`mktemp -d`
 cp $2 $TMP_PATH
 pushd $TMP_PATH
 DEB_NAME=`ls *.deb`
 ar x $DEB_NAME
 mkdir control
 pushd control
 tar xf ../control.tar.gz
 rm md5sums
 sed "s/Architecture:\\ \w*/Architecture:\\ $1/g" ./control -i
 cat control
 tar czf ../control.tar.gz ./*
 popd
 DEB_NAME=${DEB_NAME%.deb}
 tar czf $DEB_NAME.ipk control.tar.gz data.tar.gz debian-binary
 popd
 cp $TMP_PATH/$DEB_NAME.ipk $3
 rm -r $TMP_PATH
--- a/.github/detect_track.sh
+++ b/.github/detect_track.sh
@@ -0,0 +1,33 @@
 #!/usr/bin/env bash
 set -euo pipefail
 branches=$(git branch -r --contains HEAD)
 if echo "$branches" | grep -q 'origin/stable'; then
  track=stable
 elif echo "$branches" | grep -q 'origin/testing'; then
  track=testing
 elif echo "$branches" | grep -q 'origin/oldstable'; then
  track=oldstable
 else
  echo "ERROR: HEAD is not on any known release branch (stable/testing/oldstable)" >&2
  exit 1
 fi
 if [[ "$track" == "stable" ]]; then
  tag=$(git describe --tags --exact-match HEAD 2>/dev/null || true)
  if [[ -n "$tag" && "$tag" == *"-"* ]]; then
    track=beta
  fi
 fi
 case "$track" in
  stable)    name=sing-box;           docker_tag=latest ;;
  beta)      name=sing-box-beta;      docker_tag=latest-beta ;;
  testing)   name=sing-box-testing;   docker_tag=latest-testing ;;
  oldstable) name=sing-box-oldstable; docker_tag=latest-oldstable ;;
 esac
 echo "track=${track} name=${name} docker_tag=${docker_tag}" >&2
 echo "TRACK=${track}" >> "$GITHUB_ENV"
 echo "NAME=${name}" >> "$GITHUB_ENV"
 echo "DOCKER_TAG=${docker_tag}" >> "$GITHUB_ENV"
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -0,0 +1,28 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "commitMessagePrefix": "[dependencies]",
  "extends": [
    "config:base",
    ":disableRateLimiting"
  ],
  "baseBranches": [
    "unstable"
  ],
  "golang": {
    "enabled": false
  },
  "packageRules": [
    {
      "matchManagers": [
        "github-actions"
      ],
      "groupName": "github-actions"
    },
    {
      "matchManagers": [
        "dockerfile"
      ],
      "groupName": "Dockerfile"
    }
  ]
 }
--- a/.github/setup_go_for_macos1013.sh
+++ b/.github/setup_go_for_macos1013.sh
@@ -0,0 +1,45 @@
 #!/usr/bin/env bash
 set -euo pipefail
 VERSION="1.25.9"
 PATCH_COMMITS=(
  "afe69d3cec1c6dcf0f1797b20546795730850070"
  "1ed289b0cf87dc5aae9c6fe1aa5f200a83412938"
 )
 CURL_ARGS=(
  -fL
  --silent
  --show-error
 )
 if [[ -n "${GITHUB_TOKEN:-}" ]]; then
  CURL_ARGS+=(-H "Authorization: Bearer ${GITHUB_TOKEN}")
 fi
 mkdir -p "$HOME/go"
 cd "$HOME/go"
 wget "https://dl.google.com/go/go${VERSION}.darwin-arm64.tar.gz"
 tar -xzf "go${VERSION}.darwin-arm64.tar.gz"
 #cp -a go go_bootstrap
 mv go go_osx
 cd go_osx
 # these patch URLs only work on golang1.25.x
 # that means after golang1.26 release it must be changed
 # see: https://github.com/SagerNet/go/commits/release-branch.go1.25/
 # revert:
 # 33d3f603c1: "cmd/link/internal/ld: use 12.0.0 OS/SDK versions for macOS linking"
 # 937368f84e: "crypto/x509: change how we retrieve chains on darwin"
 for patch_commit in "${PATCH_COMMITS[@]}"; do
  curl "${CURL_ARGS[@]}" "https://github.com/SagerNet/go/commit/${patch_commit}.diff" | patch --verbose -p 1
 done
 # Rebuild is not needed: we build with CGO_ENABLED=1, so Apple's external
 # linker handles LC_BUILD_VERSION via MACOSX_DEPLOYMENT_TARGET, and the
 # stdlib (crypto/x509) is compiled from patched src automatically.
 #cd src
 #GOROOT_BOOTSTRAP="$HOME/go/go_bootstrap" ./make.bash
 #cd ../..
 #rm -rf go_bootstrap "go${VERSION}.darwin-arm64.tar.gz"
--- a/.github/setup_go_for_windows7.sh
+++ b/.github/setup_go_for_windows7.sh
@@ -0,0 +1,46 @@
 #!/usr/bin/env bash
 set -euo pipefail
 VERSION="1.25.9"
 PATCH_COMMITS=(
  "466f6c7a29bc098b0d4c987b803c779222894a11"
  "1bdabae205052afe1dadb2ad6f1ba612cdbc532a"
  "a90777dcf692dd2168577853ba743b4338721b06"
  "f6bddda4e8ff58a957462a1a09562924d5f3d05c"
  "bed309eff415bcb3c77dd4bc3277b682b89a388d"
  "34b899c2fb39b092db4fa67c4417e41dc046be4b"
 )
 CURL_ARGS=(
  -fL
  --silent
  --show-error
 )
 if [[ -n "${GITHUB_TOKEN:-}" ]]; then
  CURL_ARGS+=(-H "Authorization: Bearer ${GITHUB_TOKEN}")
 fi
 mkdir -p "$HOME/go"
 cd "$HOME/go"
 wget "https://dl.google.com/go/go${VERSION}.linux-amd64.tar.gz"
 tar -xzf "go${VERSION}.linux-amd64.tar.gz"
 mv go go_win7
 cd go_win7
 # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
 # these patch URLs only work on golang1.25.x
 # that means after golang1.26 release it must be changed
 # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.25/
 # revert:
 # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
 # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
 # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
 # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
 # fixes:
 # bed309eff415bcb3c77dd4bc3277b682b89a388d: "Fix os.RemoveAll not working on Windows7"
 # 34b899c2fb39b092db4fa67c4417e41dc046be4b: "Revert \"os: remove 5ms sleep on Windows in (*Process).Wait\""
 for patch_commit in "${PATCH_COMMITS[@]}"; do
  curl "${CURL_ARGS[@]}" "https://github.com/MetaCubeX/go/commit/${patch_commit}.diff" | patch --verbose -p 1
 done
--- a/.github/update_clients.sh
+++ b/.github/update_clients.sh
@@ -0,0 +1,14 @@
 #!/usr/bin/env bash
 PROJECTS=$(dirname "$0")/../..
 function updateClient() {
  pushd clients/$1
  git fetch
  git reset FETCH_HEAD --hard
  popd
  git add clients/$1
 }
 updateClient "apple"
 updateClient "android"
--- a/.github/update_cronet.sh
+++ b/.github/update_cronet.sh
@@ -0,0 +1,13 @@
 #!/usr/bin/env bash
 set -e -o pipefail
 SCRIPT_DIR=$(dirname "$0")
 PROJECTS=$SCRIPT_DIR/../..
 git -C $PROJECTS/cronet-go fetch origin main
 git -C $PROJECTS/cronet-go fetch origin go
 go get -x github.com/sagernet/cronet-go/all@$(git -C $PROJECTS/cronet-go rev-parse origin/go)
 go get -x github.com/sagernet/cronet-go@$(git -C $PROJECTS/cronet-go rev-parse origin/go)
 go mod tidy
 git -C $PROJECTS/cronet-go rev-parse origin/go > "$SCRIPT_DIR/CRONET_GO_VERSION"
--- a/.github/update_cronet_dev.sh
+++ b/.github/update_cronet_dev.sh
@@ -0,0 +1,13 @@
 #!/usr/bin/env bash
 set -e -o pipefail
 SCRIPT_DIR=$(dirname "$0")
 PROJECTS=$SCRIPT_DIR/../..
 git -C $PROJECTS/cronet-go fetch origin dev
 git -C $PROJECTS/cronet-go fetch origin go_dev
 go get -x github.com/sagernet/cronet-go/all@$(git -C $PROJECTS/cronet-go rev-parse origin/go_dev)
 go get -x github.com/sagernet/cronet-go@$(git -C $PROJECTS/cronet-go rev-parse origin/go_dev)
 go mod tidy
 git -C $PROJECTS/cronet-go rev-parse origin/dev > "$SCRIPT_DIR/CRONET_GO_VERSION"
--- a/.github/update_dependencies.sh
+++ b/.github/update_dependencies.sh
@@ -0,0 +1,5 @@
 #!/usr/bin/env bash
 PROJECTS=$(dirname "$0")/../..
 go get -x github.com/sagernet/$1@$(git -C $PROJECTS/$1 rev-parse HEAD)
 go mod tidy
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -0,0 +1,295 @@
 name: Publish Docker Images
 on:
  #push:
  #  branches:
  #    - stable
  #    - testing
  release:
    types:
      - published
  workflow_dispatch:
    inputs:
      tag:
        description: "The tag version you want to build"
 env:
  REGISTRY_IMAGE: ghcr.io/sagernet/sing-box
 jobs:
  build_binary:
    name: Build binary
    runs-on: ubuntu-latest
    strategy:
      fail-fast: true
      matrix:
        include:
          # Naive-enabled builds (musl)
          - { arch: amd64, naive: true, docker_platform: "linux/amd64" }
          - { arch: arm64, naive: true, docker_platform: "linux/arm64" }
          - { arch: "386", naive: true, docker_platform: "linux/386" }
          - { arch: arm, goarm: "7", naive: true, docker_platform: "linux/arm/v7" }
          - { arch: mipsle, gomips: softfloat, naive: true, docker_platform: "linux/mipsle" }
          - { arch: riscv64, naive: true, docker_platform: "linux/riscv64" }
          - { arch: loong64, naive: true, docker_platform: "linux/loong64" }
          # Non-naive builds
          - { arch: arm, goarm: "6", docker_platform: "linux/arm/v6" }
          - { arch: ppc64le, docker_platform: "linux/ppc64le" }
          - { arch: s390x, docker_platform: "linux/s390x" }
    steps:
      - name: Get commit to build
        id: ref
        run: |-
          if [[ -z "${{ github.event.inputs.tag }}" ]]; then
            ref="${{ github.ref_name }}"
          else
            ref="${{ github.event.inputs.tag }}"
          fi
          echo "ref=$ref"
          echo "ref=$ref" >> $GITHUB_OUTPUT
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          ref: ${{ steps.ref.outputs.ref }}
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ~1.25.9
      - name: Clone cronet-go
        if: matrix.naive
        run: |
          set -xeuo pipefail
          CRONET_GO_VERSION=$(cat .github/CRONET_GO_VERSION)
          git init ~/cronet-go
          git -C ~/cronet-go remote add origin https://github.com/sagernet/cronet-go.git
          git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
          git -C ~/cronet-go checkout FETCH_HEAD
          git -C ~/cronet-go submodule update --init --recursive --depth=1
      - name: Regenerate Debian keyring
        if: matrix.naive
        run: |
          set -xeuo pipefail
          rm -f ~/cronet-go/naiveproxy/src/build/linux/sysroot_scripts/keyring.gpg
          cd ~/cronet-go
          GPG_TTY=/dev/null ./naiveproxy/src/build/linux/sysroot_scripts/generate_keyring.sh
      - name: Cache Chromium toolchain
        if: matrix.naive
        id: cache-chromium-toolchain
        uses: actions/cache@v4
        with:
          path: |
            ~/cronet-go/naiveproxy/src/third_party/llvm-build/
            ~/cronet-go/naiveproxy/src/gn/out/
            ~/cronet-go/naiveproxy/src/chrome/build/pgo_profiles/
            ~/cronet-go/naiveproxy/src/out/sysroot-build/
          key: chromium-toolchain-${{ matrix.arch }}-musl-${{ hashFiles('.github/CRONET_GO_VERSION') }}
      - name: Download Chromium toolchain
        if: matrix.naive
        run: |
          set -xeuo pipefail
          cd ~/cronet-go
          go run ./cmd/build-naive --target=linux/${{ matrix.arch }} --libc=musl download-toolchain
      - name: Set version
        run: |
          set -xeuo pipefail
          VERSION=$(go run ./cmd/internal/read_tag)
          echo "VERSION=${VERSION}" >> "${GITHUB_ENV}"
      - name: Set Chromium toolchain environment
        if: matrix.naive
        run: |
          set -xeuo pipefail
          cd ~/cronet-go
          go run ./cmd/build-naive --target=linux/${{ matrix.arch }} --libc=musl env >> $GITHUB_ENV
      - name: Set build tags
        run: |
          set -xeuo pipefail
          if [[ "${{ matrix.naive }}" == "true" ]]; then
            TAGS="$(cat release/DEFAULT_BUILD_TAGS),with_musl"
          else
            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
          fi
          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
      - name: Set shared ldflags
        run: |
          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
      - name: Build (naive)
        if: matrix.naive
        run: |
          set -xeuo pipefail
          go build -v -trimpath -o sing-box -tags "${BUILD_TAGS}" \
          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${VERSION}' ${LDFLAGS_SHARED} -s -w -buildid=" \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "1"
          GOOS: linux
          GOARCH: ${{ matrix.arch }}
          GOARM: ${{ matrix.goarm }}
          GOMIPS: ${{ matrix.gomips }}
      - name: Build (non-naive)
        if: ${{ ! matrix.naive }}
        run: |
          set -xeuo pipefail
          go build -v -trimpath -o sing-box -tags "${BUILD_TAGS}" \
          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${VERSION}' ${LDFLAGS_SHARED} -s -w -buildid=" \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "0"
          GOOS: linux
          GOARCH: ${{ matrix.arch }}
          GOARM: ${{ matrix.goarm }}
      - name: Prepare artifact
        run: |
          platform=${{ matrix.docker_platform }}
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
          # Rename binary to include arch info for Dockerfile.binary
          BINARY_NAME="sing-box-${{ matrix.arch }}"
          if [[ -n "${{ matrix.goarm }}" ]]; then
            BINARY_NAME="${BINARY_NAME}v${{ matrix.goarm }}"
          fi
          mv sing-box "${BINARY_NAME}"
          echo "BINARY_NAME=${BINARY_NAME}" >> $GITHUB_ENV
      - name: Upload binary
        uses: actions/upload-artifact@v4
        with:
          name: binary-${{ env.PLATFORM_PAIR }}
          path: ${{ env.BINARY_NAME }}
          if-no-files-found: error
          retention-days: 1
  build_docker:
    name: Build Docker image
    runs-on: ubuntu-latest
    needs:
      - build_binary
    strategy:
      fail-fast: true
      matrix:
        include:
          - { platform: "linux/amd64" }
          - { platform: "linux/arm/v6" }
          - { platform: "linux/arm/v7" }
          - { platform: "linux/arm64" }
          - { platform: "linux/386" }
          # mipsle: no base Docker image available for this platform
          - { platform: "linux/ppc64le" }
          - { platform: "linux/riscv64" }
          - { platform: "linux/s390x" }
          - { platform: "linux/loong64", base_image: "ghcr.io/loong64/alpine:edge" }
    steps:
      - name: Get commit to build
        id: ref
        run: |-
          if [[ -z "${{ github.event.inputs.tag }}" ]]; then
            ref="${{ github.ref_name }}"
          else
            ref="${{ github.event.inputs.tag }}"
          fi
          echo "ref=$ref"
          echo "ref=$ref" >> $GITHUB_OUTPUT
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          ref: ${{ steps.ref.outputs.ref }}
          fetch-depth: 0
      - name: Prepare
        run: |
          platform=${{ matrix.platform }}
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
      - name: Download binary
        uses: actions/download-artifact@v5
        with:
          name: binary-${{ env.PLATFORM_PAIR }}
          path: .
      - name: Prepare binary
        run: |
          # Find and make the binary executable
          chmod +x sing-box-*
          ls -la sing-box-*
      - name: Setup QEMU
        uses: docker/setup-qemu-action@v3
      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_IMAGE }}
      - name: Build and push by digest
        id: build
        uses: docker/build-push-action@v6
        with:
          platforms: ${{ matrix.platform }}
          context: .
          file: Dockerfile.binary
          build-args: |
            BASE_IMAGE=${{ matrix.base_image || 'alpine' }}
          labels: ${{ steps.meta.outputs.labels }}
          outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
      - name: Export digest
        run: |
          mkdir -p /tmp/digests
          digest="${{ steps.build.outputs.digest }}"
          touch "/tmp/digests/${digest#sha256:}"
      - name: Upload digest
        uses: actions/upload-artifact@v4
        with:
          name: digests-${{ env.PLATFORM_PAIR }}
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1
  merge:
    if: github.event_name != 'push'
    runs-on: ubuntu-latest
    needs:
      - build_docker
    steps:
      - name: Get commit to build
        id: ref
        run: |-
          if [[ -z "${{ github.event.inputs.tag }}" ]]; then
            ref="${{ github.ref_name }}"
          else
            ref="${{ github.event.inputs.tag }}"
          fi
          echo "ref=$ref"
          echo "ref=$ref" >> $GITHUB_OUTPUT
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          ref: ${{ steps.ref.outputs.ref }}
          fetch-depth: 0
      - name: Detect track
        run: bash .github/detect_track.sh
      - name: Download digests
        uses: actions/download-artifact@v5
        with:
          path: /tmp/digests
          pattern: digests-*
          merge-multiple: true
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Create manifest list and push
        if: github.event_name != 'push'
        working-directory: /tmp/digests
        run: |
          docker buildx imagetools create \
            -t "${{ env.REGISTRY_IMAGE }}:${{ env.DOCKER_TAG }}" \
            -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}" \
            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
      - name: Inspect image
        if: github.event_name != 'push'
        run: |
          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ env.DOCKER_TAG }}
          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,40 @@
 name: Lint
 on:
  push:
    branches:
      - oldstable
      - stable
      - testing
      - unstable
    paths-ignore:
      - '**.md'
      - '.github/**'
      - '!.github/workflows/lint.yml'
  pull_request:
    branches:
      - oldstable
      - stable
      - testing
      - unstable
 jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ^1.25
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v8
        with:
          version: latest
          args: --timeout=30m
          install-mode: binary
          verify: false
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -0,0 +1,243 @@
 name: Build Linux Packages
 on:
  #push:
  #  branches:
  #    - stable
  #    - testing
  workflow_dispatch:
    inputs:
      version:
        description: "Version name"
        required: true
        type: string
  release:
    types:
      - published
 jobs:
  calculate_version:
    name: Calculate version
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.outputs.outputs.version }}
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ~1.25.9
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
          echo "version=${{ inputs.version }}"
          echo "version=${{ inputs.version }}" >> "$GITHUB_ENV"
      - name: Calculate version
        if: github.event_name != 'workflow_dispatch'
        run: |-
          go run -v ./cmd/internal/read_tag --ci --nightly
      - name: Set outputs
        id: outputs
        run: |-
          echo "version=$version" >> "$GITHUB_OUTPUT"
  build:
    name: Build binary
    runs-on: ubuntu-latest
    needs:
      - calculate_version
    strategy:
      matrix:
        include:
          # Naive-enabled builds (musl)
          - { os: linux, arch: amd64, naive: true, debian: amd64, rpm: x86_64, pacman: x86_64 }
          - { os: linux, arch: arm64, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64 }
          - { os: linux, arch: "386", naive: true, debian: i386, rpm: i386 }
          - { os: linux, arch: arm, goarm: "7", naive: true, debian: armhf, rpm: armv7hl, pacman: armv7hl }
          - { os: linux, arch: mipsle, gomips: softfloat, naive: true, debian: mipsel, rpm: mipsel }
          - { os: linux, arch: riscv64, naive: true, debian: riscv64, rpm: riscv64 }
          - { os: linux, arch: loong64, naive: true, debian: loongarch64, rpm: loongarch64 }
          # Non-naive builds (unsupported architectures)
          - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl }
          - { os: linux, arch: mips64le, debian: mips64el, rpm: mips64el }
          - { os: linux, arch: s390x, debian: s390x, rpm: s390x }
          - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ~1.25.9
      - name: Clone cronet-go
        if: matrix.naive
        run: |
          set -xeuo pipefail
          CRONET_GO_VERSION=$(cat .github/CRONET_GO_VERSION)
          git init ~/cronet-go
          git -C ~/cronet-go remote add origin https://github.com/sagernet/cronet-go.git
          git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
          git -C ~/cronet-go checkout FETCH_HEAD
          git -C ~/cronet-go submodule update --init --recursive --depth=1
      - name: Regenerate Debian keyring
        if: matrix.naive
        run: |
          set -xeuo pipefail
          rm -f ~/cronet-go/naiveproxy/src/build/linux/sysroot_scripts/keyring.gpg
          cd ~/cronet-go
          GPG_TTY=/dev/null ./naiveproxy/src/build/linux/sysroot_scripts/generate_keyring.sh
      - name: Cache Chromium toolchain
        if: matrix.naive
        id: cache-chromium-toolchain
        uses: actions/cache@v4
        with:
          path: |
            ~/cronet-go/naiveproxy/src/third_party/llvm-build/
            ~/cronet-go/naiveproxy/src/gn/out/
            ~/cronet-go/naiveproxy/src/chrome/build/pgo_profiles/
            ~/cronet-go/naiveproxy/src/out/sysroot-build/
          key: chromium-toolchain-${{ matrix.arch }}-musl-${{ hashFiles('.github/CRONET_GO_VERSION') }}
      - name: Download Chromium toolchain
        if: matrix.naive
        run: |
          set -xeuo pipefail
          cd ~/cronet-go
          go run ./cmd/build-naive --target=linux/${{ matrix.arch }} --libc=musl download-toolchain
      - name: Set Chromium toolchain environment
        if: matrix.naive
        run: |
          set -xeuo pipefail
          cd ~/cronet-go
          go run ./cmd/build-naive --target=linux/${{ matrix.arch }} --libc=musl env >> $GITHUB_ENV
      - name: Set tag
        run: |-
          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
          git tag v${{ needs.calculate_version.outputs.version }} -f
      - name: Set build tags
        run: |
          set -xeuo pipefail
          if [[ "${{ matrix.naive }}" == "true" ]]; then
            TAGS="$(cat release/DEFAULT_BUILD_TAGS),with_musl"
          else
            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
          fi
          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
      - name: Set shared ldflags
        run: |
          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
      - name: Build (naive)
        if: matrix.naive
        run: |
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "1"
          GOOS: linux
          GOARCH: ${{ matrix.arch }}
          GOARM: ${{ matrix.goarm }}
          GOMIPS: ${{ matrix.gomips }}
          GOMIPS64: ${{ matrix.gomips }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Build (non-naive)
        if: ${{ ! matrix.naive }}
        run: |
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "0"
          GOOS: ${{ matrix.os }}
          GOARCH: ${{ matrix.arch }}
          GOARM: ${{ matrix.goarm }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Set mtime
        run: |-
          TZ=UTC touch -t '197001010000' dist/sing-box
      - name: Detect track
        run: bash .github/detect_track.sh
      - name: Set version
        run: |-
          PKG_VERSION="${{ needs.calculate_version.outputs.version }}"
          PKG_VERSION="${PKG_VERSION//-/\~}"
          echo "PKG_VERSION=${PKG_VERSION}" >> "${GITHUB_ENV}"
      - name: Package DEB
        if: matrix.debian != ''
        run: |
          set -xeuo pipefail
          sudo gem install fpm
          sudo apt-get install -y debsigs
          cp .fpm_systemd .fpm
          fpm -t deb \
            --name "${NAME}" \
            -v "$PKG_VERSION" \
            -p "dist/${NAME}_${{ needs.calculate_version.outputs.version }}_linux_${{ matrix.debian }}.deb" \
            --architecture ${{ matrix.debian }} \
            dist/sing-box=/usr/bin/sing-box
          curl -Lo '/tmp/debsigs.diff' 'https://gitlab.com/debsigs/debsigs/-/commit/160138f5de1ec110376d3c807b60a37388bc7c90.diff'
          sudo patch /usr/bin/debsigs < '/tmp/debsigs.diff'
          rm -rf $HOME/.gnupg
          gpg --pinentry-mode loopback --passphrase "${{ secrets.GPG_PASSPHRASE }}" --import <<EOF
          ${{ secrets.GPG_KEY }}
          EOF
          debsigs --sign=origin -k ${{ secrets.GPG_KEY_ID }} --gpgopts '--pinentry-mode loopback --passphrase "${{ secrets.GPG_PASSPHRASE }}"' dist/*.deb
      - name: Package RPM
        if: matrix.rpm != ''
        run: |-
          set -xeuo pipefail
          sudo gem install fpm
          cp .fpm_systemd .fpm
          fpm -t rpm \
            --name "${NAME}" \
            -v "$PKG_VERSION" \
            -p "dist/${NAME}_${{ needs.calculate_version.outputs.version }}_linux_${{ matrix.rpm }}.rpm" \
            --architecture ${{ matrix.rpm }} \
            dist/sing-box=/usr/bin/sing-box
          cat > $HOME/.rpmmacros <<EOF
          %_gpg_name ${{ secrets.GPG_KEY_ID }}
          %_gpg_sign_cmd_extra_args --pinentry-mode loopback --passphrase ${{ secrets.GPG_PASSPHRASE }}
          EOF
          gpg --pinentry-mode loopback --passphrase "${{ secrets.GPG_PASSPHRASE }}" --import <<EOF
          ${{ secrets.GPG_KEY }}
          EOF
          rpmsign --addsign dist/*.rpm
      - name: Cleanup
        run: rm dist/sing-box
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: binary-${{ matrix.os }}_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.legacy_go && '-legacy' || '' }}
          path: "dist"
  upload:
    name: Upload builds
    runs-on: ubuntu-latest
    needs:
      - calculate_version
      - build
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          fetch-depth: 0
      - name: Set tag
        run: |-
          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
          git tag v${{ needs.calculate_version.outputs.version }} -f
          echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
      - name: Download builds
        uses: actions/download-artifact@v5
        with:
          path: dist
          merge-multiple: true
      - name: Publish packages
        if: github.event_name != 'push'
        run: |-
          ls dist | xargs -I {} curl -F "package=@dist/{}" https://${{ secrets.FURY_TOKEN }}@push.fury.io/sagernet/
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -0,0 +1,16 @@
 name: Mark stale issues and pull requests
 on:
  schedule:
    - cron: "30 1 * * *"
 jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@v9
        with:
          stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days'
          days-before-stale: 60
          days-before-close: 5
          exempt-issue-labels: 'bug,enhancement'
--- a/.gitignore
+++ b/.gitignore
@@ -1,39 +1,23 @@
-# Binaries
+/.idea/
-sing-box
+/vendor/
-sing-box.exe
+/*.json
-*.exe
+/*.srs
-*.dll
+/*.db
-*.so
+/site/
-*.dylib
+/bin/
-.codex-go-Cache
+/dist/
-.codex-gopath
+/sing-box
-.codex-go-Build
+/sing-box.exe
-.codex-go-modcache
+/build/
-# Environment
+/*.jar
-.env
+/*.aar
-.env.local
+/*.xcframework/
-
+/experimental/libbox/*.aar
-# Build & Cache
+/experimental/libbox/*.xcframework/
-go.sum
+/experimental/libbox/*.nupkg
 bin/
 dist/
 /var/lib/sing-box/*
 # Logs
 *.log
 /var/log/sing-box/*
 # OS
 .DS_Store
-Thumbs.db
+/config.d/
-
+/venv/
-# Antigravity/Gemini Artifacts
+CLAUDE.md
-.gemini/
+AGENTS.md
-artifacts/
+/.claude/
 scratch/
 implementation_plan*.md
 walkthrough*.md
 task.md
 V2bX/
 reference/
--- a/5
+++ b/5
@@ -106,10 +106,13 @@ release_android: lib_android update_android_version build_android upload_android
 publish_android:
 	cd ../sing-box-for-android && ./gradlew :app:publishPlayReleaseBundle && ./gradlew --stop
 # TODO: find why and remove `-destination 'generic/platform=iOS'`
 # TODO: remove xcode clean when fix control widget fixed
 build_ios:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFI.xcarchive && \
-	xcodebuild archive -scheme SFI -configuration Release -archivePath build/SFI.xcarchive -allowProvisioningUpdates | xcbeautify | grep -A 10 -e "Archive Succeeded" -e "ARCHIVE FAILED" -e "❌"
+	xcodebuild clean -scheme SFI && \
 	xcodebuild archive -scheme SFI -configuration Release -destination 'generic/platform=iOS' -archivePath build/SFI.xcarchive -allowProvisioningUpdates | xcbeautify | grep -A 10 -e "Archive Succeeded" -e "ARCHIVE FAILED" -e "❌"
 upload_ios_app_store:
 	cd ../sing-box-for-apple && \
--- a/adapter/certificate/adapter.go
+++ b/adapter/certificate/adapter.go
@@ -1,21 +0,0 @@
 package certificate
 type Adapter struct {
 	providerType string
 	providerTag  string
 }
 func NewAdapter(providerType string, providerTag string) Adapter {
 	return Adapter{
 		providerType: providerType,
 		providerTag:  providerTag,
 	}
 }
 func (a *Adapter) Type() string {
 	return a.providerType
 }
 func (a *Adapter) Tag() string {
 	return a.providerTag
 }
--- a/adapter/certificate/manager.go
+++ b/adapter/certificate/manager.go
@@ -1,158 +0,0 @@
 package certificate
 import (
 	"context"
 	"os"
 	"sync"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/taskmonitor"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 )
 var _ adapter.CertificateProviderManager = (*Manager)(nil)
 type Manager struct {
 	logger        log.ContextLogger
 	registry      adapter.CertificateProviderRegistry
 	access        sync.Mutex
 	started       bool
 	stage         adapter.StartStage
 	providers     []adapter.CertificateProviderService
 	providerByTag map[string]adapter.CertificateProviderService
 }
 func NewManager(logger log.ContextLogger, registry adapter.CertificateProviderRegistry) *Manager {
 	return &Manager{
 		logger:        logger,
 		registry:      registry,
 		providerByTag: make(map[string]adapter.CertificateProviderService),
 	}
 }
 func (m *Manager) Start(stage adapter.StartStage) error {
 	m.access.Lock()
 	if m.started && m.stage >= stage {
 		panic("already started")
 	}
 	m.started = true
 	m.stage = stage
 	providers := m.providers
 	m.access.Unlock()
 	for _, provider := range providers {
 		name := "certificate-provider/" + provider.Type() + "[" + provider.Tag() + "]"
 		m.logger.Trace(stage, " ", name)
 		startTime := time.Now()
 		err := adapter.LegacyStart(provider, stage)
 		if err != nil {
 			return E.Cause(err, stage, " ", name)
 		}
 		m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }
 func (m *Manager) Close() error {
 	m.access.Lock()
 	defer m.access.Unlock()
 	if !m.started {
 		return nil
 	}
 	m.started = false
 	providers := m.providers
 	m.providers = nil
 	monitor := taskmonitor.New(m.logger, C.StopTimeout)
 	var err error
 	for _, provider := range providers {
 		name := "certificate-provider/" + provider.Type() + "[" + provider.Tag() + "]"
 		m.logger.Trace("close ", name)
 		startTime := time.Now()
 		monitor.Start("close ", name)
 		err = E.Append(err, provider.Close(), func(err error) error {
 			return E.Cause(err, "close ", name)
 		})
 		monitor.Finish()
 		m.logger.Trace("close ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return err
 }
 func (m *Manager) CertificateProviders() []adapter.CertificateProviderService {
 	m.access.Lock()
 	defer m.access.Unlock()
 	return m.providers
 }
 func (m *Manager) Get(tag string) (adapter.CertificateProviderService, bool) {
 	m.access.Lock()
 	provider, found := m.providerByTag[tag]
 	m.access.Unlock()
 	return provider, found
 }
 func (m *Manager) Remove(tag string) error {
 	m.access.Lock()
 	provider, found := m.providerByTag[tag]
 	if !found {
 		m.access.Unlock()
 		return os.ErrInvalid
 	}
 	delete(m.providerByTag, tag)
 	index := common.Index(m.providers, func(it adapter.CertificateProviderService) bool {
 		return it == provider
 	})
 	if index == -1 {
 		panic("invalid certificate provider index")
 	}
 	m.providers = append(m.providers[:index], m.providers[index+1:]...)
 	started := m.started
 	m.access.Unlock()
 	if started {
 		return provider.Close()
 	}
 	return nil
 }
 func (m *Manager) Create(ctx context.Context, logger log.ContextLogger, tag string, providerType string, options any) error {
 	provider, err := m.registry.Create(ctx, logger, tag, providerType, options)
 	if err != nil {
 		return err
 	}
 	m.access.Lock()
 	defer m.access.Unlock()
 	if m.started {
 		name := "certificate-provider/" + provider.Type() + "[" + provider.Tag() + "]"
 		for _, stage := range adapter.ListStartStages {
 			m.logger.Trace(stage, " ", name)
 			startTime := time.Now()
 			err = adapter.LegacyStart(provider, stage)
 			if err != nil {
 				return E.Cause(err, stage, " ", name)
 			}
 			m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 		}
 	}
 	if existsProvider, loaded := m.providerByTag[tag]; loaded {
 		if m.started {
 			err = existsProvider.Close()
 			if err != nil {
 				return E.Cause(err, "close certificate-provider/", existsProvider.Type(), "[", existsProvider.Tag(), "]")
 			}
 		}
 		existsIndex := common.Index(m.providers, func(it adapter.CertificateProviderService) bool {
 			return it == existsProvider
 		})
 		if existsIndex == -1 {
 			panic("invalid certificate provider index")
 		}
 		m.providers = append(m.providers[:existsIndex], m.providers[existsIndex+1:]...)
