Merge pull request #263 from kjljxybr/main

Translation update for the installation script

String-example.md

@@ -34,6 +34,7 @@ vless://4d21ce62-8723-4c4d-93e3-d586b107aa40@127.0.0.1:51394?type=ws&encryption=
 # gRPC
 vless://974b39e3-f7bf-42b9-933c-16699c635e77@127.0.0.1:15633?type=grpc&encryption=none&serviceName=TunService&authority=&security=none#vless-gRPC-none
 vless://651e7eca-5152-46f1-baf2-d502e0af7b27@127.0.0.1:28535?type=grpc&encryption=none&serviceName=TunService&authority=authority&security=reality&pbk=nhZ7NiKfcqESa5ZeBFfsq9o18W-OWOAHLln9UmuVXSk&fp=chrome&sni=google.com&sid=11cbaeaa&spx=%2F#vless-gRPC-reality
+vless://221ff905-b783-41a0-a6a6-8089eaf3b34b@abc.def.xyz:443?security=reality&type=grpc&headerType=&authority=abc.def.xyz&serviceName=name&mode=gun&sni=abc.def.xyz&fp=chrome&pbk=C3nhDJw02ZU_rjx4GbC54Sp79-ysF5lWIQVWdY4FOnE&sid=#vless-gRPC-reality-mode
 vless://af1f8b5f-26c9-4fe8-8ce7-6d6366c5c9ce@127.0.0.1:47904?type=grpc&encryption=none&serviceName=TunService&authority=authority&security=tls&fp=chrome&alpn=h2%2Chttp%2F1.1&sni=google.com#vless-gRPC-tls
 vless://95f2c4bb-abcb-47ba-bfad-e181c03e4659@127.0.0.1:34530?type=grpc&encryption=none&serviceName=TunService&authority=authority&security=tls&fp=chrome&alpn=h2%2Chttp%2F1.1&allowInsecure=1&sni=google.com#vless-gRPC-tls-insecure
 vless://bd39490f-9a4f-49b2-96b6-824190cf89e9@127.0.0.1:27779?type=grpc&encryption=none&serviceName=TunService&authority=authority&security=tls&fp=chrome&alpn=h2%2Chttp%2F1.1&sni=google.com&ech=AF3%2BDQBZAAAgACBc%2FiNdo4QkTt9eQCQgkOiJVSfA9G6UWAyipaBFtBD%2FVQAkAAEAAQABAAIAAQADAAIAAQACAAIAAgADAAMAAQADAAIAAwADAApnb29nbGUuY29tAAA%3D#vless-gRPC-tls-ech
@@ -82,3 +83,37 @@ trojan://ou8pLSyx9N@127.0.0.1:17737?type=httpupgrade&path=%2Fhttpupgradepath&hos
 # XHTTP
 trojan://VEetltxLtw@127.0.0.1:59072?type=xhttp&path=%2Fxhttppath&host=google.com&mode=auto&security=none#trojan-xhttp
 ```
+
+## Hysteria2
+
+hysteria2://
+```
+# With password
+hysteria2://password@example.com:443/#hysteria2-password
+hysteria2://password@example.com:443/?insecure=1#hysteria2-password-insecure
+
+# With SNI
+hysteria2://password@example.com:443/?sni=example.com#hysteria2-password-sni
+
+# With obfuscation
+hysteria2://password@example.com:443/?obfs=salamander&obfs-password=obfspassword#hysteria2-obfs
+
+# All parameters combined
+hysteria2://mypassword@example.com:8443/?sni=example.com&obfs=salamander&obfs-password=obfspass&insecure=1#hysteria2-all-params
+```
+
+hy2://
+```
+# With password
+hy2://password@example.com:443/#hysteria2-password
+hy2://password@example.com:443/?insecure=1#hysteria2-password-insecure
+
+# With SNI
+hy2://password@example.com:443/?sni=example.com#hysteria2-password-sni
+
+# With obfuscation
+hy2://password@example.com:443/?obfs=salamander&obfs-password=obfspassword#hysteria2-obfs
+
+# All parameters combined
+hy2://mypassword@example.com:8443/?sni=example.com&obfs=salamander&obfs-password=obfspass&insecure=1#hysteria2-all-params
+```

fe-app-podkop/locales/calls.json

@@ -3,35 +3,35 @@
     "call": "✔ Enabled",
     "key": "✔ Enabled",
     "places": [
-      "src/podkop/tabs/dashboard/initController.ts:342"
+      "src/podkop/tabs/dashboard/initController.ts:345"
     ]
   },
   {
     "call": "✔ Running",
     "key": "✔ Running",
     "places": [
-      "src/podkop/tabs/dashboard/initController.ts:353"
+      "src/podkop/tabs/dashboard/initController.ts:356"
     ]
   },
   {
     "call": "✘ Disabled",
     "key": "✘ Disabled",
     "places": [
-      "src/podkop/tabs/dashboard/initController.ts:343"
+      "src/podkop/tabs/dashboard/initController.ts:346"
     ]
   },
   {
     "call": "✘ Stopped",
     "key": "✘ Stopped",
     "places": [
-      "src/podkop/tabs/dashboard/initController.ts:354"
+      "src/podkop/tabs/dashboard/initController.ts:357"
     ]
   },
   {
     "call": "Active Connections",
     "key": "Active Connections",
     "places": [
-      "src/podkop/tabs/dashboard/initController.ts:304"
+      "src/podkop/tabs/dashboard/initController.ts:307"
     ]
   },
   {
@@ -41,6 +41,13 @@
       "src/podkop/tabs/diagnostic/checks/runNftCheck.ts:106"
     ]
   },
+  {
+    "call": "Allows access to YACD from the WAN. Make sure to open the appropriate port in your firewall.",
+    "key": "Allows access to YACD from the WAN. Make sure to open the appropriate port in your firewall.",
+    "places": [
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:247"
+    ]
+  },
   {
     "call": "Applicable for SOCKS and Shadowsocks proxy",
     "key": "Applicable for SOCKS and Shadowsocks proxy",
@@ -101,14 +108,14 @@
     "call": "Cache File Path",
     "key": "Cache File Path",
     "places": [
-      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:329"
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:348"
     ]
   },
   {
     "call": "Cache file path cannot be empty",
     "key": "Cache file path cannot be empty",
     "places": [
-      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:343"
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:362"
     ]
   },
   {
@@ -178,7 +185,7 @@
     "call": "Config File Path",
     "key": "Config File Path",
     "places": [
-      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:316"
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:335"
     ]
   },
   {
@@ -276,14 +283,14 @@
     "call": "Disable QUIC",
     "key": "Disable QUIC",
     "places": [
-      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:246"
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:265"
     ]
   },
   {
     "call": "Disable the QUIC protocol to improve compatibility or fix issues with video streaming",
     "key": "Disable the QUIC protocol to improve compatibility or fix issues with video streaming",
     "places": [
-      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:247"
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:266"
     ]
   },
   {
@@ -365,15 +372,15 @@
     "call": "Dont Touch My DHCP!",
     "key": "Dont Touch My DHCP!",
     "places": [
-      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:307"
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:326"
     ]
   },
   {
     "call": "Downlink",
     "key": "Downlink",
     "places": [
-      "src/podkop/tabs/dashboard/initController.ts:238",
-      "src/podkop/tabs/dashboard/initController.ts:272"
+      "src/podkop/tabs/dashboard/initController.ts:241",
+      "src/podkop/tabs/dashboard/initController.ts:275"
     ]
   },
   {
@@ -387,22 +394,22 @@
     "call": "Download Lists via Proxy/VPN",
     "key": "Download Lists via Proxy/VPN",
     "places": [
-      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:269"
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:288"
     ]
   },
   {
     "call": "Download Lists via specific proxy section",
     "key": "Download Lists via specific proxy section",
     "places": [
-      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:278"
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:297"
     ]
   },
   {
     "call": "Downloading all lists via specific Proxy/VPN",
     "key": "Downloading all lists via specific Proxy/VPN",
     "places": [
-      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:270",
-      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:279"
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:289",
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:298"
     ]
   },
   {
@@ -455,6 +462,13 @@
       "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:237"
     ]
   },
+  {
+    "call": "Enable YACD WAN Access",
+    "key": "Enable YACD WAN Access",
+    "places": [
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:246"
+    ]
+  },
   {
     "call": "Enter complete outbound configuration in JSON format",
     "key": "Enter complete outbound configuration in JSON format",
@@ -515,14 +529,14 @@
     "call": "Exclude NTP",
     "key": "Exclude NTP",
     "places": [
-      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:365"
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:384"
     ]
   },
   {
     "call": "Exclude NTP protocol traffic from the tunnel to prevent it from being routed through the proxy or VPN",
     "key": "Exclude NTP protocol traffic from the tunnel to prevent it from being routed through the proxy or VPN",
     "places": [
-      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:366"
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:385"
     ]
   },
   {
@@ -623,6 +637,97 @@
       "src/validators/validateSubnet.ts:11"
     ]
   },
+  {
+    "call": "Invalid HY2 URL: insecure must be 0 or 1",
+    "key": "Invalid HY2 URL: insecure must be 0 or 1",
+    "places": [
+      "src/validators/validateHysteriaUrl.ts:76"
+    ]
+  },
+  {
+    "call": "Invalid HY2 URL: invalid port number",
+    "key": "Invalid HY2 URL: invalid port number",
+    "places": [
+      "src/validators/validateHysteriaUrl.ts:62"
+    ]
+  },
+  {
+    "call": "Invalid HY2 URL: missing credentials/server",
+    "key": "Invalid HY2 URL: missing credentials/server",
+    "places": [
+      "src/validators/validateHysteriaUrl.ts:32"
+    ]
+  },
+  {
+    "call": "Invalid HY2 URL: missing host",
+    "key": "Invalid HY2 URL: missing host",
+    "places": [
+      "src/validators/validateHysteriaUrl.ts:49"
+    ]
+  },
+  {
+    "call": "Invalid HY2 URL: missing host & port",
+    "key": "Invalid HY2 URL: missing host & port",
+    "places": [
+      "src/validators/validateHysteriaUrl.ts:43"
+    ]
+  },
+  {
+    "call": "Invalid HY2 URL: missing password",
+    "key": "Invalid HY2 URL: missing password",
+    "places": [
+      "src/validators/validateHysteriaUrl.ts:38"
+    ]
+  },
+  {
+    "call": "Invalid HY2 URL: missing port",
+    "key": "Invalid HY2 URL: missing port",
+    "places": [
+      "src/validators/validateHysteriaUrl.ts:53"
+    ]
+  },
+  {
+    "call": "Invalid HY2 URL: must not contain spaces",
+    "key": "Invalid HY2 URL: must not contain spaces",
+    "places": [
+      "src/validators/validateHysteriaUrl.ts:19"
+    ]
+  },
+  {
+    "call": "Invalid HY2 URL: must start with hysteria2:// or hy2://",
+    "key": "Invalid HY2 URL: must start with hysteria2:// or hy2://",
+    "places": [
+      "src/validators/validateHysteriaUrl.ts:12"
+    ]
+  },
+  {
+    "call": "Invalid HY2 URL: obfs-password required when obfs is set",
+    "key": "Invalid HY2 URL: obfs-password required when obfs is set",
+    "places": [
+      "src/validators/validateHysteriaUrl.ts:99"
+    ]
+  },
+  {
+    "call": "Invalid HY2 URL: parsing failed",
+    "key": "Invalid HY2 URL: parsing failed",
+    "places": [
+      "src/validators/validateHysteriaUrl.ts:113"
+    ]
+  },
+  {
+    "call": "Invalid HY2 URL: sni cannot be empty",
+    "key": "Invalid HY2 URL: sni cannot be empty",
+    "places": [
+      "src/validators/validateHysteriaUrl.ts:106"
+    ]
+  },
+  {
+    "call": "Invalid HY2 URL: unsupported obfs type",
+    "key": "Invalid HY2 URL: unsupported obfs type",
+    "places": [
+      "src/validators/validateHysteriaUrl.ts:88"
+    ]
+  },
   {
     "call": "Invalid IP address",
     "key": "Invalid IP address",
@@ -838,7 +943,7 @@
     "call": "List Update Frequency",
     "key": "List Update Frequency",
     "places": [
-      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:257"
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:276"
     ]
   },
   {
@@ -866,7 +971,7 @@
     "call": "Memory Usage",
     "key": "Memory Usage",
     "places": [
-      "src/podkop/tabs/dashboard/initController.ts:308"
+      "src/podkop/tabs/dashboard/initController.ts:311"
     ]
   },
   {
@@ -977,21 +1082,21 @@
     "call": "Path must be absolute (start with /)",
     "key": "Path must be absolute (start with /)",
     "places": [
-      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:347"
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:366"
     ]
   },
   {
     "call": "Path must contain at least one directory (like /tmp/cache.db)",
     "key": "Path must contain at least one directory (like /tmp/cache.db)",
     "places": [
-      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:356"
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:375"
     ]
   },
   {
     "call": "Path must end with cache.db",
     "key": "Path must end with cache.db",
     "places": [
-      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:351"
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:370"
     ]
   },
   {
@@ -1009,7 +1114,7 @@
     "call": "Podkop",
     "key": "Podkop",
     "places": [
-      "src/podkop/tabs/dashboard/initController.ts:340"
+      "src/podkop/tabs/dashboard/initController.ts:343"
     ]
   },
   {
@@ -1023,7 +1128,7 @@
     "call": "Podkop will not modify your DHCP configuration",
     "key": "Podkop will not modify your DHCP configuration",
     "places": [
-      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:308"
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:327"
     ]
   },
   {
@@ -1093,7 +1198,7 @@
     "call": "Routing Excluded IPs",
     "key": "Routing Excluded IPs",
     "places": [
-      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:376"
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:395"
     ]
   },
   {
@@ -1152,6 +1257,13 @@
       "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/section.js:328"
     ]
   },
+  {
+    "call": "Secret key for authenticating remote access to YACD when WAN access is enabled.",
+    "key": "Secret key for authenticating remote access to YACD when WAN access is enabled.",
+    "places": [
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:257"
+    ]
+  },
   {
     "call": "Sections",
     "key": "Sections",
@@ -1184,7 +1296,7 @@
     "call": "Select how often the domain or subnet lists are updated automatically",
     "key": "Select how often the domain or subnet lists are updated automatically",
     "places": [
-      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:258"
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:277"
     ]
   },
   {
@@ -1213,14 +1325,14 @@
     "call": "Select or enter path for sing-box cache file. Change this ONLY if you know what you are doing",
     "key": "Select or enter path for sing-box cache file. Change this ONLY if you know what you are doing",
     "places": [
-      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:330"
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:349"
     ]
   },
   {
     "call": "Select path for sing-box config file. Change this ONLY if you know what you are doing",
     "key": "Select path for sing-box config file. Change this ONLY if you know what you are doing",
     "places": [
-      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:317"
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:336"
     ]
   },
   {
@@ -1269,7 +1381,7 @@
     "call": "Services info",
     "key": "Services info",
     "places": [
-      "src/podkop/tabs/dashboard/initController.ts:337"
+      "src/podkop/tabs/dashboard/initController.ts:340"
     ]
   },
   {
@@ -1291,7 +1403,7 @@
     "call": "Sing-box",
     "key": "Sing-box",
     "places": [
-      "src/podkop/tabs/dashboard/initController.ts:351"
+      "src/podkop/tabs/dashboard/initController.ts:354"
     ]
   },
   {
@@ -1347,7 +1459,7 @@
     "call": "Specify a local IP address to be excluded from routing",
     "key": "Specify a local IP address to be excluded from routing",
     "places": [
-      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:377"
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:396"
     ]
   },
   {
@@ -1404,7 +1516,7 @@
     "call": "System info",
     "key": "System info",
     "places": [
-      "src/podkop/tabs/dashboard/initController.ts:301"
+      "src/podkop/tabs/dashboard/initController.ts:304"
     ]
   },
   {
@@ -1432,13 +1544,7 @@
     "call": "Text List",
     "key": "Text List",
     "places": [
-      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/section.js:368"
-    ]
-  },
-  {
-    "call": "Text List (comma/space/newline separated)",
-    "key": "Text List (comma/space/newline separated)",
-    "places": [
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/section.js:368",
       "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/section.js:448"
     ]
   },
@@ -1481,14 +1587,14 @@
     "call": "Traffic",
     "key": "Traffic",
     "places": [
-      "src/podkop/tabs/dashboard/initController.ts:235"
+      "src/podkop/tabs/dashboard/initController.ts:238"
     ]
   },
   {
     "call": "Traffic Total",
     "key": "Traffic Total",
     "places": [
-      "src/podkop/tabs/dashboard/initController.ts:265"
+      "src/podkop/tabs/dashboard/initController.ts:268"
     ]
   },
   {
@@ -1551,15 +1657,15 @@
     "call": "Uplink",
     "key": "Uplink",
     "places": [
-      "src/podkop/tabs/dashboard/initController.ts:237",
-      "src/podkop/tabs/dashboard/initController.ts:268"
+      "src/podkop/tabs/dashboard/initController.ts:240",
+      "src/podkop/tabs/dashboard/initController.ts:271"
     ]
   },
   {
-    "call": "URL must start with vless://, ss://, trojan://, or socks4/5://",
-    "key": "URL must start with vless://, ss://, trojan://, or socks4/5://",
+    "call": "URL must start with vless://, ss://, trojan://, socks4/5://, or hysteria2://hy2://",
+    "key": "URL must start with vless://, ss://, trojan://, socks4/5://, or hysteria2://hy2://",
     "places": [
-      "src/validators/validateProxyUrl.ts:29"
+      "src/validators/validateProxyUrl.ts:37"
     ]
   },
   {
@@ -1654,6 +1760,7 @@
       "src/validators/validateDns.ts:18",
       "src/validators/validateDomain.ts:13",
       "src/validators/validateDomain.ts:30",
+      "src/validators/validateHysteriaUrl.ts:111",
       "src/validators/validateIp.ts:8",
       "src/validators/validateOutboundJson.ts:7",
       "src/validators/validatePath.ts:16",
@@ -1702,6 +1809,13 @@
       "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/section.js:330"
     ]
   },
+  {
+    "call": "YACD Secret Key",
+    "key": "YACD Secret Key",
+    "places": [
+      "../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:256"
+    ]
+  },
   {
     "call": "You can select Output Network Interface, by default autodetect",
     "key": "You can select Output Network Interface, by default autodetect",

fe-app-podkop/locales/podkop.pot

@@ -7,8 +7,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PODKOP\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-10-27 11:15+0200\n"
-"PO-Revision-Date: 2025-10-27 11:15+0200\n"
+"POT-Creation-Date: 2025-12-01 14:30+0200\n"
+"PO-Revision-Date: 2025-12-01 14:30+0200\n"
 "Last-Translator: divocat <divocatt@gmail.com>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 "Language: \n"
@@ -16,23 +16,23 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 
-#: src/podkop/tabs/dashboard/initController.ts:342
+#: src/podkop/tabs/dashboard/initController.ts:345
 msgid "✔ Enabled"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:353
+#: src/podkop/tabs/dashboard/initController.ts:356
 msgid "✔ Running"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:343
+#: src/podkop/tabs/dashboard/initController.ts:346
 msgid "✘ Disabled"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:354
+#: src/podkop/tabs/dashboard/initController.ts:357
 msgid "✘ Stopped"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:304
+#: src/podkop/tabs/dashboard/initController.ts:307
 msgid "Active Connections"
 msgstr ""
 
@@ -40,6 +40,10 @@ msgstr ""
 msgid "Additional marking rules found"
 msgstr ""
 
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:247
+msgid "Allows access to YACD from the WAN. Make sure to open the appropriate port in your firewall."
