chore(version): update version to 0.67.3

feat(proxy): add traffic counting wrapper for connections
feat(controller): add API to close proxy by name
2026-03-10 03:49:09 +08:00 · 2026-03-08 18:35:40 +08:00 · 2026-03-08 18:33:42 +08:00 · 2026-02-21 07:42:17 +08:00 · 2026-02-20 15:28:31 +08:00 · 2026-02-20 15:15:16 +08:00
215 changed files with 7031 additions and 17240 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -2,7 +2,7 @@ version: 2
 jobs:
  go-version-latest:
    docker:
-    - image: cimg/go:1.25-node
+    - image: cimg/go:1.24-node
    resource_class: large
    steps:
    - checkout
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1 @@
+* text=auto eol=lf
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -1,4 +0,0 @@
-# These are supported funding model platforms
-
-github: [fatedier]
-custom: ["https://afdian.com/a/fatedier"]
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,3 +0,0 @@
-### WHY
-
-<!-- author to complete -->
--- a/.github/workflows/build-all.yaml
+++ b/.github/workflows/build-all.yaml
@@ -0,0 +1,189 @@
+name: Build FRP Binaries
+
+on:
+  push:
+    branches:
+      - '**'
+  workflow_dispatch:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build FRP ${{ matrix.goos }}-${{ matrix.goarch }}
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        goos: [linux, windows, darwin, freebsd, openbsd, android]
+        goarch: [amd64, 386, arm, arm64]
+        exclude:
+          - goos: darwin
+            goarch: arm
+          - goos: darwin
+            goarch: 386
+          - goos: freebsd
+            goarch: arm
+          - goos: openbsd
+            goarch: arm
+          - goos: android
+            goarch: amd64
+          - goos: android
+            goarch: 386
+          # 排除 Android ARM 32位,在单独的 job 中处理
+          - goos: android
+            goarch: arm
+
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.22'
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update -y
+          sudo apt-get install -y zip tar make gcc g++ upx
+
+      - name: Build FRP for ${{ matrix.goos }}-${{ matrix.goarch }}
+        run: |
+          mkdir -p release/packages
+
+          echo "Building for ${{ matrix.goos }}-${{ matrix.goarch }}"
+
+          # 构建版本号
+          make
+          version=$(./bin/frps --version)
+          echo "Detected version: $version"
+
+          export GOOS=${{ matrix.goos }}
+          export GOARCH=${{ matrix.goarch }}
+          export CGO_ENABLED=0
+
+          # 构建可执行文件
+          make frpc frps
+
+          if [ "${{ matrix.goos }}" = "windows" ]; then
+            if [ -f "./bin/frpc" ]; then mv ./bin/frpc ./bin/frpc.exe; fi
+            if [ -f "./bin/frps" ]; then mv ./bin/frps ./bin/frps.exe; fi
+          fi
+
+          out_dir="release/packages/frp_${version}_${{ matrix.goos }}_${{ matrix.goarch }}"
+          mkdir -p "$out_dir"
+
+          if [ "${{ matrix.goos }}" = "windows" ]; then
+            mv ./bin/frpc.exe "$out_dir/frpc.exe"
+            mv ./bin/frps.exe "$out_dir/frps.exe"
+          else
+            mv ./bin/frpc "$out_dir/frpc"
+            mv ./bin/frps "$out_dir/frps"
+          fi
+
+          cp LICENSE "$out_dir"
+          cp -f conf/frpc.toml "$out_dir"
+          cp -f conf/frps.toml "$out_dir"
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: LoliaFrp_${{ matrix.goos }}_${{ matrix.goarch }}
+          path: |
+            release/packages/frp_*
+          retention-days: 7
+
+  build-android-arm:
+    name: Build FRP android-arm
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.22'
+
+      - name: Install dependencies and Android NDK
+        run: |
+          sudo apt-get update -y
+          sudo apt-get install -y zip tar make gcc g++ upx wget unzip
+          
+          # 下载并安装 Android NDK
+          echo "Downloading Android NDK..."
+          wget -q https://dl.google.com/android/repository/android-ndk-r26c-linux.zip
+          echo "Extracting Android NDK..."
+          unzip -q android-ndk-r26c-linux.zip
+          echo "NDK installed at: $PWD/android-ndk-r26c"
+
+      - name: Build FRP for android-arm
+        run: |
+          mkdir -p release/packages
+          mkdir -p bin
+          
+          echo "Building for android-arm with CGO"
+          
+          # 首先构建一次获取版本号
+          CGO_ENABLED=0 make
+          version=$(./bin/frps --version)
+          echo "Detected version: $version"
+          
+          # 清理之前的构建
+          rm -rf ./bin/*
+          
+          # 设置 Android ARM 交叉编译环境
+          export GOOS=android
+          export GOARCH=arm
+          export GOARM=7
+          export CGO_ENABLED=1
+          export CC=$PWD/android-ndk-r26c/toolchains/llvm/prebuilt/linux-x86_64/bin/armv7a-linux-androideabi21-clang
+          export CXX=$PWD/android-ndk-r26c/toolchains/llvm/prebuilt/linux-x86_64/bin/armv7a-linux-androideabi21-clang++
+          
+          echo "Environment:"
+          echo "GOOS=$GOOS"
+          echo "GOARCH=$GOARCH"
+          echo "GOARM=$GOARM"
+          echo "CGO_ENABLED=$CGO_ENABLED"
+          echo "CC=$CC"
+          
+          # 直接使用 go build 命令，不通过 Makefile，防止 CGO_ENABLED 被覆盖
+          echo "Building frps..."
+          go build -trimpath -ldflags "-s -w" -tags frps -o bin/frps ./cmd/frps
+          
+          echo "Building frpc..."
+          go build -trimpath -ldflags "-s -w" -tags frpc -o bin/frpc ./cmd/frpc
+          
+          # 验证文件已生成
+          ls -lh ./bin/
+          file ./bin/frpc
+          file ./bin/frps
+          
+          out_dir="release/packages/frp_${version}_android_arm"
+          mkdir -p "$out_dir"
+          
+          mv ./bin/frpc "$out_dir/frpc"
+          mv ./bin/frps "$out_dir/frps"
+          
+          cp LICENSE "$out_dir"
+          cp -f conf/frpc.toml "$out_dir"
+          cp -f conf/frps.toml "$out_dir"
+          
+          echo "Build completed for android-arm"
+          ls -lh "$out_dir"
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: LoliaFrp_android_arm
+          path: |
+            release/packages/frp_*
+          retention-days: 7
--- a/.github/workflows/build-and-push-image.yml
+++ b/.github/workflows/build-and-push-image.yml
@@ -1,83 +0,0 @@
-name: Build Image and Publish to Dockerhub & GPR
-
-on:
-  release:
-    types: [ published ]
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: 'Image tag'
-        required: true
-        default: 'test'
-permissions:
-  contents: read
-
-jobs:
-  image:
-    name: Build Image from Dockerfile and binaries
-    runs-on: ubuntu-latest
-    steps:
-      # environment
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: '0'
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      # get image tag name
-      - name: Get Image Tag Name
-        run: |
-          if [ x${{ github.event.inputs.tag }} == x"" ]; then
-            echo "TAG_NAME=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
-          else
-            echo "TAG_NAME=${{ github.event.inputs.tag }}" >> $GITHUB_ENV
-          fi
-      - name: Login to DockerHub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_PASSWORD }}
-
-      - name: Login to the GPR
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GPR_TOKEN }}
-
-      # prepare image tags
-      - name: Prepare Image Tags
-        run: |
-          echo "DOCKERFILE_FRPC_PATH=dockerfiles/Dockerfile-for-frpc" >> $GITHUB_ENV
-          echo "DOCKERFILE_FRPS_PATH=dockerfiles/Dockerfile-for-frps" >> $GITHUB_ENV
-          echo "TAG_FRPC=fatedier/frpc:${{ env.TAG_NAME }}" >> $GITHUB_ENV
-          echo "TAG_FRPS=fatedier/frps:${{ env.TAG_NAME }}" >> $GITHUB_ENV
-          echo "TAG_FRPC_GPR=ghcr.io/fatedier/frpc:${{ env.TAG_NAME }}" >> $GITHUB_ENV
-          echo "TAG_FRPS_GPR=ghcr.io/fatedier/frps:${{ env.TAG_NAME }}" >> $GITHUB_ENV
-
-      - name: Build and push frpc
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          file: ./dockerfiles/Dockerfile-for-frpc
-          platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x
-          push: true
-          tags: |
-            ${{ env.TAG_FRPC }}
-            ${{ env.TAG_FRPC_GPR }}
-
-      - name: Build and push frps
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          file: ./dockerfiles/Dockerfile-for-frps
-          platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x
-          push: true
-          tags: |
-            ${{ env.TAG_FRPS }}
-            ${{ env.TAG_FRPS_GPR }}
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -0,0 +1,82 @@
+name: Docker Build and Push
+
+on:
+  push:
+    branches:
+      - main
+      - dev
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - main
+      - dev
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
+    strategy:
+      matrix:
+        include:
+          - name: frps
+            dockerfile: dockerfiles/Dockerfile-for-frps
+            image_name: ghcr.io/${{ github.repository_owner }}/loliacli-frps
+          - name: frpc
+            dockerfile: dockerfiles/Dockerfile-for-frpc
+            image_name: ghcr.io/${{ github.repository_owner }}/loliacli-frpc
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ matrix.image_name }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ${{ matrix.dockerfile }}
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          platforms: linux/amd64,linux/arm64
+
+      - name: Generate image digest
+        if: github.event_name != 'pull_request'
+        run: |
+          echo "Image pushed to: ${{ matrix.image_name }}"
+          echo "Tags: ${{ steps.meta.outputs.tags }}"
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -17,7 +17,7 @@ jobs:
    - uses: actions/checkout@v4
    - uses: actions/setup-go@v5
      with:
-        go-version: '1.25'
+        go-version: '1.24'
        cache: false
    - uses: actions/setup-node@v4
      with:
@@ -29,7 +29,7 @@ jobs:
      run: make build
      working-directory: web/frpc
    - name: golangci-lint
-      uses: golangci/golangci-lint-action@v9
+      uses: golangci/golangci-lint-action@v8
      with:
        # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-        version: v2.10
+        version: v2.3
--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
@@ -15,7 +15,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: '1.25'
+          go-version: '1.24'
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,129 @@
+name: Release FRP Binaries
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Tag to release (e.g., v1.0.0)"
+        required: true
+        type: string
+
+permissions:
+  contents: write
+
+jobs:
+  # 调用 build-all workflow
+  build:
+    uses: ./.github/workflows/build-all.yaml
+    permissions:
+      contents: read
+
+  # 创建 release
+  release:
+    name: Create Release
+    needs: build
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get tag name
+        id: tag
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "tag=${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT
+          else
+            echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: artifacts
+
+      - name: Display artifact structure
+        run: |
+          echo "Artifact structure:"
+          ls -R artifacts/
+
+      - name: Organize release files
+        run: |
+          mkdir -p release_files
+
+          # 查找并复制所有压缩包
+          find artifacts -type f \( -name "*.zip" -o -name "*.tar.gz" \) -exec cp {} release_files/ \;
+
+          # 如果没有压缩包，尝试查找二进制文件并打包
+          if [ -z "$(ls -A release_files/)" ]; then
+            echo "No archives found, looking for directories to package..."
+            for dir in artifacts/*/; do
+              if [ -d "$dir" ]; then
+                artifact_name=$(basename "$dir")
+                echo "Packaging $artifact_name"
+                
+                # 检查是否是 Windows 构建
+                if echo "$artifact_name" | grep -q "windows"; then
+                  (cd "$dir" && zip -r "../../release_files/${artifact_name}.zip" .)
+                else
+                  tar -czf "release_files/${artifact_name}.tar.gz" -C "$dir" .
+                fi
+              fi
+            done
+          fi
+
+          echo "Files in release_files:"
+          ls -lh release_files/
+
+      - name: Generate checksums
+        run: |
+          cd release_files
+          if [ -n "$(ls -A .)" ]; then
+            sha256sum * > sha256sum.txt
+            cat sha256sum.txt
+          else
+            echo "No files to generate checksums for!"
+            exit 1
+          fi
+
+      - name: Debug - Check tags and commits
+        run: |
+          echo "Current tag: ${{ steps.tag.outputs.tag }}"
+          PREV_TAG=$(git describe --tags --abbrev=0 ${{ steps.tag.outputs.tag }}^ 2>/dev/null || echo "none")
+          echo "Previous tag: $PREV_TAG"
+
+          echo ""
+          echo "Commits between tags:"
+          if [ "$PREV_TAG" != "none" ]; then
+            git log --oneline $PREV_TAG..${{ steps.tag.outputs.tag }}
+          else
+            echo "First tag, showing all commits:"
+            git log --oneline ${{ steps.tag.outputs.tag }}
+          fi
+
+      - name: Build Changelog
+        id: changelog
+        uses: requarks/changelog-action@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          tag: ${{ steps.tag.outputs.tag }}
+          writeToFile: false
+          includeInvalidCommits: true
+          useGitmojis: false
+      - name: Create Release
+        uses: softprops/action-gh-release@v1
+        with:
+          tag_name: ${{ steps.tag.outputs.tag }}
+          name: Release ${{ steps.tag.outputs.tag }}
+          body: ${{ steps.changelog.outputs.changes }}
+          draft: false
+          prerelease: false
+          files: |
+            release_files/*
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,18 @@
 _obj
 _test

+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
 *.exe
 *.test
 *.prof
@@ -30,5 +42,6 @@ client.key

 # AI
 CLAUDE.md
-AGENTS.md
-.sisyphus/
+
+# TLS
+.autotls-cache
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -18,7 +18,6 @@ linters:
  - lll
  - makezero
  - misspell
-  - modernize
  - prealloc
  - predeclared
  - revive
@@ -34,7 +33,13 @@ linters:
      disabled-checks:
      - exitAfterDefer
    gosec:
-      excludes: ["G115", "G117", "G204", "G401", "G402", "G404", "G501", "G703", "G704", "G705"]
+      excludes:
+      - G401
+      - G402
+      - G404
+      - G501
+      - G115
+      - G204
      severity: low
      confidence: low
    govet:
@@ -48,9 +53,6 @@ linters:
      ignore-rules:
      - cancelled
      - marshalled
-    modernize:
-      disable:
-      - omitzero
    unparam:
      check-exported: false
  exclusions:
@@ -75,9 +77,6 @@ linters:
    - linters:
      - revive
      text: "avoid meaningless package names"
-    - linters:
-      - revive
-      text: "Go standard library package names"
    - linters:
      - unparam
      text: is always false
--- a/21
+++ b/21
@@ -1,7 +1,6 @@
 export PATH := $(PATH):`go env GOPATH`/bin
 export GO111MODULE=on
 LDFLAGS := -s -w
-NOWEB_TAG = $(shell [ ! -d web/frps/dist ] || [ ! -d web/frpc/dist ] && echo ',noweb')

 .PHONY: web frps-web frpc-web frps frpc

@@ -29,23 +28,23 @@ fmt-more:
 gci:
 	gci write -s standard -s default -s "prefix(github.com/fatedier/frp/)" ./

-vet:
-	go vet -tags "$(NOWEB_TAG)" ./...
+vet: web
+	go vet ./...

 frps:
-	env CGO_ENABLED=0 go build -trimpath -ldflags "$(LDFLAGS)" -tags "frps$(NOWEB_TAG)" -o bin/frps ./cmd/frps
+	env CGO_ENABLED=0 go build -trimpath -ldflags "$(LDFLAGS)" -tags frps -o bin/frps ./cmd/frps

 frpc:
-	env CGO_ENABLED=0 go build -trimpath -ldflags "$(LDFLAGS)" -tags "frpc$(NOWEB_TAG)" -o bin/frpc ./cmd/frpc
+	env CGO_ENABLED=0 go build -trimpath -ldflags "$(LDFLAGS)" -tags frpc -o bin/frpc ./cmd/frpc

 test: gotest

-gotest:
-	go test -tags "$(NOWEB_TAG)" -v --cover ./assets/...
-	go test -tags "$(NOWEB_TAG)" -v --cover ./cmd/...
-	go test -tags "$(NOWEB_TAG)" -v --cover ./client/...
-	go test -tags "$(NOWEB_TAG)" -v --cover ./server/...
-	go test -tags "$(NOWEB_TAG)" -v --cover ./pkg/...
+gotest: web
+	go test -v --cover ./assets/...
+	go test -v --cover ./cmd/...
+	go test -v --cover ./client/...
+	go test -v --cover ./server/...
+	go test -v --cover ./pkg/...

 e2e:
 	./hack/run-e2e.sh
--- a/README.md
+++ b/README.md
@@ -13,16 +13,6 @@ frp is an open source project with its ongoing development made possible entirel

 <h3 align="center">Gold Sponsors</h3>
 <!--gold sponsors start-->
-<div align="center">
-
-## Recall.ai - API for meeting recordings
-
-If you're looking for a meeting recording API, consider checking out [Recall.ai](https://www.recall.ai/?utm_source=github&utm_medium=sponsorship&utm_campaign=fatedier-frp),
-
-an API that records Zoom, Google Meet, Microsoft Teams, in-person meetings, and more.
-
-</div>
-
 <p align="center">
  <a href="https://requestly.com/?utm_source=github&utm_medium=partnered&utm_campaign=frp" target="_blank">
    <img width="480px" src="https://github.com/user-attachments/assets/24670320-997d-4d62-9bca-955c59fe883d">
@@ -50,6 +40,15 @@ an API that records Zoom, Google Meet, Microsoft Teams, in-person meetings, and
 	<sub>An open source, self-hosted alternative to public clouds, built for data ownership and privacy</sub>
  </a>
 </p>
+<div align="center">
+
+## Recall.ai - API for meeting recordings
+
+If you're looking for a meeting recording API, consider checking out [Recall.ai](https://www.recall.ai/?utm_source=github&utm_medium=sponsorship&utm_campaign=fatedier-frp),
+
+an API that records Zoom, Google Meet, Microsoft Teams, in-person meetings, and more.
+
+</div>
 <!--gold sponsors end-->

 ## What is frp?
@@ -801,14 +800,6 @@ Then run command `frpc reload -c ./frpc.toml` and wait for about 10 seconds to l

 **Note that global client parameters won't be modified except 'start'.**

-`start` is a global allowlist evaluated after all sources are merged (config file/include/store).
-If `start` is non-empty, any proxy or visitor not listed there will not be started, including
-entries created via Store API.
-
-`start` is kept mainly for compatibility and is generally not recommended for new configurations.
-Prefer per-proxy/per-visitor `enabled`, and keep `start` empty unless you explicitly want this
-global allowlist behavior.
-
 You can run command `frpc verify -c ./frpc.toml` before reloading to check if there are config errors.

 ### Get proxy status from client
--- a/README_zh.md
+++ b/README_zh.md
@@ -15,16 +15,6 @@ frp 是一个完全开源的项目，我们的开发工作完全依靠赞助者

 <h3 align="center">Gold Sponsors</h3>
 <!--gold sponsors start-->
-<div align="center">
-
-## Recall.ai - API for meeting recordings
-
-If you're looking for a meeting recording API, consider checking out [Recall.ai](https://www.recall.ai/?utm_source=github&utm_medium=sponsorship&utm_campaign=fatedier-frp),
-
-an API that records Zoom, Google Meet, Microsoft Teams, in-person meetings, and more.
-
-</div>
-
 <p align="center">
  <a href="https://requestly.com/?utm_source=github&utm_medium=partnered&utm_campaign=frp" target="_blank">
    <img width="480px" src="https://github.com/user-attachments/assets/24670320-997d-4d62-9bca-955c59fe883d">
@@ -52,6 +42,15 @@ an API that records Zoom, Google Meet, Microsoft Teams, in-person meetings, and
 	<sub>An open source, self-hosted alternative to public clouds, built for data ownership and privacy</sub>
  </a>
 </p>
+<div align="center">
+
+## Recall.ai - API for meeting recordings
+
+If you're looking for a meeting recording API, consider checking out [Recall.ai](https://www.recall.ai/?utm_source=github&utm_medium=sponsorship&utm_campaign=fatedier-frp),
+
+an API that records Zoom, Google Meet, Microsoft Teams, in-person meetings, and more.
+
+</div>
 <!--gold sponsors end-->

 ## 为什么使用 frp ？
--- a/Release.md
+++ b/Release.md
@@ -1,9 +1,8 @@
 ## Features

-* Added a built-in `store` capability for frpc, including persisted store source (`[store] path = "..."`), Store CRUD admin APIs (`/api/store/proxies*`, `/api/store/visitors*`) with runtime reload, and Store management pages in the frpc web dashboard.
+* frpc now supports a `clientID` option to uniquely identify client instances. The server dashboard displays all connected clients with their online/offline status, connection history, and metadata, making it easier to monitor and manage multiple frpc deployments.
+* Redesigned the frp web dashboard with a modern UI, dark mode support, and improved navigation.

-## Improvements
+## Fixes

-* Kept proxy/visitor names as raw config names during completion; moved user-prefix handling to explicit wire-level naming logic.
-* Added `noweb` build tag to allow compiling without frontend assets. `make build` now auto-detects missing `web/*/dist` directories and skips embedding, so a fresh clone can build without running `make web` first. The dashboard gracefully returns 404 when assets are not embedded.
-* Improved config parsing errors: for `.toml` files, syntax errors now return immediately with parser position details (line/column when available) instead of falling through to YAML/JSON parsing, and TOML type mismatches report field-level errors without misleading line numbers.
+* Fixed UDP proxy protocol sending header on every packet instead of only the first packet of each session.
--- a/assets/assets.go
+++ b/assets/assets.go
@@ -29,23 +29,14 @@ var (
 	prefixPath string
 )

-type emptyFS struct{}
-
-func (emptyFS) Open(name string) (http.File, error) {
-	return nil, &fs.PathError{Op: "open", Path: name, Err: fs.ErrNotExist}
-}
-
 // if path is empty, load assets in memory
 // or set FileSystem using disk files
 func Load(path string) {
 	prefixPath = path
-	switch {
-	case prefixPath != "":
+	if prefixPath != "" {
 		FileSystem = http.Dir(prefixPath)
-	case content != nil:
+	} else {
 		FileSystem = http.FS(content)
-	default:
-		FileSystem = emptyFS{}
 	}
 }

--- a/client/api_router.go
+++ b/client/api_router.go
@@ -17,7 +17,7 @@ package client
 import (
 	"net/http"

-	adminapi "github.com/fatedier/frp/client/http"
+	"github.com/fatedier/frp/client/api"
 	"github.com/fatedier/frp/client/proxy"
 	httppkg "github.com/fatedier/frp/pkg/util/http"
 	netpkg "github.com/fatedier/frp/pkg/util/net"
@@ -38,20 +38,6 @@ func (svr *Service) registerRouteHandlers(helper *httppkg.RouterRegisterHelper)
 	subRouter.HandleFunc("/api/status", httppkg.MakeHTTPHandlerFunc(apiController.Status)).Methods(http.MethodGet)
 	subRouter.HandleFunc("/api/config", httppkg.MakeHTTPHandlerFunc(apiController.GetConfig)).Methods(http.MethodGet)
 	subRouter.HandleFunc("/api/config", httppkg.MakeHTTPHandlerFunc(apiController.PutConfig)).Methods(http.MethodPut)
-
-	if svr.storeSource != nil {
-		subRouter.HandleFunc("/api/store/proxies", httppkg.MakeHTTPHandlerFunc(apiController.ListStoreProxies)).Methods(http.MethodGet)
-		subRouter.HandleFunc("/api/store/proxies", httppkg.MakeHTTPHandlerFunc(apiController.CreateStoreProxy)).Methods(http.MethodPost)
-		subRouter.HandleFunc("/api/store/proxies/{name}", httppkg.MakeHTTPHandlerFunc(apiController.GetStoreProxy)).Methods(http.MethodGet)
-		subRouter.HandleFunc("/api/store/proxies/{name}", httppkg.MakeHTTPHandlerFunc(apiController.UpdateStoreProxy)).Methods(http.MethodPut)
-		subRouter.HandleFunc("/api/store/proxies/{name}", httppkg.MakeHTTPHandlerFunc(apiController.DeleteStoreProxy)).Methods(http.MethodDelete)
-		subRouter.HandleFunc("/api/store/visitors", httppkg.MakeHTTPHandlerFunc(apiController.ListStoreVisitors)).Methods(http.MethodGet)
-		subRouter.HandleFunc("/api/store/visitors", httppkg.MakeHTTPHandlerFunc(apiController.CreateStoreVisitor)).Methods(http.MethodPost)
-		subRouter.HandleFunc("/api/store/visitors/{name}", httppkg.MakeHTTPHandlerFunc(apiController.GetStoreVisitor)).Methods(http.MethodGet)
-		subRouter.HandleFunc("/api/store/visitors/{name}", httppkg.MakeHTTPHandlerFunc(apiController.UpdateStoreVisitor)).Methods(http.MethodPut)
-		subRouter.HandleFunc("/api/store/visitors/{name}", httppkg.MakeHTTPHandlerFunc(apiController.DeleteStoreVisitor)).Methods(http.MethodDelete)
-	}
-
 	subRouter.Handle("/favicon.ico", http.FileServer(helper.AssetsFS)).Methods("GET")
 	subRouter.PathPrefix("/static/").Handler(
 		netpkg.MakeHTTPGzipHandler(http.StripPrefix("/static/", http.FileServer(helper.AssetsFS))),
@@ -65,11 +51,14 @@ func healthz(w http.ResponseWriter, _ *http.Request) {
 	w.WriteHeader(http.StatusOK)
 }

-func newAPIController(svr *Service) *adminapi.Controller {
-	manager := newServiceConfigManager(svr)
-	return adminapi.NewController(adminapi.ControllerParams{
-		ServerAddr: svr.common.ServerAddr,
-		Manager:    manager,
+func newAPIController(svr *Service) *api.Controller {
+	return api.NewController(api.ControllerParams{
+		GetProxyStatus: svr.getAllProxyStatus,
+		ServerAddr:     svr.common.ServerAddr,
+		ConfigFilePath: svr.configFilePath,
+		UnsafeFeatures: svr.unsafeFeatures,
+		UpdateConfig:   svr.UpdateAllConfigurer,
+		GracefulClose:  svr.GracefulClose,
 	})
 }