 	}
 	m.providers = append(m.providers, provider)
 	m.providerByTag[tag] = provider
 	return nil
 }
--- a/adapter/certificate/registry.go
+++ b/adapter/certificate/registry.go
@@ -1,72 +0,0 @@
 package certificate
 import (
 	"context"
 	"sync"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 type ConstructorFunc[T any] func(ctx context.Context, logger log.ContextLogger, tag string, options T) (adapter.CertificateProviderService, error)
 func Register[Options any](registry *Registry, providerType string, constructor ConstructorFunc[Options]) {
 	registry.register(providerType, func() any {
 		return new(Options)
 	}, func(ctx context.Context, logger log.ContextLogger, tag string, rawOptions any) (adapter.CertificateProviderService, error) {
 		var options *Options
 		if rawOptions != nil {
 			options = rawOptions.(*Options)
 		}
 		return constructor(ctx, logger, tag, common.PtrValueOrDefault(options))
 	})
 }
 var _ adapter.CertificateProviderRegistry = (*Registry)(nil)
 type (
 	optionsConstructorFunc func() any
 	constructorFunc        func(ctx context.Context, logger log.ContextLogger, tag string, options any) (adapter.CertificateProviderService, error)
 )
 type Registry struct {
 	access      sync.Mutex
 	optionsType map[string]optionsConstructorFunc
 	constructor map[string]constructorFunc
 }
 func NewRegistry() *Registry {
 	return &Registry{
 		optionsType: make(map[string]optionsConstructorFunc),
 		constructor: make(map[string]constructorFunc),
 	}
 }
 func (m *Registry) CreateOptions(providerType string) (any, bool) {
 	m.access.Lock()
 	defer m.access.Unlock()
 	optionsConstructor, loaded := m.optionsType[providerType]
 	if !loaded {
 		return nil, false
 	}
 	return optionsConstructor(), true
 }
 func (m *Registry) Create(ctx context.Context, logger log.ContextLogger, tag string, providerType string, options any) (adapter.CertificateProviderService, error) {
 	m.access.Lock()
 	defer m.access.Unlock()
 	constructor, loaded := m.constructor[providerType]
 	if !loaded {
 		return nil, E.New("certificate provider type not found: " + providerType)
 	}
 	return constructor(ctx, logger, tag, options)
 }
 func (m *Registry) register(providerType string, optionsConstructor optionsConstructorFunc, constructor constructorFunc) {
 	m.access.Lock()
 	defer m.access.Unlock()
 	m.optionsType[providerType] = optionsConstructor
 	m.constructor[providerType] = constructor
 }
--- a/adapter/certificate_provider.go
+++ b/adapter/certificate_provider.go
@@ -1,38 +0,0 @@
 package adapter
 import (
 	"context"
 	"crypto/tls"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 )
 type CertificateProvider interface {
 	GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error)
 }
 type ACMECertificateProvider interface {
 	CertificateProvider
 	GetACMENextProtos() []string
 }
 type CertificateProviderService interface {
 	Lifecycle
 	Type() string
 	Tag() string
 	CertificateProvider
 }
 type CertificateProviderRegistry interface {
 	option.CertificateProviderOptionsRegistry
 	Create(ctx context.Context, logger log.ContextLogger, tag string, providerType string, options any) (CertificateProviderService, error)
 }
 type CertificateProviderManager interface {
 	Lifecycle
 	CertificateProviders() []CertificateProviderService
 	Get(tag string) (CertificateProviderService, bool)
 	Remove(tag string) error
 	Create(ctx context.Context, logger log.ContextLogger, tag string, providerType string, options any) error
 }
--- a/adapter/dns.go
+++ b/adapter/dns.go
@@ -3,7 +3,6 @@ package adapter
 import (
 	"context"
 	"net/netip"
 	"time"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
@@ -26,19 +25,18 @@ type DNSRouter interface {
 type DNSClient interface {
 	Start()
-	Exchange(ctx context.Context, transport DNSTransport, message *dns.Msg, options DNSQueryOptions, responseChecker func(response *dns.Msg) bool) (*dns.Msg, error)
+	Exchange(ctx context.Context, transport DNSTransport, message *dns.Msg, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error)
-	Lookup(ctx context.Context, transport DNSTransport, domain string, options DNSQueryOptions, responseChecker func(response *dns.Msg) bool) ([]netip.Addr, error)
+	Lookup(ctx context.Context, transport DNSTransport, domain string, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error)
 	ClearCache()
 }
 type DNSQueryOptions struct {
-	Transport              DNSTransport
+	Transport      DNSTransport
-	Strategy               C.DomainStrategy
+	Strategy       C.DomainStrategy
-	LookupStrategy         C.DomainStrategy
+	LookupStrategy C.DomainStrategy
-	DisableCache           bool
+	DisableCache   bool
-	DisableOptimisticCache bool
+	RewriteTTL     *uint32
-	RewriteTTL             *uint32
+	ClientSubnet   netip.Prefix
 	ClientSubnet           netip.Prefix
 }
 func DNSQueryOptionsFrom(ctx context.Context, options *option.DomainResolveOptions) (*DNSQueryOptions, error) {
@@ -51,12 +49,11 @@ func DNSQueryOptionsFrom(ctx context.Context, options *option.DomainResolveOptio
 		return nil, E.New("domain resolver not found: " + options.Server)
 	}
 	return &DNSQueryOptions{
-		Transport:              transport,
+		Transport:    transport,
-		Strategy:               C.DomainStrategy(options.Strategy),
+		Strategy:     C.DomainStrategy(options.Strategy),
-		DisableCache:           options.DisableCache,
+		DisableCache: options.DisableCache,
-		DisableOptimisticCache: options.DisableOptimisticCache,
+		RewriteTTL:   options.RewriteTTL,
-		RewriteTTL:             options.RewriteTTL,
+		ClientSubnet: options.ClientSubnet.Build(netip.Prefix{}),
 		ClientSubnet:           options.ClientSubnet.Build(netip.Prefix{}),
 	}, nil
 }
@@ -66,13 +63,6 @@ type RDRCStore interface {
 	SaveRDRCAsync(transportName string, qName string, qType uint16, logger logger.Logger)
 }
 type DNSCacheStore interface {
 	LoadDNSCache(transportName string, qName string, qType uint16) (rawMessage []byte, expireAt time.Time, loaded bool)
 	SaveDNSCache(transportName string, qName string, qType uint16, rawMessage []byte, expireAt time.Time) error
 	SaveDNSCacheAsync(transportName string, qName string, qType uint16, rawMessage []byte, expireAt time.Time, logger logger.Logger)
 	ClearDNSCache() error
 }
 type DNSTransport interface {
 	Lifecycle
 	Type() string
@@ -82,6 +72,11 @@ type DNSTransport interface {
 	Exchange(ctx context.Context, message *dns.Msg) (*dns.Msg, error)
 }
 type LegacyDNSTransport interface {
 	LegacyStrategy() C.DomainStrategy
 	LegacyClientSubnet() netip.Prefix
 }
 type DNSTransportRegistry interface {
 	option.DNSTransportOptionsRegistry
 	CreateDNSTransport(ctx context.Context, logger log.ContextLogger, tag string, transportType string, options any) (DNSTransport, error)
--- a/adapter/experimental.go
+++ b/adapter/experimental.go
@@ -47,12 +47,6 @@ type CacheFile interface {
 	StoreRDRC() bool
 	RDRCStore
 	StoreDNS() bool
 	DNSCacheStore
 	SetDisableExpire(disableExpire bool)
 	SetOptimisticTimeout(timeout time.Duration)
 	LoadMode() string
 	StoreMode(mode string) error
 	LoadSelected(group string) string
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -2,7 +2,6 @@ package adapter
 import (
 	"context"
 	"net"
 	"net/netip"
 	"time"
@@ -10,8 +9,6 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/miekg/dns"
 )
 type Inbound interface {
@@ -81,16 +78,12 @@ type InboundContext struct {
 	FallbackNetworkType []C.InterfaceType
 	FallbackDelay       time.Duration
-	DestinationAddresses                []netip.Addr
+	DestinationAddresses []netip.Addr
-	DNSResponse                         *dns.Msg
+	SourceGeoIPCode      string
-	DestinationAddressMatchFromResponse bool
+	GeoIPCode            string
-	SourceGeoIPCode                     string
+	ProcessInfo          *ConnectionOwner
-	GeoIPCode                           string
+	QueryType            uint16
-	ProcessInfo                         *ConnectionOwner
+	FakeIP               bool
 	SourceMACAddress                    net.HardwareAddr
 	SourceHostname                      string
 	QueryType                           uint16
 	FakeIP                              bool
 	// rule cache
@@ -119,51 +112,6 @@ func (c *InboundContext) ResetRuleMatchCache() {
 	c.DidMatch = false
 }
 func (c *InboundContext) DNSResponseAddressesForMatch() []netip.Addr {
 	return DNSResponseAddresses(c.DNSResponse)
 }
 func DNSResponseAddresses(response *dns.Msg) []netip.Addr {
 	if response == nil || response.Rcode != dns.RcodeSuccess {
 		return nil
 	}
 	addresses := make([]netip.Addr, 0, len(response.Answer))
 	for _, rawRecord := range response.Answer {
 		switch record := rawRecord.(type) {
 		case *dns.A:
 			addr := M.AddrFromIP(record.A)
 			if addr.IsValid() {
 				addresses = append(addresses, addr)
 			}
 		case *dns.AAAA:
 			addr := M.AddrFromIP(record.AAAA)
 			if addr.IsValid() {
 				addresses = append(addresses, addr)
 			}
 		case *dns.HTTPS:
 			for _, value := range record.SVCB.Value {
 				switch hint := value.(type) {
 				case *dns.SVCBIPv4Hint:
 					for _, ip := range hint.Hint {
 						addr := M.AddrFromIP(ip).Unmap()
 						if addr.IsValid() {
 							addresses = append(addresses, addr)
 						}
 					}
 				case *dns.SVCBIPv6Hint:
 					for _, ip := range hint.Hint {
 						addr := M.AddrFromIP(ip)
 						if addr.IsValid() {
 							addresses = append(addresses, addr)
 						}
 					}
 				}
 			}
 		}
 	}
 	return addresses
 }
 type inboundContextKey struct{}
 func WithContext(ctx context.Context, inboundContext *InboundContext) context.Context {
--- a/adapter/inbound_test.go
+++ b/adapter/inbound_test.go
@@ -1,45 +0,0 @@
 package adapter
 import (
 	"net"
 	"net/netip"
 	"testing"
 	"github.com/miekg/dns"
 	"github.com/stretchr/testify/require"
 )
 func TestDNSResponseAddressesUnmapsHTTPSIPv4Hints(t *testing.T) {
 	t.Parallel()
 	ipv4Hint := net.ParseIP("1.1.1.1")
 	require.NotNil(t, ipv4Hint)
 	response := &dns.Msg{
 		MsgHdr: dns.MsgHdr{
 			Response: true,
 			Rcode:    dns.RcodeSuccess,
 		},
 		Answer: []dns.RR{
 			&dns.HTTPS{
 				SVCB: dns.SVCB{
 					Hdr: dns.RR_Header{
 						Name:   dns.Fqdn("example.com"),
 						Rrtype: dns.TypeHTTPS,
 						Class:  dns.ClassINET,
 						Ttl:    60,
 					},
 					Priority: 1,
 					Target:   ".",
 					Value: []dns.SVCBKeyValue{
 						&dns.SVCBIPv4Hint{Hint: []net.IP{ipv4Hint}},
 					},
 				},
 			},
 		},
 	}
 	addresses := DNSResponseAddresses(response)
 	require.Equal(t, []netip.Addr{netip.MustParseAddr("1.1.1.1")}, addresses)
 	require.True(t, addresses[0].Is4())
 }
--- a/adapter/neighbor.go
+++ b/adapter/neighbor.go
@@ -1,23 +0,0 @@
 package adapter
 import (
 	"net"
 	"net/netip"
 )
 type NeighborEntry struct {
 	Address    netip.Addr
 	MACAddress net.HardwareAddr
 	Hostname   string
 }
 type NeighborResolver interface {
 	LookupMAC(address netip.Addr) (net.HardwareAddr, bool)
 	LookupHostname(address netip.Addr) (string, bool)
 	Start() error
 	Close() error
 }
 type NeighborUpdateListener interface {
 	UpdateNeighborTable(entries []NeighborEntry)
 }
--- a/adapter/platform.go
+++ b/adapter/platform.go
@@ -36,10 +36,6 @@ type PlatformInterface interface {
 	UsePlatformNotification() bool
 	SendNotification(notification *Notification) error
 	UsePlatformNeighborResolver() bool
 	StartNeighborMonitor(listener NeighborUpdateListener) error
 	CloseNeighborMonitor(listener NeighborUpdateListener) error
 }
 type FindConnectionOwnerRequest struct {
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -26,8 +26,6 @@ type Router interface {
 	RuleSet(tag string) (RuleSet, bool)
 	Rules() []Rule
 	NeedFindProcess() bool
 	NeedFindNeighbor() bool
 	NeighborResolver() NeighborResolver
 	AppendTracker(tracker ConnectionTracker)
 	ResetNetwork()
 }
@@ -66,16 +64,10 @@ type RuleSet interface {
 type RuleSetUpdateCallback func(it RuleSet)
 type DNSRuleSetUpdateValidator interface {
 	ValidateRuleSetMetadataUpdate(tag string, metadata RuleSetMetadata) error
 }
 // ip_version is not a headless-rule item, so ContainsIPVersionRule is intentionally absent.
 type RuleSetMetadata struct {
-	ContainsProcessRule      bool
+	ContainsProcessRule bool
-	ContainsWIFIRule         bool
+	ContainsWIFIRule    bool
-	ContainsIPCIDRRule       bool
+	ContainsIPCIDRRule  bool
 	ContainsDNSQueryTypeRule bool
 }
 type HTTPStartContext struct {
 	ctx             context.Context
--- a/adapter/rule.go
+++ b/adapter/rule.go
@@ -2,8 +2,6 @@ package adapter
 import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/miekg/dns"
 )
 type HeadlessRule interface {
@@ -20,9 +18,8 @@ type Rule interface {
 type DNSRule interface {
 	Rule
 	LegacyPreMatch(metadata *InboundContext) bool
 	WithAddressLimit() bool
-	MatchAddressLimit(metadata *InboundContext, response *dns.Msg) bool
+	MatchAddressLimit(metadata *InboundContext) bool
 }
 type RuleAction interface {
@@ -32,7 +29,7 @@ type RuleAction interface {
 func IsFinalAction(action RuleAction) bool {
 	switch action.Type() {
-	case C.RuleActionTypeSniff, C.RuleActionTypeResolve, C.RuleActionTypeEvaluate:
+	case C.RuleActionTypeSniff, C.RuleActionTypeResolve:
 		return false
 	default:
 		return true
--- a/adapter/tailscale.go
+++ b/adapter/tailscale.go
@@ -1,49 +0,0 @@
 package adapter
 import "context"
 type TailscaleEndpoint interface {
 	SubscribeTailscaleStatus(ctx context.Context, fn func(*TailscaleEndpointStatus)) error
 	StartTailscalePing(ctx context.Context, peerIP string, fn func(*TailscalePingResult)) error
 }
 type TailscalePingResult struct {
 	LatencyMs      float64
 	IsDirect       bool
 	Endpoint       string
 	DERPRegionID   int32
 	DERPRegionCode string
 	Error          string
 }
 type TailscaleEndpointStatus struct {
 	BackendState   string
 	AuthURL        string
 	NetworkName    string
 	MagicDNSSuffix string
 	Self           *TailscalePeer
 	UserGroups     []*TailscaleUserGroup
 }
 type TailscaleUserGroup struct {
 	UserID        int64
 	LoginName     string
 	DisplayName   string
 	ProfilePicURL string
 	Peers         []*TailscalePeer
 }
 type TailscalePeer struct {
 	HostName       string
 	DNSName        string
 	OS             string
 	TailscaleIPs   []string
 	Online         bool
 	ExitNode       bool
 	ExitNodeOption bool
 	Active         bool
 	RxBytes        int64
 	TxBytes        int64
 	UserID         int64
 	KeyExpiry      int64
 }
--- a/api.md
+++ b/api.md
@@ -1,975 +0,0 @@
 I made it with AI, but it seems great so far
 # Xboard API Documentation
 This document provides a comprehensive overview of all API endpoints available in the Xboard system, organized by access level.
 ## API Base URLs
 - **V1 API**: `/api/v1/`
 - **V2 API**: `/api/v2/`
 ## Authentication
 - **Guest**: No authentication required
 - **User**: Requires user authentication (`user` middleware)
 - **Staff**: Requires staff privileges (`staff` middleware)
 - **Admin**: Requires admin privileges (`admin` middleware)
 - **Client**: Requires client authentication (`client` middleware)
 - **Server**: Requires server authentication (`server` middleware)
 ---
 ## 🌐 Guest APIs (Public - No Authentication Required)
 ### Plans
 - **GET** `/api/v1/guest/plan/fetch`
  - **Purpose**: Get all available subscription plans for public viewing
  - **Returns**: List of available plans with pricing, features, and limits
  - **Data**: Plan ID, name, prices (monthly/quarterly/yearly), transfer limits, speed limits, device limits, capacity info
 ### Configuration
 - **GET** `/api/v1/guest/comm/config`
  - **Purpose**: Get public configuration settings
  - **Returns**: Public app configuration
  - **Data**: ToS URL, email verification settings, invite requirements, reCAPTCHA settings, app description, app URL, logo
 ### Payment Webhooks
 - **GET/POST** `/api/v1/guest/payment/notify/{method}/{uuid}`
  - **Purpose**: Handle payment notifications from payment providers
  - **Returns**: Payment processing status
  - **Data**: Payment confirmation and processing results
 ### Telegram Webhooks
 - **POST** `/api/v1/guest/telegram/webhook`
  - **Purpose**: Handle Telegram bot webhook events
  - **Returns**: Webhook processing status
  - **Data**: Telegram bot event processing results
 ---
 ## 🔐 Authentication APIs (Passport)
 ### V1 Authentication
 - **POST** `/api/v1/passport/auth/register`
  - **Purpose**: User registration
  - **Returns**: Registration success/failure
  - **Data**: User account creation status
 - **POST** `/api/v1/passport/auth/login`
  - **Purpose**: User login
  - **Returns**: Authentication token and user info
  - **Data**: JWT token, user details, session info
 - **GET** `/api/v1/passport/auth/token2Login`
  - **Purpose**: Token-based login
  - **Returns**: Login status
  - **Data**: Authentication status
 - **POST** `/api/v1/passport/auth/forget`
  - **Purpose**: Password reset request
  - **Returns**: Reset email status
  - **Data**: Password reset confirmation
 - **POST** `/api/v1/passport/auth/getQuickLoginUrl`
  - **Purpose**: Generate quick login URL
  - **Returns**: Quick login URL
  - **Data**: Temporary login URL
 - **POST** `/api/v1/passport/auth/loginWithMailLink`
  - **Purpose**: Login via email link
  - **Returns**: Login status
  - **Data**: Authentication confirmation
 ### Communication
 - **POST** `/api/v1/passport/comm/sendEmailVerify`
  - **Purpose**: Send email verification
  - **Returns**: Email sending status
  - **Data**: Verification email delivery confirmation
 - **POST** `/api/v1/passport/comm/pv`
  - **Purpose**: Page view tracking
  - **Returns**: Tracking status
  - **Data**: Analytics tracking confirmation
 ### V2 Authentication
 Same endpoints as V1 but under `/api/v2/passport/` prefix.
 ---
 ## 👤 User APIs (Authenticated Users)
 ### User Management
 - **GET** `/api/v1/user/info`
  - **Purpose**: Get current user information
  - **Returns**: User profile data
  - **Data**: Email, transfer limits, login history, subscription status, balance, commission info, telegram ID, avatar URL
 - **POST** `/api/v1/user/update`
  - **Purpose**: Update user preferences
  - **Returns**: Update status
  - **Data**: Updated user preferences (reminders, etc.)
 - **POST** `/api/v1/user/changePassword`
  - **Purpose**: Change user password
  - **Returns**: Password change status
  - **Data**: Password update confirmation
 - **GET** `/api/v1/user/resetSecurity`
  - **Purpose**: Reset security credentials (UUID, token)
  - **Returns**: New subscribe URL
  - **Data**: New subscription URL with updated token
 - **GET** `/api/v1/user/checkLogin`
  - **Purpose**: Check login status
  - **Returns**: Login status and permissions
  - **Data**: Login status, admin privileges
 - **GET** `/api/v1/user/getStat`
  - **Purpose**: Get user statistics
  - **Returns**: User statistics summary
  - **Data**: Pending orders count, open tickets count, invited users count
 - **GET** `/api/v1/user/getSubscribe`
  - **Purpose**: Get subscription information
  - **Returns**: Subscription details and URL
  - **Data**: Plan details, subscription URL, usage stats, reset schedule
 - **POST** `/api/v1/user/transfer`
  - **Purpose**: Transfer commission to balance
  - **Returns**: Transfer status
  - **Data**: Transfer confirmation and updated balances
 - **POST** `/api/v1/user/getQuickLoginUrl`
  - **Purpose**: Generate quick login URL
  - **Returns**: Quick login URL
  - **Data**: Temporary login URL
 ### Session Management
 - **GET** `/api/v1/user/getActiveSession`
  - **Purpose**: Get active sessions
  - **Returns**: List of active sessions
  - **Data**: Session details, login times, IP addresses
 - **POST** `/api/v1/user/removeActiveSession`
  - **Purpose**: Remove specific session
  - **Returns**: Session removal status
  - **Data**: Session termination confirmation
 ### Orders & Billing
 - **POST** `/api/v1/user/order/save`
  - **Purpose**: Create new order
  - **Returns**: Order creation status
  - **Data**: Order details, payment information
 - **POST** `/api/v1/user/order/checkout`
  - **Purpose**: Checkout order
  - **Returns**: Payment processing info
  - **Data**: Payment URL, order status
 - **GET** `/api/v1/user/order/check`
  - **Purpose**: Check order status
  - **Returns**: Order status
  - **Data**: Order processing status
 - **GET** `/api/v1/user/order/detail`
  - **Purpose**: Get order details
  - **Returns**: Detailed order information
  - **Data**: Order items, pricing, status, payment info
 - **GET** `/api/v1/user/order/fetch`
  - **Purpose**: Get user's orders
  - **Returns**: List of user orders
  - **Data**: Order history with status and details
 - **GET** `/api/v1/user/order/getPaymentMethod`
  - **Purpose**: Get available payment methods
  - **Returns**: List of payment options
  - **Data**: Payment providers, fees, availability
 - **POST** `/api/v1/user/order/cancel`
  - **Purpose**: Cancel order
  - **Returns**: Cancellation status
  - **Data**: Order cancellation confirmation
 ### Plans
 - **GET** `/api/v1/user/plan/fetch`
  - **Purpose**: Get available plans for authenticated user
  - **Returns**: List of plans with user-specific availability
  - **Data**: Plans with pricing, user eligibility, renewal options
 ### Invitations
 - **GET** `/api/v1/user/invite/save`
  - **Purpose**: Generate invitation code
  - **Returns**: Invitation code
  - **Data**: Invitation code and sharing info
 - **GET** `/api/v1/user/invite/fetch`
  - **Purpose**: Get invitation statistics
  - **Returns**: Invitation data
  - **Data**: Invitation codes, usage stats, commissions
 - **GET** `/api/v1/user/invite/details`
  - **Purpose**: Get detailed invitation information
  - **Returns**: Invitation details
  - **Data**: Detailed invitation statistics and earnings
 ### Support & Communication
 - **GET** `/api/v1/user/notice/fetch`
  - **Purpose**: Get user notices
  - **Returns**: List of notices
  - **Data**: System announcements, updates, alerts
 - **POST** `/api/v1/user/ticket/save`
  - **Purpose**: Create support ticket
  - **Returns**: Ticket creation status
  - **Data**: Ticket ID and details
 - **GET** `/api/v1/user/ticket/fetch`
  - **Purpose**: Get user's tickets
  - **Returns**: List of support tickets
  - **Data**: Ticket history, status, responses
 - **POST** `/api/v1/user/ticket/reply`
  - **Purpose**: Reply to ticket
  - **Returns**: Reply status
  - **Data**: Reply confirmation
 - **POST** `/api/v1/user/ticket/close`
  - **Purpose**: Close ticket
  - **Returns**: Closure status
  - **Data**: Ticket closure confirmation
 - **POST** `/api/v1/user/ticket/withdraw`
  - **Purpose**: Withdraw ticket
  - **Returns**: Withdrawal status
  - **Data**: Ticket withdrawal confirmation
 ### Servers
 - **GET** `/api/v1/user/server/fetch`
  - **Purpose**: Get available servers
  - **Returns**: List of servers user can access
  - **Data**: Server details, locations, status, protocols
 ### Coupons
 - **POST** `/api/v1/user/coupon/check`
  - **Purpose**: Validate coupon code
  - **Returns**: Coupon validity and discount info
  - **Data**: Coupon details, discount amount, validity
 ### Telegram Integration
 - **GET** `/api/v1/user/telegram/getBotInfo`
  - **Purpose**: Get Telegram bot information
  - **Returns**: Bot connection info
  - **Data**: Bot details, connection status
 ### Configuration
 - **GET** `/api/v1/user/comm/config`
  - **Purpose**: Get user-specific configuration
  - **Returns**: User configuration settings
  - **Data**: User preferences, feature availability
 - **POST** `/api/v1/user/comm/getStripePublicKey`
  - **Purpose**: Get Stripe public key for payments
  - **Returns**: Stripe configuration
  - **Data**: Stripe public key for payment processing
 ### Knowledge Base
 - **GET** `/api/v1/user/knowledge/fetch`
  - **Purpose**: Get knowledge base articles
  - **Returns**: List of help articles
  - **Data**: Articles, categories, content
 - **GET** `/api/v1/user/knowledge/getCategory`
  - **Purpose**: Get knowledge base categories
  - **Returns**: List of categories
  - **Data**: Category structure and organization
 ### Statistics
 - **GET** `/api/v1/user/stat/getTrafficLog`
  - **Purpose**: Get traffic usage logs
  - **Returns**: Traffic usage history
  - **Data**: Traffic logs, usage patterns, timestamps
 ### V2 User APIs
 - **GET** `/api/v2/user/resetSecurity`
  - **Purpose**: Reset security credentials
  - **Returns**: New security credentials
  - **Data**: Updated security tokens
 - **GET** `/api/v2/user/info`
  - **Purpose**: Get user information (V2)
  - **Returns**: User profile data
  - **Data**: Enhanced user profile information
 ---
 ## 📱 Client APIs (Client Authentication)
 ### Subscription
 - **GET** `/api/v1/client/subscribe`
  - **Purpose**: Get subscription configuration
  - **Returns**: Client configuration for VPN apps
  - **Data**: Server configurations, protocols, connection details
 ### App Configuration
 - **GET** `/api/v1/client/app/getConfig`
  - **Purpose**: Get app configuration
  - **Returns**: App configuration settings
  - **Data**: App settings, features, URLs
 - **GET** `/api/v1/client/app/getVersion`
  - **Purpose**: Get app version information
  - **Returns**: Version details
  - **Data**: Current version, update availability
 ---
 ## 🖥️ Server APIs (Server Authentication)
 ### UniProxy
 - **GET** `/api/v1/server/UniProxy/config`
  - **Purpose**: Get server configuration
  - **Returns**: Server configuration
  - **Data**: Server settings and parameters
  - **Example Response**:
 ```json
 {
  "protocol": "vless",
  "listen_ip": "0.0.0.0",
  "server_port": 18443,
  "network": "tcp",
  "tls": 2,
  "server_name": "git.example.com",
  "dest": "www.cloudflare.com:443",
  "private_key": "YOUR_REALITY_PRIVATE_KEY",
  "short_id": "01234567",
  "accept_proxy_protocol": true,
  "base_config": {
    "push_interval": 60,
    "pull_interval": 60
  }
 }
 ```
  - **Proxy Protocol Note**: Set `accept_proxy_protocol` to `true` only when this node is behind an L4 proxy or load balancer that really sends PROXY protocol headers. Direct client connections will fail if this is enabled without an upstream PROXY sender.
 - **GET** `/api/v1/server/UniProxy/user`
  - **Purpose**: Get user data for server
  - **Returns**: User information for server
  - **Data**: User access rights, quotas, settings
 - **POST** `/api/v1/server/UniProxy/push`
  - **Purpose**: Push data to server
  - **Returns**: Push status
  - **Data**: Data synchronization confirmation
 - **POST** `/api/v1/server/UniProxy/alive`
  - **Purpose**: Server heartbeat
  - **Returns**: Alive status
  - **Data**: Server health status
 - **GET** `/api/v1/server/UniProxy/alivelist`
  - **Purpose**: Get alive servers list
  - **Returns**: List of active servers
  - **Data**: Server status and availability
 - **POST** `/api/v1/server/UniProxy/status`
  - **Purpose**: Update server status
  - **Returns**: Status update confirmation
  - **Data**: Server status update
 ### Shadowsocks Tidalab
 - **GET** `/api/v1/server/ShadowsocksTidalab/user`
  - **Purpose**: Get user data for Shadowsocks
  - **Returns**: Shadowsocks user configuration
  - **Data**: Shadowsocks-specific user settings
 - **POST** `/api/v1/server/ShadowsocksTidalab/submit`
  - **Purpose**: Submit Shadowsocks data
  - **Returns**: Submission status
  - **Data**: Data submission confirmation
 ### Trojan Tidalab
 - **GET** `/api/v1/server/TrojanTidalab/config`
  - **Purpose**: Get Trojan server configuration
  - **Returns**: Trojan configuration
  - **Data**: Trojan server settings
 - **GET** `/api/v1/server/TrojanTidalab/user`
  - **Purpose**: Get user data for Trojan
  - **Returns**: Trojan user configuration
  - **Data**: Trojan-specific user settings
 - **POST** `/api/v1/server/TrojanTidalab/submit`
  - **Purpose**: Submit Trojan data
  - **Returns**: Submission status
  - **Data**: Data submission confirmation
 ---
 ## 👨‍💼 Staff APIs (Staff Authentication)
 **Note**: Staff functionality exists but appears to be integrated into admin routes rather than having dedicated staff routes. Staff users have `is_staff` flag and can access certain admin functions with limited permissions.
 ### User Management (Staff Level)
 - Staff can manage non-admin, non-staff users
 - Limited user update capabilities
 - Send emails to users
 - Ban users
 - Access user information
 ---
 ## 🔧 Admin APIs (Administrator Authentication)
 ### Configuration Management
 - **GET** `/api/v2/{admin_path}/config/fetch`
  - **Purpose**: Get system configuration
  - **Returns**: Complete system settings
  - **Data**: All configuration parameters
 - **POST** `/api/v2/{admin_path}/config/save`
  - **Purpose**: Save system configuration
  - **Returns**: Save status
  - **Data**: Configuration update confirmation
 - **GET** `/api/v2/{admin_path}/config/getEmailTemplate`
  - **Purpose**: Get email templates
  - **Returns**: Email template configurations
  - **Data**: Email templates and settings
 - **GET** `/api/v2/{admin_path}/config/getThemeTemplate`
  - **Purpose**: Get theme templates
  - **Returns**: Theme configurations
  - **Data**: Available themes and settings
 - **POST** `/api/v2/{admin_path}/config/setTelegramWebhook`
  - **Purpose**: Configure Telegram webhook
  - **Returns**: Webhook setup status
  - **Data**: Telegram integration status
 - **POST** `/api/v2/{admin_path}/config/testSendMail`
  - **Purpose**: Test email configuration
  - **Returns**: Email test results
  - **Data**: Email sending test status
 ### Plan Management
 - **GET** `/api/v2/{admin_path}/plan/fetch`
  - **Purpose**: Get all plans (admin view)
  - **Returns**: Complete plan list with admin details
  - **Data**: All plans with user counts, revenue, admin settings
 - **POST** `/api/v2/{admin_path}/plan/save`
  - **Purpose**: Create/update plan
  - **Returns**: Plan save status
  - **Data**: Plan creation/update confirmation
 - **POST** `/api/v2/{admin_path}/plan/drop`
  - **Purpose**: Delete plan
  - **Returns**: Deletion status
  - **Data**: Plan deletion confirmation
 - **POST** `/api/v2/{admin_path}/plan/update`
  - **Purpose**: Update plan details
  - **Returns**: Update status
  - **Data**: Plan update confirmation
 - **POST** `/api/v2/{admin_path}/plan/sort`
  - **Purpose**: Reorder plans
  - **Returns**: Sort status
  - **Data**: Plan ordering confirmation
 ### Server Management
 #### Server Groups
 - **GET** `/api/v2/{admin_path}/server/group/fetch`
  - **Purpose**: Get server groups
  - **Returns**: List of server groups
  - **Data**: Group configurations and permissions
 - **POST** `/api/v2/{admin_path}/server/group/save`
  - **Purpose**: Create/update server group
  - **Returns**: Group save status
  - **Data**: Group creation/update confirmation
 - **POST** `/api/v2/{admin_path}/server/group/drop`
  - **Purpose**: Delete server group
  - **Returns**: Deletion status
  - **Data**: Group deletion confirmation
 #### Server Routes
 - **GET** `/api/v2/{admin_path}/server/route/fetch`
  - **Purpose**: Get server routes
  - **Returns**: List of server routes
  - **Data**: Route configurations and rules
 - **POST** `/api/v2/{admin_path}/server/route/save`
  - **Purpose**: Create/update server route
  - **Returns**: Route save status
  - **Data**: Route creation/update confirmation
 - **POST** `/api/v2/{admin_path}/server/route/drop`
  - **Purpose**: Delete server route
  - **Returns**: Deletion status
  - **Data**: Route deletion confirmation
 #### Server Management
 - **GET** `/api/v2/{admin_path}/server/manage/getNodes`
  - **Purpose**: Get server nodes
  - **Returns**: List of server nodes
  - **Data**: Node details, status, configuration
 - **POST** `/api/v2/{admin_path}/server/manage/update`
  - **Purpose**: Update server
  - **Returns**: Update status
  - **Data**: Server update confirmation
 - **POST** `/api/v2/{admin_path}/server/manage/save`
  - **Purpose**: Create server
  - **Returns**: Creation status
  - **Data**: Server creation confirmation
 - **POST** `/api/v2/{admin_path}/server/manage/drop`
  - **Purpose**: Delete server
  - **Returns**: Deletion status
  - **Data**: Server deletion confirmation
 - **POST** `/api/v2/{admin_path}/server/manage/copy`
  - **Purpose**: Copy server configuration
  - **Returns**: Copy status
  - **Data**: Server copy confirmation
 - **POST** `/api/v2/{admin_path}/server/manage/sort`
  - **Purpose**: Reorder servers
  - **Returns**: Sort status
  - **Data**: Server ordering confirmation
 ### Order Management
 - **GET/POST** `/api/v2/{admin_path}/order/fetch`
  - **Purpose**: Get orders with filtering
  - **Returns**: Paginated order list
  - **Data**: Order details, user info, payment status
 - **POST** `/api/v2/{admin_path}/order/update`
  - **Purpose**: Update order
  - **Returns**: Update status
  - **Data**: Order update confirmation
 - **POST** `/api/v2/{admin_path}/order/assign`
  - **Purpose**: Assign order to plan
  - **Returns**: Assignment status
  - **Data**: Order assignment confirmation
 - **POST** `/api/v2/{admin_path}/order/paid`
  - **Purpose**: Mark order as paid
  - **Returns**: Payment status
  - **Data**: Payment confirmation
 - **POST** `/api/v2/{admin_path}/order/cancel`
  - **Purpose**: Cancel order
  - **Returns**: Cancellation status
  - **Data**: Order cancellation confirmation
 - **POST** `/api/v2/{admin_path}/order/detail`
  - **Purpose**: Get order details
  - **Returns**: Detailed order information
  - **Data**: Complete order information
 ### User Management
 - **GET/POST** `/api/v2/{admin_path}/user/fetch`
  - **Purpose**: Get users with filtering and pagination
  - **Returns**: Paginated user list
  - **Data**: User details, subscription info, usage stats
 - **POST** `/api/v2/{admin_path}/user/update`
  - **Purpose**: Update user
  - **Returns**: Update status
  - **Data**: User update confirmation
 - **GET** `/api/v2/{admin_path}/user/getUserInfoById`
  - **Purpose**: Get specific user info
  - **Returns**: User details
  - **Data**: Complete user information
 - **POST** `/api/v2/{admin_path}/user/generate`
  - **Purpose**: Generate user account
  - **Returns**: Generation status
  - **Data**: New user account details
 - **POST** `/api/v2/{admin_path}/user/dumpCSV`
  - **Purpose**: Export users to CSV
  - **Returns**: CSV export
  - **Data**: User data in CSV format
 - **POST** `/api/v2/{admin_path}/user/sendMail`
  - **Purpose**: Send email to users
  - **Returns**: Email sending status
  - **Data**: Email delivery confirmation
 - **POST** `/api/v2/{admin_path}/user/ban`
  - **Purpose**: Ban users
  - **Returns**: Ban status
  - **Data**: User ban confirmation
 - **POST** `/api/v2/{admin_path}/user/resetSecret`
  - **Purpose**: Reset user secrets
  - **Returns**: Reset status
  - **Data**: Secret reset confirmation
 - **POST** `/api/v2/{admin_path}/user/setInviteUser`
  - **Purpose**: Set invite relationships
  - **Returns**: Setting status
  - **Data**: Invite relationship confirmation
 - **POST** `/api/v2/{admin_path}/user/destroy`
  - **Purpose**: Delete user
  - **Returns**: Deletion status
  - **Data**: User deletion confirmation
 ### Statistics & Analytics
 - **GET** `/api/v2/{admin_path}/stat/getOverride`
  - **Purpose**: Get system overview
  - **Returns**: System statistics overview
  - **Data**: Key metrics, revenue, user counts
 - **GET** `/api/v2/{admin_path}/stat/getStats`
  - **Purpose**: Get detailed statistics
  - **Returns**: Comprehensive statistics
  - **Data**: Revenue, usage, growth metrics
 - **GET** `/api/v2/{admin_path}/stat/getServerLastRank`
  - **Purpose**: Get server performance ranking
  - **Returns**: Server ranking data
  - **Data**: Server performance metrics
 - **GET** `/api/v2/{admin_path}/stat/getServerYesterdayRank`
  - **Purpose**: Get yesterday's server ranking
  - **Returns**: Historical server data
  - **Data**: Previous day server metrics
 - **GET** `/api/v2/{admin_path}/stat/getOrder`
  - **Purpose**: Get order statistics
  - **Returns**: Order analytics
  - **Data**: Order trends, revenue data
 - **GET/POST** `/api/v2/{admin_path}/stat/getStatUser`
  - **Purpose**: Get user statistics
  - **Returns**: User analytics
  - **Data**: User growth, activity metrics
 - **GET** `/api/v2/{admin_path}/stat/getRanking`
  - **Purpose**: Get ranking data
  - **Returns**: Various rankings
  - **Data**: User, server, revenue rankings
 - **GET** `/api/v2/{admin_path}/stat/getStatRecord`
  - **Purpose**: Get statistical records
  - **Returns**: Historical statistics
  - **Data**: Historical data records
 - **GET** `/api/v2/{admin_path}/stat/getTrafficRank`
  - **Purpose**: Get traffic ranking
  - **Returns**: Traffic usage rankings
  - **Data**: Traffic usage by users/servers
 ### Notice Management
 - **GET** `/api/v2/{admin_path}/notice/fetch`
  - **Purpose**: Get system notices
  - **Returns**: List of notices
  - **Data**: Notice content, visibility, scheduling
 - **POST** `/api/v2/{admin_path}/notice/save`
  - **Purpose**: Create notice
  - **Returns**: Creation status
  - **Data**: Notice creation confirmation
 - **POST** `/api/v2/{admin_path}/notice/update`
  - **Purpose**: Update notice
  - **Returns**: Update status
  - **Data**: Notice update confirmation
 - **POST** `/api/v2/{admin_path}/notice/drop`
  - **Purpose**: Delete notice
  - **Returns**: Deletion status
  - **Data**: Notice deletion confirmation
 - **POST** `/api/v2/{admin_path}/notice/show`
  - **Purpose**: Toggle notice visibility
  - **Returns**: Visibility status
  - **Data**: Notice visibility confirmation
 - **POST** `/api/v2/{admin_path}/notice/sort`
  - **Purpose**: Reorder notices
  - **Returns**: Sort status
  - **Data**: Notice ordering confirmation
 ### Ticket Management
 - **GET/POST** `/api/v2/{admin_path}/ticket/fetch`
  - **Purpose**: Get support tickets
  - **Returns**: Paginated ticket list
  - **Data**: Ticket details, user info, status
 - **POST** `/api/v2/{admin_path}/ticket/reply`
  - **Purpose**: Reply to ticket
  - **Returns**: Reply status
  - **Data**: Ticket reply confirmation
 - **POST** `/api/v2/{admin_path}/ticket/close`
  - **Purpose**: Close ticket
  - **Returns**: Closure status
  - **Data**: Ticket closure confirmation
 ### Coupon Management
 - **GET/POST** `/api/v2/{admin_path}/coupon/fetch`
  - **Purpose**: Get coupons
  - **Returns**: List of coupons
  - **Data**: Coupon details, usage statistics
 - **POST** `/api/v2/{admin_path}/coupon/generate`
  - **Purpose**: Generate coupons
  - **Returns**: Generation status
  - **Data**: New coupon codes
 - **POST** `/api/v2/{admin_path}/coupon/drop`
  - **Purpose**: Delete coupon
  - **Returns**: Deletion status
  - **Data**: Coupon deletion confirmation
 - **POST** `/api/v2/{admin_path}/coupon/show`
  - **Purpose**: Toggle coupon visibility
  - **Returns**: Visibility status
  - **Data**: Coupon visibility confirmation
 - **POST** `/api/v2/{admin_path}/coupon/update`
  - **Purpose**: Update coupon
  - **Returns**: Update status
  - **Data**: Coupon update confirmation
 ### Knowledge Base Management
 - **GET** `/api/v2/{admin_path}/knowledge/fetch`
  - **Purpose**: Get knowledge articles
  - **Returns**: List of articles
  - **Data**: Article content, categories, visibility
 - **GET** `/api/v2/{admin_path}/knowledge/getCategory`
  - **Purpose**: Get knowledge categories
  - **Returns**: Category structure
  - **Data**: Category hierarchy and organization
 - **POST** `/api/v2/{admin_path}/knowledge/save`
  - **Purpose**: Create/update article
  - **Returns**: Save status
  - **Data**: Article save confirmation
 - **POST** `/api/v2/{admin_path}/knowledge/show`
  - **Purpose**: Toggle article visibility
  - **Returns**: Visibility status
  - **Data**: Article visibility confirmation
 - **POST** `/api/v2/{admin_path}/knowledge/drop`
  - **Purpose**: Delete article
  - **Returns**: Deletion status
  - **Data**: Article deletion confirmation
 - **POST** `/api/v2/{admin_path}/knowledge/sort`
  - **Purpose**: Reorder articles
  - **Returns**: Sort status
  - **Data**: Article ordering confirmation
 ### Payment Management
 - **GET** `/api/v2/{admin_path}/payment/fetch`
  - **Purpose**: Get payment methods
  - **Returns**: List of payment providers
  - **Data**: Payment method configurations
 - **GET** `/api/v2/{admin_path}/payment/getPaymentMethods`
  - **Purpose**: Get available payment methods
  - **Returns**: Payment method list
  - **Data**: Available payment options
 - **POST** `/api/v2/{admin_path}/payment/getPaymentForm`
  - **Purpose**: Get payment form configuration
  - **Returns**: Form configuration
  - **Data**: Payment form settings
 - **POST** `/api/v2/{admin_path}/payment/save`
  - **Purpose**: Save payment method
  - **Returns**: Save status
  - **Data**: Payment method save confirmation
 - **POST** `/api/v2/{admin_path}/payment/drop`
  - **Purpose**: Delete payment method
  - **Returns**: Deletion status
  - **Data**: Payment method deletion confirmation
 - **POST** `/api/v2/{admin_path}/payment/show`
  - **Purpose**: Toggle payment method visibility
  - **Returns**: Visibility status
  - **Data**: Payment method visibility confirmation
 - **POST** `/api/v2/{admin_path}/payment/sort`
  - **Purpose**: Reorder payment methods
  - **Returns**: Sort status
  - **Data**: Payment method ordering confirmation
 ### System Management
 - **GET** `/api/v2/{admin_path}/system/getSystemStatus`
  - **Purpose**: Get system status
  - **Returns**: System health information
  - **Data**: Server status, performance metrics
 - **GET** `/api/v2/{admin_path}/system/getQueueStats`
  - **Purpose**: Get queue statistics
  - **Returns**: Queue performance data
  - **Data**: Queue metrics, job statistics
 - **GET** `/api/v2/{admin_path}/system/getQueueWorkload`
  - **Purpose**: Get queue workload
  - **Returns**: Current queue workload
  - **Data**: Queue load and processing times
 - **GET** `/api/v2/{admin_path}/system/getQueueMasters`
  - **Purpose**: Get queue masters (Horizon)
  - **Returns**: Queue master status
  - **Data**: Horizon supervisor information
 - **GET** `/api/v2/{admin_path}/system/getSystemLog`
  - **Purpose**: Get system logs
  - **Returns**: System log entries
  - **Data**: Application logs, errors, events
 - **GET** `/api/v2/{admin_path}/system/getHorizonFailedJobs`
  - **Purpose**: Get failed jobs
  - **Returns**: Failed job list
  - **Data**: Failed job details and errors
 - **POST** `/api/v2/{admin_path}/system/clearSystemLog`
  - **Purpose**: Clear system logs
  - **Returns**: Clear status
  - **Data**: Log clearing confirmation
 - **GET** `/api/v2/{admin_path}/system/getLogClearStats`
  - **Purpose**: Get log clearing statistics
  - **Returns**: Log management stats
  - **Data**: Log storage and clearing metrics
 ### Theme Management
 - **GET** `/api/v2/{admin_path}/theme/getThemes`
  - **Purpose**: Get available themes
  - **Returns**: Theme list
  - **Data**: Theme details, configurations
 - **POST** `/api/v2/{admin_path}/theme/upload`
  - **Purpose**: Upload theme
  - **Returns**: Upload status
  - **Data**: Theme upload confirmation
 - **POST** `/api/v2/{admin_path}/theme/delete`
  - **Purpose**: Delete theme
  - **Returns**: Deletion status
  - **Data**: Theme deletion confirmation
 - **POST** `/api/v2/{admin_path}/theme/saveThemeConfig`
  - **Purpose**: Save theme configuration
  - **Returns**: Save status
  - **Data**: Theme configuration save confirmation
 - **POST** `/api/v2/{admin_path}/theme/getThemeConfig`
  - **Purpose**: Get theme configuration
  - **Returns**: Theme configuration
  - **Data**: Current theme settings
 ### Plugin Management
 - **GET** `/api/v2/{admin_path}/plugin/getPlugins`
  - **Purpose**: Get installed plugins
  - **Returns**: Plugin list
  - **Data**: Plugin details, status, configuration
 - **POST** `/api/v2/{admin_path}/plugin/upload`
  - **Purpose**: Upload plugin
  - **Returns**: Upload status
  - **Data**: Plugin upload confirmation
 - **POST** `/api/v2/{admin_path}/plugin/delete`
  - **Purpose**: Delete plugin
  - **Returns**: Deletion status
  - **Data**: Plugin deletion confirmation
 - **POST** `/api/v2/{admin_path}/plugin/install`
  - **Purpose**: Install plugin
  - **Returns**: Installation status
  - **Data**: Plugin installation confirmation
 - **POST** `/api/v2/{admin_path}/plugin/uninstall`
  - **Purpose**: Uninstall plugin
  - **Returns**: Uninstallation status
  - **Data**: Plugin uninstallation confirmation
 - **POST** `/api/v2/{admin_path}/plugin/enable`
  - **Purpose**: Enable plugin
  - **Returns**: Enable status
  - **Data**: Plugin enable confirmation
 - **POST** `/api/v2/{admin_path}/plugin/disable`
  - **Purpose**: Disable plugin
  - **Returns**: Disable status
  - **Data**: Plugin disable confirmation
 - **GET** `/api/v2/{admin_path}/plugin/config`
  - **Purpose**: Get plugin configuration
  - **Returns**: Plugin configuration
  - **Data**: Plugin settings
 - **POST** `/api/v2/{admin_path}/plugin/config`
  - **Purpose**: Update plugin configuration
  - **Returns**: Update status
  - **Data**: Plugin configuration update confirmation
 ### Traffic Reset Management
 - **GET** `/api/v2/{admin_path}/traffic-reset/logs`
  - **Purpose**: Get traffic reset logs
  - **Returns**: Reset log entries
  - **Data**: Traffic reset history and details
 - **GET** `/api/v2/{admin_path}/traffic-reset/stats`
  - **Purpose**: Get traffic reset statistics
  - **Returns**: Reset statistics
  - **Data**: Traffic reset metrics and trends
 - **GET** `/api/v2/{admin_path}/traffic-reset/user/{userId}/history`
  - **Purpose**: Get user traffic reset history
  - **Returns**: User-specific reset history
  - **Data**: Individual user reset records
 - **POST** `/api/v2/{admin_path}/traffic-reset/reset-user`
  - **Purpose**: Reset user traffic
  - **Returns**: Reset status
  - **Data**: User traffic reset confirmation
 ---
 ## 📝 Notes
 1. **Admin Path**: The `{admin_path}` in V2 admin routes is dynamically generated based on the `secure_path` or `frontend_admin_path` configuration setting.