+msgstr ""
+
 #: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/section.js:175
 msgid "Applicable for SOCKS and Shadowsocks proxy"
 msgstr ""
@@ -72,11 +76,11 @@ msgstr ""
 msgid "Browser is using FakeIP correctly"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:329
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:348
 msgid "Cache File Path"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:343
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:362
 msgid "Cache file path cannot be empty"
 msgstr ""
 
@@ -119,7 +123,7 @@ msgstr ""
 msgid "Community Lists"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:316
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:335
 msgid "Config File Path"
 msgstr ""
 
@@ -175,11 +179,11 @@ msgstr ""
 msgid "Disable autostart"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:246
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:265
 msgid "Disable QUIC"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:247
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:266
 msgid "Disable the QUIC protocol to improve compatibility or fix issues with video streaming"
 msgstr ""
 
@@ -228,12 +232,12 @@ msgstr ""
 msgid "Domain Resolver"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:307
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:326
 msgid "Dont Touch My DHCP!"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:238
-#: src/podkop/tabs/dashboard/initController.ts:272
+#: src/podkop/tabs/dashboard/initController.ts:241
+#: src/podkop/tabs/dashboard/initController.ts:275
 msgid "Downlink"
 msgstr ""
 
@@ -241,16 +245,16 @@ msgstr ""
 msgid "Download"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:269
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:288
 msgid "Download Lists via Proxy/VPN"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:278
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:297
 msgid "Download Lists via specific proxy section"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:270
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:279
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:289
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:298
 msgid "Downloading all lists via specific Proxy/VPN"
 msgstr ""
 
@@ -283,6 +287,10 @@ msgstr ""
 msgid "Enable YACD"
 msgstr ""
 
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:246
+msgid "Enable YACD WAN Access"
+msgstr ""
+
 #: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/section.js:65
 msgid "Enter complete outbound configuration in JSON format"
 msgstr ""
@@ -315,11 +323,11 @@ msgstr ""
 msgid "Every 5 minutes"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:365
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:384
 msgid "Exclude NTP"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:366
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:385
 msgid "Exclude NTP protocol traffic from the tunnel to prevent it from being routed through the proxy or VPN"
 msgstr ""
 
@@ -382,6 +390,58 @@ msgstr ""
 msgid "Invalid format. Use X.X.X.X or X.X.X.X/Y"
 msgstr ""
 
+#: src/validators/validateHysteriaUrl.ts:76
+msgid "Invalid HY2 URL: insecure must be 0 or 1"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:62
+msgid "Invalid HY2 URL: invalid port number"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:32
+msgid "Invalid HY2 URL: missing credentials/server"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:49
+msgid "Invalid HY2 URL: missing host"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:43
+msgid "Invalid HY2 URL: missing host & port"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:38
+msgid "Invalid HY2 URL: missing password"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:53
+msgid "Invalid HY2 URL: missing port"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:19
+msgid "Invalid HY2 URL: must not contain spaces"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:12
+msgid "Invalid HY2 URL: must start with hysteria2:// or hy2://"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:99
+msgid "Invalid HY2 URL: obfs-password required when obfs is set"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:113
+msgid "Invalid HY2 URL: parsing failed"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:106
+msgid "Invalid HY2 URL: sni cannot be empty"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:88
+msgid "Invalid HY2 URL: unsupported obfs type"
+msgstr ""
+
 #: src/validators/validateIp.ts:11
 msgid "Invalid IP address"
 msgstr ""
@@ -503,7 +563,7 @@ msgstr ""
 msgid "Latest"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:257
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:276
 msgid "List Update Frequency"
 msgstr ""
 
@@ -519,7 +579,7 @@ msgstr ""
 msgid "Main DNS"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:308
+#: src/podkop/tabs/dashboard/initController.ts:311
 msgid "Memory Usage"
 msgstr ""
 
@@ -585,15 +645,15 @@ msgstr ""
 msgid "Path cannot be empty"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:347
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:366
 msgid "Path must be absolute (start with /)"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:356
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:375
 msgid "Path must contain at least one directory (like /tmp/cache.db)"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:351
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:370
 msgid "Path must end with cache.db"
 msgstr ""
 
@@ -605,7 +665,7 @@ msgstr ""
 msgid "Pending"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:340
+#: src/podkop/tabs/dashboard/initController.ts:343
 msgid "Podkop"
 msgstr ""
 
@@ -613,7 +673,7 @@ msgstr ""
 msgid "Podkop Settings"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:308
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:327
 msgid "Podkop will not modify your DHCP configuration"
 msgstr ""
 
@@ -653,7 +713,7 @@ msgstr ""
 msgid "Router DNS is routed through sing-box"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:376
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:395
 msgid "Routing Excluded IPs"
 msgstr ""
 
@@ -689,6 +749,10 @@ msgstr ""
 msgid "Russia inside restrictions"
 msgstr ""
 
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:257
+msgid "Secret key for authenticating remote access to YACD when WAN access is enabled."
+msgstr ""
+
 #: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/podkop.js:36
 msgid "Sections"
 msgstr ""
@@ -705,7 +769,7 @@ msgstr ""
 msgid "Select DNS protocol to use"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:258
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:277
 msgid "Select how often the domain or subnet lists are updated automatically"
 msgstr ""
 
@@ -722,11 +786,11 @@ msgstr ""
 msgid "Select or enter DNS server address"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:330
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:349
 msgid "Select or enter path for sing-box cache file. Change this ONLY if you know what you are doing"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:317
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:336
 msgid "Select path for sing-box config file. Change this ONLY if you know what you are doing"
 msgstr ""
 
@@ -754,7 +818,7 @@ msgstr ""
 msgid "Select the WAN interfaces to be monitored"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:337
+#: src/podkop/tabs/dashboard/initController.ts:340
 msgid "Services info"
 msgstr ""
 
@@ -767,7 +831,7 @@ msgstr ""
 msgid "Show sing-box config"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:351
+#: src/podkop/tabs/dashboard/initController.ts:354
 msgid "Sing-box"
 msgstr ""
 
@@ -799,7 +863,7 @@ msgstr ""
 msgid "Source Network Interface"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:377
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:396
 msgid "Specify a local IP address to be excluded from routing"
 msgstr ""
 
@@ -832,7 +896,7 @@ msgstr ""
 msgid "Successfully copied!"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:301
+#: src/podkop/tabs/dashboard/initController.ts:304
 msgid "System info"
 msgstr ""
 
@@ -849,11 +913,8 @@ msgid "Test latency"
 msgstr ""
 
 #: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/section.js:368
-msgid "Text List"
-msgstr ""
-
 #: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/section.js:448
-msgid "Text List (comma/space/newline separated)"
+msgid "Text List"
 msgstr ""
 
 #: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:46
@@ -876,11 +937,11 @@ msgstr ""
 msgid "Time in seconds for DNS record caching (default: 60)"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:235
+#: src/podkop/tabs/dashboard/initController.ts:238
 msgid "Traffic"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:265
+#: src/podkop/tabs/dashboard/initController.ts:268
 msgid "Traffic Total"
 msgstr ""
 
@@ -919,13 +980,13 @@ msgstr ""
 msgid "Unknown error"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:237
-#: src/podkop/tabs/dashboard/initController.ts:268
+#: src/podkop/tabs/dashboard/initController.ts:240
+#: src/podkop/tabs/dashboard/initController.ts:271
 msgid "Uplink"
 msgstr ""
 
-#: src/validators/validateProxyUrl.ts:29
-msgid "URL must start with vless://, ss://, trojan://, or socks4/5://"
+#: src/validators/validateProxyUrl.ts:37
+msgid "URL must start with vless://, ss://, trojan://, socks4/5://, or hysteria2://hy2://"
 msgstr ""
 
 #: src/validators/validateUrl.ts:17
@@ -980,6 +1041,7 @@ msgstr ""
 #: src/validators/validateDns.ts:18
 #: src/validators/validateDomain.ts:13
 #: src/validators/validateDomain.ts:30
+#: src/validators/validateHysteriaUrl.ts:111
 #: src/validators/validateIp.ts:8
 #: src/validators/validateOutboundJson.ts:7
 #: src/validators/validatePath.ts:16
@@ -1014,6 +1076,10 @@ msgstr ""
 msgid "Warning: Russia inside can only be used with %s. %s already in Russia inside and have been removed from selection."
 msgstr ""
 
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:256
+msgid "YACD Secret Key"
+msgstr ""
+
 #: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:127
 msgid "You can select Output Network Interface, by default autodetect"
 msgstr ""

fe-app-podkop/locales/podkop.ru.po

@@ -7,8 +7,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PODKOP\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-10-27 13:15+0200\n"
-"PO-Revision-Date: 2025-10-27 13:15+0200\n"
+"POT-Creation-Date: 2025-12-01 16:30+0200\n"
+"PO-Revision-Date: 2025-12-01 16:30+0200\n"
 "Last-Translator: divocat\n"
 "Language-Team: none\n"
 "Language: ru\n"
@@ -35,6 +35,9 @@ msgstr "Активные соединения"
 msgid "Additional marking rules found"
 msgstr "Найдены дополнительные правила маркировки"
 
+msgid "Allows access to YACD from the WAN. Make sure to open the appropriate port in your firewall."
+msgstr "Обеспечивает доступ к YACD из WAN. Убедитесь, что в брандмауэре открыт соответствующий порт."
+
 msgid "Applicable for SOCKS and Shadowsocks proxy"
 msgstr "Применимо для SOCKS и Shadowsocks прокси"
 
@@ -206,6 +209,9 @@ msgstr "Включить смешанный прокси-сервер, разр
 msgid "Enable YACD"
 msgstr "Включить YACD"
 
+msgid "Enable YACD WAN Access"
+msgstr "Включить доступ YACD WAN"
+
 msgid "Enter complete outbound configuration in JSON format"
 msgstr "Введите полную конфигурацию исходящего соединения в формате JSON"
 
@@ -275,6 +281,45 @@ msgstr "Неверный домен"
 msgid "Invalid format. Use X.X.X.X or X.X.X.X/Y"
 msgstr "Неверный формат. Используйте X.X.X.X или X.X.X.X/Y"
 
+msgid "Invalid HY2 URL: insecure must be 0 or 1"
+msgstr "Неверный URL Hysteria2: параметр insecure должен быть 0 или 1"
+
+msgid "Invalid HY2 URL: invalid port number"
+msgstr "Неверный URL Hysteria2: неверный номер порта"
+
+msgid "Invalid HY2 URL: missing credentials/server"
+msgstr "Неверный URL Hysteria2: отсутствуют учетные данные/сервер"
+
+msgid "Invalid HY2 URL: missing host"
+msgstr "Неверный URL Hysteria2: отсутствует хост"
+
+msgid "Invalid HY2 URL: missing host & port"
+msgstr "Неверный URL Hysteria2: отсутствуют хост и порт"
+
+msgid "Invalid HY2 URL: missing password"
+msgstr "Неверный URL Hysteria2: отсутствует пароль"
+
+msgid "Invalid HY2 URL: missing port"
+msgstr "Неверный URL Hysteria2: отсутствует порт"
+
+msgid "Invalid HY2 URL: must not contain spaces"
+msgstr "Неверный URL Hysteria2: не должен содержать пробелов"
+
+msgid "Invalid HY2 URL: must start with hysteria2:// or hy2://"
+msgstr "Неверный URL Hysteria2: должен начинаться с hysteria2:// или hy2://"
+
+msgid "Invalid HY2 URL: obfs-password required when obfs is set"
+msgstr "Неверный URL Hysteria2: требуется obfs-password, когда установлен obfs"
+
+msgid "Invalid HY2 URL: parsing failed"
+msgstr "Неверный URL Hysteria2: ошибка разбора"
+
+msgid "Invalid HY2 URL: sni cannot be empty"
+msgstr "Неверный URL Hysteria2: sni не может быть пустым"
+
+msgid "Invalid HY2 URL: unsupported obfs type"
+msgstr "Неверный URL Hysteria2: неподдерживаемый тип obfs"
+
 msgid "Invalid IP address"
 msgstr "Неверный IP-адрес"
 
@@ -497,6 +542,9 @@ msgstr "Запустить диагностику"
 msgid "Russia inside restrictions"
 msgstr "Ограничения Russia inside"
 
+msgid "Secret key for authenticating remote access to YACD when WAN access is enabled."
+msgstr "Секретный ключ для аутентификации удаленного доступа к YACD при включенном доступе через WAN."
+
 msgid "Sections"
 msgstr "Секции"
 
@@ -617,9 +665,6 @@ msgstr "Тестирование задержки"
 msgid "Text List"
 msgstr "Текстовый список"
 
-msgid "Text List (comma/space/newline separated)"
-msgstr "Текстовый список (через запятую, пробел или новую строку)"
-
 msgid "The DNS server used to look up the IP address of an upstream DNS server"
 msgstr "DNS-сервер, используемый для поиска IP-адреса вышестоящего DNS-сервера"
 
@@ -665,8 +710,8 @@ msgstr "Неизвестная ошибка"
 msgid "Uplink"
 msgstr "Исходящий"
 
-msgid "URL must start with vless://, ss://, trojan://, or socks4/5://"
-msgstr "URL должен начинаться с vless://, ss://, trojan:// или socks4/5://"
+msgid "URL must start with vless://, ss://, trojan://, socks4/5://, or hysteria2://hy2://"
+msgstr "URL должен начинаться с vless://, ss://, trojan://, socks4/5:// или hysteria2:// hy2://"
 
 msgid "URL must use one of the following protocols:"
 msgstr "URL должен использовать один из следующих протоколов:"
@@ -722,5 +767,8 @@ msgstr "Предупреждение: %s нельзя использовать
 msgid "Warning: Russia inside can only be used with %s. %s already in Russia inside and have been removed from selection."
 msgstr "Предупреждение: Russia inside может быть использован только с %s. %s уже есть в Russia inside и будет удален из выбранных."
 
+msgid "YACD Secret Key"
+msgstr "Секретный ключ YACD"
+
 msgid "You can select Output Network Interface, by default autodetect"
 msgstr "Вы можете выбрать выходной сетевой интерфейс, по умолчанию он определяется автоматически."

