@qpjoy/electron-tunnel 0.1.0

package/README.md

@@ -0,0 +1,53 @@
+# QPJoy Electron Tunnel
+
+Reusable tunnel runtime for Electron apps on macOS and Linux.
+
+```bash
+pnpm add @qpjoy/electron-tunnel
+```
+
+```ts
+import { app, ipcMain, session } from 'electron';
+import { createElectronTunnel } from '@qpjoy/electron-tunnel';
+
+const tunnel = createElectronTunnel({ app, ipcMain, session: session.defaultSession }, {
+  adminPort: 23456,
+  controllerPort: 23457,
+  mixedPort: 23458,
+  dnsPort: 23459
+});
+
+app.whenReady().then(async () => {
+  await tunnel.applyProxy();
+});
+
+app.on('before-quit', () => {
+  tunnel.close();
+});
+```
+
+The package also installs a CLI:
+
+```bash
+pnpm exec qpjoy-tunnel snippet
+pnpm exec qpjoy-tunnel init --out src-electron/qpjoy-tunnel.ts
+```
+
+For `electron-builder`, package the bundled engine resources:
+
+```ts
+extraResources: [
+  {
+    from: 'node_modules/@qpjoy/electron-tunnel/resources/engine',
+    to: 'qpjoy-tunnel-engine',
+    filter: ['**/*']
+  }
+]
+```
+
+Default admin backend:
+
+```text
+http://127.0.0.1:23456
+admin/admin
+```

package/dist/admin/AdminServer.d.ts

@@ -0,0 +1,10 @@
+import type { MihomoManager } from '../mihomo/MihomoManager';
+export declare class AdminServer {
+    private readonly manager;
+    private server;
+    constructor(manager: MihomoManager);
+    start(): void;
+    stop(): void;
+    private handle;
+    private route;
+}

package/dist/admin/AdminServer.js

@@ -0,0 +1,362 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AdminServer = void 0;
+const http_1 = require("http");
+const url_1 = require("url");
+const security_1 = require("../security");
+const defaults_1 = require("../defaults");
+const sessions = new Set();
+function sendJson(res, status, data) {
+    const body = JSON.stringify(data);
+    res.writeHead(status, {
+        'content-type': 'application/json; charset=utf-8',
+        'cache-control': 'no-store'
+    });
+    res.end(body);
+}
+function sendText(res, status, data, contentType = 'text/plain; charset=utf-8') {
+    res.writeHead(status, {
+        'content-type': contentType,
+        'cache-control': 'no-store'
+    });
+    res.end(data);
+}
+function adminHtml() {
+    const presets = Object.keys(defaults_1.DOMAIN_PRESETS)
+        .map((id) => `<button data-preset="${id}">${id}</button>`)
+        .join('');
+    return `<!doctype html>
+<html lang="zh-CN">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>QPJoy Tunnel Admin</title>
+  <style>
+    body{font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",sans-serif;margin:0;background:#f4f6f8;color:#121417}
+    header{height:64px;display:flex;align-items:center;justify-content:space-between;padding:0 24px;background:#fff;border-bottom:1px solid #dde1e6}
+    main{max-width:1160px;margin:0 auto;padding:24px;display:grid;gap:18px}
+    section{background:#fff;border:1px solid #dde1e6;border-radius:8px;padding:18px}
+    input,select,button{height:36px;border:1px solid #c9d1d9;border-radius:6px;padding:0 10px;font-size:14px}
+    button{background:#1264d8;color:#fff;border-color:#1264d8;cursor:pointer}
+    button.secondary{background:#fff;color:#202833}
+    .row{display:flex;gap:10px;flex-wrap:wrap;align-items:center}
+    .grid{display:grid;grid-template-columns:repeat(auto-fit,minmax(260px,1fr));gap:14px}
+    .muted{color:#6b7280}
+    .card{border:1px solid #e3e7ec;border-radius:8px;padding:14px}
+    pre{white-space:pre-wrap;max-height:280px;overflow:auto;background:#101418;color:#dbeafe;border-radius:8px;padding:14px}
+    #login{max-width:360px;margin:12vh auto}
+    #app{display:none}
+  </style>
+</head>
+<body>
+  <section id="login">
+    <h2>QPJoy Tunnel</h2>
+    <div class="row"><input id="user" placeholder="admin" value="admin"><input id="pass" type="password" placeholder="password" value="admin"><button id="loginBtn">登录</button></div>
+  </section>
+  <div id="app">
+    <header><strong>QPJoy Tunnel Admin</strong><span id="status" class="muted"></span></header>
+    <main>
+      <section>
+        <h3>模式</h3>