 2. **Authentication Middleware**: 
   - `user`: Requires valid user authentication
   - `admin`: Requires admin privileges
   - `staff`: Requires staff privileges
   - `client`: Requires client token authentication
   - `server`: Requires server authentication
 3. **Response Format**: Most endpoints return data in a standardized format:
   ```json
   {
     "data": [...], // Actual response data
     "message": "Success message",
     "status": true/false
   }
   ```
 4. **Error Handling**: Failed requests return appropriate HTTP status codes with error messages.
 5. **Pagination**: Many list endpoints support pagination with `current` and `pageSize` parameters.
 6. **Filtering**: Admin endpoints often support filtering and sorting parameters.
 This documentation provides a comprehensive overview of all available API endpoints in the Xboard system. Each endpoint serves specific functionality within the VPN service management platform.
--- a/box.go
+++ b/box.go
@@ -2,12 +2,13 @@ package box
 import (
 	"context"
 	"fmt"
 	"io"
 	"os"
 	"runtime/debug"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	boxCertificate "github.com/sagernet/sing-box/adapter/certificate"
 	"github.com/sagernet/sing-box/adapter/endpoint"
 	"github.com/sagernet/sing-box/adapter/inbound"
 	"github.com/sagernet/sing-box/adapter/outbound"
@@ -35,21 +36,20 @@ import (
 var _ adapter.SimpleLifecycle = (*Box)(nil)
 type Box struct {
-	createdAt           time.Time
+	createdAt       time.Time
-	logFactory          log.Factory
+	logFactory      log.Factory
-	logger              log.ContextLogger
+	logger          log.ContextLogger
-	network             *route.NetworkManager
+	network         *route.NetworkManager
-	endpoint            *endpoint.Manager
+	endpoint        *endpoint.Manager
-	inbound             *inbound.Manager
+	inbound         *inbound.Manager
-	outbound            *outbound.Manager
+	outbound        *outbound.Manager
-	service             *boxService.Manager
+	service         *boxService.Manager
-	certificateProvider *boxCertificate.Manager
+	dnsTransport    *dns.TransportManager
-	dnsTransport        *dns.TransportManager
+	dnsRouter       *dns.Router
-	dnsRouter           *dns.Router
+	connection      *route.ConnectionManager
-	connection          *route.ConnectionManager
+	router          *route.Router
-	router              *route.Router
+	internalService []adapter.LifecycleService
-	internalService     []adapter.LifecycleService
+	done            chan struct{}
 	done                chan struct{}
 }
 type Options struct {
@@ -65,7 +65,6 @@ func Context(
 	endpointRegistry adapter.EndpointRegistry,
 	dnsTransportRegistry adapter.DNSTransportRegistry,
 	serviceRegistry adapter.ServiceRegistry,
 	certificateProviderRegistry adapter.CertificateProviderRegistry,
 ) context.Context {
 	if service.FromContext[option.InboundOptionsRegistry](ctx) == nil ||
 		service.FromContext[adapter.InboundRegistry](ctx) == nil {
@@ -90,10 +89,6 @@ func Context(
 		ctx = service.ContextWith[option.ServiceOptionsRegistry](ctx, serviceRegistry)
 		ctx = service.ContextWith[adapter.ServiceRegistry](ctx, serviceRegistry)
 	}
 	if service.FromContext[adapter.CertificateProviderRegistry](ctx) == nil {
 		ctx = service.ContextWith[option.CertificateProviderOptionsRegistry](ctx, certificateProviderRegistry)
 		ctx = service.ContextWith[adapter.CertificateProviderRegistry](ctx, certificateProviderRegistry)
 	}
 	return ctx
 }
@@ -110,7 +105,6 @@ func New(options Options) (*Box, error) {
 	outboundRegistry := service.FromContext[adapter.OutboundRegistry](ctx)
 	dnsTransportRegistry := service.FromContext[adapter.DNSTransportRegistry](ctx)
 	serviceRegistry := service.FromContext[adapter.ServiceRegistry](ctx)
 	certificateProviderRegistry := service.FromContext[adapter.CertificateProviderRegistry](ctx)
 	if endpointRegistry == nil {
 		return nil, E.New("missing endpoint registry in context")
@@ -127,9 +121,6 @@ func New(options Options) (*Box, error) {
 	if serviceRegistry == nil {
 		return nil, E.New("missing service registry in context")
 	}
 	if certificateProviderRegistry == nil {
 		return nil, E.New("missing certificate provider registry in context")
 	}
 	ctx = pause.WithDefaultManager(ctx)
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
@@ -187,19 +178,13 @@ func New(options Options) (*Box, error) {
 	outboundManager := outbound.NewManager(logFactory.NewLogger("outbound"), outboundRegistry, endpointManager, routeOptions.Final)
 	dnsTransportManager := dns.NewTransportManager(logFactory.NewLogger("dns/transport"), dnsTransportRegistry, outboundManager, dnsOptions.Final)
 	serviceManager := boxService.NewManager(logFactory.NewLogger("service"), serviceRegistry)
 	certificateProviderManager := boxCertificate.NewManager(logFactory.NewLogger("certificate-provider"), certificateProviderRegistry)
 	service.MustRegister[adapter.EndpointManager](ctx, endpointManager)
 	service.MustRegister[adapter.InboundManager](ctx, inboundManager)
 	service.MustRegister[adapter.OutboundManager](ctx, outboundManager)
 	service.MustRegister[adapter.DNSTransportManager](ctx, dnsTransportManager)
 	service.MustRegister[adapter.ServiceManager](ctx, serviceManager)
-	service.MustRegister[adapter.CertificateProviderManager](ctx, certificateProviderManager)
+	dnsRouter := dns.NewRouter(ctx, logFactory, dnsOptions)
 	dnsRouter, err := dns.NewRouter(ctx, logFactory, dnsOptions)
 	if err != nil {
 		return nil, E.Cause(err, "initialize DNS router")
 	}
 	service.MustRegister[adapter.DNSRouter](ctx, dnsRouter)
 	service.MustRegister[adapter.DNSRuleSetUpdateValidator](ctx, dnsRouter)
 	networkManager, err := route.NewNetworkManager(ctx, logFactory.NewLogger("network"), routeOptions, dnsOptions)
 	if err != nil {
 		return nil, E.Cause(err, "initialize network manager")
@@ -248,8 +233,15 @@ func New(options Options) (*Box, error) {
 		} else {
 			tag = F.ToString(i)
 		}
 		endpointCtx := ctx
 		if tag != "" {
 			// TODO: remove this
 			endpointCtx = adapter.WithContext(endpointCtx, &adapter.InboundContext{
 				Outbound: tag,
 			})
 		}
 		err = endpointManager.Create(
-			ctx,
+			endpointCtx,
 			router,
 			logFactory.NewLogger(F.ToString("endpoint/", endpointOptions.Type, "[", tag, "]")),
 			tag,
@@ -279,6 +271,32 @@ func New(options Options) (*Box, error) {
 			return nil, E.Cause(err, "initialize inbound[", i, "]")
 		}
 	}
 	for i, outboundOptions := range options.Outbounds {
 		var tag string
 		if outboundOptions.Tag != "" {
 			tag = outboundOptions.Tag
 		} else {
 			tag = F.ToString(i)
 		}
 		outboundCtx := ctx
 		if tag != "" {
 			// TODO: remove this
 			outboundCtx = adapter.WithContext(outboundCtx, &adapter.InboundContext{
 				Outbound: tag,
 			})
 		}
 		err = outboundManager.Create(
 			outboundCtx,
 			router,
 			logFactory.NewLogger(F.ToString("outbound/", outboundOptions.Type, "[", tag, "]")),
 			tag,
 			outboundOptions.Type,
 			outboundOptions.Options,
 		)
 		if err != nil {
 			return nil, E.Cause(err, "initialize outbound[", i, "]")
 		}
 	}
 	for i, serviceOptions := range options.Services {
 		var tag string
 		if serviceOptions.Tag != "" {
@@ -297,43 +315,6 @@ func New(options Options) (*Box, error) {
 			return nil, E.Cause(err, "initialize service[", i, "]")
 		}
 	}
 	for i, outboundOptions := range options.Outbounds {
 		var tag string
 		if outboundOptions.Tag != "" {
 			tag = outboundOptions.Tag
 		} else {
 			tag = F.ToString(i)
 		}
 		err = outboundManager.Create(
 			ctx,
 			router,
 			logFactory.NewLogger(F.ToString("outbound/", outboundOptions.Type, "[", tag, "]")),
 			tag,
 			outboundOptions.Type,
 			outboundOptions.Options,
 		)
 		if err != nil {
 			return nil, E.Cause(err, "initialize outbound[", i, "]")
 		}
 	}
 	for i, certificateProviderOptions := range options.CertificateProviders {
 		var tag string
 		if certificateProviderOptions.Tag != "" {
 			tag = certificateProviderOptions.Tag
 		} else {
 			tag = F.ToString(i)
 		}
 		err = certificateProviderManager.Create(
 			ctx,
 			logFactory.NewLogger(F.ToString("certificate-provider/", certificateProviderOptions.Type, "[", tag, "]")),
 			tag,
 			certificateProviderOptions.Type,
 			certificateProviderOptions.Options,
 		)
 		if err != nil {
 			return nil, E.Cause(err, "initialize certificate provider[", i, "]")
 		}
 	}
 	outboundManager.Initialize(func() (adapter.Outbound, error) {
 		return direct.NewOutbound(
 			ctx,
@@ -359,7 +340,7 @@ func New(options Options) (*Box, error) {
 		}
 	}
 	if needCacheFile {
-		cacheFile := cachefile.New(ctx, logFactory.NewLogger("cache-file"), common.PtrValueOrDefault(experimentalOptions.CacheFile))
+		cacheFile := cachefile.New(ctx, common.PtrValueOrDefault(experimentalOptions.CacheFile))
 		service.MustRegister[adapter.CacheFile](ctx, cacheFile)
 		internalServices = append(internalServices, cacheFile)
 	}
@@ -402,27 +383,35 @@ func New(options Options) (*Box, error) {
 		internalServices = append(internalServices, adapter.NewLifecycleService(ntpService, "ntp service"))
 	}
 	return &Box{
-		network:             networkManager,
+		network:         networkManager,
-		endpoint:            endpointManager,
+		endpoint:        endpointManager,
-		inbound:             inboundManager,
+		inbound:         inboundManager,
-		outbound:            outboundManager,
+		outbound:        outboundManager,
-		dnsTransport:        dnsTransportManager,
+		dnsTransport:    dnsTransportManager,
-		service:             serviceManager,
+		service:         serviceManager,
-		certificateProvider: certificateProviderManager,
+		dnsRouter:       dnsRouter,
-		dnsRouter:           dnsRouter,
+		connection:      connectionManager,
-		connection:          connectionManager,
+		router:          router,
-		router:              router,
+		createdAt:       createdAt,
-		createdAt:           createdAt,
+		logFactory:      logFactory,
-		logFactory:          logFactory,
+		logger:          logFactory.Logger(),
-		logger:              logFactory.Logger(),
+		internalService: internalServices,
-		internalService:     internalServices,
+		done:            make(chan struct{}),
 		done:                make(chan struct{}),
 	}, nil
 }
 func (s *Box) PreStart() error {
 	err := s.preStart()
 	if err != nil {
 		// TODO: remove catch error
 		defer func() {
 			v := recover()
 			if v != nil {
 				println(err.Error())
 				debug.PrintStack()
 				panic("panic on early close: " + fmt.Sprint(v))
 			}
 		}()
 		s.Close()
 		return err
 	}
@@ -433,6 +422,15 @@ func (s *Box) PreStart() error {
 func (s *Box) Start() error {
 	err := s.start()
 	if err != nil {
 		// TODO: remove catch error
 		defer func() {
 			v := recover()
 			if v != nil {
 				println(err.Error())
 				debug.PrintStack()
 				println("panic on early start: " + fmt.Sprint(v))
 			}
 		}()
 		s.Close()
 		return err
 	}
@@ -452,11 +450,11 @@ func (s *Box) preStart() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateInitialize, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service, s.certificateProvider)
+	err = adapter.Start(s.logger, adapter.StartStateInitialize, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateStart, s.outbound, s.dnsTransport, s.network, s.connection, s.router, s.dnsRouter)
+	err = adapter.Start(s.logger, adapter.StartStateStart, s.outbound, s.dnsTransport, s.dnsRouter, s.network, s.connection, s.router)
 	if err != nil {
 		return err
 	}
@@ -472,19 +470,11 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateStart, s.endpoint)
+	err = adapter.Start(s.logger, adapter.StartStateStart, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateStart, s.certificateProvider)
+	err = adapter.Start(s.logger, adapter.StartStatePostStart, s.outbound, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
 	err = adapter.Start(s.logger, adapter.StartStateStart, s.inbound, s.service)
 	if err != nil {
 		return err
 	}
 	err = adapter.Start(s.logger, adapter.StartStatePostStart, s.outbound, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.endpoint, s.certificateProvider, s.inbound, s.service)
 	if err != nil {
 		return err
 	}
@@ -492,7 +482,7 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateStarted, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.endpoint, s.certificateProvider, s.inbound, s.service)
+	err = adapter.Start(s.logger, adapter.StartStateStarted, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
@@ -516,9 +506,8 @@ func (s *Box) Close() error {
 		service adapter.Lifecycle
 	}{
 		{"service", s.service},
 		{"inbound", s.inbound},
 		{"certificate-provider", s.certificateProvider},
 		{"endpoint", s.endpoint},
 		{"inbound", s.inbound},
 		{"outbound", s.outbound},
 		{"router", s.router},
 		{"connection", s.connection},
--- a/clients/android
+++ b/clients/android
--- a/clients/apple
+++ b/clients/apple
--- a/cmd/sing-box/cmd_rule_set_compile.go
+++ b/cmd/sing-box/cmd_rule_set_compile.go
@@ -82,11 +82,6 @@ func compileRuleSet(sourcePath string) error {
 }
 func downgradeRuleSetVersion(version uint8, options option.PlainRuleSet) uint8 {
 	if version == C.RuleSetVersion5 && !rule.HasHeadlessRule(options.Rules, func(rule option.DefaultHeadlessRule) bool {
 		return len(rule.PackageNameRegex) > 0
 	}) {
 		version = C.RuleSetVersion4
 	}
 	if version == C.RuleSetVersion4 && !rule.HasHeadlessRule(options.Rules, func(rule option.DefaultHeadlessRule) bool {
 		return rule.NetworkInterfaceAddress != nil && rule.NetworkInterfaceAddress.Size() > 0 ||
 			len(rule.DefaultInterfaceAddress) > 0
--- a/cmd/sing-box/cmd_tools_networkquality.go
+++ b/cmd/sing-box/cmd_tools_networkquality.go
@@ -1,121 +0,0 @@
 package main
 import (
 	"fmt"
 	"os"
 	"strings"
 	"time"
 	"github.com/sagernet/sing-box/common/networkquality"
 	"github.com/sagernet/sing-box/log"
 	"github.com/spf13/cobra"
 )
 var (
 	commandNetworkQualityFlagConfigURL  string
 	commandNetworkQualityFlagSerial     bool
 	commandNetworkQualityFlagMaxRuntime int
 	commandNetworkQualityFlagHTTP3      bool
 )
 var commandNetworkQuality = &cobra.Command{
 	Use:   "networkquality",
 	Short: "Run a network quality test",
 	Run: func(cmd *cobra.Command, args []string) {
 		err := runNetworkQuality()
 		if err != nil {
 			log.Fatal(err)
 		}
 	},
 }
 func init() {
 	commandNetworkQuality.Flags().StringVar(
 		&commandNetworkQualityFlagConfigURL,
 		"config-url", "",
 		"Network quality test config URL (default: Apple mensura)",
 	)
 	commandNetworkQuality.Flags().BoolVar(
 		&commandNetworkQualityFlagSerial,
 		"serial", false,
 		"Run download and upload tests sequentially instead of in parallel",
 	)
 	commandNetworkQuality.Flags().IntVar(
 		&commandNetworkQualityFlagMaxRuntime,
 		"max-runtime", int(networkquality.DefaultMaxRuntime/time.Second),
 		"Network quality maximum runtime in seconds",
 	)
 	commandNetworkQuality.Flags().BoolVar(
 		&commandNetworkQualityFlagHTTP3,
 		"http3", false,
 		"Use HTTP/3 (QUIC) for measurement traffic",
 	)
 	commandTools.AddCommand(commandNetworkQuality)
 }
 func runNetworkQuality() error {
 	instance, err := createPreStartedClient()
 	if err != nil {
 		return err
 	}
 	defer instance.Close()
 	dialer, err := createDialer(instance, commandToolsFlagOutbound)
 	if err != nil {
 		return err
 	}
 	httpClient := networkquality.NewHTTPClient(dialer)
 	defer httpClient.CloseIdleConnections()
 	measurementClientFactory, err := networkquality.NewOptionalHTTP3Factory(dialer, commandNetworkQualityFlagHTTP3)
 	if err != nil {
 		return err
 	}
 	fmt.Fprintln(os.Stderr, "==== NETWORK QUALITY TEST ====")
 	result, err := networkquality.Run(networkquality.Options{
 		ConfigURL:            commandNetworkQualityFlagConfigURL,
 		HTTPClient:           httpClient,
 		NewMeasurementClient: measurementClientFactory,
 		Serial:               commandNetworkQualityFlagSerial,
 		MaxRuntime:           time.Duration(commandNetworkQualityFlagMaxRuntime) * time.Second,
 		Context:              globalCtx,
 		OnProgress: func(p networkquality.Progress) {
 			if !commandNetworkQualityFlagSerial && p.Phase != networkquality.PhaseIdle {
 				fmt.Fprintf(os.Stderr, "\rDownload: %s  RPM: %d  Upload: %s  RPM: %d",
 					networkquality.FormatBitrate(p.DownloadCapacity), p.DownloadRPM,
 					networkquality.FormatBitrate(p.UploadCapacity), p.UploadRPM)
 				return
 			}
 			switch networkquality.Phase(p.Phase) {
 			case networkquality.PhaseIdle:
 				if p.IdleLatencyMs > 0 {
 					fmt.Fprintf(os.Stderr, "\rIdle Latency: %d ms", p.IdleLatencyMs)
 				} else {
 					fmt.Fprint(os.Stderr, "\rMeasuring idle latency...")
 				}
 			case networkquality.PhaseDownload:
 				fmt.Fprintf(os.Stderr, "\rDownload: %s  RPM: %d",
 					networkquality.FormatBitrate(p.DownloadCapacity), p.DownloadRPM)
 			case networkquality.PhaseUpload:
 				fmt.Fprintf(os.Stderr, "\rUpload: %s  RPM: %d",
 					networkquality.FormatBitrate(p.UploadCapacity), p.UploadRPM)
 			}
 		},
 	})
 	if err != nil {
 		return err
 	}
 	fmt.Fprintln(os.Stderr)
 	fmt.Fprintln(os.Stderr, strings.Repeat("-", 40))
 	fmt.Fprintf(os.Stderr, "Idle Latency:            %d ms\n", result.IdleLatencyMs)
 	fmt.Fprintf(os.Stderr, "Download Capacity:       %-20s Accuracy: %s\n", networkquality.FormatBitrate(result.DownloadCapacity), result.DownloadCapacityAccuracy)
 	fmt.Fprintf(os.Stderr, "Upload Capacity:         %-20s Accuracy: %s\n", networkquality.FormatBitrate(result.UploadCapacity), result.UploadCapacityAccuracy)
 	fmt.Fprintf(os.Stderr, "Download Responsiveness: %-20s Accuracy: %s\n", fmt.Sprintf("%d RPM", result.DownloadRPM), result.DownloadRPMAccuracy)
 	fmt.Fprintf(os.Stderr, "Upload Responsiveness:   %-20s Accuracy: %s\n", fmt.Sprintf("%d RPM", result.UploadRPM), result.UploadRPMAccuracy)
 	return nil
 }
--- a/cmd/sing-box/cmd_tools_stun.go
+++ b/cmd/sing-box/cmd_tools_stun.go
@@ -1,79 +0,0 @@
 package main
 import (
 	"fmt"
 	"os"
 	"github.com/sagernet/sing-box/common/stun"
 	"github.com/sagernet/sing-box/log"
 	"github.com/spf13/cobra"
 )
 var commandSTUNFlagServer string
 var commandSTUN = &cobra.Command{
 	Use:   "stun",
 	Short: "Run a STUN test",
 	Args:  cobra.NoArgs,
 	Run: func(cmd *cobra.Command, args []string) {
 		err := runSTUN()
 		if err != nil {
 			log.Fatal(err)
 		}
 	},
 }
 func init() {
 	commandSTUN.Flags().StringVarP(&commandSTUNFlagServer, "server", "s", stun.DefaultServer, "STUN server address")
 	commandTools.AddCommand(commandSTUN)
 }
 func runSTUN() error {
 	instance, err := createPreStartedClient()
 	if err != nil {
 		return err
 	}
 	defer instance.Close()
 	dialer, err := createDialer(instance, commandToolsFlagOutbound)
 	if err != nil {
 		return err
 	}
 	fmt.Fprintln(os.Stderr, "==== STUN TEST ====")
 	result, err := stun.Run(stun.Options{
 		Server:  commandSTUNFlagServer,
 		Dialer:  dialer,
 		Context: globalCtx,
 		OnProgress: func(p stun.Progress) {
 			switch p.Phase {
 			case stun.PhaseBinding:
 				if p.ExternalAddr != "" {
 					fmt.Fprintf(os.Stderr, "\rExternal Address: %s (%d ms)", p.ExternalAddr, p.LatencyMs)
 				} else {
 					fmt.Fprint(os.Stderr, "\rSending binding request...")
 				}
 			case stun.PhaseNATMapping:
 				fmt.Fprint(os.Stderr, "\rDetecting NAT mapping behavior...")
 			case stun.PhaseNATFiltering:
 				fmt.Fprint(os.Stderr, "\rDetecting NAT filtering behavior...")
 			}
 		},
 	})
 	if err != nil {
 		return err
 	}
 	fmt.Fprintln(os.Stderr)
 	fmt.Fprintf(os.Stderr, "External Address: %s\n", result.ExternalAddr)
 	fmt.Fprintf(os.Stderr, "Latency:          %d ms\n", result.LatencyMs)
 	if result.NATTypeSupported {
 		fmt.Fprintf(os.Stderr, "NAT Mapping:      %s\n", result.NATMapping)
 		fmt.Fprintf(os.Stderr, "NAT Filtering:    %s\n", result.NATFiltering)
 	} else {
 		fmt.Fprintln(os.Stderr, "NAT Type Detection: not supported by server")
 	}
 	return nil
 }
--- a/common/dialer/dialer.go
+++ b/common/dialer/dialer.go
@@ -87,12 +87,11 @@ func NewWithOptions(options Options) (N.Dialer, error) {
 			}
 			server = dialOptions.DomainResolver.Server
 			dnsQueryOptions = adapter.DNSQueryOptions{
-				Transport:              transport,
+				Transport:    transport,
-				Strategy:               strategy,
+				Strategy:     strategy,
-				DisableCache:           dialOptions.DomainResolver.DisableCache,
+				DisableCache: dialOptions.DomainResolver.DisableCache,
-				DisableOptimisticCache: dialOptions.DomainResolver.DisableOptimisticCache,
+				RewriteTTL:   dialOptions.DomainResolver.RewriteTTL,
-				RewriteTTL:             dialOptions.DomainResolver.RewriteTTL,
+				ClientSubnet: dialOptions.DomainResolver.ClientSubnet.Build(netip.Prefix{}),
 				ClientSubnet:           dialOptions.DomainResolver.ClientSubnet.Build(netip.Prefix{}),
 			}
 			resolveFallbackDelay = time.Duration(dialOptions.FallbackDelay)
 		} else if options.DirectResolver {
--- a/common/dnspod/provider.go
+++ b/common/dnspod/provider.go
@@ -44,8 +44,8 @@ type createRecordResponse struct {
 }
 type listRecordsResponse struct {
-	Status  apiStatus    `json:"status"`
+	Status  apiStatus   `json:"status"`
-	Records []apiRecord  `json:"records"`
+	Records []apiRecord `json:"records"`
 }
 func (p *Provider) GetRecords(ctx context.Context, zone string) ([]libdns.Record, error) {
--- a/common/listener/listener_tcp.go
+++ b/common/listener/listener_tcp.go
@@ -21,6 +21,10 @@ import (
 )
 func (l *Listener) ListenTCP() (net.Listener, error) {
 	//nolint:staticcheck
 	if l.listenOptions.ProxyProtocol || l.listenOptions.ProxyProtocolAcceptNoHeader {
 		return nil, E.New("Proxy Protocol is deprecated and removed in sing-box 1.6.0")
 	}
 	var err error
 	bindAddr := M.SocksaddrFrom(l.listenOptions.Listen.Build(netip.AddrFrom4([4]byte{127, 0, 0, 1})), l.listenOptions.ListenPort)
 	var listenConfig net.ListenConfig
@@ -96,18 +100,6 @@ func (l *Listener) loopTCPIn() {
 			l.logger.Error("tcp listener closed: ", err)
 			continue
 		}
 		remoteAddr := conn.RemoteAddr()
 		//nolint:staticcheck
 		if l.listenOptions.ProxyProtocol || l.listenOptions.ProxyProtocolAcceptNoHeader {
 			//nolint:staticcheck
 			wrappedConn, wrapErr := wrapProxyProtocolConn(conn, l.listenOptions.ProxyProtocolAcceptNoHeader)
 			if wrapErr != nil {
 				conn.Close()
 				l.logger.Error("process connection from ", remoteAddr, ": PROXY protocol: ", wrapErr)
 				continue
 			}
 			conn = wrappedConn
 		}
 		//nolint:staticcheck
 		metadata.InboundDetour = l.listenOptions.Detour
 		metadata.Source = M.SocksaddrFromNet(conn.RemoteAddr()).Unwrap()
--- a/common/listener/proxy_protocol.go
+++ b/common/listener/proxy_protocol.go
@@ -1,186 +0,0 @@
 package listener
 import (
 	"bufio"
 	"bytes"
 	"encoding/binary"
 	"errors"
 	"fmt"
 	"io"
 	"net"
 )
 var errProxyProtocolHeaderNotPresent = errors.New("proxy protocol header not present")
 var proxyProtocolV2Signature = []byte{
 	0x0d, 0x0a, 0x0d, 0x0a,
 	0x00, 0x0d, 0x0a, 0x51,
 	0x55, 0x49, 0x54, 0x0a,
 }
 type proxyProtocolConn struct {
 	net.Conn
 	reader     *bufio.Reader
 	remoteAddr net.Addr
 }
 func (c *proxyProtocolConn) Read(p []byte) (int, error) {
 	return c.reader.Read(p)
 }
 func (c *proxyProtocolConn) RemoteAddr() net.Addr {
 	return c.remoteAddr
 }
 func wrapProxyProtocolConn(conn net.Conn, allowNoHeader bool) (net.Conn, error) {
 	reader := bufio.NewReader(conn)
 	remoteAddr, err := readProxyProtocolRemoteAddr(reader)
 	if err != nil {
 		if allowNoHeader && errors.Is(err, errProxyProtocolHeaderNotPresent) {
 			return &proxyProtocolConn{
 				Conn:       conn,
 				reader:     reader,
 				remoteAddr: conn.RemoteAddr(),
 			}, nil
 		}
 		return nil, err
 	}
 	if remoteAddr == nil {
 		remoteAddr = conn.RemoteAddr()
 	}
 	return &proxyProtocolConn{
 		Conn:       conn,
 		reader:     reader,
 		remoteAddr: remoteAddr,
 	}, nil
 }
 func readProxyProtocolRemoteAddr(reader *bufio.Reader) (net.Addr, error) {
 	firstByte, err := reader.Peek(1)
 	if err != nil {
 		return nil, err
 	}
 	switch firstByte[0] {
 	case 'P':
 		return readProxyProtocolV1RemoteAddr(reader)
 	case '\r':
 		signature, err := reader.Peek(len(proxyProtocolV2Signature))
 		if err != nil {
 			return nil, err
 		}
 		if !bytes.Equal(signature, proxyProtocolV2Signature) {
 			return nil, errProxyProtocolHeaderNotPresent
 		}
 		return readProxyProtocolV2RemoteAddr(reader)
 	default:
 		return nil, errProxyProtocolHeaderNotPresent
 	}
 }
 func readProxyProtocolV1RemoteAddr(reader *bufio.Reader) (net.Addr, error) {
 	prefix, err := reader.Peek(6)
 	if err != nil {
 		return nil, err
 	}
 	if !bytes.Equal(prefix, []byte("PROXY ")) {
 		return nil, errProxyProtocolHeaderNotPresent
 	}
 	line, err := reader.ReadString('\n')
 	if err != nil {
 		return nil, err
 	}
 	if len(line) < 2 || line[len(line)-2:] != "\r\n" {
 		return nil, fmt.Errorf("invalid PROXY protocol v1 line ending")
 	}
 	fields := bytes.Fields([]byte(line[:len(line)-2]))
 	if len(fields) < 2 {
 		return nil, fmt.Errorf("invalid PROXY protocol v1 header")
 	}
 	if string(fields[1]) == "UNKNOWN" {
 		return nil, nil
 	}
 	if len(fields) != 6 {
 		return nil, fmt.Errorf("invalid PROXY protocol v1 field count")
 	}
 	sourceIP := net.ParseIP(string(fields[2]))
 	if sourceIP == nil {
 		return nil, fmt.Errorf("invalid PROXY protocol source ip")
 	}
 	sourcePort, err := parseProxyProtocolPort(fields[4])
 	if err != nil {
 		return nil, err
 	}
 	return &net.TCPAddr{
 		IP:   sourceIP,
 		Port: sourcePort,
 	}, nil
 }
 func readProxyProtocolV2RemoteAddr(reader *bufio.Reader) (net.Addr, error) {
 	header := make([]byte, 16)
 	if _, err := io.ReadFull(reader, header); err != nil {
 		return nil, err
 	}
 	if !bytes.Equal(header[:12], proxyProtocolV2Signature) {
 		return nil, errProxyProtocolHeaderNotPresent
 	}
 	version := header[12] >> 4
 	command := header[12] & 0x0f
 	if version != 0x2 {
 		return nil, fmt.Errorf("invalid PROXY protocol v2 version")
 	}
 	addressDataLen := int(binary.BigEndian.Uint16(header[14:16]))
 	addressData := make([]byte, addressDataLen)
 	if _, err := io.ReadFull(reader, addressData); err != nil {
 		return nil, err
 	}
 	if command == 0x0 {
 		return nil, nil
 	}
 	if command != 0x1 {
 		return nil, fmt.Errorf("unsupported PROXY protocol v2 command")
 	}
 	switch header[13] {
 	case 0x11, 0x12:
 		if len(addressData) < 12 {
 			return nil, fmt.Errorf("short PROXY protocol v2 ipv4 header")
 		}
 		return &net.TCPAddr{
 			IP:   net.IP(addressData[:4]),
 			Port: int(binary.BigEndian.Uint16(addressData[8:10])),
 		}, nil
 	case 0x21, 0x22:
 		if len(addressData) < 36 {
 			return nil, fmt.Errorf("short PROXY protocol v2 ipv6 header")
 		}
 		return &net.TCPAddr{
 			IP:   net.IP(addressData[:16]),
 			Port: int(binary.BigEndian.Uint16(addressData[32:34])),
 		}, nil
 	case 0x31, 0x32:
 		return nil, nil
 	default:
 		return nil, fmt.Errorf("unsupported PROXY protocol v2 family")
 	}
 }
 func parseProxyProtocolPort(raw []byte) (int, error) {
 	port := 0
 	for _, ch := range raw {
 		if ch < '0' || ch > '9' {
 			return 0, fmt.Errorf("invalid PROXY protocol port")
 		}
 		port = port*10 + int(ch-'0')
 		if port > 65535 {
 			return 0, fmt.Errorf("invalid PROXY protocol port")
 		}
 	}
 	return port, nil
 }
--- a/common/listener/proxy_protocol_test.go
+++ b/common/listener/proxy_protocol_test.go
@@ -1,114 +0,0 @@
 package listener
 import (
 	"bufio"
 	"encoding/binary"
 	"net"
 	"strings"
 	"testing"
 	"time"
 )
 func TestReadProxyProtocolV1RemoteAddr(t *testing.T) {
 	reader := bufio.NewReaderSize(newStaticConn("PROXY TCP4 203.0.113.10 192.0.2.1 45678 443\r\npayload"), 128)
 	remoteAddr, err := readProxyProtocolRemoteAddr(reader)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	tcpAddr, ok := remoteAddr.(*net.TCPAddr)
 	if !ok {
 		t.Fatalf("unexpected addr type: %T", remoteAddr)
 	}
 	if got := tcpAddr.IP.String(); got != "203.0.113.10" {
 		t.Fatalf("unexpected ip: %s", got)
 	}
 	if tcpAddr.Port != 45678 {
 		t.Fatalf("unexpected port: %d", tcpAddr.Port)
 	}
 }
 func TestReadProxyProtocolV2RemoteAddr(t *testing.T) {
 	header := make([]byte, 28)
 	copy(header[:12], proxyProtocolV2Signature)
 	header[12] = 0x21
 	header[13] = 0x11
 	binary.BigEndian.PutUint16(header[14:16], 12)
 	copy(header[16:20], net.ParseIP("198.51.100.12").To4())
 	copy(header[20:24], net.ParseIP("192.0.2.8").To4())
 	binary.BigEndian.PutUint16(header[24:26], 50000)
 	binary.BigEndian.PutUint16(header[26:28], 443)
 	reader := bufio.NewReaderSize(newStaticConn(string(header)+"payload"), 128)
 	remoteAddr, err := readProxyProtocolRemoteAddr(reader)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	tcpAddr, ok := remoteAddr.(*net.TCPAddr)
 	if !ok {
 		t.Fatalf("unexpected addr type: %T", remoteAddr)
 	}
 	if got := tcpAddr.IP.String(); got != "198.51.100.12" {
 		t.Fatalf("unexpected ip: %s", got)
 	}
 	if tcpAddr.Port != 50000 {
 		t.Fatalf("unexpected port: %d", tcpAddr.Port)
 	}
 }
 func TestWrapProxyProtocolConnAllowNoHeader(t *testing.T) {
 	rawConn := newStaticConn("hello")
 	conn, err := wrapProxyProtocolConn(rawConn, true)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	if conn.RemoteAddr().String() != rawConn.RemoteAddr().String() {
 		t.Fatalf("remote addr changed unexpectedly: %s", conn.RemoteAddr())
 	}
 }
 type staticConn struct {
 	net.Conn
 	reader *bufio.Reader
 	local  net.Addr
 	remote net.Addr
 }
 func newStaticConn(payload string) *staticConn {
 	return &staticConn{
 		reader: bufio.NewReaderSize(strings.NewReader(payload), len(payload)+16),
 		local:  &net.TCPAddr{IP: net.ParseIP("127.0.0.1"), Port: 443},
 		remote: &net.TCPAddr{IP: net.ParseIP("10.0.0.1"), Port: 12345},
 	}
 }
 func (c *staticConn) Read(p []byte) (int, error) {
 	return c.reader.Read(p)
 }
 func (c *staticConn) Write(p []byte) (int, error) {
 	return len(p), nil
 }
 func (c *staticConn) Close() error {
 	return nil
 }
 func (c *staticConn) LocalAddr() net.Addr {
 	return c.local
 }
 func (c *staticConn) RemoteAddr() net.Addr {
 	return c.remote
 }
 func (c *staticConn) SetDeadline(t time.Time) error {
 	return nil
 }
 func (c *staticConn) SetReadDeadline(t time.Time) error {
 	return nil
 }
 func (c *staticConn) SetWriteDeadline(t time.Time) error {
 	return nil
 }
--- a/common/networkquality/http.go
+++ b/common/networkquality/http.go
@@ -1,142 +0,0 @@
 package networkquality
 import (
 	"context"
 	"fmt"
 	"net"
 	"net/http"
 	"strings"
 	C "github.com/sagernet/sing-box/constant"
 	sBufio "github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 func FormatBitrate(bps int64) string {
 	switch {
 	case bps >= 1_000_000_000:
 		return fmt.Sprintf("%.1f Gbps", float64(bps)/1_000_000_000)
 	case bps >= 1_000_000:
 		return fmt.Sprintf("%.1f Mbps", float64(bps)/1_000_000)
 	case bps >= 1_000:
 		return fmt.Sprintf("%.1f Kbps", float64(bps)/1_000)
 	default:
 		return fmt.Sprintf("%d bps", bps)
 	}
 }
 func NewHTTPClient(dialer N.Dialer) *http.Client {
 	transport := &http.Transport{
 		ForceAttemptHTTP2:   true,
 		TLSHandshakeTimeout: C.TCPTimeout,
 	}
 	if dialer != nil {
 		transport.DialContext = func(ctx context.Context, network string, addr string) (net.Conn, error) {
 			return dialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
 		}
 	}
 	return &http.Client{Transport: transport}
 }
 func baseTransportFromClient(client *http.Client) (*http.Transport, error) {
 	if client == nil {
 		return nil, E.New("http client is nil")
 	}
 	if client.Transport == nil {
 		return http.DefaultTransport.(*http.Transport).Clone(), nil
 	}
 	transport, ok := client.Transport.(*http.Transport)
 	if !ok {
 		return nil, E.New("http client transport must be *http.Transport")
 	}
 	return transport.Clone(), nil
 }
 func newMeasurementClient(
 	baseClient *http.Client,
 	connectEndpoint string,
 	singleConnection bool,
 	disableKeepAlives bool,
 	readCounters []N.CountFunc,
 	writeCounters []N.CountFunc,
 ) (*http.Client, error) {
 	transport, err := baseTransportFromClient(baseClient)
 	if err != nil {
 		return nil, err
 	}
 	transport.DisableCompression = true
 	transport.DisableKeepAlives = disableKeepAlives
 	if singleConnection {
 		transport.MaxConnsPerHost = 1
 		transport.MaxIdleConnsPerHost = 1
 		transport.MaxIdleConns = 1
 	}
 	baseDialContext := transport.DialContext
 	if baseDialContext == nil {
 		dialer := &net.Dialer{}
 		baseDialContext = dialer.DialContext
 	}
 	transport.DialContext = func(ctx context.Context, network string, addr string) (net.Conn, error) {
 		dialAddr := addr
 		if connectEndpoint != "" {
 			dialAddr = rewriteDialAddress(addr, connectEndpoint)
 		}
 		conn, dialErr := baseDialContext(ctx, network, dialAddr)
 		if dialErr != nil {
 			return nil, dialErr
 		}
 		if len(readCounters) > 0 || len(writeCounters) > 0 {
 			return sBufio.NewCounterConn(conn, readCounters, writeCounters), nil
 		}
 		return conn, nil
 	}
 	return &http.Client{
 		Transport:     transport,
 		CheckRedirect: baseClient.CheckRedirect,
 		Jar:           baseClient.Jar,
 		Timeout:       baseClient.Timeout,
 	}, nil
 }
 type MeasurementClientFactory func(
 	connectEndpoint string,
 	singleConnection bool,
 	disableKeepAlives bool,
 	readCounters []N.CountFunc,
 	writeCounters []N.CountFunc,
 ) (*http.Client, error)
 func defaultMeasurementClientFactory(baseClient *http.Client) MeasurementClientFactory {
 	return func(connectEndpoint string, singleConnection, disableKeepAlives bool, readCounters, writeCounters []N.CountFunc) (*http.Client, error) {
 		return newMeasurementClient(baseClient, connectEndpoint, singleConnection, disableKeepAlives, readCounters, writeCounters)
 	}
 }
 func NewOptionalHTTP3Factory(dialer N.Dialer, useHTTP3 bool) (MeasurementClientFactory, error) {
 	if !useHTTP3 {
 		return nil, nil
 	}
 	return NewHTTP3MeasurementClientFactory(dialer)
 }
 func rewriteDialAddress(addr string, connectEndpoint string) string {
 	connectEndpoint = strings.TrimSpace(connectEndpoint)
 	host, port, err := net.SplitHostPort(addr)
 	if err != nil {
 		return addr
 	}
 	endpointHost, endpointPort, err := net.SplitHostPort(connectEndpoint)
 	if err == nil {
 		host = endpointHost
 		if endpointPort != "" {
 			port = endpointPort
 		}
 	} else if connectEndpoint != "" {
 		host = connectEndpoint
 	}
 	return net.JoinHostPort(host, port)
 }
--- a/common/networkquality/http3.go
+++ b/common/networkquality/http3.go
@@ -1,55 +0,0 @@
 //go:build with_quic
 package networkquality
 import (
 	"context"
 	"crypto/tls"
 	"net"
 	"net/http"
 	"github.com/sagernet/quic-go"
 	"github.com/sagernet/quic-go/http3"
 	sBufio "github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 func NewHTTP3MeasurementClientFactory(dialer N.Dialer) (MeasurementClientFactory, error) {
 	// singleConnection and disableKeepAlives are not applied:
 	// HTTP/3 multiplexes streams over a single QUIC connection by default.
