Merge pull request #747 from telemt/flow

Restore active IP observability for users without unique-IP limits

Cargo.lock

@@ -90,9 +90,9 @@ checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c"
 
 [[package]]
 name = "arc-swap"
-version = "1.9.0"
+version = "1.9.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a07d1f37ff60921c83bdfc7407723bdefe89b44b98a9b772f225c8f9d67141a6"
+checksum = "6a3a1fd6f75306b68087b831f025c712524bcb19aad54e557b1129cfa0a2b207"
 dependencies = [
  "rustversion",
 ]
@@ -173,9 +173,9 @@ checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
 
 [[package]]
 name = "aws-lc-rs"
-version = "1.16.2"
+version = "1.16.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a054912289d18629dc78375ba2c3726a3afe3ff71b4edba9dedfca0e3446d1fc"
+checksum = "0ec6fb3fe69024a75fa7e1bfb48aa6cf59706a101658ea01bfd33b2b248a038f"
 dependencies = [
  "aws-lc-sys",
  "zeroize",
@@ -183,9 +183,9 @@ dependencies = [
 
 [[package]]
 name = "aws-lc-sys"
-version = "0.39.1"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "83a25cf98105baa966497416dbd42565ce3a8cf8dbfd59803ec9ad46f3126399"
+checksum = "f50037ee5e1e41e7b8f9d161680a725bd1626cb6f8c7e901f91f942850852fe7"
 dependencies = [
  "cc",
  "cmake",
@@ -228,9 +228,9 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
 
 [[package]]
 name = "bitflags"
-version = "2.11.0"
+version = "2.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af"
+checksum = "c4512299f36f043ab09a583e57bceb5a5aab7a73db1805848e8fef3c9e8c78b3"
 
 [[package]]
 name = "blake3"
@@ -299,9 +299,9 @@ dependencies = [
 
 [[package]]
 name = "cc"
-version = "1.2.58"
+version = "1.2.60"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e1e928d4b69e3077709075a938a05ffbedfa53a84c8f766efbf8220bb1ff60e1"
+checksum = "43c5703da9466b66a946814e1adf53ea2c90f10063b86290cc9eb67ce3478a20"
 dependencies = [
  "find-msvc-tools",
  "jobserver",
@@ -346,7 +346,7 @@ checksum = "6f8d983286843e49675a4b7a2d174efe136dc93a18d69130dd18198a6c167601"
 dependencies = [
  "cfg-if",
  "cpufeatures 0.3.0",
- "rand_core 0.10.0",
+ "rand_core 0.10.1",
 ]
 
 [[package]]
@@ -416,9 +416,9 @@ dependencies = [
 
 [[package]]
 name = "clap"
-version = "4.6.0"
+version = "4.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b193af5b67834b676abd72466a96c1024e6a6ad978a1f484bd90b85c94041351"
+checksum = "1ddb117e43bbf7dacf0a4190fef4d345b9bad68dfc649cb349e7d17d28428e51"
 dependencies = [
  "clap_builder",
 ]
@@ -805,9 +805,9 @@ dependencies = [
 
 [[package]]
 name = "fastrand"
-version = "2.3.0"
+version = "2.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be"
+checksum = "9f1f227452a390804cdb637b74a86990f2a7d7ba4b7d5693aac9b4dd6defd8d6"
 
 [[package]]
 name = "fiat-crypto"
@@ -997,7 +997,7 @@ dependencies = [
  "cfg-if",
  "libc",
  "r-efi 6.0.0",
- "rand_core 0.10.0",
+ "rand_core 0.10.1",
  "wasip2",
  "wasip3",
 ]
@@ -1068,6 +1068,12 @@ dependencies = [
  "foldhash 0.2.0",
 ]
 
+[[package]]
+name = "hashbrown"
+version = "0.17.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4f467dd6dccf739c208452f8014c75c18bb8301b050ad1cfb27153803edb0f51"
+
 [[package]]
 name = "heck"
 version = "0.5.0"
@@ -1096,7 +1102,7 @@ dependencies = [
  "idna",
  "ipnet",
  "once_cell",
- "rand 0.9.2",
+ "rand 0.9.4",
  "ring",
  "thiserror 2.0.18",
  "tinyvec",
@@ -1118,7 +1124,7 @@ dependencies = [
  "moka",
  "once_cell",
  "parking_lot",
- "rand 0.9.2",
+ "rand 0.9.4",
  "resolv-conf",
  "smallvec",
  "thiserror 2.0.18",
@@ -1213,15 +1219,14 @@ dependencies = [
 
 [[package]]
 name = "hyper-rustls"
-version = "0.27.7"
+version = "0.27.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e3c93eb611681b207e1fe55d5a71ecf91572ec8a6705cdb6857f7d8d5242cf58"
+checksum = "33ca68d021ef39cf6463ab54c1d0f5daf03377b70561305bb89a8f83aab66e0f"
 dependencies = [
  "http",
  "hyper",
  "hyper-util",
  "rustls",
- "rustls-pki-types",
  "tokio",
  "tokio-rustls",
  "tower-service",
@@ -1385,12 +1390,12 @@ dependencies = [
 
 [[package]]
 name = "indexmap"
-version = "2.13.0"
+version = "2.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7714e70437a7dc3ac8eb7e6f8df75fd8eb422675fc7678aff7364301092b1017"
+checksum = "d466e9454f08e4a911e14806c24e16fba1b4c121d1ea474396f396069cf949d9"
 dependencies = [
  "equivalent",
- "hashbrown 0.16.1",
+ "hashbrown 0.17.0",
  "serde",
  "serde_core",
 ]
@@ -1401,7 +1406,7 @@ version = "0.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bd5b3eaf1a28b758ac0faa5a4254e8ab2705605496f1b1f3fbbc3988ad73d199"
 dependencies = [
- "bitflags 2.11.0",
+ "bitflags 2.11.1",
  "inotify-sys",
  "libc",
 ]
@@ -1534,9 +1539,9 @@ dependencies = [
 
 [[package]]
 name = "js-sys"
-version = "0.3.94"
+version = "0.3.95"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2e04e2ef80ce82e13552136fabeef8a5ed1f985a96805761cbb9a2c34e7664d9"
+checksum = "2964e92d1d9dc3364cae4d718d93f227e3abb088e747d92e0395bfdedf1c12ca"
 dependencies = [
  "cfg-if",
  "futures-util",
@@ -1578,9 +1583,9 @@ checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2"
 
 [[package]]
 name = "libc"
-version = "0.2.184"
+version = "0.2.185"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "48f5d2a454e16a5ea0f4ced81bd44e4cfc7bd3a507b61887c99fd3538b28e4af"
+checksum = "52ff2c0fe9bc6cb6b14a0592c2ff4fa9ceb83eea9db979b0487cd054946a2b8f"
 
 [[package]]
 name = "linux-raw-sys"
@@ -1611,9 +1616,9 @@ checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
 
 [[package]]
 name = "lru"
-version = "0.16.3"
+version = "0.16.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a1dc47f592c06f33f8e3aea9591776ec7c9f9e4124778ff8a3c3b87159f7e593"
+checksum = "7f66e8d5d03f609abc3a39e6f08e4164ebf1447a732906d39eb9b99b7919ef39"
 dependencies = [
  "hashbrown 0.16.1",
 ]
@@ -1705,7 +1710,7 @@ version = "0.31.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5d6d0705320c1e6ba1d912b5e37cf18071b6c2e9b7fa8215a1e8a7651966f5d3"
 dependencies = [
- "bitflags 2.11.0",
+ "bitflags 2.11.1",
  "cfg-if",
  "cfg_aliases",
  "libc",
@@ -1728,7 +1733,7 @@ version = "8.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4d3d07927151ff8575b7087f245456e549fea62edf0ec4e565a5ee50c8402bc3"
 dependencies = [
- "bitflags 2.11.0",
+ "bitflags 2.11.1",
  "fsevent-sys",
  "inotify",
  "kqueue",
@@ -1746,7 +1751,7 @@ version = "2.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "42b8cfee0e339a0337359f3c88165702ac6e600dc01c0cc9579a92d62b08477a"
 dependencies = [
- "bitflags 2.11.0",
+ "bitflags 2.11.1",
 ]
 
 [[package]]
@@ -2012,9 +2017,9 @@ checksum = "4b45fcc2344c680f5025fe57779faef368840d0bd1f42f216291f0dc4ace4744"
 dependencies = [
  "bit-set",
  "bit-vec",
- "bitflags 2.11.0",
+ "bitflags 2.11.1",
  "num-traits",
- "rand 0.9.2",
+ "rand 0.9.4",
  "rand_chacha",
  "rand_xorshift",
  "regex-syntax",
@@ -2059,7 +2064,7 @@ dependencies = [
  "bytes",
  "getrandom 0.3.4",
  "lru-slab",
- "rand 0.9.2",
+ "rand 0.9.4",
  "ring",
  "rustc-hash",
  "rustls",
@@ -2108,9 +2113,9 @@ checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf"
 
 [[package]]
 name = "rand"
-version = "0.9.2"
+version = "0.9.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
+checksum = "44c5af06bb1b7d3216d91932aed5265164bf384dc89cd6ba05cf59a35f5f76ea"
 dependencies = [
  "rand_chacha",
  "rand_core 0.9.5",
@@ -2118,13 +2123,13 @@ dependencies = [
 
 [[package]]
 name = "rand"
-version = "0.10.0"
+version = "0.10.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bc266eb313df6c5c09c1c7b1fbe2510961e5bcd3add930c1e31f7ed9da0feff8"
+checksum = "d2e8e8bcc7961af1fdac401278c6a831614941f6164ee3bf4ce61b7edb162207"
 dependencies = [
  "chacha20 0.10.0",
  "getrandom 0.4.2",
- "rand_core 0.10.0",
+ "rand_core 0.10.1",
 ]
 
 [[package]]
@@ -2157,9 +2162,9 @@ dependencies = [
 
 [[package]]
 name = "rand_core"
-version = "0.10.0"
+version = "0.10.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0c8d0fd677905edcbeedbf2edb6494d676f0e98d54d5cf9bda0b061cb8fb8aba"
+checksum = "63b8176103e19a2643978565ca18b50549f6101881c443590420e4dc998a3c69"
 
 [[package]]
 name = "rand_xorshift"
@@ -2172,9 +2177,9 @@ dependencies = [
 
 [[package]]
 name = "rayon"
-version = "1.11.0"
+version = "1.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "368f01d005bf8fd9b1206fb6fa653e6c4a81ceb1466406b81792d87c5677a58f"
+checksum = "fb39b166781f92d482534ef4b4b1b2568f42613b53e5b6c160e24cfbfa30926d"
 dependencies = [
  "either",
  "rayon-core",
@@ -2196,7 +2201,7 @@ version = "0.5.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d"
 dependencies = [
- "bitflags 2.11.0",
+ "bitflags 2.11.1",
 ]
 
 [[package]]
@@ -2326,7 +2331,7 @@ version = "1.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b6fe4565b9518b83ef4f91bb47ce29620ca828bd32cb7e408f0062e9930ba190"
 dependencies = [
- "bitflags 2.11.0",
+ "bitflags 2.11.1",
  "errno",
  "libc",
  "linux-raw-sys",
@@ -2335,9 +2340,9 @@ dependencies = [
 
 [[package]]
 name = "rustls"
-version = "0.23.37"
+version = "0.23.38"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "758025cb5fccfd3bc2fd74708fd4682be41d99e5dff73c377c0646c6012c73a4"
+checksum = "69f9466fb2c14ea04357e91413efb882e2a6d4a406e625449bc0a5d360d53a21"
 dependencies = [
  "aws-lc-rs",
  "once_cell",
@@ -2399,9 +2404,9 @@ checksum = "f87165f0995f63a9fbeea62b64d10b4d9d8e78ec6d7d51fb2125fda7bb36788f"
 
 [[package]]
 name = "rustls-webpki"
-version = "0.103.10"
+version = "0.103.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef"
+checksum = "8279bb85272c9f10811ae6a6c547ff594d6a7f3c6c6b02ee9726d1d0dcfcdd06"
 dependencies = [
  "aws-lc-rs",
  "ring",
@@ -2474,7 +2479,7 @@ version = "3.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b7f4bc775c73d9a02cde8bf7b2ec4c9d12743edf609006c7facc23998404cd1d"
 dependencies = [
- "bitflags 2.11.0",
+ "bitflags 2.11.1",
  "core-foundation",
  "core-foundation-sys",
  "libc",
@@ -2493,9 +2498,9 @@ dependencies = [
 
 [[package]]
 name = "semver"
-version = "1.0.27"
+version = "1.0.28"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"
+checksum = "8a7852d02fc848982e0c167ef163aaff9cd91dc640ba85e263cb1ce46fae51cd"
 
 [[package]]
 name = "sendfd"
@@ -2615,7 +2620,7 @@ dependencies = [
  "notify",
  "percent-encoding",
  "pin-project",
- "rand 0.9.2",
+ "rand 0.9.4",
  "sealed",
  "sendfd",
  "serde",
@@ -2646,7 +2651,7 @@ dependencies = [
  "chacha20poly1305",
  "hkdf",
  "md-5",
- "rand 0.9.2",
+ "rand 0.9.4",
  "ring-compat",
  "sha1",
 ]
@@ -2741,6 +2746,12 @@ version = "2.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
 
+[[package]]
+name = "symlink"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a7973cce6668464ea31f176d85b13c7ab3bba2cb3b77a2ed26abd7801688010a"
+
 [[package]]
 name = "syn"
 version = "2.0.117"
@@ -2780,7 +2791,7 @@ checksum = "7b2093cf4c8eb1e67749a6762251bc9cd836b6fc171623bd0a9d324d37af2417"
 
 [[package]]
 name = "telemt"
-version = "3.4.2"
+version = "3.4.8"
 dependencies = [
  "aes",
  "anyhow",
@@ -2812,7 +2823,7 @@ dependencies = [
  "num-traits",
  "parking_lot",
  "proptest",
- "rand 0.10.0",
+ "rand 0.10.1",
  "regex",
  "reqwest",
  "rustls",
@@ -2970,9 +2981,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
 [[package]]
 name = "tokio"
-version = "1.50.0"
+version = "1.52.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "27ad5e34374e03cfffefc301becb44e9dc3c17584f414349ebe29ed26661822d"
+checksum = "b67dee974fe86fd92cc45b7a95fdd2f99a36a6d7b0d431a231178d3d670bbcc6"
 dependencies = [
  "bytes",
  "libc",
@@ -2988,9 +2999,9 @@ dependencies = [
 
 [[package]]
 name = "tokio-macros"
-version = "2.6.1"
+version = "2.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5c55a2eff8b69ce66c84f85e1da1c233edc36ceb85a2058d11b0d6a3c7e7569c"
+checksum = "385a6cb71ab9ab790c5fe8d67f1645e6c450a7ce006a33de03daa956cf70a496"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -3123,7 +3134,7 @@ version = "0.6.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
 dependencies = [
- "bitflags 2.11.0",
+ "bitflags 2.11.1",
  "bytes",
  "futures-util",
  "http",
@@ -3160,11 +3171,12 @@ dependencies = [
 
 [[package]]
 name = "tracing-appender"
-version = "0.2.4"
+version = "0.2.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "786d480bce6247ab75f005b14ae1624ad978d3029d9113f0a22fa1ac773faeaf"
+checksum = "050686193eb999b4bb3bc2acfa891a13da00f79734704c4b8b4ef1a10b368a3c"
 dependencies = [
  "crossbeam-channel",
+ "symlink",
  "thiserror 2.0.18",
  "time",
  "tracing-subscriber",
@@ -3239,9 +3251,9 @@ checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b"
 
 [[package]]
 name = "typenum"
-version = "1.19.0"
+version = "1.20.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "562d481066bde0658276a35467c4af00bdc6ee726305698a55b86e61d7ad82bb"
+checksum = "40ce102ab67701b8526c123c1bab5cbe42d7040ccfd0f64af1a385808d2f43de"
 
 [[package]]
 name = "unarray"
@@ -3297,9 +3309,9 @@ checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
 
 [[package]]
 name = "uuid"
-version = "1.23.0"
+version = "1.23.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5ac8b6f42ead25368cf5b098aeb3dc8a1a2c05a3eee8a9a1a68c640edbfc79d9"
+checksum = "ddd74a9687298c6858e9b88ec8935ec45d22e8fd5e6394fa1bd4e99a87789c76"
 dependencies = [
  "getrandom 0.4.2",
  "js-sys",
@@ -3354,11 +3366,11 @@ checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b"
 
 [[package]]
 name = "wasip2"
-version = "1.0.2+wasi-0.2.9"
+version = "1.0.3+wasi-0.2.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9517f9239f02c069db75e65f174b3da828fe5f5b945c4dd26bd25d89c03ebcf5"
+checksum = "20064672db26d7cdc89c7798c48a0fdfac8213434a1186e5ef29fd560ae223d6"
 dependencies = [
- "wit-bindgen",
+ "wit-bindgen 0.57.1",
 ]
 
 [[package]]
@@ -3367,14 +3379,14 @@ version = "0.4.0+wasi-0.3.0-rc-2026-01-06"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5428f8bf88ea5ddc08faddef2ac4a67e390b88186c703ce6dbd955e1c145aca5"
 dependencies = [
- "wit-bindgen",
+ "wit-bindgen 0.51.0",
 ]
 
 [[package]]
 name = "wasm-bindgen"
-version = "0.2.117"
+version = "0.2.118"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0551fc1bb415591e3372d0bc4780db7e587d84e2a7e79da121051c5c4b89d0b0"
+checksum = "0bf938a0bacb0469e83c1e148908bd7d5a6010354cf4fb73279b7447422e3a89"
 dependencies = [
  "cfg-if",
  "once_cell",
@@ -3385,9 +3397,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-futures"
-version = "0.4.67"
+version = "0.4.68"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "03623de6905b7206edd0a75f69f747f134b7f0a2323392d664448bf2d3c5d87e"
+checksum = "f371d383f2fb139252e0bfac3b81b265689bf45b6874af544ffa4c975ac1ebf8"
 dependencies = [
  "js-sys",
  "wasm-bindgen",
@@ -3395,9 +3407,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.117"
+version = "0.2.118"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7fbdf9a35adf44786aecd5ff89b4563a90325f9da0923236f6104e603c7e86be"
+checksum = "eeff24f84126c0ec2db7a449f0c2ec963c6a49efe0698c4242929da037ca28ed"
 dependencies = [
  "quote",
  "wasm-bindgen-macro-support",
@@ -3405,9 +3417,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro-support"
-version = "0.2.117"
+version = "0.2.118"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dca9693ef2bab6d4e6707234500350d8dad079eb508dca05530c85dc3a529ff2"
+checksum = "9d08065faf983b2b80a79fd87d8254c409281cf7de75fc4b773019824196c904"
 dependencies = [
  "bumpalo",
  "proc-macro2",
@@ -3418,9 +3430,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-shared"
-version = "0.2.117"
+version = "0.2.118"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "39129a682a6d2d841b6c429d0c51e5cb0ed1a03829d8b3d1e69a011e62cb3d3b"
+checksum = "5fd04d9e306f1907bd13c6361b5c6bfc7b3b3c095ed3f8a9246390f8dbdee129"
 dependencies = [
  "unicode-ident",
 ]
@@ -3453,7 +3465,7 @@ version = "0.244.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "47b807c72e1bac69382b3a6fb3dbe8ea4c0ed87ff5629b8685ae6b9a611028fe"
 dependencies = [
- "bitflags 2.11.0",
+ "bitflags 2.11.1",
  "hashbrown 0.15.5",
  "indexmap",
  "semver",
@@ -3461,9 +3473,9 @@ dependencies = [
 
 [[package]]
 name = "web-sys"
-version = "0.3.94"
+version = "0.3.95"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cd70027e39b12f0849461e08ffc50b9cd7688d942c1c8e3c7b22273236b4dd0a"
+checksum = "4f2dfbb17949fa2088e5d39408c48368947b86f7834484e87b73de55bc14d97d"
 dependencies = [
  "js-sys",
  "wasm-bindgen",
@@ -3481,18 +3493,18 @@ dependencies = [
 
 [[package]]
 name = "webpki-root-certs"
-version = "1.0.6"
+version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "804f18a4ac2676ffb4e8b5b5fa9ae38af06df08162314f96a68d2a363e21a8ca"
+checksum = "f31141ce3fc3e300ae89b78c0dd67f9708061d1d2eda54b8209346fd6be9a92c"
 dependencies = [
  "rustls-pki-types",
 ]
 
 [[package]]
 name = "webpki-roots"
-version = "1.0.6"
+version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "22cfaf3c063993ff62e73cb4311efde4db1efb31ab78a3e5c457939ad5cc0bed"
+checksum = "52f5ee44c96cf55f1b349600768e3ece3a8f26010c05265ab73f945bb1a2eb9d"
 dependencies = [
  "rustls-pki-types",
 ]
@@ -3841,6 +3853,12 @@ dependencies = [
  "wit-bindgen-rust-macro",
 ]
 
+[[package]]
+name = "wit-bindgen"
+version = "0.57.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1ebf944e87a7c253233ad6766e082e3cd714b5d03812acc24c318f549614536e"
+
 [[package]]
 name = "wit-bindgen-core"
 version = "0.51.0"
@@ -3890,7 +3908,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9d66ea20e9553b30172b5e831994e35fbde2d165325bec84fc43dbf6f4eb9cb2"
 dependencies = [
  "anyhow",
- "bitflags 2.11.0",
+ "bitflags 2.11.1",
  "indexmap",
  "log",
  "serde",
@@ -3922,9 +3940,9 @@ dependencies = [
 
 [[package]]
 name = "writeable"
-version = "0.6.2"
+version = "0.6.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9edde0db4769d2dc68579893f2306b26c6ecfbe0ef499b013d731b7b9247e0b9"
+checksum = "1ffae5123b2d3fc086436f8834ae3ab053a283cfac8fe0a0b8eaae044768a4c4"
 
 [[package]]
 name = "x25519-dalek"

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "telemt"
-version = "3.4.2"
+version = "3.4.8"
 edition = "2024"
 
 [features]

Dockerfile

@@ -77,6 +77,34 @@ COPY config.toml /app/config.toml
 
 EXPOSE 443 9090 9091
 
+HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 CMD ["/app/telemt", "healthcheck", "/app/config.toml", "--mode", "liveness"]
+
+ENTRYPOINT ["/app/telemt"]
+CMD ["config.toml"]
+
+# ==========================
+# Production Netfilter Profile
+# ==========================
+FROM debian:12-slim AS prod-netfilter
+
+RUN set -eux; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
+        ca-certificates \
+        conntrack \
+        nftables \
+        iptables; \
+    rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+COPY --from=minimal /telemt /app/telemt
+COPY config.toml /app/config.toml
+
+EXPOSE 443 9090 9091
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 CMD ["/app/telemt", "healthcheck", "/app/config.toml", "--mode", "liveness"]
+
 ENTRYPOINT ["/app/telemt"]
 CMD ["config.toml"]
 
@@ -94,5 +122,7 @@ USER nonroot:nonroot
 
 EXPOSE 443 9090 9091
 
+HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 CMD ["/app/telemt", "healthcheck", "/app/config.toml", "--mode", "liveness"]
+
 ENTRYPOINT ["/app/telemt"]
 CMD ["config.toml"]

docker-compose.host-netfilter.yml

@@ -0,0 +1,10 @@
+services:
+  telemt:
+    build:
+      context: .
+      target: prod-netfilter
+    network_mode: host
+    ports: []
+    cap_add:
+      - NET_BIND_SERVICE
+      - NET_ADMIN

docker-compose.netfilter.yml

@@ -0,0 +1,8 @@
+services:
+  telemt:
+    build:
+      context: .
+      target: prod-netfilter
+    cap_add:
+      - NET_BIND_SERVICE
+      - NET_ADMIN

docker-compose.yml

@@ -1,7 +1,9 @@
 services:
   telemt:
     image: ghcr.io/telemt/telemt:latest
-    build: .
+    build:
+      context: .
+      target: prod
     container_name: telemt
     restart: unless-stopped
     ports:
@@ -16,13 +18,18 @@ services:
       - /etc/telemt:rw,mode=1777,size=4m
     environment:
       - RUST_LOG=info
+    healthcheck:
+      test: [ "CMD", "/app/telemt", "healthcheck", "/etc/telemt/config.toml", "--mode", "liveness" ]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 20s
     # Uncomment this line if you want to use host network for IPv6, but bridge is default and usually better
     # network_mode: host
     cap_drop:
       - ALL
     cap_add:
       - NET_BIND_SERVICE
-      - NET_ADMIN
     read_only: true
     security_opt:
       - no-new-privileges:true

docs/Config_params/CONFIG_PARAMS.en.md

@@ -255,13 +255,22 @@ This document lists all configuration keys accepted by `config.toml`.
     ```
 ## proxy_secret_path
   - **Constraints / validation**: `String`. When omitted, the default path is `"proxy-secret"`. Empty values are accepted by TOML/serde but will likely fail at runtime (invalid file path).
-  - **Description**: Path to Telegram infrastructure `proxy-secret` cache file used by ME handshake/RPC auth. Telemt always tries a fresh download from `https://core.telegram.org/getProxySecret` first, caches it to this path on success, and falls back to reading the cached file (any age) on download failure.
+  - **Description**: Path to Telegram infrastructure `proxy-secret` cache file used by ME handshake/RPC auth. Telemt always tries a fresh download from `https://core.telegram.org/getProxySecret` first (unless `proxy_secret_url` is set) , caches it to this path on success, and falls back to reading the cached file (any age) on download failure.
   - **Example**:
 
     ```toml
     [general]
     proxy_secret_path = "proxy-secret"
     ```
+## proxy_secret_url
+  - **Constraints / validation**: `String`. When omitted, the `"https://core.telegram.org/getProxySecret"` is used.
+  - **Description**: Optional URL to obtain `proxy-secret` file used by ME handshake/RPC auth. Telemt always tries a fresh download from this URL first (with fallback to `https://core.telegram.org/getProxySecret` if absent). 
+  - **Example**:
+
+    ```toml
+    [general]
+    proxy_secret_url = "https://core.telegram.org/getProxySecret"
+    ```
 ## proxy_config_v4_cache_path
   - **Constraints / validation**: `String`. When set, must not be empty/whitespace-only.
   - **Description**: Optional disk cache path for raw `getProxyConfig` (IPv4) snapshot. At startup Telemt tries to fetch a fresh snapshot first; on fetch failure or empty snapshot it falls back to this cache file when present and non-empty.
@@ -271,6 +280,15 @@ This document lists all configuration keys accepted by `config.toml`.
     [general]
     proxy_config_v4_cache_path = "cache/proxy-config-v4.txt"
     ```
+## proxy_config_v4_url
+- **Constraints / validation**: `String`. When omitted, the `"https://core.telegram.org/getProxyConfig"` is used.
+- **Description**: Optional URL to obtain raw `getProxyConfig` (IPv4). Telemt always tries a fresh download from this URL first (with fallback to `https://core.telegram.org/getProxyConfig` if absent).
+- **Example**:
+
+  ```toml
+  [general]
+  proxy_config_v4_url = "https://core.telegram.org/getProxyConfig"
+  ```
 ## proxy_config_v6_cache_path
   - **Constraints / validation**: `String`. When set, must not be empty/whitespace-only.
   - **Description**: Optional disk cache path for raw `getProxyConfigV6` (IPv6) snapshot. At startup Telemt tries to fetch a fresh snapshot first; on fetch failure or empty snapshot it falls back to this cache file when present and non-empty.
@@ -280,6 +298,15 @@ This document lists all configuration keys accepted by `config.toml`.
     [general]
     proxy_config_v6_cache_path = "cache/proxy-config-v6.txt"
     ```
+## proxy_config_v6_url
+- **Constraints / validation**: `String`. When omitted, the `"https://core.telegram.org/getProxyConfigV6"` is used.
+- **Description**: Optional URL to obtain raw `getProxyConfigV6` (IPv6). Telemt always tries a fresh download from this URL first (with fallback to `https://core.telegram.org/getProxyConfigV6` if absent).
+- **Example**:
+
+  ```toml
+  [general]
+  proxy_config_v6_url = "https://core.telegram.org/getProxyConfigV6"
+  ```
 ## ad_tag
   - **Constraints / validation**: `String` (optional). When set, must be exactly 32 hex characters; invalid values are disabled during config load.
   - **Description**: Global fallback sponsored-channel `ad_tag` (used when user has no override in `access.user_ad_tags`). An all-zero tag is accepted but has no effect (and is warned about) until replaced with a real tag from `@MTProxybot`.
@@ -2270,7 +2297,7 @@ Note: This section also accepts the legacy alias `[server.admin_api]` (same sche
 | --- | ---- | ------- |
 | [`tls_domain`](#tls_domain) | `String` | `"petrovich.ru"` |
 | [`tls_domains`](#tls_domains) | `String[]` | `[]` |
-| [`unknown_sni_action`](#unknown_sni_action) | `"drop"`, `"mask"`, `"accept"` | `"drop"` |
+| [`unknown_sni_action`](#unknown_sni_action) | `"drop"`, `"mask"`, `"accept"`, `"reject_handshake"` | `"drop"` |
 | [`tls_fetch_scope`](#tls_fetch_scope) | `String` | `""` |
 | [`tls_fetch`](#tls_fetch) | `Table` | built-in defaults |
 | [`mask`](#mask) | `bool` | `true` |
@@ -2321,13 +2348,17 @@ Note: This section also accepts the legacy alias `[server.admin_api]` (same sche
     tls_domains = ["example.net", "example.org"]
     ```
 ## unknown_sni_action
-  - **Constraints / validation**: `"drop"`, `"mask"` or `"accept"`.
+  - **Constraints / validation**: `"drop"`, `"mask"`, `"accept"` or `"reject_handshake"`.
   - **Description**: Action for TLS ClientHello with unknown / non-configured SNI.
+    - `drop` — close the connection without any response (silent FIN after `server_hello_delay` is applied). Timing-indistinguishable from the Success branch, but wire-quieter than what a real web server would do.
+    - `mask` — transparently proxy the connection to `mask_host:mask_port` (TLS fronting). The client receives a real ServerHello from the backend with its real certificate. Maximum camouflage, but opens an outbound connection for every misdirected request.
+    - `accept` — pretend the SNI is valid and continue on the auth path. Weakens active-probing resistance; only meaningful in narrow scenarios.
+    - `reject_handshake` — emit a fatal TLS `unrecognized_name` alert (RFC 6066, AlertDescription = 112) and close the connection. Identical on the wire to a modern nginx with `ssl_reject_handshake on;` on its default vhost: looks like an ordinary HTTPS server that simply does not host the requested name. Recommended when the goal is maximal parity with a stock web server rather than TLS fronting. `server_hello_delay` is intentionally **not** applied to this branch, so the alert is emitted "instantly" the way a reference nginx would.
   - **Example**:
 
     ```toml
     [censorship]
-    unknown_sni_action = "drop"
+    unknown_sni_action = "reject_handshake"
     ```
 ## tls_fetch_scope
   - **Constraints / validation**: `String`. Value is trimmed during load; whitespace-only becomes empty.
@@ -3083,5 +3114,3 @@ If your backend or network is very bandwidth-constrained, reduce cap first. If p
     username = "alice"
     password = "secret"
     ```
-
-

docs/Config_params/CONFIG_PARAMS.ru.md

@@ -255,13 +255,22 @@
     ```
 ## proxy_secret_path
   - **Ограничения / валидация**: `String`. Если этот параметр не указан, используется путь по умолчанию — «proxy-secret». Пустые значения принимаются TOML/serde, но во время выполнения произойдет ошибка (invalid file path).
-  - **Описание**: Путь к файлу кэша `proxy-secret` инфраструктуры Telegram, используемому ME-handshake/аутентификацией RPC. Telemt всегда сначала пытается выполнить новую загрузку с https://core.telegram.org/getProxySecret, в случае успеха кэширует ее по этому пути и возвращается к чтению кэшированного файла в случае сбоя загрузки.
+  - **Описание**: Путь к файлу кэша `proxy-secret` инфраструктуры Telegram, используемому ME-handshake/аутентификацией RPC. Telemt всегда сначала пытается выполнить новую загрузку с https://core.telegram.org/getProxySecret (если не установлен `proxy_secret_url`), в случае успеха кэширует ее по этому пути и возвращается к чтению кэшированного файла в случае сбоя загрузки.
   - **Пример**:
 
     ```toml
     [general]
     proxy_secret_path = "proxy-secret"
     ```
+## proxy_secret_url
+  - **Ограничения / валидация**: `String`. Если не указан, используется `"https://core.telegram.org/getProxySecret"`.
+  - **Описание**: Необязательный URL для получения файла `proxy-secret` используемого ME-handshake/аутентификацией RPC. Telemt всегда сначала пытается выполнить новую загрузку с этого URL (если не задан, используется https://core.telegram.org/getProxySecret).
+  - **Пример**:
+
+    ```toml
+    [general]
+    proxy_secret_url = "https://core.telegram.org/getProxySecret"
+    ```
 ## proxy_config_v4_cache_path
   - **Ограничения / валидация**: `String`. Если используется, значение не должно быть пустым или содержать только пробелы.
   - **Описание**: Необязательный путь к кэшу для необработанного (raw) снимка getProxyConfig (IPv4). При запуске Telemt сначала пытается получить свежий снимок; в случае сбоя выборки или пустого снимка он возвращается к этому файлу кэша, если он присутствует и не пуст.
@@ -271,6 +280,15 @@
     [general]
     proxy_config_v4_cache_path = "cache/proxy-config-v4.txt"
     ```
+## proxy_config_v4_url
+  - **Ограничения / валидация**: `String`. Если не указан, используется `"https://core.telegram.org/getProxyConfig"`.
+  - **Описание**: Необязательный URL для получения `getProxyConfig` (IPv4). Telemt при всегда пытается выполнить новую загрузку с этого URL (и если не задан, использует `https://core.telegram.org/getProxyConfig`).
+  - **Example**:
+  
+    ```toml
+    [general]
+    proxy_config_v4_url = "https://core.telegram.org/getProxyConfig"
+    ```
 ## proxy_config_v6_cache_path
   - **Ограничения / валидация**: `String`. Если используется, значение не должно быть пустым или содержать только пробелы.
   - **Описание**: Необязательный путь к кэшу для необработанного (raw) снимка getProxyConfigV6 (IPv6). При запуске Telemt сначала пытается получить свежий снимок; в случае сбоя выборки или пустого снимка он возвращается к этому файлу кэша, если он присутствует и не пуст.
@@ -280,6 +298,15 @@
     [general]
     proxy_config_v6_cache_path = "cache/proxy-config-v6.txt"
     ```
+## proxy_config_v6_url
+- **Ограничения / валидация**: `String`. Если не указан, используется `"https://core.telegram.org/getProxyConfigV6"`.
+- **Описание**: Необязательный URL для получения `getProxyConfigV6` (IPv6). Telemt при всегда пытается выполнить новую загрузку с этого URL (и если не задан, использует `https://core.telegram.org/getProxyConfigV6`).
+- **Example**:
+
+  ```toml
+  [general]
+  proxy_config_v6_url = "https://core.telegram.org/getProxyConfigV6"
+  ```
 ## ad_tag
   - **Ограничения / валидация**: `String` (необязательный параметр). Если используется, значение должно быть ровно 32 символа в шестнадцатеричной системе; недопустимые значения отключаются во время загрузки конфигурации.
   - **Описание**: Глобальный резервный спонсируемый канал `ad_tag` (используется, когда у пользователя нет переопределения в `access.user_ad_tags`). Тег со всеми нулями принимается, но не имеет никакого эффекта, пока не будет заменен реальным тегом от `@MTProxybot`.
@@ -2197,7 +2224,7 @@
     ```
 ## relay_client_idle_soft_secs
   - **Ограничения / валидация**: Должно быть `> 0`; Должно быть меньше или равно `relay_client_idle_hard_secs`.
-  - **Описание**: Мягкий порог простоя (в секундах) для неактивности uplink клиента в промежуточном узле. При достижении этого порога сессия помечается как кандидат на простой и может быть удалена в зависимости от политики.
+  - **Описание**: Мягкий порог простоя (в секундах) для неактивности uplink клиента в промежуточном узле. При достижении этого порога сессия помечается как кандидат на простой и может быть удалена в зависимости от политики.
   - **Пример**:
 