fe-app-podkop/src/podkop/methods/custom/getClashApiSecret.ts

@@ -0,0 +1,9 @@
+import { getConfigSections } from './getConfigSections';
+
+export async function getClashApiSecret() {
+  const sections = await getConfigSections();
+
+  const settings = sections.find((section) => section['.type'] === 'settings');
+
+  return settings?.yacd_secret_key || '';
+}

fe-app-podkop/src/podkop/methods/custom/index.ts

@@ -1,7 +1,9 @@
 import { getConfigSections } from './getConfigSections';
 import { getDashboardSections } from './getDashboardSections';
+import { getClashApiSecret } from './getClashApiSecret';
 
 export const CustomPodkopMethods = {
   getConfigSections,
   getDashboardSections,
+  getClashApiSecret,
 };

fe-app-podkop/src/podkop/tabs/dashboard/initController.ts

@@ -8,6 +8,7 @@ import { CustomPodkopMethods, PodkopShellMethods } from '../../methods';
 import { logger, socket, store, StoreType } from '../../services';
 import { renderSections, renderWidget } from './partials';
 import { fetchServicesInfo } from '../../fetchers';
+import { getClashApiSecret } from '../../methods/custom/getClashApiSecret';
 
 // Fetchers
 
@@ -38,8 +39,10 @@ async function fetchDashboardSections() {
 }
 
 async function connectToClashSockets() {
+  const clashApiSecret = await getClashApiSecret();
+
   socket.subscribe(
-    `${getClashWsUrl()}/traffic?token=`,
+    `${getClashWsUrl()}/traffic?token=${clashApiSecret}`,
     (msg) => {
       const parsedMsg = JSON.parse(msg);
 
@@ -68,7 +71,7 @@ async function connectToClashSockets() {
   );
 
   socket.subscribe(
-    `${getClashWsUrl()}/connections?token=`,
+    `${getClashWsUrl()}/connections?token=${clashApiSecret}`,
     (msg) => {
       const parsedMsg = JSON.parse(msg);
 

fe-app-podkop/src/podkop/types.ts

@@ -126,6 +126,7 @@ export namespace Podkop {
   export type ConfigSection = ConfigBaseSection & {
     '.name': string;
     '.type': 'settings' | 'section';
+    yacd_secret_key?: string;
   };
 
   export interface MethodSuccessResponse<T> {

fe-app-podkop/src/validators/tests/validateHysteriaUrl.test.js

@@ -0,0 +1,74 @@
+import { describe, it, expect } from 'vitest';
+import { validateHysteria2Url } from '../validateHysteriaUrl.js';
+
+const validUrls = [
+  // Basic password-only
+  ['password basic', 'hysteria2://pass@example.com:443/#hy2-basic'],
+
+  // insecure=1
+  [
+    'insecure allowed',
+    'hysteria2://pass@example.com:443/?insecure=1#hy2-insecure',
+  ],
+
+  // SNI
+  ['SNI param', 'hysteria2://pass@example.com:443/?sni=google.com#hy2-sni'],
+
+  // Obfuscation
+  [
+    'Obfs + password',
+    'hysteria2://mypassword@1.1.1.1:8443/?obfs=salamander&obfs-password=abc123#hy2-obfs',
+  ],
+
+  // All params
+  [
+    'All options combined',
+    'hysteria2://pw@8.8.8.8:8443/?sni=example.com&obfs=salamander&obfs-password=hello&insecure=1#hy2-full',
+  ],
+
+  // Explicit obfs=none (valid)
+  ['obfs none = ok', 'hysteria2://pw@example.com:443/?obfs=none#hy2-none'],
+];
+
+const invalidUrls = [
+  ['No prefix', 'pw@example.com:443'],
+  ['Missing password', 'hysteria2://@example.com:443/'],
+  ['Missing host', 'hysteria2://pw@:443/'],
+  ['Missing port', 'hysteria2://pw@example.com/'],
+  ['Non-numeric port', 'hysteria2://pw@example.com:port/'],
+  ['Port out of range', 'hysteria2://pw@example.com:99999/'],
+
+  // Obfuscation errors
+  ['Unknown obfs type', 'hysteria2://pw@example.com:443/?obfs=weird'],
+  [
+    'obfs without obfs-password',
+    'hysteria2://pw@example.com:443/?obfs=salamander',
+  ],
+
+  // insecure only accepts 0/1
+  ['invalid insecure', 'hysteria2://pw@example.com:443/?insecure=5'],
+
+  // SNI empty
+  ['empty sni', 'hysteria2://pw@example.com:443/?sni='],
+];
+
+describe('validateHysteria2Url', () => {
+  describe.each(validUrls)('Valid HY2 URL: %s', (_desc, url) => {
+    it(`returns valid=true for "${url}"`, () => {
+      const res = validateHysteria2Url(url);
+      expect(res.valid).toBe(true);
+    });
+  });
+
+  describe.each(invalidUrls)('Invalid HY2 URL: %s', (_desc, url) => {
+    it(`returns valid=false for "${url}"`, () => {
+      const res = validateHysteria2Url(url);
+      expect(res.valid).toBe(false);
+    });
+  });
+
+  it('detects invalid port range', () => {
+    const res = validateHysteria2Url('hysteria2://pw@example.com:70000/');
+    expect(res.valid).toBe(false);
+  });
+});

fe-app-podkop/src/validators/validateHysteriaUrl.ts

@@ -0,0 +1,117 @@
+import { ValidationResult } from './types';
+import { parseQueryString } from '../helpers/parseQueryString';
+
+export function validateHysteria2Url(url: string): ValidationResult {
+  try {
+    const isHY2 = url.startsWith('hysteria2://');
+    const isHY2Short = url.startsWith('hy2://');
+
+    if (!isHY2 && !isHY2Short) {
+      return {
+        valid: false,
+        message: _('Invalid HY2 URL: must start with hysteria2:// or hy2://'),
+      };
+    }
+
+    if (/\s/.test(url)) {
+      return {
+        valid: false,
+        message: _('Invalid HY2 URL: must not contain spaces'),
+      };
+    }
+
+    const prefix = isHY2 ? 'hysteria2://' : 'hy2://';
+    const body = url.slice(prefix.length);
+
+    const [mainPart] = body.split('#');
+    const [authHostPort, queryString] = mainPart.split('?');
+
+    if (!authHostPort)
+      return {
+        valid: false,
+        message: _('Invalid HY2 URL: missing credentials/server'),
+      };
+
+    const [passwordPart, hostPortPart] = authHostPort.split('@');
+
+    if (!passwordPart)
+      return { valid: false, message: _('Invalid HY2 URL: missing password') };
+
+    if (!hostPortPart)
+      return {
+        valid: false,
+        message: _('Invalid HY2 URL: missing host & port'),
+      };
+
+    const [host, port] = hostPortPart.split(':');
+
+    if (!host) {
+      return { valid: false, message: _('Invalid HY2 URL: missing host') };
+    }
+
+    if (!port) {
+      return { valid: false, message: _('Invalid HY2 URL: missing port') };
+    }
+
+    const cleanedPort = port.replace('/', '');
+    const portNum = Number(cleanedPort);
+
+    if (!Number.isInteger(portNum) || portNum < 1 || portNum > 65535) {
+      return {
+        valid: false,
+        message: _('Invalid HY2 URL: invalid port number'),
+      };
+    }
+
+    if (queryString) {
+      const params = parseQueryString(queryString);
+      const paramsKeys = Object.keys(params);
+
+      if (
+        paramsKeys.includes('insecure') &&
+        !['0', '1'].includes(params.insecure)
+      ) {
+        return {
+          valid: false,
+          message: _('Invalid HY2 URL: insecure must be 0 or 1'),
+        };
+      }
+
+      const validObfsTypes = ['none', 'salamander'];
+
+      if (
+        paramsKeys.includes('obfs') &&
+        !validObfsTypes.includes(params.obfs)
+      ) {
+        return {
+          valid: false,
+          message: _('Invalid HY2 URL: unsupported obfs type'),
+        };
+      }
+
+      if (
+        paramsKeys.includes('obfs') &&
+        params.obfs !== 'none' &&
+        !params['obfs-password']
+      ) {
+        return {
+          valid: false,
+          message: _(
+            'Invalid HY2 URL: obfs-password required when obfs is set',
+          ),
+        };
+      }
+
+      if (paramsKeys.includes('sni') && !params.sni) {
+        return {
+          valid: false,
+          message: _('Invalid HY2 URL: sni cannot be empty'),
+        };
+      }
+    }
+
+    return { valid: true, message: _('Valid') };
+  } catch (_e) {
+    return { valid: false, message: _('Invalid HY2 URL: parsing failed') };
+  }
+}

fe-app-podkop/src/validators/validateProxyUrl.ts

@@ -3,6 +3,7 @@ import { validateShadowsocksUrl } from './validateShadowsocksUrl';
 import { validateVlessUrl } from './validateVlessUrl';
 import { validateTrojanUrl } from './validateTrojanUrl';
 import { validateSocksUrl } from './validateSocksUrl';
+import { validateHysteria2Url } from './validateHysteriaUrl';
 
 // TODO refactor current validation and add tests
 export function validateProxyUrl(url: string): ValidationResult {
@@ -24,10 +25,17 @@ export function validateProxyUrl(url: string): ValidationResult {
     return validateSocksUrl(trimmedUrl);
   }
 
+  if (
+    trimmedUrl.startsWith('hysteria2://') ||
+    trimmedUrl.startsWith('hy2://')
+  ) {
+    return validateHysteria2Url(trimmedUrl);
+  }
+
   return {
     valid: false,
     message: _(
-      'URL must start with vless://, ss://, trojan://, or socks4/5://',
+      'URL must start with vless://, ss://, trojan://, socks4/5://, or hysteria2://hy2://',
     ),
   };
 }

install.sh

@@ -109,16 +109,16 @@ main() {
     pkg_list_update || { echo "Packages list update failed"; exit 1; }
 
     if [ -f "/etc/init.d/podkop" ]; then
-        msg "Podkop is already installed. Upgraded..."
+        msg "Podkop is already installed. Upgrading..."
     else
-        msg "Installed podkop..."
+        msg "Installing podkop..."
     fi
 
     if command -v curl >/dev/null 2>&1; then
         check_response=$(curl -s "https://api.github.com/repos/itdoginfo/podkop/releases/latest")
 
         if echo "$check_response" | grep -q 'API rate limit '; then
-            msg "You've reached rate limit from GitHub. Repeat in five minutes."
+            msg "You've reached the GitHub rate limit. Repeat in five minutes."
             exit 1
         fi
     fi
@@ -143,7 +143,7 @@ main() {
                     break
                 fi
             fi
-            msg "Download error $filename. Retry..."
+            msg "Download error for $filename. Retrying..."
             rm -f "$filepath"
             attempt=$((attempt+1))
         done
@@ -168,7 +168,7 @@ main() {
             fi
         done
         if [ -n "$file" ]; then
-            msg "Installing $file"
+            msg "Installing $file..."
             pkg_install "$DOWNLOAD_DIR/$file"
             sleep 3
         fi
@@ -183,11 +183,11 @@ main() {
     done
     if [ -n "$ru" ]; then
         if pkg_is_installed luci-i18n-podkop-ru; then
-                msg "Upgraded ru translation..."
+                msg "Upgrading Russian translation..."
                 pkg_remove luci-i18n-podkop*
                 pkg_install "$DOWNLOAD_DIR/$ru"
         else
-            msg "Русский язык интерфейса ставим? y/n (Need a Russian translation?)"
+            msg "Русский язык интерфейса ставим? y/n (Install the Russian interface language?)"
             while true; do
                 read -r -p '' RUS
                 case $RUS in
@@ -236,7 +236,7 @@ check_system() {
     fi
 
     if ! nslookup google.com >/dev/null 2>&1; then
-        msg "DNS not working"
+        msg "DNS is not working."
         exit 1
     fi
 
@@ -270,7 +270,7 @@ check_system() {
     fi
 
     if pkg_is_installed https-dns-proxy; then
-        msg "Сonflicting package detected: https-dns-proxy. Remove?"
+        msg "Conflicting package detected: https-dns-proxy. Remove?"
 
         while true; do
                 read -r -p '' DNSPROXY
@@ -300,7 +300,7 @@ sing_box() {
     required_version="1.12.4"
 
     if [ "$(printf '%s\n%s\n' "$sing_box_version" "$required_version" | sort -V | head -n 1)" != "$required_version" ]; then
-        msg "sing-box version $sing_box_version is older than required $required_version"
+        msg "sing-box version $sing_box_version is older than the required version $required_version."
         msg "Removing old version..."
         service podkop stop
         pkg_remove sing-box

luci-app-podkop/htdocs/luci-static/resources/view/podkop/main.js

@@ -448,6 +448,92 @@ function validateSocksUrl(url) {
   return { valid: true, message: _("Valid") };
 }
 
+// src/validators/validateHysteriaUrl.ts
+function validateHysteria2Url(url) {
+  try {
+    const isHY2 = url.startsWith("hysteria2://");
+    const isHY2Short = url.startsWith("hy2://");
+    if (!isHY2 && !isHY2Short) {
+      return {
+        valid: false,
+        message: _("Invalid HY2 URL: must start with hysteria2:// or hy2://")
+      };
+    }
+    if (/\s/.test(url)) {
+      return {
+        valid: false,
+        message: _("Invalid HY2 URL: must not contain spaces")
+      };
+    }
+    const prefix = isHY2 ? "hysteria2://" : "hy2://";
+    const body = url.slice(prefix.length);
+    const [mainPart] = body.split("#");
+    const [authHostPort, queryString] = mainPart.split("?");
+    if (!authHostPort)
+      return {
+        valid: false,
+        message: _("Invalid HY2 URL: missing credentials/server")
+      };
+    const [passwordPart, hostPortPart] = authHostPort.split("@");
+    if (!passwordPart)
+      return { valid: false, message: _("Invalid HY2 URL: missing password") };
+    if (!hostPortPart)
+      return {
+        valid: false,
+        message: _("Invalid HY2 URL: missing host & port")
+      };
+    const [host, port] = hostPortPart.split(":");
+    if (!host) {
+      return { valid: false, message: _("Invalid HY2 URL: missing host") };
+    }
+    if (!port) {
+      return { valid: false, message: _("Invalid HY2 URL: missing port") };
+    }
+    const cleanedPort = port.replace("/", "");
+    const portNum = Number(cleanedPort);
+    if (!Number.isInteger(portNum) || portNum < 1 || portNum > 65535) {
+      return {
+        valid: false,
+        message: _("Invalid HY2 URL: invalid port number")
+      };
+    }
+    if (queryString) {
+      const params = parseQueryString(queryString);
+      const paramsKeys = Object.keys(params);
+      if (paramsKeys.includes("insecure") && !["0", "1"].includes(params.insecure)) {
+        return {
+          valid: false,
+          message: _("Invalid HY2 URL: insecure must be 0 or 1")
+        };
+      }
+      const validObfsTypes = ["none", "salamander"];
+      if (paramsKeys.includes("obfs") && !validObfsTypes.includes(params.obfs)) {
+        return {
+          valid: false,
+          message: _("Invalid HY2 URL: unsupported obfs type")
+        };
+      }
+      if (paramsKeys.includes("obfs") && params.obfs !== "none" && !params["obfs-password"]) {
+        return {
+          valid: false,
+          message: _(
+            "Invalid HY2 URL: obfs-password required when obfs is set"
+          )
+        };
+      }
+      if (paramsKeys.includes("sni") && !params.sni) {
+        return {
+          valid: false,
+          message: _("Invalid HY2 URL: sni cannot be empty")
+        };
+      }
+    }
+    return { valid: true, message: _("Valid") };
+  } catch (_e) {
+    return { valid: false, message: _("Invalid HY2 URL: parsing failed") };
+  }
+}
+
 // src/validators/validateProxyUrl.ts
 function validateProxyUrl(url) {
   const trimmedUrl = url.trim();
@@ -463,10 +549,13 @@ function validateProxyUrl(url) {
   if (/^socks(4|4a|5):\/\//.test(trimmedUrl)) {
     return validateSocksUrl(trimmedUrl);
   }
+  if (trimmedUrl.startsWith("hysteria2://") || trimmedUrl.startsWith("hy2://")) {
+    return validateHysteria2Url(trimmedUrl);
+  }
   return {
     valid: false,
     message: _(
-      "URL must start with vless://, ss://, trojan://, or socks4/5://"
+      "URL must start with vless://, ss://, trojan://, socks4/5://, or hysteria2://hy2://"
     )
   };
 }
@@ -731,10 +820,18 @@ async function getDashboardSections() {
   };
 }
 
+// src/podkop/methods/custom/getClashApiSecret.ts
+async function getClashApiSecret() {
+  const sections = await getConfigSections();
+  const settings = sections.find((section) => section[".type"] === "settings");
+  return settings?.yacd_secret_key || "";
+}
+
 // src/podkop/methods/custom/index.ts
 var CustomPodkopMethods = {
   getConfigSections,
-  getDashboardSections
+  getDashboardSections,
+  getClashApiSecret
 };
 
 // src/constants.ts
@@ -1876,8 +1973,9 @@ async function fetchDashboardSections() {
   });
 }
 async function connectToClashSockets() {
+  const clashApiSecret = await getClashApiSecret();
   socket.subscribe(
-    `${getClashWsUrl()}/traffic?token=`,
+    `${getClashWsUrl()}/traffic?token=${clashApiSecret}`,
     (msg) => {
       const parsedMsg = JSON.parse(msg);
       store.set({
@@ -1904,7 +2002,7 @@ async function connectToClashSockets() {
     }
   );
   socket.subscribe(
-    `${getClashWsUrl()}/connections?token=`,
+    `${getClashWsUrl()}/connections?token=${clashApiSecret}`,
     (msg) => {
       const parsedMsg = JSON.parse(msg);
       store.set({

luci-app-podkop/htdocs/luci-static/resources/view/podkop/section.js

@@ -87,7 +87,7 @@ function createSectionContent(section) {
     _("URLTest Proxy Links"),
   );
   o.depends("proxy_config_type", "urltest");
-  o.placeholder = "vless://, ss://, trojan://, socks4/5:// links";
+  o.placeholder = "vless://, ss://, trojan://, socks4/5://, hy2/hysteria2:// links";
   o.rmempty = false;
   o.validate = function (section_id, value) {
     // Optional
@@ -445,7 +445,7 @@ function createSectionContent(section) {
   );
   o.value("disabled", _("Disabled"));
   o.value("dynamic", _("Dynamic List"));
-  o.value("text", _("Text List (comma/space/newline separated)"));
+  o.value("text", _("Text List"));
   o.default = "disabled";
   o.rmempty = false;
 

luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js

@@ -240,6 +240,25 @@ function createSettingsContent(section) {
   o.default = "0";
   o.rmempty = false;
 
+  o = section.option(
+    form.Flag,
+    "enable_yacd_wan_access",
+    _("Enable YACD WAN Access"),
+    _("Allows access to YACD from the WAN. Make sure to open the appropriate port in your firewall."),
+  );
+  o.depends("enable_yacd", "1");
+  o.default = "0";
+  o.rmempty = false;
+
+  o = section.option(
+    form.Value,
+    "yacd_secret_key",
+    _("YACD Secret Key"),
+    _("Secret key for authenticating remote access to YACD when WAN access is enabled."),
+  );
+  o.depends("enable_yacd_wan_access", "1");
+  o.rmempty = false;
+
   o = section.option(
     form.Flag,
     "disable_quic",

luci-app-podkop/po/ru/podkop.po

@@ -7,8 +7,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PODKOP\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-10-27 13:15+0200\n"
-"PO-Revision-Date: 2025-10-27 13:15+0200\n"
+"POT-Creation-Date: 2025-12-01 16:30+0200\n"
+"PO-Revision-Date: 2025-12-01 16:30+0200\n"
 "Last-Translator: divocat\n"
 "Language-Team: none\n"
 "Language: ru\n"
@@ -35,6 +35,9 @@ msgstr "Активные соединения"
 msgid "Additional marking rules found"
 msgstr "Найдены дополнительные правила маркировки"
 
+msgid "Allows access to YACD from the WAN. Make sure to open the appropriate port in your firewall."