+        <div class="row">
+          <select id="mode">
+            <option value="system-tun">虚拟网卡</option>
+            <option value="app-global">全局模式</option>
+            <option value="app-rule">App 模式</option>
+          </select>
+          <button id="saveMode">切换</button>
+          <button id="installTun" class="secondary">安装 TUN</button>
+          <button id="uninstallTun" class="secondary">卸载 TUN</button>
+          <button id="start">启动</button>
+          <button id="stop" class="secondary">停止</button>
+        </div>
+      </section>
+      <section>
+        <h3>高级设置</h3>
+        <div class="row">
+          <input id="corePath" placeholder="自动使用内置隧道引擎" style="flex:1;min-width:320px">
+          <button id="saveCorePath">保存引擎路径</button>
+        </div>
+      </section>
+      <section>
+        <h3>本地端口</h3>
+        <div class="row">
+          <input id="mixedPort" placeholder="23458">
+          <input id="dnsPort" placeholder="23459">
+          <button id="savePorts">保存端口</button>
+        </div>
+      </section>
+      <section>
+        <h3>订阅</h3>
+        <div class="row">
+          <input id="subName" placeholder="名称">
+          <input id="subUrl" placeholder="订阅文件链接" style="flex:1;min-width:320px">
+          <input id="subUser" placeholder="用户">
+          <input id="subPass" placeholder="密码" type="password">
+          <button id="addSub">新建</button>
+          <button id="updateSub" class="secondary">更新当前</button>
+        </div>
+        <div id="subs" class="grid"></div>
+      </section>
+      <section>
+        <h3>白名单 / 黑名单</h3>
+        <div class="row">
+          ${presets}
+          <input id="ruleDomain" placeholder="example.com">
+          <select id="ruleKind"><option value="allow">白名单</option><option value="block">黑名单</option></select>
+          <button id="addRule">添加</button>
+        </div>
+        <div id="rules" class="grid"></div>
+      </section>
+      <section>
+        <h3>日志</h3>
+        <pre id="events"></pre>
+      </section>
+    </main>
+  </div>
+  <script>
+    let token = '';
+    async function api(path, options = {}) {
+      const res = await fetch(path, {
+        ...options,
+        headers: { 'content-type': 'application/json', authorization: token ? 'Bearer ' + token : '', ...(options.headers || {}) }
+      });
+      if (!res.ok) throw new Error(await res.text());
+      return res.json();
+    }
+    async function refresh() {
+      const data = await api('/api/snapshot');
+      document.querySelector('#status').textContent = data.status.running ? '运行中' : '已停止';
+      document.querySelector('#mode').value = data.status.mode;
+      document.querySelector('#corePath').value = data.status.corePath || '';
+      document.querySelector('#mixedPort').value = data.status.ports.mixed;
+      document.querySelector('#dnsPort').value = data.status.ports.dns;
+      document.querySelector('#subs').innerHTML = data.subscriptions.map(s => '<div class="card"><strong>'+s.name+'</strong><p class="muted">'+s.url+'</p><p>'+(s.active?'当前':'')+' '+(s.lastUpdatedAt||'未更新')+'</p><button data-active="'+s.id+'">启用</button> <button class="secondary" data-refresh="'+s.id+'">刷新</button> <button class="secondary" data-sub-remove="'+s.id+'">删除</button></div>').join('');
+      document.querySelector('#rules').innerHTML = data.rules.map(r => '<div class="card"><strong>'+r.kind+'</strong> '+r.domain+'<p class="muted">'+r.source+'</p><button class="secondary" data-rule-remove="'+r.id+'">删除</button></div>').join('');
+      document.querySelector('#events').textContent = data.events.map(e => '['+e.level+'] '+e.createdAt+' '+e.message).join('\\n');
+    }
+    document.querySelector('#loginBtn').onclick = async () => {
+      const result = await api('/api/login', { method:'POST', body: JSON.stringify({ username:user.value, password:pass.value }) });
+      token = result.token;
+      login.style.display = 'none';
+      app.style.display = 'block';
+      refresh();
+    };