     ```toml
@@ -2276,7 +2303,7 @@
 | --- | ---- | ------- |
 | [`tls_domain`](#tls_domain) | `String` | `"petrovich.ru"` |
 | [`tls_domains`](#tls_domains) | `String[]` | `[]` |
-| [`unknown_sni_action`](#unknown_sni_action) | `"drop"`, `"mask"`, `"accept"` | `"drop"` |
+| [`unknown_sni_action`](#unknown_sni_action) | `"drop"`, `"mask"`, `"accept"`, `"reject_handshake"` | `"drop"` |
 | [`tls_fetch_scope`](#tls_fetch_scope) | `String` | `""` |
 | [`tls_fetch`](#tls_fetch) | `Table` | built-in defaults |
 | [`mask`](#mask) | `bool` | `true` |
@@ -2326,13 +2353,17 @@
     tls_domains = ["example.net", "example.org"]
     ```
 ## unknown_sni_action
-  - **Ограничения / валидация**: `"drop"`, `"mask"` или `"accept"`.
+  - **Ограничения / валидация**: `"drop"`, `"mask"`, `"accept"` или `"reject_handshake"`.
   - **Описание**: Действие для TLS ClientHello с неизвестным/ненастроенным SNI.
+    - `drop` — закрыть соединение без ответа (молчаливый FIN после применения `server_hello_delay`). Поведение, неотличимое по таймингу от Success-ветки, но более «тихое», чем у обычного веб-сервера.
+    - `mask` — прозрачно проксировать соединение на `mask_host:mask_port` (TLS-fronting). Клиент получает настоящий ServerHello от реального бэкенда с его сертификатом. Максимальный камуфляж, но порождает исходящее соединение на каждый чужой запрос.
+    - `accept` — притвориться, что SNI валиден, и продолжить auth-путь. Снижает защиту от активного пробинга; осмысленно только в узких сценариях.
+    - `reject_handshake` — отправить фатальный TLS-alert `unrecognized_name` (RFC 6066, AlertDescription = 112) и закрыть соединение. Поведение, идентичное современному nginx с `ssl_reject_handshake on;` на дефолтном vhost'е: на wire-уровне выглядит как обычный HTTPS-сервер, у которого просто нет такого домена. Рекомендуется, если цель — максимальная похожесть на стоковый веб-сервер, а не tls-fronting. `server_hello_delay` на эту ветку не применяется, чтобы alert улетал «мгновенно», как у эталонного nginx.
   - **Пример**:
 
     ```toml
     [censorship]
-    unknown_sni_action = "drop"
+    unknown_sni_action = "reject_handshake"
     ```
 ## tls_fetch_scope
   - **Ограничения / валидация**: `String`. Значение обрезается во время загрузки; значение, состоящее только из пробелов, становится пустым.
@@ -3090,5 +3121,3 @@
     username = "alice"
     password = "secret"
     ```
-
-

docs/FAQ.en.md

@@ -210,6 +210,13 @@ If you need to allow connections with any domains (ignoring SNI mismatches), add
 unknown_sni_action = "mask"
 ```
 
+Alternatively, if you want telemt to behave like a vanilla nginx with `ssl_reject_handshake on;` on unknown SNI (emit a TLS `unrecognized_name` alert and close the connection), use:
+```toml
+[censorship]
+unknown_sni_action = "reject_handshake"
+```
+This does not recover stale clients, but it makes port 443 wire-indistinguishable from a stock web server that simply does not host the requested vhost.
+
 ### How to view metrics
 
 1. Open the configuration file: `nano /etc/telemt/telemt.toml`.

docs/FAQ.ru.md

@@ -227,6 +227,13 @@ curl -s http://127.0.0.1:9091/v1/users | jq
 unknown_sni_action = "mask"
 ```
 
+Альтернатива: если вы хотите, чтобы telemt на неизвестный SNI вёл себя как обычный nginx с `ssl_reject_handshake on;` (отдавал TLS-alert `unrecognized_name` и закрывал соединение), используйте:
+```toml
+[censorship]
+unknown_sni_action = "reject_handshake"
+```
+Это не пропускает старых клиентов, но делает поведение на 443-м порту неотличимым от стокового веб-сервера, у которого просто нет такого виртуального хоста.
+
 ## Как посмотреть метрики
 
 1. Откройте файл конфигурации: `nano /etc/telemt/telemt.toml`.

src/api/mod.rs

@@ -28,6 +28,7 @@ mod config_store;
 mod events;
 mod http_utils;
 mod model;
+mod patch;
 mod runtime_edge;
 mod runtime_init;
 mod runtime_min;
@@ -41,8 +42,8 @@ use config_store::{current_revision, load_config_from_disk, parse_if_match};
 use events::ApiEventStore;
 use http_utils::{error_response, read_json, read_optional_json, success_response};
 use model::{
-    ApiFailure, CreateUserRequest, DeleteUserResponse, HealthData, PatchUserRequest,
-    RotateSecretRequest, SummaryData, UserActiveIps,
+    ApiFailure, ClassCount, CreateUserRequest, DeleteUserResponse, HealthData, HealthReadyData,
+    PatchUserRequest, RotateSecretRequest, SummaryData, UserActiveIps,
 };
 use runtime_edge::{
     EdgeConnectionsCacheEntry, build_runtime_connections_summary_data,
@@ -275,6 +276,33 @@ async fn handle(
                 };
                 Ok(success_response(StatusCode::OK, data, revision))
             }
+            ("GET", "/v1/health/ready") => {
+                let revision = current_revision(&shared.config_path).await?;
+                let admission_open = shared.runtime_state.admission_open.load(Ordering::Relaxed);
+                let upstream_health = shared.upstream_manager.api_health_summary().await;
+                let ready = admission_open && upstream_health.healthy_total > 0;
+                let reason = if ready {
+                    None
+                } else if !admission_open {
+                    Some("admission_closed")
+                } else {
+                    Some("no_healthy_upstreams")
+                };
+                let data = HealthReadyData {
+                    ready,
+                    status: if ready { "ready" } else { "not_ready" },
+                    reason,
+                    admission_open,
+                    healthy_upstreams: upstream_health.healthy_total,
+                    total_upstreams: upstream_health.configured_total,
+                };
+                let status_code = if ready {
+                    StatusCode::OK
+                } else {
+                    StatusCode::SERVICE_UNAVAILABLE
+                };
+                Ok(success_response(status_code, data, revision))
+            }
             ("GET", "/v1/system/info") => {
                 let revision = current_revision(&shared.config_path).await?;
                 let data = build_system_info_data(shared.as_ref(), cfg.as_ref(), &revision);
@@ -307,10 +335,24 @@ async fn handle(
             }
             ("GET", "/v1/stats/summary") => {
                 let revision = current_revision(&shared.config_path).await?;
+                let connections_bad_by_class = shared
+                    .stats
+                    .get_connects_bad_class_counts()
+                    .into_iter()
+                    .map(|(class, total)| ClassCount { class, total })
+                    .collect();
+                let handshake_failures_by_class = shared
+                    .stats
+                    .get_handshake_failure_class_counts()
+                    .into_iter()
+                    .map(|(class, total)| ClassCount { class, total })
+                    .collect();
                 let data = SummaryData {
                     uptime_seconds: shared.stats.uptime_secs(),
                     connections_total: shared.stats.get_connects_all(),
                     connections_bad_total: shared.stats.get_connects_bad(),
+                    connections_bad_by_class,
+                    handshake_failures_by_class,
                     handshake_timeouts_total: shared.stats.get_handshake_timeouts(),
                     configured_users: cfg.access.users.len(),
                 };

src/api/model.rs

@@ -5,6 +5,7 @@ use chrono::{DateTime, Utc};
 use hyper::StatusCode;
 use serde::{Deserialize, Serialize};
 
+use super::patch::{Patch, patch_field};
 use crate::crypto::SecureRandom;
 
 const MAX_USERNAME_LEN: usize = 64;
@@ -60,11 +61,30 @@ pub(super) struct HealthData {
     pub(super) read_only: bool,
 }
 
+#[derive(Serialize)]
+pub(super) struct HealthReadyData {
+    pub(super) ready: bool,
+    pub(super) status: &'static str,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(super) reason: Option<&'static str>,
+    pub(super) admission_open: bool,
+    pub(super) healthy_upstreams: usize,
+    pub(super) total_upstreams: usize,
+}
+
+#[derive(Serialize, Clone)]
+pub(super) struct ClassCount {
+    pub(super) class: String,
+    pub(super) total: u64,
+}
+
 #[derive(Serialize)]
 pub(super) struct SummaryData {
     pub(super) uptime_seconds: f64,
     pub(super) connections_total: u64,
     pub(super) connections_bad_total: u64,
+    pub(super) connections_bad_by_class: Vec<ClassCount>,
+    pub(super) handshake_failures_by_class: Vec<ClassCount>,
     pub(super) handshake_timeouts_total: u64,
     pub(super) configured_users: usize,
 }
@@ -80,6 +100,8 @@ pub(super) struct ZeroCoreData {
     pub(super) uptime_seconds: f64,
     pub(super) connections_total: u64,
     pub(super) connections_bad_total: u64,
+    pub(super) connections_bad_by_class: Vec<ClassCount>,
+    pub(super) handshake_failures_by_class: Vec<ClassCount>,
     pub(super) handshake_timeouts_total: u64,
     pub(super) accept_permit_timeout_total: u64,
     pub(super) configured_users: usize,
@@ -486,11 +508,16 @@ pub(super) struct CreateUserRequest {
 #[derive(Deserialize)]
 pub(super) struct PatchUserRequest {
     pub(super) secret: Option<String>,
-    pub(super) user_ad_tag: Option<String>,
-    pub(super) max_tcp_conns: Option<usize>,
-    pub(super) expiration_rfc3339: Option<String>,
-    pub(super) data_quota_bytes: Option<u64>,
-    pub(super) max_unique_ips: Option<usize>,
+    #[serde(default, deserialize_with = "patch_field")]
+    pub(super) user_ad_tag: Patch<String>,
+    #[serde(default, deserialize_with = "patch_field")]
+    pub(super) max_tcp_conns: Patch<usize>,
+    #[serde(default, deserialize_with = "patch_field")]
+    pub(super) expiration_rfc3339: Patch<String>,
+    #[serde(default, deserialize_with = "patch_field")]
+    pub(super) data_quota_bytes: Patch<u64>,
+    #[serde(default, deserialize_with = "patch_field")]
+    pub(super) max_unique_ips: Patch<usize>,
 }
 
 #[derive(Default, Deserialize)]
@@ -509,6 +536,20 @@ pub(super) fn parse_optional_expiration(
     Ok(Some(parsed.with_timezone(&Utc)))
 }
 
+pub(super) fn parse_patch_expiration(
+    value: &Patch<String>,
+) -> Result<Patch<DateTime<Utc>>, ApiFailure> {
+    match value {
+        Patch::Unchanged => Ok(Patch::Unchanged),
+        Patch::Remove => Ok(Patch::Remove),
+        Patch::Set(raw) => {
+            let parsed = DateTime::parse_from_rfc3339(raw)
+                .map_err(|_| ApiFailure::bad_request("expiration_rfc3339 must be valid RFC3339"))?;
+            Ok(Patch::Set(parsed.with_timezone(&Utc)))
+        }
+    }
+}
+
 pub(super) fn is_valid_user_secret(secret: &str) -> bool {
     secret.len() == 32 && secret.chars().all(|c| c.is_ascii_hexdigit())
 }

src/api/patch.rs

@@ -0,0 +1,130 @@
+use serde::Deserialize;
+
+/// Three-state field for JSON Merge Patch semantics on the `PATCH /v1/users/{user}`
+/// endpoint.
+///
+/// `Unchanged` is produced when the JSON body omits the field entirely and tells the
+/// handler to leave the corresponding configuration entry untouched. `Remove` is
+/// produced when the JSON body sets the field to `null` and instructs the handler to
+/// drop the entry from the corresponding access HashMap. `Set` carries an explicit
+/// new value, including zero, which is preserved verbatim in the configuration.
+#[derive(Debug)]
+pub(super) enum Patch<T> {
+    Unchanged,
+    Remove,
+    Set(T),
+}
+
+impl<T> Default for Patch<T> {
+    fn default() -> Self {
+        Self::Unchanged
+    }
+}
+
+/// Serde deserializer adapter for fields that follow JSON Merge Patch semantics.
+///
+/// Pair this with `#[serde(default, deserialize_with = "patch_field")]` on a
+/// `Patch<T>` field. An omitted field falls back to `Patch::Unchanged` via
+/// `Default`; an explicit JSON `null` becomes `Patch::Remove`; any other value
+/// becomes `Patch::Set(v)`.
+pub(super) fn patch_field<'de, D, T>(deserializer: D) -> Result<Patch<T>, D::Error>
+where
+    D: serde::Deserializer<'de>,
+    T: serde::Deserialize<'de>,
+{
+    Option::<T>::deserialize(deserializer).map(|opt| match opt {
+        Some(value) => Patch::Set(value),
+        None => Patch::Remove,
+    })
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::api::model::{PatchUserRequest, parse_patch_expiration};
+    use chrono::{TimeZone, Utc};
+    use serde::Deserialize;
+
+    #[derive(Deserialize)]
+    struct Holder {
+        #[serde(default, deserialize_with = "patch_field")]
+        value: Patch<u64>,
+    }
+
+    fn parse(json: &str) -> Holder {
+        serde_json::from_str(json).expect("valid json")
+    }
+
+    #[test]
+    fn omitted_field_yields_unchanged() {
+        let h = parse("{}");
+        assert!(matches!(h.value, Patch::Unchanged));
+    }
+
+    #[test]
+    fn explicit_null_yields_remove() {
+        let h = parse(r#"{"value": null}"#);
+        assert!(matches!(h.value, Patch::Remove));
+    }
+
+    #[test]
+    fn explicit_value_yields_set() {
+        let h = parse(r#"{"value": 42}"#);
+        assert!(matches!(h.value, Patch::Set(42)));
+    }
+
+    #[test]
+    fn explicit_zero_yields_set_zero() {
+        let h = parse(r#"{"value": 0}"#);
+        assert!(matches!(h.value, Patch::Set(0)));
+    }
+
+    #[test]
+    fn parse_patch_expiration_passes_unchanged_and_remove_through() {
+        assert!(matches!(
+            parse_patch_expiration(&Patch::Unchanged),
+            Ok(Patch::Unchanged)
+        ));
+        assert!(matches!(
+            parse_patch_expiration(&Patch::Remove),
+            Ok(Patch::Remove)
+        ));
+    }
+
+    #[test]
+    fn parse_patch_expiration_parses_set_value() {
+        let parsed =
+            parse_patch_expiration(&Patch::Set("2030-01-02T03:04:05Z".into())).expect("valid");
+        match parsed {
+            Patch::Set(dt) => {
+                assert_eq!(dt, Utc.with_ymd_and_hms(2030, 1, 2, 3, 4, 5).unwrap());
+            }
+            other => panic!("expected Patch::Set, got {:?}", other),
+        }
+    }
+
+    #[test]
+    fn parse_patch_expiration_rejects_invalid_set_value() {
+        assert!(parse_patch_expiration(&Patch::Set("not-a-date".into())).is_err());
+    }
+
+    #[test]
+    fn patch_user_request_deserializes_mixed_states() {
+        let raw = r#"{
+            "secret": "00112233445566778899aabbccddeeff",
+            "max_tcp_conns": 0,
+            "max_unique_ips": null,
+            "data_quota_bytes": 1024
+        }"#;
+        let req: PatchUserRequest = serde_json::from_str(raw).expect("valid json");
+        assert_eq!(
+            req.secret.as_deref(),
+            Some("00112233445566778899aabbccddeeff")
+        );
+        assert!(matches!(req.max_tcp_conns, Patch::Set(0)));
+        assert!(matches!(req.max_unique_ips, Patch::Remove));
+        assert!(matches!(req.data_quota_bytes, Patch::Set(1024)));
+        assert!(matches!(req.expiration_rfc3339, Patch::Unchanged));
+        assert!(matches!(req.user_ad_tag, Patch::Unchanged));
+    }
+}

src/api/runtime_stats.rs

@@ -7,8 +7,8 @@ use crate::transport::upstream::IpPreference;
 
 use super::ApiShared;
 use super::model::{
-    DcEndpointWriters, DcStatus, DcStatusData, MeWriterStatus, MeWritersData, MeWritersSummary,
-    MinimalAllData, MinimalAllPayload, MinimalDcPathData, MinimalMeRuntimeData,
+    ClassCount, DcEndpointWriters, DcStatus, DcStatusData, MeWriterStatus, MeWritersData,
+    MeWritersSummary, MinimalAllData, MinimalAllPayload, MinimalDcPathData, MinimalMeRuntimeData,
     MinimalQuarantineData, UpstreamDcStatus, UpstreamStatus, UpstreamSummaryData, UpstreamsData,
     ZeroAllData, ZeroCodeCount, ZeroCoreData, ZeroDesyncData, ZeroMiddleProxyData, ZeroPoolData,
     ZeroUpstreamData,
@@ -26,6 +26,16 @@ pub(crate) struct MinimalCacheEntry {
 
 pub(super) fn build_zero_all_data(stats: &Stats, configured_users: usize) -> ZeroAllData {
     let telemetry = stats.telemetry_policy();
+    let bad_connection_classes = stats
+        .get_connects_bad_class_counts()
+        .into_iter()
+        .map(|(class, total)| ClassCount { class, total })
+        .collect();
+    let handshake_failure_classes = stats
+        .get_handshake_failure_class_counts()
+        .into_iter()
+        .map(|(class, total)| ClassCount { class, total })
+        .collect();
     let handshake_error_codes = stats
         .get_me_handshake_error_code_counts()
         .into_iter()
@@ -38,6 +48,8 @@ pub(super) fn build_zero_all_data(stats: &Stats, configured_users: usize) -> Zer
             uptime_seconds: stats.uptime_secs(),
             connections_total: stats.get_connects_all(),
             connections_bad_total: stats.get_connects_bad(),
+            connections_bad_by_class: bad_connection_classes,
+            handshake_failures_by_class: handshake_failure_classes,
             handshake_timeouts_total: stats.get_handshake_timeouts(),
             accept_permit_timeout_total: stats.get_accept_permit_timeout_total(),
             configured_users,

src/api/users.rs

@@ -14,8 +14,9 @@ use super::config_store::{
 use super::model::{
     ApiFailure, CreateUserRequest, CreateUserResponse, PatchUserRequest, RotateSecretRequest,
     UserInfo, UserLinks, is_valid_ad_tag, is_valid_user_secret, is_valid_username,
-    parse_optional_expiration, random_user_secret,
+    parse_optional_expiration, parse_patch_expiration, random_user_secret,
 };
+use super::patch::Patch;
 
 pub(super) async fn create_user(
     body: CreateUserRequest,
@@ -182,14 +183,14 @@ pub(super) async fn patch_user(
             "secret must be exactly 32 hex characters",
         ));
     }
-    if let Some(ad_tag) = body.user_ad_tag.as_ref()
+    if let Patch::Set(ad_tag) = &body.user_ad_tag
         && !is_valid_ad_tag(ad_tag)
     {
         return Err(ApiFailure::bad_request(
             "user_ad_tag must be exactly 32 hex characters",
         ));
     }
-    let expiration = parse_optional_expiration(body.expiration_rfc3339.as_deref())?;
+    let expiration = parse_patch_expiration(&body.expiration_rfc3339)?;
     let _guard = shared.mutation_lock.lock().await;
     let mut cfg = load_config_from_disk(&shared.config_path).await?;
     ensure_expected_revision(&shared.config_path, expected_revision.as_deref()).await?;
@@ -205,38 +206,71 @@ pub(super) async fn patch_user(
     if let Some(secret) = body.secret {
         cfg.access.users.insert(user.to_string(), secret);
     }
-    if let Some(ad_tag) = body.user_ad_tag {
-        cfg.access.user_ad_tags.insert(user.to_string(), ad_tag);
+    match body.user_ad_tag {
+        Patch::Unchanged => {}
+        Patch::Remove => {
+            cfg.access.user_ad_tags.remove(user);
+        }
+        Patch::Set(ad_tag) => {
+            cfg.access.user_ad_tags.insert(user.to_string(), ad_tag);
+        }
     }
-    if let Some(limit) = body.max_tcp_conns {
-        cfg.access
-            .user_max_tcp_conns
-            .insert(user.to_string(), limit);
+    match body.max_tcp_conns {
+        Patch::Unchanged => {}
+        Patch::Remove => {
+            cfg.access.user_max_tcp_conns.remove(user);
+        }
+        Patch::Set(limit) => {
+            cfg.access
+                .user_max_tcp_conns
+                .insert(user.to_string(), limit);
+        }
     }
-    if let Some(expiration) = expiration {
-        cfg.access
-            .user_expirations
-            .insert(user.to_string(), expiration);
+    match expiration {
+        Patch::Unchanged => {}
+        Patch::Remove => {
+            cfg.access.user_expirations.remove(user);
+        }
+        Patch::Set(expiration) => {
+            cfg.access
+                .user_expirations
+                .insert(user.to_string(), expiration);
+        }
     }
-    if let Some(quota) = body.data_quota_bytes {
-        cfg.access.user_data_quota.insert(user.to_string(), quota);
-    }
-
-    let mut updated_limit = None;
-    if let Some(limit) = body.max_unique_ips {
-        cfg.access
-            .user_max_unique_ips
-            .insert(user.to_string(), limit);
-        updated_limit = Some(limit);
+    match body.data_quota_bytes {
+        Patch::Unchanged => {}
+        Patch::Remove => {
+            cfg.access.user_data_quota.remove(user);
+        }
+        Patch::Set(quota) => {
+            cfg.access.user_data_quota.insert(user.to_string(), quota);
+        }
     }
+    // Capture how the per-user IP limit changed, so the in-memory ip_tracker
+    // can be synced (set or removed) after the config is persisted.
+    let max_unique_ips_change = match body.max_unique_ips {
+        Patch::Unchanged => None,
+        Patch::Remove => {
+            cfg.access.user_max_unique_ips.remove(user);
+            Some(None)
+        }
+        Patch::Set(limit) => {
+            cfg.access
+                .user_max_unique_ips
+                .insert(user.to_string(), limit);
+            Some(Some(limit))
+        }
+    };
 
     cfg.validate()
         .map_err(|e| ApiFailure::bad_request(format!("config validation failed: {}", e)))?;
 
     let revision = save_config_to_disk(&shared.config_path, &cfg).await?;
     drop(_guard);
-    if let Some(limit) = updated_limit {
-        shared.ip_tracker.set_user_limit(user, limit).await;
+    match max_unique_ips_change {
+        Some(Some(limit)) => shared.ip_tracker.set_user_limit(user, limit).await,
+        Some(None) => shared.ip_tracker.remove_user_limit(user).await,
+        None => {}
     }
     let (detected_ip_v4, detected_ip_v6) = shared.detected_link_ips();
     let users = users_from_config(

src/cli.rs

@@ -6,12 +6,15 @@
 //! - `reload [--pid-file PATH]` - Reload configuration (SIGHUP)
 //! - `status [--pid-file PATH]` - Check daemon status
 //! - `run [OPTIONS] [config.toml]` - Run in foreground (default behavior)
+//! - `healthcheck [OPTIONS] [config.toml]` - Run control-plane health probe
 
 use rand::RngExt;
 use std::fs;
 use std::path::{Path, PathBuf};
 use std::process::Command;
 
+use crate::healthcheck::{self, HealthcheckMode};
+
 #[cfg(unix)]
 use crate::daemon::{self, DEFAULT_PID_FILE, DaemonOptions};
 
@@ -28,6 +31,8 @@ pub enum Subcommand {
     Reload,
     /// Check daemon status (`status` subcommand).
     Status,
+    /// Run health probe and exit with status code.
+    Healthcheck,
     /// Fire-and-forget setup (`--init`).
     Init,
 }
@@ -38,6 +43,8 @@ pub struct ParsedCommand {
     pub subcommand: Subcommand,
     pub pid_file: PathBuf,
     pub config_path: String,
+    pub healthcheck_mode: HealthcheckMode,
+    pub healthcheck_mode_invalid: Option<String>,
     #[cfg(unix)]
     pub daemon_opts: DaemonOptions,
     pub init_opts: Option<InitOptions>,
@@ -52,6 +59,8 @@ impl Default for ParsedCommand {
             #[cfg(not(unix))]
             pid_file: PathBuf::from("/var/run/telemt.pid"),
             config_path: "config.toml".to_string(),
+            healthcheck_mode: HealthcheckMode::Liveness,
+            healthcheck_mode_invalid: None,
             #[cfg(unix)]
             daemon_opts: DaemonOptions::default(),
             init_opts: None,
@@ -91,6 +100,9 @@ pub fn parse_command(args: &[String]) -> ParsedCommand {
             "status" => {
                 cmd.subcommand = Subcommand::Status;
             }
+            "healthcheck" => {
+                cmd.subcommand = Subcommand::Healthcheck;
+            }
             "run" => {
                 cmd.subcommand = Subcommand::Run;
                 #[cfg(unix)]
@@ -113,7 +125,35 @@ pub fn parse_command(args: &[String]) -> ParsedCommand {
     while i < args.len() {
         match args[i].as_str() {
             // Skip subcommand names
-            "start" | "stop" | "reload" | "status" | "run" => {}
+            "start" | "stop" | "reload" | "status" | "run" | "healthcheck" => {}
+            "--mode" => {
+                i += 1;
+                if i < args.len() {
+                    match HealthcheckMode::from_cli_arg(&args[i]) {
+                        Some(mode) => {
+                            cmd.healthcheck_mode = mode;
+                            cmd.healthcheck_mode_invalid = None;
+                        }
+                        None => {
+                            cmd.healthcheck_mode_invalid = Some(args[i].clone());
+                        }
+                    }
+                } else {
+                    cmd.healthcheck_mode_invalid = Some(String::new());
+                }
+            }
+            s if s.starts_with("--mode=") => {
+                let raw = s.trim_start_matches("--mode=");
+                match HealthcheckMode::from_cli_arg(raw) {
+                    Some(mode) => {
+                        cmd.healthcheck_mode = mode;
+                        cmd.healthcheck_mode_invalid = None;
+                    }
+                    None => {
+                        cmd.healthcheck_mode_invalid = Some(raw.to_string());
+                    }
+                }
+            }
             // PID file option (for stop/reload/status)
             "--pid-file" => {
                 i += 1;
@@ -152,6 +192,20 @@ pub fn execute_subcommand(cmd: &ParsedCommand) -> Option<i32> {
         Subcommand::Stop => Some(cmd_stop(&cmd.pid_file)),
         Subcommand::Reload => Some(cmd_reload(&cmd.pid_file)),
         Subcommand::Status => Some(cmd_status(&cmd.pid_file)),
+        Subcommand::Healthcheck => {
+            if let Some(invalid_mode) = cmd.healthcheck_mode_invalid.as_ref() {
+                if invalid_mode.is_empty() {
+                    eprintln!("[telemt] Missing value for --mode (supported: liveness, ready)");
+                } else {
+                    eprintln!(
+                        "[telemt] Invalid --mode value '{invalid_mode}' (supported: liveness, ready)"
+                    );
+                }
+                Some(2)
+            } else {
+                Some(healthcheck::run(&cmd.config_path, cmd.healthcheck_mode))
+            }
+        }
         Subcommand::Init => {
             if let Some(opts) = cmd.init_opts.clone() {
                 match run_init(opts) {
@@ -177,6 +231,20 @@ pub fn execute_subcommand(cmd: &ParsedCommand) -> Option<i32> {
             eprintln!("[telemt] Subcommand not supported on this platform");
             Some(1)
         }
+        Subcommand::Healthcheck => {
+            if let Some(invalid_mode) = cmd.healthcheck_mode_invalid.as_ref() {
+                if invalid_mode.is_empty() {
+                    eprintln!("[telemt] Missing value for --mode (supported: liveness, ready)");
+                } else {
+                    eprintln!(
+                        "[telemt] Invalid --mode value '{invalid_mode}' (supported: liveness, ready)"
+                    );
+                }
+                Some(2)
+            } else {
+                Some(healthcheck::run(&cmd.config_path, cmd.healthcheck_mode))
+            }
+        }
         Subcommand::Init => {
             if let Some(opts) = cmd.init_opts.clone() {
                 match run_init(opts) {
@@ -621,6 +689,7 @@ tls_domain = "{domain}"
 mask = true
 mask_port = 443
 fake_cert_len = 2048
+serverhello_compact = false
 tls_full_cert_ttl_secs = 90
 
 [access]

src/config/defaults.rs

@@ -21,6 +21,8 @@ const DEFAULT_ME_ADAPTIVE_FLOOR_MAX_ACTIVE_WRITERS_PER_CORE: u16 = 64;
 const DEFAULT_ME_ADAPTIVE_FLOOR_MAX_WARM_WRITERS_PER_CORE: u16 = 64;
 const DEFAULT_ME_ADAPTIVE_FLOOR_MAX_ACTIVE_WRITERS_GLOBAL: u32 = 256;
 const DEFAULT_ME_ADAPTIVE_FLOOR_MAX_WARM_WRITERS_GLOBAL: u32 = 256;
+const DEFAULT_ME_ROUTE_BACKPRESSURE_ENABLED: bool = false;
+const DEFAULT_ME_ROUTE_FAIRSHARE_ENABLED: bool = false;
 const DEFAULT_ME_WRITER_CMD_CHANNEL_CAPACITY: usize = 4096;
 const DEFAULT_ME_ROUTE_CHANNEL_CAPACITY: usize = 768;
 const DEFAULT_ME_C2ME_CHANNEL_CAPACITY: usize = 1024;
@@ -529,6 +531,14 @@ pub(crate) fn default_me_route_backpressure_base_timeout_ms() -> u64 {
     25
 }
 
+pub(crate) fn default_me_route_backpressure_enabled() -> bool {
+    DEFAULT_ME_ROUTE_BACKPRESSURE_ENABLED
+}
+
+pub(crate) fn default_me_route_fairshare_enabled() -> bool {
+    DEFAULT_ME_ROUTE_FAIRSHARE_ENABLED
+}
+
 pub(crate) fn default_me_route_backpressure_high_timeout_ms() -> u64 {
     120
 }
@@ -565,6 +575,10 @@ pub(crate) fn default_tls_new_session_tickets() -> u8 {
     0
 }
 
+pub(crate) fn default_serverhello_compact() -> bool {
+    false
+}
+
 pub(crate) fn default_tls_full_cert_ttl_secs() -> u64 {
     90
 }

src/config/hot_reload.rs

@@ -86,6 +86,8 @@ pub struct HotFields {
     pub telemetry_user_enabled: bool,
     pub telemetry_me_level: MeTelemetryLevel,
     pub me_socks_kdf_policy: MeSocksKdfPolicy,
+    pub me_route_backpressure_enabled: bool,
+    pub me_route_fairshare_enabled: bool,
     pub me_floor_mode: MeFloorMode,
     pub me_adaptive_floor_idle_secs: u64,
     pub me_adaptive_floor_min_writers_single_endpoint: u8,
@@ -187,6 +189,8 @@ impl HotFields {
             telemetry_user_enabled: cfg.general.telemetry.user_enabled,
             telemetry_me_level: cfg.general.telemetry.me_level,
             me_socks_kdf_policy: cfg.general.me_socks_kdf_policy,
+            me_route_backpressure_enabled: cfg.general.me_route_backpressure_enabled,
+            me_route_fairshare_enabled: cfg.general.me_route_fairshare_enabled,
             me_floor_mode: cfg.general.me_floor_mode,
             me_adaptive_floor_idle_secs: cfg.general.me_adaptive_floor_idle_secs,
             me_adaptive_floor_min_writers_single_endpoint: cfg
@@ -529,6 +533,8 @@ fn overlay_hot_fields(old: &ProxyConfig, new: &ProxyConfig) -> ProxyConfig {
         new.general.me_route_backpressure_high_timeout_ms;
     cfg.general.me_route_backpressure_high_watermark_pct =
         new.general.me_route_backpressure_high_watermark_pct;
+    cfg.general.me_route_backpressure_enabled = new.general.me_route_backpressure_enabled;
+    cfg.general.me_route_fairshare_enabled = new.general.me_route_fairshare_enabled;
     cfg.general.me_reader_route_data_wait_ms = new.general.me_reader_route_data_wait_ms;
     cfg.general.me_d2c_flush_batch_max_frames = new.general.me_d2c_flush_batch_max_frames;
     cfg.general.me_d2c_flush_batch_max_bytes = new.general.me_d2c_flush_batch_max_bytes;
@@ -618,6 +624,7 @@ fn warn_non_hot_changes(old: &ProxyConfig, new: &ProxyConfig, non_hot_changed: b
         || old.censorship.server_hello_delay_min_ms != new.censorship.server_hello_delay_min_ms
         || old.censorship.server_hello_delay_max_ms != new.censorship.server_hello_delay_max_ms
         || old.censorship.tls_new_session_tickets != new.censorship.tls_new_session_tickets
+        || old.censorship.serverhello_compact != new.censorship.serverhello_compact
         || old.censorship.tls_full_cert_ttl_secs != new.censorship.tls_full_cert_ttl_secs
         || old.censorship.alpn_enforce != new.censorship.alpn_enforce
         || old.censorship.mask_proxy_protocol != new.censorship.mask_proxy_protocol
@@ -1053,6 +1060,8 @@ fn log_changes(
             != new_hot.me_route_backpressure_high_timeout_ms
         || old_hot.me_route_backpressure_high_watermark_pct
             != new_hot.me_route_backpressure_high_watermark_pct
+        || old_hot.me_route_backpressure_enabled != new_hot.me_route_backpressure_enabled
+        || old_hot.me_route_fairshare_enabled != new_hot.me_route_fairshare_enabled
         || old_hot.me_reader_route_data_wait_ms != new_hot.me_reader_route_data_wait_ms
         || old_hot.me_health_interval_ms_unhealthy != new_hot.me_health_interval_ms_unhealthy
         || old_hot.me_health_interval_ms_healthy != new_hot.me_health_interval_ms_healthy
@@ -1060,10 +1069,12 @@ fn log_changes(
         || old_hot.me_warn_rate_limit_ms != new_hot.me_warn_rate_limit_ms
     {
         info!(
-            "config reload: me_route_backpressure: base={}ms high={}ms watermark={}%; me_reader_route_data_wait_ms={}; me_health_interval: unhealthy={}ms healthy={}ms; me_admission_poll={}ms; me_warn_rate_limit={}ms",
+            "config reload: me_route_backpressure: enabled={} base={}ms high={}ms watermark={}%; me_route_fairshare_enabled={}; me_reader_route_data_wait_ms={}; me_health_interval: unhealthy={}ms healthy={}ms; me_admission_poll={}ms; me_warn_rate_limit={}ms",
+            new_hot.me_route_backpressure_enabled,
             new_hot.me_route_backpressure_base_timeout_ms,
             new_hot.me_route_backpressure_high_timeout_ms,
             new_hot.me_route_backpressure_high_watermark_pct,
+            new_hot.me_route_fairshare_enabled,
             new_hot.me_reader_route_data_wait_ms,
             new_hot.me_health_interval_ms_unhealthy,
             new_hot.me_health_interval_ms_healthy,

src/config/load.rs

@@ -343,6 +343,10 @@ impl ProxyConfig {
         let network_table = parsed_toml
             .get("network")
             .and_then(|value| value.as_table());
+        let server_table = parsed_toml.get("server").and_then(|value| value.as_table());
+        let conntrack_control_table = server_table
+            .and_then(|table| table.get("conntrack_control"))
+            .and_then(|value| value.as_table());
         let update_every_is_explicit = general_table
             .map(|table| table.contains_key("update_every"))
             .unwrap_or(false);
@@ -372,10 +376,17 @@ impl ProxyConfig {
         let stun_servers_is_explicit = network_table
             .map(|table| table.contains_key("stun_servers"))
             .unwrap_or(false);
+        let inline_conntrack_control_is_explicit = conntrack_control_table
+            .map(|table| table.contains_key("inline_conntrack_control"))
+            .unwrap_or(false);
 
         let mut config: ProxyConfig = parsed_toml
             .try_into()
             .map_err(|e| ProxyError::Config(e.to_string()))?;
+        config
+            .server
+            .conntrack_control
+            .inline_conntrack_control_explicit = inline_conntrack_control_is_explicit;
 
         if !update_every_is_explicit && (legacy_secret_is_explicit || legacy_config_is_explicit) {
             config.general.update_every = None;
@@ -629,12 +640,6 @@ impl ProxyConfig {
             ));
         }
 
-        if config.censorship.mask_relay_max_bytes == 0 {
-            return Err(ProxyError::Config(
-                "censorship.mask_relay_max_bytes must be > 0".to_string(),
-            ));
-        }
-
         if config.censorship.mask_relay_max_bytes > 67_108_864 {
             return Err(ProxyError::Config(
                 "censorship.mask_relay_max_bytes must be <= 67108864".to_string(),
@@ -1881,6 +1886,43 @@ mod tests {
         );
     }
 