 	return func(connectEndpoint string, _, _ bool, readCounters, writeCounters []N.CountFunc) (*http.Client, error) {
 		transport := &http3.Transport{
 			Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (*quic.Conn, error) {
 				dialAddr := addr
 				if connectEndpoint != "" {
 					dialAddr = rewriteDialAddress(addr, connectEndpoint)
 				}
 				destination := M.ParseSocksaddr(dialAddr)
 				var udpConn net.Conn
 				var dialErr error
 				if dialer != nil {
 					udpConn, dialErr = dialer.DialContext(ctx, N.NetworkUDP, destination)
 				} else {
 					var netDialer net.Dialer
 					udpConn, dialErr = netDialer.DialContext(ctx, N.NetworkUDP, destination.String())
 				}
 				if dialErr != nil {
 					return nil, dialErr
 				}
 				wrappedConn := udpConn
 				if len(readCounters) > 0 || len(writeCounters) > 0 {
 					wrappedConn = sBufio.NewCounterConn(udpConn, readCounters, writeCounters)
 				}
 				packetConn := sBufio.NewUnbindPacketConn(wrappedConn)
 				quicConn, dialErr := quic.DialEarly(ctx, packetConn, udpConn.RemoteAddr(), tlsCfg, cfg)
 				if dialErr != nil {
 					udpConn.Close()
 					return nil, dialErr
 				}
 				return quicConn, nil
 			},
 		}
 		return &http.Client{Transport: transport}, nil
 	}, nil
 }
--- a/common/networkquality/http3_stub.go
+++ b/common/networkquality/http3_stub.go
@@ -1,12 +0,0 @@
 //go:build !with_quic
 package networkquality
 import (
 	C "github.com/sagernet/sing-box/constant"
 	N "github.com/sagernet/sing/common/network"
 )
 func NewHTTP3MeasurementClientFactory(dialer N.Dialer) (MeasurementClientFactory, error) {
 	return nil, C.ErrQUICNotIncluded
 }
--- a/common/networkquality/networkquality.go
+++ b/common/networkquality/networkquality.go
--- a/common/srs/binary.go
+++ b/common/srs/binary.go
@@ -46,7 +46,6 @@ const (
 	ruleItemNetworkIsConstrained
 	ruleItemNetworkInterfaceAddress
 	ruleItemDefaultInterfaceAddress
 	ruleItemPackageNameRegex
 	ruleItemFinal uint8 = 0xFF
 )
@@ -216,8 +215,6 @@ func readDefaultRule(reader varbin.Reader, recover bool) (rule option.DefaultHea
 			rule.ProcessPathRegex, err = readRuleItemString(reader)
 		case ruleItemPackageName:
 			rule.PackageName, err = readRuleItemString(reader)
 		case ruleItemPackageNameRegex:
 			rule.PackageNameRegex, err = readRuleItemString(reader)
 		case ruleItemWIFISSID:
 			rule.WIFISSID, err = readRuleItemString(reader)
 		case ruleItemWIFIBSSID:
@@ -397,15 +394,6 @@ func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, gen
 			return err
 		}
 	}
 	if len(rule.PackageNameRegex) > 0 {
 		if generateVersion < C.RuleSetVersion5 {
 			return E.New("`package_name_regex` rule item is only supported in version 5 or later")
 		}
 		err = writeRuleItemString(writer, ruleItemPackageNameRegex, rule.PackageNameRegex)
 		if err != nil {
 			return err
 		}
 	}
 	if len(rule.NetworkType) > 0 {
 		if generateVersion < C.RuleSetVersion3 {
 			return E.New("`network_type` rule item is only supported in version 3 or later")
--- a/common/stun/stun.go
+++ b/common/stun/stun.go
@@ -1,612 +0,0 @@
 package stun
 import (
 	"context"
 	"crypto/rand"
 	"encoding/binary"
 	"fmt"
 	"net"
 	"net/netip"
 	"time"
 	"github.com/sagernet/sing/common/bufio"
 	"github.com/sagernet/sing/common/bufio/deadline"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 const (
 	DefaultServer = "stun.voipgate.com:3478"
 	magicCookie = 0x2112A442
 	headerSize  = 20
 	bindingRequest         = 0x0001
 	bindingSuccessResponse = 0x0101
 	bindingErrorResponse   = 0x0111
 	attrMappedAddress    = 0x0001
 	attrChangeRequest    = 0x0003
 	attrErrorCode        = 0x0009
 	attrXORMappedAddress = 0x0020
 	attrOtherAddress     = 0x802c
 	familyIPv4 = 0x01
 	familyIPv6 = 0x02
 	changeIP   = 0x04
 	changePort = 0x02
 	defaultRTO    = 500 * time.Millisecond
 	minRTO        = 250 * time.Millisecond
 	maxRetransmit = 2
 )
 type Phase int32
 const (
 	PhaseBinding Phase = iota
 	PhaseNATMapping
 	PhaseNATFiltering
 	PhaseDone
 )
 type NATMapping int32
 const (
 	NATMappingUnknown NATMapping = iota
 	_                            // reserved
 	NATMappingEndpointIndependent
 	NATMappingAddressDependent
 	NATMappingAddressAndPortDependent
 )
 func (m NATMapping) String() string {
 	switch m {
 	case NATMappingEndpointIndependent:
 		return "Endpoint Independent"
 	case NATMappingAddressDependent:
 		return "Address Dependent"
 	case NATMappingAddressAndPortDependent:
 		return "Address and Port Dependent"
 	default:
 		return "Unknown"
 	}
 }
 type NATFiltering int32
 const (
 	NATFilteringUnknown NATFiltering = iota
 	NATFilteringEndpointIndependent
 	NATFilteringAddressDependent
 	NATFilteringAddressAndPortDependent
 )
 func (f NATFiltering) String() string {
 	switch f {
 	case NATFilteringEndpointIndependent:
 		return "Endpoint Independent"
 	case NATFilteringAddressDependent:
 		return "Address Dependent"
 	case NATFilteringAddressAndPortDependent:
 		return "Address and Port Dependent"
 	default:
 		return "Unknown"
 	}
 }
 type TransactionID [12]byte
 type Options struct {
 	Server     string
 	Dialer     N.Dialer
 	Context    context.Context
 	OnProgress func(Progress)
 }
 type Progress struct {
 	Phase        Phase
 	ExternalAddr string
 	LatencyMs    int32
 	NATMapping   NATMapping
 	NATFiltering NATFiltering
 }
 type Result struct {
 	ExternalAddr     string
 	LatencyMs        int32
 	NATMapping       NATMapping
 	NATFiltering     NATFiltering
 	NATTypeSupported bool
 }
 type parsedResponse struct {
 	xorMappedAddr netip.AddrPort
 	mappedAddr    netip.AddrPort
 	otherAddr     netip.AddrPort
 }
 func (r *parsedResponse) externalAddr() (netip.AddrPort, bool) {
 	if r.xorMappedAddr.IsValid() {
 		return r.xorMappedAddr, true
 	}
 	if r.mappedAddr.IsValid() {
 		return r.mappedAddr, true
 	}
 	return netip.AddrPort{}, false
 }
 type stunAttribute struct {
 	typ   uint16
 	value []byte
 }
 func newTransactionID() TransactionID {
 	var id TransactionID
 	_, _ = rand.Read(id[:])
 	return id
 }
 func buildBindingRequest(txID TransactionID, attrs ...stunAttribute) []byte {
 	attrLen := 0
 	for _, attr := range attrs {
 		attrLen += 4 + len(attr.value) + paddingLen(len(attr.value))
 	}
 	buf := make([]byte, headerSize+attrLen)
 	binary.BigEndian.PutUint16(buf[0:2], bindingRequest)
 	binary.BigEndian.PutUint16(buf[2:4], uint16(attrLen))
 	binary.BigEndian.PutUint32(buf[4:8], magicCookie)
 	copy(buf[8:20], txID[:])
 	offset := headerSize
 	for _, attr := range attrs {
 		binary.BigEndian.PutUint16(buf[offset:offset+2], attr.typ)
 		binary.BigEndian.PutUint16(buf[offset+2:offset+4], uint16(len(attr.value)))
 		copy(buf[offset+4:offset+4+len(attr.value)], attr.value)
 		offset += 4 + len(attr.value) + paddingLen(len(attr.value))
 	}
 	return buf
 }
 func changeRequestAttr(flags byte) stunAttribute {
 	return stunAttribute{
 		typ:   attrChangeRequest,
 		value: []byte{0, 0, 0, flags},
 	}
 }
 func parseResponse(data []byte, expectedTxID TransactionID) (*parsedResponse, error) {
 	if len(data) < headerSize {
 		return nil, E.New("response too short")
 	}
 	msgType := binary.BigEndian.Uint16(data[0:2])
 	if msgType&0xC000 != 0 {
 		return nil, E.New("invalid STUN message: top 2 bits not zero")
 	}
 	cookie := binary.BigEndian.Uint32(data[4:8])
 	if cookie != magicCookie {
 		return nil, E.New("invalid magic cookie")
 	}
 	var txID TransactionID
 	copy(txID[:], data[8:20])
 	if txID != expectedTxID {
 		return nil, E.New("transaction ID mismatch")
 	}
 	msgLen := int(binary.BigEndian.Uint16(data[2:4]))
 	if msgLen > len(data)-headerSize {
 		return nil, E.New("message length exceeds data")
 	}
 	attrData := data[headerSize : headerSize+msgLen]
 	if msgType == bindingErrorResponse {
 		return nil, parseErrorResponse(attrData)
 	}
 	if msgType != bindingSuccessResponse {
 		return nil, E.New("unexpected message type: ", fmt.Sprintf("0x%04x", msgType))
 	}
 	resp := &parsedResponse{}
 	offset := 0
 	for offset+4 <= len(attrData) {
 		attrType := binary.BigEndian.Uint16(attrData[offset : offset+2])
 		attrLen := int(binary.BigEndian.Uint16(attrData[offset+2 : offset+4]))
 		if offset+4+attrLen > len(attrData) {
 			break
 		}
 		attrValue := attrData[offset+4 : offset+4+attrLen]
 		switch attrType {
 		case attrXORMappedAddress:
 			addr, err := parseXORMappedAddress(attrValue, txID)
 			if err == nil {
 				resp.xorMappedAddr = addr
 			}
 		case attrMappedAddress:
 			addr, err := parseMappedAddress(attrValue)
 			if err == nil {
 				resp.mappedAddr = addr
 			}
 		case attrOtherAddress:
 			addr, err := parseMappedAddress(attrValue)
 			if err == nil {
 				resp.otherAddr = addr
 			}
 		}
 		offset += 4 + attrLen + paddingLen(attrLen)
 	}
 	return resp, nil
 }
 func parseErrorResponse(data []byte) error {
 	offset := 0
 	for offset+4 <= len(data) {
 		attrType := binary.BigEndian.Uint16(data[offset : offset+2])
 		attrLen := int(binary.BigEndian.Uint16(data[offset+2 : offset+4]))
 		if offset+4+attrLen > len(data) {
 			break
 		}
 		if attrType == attrErrorCode && attrLen >= 4 {
 			attrValue := data[offset+4 : offset+4+attrLen]
 			class := int(attrValue[2] & 0x07)
 			number := int(attrValue[3])
 			code := class*100 + number
 			if attrLen > 4 {
 				return E.New("STUN error ", code, ": ", string(attrValue[4:]))
 			}
 			return E.New("STUN error ", code)
 		}
 		offset += 4 + attrLen + paddingLen(attrLen)
 	}
 	return E.New("STUN error response")
 }
 func parseXORMappedAddress(data []byte, txID TransactionID) (netip.AddrPort, error) {
 	if len(data) < 4 {
 		return netip.AddrPort{}, E.New("XOR-MAPPED-ADDRESS too short")
 	}
 	family := data[1]
 	xPort := binary.BigEndian.Uint16(data[2:4])
 	port := xPort ^ uint16(magicCookie>>16)
 	switch family {
 	case familyIPv4:
 		if len(data) < 8 {
 			return netip.AddrPort{}, E.New("XOR-MAPPED-ADDRESS IPv4 too short")
 		}
 		var ip [4]byte
 		binary.BigEndian.PutUint32(ip[:], binary.BigEndian.Uint32(data[4:8])^magicCookie)
 		return netip.AddrPortFrom(netip.AddrFrom4(ip), port), nil
 	case familyIPv6:
 		if len(data) < 20 {
 			return netip.AddrPort{}, E.New("XOR-MAPPED-ADDRESS IPv6 too short")
 		}
 		var ip [16]byte
 		var xorKey [16]byte
 		binary.BigEndian.PutUint32(xorKey[0:4], magicCookie)
 		copy(xorKey[4:16], txID[:])
 		for i := range 16 {
 			ip[i] = data[4+i] ^ xorKey[i]
 		}
 		return netip.AddrPortFrom(netip.AddrFrom16(ip), port), nil
 	default:
 		return netip.AddrPort{}, E.New("unknown address family: ", family)
 	}
 }
 func parseMappedAddress(data []byte) (netip.AddrPort, error) {
 	if len(data) < 4 {
 		return netip.AddrPort{}, E.New("MAPPED-ADDRESS too short")
 	}
 	family := data[1]
 	port := binary.BigEndian.Uint16(data[2:4])
 	switch family {
 	case familyIPv4:
 		if len(data) < 8 {
 			return netip.AddrPort{}, E.New("MAPPED-ADDRESS IPv4 too short")
 		}
 		return netip.AddrPortFrom(
 			netip.AddrFrom4([4]byte{data[4], data[5], data[6], data[7]}), port,
 		), nil
 	case familyIPv6:
 		if len(data) < 20 {
 			return netip.AddrPort{}, E.New("MAPPED-ADDRESS IPv6 too short")
 		}
 		var ip [16]byte
 		copy(ip[:], data[4:20])
 		return netip.AddrPortFrom(netip.AddrFrom16(ip), port), nil
 	default:
 		return netip.AddrPort{}, E.New("unknown address family: ", family)
 	}
 }
 func roundTrip(conn net.PacketConn, addr net.Addr, txID TransactionID, attrs []stunAttribute, rto time.Duration) (*parsedResponse, time.Duration, error) {
 	request := buildBindingRequest(txID, attrs...)
 	currentRTO := rto
 	retransmitCount := 0
 	sendTime := time.Now()
 	_, err := conn.WriteTo(request, addr)
 	if err != nil {
 		return nil, 0, E.Cause(err, "send STUN request")
 	}
 	buf := make([]byte, 1024)
 	for {
 		err = conn.SetReadDeadline(sendTime.Add(currentRTO))
 		if err != nil {
 			return nil, 0, E.Cause(err, "set read deadline")
 		}
 		n, _, readErr := conn.ReadFrom(buf)
 		if readErr != nil {
 			if E.IsTimeout(readErr) && retransmitCount < maxRetransmit {
 				retransmitCount++
 				currentRTO *= 2
 				sendTime = time.Now()
 				_, err = conn.WriteTo(request, addr)
 				if err != nil {
 					return nil, 0, E.Cause(err, "retransmit STUN request")
 				}
 				continue
 			}
 			return nil, 0, E.Cause(readErr, "read STUN response")
 		}
 		if n < headerSize || buf[0]&0xC0 != 0 ||
 			binary.BigEndian.Uint32(buf[4:8]) != magicCookie {
 			continue
 		}
 		var receivedTxID TransactionID
 		copy(receivedTxID[:], buf[8:20])
 		if receivedTxID != txID {
 			continue
 		}
 		latency := time.Since(sendTime)
 		resp, parseErr := parseResponse(buf[:n], txID)
 		if parseErr != nil {
 			return nil, 0, parseErr
 		}
 		return resp, latency, nil
 	}
 }
 func Run(options Options) (*Result, error) {
 	ctx := options.Context
 	if ctx == nil {
 		ctx = context.Background()
 	}
 	server := options.Server
 	if server == "" {
 		server = DefaultServer
 	}
 	serverSocksaddr := M.ParseSocksaddr(server)
 	if serverSocksaddr.Port == 0 {
 		serverSocksaddr.Port = 3478
 	}
 	reportProgress := options.OnProgress
 	if reportProgress == nil {
 		reportProgress = func(Progress) {}
 	}
 	var (
 		packetConn net.PacketConn
 		serverAddr net.Addr
 		err        error
 	)
 	if options.Dialer != nil {
 		packetConn, err = options.Dialer.ListenPacket(ctx, serverSocksaddr)
 		if err != nil {
 			return nil, E.Cause(err, "create UDP socket")
 		}
 		serverAddr = serverSocksaddr
 	} else {
 		serverUDPAddr, resolveErr := net.ResolveUDPAddr("udp", serverSocksaddr.String())
 		if resolveErr != nil {
 			return nil, E.Cause(resolveErr, "resolve STUN server")
 		}
 		packetConn, err = net.ListenPacket("udp", "")
 		if err != nil {
 			return nil, E.Cause(err, "create UDP socket")
 		}
 		serverAddr = serverUDPAddr
 	}
 	defer func() {
 		_ = packetConn.Close()
 	}()
 	if deadline.NeedAdditionalReadDeadline(packetConn) {
 		packetConn = deadline.NewPacketConn(bufio.NewPacketConn(packetConn))
 	}
 	select {
 	case <-ctx.Done():
 		return nil, ctx.Err()
 	default:
 	}
 	rto := defaultRTO
 	// Phase 1: Binding
 	reportProgress(Progress{Phase: PhaseBinding})
 	txID := newTransactionID()
 	resp, latency, err := roundTrip(packetConn, serverAddr, txID, nil, rto)
 	if err != nil {
 		return nil, E.Cause(err, "binding request")
 	}
 	rto = max(minRTO, 3*latency)
 	externalAddr, ok := resp.externalAddr()
 	if !ok {
 		return nil, E.New("no mapped address in response")
 	}
 	result := &Result{
 		ExternalAddr: externalAddr.String(),
 		LatencyMs:    int32(latency.Milliseconds()),
 	}
 	reportProgress(Progress{
 		Phase:        PhaseBinding,
 		ExternalAddr: result.ExternalAddr,
 		LatencyMs:    result.LatencyMs,
 	})
 	otherAddr := resp.otherAddr
 	if !otherAddr.IsValid() {
 		result.NATTypeSupported = false
 		reportProgress(Progress{
 			Phase:        PhaseDone,
 			ExternalAddr: result.ExternalAddr,
 			LatencyMs:    result.LatencyMs,
 		})
 		return result, nil
 	}
 	result.NATTypeSupported = true
 	select {
 	case <-ctx.Done():
 		return result, nil
 	default:
 	}
 	// Phase 2: NAT Mapping Detection (RFC 5780 Section 4.3)
 	reportProgress(Progress{
 		Phase:        PhaseNATMapping,
 		ExternalAddr: result.ExternalAddr,
 		LatencyMs:    result.LatencyMs,
 	})
 	result.NATMapping = detectNATMapping(
 		packetConn, serverSocksaddr.Port, externalAddr, otherAddr, rto,
 	)
 	reportProgress(Progress{
 		Phase:        PhaseNATMapping,
 		ExternalAddr: result.ExternalAddr,
 		LatencyMs:    result.LatencyMs,
 		NATMapping:   result.NATMapping,
 	})
 	select {
 	case <-ctx.Done():
 		return result, nil
 	default:
 	}
 	// Phase 3: NAT Filtering Detection (RFC 5780 Section 4.4)
 	reportProgress(Progress{
 		Phase:        PhaseNATFiltering,
 		ExternalAddr: result.ExternalAddr,
 		LatencyMs:    result.LatencyMs,
 		NATMapping:   result.NATMapping,
 	})
 	result.NATFiltering = detectNATFiltering(packetConn, serverAddr, rto)
 	reportProgress(Progress{
 		Phase:        PhaseDone,
 		ExternalAddr: result.ExternalAddr,
 		LatencyMs:    result.LatencyMs,
 		NATMapping:   result.NATMapping,
 		NATFiltering: result.NATFiltering,
 	})
 	return result, nil
 }
 func detectNATMapping(
 	conn net.PacketConn,
 	serverPort uint16,
 	externalAddr netip.AddrPort,
 	otherAddr netip.AddrPort,
 	rto time.Duration,
 ) NATMapping {
 	// Mapping Test II: Send to other_ip:server_port
 	testIIAddr := net.UDPAddrFromAddrPort(
 		netip.AddrPortFrom(otherAddr.Addr(), serverPort),
 	)
 	txID2 := newTransactionID()
 	resp2, _, err := roundTrip(conn, testIIAddr, txID2, nil, rto)
 	if err != nil {
 		return NATMappingUnknown
 	}
 	externalAddr2, ok := resp2.externalAddr()
 	if !ok {
 		return NATMappingUnknown
 	}
 	if externalAddr == externalAddr2 {
 		return NATMappingEndpointIndependent
 	}
 	// Mapping Test III: Send to other_ip:other_port
 	testIIIAddr := net.UDPAddrFromAddrPort(otherAddr)
 	txID3 := newTransactionID()
 	resp3, _, err := roundTrip(conn, testIIIAddr, txID3, nil, rto)
 	if err != nil {
 		return NATMappingUnknown
 	}
 	externalAddr3, ok := resp3.externalAddr()
 	if !ok {
 		return NATMappingUnknown
 	}
 	if externalAddr2 == externalAddr3 {
 		return NATMappingAddressDependent
 	}
 	return NATMappingAddressAndPortDependent
 }
 func detectNATFiltering(
 	conn net.PacketConn,
 	serverAddr net.Addr,
 	rto time.Duration,
 ) NATFiltering {
 	// Filtering Test II: Request response from different IP and port
 	txID := newTransactionID()
 	_, _, err := roundTrip(conn, serverAddr, txID,
 		[]stunAttribute{changeRequestAttr(changeIP | changePort)}, rto)
 	if err == nil {
 		return NATFilteringEndpointIndependent
 	}
 	// Filtering Test III: Request response from different port only
 	txID = newTransactionID()
 	_, _, err = roundTrip(conn, serverAddr, txID,
 		[]stunAttribute{changeRequestAttr(changePort)}, rto)
 	if err == nil {
 		return NATFilteringAddressDependent
 	}
 	return NATFilteringAddressAndPortDependent
 }
 func paddingLen(n int) int {
 	if n%4 == 0 {
 		return 0
 	}
 	return 4 - n%4
 }
--- a/common/tls/acme.go
+++ b/common/tls/acme.go
@@ -40,6 +40,37 @@ func (w *acmeWrapper) Close() error {
 	return nil
 }
 type acmeLogWriter struct {
 	logger logger.Logger
 }
 func (w *acmeLogWriter) Write(p []byte) (n int, err error) {
 	logLine := strings.ReplaceAll(string(p), "	", ": ")
 	switch {
 	case strings.HasPrefix(logLine, "error: "):
 		w.logger.Error(logLine[7:])
 	case strings.HasPrefix(logLine, "warn: "):
 		w.logger.Warn(logLine[6:])
 	case strings.HasPrefix(logLine, "info: "):
 		w.logger.Info(logLine[6:])
 	case strings.HasPrefix(logLine, "debug: "):
 		w.logger.Debug(logLine[7:])
 	default:
 		w.logger.Debug(logLine)
 	}
 	return len(p), nil
 }
 func (w *acmeLogWriter) Sync() error {
 	return nil
 }
 func encoderConfig() zapcore.EncoderConfig {
 	config := zap.NewProductionEncoderConfig()
 	config.TimeKey = zapcore.OmitKey
 	return config
 }
 func startACME(ctx context.Context, logger logger.Logger, options option.InboundACMEOptions) (*tls.Config, adapter.SimpleLifecycle, error) {
 	var acmeServer string
 	switch options.Provider {
@@ -62,8 +93,8 @@ func startACME(ctx context.Context, logger logger.Logger, options option.Inbound
 		storage = certmagic.Default.Storage
 	}
 	zapLogger := zap.New(zapcore.NewCore(
-		zapcore.NewConsoleEncoder(ACMEEncoderConfig()),
+		zapcore.NewConsoleEncoder(encoderConfig()),
-		&ACMELogWriter{Logger: logger},
+		&acmeLogWriter{logger: logger},
 		zap.DebugLevel,
 	))
 	config := &certmagic.Config{
@@ -140,7 +171,7 @@ func startACME(ctx context.Context, logger logger.Logger, options option.Inbound
 	} else {
 		tlsConfig = &tls.Config{
 			GetCertificate: config.GetCertificate,
-			NextProtos:     []string{C.ACMETLS1Protocol},
+			NextProtos:     []string{ACMETLS1Protocol},
 		}
 	}
 	return tlsConfig, &acmeWrapper{ctx: ctx, cfg: config, cache: cache, domain: options.Domain}, nil
--- a/common/tls/acme_contstant.go
+++ b/common/tls/acme_contstant.go
@@ -1,3 +1,3 @@
-package constant
+package tls
 const ACMETLS1Protocol = "acme-tls/1"
--- a/common/tls/acme_logger.go
+++ b/common/tls/acme_logger.go
@@ -1,41 +0,0 @@
 package tls
 import (
 	"strings"
 	"github.com/sagernet/sing/common/logger"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
 )
 type ACMELogWriter struct {
 	Logger logger.Logger
 }
 func (w *ACMELogWriter) Write(p []byte) (n int, err error) {
 	logLine := strings.ReplaceAll(string(p), "	", ": ")
 	switch {
 	case strings.HasPrefix(logLine, "error: "):
 		w.Logger.Error(logLine[7:])
 	case strings.HasPrefix(logLine, "warn: "):
 		w.Logger.Warn(logLine[6:])
 	case strings.HasPrefix(logLine, "info: "):
 		w.Logger.Info(logLine[6:])
 	case strings.HasPrefix(logLine, "debug: "):
 		w.Logger.Debug(logLine[7:])
 	default:
 		w.Logger.Debug(logLine)
 	}
 	return len(p), nil
 }
 func (w *ACMELogWriter) Sync() error {
 	return nil
 }
 func ACMEEncoderConfig() zapcore.EncoderConfig {
 	config := zap.NewProductionEncoderConfig()
 	config.TimeKey = zapcore.OmitKey
 	return config
 }
--- a/common/tls/reality_server.go
+++ b/common/tls/reality_server.go
@@ -32,10 +32,6 @@ type RealityServerConfig struct {
 func NewRealityServer(ctx context.Context, logger log.ContextLogger, options option.InboundTLSOptions) (ServerConfig, error) {
 	var tlsConfig utls.RealityConfig
 	if options.CertificateProvider != nil {
 		return nil, E.New("certificate_provider is unavailable in reality")
 	}
 	//nolint:staticcheck
 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
 		return nil, E.New("acme is unavailable in reality")
 	}
--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@@ -13,87 +13,19 @@ import (
 	"github.com/sagernet/fswatch"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
 	"github.com/sagernet/sing/service"
 )
 var errInsecureUnused = E.New("tls: insecure unused")
 type managedCertificateProvider interface {
 	adapter.CertificateProvider
 	adapter.SimpleLifecycle
 }
 type sharedCertificateProvider struct {
 	tag      string
 	manager  adapter.CertificateProviderManager
 	provider adapter.CertificateProviderService
 }
 func (p *sharedCertificateProvider) Start() error {
 	provider, found := p.manager.Get(p.tag)
 	if !found {
 		return E.New("certificate provider not found: ", p.tag)
 	}
 	p.provider = provider
 	return nil
 }
 func (p *sharedCertificateProvider) Close() error {
 	return nil
 }
 func (p *sharedCertificateProvider) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
 	return p.provider.GetCertificate(hello)
 }
 func (p *sharedCertificateProvider) GetACMENextProtos() []string {
 	return getACMENextProtos(p.provider)
 }
 type inlineCertificateProvider struct {
 	provider adapter.CertificateProviderService
 }
 func (p *inlineCertificateProvider) Start() error {
 	for _, stage := range adapter.ListStartStages {
 		err := adapter.LegacyStart(p.provider, stage)
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
 func (p *inlineCertificateProvider) Close() error {
 	return p.provider.Close()
 }
 func (p *inlineCertificateProvider) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
 	return p.provider.GetCertificate(hello)
 }
 func (p *inlineCertificateProvider) GetACMENextProtos() []string {
 	return getACMENextProtos(p.provider)
 }
 func getACMENextProtos(provider adapter.CertificateProvider) []string {
 	if acmeProvider, isACME := provider.(adapter.ACMECertificateProvider); isACME {
 		return acmeProvider.GetACMENextProtos()
 	}
 	return nil
 }
 type STDServerConfig struct {
 	access                sync.RWMutex
 	config                *tls.Config
 	logger                log.Logger
 	certificateProvider   managedCertificateProvider
 	acmeService           adapter.SimpleLifecycle
 	certificate           []byte
 	key                   []byte
@@ -121,17 +53,18 @@ func (c *STDServerConfig) SetServerName(serverName string) {
 func (c *STDServerConfig) NextProtos() []string {
 	c.access.RLock()
 	defer c.access.RUnlock()
-	if c.hasACMEALPN() && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == C.ACMETLS1Protocol {
+	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
 		return c.config.NextProtos[1:]
 	} else {
 		return c.config.NextProtos
 	}
 	return c.config.NextProtos
 }
 func (c *STDServerConfig) SetNextProtos(nextProto []string) {
 	c.access.Lock()
 	defer c.access.Unlock()
 	config := c.config.Clone()
-	if c.hasACMEALPN() && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == C.ACMETLS1Protocol {
+	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
 		config.NextProtos = append(c.config.NextProtos[:1], nextProto...)