--- a/client/api/controller.go
+++ b/client/api/controller.go
@@ -0,0 +1,189 @@
+// Copyright 2025 The frp Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package api
+
+import (
+	"cmp"
+	"fmt"
+	"net"
+	"net/http"
+	"os"
+	"slices"
+	"strconv"
+	"time"
+
+	"github.com/fatedier/frp/client/proxy"
+	"github.com/fatedier/frp/pkg/config"
+	v1 "github.com/fatedier/frp/pkg/config/v1"
+	"github.com/fatedier/frp/pkg/config/v1/validation"
+	"github.com/fatedier/frp/pkg/policy/security"
+	httppkg "github.com/fatedier/frp/pkg/util/http"
+	"github.com/fatedier/frp/pkg/util/log"
+)
+
+// Controller handles HTTP API requests for frpc.
+type Controller struct {
+	// getProxyStatus returns the current proxy status.
+	// Returns nil if the control connection is not established.
+	getProxyStatus func() []*proxy.WorkingStatus
+
+	// serverAddr is the frps server address for display.
+	serverAddr string
+
+	// configFilePath is the path to the configuration file.
+	configFilePath string
+
+	// unsafeFeatures is used for validation.
+	unsafeFeatures *security.UnsafeFeatures
+
+	// updateConfig updates proxy and visitor configurations.
+	updateConfig func(proxyCfgs []v1.ProxyConfigurer, visitorCfgs []v1.VisitorConfigurer) error
+
+	// gracefulClose gracefully stops the service.
+	gracefulClose func(d time.Duration)
+}
+
+// ControllerParams contains parameters for creating an APIController.
+type ControllerParams struct {
+	GetProxyStatus func() []*proxy.WorkingStatus
+	ServerAddr     string
+	ConfigFilePath string
+	UnsafeFeatures *security.UnsafeFeatures
+	UpdateConfig   func(proxyCfgs []v1.ProxyConfigurer, visitorCfgs []v1.VisitorConfigurer) error
+	GracefulClose  func(d time.Duration)
+}
+
+// NewController creates a new Controller.
+func NewController(params ControllerParams) *Controller {
+	return &Controller{
+		getProxyStatus: params.GetProxyStatus,
+		serverAddr:     params.ServerAddr,
+		configFilePath: params.ConfigFilePath,
+		unsafeFeatures: params.UnsafeFeatures,
+		updateConfig:   params.UpdateConfig,
+		gracefulClose:  params.GracefulClose,
+	}
+}
+
+// Reload handles GET /api/reload
+func (c *Controller) Reload(ctx *httppkg.Context) (any, error) {
+	strictConfigMode := false
+	strictStr := ctx.Query("strictConfig")
+	if strictStr != "" {
+		strictConfigMode, _ = strconv.ParseBool(strictStr)
+	}
+
+	cliCfg, proxyCfgs, visitorCfgs, _, err := config.LoadClientConfig(c.configFilePath, strictConfigMode)
+	if err != nil {
+		log.Warnf("reload frpc proxy config error: %s", err.Error())
+		return nil, httppkg.NewError(http.StatusBadRequest, err.Error())
+	}
+
+	if _, err := validation.ValidateAllClientConfig(cliCfg, proxyCfgs, visitorCfgs, c.unsafeFeatures); err != nil {
+		log.Warnf("reload frpc proxy config error: %s", err.Error())
+		return nil, httppkg.NewError(http.StatusBadRequest, err.Error())
+	}
+
+	if err := c.updateConfig(proxyCfgs, visitorCfgs); err != nil {
+		log.Warnf("reload frpc proxy config error: %s", err.Error())
+		return nil, httppkg.NewError(http.StatusInternalServerError, err.Error())
+	}
+
+	log.Infof("success reload conf")
+	return nil, nil
+}
+
+// Stop handles POST /api/stop
+func (c *Controller) Stop(ctx *httppkg.Context) (any, error) {
+	go c.gracefulClose(100 * time.Millisecond)
+	return nil, nil
+}
+
+// Status handles GET /api/status
+func (c *Controller) Status(ctx *httppkg.Context) (any, error) {
+	res := make(StatusResp)
+	ps := c.getProxyStatus()
+	if ps == nil {
+		return res, nil
+	}
+
+	for _, status := range ps {
+		res[status.Type] = append(res[status.Type], c.buildProxyStatusResp(status))
+	}
+
+	for _, arrs := range res {
+		if len(arrs) <= 1 {
+			continue
+		}
+		slices.SortFunc(arrs, func(a, b ProxyStatusResp) int {
+			return cmp.Compare(a.Name, b.Name)
+		})
+	}
+	return res, nil
+}
+
+// GetConfig handles GET /api/config
+func (c *Controller) GetConfig(ctx *httppkg.Context) (any, error) {
+	if c.configFilePath == "" {
+		return nil, httppkg.NewError(http.StatusBadRequest, "frpc has no config file path")
+	}
+
+	content, err := os.ReadFile(c.configFilePath)
+	if err != nil {
+		log.Warnf("load frpc config file error: %s", err.Error())
+		return nil, httppkg.NewError(http.StatusBadRequest, err.Error())
+	}
+	return string(content), nil
+}
+
+// PutConfig handles PUT /api/config
+func (c *Controller) PutConfig(ctx *httppkg.Context) (any, error) {
+	body, err := ctx.Body()
+	if err != nil {
+		return nil, httppkg.NewError(http.StatusBadRequest, fmt.Sprintf("read request body error: %v", err))
+	}
+
+	if len(body) == 0 {
+		return nil, httppkg.NewError(http.StatusBadRequest, "body can't be empty")
+	}
+
+	if err := os.WriteFile(c.configFilePath, body, 0o600); err != nil {
+		return nil, httppkg.NewError(http.StatusInternalServerError, fmt.Sprintf("write content to frpc config file error: %v", err))
+	}
+	return nil, nil
+}
+
+// buildProxyStatusResp creates a ProxyStatusResp from proxy.WorkingStatus
+func (c *Controller) buildProxyStatusResp(status *proxy.WorkingStatus) ProxyStatusResp {
+	psr := ProxyStatusResp{
+		Name:   status.Name,
+		Type:   status.Type,
+		Status: status.Phase,
+		Err:    status.Err,
+	}
+	baseCfg := status.Cfg.GetBaseConfig()
+	if baseCfg.LocalPort != 0 {
+		psr.LocalAddr = net.JoinHostPort(baseCfg.LocalIP, strconv.Itoa(baseCfg.LocalPort))
+	}
+	psr.Plugin = baseCfg.Plugin.Type
+
+	if status.Err == "" {
+		psr.RemoteAddr = status.RemoteAddr
+		if slices.Contains([]string{"tcp", "udp"}, status.Type) {
+			psr.RemoteAddr = c.serverAddr + psr.RemoteAddr
+		}
+	}
+	return psr
+}
--- a/client/http/model/types.go
+++ b/client/http/model/types.go
@@ -12,9 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-package model
-
-const SourceStore = "store"
+package api

 // StatusResp is the response for GET /api/status
 type StatusResp map[string][]ProxyStatusResp
@@ -28,15 +26,4 @@ type ProxyStatusResp struct {
 	LocalAddr  string `json:"local_addr"`
 	Plugin     string `json:"plugin"`
 	RemoteAddr string `json:"remote_addr"`
-	Source     string `json:"source,omitempty"` // "store" or "config"
-}
-
-// ProxyListResp is the response for GET /api/store/proxies
-type ProxyListResp struct {
-	Proxies []ProxyDefinition `json:"proxies"`
-}
-
-// VisitorListResp is the response for GET /api/store/visitors
-type VisitorListResp struct {
-	Visitors []VisitorDefinition `json:"visitors"`
 }
--- a/client/config_manager.go
+++ b/client/config_manager.go
@@ -1,422 +0,0 @@
-package client
-
-import (
-	"errors"
-	"fmt"
-	"os"
-	"time"
-
-	"github.com/fatedier/frp/client/configmgmt"
-	"github.com/fatedier/frp/client/proxy"
-	"github.com/fatedier/frp/pkg/config"
-	"github.com/fatedier/frp/pkg/config/source"
-	v1 "github.com/fatedier/frp/pkg/config/v1"
-	"github.com/fatedier/frp/pkg/config/v1/validation"
-	"github.com/fatedier/frp/pkg/util/log"
-)
-
-type serviceConfigManager struct {
-	svr *Service
-}
-
-func newServiceConfigManager(svr *Service) configmgmt.ConfigManager {
-	return &serviceConfigManager{svr: svr}
-}
-
-func (m *serviceConfigManager) ReloadFromFile(strict bool) error {
-	if m.svr.configFilePath == "" {
-		return fmt.Errorf("%w: frpc has no config file path", configmgmt.ErrInvalidArgument)
-	}
-
-	result, err := config.LoadClientConfigResult(m.svr.configFilePath, strict)
-	if err != nil {
-		return fmt.Errorf("%w: %v", configmgmt.ErrInvalidArgument, err)
-	}
-
-	proxyCfgsForValidation, visitorCfgsForValidation := config.FilterClientConfigurers(
-		result.Common,
-		result.Proxies,
-		result.Visitors,
-	)
-	proxyCfgsForValidation = config.CompleteProxyConfigurers(proxyCfgsForValidation)
-	visitorCfgsForValidation = config.CompleteVisitorConfigurers(visitorCfgsForValidation)
-
-	if _, err := validation.ValidateAllClientConfig(result.Common, proxyCfgsForValidation, visitorCfgsForValidation, m.svr.unsafeFeatures); err != nil {
-		return fmt.Errorf("%w: %v", configmgmt.ErrInvalidArgument, err)
-	}
-
-	if err := m.svr.UpdateConfigSource(result.Common, result.Proxies, result.Visitors); err != nil {
-		return fmt.Errorf("%w: %v", configmgmt.ErrApplyConfig, err)
-	}
-
-	log.Infof("success reload conf")
-	return nil
-}
-
-func (m *serviceConfigManager) ReadConfigFile() (string, error) {
-	if m.svr.configFilePath == "" {
-		return "", fmt.Errorf("%w: frpc has no config file path", configmgmt.ErrInvalidArgument)
-	}
-
-	content, err := os.ReadFile(m.svr.configFilePath)
-	if err != nil {
-		return "", fmt.Errorf("%w: %v", configmgmt.ErrInvalidArgument, err)
-	}
-	return string(content), nil
-}
-
-func (m *serviceConfigManager) WriteConfigFile(content []byte) error {
-	if len(content) == 0 {
-		return fmt.Errorf("%w: body can't be empty", configmgmt.ErrInvalidArgument)
-	}
-
-	if err := os.WriteFile(m.svr.configFilePath, content, 0o600); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (m *serviceConfigManager) GetProxyStatus() []*proxy.WorkingStatus {
-	return m.svr.getAllProxyStatus()
-}
-
-func (m *serviceConfigManager) IsStoreProxyEnabled(name string) bool {
-	if name == "" {
-		return false
-	}
-
-	m.svr.reloadMu.Lock()
-	storeSource := m.svr.storeSource
-	m.svr.reloadMu.Unlock()
-
-	if storeSource == nil {
-		return false
-	}
-
-	cfg := storeSource.GetProxy(name)
-	if cfg == nil {
-		return false
-	}
-	enabled := cfg.GetBaseConfig().Enabled
-	return enabled == nil || *enabled
-}
-
-func (m *serviceConfigManager) StoreEnabled() bool {
-	m.svr.reloadMu.Lock()
-	storeSource := m.svr.storeSource
-	m.svr.reloadMu.Unlock()
-	return storeSource != nil
-}
-
-func (m *serviceConfigManager) ListStoreProxies() ([]v1.ProxyConfigurer, error) {
-	storeSource, err := m.storeSourceOrError()
-	if err != nil {
-		return nil, err
-	}
-	return storeSource.GetAllProxies()
-}
-
-func (m *serviceConfigManager) GetStoreProxy(name string) (v1.ProxyConfigurer, error) {
-	if name == "" {
-		return nil, fmt.Errorf("%w: proxy name is required", configmgmt.ErrInvalidArgument)
-	}
-
-	storeSource, err := m.storeSourceOrError()
-	if err != nil {
-		return nil, err
-	}
-
-	cfg := storeSource.GetProxy(name)
-	if cfg == nil {
-		return nil, fmt.Errorf("%w: proxy %q", configmgmt.ErrNotFound, name)
-	}
-	return cfg, nil
-}
-
-func (m *serviceConfigManager) CreateStoreProxy(cfg v1.ProxyConfigurer) (v1.ProxyConfigurer, error) {
-	if err := m.validateStoreProxyConfigurer(cfg); err != nil {
-		return nil, fmt.Errorf("%w: validation error: %v", configmgmt.ErrInvalidArgument, err)
-	}
-
-	name := cfg.GetBaseConfig().Name
-	persisted, err := m.withStoreProxyMutationAndReload(name, func(storeSource *source.StoreSource) error {
-		if err := storeSource.AddProxy(cfg); err != nil {
-			if errors.Is(err, source.ErrAlreadyExists) {
-				return fmt.Errorf("%w: %v", configmgmt.ErrConflict, err)
-			}
-			return err
-		}
-		return nil
-	})
-	if err != nil {
-		return nil, err
-	}
-	log.Infof("store: created proxy %q", name)
-	return persisted, nil
-}
-
-func (m *serviceConfigManager) UpdateStoreProxy(name string, cfg v1.ProxyConfigurer) (v1.ProxyConfigurer, error) {
-	if name == "" {
-		return nil, fmt.Errorf("%w: proxy name is required", configmgmt.ErrInvalidArgument)
-	}
-	if cfg == nil {
-		return nil, fmt.Errorf("%w: invalid proxy config: type is required", configmgmt.ErrInvalidArgument)
-	}
-	bodyName := cfg.GetBaseConfig().Name
-	if bodyName != name {
-		return nil, fmt.Errorf("%w: proxy name in URL must match name in body", configmgmt.ErrInvalidArgument)
-	}
-	if err := m.validateStoreProxyConfigurer(cfg); err != nil {
-		return nil, fmt.Errorf("%w: validation error: %v", configmgmt.ErrInvalidArgument, err)
-	}
-
-	persisted, err := m.withStoreProxyMutationAndReload(name, func(storeSource *source.StoreSource) error {
-		if err := storeSource.UpdateProxy(cfg); err != nil {
-			if errors.Is(err, source.ErrNotFound) {
-				return fmt.Errorf("%w: %v", configmgmt.ErrNotFound, err)
-			}
-			return err
-		}
-		return nil
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	log.Infof("store: updated proxy %q", name)
-	return persisted, nil
-}
-
-func (m *serviceConfigManager) DeleteStoreProxy(name string) error {
-	if name == "" {
-		return fmt.Errorf("%w: proxy name is required", configmgmt.ErrInvalidArgument)
-	}
-
-	if err := m.withStoreMutationAndReload(func(storeSource *source.StoreSource) error {
-		if err := storeSource.RemoveProxy(name); err != nil {
-			if errors.Is(err, source.ErrNotFound) {
-				return fmt.Errorf("%w: %v", configmgmt.ErrNotFound, err)
-			}
-			return err
-		}
-		return nil
-	}); err != nil {
-		return err
-	}
-
-	log.Infof("store: deleted proxy %q", name)
-	return nil
-}
-
-func (m *serviceConfigManager) ListStoreVisitors() ([]v1.VisitorConfigurer, error) {
-	storeSource, err := m.storeSourceOrError()
-	if err != nil {
-		return nil, err
-	}
-	return storeSource.GetAllVisitors()
-}
-
-func (m *serviceConfigManager) GetStoreVisitor(name string) (v1.VisitorConfigurer, error) {
-	if name == "" {
-		return nil, fmt.Errorf("%w: visitor name is required", configmgmt.ErrInvalidArgument)
-	}
-
-	storeSource, err := m.storeSourceOrError()
-	if err != nil {
-		return nil, err
-	}
-
-	cfg := storeSource.GetVisitor(name)
-	if cfg == nil {
-		return nil, fmt.Errorf("%w: visitor %q", configmgmt.ErrNotFound, name)
-	}
-	return cfg, nil
-}
-
-func (m *serviceConfigManager) CreateStoreVisitor(cfg v1.VisitorConfigurer) (v1.VisitorConfigurer, error) {
-	if err := m.validateStoreVisitorConfigurer(cfg); err != nil {
-		return nil, fmt.Errorf("%w: validation error: %v", configmgmt.ErrInvalidArgument, err)
-	}
-
-	name := cfg.GetBaseConfig().Name
-	persisted, err := m.withStoreVisitorMutationAndReload(name, func(storeSource *source.StoreSource) error {
-		if err := storeSource.AddVisitor(cfg); err != nil {
-			if errors.Is(err, source.ErrAlreadyExists) {
-				return fmt.Errorf("%w: %v", configmgmt.ErrConflict, err)
-			}
-			return err
-		}
-		return nil
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	log.Infof("store: created visitor %q", name)
-	return persisted, nil
-}
-
-func (m *serviceConfigManager) UpdateStoreVisitor(name string, cfg v1.VisitorConfigurer) (v1.VisitorConfigurer, error) {
-	if name == "" {
-		return nil, fmt.Errorf("%w: visitor name is required", configmgmt.ErrInvalidArgument)
-	}
-	if cfg == nil {
-		return nil, fmt.Errorf("%w: invalid visitor config: type is required", configmgmt.ErrInvalidArgument)
-	}
-	bodyName := cfg.GetBaseConfig().Name
-	if bodyName != name {
-		return nil, fmt.Errorf("%w: visitor name in URL must match name in body", configmgmt.ErrInvalidArgument)
-	}
-	if err := m.validateStoreVisitorConfigurer(cfg); err != nil {
-		return nil, fmt.Errorf("%w: validation error: %v", configmgmt.ErrInvalidArgument, err)
-	}
-
-	persisted, err := m.withStoreVisitorMutationAndReload(name, func(storeSource *source.StoreSource) error {
-		if err := storeSource.UpdateVisitor(cfg); err != nil {
-			if errors.Is(err, source.ErrNotFound) {
-				return fmt.Errorf("%w: %v", configmgmt.ErrNotFound, err)
-			}
-			return err
-		}
-		return nil
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	log.Infof("store: updated visitor %q", name)
-	return persisted, nil
-}
-
-func (m *serviceConfigManager) DeleteStoreVisitor(name string) error {
-	if name == "" {
-		return fmt.Errorf("%w: visitor name is required", configmgmt.ErrInvalidArgument)
-	}
-
-	if err := m.withStoreMutationAndReload(func(storeSource *source.StoreSource) error {
-		if err := storeSource.RemoveVisitor(name); err != nil {
-			if errors.Is(err, source.ErrNotFound) {
-				return fmt.Errorf("%w: %v", configmgmt.ErrNotFound, err)
-			}
-			return err
-		}
-		return nil
-	}); err != nil {
-		return err
-	}
-
-	log.Infof("store: deleted visitor %q", name)
-	return nil
-}
-
-func (m *serviceConfigManager) GracefulClose(d time.Duration) {
-	m.svr.GracefulClose(d)
-}
-
-func (m *serviceConfigManager) storeSourceOrError() (*source.StoreSource, error) {
-	m.svr.reloadMu.Lock()
-	storeSource := m.svr.storeSource
-	m.svr.reloadMu.Unlock()
-
-	if storeSource == nil {
-		return nil, fmt.Errorf("%w: store API is disabled", configmgmt.ErrStoreDisabled)
-	}
-	return storeSource, nil
-}
-
-func (m *serviceConfigManager) withStoreMutationAndReload(
-	fn func(storeSource *source.StoreSource) error,
-) error {
-	m.svr.reloadMu.Lock()
-	defer m.svr.reloadMu.Unlock()
-
-	storeSource := m.svr.storeSource
-	if storeSource == nil {
-		return fmt.Errorf("%w: store API is disabled", configmgmt.ErrStoreDisabled)
-	}
-
-	if err := fn(storeSource); err != nil {
-		return err
-	}
-
-	if err := m.svr.reloadConfigFromSourcesLocked(); err != nil {
-		return fmt.Errorf("%w: failed to apply config: %v", configmgmt.ErrApplyConfig, err)
-	}
-	return nil
-}
-
-func (m *serviceConfigManager) withStoreProxyMutationAndReload(
-	name string,
-	fn func(storeSource *source.StoreSource) error,
-) (v1.ProxyConfigurer, error) {
-	m.svr.reloadMu.Lock()
-	defer m.svr.reloadMu.Unlock()
-
-	storeSource := m.svr.storeSource
-	if storeSource == nil {
-		return nil, fmt.Errorf("%w: store API is disabled", configmgmt.ErrStoreDisabled)
-	}
-
-	if err := fn(storeSource); err != nil {
-		return nil, err
-	}
-	if err := m.svr.reloadConfigFromSourcesLocked(); err != nil {
-		return nil, fmt.Errorf("%w: failed to apply config: %v", configmgmt.ErrApplyConfig, err)
-	}
-
-	persisted := storeSource.GetProxy(name)
-	if persisted == nil {
-		return nil, fmt.Errorf("%w: proxy %q not found in store after mutation", configmgmt.ErrApplyConfig, name)
-	}
-	return persisted.Clone(), nil
-}
-
-func (m *serviceConfigManager) withStoreVisitorMutationAndReload(
-	name string,
-	fn func(storeSource *source.StoreSource) error,
-) (v1.VisitorConfigurer, error) {
-	m.svr.reloadMu.Lock()
-	defer m.svr.reloadMu.Unlock()
-
-	storeSource := m.svr.storeSource
-	if storeSource == nil {
-		return nil, fmt.Errorf("%w: store API is disabled", configmgmt.ErrStoreDisabled)
-	}
-
-	if err := fn(storeSource); err != nil {
-		return nil, err
-	}
-	if err := m.svr.reloadConfigFromSourcesLocked(); err != nil {
-		return nil, fmt.Errorf("%w: failed to apply config: %v", configmgmt.ErrApplyConfig, err)
-	}
-
-	persisted := storeSource.GetVisitor(name)
-	if persisted == nil {
-		return nil, fmt.Errorf("%w: visitor %q not found in store after mutation", configmgmt.ErrApplyConfig, name)
-	}
-	return persisted.Clone(), nil
-}
-
-func (m *serviceConfigManager) validateStoreProxyConfigurer(cfg v1.ProxyConfigurer) error {
-	if cfg == nil {
-		return fmt.Errorf("invalid proxy config")
-	}
-	runtimeCfg := cfg.Clone()
-	if runtimeCfg == nil {
-		return fmt.Errorf("invalid proxy config")
-	}
-	runtimeCfg.Complete()
-	return validation.ValidateProxyConfigurerForClient(runtimeCfg)
-}
-
-func (m *serviceConfigManager) validateStoreVisitorConfigurer(cfg v1.VisitorConfigurer) error {
-	if cfg == nil {
-		return fmt.Errorf("invalid visitor config")
-	}
-	runtimeCfg := cfg.Clone()
-	if runtimeCfg == nil {
-		return fmt.Errorf("invalid visitor config")
-	}
-	runtimeCfg.Complete()
-	return validation.ValidateVisitorConfigurer(runtimeCfg)
-}
--- a/client/config_manager_test.go
+++ b/client/config_manager_test.go
@@ -1,137 +0,0 @@
-package client
-
-import (
-	"errors"
-	"path/filepath"
-	"testing"
-
-	"github.com/fatedier/frp/client/configmgmt"
-	"github.com/fatedier/frp/pkg/config/source"
-	v1 "github.com/fatedier/frp/pkg/config/v1"
-)
-
-func newTestRawTCPProxyConfig(name string) *v1.TCPProxyConfig {
-	return &v1.TCPProxyConfig{
-		ProxyBaseConfig: v1.ProxyBaseConfig{
-			Name: name,
-			Type: "tcp",
-			ProxyBackend: v1.ProxyBackend{
-				LocalPort: 10080,
-			},
-		},
-	}
-}
-
-func TestServiceConfigManagerCreateStoreProxyConflict(t *testing.T) {
-	storeSource, err := source.NewStoreSource(source.StoreSourceConfig{
-		Path: filepath.Join(t.TempDir(), "store.json"),
-	})
-	if err != nil {
-		t.Fatalf("new store source: %v", err)
-	}
-	if err := storeSource.AddProxy(newTestRawTCPProxyConfig("p1")); err != nil {
-		t.Fatalf("seed proxy: %v", err)
-	}
-
-	agg := source.NewAggregator(source.NewConfigSource())
-	agg.SetStoreSource(storeSource)
-
-	mgr := &serviceConfigManager{
-		svr: &Service{
-			aggregator:   agg,
-			configSource: agg.ConfigSource(),
-			storeSource:  storeSource,
-			reloadCommon: &v1.ClientCommonConfig{},
-		},
-	}
-
-	_, err = mgr.CreateStoreProxy(newTestRawTCPProxyConfig("p1"))
-	if err == nil {
-		t.Fatal("expected conflict error")
-	}
-	if !errors.Is(err, configmgmt.ErrConflict) {
-		t.Fatalf("unexpected error: %v", err)
-	}
-}
-
-func TestServiceConfigManagerCreateStoreProxyKeepsStoreOnReloadFailure(t *testing.T) {
-	storeSource, err := source.NewStoreSource(source.StoreSourceConfig{
-		Path: filepath.Join(t.TempDir(), "store.json"),
-	})
-	if err != nil {
-		t.Fatalf("new store source: %v", err)
-	}
-
-	mgr := &serviceConfigManager{
-		svr: &Service{
-			storeSource:  storeSource,
-			reloadCommon: &v1.ClientCommonConfig{},
-		},
-	}
-
-	_, err = mgr.CreateStoreProxy(newTestRawTCPProxyConfig("p1"))
-	if err == nil {
-		t.Fatal("expected apply config error")
-	}
-	if !errors.Is(err, configmgmt.ErrApplyConfig) {
-		t.Fatalf("unexpected error: %v", err)
-	}
-	if storeSource.GetProxy("p1") == nil {
-		t.Fatal("proxy should remain in store after reload failure")
-	}
-}
-
-func TestServiceConfigManagerCreateStoreProxyStoreDisabled(t *testing.T) {
-	mgr := &serviceConfigManager{
-		svr: &Service{
-			reloadCommon: &v1.ClientCommonConfig{},
-		},
-	}
-
-	_, err := mgr.CreateStoreProxy(newTestRawTCPProxyConfig("p1"))
-	if err == nil {
-		t.Fatal("expected store disabled error")
-	}
-	if !errors.Is(err, configmgmt.ErrStoreDisabled) {
-		t.Fatalf("unexpected error: %v", err)
-	}
-}
-
-func TestServiceConfigManagerCreateStoreProxyDoesNotPersistRuntimeDefaults(t *testing.T) {
-	storeSource, err := source.NewStoreSource(source.StoreSourceConfig{
-		Path: filepath.Join(t.TempDir(), "store.json"),
-	})
-	if err != nil {
-		t.Fatalf("new store source: %v", err)
-	}
-	agg := source.NewAggregator(source.NewConfigSource())
-	agg.SetStoreSource(storeSource)
-
-	mgr := &serviceConfigManager{
-		svr: &Service{
-			aggregator:   agg,
-			configSource: agg.ConfigSource(),
-			storeSource:  storeSource,
-			reloadCommon: &v1.ClientCommonConfig{},
-		},
-	}
-
-	persisted, err := mgr.CreateStoreProxy(newTestRawTCPProxyConfig("raw-proxy"))
-	if err != nil {
-		t.Fatalf("create store proxy: %v", err)
-	}
-	if persisted == nil {
-		t.Fatal("expected persisted proxy to be returned")
-	}
-
-	got := storeSource.GetProxy("raw-proxy")
-	if got == nil {
-		t.Fatal("proxy not found in store")
-	}
-	if got.GetBaseConfig().LocalIP != "" {
-		t.Fatalf("localIP was persisted with runtime default: %q", got.GetBaseConfig().LocalIP)
-	}
-	if got.GetBaseConfig().Transport.BandwidthLimitMode != "" {
-		t.Fatalf("bandwidthLimitMode was persisted with runtime default: %q", got.GetBaseConfig().Transport.BandwidthLimitMode)
-	}
-}
--- a/client/configmgmt/types.go
+++ b/client/configmgmt/types.go
@@ -1,42 +0,0 @@
-package configmgmt
-
-import (
-	"errors"
-	"time"
-
-	"github.com/fatedier/frp/client/proxy"
-	v1 "github.com/fatedier/frp/pkg/config/v1"
-)
-
-var (
-	ErrInvalidArgument = errors.New("invalid argument")
-	ErrNotFound        = errors.New("not found")
-	ErrConflict        = errors.New("conflict")
-	ErrStoreDisabled   = errors.New("store disabled")
-	ErrApplyConfig     = errors.New("apply config failed")
-)
-
-type ConfigManager interface {
-	ReloadFromFile(strict bool) error
-
-	ReadConfigFile() (string, error)
-	WriteConfigFile(content []byte) error
-
-	GetProxyStatus() []*proxy.WorkingStatus
-	IsStoreProxyEnabled(name string) bool
-	StoreEnabled() bool
-
-	ListStoreProxies() ([]v1.ProxyConfigurer, error)
-	GetStoreProxy(name string) (v1.ProxyConfigurer, error)
-	CreateStoreProxy(cfg v1.ProxyConfigurer) (v1.ProxyConfigurer, error)
-	UpdateStoreProxy(name string, cfg v1.ProxyConfigurer) (v1.ProxyConfigurer, error)
-	DeleteStoreProxy(name string) error
-
-	ListStoreVisitors() ([]v1.VisitorConfigurer, error)
-	GetStoreVisitor(name string) (v1.VisitorConfigurer, error)
-	CreateStoreVisitor(cfg v1.VisitorConfigurer) (v1.VisitorConfigurer, error)
-	UpdateStoreVisitor(name string, cfg v1.VisitorConfigurer) (v1.VisitorConfigurer, error)
-	DeleteStoreVisitor(name string) error
-
-	GracefulClose(d time.Duration)
-}
--- a/client/control.go
+++ b/client/control.go
@@ -16,7 +16,9 @@ package client

 import (
 	"context"
+	"fmt"
 	"net"
+	"strings"
 	"sync/atomic"
 	"time"