+    #[test]
+    fn conntrack_inline_explicit_flag_is_false_when_omitted() {
+        let cfg = load_config_from_temp_toml(
+            r#"
+            [general]
+            [network]
+            [server]
+            [server.conntrack_control]
+            [access]
+            "#,
+        );
+        assert!(
+            !cfg.server
+                .conntrack_control
+                .inline_conntrack_control_explicit
+        );
+    }
+
+    #[test]
+    fn conntrack_inline_explicit_flag_is_true_when_present() {
+        let cfg = load_config_from_temp_toml(
+            r#"
+            [general]
+            [network]
+            [server]
+            [server.conntrack_control]
+            inline_conntrack_control = true
+            [access]
+            "#,
+        );
+        assert!(
+            cfg.server
+                .conntrack_control
+                .inline_conntrack_control_explicit
+        );
+    }
+
     #[test]
     fn unknown_sni_action_parses_and_defaults_to_drop() {
         let cfg_default: ProxyConfig = toml::from_str(
@@ -1929,6 +1971,22 @@ mod tests {
             cfg_accept.censorship.unknown_sni_action,
             UnknownSniAction::Accept
         );
+
+        let cfg_reject: ProxyConfig = toml::from_str(
+            r#"
+            [server]
+            [general]
+            [network]
+            [access]
+            [censorship]
+            unknown_sni_action = "reject_handshake"
+            "#,
+        )
+        .unwrap();
+        assert_eq!(
+            cfg_reject.censorship.unknown_sni_action,
+            UnknownSniAction::RejectHandshake
+        );
     }
 
     #[test]

src/config/tests/load_mask_shape_security_tests.rs

@@ -238,7 +238,7 @@ mask_shape_above_cap_blur_max_bytes = 8
 }
 
 #[test]
-fn load_rejects_zero_mask_relay_max_bytes() {
+fn load_accepts_zero_mask_relay_max_bytes_as_unlimited() {
     let path = write_temp_config(
         r#"
 [censorship]
@@ -246,12 +246,9 @@ mask_relay_max_bytes = 0
 "#,
     );
 
-    let err = ProxyConfig::load(&path).expect_err("mask_relay_max_bytes must be > 0");
-    let msg = err.to_string();
-    assert!(
-        msg.contains("censorship.mask_relay_max_bytes must be > 0"),
-        "error must explain non-zero relay cap invariant, got: {msg}"
-    );
+    let cfg = ProxyConfig::load(&path)
+        .expect("mask_relay_max_bytes=0 must be accepted as unlimited relay cap");
+    assert_eq!(cfg.censorship.mask_relay_max_bytes, 0);
 
     remove_temp_config(&path);
 }

src/config/types.rs

@@ -392,14 +392,26 @@ pub struct GeneralConfig {
     #[serde(default = "default_proxy_secret_path")]
     pub proxy_secret_path: Option<String>,
 
+    /// Optional custom URL for infrastructure secret (https://core.telegram.org/getProxySecret if absent).
+    #[serde(default)]
+    pub proxy_secret_url: Option<String>,
+
     /// Optional path to cache raw getProxyConfig (IPv4) snapshot for startup fallback.
     #[serde(default = "default_proxy_config_v4_cache_path")]
     pub proxy_config_v4_cache_path: Option<String>,
 
+    /// Optional custom URL for getProxyConfig (https://core.telegram.org/getProxyConfig if absent).
+    #[serde(default)]
+    pub proxy_config_v4_url: Option<String>,
+
     /// Optional path to cache raw getProxyConfigV6 snapshot for startup fallback.
     #[serde(default = "default_proxy_config_v6_cache_path")]
     pub proxy_config_v6_cache_path: Option<String>,
 
+    /// Optional custom URL for getProxyConfigV6 (https://core.telegram.org/getProxyConfigV6 if absent).
+    #[serde(default)]
+    pub proxy_config_v6_url: Option<String>,
+
     /// Global ad_tag (32 hex chars from @MTProxybot). Fallback when user has no per-user tag in access.user_ad_tags.
     #[serde(default)]
     pub ad_tag: Option<String>,
@@ -717,6 +729,14 @@ pub struct GeneralConfig {
     #[serde(default)]
     pub me_socks_kdf_policy: MeSocksKdfPolicy,
 
+    /// Enable route-level ME backpressure controls in reader fairness path.
+    #[serde(default = "default_me_route_backpressure_enabled")]
+    pub me_route_backpressure_enabled: bool,
+
+    /// Enable worker-local fairshare scheduler for ME reader routing.
+    #[serde(default = "default_me_route_fairshare_enabled")]
+    pub me_route_fairshare_enabled: bool,
+
     /// Base backpressure timeout in milliseconds for ME route channel send.
     #[serde(default = "default_me_route_backpressure_base_timeout_ms")]
     pub me_route_backpressure_base_timeout_ms: u64,
@@ -960,8 +980,11 @@ impl Default for GeneralConfig {
             use_middle_proxy: default_true(),
             ad_tag: None,
             proxy_secret_path: default_proxy_secret_path(),
+            proxy_secret_url: None,
             proxy_config_v4_cache_path: default_proxy_config_v4_cache_path(),
+            proxy_config_v4_url: None,
             proxy_config_v6_cache_path: default_proxy_config_v6_cache_path(),
+            proxy_config_v6_url: None,
             middle_proxy_nat_ip: None,
             middle_proxy_nat_probe: default_true(),
             middle_proxy_nat_stun: default_middle_proxy_nat_stun(),
@@ -1044,6 +1067,8 @@ impl Default for GeneralConfig {
             disable_colors: false,
             telemetry: TelemetryConfig::default(),
             me_socks_kdf_policy: MeSocksKdfPolicy::Strict,
+            me_route_backpressure_enabled: default_me_route_backpressure_enabled(),
+            me_route_fairshare_enabled: default_me_route_fairshare_enabled(),
             me_route_backpressure_base_timeout_ms: default_me_route_backpressure_base_timeout_ms(),
             me_route_backpressure_high_timeout_ms: default_me_route_backpressure_high_timeout_ms(),
             me_route_backpressure_high_watermark_pct:
@@ -1329,6 +1354,10 @@ pub struct ConntrackControlConfig {
     #[serde(default = "default_conntrack_control_enabled")]
     pub inline_conntrack_control: bool,
 
+    /// Tracks whether inline_conntrack_control was explicitly set in config.
+    #[serde(skip)]
+    pub inline_conntrack_control_explicit: bool,
+
     /// Conntrack mode for listener ingress traffic.
     #[serde(default)]
     pub mode: ConntrackMode,
@@ -1363,6 +1392,7 @@ impl Default for ConntrackControlConfig {
     fn default() -> Self {
         Self {
             inline_conntrack_control: default_conntrack_control_enabled(),
+            inline_conntrack_control_explicit: false,
             mode: ConntrackMode::default(),
             backend: ConntrackBackend::default(),
             profile: ConntrackPressureProfile::default(),
@@ -1551,6 +1581,13 @@ pub enum UnknownSniAction {
     Drop,
     Mask,
     Accept,
+    /// Reject the TLS handshake by sending a fatal `unrecognized_name` alert
+    /// (RFC 6066, AlertDescription = 112) before closing the connection.
+    /// Mimics nginx `ssl_reject_handshake on;` behavior on the default vhost —
+    /// the wire response indistinguishable from a stock modern web server
+    /// that simply does not host the requested name.
+    #[serde(rename = "reject_handshake")]
+    RejectHandshake,
 }
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
@@ -1686,9 +1723,16 @@ pub struct AntiCensorshipConfig {
     #[serde(default = "default_tls_new_session_tickets")]
     pub tls_new_session_tickets: u8,
 
+    /// Enable compact ServerHello payload mode.
+    /// When false, FakeTLS always uses full ServerHello payload behavior.
+    /// When true, compact certificate payload mode can be used by TTL policy.
+    #[serde(default = "default_serverhello_compact")]
+    pub serverhello_compact: bool,
+
     /// TTL in seconds for sending full certificate payload per client IP.
     /// First client connection per (SNI domain, client IP) gets full cert payload.
     /// Subsequent handshakes within TTL use compact cert metadata payload.
+    /// Applied only when `serverhello_compact` is enabled.
     #[serde(default = "default_tls_full_cert_ttl_secs")]
     pub tls_full_cert_ttl_secs: u64,
 
@@ -1731,6 +1775,7 @@ pub struct AntiCensorshipConfig {
     pub mask_shape_above_cap_blur_max_bytes: usize,
 
     /// Maximum bytes relayed per direction on unauthenticated masking fallback paths.
+    /// Set to 0 to disable byte cap (unlimited within relay/idle timeouts).
     #[serde(default = "default_mask_relay_max_bytes")]
     pub mask_relay_max_bytes: usize,
 
@@ -1782,6 +1827,7 @@ impl Default for AntiCensorshipConfig {
             server_hello_delay_min_ms: default_server_hello_delay_min_ms(),
             server_hello_delay_max_ms: default_server_hello_delay_max_ms(),
             tls_new_session_tickets: default_tls_new_session_tickets(),
+            serverhello_compact: default_serverhello_compact(),
             tls_full_cert_ttl_secs: default_tls_full_cert_ttl_secs(),
             alpn_enforce: default_alpn_enforce(),
             mask_proxy_protocol: 0,

src/conntrack_control.rs

@@ -24,6 +24,13 @@ enum NetfilterBackend {
     Iptables,
 }
 
+#[derive(Clone, Copy)]
+struct ConntrackRuntimeSupport {
+    netfilter_backend: Option<NetfilterBackend>,
+    has_cap_net_admin: bool,
+    has_conntrack_binary: bool,
+}
+
 #[derive(Clone, Copy)]
 struct PressureSample {
     conn_pct: Option<u8>,
@@ -56,11 +63,8 @@ pub(crate) fn spawn_conntrack_controller(
     shared: Arc<ProxySharedState>,
 ) {
     if !cfg!(target_os = "linux") {
-        let enabled = config_rx
-            .borrow()
-            .server
-            .conntrack_control
-            .inline_conntrack_control;
+        let cfg = config_rx.borrow();
+        let enabled = cfg.server.conntrack_control.inline_conntrack_control;
         stats.set_conntrack_control_enabled(enabled);
         stats.set_conntrack_control_available(false);
         stats.set_conntrack_pressure_active(false);
@@ -68,9 +72,14 @@ pub(crate) fn spawn_conntrack_controller(
         stats.set_conntrack_rule_apply_ok(false);
         shared.disable_conntrack_close_sender();
         shared.set_conntrack_pressure_active(false);
-        if enabled {
+        if enabled
+            && cfg
+                .server
+                .conntrack_control
+                .inline_conntrack_control_explicit
+        {
             warn!(
-                "conntrack control is configured but unsupported on this OS; disabling runtime worker"
+                "conntrack control explicitly enabled but unsupported on this OS; disabling runtime worker"
             );
         }
         return;
@@ -92,16 +101,17 @@ async fn run_conntrack_controller(
     let mut cfg = config_rx.borrow().clone();
     let mut pressure_state = PressureState::new(stats.as_ref());
     let mut delete_budget_tokens = cfg.server.conntrack_control.delete_budget_per_sec;
-    let mut backend = pick_backend(cfg.server.conntrack_control.backend);
+    let mut runtime_support = probe_runtime_support(cfg.server.conntrack_control.backend);
+    let mut effective_enabled = effective_conntrack_enabled(&cfg, runtime_support);
 
     apply_runtime_state(
         stats.as_ref(),
         shared.as_ref(),
         &cfg,
-        backend.is_some(),
+        runtime_support,
         false,
     );
-    reconcile_rules(&cfg, backend, stats.as_ref()).await;
+    reconcile_rules(&cfg, runtime_support, stats.as_ref()).await;
 
     loop {
         tokio::select! {
@@ -110,17 +120,18 @@ async fn run_conntrack_controller(
                     break;
                 }
                 cfg = config_rx.borrow_and_update().clone();
-                backend = pick_backend(cfg.server.conntrack_control.backend);
+                runtime_support = probe_runtime_support(cfg.server.conntrack_control.backend);
+                effective_enabled = effective_conntrack_enabled(&cfg, runtime_support);
                 delete_budget_tokens = cfg.server.conntrack_control.delete_budget_per_sec;
-                apply_runtime_state(stats.as_ref(), shared.as_ref(), &cfg, backend.is_some(), pressure_state.active);
-                reconcile_rules(&cfg, backend, stats.as_ref()).await;
+                apply_runtime_state(stats.as_ref(), shared.as_ref(), &cfg, runtime_support, pressure_state.active);
+                reconcile_rules(&cfg, runtime_support, stats.as_ref()).await;
             }
             event = close_rx.recv() => {
                 let Some(event) = event else {
                     break;
                 };
                 stats.set_conntrack_event_queue_depth(close_rx.len() as u64);
-                if !cfg.server.conntrack_control.inline_conntrack_control {
+                if !effective_enabled {
                     continue;
                 }
                 if !pressure_state.active {
@@ -156,6 +167,7 @@ async fn run_conntrack_controller(
                     stats.as_ref(),
                     shared.as_ref(),
                     &cfg,
+                    effective_enabled,
                     &sample,
                     &mut pressure_state,
                 );
@@ -175,20 +187,30 @@ fn apply_runtime_state(
     stats: &Stats,
     shared: &ProxySharedState,
     cfg: &ProxyConfig,
-    backend_available: bool,
+    runtime_support: ConntrackRuntimeSupport,
     pressure_active: bool,
 ) {
     let enabled = cfg.server.conntrack_control.inline_conntrack_control;
-    let available = enabled && backend_available && has_cap_net_admin();
-    if enabled && !available {
+    let available = effective_conntrack_enabled(cfg, runtime_support);
+    if enabled
+        && !available
+        && cfg
+            .server
+            .conntrack_control
+            .inline_conntrack_control_explicit
+    {
         warn!(
-            "conntrack control enabled but unavailable (missing CAP_NET_ADMIN or backend binaries)"
+            has_cap_net_admin = runtime_support.has_cap_net_admin,
+            backend_available = runtime_support.netfilter_backend.is_some(),
+            conntrack_binary_available = runtime_support.has_conntrack_binary,
+            configured_backend = ?cfg.server.conntrack_control.backend,
+            "conntrack control explicitly enabled but unavailable; disabling runtime features"
         );
     }
     stats.set_conntrack_control_enabled(enabled);
     stats.set_conntrack_control_available(available);
-    shared.set_conntrack_pressure_active(enabled && pressure_active);
-    stats.set_conntrack_pressure_active(enabled && pressure_active);
+    shared.set_conntrack_pressure_active(available && pressure_active);
+    stats.set_conntrack_pressure_active(available && pressure_active);
 }
 
 fn collect_pressure_sample(
@@ -228,10 +250,11 @@ fn update_pressure_state(
     stats: &Stats,
     shared: &ProxySharedState,
     cfg: &ProxyConfig,
+    effective_enabled: bool,
     sample: &PressureSample,
     state: &mut PressureState,
 ) {
-    if !cfg.server.conntrack_control.inline_conntrack_control {
+    if !effective_enabled {
         if state.active {
             state.active = false;
             state.low_streak = 0;
@@ -285,22 +308,26 @@ fn update_pressure_state(
     state.low_streak = 0;
 }
 
-async fn reconcile_rules(cfg: &ProxyConfig, backend: Option<NetfilterBackend>, stats: &Stats) {
+async fn reconcile_rules(
+    cfg: &ProxyConfig,
+    runtime_support: ConntrackRuntimeSupport,
+    stats: &Stats,
+) {
     if !cfg.server.conntrack_control.inline_conntrack_control {
         clear_notrack_rules_all_backends().await;
         stats.set_conntrack_rule_apply_ok(true);
         return;
     }
 
-    if !has_cap_net_admin() {
+    if !effective_conntrack_enabled(cfg, runtime_support) {
+        clear_notrack_rules_all_backends().await;
         stats.set_conntrack_rule_apply_ok(false);
         return;
     }
 
-    let Some(backend) = backend else {
-        stats.set_conntrack_rule_apply_ok(false);
-        return;
-    };
+    let backend = runtime_support
+        .netfilter_backend
+        .expect("netfilter backend must be available for effective conntrack control");
 
     let apply_result = match backend {
         NetfilterBackend::Nftables => apply_nft_rules(cfg).await,
@@ -315,6 +342,24 @@ async fn reconcile_rules(cfg: &ProxyConfig, backend: Option<NetfilterBackend>, s
     }
 }
 
+fn probe_runtime_support(configured_backend: ConntrackBackend) -> ConntrackRuntimeSupport {
+    ConntrackRuntimeSupport {
+        netfilter_backend: pick_backend(configured_backend),
+        has_cap_net_admin: has_cap_net_admin(),
+        has_conntrack_binary: command_exists("conntrack"),
+    }
+}
+
+fn effective_conntrack_enabled(
+    cfg: &ProxyConfig,
+    runtime_support: ConntrackRuntimeSupport,
+) -> bool {
+    cfg.server.conntrack_control.inline_conntrack_control
+        && runtime_support.has_cap_net_admin
+        && runtime_support.netfilter_backend.is_some()
+        && runtime_support.has_conntrack_binary
+}
+
 fn pick_backend(configured: ConntrackBackend) -> Option<NetfilterBackend> {
     match configured {
         ConntrackBackend::Auto => {
@@ -710,7 +755,7 @@ mod tests {
             me_queue_pressure_delta: 0,
         };
 
-        update_pressure_state(&stats, shared.as_ref(), &cfg, &sample, &mut state);
+        update_pressure_state(&stats, shared.as_ref(), &cfg, true, &sample, &mut state);
 
         assert!(state.active);
         assert!(shared.conntrack_pressure_active());
@@ -731,7 +776,14 @@ mod tests {
             accept_timeout_delta: 0,
             me_queue_pressure_delta: 0,
         };
-        update_pressure_state(&stats, shared.as_ref(), &cfg, &high_sample, &mut state);
+        update_pressure_state(
+            &stats,
+            shared.as_ref(),
+            &cfg,
+            true,
+            &high_sample,
+            &mut state,
+        );
         assert!(state.active);
 
         let low_sample = PressureSample {
@@ -740,11 +792,11 @@ mod tests {
             accept_timeout_delta: 0,
             me_queue_pressure_delta: 0,
         };
-        update_pressure_state(&stats, shared.as_ref(), &cfg, &low_sample, &mut state);
+        update_pressure_state(&stats, shared.as_ref(), &cfg, true, &low_sample, &mut state);
         assert!(state.active);
-        update_pressure_state(&stats, shared.as_ref(), &cfg, &low_sample, &mut state);
+        update_pressure_state(&stats, shared.as_ref(), &cfg, true, &low_sample, &mut state);
         assert!(state.active);
-        update_pressure_state(&stats, shared.as_ref(), &cfg, &low_sample, &mut state);
+        update_pressure_state(&stats, shared.as_ref(), &cfg, true, &low_sample, &mut state);
 
         assert!(!state.active);
         assert!(!shared.conntrack_pressure_active());
@@ -765,7 +817,7 @@ mod tests {
             me_queue_pressure_delta: 10,
         };
 
-        update_pressure_state(&stats, shared.as_ref(), &cfg, &sample, &mut state);
+        update_pressure_state(&stats, shared.as_ref(), &cfg, false, &sample, &mut state);
 
         assert!(!state.active);
         assert!(!shared.conntrack_pressure_active());

src/healthcheck.rs

@@ -0,0 +1,211 @@
+use std::io::{Read, Write};
+use std::net::{Ipv4Addr, Ipv6Addr, SocketAddr, TcpStream};
+use std::time::Duration;
+
+use serde_json::Value;
+
+use crate::config::ProxyConfig;
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub(crate) enum HealthcheckMode {
+    Liveness,
+    Ready,
+}
+
+impl HealthcheckMode {
+    pub(crate) fn from_cli_arg(value: &str) -> Option<Self> {
+        match value {
+            "liveness" => Some(Self::Liveness),
+            "ready" => Some(Self::Ready),
+            _ => None,
+        }
+    }
+
+    fn request_path(self) -> &'static str {
+        match self {
+            Self::Liveness => "/v1/health",
+            Self::Ready => "/v1/health/ready",
+        }
+    }
+}
+
+pub(crate) fn run(config_path: &str, mode: HealthcheckMode) -> i32 {
+    match run_inner(config_path, mode) {
+        Ok(()) => 0,
+        Err(error) => {
+            eprintln!("[telemt] healthcheck failed: {error}");
+            1
+        }
+    }
+}
+
+fn run_inner(config_path: &str, mode: HealthcheckMode) -> Result<(), String> {
+    let config =
+        ProxyConfig::load(config_path).map_err(|error| format!("config load failed: {error}"))?;
+    let api_cfg = &config.server.api;
+    if !api_cfg.enabled {
+        return Ok(());
+    }
+
+    let listen: SocketAddr = api_cfg
+        .listen
+        .parse()
+        .map_err(|_| format!("invalid API listen address: {}", api_cfg.listen))?;
+    if listen.port() == 0 {
+        return Err("API listen port is 0".to_string());
+    }
+    let target = probe_target(listen);
+
+    let mut stream = TcpStream::connect_timeout(&target, Duration::from_secs(2))
+        .map_err(|error| format!("connect {target} failed: {error}"))?;
+    stream
+        .set_read_timeout(Some(Duration::from_secs(2)))
+        .map_err(|error| format!("set read timeout failed: {error}"))?;
+    stream
+        .set_write_timeout(Some(Duration::from_secs(2)))
+        .map_err(|error| format!("set write timeout failed: {error}"))?;
+
+    let request = build_request(target, mode.request_path(), &api_cfg.auth_header);
+    stream
+        .write_all(request.as_bytes())
+        .map_err(|error| format!("request write failed: {error}"))?;
+    stream
+        .flush()
+        .map_err(|error| format!("request flush failed: {error}"))?;
+
+    let mut raw_response = Vec::new();
+    stream
+        .read_to_end(&mut raw_response)
+        .map_err(|error| format!("response read failed: {error}"))?;
+    let response =
+        String::from_utf8(raw_response).map_err(|_| "response is not valid UTF-8".to_string())?;
+
+    let (status_code, body) = split_response(&response)?;
+    if status_code != 200 {
+        return Err(format!("HTTP status {status_code}"));
+    }
+
+    validate_payload(mode, body)?;
+    Ok(())
+}
+
+fn probe_target(listen: SocketAddr) -> SocketAddr {
+    match listen {
+        SocketAddr::V4(addr) => {
+            let ip = if addr.ip().is_unspecified() {
+                Ipv4Addr::LOCALHOST
+            } else {
+                *addr.ip()
+            };
+            SocketAddr::from((ip, addr.port()))
+        }
+        SocketAddr::V6(addr) => {
+            let ip = if addr.ip().is_unspecified() {
+                Ipv6Addr::LOCALHOST
+            } else {
+                *addr.ip()
+            };
+            SocketAddr::from((ip, addr.port()))
+        }
+    }
+}
+
+fn build_request(target: SocketAddr, path: &str, auth_header: &str) -> String {
+    let mut request = format!(
+        "GET {path} HTTP/1.1\r\nHost: {}\r\nConnection: close\r\n",
+        target
+    );
+    if !auth_header.is_empty() {
+        request.push_str("Authorization: ");
+        request.push_str(auth_header);
+        request.push_str("\r\n");
+    }
+    request.push_str("\r\n");
+    request
+}
+
+fn split_response(response: &str) -> Result<(u16, &str), String> {
+    let header_end = response
+        .find("\r\n\r\n")
+        .ok_or_else(|| "invalid HTTP response headers".to_string())?;
+    let header = &response[..header_end];
+    let body = &response[header_end + 4..];
+    let status_line = header
+        .lines()
+        .next()
+        .ok_or_else(|| "missing HTTP status line".to_string())?;
+    let status_code = parse_status_code(status_line)?;
+    Ok((status_code, body))
+}
+
+fn parse_status_code(status_line: &str) -> Result<u16, String> {
+    let mut parts = status_line.split_whitespace();
+    let version = parts
+        .next()
+        .ok_or_else(|| "missing HTTP version".to_string())?;
+    if !version.starts_with("HTTP/") {
+        return Err(format!("invalid HTTP status line: {status_line}"));
+    }
+    let code = parts
+        .next()
+        .ok_or_else(|| "missing HTTP status code".to_string())?;
+    code.parse::<u16>()
+        .map_err(|_| format!("invalid HTTP status code: {code}"))
+}
+
+fn validate_payload(mode: HealthcheckMode, body: &str) -> Result<(), String> {
+    let payload: Value =
+        serde_json::from_str(body).map_err(|_| "response body is not valid JSON".to_string())?;
+    if payload.get("ok").and_then(Value::as_bool) != Some(true) {
+        return Err("response JSON has ok=false".to_string());
+    }
+
+    let data = payload
+        .get("data")
+        .ok_or_else(|| "response JSON has no data field".to_string())?;
+    match mode {
+        HealthcheckMode::Liveness => {
+            if data.get("status").and_then(Value::as_str) != Some("ok") {
+                return Err("liveness status is not ok".to_string());
+            }
+        }
+        HealthcheckMode::Ready => {
+            if data.get("ready").and_then(Value::as_bool) != Some(true) {
+                return Err("readiness flag is false".to_string());
+            }
+        }
+    }
+    Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::{HealthcheckMode, parse_status_code, split_response, validate_payload};
+
+    #[test]
+    fn parse_status_code_reads_http_200() {
+        let status = parse_status_code("HTTP/1.1 200 OK").expect("must parse status");
+        assert_eq!(status, 200);
+    }
+
+    #[test]
+    fn split_response_extracts_status_and_body() {
+        let response = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{\"ok\":true}";
+        let (status, body) = split_response(response).expect("must split response");
+        assert_eq!(status, 200);
+        assert_eq!(body, "{\"ok\":true}");
+    }
+
+    #[test]
+    fn validate_payload_accepts_liveness_contract() {
+        let body = "{\"ok\":true,\"data\":{\"status\":\"ok\"}}";
+        validate_payload(HealthcheckMode::Liveness, body).expect("liveness payload must pass");
+    }
+
+    #[test]
+    fn validate_payload_rejects_not_ready() {
+        let body = "{\"ok\":true,\"data\":{\"ready\":false}}";
+        let result = validate_payload(HealthcheckMode::Ready, body);
+        assert!(result.is_err());
+    }
+}

src/ip_tracker.rs

@@ -22,7 +22,7 @@ pub struct UserIpTracker {
     limit_mode: Arc<RwLock<UserMaxUniqueIpsMode>>,
     limit_window: Arc<RwLock<Duration>>,
     last_compact_epoch_secs: Arc<AtomicU64>,
-    cleanup_queue: Arc<Mutex<Vec<(String, IpAddr)>>>,
+    cleanup_queue: Arc<Mutex<HashMap<(String, IpAddr), usize>>>,
     cleanup_drain_lock: Arc<AsyncMutex<()>>,
 }
 
@@ -45,17 +45,21 @@ impl UserIpTracker {
             limit_mode: Arc::new(RwLock::new(UserMaxUniqueIpsMode::ActiveWindow)),
             limit_window: Arc::new(RwLock::new(Duration::from_secs(30))),
             last_compact_epoch_secs: Arc::new(AtomicU64::new(0)),
-            cleanup_queue: Arc::new(Mutex::new(Vec::new())),
+            cleanup_queue: Arc::new(Mutex::new(HashMap::new())),
             cleanup_drain_lock: Arc::new(AsyncMutex::new(())),
         }
     }
 
     pub fn enqueue_cleanup(&self, user: String, ip: IpAddr) {
         match self.cleanup_queue.lock() {
-            Ok(mut queue) => queue.push((user, ip)),
+            Ok(mut queue) => {
+                let count = queue.entry((user, ip)).or_insert(0);
+                *count = count.saturating_add(1);
+            }
             Err(poisoned) => {
                 let mut queue = poisoned.into_inner();
-                queue.push((user.clone(), ip));
+                let count = queue.entry((user.clone(), ip)).or_insert(0);
+                *count = count.saturating_add(1);
                 self.cleanup_queue.clear_poison();
                 tracing::warn!(
                     "UserIpTracker cleanup_queue lock poisoned; recovered and enqueued IP cleanup for {} ({})",
@@ -75,7 +79,9 @@ impl UserIpTracker {
     }
 
     #[cfg(test)]
-    pub(crate) fn cleanup_queue_mutex_for_tests(&self) -> Arc<Mutex<Vec<(String, IpAddr)>>> {
+    pub(crate) fn cleanup_queue_mutex_for_tests(
+        &self,
+    ) -> Arc<Mutex<HashMap<(String, IpAddr), usize>>> {
         Arc::clone(&self.cleanup_queue)
     }
 
@@ -105,11 +111,14 @@ impl UserIpTracker {
         };
 
         let mut active_ips = self.active_ips.write().await;
-        for (user, ip) in to_remove {
+        for ((user, ip), pending_count) in to_remove {
+            if pending_count == 0 {
+                continue;
+            }
             if let Some(user_ips) = active_ips.get_mut(&user) {
                 if let Some(count) = user_ips.get_mut(&ip) {
-                    if *count > 1 {
-                        *count -= 1;
+                    if *count > pending_count {
+                        *count -= pending_count;
                     } else {
                         user_ips.remove(&ip);
                     }

src/maestro/helpers.rs

@@ -231,7 +231,11 @@ fn print_help() {
 
 #[cfg(test)]
 mod tests {
-    use super::resolve_runtime_config_path;
+    use super::{
+        expected_handshake_close_description, is_expected_handshake_eof, peer_close_description,
+        resolve_runtime_config_path,
+    };
+    use crate::error::{ProxyError, StreamError};
 
     #[test]
     fn resolve_runtime_config_path_anchors_relative_to_startup_cwd() {
@@ -299,6 +303,81 @@ mod tests {
 
         let _ = std::fs::remove_dir(&startup_cwd);
     }
+
+    #[test]
+    fn expected_handshake_eof_matches_connection_reset() {
+        let err = ProxyError::Io(std::io::Error::from(std::io::ErrorKind::ConnectionReset));
+        assert!(is_expected_handshake_eof(&err));
+    }
+
+    #[test]
+    fn expected_handshake_eof_matches_stream_io_unexpected_eof() {
+        let err = ProxyError::Stream(StreamError::Io(std::io::Error::from(
+            std::io::ErrorKind::UnexpectedEof,
+        )));
+        assert!(is_expected_handshake_eof(&err));
+    }
+
+    #[test]
+    fn peer_close_description_is_human_readable_for_all_peer_close_kinds() {
+        let cases = [
+            (
+                std::io::ErrorKind::ConnectionReset,
+                "Peer reset TCP connection (RST)",
+            ),
+            (
+                std::io::ErrorKind::ConnectionAborted,
+                "Peer aborted TCP connection during transport",
+            ),
+            (
+                std::io::ErrorKind::BrokenPipe,
+                "Peer closed write side (broken pipe)",
+            ),
+            (
+                std::io::ErrorKind::NotConnected,
+                "Socket was already closed by peer",
+            ),
+        ];
+
+        for (kind, expected) in cases {
+            let err = ProxyError::Io(std::io::Error::from(kind));
+            assert_eq!(peer_close_description(&err), Some(expected));
+        }
+    }
+
+    #[test]
+    fn handshake_close_description_is_human_readable_for_all_expected_kinds() {
+        let cases = [
+            (
+                ProxyError::Io(std::io::Error::from(std::io::ErrorKind::UnexpectedEof)),
+                "Peer closed before sending full 64-byte MTProto handshake",
+            ),
+            (
+                ProxyError::Io(std::io::Error::from(std::io::ErrorKind::ConnectionReset)),
+                "Peer reset TCP connection during initial MTProto handshake",
+            ),
+            (
+                ProxyError::Io(std::io::Error::from(std::io::ErrorKind::ConnectionAborted)),
+                "Peer aborted TCP connection during initial MTProto handshake",
+            ),
+            (
+                ProxyError::Io(std::io::Error::from(std::io::ErrorKind::BrokenPipe)),
+                "Peer closed write side before MTProto handshake completed",
+            ),
+            (
+                ProxyError::Io(std::io::Error::from(std::io::ErrorKind::NotConnected)),
+                "Handshake socket was already closed by peer",
+            ),
+            (
+                ProxyError::Stream(StreamError::UnexpectedEof),
+                "Peer closed before sending full 64-byte MTProto handshake",
+            ),
+        ];
+
+        for (err, expected) in cases {
+            assert_eq!(expected_handshake_close_description(&err), Some(expected));
+        }
+    }
 }
 
 pub(crate) fn print_proxy_links(host: &str, port: u16, config: &ProxyConfig) {
@@ -428,7 +507,63 @@ pub(crate) async fn wait_until_admission_open(admission_rx: &mut watch::Receiver
 }
 
 pub(crate) fn is_expected_handshake_eof(err: &crate::error::ProxyError) -> bool {
-    err.to_string().contains("expected 64 bytes, got 0")
+    expected_handshake_close_description(err).is_some()
+}
+
+pub(crate) fn peer_close_description(err: &crate::error::ProxyError) -> Option<&'static str> {
+    fn from_kind(kind: std::io::ErrorKind) -> Option<&'static str> {
+        match kind {
+            std::io::ErrorKind::ConnectionReset => Some("Peer reset TCP connection (RST)"),
+            std::io::ErrorKind::ConnectionAborted => {
+                Some("Peer aborted TCP connection during transport")
+            }
+            std::io::ErrorKind::BrokenPipe => Some("Peer closed write side (broken pipe)"),
+            std::io::ErrorKind::NotConnected => Some("Socket was already closed by peer"),
+            _ => None,
+        }
+    }
+
+    match err {
+        crate::error::ProxyError::Io(ioe) => from_kind(ioe.kind()),
+        crate::error::ProxyError::Stream(crate::error::StreamError::Io(ioe)) => {
+            from_kind(ioe.kind())
+        }
+        _ => None,
+    }
+}
+
+pub(crate) fn expected_handshake_close_description(
+    err: &crate::error::ProxyError,
+) -> Option<&'static str> {
+    fn from_kind(kind: std::io::ErrorKind) -> Option<&'static str> {
+        match kind {
+            std::io::ErrorKind::UnexpectedEof => {
+                Some("Peer closed before sending full 64-byte MTProto handshake")
+            }
+            std::io::ErrorKind::ConnectionReset => {
+                Some("Peer reset TCP connection during initial MTProto handshake")
+            }
+            std::io::ErrorKind::ConnectionAborted => {
+                Some("Peer aborted TCP connection during initial MTProto handshake")
+            }
+            std::io::ErrorKind::BrokenPipe => {
+                Some("Peer closed write side before MTProto handshake completed")
+            }
+            std::io::ErrorKind::NotConnected => Some("Handshake socket was already closed by peer"),
+            _ => None,
+        }
+    }
+
+    match err {
+        crate::error::ProxyError::Io(ioe) => from_kind(ioe.kind()),
+        crate::error::ProxyError::Stream(crate::error::StreamError::UnexpectedEof) => {
+            Some("Peer closed before sending full 64-byte MTProto handshake")
+        }
+        crate::error::ProxyError::Stream(crate::error::StreamError::Io(ioe)) => {
+            from_kind(ioe.kind())
+        }
+        _ => None,
+    }
 }
 
 pub(crate) async fn load_startup_proxy_config_snapshot(

src/maestro/listeners.rs

@@ -24,7 +24,10 @@ use crate::transport::middle_proxy::MePool;
 use crate::transport::socket::set_linger_zero;
 use crate::transport::{ListenOptions, UpstreamManager, create_listener, find_listener_processes};
 
-use super::helpers::{is_expected_handshake_eof, print_proxy_links};
+use super::helpers::{
+    expected_handshake_close_description, is_expected_handshake_eof, peer_close_description,
+    print_proxy_links,
+};
 
 pub(crate) struct BoundListeners {
     pub(crate) listeners: Vec<(TcpListener, bool)>,
@@ -485,29 +488,9 @@ pub(crate) fn spawn_tcp_accept_loops(
                                     Ok(guard) => *guard,
                                     Err(_) => None,
                                 };
-                                let peer_closed = matches!(
-                                    &e,
-                                    crate::error::ProxyError::Io(ioe)
-                                        if matches!(
-                                            ioe.kind(),
-                                            std::io::ErrorKind::ConnectionReset
-                                                | std::io::ErrorKind::ConnectionAborted
-                                                | std::io::ErrorKind::BrokenPipe
-                                                | std::io::ErrorKind::NotConnected
-                                        )
-                                ) || matches!(
-                                    &e,
-                                    crate::error::ProxyError::Stream(
-                                        crate::error::StreamError::Io(ioe)
-                                    )
-                                        if matches!(
-                                            ioe.kind(),
-                                            std::io::ErrorKind::ConnectionReset
-                                                | std::io::ErrorKind::ConnectionAborted
-                                                | std::io::ErrorKind::BrokenPipe
-                                                | std::io::ErrorKind::NotConnected
-                                        )
-                                );
+                                let peer_close_reason = peer_close_description(&e);
+                                let handshake_close_reason =
+                                    expected_handshake_close_description(&e);
 