 	} else {
 		config.NextProtos = nextProto
@@ -139,18 +72,6 @@ func (c *STDServerConfig) SetNextProtos(nextProto []string) {
 	c.config = config
 }
 func (c *STDServerConfig) hasACMEALPN() bool {
 	if c.acmeService != nil {
 		return true
 	}
 	if c.certificateProvider != nil {
 		if acmeProvider, isACME := c.certificateProvider.(adapter.ACMECertificateProvider); isACME {
 			return len(acmeProvider.GetACMENextProtos()) > 0
 		}
 	}
 	return false
 }
 func (c *STDServerConfig) STDConfig() (*STDConfig, error) {
 	return c.config, nil
 }
@@ -170,39 +91,15 @@ func (c *STDServerConfig) Clone() Config {
 }
 func (c *STDServerConfig) Start() error {
 	if c.certificateProvider != nil {
 		err := c.certificateProvider.Start()
 		if err != nil {
 			return err
 		}
 		if acmeProvider, isACME := c.certificateProvider.(adapter.ACMECertificateProvider); isACME {
 			nextProtos := acmeProvider.GetACMENextProtos()
 			if len(nextProtos) > 0 {
 				c.access.Lock()
 				config := c.config.Clone()
 				mergedNextProtos := append([]string{}, nextProtos...)
 				for _, nextProto := range config.NextProtos {
 					if !common.Contains(mergedNextProtos, nextProto) {
 						mergedNextProtos = append(mergedNextProtos, nextProto)
 					}
 				}
 				config.NextProtos = mergedNextProtos
 				c.config = config
 				c.access.Unlock()
 			}
 		}
 	}
 	if c.acmeService != nil {
-		err := c.acmeService.Start()
+		return c.acmeService.Start()
 	} else {
 		err := c.startWatcher()
 		if err != nil {
-			return err
+			c.logger.Warn("create fsnotify watcher: ", err)
 		}
 		return nil
 	}
 	err := c.startWatcher()
 	if err != nil {
 		c.logger.Warn("create fsnotify watcher: ", err)
 	}
 	return nil
 }
 func (c *STDServerConfig) startWatcher() error {
@@ -306,34 +203,23 @@ func (c *STDServerConfig) certificateUpdated(path string) error {
 }
 func (c *STDServerConfig) Close() error {
-	return common.Close(c.certificateProvider, c.acmeService, c.watcher)
+	if c.acmeService != nil {
 		return c.acmeService.Close()
 	}
 	if c.watcher != nil {
 		return c.watcher.Close()
 	}
 	return nil
 }
 func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.InboundTLSOptions) (ServerConfig, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
 	//nolint:staticcheck
 	if options.CertificateProvider != nil && options.ACME != nil {
 		return nil, E.New("certificate_provider and acme are mutually exclusive")
 	}
 	var tlsConfig *tls.Config
 	var certificateProvider managedCertificateProvider
 	var acmeService adapter.SimpleLifecycle
 	var err error
-	if options.CertificateProvider != nil {
+	if options.ACME != nil && len(options.ACME.Domain) > 0 {
 		certificateProvider, err = newCertificateProvider(ctx, logger, options.CertificateProvider)
 		if err != nil {
 			return nil, err
 		}
 		tlsConfig = &tls.Config{
 			GetCertificate: certificateProvider.GetCertificate,
 		}
 		if options.Insecure {
 			return nil, errInsecureUnused
 		}
 	} else if options.ACME != nil && len(options.ACME.Domain) > 0 { //nolint:staticcheck
 		deprecated.Report(ctx, deprecated.OptionInlineACME)
 		//nolint:staticcheck
 		tlsConfig, acmeService, err = startACME(ctx, logger, common.PtrValueOrDefault(options.ACME))
 		if err != nil {
@@ -386,7 +272,7 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 		certificate []byte
 		key         []byte
 	)
-	if certificateProvider == nil && acmeService == nil {
+	if acmeService == nil {
 		if len(options.Certificate) > 0 {
 			certificate = []byte(strings.Join(options.Certificate, "\n"))
 		} else if options.CertificatePath != "" {
@@ -474,7 +360,6 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 	serverConfig := &STDServerConfig{
 		config:                tlsConfig,
 		logger:                logger,
 		certificateProvider:   certificateProvider,
 		acmeService:           acmeService,
 		certificate:           certificate,
 		key:                   key,
@@ -484,8 +369,8 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 		echKeyPath:            echKeyPath,
 	}
 	serverConfig.config.GetConfigForClient = func(info *tls.ClientHelloInfo) (*tls.Config, error) {
-		serverConfig.access.RLock()
+		serverConfig.access.Lock()
-		defer serverConfig.access.RUnlock()
+		defer serverConfig.access.Unlock()
 		return serverConfig.config, nil
 	}
 	var config ServerConfig = serverConfig
@@ -502,27 +387,3 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 	}
 	return config, nil
 }
 func newCertificateProvider(ctx context.Context, logger log.ContextLogger, options *option.CertificateProviderOptions) (managedCertificateProvider, error) {
 	if options.IsShared() {
 		manager := service.FromContext[adapter.CertificateProviderManager](ctx)
 		if manager == nil {
 			return nil, E.New("missing certificate provider manager in context")
 		}
 		return &sharedCertificateProvider{
 			tag:     options.Tag,
 			manager: manager,
 		}, nil
 	}
 	registry := service.FromContext[adapter.CertificateProviderRegistry](ctx)
 	if registry == nil {
 		return nil, E.New("missing certificate provider registry in context")
 	}
 	provider, err := registry.Create(ctx, logger, "", options.Type, options.Options)
 	if err != nil {
 		return nil, E.Cause(err, "create inline certificate provider")
 	}
 	return &inlineCertificateProvider{
 		provider: provider,
 	}, nil
 }
--- a/constant/dns.go
+++ b/constant/dns.go
@@ -17,24 +17,25 @@ const (
 )
 const (
-	DNSTypeLegacy    = "legacy"
+	DNSTypeLegacy      = "legacy"
-	DNSTypeUDP       = "udp"
+	DNSTypeLegacyRcode = "legacy_rcode"
-	DNSTypeTCP       = "tcp"
+	DNSTypeUDP         = "udp"
-	DNSTypeTLS       = "tls"
+	DNSTypeTCP         = "tcp"
-	DNSTypeHTTPS     = "https"
+	DNSTypeTLS         = "tls"
-	DNSTypeQUIC      = "quic"
+	DNSTypeHTTPS       = "https"
-	DNSTypeHTTP3     = "h3"
+	DNSTypeQUIC        = "quic"
-	DNSTypeLocal     = "local"
+	DNSTypeHTTP3       = "h3"
-	DNSTypeHosts     = "hosts"
+	DNSTypeLocal       = "local"
-	DNSTypeFakeIP    = "fakeip"
+	DNSTypeHosts       = "hosts"
-	DNSTypeDHCP      = "dhcp"
+	DNSTypeFakeIP      = "fakeip"
-	DNSTypeTailscale = "tailscale"
+	DNSTypeDHCP        = "dhcp"
 	DNSTypeTailscale   = "tailscale"
 )
 const (
-	DNSProviderAliDNS     = "alidns"
+	DNSProviderAliDNS       = "alidns"
-	DNSProviderCloudflare = "cloudflare"
+	DNSProviderCloudflare   = "cloudflare"
-	DNSProviderACMEDNS    = "acmedns"
+	DNSProviderACMEDNS      = "acmedns"
 	DNSProviderTencentCloud = "tencentcloud"
 	DNSProviderDNSPod       = "dnspod"
 )
--- a/constant/proxy.go
+++ b/constant/proxy.go
@@ -1,40 +1,37 @@
 package constant
 const (
-	TypeTun                = "tun"
+	TypeTun          = "tun"
-	TypeRedirect           = "redirect"
+	TypeRedirect     = "redirect"
-	TypeTProxy             = "tproxy"
+	TypeTProxy       = "tproxy"
-	TypeDirect             = "direct"
+	TypeDirect       = "direct"
-	TypeBlock              = "block"
+	TypeBlock        = "block"
-	TypeDNS                = "dns"
+	TypeDNS          = "dns"
-	TypeSOCKS              = "socks"
+	TypeSOCKS        = "socks"
-	TypeHTTP               = "http"
+	TypeHTTP         = "http"
-	TypeMixed              = "mixed"
+	TypeMixed        = "mixed"
-	TypeShadowsocks        = "shadowsocks"
+	TypeShadowsocks  = "shadowsocks"
-	TypeVMess              = "vmess"
+	TypeVMess        = "vmess"
-	TypeTrojan             = "trojan"
+	TypeTrojan       = "trojan"
-	TypeNaive              = "naive"
+	TypeNaive        = "naive"
-	TypeWireGuard          = "wireguard"
+	TypeWireGuard    = "wireguard"
-	TypeHysteria           = "hysteria"
+	TypeHysteria     = "hysteria"
-	TypeTor                = "tor"
+	TypeTor          = "tor"
-	TypeSSH                = "ssh"
+	TypeSSH          = "ssh"
-	TypeShadowTLS          = "shadowtls"
+	TypeShadowTLS    = "shadowtls"
-	TypeAnyTLS             = "anytls"
+	TypeAnyTLS       = "anytls"
-	TypeShadowsocksR       = "shadowsocksr"
+	TypeShadowsocksR = "shadowsocksr"
-	TypeVLESS              = "vless"
+	TypeVLESS        = "vless"
-	TypeTUIC               = "tuic"
+	TypeTUIC         = "tuic"
-	TypeHysteria2          = "hysteria2"
+	TypeHysteria2    = "hysteria2"
-	TypeTailscale          = "tailscale"
+	TypeTailscale    = "tailscale"
-	TypeCloudflared        = "cloudflared"
+	TypeDERP         = "derp"
-	TypeDERP               = "derp"
+	TypeResolved     = "resolved"
-	TypeResolved           = "resolved"
+	TypeSSMAPI       = "ssm-api"
-	TypeSSMAPI             = "ssm-api"
+	TypeCCM          = "ccm"
-	TypeCCM                = "ccm"
+	TypeOCM          = "ocm"
-	TypeOCM                = "ocm"
+	TypeOOMKiller    = "oom-killer"
-	TypeOOMKiller          = "oom-killer"
+	TypeXBoard       = "xboard"
 	TypeACME               = "acme"
 	TypeCloudflareOriginCA = "cloudflare-origin-ca"
 	TypeXBoard             = "xboard"
 )
 const (
@@ -92,8 +89,6 @@ func ProxyDisplayName(proxyType string) string {
 		return "AnyTLS"
 	case TypeTailscale:
 		return "Tailscale"
 	case TypeCloudflared:
 		return "Cloudflared"
 	case TypeSelector:
 		return "Selector"
 	case TypeURLTest:
--- a/constant/rule.go
+++ b/constant/rule.go
@@ -23,15 +23,12 @@ const (
 	RuleSetVersion2
 	RuleSetVersion3
 	RuleSetVersion4
-	RuleSetVersion5
+	RuleSetVersionCurrent = RuleSetVersion4
 	RuleSetVersionCurrent = RuleSetVersion5
 )
 const (
 	RuleActionTypeRoute        = "route"
 	RuleActionTypeRouteOptions = "route-options"
 	RuleActionTypeEvaluate     = "evaluate"
 	RuleActionTypeRespond      = "respond"
 	RuleActionTypeDirect       = "direct"
 	RuleActionTypeBypass       = "bypass"
 	RuleActionTypeReject       = "reject"
--- a/daemon/instance.go
+++ b/daemon/instance.go
@@ -87,17 +87,12 @@ func (s *StartedService) newInstance(profileContent string, overrideOptions *Ove
 			}
 		}
 	}
-	if s.oomKillerEnabled {
+	if s.oomKiller && C.IsIos {
 		if !common.Any(options.Services, func(it option.Service) bool {
 			return it.Type == C.TypeOOMKiller
 		}) {
 			oomOptions := &option.OOMKillerServiceOptions{
 				KillerDisabled:      s.oomKillerDisabled,
 				MemoryLimitOverride: s.oomMemoryLimit,
 			}
 			options.Services = append(options.Services, option.Service{
-				Type:    C.TypeOOMKiller,
+				Type: C.TypeOOMKiller,
 				Options: oomOptions,
 			})
 		}
 	}
--- a/daemon/platform.go
+++ b/daemon/platform.go
@@ -5,6 +5,5 @@ type PlatformHandler interface {
 	ServiceReload() error
 	SystemProxyStatus() (*SystemProxyStatus, error)
 	SetSystemProxyEnabled(enabled bool) error
 	TriggerNativeCrash() error
 	WriteDebugMessage(message string)
 }
--- a/daemon/started_service.go
+++ b/daemon/started_service.go
@@ -6,20 +6,14 @@ import (
 	"runtime"
 	"sync"
 	"time"
 	"unsafe"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/common/networkquality"
 	"github.com/sagernet/sing-box/common/stun"
 	"github.com/sagernet/sing-box/common/urltest"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental/clashapi"
 	"github.com/sagernet/sing-box/experimental/clashapi/trafficontrol"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/protocol/group"
 	"github.com/sagernet/sing-box/service/oomkiller"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/batch"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -30,8 +24,6 @@ import (
 	"github.com/gofrs/uuid/v5"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/emptypb"
 )
@@ -40,12 +32,10 @@ var _ StartedServiceServer = (*StartedService)(nil)
 type StartedService struct {
 	ctx context.Context
 	// platform adapter.PlatformInterface
-	handler           PlatformHandler
+	handler     PlatformHandler
-	debug             bool
+	debug       bool
-	logMaxLines       int
+	logMaxLines int
-	oomKillerEnabled  bool
+	oomKiller   bool
 	oomKillerDisabled bool
 	oomMemoryLimit    uint64
 	// workingDirectory string
 	// tempDirectory    string
 	// userID           int
@@ -74,12 +64,10 @@ type StartedService struct {
 type ServiceOptions struct {
 	Context context.Context
 	// Platform           adapter.PlatformInterface
-	Handler           PlatformHandler
+	Handler     PlatformHandler
-	Debug             bool
+	Debug       bool
-	LogMaxLines       int
+	LogMaxLines int
-	OOMKillerEnabled  bool
+	OOMKiller   bool
 	OOMKillerDisabled bool
 	OOMMemoryLimit    uint64
 	// WorkingDirectory   string
 	// TempDirectory      string
 	// UserID             int
@@ -91,12 +79,10 @@ func NewStartedService(options ServiceOptions) *StartedService {
 	s := &StartedService{
 		ctx: options.Context,
 		// platform:                options.Platform,
-		handler:           options.Handler,
+		handler:     options.Handler,
-		debug:             options.Debug,
+		debug:       options.Debug,
-		logMaxLines:       options.LogMaxLines,
+		logMaxLines: options.LogMaxLines,
-		oomKillerEnabled:  options.OOMKillerEnabled,
+		oomKiller:   options.OOMKiller,
 		oomKillerDisabled: options.OOMKillerDisabled,
 		oomMemoryLimit:    options.OOMMemoryLimit,
 		// workingDirectory: options.WorkingDirectory,
 		// tempDirectory:    options.TempDirectory,
 		// userID:           options.UserID,
@@ -696,42 +682,7 @@ func (s *StartedService) SetSystemProxyEnabled(ctx context.Context, request *Set
 	if err != nil {
 		return nil, err
 	}
-	return &emptypb.Empty{}, nil
+	return nil, err
 }
 func (s *StartedService) TriggerDebugCrash(ctx context.Context, request *DebugCrashRequest) (*emptypb.Empty, error) {
 	if !s.debug {
 		return nil, status.Error(codes.PermissionDenied, "debug crash trigger unavailable")
 	}
 	if request == nil {
 		return nil, status.Error(codes.InvalidArgument, "missing debug crash request")
 	}
 	switch request.Type {
 	case DebugCrashRequest_GO:
 		time.AfterFunc(200*time.Millisecond, func() {
 			*(*int)(unsafe.Pointer(uintptr(0))) = 0
 		})
 	case DebugCrashRequest_NATIVE:
 		err := s.handler.TriggerNativeCrash()
 		if err != nil {
 			return nil, err
 		}
 	default:
 		return nil, status.Error(codes.InvalidArgument, "unknown debug crash type")
 	}
 	return &emptypb.Empty{}, nil
 }
 func (s *StartedService) TriggerOOMReport(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error) {
 	instance := s.Instance()
 	if instance == nil {
 		return nil, status.Error(codes.FailedPrecondition, "service not started")
 	}
 	reporter := service.FromContext[oomkiller.OOMReporter](instance.ctx)
 	if reporter == nil {
 		return nil, status.Error(codes.Unavailable, "OOM reporter not available")
 	}
 	return &emptypb.Empty{}, reporter.WriteReport(memory.Total())
 }
 func (s *StartedService) SubscribeConnections(request *SubscribeConnectionsRequest, server grpc.ServerStreamingServer[ConnectionEvents]) error {
@@ -1068,12 +1019,9 @@ func (s *StartedService) GetDeprecatedWarnings(ctx context.Context, empty *empty
 	return &DeprecatedWarnings{
 		Warnings: common.Map(notes, func(it deprecated.Note) *DeprecatedWarning {
 			return &DeprecatedWarning{
-				Message:           it.Message(),
+				Message:       it.Message(),
-				Impending:         it.Impending(),
+				Impending:     it.Impending(),
-				MigrationLink:     it.MigrationLink,
+				MigrationLink: it.MigrationLink,
 				Description:       it.Description,
 				DeprecatedVersion: it.DeprecatedVersion,
 				ScheduledVersion:  it.ScheduledVersion,
 			}
 		}),
 	}, nil
@@ -1085,386 +1033,6 @@ func (s *StartedService) GetStartedAt(ctx context.Context, empty *emptypb.Empty)
 	return &StartedAt{StartedAt: s.startedAt.UnixMilli()}, nil
 }
 func (s *StartedService) SubscribeOutbounds(_ *emptypb.Empty, server grpc.ServerStreamingServer[OutboundList]) error {
 	err := s.waitForStarted(server.Context())
 	if err != nil {
 		return err
 	}
 	subscription, done, err := s.urlTestObserver.Subscribe()
 	if err != nil {
 		return err
 	}
 	defer s.urlTestObserver.UnSubscribe(subscription)
 	for {
 		s.serviceAccess.RLock()
 		if s.serviceStatus.Status != ServiceStatus_STARTED {
 			s.serviceAccess.RUnlock()
 			return os.ErrInvalid
 		}
 		boxService := s.instance
 		s.serviceAccess.RUnlock()
 		historyStorage := boxService.urlTestHistoryStorage
 		var list OutboundList
 		for _, ob := range boxService.instance.Outbound().Outbounds() {
 			item := &GroupItem{
 				Tag:  ob.Tag(),
 				Type: ob.Type(),
 			}
 			if history := historyStorage.LoadURLTestHistory(adapter.OutboundTag(ob)); history != nil {
 				item.UrlTestTime = history.Time.Unix()
 				item.UrlTestDelay = int32(history.Delay)
 			}
 			list.Outbounds = append(list.Outbounds, item)
 		}
 		for _, ep := range boxService.instance.Endpoint().Endpoints() {
 			item := &GroupItem{
 				Tag:  ep.Tag(),
 				Type: ep.Type(),
 			}
 			if history := historyStorage.LoadURLTestHistory(adapter.OutboundTag(ep)); history != nil {
 				item.UrlTestTime = history.Time.Unix()
 				item.UrlTestDelay = int32(history.Delay)
 			}
 			list.Outbounds = append(list.Outbounds, item)
 		}
 		err = server.Send(&list)
 		if err != nil {
 			return err
 		}
 		select {
 		case <-subscription:
 		case <-s.ctx.Done():
 			return s.ctx.Err()
 		case <-server.Context().Done():
 			return server.Context().Err()
 		case <-done:
 			return nil
 		}
 	}
 }
 func resolveOutbound(instance *Instance, tag string) (adapter.Outbound, error) {
 	if tag == "" {
 		return instance.instance.Outbound().Default(), nil
 	}
 	outbound, loaded := instance.instance.Outbound().Outbound(tag)
 	if !loaded {
 		return nil, E.New("outbound not found: ", tag)
 	}
 	return outbound, nil
 }
 func (s *StartedService) StartNetworkQualityTest(
 	request *NetworkQualityTestRequest,
 	server grpc.ServerStreamingServer[NetworkQualityTestProgress],
 ) error {
 	err := s.waitForStarted(server.Context())
 	if err != nil {
 		return err
 	}
 	s.serviceAccess.RLock()
 	boxService := s.instance
 	s.serviceAccess.RUnlock()
 	outbound, err := resolveOutbound(boxService, request.OutboundTag)
 	if err != nil {
 		return err
 	}
 	resolvedDialer := dialer.NewResolveDialer(boxService.ctx, outbound, true, "", adapter.DNSQueryOptions{}, 0)
 	httpClient := networkquality.NewHTTPClient(resolvedDialer)
 	defer httpClient.CloseIdleConnections()
 	measurementClientFactory, err := networkquality.NewOptionalHTTP3Factory(resolvedDialer, request.Http3)
 	if err != nil {
 		return err
 	}
 	result, nqErr := networkquality.Run(networkquality.Options{
 		ConfigURL:            request.ConfigURL,
 		HTTPClient:           httpClient,
 		NewMeasurementClient: measurementClientFactory,
 		Serial:               request.Serial,
 		MaxRuntime:           time.Duration(request.MaxRuntimeSeconds) * time.Second,
 		Context:              server.Context(),
 		OnProgress: func(p networkquality.Progress) {
 			_ = server.Send(&NetworkQualityTestProgress{
 				Phase:                    int32(p.Phase),
 				DownloadCapacity:         p.DownloadCapacity,
 				UploadCapacity:           p.UploadCapacity,
 				DownloadRPM:              p.DownloadRPM,
 				UploadRPM:                p.UploadRPM,
 				IdleLatencyMs:            p.IdleLatencyMs,
 				ElapsedMs:                p.ElapsedMs,
 				DownloadCapacityAccuracy: int32(p.DownloadCapacityAccuracy),
 				UploadCapacityAccuracy:   int32(p.UploadCapacityAccuracy),
 				DownloadRPMAccuracy:      int32(p.DownloadRPMAccuracy),
 				UploadRPMAccuracy:        int32(p.UploadRPMAccuracy),
 			})
 		},
 	})
 	if nqErr != nil {
 		return server.Send(&NetworkQualityTestProgress{
 			IsFinal: true,
 			Error:   nqErr.Error(),
 		})
 	}
 	return server.Send(&NetworkQualityTestProgress{
 		Phase:                    int32(networkquality.PhaseDone),
 		DownloadCapacity:         result.DownloadCapacity,
 		UploadCapacity:           result.UploadCapacity,
 		DownloadRPM:              result.DownloadRPM,
 		UploadRPM:                result.UploadRPM,
 		IdleLatencyMs:            result.IdleLatencyMs,
 		IsFinal:                  true,
 		DownloadCapacityAccuracy: int32(result.DownloadCapacityAccuracy),
 		UploadCapacityAccuracy:   int32(result.UploadCapacityAccuracy),
 		DownloadRPMAccuracy:      int32(result.DownloadRPMAccuracy),
 		UploadRPMAccuracy:        int32(result.UploadRPMAccuracy),
 	})
 }
 func (s *StartedService) StartSTUNTest(
 	request *STUNTestRequest,
 	server grpc.ServerStreamingServer[STUNTestProgress],
 ) error {
 	err := s.waitForStarted(server.Context())
 	if err != nil {
 		return err
 	}
 	s.serviceAccess.RLock()
 	boxService := s.instance
 	s.serviceAccess.RUnlock()
 	outbound, err := resolveOutbound(boxService, request.OutboundTag)
 	if err != nil {
 		return err
 	}
 	resolvedDialer := dialer.NewResolveDialer(boxService.ctx, outbound, true, "", adapter.DNSQueryOptions{}, 0)
 	result, stunErr := stun.Run(stun.Options{
 		Server:  request.Server,
 		Dialer:  resolvedDialer,
 		Context: server.Context(),
 		OnProgress: func(p stun.Progress) {
 			_ = server.Send(&STUNTestProgress{
 				Phase:        int32(p.Phase),
 				ExternalAddr: p.ExternalAddr,
 				LatencyMs:    p.LatencyMs,
 				NatMapping:   int32(p.NATMapping),
 				NatFiltering: int32(p.NATFiltering),
 			})
 		},
 	})
 	if stunErr != nil {
 		return server.Send(&STUNTestProgress{
 			IsFinal: true,
 			Error:   stunErr.Error(),
 		})
 	}
 	return server.Send(&STUNTestProgress{
 		Phase:            int32(stun.PhaseDone),
 		ExternalAddr:     result.ExternalAddr,
 		LatencyMs:        result.LatencyMs,
 		NatMapping:       int32(result.NATMapping),
 		NatFiltering:     int32(result.NATFiltering),
 		IsFinal:          true,
 		NatTypeSupported: result.NATTypeSupported,
 	})
 }
 func (s *StartedService) SubscribeTailscaleStatus(
 	_ *emptypb.Empty,
 	server grpc.ServerStreamingServer[TailscaleStatusUpdate],
 ) error {
 	err := s.waitForStarted(server.Context())
 	if err != nil {
 		return err
 	}
 	s.serviceAccess.RLock()
 	boxService := s.instance
 	s.serviceAccess.RUnlock()
 	endpointManager := service.FromContext[adapter.EndpointManager](boxService.ctx)
 	if endpointManager == nil {
 		return status.Error(codes.FailedPrecondition, "endpoint manager not available")
 	}
 	type tailscaleEndpoint struct {
 		tag      string
 		provider adapter.TailscaleEndpoint
 	}
 	var endpoints []tailscaleEndpoint
 	for _, endpoint := range endpointManager.Endpoints() {
 		if endpoint.Type() != C.TypeTailscale {
 			continue
 		}
 		provider, loaded := endpoint.(adapter.TailscaleEndpoint)
 		if !loaded {
 			continue
 		}
 		endpoints = append(endpoints, tailscaleEndpoint{
 			tag:      endpoint.Tag(),
 			provider: provider,
 		})
 	}
 	if len(endpoints) == 0 {
 		return status.Error(codes.NotFound, "no Tailscale endpoint found")
 	}
 	type taggedStatus struct {
 		tag    string
 		status *adapter.TailscaleEndpointStatus
 	}
 	updates := make(chan taggedStatus, len(endpoints))
 	ctx, cancel := context.WithCancel(server.Context())
 	defer cancel()
 	var waitGroup sync.WaitGroup
 	for _, endpoint := range endpoints {
 		waitGroup.Add(1)
 		go func(tag string, provider adapter.TailscaleEndpoint) {
 			defer waitGroup.Done()
 			_ = provider.SubscribeTailscaleStatus(ctx, func(endpointStatus *adapter.TailscaleEndpointStatus) {
 				select {
 				case updates <- taggedStatus{tag: tag, status: endpointStatus}:
 				case <-ctx.Done():
 				}
 			})
 		}(endpoint.tag, endpoint.provider)
 	}
 	go func() {
 		waitGroup.Wait()
 		close(updates)
 	}()
 	var tags []string
 	statuses := make(map[string]*adapter.TailscaleEndpointStatus, len(endpoints))
 	for update := range updates {
 		if _, exists := statuses[update.tag]; !exists {
 			tags = append(tags, update.tag)
 		}
 		statuses[update.tag] = update.status
 		protoEndpoints := make([]*TailscaleEndpointStatus, 0, len(statuses))
 		for _, tag := range tags {
 			protoEndpoints = append(protoEndpoints, tailscaleEndpointStatusToProto(tag, statuses[tag]))
 		}
 		sendErr := server.Send(&TailscaleStatusUpdate{
 			Endpoints: protoEndpoints,
 		})
 		if sendErr != nil {
 			return sendErr
 		}
 	}
 	return nil
 }
 func tailscaleEndpointStatusToProto(tag string, s *adapter.TailscaleEndpointStatus) *TailscaleEndpointStatus {
 	userGroups := make([]*TailscaleUserGroup, len(s.UserGroups))
 	for i, group := range s.UserGroups {
 		peers := make([]*TailscalePeer, len(group.Peers))
 		for j, peer := range group.Peers {
 			peers[j] = tailscalePeerToProto(peer)
 		}
 		userGroups[i] = &TailscaleUserGroup{
 			UserID:        group.UserID,
 			LoginName:     group.LoginName,
 			DisplayName:   group.DisplayName,
 			ProfilePicURL: group.ProfilePicURL,
 			Peers:         peers,
 		}
 	}
 	result := &TailscaleEndpointStatus{
 		EndpointTag:    tag,
 		BackendState:   s.BackendState,
 		AuthURL:        s.AuthURL,
 		NetworkName:    s.NetworkName,
 		MagicDNSSuffix: s.MagicDNSSuffix,
 		UserGroups:     userGroups,
 	}
 	if s.Self != nil {
 		result.Self = tailscalePeerToProto(s.Self)
 	}
 	return result
 }
 func tailscalePeerToProto(peer *adapter.TailscalePeer) *TailscalePeer {
 	return &TailscalePeer{
 		HostName:       peer.HostName,
 		DnsName:        peer.DNSName,
 		Os:             peer.OS,
 		TailscaleIPs:   peer.TailscaleIPs,
 		Online:         peer.Online,
 		ExitNode:       peer.ExitNode,
 		ExitNodeOption: peer.ExitNodeOption,
 		Active:         peer.Active,
 		RxBytes:        peer.RxBytes,
 		TxBytes:        peer.TxBytes,
 		KeyExpiry:      peer.KeyExpiry,
 	}
 }
 func (s *StartedService) StartTailscalePing(
 	request *TailscalePingRequest,
 	server grpc.ServerStreamingServer[TailscalePingResponse],
 ) error {
 	err := s.waitForStarted(server.Context())
 	if err != nil {
 		return err
 	}
 	s.serviceAccess.RLock()
 	boxService := s.instance
 	s.serviceAccess.RUnlock()
 	endpointManager := service.FromContext[adapter.EndpointManager](boxService.ctx)
 	if endpointManager == nil {
 		return status.Error(codes.FailedPrecondition, "endpoint manager not available")
 	}
 	var provider adapter.TailscaleEndpoint
 	if request.EndpointTag != "" {
 		endpoint, loaded := endpointManager.Get(request.EndpointTag)
 		if !loaded {
 			return status.Error(codes.NotFound, "endpoint not found: "+request.EndpointTag)
 		}
 		if endpoint.Type() != C.TypeTailscale {
 			return status.Error(codes.InvalidArgument, "endpoint is not Tailscale: "+request.EndpointTag)
 		}
 		pingProvider, loaded := endpoint.(adapter.TailscaleEndpoint)
 		if !loaded {
 			return status.Error(codes.FailedPrecondition, "endpoint does not support ping")
 		}
 		provider = pingProvider
 	} else {
 		for _, endpoint := range endpointManager.Endpoints() {
 			if endpoint.Type() != C.TypeTailscale {
 				continue
 			}
 			pingProvider, loaded := endpoint.(adapter.TailscaleEndpoint)
 			if loaded {
 				provider = pingProvider
 				break
 			}
 		}
 		if provider == nil {
 			return status.Error(codes.NotFound, "no Tailscale endpoint found")
 		}
 	}
 	return provider.StartTailscalePing(server.Context(), request.PeerIP, func(result *adapter.TailscalePingResult) {
 		_ = server.Send(&TailscalePingResponse{
 			LatencyMs:      result.LatencyMs,
 			IsDirect:       result.IsDirect,
 			Endpoint:       result.Endpoint,
 			DerpRegionID:   result.DERPRegionID,
 			DerpRegionCode: result.DERPRegionCode,
 			Error:          result.Error,
 		})
 	})
 }
 func (s *StartedService) mustEmbedUnimplementedStartedServiceServer() {
 }
--- a/daemon/started_service.pb.go
+++ b/daemon/started_service.pb.go
--- a/daemon/started_service.proto
+++ b/daemon/started_service.proto
@@ -26,20 +26,12 @@ service StartedService {
  rpc GetSystemProxyStatus(google.protobuf.Empty) returns(SystemProxyStatus) {}
  rpc SetSystemProxyEnabled(SetSystemProxyEnabledRequest) returns(google.protobuf.Empty) {}
  rpc TriggerDebugCrash(DebugCrashRequest) returns(google.protobuf.Empty) {}
  rpc TriggerOOMReport(google.protobuf.Empty) returns(google.protobuf.Empty) {}
  rpc SubscribeConnections(SubscribeConnectionsRequest) returns(stream ConnectionEvents) {}
  rpc CloseConnection(CloseConnectionRequest) returns(google.protobuf.Empty) {}
  rpc CloseAllConnections(google.protobuf.Empty) returns(google.protobuf.Empty) {}
  rpc GetDeprecatedWarnings(google.protobuf.Empty) returns(DeprecatedWarnings) {}
  rpc GetStartedAt(google.protobuf.Empty) returns(StartedAt) {}
  rpc SubscribeOutbounds(google.protobuf.Empty) returns (stream OutboundList) {}
  rpc StartNetworkQualityTest(NetworkQualityTestRequest) returns (stream NetworkQualityTestProgress) {}
  rpc StartSTUNTest(STUNTestRequest) returns (stream STUNTestProgress) {}
  rpc SubscribeTailscaleStatus(google.protobuf.Empty) returns (stream TailscaleStatusUpdate) {}
  rpc StartTailscalePing(TailscalePingRequest) returns (stream TailscalePingResponse) {}
 }
 message ServiceStatus {
@@ -149,15 +141,6 @@ message SetSystemProxyEnabledRequest {
  bool enabled = 1;
 }
 message DebugCrashRequest {
  enum Type {
    GO = 0;
    NATIVE = 1;
  }
  Type type = 1;
 }
 message SubscribeConnectionsRequest {
  int64 interval = 1;
 }
@@ -227,105 +210,8 @@ message DeprecatedWarning {
  string message = 1;
  bool impending = 2;
  string migrationLink = 3;
  string description = 4;
  string deprecatedVersion = 5;
  string scheduledVersion = 6;
 }
 message StartedAt {
  int64 startedAt = 1;
-}
+}
 message OutboundList {
  repeated GroupItem outbounds = 1;
 }
 message NetworkQualityTestRequest {
  string configURL = 1;
  string outboundTag = 2;
  bool serial = 3;
  int32 maxRuntimeSeconds = 4;
  bool http3 = 5;
 }
 message NetworkQualityTestProgress {
  int32 phase = 1;
  int64 downloadCapacity = 2;
  int64 uploadCapacity = 3;
  int32 downloadRPM = 4;
  int32 uploadRPM = 5;
  int32 idleLatencyMs = 6;
  int64 elapsedMs = 7;
  bool isFinal = 8;
  string error = 9;
  int32 downloadCapacityAccuracy = 10;
  int32 uploadCapacityAccuracy = 11;
  int32 downloadRPMAccuracy = 12;
  int32 uploadRPMAccuracy = 13;
 }
 message STUNTestRequest {
  string server = 1;
  string outboundTag = 2;
 }
 message STUNTestProgress {
  int32 phase = 1;
  string externalAddr = 2;
  int32 latencyMs = 3;
  int32 natMapping = 4;
  int32 natFiltering = 5;
  bool isFinal = 6;
  string error = 7;
  bool natTypeSupported = 8;
 }
 message TailscaleStatusUpdate {
  repeated TailscaleEndpointStatus endpoints = 1;
 }
 message TailscaleEndpointStatus {
  string endpointTag = 1;
  string backendState = 2;
  string authURL = 3;
  string networkName = 4;
  string magicDNSSuffix = 5;
  TailscalePeer self = 6;
  repeated TailscaleUserGroup userGroups = 7;
 }
 message TailscaleUserGroup {
  int64 userID = 1;
  string loginName = 2;
  string displayName = 3;
  string profilePicURL = 4;
  repeated TailscalePeer peers = 5;
 }
 message TailscalePeer {
  string hostName = 1;
  string dnsName = 2;
  string os = 3;
  repeated string tailscaleIPs = 4;
  bool online = 5;
  bool exitNode = 6;
  bool exitNodeOption = 7;
  bool active = 8;
  int64 rxBytes = 9;
  int64 txBytes = 10;
  int64 keyExpiry = 11;
 }
 message TailscalePingRequest {
  string endpointTag = 1;
  string peerIP = 2;
 }
 message TailscalePingResponse {
  double latencyMs = 1;
  bool isDirect = 2;
  string endpoint = 3;
  int32 derpRegionID = 4;
  string derpRegionCode = 5;
  string error = 6;
 }
--- a/daemon/started_service_grpc.pb.go
+++ b/daemon/started_service_grpc.pb.go
@@ -15,34 +15,27 @@ import (
 const _ = grpc.SupportPackageIsVersion9
 const (
-	StartedService_StopService_FullMethodName              = "/daemon.StartedService/StopService"
+	StartedService_StopService_FullMethodName            = "/daemon.StartedService/StopService"
-	StartedService_ReloadService_FullMethodName            = "/daemon.StartedService/ReloadService"
+	StartedService_ReloadService_FullMethodName          = "/daemon.StartedService/ReloadService"
-	StartedService_SubscribeServiceStatus_FullMethodName   = "/daemon.StartedService/SubscribeServiceStatus"
+	StartedService_SubscribeServiceStatus_FullMethodName = "/daemon.StartedService/SubscribeServiceStatus"
-	StartedService_SubscribeLog_FullMethodName             = "/daemon.StartedService/SubscribeLog"
+	StartedService_SubscribeLog_FullMethodName           = "/daemon.StartedService/SubscribeLog"
-	StartedService_GetDefaultLogLevel_FullMethodName       = "/daemon.StartedService/GetDefaultLogLevel"
+	StartedService_GetDefaultLogLevel_FullMethodName     = "/daemon.StartedService/GetDefaultLogLevel"
-	StartedService_ClearLogs_FullMethodName                = "/daemon.StartedService/ClearLogs"
+	StartedService_ClearLogs_FullMethodName              = "/daemon.StartedService/ClearLogs"
-	StartedService_SubscribeStatus_FullMethodName          = "/daemon.StartedService/SubscribeStatus"
+	StartedService_SubscribeStatus_FullMethodName        = "/daemon.StartedService/SubscribeStatus"
-	StartedService_SubscribeGroups_FullMethodName          = "/daemon.StartedService/SubscribeGroups"
+	StartedService_SubscribeGroups_FullMethodName        = "/daemon.StartedService/SubscribeGroups"
-	StartedService_GetClashModeStatus_FullMethodName       = "/daemon.StartedService/GetClashModeStatus"
+	StartedService_GetClashModeStatus_FullMethodName     = "/daemon.StartedService/GetClashModeStatus"
-	StartedService_SubscribeClashMode_FullMethodName       = "/daemon.StartedService/SubscribeClashMode"
+	StartedService_SubscribeClashMode_FullMethodName     = "/daemon.StartedService/SubscribeClashMode"
-	StartedService_SetClashMode_FullMethodName             = "/daemon.StartedService/SetClashMode"
+	StartedService_SetClashMode_FullMethodName           = "/daemon.StartedService/SetClashMode"
-	StartedService_URLTest_FullMethodName                  = "/daemon.StartedService/URLTest"
+	StartedService_URLTest_FullMethodName                = "/daemon.StartedService/URLTest"
-	StartedService_SelectOutbound_FullMethodName           = "/daemon.StartedService/SelectOutbound"
+	StartedService_SelectOutbound_FullMethodName         = "/daemon.StartedService/SelectOutbound"
-	StartedService_SetGroupExpand_FullMethodName           = "/daemon.StartedService/SetGroupExpand"
+	StartedService_SetGroupExpand_FullMethodName         = "/daemon.StartedService/SetGroupExpand"
-	StartedService_GetSystemProxyStatus_FullMethodName     = "/daemon.StartedService/GetSystemProxyStatus"
+	StartedService_GetSystemProxyStatus_FullMethodName   = "/daemon.StartedService/GetSystemProxyStatus"
-	StartedService_SetSystemProxyEnabled_FullMethodName    = "/daemon.StartedService/SetSystemProxyEnabled"
+	StartedService_SetSystemProxyEnabled_FullMethodName  = "/daemon.StartedService/SetSystemProxyEnabled"
-	StartedService_TriggerDebugCrash_FullMethodName        = "/daemon.StartedService/TriggerDebugCrash"
+	StartedService_SubscribeConnections_FullMethodName   = "/daemon.StartedService/SubscribeConnections"
-	StartedService_TriggerOOMReport_FullMethodName         = "/daemon.StartedService/TriggerOOMReport"
+	StartedService_CloseConnection_FullMethodName        = "/daemon.StartedService/CloseConnection"
-	StartedService_SubscribeConnections_FullMethodName     = "/daemon.StartedService/SubscribeConnections"
+	StartedService_CloseAllConnections_FullMethodName    = "/daemon.StartedService/CloseAllConnections"
-	StartedService_CloseConnection_FullMethodName          = "/daemon.StartedService/CloseConnection"
+	StartedService_GetDeprecatedWarnings_FullMethodName  = "/daemon.StartedService/GetDeprecatedWarnings"
-	StartedService_CloseAllConnections_FullMethodName      = "/daemon.StartedService/CloseAllConnections"
+	StartedService_GetStartedAt_FullMethodName           = "/daemon.StartedService/GetStartedAt"
 	StartedService_GetDeprecatedWarnings_FullMethodName    = "/daemon.StartedService/GetDeprecatedWarnings"
 	StartedService_GetStartedAt_FullMethodName             = "/daemon.StartedService/GetStartedAt"
 	StartedService_SubscribeOutbounds_FullMethodName       = "/daemon.StartedService/SubscribeOutbounds"
 	StartedService_StartNetworkQualityTest_FullMethodName  = "/daemon.StartedService/StartNetworkQualityTest"
 	StartedService_StartSTUNTest_FullMethodName            = "/daemon.StartedService/StartSTUNTest"
 	StartedService_SubscribeTailscaleStatus_FullMethodName = "/daemon.StartedService/SubscribeTailscaleStatus"
 	StartedService_StartTailscalePing_FullMethodName       = "/daemon.StartedService/StartTailscalePing"
 )
 // StartedServiceClient is the client API for StartedService service.