+    document.querySelector('#saveMode').onclick = async () => { await api('/api/mode', { method:'POST', body: JSON.stringify({ mode: mode.value }) }); refresh(); };
+    document.querySelector('#saveCorePath').onclick = async () => { await api('/api/core/path', { method:'POST', body: JSON.stringify({ corePath: corePath.value }) }); refresh(); };
+    document.querySelector('#savePorts').onclick = async () => { await api('/api/ports', { method:'POST', body: JSON.stringify({ mixed: Number(mixedPort.value), dns: Number(dnsPort.value) }) }); refresh(); };
+    document.querySelector('#installTun').onclick = async () => { await api('/api/tun/install', { method:'POST' }); refresh(); };
+    document.querySelector('#uninstallTun').onclick = async () => { await api('/api/tun/uninstall', { method:'POST' }); refresh(); };
+    document.querySelector('#start').onclick = async () => { await api('/api/core/start', { method:'POST' }); refresh(); };
+    document.querySelector('#stop').onclick = async () => { await api('/api/core/stop', { method:'POST' }); refresh(); };
+    document.querySelector('#updateSub').onclick = async () => { await api('/api/subscriptions/active/update', { method:'POST' }); refresh(); };
+    document.querySelector('#addSub').onclick = async () => { await api('/api/subscriptions', { method:'POST', body: JSON.stringify({ name: subName.value, url: subUrl.value, username: subUser.value, password: subPass.value }) }); refresh(); };
+    document.querySelector('#addRule').onclick = async () => { await api('/api/rules', { method:'POST', body: JSON.stringify({ kind: ruleKind.value, domain: ruleDomain.value }) }); refresh(); };
+    document.body.onclick = async (event) => {
+      const target = event.target;
+      if (!(target instanceof HTMLElement)) return;
+      if (target.dataset.preset) await api('/api/presets/'+target.dataset.preset, { method:'POST' });
+      if (target.dataset.active) await api('/api/subscriptions/'+target.dataset.active+'/active', { method:'POST' });
+      if (target.dataset.refresh) await api('/api/subscriptions/'+target.dataset.refresh+'/update', { method:'POST' });
+      if (target.dataset.subRemove) await api('/api/subscriptions/'+target.dataset.subRemove, { method:'DELETE' });
+      if (target.dataset.ruleRemove) await api('/api/rules/'+target.dataset.ruleRemove, { method:'DELETE' });
+      if (target.dataset.preset || target.dataset.active || target.dataset.refresh || target.dataset.subRemove || target.dataset.ruleRemove) refresh();
+    };
+  </script>
+</body>
+</html>`;
+}
+async function readBody(req) {
+    const chunks = [];
+    for await (const chunk of req) {
+        chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+    }
+    const raw = Buffer.concat(chunks).toString('utf8');
+    if (!raw) {
+        return {};
+    }
+    return JSON.parse(raw);
+}
+function isAuthed(req) {
+    const header = req.headers.authorization ?? '';
+    if (!header.startsWith('Bearer ')) {
+        return false;
+    }
+    return sessions.has(header.slice('Bearer '.length));
+}
+class AdminServer {
+    manager;
+    server = null;
+    constructor(manager) {
+        this.manager = manager;
+    }
+    start() {
+        if (this.server) {
+            return;
+        }
+        const settings = this.manager.db.getSettings();
+        this.server = (0, http_1.createServer)(async (req, res) => {
+            try {
+                await this.handle(req, res);
+            }
+            catch (error) {
+                sendJson(res, 500, { error: error instanceof Error ? error.message : String(error) });
+            }
+        });
+        this.server.listen(settings.ports.admin, '127.0.0.1');
+    }
+    stop() {
+        this.server?.close();
+        this.server = null;
+    }
+    async handle(req, res) {
+        const method = req.method ?? 'GET';
+        const pathname = (0, url_1.parse)(req.url ?? '/', true).pathname ?? '/';
+        if (method === 'GET' && pathname === '/') {
+            sendText(res, 200, adminHtml(), 'text/html; charset=utf-8');
+            return;
+        }
+        const body = await readBody(req);