+msgstr "Обеспечивает доступ к YACD из WAN. Убедитесь, что в брандмауэре открыт соответствующий порт."
+
 msgid "Applicable for SOCKS and Shadowsocks proxy"
 msgstr "Применимо для SOCKS и Shadowsocks прокси"
 
@@ -206,6 +209,9 @@ msgstr "Включить смешанный прокси-сервер, разр
 msgid "Enable YACD"
 msgstr "Включить YACD"
 
+msgid "Enable YACD WAN Access"
+msgstr "Включить доступ YACD WAN"
+
 msgid "Enter complete outbound configuration in JSON format"
 msgstr "Введите полную конфигурацию исходящего соединения в формате JSON"
 
@@ -275,6 +281,45 @@ msgstr "Неверный домен"
 msgid "Invalid format. Use X.X.X.X or X.X.X.X/Y"
 msgstr "Неверный формат. Используйте X.X.X.X или X.X.X.X/Y"
 
+msgid "Invalid HY2 URL: insecure must be 0 or 1"
+msgstr "Неверный URL Hysteria2: параметр insecure должен быть 0 или 1"
+
+msgid "Invalid HY2 URL: invalid port number"
+msgstr "Неверный URL Hysteria2: неверный номер порта"
+
+msgid "Invalid HY2 URL: missing credentials/server"
+msgstr "Неверный URL Hysteria2: отсутствуют учетные данные/сервер"
+
+msgid "Invalid HY2 URL: missing host"
+msgstr "Неверный URL Hysteria2: отсутствует хост"
+
+msgid "Invalid HY2 URL: missing host & port"
+msgstr "Неверный URL Hysteria2: отсутствуют хост и порт"
+
+msgid "Invalid HY2 URL: missing password"
+msgstr "Неверный URL Hysteria2: отсутствует пароль"
+
+msgid "Invalid HY2 URL: missing port"
+msgstr "Неверный URL Hysteria2: отсутствует порт"
+
+msgid "Invalid HY2 URL: must not contain spaces"
+msgstr "Неверный URL Hysteria2: не должен содержать пробелов"
+
+msgid "Invalid HY2 URL: must start with hysteria2:// or hy2://"
+msgstr "Неверный URL Hysteria2: должен начинаться с hysteria2:// или hy2://"
+
+msgid "Invalid HY2 URL: obfs-password required when obfs is set"
+msgstr "Неверный URL Hysteria2: требуется obfs-password, когда установлен obfs"
+
+msgid "Invalid HY2 URL: parsing failed"
+msgstr "Неверный URL Hysteria2: ошибка разбора"
+
+msgid "Invalid HY2 URL: sni cannot be empty"
+msgstr "Неверный URL Hysteria2: sni не может быть пустым"
+
+msgid "Invalid HY2 URL: unsupported obfs type"
+msgstr "Неверный URL Hysteria2: неподдерживаемый тип obfs"
+
 msgid "Invalid IP address"
 msgstr "Неверный IP-адрес"
 
@@ -497,6 +542,9 @@ msgstr "Запустить диагностику"
 msgid "Russia inside restrictions"
 msgstr "Ограничения Russia inside"
 
+msgid "Secret key for authenticating remote access to YACD when WAN access is enabled."
+msgstr "Секретный ключ для аутентификации удаленного доступа к YACD при включенном доступе через WAN."
+
 msgid "Sections"
 msgstr "Секции"
 
@@ -617,9 +665,6 @@ msgstr "Тестирование задержки"
 msgid "Text List"
 msgstr "Текстовый список"
 
-msgid "Text List (comma/space/newline separated)"
-msgstr "Текстовый список (через запятую, пробел или новую строку)"
-
 msgid "The DNS server used to look up the IP address of an upstream DNS server"
 msgstr "DNS-сервер, используемый для поиска IP-адреса вышестоящего DNS-сервера"
 
@@ -665,8 +710,8 @@ msgstr "Неизвестная ошибка"
 msgid "Uplink"
 msgstr "Исходящий"
 
-msgid "URL must start with vless://, ss://, trojan://, or socks4/5://"
-msgstr "URL должен начинаться с vless://, ss://, trojan:// или socks4/5://"
+msgid "URL must start with vless://, ss://, trojan://, socks4/5://, or hysteria2://hy2://"
+msgstr "URL должен начинаться с vless://, ss://, trojan://, socks4/5:// или hysteria2:// hy2://"
 
 msgid "URL must use one of the following protocols:"
 msgstr "URL должен использовать один из следующих протоколов:"
@@ -681,10 +726,10 @@ msgid "URLTest Proxy Links"
 msgstr "Ссылки прокси для URLTest"
 
 msgid "URLTest Testing URL"
-msgstr "URL для тестирования URLTest"
+msgstr "URLTest ссылка для проверки"
 
 msgid "URLTest Tolerance"
-msgstr "Порог переключения URLTest"
+msgstr "URLTest допустимое отклонение"
 
 msgid "User Domain List Type"
 msgstr "Тип пользовательского списка доменов"
@@ -722,5 +767,8 @@ msgstr "Предупреждение: %s нельзя использовать
 msgid "Warning: Russia inside can only be used with %s. %s already in Russia inside and have been removed from selection."
 msgstr "Предупреждение: Russia inside может быть использован только с %s. %s уже есть в Russia inside и будет удален из выбранных."
 
+msgid "YACD Secret Key"
+msgstr "Секретный ключ YACD"
+
 msgid "You can select Output Network Interface, by default autodetect"
 msgstr "Вы можете выбрать выходной сетевой интерфейс, по умолчанию он определяется автоматически."

luci-app-podkop/po/templates/podkop.pot

@@ -7,8 +7,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PODKOP\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-10-27 11:15+0200\n"
-"PO-Revision-Date: 2025-10-27 11:15+0200\n"
+"POT-Creation-Date: 2025-12-01 14:30+0200\n"
+"PO-Revision-Date: 2025-12-01 14:30+0200\n"
 "Last-Translator: divocat <divocatt@gmail.com>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 "Language: \n"
@@ -16,23 +16,23 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 
-#: src/podkop/tabs/dashboard/initController.ts:342
+#: src/podkop/tabs/dashboard/initController.ts:345
 msgid "✔ Enabled"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:353
+#: src/podkop/tabs/dashboard/initController.ts:356
 msgid "✔ Running"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:343
+#: src/podkop/tabs/dashboard/initController.ts:346
 msgid "✘ Disabled"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:354
+#: src/podkop/tabs/dashboard/initController.ts:357
 msgid "✘ Stopped"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:304
+#: src/podkop/tabs/dashboard/initController.ts:307
 msgid "Active Connections"
 msgstr ""
 
@@ -40,6 +40,10 @@ msgstr ""
 msgid "Additional marking rules found"
 msgstr ""
 
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:247
+msgid "Allows access to YACD from the WAN. Make sure to open the appropriate port in your firewall."
+msgstr ""
+
 #: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/section.js:175
 msgid "Applicable for SOCKS and Shadowsocks proxy"
 msgstr ""
@@ -72,11 +76,11 @@ msgstr ""
 msgid "Browser is using FakeIP correctly"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:329
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:348
 msgid "Cache File Path"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:343
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:362
 msgid "Cache file path cannot be empty"
 msgstr ""
 
@@ -119,7 +123,7 @@ msgstr ""
 msgid "Community Lists"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:316
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:335
 msgid "Config File Path"
 msgstr ""
 
@@ -175,11 +179,11 @@ msgstr ""
 msgid "Disable autostart"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:246
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:265
 msgid "Disable QUIC"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:247
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:266
 msgid "Disable the QUIC protocol to improve compatibility or fix issues with video streaming"
 msgstr ""
 
@@ -228,12 +232,12 @@ msgstr ""
 msgid "Domain Resolver"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:307
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:326
 msgid "Dont Touch My DHCP!"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:238
-#: src/podkop/tabs/dashboard/initController.ts:272
+#: src/podkop/tabs/dashboard/initController.ts:241
+#: src/podkop/tabs/dashboard/initController.ts:275
 msgid "Downlink"
 msgstr ""
 
@@ -241,16 +245,16 @@ msgstr ""
 msgid "Download"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:269
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:288
 msgid "Download Lists via Proxy/VPN"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:278
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:297
 msgid "Download Lists via specific proxy section"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:270
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:279
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:289
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:298
 msgid "Downloading all lists via specific Proxy/VPN"
 msgstr ""
 
@@ -283,6 +287,10 @@ msgstr ""
 msgid "Enable YACD"
 msgstr ""
 
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:246
+msgid "Enable YACD WAN Access"
+msgstr ""
+
 #: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/section.js:65
 msgid "Enter complete outbound configuration in JSON format"
 msgstr ""
@@ -315,11 +323,11 @@ msgstr ""
 msgid "Every 5 minutes"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:365
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:384
 msgid "Exclude NTP"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:366
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:385
 msgid "Exclude NTP protocol traffic from the tunnel to prevent it from being routed through the proxy or VPN"
 msgstr ""
 
@@ -382,6 +390,58 @@ msgstr ""
 msgid "Invalid format. Use X.X.X.X or X.X.X.X/Y"
 msgstr ""
 
+#: src/validators/validateHysteriaUrl.ts:76
+msgid "Invalid HY2 URL: insecure must be 0 or 1"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:62
+msgid "Invalid HY2 URL: invalid port number"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:32
+msgid "Invalid HY2 URL: missing credentials/server"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:49
+msgid "Invalid HY2 URL: missing host"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:43
+msgid "Invalid HY2 URL: missing host & port"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:38
+msgid "Invalid HY2 URL: missing password"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:53
+msgid "Invalid HY2 URL: missing port"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:19
+msgid "Invalid HY2 URL: must not contain spaces"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:12
+msgid "Invalid HY2 URL: must start with hysteria2:// or hy2://"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:99
+msgid "Invalid HY2 URL: obfs-password required when obfs is set"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:113
+msgid "Invalid HY2 URL: parsing failed"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:106
+msgid "Invalid HY2 URL: sni cannot be empty"
+msgstr ""
+
+#: src/validators/validateHysteriaUrl.ts:88
+msgid "Invalid HY2 URL: unsupported obfs type"
+msgstr ""
+
 #: src/validators/validateIp.ts:11
 msgid "Invalid IP address"
 msgstr ""
@@ -503,7 +563,7 @@ msgstr ""
 msgid "Latest"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:257
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:276
 msgid "List Update Frequency"
 msgstr ""
 
@@ -519,7 +579,7 @@ msgstr ""
 msgid "Main DNS"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:308
+#: src/podkop/tabs/dashboard/initController.ts:311
 msgid "Memory Usage"
 msgstr ""
 
@@ -585,15 +645,15 @@ msgstr ""
 msgid "Path cannot be empty"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:347
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:366
 msgid "Path must be absolute (start with /)"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:356
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:375
 msgid "Path must contain at least one directory (like /tmp/cache.db)"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:351
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:370
 msgid "Path must end with cache.db"
 msgstr ""
 
@@ -605,7 +665,7 @@ msgstr ""
 msgid "Pending"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:340
+#: src/podkop/tabs/dashboard/initController.ts:343
 msgid "Podkop"
 msgstr ""
 
@@ -613,7 +673,7 @@ msgstr ""
 msgid "Podkop Settings"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:308
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:327
 msgid "Podkop will not modify your DHCP configuration"
 msgstr ""
 
@@ -653,7 +713,7 @@ msgstr ""
 msgid "Router DNS is routed through sing-box"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:376
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:395
 msgid "Routing Excluded IPs"
 msgstr ""
 
@@ -689,6 +749,10 @@ msgstr ""
 msgid "Russia inside restrictions"
 msgstr ""
 
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:257
+msgid "Secret key for authenticating remote access to YACD when WAN access is enabled."
+msgstr ""
+
 #: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/podkop.js:36
 msgid "Sections"
 msgstr ""
@@ -705,7 +769,7 @@ msgstr ""
 msgid "Select DNS protocol to use"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:258
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:277
 msgid "Select how often the domain or subnet lists are updated automatically"
 msgstr ""
 
@@ -722,11 +786,11 @@ msgstr ""
 msgid "Select or enter DNS server address"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:330
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:349
 msgid "Select or enter path for sing-box cache file. Change this ONLY if you know what you are doing"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:317
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:336
 msgid "Select path for sing-box config file. Change this ONLY if you know what you are doing"
 msgstr ""
 
@@ -754,7 +818,7 @@ msgstr ""
 msgid "Select the WAN interfaces to be monitored"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:337
+#: src/podkop/tabs/dashboard/initController.ts:340
 msgid "Services info"
 msgstr ""
 
@@ -767,7 +831,7 @@ msgstr ""
 msgid "Show sing-box config"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:351
+#: src/podkop/tabs/dashboard/initController.ts:354
 msgid "Sing-box"
 msgstr ""
 
@@ -799,7 +863,7 @@ msgstr ""
 msgid "Source Network Interface"
 msgstr ""
 
-#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:377
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:396
 msgid "Specify a local IP address to be excluded from routing"
 msgstr ""
 
@@ -832,7 +896,7 @@ msgstr ""
 msgid "Successfully copied!"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:301
+#: src/podkop/tabs/dashboard/initController.ts:304
 msgid "System info"
 msgstr ""
 
@@ -849,11 +913,8 @@ msgid "Test latency"
 msgstr ""
 
 #: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/section.js:368
-msgid "Text List"
-msgstr ""
-
 #: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/section.js:448
-msgid "Text List (comma/space/newline separated)"
+msgid "Text List"
 msgstr ""
 
 #: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:46
@@ -876,11 +937,11 @@ msgstr ""
 msgid "Time in seconds for DNS record caching (default: 60)"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:235
+#: src/podkop/tabs/dashboard/initController.ts:238
 msgid "Traffic"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:265
+#: src/podkop/tabs/dashboard/initController.ts:268
 msgid "Traffic Total"
 msgstr ""
 
@@ -919,13 +980,13 @@ msgstr ""
 msgid "Unknown error"
 msgstr ""
 
-#: src/podkop/tabs/dashboard/initController.ts:237
-#: src/podkop/tabs/dashboard/initController.ts:268
+#: src/podkop/tabs/dashboard/initController.ts:240
+#: src/podkop/tabs/dashboard/initController.ts:271
 msgid "Uplink"
 msgstr ""
 
-#: src/validators/validateProxyUrl.ts:29
-msgid "URL must start with vless://, ss://, trojan://, or socks4/5://"
+#: src/validators/validateProxyUrl.ts:37
+msgid "URL must start with vless://, ss://, trojan://, socks4/5://, or hysteria2://hy2://"
 msgstr ""
 
 #: src/validators/validateUrl.ts:17
@@ -980,6 +1041,7 @@ msgstr ""
 #: src/validators/validateDns.ts:18
 #: src/validators/validateDomain.ts:13
 #: src/validators/validateDomain.ts:30
+#: src/validators/validateHysteriaUrl.ts:111
 #: src/validators/validateIp.ts:8
 #: src/validators/validateOutboundJson.ts:7
 #: src/validators/validatePath.ts:16
@@ -1014,6 +1076,10 @@ msgstr ""
 msgid "Warning: Russia inside can only be used with %s. %s already in Russia inside and have been removed from selection."
 msgstr ""
 
+#: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:256
+msgid "YACD Secret Key"
+msgstr ""
+
 #: ../luci-app-podkop/htdocs/luci-static/resources/view/podkop/settings.js:127
 msgid "You can select Output Network Interface, by default autodetect"
 msgstr ""

podkop/files/usr/bin/podkop

@@ -18,6 +18,7 @@ check_required_file "$PODKOP_LIB/helpers.sh"
 check_required_file "$PODKOP_LIB/sing_box_config_manager.sh"
 check_required_file "$PODKOP_LIB/sing_box_config_facade.sh"
 check_required_file "$PODKOP_LIB/logging.sh"
+check_required_file "$PODKOP_LIB/rulesets.sh"
 . /lib/config/uci.sh
 . /lib/functions.sh
 . "$PODKOP_LIB/constants.sh"
@@ -26,6 +27,7 @@ check_required_file "$PODKOP_LIB/logging.sh"
 . "$PODKOP_LIB/sing_box_config_manager.sh"
 . "$PODKOP_LIB/sing_box_config_facade.sh"
 . "$PODKOP_LIB/logging.sh"
+. "$PODKOP_LIB/rulesets.sh"
 
 config_load "$PODKOP_CONFIG"
 
@@ -123,36 +125,19 @@ start_main() {
 
     # base
     route_table_rule_mark
-    create_nft_table
-    sing_box_uci
+    create_nft_rules
+    sing_box_configure_service
 
     # sing-box
     sing_box_init_config
     config_foreach add_cron_job "section"
     /etc/init.d/sing-box start
 
-    local exclude_ntp
-    config_get_bool exclude_ntp "settings" "exclude_ntp" "0"
-    if [ "$exclude_ntp" -eq 1 ]; then
-        log "NTP traffic exclude for proxy"
-        nft insert rule inet "$NFT_TABLE_NAME" mangle udp dport 123 return
-    fi
-
     log "Nice"
     list_update &
     echo $! > /var/run/podkop_list_update.pid
 }
 
-start() {
-    start_main
-    config_get_bool dont_touch_dhcp "settings" "dont_touch_dhcp" 0
-    if [ "$dont_touch_dhcp" -eq 0 ]; then
-        dnsmasq_add_resolver
-    fi
-    uci_set "podkop" "settings" "shutdown_correctly" 0
-    uci commit "podkop" && config_load "$PODKOP_CONFIG"
-}
-
 stop_main() {
     log "Stopping the podkop"
 
@@ -188,13 +173,27 @@ stop_main() {
     /etc/init.d/sing-box stop
 }
 
+start() {
+    start_main
+
+    config_get_bool dont_touch_dhcp "settings" "dont_touch_dhcp" 0
+    if [ "$dont_touch_dhcp" -eq 0 ]; then
+        dnsmasq_configure
+    fi
+
+    uci_set "podkop" "settings" "shutdown_correctly" 0
+    uci commit "podkop" && config_load "$PODKOP_CONFIG"
+}
+
 stop() {
     local dont_touch_dhcp
     config_get_bool dont_touch_dhcp "settings" "dont_touch_dhcp" 0
     if [ "$dont_touch_dhcp" -eq 0 ]; then
         dnsmasq_restore
     fi
+
     stop_main
+
     uci_set "podkop" "settings" "shutdown_correctly" 1
     uci commit "podkop" && config_load "$PODKOP_CONFIG"
 }
@@ -279,12 +278,10 @@ nft_init_interfaces_set() {
     done
 }
 
-create_nft_table() {
+create_nft_rules() {
     log "Create nft table"
     nft_create_table "$NFT_TABLE_NAME"
 
-    nft_init_interfaces_set
-
     log "Create localv4 set"
     nft_create_ipv4_set "$NFT_TABLE_NAME" "$NFT_LOCALV4_SET_NAME"
     nft add element inet "$NFT_TABLE_NAME" localv4 '{
@@ -326,7 +323,14 @@ create_nft_table() {
     nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "@$NFT_COMMON_SET_NAME" meta l4proto tcp meta mark set 0x105 counter
     nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "@$NFT_COMMON_SET_NAME" meta l4proto udp meta mark set 0x105 counter
     nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "$SB_FAKEIP_INET4_RANGE" meta l4proto tcp meta mark set 0x105 counter
-    nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "$SB_FAKEIP_INET4_RANGE" meta l4proto tcp meta mark set 0x105 counter
+    nft add rule inet "$NFT_TABLE_NAME" mangle_output ip daddr "$SB_FAKEIP_INET4_RANGE" meta l4proto udp meta mark set 0x105 counter
+
+    local exclude_ntp
+    config_get_bool exclude_ntp "settings" "exclude_ntp" "0"
+    if [ "$exclude_ntp" -eq 1 ]; then
+        log "NTP traffic exclude for proxy"
+        nft insert rule inet "$NFT_TABLE_NAME" mangle udp dport 123 return
+    fi
 }
 
 backup_dnsmasq_config_option() {
@@ -340,7 +344,7 @@ backup_dnsmasq_config_option() {
     fi
 }
 
-dnsmasq_add_resolver() {
+dnsmasq_configure() {
     local shutdown_correctly
     config_get shutdown_correctly "settings" "shutdown_correctly"
     if [ "$shutdown_correctly" -eq 0 ]; then
@@ -472,42 +476,55 @@ remove_cron_job() {
 list_update() {
     echolog "🔄 Starting lists update..."