                                 let me_closed = matches!(
                                     &e,
@@ -518,12 +501,23 @@ pub(crate) fn spawn_tcp_accept_loops(
                                     crate::error::ProxyError::Proxy(msg) if msg == ROUTE_SWITCH_ERROR_MSG
                                 );
 
-                                match (peer_closed, me_closed) {
-                                    (true, _) => {
+                                match (peer_close_reason, me_closed) {
+                                    (Some(reason), _) => {
                                         if let Some(real_peer) = real_peer {
-                                            debug!(peer = %peer_addr, real_peer = %real_peer, error = %e, "Connection closed by client");
+                                            debug!(
+                                                peer = %peer_addr,
+                                                real_peer = %real_peer,
+                                                error = %e,
+                                                close_reason = reason,
+                                                "Connection closed by peer"
+                                            );
                                         } else {
-                                            debug!(peer = %peer_addr, error = %e, "Connection closed by client");
+                                            debug!(
+                                                peer = %peer_addr,
+                                                error = %e,
+                                                close_reason = reason,
+                                                "Connection closed by peer"
+                                            );
                                         }
                                     }
                                     (_, true) => {
@@ -541,10 +535,23 @@ pub(crate) fn spawn_tcp_accept_loops(
                                         }
                                     }
                                     _ if is_expected_handshake_eof(&e) => {
+                                        let reason = handshake_close_reason
+                                            .unwrap_or("Peer closed during initial handshake");
                                         if let Some(real_peer) = real_peer {
-                                            info!(peer = %peer_addr, real_peer = %real_peer, error = %e, "Connection closed during initial handshake");
+                                            info!(
+                                                peer = %peer_addr,
+                                                real_peer = %real_peer,
+                                                error = %e,
+                                                close_reason = reason,
+                                                "Connection closed during initial handshake"
+                                            );
                                         } else {
-                                            info!(peer = %peer_addr, error = %e, "Connection closed during initial handshake");
+                                            info!(
+                                                peer = %peer_addr,
+                                                error = %e,
+                                                close_reason = reason,
+                                                "Connection closed during initial handshake"
+                                            );
                                         }
                                     }
                                     _ => {

src/maestro/me_startup.rs

@@ -66,6 +66,7 @@ pub(crate) async fn initialize_me_pool(
         match crate::transport::middle_proxy::fetch_proxy_secret_with_upstream(
             proxy_secret_path,
             config.general.proxy_secret_len_max,
+            config.general.proxy_secret_url.as_deref(),
             Some(upstream_manager.clone()),
         )
         .await
@@ -126,7 +127,11 @@ pub(crate) async fn initialize_me_pool(
                 .set_me_status(StartupMeStatus::Initializing, COMPONENT_ME_PROXY_CONFIG_V4)
                 .await;
             let cfg_v4 = load_startup_proxy_config_snapshot(
-                "https://core.telegram.org/getProxyConfig",
+                config
+                    .general
+                    .proxy_config_v4_url
+                    .as_deref()
+                    .unwrap_or("https://core.telegram.org/getProxyConfig"),
                 config.general.proxy_config_v4_cache_path.as_deref(),
                 me2dc_fallback,
                 "getProxyConfig",
@@ -158,7 +163,11 @@ pub(crate) async fn initialize_me_pool(
                 .set_me_status(StartupMeStatus::Initializing, COMPONENT_ME_PROXY_CONFIG_V6)
                 .await;
             let cfg_v6 = load_startup_proxy_config_snapshot(
-                "https://core.telegram.org/getProxyConfigV6",
+                config
+                    .general
+                    .proxy_config_v6_url
+                    .as_deref()
+                    .unwrap_or("https://core.telegram.org/getProxyConfigV6"),
                 config.general.proxy_config_v6_cache_path.as_deref(),
                 me2dc_fallback,
                 "getProxyConfigV6",
@@ -268,6 +277,8 @@ pub(crate) async fn initialize_me_pool(
                     config.general.me_socks_kdf_policy,
                     config.general.me_writer_cmd_channel_capacity,
                     config.general.me_route_channel_capacity,
+                    config.general.me_route_backpressure_enabled,
+                    config.general.me_route_fairshare_enabled,
                     config.general.me_route_backpressure_base_timeout_ms,
                     config.general.me_route_backpressure_high_timeout_ms,
                     config.general.me_route_backpressure_high_watermark_pct,

src/maestro/runtime_tasks.rs

@@ -122,6 +122,8 @@ pub(crate) async fn spawn_runtime_tasks(
             if let Some(pool) = &me_pool_for_policy {
                 pool.update_runtime_transport_policy(
                     cfg.general.me_socks_kdf_policy,
+                    cfg.general.me_route_backpressure_enabled,
+                    cfg.general.me_route_fairshare_enabled,
                     cfg.general.me_route_backpressure_base_timeout_ms,
                     cfg.general.me_route_backpressure_high_timeout_ms,
                     cfg.general.me_route_backpressure_high_watermark_pct,

src/main.rs

@@ -8,6 +8,7 @@ mod crypto;
 #[cfg(unix)]
 mod daemon;
 mod error;
+mod healthcheck;
 mod ip_tracker;
 #[cfg(test)]
 #[path = "tests/ip_tracker_encapsulation_adversarial_tests.rs"]

src/protocol/tests/tls_security_tests.rs

@@ -1383,6 +1383,8 @@ fn emulated_server_hello_never_places_alpn_in_server_hello_extensions() {
         &session_id,
         &cached,
         false,
+        true,
+        ClientHelloTlsVersion::Tls13,
         &rng,
         Some(b"h2".to_vec()),
         0,
@@ -1624,6 +1626,34 @@ fn test_extract_alpn_multiple() {
     assert_eq!(alpn_str, vec!["h2", "spdy", "h3"]);
 }
 
+#[test]
+fn detect_client_hello_tls_version_prefers_supported_versions_tls13() {
+    let supported_versions = vec![4, 0x03, 0x04, 0x03, 0x03];
+    let ch = build_client_hello_with_exts(vec![(0x002b, supported_versions)], "example.com");
+    assert_eq!(
+        detect_client_hello_tls_version(&ch),
+        Some(ClientHelloTlsVersion::Tls13)
+    );
+}
+
+#[test]
+fn detect_client_hello_tls_version_falls_back_to_legacy_tls12() {
+    let ch = build_client_hello_with_exts(Vec::new(), "example.com");
+    assert_eq!(
+        detect_client_hello_tls_version(&ch),
+        Some(ClientHelloTlsVersion::Tls12)
+    );
+}
+
+#[test]
+fn detect_client_hello_tls_version_rejects_malformed_supported_versions() {
+    // list_len=3 is invalid because version vector must contain u16 pairs.
+    let malformed_supported_versions = vec![3, 0x03, 0x04, 0x03];
+    let ch =
+        build_client_hello_with_exts(vec![(0x002b, malformed_supported_versions)], "example.com");
+    assert!(detect_client_hello_tls_version(&ch).is_none());
+}
+
 #[test]
 fn extract_sni_rejects_zero_length_host_name() {
     let mut sni_ext = Vec::new();

src/protocol/tls.rs

@@ -811,6 +811,122 @@ pub fn extract_alpn_from_client_hello(handshake: &[u8]) -> Vec<Vec<u8>> {
     out
 }
 
+/// ClientHello TLS generation inferred from handshake fields.
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum ClientHelloTlsVersion {
+    Tls12,
+    Tls13,
+}
+
+/// Detect TLS generation from a ClientHello.
+///
+/// The parser prefers `supported_versions` (0x002b) when present and falls back
+/// to `legacy_version` for compatibility with TLS 1.2 style hellos.
+pub fn detect_client_hello_tls_version(handshake: &[u8]) -> Option<ClientHelloTlsVersion> {
+    if handshake.len() < 5 || handshake[0] != TLS_RECORD_HANDSHAKE {
+        return None;
+    }
+
+    let record_len = u16::from_be_bytes([handshake[3], handshake[4]]) as usize;
+    if handshake.len() < 5 + record_len {
+        return None;
+    }
+
+    let mut pos = 5; // after record header
+    if handshake.get(pos) != Some(&0x01) {
+        return None; // not ClientHello
+    }
+    pos += 1; // message type
+
+    if pos + 3 > handshake.len() {
+        return None;
+    }
+    let handshake_len = ((handshake[pos] as usize) << 16)
+        | ((handshake[pos + 1] as usize) << 8)
+        | handshake[pos + 2] as usize;
+    pos += 3; // handshake length bytes
+    if pos + handshake_len > 5 + record_len {
+        return None;
+    }
+
+    if pos + 2 + 32 > handshake.len() {
+        return None;
+    }
+    let legacy_version = u16::from_be_bytes([handshake[pos], handshake[pos + 1]]);
+    pos += 2 + 32; // version + random
+
+    let session_id_len = *handshake.get(pos)? as usize;
+    pos += 1 + session_id_len;
+    if pos + 2 > handshake.len() {
+        return None;
+    }
+
+    let cipher_len = u16::from_be_bytes([handshake[pos], handshake[pos + 1]]) as usize;
+    pos += 2 + cipher_len;
+    if pos >= handshake.len() {
+        return None;
+    }
+
+    let comp_len = *handshake.get(pos)? as usize;
+    pos += 1 + comp_len;
+    if pos + 2 > handshake.len() {
+        return None;
+    }
+
+    let ext_len = u16::from_be_bytes([handshake[pos], handshake[pos + 1]]) as usize;
+    pos += 2;
+    let ext_end = pos + ext_len;
+    if ext_end > handshake.len() {
+        return None;
+    }
+
+    while pos + 4 <= ext_end {
+        let etype = u16::from_be_bytes([handshake[pos], handshake[pos + 1]]);
+        let elen = u16::from_be_bytes([handshake[pos + 2], handshake[pos + 3]]) as usize;
+        pos += 4;
+        if pos + elen > ext_end {
+            return None;
+        }
+
+        if etype == extension_type::SUPPORTED_VERSIONS {
+            if elen < 1 {
+                return None;
+            }
+            let list_len = handshake[pos] as usize;
+            if list_len == 0 || list_len % 2 != 0 || 1 + list_len > elen {
+                return None;
+            }
+
+            let mut has_tls12 = false;
+            let mut ver_pos = pos + 1;
+            let ver_end = ver_pos + list_len;
+            while ver_pos + 1 < ver_end {
+                let version = u16::from_be_bytes([handshake[ver_pos], handshake[ver_pos + 1]]);
+                if version == 0x0304 {
+                    return Some(ClientHelloTlsVersion::Tls13);
+                }
+                if version == 0x0303 || version == 0x0302 || version == 0x0301 {
+                    has_tls12 = true;
+                }
+                ver_pos += 2;
+            }
+
+            if has_tls12 {
+                return Some(ClientHelloTlsVersion::Tls12);
+            }
+            return None;
+        }
+
+        pos += elen;
+    }
+
+    if legacy_version >= 0x0303 {
+        Some(ClientHelloTlsVersion::Tls12)
+    } else {
+        None
+    }
+}
+
 /// Check if bytes look like a TLS ClientHello
 pub fn is_tls_handshake(first_bytes: &[u8]) -> bool {
     if first_bytes.len() < 3 {

src/proxy/client.rs

@@ -31,16 +31,24 @@ struct UserConnectionReservation {
     ip_tracker: Arc<UserIpTracker>,
     user: String,
     ip: IpAddr,
+    tracks_ip: bool,
     active: bool,
 }
 
 impl UserConnectionReservation {
-    fn new(stats: Arc<Stats>, ip_tracker: Arc<UserIpTracker>, user: String, ip: IpAddr) -> Self {
+    fn new(
+        stats: Arc<Stats>,
+        ip_tracker: Arc<UserIpTracker>,
+        user: String,
+        ip: IpAddr,
+        tracks_ip: bool,
+    ) -> Self {
         Self {
             stats,
             ip_tracker,
             user,
             ip,
+            tracks_ip,
             active: true,
         }
     }
@@ -49,7 +57,9 @@ impl UserConnectionReservation {
         if !self.active {
             return;
         }
-        self.ip_tracker.remove_ip(&self.user, self.ip).await;
+        if self.tracks_ip {
+            self.ip_tracker.remove_ip(&self.user, self.ip).await;
+        }
         self.active = false;
         self.stats.decrement_user_curr_connects(&self.user);
     }
@@ -62,7 +72,9 @@ impl Drop for UserConnectionReservation {
         }
         self.active = false;
         self.stats.decrement_user_curr_connects(&self.user);
-        self.ip_tracker.enqueue_cleanup(self.user.clone(), self.ip);
+        if self.tracks_ip {
+            self.ip_tracker.enqueue_cleanup(self.user.clone(), self.ip);
+        }
     }
 }
 
@@ -324,17 +336,38 @@ fn record_beobachten_class(
     beobachten.record(class, peer_ip, beobachten_ttl(config));
 }
 
+fn classify_expected_64_got_0(kind: std::io::ErrorKind) -> Option<&'static str> {
+    match kind {
+        std::io::ErrorKind::UnexpectedEof => Some("expected_64_got_0_unexpected_eof"),
+        std::io::ErrorKind::ConnectionReset => Some("expected_64_got_0_connection_reset"),
+        std::io::ErrorKind::ConnectionAborted => Some("expected_64_got_0_connection_aborted"),
+        std::io::ErrorKind::BrokenPipe => Some("expected_64_got_0_broken_pipe"),
+        std::io::ErrorKind::NotConnected => Some("expected_64_got_0_not_connected"),
+        _ => None,
+    }
+}
+
+fn classify_handshake_failure_class(error: &ProxyError) -> &'static str {
+    match error {
+        ProxyError::Io(err) => classify_expected_64_got_0(err.kind()).unwrap_or("other"),
+        ProxyError::Stream(StreamError::UnexpectedEof) => "expected_64_got_0_unexpected_eof",
+        ProxyError::Stream(StreamError::Io(err)) => {
+            classify_expected_64_got_0(err.kind()).unwrap_or("other")
+        }
+        _ => "other",
+    }
+}
+
 fn record_handshake_failure_class(
     beobachten: &BeobachtenStore,
     config: &ProxyConfig,
     peer_ip: IpAddr,
     error: &ProxyError,
 ) {
-    let class = match error {
-        ProxyError::Io(err) if err.kind() == std::io::ErrorKind::UnexpectedEof => {
-            "expected_64_got_0"
-        }
-        ProxyError::Stream(StreamError::UnexpectedEof) => "expected_64_got_0",
+    // Keep beobachten buckets stable while detailed per-kind classification
+    // is tracked in API counters.
+    let class = match classify_handshake_failure_class(error) {
+        value if value.starts_with("expected_64_got_0_") => "expected_64_got_0",
         _ => "other",
     };
     record_beobachten_class(beobachten, config, peer_ip, class);
@@ -343,7 +376,7 @@ fn record_handshake_failure_class(
 #[inline]
 fn increment_bad_on_unknown_tls_sni(stats: &Stats, error: &ProxyError) {
     if matches!(error, ProxyError::UnknownTlsSni) {
-        stats.increment_connects_bad();
+        stats.increment_connects_bad_with_class("unknown_tls_sni");
     }
 }
 
@@ -444,7 +477,7 @@ where
             Ok(Ok(info)) => {
                 if !is_trusted_proxy_source(peer.ip(), &config.server.proxy_protocol_trusted_cidrs)
                 {
-                    stats.increment_connects_bad();
+                    stats.increment_connects_bad_with_class("proxy_protocol_untrusted");
                     warn!(
                         peer = %peer,
                         trusted = ?config.server.proxy_protocol_trusted_cidrs,
@@ -465,13 +498,13 @@ where
                 }
             }
             Ok(Err(e)) => {
-                stats.increment_connects_bad();
+                stats.increment_connects_bad_with_class("proxy_protocol_invalid_header");
                 warn!(peer = %peer, error = %e, "Invalid PROXY protocol header");
                 record_beobachten_class(&beobachten, &config, peer.ip(), "other");
                 return Err(e);
             }
             Err(_) => {
-                stats.increment_connects_bad();
+                stats.increment_connects_bad_with_class("proxy_protocol_header_timeout");
                 warn!(peer = %peer, timeout_ms = proxy_header_timeout.as_millis(), "PROXY protocol header timeout");
                 record_beobachten_class(&beobachten, &config, peer.ip(), "other");
                 return Err(ProxyError::InvalidProxyProtocol);
@@ -561,7 +594,7 @@ where
             // third-party clients or future Telegram versions.
             if !tls_clienthello_len_in_bounds(tls_len) {
                 debug!(peer = %real_peer, tls_len = tls_len, max_tls_len = MAX_TLS_PLAINTEXT_SIZE, "TLS handshake length out of bounds");
-                stats.increment_connects_bad();
+                stats.increment_connects_bad_with_class("tls_clienthello_len_out_of_bounds");
                 maybe_apply_mask_reject_delay(&config).await;
                 let (reader, writer) = tokio::io::split(stream);
                 return Ok(masking_outcome(
@@ -581,7 +614,7 @@ where
                 Ok(n) => n,
                 Err(e) => {
                     debug!(peer = %real_peer, error = %e, tls_len = tls_len, "TLS ClientHello body read failed; engaging masking fallback");
-                    stats.increment_connects_bad();
+                    stats.increment_connects_bad_with_class("tls_clienthello_read_error");
                     maybe_apply_mask_reject_delay(&config).await;
                     let initial_len = 5;
                     let (reader, writer) = tokio::io::split(stream);
@@ -599,7 +632,7 @@ where
 
             if body_read < tls_len {
                 debug!(peer = %real_peer, got = body_read, expected = tls_len, "Truncated in-range TLS ClientHello; engaging masking fallback");
-                stats.increment_connects_bad();
+                stats.increment_connects_bad_with_class("tls_clienthello_truncated");
                 maybe_apply_mask_reject_delay(&config).await;
                 let initial_len = 5 + body_read;
                 let (reader, writer) = tokio::io::split(stream);
@@ -623,7 +656,7 @@ where
             ).await {
                 HandshakeResult::Success(result) => result,
                 HandshakeResult::BadClient { reader, writer } => {
-                    stats.increment_connects_bad();
+                    stats.increment_connects_bad_with_class("tls_handshake_bad_client");
                     return Ok(masking_outcome(
                         reader,
                         writer,
@@ -663,7 +696,7 @@ where
                         wrap_tls_application_record(&pending_plaintext)
                     };
                     let reader = tokio::io::AsyncReadExt::chain(std::io::Cursor::new(pending_record), reader);
-                    stats.increment_connects_bad();
+                    stats.increment_connects_bad_with_class("tls_mtproto_bad_client");
                     debug!(
                         peer = %peer,
                         "Authenticated TLS session failed MTProto validation; engaging masking fallback"
@@ -693,7 +726,7 @@ where
         } else {
             if !config.general.modes.classic && !config.general.modes.secure {
                 debug!(peer = %real_peer, "Non-TLS modes disabled");
-                stats.increment_connects_bad();
+                stats.increment_connects_bad_with_class("direct_modes_disabled");
                 maybe_apply_mask_reject_delay(&config).await;
                 let (reader, writer) = tokio::io::split(stream);
                 return Ok(masking_outcome(
@@ -720,7 +753,7 @@ where
             ).await {
                 HandshakeResult::Success(result) => result,
                 HandshakeResult::BadClient { reader, writer } => {
-                    stats.increment_connects_bad();
+                    stats.increment_connects_bad_with_class("direct_mtproto_bad_client");
                     return Ok(masking_outcome(
                         reader,
                         writer,
@@ -757,6 +790,7 @@ where
         Ok(Ok(outcome)) => outcome,
         Ok(Err(e)) => {
             debug!(peer = %peer, error = %e, "Handshake failed");
+            stats_for_timeout.increment_handshake_failure_class(classify_handshake_failure_class(&e));
             record_handshake_failure_class(
                 &beobachten_for_timeout,
                 &config_for_timeout,
@@ -767,6 +801,7 @@ where
         }
         Err(_) => {
             stats_for_timeout.increment_handshake_timeouts();
+            stats_for_timeout.increment_handshake_failure_class("timeout");
             debug!(peer = %peer, "Handshake timeout");
             record_beobachten_class(
                 &beobachten_for_timeout,
@@ -956,7 +991,8 @@ impl RunningClientHandler {
                         self.peer.ip(),
                         &self.config.server.proxy_protocol_trusted_cidrs,
                     ) {
-                        self.stats.increment_connects_bad();
+                        self.stats
+                            .increment_connects_bad_with_class("proxy_protocol_untrusted");
                         warn!(
                             peer = %self.peer,
                             trusted = ?self.config.server.proxy_protocol_trusted_cidrs,
@@ -986,7 +1022,8 @@ impl RunningClientHandler {
                     }
                 }
                 Ok(Err(e)) => {
-                    self.stats.increment_connects_bad();
+                    self.stats
+                        .increment_connects_bad_with_class("proxy_protocol_invalid_header");
                     warn!(peer = %self.peer, error = %e, "Invalid PROXY protocol header");
                     record_beobachten_class(
                         &self.beobachten,
@@ -997,7 +1034,8 @@ impl RunningClientHandler {
                     return Err(e);
                 }
                 Err(_) => {
-                    self.stats.increment_connects_bad();
+                    self.stats
+                        .increment_connects_bad_with_class("proxy_protocol_header_timeout");
                     warn!(
                         peer = %self.peer,
                         timeout_ms = proxy_header_timeout.as_millis(),
@@ -1095,6 +1133,7 @@ impl RunningClientHandler {
             Ok(Ok(outcome)) => outcome,
             Ok(Err(e)) => {
                 debug!(peer = %peer_for_log, error = %e, "Handshake failed");
+                stats.increment_handshake_failure_class(classify_handshake_failure_class(&e));
                 record_handshake_failure_class(
                     &beobachten_for_timeout,
                     &config_for_timeout,
@@ -1105,6 +1144,7 @@ impl RunningClientHandler {
             }
             Err(_) => {
                 stats.increment_handshake_timeouts();
+                stats.increment_handshake_failure_class("timeout");
                 debug!(peer = %peer_for_log, "Handshake timeout");
                 record_beobachten_class(
                     &beobachten_for_timeout,
@@ -1140,7 +1180,8 @@ impl RunningClientHandler {
         // third-party clients or future Telegram versions.
         if !tls_clienthello_len_in_bounds(tls_len) {
             debug!(peer = %peer, tls_len = tls_len, max_tls_len = MAX_TLS_PLAINTEXT_SIZE, "TLS handshake length out of bounds");
-            self.stats.increment_connects_bad();
+            self.stats
+                .increment_connects_bad_with_class("tls_clienthello_len_out_of_bounds");
             maybe_apply_mask_reject_delay(&self.config).await;
             let (reader, writer) = self.stream.into_split();
             return Ok(masking_outcome(
@@ -1160,7 +1201,8 @@ impl RunningClientHandler {
             Ok(n) => n,
             Err(e) => {
                 debug!(peer = %peer, error = %e, tls_len = tls_len, "TLS ClientHello body read failed; engaging masking fallback");
-                self.stats.increment_connects_bad();
+                self.stats
+                    .increment_connects_bad_with_class("tls_clienthello_read_error");
                 maybe_apply_mask_reject_delay(&self.config).await;
                 let (reader, writer) = self.stream.into_split();
                 return Ok(masking_outcome(
@@ -1177,7 +1219,8 @@ impl RunningClientHandler {
 
         if body_read < tls_len {
             debug!(peer = %peer, got = body_read, expected = tls_len, "Truncated in-range TLS ClientHello; engaging masking fallback");
-            self.stats.increment_connects_bad();
+            self.stats
+                .increment_connects_bad_with_class("tls_clienthello_truncated");
             maybe_apply_mask_reject_delay(&self.config).await;
             let initial_len = 5 + body_read;
             let (reader, writer) = self.stream.into_split();
@@ -1214,7 +1257,7 @@ impl RunningClientHandler {
         {
             HandshakeResult::Success(result) => result,
             HandshakeResult::BadClient { reader, writer } => {
-                stats.increment_connects_bad();
+                stats.increment_connects_bad_with_class("tls_handshake_bad_client");
                 return Ok(masking_outcome(
                     reader,
                     writer,
@@ -1264,7 +1307,7 @@ impl RunningClientHandler {
                 };
                 let reader =
                     tokio::io::AsyncReadExt::chain(std::io::Cursor::new(pending_record), reader);
-                stats.increment_connects_bad();
+                stats.increment_connects_bad_with_class("tls_mtproto_bad_client");
                 debug!(
                     peer = %peer,
                     "Authenticated TLS session failed MTProto validation; engaging masking fallback"
@@ -1311,7 +1354,8 @@ impl RunningClientHandler {
 
         if !self.config.general.modes.classic && !self.config.general.modes.secure {
             debug!(peer = %peer, "Non-TLS modes disabled");
-            self.stats.increment_connects_bad();
+            self.stats
+                .increment_connects_bad_with_class("direct_modes_disabled");
             maybe_apply_mask_reject_delay(&self.config).await;
             let (reader, writer) = self.stream.into_split();
             return Ok(masking_outcome(
@@ -1351,7 +1395,7 @@ impl RunningClientHandler {
         {
             HandshakeResult::Success(result) => result,
             HandshakeResult::BadClient { reader, writer } => {
-                stats.increment_connects_bad();
+                stats.increment_connects_bad_with_class("direct_mtproto_bad_client");
                 return Ok(masking_outcome(
                     reader,
                     writer,
@@ -1589,6 +1633,7 @@ impl RunningClientHandler {
             ip_tracker,
             user.to_string(),
             peer_addr.ip(),
+            true,
         ))
     }
 
@@ -1634,7 +1679,6 @@ impl RunningClientHandler {
         match ip_tracker.check_and_add(user, peer_addr.ip()).await {
             Ok(()) => {
                 ip_tracker.remove_ip(user, peer_addr.ip()).await;
-                stats.decrement_user_curr_connects(user);
             }
             Err(reason) => {
                 stats.decrement_user_curr_connects(user);
@@ -1650,6 +1694,7 @@ impl RunningClientHandler {
             }
         }
 
+        stats.decrement_user_curr_connects(user);
         Ok(())
     }
 }

src/proxy/handshake.rs

@@ -55,6 +55,7 @@ const STICKY_HINT_MAX_ENTRIES: usize = 65_536;
 const CANDIDATE_HINT_TRACK_CAP: usize = 64;
 const OVERLOAD_CANDIDATE_BUDGET_HINTED: usize = 16;
 const OVERLOAD_CANDIDATE_BUDGET_UNHINTED: usize = 8;
+const EXPENSIVE_INVALID_SCAN_SATURATION_THRESHOLD: usize = 64;
 const RECENT_USER_RING_SCAN_LIMIT: usize = 32;
 
 type HmacSha256 = Hmac<Sha256>;
@@ -551,6 +552,19 @@ fn auth_probe_note_saturation_in(shared: &ProxySharedState, now: Instant) {
     }
 }
 
+fn auth_probe_note_expensive_invalid_scan_in(
+    shared: &ProxySharedState,
+    now: Instant,
+    validation_checks: usize,
+    overload: bool,
+) {
+    if overload || validation_checks < EXPENSIVE_INVALID_SCAN_SATURATION_THRESHOLD {
+        return;
+    }
+
+    auth_probe_note_saturation_in(shared, now);
+}
+
 fn auth_probe_record_failure_in(shared: &ProxySharedState, peer_ip: IpAddr, now: Instant) {
     let peer_ip = normalize_auth_probe_ip(peer_ip);
     let state = &shared.handshake.auth_probe;
@@ -1119,6 +1133,10 @@ where
     } else {
         None
     };
+    // Fail-closed to TLS 1.3 semantics when ClientHello version is ambiguous:
+    // this avoids leaking certificate payload on malformed probes.
+    let client_tls_version = tls::detect_client_hello_tls_version(handshake)
+        .unwrap_or(tls::ClientHelloTlsVersion::Tls13);
 
     if client_sni.is_some() && matched_tls_domain.is_none() && preferred_user_hint.is_none() {
         let sni = client_sni.as_deref().unwrap_or_default();
@@ -1132,9 +1150,20 @@ where
                     "TLS handshake accepted by unknown SNI policy"
                 );
             }
-            action @ (UnknownSniAction::Drop | UnknownSniAction::Mask) => {
+            action @ (UnknownSniAction::Drop
+            | UnknownSniAction::Mask
+            | UnknownSniAction::RejectHandshake) => {
                 auth_probe_record_failure_in(shared, peer.ip(), Instant::now());
-                maybe_apply_server_hello_delay(config).await;
+                // For Drop/Mask we apply the synthetic ServerHello delay so
+                // the fail-closed path is timing-indistinguishable from the
+                // success path. For RejectHandshake we deliberately skip the
+                // delay: a stock modern nginx with `ssl_reject_handshake on;`
+                // responds with the alert essentially immediately, so
+                // injecting 8-24ms here would itself become a distinguisher
+                // against the public baseline we are trying to blend into.
+                if !matches!(action, UnknownSniAction::RejectHandshake) {
+                    maybe_apply_server_hello_delay(config).await;
+                }
                 let log_now = Instant::now();
                 if should_emit_unknown_sni_warn_in(shared, log_now) {
                     warn!(
@@ -1153,8 +1182,33 @@ where
                         "TLS handshake rejected by unknown SNI policy"
                     );
                 }
+                if matches!(action, UnknownSniAction::RejectHandshake) {
+                    // TLS alert record layer:
+                    //   0x15            ContentType.alert
+                    //   0x03 0x03       legacy_record_version = TLS 1.2
+                    //                   (matches what modern nginx emits in
+                    //                   the first server -> client record,
+                    //                   per RFC 8446 5.1 guidance)
+                    //   0x00 0x02       length = 2
+                    // Alert payload:
+                    //   0x02            AlertLevel.fatal
+                    //   0x70            AlertDescription.unrecognized_name (112, RFC 6066)
+                    const TLS_ALERT_UNRECOGNIZED_NAME: [u8; 7] =
+                        [0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x70];
+                    if let Err(e) = writer.write_all(&TLS_ALERT_UNRECOGNIZED_NAME).await {
+                        debug!(
+                            peer = %peer,
+                            error = %e,
+                            "Failed to write unrecognized_name TLS alert"
+                        );
+                    } else {
+                        let _ = writer.flush().await;
+                    }
+                }
                 return match action {
-                    UnknownSniAction::Drop => HandshakeResult::Error(ProxyError::UnknownTlsSni),
+                    UnknownSniAction::Drop | UnknownSniAction::RejectHandshake => {
+                        HandshakeResult::Error(ProxyError::UnknownTlsSni)
+                    }
                     UnknownSniAction::Mask => HandshakeResult::BadClient { reader, writer },
                     UnknownSniAction::Accept => unreachable!(),
                 };
@@ -1338,7 +1392,14 @@ where
         }
 
         if !matched {
-            auth_probe_record_failure_in(shared, peer.ip(), Instant::now());
+            let failure_now = Instant::now();
+            auth_probe_note_expensive_invalid_scan_in(
+                shared,
+                failure_now,
+                validation_checks,
+                overload,
+            );
+            auth_probe_record_failure_in(shared, peer.ip(), failure_now);
             maybe_apply_server_hello_delay(config).await;
             debug!(
                 peer = %peer,
@@ -1403,12 +1464,18 @@ where
             let selected_domain =
                 matched_tls_domain.unwrap_or(config.censorship.tls_domain.as_str());
             let cached_entry = cache.get(selected_domain).await;
-            let use_full_cert_payload = cache
-                .take_full_cert_budget_for_ip(
-                    peer.ip(),
-                    Duration::from_secs(config.censorship.tls_full_cert_ttl_secs),
-                )
-                .await;
+            let use_full_cert_payload = if config.censorship.serverhello_compact
+                && matches!(client_tls_version, tls::ClientHelloTlsVersion::Tls12)
+            {
+                cache
+                    .take_full_cert_budget_for_ip(
+                        peer.ip(),
+                        Duration::from_secs(config.censorship.tls_full_cert_ttl_secs),
+                    )
+                    .await
+            } else {
+                true
+            };
             Some((cached_entry, use_full_cert_payload))
         } else {
             None
@@ -1429,6 +1496,8 @@ where
             validation_session_id_slice,
             &cached_entry,
             use_full_cert_payload,
+            config.censorship.serverhello_compact,
+            client_tls_version,
             rng,
             selected_alpn.clone(),
             config.censorship.tls_new_session_tickets,
@@ -1705,7 +1774,14 @@ where
         }
 
         if !matched {
-            auth_probe_record_failure_in(shared, peer.ip(), Instant::now());
+            let failure_now = Instant::now();
+            auth_probe_note_expensive_invalid_scan_in(
+                shared,
+                failure_now,
+                validation_checks,
+                overload,
+            );
+            auth_probe_record_failure_in(shared, peer.ip(), failure_now);
             maybe_apply_server_hello_delay(config).await;
             debug!(
                 peer = %peer,

src/proxy/masking.rs

@@ -60,21 +60,18 @@ where
     let mut buf = Box::new([0u8; MASK_BUFFER_SIZE]);
     let mut total = 0usize;
     let mut ended_by_eof = false;
-
-    if byte_cap == 0 {
-        return CopyOutcome {
-            total,
-            ended_by_eof,
-        };
-    }
+    let unlimited = byte_cap == 0;
 
     loop {
-        let remaining_budget = byte_cap.saturating_sub(total);
-        if remaining_budget == 0 {
-            break;
-        }
-
-        let read_len = remaining_budget.min(MASK_BUFFER_SIZE);
+        let read_len = if unlimited {
+            MASK_BUFFER_SIZE
+        } else {
+            let remaining_budget = byte_cap.saturating_sub(total);
+            if remaining_budget == 0 {
+                break;
+            }
+            remaining_budget.min(MASK_BUFFER_SIZE)
+        };
         let read_res = timeout(idle_timeout, reader.read(&mut buf[..read_len])).await;
         let n = match read_res {
             Ok(Ok(n)) => n,
@@ -930,21 +927,21 @@ async fn consume_client_data<R: AsyncRead + Unpin>(
     byte_cap: usize,
     idle_timeout: Duration,
 ) {
-    if byte_cap == 0 {
-        return;
-    }
-
     // Keep drain path fail-closed under slow-loris stalls.
     let mut buf = Box::new([0u8; MASK_BUFFER_SIZE]);
     let mut total = 0usize;
+    let unlimited = byte_cap == 0;
 
     loop {
-        let remaining_budget = byte_cap.saturating_sub(total);
-        if remaining_budget == 0 {
-            break;
-        }
-
-        let read_len = remaining_budget.min(MASK_BUFFER_SIZE);
+        let read_len = if unlimited {
+            MASK_BUFFER_SIZE
+        } else {
+            let remaining_budget = byte_cap.saturating_sub(total);
+            if remaining_budget == 0 {
+                break;
+            }
+            remaining_budget.min(MASK_BUFFER_SIZE)
+        };
         let n = match timeout(idle_timeout, reader.read(&mut buf[..read_len])).await {
             Ok(Ok(n)) => n,
             Ok(Err(_)) | Err(_) => break,
@@ -955,7 +952,7 @@ async fn consume_client_data<R: AsyncRead + Unpin>(
         }
 
         total = total.saturating_add(n);
-        if total >= byte_cap {
+        if !unlimited && total >= byte_cap {
             break;
         }
     }

src/proxy/middle_relay.rs

@@ -12,7 +12,7 @@ use std::sync::atomic::{AtomicU64, Ordering};
 use std::time::{Duration, Instant};
 
 use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite, AsyncWriteExt};
-use tokio::sync::{mpsc, oneshot, watch};
+use tokio::sync::{OwnedSemaphorePermit, Semaphore, mpsc, oneshot, watch};
 use tokio::time::timeout;
 use tracing::{debug, info, trace, warn};
 
@@ -36,7 +36,11 @@ use crate::stream::{BufferPool, CryptoReader, CryptoWriter, PooledBuffer};
 use crate::transport::middle_proxy::{MePool, MeResponse, proto_flags_for_tag};
 
 enum C2MeCommand {
-    Data { payload: PooledBuffer, flags: u32 },
+    Data {
+        payload: PooledBuffer,
+        flags: u32,
+        _permit: OwnedSemaphorePermit,
+    },
     Close,
 }
 