+        if (method === 'POST' && pathname === '/api/login') {
+            const { username, password } = body;
+            const settings = this.manager.db.getSettings();
+            if (username === settings.adminUser && password && (0, security_1.verifyPassword)(password, settings.adminPasswordHash)) {
+                const token = (0, security_1.createSessionToken)();
+                sessions.add(token);
+                sendJson(res, 200, { token });
+                return;
+            }
+            sendJson(res, 401, { error: 'invalid credentials' });
+            return;
+        }
+        if (!isAuthed(req)) {
+            sendJson(res, 401, { error: 'unauthorized' });
+            return;
+        }
+        const route = this.route(method, pathname);
+        if (!route) {
+            sendJson(res, 404, { error: 'not found' });
+            return;
+        }
+        await route(req, res, body);
+    }
+    route(method, pathname) {
+        if (method === 'GET' && pathname === '/api/snapshot') {
+            return async (_req, res) => sendJson(res, 200, await this.manager.snapshot());
+        }
+        if (method === 'POST' && pathname === '/api/mode') {
+            return async (_req, res, body) => {
+                const { mode } = body;
+                const changedMode = this.manager.setMode(mode);
+                if (changedMode) {
+                    await this.manager.applyRuntimeConfigChange();
+                }
+                sendJson(res, 200, this.manager.status());
+            };
+        }
+        if (method === 'POST' && pathname === '/api/ports') {
+            return async (_req, res, body) => {
+                const { mixed, dns } = body;
+                await this.manager.setLocalPorts({ mixed, dns });
+                sendJson(res, 200, this.manager.status());
+            };
+        }
+        if (method === 'POST' && pathname === '/api/tun/install') {
+            return async (_req, res) => {
+                this.manager.installTunFeature();
+                await this.manager.applyRuntimeConfigChange();
+                sendJson(res, 200, this.manager.status());
+            };
+        }
+        if (method === 'POST' && pathname === '/api/tun/uninstall') {
+            return async (_req, res) => {
+                this.manager.uninstallTunFeature();
+                await this.manager.applyRuntimeConfigChange();
+                sendJson(res, 200, this.manager.status());
+            };
+        }
+        if (method === 'POST' && pathname === '/api/core/start') {
+            return async (_req, res) => {
+                await this.manager.start();
+                sendJson(res, 200, this.manager.status());
+            };
+        }
+        if (method === 'POST' && pathname === '/api/core/stop') {
+            return async (_req, res) => {
+                await this.manager.stop();
+                sendJson(res, 200, this.manager.status());
+            };
+        }
+        if (method === 'POST' && pathname === '/api/core/path') {
+            return (_req, res, body) => {
+                const { corePath } = body;
+                this.manager.setCorePath(corePath);
+                sendJson(res, 200, this.manager.status());
+            };
+        }
+        if (method === 'POST' && pathname === '/api/subscriptions') {
+            return async (_req, res, body) => {
+                sendJson(res, 200, await this.manager.createSubscription(body));
+            };
+        }
+        if (method === 'POST' && pathname === '/api/subscriptions/active/update') {
+            return async (_req, res) => {
+                const subscription = await this.manager.updateActiveSubscription();
+                await this.manager.applyRuntimeConfigChange();
+                sendJson(res, 200, subscription);
+            };
+        }
+        const activeMatch = pathname.match(/^\/api\/subscriptions\/(\d+)\/active$/);
+        if (method === 'POST' && activeMatch) {
+            return async (_req, res) => {