 
+    local nslookup_timeout=3
+    local nslookup_attempts=10
+    local curl_timeout=5
+    local curl_attempts=10
+    local curl_max_timeout=10
+    local delay=3
     local i
 
-    for i in $(seq 1 60); do
-        if nslookup -timeout=1 openwrt.org > /dev/null 2>&1; then
+    # DNS Check
+    for i in $(seq 1 $nslookup_timeout); do
+        if nslookup -timeout=$nslookup_timeout openwrt.org > /dev/null 2>&1; then
             echolog "✅ DNS check passed"
             break
         fi
-        log "DNS is unavailable [$i/60]"
-        sleep 3
+        echolog "DNS is unavailable [$i/$nslookup_attempts]"
+        sleep $delay
     done
 
-    if [ "$i" -eq 60 ]; then
-        echolog "❌ DNS check failed after 60 attempts"
+    if [ "$i" -eq $nslookup_attempts ]; then
+        echolog "❌ DNS check failed after $nslookup_attempts attempts"
         return 1
     fi
 
-    for i in $(seq 1 60); do
-        config_get_bool download_lists_via_proxy "settings" "download_lists_via_proxy" "0"
-        if [ "$download_lists_via_proxy" -eq 1 ]; then
-            if http_proxy="http://127.0.0.1:4534" https_proxy="http://127.0.0.1:4534" curl -s -m 3 https://github.com > /dev/null; then
+    # Github Check
+    for i in $(seq 1 $curl_attempts); do
+        local service_proxy_address
+        service_proxy_address="$(get_service_proxy_address)"
+
+        if [ -n "$http_proxy_address" ]; then
+            if curl -s -x "http://$service_proxy_address" -m $curl_timeout https://github.com > /dev/null; then
                 echolog "✅ GitHub connection check passed (via proxy)"
                 break
             fi
         else
-            if curl -s -m 3 https://github.com > /dev/null; then
+            if curl -s -m $curl_timeout https://github.com > /dev/null; then
                 echolog "✅ GitHub connection check passed"
                 break
             fi
         fi
 
-        echolog "GitHub is unavailable [$i/60]"
-        sleep 3
+        echolog "GitHub is unavailable [$i/$curl_attempts] (max-timeout=$curl_timeout)"
+        if [ "$curl_timeout" -lt $curl_max_timeout ]; then
+            curl_timeout=$((curl_timeout + 1))
+        fi
+        sleep $delay
     done
 
-    if [ "$i" -eq 60 ]; then
-        echolog "❌ GitHub connection check failed after 60 attempts"
+    if [ "$i" -eq $curl_attempts ]; then
+        echolog "❌ GitHub connection check failed after $curl_attempts attempts"
         return 1
     fi
 
@@ -525,30 +542,30 @@ list_update() {
 }
 
 # sing-box funcs
-
-sing_box_uci() {
+sing_box_configure_service() {
     local sing_box_enabled sing_box_user sing_box_config_path sing_box_conffile
-    sing_box_enabled=$(uci get "sing-box.main.enabled")
-    sing_box_user=$(uci get "sing-box.main.user")
+    sing_box_enabled="$(uci_get "sing-box" "main" "enabled")"
+    sing_box_user="$(uci_get "sing-box" "main" "user")"
+
     if [ "$sing_box_enabled" -ne 1 ]; then
-        uci set "sing-box.main.enabled=1"
-        uci commit "sing-box"
+        uci_set "sing-box" "main" "enabled" 1
+        uci_commit "sing-box"
         log "sing-box service has been enabled"
     fi
 
     if [ "$sing_box_user" != "root" ]; then
-        uci set "sing-box.main.user=root"
-        uci commit "sing-box"
+        uci_set "sing-box" "main" "user" "root"
+        uci_commit "sing-box"
         log "sing-box service user has been changed to root"
     fi
 
     config_get sing_box_config_path "settings" "config_path"
-    sing_box_conffile=$(uci get "sing-box.main.conffile")
+    sing_box_conffile="$(uci_get "sing-box" "main" "conffile")"
     log "sing-box config path: $sing_box_config_path" "debug"
     log "sing-box service conffile: $sing_box_conffile" "debug"
     if [ "$sing_box_conffile" != "$sing_box_config_path" ]; then
-        uci set "sing-box.main.conffile=$sing_box_config_path"
-        uci commit "sing-box"
+        uci_set "sing-box" "main" "conffile" "$sing_box_config_path"
+        uci_commit "sing-box"
         log "Configuration file path has been set to $sing_box_config_path"
     fi
 
@@ -865,66 +882,37 @@ configure_routing_for_section_lists() {
 
     if [ "$user_domain_list_type" != "disabled" ]; then
         log "Processing user domains routing rules for '$section' section"
-        prepare_common_ruleset "$section" "domains" "$route_rule_tag"
-        configure_user_domain_or_subnets_list "$section" "domains" "$route_rule_tag"
+        configure_user_domain_list "$section" "$route_rule_tag"
     fi
 
     if [ "$user_subnet_list_type" != "disabled" ]; then
         log "Processing user subnets routing rules for '$section' section"
-        prepare_common_ruleset "$section" "subnets" "$route_rule_tag"
-        configure_user_domain_or_subnets_list "$section" "subnets" "$route_rule_tag"
+        configure_user_subnet_list "$section" "$route_rule_tag"
     fi
 
     if [ -n "$local_domain_lists" ]; then
         log "Processing local domains routing rules for '$section' section"
-        configure_local_domain_or_subnet_lists "$section" "domains" "$route_rule_tag"
+        configure_local_domain_lists "$section" "$route_rule_tag"
     fi
 
     if [ -n "$local_subnet_lists" ]; then
         log "Processing local subnets routing rules for '$section' section"
-        configure_local_domain_or_subnet_lists "$section" "subnets" "$route_rule_tag"
+        configure_local_subnet_lists "$section" "$route_rule_tag"
     fi
 
     if [ -n "$remote_domain_lists" ]; then
         log "Processing remote domains routing rules for '$section' section"
-        prepare_common_ruleset "$section" "domains" "$route_rule_tag"
         config_list_foreach "$section" "remote_domain_lists" configure_remote_domain_or_subnet_list_handler \
             "domains" "$section" "$route_rule_tag"
     fi
 
     if [ -n "$remote_subnet_lists" ]; then
         log "Processing remote subnets routing rules for '$section' section"
-        prepare_common_ruleset "$section" "subnets" "$route_rule_tag"
         config_list_foreach "$section" "remote_subnet_lists" configure_remote_domain_or_subnet_list_handler \
             "subnets" "$section" "$route_rule_tag"
     fi
 }
 
-prepare_common_ruleset() {
-    local section="$1"
-    local type="$2"
-    local route_rule_tag="$3"
-
-    log "Preparing a common $type ruleset for '$section' section" "debug"
-    ruleset_tag=$(get_ruleset_tag "$section" "common" "$type")
-    ruleset_filename="$ruleset_tag.json"
-    ruleset_filepath="$TMP_RULESET_FOLDER/$ruleset_filename"
-    if file_exists "$ruleset_filepath"; then
-        log "Ruleset $ruleset_filepath already exists. Skipping." "debug"
-    else
-        sing_box_cm_create_local_source_ruleset "$ruleset_filepath"
-        config=$(sing_box_cm_add_local_ruleset "$config" "$ruleset_tag" "source" "$ruleset_filepath")
-        config=$(sing_box_cm_patch_route_rule "$config" "$route_rule_tag" "rule_set" "$ruleset_tag")
-        case "$type" in
-        domains)
-            config=$(sing_box_cm_patch_dns_route_rule "$config" "$SB_FAKEIP_DNS_RULE_TAG" "rule_set" "$ruleset_tag")
-            ;;
-        subnets) ;;
-        *) log "Unsupported remote rule set type: $type" "error" ;;
-        esac
-    fi
-}
-
 configure_community_list_handler() {
     local tag="$1"
     local section="$2"
@@ -942,99 +930,113 @@ configure_community_list_handler() {
     config=$(sing_box_cm_patch_dns_route_rule "$config" "$SB_FAKEIP_DNS_RULE_TAG" "rule_set" "$ruleset_tag")
 }
 
-configure_user_domain_or_subnets_list() {
+prepare_source_ruleset() {
     local section="$1"
-    local type="$2"
+    local name="$2"
+    local type="$3"
+    local route_rule_tag="$4"
 
-    local items ruleset_tag ruleset_filename ruleset_filepath json_array
+    log "Preparing a $name $type rule set for '$section' section" "debug"
+    ruleset_tag=$(get_ruleset_tag "$section" "$name" "$type")
+    ruleset_filepath="$TMP_RULESET_FOLDER/$ruleset_tag.json"
+    create_source_rule_set "$ruleset_filepath"
+    case $? in
+    0)
+        config=$(sing_box_cm_add_local_ruleset "$config" "$ruleset_tag" "source" "$ruleset_filepath")
+        config=$(sing_box_cm_patch_route_rule "$config" "$route_rule_tag" "rule_set" "$ruleset_tag")
         case "$type" in
         domains)
-        local user_domain_list_type
+            config=$(sing_box_cm_patch_dns_route_rule "$config" "$SB_FAKEIP_DNS_RULE_TAG" "rule_set" "$ruleset_tag")
+            ;;
+        subnets) ;;
+        *)
+            log "Unsupported remote rule set type: $type" "error"
+            return 1
+            ;;
+        esac
+        ;;
+    3) log "Source rule set $ruleset_filepath already exists, skipping." "debug" ;;
+    esac
+}
+
+configure_user_domain_list() {
+    local section="$1"
+    local route_rule_tag="$2"
+
+    prepare_source_ruleset "$section" "user" "domains" "$route_rule_tag"
+
+    local user_domain_list_type items json_array
     config_get user_domain_list_type "$section" "user_domain_list_type"
     case "$user_domain_list_type" in
     dynamic) config_get items "$section" "user_domains" ;;
     text) config_get items "$section" "user_domains_text" ;;
     esac
-        ;;
-    subnets)
-        local user_subnet_list_type
+
+    items="$(parse_domain_or_subnet_string_to_commas_string "$items" "domains")"
+    json_array="$(comma_string_to_json_array "$items")"
+    patch_source_ruleset_rules "$ruleset_filepath" "domain_suffix" "$json_array"
+}
+
+configure_user_subnet_list() {
+    local section="$1"
+    local route_rule_tag="$2"
+
+    prepare_source_ruleset "$section" "user" "subnets" "$route_rule_tag"
+
+    local user_subnet_list_type items json_array
     config_get user_subnet_list_type "$section" "user_subnet_list_type"
     case "$user_subnet_list_type" in
     dynamic) config_get items "$section" "user_subnets" ;;
     text) config_get items "$section" "user_subnets_text" ;;
     esac
-        ;;
-    esac
 
-    ruleset_tag=$(get_ruleset_tag "$section" "common" "$type")
-    ruleset_filename="$ruleset_tag.json"
-    ruleset_filepath="$TMP_RULESET_FOLDER/$ruleset_filename"
-    items="$(parse_domain_or_subnet_string_to_commas_string "$items" "$type")"
+    items="$(parse_domain_or_subnet_string_to_commas_string "$items" "subnets")"
     json_array="$(comma_string_to_json_array "$items")"
-    case "$type" in
-    domains) sing_box_cm_patch_local_source_ruleset_rules "$ruleset_filepath" "domain_suffix" "$json_array" ;;
-    subnets)
-        sing_box_cm_patch_local_source_ruleset_rules "$ruleset_filepath" "ip_cidr" "$json_array"
+    patch_source_ruleset_rules "$ruleset_filepath" "ip_cidr" "$json_array"
     nft_add_set_elements "$NFT_TABLE_NAME" "$NFT_COMMON_SET_NAME" "$items"
-        ;;
-    esac
 }
 
-configure_local_domain_or_subnet_lists() {
+configure_local_domain_lists() {
     local section="$1"
-    local type="$2"
-    local route_rule_tag="$3"
+    local route_rule_tag="$2"
 
-    local ruleset_tag ruleset_filename ruleset_filepath
-    ruleset_tag="$(get_ruleset_tag "$section" "local" "$type")"
-    ruleset_filename="$ruleset_tag.json"
-    ruleset_filepath="$TMP_RULESET_FOLDER/$ruleset_filename"
+    prepare_source_ruleset "$section" "local" "domains" "$route_rule_tag"
 
-    sing_box_cm_create_local_source_ruleset "$ruleset_filepath"
-    config=$(sing_box_cm_add_local_ruleset "$config" "$ruleset_tag" "source" "$ruleset_filepath")
-    config=$(sing_box_cm_patch_route_rule "$config" "$route_rule_tag" "rule_set" "$ruleset_tag")
-
-    case "$type" in
-    domains)
-        config_list_foreach "$section" "local_domain_lists" import_local_domain_or_subnet_list "$type" \
-            "$section" "$ruleset_filepath"
-        config=$(sing_box_cm_patch_dns_route_rule "$config" "$SB_FAKEIP_DNS_RULE_TAG" "rule_set" "$ruleset_tag")
-        ;;
-    subnets)
-        config_list_foreach "$section" "local_subnet_lists" import_local_domain_or_subnet_list "$type" \
-            "$section" "$ruleset_filepath"
-        ;;
-    *) log "Unsupported local rule set type: $type" "error" ;;
-    esac
+    config_list_foreach "$section" "local_domain_lists" import_local_domain_list_handler "$ruleset_filepath"
 }
 
-import_local_domain_or_subnet_list() {
-    local filepath="$1"
-    local type="$2"
-    local section="$3"
-    local ruleset_filepath="$4"
+import_local_domain_list_handler() {
+    local local_domain_list_filepath="$1"
+    local ruleset_filepath="$2"
 
-    if ! file_exists "$filepath"; then
-        log "File $filepath not found" "error"
+    if ! file_exists "$local_domain_list_filepath"; then
+        log "Local domain list file $local_domain_list_filepath not found" "error"
         return 1
     fi
 
-    local items json_array
-    items="$(parse_domain_or_subnet_file_to_comma_string "$filepath" "$type")"
+    import_plain_domain_list_to_local_source_ruleset_chunked "$local_domain_list_filepath" "$ruleset_filepath"
+}
 
-    if [ -z "$items" ]; then
-        log "No valid $type found in $filepath" "warn"
-        return 0
+configure_local_subnet_lists() {
+    local section="$1"
+    local route_rule_tag="$2"
+
+    prepare_source_ruleset "$section" "local" "subnets" "$route_rule_tag"
+
+    config_list_foreach "$section" "local_subnet_lists" import_local_subnets_list_handler "$ruleset_filepath"
+}
+
+import_local_subnets_list_handler() {
+    local local_subnet_list_filepath="$1"
+    local ruleset_filepath="$2"
+
+    if ! file_exists "$local_subnet_list_filepath"; then
+        log "Local subnet list file $local_subnet_list_filepath not found" "error"
+        return 1
     fi
 
-    json_array="$(comma_string_to_json_array "$items")"
-    case "$type" in
-    domains) sing_box_cm_patch_local_source_ruleset_rules "$ruleset_filepath" "domain_suffix" "$json_array" ;;
-    subnets)
-        sing_box_cm_patch_local_source_ruleset_rules "$ruleset_filepath" "ip_cidr" "$json_array"
-        nft_add_set_elements_from_file_chunked "$filepath" "$NFT_TABLE_NAME" "$NFT_COMMON_SET_NAME"
-        ;;
-    esac
+    import_plain_subnet_list_to_local_source_ruleset_chunked "$local_subnet_list_filepath" "$ruleset_filepath"
+    nft_add_set_elements_from_file_chunked "$local_subnet_list_filepath" "$NFT_TABLE_NAME" "$NFT_COMMON_SET_NAME"
 }
 
 configure_remote_domain_or_subnet_list_handler() {
@@ -1045,9 +1047,10 @@ configure_remote_domain_or_subnet_list_handler() {
 
     local file_extension
     file_extension=$(url_get_file_extension "$url")
+    log "Detected file extension: '$file_extension'" "debug"
     case "$file_extension" in
     json | srs)
-        log "Detected file extension: '$file_extension' → proceeding with processing" "debug"
+        log "Creating a remote $type ruleset from the source URL" "info"
         local basename ruleset_tag format detour update_interval
         basename=$(url_get_basename "$url")
         ruleset_tag=$(get_ruleset_tag "$section" "$basename" "remote-$type")
@@ -1066,7 +1069,7 @@ configure_remote_domain_or_subnet_list_handler() {
         esac
         ;;
     *)
-        log "Detected file extension: '$file_extension' → no processing needed, managed on list_update" "debug"
+        prepare_source_ruleset "$section" "remote" "$type" "$route_rule_tag"
         ;;
     esac
 }
@@ -1079,16 +1082,39 @@ sing_box_configure_experimental() {
     config_get cache_file "settings" "cache_path" "/tmp/sing-box/cache.db"
     config=$(sing_box_cm_configure_cache_file "$config" true "$cache_file" true)
 
-    local enable_yacd external_controller_ui
-    config_get_bool enable_yacd "settings" "enable_yacd" 0
     log "Configuring Clash API"
+    local enable_yacd enable_yacd_wan_access clash_api_controller_address
+    config_get_bool enable_yacd "settings" "enable_yacd" 0
+    config_get_bool enable_yacd_wan_access "settings" "enable_yacd_wan_access" 0
+
+    if [ "$enable_yacd" -eq 1 ] && [ "$enable_yacd_wan_access" -eq 1 ]; then
+        clash_api_controller_address="0.0.0.0"
+    else
+        clash_api_controller_address="$(get_service_listen_address)"
+        if [ -z "$clash_api_controller_address" ]; then
+            log "Could not determine the listening IP address for the Clash API controller. It will run only on localhost." "warn"
+            clash_api_controller_address="127.0.0.1"
+        fi
+    fi
+
     if [ "$enable_yacd" -eq 1 ]; then
         log "YACD is enabled, enabling Clash API with downloadable YACD" "debug"
-        local external_controller_ui="ui"
-        config=$(sing_box_cm_configure_clash_api "$config" "$SB_CLASH_API_CONTROLLER" "$external_controller_ui")
+        local yacd_secret_key external_controller_ui
+        config_get yacd_secret_key "settings" "yacd_secret_key"
+        external_controller_ui="ui"
+
+        config=$(
+            sing_box_cm_configure_clash_api \
+                "$config" \
+                "$clash_api_controller_address:$SB_CLASH_API_CONTROLLER_PORT" \
+                "$external_controller_ui" \
+                "$yacd_secret_key"
+        )
     else
         log "YACD is disabled, enabling Clash API in online mode" "debug"
-        config=$(sing_box_cm_configure_clash_api "$config" "$SB_CLASH_API_CONTROLLER")
+        config=$(
+            sing_box_cm_configure_clash_api "$config" "$clash_api_controller_address:$SB_CLASH_API_CONTROLLER_PORT"
+        )
     fi
 }
 
@@ -1117,8 +1143,13 @@ sing_box_additional_inbounds() {
 configure_section_mixed_proxy() {
     local section="$1"
 
-    local mixed_inbound_enabled mixed_proxy_port mixed_inbound_tag mixed_outbound_tag
+    local mixed_inbound_enabled mixed_proxy_port mixed_inbound_tag mixed_outbound_tag mixed_proxy_address
     config_get_bool mixed_inbound_enabled "$section" "mixed_proxy_enabled" 0
+    mixed_proxy_address="$(get_service_listen_address)"
+    if [ -z "$mixed_proxy_address" ]; then
+        log "Could not determine the listening IP address for the Mixed Proxy. The proxy will not be created." "warn"
+        return 1
+    fi
     config_get mixed_proxy_port "$section" "mixed_proxy_port"
     if [ "$mixed_inbound_enabled" -eq 1 ]; then
         mixed_inbound_tag="$(get_inbound_tag_by_section "$section-mixed")"
@@ -1127,7 +1158,7 @@ configure_section_mixed_proxy() {
             sing_box_cf_add_mixed_inbound_and_route_rule \
                 "$config" \
                 "$mixed_inbound_tag" \
-                "$SB_MIXED_INBOUND_ADDRESS" \
+                "$mixed_proxy_address" \
                 "$mixed_proxy_port" \
                 "$mixed_outbound_tag"
         )
@@ -1251,17 +1282,41 @@ import_domains_from_remote_domain_list_handler() {
 
     local file_extension
     file_extension=$(url_get_file_extension "$url")
+    log "Detected file extension: '$file_extension'" "debug"
     case "$file_extension" in
     json | srs)
-        log "Detected file extension: '$file_extension' → no update needed, sing-box manages updates" "debug"
+        log "No update needed - sing-box manages updates automatically."