@@ -65,18 +58,11 @@ type StartedServiceClient interface {
 	SetGroupExpand(ctx context.Context, in *SetGroupExpandRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	GetSystemProxyStatus(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*SystemProxyStatus, error)
 	SetSystemProxyEnabled(ctx context.Context, in *SetSystemProxyEnabledRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	TriggerDebugCrash(ctx context.Context, in *DebugCrashRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	TriggerOOMReport(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	SubscribeConnections(ctx context.Context, in *SubscribeConnectionsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[ConnectionEvents], error)
 	CloseConnection(ctx context.Context, in *CloseConnectionRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	CloseAllConnections(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	GetDeprecatedWarnings(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*DeprecatedWarnings, error)
 	GetStartedAt(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*StartedAt, error)
 	SubscribeOutbounds(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[OutboundList], error)
 	StartNetworkQualityTest(ctx context.Context, in *NetworkQualityTestRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[NetworkQualityTestProgress], error)
 	StartSTUNTest(ctx context.Context, in *STUNTestRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[STUNTestProgress], error)
 	SubscribeTailscaleStatus(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[TailscaleStatusUpdate], error)
 	StartTailscalePing(ctx context.Context, in *TailscalePingRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[TailscalePingResponse], error)
 }
 type startedServiceClient struct {
@@ -292,26 +278,6 @@ func (c *startedServiceClient) SetSystemProxyEnabled(ctx context.Context, in *Se
 	return out, nil
 }
 func (c *startedServiceClient) TriggerDebugCrash(ctx context.Context, in *DebugCrashRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(emptypb.Empty)
 	err := c.cc.Invoke(ctx, StartedService_TriggerDebugCrash_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }
 func (c *startedServiceClient) TriggerOOMReport(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(emptypb.Empty)
 	err := c.cc.Invoke(ctx, StartedService_TriggerOOMReport_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }
 func (c *startedServiceClient) SubscribeConnections(ctx context.Context, in *SubscribeConnectionsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[ConnectionEvents], error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[5], StartedService_SubscribeConnections_FullMethodName, cOpts...)
@@ -371,101 +337,6 @@ func (c *startedServiceClient) GetStartedAt(ctx context.Context, in *emptypb.Emp
 	return out, nil
 }
 func (c *startedServiceClient) SubscribeOutbounds(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[OutboundList], error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[6], StartedService_SubscribeOutbounds_FullMethodName, cOpts...)
 	if err != nil {
 		return nil, err
 	}
 	x := &grpc.GenericClientStream[emptypb.Empty, OutboundList]{ClientStream: stream}
 	if err := x.ClientStream.SendMsg(in); err != nil {
 		return nil, err
 	}
 	if err := x.ClientStream.CloseSend(); err != nil {
 		return nil, err
 	}
 	return x, nil
 }
 // This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
 type StartedService_SubscribeOutboundsClient = grpc.ServerStreamingClient[OutboundList]
 func (c *startedServiceClient) StartNetworkQualityTest(ctx context.Context, in *NetworkQualityTestRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[NetworkQualityTestProgress], error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[7], StartedService_StartNetworkQualityTest_FullMethodName, cOpts...)
 	if err != nil {
 		return nil, err
 	}
 	x := &grpc.GenericClientStream[NetworkQualityTestRequest, NetworkQualityTestProgress]{ClientStream: stream}
 	if err := x.ClientStream.SendMsg(in); err != nil {
 		return nil, err
 	}
 	if err := x.ClientStream.CloseSend(); err != nil {
 		return nil, err
 	}
 	return x, nil
 }
 // This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
 type StartedService_StartNetworkQualityTestClient = grpc.ServerStreamingClient[NetworkQualityTestProgress]
 func (c *startedServiceClient) StartSTUNTest(ctx context.Context, in *STUNTestRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[STUNTestProgress], error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[8], StartedService_StartSTUNTest_FullMethodName, cOpts...)
 	if err != nil {
 		return nil, err
 	}
 	x := &grpc.GenericClientStream[STUNTestRequest, STUNTestProgress]{ClientStream: stream}
 	if err := x.ClientStream.SendMsg(in); err != nil {
 		return nil, err
 	}
 	if err := x.ClientStream.CloseSend(); err != nil {
 		return nil, err
 	}
 	return x, nil
 }
 // This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
 type StartedService_StartSTUNTestClient = grpc.ServerStreamingClient[STUNTestProgress]
 func (c *startedServiceClient) SubscribeTailscaleStatus(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[TailscaleStatusUpdate], error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[9], StartedService_SubscribeTailscaleStatus_FullMethodName, cOpts...)
 	if err != nil {
 		return nil, err
 	}
 	x := &grpc.GenericClientStream[emptypb.Empty, TailscaleStatusUpdate]{ClientStream: stream}
 	if err := x.ClientStream.SendMsg(in); err != nil {
 		return nil, err
 	}
 	if err := x.ClientStream.CloseSend(); err != nil {
 		return nil, err
 	}
 	return x, nil
 }
 // This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
 type StartedService_SubscribeTailscaleStatusClient = grpc.ServerStreamingClient[TailscaleStatusUpdate]
 func (c *startedServiceClient) StartTailscalePing(ctx context.Context, in *TailscalePingRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[TailscalePingResponse], error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[10], StartedService_StartTailscalePing_FullMethodName, cOpts...)
 	if err != nil {
 		return nil, err
 	}
 	x := &grpc.GenericClientStream[TailscalePingRequest, TailscalePingResponse]{ClientStream: stream}
 	if err := x.ClientStream.SendMsg(in); err != nil {
 		return nil, err
 	}
 	if err := x.ClientStream.CloseSend(); err != nil {
 		return nil, err
 	}
 	return x, nil
 }
 // This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
 type StartedService_StartTailscalePingClient = grpc.ServerStreamingClient[TailscalePingResponse]
 // StartedServiceServer is the server API for StartedService service.
 // All implementations must embed UnimplementedStartedServiceServer
 // for forward compatibility.
@@ -486,18 +357,11 @@ type StartedServiceServer interface {
 	SetGroupExpand(context.Context, *SetGroupExpandRequest) (*emptypb.Empty, error)
 	GetSystemProxyStatus(context.Context, *emptypb.Empty) (*SystemProxyStatus, error)
 	SetSystemProxyEnabled(context.Context, *SetSystemProxyEnabledRequest) (*emptypb.Empty, error)
 	TriggerDebugCrash(context.Context, *DebugCrashRequest) (*emptypb.Empty, error)
 	TriggerOOMReport(context.Context, *emptypb.Empty) (*emptypb.Empty, error)
 	SubscribeConnections(*SubscribeConnectionsRequest, grpc.ServerStreamingServer[ConnectionEvents]) error
 	CloseConnection(context.Context, *CloseConnectionRequest) (*emptypb.Empty, error)
 	CloseAllConnections(context.Context, *emptypb.Empty) (*emptypb.Empty, error)
 	GetDeprecatedWarnings(context.Context, *emptypb.Empty) (*DeprecatedWarnings, error)
 	GetStartedAt(context.Context, *emptypb.Empty) (*StartedAt, error)
 	SubscribeOutbounds(*emptypb.Empty, grpc.ServerStreamingServer[OutboundList]) error
 	StartNetworkQualityTest(*NetworkQualityTestRequest, grpc.ServerStreamingServer[NetworkQualityTestProgress]) error
 	StartSTUNTest(*STUNTestRequest, grpc.ServerStreamingServer[STUNTestProgress]) error
 	SubscribeTailscaleStatus(*emptypb.Empty, grpc.ServerStreamingServer[TailscaleStatusUpdate]) error
 	StartTailscalePing(*TailscalePingRequest, grpc.ServerStreamingServer[TailscalePingResponse]) error
 	mustEmbedUnimplementedStartedServiceServer()
 }
@@ -572,14 +436,6 @@ func (UnimplementedStartedServiceServer) SetSystemProxyEnabled(context.Context,
 	return nil, status.Error(codes.Unimplemented, "method SetSystemProxyEnabled not implemented")
 }
 func (UnimplementedStartedServiceServer) TriggerDebugCrash(context.Context, *DebugCrashRequest) (*emptypb.Empty, error) {
 	return nil, status.Error(codes.Unimplemented, "method TriggerDebugCrash not implemented")
 }
 func (UnimplementedStartedServiceServer) TriggerOOMReport(context.Context, *emptypb.Empty) (*emptypb.Empty, error) {
 	return nil, status.Error(codes.Unimplemented, "method TriggerOOMReport not implemented")
 }
 func (UnimplementedStartedServiceServer) SubscribeConnections(*SubscribeConnectionsRequest, grpc.ServerStreamingServer[ConnectionEvents]) error {
 	return status.Error(codes.Unimplemented, "method SubscribeConnections not implemented")
 }
@@ -599,26 +455,6 @@ func (UnimplementedStartedServiceServer) GetDeprecatedWarnings(context.Context,
 func (UnimplementedStartedServiceServer) GetStartedAt(context.Context, *emptypb.Empty) (*StartedAt, error) {
 	return nil, status.Error(codes.Unimplemented, "method GetStartedAt not implemented")
 }
 func (UnimplementedStartedServiceServer) SubscribeOutbounds(*emptypb.Empty, grpc.ServerStreamingServer[OutboundList]) error {
 	return status.Error(codes.Unimplemented, "method SubscribeOutbounds not implemented")
 }
 func (UnimplementedStartedServiceServer) StartNetworkQualityTest(*NetworkQualityTestRequest, grpc.ServerStreamingServer[NetworkQualityTestProgress]) error {
 	return status.Error(codes.Unimplemented, "method StartNetworkQualityTest not implemented")
 }
 func (UnimplementedStartedServiceServer) StartSTUNTest(*STUNTestRequest, grpc.ServerStreamingServer[STUNTestProgress]) error {
 	return status.Error(codes.Unimplemented, "method StartSTUNTest not implemented")
 }
 func (UnimplementedStartedServiceServer) SubscribeTailscaleStatus(*emptypb.Empty, grpc.ServerStreamingServer[TailscaleStatusUpdate]) error {
 	return status.Error(codes.Unimplemented, "method SubscribeTailscaleStatus not implemented")
 }
 func (UnimplementedStartedServiceServer) StartTailscalePing(*TailscalePingRequest, grpc.ServerStreamingServer[TailscalePingResponse]) error {
 	return status.Error(codes.Unimplemented, "method StartTailscalePing not implemented")
 }
 func (UnimplementedStartedServiceServer) mustEmbedUnimplementedStartedServiceServer() {}
 func (UnimplementedStartedServiceServer) testEmbeddedByValue()                        {}
@@ -893,42 +729,6 @@ func _StartedService_SetSystemProxyEnabled_Handler(srv interface{}, ctx context.
 	return interceptor(ctx, in, info, handler)
 }
 func _StartedService_TriggerDebugCrash_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(DebugCrashRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
 		return srv.(StartedServiceServer).TriggerDebugCrash(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
 		FullMethod: StartedService_TriggerDebugCrash_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(StartedServiceServer).TriggerDebugCrash(ctx, req.(*DebugCrashRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
 func _StartedService_TriggerOOMReport_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(emptypb.Empty)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
 		return srv.(StartedServiceServer).TriggerOOMReport(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
 		FullMethod: StartedService_TriggerOOMReport_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(StartedServiceServer).TriggerOOMReport(ctx, req.(*emptypb.Empty))
 	}
 	return interceptor(ctx, in, info, handler)
 }
 func _StartedService_SubscribeConnections_Handler(srv interface{}, stream grpc.ServerStream) error {
 	m := new(SubscribeConnectionsRequest)
 	if err := stream.RecvMsg(m); err != nil {
@@ -1012,61 +812,6 @@ func _StartedService_GetStartedAt_Handler(srv interface{}, ctx context.Context,
 	return interceptor(ctx, in, info, handler)
 }
 func _StartedService_SubscribeOutbounds_Handler(srv interface{}, stream grpc.ServerStream) error {
 	m := new(emptypb.Empty)
 	if err := stream.RecvMsg(m); err != nil {
 		return err
 	}
 	return srv.(StartedServiceServer).SubscribeOutbounds(m, &grpc.GenericServerStream[emptypb.Empty, OutboundList]{ServerStream: stream})
 }
 // This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
 type StartedService_SubscribeOutboundsServer = grpc.ServerStreamingServer[OutboundList]
 func _StartedService_StartNetworkQualityTest_Handler(srv interface{}, stream grpc.ServerStream) error {
 	m := new(NetworkQualityTestRequest)
 	if err := stream.RecvMsg(m); err != nil {
 		return err
 	}
 	return srv.(StartedServiceServer).StartNetworkQualityTest(m, &grpc.GenericServerStream[NetworkQualityTestRequest, NetworkQualityTestProgress]{ServerStream: stream})
 }
 // This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
 type StartedService_StartNetworkQualityTestServer = grpc.ServerStreamingServer[NetworkQualityTestProgress]
 func _StartedService_StartSTUNTest_Handler(srv interface{}, stream grpc.ServerStream) error {
 	m := new(STUNTestRequest)
 	if err := stream.RecvMsg(m); err != nil {
 		return err
 	}
 	return srv.(StartedServiceServer).StartSTUNTest(m, &grpc.GenericServerStream[STUNTestRequest, STUNTestProgress]{ServerStream: stream})
 }
 // This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
 type StartedService_StartSTUNTestServer = grpc.ServerStreamingServer[STUNTestProgress]
 func _StartedService_SubscribeTailscaleStatus_Handler(srv interface{}, stream grpc.ServerStream) error {
 	m := new(emptypb.Empty)
 	if err := stream.RecvMsg(m); err != nil {
 		return err
 	}
 	return srv.(StartedServiceServer).SubscribeTailscaleStatus(m, &grpc.GenericServerStream[emptypb.Empty, TailscaleStatusUpdate]{ServerStream: stream})
 }
 // This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
 type StartedService_SubscribeTailscaleStatusServer = grpc.ServerStreamingServer[TailscaleStatusUpdate]
 func _StartedService_StartTailscalePing_Handler(srv interface{}, stream grpc.ServerStream) error {
 	m := new(TailscalePingRequest)
 	if err := stream.RecvMsg(m); err != nil {
 		return err
 	}
 	return srv.(StartedServiceServer).StartTailscalePing(m, &grpc.GenericServerStream[TailscalePingRequest, TailscalePingResponse]{ServerStream: stream})
 }
 // This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
 type StartedService_StartTailscalePingServer = grpc.ServerStreamingServer[TailscalePingResponse]
 // StartedService_ServiceDesc is the grpc.ServiceDesc for StartedService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -1118,14 +863,6 @@ var StartedService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "SetSystemProxyEnabled",
 			Handler:    _StartedService_SetSystemProxyEnabled_Handler,
 		},
 		{
 			MethodName: "TriggerDebugCrash",
 			Handler:    _StartedService_TriggerDebugCrash_Handler,
 		},
 		{
 			MethodName: "TriggerOOMReport",
 			Handler:    _StartedService_TriggerOOMReport_Handler,
 		},
 		{
 			MethodName: "CloseConnection",
 			Handler:    _StartedService_CloseConnection_Handler,
@@ -1174,31 +911,6 @@ var StartedService_ServiceDesc = grpc.ServiceDesc{
 			Handler:       _StartedService_SubscribeConnections_Handler,
 			ServerStreams: true,
 		},
 		{
 			StreamName:    "SubscribeOutbounds",
 			Handler:       _StartedService_SubscribeOutbounds_Handler,
 			ServerStreams: true,
 		},
 		{
 			StreamName:    "StartNetworkQualityTest",
 			Handler:       _StartedService_StartNetworkQualityTest_Handler,
 			ServerStreams: true,
 		},
 		{
 			StreamName:    "StartSTUNTest",
 			Handler:       _StartedService_StartSTUNTest_Handler,
 			ServerStreams: true,
 		},
 		{
 			StreamName:    "SubscribeTailscaleStatus",
 			Handler:       _StartedService_SubscribeTailscaleStatus_Handler,
 			ServerStreams: true,
 		},
 		{
 			StreamName:    "StartTailscalePing",
 			Handler:       _StartedService_StartTailscalePing_Handler,
 			ServerStreams: true,
 		},
 	},
 	Metadata: "daemon/started_service.proto",
 }
--- a/dns/client.go
+++ b/dns/client.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"net"
 	"net/netip"
 	"strings"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
@@ -13,6 +14,7 @@ import (
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/task"
 	"github.com/sagernet/sing/contrab/freelru"
 	"github.com/sagernet/sing/contrab/maphash"
@@ -30,63 +32,59 @@ var (
 var _ adapter.DNSClient = (*Client)(nil)
 type Client struct {
-	ctx               context.Context
+	timeout            time.Duration
-	timeout           time.Duration
+	disableCache       bool
-	disableCache      bool
+	disableExpire      bool
-	disableExpire     bool
+	independentCache   bool
-	optimisticTimeout time.Duration
+	clientSubnet       netip.Prefix
-	cacheCapacity     uint32
+	rdrc               adapter.RDRCStore
-	clientSubnet      netip.Prefix
+	initRDRCFunc       func() adapter.RDRCStore
-	rdrc              adapter.RDRCStore
+	logger             logger.ContextLogger
-	initRDRCFunc      func() adapter.RDRCStore
+	cache              freelru.Cache[dns.Question, *dns.Msg]
-	dnsCache          adapter.DNSCacheStore
+	cacheLock          compatible.Map[dns.Question, chan struct{}]
-	initDNSCacheFunc  func() adapter.DNSCacheStore
+	transportCache     freelru.Cache[transportCacheKey, *dns.Msg]
-	logger            logger.ContextLogger
+	transportCacheLock compatible.Map[dns.Question, chan struct{}]
 	cache             freelru.Cache[dnsCacheKey, *dns.Msg]
 	cacheLock         compatible.Map[dnsCacheKey, chan struct{}]
 	backgroundRefresh compatible.Map[dnsCacheKey, struct{}]
 }
 type ClientOptions struct {
-	Context           context.Context
+	Timeout          time.Duration
-	Timeout           time.Duration
+	DisableCache     bool
-	DisableCache      bool
+	DisableExpire    bool
-	DisableExpire     bool
+	IndependentCache bool
-	OptimisticTimeout time.Duration
+	CacheCapacity    uint32
-	CacheCapacity     uint32
+	ClientSubnet     netip.Prefix
-	ClientSubnet      netip.Prefix
+	RDRC             func() adapter.RDRCStore
-	RDRC              func() adapter.RDRCStore
+	Logger           logger.ContextLogger
 	DNSCache          func() adapter.DNSCacheStore
 	Logger            logger.ContextLogger
 }
 func NewClient(options ClientOptions) *Client {
 	cacheCapacity := options.CacheCapacity
 	if cacheCapacity < 1024 {
 		cacheCapacity = 1024
 	}
 	client := &Client{
-		ctx:               options.Context,
+		timeout:          options.Timeout,
-		timeout:           options.Timeout,
+		disableCache:     options.DisableCache,
-		disableCache:      options.DisableCache,
+		disableExpire:    options.DisableExpire,
-		disableExpire:     options.DisableExpire,
+		independentCache: options.IndependentCache,
-		optimisticTimeout: options.OptimisticTimeout,
+		clientSubnet:     options.ClientSubnet,
-		cacheCapacity:     cacheCapacity,
+		initRDRCFunc:     options.RDRC,
-		clientSubnet:      options.ClientSubnet,
+		logger:           options.Logger,
 		initRDRCFunc:      options.RDRC,
 		initDNSCacheFunc:  options.DNSCache,
 		logger:            options.Logger,
 	}
 	if client.timeout == 0 {
 		client.timeout = C.DNSTimeout
 	}
-	if !client.disableCache && client.initDNSCacheFunc == nil {
+	cacheCapacity := options.CacheCapacity
-		client.initializeMemoryCache()
+	if cacheCapacity < 1024 {
 		cacheCapacity = 1024
 	}
 	if !client.disableCache {
 		if !client.independentCache {
 			client.cache = common.Must1(freelru.NewSharded[dns.Question, *dns.Msg](cacheCapacity, maphash.NewHasher[dns.Question]().Hash32))
 		} else {
 			client.transportCache = common.Must1(freelru.NewSharded[transportCacheKey, *dns.Msg](cacheCapacity, maphash.NewHasher[transportCacheKey]().Hash32))
 		}
 	}
 	return client
 }
-type dnsCacheKey struct {
+type transportCacheKey struct {
 	dns.Question
 	transportTag string
 }
@@ -95,19 +93,6 @@ func (c *Client) Start() {
 	if c.initRDRCFunc != nil {
 		c.rdrc = c.initRDRCFunc()
 	}
 	if c.initDNSCacheFunc != nil {
 		c.dnsCache = c.initDNSCacheFunc()
 	}
 	if c.dnsCache == nil {
 		c.initializeMemoryCache()
 	}
 }
 func (c *Client) initializeMemoryCache() {
 	if c.disableCache || c.cache != nil {
 		return
 	}
 	c.cache = common.Must1(freelru.NewSharded[dnsCacheKey, *dns.Msg](c.cacheCapacity, maphash.NewHasher[dnsCacheKey]().Hash32))
 }
 func extractNegativeTTL(response *dns.Msg) (uint32, bool) {
@@ -124,38 +109,7 @@ func extractNegativeTTL(response *dns.Msg) (uint32, bool) {
 	return 0, false
 }
-func computeTimeToLive(response *dns.Msg) uint32 {
+func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error) {
 	var timeToLive uint32
 	if len(response.Answer) == 0 {
 		if soaTTL, hasSOA := extractNegativeTTL(response); hasSOA {
 			return soaTTL
 		}
 	}
 	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
 		for _, record := range recordList {
 			if record.Header().Rrtype == dns.TypeOPT {
 				continue
 			}
 			if timeToLive == 0 || record.Header().Ttl > 0 && record.Header().Ttl < timeToLive {
 				timeToLive = record.Header().Ttl
 			}
 		}
 	}
 	return timeToLive
 }
 func normalizeTTL(response *dns.Msg, timeToLive uint32) {
 	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
 		for _, record := range recordList {
 			if record.Header().Rrtype == dns.TypeOPT {
 				continue
 			}
 			record.Header().Ttl = timeToLive
 		}
 	}
 }
 func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(response *dns.Msg) bool) (*dns.Msg, error) {
 	if len(message.Question) == 0 {
 		if c.logger != nil {
 			c.logger.WarnContext(ctx, "bad question size: ", len(message.Question))
@@ -169,7 +123,13 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		}
 		return FixedResponseStatus(message, dns.RcodeSuccess), nil
 	}
-	message = c.prepareExchangeMessage(message, options)
+	clientSubnet := options.ClientSubnet
 	if !clientSubnet.IsValid() {
 		clientSubnet = c.clientSubnet
 	}
 	if clientSubnet.IsValid() {
 		message = SetClientSubnet(message, clientSubnet)
 	}
 	isSimpleRequest := len(message.Question) == 1 &&
 		len(message.Ns) == 0 &&
@@ -181,32 +141,40 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		!options.ClientSubnet.IsValid()
 	disableCache := !isSimpleRequest || c.disableCache || options.DisableCache
 	if !disableCache {
-		cacheKey := dnsCacheKey{Question: question, transportTag: transport.Tag()}
+		if c.cache != nil {
-		cond, loaded := c.cacheLock.LoadOrStore(cacheKey, make(chan struct{}))
+			cond, loaded := c.cacheLock.LoadOrStore(question, make(chan struct{}))
-		if loaded {
+			if loaded {
-			select {
+				select {
-			case <-cond:
+				case <-cond:
-			case <-ctx.Done():
+				case <-ctx.Done():
-				return nil, ctx.Err()
+					return nil, ctx.Err()
 				}
 			} else {
 				defer func() {
 					c.cacheLock.Delete(question)
 					close(cond)
 				}()
 			}
 		} else if c.transportCache != nil {
 			cond, loaded := c.transportCacheLock.LoadOrStore(question, make(chan struct{}))
 			if loaded {
 				select {
 				case <-cond:
 				case <-ctx.Done():
 					return nil, ctx.Err()
 				}
 			} else {
 				defer func() {
 					c.transportCacheLock.Delete(question)
 					close(cond)
 				}()
 			}
 		} else {
 			defer func() {
 				c.cacheLock.Delete(cacheKey)
 				close(cond)
 			}()
 		}
-		response, ttl, isStale := c.loadResponse(question, transport)
+		response, ttl := c.loadResponse(question, transport)
 		if response != nil {
-			if isStale && !options.DisableOptimisticCache {
+			logCachedResponse(c.logger, ctx, response, ttl)
-				c.backgroundRefreshDNS(transport, question, message.Copy(), options, responseChecker)
+			response.Id = message.Id
-				logOptimisticResponse(c.logger, ctx, response)
+			return response, nil
 				response.Id = message.Id
 				return response, nil
 			} else if !isStale {
 				logCachedResponse(c.logger, ctx, response, ttl)
 				response.Id = message.Id
 				return response, nil
 			}
 		}
 	}
@@ -222,17 +190,62 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 			return nil, ErrResponseRejectedCached
 		}
 	}
-	response, err := c.exchangeToTransport(ctx, transport, message)
+	ctx, cancel := context.WithTimeout(ctx, c.timeout)
 	response, err := transport.Exchange(ctx, message)
 	cancel()
 	if err != nil {
-		return nil, err
+		var rcodeError RcodeError
 		if errors.As(err, &rcodeError) {
 			response = FixedResponseStatus(message, int(rcodeError))
 		} else {
 			return nil, err
 		}
 	}
 	/*if question.Qtype == dns.TypeA || question.Qtype == dns.TypeAAAA {
 		validResponse := response
 	loop:
 		for {
 			var (
 				addresses  int
 				queryCNAME string
 			)
 			for _, rawRR := range validResponse.Answer {
 				switch rr := rawRR.(type) {
 				case *dns.A:
 					break loop
 				case *dns.AAAA:
 					break loop
 				case *dns.CNAME:
 					queryCNAME = rr.Target
 				}
 			}
 			if queryCNAME == "" {
 				break
 			}
 			exMessage := *message
 			exMessage.Question = []dns.Question{{
 				Name:  queryCNAME,
 				Qtype: question.Qtype,
 			}}
 			validResponse, err = c.Exchange(ctx, transport, &exMessage, options, responseChecker)
 			if err != nil {
 				return nil, err
 			}
 		}
 		if validResponse != response {
 			response.Answer = append(response.Answer, validResponse.Answer...)
 		}
 	}*/
 	disableCache = disableCache || (response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError)
 	if responseChecker != nil {
 		var rejected bool
 		// TODO: add accept_any rule and support to check response instead of addresses
 		if response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError {
 			rejected = true
 		} else if len(response.Answer) == 0 {
 			rejected = !responseChecker(nil)
 		} else {
-			rejected = !responseChecker(response)
+			rejected = !responseChecker(MessageToAddresses(response))
 		}
 		if rejected {
 			if !disableCache && c.rdrc != nil {
@@ -242,7 +255,54 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 			return response, ErrResponseRejected
 		}
 	}
-	timeToLive := applyResponseOptions(question, response, options)
+	if question.Qtype == dns.TypeHTTPS {
 		if options.Strategy == C.DomainStrategyIPv4Only || options.Strategy == C.DomainStrategyIPv6Only {
 			for _, rr := range response.Answer {
 				https, isHTTPS := rr.(*dns.HTTPS)
 				if !isHTTPS {
 					continue
 				}
 				content := https.SVCB
 				content.Value = common.Filter(content.Value, func(it dns.SVCBKeyValue) bool {
 					if options.Strategy == C.DomainStrategyIPv4Only {
 						return it.Key() != dns.SVCB_IPV6HINT
 					} else {
 						return it.Key() != dns.SVCB_IPV4HINT
 					}
 				})
 				https.SVCB = content
 			}
 		}
 	}
 	var timeToLive uint32
 	if len(response.Answer) == 0 {
 		if soaTTL, hasSOA := extractNegativeTTL(response); hasSOA {
 			timeToLive = soaTTL
 		}
 	}
 	if timeToLive == 0 {
 		for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
 			for _, record := range recordList {
 				if record.Header().Rrtype == dns.TypeOPT {
 					continue
 				}
 				if timeToLive == 0 || record.Header().Ttl > 0 && record.Header().Ttl < timeToLive {
 					timeToLive = record.Header().Ttl
 				}
 			}
 		}
 	}
 	if options.RewriteTTL != nil {
 		timeToLive = *options.RewriteTTL
 	}
 	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
 		for _, record := range recordList {
 			if record.Header().Rrtype == dns.TypeOPT {
 				continue
 			}
 			record.Header().Ttl = timeToLive
 		}
 	}
 	if !disableCache {
 		c.storeCache(transport, question, response, timeToLive)
 	}
@@ -261,7 +321,7 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 	return response, nil
 }
-func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, domain string, options adapter.DNSQueryOptions, responseChecker func(response *dns.Msg) bool) ([]netip.Addr, error) {
+func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, domain string, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error) {
 	domain = FqdnToDomain(domain)
 	dnsName := dns.Fqdn(domain)
 	var strategy C.DomainStrategy
@@ -308,12 +368,8 @@ func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, dom
 func (c *Client) ClearCache() {
 	if c.cache != nil {
 		c.cache.Purge()
-	}
+	} else if c.transportCache != nil {
-	if c.dnsCache != nil {
+		c.transportCache.Purge()
 		err := c.dnsCache.ClearDNSCache()
 		if err != nil && c.logger != nil {
 			c.logger.Warn("clear DNS cache: ", err)
 		}
 	}
 }
@@ -329,44 +385,46 @@ func (c *Client) storeCache(transport adapter.DNSTransport, question dns.Questio
 	if timeToLive == 0 {
 		return
 	}
 	if c.dnsCache != nil {
 		packed, err := message.Pack()
 		if err == nil {
 			expireAt := time.Now().Add(time.Second * time.Duration(timeToLive))
 			c.dnsCache.SaveDNSCacheAsync(transport.Tag(), question.Name, question.Qtype, packed, expireAt, c.logger)
 		}
 		return
 	}
 	if c.cache == nil {
 		return
 	}
 	key := dnsCacheKey{Question: question, transportTag: transport.Tag()}
 	if c.disableExpire {
-		c.cache.Add(key, message.Copy())
+		if !c.independentCache {
 			c.cache.Add(question, message.Copy())
 		} else {
 			c.transportCache.Add(transportCacheKey{
 				Question:     question,
 				transportTag: transport.Tag(),
 			}, message.Copy())
 		}
 	} else {
-		c.cache.AddWithLifetime(key, message.Copy(), time.Second*time.Duration(timeToLive))
+		if !c.independentCache {
 			c.cache.AddWithLifetime(question, message.Copy(), time.Second*time.Duration(timeToLive))
 		} else {
 			c.transportCache.AddWithLifetime(transportCacheKey{
 				Question:     question,
 				transportTag: transport.Tag(),
 			}, message.Copy(), time.Second*time.Duration(timeToLive))
 		}
 	}
 }
-func (c *Client) lookupToExchange(ctx context.Context, transport adapter.DNSTransport, name string, qType uint16, options adapter.DNSQueryOptions, responseChecker func(response *dns.Msg) bool) ([]netip.Addr, error) {
+func (c *Client) lookupToExchange(ctx context.Context, transport adapter.DNSTransport, name string, qType uint16, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error) {
 	question := dns.Question{
 		Name:   name,
 		Qtype:  qType,
 		Qclass: dns.ClassINET,
 	}
 	disableCache := c.disableCache || options.DisableCache
 	if !disableCache {
 		cachedAddresses, err := c.questionCache(question, transport)
 		if err != ErrNotCached {
 			return cachedAddresses, err
 		}
 	}
 	message := dns.Msg{
 		MsgHdr: dns.MsgHdr{
 			RecursionDesired: true,
 		},
 		Question: []dns.Question{question},
 	}
 	disableCache := c.disableCache || options.DisableCache
 	if !disableCache {
 		cachedAddresses, err := c.questionCache(ctx, transport, &message, options, responseChecker)
 		if err != ErrNotCached {
 			return cachedAddresses, err
 		}
 	}
 	response, err := c.Exchange(ctx, transport, &message, options, responseChecker)
 	if err != nil {
 		return nil, err
@@ -377,181 +435,120 @@ func (c *Client) lookupToExchange(ctx context.Context, transport adapter.DNSTran
 	return MessageToAddresses(response), nil
 }
-func (c *Client) questionCache(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(response *dns.Msg) bool) ([]netip.Addr, error) {
+func (c *Client) questionCache(question dns.Question, transport adapter.DNSTransport) ([]netip.Addr, error) {
-	question := message.Question[0]
+	response, _ := c.loadResponse(question, transport)
 	response, _, isStale := c.loadResponse(question, transport)
 	if response == nil {
 		return nil, ErrNotCached
 	}
 	if isStale {
 		if options.DisableOptimisticCache {
 			return nil, ErrNotCached
 		}
 		c.backgroundRefreshDNS(transport, question, c.prepareExchangeMessage(message.Copy(), options), options, responseChecker)
 		logOptimisticResponse(c.logger, ctx, response)
 	}
 	if response.Rcode != dns.RcodeSuccess {
 		return nil, RcodeError(response.Rcode)
 	}
 	return MessageToAddresses(response), nil
 }
-func (c *Client) loadResponse(question dns.Question, transport adapter.DNSTransport) (*dns.Msg, int, bool) {
+func (c *Client) loadResponse(question dns.Question, transport adapter.DNSTransport) (*dns.Msg, int) {
-	if c.dnsCache != nil {
+	var (
-		return c.loadPersistentResponse(question, transport)
+		response *dns.Msg
-	}
+		loaded   bool
-	if c.cache == nil {
+	)
 		return nil, 0, false
 	}
 	key := dnsCacheKey{Question: question, transportTag: transport.Tag()}
 	if c.disableExpire {
-		response, loaded := c.cache.Get(key)
+		if !c.independentCache {
-		if !loaded {
+			response, loaded = c.cache.Get(question)
-			return nil, 0, false
+		} else {
-		}
+			response, loaded = c.transportCache.Get(transportCacheKey{
-		return response.Copy(), 0, false
+				Question:     question,
-	}
+				transportTag: transport.Tag(),
 	response, expireAt, loaded := c.cache.GetWithLifetimeNoExpire(key)
 	if !loaded {
 		return nil, 0, false
 	}
 	timeNow := time.Now()
 	if timeNow.After(expireAt) {
 		if c.optimisticTimeout > 0 && timeNow.Before(expireAt.Add(c.optimisticTimeout)) {
 			response = response.Copy()
 			normalizeTTL(response, 1)
 			return response, 0, true
 		}
 		c.cache.Remove(key)
 		return nil, 0, false
 	}
 	nowTTL := int(expireAt.Sub(timeNow).Seconds())
 	if nowTTL < 0 {
 		nowTTL = 0
 	}
 	response = response.Copy()
 	normalizeTTL(response, uint32(nowTTL))
 	return response, nowTTL, false
 }
 func (c *Client) loadPersistentResponse(question dns.Question, transport adapter.DNSTransport) (*dns.Msg, int, bool) {
 	rawMessage, expireAt, loaded := c.dnsCache.LoadDNSCache(transport.Tag(), question.Name, question.Qtype)
 	if !loaded {
 		return nil, 0, false
 	}
 	response := new(dns.Msg)
 	err := response.Unpack(rawMessage)
 	if err != nil {
 		return nil, 0, false
 	}
 	if c.disableExpire {
 		return response, 0, false
 	}
 	timeNow := time.Now()
 	if timeNow.After(expireAt) {
 		if c.optimisticTimeout > 0 && timeNow.Before(expireAt.Add(c.optimisticTimeout)) {
 			normalizeTTL(response, 1)
 			return response, 0, true
 		}
 		return nil, 0, false
 	}
 	nowTTL := int(expireAt.Sub(timeNow).Seconds())
 	if nowTTL < 0 {
 		nowTTL = 0
 	}
 	normalizeTTL(response, uint32(nowTTL))
 	return response, nowTTL, false
 }
 func applyResponseOptions(question dns.Question, response *dns.Msg, options adapter.DNSQueryOptions) uint32 {
 	if question.Qtype == dns.TypeHTTPS && (options.Strategy == C.DomainStrategyIPv4Only || options.Strategy == C.DomainStrategyIPv6Only) {
 		for _, rr := range response.Answer {
 			https, isHTTPS := rr.(*dns.HTTPS)
 			if !isHTTPS {
 				continue
 			}
 			content := https.SVCB
 			content.Value = common.Filter(content.Value, func(it dns.SVCBKeyValue) bool {
 				if options.Strategy == C.DomainStrategyIPv4Only {
 					return it.Key() != dns.SVCB_IPV6HINT
 				}
 				return it.Key() != dns.SVCB_IPV4HINT
 			})
 			https.SVCB = content
 		}
-	}
+		if !loaded {
-	timeToLive := computeTimeToLive(response)
+			return nil, 0
 	if options.RewriteTTL != nil {
 		timeToLive = *options.RewriteTTL
 	}
 	normalizeTTL(response, timeToLive)
 	return timeToLive
 }
 func (c *Client) backgroundRefreshDNS(transport adapter.DNSTransport, question dns.Question, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(response *dns.Msg) bool) {
 	key := dnsCacheKey{Question: question, transportTag: transport.Tag()}
 	_, loaded := c.backgroundRefresh.LoadOrStore(key, struct{}{})
 	if loaded {
 		return
 	}
 	go func() {
 		defer c.backgroundRefresh.Delete(key)
 		ctx := contextWithTransportTag(c.ctx, transport.Tag())
 		response, err := c.exchangeToTransport(ctx, transport, message)
 		if err != nil {
 			if c.logger != nil {
 				c.logger.Debug("optimistic refresh failed for ", FqdnToDomain(question.Name), ": ", err)
 			}
 			return
 		}
-		if responseChecker != nil {
+		return response.Copy(), 0
-			var rejected bool
+	} else {
-			if response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError {
+		var expireAt time.Time
-				rejected = true
+		if !c.independentCache {
 			response, expireAt, loaded = c.cache.GetWithLifetime(question)
 		} else {
 			response, expireAt, loaded = c.transportCache.GetWithLifetime(transportCacheKey{
 				Question:     question,
 				transportTag: transport.Tag(),
 			})
 		}
 		if !loaded {
 			return nil, 0
 		}
 		timeNow := time.Now()
 		if timeNow.After(expireAt) {
 			if !c.independentCache {
 				c.cache.Remove(question)
 			} else {
-				rejected = !responseChecker(response)
+				c.transportCache.Remove(transportCacheKey{
 					Question:     question,
 					transportTag: transport.Tag(),
 				})
 			}
-			if rejected {
+			return nil, 0
 				if c.rdrc != nil {
 					c.rdrc.SaveRDRCAsync(transport.Tag(), question.Name, question.Qtype, c.logger)
 				}
 				return
 			}
 		} else if response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError {
 			return
 		}
-		timeToLive := applyResponseOptions(question, response, options)
+		var originTTL int
-		c.storeCache(transport, question, response, timeToLive)
+		for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
-	}()
+			for _, record := range recordList {
-}
+				if record.Header().Rrtype == dns.TypeOPT {
-
+					continue
-func (c *Client) prepareExchangeMessage(message *dns.Msg, options adapter.DNSQueryOptions) *dns.Msg {
+				}
-	clientSubnet := options.ClientSubnet
+				if originTTL == 0 || record.Header().Ttl > 0 && int(record.Header().Ttl) < originTTL {
-	if !clientSubnet.IsValid() {
+					originTTL = int(record.Header().Ttl)
-		clientSubnet = c.clientSubnet
+				}
 			}
 		}
 		nowTTL := int(expireAt.Sub(timeNow).Seconds())
 		if nowTTL < 0 {
 			nowTTL = 0
 		}
 		response = response.Copy()
 		if originTTL > 0 {
 			duration := uint32(originTTL - nowTTL)
 			for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
 				for _, record := range recordList {
 					if record.Header().Rrtype == dns.TypeOPT {
 						continue
 					}
 					record.Header().Ttl = record.Header().Ttl - duration
 				}
 			}
 		} else {
 			for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
 				for _, record := range recordList {
 					if record.Header().Rrtype == dns.TypeOPT {
 						continue
 					}
 					record.Header().Ttl = uint32(nowTTL)
 				}
 			}
 		}
 		return response, nowTTL
 	}
 	if clientSubnet.IsValid() {
 		message = SetClientSubnet(message, clientSubnet)
 	}
 	return message
 }
 func (c *Client) exchangeToTransport(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg) (*dns.Msg, error) {
 	ctx, cancel := context.WithTimeout(ctx, c.timeout)
 	defer cancel()
 	response, err := transport.Exchange(ctx, message)
 	if err == nil {
 		return response, nil
 	}
 	var rcodeError RcodeError
 	if errors.As(err, &rcodeError) {
 		return FixedResponseStatus(message, int(rcodeError)), nil
 	}
 	return nil, err
 }
 func MessageToAddresses(response *dns.Msg) []netip.Addr {
-	return adapter.DNSResponseAddresses(response)
+	if response == nil || response.Rcode != dns.RcodeSuccess {
 		return nil
 	}
 	addresses := make([]netip.Addr, 0, len(response.Answer))
 	for _, rawAnswer := range response.Answer {
 		switch answer := rawAnswer.(type) {
 		case *dns.A:
 			addresses = append(addresses, M.AddrFromIP(answer.A))
 		case *dns.AAAA:
 			addresses = append(addresses, M.AddrFromIP(answer.AAAA))
 		case *dns.HTTPS:
 			for _, value := range answer.SVCB.Value {
 				if value.Key() == dns.SVCB_IPV4HINT || value.Key() == dns.SVCB_IPV6HINT {
 					addresses = append(addresses, common.Map(strings.Split(value.String(), ","), M.ParseAddr)...)