@@ -25,7 +27,6 @@ import (
 	"github.com/fatedier/frp/pkg/auth"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/msg"
-	"github.com/fatedier/frp/pkg/naming"
 	"github.com/fatedier/frp/pkg/transport"
 	netpkg "github.com/fatedier/frp/pkg/util/net"
 	"github.com/fatedier/frp/pkg/util/wait"
@@ -157,8 +158,6 @@ func (ctl *Control) handleReqWorkConn(_ msg.Message) {
 		return
 	}

-	startMsg.ProxyName = naming.StripUserPrefix(ctl.sessionCtx.Common.User, startMsg.ProxyName)
-
 	// dispatch this work connection to related proxy
 	ctl.pm.HandleWorkConn(startMsg.ProxyName, workConn, &startMsg)
 }
@@ -168,12 +167,46 @@ func (ctl *Control) handleNewProxyResp(m msg.Message) {
 	inMsg := m.(*msg.NewProxyResp)
 	// Server will return NewProxyResp message to each NewProxy message.
 	// Start a new proxy handler if no error got
-	proxyName := naming.StripUserPrefix(ctl.sessionCtx.Common.User, inMsg.ProxyName)
-	err := ctl.pm.StartProxy(proxyName, inMsg.RemoteAddr, inMsg.Error)
+	err := ctl.pm.StartProxy(inMsg.ProxyName, inMsg.RemoteAddr, inMsg.Error)
 	if err != nil {
-		xl.Warnf("[%s] start error: %v", proxyName, err)
+		xl.Warnf("[%s] 启动失败: %v", inMsg.ProxyName, err)
 	} else {
-		xl.Infof("[%s] start proxy success", proxyName)
+		xl.Infof("[%s] 成功启动隧道", inMsg.ProxyName)
+		if inMsg.RemoteAddr != "" {
+			// Get proxy type to format access message
+			if status, ok := ctl.pm.GetProxyStatus(inMsg.ProxyName); ok {
+				proxyType := status.Type
+				remoteAddr := inMsg.RemoteAddr
+				var accessMsg string
+
+				switch proxyType {
+				case "tcp", "udp", "stcp", "xtcp", "sudp", "tcpmux":
+					// If remoteAddr only contains port (e.g., ":8080"), prepend server address
+					if strings.HasPrefix(remoteAddr, ":") {
+						serverAddr := ctl.sessionCtx.Common.ServerAddr
+						remoteAddr = serverAddr + remoteAddr
+					}
+					accessMsg = fmt.Sprintf("您可通过 %s 访问您的服务", remoteAddr)
+				case "http", "https":
+					// Format as URL with protocol
+					protocol := proxyType
+					addr := remoteAddr
+					// Remove standard ports for cleaner URL
+					if proxyType == "http" && strings.HasSuffix(addr, ":80") {
+						addr = strings.TrimSuffix(addr, ":80")
+					} else if proxyType == "https" && strings.HasSuffix(addr, ":443") {
+						addr = strings.TrimSuffix(addr, ":443")
+					}
+					accessMsg = fmt.Sprintf("您可通过 %s://%s 访问您的服务", protocol, addr)
+				default:
+					accessMsg = fmt.Sprintf("您可通过 %s 访问您的服务", remoteAddr)
+				}
+
+				xl.Infof("[%s] %s", inMsg.ProxyName, accessMsg)
+			} else {
+				xl.Infof("[%s] 您可通过 %s 访问您的服务", inMsg.ProxyName, inMsg.RemoteAddr)
+			}
+		}
 	}
 }