         ;;
     *)
-        log "Detected file extension: '$file_extension' → proceeding with processing" "debug"
-        import_domains_or_subnets_from_remote_file "$url" "$section" "domains"
+        log "Import domains from a remote plain-text list"
+        import_domains_from_remote_plain_file "$url" "$section"
         ;;
     esac
 }
 
+import_domains_from_remote_plain_file() {
+    local url="$1"
+    local section="$2"
+
+    local tmpfile http_proxy_address items json_array
+    tmpfile=$(mktemp)
+    http_proxy_address="$(get_service_proxy_address)"
+
+    download_to_file "$url" "$tmpfile" "$http_proxy_address"
+
+    if [ $? -ne 0 ] || [ ! -s "$tmpfile" ]; then
+        log "Download $url list failed" "error"
+        return 1
+    fi
+
+    convert_crlf_to_lf "$tmpfile"
+    ruleset_tag=$(get_ruleset_tag "$section" "remote" "domains")
+    ruleset_filepath="$TMP_RULESET_FOLDER/$ruleset_tag.json"
+    import_plain_domain_list_to_local_source_ruleset_chunked "$tmpfile" "$ruleset_filepath"
+
+    rm -f "$tmpfile"
+}
+
 import_subnets_from_remote_subnet_lists() {
     local section="$1"
     local remote_subnet_lists
@@ -1280,61 +1335,23 @@ import_subnets_from_remote_subnet_list_handler() {
 
     local file_extension
     file_extension="$(url_get_file_extension "$url")"
+    log "Detected file extension: '$file_extension'" "debug"
     case "$file_extension" in
     json)
-        log "Detected file extension: '$file_extension' → proceeding with processing" "debug"
+        log "Import subnets from a remote JSON list" "info"
         import_subnets_from_remote_json_file "$url"
         ;;
     srs)
-        log "Detected file extension: '$file_extension' → proceeding with processing" "debug"
+        log "Import subnets from a remote SRS list" "info"
         import_subnets_from_remote_srs_file "$url"
         ;;
     *)
-        log "Detected file extension: '$file_extension' → proceeding with processing" "debug"
-        import_domains_or_subnets_from_remote_file "$url" "$section" "subnets"
+        log "Import subnets from a remote plain-text list" "info"
+        import_subnets_from_remote_plain_file "$url" "$section"
         ;;
     esac
 }
 
-import_domains_or_subnets_from_remote_file() {
-    local url="$1"
-    local section="$2"
-    local type="$3"
-
-    local tmpfile http_proxy_address items json_array
-    tmpfile=$(mktemp)
-    http_proxy_address="$(get_service_proxy_address)"
-
-    download_to_file "$url" "$tmpfile" "$http_proxy_address"
-
-    if [ $? -ne 0 ] || [ ! -s "$tmpfile" ]; then
-        log "Download $url list failed" "error"
-        return 1
-    fi
-
-    convert_crlf_to_lf "$tmpfile"
-    items="$(parse_domain_or_subnet_file_to_comma_string "$tmpfile" "$type")"
-
-    if [ -z "$items" ]; then
-        log "No valid $type found in $url" "warn"
-        return 0
-    fi
-
-    ruleset_tag=$(get_ruleset_tag "$section" "common" "$type")
-    ruleset_filename="$ruleset_tag.json"
-    ruleset_filepath="$TMP_RULESET_FOLDER/$ruleset_filename"
-    json_array="$(comma_string_to_json_array "$items")"
-    case "$type" in
-    domains) sing_box_cm_patch_local_source_ruleset_rules "$ruleset_filepath" "domain_suffix" "$json_array" ;;
-    subnets)
-        sing_box_cm_patch_local_source_ruleset_rules "$ruleset_filepath" "ip_cidr" "$json_array"
-        nft_add_set_elements_from_file_chunked "$tmpfile" "$NFT_TABLE_NAME" "$NFT_COMMON_SET_NAME"
-        ;;
-    esac
-
-    rm -f "$tmpfile"
-}
-
 import_subnets_from_remote_json_file() {
     local url="$1"
     local json_tmpfile subnets_tmpfile http_proxy_address
@@ -1370,8 +1387,8 @@ import_subnets_from_remote_srs_file() {
         return 1
     fi
 
-    if ! decompile_srs_file "$binary_tmpfile" "$json_tmpfile"; then
-        log "Failed to decompile SRS file" "error"
+    if ! decompile_binary_ruleset "$binary_tmpfile" "$json_tmpfile"; then
+        log "Failed to decompile binary rule set file" "error"
         return 1
     fi
 
@@ -1380,6 +1397,31 @@ import_subnets_from_remote_srs_file() {
     rm -f "$binary_tmpfile" "$json_tmpfile" "$subnets_tmpfile"
 }
 
+import_subnets_from_remote_plain_file() {
+    local url="$1"
+    local section="$2"
+
+    local tmpfile http_proxy_address items json_array
+    tmpfile=$(mktemp)
+    http_proxy_address="$(get_service_proxy_address)"
+
+    download_to_file "$url" "$tmpfile" "$http_proxy_address"
+
+    if [ $? -ne 0 ] || [ ! -s "$tmpfile" ]; then
+        log "Download $url list failed" "error"
+        return 1
+    fi
+
+    convert_crlf_to_lf "$tmpfile"
+
+    ruleset_tag=$(get_ruleset_tag "$section" "remote" "subnets")
+    ruleset_filepath="$TMP_RULESET_FOLDER/$ruleset_tag.json"
+    import_plain_subnet_list_to_local_source_ruleset_chunked "$tmpfile" "$ruleset_filepath"
+    nft_add_set_elements_from_file_chunked "$tmpfile" "$NFT_TABLE_NAME" "$NFT_COMMON_SET_NAME"
+
+    rm -f "$tmpfile"
+}
+
 ## Support functions
 get_service_proxy_address() {
     local download_lists_via_proxy
@@ -1460,6 +1502,26 @@ section_has_enabled_lists() {
     fi
 }
 
+get_service_listen_address() {
+    local service_listen_address
+
+    config_get service_listen_address "settings" "service_listen_address"
+    if [ -n "$service_listen_address" ]; then
+        log "Attention! The service_listen_address option is being used, overriding the automatic detection of the listening IP address!" "warn"
+        echo "$service_listen_address"
+        return 0
+    fi
+
+    service_listen_address="$(uci_get "network" "lan" "ipaddr" | awk '{print $1}' | cut -d'/' -f1)"
+
+    if [ -z "$service_listen_address" ]; then
+        log "Failed to determine the listening IP address. Please open an issue to report this problem: https://github.com/itdoginfo/podkop/issues" "error"
+        return 1
+    fi
+
+    echo "$service_listen_address"
+}
+
 ## nftables
 nft_list_all_traffic_from_ip() {
     local ip="$1"
@@ -1471,46 +1533,6 @@ nft_list_all_traffic_from_ip() {
     fi
 }
 
-nft_add_set_elements_from_file_chunked() {
-    local filepath="$1"
-    local nft_table_name="$2"
-    local nft_set_name="$3"
-    local chunk_size="${4:-5000}"
-
-    local array count
-    count=0
-    while IFS= read -r line; do
-        line=$(echo "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
-
-        [ -z "$line" ] && continue
-
-        if ! is_ipv4 "$line" && ! is_ipv4_cidr "$line"; then
-            log "'$line' is not IPv4 or IPv4 CIDR" "debug"
-            continue
-        fi
-
-        if [ -z "$array" ]; then
-            array="$line"
-        else
-            array="$array,$line"
-        fi
-
-        count=$((count + 1))
-
-        if [ "$count" = "$chunk_size" ]; then
-            log "Adding $count elements to nft set $nft_set_name" "debug"
-            nft_add_set_elements "$nft_table_name" "$nft_set_name" "$array"
-            array=""
-            count=0
-        fi
-    done < "$filepath"
-
-    if [ -n "$array" ]; then
-        log "Adding $count elements to nft set $nft_set_name" "debug"
-        nft_add_set_elements "$nft_table_name" "$nft_set_name" "$array"
-    fi
-}
-
 # Diagnotics
 check_proxy() {
     local sing_box_config_path
@@ -1671,7 +1693,7 @@ check_logs() {
         nolog "Logs not found"
         return 1
     fi
-    ы
+
     # Find the last occurrence of "Starting podkop"
     local start_line
     start_line=$(echo "$logs" | grep -n "podkop.*Starting podkop" | tail -n 1 | cut -d: -f1)
@@ -1733,6 +1755,7 @@ show_config() {
         -e 's/\(list urltest_proxy_links\).*/\1 '\''MASKED'\''/g' \
         -e "s@\\(option dns_server '[^/]*\\)/[^']*'@\\1/MASKED'@g" \
         -e "s@\\(option domain_resolver_dns_server '[^/]*\\)/[^']*'@\\1/MASKED'@g" \
+        -e 's/\(option yacd_secret_key\).*/\1 '\''MASKED'\''/g' \
         "$PODKOP_CONFIG" > "$tmp_config"
 
     cat "$tmp_config"
@@ -2112,13 +2135,28 @@ check_fakeip() {
 #######################################
 
 clash_api() {
-    local CLASH_URL="127.0.0.1:9090"
-    local TEST_URL="https://www.gstatic.com/generate_204"
     local action="$1"
+    local clash_api_controller_address CLASH_URL TEST_URL
+    clash_api_controller_address="$(get_service_listen_address)"
+    if [ -z "$clash_api_controller_address" ]; then
+        clash_api_controller_address="127.0.0.1"
+    fi
+    CLASH_URL="$clash_api_controller_address:$SB_CLASH_API_CONTROLLER_PORT"
+    TEST_URL="https://www.gstatic.com/generate_204"
+
+    local enable_yacd_wan_access yacd_secret_key auth_header
+    config_get_bool enable_yacd_wan_access "settings" "enable_yacd_wan_access" 0
+    config_get yacd_secret_key "settings" "yacd_secret_key"
+
+    if [ "$enable_yacd_wan_access" -eq 1 ]; then
+        auth_header="Authorization: Bearer $yacd_secret_key"
+    else
+        auth_header=""
+    fi
 
     case "$action" in
     get_proxies)
-        curl -s "$CLASH_URL/proxies" | jq .
+        curl -s --header "$auth_header" "$CLASH_URL/proxies" | jq .
         ;;
 
     get_proxy_latency)
@@ -2131,6 +2169,7 @@ clash_api() {
         fi
 
         curl -G -s "$CLASH_URL/proxies/$proxy_tag/delay" \
+            --header "$auth_header" \
             --data-urlencode "url=$TEST_URL" \
             --data-urlencode "timeout=$timeout" | jq .
         ;;
@@ -2145,6 +2184,7 @@ clash_api() {
         fi
 
         curl -G -s "$CLASH_URL/group/$group_tag/delay" \
+            --header "$auth_header" \
             --data-urlencode "url=$TEST_URL" \
             --data-urlencode "timeout=$timeout" | jq .
         ;;
@@ -2159,8 +2199,11 @@ clash_api() {
         fi
 
         local response
-        response=$(curl -X PUT -s -w "\n%{http_code}" "$CLASH_URL/proxies/$group_tag" \
-            --data-raw "{\"name\":\"$proxy_tag\"}")
+        response=$(
+            curl -X PUT -s -w "\n%{http_code}" "$CLASH_URL/proxies/$group_tag" \
+                --header "$auth_header" \
+                --data-raw "{\"name\":\"$proxy_tag\"}"
+        )
 
         local http_code
         local body

podkop/files/usr/lib/constants.sh

@@ -38,7 +38,6 @@ SB_TPROXY_INBOUND_PORT=1602
 SB_DNS_INBOUND_TAG="dns-in"
 SB_DNS_INBOUND_ADDRESS="127.0.0.42"
 SB_DNS_INBOUND_PORT=53
-SB_MIXED_INBOUND_ADDRESS="0.0.0.0" # TODO(ampetelin): maybe to determine address?