@@ -47,6 +51,8 @@ const DESYNC_ERROR_CLASS: &str = "frame_too_large_crypto_desync";
 const C2ME_CHANNEL_CAPACITY_FALLBACK: usize = 128;
 const C2ME_SOFT_PRESSURE_MIN_FREE_SLOTS: usize = 64;
 const C2ME_SENDER_FAIRNESS_BUDGET: usize = 32;
+const C2ME_QUEUED_BYTE_PERMIT_UNIT: usize = 16 * 1024;
+const C2ME_QUEUED_PERMITS_PER_SLOT: usize = 4;
 const RELAY_IDLE_IO_POLL_MAX: Duration = Duration::from_secs(1);
 const TINY_FRAME_DEBT_PER_TINY: u32 = 8;
 const TINY_FRAME_DEBT_LIMIT: u32 = 512;
@@ -571,6 +577,43 @@ fn should_yield_c2me_sender(sent_since_yield: usize, has_backlog: bool) -> bool
     has_backlog && sent_since_yield >= C2ME_SENDER_FAIRNESS_BUDGET
 }
 
+fn c2me_payload_permits(payload_len: usize) -> u32 {
+    payload_len
+        .max(1)
+        .div_ceil(C2ME_QUEUED_BYTE_PERMIT_UNIT)
+        .min(u32::MAX as usize) as u32
+}
+
+fn c2me_queued_permit_budget(channel_capacity: usize, frame_limit: usize) -> usize {
+    channel_capacity
+        .saturating_mul(C2ME_QUEUED_PERMITS_PER_SLOT)
+        .max(c2me_payload_permits(frame_limit) as usize)
+        .max(1)
+}
+
+async fn acquire_c2me_payload_permit(
+    semaphore: &Arc<Semaphore>,
+    payload_len: usize,
+    send_timeout: Option<Duration>,
+    stats: &Stats,
+) -> Result<OwnedSemaphorePermit> {
+    let permits = c2me_payload_permits(payload_len);
+    let acquire = semaphore.clone().acquire_many_owned(permits);
+    match send_timeout {
+        Some(send_timeout) => match timeout(send_timeout, acquire).await {
+            Ok(Ok(permit)) => Ok(permit),
+            Ok(Err(_)) => Err(ProxyError::Proxy("ME sender byte budget closed".into())),
+            Err(_) => {
+                stats.increment_me_c2me_send_timeout_total();
+                Err(ProxyError::Proxy("ME sender byte budget timeout".into()))
+            }
+        },
+        None => acquire
+            .await
+            .map_err(|_| ProxyError::Proxy("ME sender byte budget closed".into())),
+    }
+}
+
 fn quota_soft_cap(limit: u64, overshoot: u64) -> u64 {
     limit.saturating_add(overshoot)
 }
@@ -1122,13 +1165,19 @@ where
         0 => None,
         timeout_ms => Some(Duration::from_millis(timeout_ms)),
     };
+    let c2me_byte_budget = c2me_queued_permit_budget(c2me_channel_capacity, frame_limit);
+    let c2me_byte_semaphore = Arc::new(Semaphore::new(c2me_byte_budget));
     let (c2me_tx, mut c2me_rx) = mpsc::channel::<C2MeCommand>(c2me_channel_capacity);
     let me_pool_c2me = me_pool.clone();
     let c2me_sender = tokio::spawn(async move {
         let mut sent_since_yield = 0usize;
         while let Some(cmd) = c2me_rx.recv().await {
             match cmd {
-                C2MeCommand::Data { payload, flags } => {
+                C2MeCommand::Data {
+                    payload,
+                    flags,
+                    _permit,
+                } => {
                     me_pool_c2me
                         .send_proxy_req(
                             conn_id,
@@ -1624,11 +1673,29 @@ where
                         if payload.len() >= 8 && payload[..8].iter().all(|b| *b == 0) {
                             flags |= RPC_FLAG_NOT_ENCRYPTED;
                         }
+                        let payload_permit = match acquire_c2me_payload_permit(
+                            &c2me_byte_semaphore,
+                            payload.len(),
+                            c2me_send_timeout,
+                            stats.as_ref(),
+                        )
+                        .await
+                        {
+                            Ok(permit) => permit,
+                            Err(e) => {
+                                main_result = Err(e);
+                                break;
+                            }
+                        };
                         // Keep client read loop lightweight: route heavy ME send path via a dedicated task.
                         if enqueue_c2me_command_in(
                             shared.as_ref(),
                             &c2me_tx,
-                            C2MeCommand::Data { payload, flags },
+                            C2MeCommand::Data {
+                                payload,
+                                flags,
+                                _permit: payload_permit,
+                            },
                             c2me_send_timeout,
                             stats.as_ref(),
                         )
@@ -2201,6 +2268,7 @@ enum MeWriterResponseOutcome {
     Close,
 }
 
+#[cfg(test)]
 async fn process_me_writer_response<W>(
     response: MeResponse,
     client_writer: &mut CryptoWriter<W>,
@@ -2261,7 +2329,7 @@ where
     W: AsyncWrite + Unpin + Send + 'static,
 {
     match response {
-        MeResponse::Data { flags, data } => {
+        MeResponse::Data { flags, data, .. } => {
             if batched {
                 trace!(conn_id, bytes = data.len(), flags, "ME->C data (batched)");
             } else {

src/proxy/relay.rs

@@ -230,6 +230,7 @@ struct RateWaitState {
 }
 
 impl<S> StatsIo<S> {
+    #[cfg(test)]
     fn new(
         inner: S,
         counters: Arc<SharedCounters>,

src/proxy/tests/client_security_tests.rs

@@ -282,7 +282,7 @@ async fn user_connection_reservation_drop_enqueues_cleanup_synchronously() {
     assert_eq!(stats.get_user_curr_connects(&user), 1);
 
     let reservation =
-        UserConnectionReservation::new(stats.clone(), ip_tracker.clone(), user.clone(), ip);
+        UserConnectionReservation::new(stats.clone(), ip_tracker.clone(), user.clone(), ip, true);
 
     // Drop the reservation synchronously without any tokio::spawn/await yielding!
     drop(reservation);
@@ -320,6 +320,7 @@ async fn relay_task_abort_releases_user_gate_and_ip_reservation() {
 
     let stats = Arc::new(Stats::new());
     let ip_tracker = Arc::new(UserIpTracker::new());
+    ip_tracker.set_user_limit(user, 8).await;
 
     let mut cfg = ProxyConfig::default();
     cfg.access.user_max_tcp_conns.insert(user.to_string(), 8);
@@ -437,6 +438,7 @@ async fn relay_cutover_releases_user_gate_and_ip_reservation() {
 
     let stats = Arc::new(Stats::new());
     let ip_tracker = Arc::new(UserIpTracker::new());
+    ip_tracker.set_user_limit(user, 8).await;
 
     let mut cfg = ProxyConfig::default();
     cfg.access.user_max_tcp_conns.insert(user.to_string(), 8);
@@ -958,6 +960,36 @@ async fn reservation_limit_failure_does_not_leak_curr_connects_counter() {
     assert_eq!(ip_tracker.get_active_ip_count(user).await, 0);
 }
 
+#[tokio::test]
+async fn unlimited_unique_ip_user_is_still_visible_in_active_ip_tracker() {
+    let user = "active-ip-observed-user";
+    let config = crate::config::ProxyConfig::default();
+    let stats = Arc::new(crate::stats::Stats::new());
+    let ip_tracker = Arc::new(crate::ip_tracker::UserIpTracker::new());
+    let peer = SocketAddr::new(IpAddr::V4(Ipv4Addr::new(198, 51, 200, 17)), 50017);
+
+    let reservation = RunningClientHandler::acquire_user_connection_reservation_static(
+        user,
+        &config,
+        stats.clone(),
+        peer,
+        ip_tracker.clone(),
+    )
+    .await
+    .expect("reservation without unique-IP limit must succeed");
+
+    assert_eq!(stats.get_user_curr_connects(user), 1);
+    assert_eq!(
+        ip_tracker.get_active_ip_count(user).await,
+        1,
+        "active IP observability must not depend on unique-IP limit enforcement"
+    );
+
+    reservation.release().await;
+    assert_eq!(stats.get_user_curr_connects(user), 0);
+    assert_eq!(ip_tracker.get_active_ip_count(user).await, 0);
+}
+
 #[tokio::test]
 async fn short_tls_probe_is_masked_through_client_pipeline() {
     let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
@@ -2493,6 +2525,46 @@ fn unexpected_eof_is_classified_without_string_matching() {
     );
 }
 
+#[test]
+fn connection_reset_is_classified_as_expected_handshake_close() {
+    let beobachten = BeobachtenStore::new();
+    let mut config = ProxyConfig::default();
+    config.general.beobachten = true;
+    config.general.beobachten_minutes = 1;
+
+    let reset = ProxyError::Io(std::io::Error::from(std::io::ErrorKind::ConnectionReset));
+    let peer_ip: IpAddr = "198.51.100.202".parse().unwrap();
+
+    record_handshake_failure_class(&beobachten, &config, peer_ip, &reset);
+
+    let snapshot = beobachten.snapshot_text(Duration::from_secs(60));
+    assert!(
+        snapshot.contains("[expected_64_got_0]"),
+        "ConnectionReset must be classified as expected handshake close"
+    );
+}
+
+#[test]
+fn stream_io_unexpected_eof_is_classified_without_string_matching() {
+    let beobachten = BeobachtenStore::new();
+    let mut config = ProxyConfig::default();
+    config.general.beobachten = true;
+    config.general.beobachten_minutes = 1;
+
+    let eof = ProxyError::Stream(StreamError::Io(std::io::Error::from(
+        std::io::ErrorKind::UnexpectedEof,
+    )));
+    let peer_ip: IpAddr = "198.51.100.203".parse().unwrap();
+
+    record_handshake_failure_class(&beobachten, &config, peer_ip, &eof);
+
+    let snapshot = beobachten.snapshot_text(Duration::from_secs(60));
+    assert!(
+        snapshot.contains("[expected_64_got_0]"),
+        "StreamError::Io(UnexpectedEof) must be classified as expected handshake close"
+    );
+}
+
 #[test]
 fn non_eof_error_is_classified_as_other() {
     let beobachten = BeobachtenStore::new();
@@ -2839,6 +2911,7 @@ async fn explicit_reservation_release_cleans_user_and_ip_immediately() {
 
     let stats = Arc::new(Stats::new());
     let ip_tracker = Arc::new(UserIpTracker::new());
+    ip_tracker.set_user_limit(user, 4).await;
 
     let reservation = RunningClientHandler::acquire_user_connection_reservation_static(
         user,
@@ -2877,6 +2950,7 @@ async fn explicit_reservation_release_does_not_double_decrement_on_drop() {
 
     let stats = Arc::new(Stats::new());
     let ip_tracker = Arc::new(UserIpTracker::new());
+    ip_tracker.set_user_limit(user, 4).await;
 
     let reservation = RunningClientHandler::acquire_user_connection_reservation_static(
         user,
@@ -2907,6 +2981,7 @@ async fn drop_fallback_eventually_cleans_user_and_ip_reservation() {
 
     let stats = Arc::new(Stats::new());
     let ip_tracker = Arc::new(UserIpTracker::new());
+    ip_tracker.set_user_limit(user, 1).await;
 
     let reservation = RunningClientHandler::acquire_user_connection_reservation_static(
         user,
@@ -2989,6 +3064,7 @@ async fn release_abort_storm_does_not_leak_user_or_ip_reservations() {
 
     let stats = Arc::new(Stats::new());
     let ip_tracker = Arc::new(UserIpTracker::new());
+    ip_tracker.set_user_limit(user, ATTEMPTS + 16).await;
 
     for idx in 0..ATTEMPTS {
         let peer = SocketAddr::new(
@@ -3039,6 +3115,7 @@ async fn release_abort_loop_preserves_immediate_same_ip_reacquire() {
 
     let stats = Arc::new(Stats::new());
     let ip_tracker = Arc::new(UserIpTracker::new());
+    ip_tracker.set_user_limit(user, 1).await;
 
     for _ in 0..ITERATIONS {
         let reservation = RunningClientHandler::acquire_user_connection_reservation_static(
@@ -3097,6 +3174,7 @@ async fn adversarial_mixed_release_drop_abort_wave_converges_to_zero() {
 
     let stats = Arc::new(Stats::new());
     let ip_tracker = Arc::new(UserIpTracker::new());
+    ip_tracker.set_user_limit(user, RESERVATIONS + 8).await;
 
     let mut reservations = Vec::with_capacity(RESERVATIONS);
     for idx in 0..RESERVATIONS {
@@ -3177,6 +3255,8 @@ async fn parallel_users_abort_release_isolation_preserves_independent_cleanup()
 
     let stats = Arc::new(Stats::new());
     let ip_tracker = Arc::new(UserIpTracker::new());
+    ip_tracker.set_user_limit(user_a, 64).await;
+    ip_tracker.set_user_limit(user_b, 64).await;
 
     let mut tasks = tokio::task::JoinSet::new();
     for idx in 0..64usize {
@@ -3238,6 +3318,7 @@ async fn concurrent_release_storm_leaves_zero_user_and_ip_footprint() {
 
     let stats = Arc::new(Stats::new());
     let ip_tracker = Arc::new(UserIpTracker::new());
+    ip_tracker.set_user_limit(user, RESERVATIONS + 8).await;
 
     let mut reservations = Vec::with_capacity(RESERVATIONS);
     for idx in 0..RESERVATIONS {
@@ -3292,6 +3373,7 @@ async fn relay_connect_error_releases_user_and_ip_before_return() {
 
     let stats = Arc::new(Stats::new());
     let ip_tracker = Arc::new(UserIpTracker::new());
+    ip_tracker.set_user_limit(user, 8).await;
 
     let mut config = ProxyConfig::default();
     config.access.user_max_tcp_conns.insert(user.to_string(), 1);
@@ -3387,6 +3469,7 @@ async fn mixed_release_and_drop_same_ip_preserves_counter_correctness() {
 
     let stats = Arc::new(Stats::new());
     let ip_tracker = Arc::new(UserIpTracker::new());
+    ip_tracker.set_user_limit(user, 1).await;
 
     let reservation_a = RunningClientHandler::acquire_user_connection_reservation_static(
         user,
@@ -3447,6 +3530,7 @@ async fn drop_one_of_two_same_ip_reservations_keeps_ip_active() {
 
     let stats = Arc::new(Stats::new());
     let ip_tracker = Arc::new(UserIpTracker::new());
+    ip_tracker.set_user_limit(user, 1).await;
 
     let reservation_a = RunningClientHandler::acquire_user_connection_reservation_static(
         user,
@@ -3656,6 +3740,7 @@ async fn cross_thread_drop_uses_captured_runtime_for_ip_cleanup() {
 
     let stats = Arc::new(Stats::new());
     let ip_tracker = Arc::new(UserIpTracker::new());
+    ip_tracker.set_user_limit(user, 8).await;
 
     let reservation = RunningClientHandler::acquire_user_connection_reservation_static(
         user,
@@ -3700,6 +3785,7 @@ async fn immediate_reacquire_after_cross_thread_drop_succeeds() {
 
     let stats = Arc::new(Stats::new());
     let ip_tracker = Arc::new(UserIpTracker::new());
+    ip_tracker.set_user_limit(user, 1).await;
 
     let reservation = RunningClientHandler::acquire_user_connection_reservation_static(
         user,

src/proxy/tests/handshake_security_tests.rs

@@ -1007,6 +1007,55 @@ async fn tls_unknown_sni_mask_policy_falls_back_to_bad_client() {
     assert!(matches!(result, HandshakeResult::BadClient { .. }));
 }
 
+#[tokio::test]
+async fn tls_unknown_sni_reject_handshake_policy_emits_unrecognized_name_alert() {
+    use tokio::io::{AsyncReadExt, duplex};
+
+    let secret = [0x4Au8; 16];
+    let mut config = test_config_with_secret_hex("4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a");
+    config.censorship.unknown_sni_action = UnknownSniAction::RejectHandshake;
+
+    let replay_checker = ReplayChecker::new(128, Duration::from_secs(60));
+    let rng = SecureRandom::new();
+    let peer: SocketAddr = "198.51.100.192:44326".parse().unwrap();
+    let handshake =
+        make_valid_tls_client_hello_with_sni_and_alpn(&secret, 0, "unknown.example", &[b"h2"]);
+
+    // Wire up a duplex so we can inspect what the server writes towards the
+    // client. We own the "peer side" half to read from it.
+    let (server_side, mut peer_side) = duplex(1024);
+    let (server_read, server_write) = tokio::io::split(server_side);
+
+    let result = handle_tls_handshake(
+        &handshake,
+        server_read,
+        server_write,
+        peer,
+        &config,
+        &replay_checker,
+        &rng,
+        None,
+    )
+    .await;
+
+    assert!(matches!(
+        result,
+        HandshakeResult::Error(ProxyError::UnknownTlsSni)
+    ));
+
+    // Drain what the server wrote. We expect exactly one TLS alert record:
+    //   0x15 0x03 0x03 0x00 0x02 0x02 0x70
+    // (ContentType.alert, TLS 1.2, length=2, fatal, unrecognized_name)
+    drop(result); // drops the server-side writer so peer_side sees EOF
+    let mut buf = Vec::new();
+    peer_side.read_to_end(&mut buf).await.unwrap();
+    assert_eq!(
+        buf,
+        [0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x70],
+        "reject_handshake must emit a fatal unrecognized_name TLS alert"
+    );
+}
+
 #[tokio::test]
 async fn tls_unknown_sni_accept_policy_continues_auth_path() {
     let secret = [0x4Bu8; 16];
@@ -1203,6 +1252,97 @@ async fn tls_overload_budget_limits_candidate_scan_depth() {
     );
 }
 
+#[tokio::test]
+async fn tls_expensive_invalid_scan_activates_saturation_budget() {
+    let mut config = ProxyConfig::default();
+    config.access.users.clear();
+    config.access.ignore_time_skew = true;
+    for idx in 0..80u8 {
+        config.access.users.insert(
+            format!("user-{idx}"),
+            format!("{:032x}", u128::from(idx) + 1),
+        );
+    }
+    config.rebuild_runtime_user_auth().unwrap();
+
+    let replay_checker = ReplayChecker::new(128, Duration::from_secs(60));
+    let rng = SecureRandom::new();
+    let shared = ProxySharedState::new();
+    let attacker_secret = [0xEFu8; 16];
+    let handshake = make_valid_tls_handshake(&attacker_secret, 0);
+
+    let first_peer: SocketAddr = "198.51.100.214:44326".parse().unwrap();
+    let first = handle_tls_handshake_with_shared(
+        &handshake,
+        tokio::io::empty(),
+        tokio::io::sink(),
+        first_peer,
+        &config,
+        &replay_checker,
+        &rng,
+        None,
+        shared.as_ref(),
+    )
+    .await;
+
+    assert!(matches!(first, HandshakeResult::BadClient { .. }));
+    assert!(
+        auth_probe_saturation_state_for_testing_in_shared(shared.as_ref())
+            .lock()
+            .unwrap()
+            .is_some(),
+        "expensive invalid scan must activate global saturation"
+    );
+    assert_eq!(
+        shared
+            .handshake
+            .auth_expensive_checks_total
+            .load(Ordering::Relaxed),
+        80,
+        "first invalid probe preserves full first-hit compatibility before enabling saturation"
+    );
+
+    {
+        let mut saturation = auth_probe_saturation_state_for_testing_in_shared(shared.as_ref())
+            .lock()
+            .unwrap();
+        let state = saturation.as_mut().expect("saturation must be present");
+        state.blocked_until = Instant::now() + Duration::from_millis(200);
+    }
+
+    let second_peer: SocketAddr = "198.51.100.215:44326".parse().unwrap();
+    let second = handle_tls_handshake_with_shared(
+        &handshake,
+        tokio::io::empty(),
+        tokio::io::sink(),
+        second_peer,
+        &config,
+        &replay_checker,
+        &rng,
+        None,
+        shared.as_ref(),
+    )
+    .await;
+
+    assert!(matches!(second, HandshakeResult::BadClient { .. }));
+    assert_eq!(
+        shared
+            .handshake
+            .auth_budget_exhausted_total
+            .load(Ordering::Relaxed),
+        1,
+        "second invalid probe must be capped by overload budget"
+    );
+    assert_eq!(
+        shared
+            .handshake
+            .auth_expensive_checks_total
+            .load(Ordering::Relaxed),
+        80 + OVERLOAD_CANDIDATE_BUDGET_UNHINTED as u64,
+        "saturation budget must bound follow-up invalid scans"
+    );
+}
+
 #[tokio::test]
 async fn mtproto_runtime_snapshot_prefers_preferred_user_hint() {
     let mut config = ProxyConfig::default();

src/proxy/tests/masking_consume_stress_adversarial_tests.rs

@@ -58,11 +58,22 @@ async fn consume_stall_stress_finishes_within_idle_budget() {
 }
 
 #[tokio::test]
-async fn consume_zero_cap_returns_immediately() {
+async fn consume_zero_cap_is_idle_bounded_on_stall() {
     let started = Instant::now();
-    consume_client_data(tokio::io::empty(), 0, MASK_RELAY_IDLE_TIMEOUT).await;
+    tokio::time::timeout(
+        MASK_RELAY_TIMEOUT,
+        consume_client_data(OneByteThenStall { sent: false }, 0, MASK_RELAY_IDLE_TIMEOUT),
+    )
+    .await
+    .expect("zero-cap consume path must remain bounded by timeout guards");
+
+    let elapsed = started.elapsed();
     assert!(
-        started.elapsed() < MASK_RELAY_IDLE_TIMEOUT,
-        "zero byte cap must return immediately"
+        elapsed >= (MASK_RELAY_IDLE_TIMEOUT / 2),
+        "zero cap must not short-circuit before idle timeout path, got {elapsed:?}"
+    );
+    assert!(
+        elapsed < MASK_RELAY_TIMEOUT,
+        "zero-cap consume path must complete before relay timeout, got {elapsed:?}"
     );
 }

src/proxy/tests/masking_production_cap_regression_security_tests.rs

@@ -148,9 +148,10 @@ async fn positive_copy_with_production_cap_stops_exactly_at_budget() {
 }
 
 #[tokio::test]
-async fn negative_consume_with_zero_cap_performs_no_reads() {
-    let read_calls = Arc::new(AtomicUsize::new(0));
-    let reader = FinitePatternReader::new(1024, 64, Arc::clone(&read_calls));
+async fn consume_with_zero_cap_drains_until_eof() {
+    let payload = 256 * 1024;
+    let total_read = Arc::new(AtomicUsize::new(0));
+    let reader = BudgetProbeReader::new(payload, Arc::clone(&total_read));
 
     consume_client_data_with_timeout_and_cap(
         reader,
@@ -161,9 +162,27 @@ async fn negative_consume_with_zero_cap_performs_no_reads() {
     .await;
 
     assert_eq!(
-        read_calls.load(Ordering::Relaxed),
-        0,
-        "zero cap must return before reading attacker-controlled bytes"
+        total_read.load(Ordering::Relaxed),
+        payload,
+        "zero cap must disable byte budget and drain finite payload to EOF"
+    );
+}
+
+#[tokio::test]
+async fn copy_with_zero_cap_drains_until_eof() {
+    let read_calls = Arc::new(AtomicUsize::new(0));
+    let payload = 73 * 1024;
+    let mut reader = FinitePatternReader::new(payload, 3072, read_calls);
+    let mut writer = CountingWriter::default();
+
+    let outcome =
+        copy_with_idle_timeout(&mut reader, &mut writer, 0, true, MASK_RELAY_IDLE_TIMEOUT).await;
+
+    assert_eq!(outcome.total, payload);
+    assert_eq!(writer.written, payload);
+    assert!(
+        outcome.ended_by_eof,
+        "zero cap must not terminate relay early on byte budget"
     );
 }
 

src/proxy/tests/middle_relay_atomic_quota_invariant_tests.rs

@@ -70,6 +70,7 @@ async fn me_writer_write_fail_keeps_reserved_quota_and_tracks_fail_metrics() {
         MeResponse::Data {
             flags: 0,
             data: payload.clone(),
+            route_permit: None,
         },
         &mut writer,
         ProtoTag::Intermediate,
@@ -139,6 +140,7 @@ async fn me_writer_pre_write_quota_reject_happens_before_writer_poll() {
         MeResponse::Data {
             flags: 0,
             data: Bytes::from_static(&[0xAA, 0xBB, 0xCC]),
+            route_permit: None,
         },
         &mut writer,
         ProtoTag::Intermediate,

src/proxy/tests/middle_relay_stub_completion_security_tests.rs

@@ -12,6 +12,12 @@ fn make_pooled_payload(data: &[u8]) -> PooledBuffer {
     payload
 }
 
+fn make_c2me_permit() -> tokio::sync::OwnedSemaphorePermit {
+    Arc::new(tokio::sync::Semaphore::new(1))
+        .try_acquire_many_owned(1)
+        .expect("test permit must be available")
+}
+
 #[test]
 #[ignore = "Tracking for M-04: Verify should_emit_full_desync returns true on first occurrence and false on duplicate within window"]
 fn should_emit_full_desync_filters_duplicates() {
@@ -107,6 +113,7 @@ async fn c2me_channel_full_path_yields_then_sends() {
     tx.send(C2MeCommand::Data {
         payload: make_pooled_payload(&[0xAA]),
         flags: 1,
+        _permit: make_c2me_permit(),
     })
     .await
     .expect("priming queue with one frame must succeed");
@@ -119,6 +126,7 @@ async fn c2me_channel_full_path_yields_then_sends() {
             C2MeCommand::Data {
                 payload: make_pooled_payload(&[0xBB, 0xCC]),
                 flags: 2,
+                _permit: make_c2me_permit(),
             },
             None,
             &stats,
@@ -138,7 +146,7 @@ async fn c2me_channel_full_path_yields_then_sends() {
         .expect("receiver should observe primed frame")
         .expect("first queued command must exist");
     match first {
-        C2MeCommand::Data { payload, flags } => {
+        C2MeCommand::Data { payload, flags, .. } => {
             assert_eq!(payload.as_ref(), &[0xAA]);
             assert_eq!(flags, 1);
         }
@@ -155,7 +163,7 @@ async fn c2me_channel_full_path_yields_then_sends() {
         .expect("receiver should observe backpressure-resumed frame")
         .expect("second queued command must exist");
     match second {
-        C2MeCommand::Data { payload, flags } => {
+        C2MeCommand::Data { payload, flags, .. } => {
             assert_eq!(payload.as_ref(), &[0xBB, 0xCC]);
             assert_eq!(flags, 2);
         }

src/stats/beobachten.rs

@@ -7,6 +7,7 @@ use std::time::{Duration, Instant};
 use parking_lot::Mutex;
 
 const CLEANUP_INTERVAL: Duration = Duration::from_secs(30);
+const MAX_BEOBACHTEN_ENTRIES: usize = 65_536;
 
 #[derive(Default)]
 struct BeobachtenInner {
@@ -48,12 +49,23 @@ impl BeobachtenStore {
         Self::cleanup_if_needed(&mut guard, now, ttl);
 
         let key = (class.to_string(), ip);
-        let entry = guard.entries.entry(key).or_insert(BeobachtenEntry {
-            tries: 0,
-            last_seen: now,
-        });
-        entry.tries = entry.tries.saturating_add(1);
-        entry.last_seen = now;
+        if let Some(entry) = guard.entries.get_mut(&key) {
+            entry.tries = entry.tries.saturating_add(1);
+            entry.last_seen = now;
+            return;
+        }
+
+        if guard.entries.len() >= MAX_BEOBACHTEN_ENTRIES {
+            return;
+        }
+
+        guard.entries.insert(
+            key,
+            BeobachtenEntry {
+                tries: 1,
+                last_seen: now,
+            },
+        );
     }
 
     pub fn snapshot_text(&self, ttl: Duration) -> String {

src/stats/mod.rs

@@ -88,6 +88,8 @@ impl Drop for RouteConnectionLease {
 pub struct Stats {
     connects_all: AtomicU64,
     connects_bad: AtomicU64,
+    connects_bad_classes: DashMap<&'static str, AtomicU64>,
+    handshake_failure_classes: DashMap<&'static str, AtomicU64>,
     current_connections_direct: AtomicU64,
     current_connections_me: AtomicU64,
     handshake_timeouts: AtomicU64,
@@ -518,10 +520,32 @@ impl Stats {
             self.connects_all.fetch_add(1, Ordering::Relaxed);
         }
     }
-    pub fn increment_connects_bad(&self) {
-        if self.telemetry_core_enabled() {
-            self.connects_bad.fetch_add(1, Ordering::Relaxed);
+
+    pub fn increment_connects_bad_with_class(&self, class: &'static str) {
+        if !self.telemetry_core_enabled() {
+            return;
         }
+        self.connects_bad.fetch_add(1, Ordering::Relaxed);
+        let entry = self
+            .connects_bad_classes
+            .entry(class)
+            .or_insert_with(|| AtomicU64::new(0));
+        entry.fetch_add(1, Ordering::Relaxed);
+    }
+
+    pub fn increment_connects_bad(&self) {
+        self.increment_connects_bad_with_class("other");
+    }
+
+    pub fn increment_handshake_failure_class(&self, class: &'static str) {
+        if !self.telemetry_core_enabled() {
+            return;
+        }
+        let entry = self
+            .handshake_failure_classes
+            .entry(class)
+            .or_insert_with(|| AtomicU64::new(0));
+        entry.fetch_add(1, Ordering::Relaxed);
     }
     pub fn increment_current_connections_direct(&self) {
         self.current_connections_direct
@@ -1640,6 +1664,37 @@ impl Stats {
     pub fn get_connects_bad(&self) -> u64 {
         self.connects_bad.load(Ordering::Relaxed)
     }
+
+    pub fn get_connects_bad_class_counts(&self) -> Vec<(String, u64)> {
+        let mut out: Vec<(String, u64)> = self
+            .connects_bad_classes
+            .iter()
+            .map(|entry| {
+                (
+                    entry.key().to_string(),
+                    entry.value().load(Ordering::Relaxed),
+                )
+            })
+            .collect();
+        out.sort_by(|a, b| a.0.cmp(&b.0));
+        out
+    }
+
+    pub fn get_handshake_failure_class_counts(&self) -> Vec<(String, u64)> {
+        let mut out: Vec<(String, u64)> = self
+            .handshake_failure_classes
+            .iter()
+            .map(|entry| {
+                (
+                    entry.key().to_string(),
+                    entry.value().load(Ordering::Relaxed),
+                )
+            })
+            .collect();
+        out.sort_by(|a, b| a.0.cmp(&b.0));
+        out
+    }
+
     pub fn get_accept_permit_timeout_total(&self) -> u64 {
         self.accept_permit_timeout_total.load(Ordering::Relaxed)
     }

src/tests/ip_tracker_regression_tests.rs

@@ -649,6 +649,25 @@ async fn duplicate_cleanup_entries_do_not_break_future_admission() {
     );
 }
 
+#[tokio::test]
+async fn duplicate_cleanup_entries_are_coalesced_until_drain() {
+    let tracker = UserIpTracker::new();
+    let ip = ip_from_idx(7150);
+
+    tracker.enqueue_cleanup("coalesced-cleanup".to_string(), ip);
+    tracker.enqueue_cleanup("coalesced-cleanup".to_string(), ip);
+    tracker.enqueue_cleanup("coalesced-cleanup".to_string(), ip);
+
+    assert_eq!(
+        tracker.cleanup_queue_len_for_tests(),
+        1,
+        "duplicate queued cleanup entries must retain one allocation slot"
+    );
+
+    tracker.drain_cleanup_queue().await;
+    assert_eq!(tracker.cleanup_queue_len_for_tests(), 0);
+}
+
 #[tokio::test]
 async fn stress_repeated_queue_poison_recovery_preserves_admission_progress() {
     let tracker = UserIpTracker::new();

src/tls_front/emulator.rs

@@ -5,7 +5,9 @@ use crate::protocol::constants::{
     MAX_TLS_CIPHERTEXT_SIZE, TLS_RECORD_APPLICATION, TLS_RECORD_CHANGE_CIPHER,
     TLS_RECORD_HANDSHAKE, TLS_VERSION,
 };
-use crate::protocol::tls::{TLS_DIGEST_LEN, TLS_DIGEST_POS, gen_fake_x25519_key};
+use crate::protocol::tls::{
+    ClientHelloTlsVersion, TLS_DIGEST_LEN, TLS_DIGEST_POS, gen_fake_x25519_key,
+};
 use crate::tls_front::types::{CachedTlsData, ParsedCertificateInfo, TlsProfileSource};
 use crc32fast::Hasher;
 
@@ -18,9 +20,6 @@ fn jitter_and_clamp_sizes(sizes: &[usize], rng: &SecureRandom) -> Vec<usize> {
         .iter()
         .map(|&size| {
             let base = size.clamp(MIN_APP_DATA, MAX_APP_DATA);
-            if base == MIN_APP_DATA || base == MAX_APP_DATA {
-                return base;
-            }
             let jitter_range = ((base as f64) * 0.03).round() as i64;
             if jitter_range == 0 {
                 return base;
@@ -69,9 +68,19 @@ fn ensure_payload_capacity(mut sizes: Vec<usize>, payload_len: usize) -> Vec<usi
 fn emulated_app_data_sizes(cached: &CachedTlsData) -> Vec<usize> {
     match cached.behavior_profile.source {
         TlsProfileSource::Raw | TlsProfileSource::Merged => {
-            if !cached.behavior_profile.app_data_record_sizes.is_empty() {
-                return cached.behavior_profile.app_data_record_sizes.clone();
-            }
+            return cached
+                .app_data_records_sizes
+                .first()
+                .copied()
+                .or_else(|| {
+                    cached
+                        .behavior_profile
+                        .app_data_record_sizes
+                        .first()
+                        .copied()
+                })
+                .map(|size| vec![size])
+                .unwrap_or_else(|| vec![cached.total_app_data_len.max(1024)]);
         }
         TlsProfileSource::Default | TlsProfileSource::Rustls => {}
     }
@@ -83,8 +92,8 @@ fn emulated_app_data_sizes(cached: &CachedTlsData) -> Vec<usize> {
     sizes
 }
 
-fn emulated_change_cipher_spec_count(cached: &CachedTlsData) -> usize {
-    usize::from(cached.behavior_profile.change_cipher_spec_count.max(1))
+fn emulated_change_cipher_spec_count(_cached: &CachedTlsData) -> usize {
+    1
 }
 
 fn emulated_ticket_record_sizes(
@@ -92,19 +101,20 @@ fn emulated_ticket_record_sizes(
     new_session_tickets: u8,
     rng: &SecureRandom,
 ) -> Vec<usize> {
-    let mut sizes = match cached.behavior_profile.source {
+    let target_count = usize::from(new_session_tickets.min(MAX_TICKET_RECORDS as u8));
+    if target_count == 0 {
+        return Vec::new();
+    }
+
+    let profiled_sizes = match cached.behavior_profile.source {
         TlsProfileSource::Raw | TlsProfileSource::Merged => {
-            cached.behavior_profile.ticket_record_sizes.clone()
+            cached.behavior_profile.ticket_record_sizes.as_slice()
         }
-        TlsProfileSource::Default | TlsProfileSource::Rustls => Vec::new(),
+        TlsProfileSource::Default | TlsProfileSource::Rustls => &[],
     };
 
-    let target_count = sizes
-        .len()
-        .max(usize::from(
-            new_session_tickets.min(MAX_TICKET_RECORDS as u8),
-        ))
-        .min(MAX_TICKET_RECORDS);
+    let mut sizes = Vec::with_capacity(target_count);
+    sizes.extend(profiled_sizes.iter().copied().take(target_count));
 
     while sizes.len() < target_count {
         sizes.push(rng.range(48) + 48);
@@ -182,6 +192,8 @@ pub fn build_emulated_server_hello(
     session_id: &[u8],
     cached: &CachedTlsData,
     use_full_cert_payload: bool,
+    serverhello_compact: bool,
+    client_tls_version: ClientHelloTlsVersion,
     rng: &SecureRandom,
     alpn: Option<Vec<u8>>,
     new_session_tickets: u8,
@@ -245,21 +257,45 @@ pub fn build_emulated_server_hello(
     }
 