 				}
 			}
 		}
 	}
 	return addresses
 }
 func wrapError(err error) error {
--- a/dns/client_log.go
+++ b/dns/client_log.go
@@ -22,19 +22,6 @@ func logCachedResponse(logger logger.ContextLogger, ctx context.Context, respons
 	}
 }
 func logOptimisticResponse(logger logger.ContextLogger, ctx context.Context, response *dns.Msg) {
 	if logger == nil || len(response.Question) == 0 {
 		return
 	}
 	domain := FqdnToDomain(response.Question[0].Name)
 	logger.DebugContext(ctx, "optimistic ", domain, " ", dns.RcodeToString[response.Rcode])
 	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
 		for _, record := range recordList {
 			logger.InfoContext(ctx, "optimistic ", dns.Type(record.Header().Rrtype).String(), " ", FormatQuestion(record.String()))
 		}
 	}
 }
 func logExchangedResponse(logger logger.ContextLogger, ctx context.Context, response *dns.Msg, ttl uint32) {
 	if logger == nil || len(response.Question) == 0 {
 		return
--- a/dns/rcode.go
+++ b/dns/rcode.go
@@ -5,11 +5,10 @@ import (
 )
 const (
-	RcodeSuccess       RcodeError = mDNS.RcodeSuccess
+	RcodeSuccess     RcodeError = mDNS.RcodeSuccess
-	RcodeServerFailure RcodeError = mDNS.RcodeServerFailure
+	RcodeFormatError RcodeError = mDNS.RcodeFormatError
-	RcodeFormatError   RcodeError = mDNS.RcodeFormatError
+	RcodeNameError   RcodeError = mDNS.RcodeNameError
-	RcodeNameError     RcodeError = mDNS.RcodeNameError
+	RcodeRefused     RcodeError = mDNS.RcodeRefused
 	RcodeRefused       RcodeError = mDNS.RcodeRefused
 )
 type RcodeError int
--- a/dns/repro_test.go
+++ b/dns/repro_test.go
@@ -1,111 +0,0 @@
 package dns
 import (
 	"context"
 	"net/netip"
 	"testing"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json/badoption"
 	mDNS "github.com/miekg/dns"
 	"github.com/stretchr/testify/require"
 )
 func TestReproLookupWithRulesUsesRequestStrategy(t *testing.T) {
 	t.Parallel()
 	defaultTransport := &fakeDNSTransport{tag: "default", transportType: C.DNSTypeUDP}
 	var qTypes []uint16
 	router := newTestRouter(t, nil, &fakeDNSTransportManager{
 		defaultTransport: defaultTransport,
 		transports: map[string]adapter.DNSTransport{
 			"default": defaultTransport,
 		},
 	}, &fakeDNSClient{
 		exchange: func(transport adapter.DNSTransport, message *mDNS.Msg) (*mDNS.Msg, error) {
 			qTypes = append(qTypes, message.Question[0].Qtype)
 			if message.Question[0].Qtype == mDNS.TypeA {
 				return FixedResponse(0, message.Question[0], []netip.Addr{netip.MustParseAddr("2.2.2.2")}, 60), nil
 			}
 			return FixedResponse(0, message.Question[0], []netip.Addr{netip.MustParseAddr("2001:db8::1")}, 60), nil
 		},
 	})
 	addresses, err := router.Lookup(context.Background(), "example.com", adapter.DNSQueryOptions{
 		Strategy: C.DomainStrategyIPv4Only,
 	})
 	require.NoError(t, err)
 	require.Equal(t, []uint16{mDNS.TypeA}, qTypes)
 	require.Equal(t, []netip.Addr{netip.MustParseAddr("2.2.2.2")}, addresses)
 }
 func TestReproLogicalMatchResponseIPCIDR(t *testing.T) {
 	t.Parallel()
 	transportManager := &fakeDNSTransportManager{
 		defaultTransport: &fakeDNSTransport{tag: "default", transportType: C.DNSTypeUDP},
 		transports: map[string]adapter.DNSTransport{
 			"upstream": &fakeDNSTransport{tag: "upstream", transportType: C.DNSTypeUDP},
 			"selected": &fakeDNSTransport{tag: "selected", transportType: C.DNSTypeUDP},
 			"default":  &fakeDNSTransport{tag: "default", transportType: C.DNSTypeUDP},
 		},
 	}
 	client := &fakeDNSClient{
 		exchange: func(transport adapter.DNSTransport, message *mDNS.Msg) (*mDNS.Msg, error) {
 			switch transport.Tag() {
 			case "upstream":
 				return FixedResponse(0, message.Question[0], []netip.Addr{netip.MustParseAddr("1.1.1.1")}, 60), nil
 			case "selected":
 				return FixedResponse(0, message.Question[0], []netip.Addr{netip.MustParseAddr("8.8.8.8")}, 60), nil
 			default:
 				return nil, E.New("unexpected transport")
 			}
 		},
 	}
 	rules := []option.DNSRule{
 		{
 			Type: C.RuleTypeDefault,
 			DefaultOptions: option.DefaultDNSRule{
 				RawDefaultDNSRule: option.RawDefaultDNSRule{
 					Domain: badoption.Listable[string]{"example.com"},
 				},
 				DNSRuleAction: option.DNSRuleAction{
 					Action:       C.RuleActionTypeEvaluate,
 					RouteOptions: option.DNSRouteActionOptions{Server: "upstream"},
 				},
 			},
 		},
 		{
 			Type: C.RuleTypeLogical,
 			LogicalOptions: option.LogicalDNSRule{
 				RawLogicalDNSRule: option.RawLogicalDNSRule{
 					Mode: C.LogicalTypeOr,
 					Rules: []option.DNSRule{{
 						Type: C.RuleTypeDefault,
 						DefaultOptions: option.DefaultDNSRule{
 							RawDefaultDNSRule: option.RawDefaultDNSRule{
 								MatchResponse: true,
 								IPCIDR:        badoption.Listable[string]{"1.1.1.0/24"},
 							},
 						},
 					}},
 				},
 				DNSRuleAction: option.DNSRuleAction{
 					Action:       C.RuleActionTypeRoute,
 					RouteOptions: option.DNSRouteActionOptions{Server: "selected"},
 				},
 			},
 		},
 	}
 	router := newTestRouter(t, rules, transportManager, client)
 	response, err := router.Exchange(context.Background(), &mDNS.Msg{
 		Question: []mDNS.Question{fixedQuestion("example.com", mDNS.TypeA)},
 	}, adapter.DNSQueryOptions{})
 	require.NoError(t, err)
 	require.Equal(t, []netip.Addr{netip.MustParseAddr("8.8.8.8")}, MessageToAddresses(response))
 }
--- a/dns/router.go
+++ b/dns/router.go
--- a/dns/router_test.go
+++ b/dns/router_test.go
--- a/dns/transport/local/local_darwin.go
+++ b/dns/transport/local/local_darwin.go
@@ -4,6 +4,8 @@ package local
 import (
 	"context"
 	"errors"
 	"net"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
@@ -12,6 +14,7 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
@@ -32,8 +35,10 @@ type Transport struct {
 	logger        logger.ContextLogger
 	hosts         *hosts.File
 	dialer        N.Dialer
 	preferGo      bool
 	fallback      bool
 	dhcpTransport dhcpTransport
 	resolver      net.Resolver
 }
 type dhcpTransport interface {
@@ -47,12 +52,14 @@ func NewTransport(ctx context.Context, logger log.ContextLogger, tag string, opt
 	if err != nil {
 		return nil, err
 	}
 	transportAdapter := dns.NewTransportAdapterWithLocalOptions(C.DNSTypeLocal, tag, options)
 	return &Transport{
-		TransportAdapter: dns.NewTransportAdapterWithLocalOptions(C.DNSTypeLocal, tag, options),
+		TransportAdapter: transportAdapter,
 		ctx:              ctx,
 		logger:           logger,
 		hosts:            hosts.NewFile(hosts.DefaultPath),
 		dialer:           transportDialer,
 		preferGo:         options.PreferGo,
 	}, nil
 }
@@ -99,11 +106,35 @@ func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg,
 			return dns.FixedResponse(message.Id, question, addresses, C.DefaultDNSTTL), nil
 		}
 	}
-	if t.fallback && t.dhcpTransport != nil {
+	if !t.fallback {
-		dhcpServers := t.dhcpTransport.Fetch()
+		return t.exchange(ctx, message, question.Name)
-		if len(dhcpServers) > 0 {
+	}
-			return t.dhcpTransport.Exchange0(ctx, message, dhcpServers)
+	if t.dhcpTransport != nil {
 		dhcpTransports := t.dhcpTransport.Fetch()
 		if len(dhcpTransports) > 0 {
 			return t.dhcpTransport.Exchange0(ctx, message, dhcpTransports)
 		}
 	}
-	return t.exchange(ctx, message, question.Name)
+	if t.preferGo {
 		// Assuming the user knows what they are doing, we still execute the query which will fail.
 		return t.exchange(ctx, message, question.Name)
 	}
 	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
 		var network string
 		if question.Qtype == mDNS.TypeA {
 			network = "ip4"
 		} else {
 			network = "ip6"
 		}
 		addresses, err := t.resolver.LookupNetIP(ctx, network, question.Name)
 		if err != nil {
 			var dnsError *net.DNSError
 			if errors.As(err, &dnsError) && dnsError.IsNotFound {
 				return nil, dns.RcodeRefused
 			}
 			return nil, err
 		}
 		return dns.FixedResponse(message.Id, question, addresses, C.DefaultDNSTTL), nil
 	}
 	return nil, E.New("only A and AAAA queries are supported on Apple platforms when using TUN and DHCP unavailable.")
 }
--- a/dns/transport/local/local_darwin_cgo.go
+++ b/dns/transport/local/local_darwin_cgo.go
@@ -1,249 +0,0 @@
 //go:build darwin
 package local
 /*
 #include <stdlib.h>
 #include <dns.h>
 #include <resolv.h>
 static void *cgo_dns_open_super() {
 	return (void *)dns_open(NULL);
 }
 static void cgo_dns_close(void *opaque) {
 	if (opaque != NULL) dns_free((dns_handle_t)opaque);
 }
 static int cgo_dns_search(void *opaque, const char *name, int class, int type,
 	unsigned char *answer, int anslen) {
 	dns_handle_t handle = (dns_handle_t)opaque;
 	struct sockaddr_storage from;
 	uint32_t fromlen = sizeof(from);
 	return dns_search(handle, name, class, type, (char *)answer, anslen, (struct sockaddr *)&from, &fromlen);
 }
 static void *cgo_res_init() {
 	res_state state = calloc(1, sizeof(struct __res_state));
 	if (state == NULL) return NULL;
 	if (res_ninit(state) != 0) {
 		free(state);
 		return NULL;
 	}
 	return state;
 }
 static void cgo_res_destroy(void *opaque) {
 	res_state state = (res_state)opaque;
 	res_ndestroy(state);
 	free(state);
 }
 static int cgo_res_nsearch(void *opaque, const char *dname, int class, int type,
 	unsigned char *answer, int anslen,
 	int timeout_seconds,
 	int *out_h_errno) {
 	res_state state = (res_state)opaque;
 	state->retrans = timeout_seconds;
 	state->retry = 1;
 	int n = res_nsearch(state, dname, class, type, answer, anslen);
 	if (n < 0) {
 		*out_h_errno = state->res_h_errno;
 	}
 	return n;
 }
 */
 import "C"
 import (
 	"context"
 	"errors"
 	"time"
 	"unsafe"
 	boxC "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/dns"
 	E "github.com/sagernet/sing/common/exceptions"
 	mDNS "github.com/miekg/dns"
 )
 const (
 	darwinResolverHostNotFound = 1
 	darwinResolverTryAgain     = 2
 	darwinResolverNoRecovery   = 3
 	darwinResolverNoData       = 4
 	darwinResolverMaxPacketSize = 65535
 )
 var errDarwinNeedLargerBuffer = errors.New("darwin resolver response truncated")
 func darwinLookupSystemDNS(name string, class, qtype, timeoutSeconds int) (*mDNS.Msg, error) {
 	response, err := darwinSearchWithSystemRouting(name, class, qtype)
 	if err == nil {
 		return response, nil
 	}
 	fallbackResponse, fallbackErr := darwinSearchWithResolv(name, class, qtype, timeoutSeconds)
 	if fallbackErr == nil || fallbackResponse != nil {
 		return fallbackResponse, fallbackErr
 	}
 	return nil, E.Errors(
 		E.Cause(err, "dns_search"),
 		E.Cause(fallbackErr, "res_nsearch"),
 	)
 }
 func darwinSearchWithSystemRouting(name string, class, qtype int) (*mDNS.Msg, error) {
 	handle := C.cgo_dns_open_super()
 	if handle == nil {
 		return nil, E.New("dns_open failed")
 	}
 	defer C.cgo_dns_close(handle)
 	cName := C.CString(name)
 	defer C.free(unsafe.Pointer(cName))
 	bufSize := 1232
 	for {
 		answer := make([]byte, bufSize)
 		n := C.cgo_dns_search(handle, cName, C.int(class), C.int(qtype),
 			(*C.uchar)(unsafe.Pointer(&answer[0])), C.int(len(answer)))
 		if n <= 0 {
 			return nil, E.New("dns_search failed for ", name)
 		}
 		if int(n) > bufSize {
 			bufSize = int(n)
 			continue
 		}
 		return unpackDarwinResolverMessage(answer[:int(n)], "dns_search")
 	}
 }
 func darwinSearchWithResolv(name string, class, qtype int, timeoutSeconds int) (*mDNS.Msg, error) {
 	state := C.cgo_res_init()
 	if state == nil {
 		return nil, E.New("res_ninit failed")
 	}
 	defer C.cgo_res_destroy(state)
 	cName := C.CString(name)
 	defer C.free(unsafe.Pointer(cName))
 	bufSize := 1232
 	for {
 		answer := make([]byte, bufSize)
 		var hErrno C.int
 		n := C.cgo_res_nsearch(state, cName, C.int(class), C.int(qtype),
 			(*C.uchar)(unsafe.Pointer(&answer[0])), C.int(len(answer)),
 			C.int(timeoutSeconds),
 			&hErrno)
 		if n >= 0 {
 			if int(n) > bufSize {
 				bufSize = int(n)
 				continue
 			}
 			return unpackDarwinResolverMessage(answer[:int(n)], "res_nsearch")
 		}
 		response, err := handleDarwinResolvFailure(name, answer, int(hErrno))
 		if err == nil {
 			return response, nil
 		}
 		if errors.Is(err, errDarwinNeedLargerBuffer) && bufSize < darwinResolverMaxPacketSize {
 			bufSize *= 2
 			if bufSize > darwinResolverMaxPacketSize {
 				bufSize = darwinResolverMaxPacketSize
 			}
 			continue
 		}
 		return nil, err
 	}
 }
 func unpackDarwinResolverMessage(packet []byte, source string) (*mDNS.Msg, error) {
 	var response mDNS.Msg
 	err := response.Unpack(packet)
 	if err != nil {
 		return nil, E.Cause(err, "unpack ", source, " response")
 	}
 	return &response, nil
 }
 func handleDarwinResolvFailure(name string, answer []byte, hErrno int) (*mDNS.Msg, error) {
 	response, err := unpackDarwinResolverMessage(answer, "res_nsearch failure")
 	if err == nil && response.Response {
 		if response.Truncated && len(answer) < darwinResolverMaxPacketSize {
 			return nil, errDarwinNeedLargerBuffer
 		}
 		return response, nil
 	}
 	return nil, darwinResolverHErrno(name, hErrno)
 }
 func darwinResolverHErrno(name string, hErrno int) error {
 	switch hErrno {
 	case darwinResolverHostNotFound:
 		return dns.RcodeNameError
 	case darwinResolverTryAgain:
 		return dns.RcodeServerFailure
 	case darwinResolverNoRecovery:
 		return dns.RcodeServerFailure
 	case darwinResolverNoData:
 		return dns.RcodeSuccess
 	default:
 		return E.New("res_nsearch: unknown error ", hErrno, " for ", name)
 	}
 }
 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	question := message.Question[0]
 	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
 		addresses := t.hosts.Lookup(dns.FqdnToDomain(question.Name))
 		if len(addresses) > 0 {
 			return dns.FixedResponse(message.Id, question, addresses, boxC.DefaultDNSTTL), nil
 		}
 	}
 	if t.fallback && t.dhcpTransport != nil {
 		dhcpServers := t.dhcpTransport.Fetch()
 		if len(dhcpServers) > 0 {
 			return t.dhcpTransport.Exchange0(ctx, message, dhcpServers)
 		}
 	}
 	name := question.Name
 	timeoutSeconds := int(boxC.DNSTimeout / time.Second)
 	if deadline, hasDeadline := ctx.Deadline(); hasDeadline {
 		remaining := time.Until(deadline)
 		if remaining <= 0 {
 			return nil, context.DeadlineExceeded
 		}
 		seconds := int(remaining.Seconds())
 		if seconds < 1 {
 			seconds = 1
 		}
 		timeoutSeconds = seconds
 	}
 	type resolvResult struct {
 		response *mDNS.Msg
 		err      error
 	}
 	resultCh := make(chan resolvResult, 1)
 	go func() {
 		response, err := darwinLookupSystemDNS(name, int(question.Qclass), int(question.Qtype), timeoutSeconds)
 		resultCh <- resolvResult{response, err}
 	}()
 	var result resolvResult
 	select {
 	case <-ctx.Done():
 		return nil, ctx.Err()
 	case result = <-resultCh:
 	}
 	if result.err != nil {
 		var rcodeError dns.RcodeError
 		if errors.As(result.err, &rcodeError) {
 			return dns.FixedResponseStatus(message, int(rcodeError)), nil
 		}
 		return nil, result.err
 	}
 	result.response.Id = message.Id
 	return result.response, nil
 }
--- a/dns/transport/local/local_shared.go
+++ b/dns/transport/local/local_shared.go
@@ -1,5 +1,3 @@
 //go:build !windows
 package local
 import (
--- a/dns/transport_adapter.go
+++ b/dns/transport_adapter.go
@@ -1,13 +1,21 @@
 package dns
 import (
 	"net/netip"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 )
 var _ adapter.LegacyDNSTransport = (*TransportAdapter)(nil)
 type TransportAdapter struct {
 	transportType string
 	transportTag  string
 	dependencies  []string
 	strategy      C.DomainStrategy
 	clientSubnet  netip.Prefix
 }
 func NewTransportAdapter(transportType string, transportTag string, dependencies []string) TransportAdapter {
@@ -27,6 +35,8 @@ func NewTransportAdapterWithLocalOptions(transportType string, transportTag stri
 		transportType: transportType,
 		transportTag:  transportTag,
 		dependencies:  dependencies,
 		strategy:      C.DomainStrategy(localOptions.LegacyStrategy),
 		clientSubnet:  localOptions.LegacyClientSubnet,
 	}
 }
@@ -35,10 +45,15 @@ func NewTransportAdapterWithRemoteOptions(transportType string, transportTag str
 	if remoteOptions.DomainResolver != nil && remoteOptions.DomainResolver.Server != "" {
 		dependencies = append(dependencies, remoteOptions.DomainResolver.Server)
 	}
 	if remoteOptions.LegacyAddressResolver != "" {
 		dependencies = append(dependencies, remoteOptions.LegacyAddressResolver)
 	}
 	return TransportAdapter{
 		transportType: transportType,
 		transportTag:  transportTag,
 		dependencies:  dependencies,
 		strategy:      C.DomainStrategy(remoteOptions.LegacyStrategy),
 		clientSubnet:  remoteOptions.LegacyClientSubnet,
 	}
 }
@@ -53,3 +68,11 @@ func (a *TransportAdapter) Tag() string {
 func (a *TransportAdapter) Dependencies() []string {
 	return a.dependencies
 }
 func (a *TransportAdapter) LegacyStrategy() C.DomainStrategy {
 	return a.strategy
 }
 func (a *TransportAdapter) LegacyClientSubnet() netip.Prefix {
 	return a.clientSubnet
 }
--- a/dns/transport_dialer.go
+++ b/dns/transport_dialer.go
@@ -2,25 +2,104 @@ package dns
 import (
 	"context"
 	"net"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/service"
 )
 func NewLocalDialer(ctx context.Context, options option.LocalDNSServerOptions) (N.Dialer, error) {
-	return dialer.NewWithOptions(dialer.Options{
+	if options.LegacyDefaultDialer {
-		Context:        ctx,
+		return dialer.NewDefaultOutbound(ctx), nil
-		Options:        options.DialerOptions,
+	} else {
-		DirectResolver: true,
+		return dialer.NewWithOptions(dialer.Options{
-	})
+			Context:         ctx,
 			Options:         options.DialerOptions,
 			DirectResolver:  true,
 			LegacyDNSDialer: options.Legacy,
 		})
 	}
 }
 func NewRemoteDialer(ctx context.Context, options option.RemoteDNSServerOptions) (N.Dialer, error) {
-	return dialer.NewWithOptions(dialer.Options{
+	if options.LegacyDefaultDialer {
-		Context:        ctx,
+		transportDialer := dialer.NewDefaultOutbound(ctx)
-		Options:        options.DialerOptions,
+		if options.LegacyAddressResolver != "" {
-		RemoteIsDomain: options.ServerIsDomain(),
+			transport := service.FromContext[adapter.DNSTransportManager](ctx)
-		DirectResolver: true,
+			resolverTransport, loaded := transport.Transport(options.LegacyAddressResolver)
-	})
+			if !loaded {
 				return nil, E.New("address resolver not found: ", options.LegacyAddressResolver)
 			}
 			transportDialer = newTransportDialer(transportDialer, service.FromContext[adapter.DNSRouter](ctx), resolverTransport, C.DomainStrategy(options.LegacyAddressStrategy), time.Duration(options.LegacyAddressFallbackDelay))
 		} else if options.ServerIsDomain() {
 			return nil, E.New("missing address resolver for server: ", options.Server)
 		}
 		return transportDialer, nil
 	} else {
 		return dialer.NewWithOptions(dialer.Options{
 			Context:         ctx,
 			Options:         options.DialerOptions,
 			RemoteIsDomain:  options.ServerIsDomain(),
 			DirectResolver:  true,
 			LegacyDNSDialer: options.Legacy,
 		})
 	}
 }
 type legacyTransportDialer struct {
 	dialer        N.Dialer
 	dnsRouter     adapter.DNSRouter
 	transport     adapter.DNSTransport
 	strategy      C.DomainStrategy
 	fallbackDelay time.Duration
 }
 func newTransportDialer(dialer N.Dialer, dnsRouter adapter.DNSRouter, transport adapter.DNSTransport, strategy C.DomainStrategy, fallbackDelay time.Duration) *legacyTransportDialer {
 	return &legacyTransportDialer{
 		dialer,
 		dnsRouter,
 		transport,
 		strategy,
 		fallbackDelay,
 	}
 }
 func (d *legacyTransportDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	if destination.IsIP() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
 	addresses, err := d.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{
 		Transport: d.transport,
 		Strategy:  d.strategy,
 	})
 	if err != nil {
 		return nil, err
 	}
 	return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == C.DomainStrategyPreferIPv6, d.fallbackDelay)
 }
 func (d *legacyTransportDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	if destination.IsIP() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
 	addresses, err := d.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{
 		Transport: d.transport,
 		Strategy:  d.strategy,
 	})
 	if err != nil {
 		return nil, err
 	}
 	conn, _, err := N.ListenSerial(ctx, d.dialer, destination, addresses)
 	return conn, err
 }
 func (d *legacyTransportDialer) Upstream() any {
 	return d.dialer
 }
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,143 +2,28 @@
 icon: material/alert-decagram
 ---
 #### 1.14.0-alpha.12
 * Fix fake-ip DNS server should return SUCCESS when another address type is not configured
 * Fixes and improvements
 #### 1.13.8
 * Update naiveproxy to v147.0.7727.49-1
 * Fix fake-ip DNS server should return SUCCESS when another address type is not configured
 * Fixes and improvements
 #### 1.14.0-alpha.11
 * Add optimistic DNS cache **1**
 * Update NaiveProxy to 147.0.7727.49
 * Fixes and improvements
 **1**:
 Optimistic DNS cache returns an expired cached response immediately while
 refreshing it in the background, reducing tail latency for repeated
 queries. Enabled via [`optimistic`](/configuration/dns/#optimistic)
 in DNS options, and can be persisted across restarts with the new
 [`store_dns`](/configuration/experimental/cache-file/#store_dns) cache
 file option. A per-query
 [`disable_optimistic_cache`](/configuration/dns/rule_action/#disable_optimistic_cache)
 field is also available on DNS rule actions and the `resolve` route rule
 action.
 This deprecates the `independent_cache` DNS option (the DNS cache now
 always keys by transport) and the `store_rdrc` cache file option
 (replaced by `store_dns`); both will be removed in sing-box 1.16.0.
 See [Migration](/migration/#migrate-independent-dns-cache).
 #### 1.14.0-alpha.10
 * Add `evaluate` DNS rule action and Response Match Fields **1**
 * `ip_version` and `query_type` now also take effect on internal DNS lookups **2**
 * Add `package_name_regex` route, DNS and headless rule item **3**
 * Add cloudflared inbound **4**
 * Fixes and improvements
 **1**:
 Response Match Fields
 ([`response_rcode`](/configuration/dns/rule/#response_rcode),
 [`response_answer`](/configuration/dns/rule/#response_answer),
 [`response_ns`](/configuration/dns/rule/#response_ns),
 and [`response_extra`](/configuration/dns/rule/#response_extra))
 match the evaluated DNS response. They are gated by the new
 [`match_response`](/configuration/dns/rule/#match_response) field and
 populated by a preceding
 [`evaluate`](/configuration/dns/rule_action/#evaluate) DNS rule action;
 the evaluated response can also be returned directly by a
 [`respond`](/configuration/dns/rule_action/#respond) action.
 This deprecates the Legacy Address Filter Fields (`ip_cidr`,
 `ip_is_private` without `match_response`) in DNS rules, the Legacy
 `strategy` DNS rule action option, and the Legacy
 `rule_set_ip_cidr_accept_empty` DNS rule item; all three will be removed
 in sing-box 1.16.0.
 See [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
 **2**:
 `ip_version` and `query_type` in DNS rules, together with `query_type` in
 referenced rule-sets, now take effect on every DNS rule evaluation,
 including matches from internal domain resolutions that do not target a
 specific DNS server (for example a `resolve` route rule action without
 `server` set). In earlier versions they were silently ignored in that
 path. Combining these fields with any of the legacy DNS fields deprecated
 in **1** in the same DNS configuration is no longer supported and is
 rejected at startup.
 See [Migration](/migration/#ip_version-and-query_type-behavior-changes-in-dns-rules).
 **3**:
 See [Route Rule](/configuration/route/rule/#package_name_regex),
 [DNS Rule](/configuration/dns/rule/#package_name_regex) and
 [Headless Rule](/configuration/rule-set/headless-rule/#package_name_regex).
 **4**:
 See [Cloudflared](/configuration/inbound/cloudflared/).
 #### 1.13.7
-* Fixes and improvement
+* Fixes and improvements
 #### 1.13.6
 * Fixes and improvements
 #### 1.14.0-alpha.8
 * Add BBR profile and hop interval randomization for Hysteria2 **1**
 * Fixes and improvements
 **1**:
 See [Hysteria2 Inbound](/configuration/inbound/hysteria2/#bbr_profile) and [Hysteria2 Outbound](/configuration/outbound/hysteria2/#bbr_profile).
 #### 1.14.0-alpha.8
 * Fixes and improvements
 #### 1.13.5
 * Fixes and improvements
 #### 1.14.0-alpha.7
 * Fixes and improvements
 #### 1.13.4
 * Fixes and improvements
 #### 1.14.0-alpha.4
 * Refactor ACME support to certificate provider system **1**
 * Add Cloudflare Origin CA certificate provider **2**
 * Add Tailscale certificate provider **3**
 * Fixes and improvements
 **1**:
 See [Certificate Provider](/configuration/shared/certificate-provider/) and [Migration](/migration/#migrate-inline-acme-to-certificate-provider).
 **2**:
 See [Cloudflare Origin CA](/configuration/shared/certificate-provider/cloudflare-origin-ca).
 **3**:
 See [Tailscale](/configuration/shared/certificate-provider/tailscale).
 #### 1.13.3
 * Add OpenWrt and Alpine APK packages to release **1**
@@ -163,59 +48,6 @@ from [SagerNet/go](https://github.com/SagerNet/go).
 See [OCM](/configuration/service/ocm).
 #### 1.12.24
 * Fixes and improvements
 #### 1.14.0-alpha.2
 * Add OpenWrt and Alpine APK packages to release **1**
 * Backport to macOS 10.13 High Sierra **2**
 * OCM service: Add WebSocket support for Responses API **3**
 * Fixes and improvements
 **1**:
 Alpine APK files use `linux` in the filename to distinguish from OpenWrt APKs which use the `openwrt` prefix:
 - OpenWrt: `sing-box_{version}_openwrt_{architecture}.apk`
 - Alpine: `sing-box_{version}_linux_{architecture}.apk`
 **2**:
 Legacy macOS binaries (with `-legacy-macos-10.13` suffix) now support
 macOS 10.13 High Sierra, built using Go 1.25 with patches
 from [SagerNet/go](https://github.com/SagerNet/go).
 **3**:
 See [OCM](/configuration/service/ocm).
 #### 1.14.0-alpha.1
 * Add `source_mac_address` and `source_hostname` rule items **1**
 * Add `include_mac_address` and `exclude_mac_address` TUN options **2**
 * Update NaiveProxy to 145.0.7632.159 **3**
 * Fixes and improvements
 **1**:
 New rule items for matching LAN devices by MAC address and hostname via neighbor resolution.
 Supported on Linux, macOS, or in graphical clients on Android and macOS.
 See [Route Rule](/configuration/route/rule/#source_mac_address), [DNS Rule](/configuration/dns/rule/#source_mac_address) and [Neighbor Resolution](/configuration/shared/neighbor/).
 **2**:
 Limit or exclude devices from TUN routing by MAC address.
 Only supported on Linux with `auto_route` and `auto_redirect` enabled.
 See [TUN](/configuration/inbound/tun/#include_mac_address).
 **3**:
 This is not an official update from NaiveProxy. Instead, it's a Chromium codebase update maintained by Project S.
 #### 1.13.2
 * Fixes and improvements
@@ -837,7 +669,7 @@ DNS servers are refactored for better performance and scalability.
 See [DNS server](/configuration/dns/server/).
-For migration, see [Migrate to new DNS server formats](/migration/#migrate-to-new-dns-server-formats).
+For migration, see [Migrate to new DNS server formats](/migration/#migrate-to-new-dns-servers).
 Compatibility for old formats will be removed in sing-box 1.14.0.
@@ -1307,7 +1139,7 @@ DNS servers are refactored for better performance and scalability.
 See [DNS server](/configuration/dns/server/).
-For migration, see [Migrate to new DNS server formats](/migration/#migrate-to-new-dns-server-formats).
+For migration, see [Migrate to new DNS server formats](/migration/#migrate-to-new-dns-servers).
 Compatibility for old formats will be removed in sing-box 1.14.0.
@@ -2143,7 +1975,7 @@ See [Migration](/migration/#process_path-format-update-on-windows).
 The new DNS feature allows you to more precisely bypass Chinese websites via **DNS leaks**. Do not use plain local DNS
 if using this method.
-See [Legacy Address Filter Fields](/configuration/dns/rule#legacy-address-filter-fields).
+See [Address Filter Fields](/configuration/dns/rule#address-filter-fields).
 [Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users) updated.
@@ -2157,7 +1989,7 @@ the [Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users
 **5**:
 The new feature allows you to cache the check results of
-[Legacy Address Filter Fields](/configuration/dns/rule/#legacy-address-filter-fields) until expiration.
+[Address filter DNS rule items](/configuration/dns/rule/#address-filter-fields) until expiration.
 **6**:
@@ -2338,7 +2170,7 @@ See [TUN](/configuration/inbound/tun) inbound.
 **1**:
 The new feature allows you to cache the check results of
-[Legacy Address Filter Fields](/configuration/dns/rule/#legacy-address-filter-fields) until expiration.
+[Address filter DNS rule items](/configuration/dns/rule/#address-filter-fields) until expiration.
 #### 1.9.0-alpha.7
@@ -2385,7 +2217,7 @@ See [Migration](/migration/#process_path-format-update-on-windows).
 The new DNS feature allows you to more precisely bypass Chinese websites via **DNS leaks**. Do not use plain local DNS
 if using this method.
-See [Legacy Address Filter Fields](/configuration/dns/rule#legacy-address-filter-fields).
+See [Address Filter Fields](/configuration/dns/rule#address-filter-fields).
 [Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users) updated.
--- a/docs/clients/android/features.md
+++ b/docs/clients/android/features.md
@@ -42,7 +42,6 @@ SFA provides an unprivileged TUN implementation through Android VpnService.
 | `process_path`        | :material-close: | No permission                     |
 | `process_path_regex`  | :material-close: | No permission                     |
 | `package_name`        | :material-check: | /                                 |
 | `package_name_regex`  | :material-check: | /                                 |
 | `user`                | :material-close: | Use `package_name` instead        |
 | `user_id`             | :material-close: | Use `package_name` instead        |
 | `wifi_ssid`           | :material-check: | Fine location permission required |
--- a/docs/clients/apple/features.md
+++ b/docs/clients/apple/features.md
@@ -44,7 +44,6 @@ SFI/SFM/SFT provides an unprivileged TUN implementation through NetworkExtension
 | `process_path`        | :material-close: | No permission         |
 | `process_path_regex`  | :material-close: | No permission         |
 | `package_name`        | :material-close: | /                     |
 | `package_name_regex`  | :material-close: | /                     |
 | `user`                | :material-close: | No permission         |
 | `user_id`             | :material-close: | No permission         |
 | `wifi_ssid`           | :material-alert: | Only supported on iOS |
--- a/docs/configuration/dns/fakeip.md
+++ b/docs/configuration/dns/fakeip.md
@@ -1,10 +1,10 @@
 ---
-icon: material/note-remove
+icon: material/delete-clock
 ---
-!!! failure "Removed in sing-box 1.14.0"
+!!! failure "Deprecated in sing-box 1.12.0"
-    Legacy fake-ip configuration is deprecated in sing-box 1.12.0 and removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-server-formats).
+    Legacy fake-ip configuration is deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-servers).
 ### Structure
@@ -26,6 +26,6 @@ Enable FakeIP service.
 IPv4 address range for FakeIP.
-#### inet6_range
+#### inet6_address
 IPv6 address range for FakeIP.
--- a/docs/configuration/dns/fakeip.zh.md
+++ b/docs/configuration/dns/fakeip.zh.md
@@ -1,10 +1,10 @@
 ---
-icon: material/note-remove
+icon: material/delete-clock
 ---
-!!! failure "已在 sing-box 1.14.0 移除"
+!!! failure "已在 sing-box 1.12.0 废弃"
-    旧的 fake-ip 配置已在 sing-box 1.12.0 废弃且已在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。
+    旧的 fake-ip 配置已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。
 ### 结构
--- a/docs/configuration/dns/index.md
+++ b/docs/configuration/dns/index.md
@@ -2,11 +2,6 @@
 icon: material/alert-decagram
 ---
 !!! quote "Changes in sing-box 1.14.0"
    :material-delete-clock: [independent_cache](#independent_cache)  
    :material-plus: [optimistic](#optimistic)
 !!! quote "Changes in sing-box 1.12.0"
    :material-decagram: [servers](#servers)
@@ -30,7 +25,6 @@ icon: material/alert-decagram
    "disable_expire": false,
    "independent_cache": false,
    "cache_capacity": 0,
    "optimistic": false, // or {}
    "reverse_mapping": false,
    "client_subnet": "",
    "fakeip": {}
@@ -45,7 +39,7 @@ icon: material/alert-decagram
 |----------|---------------------------------|
 | `server` | List of [DNS Server](./server/) |
 | `rules`  | List of [DNS Rule](./rule/)     |
-| `fakeip` | :material-note-remove: [FakeIP](./fakeip/) |
+| `fakeip` | [FakeIP](./fakeip/)             |
 #### final
@@ -63,20 +57,12 @@ One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
 Disable dns cache.