--- a/client/http/controller.go
+++ b/client/http/controller.go
@@ -1,395 +0,0 @@
-// Copyright 2025 The frp Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package http
-
-import (
-	"cmp"
-	"errors"
-	"fmt"
-	"net"
-	"net/http"
-	"slices"
-	"strconv"
-	"time"
-
-	"github.com/fatedier/frp/client/configmgmt"
-	"github.com/fatedier/frp/client/http/model"
-	"github.com/fatedier/frp/client/proxy"
-	httppkg "github.com/fatedier/frp/pkg/util/http"
-	"github.com/fatedier/frp/pkg/util/jsonx"
-)
-
-// Controller handles HTTP API requests for frpc.
-type Controller struct {
-	serverAddr string
-	manager    configmgmt.ConfigManager
-}
-
-// ControllerParams contains parameters for creating an APIController.
-type ControllerParams struct {
-	ServerAddr string
-	Manager    configmgmt.ConfigManager
-}
-
-func NewController(params ControllerParams) *Controller {
-	return &Controller{
-		serverAddr: params.ServerAddr,
-		manager:    params.Manager,
-	}
-}
-
-func (c *Controller) toHTTPError(err error) error {
-	if err == nil {
-		return nil
-	}
-
-	code := http.StatusInternalServerError
-	switch {
-	case errors.Is(err, configmgmt.ErrInvalidArgument):
-		code = http.StatusBadRequest
-	case errors.Is(err, configmgmt.ErrNotFound), errors.Is(err, configmgmt.ErrStoreDisabled):
-		code = http.StatusNotFound
-	case errors.Is(err, configmgmt.ErrConflict):
-		code = http.StatusConflict
-	}
-	return httppkg.NewError(code, err.Error())
-}
-
-// Reload handles GET /api/reload
-func (c *Controller) Reload(ctx *httppkg.Context) (any, error) {
-	strictConfigMode := false
-	strictStr := ctx.Query("strictConfig")
-	if strictStr != "" {
-		strictConfigMode, _ = strconv.ParseBool(strictStr)
-	}
-
-	if err := c.manager.ReloadFromFile(strictConfigMode); err != nil {
-		return nil, c.toHTTPError(err)
-	}
-	return nil, nil
-}
-
-// Stop handles POST /api/stop
-func (c *Controller) Stop(ctx *httppkg.Context) (any, error) {
-	go c.manager.GracefulClose(100 * time.Millisecond)
-	return nil, nil
-}
-
-// Status handles GET /api/status
-func (c *Controller) Status(ctx *httppkg.Context) (any, error) {
-	res := make(model.StatusResp)
-	ps := c.manager.GetProxyStatus()
-	if ps == nil {
-		return res, nil
-	}
-
-	for _, status := range ps {
-		res[status.Type] = append(res[status.Type], c.buildProxyStatusResp(status))
-	}
-
-	for _, arrs := range res {
-		if len(arrs) <= 1 {
-			continue
-		}
-		slices.SortFunc(arrs, func(a, b model.ProxyStatusResp) int {
-			return cmp.Compare(a.Name, b.Name)
-		})
-	}
-	return res, nil
-}
-
-// GetConfig handles GET /api/config
-func (c *Controller) GetConfig(ctx *httppkg.Context) (any, error) {
-	content, err := c.manager.ReadConfigFile()
-	if err != nil {
-		return nil, c.toHTTPError(err)
-	}
-	return content, nil
-}
-
-// PutConfig handles PUT /api/config
-func (c *Controller) PutConfig(ctx *httppkg.Context) (any, error) {
-	body, err := ctx.Body()
-	if err != nil {
-		return nil, httppkg.NewError(http.StatusBadRequest, fmt.Sprintf("read request body error: %v", err))
-	}
-
-	if len(body) == 0 {
-		return nil, httppkg.NewError(http.StatusBadRequest, "body can't be empty")
-	}
-
-	if err := c.manager.WriteConfigFile(body); err != nil {
-		return nil, c.toHTTPError(err)
-	}
-	return nil, nil
-}
-
-func (c *Controller) buildProxyStatusResp(status *proxy.WorkingStatus) model.ProxyStatusResp {
-	psr := model.ProxyStatusResp{
-		Name:   status.Name,
-		Type:   status.Type,
-		Status: status.Phase,
-		Err:    status.Err,
-	}
-	baseCfg := status.Cfg.GetBaseConfig()
-	if baseCfg.LocalPort != 0 {
-		psr.LocalAddr = net.JoinHostPort(baseCfg.LocalIP, strconv.Itoa(baseCfg.LocalPort))
-	}
-	psr.Plugin = baseCfg.Plugin.Type
-
-	if status.Err == "" {
-		psr.RemoteAddr = status.RemoteAddr
-		if slices.Contains([]string{"tcp", "udp"}, status.Type) {
-			psr.RemoteAddr = c.serverAddr + psr.RemoteAddr
-		}
-	}
-
-	if c.manager.IsStoreProxyEnabled(status.Name) {
-		psr.Source = model.SourceStore
-	}
-	return psr
-}
-
-func (c *Controller) ListStoreProxies(ctx *httppkg.Context) (any, error) {
-	proxies, err := c.manager.ListStoreProxies()
-	if err != nil {
-		return nil, c.toHTTPError(err)
-	}
-
-	resp := model.ProxyListResp{Proxies: make([]model.ProxyDefinition, 0, len(proxies))}
-	for _, p := range proxies {
-		payload, err := model.ProxyDefinitionFromConfigurer(p)
-		if err != nil {
-			return nil, httppkg.NewError(http.StatusInternalServerError, err.Error())
-		}
-		resp.Proxies = append(resp.Proxies, payload)
-	}
-	slices.SortFunc(resp.Proxies, func(a, b model.ProxyDefinition) int {
-		return cmp.Compare(a.Name, b.Name)
-	})
-	return resp, nil
-}
-
-func (c *Controller) GetStoreProxy(ctx *httppkg.Context) (any, error) {
-	name := ctx.Param("name")
-	if name == "" {
-		return nil, httppkg.NewError(http.StatusBadRequest, "proxy name is required")
-	}
-
-	p, err := c.manager.GetStoreProxy(name)
-	if err != nil {
-		return nil, c.toHTTPError(err)
-	}
-
-	payload, err := model.ProxyDefinitionFromConfigurer(p)
-	if err != nil {
-		return nil, httppkg.NewError(http.StatusInternalServerError, err.Error())
-	}
-
-	return payload, nil
-}
-
-func (c *Controller) CreateStoreProxy(ctx *httppkg.Context) (any, error) {
-	body, err := ctx.Body()
-	if err != nil {
-		return nil, httppkg.NewError(http.StatusBadRequest, fmt.Sprintf("read body error: %v", err))
-	}
-
-	var payload model.ProxyDefinition
-	if err := jsonx.Unmarshal(body, &payload); err != nil {
-		return nil, httppkg.NewError(http.StatusBadRequest, fmt.Sprintf("parse JSON error: %v", err))
-	}
-
-	if err := payload.Validate("", false); err != nil {
-		return nil, httppkg.NewError(http.StatusBadRequest, err.Error())
-	}
-	cfg, err := payload.ToConfigurer()
-	if err != nil {
-		return nil, httppkg.NewError(http.StatusBadRequest, err.Error())
-	}
-	created, err := c.manager.CreateStoreProxy(cfg)
-	if err != nil {
-		return nil, c.toHTTPError(err)
-	}
-
-	resp, err := model.ProxyDefinitionFromConfigurer(created)
-	if err != nil {
-		return nil, httppkg.NewError(http.StatusInternalServerError, err.Error())
-	}
-	return resp, nil
-}
-
-func (c *Controller) UpdateStoreProxy(ctx *httppkg.Context) (any, error) {
-	name := ctx.Param("name")
-	if name == "" {
-		return nil, httppkg.NewError(http.StatusBadRequest, "proxy name is required")
-	}
-
-	body, err := ctx.Body()
-	if err != nil {
-		return nil, httppkg.NewError(http.StatusBadRequest, fmt.Sprintf("read body error: %v", err))
-	}
-
-	var payload model.ProxyDefinition
-	if err := jsonx.Unmarshal(body, &payload); err != nil {
-		return nil, httppkg.NewError(http.StatusBadRequest, fmt.Sprintf("parse JSON error: %v", err))
-	}
-
-	if err := payload.Validate(name, true); err != nil {
-		return nil, httppkg.NewError(http.StatusBadRequest, err.Error())
-	}
-	cfg, err := payload.ToConfigurer()
-	if err != nil {
-		return nil, httppkg.NewError(http.StatusBadRequest, err.Error())
-	}
-	updated, err := c.manager.UpdateStoreProxy(name, cfg)
-	if err != nil {
-		return nil, c.toHTTPError(err)
-	}
-
-	resp, err := model.ProxyDefinitionFromConfigurer(updated)
-	if err != nil {
-		return nil, httppkg.NewError(http.StatusInternalServerError, err.Error())
-	}
-	return resp, nil
-}
-
-func (c *Controller) DeleteStoreProxy(ctx *httppkg.Context) (any, error) {
-	name := ctx.Param("name")
-	if name == "" {
-		return nil, httppkg.NewError(http.StatusBadRequest, "proxy name is required")
-	}
-
-	if err := c.manager.DeleteStoreProxy(name); err != nil {
-		return nil, c.toHTTPError(err)
-	}
-	return nil, nil
-}
-
-func (c *Controller) ListStoreVisitors(ctx *httppkg.Context) (any, error) {
-	visitors, err := c.manager.ListStoreVisitors()
-	if err != nil {
-		return nil, c.toHTTPError(err)
-	}
-
-	resp := model.VisitorListResp{Visitors: make([]model.VisitorDefinition, 0, len(visitors))}
-	for _, v := range visitors {
-		payload, err := model.VisitorDefinitionFromConfigurer(v)
-		if err != nil {
-			return nil, httppkg.NewError(http.StatusInternalServerError, err.Error())
-		}
-		resp.Visitors = append(resp.Visitors, payload)
-	}
-	slices.SortFunc(resp.Visitors, func(a, b model.VisitorDefinition) int {
-		return cmp.Compare(a.Name, b.Name)
-	})
-	return resp, nil
-}
-
-func (c *Controller) GetStoreVisitor(ctx *httppkg.Context) (any, error) {
-	name := ctx.Param("name")
-	if name == "" {
-		return nil, httppkg.NewError(http.StatusBadRequest, "visitor name is required")
-	}
-
-	v, err := c.manager.GetStoreVisitor(name)
-	if err != nil {
-		return nil, c.toHTTPError(err)
-	}
-
-	payload, err := model.VisitorDefinitionFromConfigurer(v)
-	if err != nil {
-		return nil, httppkg.NewError(http.StatusInternalServerError, err.Error())
-	}
-
-	return payload, nil
-}
-
-func (c *Controller) CreateStoreVisitor(ctx *httppkg.Context) (any, error) {
-	body, err := ctx.Body()
-	if err != nil {
-		return nil, httppkg.NewError(http.StatusBadRequest, fmt.Sprintf("read body error: %v", err))
-	}
-
-	var payload model.VisitorDefinition
-	if err := jsonx.Unmarshal(body, &payload); err != nil {
-		return nil, httppkg.NewError(http.StatusBadRequest, fmt.Sprintf("parse JSON error: %v", err))
-	}
-
-	if err := payload.Validate("", false); err != nil {
-		return nil, httppkg.NewError(http.StatusBadRequest, err.Error())
-	}
-	cfg, err := payload.ToConfigurer()
-	if err != nil {
-		return nil, httppkg.NewError(http.StatusBadRequest, err.Error())
-	}
-	created, err := c.manager.CreateStoreVisitor(cfg)
-	if err != nil {
-		return nil, c.toHTTPError(err)
-	}
-
-	resp, err := model.VisitorDefinitionFromConfigurer(created)
-	if err != nil {
-		return nil, httppkg.NewError(http.StatusInternalServerError, err.Error())
-	}
-	return resp, nil
-}
-
-func (c *Controller) UpdateStoreVisitor(ctx *httppkg.Context) (any, error) {
-	name := ctx.Param("name")
-	if name == "" {
-		return nil, httppkg.NewError(http.StatusBadRequest, "visitor name is required")
-	}
-
-	body, err := ctx.Body()
-	if err != nil {
-		return nil, httppkg.NewError(http.StatusBadRequest, fmt.Sprintf("read body error: %v", err))
-	}
-
-	var payload model.VisitorDefinition
-	if err := jsonx.Unmarshal(body, &payload); err != nil {
-		return nil, httppkg.NewError(http.StatusBadRequest, fmt.Sprintf("parse JSON error: %v", err))
-	}
-
-	if err := payload.Validate(name, true); err != nil {
-		return nil, httppkg.NewError(http.StatusBadRequest, err.Error())
-	}
-	cfg, err := payload.ToConfigurer()
-	if err != nil {
-		return nil, httppkg.NewError(http.StatusBadRequest, err.Error())
-	}
-	updated, err := c.manager.UpdateStoreVisitor(name, cfg)
-	if err != nil {
-		return nil, c.toHTTPError(err)
-	}
-
-	resp, err := model.VisitorDefinitionFromConfigurer(updated)
-	if err != nil {
-		return nil, httppkg.NewError(http.StatusInternalServerError, err.Error())
-	}
-	return resp, nil
-}
-
-func (c *Controller) DeleteStoreVisitor(ctx *httppkg.Context) (any, error) {
-	name := ctx.Param("name")
-	if name == "" {
-		return nil, httppkg.NewError(http.StatusBadRequest, "visitor name is required")
-	}
-
-	if err := c.manager.DeleteStoreVisitor(name); err != nil {
-		return nil, c.toHTTPError(err)
-	}
-	return nil, nil
-}
--- a/client/http/controller_test.go
+++ b/client/http/controller_test.go
@@ -1,531 +0,0 @@
-package http
-
-import (
-	"bytes"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-	"time"
-
-	"github.com/gorilla/mux"
-
-	"github.com/fatedier/frp/client/configmgmt"
-	"github.com/fatedier/frp/client/http/model"
-	"github.com/fatedier/frp/client/proxy"
-	v1 "github.com/fatedier/frp/pkg/config/v1"
-	httppkg "github.com/fatedier/frp/pkg/util/http"
-)
-
-type fakeConfigManager struct {
-	reloadFromFileFn      func(strict bool) error
-	readConfigFileFn      func() (string, error)
-	writeConfigFileFn     func(content []byte) error
-	getProxyStatusFn      func() []*proxy.WorkingStatus
-	isStoreProxyEnabledFn func(name string) bool
-	storeEnabledFn        func() bool
-
-	listStoreProxiesFn  func() ([]v1.ProxyConfigurer, error)
-	getStoreProxyFn     func(name string) (v1.ProxyConfigurer, error)
-	createStoreProxyFn  func(cfg v1.ProxyConfigurer) (v1.ProxyConfigurer, error)
-	updateStoreProxyFn  func(name string, cfg v1.ProxyConfigurer) (v1.ProxyConfigurer, error)
-	deleteStoreProxyFn  func(name string) error
-	listStoreVisitorsFn func() ([]v1.VisitorConfigurer, error)
-	getStoreVisitorFn   func(name string) (v1.VisitorConfigurer, error)
-	createStoreVisitFn  func(cfg v1.VisitorConfigurer) (v1.VisitorConfigurer, error)
-	updateStoreVisitFn  func(name string, cfg v1.VisitorConfigurer) (v1.VisitorConfigurer, error)
-	deleteStoreVisitFn  func(name string) error
-	gracefulCloseFn     func(d time.Duration)
-}
-
-func (m *fakeConfigManager) ReloadFromFile(strict bool) error {
-	if m.reloadFromFileFn != nil {
-		return m.reloadFromFileFn(strict)
-	}
-	return nil
-}
-
-func (m *fakeConfigManager) ReadConfigFile() (string, error) {
-	if m.readConfigFileFn != nil {
-		return m.readConfigFileFn()
-	}
-	return "", nil
-}
-
-func (m *fakeConfigManager) WriteConfigFile(content []byte) error {
-	if m.writeConfigFileFn != nil {
-		return m.writeConfigFileFn(content)
-	}
-	return nil
-}
-
-func (m *fakeConfigManager) GetProxyStatus() []*proxy.WorkingStatus {
-	if m.getProxyStatusFn != nil {
-		return m.getProxyStatusFn()
-	}
-	return nil
-}
-
-func (m *fakeConfigManager) IsStoreProxyEnabled(name string) bool {
-	if m.isStoreProxyEnabledFn != nil {
-		return m.isStoreProxyEnabledFn(name)
-	}
-	return false
-}
-
-func (m *fakeConfigManager) StoreEnabled() bool {
-	if m.storeEnabledFn != nil {
-		return m.storeEnabledFn()
-	}
-	return false
-}
-
-func (m *fakeConfigManager) ListStoreProxies() ([]v1.ProxyConfigurer, error) {
-	if m.listStoreProxiesFn != nil {
-		return m.listStoreProxiesFn()
-	}
-	return nil, nil
-}
-
-func (m *fakeConfigManager) GetStoreProxy(name string) (v1.ProxyConfigurer, error) {
-	if m.getStoreProxyFn != nil {
-		return m.getStoreProxyFn(name)
-	}
-	return nil, nil
-}
-
-func (m *fakeConfigManager) CreateStoreProxy(cfg v1.ProxyConfigurer) (v1.ProxyConfigurer, error) {
-	if m.createStoreProxyFn != nil {
-		return m.createStoreProxyFn(cfg)
-	}
-	return cfg, nil
-}
-
-func (m *fakeConfigManager) UpdateStoreProxy(name string, cfg v1.ProxyConfigurer) (v1.ProxyConfigurer, error) {
-	if m.updateStoreProxyFn != nil {
-		return m.updateStoreProxyFn(name, cfg)
-	}
-	return cfg, nil
-}
-
-func (m *fakeConfigManager) DeleteStoreProxy(name string) error {
-	if m.deleteStoreProxyFn != nil {
-		return m.deleteStoreProxyFn(name)
-	}
-	return nil
-}
-
-func (m *fakeConfigManager) ListStoreVisitors() ([]v1.VisitorConfigurer, error) {
-	if m.listStoreVisitorsFn != nil {
-		return m.listStoreVisitorsFn()
-	}
-	return nil, nil
-}
-
-func (m *fakeConfigManager) GetStoreVisitor(name string) (v1.VisitorConfigurer, error) {
-	if m.getStoreVisitorFn != nil {
-		return m.getStoreVisitorFn(name)
-	}
-	return nil, nil
-}
-
-func (m *fakeConfigManager) CreateStoreVisitor(cfg v1.VisitorConfigurer) (v1.VisitorConfigurer, error) {
-	if m.createStoreVisitFn != nil {
-		return m.createStoreVisitFn(cfg)
-	}
-	return cfg, nil
-}
-
-func (m *fakeConfigManager) UpdateStoreVisitor(name string, cfg v1.VisitorConfigurer) (v1.VisitorConfigurer, error) {
-	if m.updateStoreVisitFn != nil {
-		return m.updateStoreVisitFn(name, cfg)
-	}
-	return cfg, nil
-}
-
-func (m *fakeConfigManager) DeleteStoreVisitor(name string) error {
-	if m.deleteStoreVisitFn != nil {
-		return m.deleteStoreVisitFn(name)
-	}
-	return nil
-}
-
-func (m *fakeConfigManager) GracefulClose(d time.Duration) {
-	if m.gracefulCloseFn != nil {
-		m.gracefulCloseFn(d)
-	}
-}
-
-func newRawTCPProxyConfig(name string) *v1.TCPProxyConfig {
-	return &v1.TCPProxyConfig{
-		ProxyBaseConfig: v1.ProxyBaseConfig{
-			Name: name,
-			Type: "tcp",
-			ProxyBackend: v1.ProxyBackend{
-				LocalPort: 10080,
-			},
-		},
-	}
-}
-
-func TestBuildProxyStatusRespStoreSourceEnabled(t *testing.T) {
-	status := &proxy.WorkingStatus{
-		Name:       "shared-proxy",
-		Type:       "tcp",
-		Phase:      proxy.ProxyPhaseRunning,
-		RemoteAddr: ":8080",
-		Cfg:        newRawTCPProxyConfig("shared-proxy"),
-	}
-
-	controller := &Controller{
-		serverAddr: "127.0.0.1",
-		manager: &fakeConfigManager{
-			isStoreProxyEnabledFn: func(name string) bool {
-				return name == "shared-proxy"
-			},
-		},
-	}
-
-	resp := controller.buildProxyStatusResp(status)
-	if resp.Source != "store" {
-		t.Fatalf("unexpected source: %q", resp.Source)
-	}
-	if resp.RemoteAddr != "127.0.0.1:8080" {
-		t.Fatalf("unexpected remote addr: %q", resp.RemoteAddr)
-	}
-}
-
-func TestReloadErrorMapping(t *testing.T) {
-	tests := []struct {
-		name         string
-		err          error
-		expectedCode int
-	}{
-		{name: "invalid arg", err: fmtError(configmgmt.ErrInvalidArgument, "bad cfg"), expectedCode: http.StatusBadRequest},
-		{name: "apply fail", err: fmtError(configmgmt.ErrApplyConfig, "reload failed"), expectedCode: http.StatusInternalServerError},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			controller := &Controller{
-				manager: &fakeConfigManager{reloadFromFileFn: func(bool) error { return tc.err }},
-			}
-			ctx := httppkg.NewContext(httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, "/api/reload", nil))
-			_, err := controller.Reload(ctx)
-			if err == nil {
-				t.Fatal("expected error")
-			}
-			assertHTTPCode(t, err, tc.expectedCode)
-		})
-	}
-}
-
-func TestStoreProxyErrorMapping(t *testing.T) {
-	tests := []struct {
-		name         string
-		err          error
-		expectedCode int
-	}{
-		{name: "not found", err: fmtError(configmgmt.ErrNotFound, "not found"), expectedCode: http.StatusNotFound},
-		{name: "conflict", err: fmtError(configmgmt.ErrConflict, "exists"), expectedCode: http.StatusConflict},
-		{name: "internal", err: errors.New("persist failed"), expectedCode: http.StatusInternalServerError},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			body := []byte(`{"name":"shared-proxy","type":"tcp","tcp":{"localPort":10080}}`)
-			req := httptest.NewRequest(http.MethodPut, "/api/store/proxies/shared-proxy", bytes.NewReader(body))
-			req = mux.SetURLVars(req, map[string]string{"name": "shared-proxy"})
-			ctx := httppkg.NewContext(httptest.NewRecorder(), req)
-
-			controller := &Controller{
-				manager: &fakeConfigManager{
-					updateStoreProxyFn: func(_ string, _ v1.ProxyConfigurer) (v1.ProxyConfigurer, error) {
-						return nil, tc.err
-					},
-				},
-			}
-
-			_, err := controller.UpdateStoreProxy(ctx)
-			if err == nil {
-				t.Fatal("expected error")
-			}
-			assertHTTPCode(t, err, tc.expectedCode)
-		})
-	}
-}
-
-func TestStoreVisitorErrorMapping(t *testing.T) {
-	body := []byte(`{"name":"shared-visitor","type":"xtcp","xtcp":{"serverName":"server","bindPort":10081,"secretKey":"secret"}}`)
-	req := httptest.NewRequest(http.MethodDelete, "/api/store/visitors/shared-visitor", bytes.NewReader(body))
-	req = mux.SetURLVars(req, map[string]string{"name": "shared-visitor"})
-	ctx := httppkg.NewContext(httptest.NewRecorder(), req)
-
-	controller := &Controller{
-		manager: &fakeConfigManager{
-			deleteStoreVisitFn: func(string) error {
-				return fmtError(configmgmt.ErrStoreDisabled, "disabled")
-			},
-		},
-	}
-
-	_, err := controller.DeleteStoreVisitor(ctx)
-	if err == nil {
-		t.Fatal("expected error")
-	}
-	assertHTTPCode(t, err, http.StatusNotFound)
-}
-
-func TestCreateStoreProxyIgnoresUnknownFields(t *testing.T) {
-	var gotName string
-	controller := &Controller{
-		manager: &fakeConfigManager{
-			createStoreProxyFn: func(cfg v1.ProxyConfigurer) (v1.ProxyConfigurer, error) {
-				gotName = cfg.GetBaseConfig().Name
-				return cfg, nil
-			},
-		},
-	}
-
-	body := []byte(`{"name":"raw-proxy","type":"tcp","unexpected":"value","tcp":{"localPort":10080,"unknownInBlock":"value"}}`)
-	req := httptest.NewRequest(http.MethodPost, "/api/store/proxies", bytes.NewReader(body))
-	ctx := httppkg.NewContext(httptest.NewRecorder(), req)
-
-	resp, err := controller.CreateStoreProxy(ctx)
-	if err != nil {
-		t.Fatalf("create store proxy: %v", err)
-	}
-	if gotName != "raw-proxy" {
-		t.Fatalf("unexpected proxy name: %q", gotName)
-	}
-
-	payload, ok := resp.(model.ProxyDefinition)
-	if !ok {
-		t.Fatalf("unexpected response type: %T", resp)
-	}
-	if payload.Type != "tcp" || payload.TCP == nil {
-		t.Fatalf("unexpected payload: %#v", payload)
-	}
-}
-
-func TestCreateStoreVisitorIgnoresUnknownFields(t *testing.T) {
-	var gotName string
-	controller := &Controller{
-		manager: &fakeConfigManager{
-			createStoreVisitFn: func(cfg v1.VisitorConfigurer) (v1.VisitorConfigurer, error) {
-				gotName = cfg.GetBaseConfig().Name
-				return cfg, nil
-			},
-		},
-	}
-
-	body := []byte(`{
-			"name":"raw-visitor","type":"xtcp","unexpected":"value",
-			"xtcp":{"serverName":"server","bindPort":10081,"secretKey":"secret","unknownInBlock":"value"}
-		}`)
-	req := httptest.NewRequest(http.MethodPost, "/api/store/visitors", bytes.NewReader(body))
-	ctx := httppkg.NewContext(httptest.NewRecorder(), req)
-
-	resp, err := controller.CreateStoreVisitor(ctx)
-	if err != nil {
-		t.Fatalf("create store visitor: %v", err)
-	}
-	if gotName != "raw-visitor" {
-		t.Fatalf("unexpected visitor name: %q", gotName)
-	}
-
-	payload, ok := resp.(model.VisitorDefinition)
-	if !ok {
-		t.Fatalf("unexpected response type: %T", resp)
-	}
-	if payload.Type != "xtcp" || payload.XTCP == nil {
-		t.Fatalf("unexpected payload: %#v", payload)
-	}
-}
-
-func TestCreateStoreProxyPluginUnknownFieldsAreIgnored(t *testing.T) {
-	var gotPluginType string
-	controller := &Controller{
-		manager: &fakeConfigManager{
-			createStoreProxyFn: func(cfg v1.ProxyConfigurer) (v1.ProxyConfigurer, error) {
-				gotPluginType = cfg.GetBaseConfig().Plugin.Type
-				return cfg, nil
-			},
-		},
-	}
-
-	body := []byte(`{"name":"plugin-proxy","type":"tcp","tcp":{"plugin":{"type":"http2https","localAddr":"127.0.0.1:8080","unknownInPlugin":"value"}}}`)
-	req := httptest.NewRequest(http.MethodPost, "/api/store/proxies", bytes.NewReader(body))
-	ctx := httppkg.NewContext(httptest.NewRecorder(), req)
-
-	resp, err := controller.CreateStoreProxy(ctx)
-	if err != nil {
-		t.Fatalf("create store proxy: %v", err)
-	}
-	if gotPluginType != "http2https" {
-		t.Fatalf("unexpected plugin type: %q", gotPluginType)
-	}
-	payload, ok := resp.(model.ProxyDefinition)
-	if !ok {
-		t.Fatalf("unexpected response type: %T", resp)
-	}
-	if payload.TCP == nil {
-		t.Fatalf("unexpected response payload: %#v", payload)
-	}
-	pluginType := payload.TCP.Plugin.Type
-
-	if pluginType != "http2https" {
-		t.Fatalf("unexpected plugin type in response payload: %q", pluginType)
-	}
-}
-
-func TestCreateStoreVisitorPluginUnknownFieldsAreIgnored(t *testing.T) {
-	var gotPluginType string
-	controller := &Controller{
-		manager: &fakeConfigManager{
-			createStoreVisitFn: func(cfg v1.VisitorConfigurer) (v1.VisitorConfigurer, error) {
-				gotPluginType = cfg.GetBaseConfig().Plugin.Type
-				return cfg, nil
-			},
-		},
-	}
-
-	body := []byte(`{
-			"name":"plugin-visitor","type":"stcp",
-			"stcp":{"serverName":"server","bindPort":10081,"plugin":{"type":"virtual_net","destinationIP":"10.0.0.1","unknownInPlugin":"value"}}
-		}`)
-	req := httptest.NewRequest(http.MethodPost, "/api/store/visitors", bytes.NewReader(body))
-	ctx := httppkg.NewContext(httptest.NewRecorder(), req)
-
-	resp, err := controller.CreateStoreVisitor(ctx)
-	if err != nil {
-		t.Fatalf("create store visitor: %v", err)
-	}
-	if gotPluginType != "virtual_net" {
-		t.Fatalf("unexpected plugin type: %q", gotPluginType)
-	}
-	payload, ok := resp.(model.VisitorDefinition)
-	if !ok {
-		t.Fatalf("unexpected response type: %T", resp)
-	}
-	if payload.STCP == nil {
-		t.Fatalf("unexpected response payload: %#v", payload)
-	}
-	pluginType := payload.STCP.Plugin.Type
-
-	if pluginType != "virtual_net" {
-		t.Fatalf("unexpected plugin type in response payload: %q", pluginType)
-	}
-}
-
-func TestUpdateStoreProxyRejectsMismatchedTypeBlock(t *testing.T) {
-	controller := &Controller{manager: &fakeConfigManager{}}
-	body := []byte(`{"name":"p1","type":"tcp","udp":{"localPort":10080}}`)
-	req := httptest.NewRequest(http.MethodPut, "/api/store/proxies/p1", bytes.NewReader(body))
-	req = mux.SetURLVars(req, map[string]string{"name": "p1"})
-	ctx := httppkg.NewContext(httptest.NewRecorder(), req)
-
-	_, err := controller.UpdateStoreProxy(ctx)
-	if err == nil {
-		t.Fatal("expected error")
-	}
-	assertHTTPCode(t, err, http.StatusBadRequest)
-}
-
-func TestUpdateStoreProxyRejectsNameMismatch(t *testing.T) {
-	controller := &Controller{manager: &fakeConfigManager{}}
-	body := []byte(`{"name":"p2","type":"tcp","tcp":{"localPort":10080}}`)
-	req := httptest.NewRequest(http.MethodPut, "/api/store/proxies/p1", bytes.NewReader(body))
-	req = mux.SetURLVars(req, map[string]string{"name": "p1"})
-	ctx := httppkg.NewContext(httptest.NewRecorder(), req)
-
-	_, err := controller.UpdateStoreProxy(ctx)
-	if err == nil {
-		t.Fatal("expected error")
-	}
-	assertHTTPCode(t, err, http.StatusBadRequest)
-}
-
-func TestListStoreProxiesReturnsSortedPayload(t *testing.T) {
-	controller := &Controller{
-		manager: &fakeConfigManager{
-			listStoreProxiesFn: func() ([]v1.ProxyConfigurer, error) {
-				b := newRawTCPProxyConfig("b")
-				a := newRawTCPProxyConfig("a")
-				return []v1.ProxyConfigurer{b, a}, nil
-			},
-		},
-	}
-	ctx := httppkg.NewContext(httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, "/api/store/proxies", nil))
-
-	resp, err := controller.ListStoreProxies(ctx)
-	if err != nil {
-		t.Fatalf("list store proxies: %v", err)
-	}
-	out, ok := resp.(model.ProxyListResp)
-	if !ok {
-		t.Fatalf("unexpected response type: %T", resp)
-	}
-	if len(out.Proxies) != 2 {
-		t.Fatalf("unexpected proxy count: %d", len(out.Proxies))
-	}
-	if out.Proxies[0].Name != "a" || out.Proxies[1].Name != "b" {
-		t.Fatalf("proxies are not sorted by name: %#v", out.Proxies)
-	}
-}
-
-func fmtError(sentinel error, msg string) error {
-	return fmt.Errorf("%w: %s", sentinel, msg)
-}
-
-func assertHTTPCode(t *testing.T, err error, expected int) {
-	t.Helper()
-	var httpErr *httppkg.Error
-	if !errors.As(err, &httpErr) {
-		t.Fatalf("unexpected error type: %T", err)
-	}
-	if httpErr.Code != expected {
-		t.Fatalf("unexpected status code: got %d, want %d", httpErr.Code, expected)
-	}
-}
-
-func TestUpdateStoreProxyReturnsTypedPayload(t *testing.T) {
-	controller := &Controller{
-		manager: &fakeConfigManager{
-			updateStoreProxyFn: func(_ string, cfg v1.ProxyConfigurer) (v1.ProxyConfigurer, error) {
-				return cfg, nil
-			},
-		},
-	}
-
-	body := map[string]any{
-		"name": "shared-proxy",
-		"type": "tcp",
-		"tcp": map[string]any{
-			"localPort":  10080,
-			"remotePort": 7000,
-		},
-	}
-	data, err := json.Marshal(body)
-	if err != nil {
-		t.Fatalf("marshal request: %v", err)
-	}
-
-	req := httptest.NewRequest(http.MethodPut, "/api/store/proxies/shared-proxy", bytes.NewReader(data))
-	req = mux.SetURLVars(req, map[string]string{"name": "shared-proxy"})
-	ctx := httppkg.NewContext(httptest.NewRecorder(), req)
-
-	resp, err := controller.UpdateStoreProxy(ctx)
-	if err != nil {
-		t.Fatalf("update store proxy: %v", err)
-	}
-	payload, ok := resp.(model.ProxyDefinition)
-	if !ok {
-		t.Fatalf("unexpected response type: %T", resp)
-	}
-	if payload.TCP == nil || payload.TCP.RemotePort != 7000 {
-		t.Fatalf("unexpected response payload: %#v", payload)
-	}
-}
--- a/client/http/model/proxy_definition.go
+++ b/client/http/model/proxy_definition.go
@@ -1,148 +0,0 @@
-package model
-
-import (
-	"fmt"
-	"strings"
-
-	v1 "github.com/fatedier/frp/pkg/config/v1"
-)
-
-type ProxyDefinition struct {
-	Name string `json:"name"`
-	Type string `json:"type"`
-
-	TCP    *v1.TCPProxyConfig    `json:"tcp,omitempty"`
-	UDP    *v1.UDPProxyConfig    `json:"udp,omitempty"`
-	HTTP   *v1.HTTPProxyConfig   `json:"http,omitempty"`
-	HTTPS  *v1.HTTPSProxyConfig  `json:"https,omitempty"`
-	TCPMux *v1.TCPMuxProxyConfig `json:"tcpmux,omitempty"`
-	STCP   *v1.STCPProxyConfig   `json:"stcp,omitempty"`
-	SUDP   *v1.SUDPProxyConfig   `json:"sudp,omitempty"`
-	XTCP   *v1.XTCPProxyConfig   `json:"xtcp,omitempty"`
-}
-
-func (p *ProxyDefinition) Validate(pathName string, isUpdate bool) error {
-	if strings.TrimSpace(p.Name) == "" {
-		return fmt.Errorf("proxy name is required")
-	}
-	if !IsProxyType(p.Type) {
-		return fmt.Errorf("invalid proxy type: %s", p.Type)
-	}
-	if isUpdate && pathName != "" && pathName != p.Name {
-		return fmt.Errorf("proxy name in URL must match name in body")
-	}
-
-	_, blockType, blockCount := p.activeBlock()
-	if blockCount != 1 {
-		return fmt.Errorf("exactly one proxy type block is required")
-	}
-	if blockType != p.Type {
-		return fmt.Errorf("proxy type block %q does not match type %q", blockType, p.Type)
-	}
-	return nil
-}
-
-func (p *ProxyDefinition) ToConfigurer() (v1.ProxyConfigurer, error) {
-	block, _, _ := p.activeBlock()
-	if block == nil {
-		return nil, fmt.Errorf("exactly one proxy type block is required")
-	}
-
-	cfg := block
-	cfg.GetBaseConfig().Name = p.Name
-	cfg.GetBaseConfig().Type = p.Type
-	return cfg, nil
-}
-
-func ProxyDefinitionFromConfigurer(cfg v1.ProxyConfigurer) (ProxyDefinition, error) {
-	if cfg == nil {
-		return ProxyDefinition{}, fmt.Errorf("proxy config is nil")
-	}
-
-	base := cfg.GetBaseConfig()
-	payload := ProxyDefinition{
-		Name: base.Name,
-		Type: base.Type,
-	}
-
-	switch c := cfg.(type) {
-	case *v1.TCPProxyConfig:
-		payload.TCP = c
-	case *v1.UDPProxyConfig:
-		payload.UDP = c
-	case *v1.HTTPProxyConfig:
-		payload.HTTP = c
-	case *v1.HTTPSProxyConfig:
-		payload.HTTPS = c
-	case *v1.TCPMuxProxyConfig:
-		payload.TCPMux = c
-	case *v1.STCPProxyConfig:
-		payload.STCP = c
-	case *v1.SUDPProxyConfig:
-		payload.SUDP = c
-	case *v1.XTCPProxyConfig:
-		payload.XTCP = c
-	default:
-		return ProxyDefinition{}, fmt.Errorf("unsupported proxy configurer type %T", cfg)
-	}
-
-	return payload, nil
-}
-
-func (p *ProxyDefinition) activeBlock() (v1.ProxyConfigurer, string, int) {
-	count := 0
-	var block v1.ProxyConfigurer
-	var blockType string
-
-	if p.TCP != nil {
-		count++
-		block = p.TCP
-		blockType = "tcp"
-	}
-	if p.UDP != nil {
-		count++
-		block = p.UDP
-		blockType = "udp"
-	}
-	if p.HTTP != nil {
-		count++
-		block = p.HTTP
-		blockType = "http"
-	}
-	if p.HTTPS != nil {
-		count++
-		block = p.HTTPS
-		blockType = "https"
-	}
-	if p.TCPMux != nil {
-		count++
-		block = p.TCPMux
-		blockType = "tcpmux"
-	}
-	if p.STCP != nil {
-		count++
-		block = p.STCP
-		blockType = "stcp"
-	}
-	if p.SUDP != nil {
-		count++
-		block = p.SUDP
-		blockType = "sudp"
-	}
-	if p.XTCP != nil {
-		count++
-		block = p.XTCP
-		blockType = "xtcp"
-	}
-
-	return block, blockType, count
-}
-
-func IsProxyType(typ string) bool {
-	switch typ {
-	case "tcp", "udp", "http", "https", "tcpmux", "stcp", "sudp", "xtcp":
-		return true
-	default:
-		return false
-	}
-}
--- a/client/http/model/visitor_definition.go
+++ b/client/http/model/visitor_definition.go
@@ -1,107 +0,0 @@
-package model
-
-import (
-	"fmt"
-	"strings"
-
-	v1 "github.com/fatedier/frp/pkg/config/v1"
-)
-
-type VisitorDefinition struct {
-	Name string `json:"name"`
-	Type string `json:"type"`
-
-	STCP *v1.STCPVisitorConfig `json:"stcp,omitempty"`
-	SUDP *v1.SUDPVisitorConfig `json:"sudp,omitempty"`
-	XTCP *v1.XTCPVisitorConfig `json:"xtcp,omitempty"`
-}
-
-func (p *VisitorDefinition) Validate(pathName string, isUpdate bool) error {
-	if strings.TrimSpace(p.Name) == "" {
-		return fmt.Errorf("visitor name is required")
-	}
-	if !IsVisitorType(p.Type) {
-		return fmt.Errorf("invalid visitor type: %s", p.Type)
-	}
-	if isUpdate && pathName != "" && pathName != p.Name {
-		return fmt.Errorf("visitor name in URL must match name in body")
-	}
-
-	_, blockType, blockCount := p.activeBlock()
-	if blockCount != 1 {
-		return fmt.Errorf("exactly one visitor type block is required")
-	}
-	if blockType != p.Type {
-		return fmt.Errorf("visitor type block %q does not match type %q", blockType, p.Type)
-	}
-	return nil
-}
-
-func (p *VisitorDefinition) ToConfigurer() (v1.VisitorConfigurer, error) {
-	block, _, _ := p.activeBlock()
-	if block == nil {
-		return nil, fmt.Errorf("exactly one visitor type block is required")
-	}
-
-	cfg := block
-	cfg.GetBaseConfig().Name = p.Name
-	cfg.GetBaseConfig().Type = p.Type
-	return cfg, nil
-}
-
-func VisitorDefinitionFromConfigurer(cfg v1.VisitorConfigurer) (VisitorDefinition, error) {
-	if cfg == nil {
-		return VisitorDefinition{}, fmt.Errorf("visitor config is nil")
-	}
-
-	base := cfg.GetBaseConfig()
-	payload := VisitorDefinition{
-		Name: base.Name,
-		Type: base.Type,
-	}
-
-	switch c := cfg.(type) {
-	case *v1.STCPVisitorConfig:
-		payload.STCP = c
-	case *v1.SUDPVisitorConfig:
-		payload.SUDP = c
-	case *v1.XTCPVisitorConfig:
-		payload.XTCP = c
-	default:
-		return VisitorDefinition{}, fmt.Errorf("unsupported visitor configurer type %T", cfg)
-	}
-
-	return payload, nil
-}
-
-func (p *VisitorDefinition) activeBlock() (v1.VisitorConfigurer, string, int) {
-	count := 0
-	var block v1.VisitorConfigurer
-	var blockType string
-
-	if p.STCP != nil {
-		count++
-		block = p.STCP
-		blockType = "stcp"
-	}
-	if p.SUDP != nil {
-		count++
-		block = p.SUDP
-		blockType = "sudp"
-	}
-	if p.XTCP != nil {
-		count++
-		block = p.XTCP
-		blockType = "xtcp"
-	}
-	return block, blockType, count
-}
-
-func IsVisitorType(typ string) bool {
-	switch typ {
-	case "stcp", "sudp", "xtcp":
-		return true
-	default:
-		return false
-	}
-}
--- a/client/proxy/proxy.go
+++ b/client/proxy/proxy.go
@@ -16,11 +16,12 @@ package proxy

 import (
 	"context"
-	"fmt"
 	"io"
 	"net"
 	"reflect"
+	"slices"
 	"strconv"
+	"strings"
 	"sync"
 	"time"

@@ -70,6 +71,7 @@ func NewProxy(

 	baseProxy := BaseProxy{
 		baseCfg:        pxyConf.GetBaseConfig(),
+		configurer:     pxyConf,
 		clientCfg:      clientCfg,
 		encryptionKey:  encryptionKey,
 		limiter:        limiter,
@@ -88,6 +90,7 @@ func NewProxy(

 type BaseProxy struct {
 	baseCfg        *v1.ProxyBaseConfig
+	configurer     v1.ProxyConfigurer
 	clientCfg      *v1.ClientCommonConfig
 	encryptionKey  []byte
 	msgTransporter transport.MessageTransporter
@@ -107,6 +110,7 @@ func (pxy *BaseProxy) Run() error {
 	if pxy.baseCfg.Plugin.Type != "" {
 		p, err := plugin.Create(pxy.baseCfg.Plugin.Type, plugin.PluginContext{
 			Name:           pxy.baseCfg.Name,
+			HostAllowList:  pxy.getPluginHostAllowList(),
 			VnetController: pxy.vnetController,
 		}, pxy.baseCfg.Plugin.ClientPluginOptions)
 		if err != nil {
@@ -117,39 +121,45 @@ func (pxy *BaseProxy) Run() error {
 	return nil
 }

+func (pxy *BaseProxy) getPluginHostAllowList() []string {
+	dedupHosts := make([]string, 0)
+	addHost := func(host string) {
+		host = strings.TrimSpace(strings.ToLower(host))
+		if host == "" {
+			return
+		}
+		// autocert.HostWhitelist only supports exact host names.
+		if strings.Contains(host, "*") {
+			return
+		}
+		if !slices.Contains(dedupHosts, host) {
+			dedupHosts = append(dedupHosts, host)
+		}
+	}
+
+	switch cfg := pxy.configurer.(type) {
+	case *v1.HTTPProxyConfig:
+		for _, host := range cfg.CustomDomains {
+			addHost(host)
+		}
+	case *v1.HTTPSProxyConfig:
+		for _, host := range cfg.CustomDomains {
+			addHost(host)
+		}
+	case *v1.TCPMuxProxyConfig:
+		for _, host := range cfg.CustomDomains {
+			addHost(host)
+		}
+	}
+	return dedupHosts
+}
+
 func (pxy *BaseProxy) Close() {
 	if pxy.proxyPlugin != nil {
 		pxy.proxyPlugin.Close()
 	}
 }

-// wrapWorkConn applies rate limiting, encryption, and compression
-// to a work connection based on the proxy's transport configuration.
-// The returned recycle function should be called when the stream is no longer in use
-// to return compression resources to the pool. It is safe to not call recycle,
-// in which case resources will be garbage collected normally.
-func (pxy *BaseProxy) wrapWorkConn(conn net.Conn, encKey []byte) (io.ReadWriteCloser, func(), error) {
-	var rwc io.ReadWriteCloser = conn
-	if pxy.limiter != nil {
-		rwc = libio.WrapReadWriteCloser(limit.NewReader(conn, pxy.limiter), limit.NewWriter(conn, pxy.limiter), func() error {
-			return conn.Close()
-		})
-	}
-	if pxy.baseCfg.Transport.UseEncryption {
-		var err error
-		rwc, err = libio.WithEncryption(rwc, encKey)
-		if err != nil {
-			conn.Close()
-			return nil, nil, fmt.Errorf("create encryption stream error: %w", err)
-		}
-	}
-	var recycleFn func()
-	if pxy.baseCfg.Transport.UseCompression {
-		rwc, recycleFn = libio.WithCompressionFromPool(rwc)
-	}
-	return rwc, recycleFn, nil
-}
-
 func (pxy *BaseProxy) SetInWorkConnCallback(cb func(*v1.ProxyBaseConfig, net.Conn, *msg.StartWorkConn) bool) {
 	pxy.inWorkConnCallback = cb
 }
@@ -167,14 +177,30 @@ func (pxy *BaseProxy) InWorkConn(conn net.Conn, m *msg.StartWorkConn) {
 func (pxy *BaseProxy) HandleTCPWorkConnection(workConn net.Conn, m *msg.StartWorkConn, encKey []byte) {
 	xl := pxy.xl
 	baseCfg := pxy.baseCfg
+	var (
+		remote io.ReadWriteCloser
+		err    error
+	)
+	remote = workConn
+	if pxy.limiter != nil {
+		remote = libio.WrapReadWriteCloser(limit.NewReader(workConn, pxy.limiter), limit.NewWriter(workConn, pxy.limiter), func() error {
+			return workConn.Close()
+		})
+	}

 	xl.Tracef("handle tcp work connection, useEncryption: %t, useCompression: %t",
 		baseCfg.Transport.UseEncryption, baseCfg.Transport.UseCompression)
-
-	remote, recycleFn, err := pxy.wrapWorkConn(workConn, encKey)
-	if err != nil {
-		xl.Errorf("wrap work connection: %v", err)
-		return
+	if baseCfg.Transport.UseEncryption {
+		remote, err = libio.WithEncryption(remote, encKey)
+		if err != nil {
+			workConn.Close()
+			xl.Errorf("create encryption stream error: %v", err)
+			return
+		}
+	}
+	var compressionResourceRecycleFn func()
+	if baseCfg.Transport.UseCompression {
+		remote, compressionResourceRecycleFn = libio.WithCompressionFromPool(remote)
 	}