     // --- ApplicationData (fake encrypted records) ---
-    let mut sizes = jitter_and_clamp_sizes(&emulated_app_data_sizes(cached), rng);
-    let compact_payload = cached
-        .cert_info
-        .as_ref()
-        .and_then(build_compact_cert_info_payload)
-        .and_then(hash_compact_cert_info_payload);
-    let selected_payload: Option<&[u8]> = if use_full_cert_payload {
+    let mut sizes = {
+        let base_sizes = emulated_app_data_sizes(cached);
+        match cached.behavior_profile.source {
+            TlsProfileSource::Raw | TlsProfileSource::Merged => base_sizes
+                .into_iter()
+                .map(|size| size.clamp(MIN_APP_DATA, MAX_APP_DATA))
+                .collect(),
+            TlsProfileSource::Default | TlsProfileSource::Rustls => {
+                jitter_and_clamp_sizes(&base_sizes, rng)
+            }
+        }
+    };
+    let compact_payload = if serverhello_compact {
         cached
-            .cert_payload
+            .cert_info
             .as_ref()
-            .map(|payload| payload.certificate_message.as_slice())
-            .filter(|payload| !payload.is_empty())
-            .or(compact_payload.as_deref())
+            .and_then(build_compact_cert_info_payload)
+            .and_then(hash_compact_cert_info_payload)
     } else {
-        compact_payload.as_deref()
+        None
+    };
+    let full_payload = cached
+        .cert_payload
+        .as_ref()
+        .map(|payload| payload.certificate_message.as_slice())
+        .filter(|payload| !payload.is_empty());
+    let selected_payload: Option<&[u8]> = match client_tls_version {
+        ClientHelloTlsVersion::Tls13 => None,
+        ClientHelloTlsVersion::Tls12 => {
+            if serverhello_compact {
+                if use_full_cert_payload {
+                    full_payload.or(compact_payload.as_deref())
+                } else {
+                    compact_payload.as_deref()
+                }
+            } else {
+                full_payload
+            }
+        }
     };
 
     if let Some(payload) = selected_payload {
@@ -383,6 +419,7 @@ mod tests {
     use crate::protocol::constants::{
         TLS_RECORD_APPLICATION, TLS_RECORD_CHANGE_CIPHER, TLS_RECORD_HANDSHAKE,
     };
+    use crate::protocol::tls::ClientHelloTlsVersion;
 
     fn first_app_data_payload(response: &[u8]) -> &[u8] {
         let hello_len = u16::from_be_bytes([response[3], response[4]]) as usize;
@@ -429,6 +466,8 @@ mod tests {
             &[0x22; 16],
             &cached,
             true,
+            true,
+            ClientHelloTlsVersion::Tls12,
             &rng,
             None,
             0,
@@ -455,6 +494,8 @@ mod tests {
             &[0x33; 16],
             &cached,
             true,
+            true,
+            ClientHelloTlsVersion::Tls12,
             &rng,
             None,
             0,
@@ -487,6 +528,8 @@ mod tests {
             &[0x55; 16],
             &cached,
             false,
+            true,
+            ClientHelloTlsVersion::Tls12,
             &rng,
             None,
             0,
@@ -511,7 +554,69 @@ mod tests {
     }
 
     #[test]
-    fn test_build_emulated_server_hello_replays_tail_records_for_profiled_tls() {
+    fn test_build_emulated_server_hello_tls13_never_uses_cert_payload() {
+        let cert_msg = vec![0x0b, 0x00, 0x00, 0x05, 0x00, 0xaa, 0xbb, 0xcc, 0xdd];
+        let cached = make_cached(Some(TlsCertPayload {
+            cert_chain_der: vec![vec![0x30, 0x01, 0x00]],
+            certificate_message: cert_msg.clone(),
+        }));
+
+        let rng = SecureRandom::new();
+        let response = build_emulated_server_hello(
+            b"secret",
+            &[0x56; 32],
+            &[0x78; 16],
+            &cached,
+            true,
+            true,
+            ClientHelloTlsVersion::Tls13,
+            &rng,
+            None,
+            0,
+        );
+
+        let payload = first_app_data_payload(&response);
+        assert!(
+            !payload.starts_with(&cert_msg),
+            "TLS 1.3 response path must not expose certificate payload bytes"
+        );
+    }
+
+    #[test]
+    fn test_build_emulated_server_hello_compact_disabled_skips_compact_payload() {
+        let mut cached = make_cached(None);
+        cached.cert_info = Some(crate::tls_front::types::ParsedCertificateInfo {
+            not_after_unix: Some(1_900_000_000),
+            not_before_unix: Some(1_700_000_000),
+            issuer_cn: Some("Issuer".to_string()),
+            subject_cn: Some("example.com".to_string()),
+            san_names: vec!["example.com".to_string()],
+        });
+
+        let rng = SecureRandom::new();
+        let response = build_emulated_server_hello(
+            b"secret",
+            &[0x90; 32],
+            &[0x91; 16],
+            &cached,
+            false,
+            false,
+            ClientHelloTlsVersion::Tls12,
+            &rng,
+            Some(b"h2".to_vec()),
+            0,
+        );
+
+        let payload = first_app_data_payload(&response);
+        let expected_alpn_marker = [0x00u8, 0x10, 0x00, 0x05, 0x00, 0x03, 0x02, b'h', b'2'];
+        assert!(
+            payload.starts_with(&expected_alpn_marker),
+            "when compact mode is disabled and no full cert payload exists, the random/alpn path must be used"
+        );
+    }
+
+    #[test]
+    fn test_build_emulated_server_hello_ignores_tail_records_for_profiled_tls() {
         let mut cached = make_cached(None);
         cached.app_data_records_sizes = vec![27, 3905, 537, 69];
         cached.total_app_data_len = 4538;
@@ -526,6 +631,8 @@ mod tests {
             &[0x34; 16],
             &cached,
             false,
+            true,
+            ClientHelloTlsVersion::Tls13,
             &rng,
             None,
             0,
@@ -533,19 +640,11 @@ mod tests {
 
         let hello_len = u16::from_be_bytes([response[3], response[4]]) as usize;
         let ccs_start = 5 + hello_len;
-        let mut pos = ccs_start + 6;
-        let mut app_lengths = Vec::new();
-        while pos + 5 <= response.len() {
-            assert_eq!(response[pos], TLS_RECORD_APPLICATION);
-            let record_len = u16::from_be_bytes([response[pos + 3], response[pos + 4]]) as usize;
-            app_lengths.push(record_len);
-            pos += 5 + record_len;
-        }
-
-        assert_eq!(app_lengths.len(), 4);
-        assert_eq!(app_lengths[0], 64);
-        assert_eq!(app_lengths[3], 69);
-        assert!(app_lengths[1] >= 64);
-        assert!(app_lengths[2] >= 64);
+        let app_start = ccs_start + 6;
+        let app_len =
+            u16::from_be_bytes([response[app_start + 3], response[app_start + 4]]) as usize;
+        assert_eq!(response[app_start], TLS_RECORD_APPLICATION);
+        assert_eq!(app_len, 64);
+        assert_eq!(app_start + 5 + app_len, response.len());
     }
 }

src/tls_front/fetcher.rs

@@ -20,6 +20,7 @@ use rustls::client::ClientConfig;
 use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
 use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
 use rustls::{DigitallySignedStruct, Error as RustlsError};
+use x25519_dalek::{X25519_BASEPOINT_BYTES, x25519};
 
 use x509_parser::certificate::X509Certificate;
 use x509_parser::prelude::FromDer;
@@ -275,7 +276,7 @@ fn remember_profile_success(
     );
 }
 
-fn build_client_config() -> Arc<ClientConfig> {
+fn build_client_config(alpn_protocols: &[&[u8]]) -> Arc<ClientConfig> {
     let root = rustls::RootCertStore::empty();
 
     let provider = rustls::crypto::ring::default_provider();
@@ -288,6 +289,7 @@ fn build_client_config() -> Arc<ClientConfig> {
     config
         .dangerous()
         .set_certificate_verifier(Arc::new(NoVerify));
+    config.alpn_protocols = alpn_protocols.iter().map(|proto| proto.to_vec()).collect();
 
     Arc::new(config)
 }
@@ -359,6 +361,22 @@ fn profile_alpn(profile: TlsFetchProfile) -> &'static [&'static [u8]] {
     }
 }
 
+fn profile_alpn_labels(profile: TlsFetchProfile) -> &'static [&'static str] {
+    const H2_HTTP11: &[&str] = &["h2", "http/1.1"];
+    const HTTP11: &[&str] = &["http/1.1"];
+    match profile {
+        TlsFetchProfile::ModernChromeLike | TlsFetchProfile::ModernFirefoxLike => H2_HTTP11,
+        TlsFetchProfile::CompatTls12 | TlsFetchProfile::LegacyMinimal => HTTP11,
+    }
+}
+
+fn profile_session_id_len(profile: TlsFetchProfile) -> usize {
+    match profile {
+        TlsFetchProfile::ModernChromeLike | TlsFetchProfile::ModernFirefoxLike => 32,
+        TlsFetchProfile::CompatTls12 | TlsFetchProfile::LegacyMinimal => 0,
+    }
+}
+
 fn profile_supported_versions(profile: TlsFetchProfile) -> &'static [u16] {
     const MODERN: &[u16] = &[0x0304, 0x0303];
     const COMPAT: &[u16] = &[0x0303, 0x0304];
@@ -413,8 +431,20 @@ fn build_client_hello(
         body.extend_from_slice(&rng.bytes(32));
     }
 
-    // Session ID: empty
-    body.push(0);
+    // Use non-empty Session ID for modern TLS 1.3-like profiles to reduce middlebox friction.
+    let session_id_len = profile_session_id_len(profile);
+    let session_id = if session_id_len == 0 {
+        Vec::new()
+    } else if deterministic {
+        deterministic_bytes(
+            &format!("tls-fetch-session:{sni}:{}", profile.as_str()),
+            session_id_len,
+        )
+    } else {
+        rng.bytes(session_id_len)
+    };
+    body.push(session_id.len() as u8);
+    body.extend_from_slice(&session_id);
 
     let mut cipher_suites = profile_cipher_suites(profile).to_vec();
     if grease_enabled {
@@ -433,16 +463,26 @@ fn build_client_hello(
     // === Extensions ===
     let mut exts = Vec::new();
 
+    let mut push_extension = |ext_type: u16, data: &[u8]| {
+        exts.extend_from_slice(&ext_type.to_be_bytes());
+        exts.extend_from_slice(&(data.len() as u16).to_be_bytes());
+        exts.extend_from_slice(data);
+    };
+
     // server_name (SNI)
     let sni_bytes = sni.as_bytes();
     let mut sni_ext = Vec::with_capacity(5 + sni_bytes.len());
     sni_ext.extend_from_slice(&(sni_bytes.len() as u16 + 3).to_be_bytes());
-    sni_ext.push(0); // host_name
+    sni_ext.push(0);
     sni_ext.extend_from_slice(&(sni_bytes.len() as u16).to_be_bytes());
     sni_ext.extend_from_slice(sni_bytes);
-    exts.extend_from_slice(&0x0000u16.to_be_bytes());
-    exts.extend_from_slice(&(sni_ext.len() as u16).to_be_bytes());
-    exts.extend_from_slice(&sni_ext);
+    push_extension(0x0000, &sni_ext);
+
+    // Chrome-like profile keeps browser-like ordering and extension set.
+    if matches!(profile, TlsFetchProfile::ModernChromeLike) {
+        // ec_point_formats: uncompressed only.
+        push_extension(0x000b, &[0x01, 0x00]);
+    }
 
     // supported_groups
     let mut groups = profile_groups(profile).to_vec();
@@ -450,11 +490,16 @@ fn build_client_hello(
         let grease = grease_value(rng, deterministic, &format!("group:{sni}"));
         groups.insert(0, grease);
     }
-    exts.extend_from_slice(&0x000au16.to_be_bytes());
-    exts.extend_from_slice(&((2 + groups.len() * 2) as u16).to_be_bytes());
-    exts.extend_from_slice(&(groups.len() as u16 * 2).to_be_bytes());
+    let mut groups_ext = Vec::with_capacity(2 + groups.len() * 2);
+    groups_ext.extend_from_slice(&(groups.len() as u16 * 2).to_be_bytes());
     for g in groups {
-        exts.extend_from_slice(&g.to_be_bytes());
+        groups_ext.extend_from_slice(&g.to_be_bytes());
+    }
+    push_extension(0x000a, &groups_ext);
+
+    if matches!(profile, TlsFetchProfile::ModernChromeLike) {
+        // session_ticket
+        push_extension(0x0023, &[]);
     }
 
     // signature_algorithms
@@ -463,12 +508,12 @@ fn build_client_hello(
         let grease = grease_value(rng, deterministic, &format!("sigalg:{sni}"));
         sig_algs.insert(0, grease);
     }
-    exts.extend_from_slice(&0x000du16.to_be_bytes());
-    exts.extend_from_slice(&((2 + sig_algs.len() * 2) as u16).to_be_bytes());
-    exts.extend_from_slice(&(sig_algs.len() as u16 * 2).to_be_bytes());
+    let mut sig_algs_ext = Vec::with_capacity(2 + sig_algs.len() * 2);
+    sig_algs_ext.extend_from_slice(&(sig_algs.len() as u16 * 2).to_be_bytes());
     for a in sig_algs {
-        exts.extend_from_slice(&a.to_be_bytes());
+        sig_algs_ext.extend_from_slice(&a.to_be_bytes());
     }
+    push_extension(0x000d, &sig_algs_ext);
 
     // supported_versions
     let mut versions = profile_supported_versions(profile).to_vec();
@@ -476,30 +521,32 @@ fn build_client_hello(
         let grease = grease_value(rng, deterministic, &format!("version:{sni}"));
         versions.insert(0, grease);
     }
-    exts.extend_from_slice(&0x002bu16.to_be_bytes());
-    exts.extend_from_slice(&((1 + versions.len() * 2) as u16).to_be_bytes());
-    exts.push((versions.len() * 2) as u8);
+    let mut versions_ext = Vec::with_capacity(1 + versions.len() * 2);
+    versions_ext.push((versions.len() * 2) as u8);
     for v in versions {
-        exts.extend_from_slice(&v.to_be_bytes());
+        versions_ext.extend_from_slice(&v.to_be_bytes());
+    }
+    push_extension(0x002b, &versions_ext);
+
+    if matches!(profile, TlsFetchProfile::ModernChromeLike) {
+        // psk_key_exchange_modes: psk_dhe_ke
+        push_extension(0x002d, &[0x01, 0x01]);
     }
 
     // key_share (x25519)
-    let key = if deterministic {
-        let det = deterministic_bytes(&format!("keyshare:{sni}"), 32);
-        let mut key = [0u8; 32];
-        key.copy_from_slice(&det);
-        key
-    } else {
-        gen_key_share(rng)
-    };
+    let key = gen_key_share(
+        rng,
+        deterministic,
+        &format!("tls-fetch-keyshare:{sni}:{}", profile.as_str()),
+    );
     let mut keyshare = Vec::with_capacity(4 + key.len());
-    keyshare.extend_from_slice(&0x001du16.to_be_bytes()); // group
+    keyshare.extend_from_slice(&0x001du16.to_be_bytes());
     keyshare.extend_from_slice(&(key.len() as u16).to_be_bytes());
     keyshare.extend_from_slice(&key);
-    exts.extend_from_slice(&0x0033u16.to_be_bytes());
-    exts.extend_from_slice(&((2 + keyshare.len()) as u16).to_be_bytes());
-    exts.extend_from_slice(&(keyshare.len() as u16).to_be_bytes());
-    exts.extend_from_slice(&keyshare);
+    let mut keyshare_ext = Vec::with_capacity(2 + keyshare.len());
+    keyshare_ext.extend_from_slice(&(keyshare.len() as u16).to_be_bytes());
+    keyshare_ext.extend_from_slice(&keyshare);
+    push_extension(0x0033, &keyshare_ext);
 
     // ALPN
     let mut alpn_list = Vec::new();
@@ -508,16 +555,15 @@ fn build_client_hello(
         alpn_list.extend_from_slice(proto);
     }
     if !alpn_list.is_empty() {
-        exts.extend_from_slice(&0x0010u16.to_be_bytes());
-        exts.extend_from_slice(&((2 + alpn_list.len()) as u16).to_be_bytes());
-        exts.extend_from_slice(&(alpn_list.len() as u16).to_be_bytes());
-        exts.extend_from_slice(&alpn_list);
+        let mut alpn_ext = Vec::with_capacity(2 + alpn_list.len());
+        alpn_ext.extend_from_slice(&(alpn_list.len() as u16).to_be_bytes());
+        alpn_ext.extend_from_slice(&alpn_list);
+        push_extension(0x0010, &alpn_ext);
     }
 
     if grease_enabled {
         let grease = grease_value(rng, deterministic, &format!("ext:{sni}"));
-        exts.extend_from_slice(&grease.to_be_bytes());
-        exts.extend_from_slice(&0u16.to_be_bytes());
+        push_extension(grease, &[]);
     }
 
     // padding to reduce recognizability and keep length ~500 bytes
@@ -553,10 +599,14 @@ fn build_client_hello(
     record
 }
 
-fn gen_key_share(rng: &SecureRandom) -> [u8; 32] {
-    let mut key = [0u8; 32];
-    key.copy_from_slice(&rng.bytes(32));
-    key
+fn gen_key_share(rng: &SecureRandom, deterministic: bool, seed: &str) -> [u8; 32] {
+    let mut scalar = [0u8; 32];
+    if deterministic {
+        scalar.copy_from_slice(&deterministic_bytes(seed, 32));
+    } else {
+        scalar.copy_from_slice(&rng.bytes(32));
+    }
+    x25519(scalar, X25519_BASEPOINT_BYTES)
 }
 
 async fn read_tls_record<S>(stream: &mut S) -> Result<(u8, Vec<u8>)>
@@ -1018,6 +1068,7 @@ async fn fetch_via_rustls_stream<S>(
     host: &str,
     sni: &str,
     proxy_header: Option<Vec<u8>>,
+    alpn_protocols: &[&[u8]],
 ) -> Result<TlsFetchResult>
 where
     S: AsyncRead + AsyncWrite + Unpin,
@@ -1028,7 +1079,7 @@ where
         stream.flush().await?;
     }
 
-    let config = build_client_config();
+    let config = build_client_config(alpn_protocols);
     let connector = TlsConnector::from(config);
 
     let server_name = ServerName::try_from(sni.to_owned())
@@ -1113,6 +1164,7 @@ async fn fetch_via_rustls(
     proxy_protocol: u8,
     unix_sock: Option<&str>,
     strict_route: bool,
+    alpn_protocols: &[&[u8]],
 ) -> Result<TlsFetchResult> {
     #[cfg(unix)]
     if let Some(sock_path) = unix_sock {
@@ -1124,7 +1176,8 @@ async fn fetch_via_rustls(
                     "Rustls fetch using mask unix socket"
                 );
                 let proxy_header = build_tls_fetch_proxy_header(proxy_protocol, None, None);
-                return fetch_via_rustls_stream(stream, host, sni, proxy_header).await;
+                return fetch_via_rustls_stream(stream, host, sni, proxy_header, alpn_protocols)
+                    .await;
             }
             Ok(Err(e)) => {
                 warn!(
@@ -1152,7 +1205,7 @@ async fn fetch_via_rustls(
             .await?;
     let (src_addr, dst_addr) = socket_addrs_from_upstream_stream(&stream);
     let proxy_header = build_tls_fetch_proxy_header(proxy_protocol, src_addr, dst_addr);
-    fetch_via_rustls_stream(stream, host, sni, proxy_header).await
+    fetch_via_rustls_stream(stream, host, sni, proxy_header, alpn_protocols).await
 }
 
 /// Fetch real TLS metadata with an adaptive multi-profile strategy.
@@ -1191,6 +1244,14 @@ pub async fn fetch_real_tls_with_strategy(
             break;
         }
         let timeout_for_attempt = attempt_timeout.min(total_budget - elapsed);
+        debug!(
+            sni = %sni,
+            profile = profile.as_str(),
+            alpn = ?profile_alpn_labels(profile),
+            grease_enabled = strategy.grease_enabled,
+            deterministic = strategy.deterministic,
+            "TLS fetch ClientHello params (raw)"
+        );
 
         match fetch_via_raw_tls(
             host,
@@ -1256,6 +1317,16 @@ pub async fn fetch_real_tls_with_strategy(
     }
 
     let rustls_timeout = attempt_timeout.min(total_budget - elapsed);
+    let rustls_profile = selected_profile.unwrap_or(TlsFetchProfile::ModernChromeLike);
+    let rustls_alpn_protocols = profile_alpn(rustls_profile);
+    debug!(
+        sni = %sni,
+        profile = rustls_profile.as_str(),
+        alpn = ?profile_alpn_labels(rustls_profile),
+        grease_enabled = strategy.grease_enabled,
+        deterministic = strategy.deterministic,
+        "TLS fetch ClientHello params (rustls)"
+    );
     let rustls_result = fetch_via_rustls(
         host,
         port,
@@ -1266,6 +1337,7 @@ pub async fn fetch_real_tls_with_strategy(
         proxy_protocol,
         unix_sock,
         strategy.strict_route,
+        rustls_alpn_protocols,
     )
     .await;
 
@@ -1327,8 +1399,8 @@ mod tests {
 
     use super::{
         ProfileCacheValue, TlsFetchStrategy, build_client_hello, build_tls_fetch_proxy_header,
-        derive_behavior_profile, encode_tls13_certificate_message, order_profiles, profile_cache,
-        profile_cache_key,
+        derive_behavior_profile, encode_tls13_certificate_message, fetch_via_rustls_stream,
+        order_profiles, profile_alpn, profile_cache, profile_cache_key,
     };
     use crate::config::TlsFetchProfile;
     use crate::crypto::SecureRandom;
@@ -1336,11 +1408,115 @@ mod tests {
         TLS_RECORD_APPLICATION, TLS_RECORD_CHANGE_CIPHER, TLS_RECORD_HANDSHAKE,
     };
     use crate::tls_front::types::TlsProfileSource;
+    use tokio::io::AsyncReadExt;
+
+    struct ParsedClientHelloForTest {
+        session_id: Vec<u8>,
+        extensions: Vec<(u16, Vec<u8>)>,
+    }
 
     fn read_u24(bytes: &[u8]) -> usize {
         ((bytes[0] as usize) << 16) | ((bytes[1] as usize) << 8) | (bytes[2] as usize)
     }
 
+    fn parse_client_hello_for_test(record: &[u8]) -> ParsedClientHelloForTest {
+        assert!(record.len() >= 9, "record too short");
+        assert_eq!(record[0], TLS_RECORD_HANDSHAKE, "not a handshake record");
+        let record_len = u16::from_be_bytes([record[3], record[4]]) as usize;
+        assert_eq!(record.len(), 5 + record_len, "record length mismatch");
+
+        let handshake = &record[5..];
+        assert_eq!(handshake[0], 0x01, "not a ClientHello handshake");
+        let hello_len = read_u24(&handshake[1..4]);
+        assert_eq!(handshake.len(), 4 + hello_len, "handshake length mismatch");
+        let hello = &handshake[4..];
+
+        let mut pos = 0usize;
+        pos += 2;
+        pos += 32;
+
+        let session_len = hello[pos] as usize;
+        pos += 1;
+        let session_id = hello[pos..pos + session_len].to_vec();
+        pos += session_len;
+
+        let cipher_len = u16::from_be_bytes([hello[pos], hello[pos + 1]]) as usize;
+        pos += 2 + cipher_len;
+
+        let compression_len = hello[pos] as usize;
+        pos += 1 + compression_len;
+
+        let ext_len = u16::from_be_bytes([hello[pos], hello[pos + 1]]) as usize;
+        pos += 2;
+        let ext_end = pos + ext_len;
+        assert_eq!(ext_end, hello.len(), "extensions length mismatch");
+
+        let mut extensions = Vec::new();
+        while pos + 4 <= ext_end {
+            let ext_type = u16::from_be_bytes([hello[pos], hello[pos + 1]]);
+            let data_len = u16::from_be_bytes([hello[pos + 2], hello[pos + 3]]) as usize;
+            pos += 4;
+            let data = hello[pos..pos + data_len].to_vec();
+            pos += data_len;
+            extensions.push((ext_type, data));
+        }
+        assert_eq!(pos, ext_end, "extension parse did not consume all bytes");
+
+        ParsedClientHelloForTest {
+            session_id,
+            extensions,
+        }
+    }
+
+    fn parse_alpn_protocols(data: &[u8]) -> Vec<Vec<u8>> {
+        assert!(data.len() >= 2, "ALPN extension is too short");
+        let protocols_len = u16::from_be_bytes([data[0], data[1]]) as usize;
+        assert_eq!(protocols_len + 2, data.len(), "ALPN list length mismatch");
+        let mut pos = 2usize;
+        let mut out = Vec::new();
+        while pos < data.len() {
+            let len = data[pos] as usize;
+            pos += 1;
+            out.push(data[pos..pos + len].to_vec());
+            pos += len;
+        }
+        out
+    }
+
+    async fn capture_rustls_client_hello_record(
+        alpn_protocols: &'static [&'static [u8]],
+    ) -> Vec<u8> {
+        let (client, mut server) = tokio::io::duplex(32 * 1024);
+        let fetch_task = tokio::spawn(async move {
+            fetch_via_rustls_stream(client, "example.com", "example.com", None, alpn_protocols)
+                .await
+        });
+
+        let mut header = [0u8; 5];
+        server
+            .read_exact(&mut header)
+            .await
+            .expect("must read client hello record header");
+        let body_len = u16::from_be_bytes([header[3], header[4]]) as usize;
+        let mut body = vec![0u8; body_len];
+        server
+            .read_exact(&mut body)
+            .await
+            .expect("must read client hello record body");
+        drop(server);
+
+        let result = fetch_task.await.expect("fetch task must join");
+        assert!(
+            result.is_err(),
+            "capture task should end with handshake error"
+        );
+
+        let mut record = Vec::with_capacity(5 + body_len);
+        record.extend_from_slice(&header);
+        record.extend_from_slice(&body);
+        record
+    }
+
     #[test]
     fn test_encode_tls13_certificate_message_single_cert() {
         let cert = vec![0x30, 0x03, 0x02, 0x01, 0x01];
@@ -1470,6 +1646,186 @@ mod tests {
         assert_eq!(first, second);
     }
 
+    #[test]
+    fn test_raw_client_hello_alpn_matches_profile() {
+        let rng = SecureRandom::new();
+        for profile in [
+            TlsFetchProfile::ModernChromeLike,
+            TlsFetchProfile::ModernFirefoxLike,
+            TlsFetchProfile::CompatTls12,
+            TlsFetchProfile::LegacyMinimal,
+        ] {
+            let hello = build_client_hello("alpn.example", &rng, profile, false, true);
+            let parsed = parse_client_hello_for_test(&hello);
+            let alpn_ext = parsed
+                .extensions
+                .iter()
+                .find(|(ext_type, _)| *ext_type == 0x0010)
+                .expect("ALPN extension must exist");
+            let parsed_alpn = parse_alpn_protocols(&alpn_ext.1);
+            let expected_alpn = profile_alpn(profile)
+                .iter()
+                .map(|proto| proto.to_vec())
+                .collect::<Vec<_>>();
+            assert_eq!(
+                parsed_alpn,
+                expected_alpn,
+                "ALPN mismatch for {}",
+                profile.as_str()
+            );
+        }
+    }
+
+    #[test]
+    fn test_modern_chrome_like_browser_extension_layout() {
+        let rng = SecureRandom::new();
+        let hello = build_client_hello(
+            "chrome.example",
+            &rng,
+            TlsFetchProfile::ModernChromeLike,
+            false,
+            true,
+        );
+        let parsed = parse_client_hello_for_test(&hello);
+        assert_eq!(
+            parsed.session_id.len(),
+            32,
+            "modern chrome must use non-empty session id"
+        );
+
+        let extension_ids = parsed
+            .extensions
+            .iter()
+            .map(|(ext_type, _)| *ext_type)
+            .collect::<Vec<_>>();
+        let expected_prefix = [
+            0x0000, 0x000b, 0x000a, 0x0023, 0x000d, 0x002b, 0x002d, 0x0033, 0x0010,
+        ];
+        assert!(
+            extension_ids.as_slice().starts_with(&expected_prefix),
+            "unexpected extension order: {extension_ids:?}"
+        );
+        assert!(
+            extension_ids.contains(&0x0015),
+            "modern chrome profile should include padding extension"
+        );
+
+        let key_share = parsed
+            .extensions
+            .iter()
+            .find(|(ext_type, _)| *ext_type == 0x0033)
+            .expect("key_share extension must exist");
+        let key_share_data = &key_share.1;
+        assert!(
+            key_share_data.len() >= 2 + 4 + 32,
+            "key_share payload is too short"
+        );
+        let entry_len = u16::from_be_bytes([key_share_data[0], key_share_data[1]]) as usize;
+        assert_eq!(
+            entry_len,
+            key_share_data.len() - 2,
+            "key_share list length mismatch"
+        );
+        let group = u16::from_be_bytes([key_share_data[2], key_share_data[3]]);
+        let key_len = u16::from_be_bytes([key_share_data[4], key_share_data[5]]) as usize;
+        let key = &key_share_data[6..6 + key_len];
+        assert_eq!(group, 0x001d, "key_share group must be x25519");
+        assert_eq!(key_len, 32, "x25519 key length must be 32");
+        assert!(
+            key.iter().any(|b| *b != 0),
+            "x25519 key must not be all zero"
+        );
+    }
+
+    #[test]
+    fn test_fallback_profiles_keep_compat_extension_set() {
+        let rng = SecureRandom::new();
+        for profile in [
+            TlsFetchProfile::ModernFirefoxLike,
+            TlsFetchProfile::CompatTls12,
+            TlsFetchProfile::LegacyMinimal,
+        ] {
+            let hello = build_client_hello("fallback.example", &rng, profile, false, true);
+            let parsed = parse_client_hello_for_test(&hello);
+            let extension_ids = parsed
+                .extensions
+                .iter()
+                .map(|(ext_type, _)| *ext_type)
+                .collect::<Vec<_>>();
+
+            assert!(extension_ids.contains(&0x0000), "SNI extension must exist");
+            assert!(
+                extension_ids.contains(&0x000a),
+                "supported_groups extension must exist"
+            );
+            assert!(
+                extension_ids.contains(&0x000d),
+                "signature_algorithms extension must exist"
+            );
+            assert!(
+                extension_ids.contains(&0x002b),
+                "supported_versions extension must exist"
+            );
+            assert!(
+                extension_ids.contains(&0x0033),
+                "key_share extension must exist"
+            );
+            assert!(extension_ids.contains(&0x0010), "ALPN extension must exist");
+            assert!(
+                !extension_ids.contains(&0x000b),
+                "ec_point_formats must stay chrome-only"
+            );
+            assert!(
+                !extension_ids.contains(&0x0023),
+                "session_ticket must stay chrome-only"
+            );
+            assert!(
+                !extension_ids.contains(&0x002d),
+                "psk_key_exchange_modes must stay chrome-only"
+            );
+
+            let expected_session_len = if matches!(profile, TlsFetchProfile::ModernFirefoxLike) {
+                32
+            } else {
+                0
+            };
+            assert_eq!(
+                parsed.session_id.len(),
+                expected_session_len,
+                "unexpected session id length for {}",
+                profile.as_str()
+            );
+        }
+    }
+
+    #[tokio::test(flavor = "current_thread")]
+    async fn test_rustls_client_hello_alpn_matches_selected_profile() {
+        for profile in [
+            TlsFetchProfile::ModernChromeLike,
+            TlsFetchProfile::CompatTls12,
+            TlsFetchProfile::LegacyMinimal,
+        ] {
+            let record = capture_rustls_client_hello_record(profile_alpn(profile)).await;
+            let parsed = parse_client_hello_for_test(&record);
+            let alpn_ext = parsed
+                .extensions
+                .iter()
+                .find(|(ext_type, _)| *ext_type == 0x0010)
+                .expect("ALPN extension must exist");
+            let parsed_alpn = parse_alpn_protocols(&alpn_ext.1);
+            let expected_alpn = profile_alpn(profile)
+                .iter()
+                .map(|proto| proto.to_vec())
+                .collect::<Vec<_>>();
+            assert_eq!(
+                parsed_alpn,
+                expected_alpn,
+                "rustls ALPN mismatch for {}",
+                profile.as_str()
+            );
+        }
+    }
+
     #[test]
     fn test_build_tls_fetch_proxy_header_v2_with_tcp_addrs() {
         let src: SocketAddr = "198.51.100.10:42000".parse().expect("valid src");

src/tls_front/tests/emulator_profile_fidelity_security_tests.rs

@@ -4,6 +4,7 @@ use crate::crypto::SecureRandom;
 use crate::protocol::constants::{
     TLS_RECORD_APPLICATION, TLS_RECORD_CHANGE_CIPHER, TLS_RECORD_HANDSHAKE,
 };
+use crate::protocol::tls::ClientHelloTlsVersion;
 use crate::tls_front::emulator::build_emulated_server_hello;
 use crate::tls_front::types::{
     CachedTlsData, ParsedServerHello, TlsBehaviorProfile, TlsProfileSource,
@@ -52,7 +53,7 @@ fn record_lengths_by_type(response: &[u8], wanted_type: u8) -> Vec<usize> {
 }
 
 #[test]
-fn emulated_server_hello_replays_profile_change_cipher_spec_count() {
+fn emulated_server_hello_keeps_single_change_cipher_spec_for_client_compatibility() {
     let cached = make_cached();
     let rng = SecureRandom::new();
 
@@ -62,6 +63,8 @@ fn emulated_server_hello_replays_profile_change_cipher_spec_count() {
         &[0x72; 16],
         &cached,
         false,
+        true,
+        ClientHelloTlsVersion::Tls13,
         &rng,
         None,
         0,
@@ -69,12 +72,12 @@ fn emulated_server_hello_replays_profile_change_cipher_spec_count() {
 
     assert_eq!(response[0], TLS_RECORD_HANDSHAKE);
     let ccs_records = record_lengths_by_type(&response, TLS_RECORD_CHANGE_CIPHER);
-    assert_eq!(ccs_records.len(), 2);
+    assert_eq!(ccs_records.len(), 1);
     assert!(ccs_records.iter().all(|len| *len == 1));
 }
 
 #[test]
-fn emulated_server_hello_replays_profile_ticket_tail_lengths() {
+fn emulated_server_hello_does_not_emit_profile_ticket_tail_when_disabled() {
     let cached = make_cached();
     let rng = SecureRandom::new();
 
@@ -84,12 +87,35 @@ fn emulated_server_hello_replays_profile_ticket_tail_lengths() {
         &[0x82; 16],
         &cached,
         false,
+        true,
+        ClientHelloTlsVersion::Tls13,
         &rng,
         None,
         0,
     );
 
     let app_records = record_lengths_by_type(&response, TLS_RECORD_APPLICATION);
-    assert!(app_records.len() >= 4);
-    assert_eq!(&app_records[app_records.len() - 2..], &[220, 180]);
+    assert_eq!(app_records, vec![1200]);
+}
+
+#[test]
+fn emulated_server_hello_uses_profile_ticket_lengths_when_enabled() {
+    let cached = make_cached();
+    let rng = SecureRandom::new();
+
+    let response = build_emulated_server_hello(
+        b"secret",
+        &[0x91; 32],
+        &[0x92; 16],
+        &cached,
+        false,
+        true,
+        ClientHelloTlsVersion::Tls13,
+        &rng,
+        None,
+        2,
+    );
+
+    let app_records = record_lengths_by_type(&response, TLS_RECORD_APPLICATION);
+    assert_eq!(app_records, vec![1200, 220, 180]);
 }

src/tls_front/tests/emulator_security_tests.rs

@@ -4,6 +4,7 @@ use crate::crypto::SecureRandom;
 use crate::protocol::constants::{
     TLS_RECORD_APPLICATION, TLS_RECORD_CHANGE_CIPHER, TLS_RECORD_HANDSHAKE,
 };
+use crate::protocol::tls::ClientHelloTlsVersion;
 use crate::tls_front::emulator::build_emulated_server_hello;
 use crate::tls_front::types::{
     CachedTlsData, ParsedServerHello, TlsBehaviorProfile, TlsCertPayload, TlsProfileSource,
@@ -55,6 +56,8 @@ fn emulated_server_hello_ignores_oversized_alpn_when_marker_would_not_fit() {
         &[0x22; 16],
         &cached,
         true,
+        true,
+        ClientHelloTlsVersion::Tls13,
         &rng,
         Some(oversized_alpn),
         0,
@@ -91,6 +94,8 @@ fn emulated_server_hello_embeds_full_alpn_marker_when_body_can_fit() {
         &[0x41; 16],
         &cached,
         true,
+        true,
+        ClientHelloTlsVersion::Tls13,
         &rng,
         Some(b"h2".to_vec()),
         0,
@@ -119,6 +124,8 @@ fn emulated_server_hello_prefers_cert_payload_over_alpn_marker() {
         &[0x42; 16],
         &cached,
         true,
+        true,
+        ClientHelloTlsVersion::Tls12,
         &rng,
         Some(b"h2".to_vec()),
         0,

src/transport/middle_proxy/config_updater.rs

@@ -321,7 +321,14 @@ async fn run_update_cycle(
     let mut maps_changed = false;
 
     let mut ready_v4: Option<(ProxyConfigData, u64)> = None;
-    let cfg_v4 = retry_fetch("https://core.telegram.org/getProxyConfig", upstream.clone()).await;
+    let cfg_v4 = retry_fetch(
+        cfg.general
+            .proxy_config_v4_url
+            .as_deref()
+            .unwrap_or("https://core.telegram.org/getProxyConfig"),
+        upstream.clone(),
+    )
+    .await;
     if let Some(cfg_v4) = cfg_v4
         && snapshot_passes_guards(cfg, &cfg_v4, "getProxyConfig")
     {
@@ -346,7 +353,10 @@ async fn run_update_cycle(
 
     let mut ready_v6: Option<(ProxyConfigData, u64)> = None;
     let cfg_v6 = retry_fetch(
-        "https://core.telegram.org/getProxyConfigV6",
+        cfg.general
+            .proxy_config_v6_url
+            .as_deref()
+            .unwrap_or("https://core.telegram.org/getProxyConfigV6"),
         upstream.clone(),
     )
     .await;
@@ -430,6 +440,7 @@ async fn run_update_cycle(
         match download_proxy_secret_with_max_len_via_upstream(
             cfg.general.proxy_secret_len_max,
             upstream,
+            cfg.general.proxy_secret_url.as_deref(),
         )
         .await
         {

src/transport/middle_proxy/fairness/mod.rs

@@ -7,7 +7,6 @@ mod model;
 mod pressure;
 mod scheduler;
 