+                const subscription = this.manager.setActiveSubscription(Number(activeMatch[1]));
+                await this.manager.applyRuntimeConfigChange();
+                sendJson(res, 200, subscription);
+            };
+        }
+        const updateMatch = pathname.match(/^\/api\/subscriptions\/(\d+)\/update$/);
+        if (method === 'POST' && updateMatch) {
+            return async (_req, res) => {
+                const subscription = await this.manager.updateSubscription(Number(updateMatch[1]));
+                if (subscription.active) {
+                    await this.manager.applyRuntimeConfigChange();
+                }
+                sendJson(res, 200, subscription);
+            };
+        }
+        const deleteSubscriptionMatch = pathname.match(/^\/api\/subscriptions\/(\d+)$/);
+        if (method === 'DELETE' && deleteSubscriptionMatch) {
+            return async (_req, res) => {
+                this.manager.deleteSubscription(Number(deleteSubscriptionMatch[1]));
+                await this.manager.applyRuntimeConfigChange();
+                sendJson(res, 200, { ok: true });
+            };
+        }
+        if (method === 'POST' && pathname === '/api/rules') {
+            return async (_req, res, body) => {
+                const { kind, domain } = body;
+                const rule = this.manager.addDomainRule(kind, domain);
+                await this.manager.applyRuntimeConfigChange();
+                sendJson(res, 200, rule);
+            };
+        }
+        const ruleDeleteMatch = pathname.match(/^\/api\/rules\/(\d+)$/);
+        if (method === 'DELETE' && ruleDeleteMatch) {
+            return async (_req, res) => {
+                this.manager.removeDomainRule(Number(ruleDeleteMatch[1]));
+                await this.manager.applyRuntimeConfigChange();
+                sendJson(res, 200, { ok: true });
+            };
+        }
+        const presetMatch = pathname.match(/^\/api\/presets\/([a-z]+)$/);
+        if (method === 'POST' && presetMatch) {
+            return async (_req, res) => {
+                const rules = this.manager.addPreset(presetMatch[1]);
+                await this.manager.applyRuntimeConfigChange();
+                sendJson(res, 200, rules);
+            };
+        }
+        return null;
+    }
+}
+exports.AdminServer = AdminServer;

package/dist/cli.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/cli.js

@@ -0,0 +1,92 @@
+#!/usr/bin/env node
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const fs_1 = require("fs");
+const path_1 = require("path");
+const command = process.argv[2] ?? 'help';
+function help() {
+    process.stdout.write(`QPJoy Electron Tunnel CLI
+
+Usage:
+  qpjoy-tunnel help
+  qpjoy-tunnel snippet
+  qpjoy-tunnel init [--out <path>]
+
+Commands:
+  snippet   Print the minimal Electron main-process integration.
+  init      Create a small integration module in the current project.
+`);
+}
+function snippet() {
+    return `import { app, ipcMain, session } from 'electron'
+import { createElectronTunnel } from '@qpjoy/electron-tunnel'
+
+const tunnel = createElectronTunnel(
+  { app, ipcMain, session: session.defaultSession },
+  {
+    adminPort: 23456,
+    controllerPort: 23457,
+    mixedPort: 23458,
+    dnsPort: 23459
+  }
+)
+
+app.whenReady().then(async () => {
+  await tunnel.applyProxy()
+})
+
+app.on('before-quit', () => {
+  tunnel.close()
+})
+`;
+}
+function argValue(name) {
+    const index = process.argv.indexOf(name);
+    if (index < 0) {
+        return null;
+    }
+    return process.argv[index + 1] ?? null;
+}
+function init() {
+    const outPath = (0, path_1.resolve)(process.cwd(), argValue('--out') ?? 'src-electron/qpjoy-tunnel.ts');
+    if ((0, fs_1.existsSync)(outPath)) {
+        throw new Error(`File already exists: ${outPath}`);
+    }
+    (0, fs_1.mkdirSync)((0, path_1.dirname)(outPath), { recursive: true });
+    (0, fs_1.writeFileSync)(outPath, snippet(), 'utf8');
+    process.stdout.write(`Created ${outPath}
+
+Next steps:
+  1. Import this module from your Electron main process.