 SB_SERVICE_MIXED_INBOUND_TAG="service-mixed-in"
 SB_SERVICE_MIXED_INBOUND_ADDRESS="127.0.0.1"
 SB_SERVICE_MIXED_INBOUND_PORT=4534
@@ -47,7 +46,7 @@ SB_DIRECT_OUTBOUND_TAG="direct-out"
 # Route
 SB_REJECT_RULE_TAG="reject-rule-tag"
 # Experimental
-SB_CLASH_API_CONTROLLER="0.0.0.0:9090"
+SB_CLASH_API_CONTROLLER_PORT=9090
 
 ## Lists
 GITHUB_RAW_URL="https://raw.githubusercontent.com/itdoginfo/allow-domains/main"

podkop/files/usr/lib/helpers.sh

@@ -105,37 +105,6 @@ get_domain_resolver_tag() {
     echo "$section-$postfix"
 }
 
-# Constructs and returns a ruleset tag using section, name, optional type, and a fixed postfix
-get_ruleset_tag() {
-    local section="$1"
-    local name="$2"
-    local type="$3"
-    local postfix="ruleset"
-
-    if [ -n "$type" ]; then
-        echo "$section-$name-$type-$postfix"
-    else
-        echo "$section-$name-$postfix"
-    fi
-}
-
-# Determines the ruleset format based on the file extension (json → source, srs → binary)
-get_ruleset_format_by_file_extension() {
-    local file_extension="$1"
-
-    local format
-    case "$file_extension" in
-    json) format="source" ;;
-    srs) format="binary" ;;
-    *)
-        log "Unsupported file extension: .$file_extension" "error"
-        return 1
-        ;;
-    esac
-
-    echo "$format"
-}
-
 # Converts a comma-separated string into a JSON array string
 comma_string_to_json_array() {
     local input="$1"
@@ -156,6 +125,12 @@ url_decode() {
     printf '%b' "$(echo "$encoded" | sed 's/+/ /g; s/%/\\x/g')"
 }
 
+# Returns the scheme (protocol) part of a URL
+url_get_scheme() {
+    local url="$1"
+    echo "${url%%://*}"
+}
+
 # Extracts the userinfo (username[:password]) part from a URL
 url_get_userinfo() {
     local url="$1"
@@ -165,13 +140,23 @@ url_get_userinfo() {
 # Extracts the host part from a URL
 url_get_host() {
     local url="$1"
-    echo "$url" | sed -n -e 's#^[^:/?]*://##' -e 's#^[^/]*@##' -e 's#\([:/].*\|$\)##p'
+
+    url="${url#*://}"
+    url="${url#*@}"
+    url="${url%%[/?#]*}"
+
+    echo "${url%%:*}"
 }
 
 # Extracts the port number from a URL
 url_get_port() {
     local url="$1"
-    echo "$url" | sed -n -e 's#^[^:/?]*://##' -e 's#^[^/]*@##' -e 's#^[^/]*:\([0-9][0-9]*\).*#\1#p'
+
+    url="${url#*://}"
+    url="${url#*@}"
+    url="${url%%[/?#]*}"
+
+    [[ "$url" == *:* ]] && echo "${url#*:}" || echo ""
 }
 
 # Extracts the path from a URL (without query or fragment; returns "/" if empty)
@@ -300,25 +285,6 @@ convert_crlf_to_lf() {
     fi
 }
 
-# Decompiles a sing-box SRS binary file into a JSON ruleset file
-decompile_srs_file() {
-    local binary_filepath="$1"
-    local output_filepath="$2"
-
-    log "Decompiling $binary_filepath to $output_filepath" "debug"
-
-    if ! file_exists "$binary_filepath"; then
-        log "File $binary_filepath not found" "error"
-        return 1
-    fi
-
-    sing-box rule-set decompile "$binary_filepath" -o "$output_filepath"
-    if [[ $? -ne 0 ]]; then
-        log "Decompilation command failed for $binary_filepath" "error"
-        return 1
-    fi
-}
-
 #######################################
 # Parses a whitespace-separated string, validates items as either domains
 # or IPv4 addresses/subnets, and returns a comma-separated string of valid items.
@@ -388,17 +354,3 @@ parse_domain_or_subnet_file_to_comma_string() {
 
     echo "$result"
 }
-
-# Extracts all ip_cidr entries from a JSON ruleset file and writes them to an output file.
-extract_ip_cidr_from_json_ruleset_to_file() {
-    local json_file="$1"
-    local output_file="$2"
-
-    if [ ! -f "$json_file" ]; then
-        log "JSON file not found: $json_file" "error"
-        return 1
-    fi
-
-    log "Extracting ip_cidr entries from $json_file to $output_file" "debug"
-    jq -r '.rules[].ip_cidr[]' "$json_file" > "$output_file"
-}

podkop/files/usr/lib/nft.sh

@@ -28,3 +28,43 @@ nft_add_set_elements() {
 
     nft add element inet "$table" "$set" "{ $elements }"
 }
+
+nft_add_set_elements_from_file_chunked() {
+    local filepath="$1"
+    local nft_table_name="$2"
+    local nft_set_name="$3"
+    local chunk_size="${4:-5000}"
+
+    local array count
+    count=0
+    while IFS= read -r line; do
+        line=$(echo "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+
+        [ -z "$line" ] && continue
+
+        if ! is_ipv4 "$line" && ! is_ipv4_cidr "$line"; then
+            log "'$line' is not IPv4 or IPv4 CIDR" "debug"
+            continue
+        fi
+
+        if [ -z "$array" ]; then
+            array="$line"
+        else
+            array="$array,$line"
+        fi
+
+        count=$((count + 1))
+
+        if [ "$count" = "$chunk_size" ]; then
+            log "Adding $count elements to nft set $nft_set_name" "debug"
+            nft_add_set_elements "$nft_table_name" "$nft_set_name" "$array"
+            array=""
+            count=0
+        fi
+    done < "$filepath"
+
+    if [ -n "$array" ]; then
+        log "Adding $count elements to nft set $nft_set_name" "debug"
+        nft_add_set_elements "$nft_table_name" "$nft_set_name" "$array"
+    fi
+}

podkop/files/usr/lib/rulesets.sh

@@ -0,0 +1,180 @@
+# Constructs and returns a ruleset tag using section, name, optional type, and a fixed postfix
+get_ruleset_tag() {
+    local section="$1"
+    local name="$2"
+    local type="$3"
+    local postfix="ruleset"
+
+    if [ -n "$type" ]; then
+        echo "$section-$name-$type-$postfix"
+    else
+        echo "$section-$name-$postfix"
+    fi
+}
+
+# Creates a new ruleset JSON file if it doesn't already exist
+create_source_rule_set() {
+    local ruleset_filepath="$1"
+
+    if file_exists "$ruleset_filepath"; then
+        return 3
+    fi
+
+    jq -n '{version: 3, rules: []}' > "$ruleset_filepath"
+}
+
+#######################################
+# Patch a source ruleset JSON file for sing-box by appending a new ruleset object containing the provided key
+# and value.
+# Arguments:
+#   filepath: path to the JSON file to patch
+#   key: the ruleset key to insert (e.g., "ip_cidr")
+#   value: a JSON array of values to assign to the key
+# Example:
+#   patch_source_ruleset_rules "/tmp/sing-box/ruleset.json" "ip_cidr" '["1.1.1.1","2.2.2.2"]'
+#######################################
+patch_source_ruleset_rules() {
+    local filepath="$1"
+    local key="$2"
+    local value="$3"
+
+    local tmpfile=$(mktemp)
+
+    jq --arg key "$key" --argjson value "$value" \
+        '( .rules | map(has($key)) | index(true) ) as $idx |
+        if $idx != null then
+            .rules[$idx][$key] = (.rules[$idx][$key] + $value | unique)
+        else
+            .rules += [{ ($key): $value }]
+        end' "$filepath" > "$tmpfile"
+
+    if [ $? -ne 0 ]; then
+        rm -f "$tmpfile"
+        return 1
+    fi
+
+    mv "$tmpfile" "$filepath"
+}
+
+# Imports a plain domain list into a ruleset in chunks, validating domains and appending them as domain_suffix rules
+import_plain_domain_list_to_local_source_ruleset_chunked() {
+    local plain_list_filepath="$1"
+    local ruleset_filepath="$2"
+    local chunk_size="${3:-5000}"
+
+    local array count json_array
+    count=0
+    while IFS= read -r line; do
+        line=$(echo "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+
+        [ -z "$line" ] && continue
+
+        if ! is_domain_suffix "$line"; then
+            log "'$line' is not a valid domain" "debug"
+            continue
+        fi
+
+        if [ -z "$array" ]; then
+            array="$line"
+        else
+            array="$array,$line"
+        fi
+
+        count=$((count + 1))
+
+        if [ "$count" = "$chunk_size" ]; then
+            log "Adding $count elements to rule set at $ruleset_filepath" "debug"
+            json_array="$(comma_string_to_json_array "$array")"
+            patch_source_ruleset_rules "$ruleset_filepath" "domain_suffix" "$json_array"
+            array=""
+            count=0
+        fi
+    done < "$plain_list_filepath"
+
+    if [ -n "$array" ]; then
+        log "Adding $count elements to rule set at $ruleset_filepath" "debug"
+        json_array="$(comma_string_to_json_array "$array")"
+        patch_source_ruleset_rules "$ruleset_filepath" "domain_suffix" "$json_array"
+    fi
+}
+
+# Imports a plain IPv4/CIDR list into a ruleset in chunks, validating entries and appending them as ip_cidr rules
+import_plain_subnet_list_to_local_source_ruleset_chunked() {
+    local plain_list_filepath="$1"
+    local ruleset_filepath="$2"
+    local chunk_size="${3:-5000}"
+
+    local array count json_array
+    count=0
+    while IFS= read -r line; do
+        line=$(echo "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+
+        [ -z "$line" ] && continue
+
+        if ! is_ipv4 "$line" && ! is_ipv4_cidr "$line"; then
+            log "'$line' is not IPv4 or IPv4 CIDR" "debug"
+            continue
+        fi
+
+        if [ -z "$array" ]; then
+            array="$line"
+        else
+            array="$array,$line"
+        fi
+
+        count=$((count + 1))
+
+        if [ "$count" = "$chunk_size" ]; then
+            log "Adding $count elements to ruleset at $ruleset_filepath" "debug"
+            json_array="$(comma_string_to_json_array "$array")"
+            patch_source_ruleset_rules "$ruleset_filepath" "ip_cidr" "$json_array"
+            array=""
+            count=0
+        fi
+    done < "$plain_list_filepath"
+
+    if [ -n "$array" ]; then
+        log "Adding $count elements to ruleset at $ruleset_filepath" "debug"
+        json_array="$(comma_string_to_json_array "$array")"
+        patch_source_ruleset_rules "$ruleset_filepath" "ip_cidr" "$json_array"
+    fi
+}
+
+# Determines the ruleset format based on the file extension (json → source, srs → binary)
+get_ruleset_format_by_file_extension() {
+    local file_extension="$1"
+
+    local format
+    case "$file_extension" in
+    json) format="source" ;;
+    srs) format="binary" ;;
+    *)
+        log "Unsupported file extension: .$file_extension" "error"
+        return 1
+        ;;
+    esac
+
+    echo "$format"
+}
+
+# Decompiles a sing-box SRS binary file into a JSON ruleset file
+decompile_binary_ruleset() {
+    local binary_filepath="$1"
+    local output_filepath="$2"
+
+    log "Decompiling $binary_filepath to $output_filepath" "debug"
+    sing-box rule-set decompile "$binary_filepath" -o "$output_filepath"
+    if [[ $? -ne 0 ]]; then
+        log "Decompilation command failed for $binary_filepath" "error"
+        return 1
+    fi
+}
+
+# Extracts all ip_cidr entries from a JSON ruleset file and writes them to an output file.
+extract_ip_cidr_from_json_ruleset_to_file() {
+    local json_file="$1"
+    local output_file="$2"
+
+    log "Extracting ip_cidr entries from $json_file to $output_file" "debug"
+    jq -r '.rules[].ip_cidr[]' "$json_file" > "$output_file"
+}

podkop/files/usr/lib/sing_box_config_facade.sh

@@ -64,7 +64,8 @@ sing_box_cf_add_proxy_outbound() {
     url=$(url_decode "$url")
     url=$(url_strip_fragment "$url")
 
-    local scheme="${url%%://*}"
+    local scheme
+    scheme="$(url_get_scheme "$url")"
     case "$scheme" in
     socks4 | socks4a | socks5)
         local tag host port version userinfo username password udp_over_tcp
@@ -146,6 +147,21 @@ sing_box_cf_add_proxy_outbound() {
         config=$(_add_outbound_security "$config" "$tag" "$url")
         config=$(_add_outbound_transport "$config" "$tag" "$url")
         ;;
+    hysteria2 | hy2)
+        local tag host port password obfuscator_type obfuscator_password upload_mbps download_mbps
+        tag=$(get_outbound_tag_by_section "$section")
+        host=$(url_get_host "$url")
+        port="$(url_get_port "$url")"
+        password=$(url_get_userinfo "$url")
+        obfuscator_type=$(url_get_query_param "$url" "obfs")
+        obfuscator_password=$(url_get_query_param "$url" "obfs-password")
+        upload_mbps=$(url_get_query_param "$url" "upmbps")
+        download_mbps=$(url_get_query_param "$url" "downmbps")
+
+        config=$(sing_box_cm_add_hysteria2_outbound "$config" "$tag" "$host" "$port" "$password" "$obfuscator_type" \
+            "$obfuscator_password" "$upload_mbps" "$download_mbps")
+        config=$(_add_outbound_security "$config" "$tag" "$url")
+        ;;
     *)
         log "Unsupported proxy $scheme type. Aborted." "fatal"
         exit 1
@@ -160,13 +176,20 @@ _add_outbound_security() {
     local outbound_tag="$2"
     local url="$3"
 
-    local security
+    local security scheme
     security=$(url_get_query_param "$url" "security")
+    if [ -z "$security" ]; then
+        scheme="$(url_get_scheme "$url")"
+        if [ "$scheme" = "hysteria2" ] || [ "$scheme" = "hy2" ]; then
+            security="tls"
+        fi
+    fi
+
     case "$security" in
     tls | reality)
         local sni insecure alpn fingerprint public_key short_id
         sni=$(url_get_query_param "$url" "sni")
-        insecure=$(url_get_query_param "$url" "allowInsecure")
+        insecure=$(_get_insecure_query_param_from_url "$url")
         alpn=$(comma_string_to_json_array "$(url_get_query_param "$url" "alpn")")
         fingerprint=$(url_get_query_param "$url" "fp")
         public_key=$(url_get_query_param "$url" "pbk")
@@ -193,6 +216,18 @@ _add_outbound_security() {
     echo "$config"
 }
 
+_get_insecure_query_param_from_url() {
+    local url="$1"
+
+    local insecure
+    insecure=$(url_get_query_param "$url" "allowInsecure")
+    if [ -z "$insecure" ]; then
+        insecure=$(url_get_query_param "$url" "insecure")
+    fi
+
+    echo "$insecure"
+}
+
 _add_outbound_transport() {
     local config="$1"
     local outbound_tag="$2"
@@ -214,7 +249,12 @@ _add_outbound_transport() {
         ;;
     grpc)
         # TODO(ampetelin): Add handling of optional gRPC parameters; example links are needed.
-        config=$(sing_box_cm_set_grpc_transport_for_outbound "$config" "$outbound_tag")
+        local grpc_service_name
+        grpc_service_name=$(url_get_query_param "$url" "serviceName")
+
+        config=$(
+            sing_box_cm_set_grpc_transport_for_outbound "$config" "$outbound_tag" "$grpc_service_name"
+        )
         ;;
     *)
         log "Unknown transport '$transport' detected." "error"

podkop/files/usr/lib/sing_box_config_manager.sh

@@ -21,9 +21,9 @@ SERVICE_TAG="__service_tag"
 #######################################
 # Configure the logging section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string, JSON configuration
 #   disabled: boolean, true to disable logging
-#   level: string, e.g., "info", "debug", "warn"
+#   level: string, log level. One of: trace debug info warn error fatal panic.