 	// check if we need to send proxy protocol info
@@ -190,6 +216,7 @@ func (pxy *BaseProxy) HandleTCPWorkConnection(workConn net.Conn, m *msg.StartWor
 	}

 	if baseCfg.Transport.ProxyProtocolVersion != "" && m.SrcAddr != "" && m.SrcPort != 0 {
+		// Use the common proxy protocol builder function
 		header := netpkg.BuildProxyProtocolHeaderStruct(connInfo.SrcAddr, connInfo.DstAddr, baseCfg.Transport.ProxyProtocolVersion)
 		connInfo.ProxyProtocolHeader = header
 	}
@@ -198,18 +225,12 @@ func (pxy *BaseProxy) HandleTCPWorkConnection(workConn net.Conn, m *msg.StartWor

 	if pxy.proxyPlugin != nil {
 		// if plugin is set, let plugin handle connection first
-		// Don't recycle compression resources here because plugins may
-		// retain the connection after Handle returns.
 		xl.Debugf("handle by plugin: %s", pxy.proxyPlugin.Name())
 		pxy.proxyPlugin.Handle(pxy.ctx, &connInfo)
 		xl.Debugf("handle by plugin finished")
 		return
 	}

-	if recycleFn != nil {
-		defer recycleFn()
-	}
-
 	localConn, err := libnet.Dial(
 		net.JoinHostPort(baseCfg.LocalIP, strconv.Itoa(baseCfg.LocalPort)),
 		libnet.WithTimeout(10*time.Second),
@@ -226,7 +247,6 @@ func (pxy *BaseProxy) HandleTCPWorkConnection(workConn net.Conn, m *msg.StartWor
 	if connInfo.ProxyProtocolHeader != nil {
 		if _, err := connInfo.ProxyProtocolHeader.WriteTo(localConn); err != nil {
 			workConn.Close()
-			localConn.Close()
 			xl.Errorf("write proxy protocol header to local conn error: %v", err)
 			return
 		}
@@ -237,4 +257,7 @@ func (pxy *BaseProxy) HandleTCPWorkConnection(workConn net.Conn, m *msg.StartWor
 	if len(errs) > 0 {
 		xl.Tracef("join connections errors: %v", errs)
 	}
+	if compressionResourceRecycleFn != nil {
+		compressionResourceRecycleFn()
+	}
 }
--- a/client/proxy/proxy_manager.go
+++ b/client/proxy/proxy_manager.go
@@ -118,9 +118,9 @@ func (pm *Manager) HandleEvent(payload any) error {
 }

 func (pm *Manager) GetAllProxyStatus() []*WorkingStatus {
+	ps := make([]*WorkingStatus, 0)
 	pm.mu.RLock()
 	defer pm.mu.RUnlock()
-	ps := make([]*WorkingStatus, 0, len(pm.proxies))
 	for _, pxy := range pm.proxies {
 		ps = append(ps, pxy.GetStatus())
 	}
@@ -159,7 +159,7 @@ func (pm *Manager) UpdateAll(proxyCfgs []v1.ProxyConfigurer) {
 		}
 	}
 	if len(delPxyNames) > 0 {
-		xl.Infof("proxy removed: %s", delPxyNames)
+		xl.Infof("隧道移除: %s", delPxyNames)
 	}

 	addPxyNames := make([]string, 0)
@@ -177,6 +177,6 @@ func (pm *Manager) UpdateAll(proxyCfgs []v1.ProxyConfigurer) {
 		}
 	}
 	if len(addPxyNames) > 0 {
-		xl.Infof("proxy added: %s", addPxyNames)
+		xl.Infof("添加隧道: %s", addPxyNames)
 	}
 }
--- a/client/proxy/proxy_wrapper.go
+++ b/client/proxy/proxy_wrapper.go
@@ -29,7 +29,6 @@ import (
 	"github.com/fatedier/frp/client/health"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/msg"
-	"github.com/fatedier/frp/pkg/naming"
 	"github.com/fatedier/frp/pkg/transport"
 	"github.com/fatedier/frp/pkg/util/xlog"
 	"github.com/fatedier/frp/pkg/vnet"
@@ -87,8 +86,6 @@ type Wrapper struct {

 	xl  *xlog.Logger
 	ctx context.Context
-
-	wireName string
 }

 func NewWrapper(
@@ -116,7 +113,6 @@ func NewWrapper(
 		vnetController: vnetController,
 		xl:             xl,
 		ctx:            xlog.NewContext(ctx, xl),
-		wireName:       naming.AddUserPrefix(clientCfg.User, baseInfo.Name),
 	}

 	if baseInfo.HealthCheck.Type != "" && baseInfo.LocalPort > 0 {
@@ -186,7 +182,7 @@ func (pw *Wrapper) Stop() {
 func (pw *Wrapper) close() {
 	_ = pw.handler(&event.CloseProxyPayload{
 		CloseProxyMsg: &msg.CloseProxy{
-			ProxyName: pw.wireName,
+			ProxyName: pw.Name,
 		},
 	})
 }
@@ -212,7 +208,6 @@ func (pw *Wrapper) checkWorker() {

 				var newProxyMsg msg.NewProxy
 				pw.Cfg.MarshalToMsg(&newProxyMsg)
-				newProxyMsg.ProxyName = pw.wireName
 				pw.lastSendStartMsg = now
 				_ = pw.handler(&event.StartProxyPayload{
 					NewProxyMsg: &newProxyMsg,
--- a/client/proxy/sudp.go
+++ b/client/proxy/sudp.go
@@ -17,6 +17,7 @@
 package proxy

 import (
+	"io"
 	"net"
 	"reflect"
 	"strconv"
@@ -24,15 +25,17 @@ import (
 	"time"

 	"github.com/fatedier/golib/errors"
+	libio "github.com/fatedier/golib/io"

 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/msg"
 	"github.com/fatedier/frp/pkg/proto/udp"
+	"github.com/fatedier/frp/pkg/util/limit"
 	netpkg "github.com/fatedier/frp/pkg/util/net"
 )

 func init() {
-	RegisterProxyFactory(reflect.TypeFor[*v1.SUDPProxyConfig](), NewSUDPProxy)
+	RegisterProxyFactory(reflect.TypeOf(&v1.SUDPProxyConfig{}), NewSUDPProxy)
 }

 type SUDPProxy struct {
@@ -80,13 +83,27 @@ func (pxy *SUDPProxy) InWorkConn(conn net.Conn, _ *msg.StartWorkConn) {
 	xl := pxy.xl
 	xl.Infof("incoming a new work connection for sudp proxy, %s", conn.RemoteAddr().String())

-	remote, _, err := pxy.wrapWorkConn(conn, pxy.encryptionKey)
-	if err != nil {
-		xl.Errorf("wrap work connection: %v", err)
-		return
+	var rwc io.ReadWriteCloser = conn
+	var err error
+	if pxy.limiter != nil {
+		rwc = libio.WrapReadWriteCloser(limit.NewReader(conn, pxy.limiter), limit.NewWriter(conn, pxy.limiter), func() error {
+			return conn.Close()
+		})
 	}
+	if pxy.cfg.Transport.UseEncryption {
+		rwc, err = libio.WithEncryption(rwc, pxy.encryptionKey)
+		if err != nil {
+			conn.Close()
+			xl.Errorf("create encryption stream error: %v", err)
+			return
+		}
+	}
+	if pxy.cfg.Transport.UseCompression {
+		rwc = libio.WithCompression(rwc)
+	}
+	conn = netpkg.WrapReadWriteCloserToConn(rwc, conn)

-	workConn := netpkg.WrapReadWriteCloserToConn(remote, conn)
+	workConn := conn
 	readCh := make(chan *msg.UDPPacket, 1024)
 	sendCh := make(chan msg.Message, 1024)
 	isClose := false
--- a/client/proxy/udp.go
+++ b/client/proxy/udp.go
@@ -17,21 +17,24 @@
 package proxy

 import (
+	"io"
 	"net"
 	"reflect"
 	"strconv"
 	"time"

 	"github.com/fatedier/golib/errors"
+	libio "github.com/fatedier/golib/io"

 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/msg"
 	"github.com/fatedier/frp/pkg/proto/udp"
+	"github.com/fatedier/frp/pkg/util/limit"
 	netpkg "github.com/fatedier/frp/pkg/util/net"
 )

 func init() {
-	RegisterProxyFactory(reflect.TypeFor[*v1.UDPProxyConfig](), NewUDPProxy)
+	RegisterProxyFactory(reflect.TypeOf(&v1.UDPProxyConfig{}), NewUDPProxy)
 }

 type UDPProxy struct {
@@ -87,18 +90,32 @@ func (pxy *UDPProxy) Close() {

 func (pxy *UDPProxy) InWorkConn(conn net.Conn, _ *msg.StartWorkConn) {
 	xl := pxy.xl
-	xl.Infof("incoming a new work connection for udp proxy, %s", conn.RemoteAddr().String())
+	xl.Infof("收到一条新的 UDP 代理工作连接, %s", conn.RemoteAddr().String())
 	// close resources related with old workConn
 	pxy.Close()

-	remote, _, err := pxy.wrapWorkConn(conn, pxy.encryptionKey)
-	if err != nil {
-		xl.Errorf("wrap work connection: %v", err)
-		return
+	var rwc io.ReadWriteCloser = conn
+	var err error
+	if pxy.limiter != nil {
+		rwc = libio.WrapReadWriteCloser(limit.NewReader(conn, pxy.limiter), limit.NewWriter(conn, pxy.limiter), func() error {
+			return conn.Close()
+		})
 	}
+	if pxy.cfg.Transport.UseEncryption {
+		rwc, err = libio.WithEncryption(rwc, pxy.encryptionKey)
+		if err != nil {
+			conn.Close()
+			xl.Errorf("create encryption stream error: %v", err)
+			return
+		}
+	}
+	if pxy.cfg.Transport.UseCompression {
+		rwc = libio.WithCompression(rwc)
+	}
+	conn = netpkg.WrapReadWriteCloserToConn(rwc, conn)

 	pxy.mu.Lock()
-	pxy.workConn = netpkg.WrapReadWriteCloserToConn(remote, conn)
+	pxy.workConn = conn
 	pxy.readCh = make(chan *msg.UDPPacket, 1024)
 	pxy.sendCh = make(chan msg.Message, 1024)
 	pxy.closed = false
@@ -112,7 +129,7 @@ func (pxy *UDPProxy) InWorkConn(conn net.Conn, _ *msg.StartWorkConn) {
 				return
 			}
 			if errRet := errors.PanicToError(func() {
-				xl.Tracef("get udp package from workConn, len: %d", len(udpMsg.Content))
+				xl.Tracef("get udp package from workConn: %s", udpMsg.Content)
 				readCh <- &udpMsg
 			}); errRet != nil {
 				xl.Infof("reader goroutine for udp work connection closed: %v", errRet)
@@ -128,7 +145,7 @@ func (pxy *UDPProxy) InWorkConn(conn net.Conn, _ *msg.StartWorkConn) {
 		for rawMsg := range sendCh {
 			switch m := rawMsg.(type) {
 			case *msg.UDPPacket:
-				xl.Tracef("send udp package to workConn, len: %d", len(m.Content))
+				xl.Tracef("send udp package to workConn: %s", m.Content)
 			case *msg.Ping:
 				xl.Tracef("send ping message to udp workConn")
 			}
--- a/client/proxy/xtcp.go
+++ b/client/proxy/xtcp.go
@@ -27,14 +27,13 @@ import (

 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/msg"
-	"github.com/fatedier/frp/pkg/naming"
 	"github.com/fatedier/frp/pkg/nathole"
 	"github.com/fatedier/frp/pkg/transport"
 	netpkg "github.com/fatedier/frp/pkg/util/net"
 )

 func init() {
-	RegisterProxyFactory(reflect.TypeFor[*v1.XTCPProxyConfig](), NewXTCPProxy)
+	RegisterProxyFactory(reflect.TypeOf(&v1.XTCPProxyConfig{}), NewXTCPProxy)
 }

 type XTCPProxy struct {
@@ -86,7 +85,7 @@ func (pxy *XTCPProxy) InWorkConn(conn net.Conn, startWorkConnMsg *msg.StartWorkC
 	transactionID := nathole.NewTransactionID()
 	natHoleClientMsg := &msg.NatHoleClient{
 		TransactionID: transactionID,
-		ProxyName:     naming.AddUserPrefix(pxy.clientCfg.User, pxy.cfg.Name),
+		ProxyName:     pxy.cfg.Name,
 		Sid:           natHoleSidMsg.Sid,
 		MappedAddrs:   prepareResult.Addrs,
 		AssistedAddrs: prepareResult.AssistedAddrs,
--- a/client/service.go
+++ b/client/service.go
@@ -29,8 +29,6 @@ import (

 	"github.com/fatedier/frp/client/proxy"
 	"github.com/fatedier/frp/pkg/auth"
-	"github.com/fatedier/frp/pkg/config"
-	"github.com/fatedier/frp/pkg/config/source"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/msg"
 	"github.com/fatedier/frp/pkg/policy/security"
@@ -63,11 +61,9 @@ func (e cancelErr) Error() string {

 // ServiceOptions contains options for creating a new client service.
 type ServiceOptions struct {
-	Common *v1.ClientCommonConfig
-
-	// ConfigSourceAggregator manages internal config and optional store sources.
-	// It is required for creating a Service.
-	ConfigSourceAggregator *source.Aggregator
+	Common      *v1.ClientCommonConfig
+	ProxyCfgs   []v1.ProxyConfigurer
+	VisitorCfgs []v1.VisitorConfigurer

 	UnsafeFeatures *security.UnsafeFeatures

@@ -123,23 +119,11 @@ type Service struct {

 	vnetController *vnet.Controller

-	cfgMu sync.RWMutex
-	// reloadMu serializes reload transactions to keep reloadCommon and applied
-	// config in sync across concurrent API operations.
-	reloadMu sync.Mutex
-	common   *v1.ClientCommonConfig
-	// reloadCommon is used for filtering/defaulting during config-source reloads.
-	// It can be updated by /api/reload without mutating startup-only common behavior.
-	reloadCommon *v1.ClientCommonConfig
-	proxyCfgs    []v1.ProxyConfigurer
-	visitorCfgs  []v1.VisitorConfigurer
-	clientSpec   *msg.ClientSpec
-
-	// aggregator manages multiple configuration sources.
-	// When set, the service watches for config changes and reloads automatically.
-	aggregator   *source.Aggregator
-	configSource *source.ConfigSource
-	storeSource  *source.StoreSource
+	cfgMu       sync.RWMutex
+	common      *v1.ClientCommonConfig
+	proxyCfgs   []v1.ProxyConfigurer
+	visitorCfgs []v1.VisitorConfigurer
+	clientSpec  *msg.ClientSpec

 	unsafeFeatures *security.UnsafeFeatures

@@ -176,39 +160,19 @@ func NewService(options ServiceOptions) (*Service, error) {
 		return nil, err
 	}

-	if options.ConfigSourceAggregator == nil {
-		return nil, fmt.Errorf("config source aggregator is required")
-	}
-
-	configSource := options.ConfigSourceAggregator.ConfigSource()
-	storeSource := options.ConfigSourceAggregator.StoreSource()
-
-	proxyCfgs, visitorCfgs, loadErr := options.ConfigSourceAggregator.Load()
-	if loadErr != nil {
-		return nil, fmt.Errorf("failed to load config from aggregator: %w", loadErr)
-	}
-	proxyCfgs, visitorCfgs = config.FilterClientConfigurers(options.Common, proxyCfgs, visitorCfgs)
-	proxyCfgs = config.CompleteProxyConfigurers(proxyCfgs)
-	visitorCfgs = config.CompleteVisitorConfigurers(visitorCfgs)
-
 	s := &Service{
 		ctx:              context.Background(),
 		auth:             authRuntime,
 		webServer:        webServer,
 		common:           options.Common,
-		reloadCommon:     options.Common,
 		configFilePath:   options.ConfigFilePath,
 		unsafeFeatures:   options.UnsafeFeatures,
-		proxyCfgs:        proxyCfgs,
-		visitorCfgs:      visitorCfgs,
+		proxyCfgs:        options.ProxyCfgs,
+		visitorCfgs:      options.VisitorCfgs,
 		clientSpec:       options.ClientSpec,
-		aggregator:       options.ConfigSourceAggregator,
-		configSource:     configSource,
-		storeSource:      storeSource,
 		connectorCreator: options.ConnectorCreator,
 		handleWorkConnCb: options.HandleWorkConnCb,
 	}
-
 	if webServer != nil {
 		webServer.RouteRegister(s.registerRouteHandlers)
 	}
@@ -255,7 +219,7 @@ func (svr *Service) Run(ctx context.Context) error {
 	if svr.ctl == nil {
 		cancelCause := cancelErr{}
 		_ = errors.As(context.Cause(svr.ctx), &cancelCause)
-		return fmt.Errorf("login to the server failed: %v. With loginFailExit enabled, no additional retries will be attempted", cancelCause.Err)
+		return fmt.Errorf("登录服务器失败: %v. 启用 loginFailExit 后，将不再尝试重试", cancelCause.Err)
 	}

 	go svr.keepControllerWorking()
@@ -360,7 +324,7 @@ func (svr *Service) login() (conn net.Conn, connector Connector, err error) {
 	svr.runID = loginRespMsg.RunID
 	xl.AddPrefix(xlog.LogPrefix{Name: "runID", Value: svr.runID})

-	xl.Infof("login to server success, get run id [%s]", loginRespMsg.RunID)
+	xl.Infof("登录服务器成功, 获取 run id [%s]", loginRespMsg.RunID)
 	return
 }

@@ -368,10 +332,10 @@ func (svr *Service) loopLoginUntilSuccess(maxInterval time.Duration, firstLoginE
 	xl := xlog.FromContextSafe(svr.ctx)

 	loginFunc := func() (bool, error) {
-		xl.Infof("try to connect to server...")
+		xl.Infof("尝试连接到服务器...")
 		conn, connector, err := svr.login()
 		if err != nil {
-			xl.Warnf("connect to server error: %v", err)
+			xl.Warnf("连接服务器错误: %v", err)
 			if firstLoginExit {
 				svr.cancel(cancelErr{Err: err})
 			}
@@ -439,35 +403,6 @@ func (svr *Service) UpdateAllConfigurer(proxyCfgs []v1.ProxyConfigurer, visitorC
 	return nil
 }

-func (svr *Service) UpdateConfigSource(
-	common *v1.ClientCommonConfig,
-	proxyCfgs []v1.ProxyConfigurer,
-	visitorCfgs []v1.VisitorConfigurer,
-) error {
-	svr.reloadMu.Lock()
-	defer svr.reloadMu.Unlock()
-
-	cfgSource := svr.configSource
-	if cfgSource == nil {
-		return fmt.Errorf("config source is not available")
-	}
-
-	if err := cfgSource.ReplaceAll(proxyCfgs, visitorCfgs); err != nil {
-		return err
-	}
-
-	// Non-atomic update semantics: source has been updated at this point.
-	// Even if reload fails below, keep this common config for subsequent reloads.
-	svr.cfgMu.Lock()
-	svr.reloadCommon = common
-	svr.cfgMu.Unlock()
-
-	if err := svr.reloadConfigFromSourcesLocked(); err != nil {
-		return err
-	}
-	return nil
-}
-
 func (svr *Service) Close() {
 	svr.GracefulClose(time.Duration(0))
 }
@@ -478,15 +413,6 @@ func (svr *Service) GracefulClose(d time.Duration) {
 }

 func (svr *Service) stop() {
-	// Coordinate shutdown with reload/update paths that read source pointers.
-	svr.reloadMu.Lock()
-	if svr.aggregator != nil {
-		svr.aggregator = nil
-	}
-	svr.configSource = nil
-	svr.storeSource = nil
-	svr.reloadMu.Unlock()
-
 	svr.ctlMu.Lock()
 	defer svr.ctlMu.Unlock()
 	if svr.ctl != nil {
@@ -527,35 +453,3 @@ type statusExporterImpl struct {
 func (s *statusExporterImpl) GetProxyStatus(name string) (*proxy.WorkingStatus, bool) {
 	return s.getProxyStatusFunc(name)
 }
-
-func (svr *Service) reloadConfigFromSources() error {
-	svr.reloadMu.Lock()
-	defer svr.reloadMu.Unlock()
-	return svr.reloadConfigFromSourcesLocked()
-}
-
-func (svr *Service) reloadConfigFromSourcesLocked() error {
-	aggregator := svr.aggregator
-	if aggregator == nil {
-		return errors.New("config aggregator is not initialized")
-	}
-
-	svr.cfgMu.RLock()
-	reloadCommon := svr.reloadCommon
-	svr.cfgMu.RUnlock()
-
-	proxies, visitors, err := aggregator.Load()
-	if err != nil {
-		return fmt.Errorf("reload config from sources failed: %w", err)
-	}
-
-	proxies, visitors = config.FilterClientConfigurers(reloadCommon, proxies, visitors)
-	proxies = config.CompleteProxyConfigurers(proxies)
-	visitors = config.CompleteVisitorConfigurers(visitors)
-
-	// Atomically replace the entire configuration
-	if err := svr.UpdateAllConfigurer(proxies, visitors); err != nil {
-		return err
-	}
-	return nil
-}
--- a/client/service_test.go
+++ b/client/service_test.go
@@ -1,140 +0,0 @@
-package client
-
-import (
-	"path/filepath"
-	"strings"
-	"testing"
-
-	"github.com/fatedier/frp/pkg/config/source"
-	v1 "github.com/fatedier/frp/pkg/config/v1"
-)
-
-func TestUpdateConfigSourceRollsBackReloadCommonOnReplaceAllFailure(t *testing.T) {
-	prevCommon := &v1.ClientCommonConfig{User: "old-user"}
-	newCommon := &v1.ClientCommonConfig{User: "new-user"}
-
-	svr := &Service{
-		configSource: source.NewConfigSource(),
-		reloadCommon: prevCommon,
-	}
-
-	invalidProxy := &v1.TCPProxyConfig{}
-	err := svr.UpdateConfigSource(newCommon, []v1.ProxyConfigurer{invalidProxy}, nil)
-	if err == nil {
-		t.Fatal("expected error, got nil")
-	}
-
-	if !strings.Contains(err.Error(), "proxy name cannot be empty") {
-		t.Fatalf("unexpected error: %v", err)
-	}
-
-	if svr.reloadCommon != prevCommon {
-		t.Fatalf("reloadCommon should roll back on ReplaceAll failure")
-	}
-}
-
-func TestUpdateConfigSourceKeepsReloadCommonOnReloadFailure(t *testing.T) {
-	prevCommon := &v1.ClientCommonConfig{User: "old-user"}
-	newCommon := &v1.ClientCommonConfig{User: "new-user"}
-
-	svr := &Service{
-		// Keep configSource valid so ReplaceAll succeeds first.
-		configSource: source.NewConfigSource(),
-		reloadCommon: prevCommon,
-		// Keep aggregator nil to force reload failure.
-		aggregator: nil,
-	}
-
-	validProxy := &v1.TCPProxyConfig{
-		ProxyBaseConfig: v1.ProxyBaseConfig{
-			Name: "p1",
-			Type: "tcp",
-		},
-	}
-	err := svr.UpdateConfigSource(newCommon, []v1.ProxyConfigurer{validProxy}, nil)
-	if err == nil {
-		t.Fatal("expected error, got nil")
-	}
-
-	if !strings.Contains(err.Error(), "config aggregator is not initialized") {
-		t.Fatalf("unexpected error: %v", err)
-	}
-
-	if svr.reloadCommon != newCommon {
-		t.Fatalf("reloadCommon should keep new value on reload failure")
-	}
-}
-
-func TestReloadConfigFromSourcesDoesNotMutateStoreConfigs(t *testing.T) {
-	storeSource, err := source.NewStoreSource(source.StoreSourceConfig{
-		Path: filepath.Join(t.TempDir(), "store.json"),
-	})
-	if err != nil {
-		t.Fatalf("new store source: %v", err)
-	}
-
-	proxyCfg := &v1.TCPProxyConfig{
-		ProxyBaseConfig: v1.ProxyBaseConfig{
-			Name: "store-proxy",
-			Type: "tcp",
-		},
-	}
-	visitorCfg := &v1.STCPVisitorConfig{
-		VisitorBaseConfig: v1.VisitorBaseConfig{
-			Name: "store-visitor",
-			Type: "stcp",
-		},
-	}
-	if err := storeSource.AddProxy(proxyCfg); err != nil {
-		t.Fatalf("add proxy to store: %v", err)
-	}
-	if err := storeSource.AddVisitor(visitorCfg); err != nil {
-		t.Fatalf("add visitor to store: %v", err)
-	}
-
-	agg := source.NewAggregator(source.NewConfigSource())
-	agg.SetStoreSource(storeSource)
-	svr := &Service{
-		aggregator:   agg,
-		configSource: agg.ConfigSource(),
-		storeSource:  storeSource,
-		reloadCommon: &v1.ClientCommonConfig{},
-	}
-
-	if err := svr.reloadConfigFromSources(); err != nil {
-		t.Fatalf("reload config from sources: %v", err)
-	}
-
-	gotProxy := storeSource.GetProxy("store-proxy")
-	if gotProxy == nil {
-		t.Fatalf("proxy not found in store")
-	}
-	if gotProxy.GetBaseConfig().LocalIP != "" {
-		t.Fatalf("store proxy localIP should stay empty, got %q", gotProxy.GetBaseConfig().LocalIP)
-	}
-
-	gotVisitor := storeSource.GetVisitor("store-visitor")
-	if gotVisitor == nil {
-		t.Fatalf("visitor not found in store")
-	}
-	if gotVisitor.GetBaseConfig().BindAddr != "" {
-		t.Fatalf("store visitor bindAddr should stay empty, got %q", gotVisitor.GetBaseConfig().BindAddr)
-	}
-
-	svr.cfgMu.RLock()
-	defer svr.cfgMu.RUnlock()
-
-	if len(svr.proxyCfgs) != 1 {
-		t.Fatalf("expected 1 runtime proxy, got %d", len(svr.proxyCfgs))
-	}
-	if svr.proxyCfgs[0].GetBaseConfig().LocalIP != "127.0.0.1" {
-		t.Fatalf("runtime proxy localIP should be defaulted, got %q", svr.proxyCfgs[0].GetBaseConfig().LocalIP)
-	}
-
-	if len(svr.visitorCfgs) != 1 {
-		t.Fatalf("expected 1 runtime visitor, got %d", len(svr.visitorCfgs))
-	}
-	if svr.visitorCfgs[0].GetBaseConfig().BindAddr != "127.0.0.1" {
-		t.Fatalf("runtime visitor bindAddr should be defaulted, got %q", svr.visitorCfgs[0].GetBaseConfig().BindAddr)
-	}
-}
--- a/client/visitor/stcp.go
+++ b/client/visitor/stcp.go
@@ -15,12 +15,17 @@
 package visitor

 import (
+	"fmt"
+	"io"
 	"net"
 	"strconv"
+	"time"

 	libio "github.com/fatedier/golib/io"

 	v1 "github.com/fatedier/frp/pkg/config/v1"
+	"github.com/fatedier/frp/pkg/msg"
+	"github.com/fatedier/frp/pkg/util/util"
 	"github.com/fatedier/frp/pkg/util/xlog"
 )