+  2. Add the QPJoy tunnel engine resources to your Electron package config.
+
+electron-builder example:
+  extraResources: [
+    {
+      from: 'node_modules/@qpjoy/electron-tunnel/resources/engine',
+      to: 'qpjoy-tunnel-engine',
+      filter: ['**/*']
+    }
+  ]
+`);
+}
+try {
+    if (command === 'help' || command === '--help' || command === '-h') {
+        help();
+    }
+    else if (command === 'snippet') {
+        process.stdout.write(snippet());
+    }
+    else if (command === 'init') {
+        init();
+    }
+    else {
+        process.stderr.write(`Unknown command: ${command}\n`);
+        help();
+        process.exitCode = 1;
+    }
+}
+catch (error) {
+    process.stderr.write(`${error instanceof Error ? error.message : String(error)}\n`);
+    process.exitCode = 1;
+}

package/dist/config/renderRuntimeConfig.d.ts

@@ -0,0 +1,3 @@
+import type { RenderRuntimeConfigInput, RenderedRuntimeConfig } from '../types';
+export declare function renderRuntimeConfig(input: RenderRuntimeConfigInput): RenderedRuntimeConfig;
+export declare function proxyPolicyNames(configYaml: string): string[];

package/dist/config/renderRuntimeConfig.js

@@ -0,0 +1,151 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.renderRuntimeConfig = renderRuntimeConfig;
+exports.proxyPolicyNames = proxyPolicyNames;
+const yaml_1 = require("yaml");
+const defaults_1 = require("../defaults");
+const PRIVATE_DIRECT_RULES = [
+    'DOMAIN-SUFFIX,local,DIRECT',
+    'IP-CIDR,127.0.0.0/8,DIRECT,no-resolve',
+    'IP-CIDR,10.0.0.0/8,DIRECT,no-resolve',
+    'IP-CIDR,172.16.0.0/12,DIRECT,no-resolve',
+    'IP-CIDR,192.168.0.0/16,DIRECT,no-resolve',
+    'IP-CIDR,169.254.0.0/16,DIRECT,no-resolve',
+    'IP-CIDR6,::1/128,DIRECT,no-resolve',
+    'IP-CIDR6,fc00::/7,DIRECT,no-resolve',
+    'IP-CIDR6,fe80::/10,DIRECT,no-resolve'
+];
+function isRecord(value) {
+    return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
+function stringArray(value) {
+    return Array.isArray(value) ? value.filter((item) => typeof item === 'string') : [];
+}
+function findProxyPolicyName(config) {
+    const groups = Array.isArray(config['proxy-groups']) ? config['proxy-groups'] : [];
+    for (const group of groups) {
+        if (isRecord(group) && typeof group.name === 'string') {
+            return group.name;
+        }
+    }
+    const proxies = Array.isArray(config.proxies) ? config.proxies : [];
+    for (const proxy of proxies) {
+        if (isRecord(proxy) && typeof proxy.name === 'string') {
+            return proxy.name;
+        }
+    }
+    return 'PROXY';
+}
+function ensureProxyGroup(config, proxyPolicyName) {
+    if (proxyPolicyName !== 'PROXY') {
+        return;
+    }
+    const groups = Array.isArray(config['proxy-groups']) ? config['proxy-groups'] : [];
+    if (groups.some((group) => isRecord(group) && group.name === 'PROXY')) {
+        return;
+    }
+    const proxies = Array.isArray(config.proxies) ? config.proxies : [];
+    const proxyNames = proxies
+        .filter(isRecord)
+        .map((proxy) => proxy.name)
+        .filter((name) => typeof name === 'string');
+    if (proxyNames.length === 0) {
+        return;
+    }
+    config['proxy-groups'] = [
+        {
+            name: 'PROXY',
+            type: 'select',