 Conflict with `optimistic`.
 #### disable_expire
 Disable dns cache expire.
 Conflict with `optimistic`.
 #### independent_cache
 !!! failure "Deprecated in sing-box 1.14.0"
    `independent_cache` is deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-independent-dns-cache).
 Make each DNS server's cache independent for special purposes. If enabled, will slightly degrade performance.
 #### cache_capacity
@@ -87,34 +73,6 @@ LRU cache capacity.
 Value less than 1024 will be ignored.
 #### optimistic
 !!! question "Since sing-box 1.14.0"
 Enable optimistic DNS caching. When a cached DNS entry has expired but is still within the timeout window,
 the stale response is returned immediately while a background refresh is triggered.
 Conflict with `disable_cache` and `disable_expire`.
 Accepts a boolean or an object. When set to `true`, the default timeout of `3d` is used.
 ```json
 {
  "enabled": true,
  "timeout": "3d"
 }
 ```
 ##### enabled
 Enable optimistic DNS caching.
 ##### timeout
 The maximum time an expired cache entry can be served optimistically.
 `3d` is used by default.
 #### reverse_mapping
 Stores a reverse mapping of IP addresses after responding to a DNS query in order to provide domain names when routing.
@@ -130,4 +88,4 @@ Append a `edns0-subnet` OPT extra record with the specified IP prefix to every q
 If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
-Can be overridden by `servers.[].client_subnet` or `rules.[].client_subnet`.
+Can be overrides by `servers.[].client_subnet` or `rules.[].client_subnet`.
--- a/docs/configuration/dns/index.zh.md
+++ b/docs/configuration/dns/index.zh.md
@@ -2,11 +2,6 @@
 icon: material/alert-decagram
 ---
 !!! quote "sing-box 1.14.0 中的更改"
    :material-delete-clock: [independent_cache](#independent_cache)  
    :material-plus: [optimistic](#optimistic)
 !!! quote "sing-box 1.12.0 中的更改"
    :material-decagram: [servers](#servers)
@@ -30,7 +25,6 @@ icon: material/alert-decagram
    "disable_expire": false,
    "independent_cache": false,
    "cache_capacity": 0,
    "optimistic": false, // or {}
    "reverse_mapping": false,
    "client_subnet": "",
    "fakeip": {}
@@ -62,20 +56,12 @@ icon: material/alert-decagram
 禁用 DNS 缓存。
 与 `optimistic` 冲突。
 #### disable_expire
 禁用 DNS 缓存过期。
 与 `optimistic` 冲突。
 #### independent_cache
 !!! failure "已在 sing-box 1.14.0 废弃"
    `independent_cache` 已在 sing-box 1.14.0 废弃，且将在 sing-box 1.16.0 中被移除，参阅[迁移指南](/zh/migration/#迁移-independent-dns-cache)。
 使每个 DNS 服务器的缓存独立，以满足特殊目的。如果启用，将轻微降低性能。
 #### cache_capacity
@@ -86,34 +72,6 @@ LRU 缓存容量。
 小于 1024 的值将被忽略。
 #### optimistic
 !!! question "自 sing-box 1.14.0 起"
 启用乐观 DNS 缓存。当缓存的 DNS 条目已过期但仍在超时窗口内时，
 立即返回过期的响应，同时在后台触发刷新。
 与 `disable_cache` 和 `disable_expire` 冲突。
 接受布尔值或对象。当设置为 `true` 时，使用默认超时 `3d`。
 ```json
 {
  "enabled": true,
  "timeout": "3d"
 }
 ```
 ##### enabled
 启用乐观 DNS 缓存。
 ##### timeout
 过期缓存条目可被乐观提供的最长时间。
 默认使用 `3d`。
 #### reverse_mapping
 在响应 DNS 查询后存储 IP 地址的反向映射以为路由目的提供域名。
@@ -130,6 +88,6 @@ LRU 缓存容量。
 可以被 `servers.[].client_subnet` 或 `rules.[].client_subnet` 覆盖。
-#### fakeip :material-note-remove:
+#### fakeip
 [FakeIP](./fakeip/) 设置。
--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@@ -2,20 +2,6 @@
 icon: material/alert-decagram
 ---
 !!! quote "Changes in sing-box 1.14.0"
    :material-plus: [source_mac_address](#source_mac_address)  
    :material-plus: [source_hostname](#source_hostname)  
    :material-plus: [match_response](#match_response)  
    :material-delete-clock: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)  
    :material-plus: [response_rcode](#response_rcode)  
    :material-plus: [response_answer](#response_answer)  
    :material-plus: [response_ns](#response_ns)  
    :material-plus: [response_extra](#response_extra)  
    :material-plus: [package_name_regex](#package_name_regex)  
    :material-alert: [ip_version](#ip_version)  
    :material-alert: [query_type](#query_type)
 !!! quote "Changes in sing-box 1.13.0"
    :material-plus: [interface_address](#interface_address)  
@@ -103,6 +89,12 @@ icon: material/alert-decagram
          "192.168.0.1"
        ],
        "source_ip_is_private": false,
        "ip_cidr": [
          "10.0.0.0/24",
          "192.168.0.1"
        ],
        "ip_is_private": false,
        "ip_accept_any": false,
        "source_port": [
          12345
        ],
@@ -132,9 +124,6 @@ icon: material/alert-decagram
        "package_name": [
          "com.termux"
        ],
        "package_name_regex": [
          "^com\\.termux.*"
        ],
        "user": [
          "sekai"
        ],
@@ -160,12 +149,6 @@ icon: material/alert-decagram
        "default_interface_address": [
          "2000::/3"
        ],
        "source_mac_address": [
          "00:11:22:33:44:55"
        ],
        "source_hostname": [
          "my-device"
        ],
        "wifi_ssid": [
          "My WIFI"
        ],
@@ -177,17 +160,7 @@ icon: material/alert-decagram
          "geosite-cn"
        ],
        "rule_set_ip_cidr_match_source": false,
-        "match_response": false,
+        "rule_set_ip_cidr_accept_empty": false,
        "ip_cidr": [
          "10.0.0.0/24",
          "192.168.0.1"
        ],
        "ip_is_private": false,
        "ip_accept_any": false,
        "response_rcode": "",
        "response_answer": [],
        "response_ns": [],
        "response_extra": [],
        "invert": false,
        "outbound": [
          "direct"
@@ -196,8 +169,7 @@ icon: material/alert-decagram
        "server": "local",
        // Deprecated
-
+        
        "rule_set_ip_cidr_accept_empty": false,
        "rule_set_ipcidr_match_source": false,
        "geosite": [
          "cn"
@@ -245,46 +217,12 @@ Tags of [Inbound](/configuration/inbound/).
 #### ip_version
 !!! quote "Changes in sing-box 1.14.0"
    This field now also applies when a DNS rule is matched from an internal
    domain resolution that does not target a specific DNS server, such as a
    [`resolve`](../../route/rule_action/#resolve) route rule action without a
    `server` set. In earlier versions, only DNS queries received from a
    client evaluated this field. See
    [Migration](/migration/#ip_version-and-query_type-behavior-changes-in-dns-rules)
    for the full list.
    Setting this field makes the DNS rule incompatible in the same DNS
    configuration with Legacy Address Filter Fields in DNS rules, the Legacy
    `strategy` DNS rule action option, and the Legacy
    `rule_set_ip_cidr_accept_empty` DNS rule item. To combine with
    address-based filtering, use the [`evaluate`](../rule_action/#evaluate)
    action and [`match_response`](#match_response).
 4 (A DNS query) or 6 (AAAA DNS query).
 Not limited if empty.
 #### query_type
 !!! quote "Changes in sing-box 1.14.0"
    This field now also applies when a DNS rule is matched from an internal
    domain resolution that does not target a specific DNS server, such as a
    [`resolve`](../../route/rule_action/#resolve) route rule action without a
    `server` set. In earlier versions, only DNS queries received from a
    client evaluated this field. See
    [Migration](/migration/#ip_version-and-query_type-behavior-changes-in-dns-rules)
    for the full list.
    Setting this field makes the DNS rule incompatible in the same DNS
    configuration with Legacy Address Filter Fields in DNS rules, the Legacy
    `strategy` DNS rule action option, and the Legacy
    `rule_set_ip_cidr_accept_empty` DNS rule item. To combine with
    address-based filtering, use the [`evaluate`](../rule_action/#evaluate)
    action and [`match_response`](#match_response).
 DNS query type. Values can be integers or type name strings.
 #### network
@@ -387,12 +325,6 @@ Match process path using regular expression.
 Match android package name.
 #### package_name_regex
 !!! question "Since sing-box 1.14.0"
 Match android package name using regular expression.
 #### user
 !!! quote ""
@@ -476,26 +408,6 @@ Matches network interface (same values as `network_type`) address.
 Match default interface address.
 #### source_mac_address
 !!! question "Since sing-box 1.14.0"
 !!! quote ""
    Only supported on Linux, macOS, or in graphical clients on Android and macOS. See [Neighbor Resolution](/configuration/shared/neighbor/) for setup.
 Match source device MAC address.
 #### source_hostname
 !!! question "Since sing-box 1.14.0"
 !!! quote ""
    Only supported on Linux, macOS, or in graphical clients on Android and macOS. See [Neighbor Resolution](/configuration/shared/neighbor/) for setup.
 Match source device hostname from DHCP leases.
 #### wifi_ssid
 !!! quote ""
@@ -534,25 +446,6 @@ Make `ip_cidr` rule items in rule-sets match the source IP.
 Make `ip_cidr` rule items in rule-sets match the source IP.
 #### match_response
 !!! question "Since sing-box 1.14.0"
 Enable response-based matching. When enabled, this rule matches against the evaluated response
 (set by a preceding [`evaluate`](/configuration/dns/rule_action/#evaluate) action)
 instead of only matching the original query.
 The evaluated response can also be returned directly by a later [`respond`](/configuration/dns/rule_action/#respond) action.
 Required for Response Match Fields (`response_rcode`, `response_answer`, `response_ns`, `response_extra`).
 Also required for `ip_cidr`, `ip_is_private`, and `ip_accept_any` when used with `evaluate` or Response Match Fields.
 #### ip_accept_any
 !!! question "Since sing-box 1.12.0"
 Match when the DNS query response contains at least one address.
 #### invert
 Invert match result.
@@ -597,12 +490,7 @@ See [DNS Rule Actions](../rule_action/) for details.
    Moved to [DNS Rule Action](../rule_action#route).
-### Legacy Address Filter Fields
+### Address Filter Fields
 !!! failure "Deprecated in sing-box 1.14.0"
    Legacy Address Filter Fields are deprecated and will be removed in sing-box 1.16.0,
    check [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
 Only takes effect for address requests (A/AAAA/HTTPS). When the query results do not match the address filtering rule items, the current rule will be skipped.
@@ -628,61 +516,23 @@ Match GeoIP with query response.
 Match IP CIDR with query response.
 As a Legacy Address Filter Field, deprecated. Use with `match_response` instead,
 check [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
 #### ip_is_private
 !!! question "Since sing-box 1.9.0"
 Match private IP with query response.
 As a Legacy Address Filter Field, deprecated. Use with `match_response` instead,
 check [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
 #### rule_set_ip_cidr_accept_empty
 !!! question "Since sing-box 1.10.0"
 !!! failure "Deprecated in sing-box 1.14.0"
    `rule_set_ip_cidr_accept_empty` is deprecated and will be removed in sing-box 1.16.0,
    check [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
 Make `ip_cidr` rules in rule-sets accept empty query response.
-### Response Match Fields
+#### ip_accept_any
-!!! question "Since sing-box 1.14.0"
+!!! question "Since sing-box 1.12.0"
-Match fields for the evaluated response. Require `match_response` to be set to `true`
+Match any IP with query response.
 and a preceding rule with [`evaluate`](/configuration/dns/rule_action/#evaluate) action to populate the response.
 That evaluated response may also be returned directly by a later [`respond`](/configuration/dns/rule_action/#respond) action.
 #### response_rcode
 Match DNS response code.
 Accepted values are the same as in the [predefined action rcode](/configuration/dns/rule_action/#rcode).
 #### response_answer
 Match DNS answer records.
 Record format is the same as in [predefined action answer](/configuration/dns/rule_action/#answer).
 #### response_ns
 Match DNS name server records.
 Record format is the same as in [predefined action ns](/configuration/dns/rule_action/#ns).
 #### response_extra
 Match DNS extra records.
 Record format is the same as in [predefined action extra](/configuration/dns/rule_action/#extra).
 ### Logical Fields
--- a/docs/configuration/dns/rule.zh.md
+++ b/docs/configuration/dns/rule.zh.md
@@ -2,20 +2,6 @@
 icon: material/alert-decagram
 ---
 !!! quote "sing-box 1.14.0 中的更改"
    :material-plus: [source_mac_address](#source_mac_address)  
    :material-plus: [source_hostname](#source_hostname)  
    :material-plus: [match_response](#match_response)  
    :material-delete-clock: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)  
    :material-plus: [response_rcode](#response_rcode)  
    :material-plus: [response_answer](#response_answer)  
    :material-plus: [response_ns](#response_ns)  
    :material-plus: [response_extra](#response_extra)  
    :material-plus: [package_name_regex](#package_name_regex)  
    :material-alert: [ip_version](#ip_version)  
    :material-alert: [query_type](#query_type)
 !!! quote "sing-box 1.13.0 中的更改"
    :material-plus: [interface_address](#interface_address)  
@@ -103,6 +89,12 @@ icon: material/alert-decagram
          "192.168.0.1"
        ],
        "source_ip_is_private": false,
        "ip_cidr": [
          "10.0.0.0/24",
          "192.168.0.1"
        ],
        "ip_is_private": false,
        "ip_accept_any": false,
        "source_port": [
          12345
        ],
@@ -132,9 +124,6 @@ icon: material/alert-decagram
        "package_name": [
          "com.termux"
        ],
        "package_name_regex": [
          "^com\\.termux.*"
        ],
        "user": [
          "sekai"
        ],
@@ -160,12 +149,6 @@ icon: material/alert-decagram
        "default_interface_address": [
          "2000::/3"
        ],
        "source_mac_address": [
          "00:11:22:33:44:55"
        ],
        "source_hostname": [
          "my-device"
        ],
        "wifi_ssid": [
          "My WIFI"
        ],
@@ -177,17 +160,7 @@ icon: material/alert-decagram
          "geosite-cn"
        ],
        "rule_set_ip_cidr_match_source": false,
-        "match_response": false,
+        "rule_set_ip_cidr_accept_empty": false,
        "ip_cidr": [
          "10.0.0.0/24",
          "192.168.0.1"
        ],
        "ip_is_private": false,
        "ip_accept_any": false,
        "response_rcode": "",
        "response_answer": [],
        "response_ns": [],
        "response_extra": [],
        "invert": false,
        "outbound": [
          "direct"
@@ -196,8 +169,6 @@ icon: material/alert-decagram
        "server": "local",
        // 已弃用
        "rule_set_ip_cidr_accept_empty": false,
        "rule_set_ipcidr_match_source": false,
        "geosite": [
          "cn"
@@ -245,38 +216,12 @@ icon: material/alert-decagram
 #### ip_version
 !!! quote "sing-box 1.14.0 中的更改"
    此字段现在也会在 DNS 规则被未指定具体 DNS 服务器的内部域名解析匹配时生效，
    例如未设置 `server` 的 [`resolve`](../../route/rule_action/#resolve) 路由规则动作。
    此前只有来自客户端的 DNS 查询才会评估此字段。完整列表参阅
    [迁移指南](/zh/migration/#dns-规则中的-ip_version-和-query_type-行为更改)。
    在 DNS 规则中设置此字段后，该 DNS 规则在同一 DNS 配置中不能与
    旧版地址筛选字段 (DNS 规则)、旧版 DNS 规则动作 `strategy` 选项，
    或旧版 `rule_set_ip_cidr_accept_empty` DNS 规则项共存。如需与
    基于地址的筛选组合，请使用 [`evaluate`](../rule_action/#evaluate) 动作和
    [`match_response`](#match_response)。
 4 (A DNS 查询) 或 6 (AAAA DNS 查询)。
 默认不限制。
 #### query_type
 !!! quote "sing-box 1.14.0 中的更改"
    此字段现在也会在 DNS 规则被未指定具体 DNS 服务器的内部域名解析匹配时生效，
    例如未设置 `server` 的 [`resolve`](../../route/rule_action/#resolve) 路由规则动作。
    此前只有来自客户端的 DNS 查询才会评估此字段。完整列表参阅
    [迁移指南](/zh/migration/#dns-规则中的-ip_version-和-query_type-行为更改)。
    在 DNS 规则中设置此字段后，该 DNS 规则在同一 DNS 配置中不能与
    旧版地址筛选字段 (DNS 规则)、旧版 DNS 规则动作 `strategy` 选项，
    或旧版 `rule_set_ip_cidr_accept_empty` DNS 规则项共存。如需与
    基于地址的筛选组合，请使用 [`evaluate`](../rule_action/#evaluate) 动作和
    [`match_response`](#match_response)。
 DNS 查询类型。值可以为整数或者类型名称字符串。
 #### network
@@ -379,12 +324,6 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 匹配 Android 应用包名。
 #### package_name_regex
 !!! question "自 sing-box 1.14.0 起"
 使用正则表达式匹配 Android 应用包名。
 #### user
 !!! quote ""
@@ -468,26 +407,6 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 匹配默认接口地址。
 #### source_mac_address
 !!! question "自 sing-box 1.14.0 起"
 !!! quote ""
    仅支持 Linux、macOS，或在 Android 和 macOS 图形客户端中支持。参阅 [邻居解析](/configuration/shared/neighbor/) 了解设置方法。
 匹配源设备 MAC 地址。
 #### source_hostname
 !!! question "自 sing-box 1.14.0 起"
 !!! quote ""
    仅支持 Linux、macOS，或在 Android 和 macOS 图形客户端中支持。参阅 [邻居解析](/configuration/shared/neighbor/) 了解设置方法。
 匹配源设备从 DHCP 租约获取的主机名。
 #### wifi_ssid
 !!! quote ""
@@ -526,23 +445,6 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 使规则集中的 `ip_cidr` 规则匹配源 IP。
 #### match_response
 !!! question "自 sing-box 1.14.0 起"
 启用响应匹配。启用后，此规则将匹配已评估的响应（由前序 [`evaluate`](/zh/configuration/dns/rule_action/#evaluate) 动作设置），而不仅是匹配原始查询。
 该已评估的响应也可以被后续的 [`respond`](/zh/configuration/dns/rule_action/#respond) 动作直接返回。
 响应匹配字段（`response_rcode`、`response_answer`、`response_ns`、`response_extra`）需要此选项。
 当与 `evaluate` 或响应匹配字段一起使用时，`ip_cidr`、`ip_is_private` 和 `ip_accept_any` 也需要此选项。
 #### ip_accept_any
 !!! question "自 sing-box 1.12.0 起"
 当 DNS 查询响应包含至少一个地址时匹配。
 #### invert
 反选匹配结果。
@@ -587,12 +489,7 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
    已移动到 [DNS 规则动作](../rule_action#route).
-### 旧版地址筛选字段
+### 地址筛选字段
 !!! failure "已在 sing-box 1.14.0 废弃"
    旧版地址筛选字段已废弃，且将在 sing-box 1.16.0 中被移除，
    参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。
 仅对地址请求 (A/AAAA/HTTPS) 生效。 当查询结果与地址筛选规则项不匹配时，将跳过当前规则。
@@ -619,62 +516,24 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 与查询响应匹配 IP CIDR。
 作为旧版地址筛选字段已废弃。请改为配合 `match_response` 使用，
 参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。
 #### ip_is_private
 !!! question "自 sing-box 1.9.0 起"
 与查询响应匹配非公开 IP。
-作为旧版地址筛选字段已废弃。请改为配合 `match_response` 使用，
+#### ip_accept_any
-参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。
+
 !!! question "自 sing-box 1.12.0 起"
 匹配任意 IP。
 #### rule_set_ip_cidr_accept_empty
 !!! question "自 sing-box 1.10.0 起"
 !!! failure "已在 sing-box 1.14.0 废弃"
    `rule_set_ip_cidr_accept_empty` 已废弃且将在 sing-box 1.16.0 中被移除，
    参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。
 使规则集中的 `ip_cidr` 规则接受空查询响应。
 ### 响应匹配字段
 !!! question "自 sing-box 1.14.0 起"
 已评估的响应的匹配字段。需要将 `match_response` 设为 `true`，
 且需要前序规则使用 [`evaluate`](/zh/configuration/dns/rule_action/#evaluate) 动作来填充响应。
 该已评估的响应也可以被后续的 [`respond`](/zh/configuration/dns/rule_action/#respond) 动作直接返回。
 #### response_rcode
 匹配 DNS 响应码。
 接受的值与 [predefined 动作 rcode](/zh/configuration/dns/rule_action/#rcode) 中相同。
 #### response_answer
 匹配 DNS 应答记录。
 记录格式与 [predefined 动作 answer](/zh/configuration/dns/rule_action/#answer) 中相同。
 #### response_ns
 匹配 DNS 名称服务器记录。
 记录格式与 [predefined 动作 ns](/zh/configuration/dns/rule_action/#ns) 中相同。
 #### response_extra
 匹配 DNS 额外记录。
 记录格式与 [predefined 动作 extra](/zh/configuration/dns/rule_action/#extra) 中相同。
 ### 逻辑字段
 #### type
--- a/docs/configuration/dns/rule_action.md
+++ b/docs/configuration/dns/rule_action.md
@@ -2,13 +2,6 @@
 icon: material/new-box
 ---
 !!! quote "Changes in sing-box 1.14.0"
    :material-delete-clock: [strategy](#strategy)  
    :material-plus: [evaluate](#evaluate)  
    :material-plus: [respond](#respond)  
    :material-plus: [disable_optimistic_cache](#disable_optimistic_cache)
 !!! quote "Changes in sing-box 1.12.0"
    :material-plus: [strategy](#strategy)  
@@ -24,7 +17,6 @@ icon: material/new-box
  "server": "",
  "strategy": "",
  "disable_cache": false,
  "disable_optimistic_cache": false,
  "rewrite_ttl": null,
  "client_subnet": null
 }
@@ -42,10 +34,6 @@ Tag of target server.
 !!! question "Since sing-box 1.12.0"
 !!! failure "Deprecated in sing-box 1.14.0"
    `strategy` is deprecated in sing-box 1.14.0 and will be removed in sing-box 1.16.0.
 Set domain strategy for this query.
 One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
@@ -54,12 +42,6 @@ One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
 Disable cache and save cache in this query.
 #### disable_optimistic_cache
 !!! question "Since sing-box 1.14.0"
 Disable optimistic DNS caching in this query.
 #### rewrite_ttl
 Rewrite TTL in DNS responses.
@@ -70,75 +52,7 @@ Append a `edns0-subnet` OPT extra record with the specified IP prefix to every q
 If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
-Will override `dns.client_subnet`.
+Will overrides `dns.client_subnet`.
 ### evaluate
 !!! question "Since sing-box 1.14.0"
 ```json
 {
  "action": "evaluate",
  "server": "",
  "disable_cache": false,
  "disable_optimistic_cache": false,
  "rewrite_ttl": null,
  "client_subnet": null
 }
 ```
 `evaluate` sends a DNS query to the specified server and saves the evaluated response for subsequent rules
 to match against using [`match_response`](/configuration/dns/rule/#match_response) and response fields.
 Unlike `route`, it does **not** terminate rule evaluation.
 Only allowed on top-level DNS rules (not inside logical sub-rules).
 Rules that use [`match_response`](/configuration/dns/rule/#match_response) or Response Match Fields
 require a preceding top-level rule with `evaluate` action. A rule's own `evaluate` action
 does not satisfy this requirement, because matching happens before the action runs.
 #### server
 ==Required==
 Tag of target server.
 #### disable_cache
 Disable cache and save cache in this query.
 #### disable_optimistic_cache
 !!! question "Since sing-box 1.14.0"
 Disable optimistic DNS caching in this query.
 #### rewrite_ttl
 Rewrite TTL in DNS responses.
 #### client_subnet
 Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
 If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
 Will override `dns.client_subnet`.
 ### respond
 !!! question "Since sing-box 1.14.0"
 ```json
 {
  "action": "respond"
 }
 ```
 `respond` terminates rule evaluation and returns the evaluated response from a preceding [`evaluate`](/configuration/dns/rule_action/#evaluate) action.
 This action does not send a new DNS query and has no extra options.
 Only allowed after a preceding top-level `evaluate` rule. If the action is reached without an evaluated response at runtime, the request fails with an error instead of falling through to later rules.
 ### route-options
@@ -146,7 +60,6 @@ Only allowed after a preceding top-level `evaluate` rule. If the action is reach
 {
  "action": "route-options",
  "disable_cache": false,
  "disable_optimistic_cache": false,
  "rewrite_ttl": null,
  "client_subnet": null
 }
--- a/docs/configuration/dns/rule_action.zh.md
+++ b/docs/configuration/dns/rule_action.zh.md
@@ -2,13 +2,6 @@
 icon: material/new-box
 ---
 !!! quote "sing-box 1.14.0 中的更改"
    :material-delete-clock: [strategy](#strategy)  
    :material-plus: [evaluate](#evaluate)  
    :material-plus: [respond](#respond)  
    :material-plus: [disable_optimistic_cache](#disable_optimistic_cache)
 !!! quote "sing-box 1.12.0 中的更改"
    :material-plus: [strategy](#strategy)  
@@ -24,7 +17,6 @@ icon: material/new-box
  "server": "",
  "strategy": "",
  "disable_cache": false,
  "disable_optimistic_cache": false,
  "rewrite_ttl": null,
  "client_subnet": null
 }
@@ -42,10 +34,6 @@ icon: material/new-box
 !!! question "自 sing-box 1.12.0 起"
 !!! failure "已在 sing-box 1.14.0 废弃"
    `strategy` 已在 sing-box 1.14.0 废弃，且将在 sing-box 1.16.0 中被移除。
 为此查询设置域名策略。
 可选项：`prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
@@ -54,12 +42,6 @@ icon: material/new-box
 在此查询中禁用缓存。
 #### disable_optimistic_cache
 !!! question "自 sing-box 1.14.0 起"
 在此查询中禁用乐观 DNS 缓存。
 #### rewrite_ttl
 重写 DNS 回应中的 TTL。
@@ -72,79 +54,12 @@ icon: material/new-box
 将覆盖 `dns.client_subnet`.
 ### evaluate
 !!! question "自 sing-box 1.14.0 起"
 ```json
 {
  "action": "evaluate",
  "server": "",
  "disable_cache": false,
  "disable_optimistic_cache": false,
  "rewrite_ttl": null,
  "client_subnet": null
 }
 ```
 `evaluate` 向指定服务器发送 DNS 查询并保存已评估的响应，供后续规则通过 [`match_response`](/zh/configuration/dns/rule/#match_response) 和响应字段进行匹配。与 `route` 不同，它**不会**终止规则评估。
 仅允许在顶层 DNS 规则中使用（不可在逻辑子规则内部使用）。
 使用 [`match_response`](/zh/configuration/dns/rule/#match_response) 或响应匹配字段的规则，
 需要位于更早的顶层 `evaluate` 规则之后。规则自身的 `evaluate` 动作不能满足这个条件，
 因为匹配发生在动作执行之前。
 #### server
 ==必填==
 目标 DNS 服务器的标签。
 #### disable_cache
 在此查询中禁用缓存。
 #### disable_optimistic_cache
 !!! question "自 sing-box 1.14.0 起"
 在此查询中禁用乐观 DNS 缓存。
 #### rewrite_ttl
 重写 DNS 回应中的 TTL。
 #### client_subnet
 默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
 如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
 将覆盖 `dns.client_subnet`.
 ### respond
 !!! question "自 sing-box 1.14.0 起"
 ```json
 {
  "action": "respond"
 }
 ```
 `respond` 会终止规则评估，并直接返回前序 [`evaluate`](/zh/configuration/dns/rule_action/#evaluate) 动作保存的已评估的响应。
 此动作不会发起新的 DNS 查询，也没有额外选项。
 只能用于前面已有顶层 `evaluate` 规则的场景。如果运行时命中该动作时没有已评估的响应，则请求会直接返回错误，而不是继续匹配后续规则。
 ### route-options
 ```json
 {
  "action": "route-options",
  "disable_cache": false,
  "disable_optimistic_cache": false,
  "rewrite_ttl": null,
  "client_subnet": null
 }
@@ -169,7 +84,7 @@ icon: material/new-box
 - `default`: 返回 REFUSED。
 - `drop`: 丢弃请求。
-默认使用 `default`。
+默认使用 `defualt`。
 #### no_drop
--- a/docs/configuration/dns/server/hosts.md
+++ b/docs/configuration/dns/server/hosts.md
@@ -73,55 +73,24 @@ Example:
 === "Use hosts if available"
-    === ":material-card-multiple: sing-box 1.14.0"
+    ```json
-
+    {
-        ```json
+      "dns": {
-        {
+        "servers": [
-          "dns": {
+          {
-            "servers": [
+            ...
-              {
+          },
-                ...
+          {
-              },
+            "type": "hosts",
-              {
+            "tag": "hosts"
                "type": "hosts",
                "tag": "hosts"
              }
            ],
            "rules": [
              {
                "action": "evaluate",
                "server": "hosts"
              },
              {
                "match_response": true,
                "ip_accept_any": true,
                "action": "respond"
              }
            ]
          }
-        }
+        ],
-        ```
+        "rules": [
-
+          {
-    === ":material-card-remove: sing-box < 1.14.0"
+            "ip_accept_any": true,
-
+            "server": "hosts"
        ```json
        {
          "dns": {
            "servers": [
              {
                ...
              },
              {
                "type": "hosts",
                "tag": "hosts"
              }
            ],
            "rules": [
              {
                "ip_accept_any": true,
                "server": "hosts"
              }
            ]
          }
-        }
+        ]
-        ```
+      }
    }
    ```
--- a/docs/configuration/dns/server/hosts.zh.md
+++ b/docs/configuration/dns/server/hosts.zh.md
@@ -73,55 +73,24 @@ hosts 文件路径列表。
 === "如果可用则使用 hosts"
-    === ":material-card-multiple: sing-box 1.14.0"
+    ```json
-
+    {
-        ```json
+      "dns": {
-        {
+        "servers": [
-          "dns": {
+          {
-            "servers": [
+            ...
-              {
+          },
-                ...
+          {
-              },
+            "type": "hosts",
-              {
+            "tag": "hosts"
                "type": "hosts",
                "tag": "hosts"
              }
            ],
            "rules": [
              {
                "action": "evaluate",
                "server": "hosts"
              },
              {
                "match_response": true,
                "ip_accept_any": true,
                "action": "respond"
              }
            ]
          }
-        }
+        ],
-        ```
+        "rules": [
-
+          {
-    === ":material-card-remove: sing-box < 1.14.0"
+            "ip_accept_any": true,
-
+            "server": "hosts"
        ```json
        {
          "dns": {
            "servers": [
              {
                ...
              },
              {
                "type": "hosts",
                "tag": "hosts"
              }
            ],
            "rules": [
              {
                "ip_accept_any": true,
                "server": "hosts"
              }
            ]
          }
-        }
+        ]
-        ```
+      }
    }
    ```
--- a/docs/configuration/dns/server/index.md
+++ b/docs/configuration/dns/server/index.md
@@ -29,7 +29,7 @@ The type of the DNS server.
 | Type            | Format                    |
 |-----------------|---------------------------|
-| empty (default) | :material-note-remove: [Legacy](./legacy/) |
+| empty (default) | [Legacy](./legacy/)       |
 | `local`         | [Local](./local/)         |
 | `hosts`         | [Hosts](./hosts/)         |
 | `tcp`           | [TCP](./tcp/)             |
--- a/docs/configuration/dns/server/index.zh.md
+++ b/docs/configuration/dns/server/index.zh.md
@@ -29,7 +29,7 @@ DNS 服务器的类型。
 | 类型              | 格式                        |
 |-----------------|---------------------------|
-| empty (default) | :material-note-remove: [Legacy](./legacy/) |
+| empty (default) | [Legacy](./legacy/)       |
 | `local`         | [Local](./local/)         |
 | `hosts`         | [Hosts](./hosts/)         |
 | `tcp`           | [TCP](./tcp/)             |
--- a/docs/configuration/dns/server/legacy.md
+++ b/docs/configuration/dns/server/legacy.md
@@ -1,10 +1,10 @@
 ---
-icon: material/note-remove
+icon: material/delete-clock
 ---
-!!! failure "Removed in sing-box 1.14.0"
+!!! failure "Deprecated in sing-box 1.12.0"
-    Legacy DNS servers are deprecated in sing-box 1.12.0 and removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-server-formats).
+    Legacy DNS servers is deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-servers).
 !!! quote "Changes in sing-box 1.9.0"
@@ -108,6 +108,6 @@ Append a `edns0-subnet` OPT extra record with the specified IP prefix to every q
 If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
-Can be overridden by `rules.[].client_subnet`.
+Can be overrides by `rules.[].client_subnet`.
-Will override `dns.client_subnet`.
+Will overrides `dns.client_subnet`.
--- a/docs/configuration/dns/server/legacy.zh.md
+++ b/docs/configuration/dns/server/legacy.zh.md
@@ -1,10 +1,10 @@
 ---
-icon: material/note-remove
+icon: material/delete-clock
 ---
-!!! failure "已在 sing-box 1.14.0 移除"
+!!! failure "Deprecated in sing-box 1.12.0"
-    旧的 DNS 服务器配置已在 sing-box 1.12.0 废弃且已在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。
+    旧的 DNS 服务器配置已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。
 !!! quote "sing-box 1.9.0 中的更改"
--- a/docs/configuration/dns/server/resolved.md
+++ b/docs/configuration/dns/server/resolved.md
@@ -43,62 +43,29 @@ If not enabled, `NXDOMAIN` will be returned for requests that do not match searc
 === "Split DNS only"
-    === ":material-card-multiple: sing-box 1.14.0"
+    ```json
-
+    {
-        ```json
+      "dns": {
-        {
+        "servers": [
-          "dns": {
+          {
-            "servers": [
+            "type": "local",
-              {
+            "tag": "local"
-                "type": "local",
+          },
-                "tag": "local"
+          {
-              },
+            "type": "resolved",
-              {
+            "tag": "resolved",
-                "type": "resolved",
+            "service": "resolved"
                "tag": "resolved",
                "service": "resolved"
              }
            ],
            "rules": [
              {
                "action": "evaluate",
                "server": "resolved"
              },
              {
                "match_response": true,
                "ip_accept_any": true,
                "action": "respond"
              }
            ]
          }
-        }
+        ],
-        ```
+        "rules": [
-
+          {
-    === ":material-card-remove: sing-box < 1.14.0"
+            "ip_accept_any": true,
-
+            "server": "resolved"
        ```json
        {
          "dns": {
            "servers": [
              {
                "type": "local",
                "tag": "local"
              },
              {
                "type": "resolved",
                "tag": "resolved",
                "service": "resolved"
              }
            ],
            "rules": [
              {
                "ip_accept_any": true,
                "server": "resolved"
              }
            ]
          }
-        }
+        ]
-        ```
+      }
    }
    ```
 === "Use as global DNS"
--- a/docs/configuration/dns/server/resolved.zh.md
+++ b/docs/configuration/dns/server/resolved.zh.md
@@ -42,62 +42,29 @@ icon: material/new-box
 === "仅分割 DNS"
-    === ":material-card-multiple: sing-box 1.14.0"
+    ```json
-
+    {
-        ```json
+      "dns": {
-        {
+        "servers": [
-          "dns": {
+          {
-            "servers": [
+            "type": "local",
-              {
+            "tag": "local"
-                "type": "local",
+          },
-                "tag": "local"
+          {
-              },
+            "type": "resolved",
-              {
+            "tag": "resolved",
-                "type": "resolved",
+            "service": "resolved"
                "tag": "resolved",
                "service": "resolved"
              }
            ],
            "rules": [
              {
                "action": "evaluate",
                "server": "resolved"
              },
              {
                "match_response": true,
                "ip_accept_any": true,
                "action": "respond"
              }
            ]
          }
-        }
+        ],
-        ```
+        "rules": [
-
+          {
-    === ":material-card-remove: sing-box < 1.14.0"
+            "ip_accept_any": true,
-
+            "server": "resolved"
        ```json
        {
          "dns": {
            "servers": [
              {
                "type": "local",
                "tag": "local"
              },
              {
                "type": "resolved",
                "tag": "resolved",
                "service": "resolved"
              }
            ],
            "rules": [
              {
                "ip_accept_any": true,
                "server": "resolved"
              }
            ]
          }
-        }
+        ]
-        ```
+      }
    }
    ```
 === "用作全局 DNS"
--- a/docs/configuration/dns/server/tailscale.md
+++ b/docs/configuration/dns/server/tailscale.md
@@ -42,62 +42,29 @@ if not enabled, `NXDOMAIN` will be returned for non-Tailscale domain queries.
 === "MagicDNS only"
-    === ":material-card-multiple: sing-box 1.14.0"
+    ```json
-
+    {
-        ```json
+      "dns": {
-        {
+        "servers": [
-          "dns": {
+          {
-            "servers": [
+            "type": "local",
-              {
+            "tag": "local"
-                "type": "local",
+          },
-                "tag": "local"
+          {
-              },
+            "type": "tailscale",
-              {
+            "tag": "ts",
-                "type": "tailscale",
+            "endpoint": "ts-ep"
                "tag": "ts",
                "endpoint": "ts-ep"
              }
            ],
            "rules": [
              {
                "action": "evaluate",
                "server": "ts"
              },
              {
                "match_response": true,
                "ip_accept_any": true,
                "action": "respond"
              }
            ]
          }
-        }
+        ],
-        ```
+        "rules": [
-
+          {
-    === ":material-card-remove: sing-box < 1.14.0"
+            "ip_accept_any": true,
-
+            "server": "ts"
        ```json
        {
          "dns": {
            "servers": [
              {
                "type": "local",
                "tag": "local"
              },
              {
                "type": "tailscale",
                "tag": "ts",
                "endpoint": "ts-ep"
              }
            ],
            "rules": [
              {
                "ip_accept_any": true,
                "server": "ts"
              }
            ]
          }
-        }
+        ]
-        ```
+      }
    }
    ```
 === "Use as global DNS"
--- a/Show More
+++ b/Show More
`@@ -1,3 +1,3 @@`
	`package constant`	`package tls`

	`const ACMETLS1Protocol = "acme-tls/1"`	`const ACMETLS1Protocol = "acme-tls/1"`