-#[cfg(test)]
 pub(crate) use model::PressureState;
 pub(crate) use model::{AdmissionDecision, DispatchAction, DispatchFeedback, SchedulerDecision};
 pub(crate) use scheduler::{WorkerFairnessConfig, WorkerFairnessSnapshot, WorkerFairnessState};

src/transport/middle_proxy/fairness/model.rs

@@ -77,11 +77,12 @@ pub(crate) struct FlowFairnessState {
     pub(crate) standing_state: StandingQueueState,
     pub(crate) scheduler_state: FlowSchedulerState,
     pub(crate) bucket_id: usize,
+    pub(crate) weight_quanta: u8,
     pub(crate) in_active_ring: bool,
 }
 
 impl FlowFairnessState {
-    pub(crate) fn new(flow_id: u64, worker_id: u16, bucket_id: usize) -> Self {
+    pub(crate) fn new(flow_id: u64, worker_id: u16, bucket_id: usize, weight_quanta: u8) -> Self {
         Self {
             _flow_id: flow_id,
             _worker_id: worker_id,
@@ -97,6 +98,7 @@ impl FlowFairnessState {
             standing_state: StandingQueueState::Transient,
             scheduler_state: FlowSchedulerState::Idle,
             bucket_id,
+            weight_quanta: weight_quanta.max(1),
             in_active_ring: false,
         }
     }

src/transport/middle_proxy/fairness/pressure.rs

@@ -12,6 +12,7 @@ pub(crate) struct PressureSignals {
 
 #[derive(Debug, Clone)]
 pub(crate) struct PressureConfig {
+    pub(crate) backpressure_enabled: bool,
     pub(crate) evaluate_every_rounds: u32,
     pub(crate) transition_hysteresis_rounds: u8,
     pub(crate) standing_ratio_pressured_pct: u8,
@@ -32,6 +33,7 @@ pub(crate) struct PressureConfig {
 impl Default for PressureConfig {
     fn default() -> Self {
         Self {
+            backpressure_enabled: true,
             evaluate_every_rounds: 8,
             transition_hysteresis_rounds: 3,
             standing_ratio_pressured_pct: 20,
@@ -99,6 +101,13 @@ impl PressureEvaluator {
         force: bool,
     ) -> PressureState {
         self.rotate_window_if_needed(now, cfg);
+        if !cfg.backpressure_enabled {
+            self.state = PressureState::Normal;
+            self.candidate_state = PressureState::Normal;
+            self.candidate_hits = 0;
+            self.rounds_since_eval = 0;
+            return self.state;
+        }
         self.rounds_since_eval = self.rounds_since_eval.saturating_add(1);
         if !force && self.rounds_since_eval < cfg.evaluate_every_rounds.max(1) {
             return self.state;
@@ -133,6 +142,10 @@ impl PressureEvaluator {
         max_total_queued_bytes: u64,
         signals: PressureSignals,
     ) -> PressureState {
+        if !cfg.backpressure_enabled {
+            return PressureState::Normal;
+        }
+
         let queue_ratio_pct = if max_total_queued_bytes == 0 {
             100
         } else {

src/transport/middle_proxy/fairness/scheduler.rs

@@ -1,6 +1,7 @@
-use std::collections::{HashMap, VecDeque};
+use std::collections::{HashMap, HashSet, VecDeque};
 use std::time::{Duration, Instant};
 
+use crate::protocol::constants::RPC_FLAG_QUICKACK;
 use bytes::Bytes;
 
 use super::model::{
@@ -13,6 +14,7 @@ use super::pressure::{PressureConfig, PressureEvaluator, PressureSignals};
 #[derive(Debug, Clone)]
 pub(crate) struct WorkerFairnessConfig {
     pub(crate) worker_id: u16,
+    pub(crate) backpressure_enabled: bool,
     pub(crate) max_active_flows: usize,
     pub(crate) max_total_queued_bytes: u64,
     pub(crate) max_flow_queued_bytes: u64,
@@ -26,6 +28,8 @@ pub(crate) struct WorkerFairnessConfig {
     pub(crate) max_consecutive_stalls_before_close: u8,
     pub(crate) soft_bucket_count: usize,
     pub(crate) soft_bucket_share_pct: u8,
+    pub(crate) default_flow_weight: u8,
+    pub(crate) quickack_flow_weight: u8,
     pub(crate) pressure: PressureConfig,
 }
 
@@ -33,6 +37,7 @@ impl Default for WorkerFairnessConfig {
     fn default() -> Self {
         Self {
             worker_id: 0,
+            backpressure_enabled: true,
             max_active_flows: 4096,
             max_total_queued_bytes: 16 * 1024 * 1024,
             max_flow_queued_bytes: 512 * 1024,
@@ -46,6 +51,8 @@ impl Default for WorkerFairnessConfig {
             max_consecutive_stalls_before_close: 16,
             soft_bucket_count: 64,
             soft_bucket_share_pct: 25,
+            default_flow_weight: 1,
+            quickack_flow_weight: 4,
             pressure: PressureConfig::default(),
         }
     }
@@ -57,9 +64,9 @@ struct FlowEntry {
 }
 
 impl FlowEntry {
-    fn new(flow_id: u64, worker_id: u16, bucket_id: usize) -> Self {
+    fn new(flow_id: u64, worker_id: u16, bucket_id: usize, weight_quanta: u8) -> Self {
         Self {
-            fairness: FlowFairnessState::new(flow_id, worker_id, bucket_id),
+            fairness: FlowFairnessState::new(flow_id, worker_id, bucket_id, weight_quanta),
             queue: VecDeque::new(),
         }
     }
@@ -86,6 +93,7 @@ pub(crate) struct WorkerFairnessState {
     pressure: PressureEvaluator,
     flows: HashMap<u64, FlowEntry>,
     active_ring: VecDeque<u64>,
+    active_ring_members: HashSet<u64>,
     total_queued_bytes: u64,
     bucket_queued_bytes: Vec<u64>,
     bucket_active_flows: Vec<usize>,
@@ -101,13 +109,15 @@ pub(crate) struct WorkerFairnessState {
 }
 
 impl WorkerFairnessState {
-    pub(crate) fn new(config: WorkerFairnessConfig, now: Instant) -> Self {
+    pub(crate) fn new(mut config: WorkerFairnessConfig, now: Instant) -> Self {
+        config.pressure.backpressure_enabled = config.backpressure_enabled;
         let bucket_count = config.soft_bucket_count.max(1);
         Self {
             config,
             pressure: PressureEvaluator::new(now),
             flows: HashMap::new(),
             active_ring: VecDeque::new(),
+            active_ring_members: HashSet::new(),
             total_queued_bytes: 0,
             bucket_queued_bytes: vec![0; bucket_count],
             bucket_active_flows: vec![0; bucket_count],
@@ -127,6 +137,15 @@ impl WorkerFairnessState {
         self.pressure.state()
     }
 
+    pub(crate) fn set_backpressure_enabled(&mut self, enabled: bool) {
+        if self.config.backpressure_enabled == enabled {
+            return;
+        }
+        self.config.backpressure_enabled = enabled;
+        self.config.pressure.backpressure_enabled = enabled;
+        self.evaluate_pressure(Instant::now(), true);
+    }
+
     pub(crate) fn snapshot(&self) -> WorkerFairnessSnapshot {
         WorkerFairnessSnapshot {
             pressure_state: self.pressure.state(),
@@ -159,7 +178,7 @@ impl WorkerFairnessState {
         };
         let frame_bytes = frame.queued_bytes();
 
-        if self.pressure.state() == PressureState::Saturated {
+        if self.config.backpressure_enabled && self.pressure.state() == PressureState::Saturated {
             self.pressure
                 .note_admission_reject(now, &self.config.pressure);
             self.enqueue_rejects = self.enqueue_rejects.saturating_add(1);
@@ -184,6 +203,7 @@ impl WorkerFairnessState {
         }
 
         let bucket_id = self.bucket_for(conn_id);
+        let frame_weight = Self::weight_for_flags(&self.config, flags);
         let bucket_cap = self
             .config
             .max_total_queued_bytes
@@ -205,12 +225,13 @@ impl WorkerFairnessState {
                 self.bucket_active_flows[bucket_id].saturating_add(1);
             self.flows.insert(
                 conn_id,
-                FlowEntry::new(conn_id, self.config.worker_id, bucket_id),
+                FlowEntry::new(conn_id, self.config.worker_id, bucket_id, frame_weight),
             );
             self.flows
                 .get_mut(&conn_id)
                 .expect("flow inserted must be retrievable")
         };
+        entry.fairness.weight_quanta = entry.fairness.weight_quanta.max(frame_weight);
 
         if entry.fairness.pending_bytes.saturating_add(frame_bytes)
             > self.config.max_flow_queued_bytes
@@ -222,7 +243,8 @@ impl WorkerFairnessState {
             return AdmissionDecision::RejectFlowCap;
         }
 
-        if self.pressure.state() >= PressureState::Shedding
+        if self.config.backpressure_enabled
+            && self.pressure.state() >= PressureState::Shedding
             && entry.fairness.standing_state == StandingQueueState::Standing
         {
             self.pressure
@@ -242,11 +264,24 @@ impl WorkerFairnessState {
         self.bucket_queued_bytes[bucket_id] =
             self.bucket_queued_bytes[bucket_id].saturating_add(frame_bytes);
 
+        let mut enqueue_active = false;
         if !entry.fairness.in_active_ring {
             entry.fairness.in_active_ring = true;
-            self.active_ring.push_back(conn_id);
+            enqueue_active = true;
         }
 
+        let pressure_state = self.pressure.state();
+        let (before_membership, after_membership) = {
+            let before = Self::flow_membership(&entry.fairness);
+            Self::classify_flow(&self.config, pressure_state, now, &mut entry.fairness);
+            let after = Self::flow_membership(&entry.fairness);
+            (before, after)
+        };
+        if enqueue_active {
+            self.enqueue_active_conn(conn_id);
+        }
+        self.apply_flow_membership_delta(before_membership, after_membership);
+
         self.evaluate_pressure(now, true);
         AdmissionDecision::Admit
     }
@@ -260,62 +295,89 @@ impl WorkerFairnessState {
             let Some(conn_id) = self.active_ring.pop_front() else {
                 break;
             };
+            if !self.active_ring_members.remove(&conn_id) {
+                continue;
+            }
 
             let mut candidate = None;
             let mut requeue_active = false;
             let mut drained_bytes = 0u64;
             let mut bucket_id = 0usize;
+            let mut should_continue = false;
+            let mut enqueue_active = false;
+            let mut membership_delta = None;
             let pressure_state = self.pressure.state();
 
             if let Some(flow) = self.flows.get_mut(&conn_id) {
                 bucket_id = flow.fairness.bucket_id;
+                flow.fairness.in_active_ring = false;
+                let before_membership = Self::flow_membership(&flow.fairness);
 
                 if flow.queue.is_empty() {
                     flow.fairness.in_active_ring = false;
                     flow.fairness.scheduler_state = FlowSchedulerState::Idle;
                     flow.fairness.pending_bytes = 0;
+                    flow.fairness.deficit_bytes = 0;
                     flow.fairness.queue_started_at = None;
-                    continue;
-                }
+                    should_continue = true;
+                } else {
+                    Self::classify_flow(&self.config, pressure_state, now, &mut flow.fairness);
 
-                Self::classify_flow(&self.config, pressure_state, now, &mut flow.fairness);
-
-                let quantum =
-                    Self::effective_quantum_bytes(&self.config, pressure_state, &flow.fairness);
-                flow.fairness.deficit_bytes = flow
-                    .fairness
-                    .deficit_bytes
-                    .saturating_add(i64::from(quantum));
-                self.deficit_grants = self.deficit_grants.saturating_add(1);
-
-                let front_len = flow.queue.front().map_or(0, |front| front.queued_bytes());
-                if flow.fairness.deficit_bytes < front_len as i64 {
-                    flow.fairness.consecutive_skips =
-                        flow.fairness.consecutive_skips.saturating_add(1);
-                    self.deficit_skips = self.deficit_skips.saturating_add(1);
-                    requeue_active = true;
-                } else if let Some(frame) = flow.queue.pop_front() {
-                    drained_bytes = frame.queued_bytes();
-                    flow.fairness.pending_bytes =
-                        flow.fairness.pending_bytes.saturating_sub(drained_bytes);
+                    let quantum =
+                        Self::effective_quantum_bytes(&self.config, pressure_state, &flow.fairness);
                     flow.fairness.deficit_bytes = flow
                         .fairness
                         .deficit_bytes
-                        .saturating_sub(drained_bytes as i64);
-                    flow.fairness.consecutive_skips = 0;
-                    flow.fairness.queue_started_at =
-                        flow.queue.front().map(|front| front.enqueued_at);
-                    requeue_active = !flow.queue.is_empty();
-                    if !requeue_active {
-                        flow.fairness.scheduler_state = FlowSchedulerState::Idle;
-                        flow.fairness.in_active_ring = false;
+                        .saturating_add(i64::from(quantum));
+                    Self::clamp_deficit_bytes(&self.config, &mut flow.fairness);
+                    self.deficit_grants = self.deficit_grants.saturating_add(1);
+
+                    let front_len = flow.queue.front().map_or(0, |front| front.queued_bytes());
+                    if flow.fairness.deficit_bytes < front_len as i64 {
+                        flow.fairness.consecutive_skips =
+                            flow.fairness.consecutive_skips.saturating_add(1);
+                        self.deficit_skips = self.deficit_skips.saturating_add(1);
+                        requeue_active = true;
+                        flow.fairness.in_active_ring = true;
+                        enqueue_active = true;
+                    } else if let Some(frame) = flow.queue.pop_front() {
+                        drained_bytes = frame.queued_bytes();
+                        flow.fairness.pending_bytes =
+                            flow.fairness.pending_bytes.saturating_sub(drained_bytes);
+                        flow.fairness.deficit_bytes = flow
+                            .fairness
+                            .deficit_bytes
+                            .saturating_sub(drained_bytes as i64);
+                        Self::clamp_deficit_bytes(&self.config, &mut flow.fairness);
+                        flow.fairness.consecutive_skips = 0;
+                        flow.fairness.queue_started_at =
+                            flow.queue.front().map(|front| front.enqueued_at);
+                        requeue_active = !flow.queue.is_empty();
+                        if !requeue_active {
+                            flow.fairness.scheduler_state = FlowSchedulerState::Idle;
+                            flow.fairness.in_active_ring = false;
+                            flow.fairness.deficit_bytes = 0;
+                        } else {
+                            flow.fairness.in_active_ring = true;
+                            enqueue_active = true;
+                        }
+                        candidate = Some(DispatchCandidate {
+                            pressure_state,
+                            flow_class: flow.fairness.pressure_class,
+                            frame,
+                        });
                     }
-                    candidate = Some(DispatchCandidate {
-                        pressure_state,
-                        flow_class: flow.fairness.pressure_class,
-                        frame,
-                    });
                 }
+
+                membership_delta = Some((before_membership, Self::flow_membership(&flow.fairness)));
+            }
+
+            if let Some((before_membership, after_membership)) = membership_delta {
+                self.apply_flow_membership_delta(before_membership, after_membership);
+            }
+
+            if should_continue {
+                continue;
             }
 
             if drained_bytes > 0 {
@@ -324,11 +386,8 @@ impl WorkerFairnessState {
                     self.bucket_queued_bytes[bucket_id].saturating_sub(drained_bytes);
             }
 
-            if requeue_active {
-                if let Some(flow) = self.flows.get_mut(&conn_id) {
-                    flow.fairness.in_active_ring = true;
-                }
-                self.active_ring.push_back(conn_id);
+            if requeue_active && enqueue_active {
+                self.enqueue_active_conn(conn_id);
             }
 
             if let Some(candidate) = candidate {
@@ -348,7 +407,9 @@ impl WorkerFairnessState {
     ) -> DispatchAction {
         match feedback {
             DispatchFeedback::Routed => {
+                let mut membership_delta = None;
                 if let Some(flow) = self.flows.get_mut(&conn_id) {
+                    let before_membership = Self::flow_membership(&flow.fairness);
                     flow.fairness.last_drain_at = Some(now);
                     flow.fairness.recent_drain_bytes = flow
                         .fairness
@@ -358,54 +419,89 @@ impl WorkerFairnessState {
                     if flow.fairness.scheduler_state != FlowSchedulerState::Idle {
                         flow.fairness.scheduler_state = FlowSchedulerState::Active;
                     }
+                    Self::classify_flow(
+                        &self.config,
+                        self.pressure.state(),
+                        now,
+                        &mut flow.fairness,
+                    );
+                    membership_delta =
+                        Some((before_membership, Self::flow_membership(&flow.fairness)));
+                }
+                if let Some((before_membership, after_membership)) = membership_delta {
+                    self.apply_flow_membership_delta(before_membership, after_membership);
                 }
                 self.evaluate_pressure(now, false);
                 DispatchAction::Continue
             }
             DispatchFeedback::QueueFull => {
-                self.pressure.note_route_stall(now, &self.config.pressure);
-                self.downstream_stalls = self.downstream_stalls.saturating_add(1);
+                if self.config.backpressure_enabled {
+                    self.pressure.note_route_stall(now, &self.config.pressure);
+                    self.downstream_stalls = self.downstream_stalls.saturating_add(1);
+                }
+                let state = self.pressure.state();
                 let Some(flow) = self.flows.get_mut(&conn_id) else {
                     self.evaluate_pressure(now, true);
                     return DispatchAction::Continue;
                 };
+                let (before_membership, after_membership, should_close_flow, enqueue_active) = {
+                    let before_membership = Self::flow_membership(&flow.fairness);
+                    let mut enqueue_active = false;
 
-                flow.fairness.consecutive_stalls =
-                    flow.fairness.consecutive_stalls.saturating_add(1);
-                flow.fairness.scheduler_state = FlowSchedulerState::Backpressured;
-                flow.fairness.pressure_class = FlowPressureClass::Backpressured;
-
-                let state = self.pressure.state();
-                let should_shed_frame = matches!(state, PressureState::Saturated)
-                    || (matches!(state, PressureState::Shedding)
-                        && flow.fairness.standing_state == StandingQueueState::Standing
-                        && flow.fairness.consecutive_stalls
-                            >= self.config.max_consecutive_stalls_before_shed);
-
-                if should_shed_frame {
-                    self.shed_drops = self.shed_drops.saturating_add(1);
-                    self.fairness_penalties = self.fairness_penalties.saturating_add(1);
-                } else {
-                    let frame_bytes = candidate.frame.queued_bytes();
-                    flow.queue.push_front(candidate.frame);
-                    flow.fairness.pending_bytes =
-                        flow.fairness.pending_bytes.saturating_add(frame_bytes);
-                    flow.fairness.queue_started_at =
-                        flow.queue.front().map(|front| front.enqueued_at);
-                    self.total_queued_bytes = self.total_queued_bytes.saturating_add(frame_bytes);
-                    self.bucket_queued_bytes[flow.fairness.bucket_id] = self.bucket_queued_bytes
-                        [flow.fairness.bucket_id]
-                        .saturating_add(frame_bytes);
-                    if !flow.fairness.in_active_ring {
-                        flow.fairness.in_active_ring = true;
-                        self.active_ring.push_back(conn_id);
+                    if self.config.backpressure_enabled {
+                        flow.fairness.consecutive_stalls =
+                            flow.fairness.consecutive_stalls.saturating_add(1);
+                        flow.fairness.scheduler_state = FlowSchedulerState::Backpressured;
+                        flow.fairness.pressure_class = FlowPressureClass::Backpressured;
                     }
-                }
 
-                if flow.fairness.consecutive_stalls
-                    >= self.config.max_consecutive_stalls_before_close
-                    && self.pressure.state() == PressureState::Saturated
-                {
+                    let should_shed_frame = self.config.backpressure_enabled
+                        && (matches!(state, PressureState::Saturated)
+                            || (matches!(state, PressureState::Shedding)
+                                && flow.fairness.standing_state == StandingQueueState::Standing
+                                && flow.fairness.consecutive_stalls
+                                    >= self.config.max_consecutive_stalls_before_shed));
+
+                    if should_shed_frame {
+                        self.shed_drops = self.shed_drops.saturating_add(1);
+                        self.fairness_penalties = self.fairness_penalties.saturating_add(1);
+                    } else {
+                        let frame_bytes = candidate.frame.queued_bytes();
+                        flow.queue.push_front(candidate.frame);
+                        flow.fairness.pending_bytes =
+                            flow.fairness.pending_bytes.saturating_add(frame_bytes);
+                        flow.fairness.queue_started_at =
+                            flow.queue.front().map(|front| front.enqueued_at);
+                        self.total_queued_bytes =
+                            self.total_queued_bytes.saturating_add(frame_bytes);
+                        self.bucket_queued_bytes[flow.fairness.bucket_id] = self
+                            .bucket_queued_bytes[flow.fairness.bucket_id]
+                            .saturating_add(frame_bytes);
+                        if !flow.fairness.in_active_ring {
+                            flow.fairness.in_active_ring = true;
+                            enqueue_active = true;
+                        }
+                    }
+
+                    Self::classify_flow(&self.config, state, now, &mut flow.fairness);
+                    let after_membership = Self::flow_membership(&flow.fairness);
+                    let should_close_flow = self.config.backpressure_enabled
+                        && flow.fairness.consecutive_stalls
+                            >= self.config.max_consecutive_stalls_before_close
+                        && self.pressure.state() == PressureState::Saturated;
+                    (
+                        before_membership,
+                        after_membership,
+                        should_close_flow,
+                        enqueue_active,
+                    )
+                };
+                if enqueue_active {
+                    self.enqueue_active_conn(conn_id);
+                }
+                self.apply_flow_membership_delta(before_membership, after_membership);
+
+                if should_close_flow {
                     self.remove_flow(conn_id);
                     self.evaluate_pressure(now, true);
                     return DispatchAction::CloseFlow;
@@ -426,6 +522,16 @@ impl WorkerFairnessState {
         let Some(entry) = self.flows.remove(&conn_id) else {
             return;
         };
+        self.active_ring_members.remove(&conn_id);
+        self.active_ring
+            .retain(|queued_conn_id| *queued_conn_id != conn_id);
+        let (was_standing, was_backpressured) = Self::flow_membership(&entry.fairness);
+        if was_standing {
+            self.standing_flow_count = self.standing_flow_count.saturating_sub(1);
+        }
+        if was_backpressured {
+            self.backpressured_flow_count = self.backpressured_flow_count.saturating_sub(1);
+        }
 
         self.bucket_active_flows[entry.fairness.bucket_id] =
             self.bucket_active_flows[entry.fairness.bucket_id].saturating_sub(1);
@@ -440,27 +546,6 @@ impl WorkerFairnessState {
     }
 
     fn evaluate_pressure(&mut self, now: Instant, force: bool) {
-        let mut standing = 0usize;
-        let mut backpressured = 0usize;
-
-        for flow in self.flows.values_mut() {
-            Self::classify_flow(&self.config, self.pressure.state(), now, &mut flow.fairness);
-            if flow.fairness.standing_state == StandingQueueState::Standing {
-                standing = standing.saturating_add(1);
-            }
-            if matches!(
-                flow.fairness.scheduler_state,
-                FlowSchedulerState::Backpressured
-                    | FlowSchedulerState::Penalized
-                    | FlowSchedulerState::SheddingCandidate
-            ) {
-                backpressured = backpressured.saturating_add(1);
-            }
-        }
-
-        self.standing_flow_count = standing;
-        self.backpressured_flow_count = backpressured;
-
         let _ = self.pressure.maybe_evaluate(
             now,
             &self.config.pressure,
@@ -468,8 +553,8 @@ impl WorkerFairnessState {
             PressureSignals {
                 active_flows: self.flows.len(),
                 total_queued_bytes: self.total_queued_bytes,
-                standing_flows: standing,
-                backpressured_flows: backpressured,
+                standing_flows: self.standing_flow_count,
+                backpressured_flows: self.backpressured_flow_count,
             },
             force,
         );
@@ -481,12 +566,39 @@ impl WorkerFairnessState {
         now: Instant,
         fairness: &mut FlowFairnessState,
     ) {
-        if fairness.pending_bytes == 0 {
-            fairness.pressure_class = FlowPressureClass::Healthy;
-            fairness.standing_state = StandingQueueState::Transient;
-            fairness.scheduler_state = FlowSchedulerState::Idle;
+        let (pressure_class, standing_state, scheduler_state, standing) =
+            Self::derive_flow_classification(config, pressure_state, now, fairness);
+        fairness.pressure_class = pressure_class;
+        fairness.standing_state = standing_state;
+        fairness.scheduler_state = scheduler_state;
+        if scheduler_state == FlowSchedulerState::Idle {
+            fairness.deficit_bytes = 0;
+        }
+        if standing {
+            fairness.penalty_score = fairness.penalty_score.saturating_add(1);
+        } else {
             fairness.penalty_score = fairness.penalty_score.saturating_sub(1);
-            return;
+        }
+    }
+
+    fn derive_flow_classification(
+        config: &WorkerFairnessConfig,
+        pressure_state: PressureState,
+        now: Instant,
+        fairness: &FlowFairnessState,
+    ) -> (
+        FlowPressureClass,
+        StandingQueueState,
+        FlowSchedulerState,
+        bool,
+    ) {
+        if fairness.pending_bytes == 0 {
+            return (
+                FlowPressureClass::Healthy,
+                StandingQueueState::Transient,
+                FlowSchedulerState::Idle,
+                false,
+            );
         }
 
         let queue_age = fairness
@@ -503,29 +615,165 @@ impl WorkerFairnessState {
             && (fairness.consecutive_stalls >= config.standing_stall_threshold || drain_stalled);
 
         if standing {
-            fairness.standing_state = StandingQueueState::Standing;
-            fairness.pressure_class = FlowPressureClass::Standing;
-            fairness.penalty_score = fairness.penalty_score.saturating_add(1);
-            fairness.scheduler_state = if pressure_state >= PressureState::Shedding {
+            let scheduler_state = if pressure_state >= PressureState::Shedding {
                 FlowSchedulerState::SheddingCandidate
             } else {
                 FlowSchedulerState::Penalized
             };
-            return;
+            return (
+                FlowPressureClass::Standing,
+                StandingQueueState::Standing,
+                scheduler_state,
+                true,
+            );
         }
 
-        fairness.standing_state = StandingQueueState::Transient;
         if fairness.consecutive_stalls > 0 {
-            fairness.pressure_class = FlowPressureClass::Backpressured;
-            fairness.scheduler_state = FlowSchedulerState::Backpressured;
-        } else if fairness.pending_bytes >= config.standing_queue_min_backlog_bytes {
-            fairness.pressure_class = FlowPressureClass::Bursty;
-            fairness.scheduler_state = FlowSchedulerState::Active;
-        } else {
-            fairness.pressure_class = FlowPressureClass::Healthy;
-            fairness.scheduler_state = FlowSchedulerState::Active;
+            return (
+                FlowPressureClass::Backpressured,
+                StandingQueueState::Transient,
+                FlowSchedulerState::Backpressured,
+                false,
+            );
         }
-        fairness.penalty_score = fairness.penalty_score.saturating_sub(1);
+
+        if fairness.pending_bytes >= config.standing_queue_min_backlog_bytes {
+            return (
+                FlowPressureClass::Bursty,
+                StandingQueueState::Transient,
+                FlowSchedulerState::Active,
+                false,
+            );
+        }
+
+        (
+            FlowPressureClass::Healthy,
+            StandingQueueState::Transient,
+            FlowSchedulerState::Active,
+            false,
+        )
+    }
+
+    #[inline]
+    fn flow_membership(fairness: &FlowFairnessState) -> (bool, bool) {
+        (
+            fairness.standing_state == StandingQueueState::Standing,
+            Self::scheduler_state_is_backpressured(fairness.scheduler_state),
+        )
+    }
+
+    #[inline]
+    fn scheduler_state_is_backpressured(state: FlowSchedulerState) -> bool {
+        matches!(
+            state,
+            FlowSchedulerState::Backpressured
+                | FlowSchedulerState::Penalized
+                | FlowSchedulerState::SheddingCandidate
+        )
+    }
+
+    fn apply_flow_membership_delta(
+        &mut self,
+        before_membership: (bool, bool),
+        after_membership: (bool, bool),
+    ) {
+        if before_membership.0 != after_membership.0 {
+            if after_membership.0 {
+                self.standing_flow_count = self.standing_flow_count.saturating_add(1);
+            } else {
+                self.standing_flow_count = self.standing_flow_count.saturating_sub(1);
+            }
+        }
+        if before_membership.1 != after_membership.1 {
+            if after_membership.1 {
+                self.backpressured_flow_count = self.backpressured_flow_count.saturating_add(1);
+            } else {
+                self.backpressured_flow_count = self.backpressured_flow_count.saturating_sub(1);
+            }
+        }
+    }
+
+    #[inline]
+    fn clamp_deficit_bytes(config: &WorkerFairnessConfig, fairness: &mut FlowFairnessState) {
+        let max_deficit = config.max_flow_queued_bytes.min(i64::MAX as u64) as i64;
+        fairness.deficit_bytes = fairness.deficit_bytes.clamp(0, max_deficit);
+    }
+
+    #[inline]
+    fn enqueue_active_conn(&mut self, conn_id: u64) {
+        if self.active_ring_members.insert(conn_id) {
+            self.active_ring.push_back(conn_id);
+        }
+    }
+
+    #[inline]
+    fn weight_for_flags(config: &WorkerFairnessConfig, flags: u32) -> u8 {
+        if (flags & RPC_FLAG_QUICKACK) != 0 {
+            return config.quickack_flow_weight.max(1);
+        }
+        config.default_flow_weight.max(1)
+    }
+
+    #[cfg(test)]
+    pub(crate) fn debug_recompute_flow_counters(&self, now: Instant) -> (usize, usize) {
+        let pressure_state = self.pressure.state();
+        let mut standing = 0usize;
+        let mut backpressured = 0usize;
+        for flow in self.flows.values() {
+            let (_, standing_state, scheduler_state, _) =
+                Self::derive_flow_classification(&self.config, pressure_state, now, &flow.fairness);
+            if standing_state == StandingQueueState::Standing {
+                standing = standing.saturating_add(1);
+            }
+            if Self::scheduler_state_is_backpressured(scheduler_state) {
+                backpressured = backpressured.saturating_add(1);
+            }
+        }
+        (standing, backpressured)
+    }
+
+    #[cfg(test)]
+    pub(crate) fn debug_check_active_ring_consistency(&self) -> bool {
+        if self.active_ring.len() != self.active_ring_members.len() {
+            return false;
+        }
+
+        let mut seen = HashSet::with_capacity(self.active_ring.len());
+        for conn_id in self.active_ring.iter().copied() {
+            if !seen.insert(conn_id) {
+                return false;
+            }
+            if !self.active_ring_members.contains(&conn_id) {
+                return false;
+            }
+            let Some(flow) = self.flows.get(&conn_id) else {
+                return false;
+            };
+            if !flow.fairness.in_active_ring || flow.queue.is_empty() {
+                return false;
+            }
+        }
+
+        for (conn_id, flow) in self.flows.iter() {
+            let in_ring = self.active_ring_members.contains(conn_id);
+            if flow.fairness.in_active_ring != in_ring {
+                return false;
+            }
+            if in_ring && flow.queue.is_empty() {
+                return false;
+            }
+        }
+
+        true
+    }
+
+    #[cfg(test)]
+    pub(crate) fn debug_max_deficit_bytes(&self) -> i64 {
+        self.flows
+            .values()
+            .map(|entry| entry.fairness.deficit_bytes)
+            .max()
+            .unwrap_or(0)
     }
 
     fn effective_quantum_bytes(
@@ -542,12 +790,14 @@ impl WorkerFairnessState {
             return config.penalized_quantum_bytes.max(1);
         }
 
-        match pressure_state {
+        let base_quantum = match pressure_state {
             PressureState::Normal => config.base_quantum_bytes.max(1),
             PressureState::Pressured => config.pressured_quantum_bytes.max(1),
             PressureState::Shedding => config.pressured_quantum_bytes.max(1),
             PressureState::Saturated => config.penalized_quantum_bytes.max(1),
-        }
+        };
+        let weighted_quantum = base_quantum.saturating_mul(fairness.weight_quanta.max(1) as u32);
+        weighted_quantum.max(1)
     }
 
     fn bucket_for(&self, conn_id: u64) -> usize {

src/transport/middle_proxy/health.rs

@@ -1794,6 +1794,8 @@ mod tests {
             MeSocksKdfPolicy::default(),
             general.me_writer_cmd_channel_capacity,
             general.me_route_channel_capacity,
+            general.me_route_backpressure_enabled,
+            general.me_route_fairshare_enabled,
             general.me_route_backpressure_base_timeout_ms,
             general.me_route_backpressure_high_timeout_ms,
             general.me_route_backpressure_high_watermark_pct,

src/transport/middle_proxy/mod.rs

@@ -46,6 +46,7 @@ mod send_adversarial_tests;
 mod wire;
 
 use bytes::Bytes;
+use tokio::sync::OwnedSemaphorePermit;
 
 #[allow(unused_imports)]
 pub use config_updater::{
@@ -68,9 +69,32 @@ pub use secret::{fetch_proxy_secret, fetch_proxy_secret_with_upstream};
 pub(crate) use selftest::{bnd_snapshot, timeskew_snapshot, upstream_bnd_snapshots};
 pub use wire::proto_flags_for_tag;
 
+/// Holds D2C queued-byte capacity until a routed payload is consumed or dropped.
+pub struct RouteBytePermit {
+    _permit: OwnedSemaphorePermit,
+}
+
+impl std::fmt::Debug for RouteBytePermit {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("RouteBytePermit").finish_non_exhaustive()
+    }
+}
+
+impl RouteBytePermit {
+    pub(crate) fn new(permit: OwnedSemaphorePermit) -> Self {
+        Self { _permit: permit }
+    }
+}
+
+/// Response routed from middle proxy readers to client relay tasks.
 #[derive(Debug)]
 pub enum MeResponse {
-    Data { flags: u32, data: Bytes },
+    /// Downstream payload with its queued-byte reservation.
+    Data {
+        flags: u32,
+        data: Bytes,
+        route_permit: Option<RouteBytePermit>,
+    },
     Ack(u32),
     Close,
 }

src/transport/middle_proxy/pool.rs

@@ -396,6 +396,8 @@ pub(super) struct WriterSelectionPolicyCore {
 
 pub(super) struct TransportPolicyCore {
     pub(super) me_socks_kdf_policy: AtomicU8,
+    pub(super) me_route_backpressure_enabled: Arc<AtomicBool>,
+    pub(super) me_route_fairshare_enabled: Arc<AtomicBool>,
     pub(super) me_reader_route_data_wait_ms: Arc<AtomicU64>,
 }
 