+            proxies: proxyNames
+        },
+        ...groups
+    ];
+}
+function dnsOverlay(dnsPort) {
+    return {
+        enable: true,
+        listen: `0.0.0.0:${dnsPort}`,
+        ipv6: false,
+        'use-hosts': true,
+        'use-system-hosts': true,
+        'cache-algorithm': 'arc',
+        'enhanced-mode': 'fake-ip',
+        'fake-ip-range': '198.18.0.1/16',
+        'default-nameserver': ['223.5.5.5', '119.29.29.29', '1.1.1.1'],
+        nameserver: ['https://dns.alidns.com/dns-query', 'https://doh.pub/dns-query'],
+        fallback: ['tls://1.1.1.1', 'tls://8.8.8.8'],
+        'fallback-filter': {
+            geoip: true,
+            'geoip-code': 'CN',
+            geosite: ['gfw']
+        }
+    };
+}
+function tunOverlay(enable) {
+    return {
+        enable,
+        stack: 'system',
+        'auto-route': true,
+        'auto-redirect': true,
+        'auto-detect-interface': true,
+        'strict-route': true,
+        'dns-hijack': ['any:53', 'tcp://any:53']
+    };
+}
+function domainRule(rule, target) {
+    return `DOMAIN-SUFFIX,${rule.domain},${target}`;
+}
+function buildRules(mode, proxyPolicyName, rules) {
+    const enabled = rules.filter((rule) => rule.enabled);
+    const blockRules = enabled.filter((rule) => rule.kind === 'block').map((rule) => domainRule(rule, 'REJECT'));
+    const allowRules = enabled.filter((rule) => rule.kind === 'allow').map((rule) => domainRule(rule, proxyPolicyName));
+    if (mode === 'system-tun' || mode === 'app-global') {
+        return [
+            ...PRIVATE_DIRECT_RULES,
+            ...blockRules,
+            `MATCH,${proxyPolicyName}`
+        ];
+    }
+    const appModeTail = allowRules.length > 0 ? 'MATCH,REJECT' : `MATCH,${proxyPolicyName}`;
+    return [
+        ...PRIVATE_DIRECT_RULES,
+        ...blockRules,
+        ...allowRules,
+        'GEOSITE,CN,DIRECT',
+        'GEOIP,CN,DIRECT',
+        appModeTail
+    ];
+}
+function renderRuntimeConfig(input) {
+    const parsed = (0, yaml_1.parse)(input.baseYaml);
+    const config = isRecord(parsed) ? parsed : {};
+    const proxyPolicyName = findProxyPolicyName(config);
+    ensureProxyGroup(config, proxyPolicyName);
+    config['mixed-port'] = input.settings.ports.mixed;
+    config['allow-lan'] = false;
+    config.mode = 'rule';
+    config['log-level'] = 'info';
+    config['external-controller'] = `127.0.0.1:${input.settings.ports.controller}`;
+    config.secret = input.settings.controllerSecret;
+    config['geodata-mode'] = true;
+    config['geo-auto-update'] = true;
+    config['geo-update-interval'] = 24;
+    config['geox-url'] = defaults_1.GEOX_URL;
+    config.dns = {
+        ...(isRecord(config.dns) ? config.dns : {}),
+        ...dnsOverlay(input.settings.ports.dns)
+    };
+    config.tun = tunOverlay(input.settings.mode === 'system-tun' && input.settings.tunInstalled);
+    config.rules = buildRules(input.settings.mode, proxyPolicyName, input.rules);
+    return {
+        yaml: (0, yaml_1.stringify)(config, { lineWidth: 0 }),
+        proxyPolicyName
+    };
+}
+function proxyPolicyNames(configYaml) {
+    const parsed = (0, yaml_1.parse)(configYaml);
+    if (!isRecord(parsed)) {
+        return [];
+    }
+    return stringArray(parsed['proxy-groups']?.[0]?.proxies);
+}