@@ -36,10 +41,10 @@ func (sv *STCPVisitor) Run() (err error) {
 		if err != nil {
 			return
 		}
-		go sv.acceptLoop(sv.l, "stcp local", sv.handleConn)
+		go sv.worker()
 	}

-	go sv.acceptLoop(sv.internalLn, "stcp internal", sv.handleConn)
+	go sv.internalConnWorker()

 	if sv.plugin != nil {
 		sv.plugin.Start()
@@ -51,10 +56,35 @@ func (sv *STCPVisitor) Close() {
 	sv.BaseVisitor.Close()
 }

+func (sv *STCPVisitor) worker() {
+	xl := xlog.FromContextSafe(sv.ctx)
+	for {
+		conn, err := sv.l.Accept()
+		if err != nil {
+			xl.Warnf("stcp local listener closed")
+			return
+		}
+		go sv.handleConn(conn)
+	}
+}
+
+func (sv *STCPVisitor) internalConnWorker() {
+	xl := xlog.FromContextSafe(sv.ctx)
+	for {
+		conn, err := sv.internalLn.Accept()
+		if err != nil {
+			xl.Warnf("stcp internal listener closed")
+			return
+		}
+		go sv.handleConn(conn)
+	}
+}
+
 func (sv *STCPVisitor) handleConn(userConn net.Conn) {
 	xl := xlog.FromContextSafe(sv.ctx)
 	var tunnelErr error
 	defer func() {
+		// If there was an error and connection supports CloseWithError, use it
 		if tunnelErr != nil {
 			if eConn, ok := userConn.(interface{ CloseWithError(error) error }); ok {
 				_ = eConn.CloseWithError(tunnelErr)
@@ -65,21 +95,61 @@ func (sv *STCPVisitor) handleConn(userConn net.Conn) {
 	}()

 	xl.Debugf("get a new stcp user connection")
-	visitorConn, err := sv.dialRawVisitorConn(sv.cfg.GetBaseConfig())
+	visitorConn, err := sv.helper.ConnectServer()
 	if err != nil {
-		xl.Warnf("dialRawVisitorConn error: %v", err)
 		tunnelErr = err
 		return
 	}
 	defer visitorConn.Close()

-	remote, recycleFn, err := wrapVisitorConn(visitorConn, sv.cfg.GetBaseConfig())
+	now := time.Now().Unix()
+	newVisitorConnMsg := &msg.NewVisitorConn{
+		RunID:          sv.helper.RunID(),
+		ProxyName:      sv.cfg.ServerName,
+		SignKey:        util.GetAuthKey(sv.cfg.SecretKey, now),
+		Timestamp:      now,
+		UseEncryption:  sv.cfg.Transport.UseEncryption,
+		UseCompression: sv.cfg.Transport.UseCompression,
+	}
+	err = msg.WriteMsg(visitorConn, newVisitorConnMsg)
 	if err != nil {
-		xl.Warnf("wrapVisitorConn error: %v", err)
+		xl.Warnf("send newVisitorConnMsg to server error: %v", err)
 		tunnelErr = err
 		return
 	}
-	defer recycleFn()
+
+	var newVisitorConnRespMsg msg.NewVisitorConnResp
+	_ = visitorConn.SetReadDeadline(time.Now().Add(10 * time.Second))
+	err = msg.ReadMsgInto(visitorConn, &newVisitorConnRespMsg)
+	if err != nil {
+		xl.Warnf("get newVisitorConnRespMsg error: %v", err)
+		tunnelErr = err
+		return
+	}
+	_ = visitorConn.SetReadDeadline(time.Time{})
+
+	if newVisitorConnRespMsg.Error != "" {
+		xl.Warnf("start new visitor connection error: %s", newVisitorConnRespMsg.Error)
+		tunnelErr = fmt.Errorf("%s", newVisitorConnRespMsg.Error)
+		return
+	}
+
+	var remote io.ReadWriteCloser
+	remote = visitorConn
+	if sv.cfg.Transport.UseEncryption {
+		remote, err = libio.WithEncryption(remote, []byte(sv.cfg.SecretKey))
+		if err != nil {
+			xl.Errorf("create encryption stream error: %v", err)
+			tunnelErr = err
+			return
+		}
+	}
+
+	if sv.cfg.Transport.UseCompression {
+		var recycleFn func()
+		remote, recycleFn = libio.WithCompressionFromPool(remote)
+		defer recycleFn()
+	}

 	libio.Join(userConn, remote)
 }
--- a/client/visitor/sudp.go
+++ b/client/visitor/sudp.go
@@ -16,17 +16,20 @@ package visitor

 import (
 	"fmt"
+	"io"
 	"net"
 	"strconv"
 	"sync"
 	"time"

 	"github.com/fatedier/golib/errors"
+	libio "github.com/fatedier/golib/io"

 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/msg"
 	"github.com/fatedier/frp/pkg/proto/udp"
 	netpkg "github.com/fatedier/frp/pkg/util/net"
+	"github.com/fatedier/frp/pkg/util/util"
 	"github.com/fatedier/frp/pkg/util/xlog"
 )

@@ -72,7 +75,6 @@ func (sv *SUDPVisitor) dispatcher() {

 	var (
 		visitorConn net.Conn
-		recycleFn   func()
 		err         error

 		firstPacket *msg.UDPPacket
@@ -90,17 +92,14 @@ func (sv *SUDPVisitor) dispatcher() {
 			return
 		}

-		visitorConn, recycleFn, err = sv.getNewVisitorConn()
+		visitorConn, err = sv.getNewVisitorConn()
 		if err != nil {
 			xl.Warnf("newVisitorConn to frps error: %v, try to reconnect", err)
 			continue
 		}

 		// visitorConn always be closed when worker done.
-		func() {
-			defer recycleFn()
-			sv.worker(visitorConn, firstPacket)
-		}()
+		sv.worker(visitorConn, firstPacket)

 		select {
 		case <-sv.checkCloseCh:
@@ -147,7 +146,7 @@ func (sv *SUDPVisitor) worker(workConn net.Conn, firstPacket *msg.UDPPacket) {
 			case *msg.UDPPacket:
 				if errRet := errors.PanicToError(func() {
 					sv.readCh <- m
-					xl.Tracef("frpc visitor get udp packet from workConn, len: %d", len(m.Content))
+					xl.Tracef("frpc visitor get udp packet from workConn: %s", m.Content)
 				}); errRet != nil {
 					xl.Infof("reader goroutine for udp work connection closed")
 					return
@@ -169,7 +168,7 @@ func (sv *SUDPVisitor) worker(workConn net.Conn, firstPacket *msg.UDPPacket) {
 				xl.Warnf("sender goroutine for udp work connection closed: %v", errRet)
 				return
 			}
-			xl.Tracef("send udp package to workConn, len: %d", len(firstPacket.Content))
+			xl.Tracef("send udp package to workConn: %s", firstPacket.Content)
 		}

 		for {
@@ -184,7 +183,7 @@ func (sv *SUDPVisitor) worker(workConn net.Conn, firstPacket *msg.UDPPacket) {
 					xl.Warnf("sender goroutine for udp work connection closed: %v", errRet)
 					return
 				}
-				xl.Tracef("send udp package to workConn, len: %d", len(udpMsg.Content))
+				xl.Tracef("send udp package to workConn: %s", udpMsg.Content)
 			case <-closeCh:
 				return
 			}
@@ -198,17 +197,52 @@ func (sv *SUDPVisitor) worker(workConn net.Conn, firstPacket *msg.UDPPacket) {
 	xl.Infof("sudp worker is closed")
 }

-func (sv *SUDPVisitor) getNewVisitorConn() (net.Conn, func(), error) {
-	rawConn, err := sv.dialRawVisitorConn(sv.cfg.GetBaseConfig())
+func (sv *SUDPVisitor) getNewVisitorConn() (net.Conn, error) {
+	xl := xlog.FromContextSafe(sv.ctx)
+	visitorConn, err := sv.helper.ConnectServer()
 	if err != nil {
-		return nil, func() {}, err
+		return nil, fmt.Errorf("frpc connect frps error: %v", err)
 	}
-	rwc, recycleFn, err := wrapVisitorConn(rawConn, sv.cfg.GetBaseConfig())
+
+	now := time.Now().Unix()
+	newVisitorConnMsg := &msg.NewVisitorConn{
+		RunID:          sv.helper.RunID(),
+		ProxyName:      sv.cfg.ServerName,
+		SignKey:        util.GetAuthKey(sv.cfg.SecretKey, now),
+		Timestamp:      now,
+		UseEncryption:  sv.cfg.Transport.UseEncryption,
+		UseCompression: sv.cfg.Transport.UseCompression,
+	}
+	err = msg.WriteMsg(visitorConn, newVisitorConnMsg)
 	if err != nil {
-		rawConn.Close()
-		return nil, func() {}, err
+		return nil, fmt.Errorf("frpc send newVisitorConnMsg to frps error: %v", err)
 	}
-	return netpkg.WrapReadWriteCloserToConn(rwc, rawConn), recycleFn, nil
+
+	var newVisitorConnRespMsg msg.NewVisitorConnResp
+	_ = visitorConn.SetReadDeadline(time.Now().Add(10 * time.Second))
+	err = msg.ReadMsgInto(visitorConn, &newVisitorConnRespMsg)
+	if err != nil {
+		return nil, fmt.Errorf("frpc read newVisitorConnRespMsg error: %v", err)
+	}
+	_ = visitorConn.SetReadDeadline(time.Time{})
+
+	if newVisitorConnRespMsg.Error != "" {
+		return nil, fmt.Errorf("start new visitor connection error: %s", newVisitorConnRespMsg.Error)
+	}
+
+	var remote io.ReadWriteCloser
+	remote = visitorConn
+	if sv.cfg.Transport.UseEncryption {
+		remote, err = libio.WithEncryption(remote, []byte(sv.cfg.SecretKey))
+		if err != nil {
+			xl.Errorf("create encryption stream error: %v", err)
+			return nil, err
+		}
+	}
+	if sv.cfg.Transport.UseCompression {
+		remote = libio.WithCompression(remote)
+	}
+	return netpkg.WrapReadWriteCloserToConn(remote, visitorConn), nil
 }

 func (sv *SUDPVisitor) Close() {
--- a/client/visitor/visitor.go
+++ b/client/visitor/visitor.go
@@ -16,21 +16,13 @@ package visitor

 import (
 	"context"
-	"fmt"
-	"io"
 	"net"
 	"sync"
-	"time"
-
-	libio "github.com/fatedier/golib/io"

 	v1 "github.com/fatedier/frp/pkg/config/v1"
-	"github.com/fatedier/frp/pkg/msg"
-	"github.com/fatedier/frp/pkg/naming"
 	plugin "github.com/fatedier/frp/pkg/plugin/visitor"
 	"github.com/fatedier/frp/pkg/transport"
 	netpkg "github.com/fatedier/frp/pkg/util/net"
-	"github.com/fatedier/frp/pkg/util/util"
 	"github.com/fatedier/frp/pkg/util/xlog"
 	"github.com/fatedier/frp/pkg/vnet"
 )
@@ -127,18 +119,6 @@ func (v *BaseVisitor) AcceptConn(conn net.Conn) error {
 	return v.internalLn.PutConn(conn)
 }

-func (v *BaseVisitor) acceptLoop(l net.Listener, name string, handleConn func(net.Conn)) {
-	xl := xlog.FromContextSafe(v.ctx)
-	for {
-		conn, err := l.Accept()
-		if err != nil {
-			xl.Warnf("%s listener closed", name)
-			return
-		}
-		go handleConn(conn)
-	}
-}
-
 func (v *BaseVisitor) Close() {
 	if v.l != nil {
 		v.l.Close()
@@ -150,57 +130,3 @@ func (v *BaseVisitor) Close() {
 		v.plugin.Close()
 	}
 }
-
-func (v *BaseVisitor) dialRawVisitorConn(cfg *v1.VisitorBaseConfig) (net.Conn, error) {
-	visitorConn, err := v.helper.ConnectServer()
-	if err != nil {
-		return nil, fmt.Errorf("connect to server error: %v", err)
-	}
-
-	now := time.Now().Unix()
-	targetProxyName := naming.BuildTargetServerProxyName(v.clientCfg.User, cfg.ServerUser, cfg.ServerName)
-	newVisitorConnMsg := &msg.NewVisitorConn{
-		RunID:          v.helper.RunID(),
-		ProxyName:      targetProxyName,
-		SignKey:        util.GetAuthKey(cfg.SecretKey, now),
-		Timestamp:      now,
-		UseEncryption:  cfg.Transport.UseEncryption,
-		UseCompression: cfg.Transport.UseCompression,
-	}
-	err = msg.WriteMsg(visitorConn, newVisitorConnMsg)
-	if err != nil {
-		visitorConn.Close()
-		return nil, fmt.Errorf("send newVisitorConnMsg to server error: %v", err)
-	}
-
-	var newVisitorConnRespMsg msg.NewVisitorConnResp
-	_ = visitorConn.SetReadDeadline(time.Now().Add(10 * time.Second))
-	err = msg.ReadMsgInto(visitorConn, &newVisitorConnRespMsg)
-	if err != nil {
-		visitorConn.Close()
-		return nil, fmt.Errorf("read newVisitorConnRespMsg error: %v", err)
-	}
-	_ = visitorConn.SetReadDeadline(time.Time{})
-
-	if newVisitorConnRespMsg.Error != "" {
-		visitorConn.Close()
-		return nil, fmt.Errorf("start new visitor connection error: %s", newVisitorConnRespMsg.Error)
-	}
-	return visitorConn, nil
-}
-
-func wrapVisitorConn(conn io.ReadWriteCloser, cfg *v1.VisitorBaseConfig) (io.ReadWriteCloser, func(), error) {
-	rwc := conn
-	if cfg.Transport.UseEncryption {
-		var err error
-		rwc, err = libio.WithEncryption(rwc, []byte(cfg.SecretKey))
-		if err != nil {
-			return nil, func() {}, fmt.Errorf("create encryption stream error: %v", err)
-		}
-	}
-	recycleFn := func() {}
-	if cfg.Transport.UseCompression {
-		rwc, recycleFn = libio.WithCompressionFromPool(rwc)
-	}
-	return rwc, recycleFn, nil
-}
--- a/client/visitor/xtcp.go
+++ b/client/visitor/xtcp.go
@@ -31,7 +31,6 @@ import (

 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/msg"
-	"github.com/fatedier/frp/pkg/naming"
 	"github.com/fatedier/frp/pkg/nathole"
 	"github.com/fatedier/frp/pkg/transport"
 	netpkg "github.com/fatedier/frp/pkg/util/net"
@@ -65,10 +64,10 @@ func (sv *XTCPVisitor) Run() (err error) {
 		if err != nil {
 			return
 		}
-		go sv.acceptLoop(sv.l, "xtcp local", sv.handleConn)
+		go sv.worker()
 	}

-	go sv.acceptLoop(sv.internalLn, "xtcp internal", sv.handleConn)
+	go sv.internalConnWorker()
 	go sv.processTunnelStartEvents()
 	if sv.cfg.KeepTunnelOpen {
 		sv.retryLimiter = rate.NewLimiter(rate.Every(time.Hour/time.Duration(sv.cfg.MaxRetriesAnHour)), sv.cfg.MaxRetriesAnHour)
@@ -93,6 +92,30 @@ func (sv *XTCPVisitor) Close() {
 	}
 }

+func (sv *XTCPVisitor) worker() {
+	xl := xlog.FromContextSafe(sv.ctx)
+	for {
+		conn, err := sv.l.Accept()
+		if err != nil {
+			xl.Warnf("xtcp local listener closed")
+			return
+		}
+		go sv.handleConn(conn)
+	}
+}
+
+func (sv *XTCPVisitor) internalConnWorker() {
+	xl := xlog.FromContextSafe(sv.ctx)
+	for {
+		conn, err := sv.internalLn.Accept()
+		if err != nil {
+			xl.Warnf("xtcp internal listener closed")
+			return
+		}
+		go sv.handleConn(conn)
+	}
+}
+
 func (sv *XTCPVisitor) processTunnelStartEvents() {
 	for {
 		select {
@@ -182,14 +205,20 @@ func (sv *XTCPVisitor) handleConn(userConn net.Conn) {
 		return
 	}

-	muxConnRWCloser, recycleFn, err := wrapVisitorConn(tunnelConn, sv.cfg.GetBaseConfig())
-	if err != nil {
-		xl.Errorf("%v", err)
-		tunnelConn.Close()
-		tunnelErr = err
-		return
+	var muxConnRWCloser io.ReadWriteCloser = tunnelConn
+	if sv.cfg.Transport.UseEncryption {
+		muxConnRWCloser, err = libio.WithEncryption(muxConnRWCloser, []byte(sv.cfg.SecretKey))
+		if err != nil {
+			xl.Errorf("create encryption stream error: %v", err)
+			tunnelErr = err
+			return
+		}
+	}
+	if sv.cfg.Transport.UseCompression {
+		var recycleFn func()
+		muxConnRWCloser, recycleFn = libio.WithCompressionFromPool(muxConnRWCloser)
+		defer recycleFn()
 	}
-	defer recycleFn()

 	_, _, errs := libio.Join(userConn, muxConnRWCloser)
 	xl.Debugf("join connections closed")
@@ -251,9 +280,8 @@ func (sv *XTCPVisitor) getTunnelConn(ctx context.Context) (net.Conn, error) {
 // 4. Create a tunnel session using an underlying UDP connection.
 func (sv *XTCPVisitor) makeNatHole() {
 	xl := xlog.FromContextSafe(sv.ctx)
-	targetProxyName := naming.BuildTargetServerProxyName(sv.clientCfg.User, sv.cfg.ServerUser, sv.cfg.ServerName)
 	xl.Tracef("makeNatHole start")
-	if err := nathole.PreCheck(sv.ctx, sv.helper.MsgTransporter(), targetProxyName, 5*time.Second); err != nil {
+	if err := nathole.PreCheck(sv.ctx, sv.helper.MsgTransporter(), sv.cfg.ServerName, 5*time.Second); err != nil {
 		xl.Warnf("nathole precheck error: %v", err)
 		return
 	}
@@ -282,7 +310,7 @@ func (sv *XTCPVisitor) makeNatHole() {
 	transactionID := nathole.NewTransactionID()
 	natHoleVisitorMsg := &msg.NatHoleVisitor{
 		TransactionID: transactionID,
-		ProxyName:     targetProxyName,
+		ProxyName:     sv.cfg.ServerName,
 		Protocol:      sv.cfg.Protocol,
 		SignKey:       util.GetAuthKey(sv.cfg.SecretKey, now),
 		Timestamp:     now,
@@ -343,7 +371,6 @@ func (ks *KCPTunnelSession) Init(listenConn *net.UDPConn, raddr *net.UDPAddr) er
 	}
 	remote, err := netpkg.NewKCPConnFromUDP(lConn, true, raddr.String())
 	if err != nil {
-		lConn.Close()
 		return fmt.Errorf("create kcp connection from udp connection error: %v", err)
 	}

--- a/cmd/frpc/sub/admin.go
+++ b/cmd/frpc/sub/admin.go
@@ -54,7 +54,11 @@ func NewAdminCommand(name, short string, handler func(*v1.ClientCommonConfig) er
 		Use:   name,
 		Short: short,
 		Run: func(cmd *cobra.Command, args []string) {
-			cfg, _, _, _, err := config.LoadClientConfig(cfgFile, strictConfigMode)
+			if len(cfgFiles) == 0 || cfgFiles[0] == "" {
+				fmt.Println("frpc: the configuration file is not specified")
+				os.Exit(1)
+			}
+			cfg, _, _, _, err := config.LoadClientConfig(cfgFiles[0], strictConfigMode)
 			if err != nil {
 				fmt.Println(err)
 				os.Exit(1)
--- a/cmd/frpc/sub/nathole.go
+++ b/cmd/frpc/sub/nathole.go
@@ -47,9 +47,18 @@ var natholeDiscoveryCmd = &cobra.Command{
 	Use:   "discover",
 	Short: "Discover nathole information from stun server",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		// ignore error here, because we can use command line parameters
-		cfg, _, _, _, err := config.LoadClientConfig(cfgFile, strictConfigMode)
-		if err != nil {
+		// ignore error here, because we can use command line pameters
+		var cfg *v1.ClientCommonConfig
+		if len(cfgFiles) > 0 && cfgFiles[0] != "" {
+			_, _, _, _, err := config.LoadClientConfig(cfgFiles[0], strictConfigMode)
+			if err != nil {
+				cfg = &v1.ClientCommonConfig{}
+				if err := cfg.Complete(); err != nil {
+					fmt.Printf("failed to complete config: %v\n", err)
+					os.Exit(1)
+				}
+			}
+		} else {
 			cfg = &v1.ClientCommonConfig{}
 			if err := cfg.Complete(); err != nil {
 				fmt.Printf("failed to complete config: %v\n", err)
--- a/cmd/frpc/sub/proxy.go
+++ b/cmd/frpc/sub/proxy.go
@@ -22,7 +22,6 @@ import (
 	"github.com/spf13/cobra"

 	"github.com/fatedier/frp/pkg/config"
-	"github.com/fatedier/frp/pkg/config/source"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/config/v1/validation"
 	"github.com/fatedier/frp/pkg/policy/security"
@@ -87,14 +86,13 @@ func NewProxyCommand(name string, c v1.ProxyConfigurer, clientCfg *v1.ClientComm
 				os.Exit(1)
 			}

+			c.Complete(clientCfg.User)
 			c.GetBaseConfig().Type = name
-			c.Complete()
-			proxyCfg := c
-			if err := validation.ValidateProxyConfigurerForClient(proxyCfg); err != nil {
+			if err := validation.ValidateProxyConfigurerForClient(c); err != nil {
 				fmt.Println(err)
 				os.Exit(1)
 			}
-			err := startService(clientCfg, []v1.ProxyConfigurer{proxyCfg}, nil, unsafeFeatures, "")
+			err := startService(clientCfg, []v1.ProxyConfigurer{c}, nil, unsafeFeatures, "", "", "")
 			if err != nil {
 				fmt.Println(err)
 				os.Exit(1)
@@ -119,14 +117,13 @@ func NewVisitorCommand(name string, c v1.VisitorConfigurer, clientCfg *v1.Client
 				os.Exit(1)
 			}

+			c.Complete(clientCfg)
 			c.GetBaseConfig().Type = name
-			c.Complete()
-			visitorCfg := c
-			if err := validation.ValidateVisitorConfigurer(visitorCfg); err != nil {
+			if err := validation.ValidateVisitorConfigurer(c); err != nil {
 				fmt.Println(err)
 				os.Exit(1)
 			}
-			err := startService(clientCfg, nil, []v1.VisitorConfigurer{visitorCfg}, unsafeFeatures, "")
+			err := startService(clientCfg, nil, []v1.VisitorConfigurer{c}, unsafeFeatures, "", "", "")
 			if err != nil {
 				fmt.Println(err)
 				os.Exit(1)
@@ -134,18 +131,3 @@ func NewVisitorCommand(name string, c v1.VisitorConfigurer, clientCfg *v1.Client
 		},
 	}
 }
-
-func startService(
-	cfg *v1.ClientCommonConfig,
-	proxyCfgs []v1.ProxyConfigurer,
-	visitorCfgs []v1.VisitorConfigurer,
-	unsafeFeatures *security.UnsafeFeatures,
-	cfgFile string,
-) error {
-	configSource := source.NewConfigSource()
-	if err := configSource.ReplaceAll(proxyCfgs, visitorCfgs); err != nil {
-		return fmt.Errorf("failed to set config source: %w", err)
-	}
-	aggregator := source.NewAggregator(configSource)
-	return startServiceWithAggregator(cfg, aggregator, unsafeFeatures, cfgFile)
-}
--- a/cmd/frpc/sub/root.go
+++ b/cmd/frpc/sub/root.go
@@ -16,8 +16,11 @@ package sub

 import (
 	"context"
+	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"io/fs"
+	"net/http"
 	"os"
 	"os/signal"
 	"path/filepath"
@@ -30,29 +33,32 @@ import (

 	"github.com/fatedier/frp/client"
 	"github.com/fatedier/frp/pkg/config"
-	"github.com/fatedier/frp/pkg/config/source"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/config/v1/validation"
 	"github.com/fatedier/frp/pkg/policy/featuregate"
 	"github.com/fatedier/frp/pkg/policy/security"
+	"github.com/fatedier/frp/pkg/util/banner"
 	"github.com/fatedier/frp/pkg/util/log"
 	"github.com/fatedier/frp/pkg/util/version"
 )

 var (
-	cfgFile          string
+	cfgFiles         []string
 	cfgDir           string
 	showVersion      bool
 	strictConfigMode bool
 	allowUnsafe      []string
+	authTokens       []string
+
+	bannerDisplayed bool
 )

 func init() {
-	rootCmd.PersistentFlags().StringVarP(&cfgFile, "config", "c", "./frpc.ini", "config file of frpc")
+	rootCmd.PersistentFlags().StringSliceVarP(&cfgFiles, "config", "c", []string{"./frpc.ini"}, "config files of frpc (support multiple files)")
 	rootCmd.PersistentFlags().StringVarP(&cfgDir, "config_dir", "", "", "config directory, run one frpc service for each file in config directory")
 	rootCmd.PersistentFlags().BoolVarP(&showVersion, "version", "v", false, "version of frpc")
 	rootCmd.PersistentFlags().BoolVarP(&strictConfigMode, "strict_config", "", true, "strict config parsing mode, unknown fields will cause an errors")
-
+	rootCmd.PersistentFlags().StringSliceVarP(&authTokens, "token", "t", []string{}, "authentication tokens in format 'id:token' (LoliaFRP only)")
 	rootCmd.PersistentFlags().StringSliceVarP(&allowUnsafe, "allow-unsafe", "", []string{},
 		fmt.Sprintf("allowed unsafe features, one or more of: %s", strings.Join(security.ClientUnsafeFeatures, ", ")))
 }
@@ -68,15 +74,30 @@ var rootCmd = &cobra.Command{

 		unsafeFeatures := security.NewUnsafeFeatures(allowUnsafe)

+		// If authTokens is provided, fetch config from API
+		if len(authTokens) > 0 {
+			err := runClientWithTokens(authTokens, unsafeFeatures)
+			if err != nil {
+				fmt.Println(err)
+				os.Exit(1)
+			}
+			return nil
+		}
+
 		// If cfgDir is not empty, run multiple frpc service for each config file in cfgDir.
-		// Note that it's only designed for testing. It's not guaranteed to be stable.
 		if cfgDir != "" {
 			_ = runMultipleClients(cfgDir, unsafeFeatures)
 			return nil
 		}

+		// If multiple config files are specified, run one frpc service for each file
+		if len(cfgFiles) > 1 {
+			runMultipleClientsFromFiles(cfgFiles, unsafeFeatures)
+			return nil
+		}
+
 		// Do not show command usage here.
-		err := runClient(cfgFile, unsafeFeatures)
+		err := runClient(cfgFiles[0], unsafeFeatures)
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(1)
@@ -106,6 +127,29 @@ func runMultipleClients(cfgDir string, unsafeFeatures *security.UnsafeFeatures)
 	return err
 }

