§5: TCP/443 fallback now described as real outer TLS-443 (was the lighter
HTTP/1.1 masquerade in v1).
§6 rewritten "Честные ограничения v1" -> "v2 — что устранено и что остаётся":
- Resolved: UDP multi-client demux, server IP pool + per-client routing,
OS-level split-tunnel (no more send_direct stub), real TLS-443, auto-NAT,
privilege drop, Windows admin named pipe, daily protocol-mask rotation
at 05:00 MSK.
- Remaining honest limits: TUN creation still needs root (privilege drop
shrinks the window), IPv6 in OS routes / iptables not yet, Windows OS
routes stubbed, CRL still out-of-band (in-band push deferred), native
phone client via sing-box still a plan, no auto-detect of egress iface.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
xah30
278bcced95