@@ -548,6 +550,8 @@ impl MePool {
         me_socks_kdf_policy: MeSocksKdfPolicy,
         me_writer_cmd_channel_capacity: usize,
         me_route_channel_capacity: usize,
+        me_route_backpressure_enabled: bool,
+        me_route_fairshare_enabled: bool,
         me_route_backpressure_base_timeout_ms: u64,
         me_route_backpressure_high_timeout_ms: u64,
         me_route_backpressure_high_watermark_pct: u8,
@@ -783,6 +787,10 @@ impl MePool {
             }),
             transport_policy: Arc::new(TransportPolicyCore {
                 me_socks_kdf_policy: AtomicU8::new(me_socks_kdf_policy.as_u8()),
+                me_route_backpressure_enabled: Arc::new(AtomicBool::new(
+                    me_route_backpressure_enabled,
+                )),
+                me_route_fairshare_enabled: Arc::new(AtomicBool::new(me_route_fairshare_enabled)),
                 me_reader_route_data_wait_ms: Arc::new(AtomicU64::new(
                     me_reader_route_data_wait_ms,
                 )),
@@ -1245,6 +1253,8 @@ impl MePool {
     pub fn update_runtime_transport_policy(
         &self,
         socks_kdf_policy: MeSocksKdfPolicy,
+        route_backpressure_enabled: bool,
+        route_fairshare_enabled: bool,
         route_backpressure_base_timeout_ms: u64,
         route_backpressure_high_timeout_ms: u64,
         route_backpressure_high_watermark_pct: u8,
@@ -1253,6 +1263,12 @@ impl MePool {
         self.transport_policy
             .me_socks_kdf_policy
             .store(socks_kdf_policy.as_u8(), Ordering::Relaxed);
+        self.transport_policy
+            .me_route_backpressure_enabled
+            .store(route_backpressure_enabled, Ordering::Relaxed);
+        self.transport_policy
+            .me_route_fairshare_enabled
+            .store(route_fairshare_enabled, Ordering::Relaxed);
         self.transport_policy
             .me_reader_route_data_wait_ms
             .store(reader_route_data_wait_ms, Ordering::Relaxed);

src/transport/middle_proxy/pool_writer.rs

@@ -436,6 +436,9 @@ impl MePool {
         let cancel_signal = cancel.clone();
         let cancel_select = cancel.clone();
         let cancel_cleanup = cancel.clone();
+        let route_backpressure_enabled =
+            self.transport_policy.me_route_backpressure_enabled.clone();
+        let route_fairshare_enabled = self.transport_policy.me_route_fairshare_enabled.clone();
         let reader_route_data_wait_ms = self.transport_policy.me_reader_route_data_wait_ms.clone();
 
         tokio::spawn(async move {
@@ -458,6 +461,8 @@ impl MePool {
                     writer_id,
                     degraded,
                     rtt_ema_ms_x10,
+                    route_backpressure_enabled,
+                    route_fairshare_enabled,
                     reader_route_data_wait_ms,
                     cancel_reader,
                 ) => WriterLifecycleExit::Reader(reader_res),

src/transport/middle_proxy/reader.rs

@@ -4,7 +4,7 @@ use std::collections::HashMap;
 use std::io::ErrorKind;
 use std::sync::Arc;
 use std::sync::atomic::{AtomicBool, AtomicU32, AtomicU64, Ordering};
-use std::time::Instant;
+use std::time::{Duration, Instant};
 
 use bytes::{Bytes, BytesMut};
 use tokio::io::AsyncReadExt;
@@ -21,8 +21,8 @@ use crate::stats::Stats;
 
 use super::codec::{RpcChecksumMode, WriterCommand, rpc_crc};
 use super::fairness::{
-    AdmissionDecision, DispatchAction, DispatchFeedback, SchedulerDecision, WorkerFairnessConfig,
-    WorkerFairnessSnapshot, WorkerFairnessState,
+    AdmissionDecision, DispatchAction, DispatchFeedback, PressureState, SchedulerDecision,
+    WorkerFairnessConfig, WorkerFairnessSnapshot, WorkerFairnessState,
 };
 use super::registry::RouteResult;
 use super::{ConnRegistry, MeResponse};
@@ -45,10 +45,30 @@ fn is_data_route_queue_full(result: RouteResult) -> bool {
     )
 }
 
-fn should_close_on_queue_full_streak(streak: u8) -> bool {
+fn should_close_on_queue_full_streak_with_policy(
+    streak: u8,
+    pressure_state: PressureState,
+    backpressure_enabled: bool,
+) -> bool {
+    if !backpressure_enabled {
+        return false;
+    }
+
+    if pressure_state < PressureState::Shedding {
+        return false;
+    }
+
     streak >= DATA_ROUTE_QUEUE_FULL_STARVATION_THRESHOLD
 }
 
+fn should_schedule_fairness_retry(snapshot: &WorkerFairnessSnapshot) -> bool {
+    snapshot.total_queued_bytes > 0
+}
+
+fn fairness_retry_delay(route_wait_ms: u64) -> Duration {
+    Duration::from_millis(route_wait_ms.max(1))
+}
+
 async fn route_data_with_retry(
     reg: &ConnRegistry,
     conn_id: u64,
@@ -64,6 +84,7 @@ async fn route_data_with_retry(
                 MeResponse::Data {
                     flags,
                     data: data.clone(),
+                    route_permit: None,
                 },
                 timeout_ms,
             )
@@ -148,6 +169,7 @@ async fn drain_fairness_scheduler(
     reg: &ConnRegistry,
     tx: &mpsc::Sender<WriterCommand>,
     data_route_queue_full_streak: &mut HashMap<u64, u8>,
+    backpressure_enabled: bool,
     route_wait_ms: u64,
     stats: &Stats,
 ) {
@@ -157,7 +179,7 @@ async fn drain_fairness_scheduler(
             break;
         };
         let cid = candidate.frame.conn_id;
-        let _pressure_state = candidate.pressure_state;
+        let pressure_state = candidate.pressure_state;
         let _flow_class = candidate.flow_class;
         let routed = route_data_with_retry(
             reg,
@@ -176,7 +198,11 @@ async fn drain_fairness_scheduler(
         if is_data_route_queue_full(routed) {
             let streak = data_route_queue_full_streak.entry(cid).or_insert(0);
             *streak = streak.saturating_add(1);
-            if should_close_on_queue_full_streak(*streak) {
+            if should_close_on_queue_full_streak_with_policy(
+                *streak,
+                pressure_state,
+                backpressure_enabled,
+            ) {
                 fairness.remove_flow(cid);
                 data_route_queue_full_streak.remove(&cid);
                 reg.unregister(cid).await;
@@ -208,6 +234,8 @@ pub(crate) async fn reader_loop(
     writer_id: u64,
     degraded: Arc<AtomicBool>,
     writer_rtt_ema_ms_x10: Arc<AtomicU32>,
+    route_backpressure_enabled: Arc<AtomicBool>,
+    route_fairshare_enabled: Arc<AtomicBool>,
     reader_route_data_wait_ms: Arc<AtomicU64>,
     cancel: CancellationToken,
 ) -> Result<()> {
@@ -224,17 +252,46 @@ pub(crate) async fn reader_loop(
             max_flow_queued_bytes: (reg.route_channel_capacity() as u64)
                 .saturating_mul(2 * 1024)
                 .clamp(64 * 1024, 2 * 1024 * 1024),
+            backpressure_enabled: route_backpressure_enabled.load(Ordering::Relaxed),
             ..WorkerFairnessConfig::default()
         },
         Instant::now(),
     );
     let mut fairness_snapshot = fairness.snapshot();
     loop {
+        let backpressure_enabled = route_backpressure_enabled.load(Ordering::Relaxed);
+        let fairshare_enabled = route_fairshare_enabled.load(Ordering::Relaxed);
+        fairness.set_backpressure_enabled(backpressure_enabled);
+        let fairness_has_backlog = should_schedule_fairness_retry(&fairness_snapshot);
         let mut tmp = [0u8; 65_536];
+        let backlog_retry_enabled = fairness_has_backlog;
+        let backlog_retry_delay =
+            fairness_retry_delay(reader_route_data_wait_ms.load(Ordering::Relaxed));
+        let mut retry_only = false;
         let n = tokio::select! {
             res = rd.read(&mut tmp) => res.map_err(ProxyError::Io)?,
+            _ = tokio::time::sleep(backlog_retry_delay), if backlog_retry_enabled => {
+                retry_only = true;
+                0usize
+            },
             _ = cancel.cancelled() => return Ok(()),
         };
+        if retry_only {
+            let route_wait_ms = reader_route_data_wait_ms.load(Ordering::Relaxed);
+            drain_fairness_scheduler(
+                &mut fairness,
+                reg.as_ref(),
+                &tx,
+                &mut data_route_queue_full_streak,
+                backpressure_enabled,
+                route_wait_ms,
+                stats.as_ref(),
+            )
+            .await;
+            let current_snapshot = fairness.snapshot();
+            apply_fairness_metrics_delta(stats.as_ref(), &mut fairness_snapshot, current_snapshot);
+            continue;
+        }
         if n == 0 {
             stats.increment_me_reader_eof_total();
             return Err(ProxyError::Io(std::io::Error::new(
@@ -311,23 +368,56 @@ pub(crate) async fn reader_loop(
                 let data = body.slice(12..);
                 trace!(cid, flags, len = data.len(), "RPC_PROXY_ANS");
 
-                let admission = fairness.enqueue_data(cid, flags, data, Instant::now());
-                if !matches!(admission, AdmissionDecision::Admit) {
-                    stats.increment_me_route_drop_queue_full();
-                    stats.increment_me_route_drop_queue_full_high();
-                    let streak = data_route_queue_full_streak.entry(cid).or_insert(0);
-                    *streak = streak.saturating_add(1);
-                    if should_close_on_queue_full_streak(*streak)
-                        || matches!(
-                            admission,
-                            AdmissionDecision::RejectSaturated
-                                | AdmissionDecision::RejectStandingFlow
-                        )
-                    {
+                if fairshare_enabled {
+                    let admission = fairness.enqueue_data(cid, flags, data, Instant::now());
+                    if !matches!(admission, AdmissionDecision::Admit) {
+                        stats.increment_me_route_drop_queue_full();
+                        stats.increment_me_route_drop_queue_full_high();
+                        let streak = data_route_queue_full_streak.entry(cid).or_insert(0);
+                        *streak = streak.saturating_add(1);
+                        let pressure_state = fairness.pressure_state();
+                        if should_close_on_queue_full_streak_with_policy(
+                            *streak,
+                            pressure_state,
+                            backpressure_enabled,
+                        ) || (backpressure_enabled
+                            && matches!(admission, AdmissionDecision::RejectSaturated))
+                        {
+                            fairness.remove_flow(cid);
+                            data_route_queue_full_streak.remove(&cid);
+                            reg.unregister(cid).await;
+                            send_close_conn(&tx, cid).await;
+                        }
+                    }
+                } else {
+                    let route_wait_ms = reader_route_data_wait_ms.load(Ordering::Relaxed);
+                    let routed =
+                        route_data_with_retry(reg.as_ref(), cid, flags, data, route_wait_ms).await;
+                    if matches!(routed, RouteResult::Routed) {
+                        data_route_queue_full_streak.remove(&cid);
+                        continue;
+                    }
+                    report_route_drop(routed, stats.as_ref());
+                    if should_close_on_route_result_for_data(routed) {
                         fairness.remove_flow(cid);
                         data_route_queue_full_streak.remove(&cid);
                         reg.unregister(cid).await;
                         send_close_conn(&tx, cid).await;
+                        continue;
+                    }
+                    if is_data_route_queue_full(routed) {
+                        let streak = data_route_queue_full_streak.entry(cid).or_insert(0);
+                        *streak = streak.saturating_add(1);
+                        if should_close_on_queue_full_streak_with_policy(
+                            *streak,
+                            PressureState::Shedding,
+                            backpressure_enabled,
+                        ) {
+                            fairness.remove_flow(cid);
+                            data_route_queue_full_streak.remove(&cid);
+                            reg.unregister(cid).await;
+                            send_close_conn(&tx, cid).await;
+                        }
                     }
                 }
             } else if pt == RPC_SIMPLE_ACK_U32 && body.len() >= 12 {
@@ -433,6 +523,7 @@ pub(crate) async fn reader_loop(
                 reg.as_ref(),
                 &tx,
                 &mut data_route_queue_full_streak,
+                backpressure_enabled,
                 route_wait_ms,
                 stats.as_ref(),
             )
@@ -445,14 +536,18 @@ pub(crate) async fn reader_loop(
 
 #[cfg(test)]
 mod tests {
+    use std::time::Duration;
+
     use bytes::Bytes;
 
+    use super::PressureState;
     use crate::transport::middle_proxy::ConnRegistry;
 
     use super::{
-        MeResponse, RouteResult, is_data_route_queue_full, route_data_with_retry,
-        should_close_on_queue_full_streak, should_close_on_route_result_for_ack,
-        should_close_on_route_result_for_data,
+        MeResponse, RouteResult, WorkerFairnessSnapshot, fairness_retry_delay,
+        is_data_route_queue_full, route_data_with_retry,
+        should_close_on_queue_full_streak_with_policy, should_close_on_route_result_for_ack,
+        should_close_on_route_result_for_data, should_schedule_fairness_retry,
     };
 
     #[test]
@@ -475,10 +570,51 @@ mod tests {
         assert!(is_data_route_queue_full(RouteResult::QueueFullBase));
         assert!(is_data_route_queue_full(RouteResult::QueueFullHigh));
         assert!(!is_data_route_queue_full(RouteResult::NoConn));
-        assert!(!should_close_on_queue_full_streak(1));
-        assert!(!should_close_on_queue_full_streak(2));
-        assert!(should_close_on_queue_full_streak(3));
-        assert!(should_close_on_queue_full_streak(u8::MAX));
+        assert!(!should_close_on_queue_full_streak_with_policy(
+            1,
+            PressureState::Normal,
+            true
+        ));
+        assert!(!should_close_on_queue_full_streak_with_policy(
+            2,
+            PressureState::Pressured,
+            true
+        ));
+        assert!(!should_close_on_queue_full_streak_with_policy(
+            3,
+            PressureState::Pressured,
+            true
+        ));
+        assert!(should_close_on_queue_full_streak_with_policy(
+            3,
+            PressureState::Shedding,
+            true
+        ));
+        assert!(should_close_on_queue_full_streak_with_policy(
+            u8::MAX,
+            PressureState::Saturated,
+            true
+        ));
+        assert!(!should_close_on_queue_full_streak_with_policy(
+            u8::MAX,
+            PressureState::Saturated,
+            false
+        ));
+    }
+
+    #[test]
+    fn fairness_retry_is_scheduled_only_when_queue_has_pending_bytes() {
+        let mut snapshot = WorkerFairnessSnapshot::default();
+        assert!(!should_schedule_fairness_retry(&snapshot));
+
+        snapshot.total_queued_bytes = 1;
+        assert!(should_schedule_fairness_retry(&snapshot));
+    }
+
+    #[test]
+    fn fairness_retry_delay_never_drops_below_one_millisecond() {
+        assert_eq!(fairness_retry_delay(0), Duration::from_millis(1));
+        assert_eq!(fairness_retry_delay(2), Duration::from_millis(2));
     }
 
     #[test]
@@ -504,7 +640,7 @@ mod tests {
         let routed = route_data_with_retry(&reg, conn_id, 0, Bytes::from_static(b"a"), 20).await;
         assert!(matches!(routed, RouteResult::Routed));
         match rx.recv().await {
-            Some(MeResponse::Data { flags, data }) => {
+            Some(MeResponse::Data { flags, data, .. }) => {
                 assert_eq!(flags, 0);
                 assert_eq!(data, Bytes::from_static(b"a"));
             }

src/transport/middle_proxy/registry.rs

@@ -1,18 +1,22 @@
 use std::collections::{HashMap, HashSet};
 use std::net::SocketAddr;
+use std::sync::Arc;
 use std::sync::atomic::{AtomicU8, AtomicU64, Ordering};
 use std::time::{Duration, SystemTime, UNIX_EPOCH};
 
 use dashmap::DashMap;
 use tokio::sync::mpsc::error::TrySendError;
-use tokio::sync::{Mutex, mpsc};
+use tokio::sync::{Mutex, Semaphore, mpsc};
 
-use super::MeResponse;
 use super::codec::WriterCommand;
+use super::{MeResponse, RouteBytePermit};
 
 const ROUTE_BACKPRESSURE_BASE_TIMEOUT_MS: u64 = 25;
 const ROUTE_BACKPRESSURE_HIGH_TIMEOUT_MS: u64 = 120;
 const ROUTE_BACKPRESSURE_HIGH_WATERMARK_PCT: u8 = 80;
+const ROUTE_QUEUED_BYTE_PERMIT_UNIT: usize = 16 * 1024;
+const ROUTE_QUEUED_PERMITS_PER_SLOT: usize = 4;
+const ROUTE_QUEUED_MAX_FRAME_PERMITS: usize = 1024;
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum RouteResult {
@@ -53,6 +57,7 @@ pub(super) struct WriterActivitySnapshot {
 
 struct RoutingTable {
     map: DashMap<u64, mpsc::Sender<MeResponse>>,
+    byte_budget: DashMap<u64, Arc<Semaphore>>,
 }
 
 struct WriterTable {
@@ -105,6 +110,7 @@ pub struct ConnRegistry {
     route_backpressure_base_timeout_ms: AtomicU64,
     route_backpressure_high_timeout_ms: AtomicU64,
     route_backpressure_high_watermark_pct: AtomicU8,
+    route_byte_permits_per_conn: usize,
 }
 
 impl ConnRegistry {
@@ -116,10 +122,23 @@ impl ConnRegistry {
     }
 
     pub fn with_route_channel_capacity(route_channel_capacity: usize) -> Self {
+        let route_channel_capacity = route_channel_capacity.max(1);
+        Self::with_route_limits(
+            route_channel_capacity,
+            Self::route_byte_permit_budget(route_channel_capacity),
+        )
+    }
+
+    fn with_route_limits(
+        route_channel_capacity: usize,
+        route_byte_permits_per_conn: usize,
+    ) -> Self {
         let start = rand::random::<u64>() | 1;
+        let route_channel_capacity = route_channel_capacity.max(1);
         Self {
             routing: RoutingTable {
                 map: DashMap::new(),
+                byte_budget: DashMap::new(),
             },
             writers: WriterTable {
                 map: DashMap::new(),
@@ -131,15 +150,30 @@ impl ConnRegistry {
                 inner: Mutex::new(BindingInner::new()),
             },
             next_id: AtomicU64::new(start),
-            route_channel_capacity: route_channel_capacity.max(1),
+            route_channel_capacity,
             route_backpressure_base_timeout_ms: AtomicU64::new(ROUTE_BACKPRESSURE_BASE_TIMEOUT_MS),
             route_backpressure_high_timeout_ms: AtomicU64::new(ROUTE_BACKPRESSURE_HIGH_TIMEOUT_MS),
             route_backpressure_high_watermark_pct: AtomicU8::new(
                 ROUTE_BACKPRESSURE_HIGH_WATERMARK_PCT,
             ),
+            route_byte_permits_per_conn: route_byte_permits_per_conn.max(1),
         }
     }
 
+    fn route_data_permits(data_len: usize) -> u32 {
+        data_len
+            .max(1)
+            .div_ceil(ROUTE_QUEUED_BYTE_PERMIT_UNIT)
+            .min(u32::MAX as usize) as u32
+    }
+
+    fn route_byte_permit_budget(route_channel_capacity: usize) -> usize {
+        route_channel_capacity
+            .saturating_mul(ROUTE_QUEUED_PERMITS_PER_SLOT)
+            .max(ROUTE_QUEUED_MAX_FRAME_PERMITS)
+            .max(1)
+    }
+
     pub fn route_channel_capacity(&self) -> usize {
         self.route_channel_capacity
     }
@@ -149,6 +183,14 @@ impl ConnRegistry {
         Self::with_route_channel_capacity(4096)
     }
 
+    #[cfg(test)]
+    fn with_route_byte_permits_for_tests(
+        route_channel_capacity: usize,
+        route_byte_permits_per_conn: usize,
+    ) -> Self {
+        Self::with_route_limits(route_channel_capacity, route_byte_permits_per_conn)
+    }
+
     pub fn update_route_backpressure_policy(
         &self,
         base_timeout_ms: u64,
@@ -170,6 +212,10 @@ impl ConnRegistry {
         let id = self.next_id.fetch_add(1, Ordering::Relaxed);
         let (tx, rx) = mpsc::channel(self.route_channel_capacity);
         self.routing.map.insert(id, tx);
+        self.routing.byte_budget.insert(
+            id,
+            Arc::new(Semaphore::new(self.route_byte_permits_per_conn)),
+        );
         (id, rx)
     }
 
@@ -186,6 +232,7 @@ impl ConnRegistry {
     /// Unregister connection, returning associated writer_id if any.
     pub async fn unregister(&self, id: u64) -> Option<u64> {
         self.routing.map.remove(&id);
+        self.routing.byte_budget.remove(&id);
         self.hot_binding.map.remove(&id);
         let mut binding = self.binding.inner.lock().await;
         binding.meta.remove(&id);
@@ -206,6 +253,64 @@ impl ConnRegistry {
         None
     }
 
+    async fn attach_route_byte_permit(
+        &self,
+        id: u64,
+        resp: MeResponse,
+        timeout_ms: Option<u64>,
+    ) -> std::result::Result<MeResponse, RouteResult> {
+        let MeResponse::Data {
+            flags,
+            data,
+            route_permit,
+        } = resp
+        else {
+            return Ok(resp);
+        };
+
+        if route_permit.is_some() {
+            return Ok(MeResponse::Data {
+                flags,
+                data,
+                route_permit,
+            });
+        }
+
+        let Some(semaphore) = self
+            .routing
+            .byte_budget
+            .get(&id)
+            .map(|entry| entry.value().clone())
+        else {
+            return Err(RouteResult::NoConn);
+        };
+        let permits = Self::route_data_permits(data.len());
+        let permit = match timeout_ms {
+            Some(0) => semaphore
+                .try_acquire_many_owned(permits)
+                .map_err(|_| RouteResult::QueueFullHigh)?,
+            Some(timeout_ms) => {
+                let acquire = semaphore.acquire_many_owned(permits);
+                match tokio::time::timeout(Duration::from_millis(timeout_ms.max(1)), acquire).await
+                {
+                    Ok(Ok(permit)) => permit,
+                    Ok(Err(_)) => return Err(RouteResult::ChannelClosed),
+                    Err(_) => return Err(RouteResult::QueueFullHigh),
+                }
+            }
+            None => semaphore
+                .acquire_many_owned(permits)
+                .await
+                .map_err(|_| RouteResult::ChannelClosed)?,
+        };
+
+        Ok(MeResponse::Data {
+            flags,
+            data,
+            route_permit: Some(RouteBytePermit::new(permit)),
+        })
+    }
+
     #[allow(dead_code)]
     pub async fn route(&self, id: u64, resp: MeResponse) -> RouteResult {
         let tx = self.routing.map.get(&id).map(|entry| entry.value().clone());
@@ -214,15 +319,23 @@ impl ConnRegistry {
             return RouteResult::NoConn;
         };
 
+        let base_timeout_ms = self
+            .route_backpressure_base_timeout_ms
+            .load(Ordering::Relaxed)
+            .max(1);
+        let resp = match self
+            .attach_route_byte_permit(id, resp, Some(base_timeout_ms))
+            .await
+        {
+            Ok(resp) => resp,
+            Err(result) => return result,
+        };
+
         match tx.try_send(resp) {
             Ok(()) => RouteResult::Routed,
             Err(TrySendError::Closed(_)) => RouteResult::ChannelClosed,
             Err(TrySendError::Full(resp)) => {
                 // Absorb short bursts without dropping/closing the session immediately.
-                let base_timeout_ms = self
-                    .route_backpressure_base_timeout_ms
-                    .load(Ordering::Relaxed)
-                    .max(1);
                 let high_timeout_ms = self
                     .route_backpressure_high_timeout_ms
                     .load(Ordering::Relaxed)
@@ -266,6 +379,10 @@ impl ConnRegistry {
         let Some(tx) = tx else {
             return RouteResult::NoConn;
         };
+        let resp = match self.attach_route_byte_permit(id, resp, Some(0)).await {
+            Ok(resp) => resp,
+            Err(result) => return result,
+        };
 
         match tx.try_send(resp) {
             Ok(()) => RouteResult::Routed,
@@ -289,6 +406,13 @@ impl ConnRegistry {
         let Some(tx) = tx else {
             return RouteResult::NoConn;
         };
+        let resp = match self
+            .attach_route_byte_permit(id, resp, Some(timeout_ms))
+            .await
+        {
+            Ok(resp) => resp,
+            Err(result) => return result,
+        };
 
         match tx.try_send(resp) {
             Ok(()) => RouteResult::Routed,
@@ -541,8 +665,10 @@ impl ConnRegistry {
 mod tests {
     use std::net::{IpAddr, Ipv4Addr, SocketAddr};
 
-    use super::ConnMeta;
-    use super::ConnRegistry;
+    use bytes::Bytes;
+
+    use super::{ConnMeta, ConnRegistry, RouteResult};
+    use crate::transport::middle_proxy::MeResponse;
 
     #[tokio::test]
     async fn writer_activity_snapshot_tracks_writer_and_dc_load() {
@@ -608,6 +734,55 @@ mod tests {
         assert_eq!(snapshot.active_sessions_by_target_dc.get(&4), Some(&1));
     }
 
+    #[tokio::test]
+    async fn route_data_is_bounded_by_byte_permits_before_channel_capacity() {
+        let registry = ConnRegistry::with_route_byte_permits_for_tests(4, 1);
+        let (conn_id, mut rx) = registry.register().await;
+        let routed = registry
+            .route_nowait(
+                conn_id,
+                MeResponse::Data {
+                    flags: 0,
+                    data: Bytes::from_static(&[0xAA]),
+                    route_permit: None,
+                },
+            )
+            .await;
+        assert!(matches!(routed, RouteResult::Routed));
+
+        let blocked = registry
+            .route_nowait(
+                conn_id,
+                MeResponse::Data {
+                    flags: 0,
+                    data: Bytes::from_static(&[0xBB]),
+                    route_permit: None,
+                },
+            )
+            .await;
+        assert!(
+            matches!(blocked, RouteResult::QueueFullHigh),
+            "byte budget must reject data before count capacity is exhausted"
+        );
+
+        drop(rx.recv().await);
+
+        let routed_after_drain = registry
+            .route_nowait(
+                conn_id,
+                MeResponse::Data {
+                    flags: 0,
+                    data: Bytes::from_static(&[0xCC]),
+                    route_permit: None,
+                },
+            )
+            .await;
+        assert!(
+            matches!(routed_after_drain, RouteResult::Routed),
+            "receiving queued data must release byte permits"
+        );
+    }
+
     #[tokio::test]
     async fn bind_writer_rebinds_conn_atomically() {
         let registry = ConnRegistry::new();

src/transport/middle_proxy/secret.rs

@@ -37,20 +37,26 @@ pub(super) fn validate_proxy_secret_len(data_len: usize, max_len: usize) -> Resu
 
 /// Fetch Telegram proxy-secret binary.
 #[allow(dead_code)]
-pub async fn fetch_proxy_secret(cache_path: Option<&str>, max_len: usize) -> Result<Vec<u8>> {
-    fetch_proxy_secret_with_upstream(cache_path, max_len, None).await
+pub async fn fetch_proxy_secret(
+    cache_path: Option<&str>,
+    max_len: usize,
+    proxy_secret_url: Option<&str>,
+) -> Result<Vec<u8>> {
+    fetch_proxy_secret_with_upstream(cache_path, max_len, proxy_secret_url, None).await
 }
 
 /// Fetch Telegram proxy-secret binary, optionally through upstream routing.
 pub async fn fetch_proxy_secret_with_upstream(
     cache_path: Option<&str>,
     max_len: usize,
+    proxy_secret_url: Option<&str>,
     upstream: Option<Arc<UpstreamManager>>,
 ) -> Result<Vec<u8>> {
     let cache = cache_path.unwrap_or("proxy-secret");
 
     // 1) Try fresh download first.
-    match download_proxy_secret_with_max_len_via_upstream(max_len, upstream).await {
+    match download_proxy_secret_with_max_len_via_upstream(max_len, upstream, proxy_secret_url).await
+    {
         Ok(data) => {
             if let Err(e) = tokio::fs::write(cache, &data).await {
                 warn!(error = %e, "Failed to cache proxy-secret (non-fatal)");
@@ -91,14 +97,19 @@ pub async fn fetch_proxy_secret_with_upstream(
 
 #[allow(dead_code)]
 pub async fn download_proxy_secret_with_max_len(max_len: usize) -> Result<Vec<u8>> {
-    download_proxy_secret_with_max_len_via_upstream(max_len, None).await
+    download_proxy_secret_with_max_len_via_upstream(max_len, None, None).await
 }
 
 pub async fn download_proxy_secret_with_max_len_via_upstream(
     max_len: usize,
     upstream: Option<Arc<UpstreamManager>>,
+    proxy_secret_url: Option<&str>,
 ) -> Result<Vec<u8>> {
-    let resp = https_get("https://core.telegram.org/getProxySecret", upstream).await?;
+    let resp = https_get(
+        proxy_secret_url.unwrap_or("https://core.telegram.org/getProxySecret"),
+        upstream,
+    )
+    .await?;
 
     if !(200..=299).contains(&resp.status) {
         return Err(ProxyError::Proxy(format!(

src/transport/middle_proxy/tests/fairness_security_tests.rs

@@ -2,6 +2,7 @@ use std::time::{Duration, Instant};
 
 use bytes::Bytes;
 
+use crate::protocol::constants::RPC_FLAG_QUICKACK;
 use crate::transport::middle_proxy::fairness::{
     AdmissionDecision, DispatchAction, DispatchFeedback, PressureState, SchedulerDecision,
     WorkerFairnessConfig, WorkerFairnessState,
@@ -114,6 +115,62 @@ fn fairness_keeps_fast_flow_progress_under_slow_neighbor() {
     assert!(snapshot.total_queued_bytes <= 64 * 1024);
 }
 
+#[test]
+fn fairness_prioritizes_quickack_flow_when_weights_enabled() {
+    let mut now = Instant::now();
+    let mut fairness = WorkerFairnessState::new(
+        WorkerFairnessConfig {
+            max_total_queued_bytes: 256 * 1024,
+            max_flow_queued_bytes: 128 * 1024,
+            base_quantum_bytes: 8 * 1024,
+            pressured_quantum_bytes: 8 * 1024,
+            penalized_quantum_bytes: 8 * 1024,
+            default_flow_weight: 1,
+            quickack_flow_weight: 4,
+            ..WorkerFairnessConfig::default()
+        },
+        now,
+    );
+
+    for _ in 0..8 {
+        assert_eq!(
+            fairness.enqueue_data(10, RPC_FLAG_QUICKACK, enqueue_payload(16 * 1024), now),
+            AdmissionDecision::Admit
+        );
+        assert_eq!(
+            fairness.enqueue_data(20, 0, enqueue_payload(16 * 1024), now),
+            AdmissionDecision::Admit
+        );
+    }
+
+    let mut quickack_dispatched = 0u64;
+    let mut bulk_dispatched = 0u64;
+    for _ in 0..64 {
+        now += Duration::from_millis(1);
+        let SchedulerDecision::Dispatch(candidate) = fairness.next_decision(now) else {
+            break;
+        };
+
+        if candidate.frame.conn_id == 10 {
+            quickack_dispatched = quickack_dispatched.saturating_add(1);
+        } else if candidate.frame.conn_id == 20 {
+            bulk_dispatched = bulk_dispatched.saturating_add(1);
+        }
+
+        let _ = fairness.apply_dispatch_feedback(
+            candidate.frame.conn_id,
+            candidate,
+            DispatchFeedback::Routed,
+            now,
+        );
+    }
+
+    assert!(
+        quickack_dispatched > bulk_dispatched,
+        "quickack flow must receive higher dispatch rate with larger weight"
+    );
+}
+
 #[test]
 fn fairness_pressure_hysteresis_prevents_instant_flapping() {
     let mut now = Instant::now();
@@ -128,7 +185,7 @@ fn fairness_pressure_hysteresis_prevents_instant_flapping() {
 
     let mut fairness = WorkerFairnessState::new(cfg, now);
 
-    for _ in 0..4 {
+    for _ in 0..3 {
         assert_eq!(
             fairness.enqueue_data(9, 0, enqueue_payload(900), now),
             AdmissionDecision::Admit
@@ -180,6 +237,12 @@ fn fairness_randomized_sequence_preserves_memory_bounds() {
         }
 
         let snapshot = fairness.snapshot();
+        let (standing_recomputed, backpressured_recomputed) =
+            fairness.debug_recompute_flow_counters(now);
         assert!(snapshot.total_queued_bytes <= 32 * 1024);
+        assert_eq!(snapshot.standing_flows, standing_recomputed);
+        assert_eq!(snapshot.backpressured_flows, backpressured_recomputed);
+        assert!(fairness.debug_check_active_ring_consistency());
+        assert!(fairness.debug_max_deficit_bytes() <= 4 * 1024);
     }
 }

src/transport/middle_proxy/tests/health_adversarial_tests.rs

@@ -104,6 +104,8 @@ async fn make_pool(
         MeSocksKdfPolicy::default(),
         general.me_writer_cmd_channel_capacity,
         general.me_route_channel_capacity,
+        general.me_route_backpressure_enabled,
+        general.me_route_fairshare_enabled,
         general.me_route_backpressure_base_timeout_ms,
         general.me_route_backpressure_high_timeout_ms,
         general.me_route_backpressure_high_watermark_pct,

src/transport/middle_proxy/tests/health_integration_tests.rs

@@ -102,6 +102,8 @@ async fn make_pool(
         MeSocksKdfPolicy::default(),
         general.me_writer_cmd_channel_capacity,
         general.me_route_channel_capacity,
+        general.me_route_backpressure_enabled,
+        general.me_route_fairshare_enabled,
         general.me_route_backpressure_base_timeout_ms,
         general.me_route_backpressure_high_timeout_ms,
         general.me_route_backpressure_high_watermark_pct,

src/transport/middle_proxy/tests/health_regression_tests.rs

@@ -97,6 +97,8 @@ async fn make_pool(me_pool_drain_threshold: u64) -> Arc<MePool> {
         MeSocksKdfPolicy::default(),
         general.me_writer_cmd_channel_capacity,
         general.me_route_channel_capacity,
+        general.me_route_backpressure_enabled,
+        general.me_route_fairshare_enabled,
         general.me_route_backpressure_base_timeout_ms,
         general.me_route_backpressure_high_timeout_ms,
         general.me_route_backpressure_high_watermark_pct,

src/transport/middle_proxy/tests/pool_refill_security_tests.rs

@@ -86,6 +86,8 @@ async fn make_pool() -> Arc<MePool> {
         MeSocksKdfPolicy::default(),
         general.me_writer_cmd_channel_capacity,
         general.me_route_channel_capacity,
+        general.me_route_backpressure_enabled,
+        general.me_route_fairshare_enabled,
         general.me_route_backpressure_base_timeout_ms,
         general.me_route_backpressure_high_timeout_ms,
         general.me_route_backpressure_high_watermark_pct,

src/transport/middle_proxy/tests/pool_writer_security_tests.rs

@@ -91,6 +91,8 @@ async fn make_pool() -> Arc<MePool> {
         MeSocksKdfPolicy::default(),
         general.me_writer_cmd_channel_capacity,
         general.me_route_channel_capacity,
+        general.me_route_backpressure_enabled,
+        general.me_route_fairshare_enabled,
         general.me_route_backpressure_base_timeout_ms,
         general.me_route_backpressure_high_timeout_ms,
         general.me_route_backpressure_high_watermark_pct,

src/transport/middle_proxy/tests/send_adversarial_tests.rs

@@ -97,6 +97,8 @@ async fn make_pool() -> (Arc<MePool>, Arc<SecureRandom>) {
         MeSocksKdfPolicy::default(),
         general.me_writer_cmd_channel_capacity,
         general.me_route_channel_capacity,
+        general.me_route_backpressure_enabled,
+        general.me_route_fairshare_enabled,
         general.me_route_backpressure_base_timeout_ms,
         general.me_route_backpressure_high_timeout_ms,
         general.me_route_backpressure_high_watermark_pct,

src/transport/upstream.rs

@@ -279,6 +279,12 @@ pub struct UpstreamApiSummarySnapshot {
     pub shadowsocks_total: usize,
 }
 
+#[derive(Debug, Clone, Copy, Default)]
+pub struct UpstreamApiHealthSummary {
+    pub configured_total: usize,
+    pub healthy_total: usize,
+}
+
 #[derive(Debug, Clone)]
 pub struct UpstreamApiSnapshot {
     pub summary: UpstreamApiSummarySnapshot,
@@ -444,6 +450,20 @@ impl UpstreamManager {
         Some(UpstreamApiSnapshot { summary, upstreams })
     }
 
+    pub async fn api_health_summary(&self) -> UpstreamApiHealthSummary {
+        let guard = self.upstreams.read().await;
+        let mut summary = UpstreamApiHealthSummary {
+            configured_total: guard.len(),
+            healthy_total: 0,
+        };
+        for upstream in guard.iter() {
+            if upstream.healthy {
+                summary.healthy_total += 1;
+            }
+        }
+        summary
+    }
+
     fn describe_upstream(upstream_type: &UpstreamType) -> (UpstreamRouteKind, String) {
         match upstream_type {
             UpstreamType::Direct { .. } => (UpstreamRouteKind::Direct, "direct".to_string()),