+func runMultipleClientsFromFiles(cfgFiles []string, unsafeFeatures *security.UnsafeFeatures) {
+	var wg sync.WaitGroup
+
+	// Display banner first
+	banner.DisplayBanner()
+	bannerDisplayed = true
+	log.Infof("检测到 %d 个配置文件，将启动多个 frpc 服务实例", len(cfgFiles))
+
+	for _, cfgFile := range cfgFiles {
+		wg.Add(1)
+		// Add a small delay to avoid log output mixing
+		time.Sleep(100 * time.Millisecond)
+		go func(path string) {
+			defer wg.Done()
+			err := runClient(path, unsafeFeatures)
+			if err != nil {
+				fmt.Printf("\n配置文件 [%s] 启动失败: %v\n", path, err)
+			}
+		}(cfgFile)
+	}
+	wg.Wait()
+}
+
 func Execute() {
 	rootCmd.SetGlobalNormalizationFunc(config.WordSepNormalizeFunc)
 	if err := rootCmd.Execute(); err != nil {
@@ -121,64 +165,22 @@ func handleTermSignal(svr *client.Service) {
 }

 func runClient(cfgFilePath string, unsafeFeatures *security.UnsafeFeatures) error {
-	// Load configuration
-	result, err := config.LoadClientConfigResult(cfgFilePath, strictConfigMode)
+	cfg, proxyCfgs, visitorCfgs, isLegacyFormat, err := config.LoadClientConfig(cfgFilePath, strictConfigMode)
 	if err != nil {
 		return err
 	}
-	if result.IsLegacyFormat {
+	if isLegacyFormat {
 		fmt.Printf("WARNING: ini format is deprecated and the support will be removed in the future, " +
 			"please use yaml/json/toml format instead!\n")
 	}

-	if len(result.Common.FeatureGates) > 0 {
-		if err := featuregate.SetFromMap(result.Common.FeatureGates); err != nil {
+	if len(cfg.FeatureGates) > 0 {
+		if err := featuregate.SetFromMap(cfg.FeatureGates); err != nil {
 			return err
 		}
 	}

-	return runClientWithAggregator(result, unsafeFeatures, cfgFilePath)
-}
-
-// runClientWithAggregator runs the client using the internal source aggregator.
-func runClientWithAggregator(result *config.ClientConfigLoadResult, unsafeFeatures *security.UnsafeFeatures, cfgFilePath string) error {
-	configSource := source.NewConfigSource()
-	if err := configSource.ReplaceAll(result.Proxies, result.Visitors); err != nil {
-		return fmt.Errorf("failed to set config source: %w", err)
-	}
-
-	var storeSource *source.StoreSource
-
-	if result.Common.Store.IsEnabled() {
-		storePath := result.Common.Store.Path
-		if storePath != "" && cfgFilePath != "" && !filepath.IsAbs(storePath) {
-			storePath = filepath.Join(filepath.Dir(cfgFilePath), storePath)
-		}
-
-		s, err := source.NewStoreSource(source.StoreSourceConfig{
-			Path: storePath,
-		})
-		if err != nil {
-			return fmt.Errorf("failed to create store source: %w", err)
-		}
-		storeSource = s
-	}
-
-	aggregator := source.NewAggregator(configSource)
-	if storeSource != nil {
-		aggregator.SetStoreSource(storeSource)
-	}
-
-	proxyCfgs, visitorCfgs, err := aggregator.Load()
-	if err != nil {
-		return fmt.Errorf("failed to load config from sources: %w", err)
-	}
-
-	proxyCfgs, visitorCfgs = config.FilterClientConfigurers(result.Common, proxyCfgs, visitorCfgs)
-	proxyCfgs = config.CompleteProxyConfigurers(proxyCfgs)
-	visitorCfgs = config.CompleteVisitorConfigurers(visitorCfgs)
-
-	warning, err := validation.ValidateAllClientConfig(result.Common, proxyCfgs, visitorCfgs, unsafeFeatures)
+	warning, err := validation.ValidateAllClientConfig(cfg, proxyCfgs, visitorCfgs, unsafeFeatures)
 	if warning != nil {
 		fmt.Printf("WARNING: %v\n", warning)
 	}
@@ -186,34 +188,234 @@ func runClientWithAggregator(result *config.ClientConfigLoadResult, unsafeFeatur
 		return err
 	}

-	return startServiceWithAggregator(result.Common, aggregator, unsafeFeatures, cfgFilePath)
+	return startService(cfg, proxyCfgs, visitorCfgs, unsafeFeatures, cfgFilePath, "", "")
 }

-func startServiceWithAggregator(
+func startService(
 	cfg *v1.ClientCommonConfig,
-	aggregator *source.Aggregator,
+	proxyCfgs []v1.ProxyConfigurer,
+	visitorCfgs []v1.VisitorConfigurer,
 	unsafeFeatures *security.UnsafeFeatures,
 	cfgFile string,
+	nodeName string,
+	tunnelRemark string,
 ) error {
 	log.InitLogger(cfg.Log.To, cfg.Log.Level, int(cfg.Log.MaxDays), cfg.Log.DisablePrintColor)

+	// Display banner only once before starting the first service
+	if !bannerDisplayed {
+		banner.DisplayBanner()
+		bannerDisplayed = true
+	}
+
+	// Display node information if available
+	if nodeName != "" {
+		log.Info("已获取到配置文件", "隧道名称", tunnelRemark, "使用节点", nodeName)
+	}
+
 	if cfgFile != "" {
-		log.Infof("start frpc service for config file [%s] with aggregated configuration", cfgFile)
-		defer log.Infof("frpc service for config file [%s] stopped", cfgFile)
+		log.Infof("启动 frpc 服务 [%s]", cfgFile)
+		defer log.Infof("frpc 服务 [%s] 已停止", cfgFile)
 	}
 	svr, err := client.NewService(client.ServiceOptions{
-		Common:                 cfg,
-		ConfigSourceAggregator: aggregator,
-		UnsafeFeatures:         unsafeFeatures,
-		ConfigFilePath:         cfgFile,
+		Common:         cfg,
+		ProxyCfgs:      proxyCfgs,
+		VisitorCfgs:    visitorCfgs,
+		UnsafeFeatures: unsafeFeatures,
+		ConfigFilePath: cfgFile,
 	})
 	if err != nil {
 		return err
 	}

 	shouldGracefulClose := cfg.Transport.Protocol == "kcp" || cfg.Transport.Protocol == "quic"
+	// Capture the exit signal if we use kcp or quic.
 	if shouldGracefulClose {
 		go handleTermSignal(svr)
 	}
 	return svr.Run(context.Background())
 }
+
+// APIResponse represents the response from LoliaFRP API
+type APIResponse struct {
+	Code int    `json:"code"`
+	Msg  string `json:"msg"`
+	Data struct {
+		Config       string `json:"config"`
+		NodeName     string `json:"node_name"`
+		TunnelRemark string `json:"tunnel_remark"`
+	} `json:"data"`
+}
+
+// TokenInfo stores parsed id and token from the -t parameter
+type TokenInfo struct {
+	ID    string
+	Token string
+}
+
+func runClientWithTokens(tokens []string, unsafeFeatures *security.UnsafeFeatures) error {
+	// Parse all tokens (format: id:token)
+	tokenInfos := make([]TokenInfo, 0, len(tokens))
+	for _, t := range tokens {
+		parts := strings.SplitN(t, ":", 2)
+		if len(parts) != 2 {
+			return fmt.Errorf("invalid token format '%s', expected 'id:token'", t)
+		}
+		tokenInfos = append(tokenInfos, TokenInfo{
+			ID:    strings.TrimSpace(parts[0]),
+			Token: strings.TrimSpace(parts[1]),
+		})
+	}
+
+	// Group tokens by token value (same token can have multiple IDs)
+	tokenToIDs := make(map[string][]string)
+	for _, ti := range tokenInfos {
+		tokenToIDs[ti.Token] = append(tokenToIDs[ti.Token], ti.ID)
+	}
+
+	// If we have multiple different tokens, start one service for each token group
+	if len(tokenToIDs) > 1 {
+		return runMultipleClientsWithTokens(tokenToIDs, unsafeFeatures)
+	}
+
+	// Get the single token and all its IDs
+	var token string
+	var ids []string
+	for t, idList := range tokenToIDs {
+		token = t
+		ids = idList
+		break
+	}
+
+	return runClientWithTokenAndIDs(token, ids, unsafeFeatures)
+}
+
+func runClientWithTokenAndIDs(token string, ids []string, unsafeFeatures *security.UnsafeFeatures) error {
+	// Get API server address from environment variable
+	apiServer := os.Getenv("LOLIA_API")
+	if apiServer == "" {
+		apiServer = "https://api.lolia.link"
+	}
+
+	// Build URL with query parameters
+	url := fmt.Sprintf("%s/api/v1/tunnel/frpc/config?token=%s&id=%s", apiServer, token, strings.Join(ids, ","))
+	// #nosec G107 -- URL is constructed from trusted source (environment variable or hardcoded)
+	resp, err := http.Get(url)
+	if err != nil {
+		return fmt.Errorf("failed to fetch config from API: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("API returned status code: %d", resp.StatusCode)
+	}
+
+	var apiResp APIResponse
+	if err := json.NewDecoder(resp.Body).Decode(&apiResp); err != nil {
+		return fmt.Errorf("failed to decode API response: %v", err)
+	}
+
+	if apiResp.Code != 200 {
+		return fmt.Errorf("API error: %s", apiResp.Msg)
+	}
+
+	// Decode base64 config
+	configBytes, err := base64.StdEncoding.DecodeString(apiResp.Data.Config)
+	if err != nil {
+		return fmt.Errorf("failed to decode base64 config: %v", err)
+	}
+
+	// Load config directly from bytes
+	return runClientWithConfig(configBytes, unsafeFeatures, apiResp.Data.NodeName, apiResp.Data.TunnelRemark)
+}
+
+func runMultipleClientsWithTokens(tokenToIDs map[string][]string, unsafeFeatures *security.UnsafeFeatures) error {
+	var wg sync.WaitGroup
+
+	// Display banner first
+	banner.DisplayBanner()
+	bannerDisplayed = true
+	log.Infof("检测到 %d 个不同的 token，将并行启动多个 frpc 服务实例", len(tokenToIDs))
+
+	index := 0
+	for token, ids := range tokenToIDs {
+		wg.Add(1)
+		currentIndex := index
+		currentToken := token
+		currentIDs := ids
+		totalCount := len(tokenToIDs)
+
+		// Add a small delay to avoid log output mixing
+		time.Sleep(100 * time.Millisecond)
+
+		go func() {
+			defer wg.Done()
+			maskedToken := currentToken
+			if len(maskedToken) > 6 {
+				maskedToken = maskedToken[:3] + "***" + maskedToken[len(maskedToken)-3:]
+			} else {
+				maskedToken = "***"
+			}
+			log.Infof("[%d/%d] 启动 token: %s (IDs: %v)", currentIndex+1, totalCount, maskedToken, currentIDs)
+			err := runClientWithTokenAndIDs(currentToken, currentIDs, unsafeFeatures)
+			if err != nil {
+				fmt.Printf("\nToken [%s] 启动失败: %v\n", maskedToken, err)
+			}
+		}()
+		index++
+	}
+	wg.Wait()
+	return nil
+}
+
+func runClientWithConfig(configBytes []byte, unsafeFeatures *security.UnsafeFeatures, nodeName, tunnelRemark string) error {
+	// Render template first
+	renderedBytes, err := config.RenderWithTemplate(configBytes, config.GetValues())
+	if err != nil {
+		return fmt.Errorf("failed to render template: %v", err)
+	}
+
+	var allCfg v1.ClientConfig
+	if err := config.LoadConfigure(renderedBytes, &allCfg, strictConfigMode); err != nil {
+		return fmt.Errorf("failed to parse config: %v", err)
+	}
+
+	cfg := &allCfg.ClientCommonConfig
+	proxyCfgs := make([]v1.ProxyConfigurer, 0, len(allCfg.Proxies))
+	for _, c := range allCfg.Proxies {
+		proxyCfgs = append(proxyCfgs, c.ProxyConfigurer)
+	}
+	visitorCfgs := make([]v1.VisitorConfigurer, 0, len(allCfg.Visitors))
+	for _, c := range allCfg.Visitors {
+		visitorCfgs = append(visitorCfgs, c.VisitorConfigurer)
+	}
+
+	// Call Complete to fill in default values
+	if err := cfg.Complete(); err != nil {
+		return fmt.Errorf("failed to complete config: %v", err)
+	}
+
+	// Call Complete for all proxies to add name prefix (e.g., user.tunnel_name)
+	for _, c := range proxyCfgs {
+		c.Complete(cfg.User)
+	}
+	for _, c := range visitorCfgs {
+		c.Complete(cfg)
+	}
+
+	if len(cfg.FeatureGates) > 0 {
+		if err := featuregate.SetFromMap(cfg.FeatureGates); err != nil {
+			return err
+		}
+	}
+
+	warning, err := validation.ValidateAllClientConfig(cfg, proxyCfgs, visitorCfgs, unsafeFeatures)
+	if warning != nil {
+		fmt.Printf("WARNING: %v\n", warning)
+	}
+	if err != nil {
+		return err
+	}
+
+	return startService(cfg, proxyCfgs, visitorCfgs, unsafeFeatures, "", nodeName, tunnelRemark)
+}
--- a/cmd/frpc/sub/verify.go
+++ b/cmd/frpc/sub/verify.go
@@ -33,11 +33,12 @@ var verifyCmd = &cobra.Command{
 	Use:   "verify",
 	Short: "Verify that the configures is valid",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		if cfgFile == "" {
+		if len(cfgFiles) == 0 || cfgFiles[0] == "" {
 			fmt.Println("frpc: the configuration file is not specified")
 			return nil
 		}

+		cfgFile := cfgFiles[0]
 		cliCfg, proxyCfgs, visitorCfgs, _, err := config.LoadClientConfig(cfgFile, strictConfigMode)
 		if err != nil {
 			fmt.Println(err)
--- a/conf/frpc_full_example.toml
+++ b/conf/frpc_full_example.toml
@@ -143,9 +143,6 @@ transport.tls.enable = true

 # Proxy names you want to start.
 # Default is empty, means all proxies.
-# This list is a global allowlist after config + store are merged, so entries
-# created via Store API are also filtered by this list.
-# If start is non-empty, any proxy/visitor not listed here will not be started.
 # start = ["ssh", "dns"]

 # Alternative to 'start': You can control each proxy individually using the 'enabled' field.
@@ -332,6 +329,14 @@ type = "https2http"
 localAddr = "127.0.0.1:80"
 crtPath = "./server.crt"
 keyPath = "./server.key"
+# autoTLS can replace crtPath/keyPath and automatically apply/renew certificates.
+# [proxies.plugin.autoTLS]
+# enable = true
+# email = "admin@example.com"
+# cacheDir = "./.autotls-cache"
+# hostAllowList is optional. If omitted, frpc will use customDomains automatically.
+# hostAllowList = ["test.yourdomain.com"]
+# caDirURL = "https://acme-v02.api.letsencrypt.org/directory"
 hostHeaderRewrite = "127.0.0.1"
 requestHeaders.set.x-from-where = "frp"

@@ -344,6 +349,14 @@ type = "https2https"
 localAddr = "127.0.0.1:443"
 crtPath = "./server.crt"
 keyPath = "./server.key"
+# autoTLS can replace crtPath/keyPath and automatically apply/renew certificates.
+# [proxies.plugin.autoTLS]
+# enable = true
+# email = "admin@example.com"
+# cacheDir = "./.autotls-cache"
+# hostAllowList is optional. If omitted, frpc will use customDomains automatically.
+# hostAllowList = ["test.yourdomain.com"]
+# caDirURL = "https://acme-v02.api.letsencrypt.org/directory"
 hostHeaderRewrite = "127.0.0.1"
 requestHeaders.set.x-from-where = "frp"

@@ -376,6 +389,14 @@ type = "tls2raw"
 localAddr = "127.0.0.1:80"
 crtPath = "./server.crt"
 keyPath = "./server.key"
+# autoTLS can replace crtPath/keyPath and automatically apply/renew certificates.
+# [proxies.plugin.autoTLS]
+# enable = true
+# email = "admin@example.com"
+# cacheDir = "./.autotls-cache"
+# hostAllowList is optional. If omitted, frpc will use customDomains automatically.
+# hostAllowList = ["test.yourdomain.com"]
+# caDirURL = "https://acme-v02.api.letsencrypt.org/directory"

 [[proxies]]
 name = "secret_tcp"
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/fatedier/frp

-go 1.25.0
+go 1.24.0

 require (
 	github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5
@@ -39,10 +39,18 @@ require (

 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
+	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
+	github.com/charmbracelet/lipgloss v1.1.0 // indirect
+	github.com/charmbracelet/log v0.4.2 // indirect
+	github.com/charmbracelet/x/ansi v0.8.0 // indirect
+	github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd // indirect
+	github.com/charmbracelet/x/term v0.2.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/go-logfmt/logfmt v0.6.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
@@ -51,6 +59,10 @@ require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.6 // indirect
 	github.com/klauspost/reedsolomon v1.12.0 // indirect
+	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/muesli/termenv v0.16.0 // indirect
 	github.com/pion/dtls/v2 v2.2.7 // indirect
 	github.com/pion/logging v0.2.2 // indirect
 	github.com/pion/transport/v2 v2.2.1 // indirect
@@ -60,13 +72,16 @@ require (
 	github.com/prometheus/client_model v0.5.0 // indirect
 	github.com/prometheus/common v0.48.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/templexxx/cpu v0.1.1 // indirect
 	github.com/templexxx/xorsimd v0.4.3 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.0 // indirect
 	github.com/tjfoc/gmsm v1.4.1 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
+	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.uber.org/automaxprocs v1.6.0 // indirect
+	golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
 	golang.org/x/mod v0.27.0 // indirect
 	golang.org/x/sys v0.35.0 // indirect
 	golang.org/x/text v0.28.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -4,11 +4,25 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzS
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
+github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
+github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc h1:4pZI35227imm7yK2bGPcfpFEmuY1gc2YSTShr4iJBfs=
+github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc/go.mod h1:X4/0JoqgTIPSFcRA/P6INZzIuyqdFY5rm8tb41s9okk=
+github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
+github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30=
+github.com/charmbracelet/log v0.4.2 h1:hYt8Qj6a8yLnvR+h7MwsJv/XvmBJXiueUcI3cIxsyig=
+github.com/charmbracelet/log v0.4.2/go.mod h1:qifHGX/tc7eluv2R6pWIpyHDDrrb/AG71Pf2ysQu5nw=
+github.com/charmbracelet/x/ansi v0.8.0 h1:9GTq3xq9caJW8ZrBTe0LIe2fvfLR/bYXKTx2llXn7xE=
+github.com/charmbracelet/x/ansi v0.8.0/go.mod h1:wdYl/ONOLHLIVmQaxbIYEC/cRKOQyjTkowiI4blgS9Q=
+github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd h1:vy0GVL4jeHEwG5YOXDmi86oYw2yuYUGqz6a8sLwg0X8=
+github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs=
+github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQaGIAQ=
+github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNEEkHUMCmsxdUg=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
@@ -26,6 +40,8 @@ github.com/fatedier/yamux v0.0.0-20250825093530-d0154be01cd6 h1:u92UUy6FURPmNsMB
 github.com/fatedier/yamux v0.0.0-20250825093530-d0154be01cd6/go.mod h1:c5/tk6G0dSpXGzJN7Wk1OEie8grdSJAmeawId9Zvd34=
 github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
 github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
+github.com/go-logfmt/logfmt v0.6.0 h1:wGYYu3uicYdqXVgoYbvnkrPVXkuLM1p1ifugDMEdRi4=
+github.com/go-logfmt/logfmt v0.6.0/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
@@ -70,8 +86,16 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
+github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
 github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
+github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc=
+github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3VfY/Cnk=
 github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
 github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
 github.com/onsi/gomega v1.36.3 h1:hID7cr8t3Wp26+cYnfcjR6HpJ00fdogN6dqZ1t6IylU=
@@ -109,6 +133,8 @@ github.com/quic-go/quic-go v0.55.0 h1:zccPQIqYCXDt5NmcEabyYvOnomjs8Tlwl7tISjJh9M
 github.com/quic-go/quic-go v0.55.0/go.mod h1:DR51ilwU1uE164KuWXhinFcKWGlEjzys2l8zUl5Ss1U=
 github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
+github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rodaine/table v1.2.0 h1:38HEnwK4mKSHQJIkavVj+bst1TEY7j9zhLMWu4QJrMA=
 github.com/rodaine/table v1.2.0/go.mod h1:wejb/q/Yd4T/SVmBSRMr7GCq3KlcZp3gyNYdLSBhkaE=
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
@@ -149,6 +175,8 @@ github.com/vishvananda/netlink v1.3.0 h1:X7l42GfcV4S6E4vHTsw48qbrV+9PVojNfIhZcwQ
 github.com/vishvananda/netlink v1.3.0/go.mod h1:i6NetklAujEcC6fK0JPjT8qSwWyO0HLn4UKG+hGqeJs=
 github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
 github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
+github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
+github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/xtaci/kcp-go/v5 v5.6.13 h1:FEjtz9+D4p8t2x4WjciGt/jsIuhlWjjgPCCWjrVR4Hk=
 github.com/xtaci/kcp-go/v5 v5.6.13/go.mod h1:75S1AKYYzNUSXIv30h+jPKJYZUwqpfvLshu63nCNSOM=
 github.com/xtaci/lossyconn v0.0.0-20200209145036-adba10fffc37 h1:EWU6Pktpas0n8lLQwDsRyZfmkPeRbdgPtW609es+/9E=
@@ -167,6 +195,8 @@ golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98y
 golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
 golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
@@ -209,6 +239,7 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
--- a/package.sh
+++ b/package.sh
@@ -18,7 +18,7 @@ rm -rf ./release/packages
 mkdir -p ./release/packages

 os_all='linux windows darwin freebsd openbsd android'
-arch_all='386 amd64 arm arm64 mips64 mips64le mips mipsle riscv64 loong64'
+arch_all='amd64 arm arm64'
 extra_all='_ hf'

 cd ./release
--- a/pkg/auth/oidc.go
+++ b/pkg/auth/oidc.go
@@ -23,7 +23,6 @@ import (
 	"net/url"
 	"os"
 	"slices"
-	"sync"

 	"github.com/coreos/go-oidc/v3/oidc"
 	"golang.org/x/oauth2"
@@ -206,8 +205,7 @@ type OidcAuthConsumer struct {
 	additionalAuthScopes []v1.AuthScope

 	verifier          TokenVerifier
-	mu                sync.RWMutex
-	subjectsFromLogin map[string]struct{}
+	subjectsFromLogin []string
 }

 func NewTokenVerifier(cfg v1.AuthOIDCServerConfig) TokenVerifier {
@@ -228,7 +226,7 @@ func NewOidcAuthVerifier(additionalAuthScopes []v1.AuthScope, verifier TokenVeri
 	return &OidcAuthConsumer{
 		additionalAuthScopes: additionalAuthScopes,
 		verifier:             verifier,
-		subjectsFromLogin:    make(map[string]struct{}),
+		subjectsFromLogin:    []string{},
 	}
 }

@@ -237,9 +235,9 @@ func (auth *OidcAuthConsumer) VerifyLogin(loginMsg *msg.Login) (err error) {
 	if err != nil {
 		return fmt.Errorf("invalid OIDC token in login: %v", err)
 	}
-	auth.mu.Lock()
-	auth.subjectsFromLogin[token.Subject] = struct{}{}
-	auth.mu.Unlock()
+	if !slices.Contains(auth.subjectsFromLogin, token.Subject) {
+		auth.subjectsFromLogin = append(auth.subjectsFromLogin, token.Subject)
+	}
 	return nil
 }

@@ -248,13 +246,11 @@ func (auth *OidcAuthConsumer) verifyPostLoginToken(privilegeKey string) (err err
 	if err != nil {
 		return fmt.Errorf("invalid OIDC token in ping: %v", err)
 	}
-	auth.mu.RLock()
-	_, ok := auth.subjectsFromLogin[token.Subject]
-	auth.mu.RUnlock()
-	if !ok {
+	if !slices.Contains(auth.subjectsFromLogin, token.Subject) {
 		return fmt.Errorf("received different OIDC subject in login and ping. "+
+			"original subjects: %s, "+
 			"new subject: %s",
-			token.Subject)
+			auth.subjectsFromLogin, token.Subject)
 	}
 	return nil
 }
--- a/pkg/config/legacy/conversion.go
+++ b/pkg/config/legacy/conversion.go
@@ -171,14 +171,15 @@ func Convert_ServerCommonConf_To_v1(conf *ServerCommonConf) *v1.ServerConfig {
 func transformHeadersFromPluginParams(params map[string]string) v1.HeaderOperations {
 	out := v1.HeaderOperations{}
 	for k, v := range params {
-		k, ok := strings.CutPrefix(k, "plugin_header_")
-		if !ok || k == "" {
+		if !strings.HasPrefix(k, "plugin_header_") {
 			continue
 		}
-		if out.Set == nil {
-			out.Set = make(map[string]string)
+		if k = strings.TrimPrefix(k, "plugin_header_"); k != "" {
+			if out.Set == nil {
+				out.Set = make(map[string]string)
+			}
+			out.Set[k] = v
 		}
-		out.Set[k] = v
 	}
 	return out
 }
--- a/pkg/config/legacy/proxy.go
+++ b/pkg/config/legacy/proxy.go
@@ -39,14 +39,14 @@ const (
 // Proxy
 var (
 	proxyConfTypeMap = map[ProxyType]reflect.Type{
-		ProxyTypeTCP:    reflect.TypeFor[TCPProxyConf](),
-		ProxyTypeUDP:    reflect.TypeFor[UDPProxyConf](),
-		ProxyTypeTCPMUX: reflect.TypeFor[TCPMuxProxyConf](),
-		ProxyTypeHTTP:   reflect.TypeFor[HTTPProxyConf](),
-		ProxyTypeHTTPS:  reflect.TypeFor[HTTPSProxyConf](),
-		ProxyTypeSTCP:   reflect.TypeFor[STCPProxyConf](),
-		ProxyTypeXTCP:   reflect.TypeFor[XTCPProxyConf](),
-		ProxyTypeSUDP:   reflect.TypeFor[SUDPProxyConf](),
+		ProxyTypeTCP:    reflect.TypeOf(TCPProxyConf{}),
+		ProxyTypeUDP:    reflect.TypeOf(UDPProxyConf{}),
+		ProxyTypeTCPMUX: reflect.TypeOf(TCPMuxProxyConf{}),
+		ProxyTypeHTTP:   reflect.TypeOf(HTTPProxyConf{}),
+		ProxyTypeHTTPS:  reflect.TypeOf(HTTPSProxyConf{}),
+		ProxyTypeSTCP:   reflect.TypeOf(STCPProxyConf{}),
+		ProxyTypeXTCP:   reflect.TypeOf(XTCPProxyConf{}),
+		ProxyTypeSUDP:   reflect.TypeOf(SUDPProxyConf{}),
 	}
 )