 #   timestamp: boolean, true to include timestamps
 # Outputs:
 #   Writes updated JSON configuration to stdout
@@ -50,7 +50,7 @@ sing_box_cm_configure_log() {
 #######################################
 # Configure the DNS section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   final: string, default dns server tag
 #   strategy: string, default domain strategy for resolving the domain names
 #   independent_cache: boolean, whether to use an independent DNS cache
@@ -82,12 +82,12 @@ sing_box_cm_configure_dns() {
 #######################################
 # Add a UDP DNS server to the DNS section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier for the DNS server
 #   server_address: string, IP address or hostname of the DNS server
-#   server_port: string or number, port of the DNS server
-#   domain_resolver: string, domain resolver to use for resolving domain names
-#   detour: string, tag of the upstream outbound
+#   server_port: string or integer, port of the DNS server
+#   domain_resolver: string, domain resolver to use for resolving domain names (optional)
+#   detour: string, tag of the upstream outbound (optional)
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -122,12 +122,12 @@ sing_box_cm_add_udp_dns_server() {
 #######################################
 # Add a TLS DNS server to the DNS section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier for the DNS server
 #   server_address: string, IP address or hostname of the DNS server
-#   server_port: string or number, port of the DNS server
-#   domain_resolver: string, domain resolver to use for resolving domain names
-#   detour: string, tag of the upstream outbound
+#   server_port: string or integer, port of the DNS server
+#   domain_resolver: string, domain resolver to use for resolving domain names (optional)
+#   detour: string, tag of the upstream outbound (optional)
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -162,14 +162,14 @@ sing_box_cm_add_tls_dns_server() {
 #######################################
 # Add an HTTPS DNS server to the DNS section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier for the DNS server
 #   server_address: string, IP address or hostname of the DNS server
-#   server_port: string or number, port of the DNS server
-#   path: string, optional URL path for HTTPS DNS requests
-#   headers: string, optional additional headers for HTTPS DNS requests
-#   domain_resolver: string, domain resolver to use for resolving domain names
-#   detour: string, tag of the upstream outbound
+#   server_port: string or integer, port of the DNS server
+#   path: string, URL path for HTTPS DNS requests (optional)
+#   headers: string, additional headers for HTTPS DNS requests (optional)
+#   domain_resolver: string, domain resolver to use for resolving domain names (optional)
+#   detour: string, tag of the upstream outbound (optional)
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -210,7 +210,7 @@ sing_box_cm_add_https_dns_server() {
 #######################################
 # Add a FakeIP DNS server to the DNS section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier for the DNS server
 #   inet4_range: string, IPv4 range used for fake IP mapping
 # Outputs:
@@ -236,7 +236,7 @@ sing_box_cm_add_fakeip_dns_server() {
 #######################################
 # Add a DNS routing rule to the DNS section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   server: string, target DNS server for the rule
 #   tag: string, identifier for the route rule
 # Outputs:
@@ -263,10 +263,10 @@ sing_box_cm_add_dns_route_rule() {
 #######################################
 # Patch a DNS routing rule in the DNS section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier of the rule to patch
 #   key: string, the key in the rule to update or add
-#   value: JSON value to assign to the key
+#   value: string, JSON value to assign to the key
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -304,9 +304,9 @@ sing_box_cm_patch_dns_route_rule() {
 #######################################
 # Add a DNS reject rule to the DNS section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   key: string, the key to set for the reject rule
-#   value: JSON value to assign to the key
+#   value: string, JSON value to assign to the key
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -331,10 +331,10 @@ sing_box_cm_add_dns_reject_rule() {
 #######################################
 # Add a TProxy inbound to the inbounds section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier for the inbound
 #   listen_address: string, IP address to listen on
-#   listen_port: number, port to listen on
+#   listen_port: integer, port to listen on
 #   tcp_fast_open: boolean, enable or disable TCP Fast Open
 #   udp_fragment: boolean, enable or disable UDP fragmentation
 # Outputs:
@@ -369,10 +369,10 @@ sing_box_cm_add_tproxy_inbound() {
 #######################################
 # Add a Direct inbound to the inbounds section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier for the inbound
 #   listen_address: string, IP address to listen on
-#   listen_port: number, port to listen on
+#   listen_port: integer, port to listen on
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -399,10 +399,10 @@ sing_box_cm_add_direct_inbound() {
 #######################################
 # Add a Mixed inbound to the inbounds section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier for the inbound
 #   listen_address: string, IP address to listen on
-#   listen_port: number, port to listen on
+#   listen_port: integer, port to listen on
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -429,7 +429,7 @@ sing_box_cm_add_mixed_inbound() {
 #######################################
 # Add a Direct outbound to the outbounds section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier for the outbound
 # Outputs:
 #   Writes updated JSON configuration to stdout
@@ -451,15 +451,15 @@ sing_box_cm_add_direct_outbound() {
 #######################################
 # Add a SOCKS outbound to the outbounds section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier for the outbound
 #   server_address: string, IP address or hostname of the SOCKS server
-#   server_port: number, port of the SOCKS server
-#   version: string, optional SOCKS version
-#   username: string, optional username for authentication
-#   password: string, optional password for authentication
-#   network: string, optional network type (e.g., "tcp")
-#   udp_over_tcp: number, optional version for UDP over TCP
+#   server_port: integer, port of the SOCKS server
+#   version: string, SOCKS version (optional)
+#   username: string, username for authentication (optional)
+#   password: string, password for authentication (optional)
+#   network: string, network type (e.g., "tcp") (optional)
+#   udp_over_tcp: integer, version for UDP over TCP (optional)
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -509,16 +509,16 @@ sing_box_cm_add_socks_outbound() {
 #######################################
 # Add a Shadowsocks outbound to the outbounds section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier for the outbound
 #   server_address: string, IP address or hostname of the Shadowsocks server
-#   server_port: number, port of the Shadowsocks server
+#   server_port: integer, port of the Shadowsocks server
 #   method: string, encryption method
 #   password: string, password for encryption
-#   network: string, optional network type (e.g., "tcp")
-#   udp_over_tcp: number, optional version for UDP over TCP
-#   plugin: string, optional plugin name
-#   plugin_opts: string, optional plugin options
+#   network: string, network type (e.g., "tcp") (optional)
+#   udp_over_tcp: integer, version for UDP over TCP (optional)
+#   plugin: string, plugin name (optional)
+#   plugin_opts: string, plugin options (optional)
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -573,14 +573,14 @@ sing_box_cm_add_shadowsocks_outbound() {
 #######################################
 # Add a VLESS outbound to the outbounds section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier for the outbound
 #   server_address: string, IP address or hostname of the VLESS server
-#   server_port: number, port of the VLESS server
+#   server_port: integer, port of the VLESS server
 #   uuid: string, user UUID
-#   flow: string, optional flow setting
-#   network: string, optional network type (e.g., "tcp")
-#   packet_encoding: string, optional packet encoding method
+#   flow: string, flow setting (optional)
+#   network: string, network type (e.g., "tcp") (optional)
+#   packet_encoding: string, packet encoding method (optional)
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -624,12 +624,12 @@ sing_box_cm_add_vless_outbound() {
 #######################################
 # Add a Trojan outbound to the outbounds section of a sing-box JSON configuration.
 # Arguments:
-#   config: string, JSON configuration
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier for the outbound
 #   server_address: string, IP address or hostname of the Trojan server
-#   server_port: number, port of the Trojan server
+#   server_port: integer, port of the Trojan server
 #   password: string, password for authentication
-#   network: string, optional network type (e.g., "tcp")
+#   network: string, network type (e.g., "tcp") (optional)
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -661,15 +661,76 @@ sing_box_cm_add_trojan_outbound() {
     )]'
 }
 
+#######################################
+# Add a Hysteria2 outbound to the outbounds section of a sing-box JSON configuration.
+# Arguments:
+#   config: string (JSON), sing-box configuration to modify
+#   tag: string, identifier for the outbound
+#   server_address: string, IP address or hostname of the Hysteria2 server
+#   server_port: integer, port of the Hysteria2 server
+#   password: string, password for authentication
+#   obfuscator_type: string, obfuscation type (optional)
+#   obfuscator_password: string, obfuscation password (optional)
+#   upload_mbps: integer, upload bandwidth limit in Mbps (optional)
+#   download_mbps: integer, download bandwidth limit in Mbps (optional)
+#   network: string, network type (e.g., "udp") (optional)
+# Outputs:
+#   Writes updated JSON configuration to stdout
+# Example:
+#   CONFIG=$(sing_box_cm_add_hysteria2_outbound "$CONFIG" "hysteria2-out" "example.com" 443 "supersecret" \
+#       "salamander" "obfs-pass" "50" "200" "udp")
+#######################################
+sing_box_cm_add_hysteria2_outbound() {
+    local config="$1"
+    local tag="$2"
+    local server_address="$3"
+    local server_port="$4"
+    local password="$5"
+    local obfuscator_type="$6"
+    local obfuscator_password="$7"
+    local upload_mbps="$8"
+    local download_mbps="$9"
+    local network="${10}"
+
+    echo "$config" | jq \
+        --arg tag "$tag" \
+        --arg server_address "$server_address" \
+        --arg server_port "$server_port" \
+        --arg password "$password" \
+        --arg obfuscator_type "$obfuscator_type" \
+        --arg obfuscator_password "$obfuscator_password" \
+        --arg upload_mbps "$upload_mbps" \
+        --arg download_mbps "$download_mbps" \
+        --arg network "$network" \
+        '.outbounds += [(
+        {
+          type: "hysteria2",
+          tag: $tag,
+          server: $server_address,
+          server_port: ($server_port | tonumber),
+          password: $password
+        }
+        + (if $obfuscator_type != "" and $obfuscator_password != "" then {
+            obfs: {
+                type: $obfuscator_type,
+                password: $obfuscator_password
+            }
+        } else {} end)
+        + (if $upload_mbps != "" then {up_mbps: ($upload_mbps | tonumber)} else {} end)
+        + (if $download_mbps != "" then {down_mbps: ($download_mbps | tonumber)} else {} end)
+        + (if $network != "" then {network: $network} else {} end)
+    )]'
+}
+
 #######################################
 # Set gRPC transport settings for an outbound in a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier of the outbound to modify
-#   service_name: string, optional gRPC service name
-#   idle_timeout: string or number, optional idle timeout
-#   ping_timeout: string or number, optional ping timeout
-#   permit_without_stream: boolean, optional flag for permitting without stream
+#   service_name: string, gRPC service name (optional)
+#   idle_timeout: string or integer, idle timeout (optional)
+#   ping_timeout: string or integer, ping timeout (optional)
+#   permit_without_stream: boolean, flag for permitting without stream (optional)
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -709,12 +770,12 @@ sing_box_cm_set_grpc_transport_for_outbound() {
 #######################################
 # Set WebSocket transport settings for an outbound in a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier of the outbound to modify
 #   path: string, WebSocket path
-#   host: string, optional Host header for WebSocket
-#   max_early_data: number, optional maximum early data
-#   early_data_header_name: string, optional header name for early data
+#   host: string, Host header for WebSocket (optional)
+#   max_early_data: integer, maximum early data (optional)
+#   early_data_header_name: string, header name for early data (optional)
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -759,14 +820,14 @@ sing_box_cm_set_ws_transport_for_outbound() {
 #######################################
 # Set TLS settings for an outbound in a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier of the outbound to modify
-#   server_name: string, optional, used to verify the hostname on the returned certificates
-#   insecure: boolean, accept any server certificate
-#   alpn: JSON value or null, optional supported application level protocols
-#   utls_fingerprint: string, optional uTLS fingerprint
-#   reality_public_key: string, optional Reality public key
-#   reality_short_id: string, optional Reality short ID
+#   server_name: string, used to verify the hostname on the returned certificates (optional)
+#   insecure: boolean, accept any server certificate (optional)
+#   alpn: string, JSON value, supported application level protocols (optional)
+#   utls_fingerprint: string, uTLS fingerprint (optional)
+#   reality_public_key: string, Reality public key (optional)
+#   reality_short_id: string, Reality short ID (optional)
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -825,7 +886,7 @@ sing_box_cm_set_tls_for_outbound() {
 #######################################
 # Add a Direct outbound with a specific network interface to a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier for the outbound
 #   interface: string, network interface to bind the outbound
 #   domain_resolver: string, tag of the domain resolver to be used for this outbound (optional)
@@ -857,9 +918,9 @@ sing_box_cm_add_interface_outbound() {
 #######################################
 # Add a raw outbound JSON object to the outbounds section of a sing-box configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier for the outbound
-#   raw_outbound: JSON object, the raw outbound configuration to add
+#   raw_outbound: string, JSON object, the raw outbound configuration to add
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -881,14 +942,14 @@ sing_box_cm_add_raw_outbound() {
 #######################################
 # Add a URLTest outbound to the outbounds section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier for the URLTest outbound
-#   outbounds: JSON array of outbound tags to test
-#   url: URL to probe (optional)
-#   interval: test interval (e.g., "10s") (optional)
-#   tolerance: max latency difference tolerated (optional)
-#   idle_timeout: idle timeout duration (optional)
-#   interrupt_exist_connections: flag to interrupt existing connections ("true"/"false") (optional)
+#   outbounds: string, JSON array of outbound tags to test
+#   url: string, URL to probe (optional)
+#   interval: string, test interval (e.g., "10s") (optional)
+#   tolerance: string or integer, max latency difference tolerated (optional)
+#   idle_timeout: string or integer, idle timeout duration (optional)
+#   interrupt_exist_connections: boolean, flag to interrupt existing connections ("true"/"false") (optional)
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -929,11 +990,11 @@ sing_box_cm_add_urltest_outbound() {
 #######################################
 # Add a Selector outbound to the outbounds section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier for the Selector outbound
-#   outbounds: JSON array of outbound tags to choose from
-#   default: default outbound tag if none selected (optional)
-#   interrupt_exist_connections: flag to interrupt existing connections ("true"/"false") (optional)
+#   outbounds: string (JSON), array of outbound tags to choose from
+#   default: string, default outbound tag if none selected
+#   interrupt_exist_connections: boolean, flag to interrupt existing connections ("true"/"false") (optional)
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -965,11 +1026,11 @@ sing_box_cm_add_selector_outbound() {
 #######################################
 # Configure the route section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   final: string, final outbound tag for unmatched traffic
 #   auto_detect_interface: boolean, enable or disable automatic interface detection
 #   default_domain_resolver: string, default DNS resolver for domain-based routing
-#   default_interface: string, default network interface to use when auto detection is disabled
+#   default_interface: string, default network interface to use when auto detection is disabled (optional)
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -1001,7 +1062,7 @@ sing_box_cm_configure_route() {
 #######################################
 # Add a routing rule to the route section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier for the route rule
 #   inbound: string, inbound tag to match
 #   outbound: string, outbound tag to route matched traffic to
@@ -1032,10 +1093,10 @@ sing_box_cm_add_route_rule() {
 #######################################
 # Patch a routing rule in the route section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier of the route rule to patch
 #   key: string, the key in the rule to update or add
-#   value: JSON value to assign to the key
+#   value: string (JSON), value to assign to the key
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -1071,9 +1132,9 @@ sing_box_cm_patch_route_rule() {
 #######################################
 # Add a reject rule to the route section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   key: string, the key to set for the reject rule
-#   value: JSON value to assign to the key
+#   value: string (JSON), value to assign to the key
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -1098,9 +1159,9 @@ sing_box_cm_add_reject_route_rule() {
 #######################################
 # Add a hijack-dns rule to the route section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   key: string, the key to set for the hijack-dns rule
-#   value: JSON value to assign to the key
+#   value: string (JSON), value to assign to the key
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -1125,7 +1186,7 @@ sing_box_cm_add_hijack_dns_route_rule() {
 #######################################
 # Add a route-options rule to the route section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier for the route-options rule
 # Outputs:
 #   Writes updated JSON configuration to stdout
@@ -1148,9 +1209,9 @@ sing_box_cm_add_options_route_rule() {
 #######################################
 # Add a sniff rule to the route section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   key: string, the key to set for the sniff rule
-#   value: JSON value to assign to the key
+#   value: string (JSON), value to assign to the key
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -1176,7 +1237,7 @@ sing_box_cm_sniff_route_rule() {
 #######################################
 # Add an inline ruleset to the route.rule_set section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier for the inline ruleset
 # Outputs:
 #   Writes updated JSON configuration to stdout
@@ -1198,10 +1259,10 @@ sing_box_cm_add_inline_ruleset() {
 #######################################
 # Add or update a rule in an inline ruleset within the route.rule_set section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier of the inline ruleset
 #   key: string, the key in the ruleset to update or add
-#   value: JSON value to assign to the key
+#   value: string (JSON), value to assign to the key
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -1238,7 +1299,7 @@ sing_box_cm_add_inline_ruleset_rule() {
 #######################################
 # Add a local ruleset to the route.rule_set section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier for the local ruleset
 #   format: string, format of the local ruleset ("source" or "binary")
 #   path: string, file path to the local ruleset
@@ -1269,12 +1330,12 @@ sing_box_cm_add_local_ruleset() {
 #######################################
 # Add a remote ruleset to the route.rule_set section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   tag: string, identifier for the remote ruleset
 #   format: string, format of the remote ruleset ("source" or "binary")
 #   url: string, URL to download the ruleset from
-#   download_detour: string, optional detour tag for downloading
-#   update_interval: string, optional update interval for the ruleset
+#   download_detour: string, detour tag for downloading (optional)
+#   update_interval: string, update interval for the ruleset (optional)
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -1310,7 +1371,7 @@ sing_box_cm_add_remote_ruleset() {
 #######################################
 # Configure the experimental cache_file section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   enabled: boolean, enable or disable file caching
 #   path: string, file path for cache storage
 #   store_fakeip: boolean, whether to store fake IPs in the cache
@@ -1339,9 +1400,10 @@ sing_box_cm_configure_cache_file() {
 #######################################
 # Configure the experimental clash_api section of a sing-box JSON configuration.
 # Arguments:
-#   config: JSON configuration (string)
-#   external_controller: API listening address; Clash API will be disabled if empty
-#   external_ui: Optional path to static web resources to serve at http://{{external-controller}}/ui
+#   config: string (JSON), sing-box configuration to modify
+#   external_controller: string, API listening address; Clash API will be disabled if empty
+#   external_ui: string, path to static web resources to serve at http://{{external-controller}}/ui (optional)
+#   secret: string, secret for the RESTful API Authenticate by specifying HTTP header (optional)
 # Outputs:
 #   Writes updated JSON configuration to stdout
 # Example:
@@ -1351,65 +1413,23 @@ sing_box_cm_configure_clash_api() {
     local config="$1"
     local external_controller="$2"
     local external_ui="$3"
+    local secret="$4"
 
     echo "$config" | jq \
         --arg external_controller "$external_controller" \
         --arg external_ui "$external_ui" \
+        --arg secret "$secret" \
         '.experimental.clash_api = {
             external_controller: $external_controller,
         }
-        + (if $external_ui != "" then { external_ui: $external_ui } else {} end)'
-}
-
-#######################################
-# Create a local source ruleset JSON file for sing-box.
-# Arguments:
-#   filepath: path to the JSON file to create
-# Example:
-#   sing_box_cm_create_local_source_ruleset "/tmp/sing-box/ruleset.json"
-#######################################
-sing_box_cm_create_local_source_ruleset() {
-    local filepath="$1"
-
-    jq -n '{version: 3, rules: []}' > "$filepath"
-}
-
-#######################################
-# Patch a local source ruleset JSON file for sing-box by adding unique! values to a given key.
-# Arguments:
-#   filepath: path to the JSON file to patch
-#   key: the ruleset key to update (e.g., "ip_cidr")
-#   value: a JSON array of values to add to the key
-# Example:
-#   sing_box_cm_patch_local_source_ruleset_rules "/tmp/sing-box/ruleset.json" "ip_cidr" '["1.1.1.1","2.2.2.2"]'
-#######################################
-sing_box_cm_patch_local_source_ruleset_rules() {
-    local filepath="$1"
-    local key="$2"
-    local value="$3"
-
-    value=$(_normalize_arg "$value")
-
-    local content
-    content="$(cat "$filepath")"
-
-    echo "$content" | jq \
-        --arg key "$key" \
-        --argjson value "$value" '
-        ([.rules[]?[$key][]] | unique) as $existing
-        | ($value - $existing) as $value
-        | if ($value | length) > 0 then
-            .rules += [{($key): $value}]
-          else
-            .
-          end
-        ' > "$filepath"
+        + (if $external_ui != "" then { external_ui: $external_ui } else {} end)
+        + (if $secret != "" then { secret: $secret } else {} end)'
 }
 
 #######################################
 # Save a sing-box JSON configuration to a file, removing service-specific tags.
 # Arguments:
-#   config: JSON configuration (string)
+#   config: string (JSON), sing-box configuration to modify
 #   file_path: string, path to save the configuration file
 # Outputs:
 #   Writes the cleaned JSON configuration to the specified file