--- a/pkg/config/legacy/utils.go
+++ b/pkg/config/legacy/utils.go
@@ -22,8 +22,8 @@ func GetMapWithoutPrefix(set map[string]string, prefix string) map[string]string
 	m := make(map[string]string)

 	for key, value := range set {
-		if trimmed, ok := strings.CutPrefix(key, prefix); ok {
-			m[trimmed] = value
+		if strings.HasPrefix(key, prefix) {
+			m[strings.TrimPrefix(key, prefix)] = value
 		}
 	}

--- a/pkg/config/legacy/visitor.go
+++ b/pkg/config/legacy/visitor.go
@@ -32,9 +32,9 @@ const (
 // Visitor
 var (
 	visitorConfTypeMap = map[VisitorType]reflect.Type{
-		VisitorTypeSTCP: reflect.TypeFor[STCPVisitorConf](),
-		VisitorTypeXTCP: reflect.TypeFor[XTCPVisitorConf](),
-		VisitorTypeSUDP: reflect.TypeFor[SUDPVisitorConf](),
+		VisitorTypeSTCP: reflect.TypeOf(STCPVisitorConf{}),
+		VisitorTypeXTCP: reflect.TypeOf(XTCPVisitorConf{}),
+		VisitorTypeSUDP: reflect.TypeOf(SUDPVisitorConf{}),
 	}
 )

--- a/pkg/config/load.go
+++ b/pkg/config/load.go
@@ -17,7 +17,6 @@ package config
 import (
 	"bytes"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -34,7 +33,6 @@ import (
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/config/v1/validation"
 	"github.com/fatedier/frp/pkg/msg"
-	"github.com/fatedier/frp/pkg/util/jsonx"
 	"github.com/fatedier/frp/pkg/util/util"
 )

@@ -110,21 +108,7 @@ func LoadConfigureFromFile(path string, c any, strict bool) error {
 	if err != nil {
 		return err
 	}
-	return LoadConfigure(content, c, strict, detectFormatFromPath(path))
-}
-
-// detectFormatFromPath returns a format hint based on the file extension.
-func detectFormatFromPath(path string) string {
-	switch strings.ToLower(filepath.Ext(path)) {
-	case ".toml":
-		return "toml"
-	case ".yaml", ".yml":
-		return "yaml"
-	case ".json":
-		return "json"
-	default:
-		return ""
-	}
+	return LoadConfigure(content, c, strict)
 }

 // parseYAMLWithDotFieldsHandling parses YAML with dot-prefixed fields handling
@@ -145,136 +129,48 @@ func parseYAMLWithDotFieldsHandling(content []byte, target any) error {
 	}

 	// Convert to JSON and decode with strict validation
-	jsonBytes, err := jsonx.Marshal(temp)
+	jsonBytes, err := json.Marshal(temp)
 	if err != nil {
 		return err
 	}
-	return decodeJSONContent(jsonBytes, target, true)
-}
-
-func decodeJSONContent(content []byte, target any, strict bool) error {
-	if clientCfg, ok := target.(*v1.ClientConfig); ok {
-		decoded, err := v1.DecodeClientConfigJSON(content, v1.DecodeOptions{
-			DisallowUnknownFields: strict,
-		})
-		if err != nil {
-			return err
-		}
-		*clientCfg = decoded
-		return nil
-	}
-
-	return jsonx.UnmarshalWithOptions(content, target, jsonx.DecodeOptions{
-		RejectUnknownMembers: strict,
-	})
+	decoder := json.NewDecoder(bytes.NewReader(jsonBytes))
+	decoder.DisallowUnknownFields()
+	return decoder.Decode(target)
 }

 // LoadConfigure loads configuration from bytes and unmarshal into c.
 // Now it supports json, yaml and toml format.
-// An optional format hint (e.g. "toml", "yaml", "json") can be provided
-// to enable better error messages with line number information.
-func LoadConfigure(b []byte, c any, strict bool, formats ...string) error {
-	format := ""
-	if len(formats) > 0 {
-		format = formats[0]
-	}
-
-	originalBytes := b
-	parsedFromTOML := false
+func LoadConfigure(b []byte, c any, strict bool) error {
+	v1.DisallowUnknownFieldsMu.Lock()
+	defer v1.DisallowUnknownFieldsMu.Unlock()
+	v1.DisallowUnknownFields = strict

 	var tomlObj any
-	tomlErr := toml.Unmarshal(b, &tomlObj)
-	if tomlErr == nil {
-		parsedFromTOML = true
-		var err error
-		b, err = jsonx.Marshal(&tomlObj)
+	// Try to unmarshal as TOML first; swallow errors from that (assume it's not valid TOML).
+	if err := toml.Unmarshal(b, &tomlObj); err == nil {
+		b, err = json.Marshal(&tomlObj)
 		if err != nil {
 			return err
 		}
-	} else if format == "toml" {
-		// File is known to be TOML but has syntax errors.
-		return formatTOMLError(tomlErr)
 	}
-
 	// If the buffer smells like JSON (first non-whitespace character is '{'), unmarshal as JSON directly.
 	if yaml.IsJSONBuffer(b) {
-		if err := decodeJSONContent(b, c, strict); err != nil {
-			return enhanceDecodeError(err, originalBytes, !parsedFromTOML)
+		decoder := json.NewDecoder(bytes.NewBuffer(b))
+		if strict {
+			decoder.DisallowUnknownFields()
 		}
-		return nil
+		return decoder.Decode(c)
 	}

 	// Handle YAML content
 	if strict {
 		// In strict mode, always use our custom handler to support YAML merge
-		if err := parseYAMLWithDotFieldsHandling(b, c); err != nil {
-			return enhanceDecodeError(err, originalBytes, !parsedFromTOML)
-		}
-		return nil
+		return parseYAMLWithDotFieldsHandling(b, c)
 	}
 	// Non-strict mode, parse normally
 	return yaml.Unmarshal(b, c)
 }

-// formatTOMLError extracts line/column information from TOML decode errors.
-func formatTOMLError(err error) error {
-	var decErr *toml.DecodeError
-	if errors.As(err, &decErr) {
-		row, col := decErr.Position()
-		return fmt.Errorf("toml: line %d, column %d: %s", row, col, decErr.Error())
-	}
-	var strictErr *toml.StrictMissingError
-	if errors.As(err, &strictErr) {
-		return strictErr
-	}
-	return err
-}
-
-// enhanceDecodeError tries to add field path and line number information to JSON/YAML decode errors.
-func enhanceDecodeError(err error, originalContent []byte, includeLine bool) error {
-	var typeErr *json.UnmarshalTypeError
-	if errors.As(err, &typeErr) && typeErr.Field != "" {
-		if includeLine {
-			line := findFieldLineInContent(originalContent, typeErr.Field)
-			if line > 0 {
-				return fmt.Errorf("line %d: field \"%s\": cannot unmarshal %s into %s", line, typeErr.Field, typeErr.Value, typeErr.Type)
-			}
-		}
-		return fmt.Errorf("field \"%s\": cannot unmarshal %s into %s", typeErr.Field, typeErr.Value, typeErr.Type)
-	}
-	return err
-}
-
-// findFieldLineInContent searches the original config content for a field name
-// and returns the 1-indexed line number where it appears, or 0 if not found.
-func findFieldLineInContent(content []byte, fieldPath string) int {
-	if fieldPath == "" {
-		return 0
-	}
-
-	// Use the last component of the field path (e.g. "proxies" from "proxies" or
-	// "protocol" from "transport.protocol").
-	parts := strings.Split(fieldPath, ".")
-	searchKey := parts[len(parts)-1]
-
-	lines := bytes.Split(content, []byte("\n"))
-	for i, line := range lines {
-		trimmed := bytes.TrimSpace(line)
-		// Match TOML key assignments like: key = ...
-		if bytes.HasPrefix(trimmed, []byte(searchKey)) {
-			rest := bytes.TrimSpace(trimmed[len(searchKey):])
-			if len(rest) > 0 && rest[0] == '=' {
-				return i + 1
-			}
-		}
-		// Match TOML table array headers like: [[proxies]]
-		if bytes.Contains(trimmed, []byte("[["+searchKey+"]]")) {
-			return i + 1
-		}
-	}
-	return 0
-}
-
 func NewProxyConfigurerFromMsg(m *msg.NewProxy, serverCfg *v1.ServerConfig) (v1.ProxyConfigurer, error) {
 	m.ProxyType = util.EmptyOr(m.ProxyType, string(v1.ProxyTypeTCP))

@@ -284,7 +180,7 @@ func NewProxyConfigurerFromMsg(m *msg.NewProxy, serverCfg *v1.ServerConfig) (v1.
 	}

 	configurer.UnmarshalFromMsg(m)
-	configurer.Complete()
+	configurer.Complete("")

 	if err := validation.ValidateProxyConfigurerForServer(configurer, serverCfg); err != nil {
 		return nil, err
@@ -323,132 +219,60 @@ func LoadServerConfig(path string, strict bool) (*v1.ServerConfig, bool, error)
 	return svrCfg, isLegacyFormat, nil
 }

-// ClientConfigLoadResult contains the result of loading a client configuration file.
-type ClientConfigLoadResult struct {
-	// Common contains the common client configuration.
-	Common *v1.ClientCommonConfig
-
-	// Proxies contains proxy configurations from inline [[proxies]] and includeConfigFiles.
-	// These are NOT completed (user prefix not added).
-	Proxies []v1.ProxyConfigurer
-
-	// Visitors contains visitor configurations from inline [[visitors]] and includeConfigFiles.
-	// These are NOT completed.
-	Visitors []v1.VisitorConfigurer
-
-	// IsLegacyFormat indicates whether the config file is in legacy INI format.
-	IsLegacyFormat bool
-}
-
-// LoadClientConfigResult loads and parses a client configuration file.
-// It returns the raw configuration without completing proxies/visitors.
-// The caller should call Complete on the configs manually for legacy behavior.
-func LoadClientConfigResult(path string, strict bool) (*ClientConfigLoadResult, error) {
-	result := &ClientConfigLoadResult{
-		Proxies:  make([]v1.ProxyConfigurer, 0),
-		Visitors: make([]v1.VisitorConfigurer, 0),
-	}
-
-	if DetectLegacyINIFormatFromFile(path) {
-		legacyCommon, legacyProxyCfgs, legacyVisitorCfgs, err := legacy.ParseClientConfig(path)
-		if err != nil {
-			return nil, err
-		}
-		result.Common = legacy.Convert_ClientCommonConf_To_v1(&legacyCommon)
-		for _, c := range legacyProxyCfgs {
-			result.Proxies = append(result.Proxies, legacy.Convert_ProxyConf_To_v1(c))
-		}
-		for _, c := range legacyVisitorCfgs {
-			result.Visitors = append(result.Visitors, legacy.Convert_VisitorConf_To_v1(c))
-		}
-		result.IsLegacyFormat = true
-	} else {
-		allCfg := v1.ClientConfig{}
-		if err := LoadConfigureFromFile(path, &allCfg, strict); err != nil {
-			return nil, err
-		}
-		result.Common = &allCfg.ClientCommonConfig
-		for _, c := range allCfg.Proxies {
-			result.Proxies = append(result.Proxies, c.ProxyConfigurer)
-		}
-		for _, c := range allCfg.Visitors {
-			result.Visitors = append(result.Visitors, c.VisitorConfigurer)
-		}
-	}
-
-	// Load additional config from includes.
-	// legacy ini format already handle this in ParseClientConfig.
-	if len(result.Common.IncludeConfigFiles) > 0 && !result.IsLegacyFormat {
-		extProxyCfgs, extVisitorCfgs, err := LoadAdditionalClientConfigs(result.Common.IncludeConfigFiles, result.IsLegacyFormat, strict)
-		if err != nil {
-			return nil, err
-		}
-		result.Proxies = append(result.Proxies, extProxyCfgs...)
-		result.Visitors = append(result.Visitors, extVisitorCfgs...)
-	}
-
-	// Complete the common config
-	if result.Common != nil {
-		if err := result.Common.Complete(); err != nil {
-			return nil, err
-		}
-	}
-
-	return result, nil
-}
-
 func LoadClientConfig(path string, strict bool) (
 	*v1.ClientCommonConfig,
 	[]v1.ProxyConfigurer,
 	[]v1.VisitorConfigurer,
 	bool, error,
 ) {
-	result, err := LoadClientConfigResult(path, strict)
-	if err != nil {
-		return nil, nil, nil, result != nil && result.IsLegacyFormat, err
+	var (
+		cliCfg         *v1.ClientCommonConfig
+		proxyCfgs      = make([]v1.ProxyConfigurer, 0)
+		visitorCfgs    = make([]v1.VisitorConfigurer, 0)
+		isLegacyFormat bool
+	)
+
+	if DetectLegacyINIFormatFromFile(path) {
+		legacyCommon, legacyProxyCfgs, legacyVisitorCfgs, err := legacy.ParseClientConfig(path)
+		if err != nil {
+			return nil, nil, nil, true, err
+		}
+		cliCfg = legacy.Convert_ClientCommonConf_To_v1(&legacyCommon)
+		for _, c := range legacyProxyCfgs {
+			proxyCfgs = append(proxyCfgs, legacy.Convert_ProxyConf_To_v1(c))
+		}
+		for _, c := range legacyVisitorCfgs {
+			visitorCfgs = append(visitorCfgs, legacy.Convert_VisitorConf_To_v1(c))
+		}
+		isLegacyFormat = true
+	} else {
+		allCfg := v1.ClientConfig{}
+		if err := LoadConfigureFromFile(path, &allCfg, strict); err != nil {
+			return nil, nil, nil, false, err
+		}
+		cliCfg = &allCfg.ClientCommonConfig
+		for _, c := range allCfg.Proxies {
+			proxyCfgs = append(proxyCfgs, c.ProxyConfigurer)
+		}
+		for _, c := range allCfg.Visitors {
+			visitorCfgs = append(visitorCfgs, c.VisitorConfigurer)
+		}
 	}

-	proxyCfgs := result.Proxies
-	visitorCfgs := result.Visitors
-
-	proxyCfgs, visitorCfgs = FilterClientConfigurers(result.Common, proxyCfgs, visitorCfgs)
-	proxyCfgs = CompleteProxyConfigurers(proxyCfgs)
-	visitorCfgs = CompleteVisitorConfigurers(visitorCfgs)
-	return result.Common, proxyCfgs, visitorCfgs, result.IsLegacyFormat, nil
-}
-
-func CompleteProxyConfigurers(proxies []v1.ProxyConfigurer) []v1.ProxyConfigurer {
-	proxyCfgs := proxies
-	for _, c := range proxyCfgs {
-		c.Complete()
-	}
-	return proxyCfgs
-}
-
-func CompleteVisitorConfigurers(visitors []v1.VisitorConfigurer) []v1.VisitorConfigurer {
-	visitorCfgs := visitors
-	for _, c := range visitorCfgs {
-		c.Complete()
-	}
-	return visitorCfgs
-}
-
-func FilterClientConfigurers(
-	common *v1.ClientCommonConfig,
-	proxies []v1.ProxyConfigurer,
-	visitors []v1.VisitorConfigurer,
-) ([]v1.ProxyConfigurer, []v1.VisitorConfigurer) {
-	if common == nil {
-		common = &v1.ClientCommonConfig{}
+	// Load additional config from includes.
+	// legacy ini format already handle this in ParseClientConfig.
+	if len(cliCfg.IncludeConfigFiles) > 0 && !isLegacyFormat {
+		extProxyCfgs, extVisitorCfgs, err := LoadAdditionalClientConfigs(cliCfg.IncludeConfigFiles, isLegacyFormat, strict)
+		if err != nil {
+			return nil, nil, nil, isLegacyFormat, err
+		}
+		proxyCfgs = append(proxyCfgs, extProxyCfgs...)
+		visitorCfgs = append(visitorCfgs, extVisitorCfgs...)
 	}

-	proxyCfgs := proxies
-	visitorCfgs := visitors
-
-	// Filter by start across merged configurers from all sources.
-	// For example, store entries are also filtered by this set.
-	if len(common.Start) > 0 {
-		startSet := sets.New(common.Start...)
+	// Filter by start
+	if len(cliCfg.Start) > 0 {
+		startSet := sets.New(cliCfg.Start...)
 		proxyCfgs = lo.Filter(proxyCfgs, func(c v1.ProxyConfigurer, _ int) bool {
 			return startSet.Has(c.GetBaseConfig().Name)
 		})
@@ -467,7 +291,19 @@ func FilterClientConfigurers(
 		enabled := c.GetBaseConfig().Enabled
 		return enabled == nil || *enabled
 	})
-	return proxyCfgs, visitorCfgs
+
+	if cliCfg != nil {
+		if err := cliCfg.Complete(); err != nil {
+			return nil, nil, nil, isLegacyFormat, err
+		}
+	}
+	for _, c := range proxyCfgs {
+		c.Complete(cliCfg.User)
+	}
+	for _, c := range visitorCfgs {
+		c.Complete(cliCfg)
+	}
+	return cliCfg, proxyCfgs, visitorCfgs, isLegacyFormat, nil
 }

 func LoadAdditionalClientConfigs(paths []string, isLegacyFormat bool, strict bool) ([]v1.ProxyConfigurer, []v1.VisitorConfigurer, error) {
--- a/pkg/config/load_test.go
+++ b/pkg/config/load_test.go
@@ -15,7 +15,6 @@
 package config

 import (
-	"encoding/json"
 	"fmt"
 	"strings"
 	"testing"
@@ -189,31 +188,6 @@ unixPath = "/tmp/uds.sock"
 	require.Error(err)
 }

-func TestLoadClientConfigStrictMode_UnknownPluginField(t *testing.T) {
-	require := require.New(t)
-
-	content := `
-serverPort = 7000
-
-[[proxies]]
-name = "test"
-type = "tcp"
-localPort = 6000
-[proxies.plugin]
-type = "http2https"
-localAddr = "127.0.0.1:8080"
-unknownInPlugin = "value"
-`
-
-	clientCfg := v1.ClientConfig{}
-
-	err := LoadConfigure([]byte(content), &clientCfg, false)
-	require.NoError(err)
-
-	err = LoadConfigure([]byte(content), &clientCfg, true)
-	require.ErrorContains(err, "unknownInPlugin")
-}
-
 // TestYAMLMergeInStrictMode tests that YAML merge functionality works
 // even in strict mode by properly handling dot-prefixed fields
 func TestYAMLMergeInStrictMode(t *testing.T) {
@@ -299,169 +273,6 @@ proxies:
 	require.Equal("stcp", clientCfg.Proxies[0].ProxyConfigurer.GetBaseConfig().Type)
 }

-func TestFilterClientConfigurers_PreserveRawNamesAndNoMutation(t *testing.T) {
-	require := require.New(t)
-
-	enabled := true
-	proxyCfg := &v1.TCPProxyConfig{}
-	proxyCfg.Name = "proxy-raw"
-	proxyCfg.Type = "tcp"
-	proxyCfg.LocalPort = 10080
-	proxyCfg.Enabled = &enabled
-
-	visitorCfg := &v1.XTCPVisitorConfig{}
-	visitorCfg.Name = "visitor-raw"
-	visitorCfg.Type = "xtcp"
-	visitorCfg.ServerName = "server-raw"
-	visitorCfg.FallbackTo = "fallback-raw"
-	visitorCfg.SecretKey = "secret"
-	visitorCfg.BindPort = 10081
-	visitorCfg.Enabled = &enabled
-
-	common := &v1.ClientCommonConfig{
-		User: "alice",
-	}
-
-	proxies, visitors := FilterClientConfigurers(common, []v1.ProxyConfigurer{proxyCfg}, []v1.VisitorConfigurer{visitorCfg})
-	require.Len(proxies, 1)
-	require.Len(visitors, 1)
-
-	p := proxies[0].GetBaseConfig()
-	require.Equal("proxy-raw", p.Name)
-	require.Empty(p.LocalIP)
-
-	v := visitors[0].GetBaseConfig()
-	require.Equal("visitor-raw", v.Name)
-	require.Equal("server-raw", v.ServerName)
-	require.Empty(v.BindAddr)
-
-	xtcp := visitors[0].(*v1.XTCPVisitorConfig)
-	require.Equal("fallback-raw", xtcp.FallbackTo)
-	require.Empty(xtcp.Protocol)
-}
-
-func TestCompleteProxyConfigurers_PreserveRawNames(t *testing.T) {
-	require := require.New(t)
-
-	enabled := true
-	proxyCfg := &v1.TCPProxyConfig{}
-	proxyCfg.Name = "proxy-raw"
-	proxyCfg.Type = "tcp"
-	proxyCfg.LocalPort = 10080
-	proxyCfg.Enabled = &enabled
-
-	proxies := CompleteProxyConfigurers([]v1.ProxyConfigurer{proxyCfg})
-	require.Len(proxies, 1)
-
-	p := proxies[0].GetBaseConfig()
-	require.Equal("proxy-raw", p.Name)
-	require.Equal("127.0.0.1", p.LocalIP)
-}
-
-func TestCompleteVisitorConfigurers_PreserveRawNames(t *testing.T) {
-	require := require.New(t)
-
-	enabled := true
-	visitorCfg := &v1.XTCPVisitorConfig{}
-	visitorCfg.Name = "visitor-raw"
-	visitorCfg.Type = "xtcp"
-	visitorCfg.ServerName = "server-raw"
-	visitorCfg.FallbackTo = "fallback-raw"
-	visitorCfg.SecretKey = "secret"
-	visitorCfg.BindPort = 10081
-	visitorCfg.Enabled = &enabled
-
-	visitors := CompleteVisitorConfigurers([]v1.VisitorConfigurer{visitorCfg})
-	require.Len(visitors, 1)
-
-	v := visitors[0].GetBaseConfig()
-	require.Equal("visitor-raw", v.Name)
-	require.Equal("server-raw", v.ServerName)
-	require.Equal("127.0.0.1", v.BindAddr)
-
-	xtcp := visitors[0].(*v1.XTCPVisitorConfig)
-	require.Equal("fallback-raw", xtcp.FallbackTo)
-	require.Equal("quic", xtcp.Protocol)
-}
-
-func TestCompleteProxyConfigurers_Idempotent(t *testing.T) {
-	require := require.New(t)
-
-	proxyCfg := &v1.TCPProxyConfig{}
-	proxyCfg.Name = "proxy"
-	proxyCfg.Type = "tcp"
-	proxyCfg.LocalPort = 10080
-
-	proxies := CompleteProxyConfigurers([]v1.ProxyConfigurer{proxyCfg})
-	firstProxyJSON, err := json.Marshal(proxies[0])
-	require.NoError(err)
-
-	proxies = CompleteProxyConfigurers(proxies)
-	secondProxyJSON, err := json.Marshal(proxies[0])
-	require.NoError(err)
-
-	require.Equal(string(firstProxyJSON), string(secondProxyJSON))
-}
-
-func TestCompleteVisitorConfigurers_Idempotent(t *testing.T) {
-	require := require.New(t)
-
-	visitorCfg := &v1.XTCPVisitorConfig{}
-	visitorCfg.Name = "visitor"
-	visitorCfg.Type = "xtcp"
-	visitorCfg.ServerName = "server"
-	visitorCfg.SecretKey = "secret"
-	visitorCfg.BindPort = 10081
-
-	visitors := CompleteVisitorConfigurers([]v1.VisitorConfigurer{visitorCfg})
-	firstVisitorJSON, err := json.Marshal(visitors[0])
-	require.NoError(err)
-
-	visitors = CompleteVisitorConfigurers(visitors)
-	secondVisitorJSON, err := json.Marshal(visitors[0])
-	require.NoError(err)
-
-	require.Equal(string(firstVisitorJSON), string(secondVisitorJSON))
-}
-
-func TestFilterClientConfigurers_FilterByStartAndEnabled(t *testing.T) {
-	require := require.New(t)
-
-	enabled := true
-	disabled := false
-
-	proxyKeep := &v1.TCPProxyConfig{}
-	proxyKeep.Name = "keep"
-	proxyKeep.Type = "tcp"
-	proxyKeep.LocalPort = 10080
-	proxyKeep.Enabled = &enabled
-
-	proxyDropByStart := &v1.TCPProxyConfig{}
-	proxyDropByStart.Name = "drop-by-start"
-	proxyDropByStart.Type = "tcp"
-	proxyDropByStart.LocalPort = 10081
-	proxyDropByStart.Enabled = &enabled
-
-	proxyDropByEnabled := &v1.TCPProxyConfig{}
-	proxyDropByEnabled.Name = "drop-by-enabled"
-	proxyDropByEnabled.Type = "tcp"
-	proxyDropByEnabled.LocalPort = 10082
-	proxyDropByEnabled.Enabled = &disabled
-
-	common := &v1.ClientCommonConfig{
-		Start: []string{"keep"},
-	}
-
-	proxies, visitors := FilterClientConfigurers(common, []v1.ProxyConfigurer{
-		proxyKeep,
-		proxyDropByStart,
-		proxyDropByEnabled,
-	}, nil)
-	require.Len(visitors, 0)
-	require.Len(proxies, 1)
-	require.Equal("keep", proxies[0].GetBaseConfig().Name)
-}
-
 // TestYAMLEdgeCases tests edge cases for YAML parsing, including non-map types
 func TestYAMLEdgeCases(t *testing.T) {
 	require := require.New(t)
@@ -495,111 +306,3 @@ serverPort: 7000
 	require.Equal("127.0.0.1", clientCfg.ServerAddr)
 	require.Equal(7000, clientCfg.ServerPort)
 }
-
-func TestTOMLSyntaxErrorWithPosition(t *testing.T) {
-	require := require.New(t)
-
-	// TOML with syntax error (unclosed table array header)
-	content := `serverAddr = "127.0.0.1"
-serverPort = 7000
-
-[[proxies]
-name = "test"
-`
-
-	clientCfg := v1.ClientConfig{}
-	err := LoadConfigure([]byte(content), &clientCfg, false, "toml")
-	require.Error(err)
-	require.Contains(err.Error(), "toml")
-	require.Contains(err.Error(), "line")
-	require.Contains(err.Error(), "column")
-}
-
-func TestTOMLTypeMismatchErrorWithFieldInfo(t *testing.T) {
-	require := require.New(t)
-
-	// TOML with wrong type: proxies should be a table array, not a string
-	content := `serverAddr = "127.0.0.1"
-serverPort = 7000
-proxies = "this should be a table array"
-`
-
-	clientCfg := v1.ClientConfig{}
-	err := LoadConfigure([]byte(content), &clientCfg, false, "toml")
-	require.Error(err)
-	// The error should contain field info
-	errMsg := err.Error()
-	require.Contains(errMsg, "proxies")
-	require.NotContains(errMsg, "line")
-}
-
-func TestFindFieldLineInContent(t *testing.T) {
-	content := []byte(`serverAddr = "127.0.0.1"
-serverPort = 7000
-
-[[proxies]]
-name = "test"
-type = "tcp"
-remotePort = 6000
-`)
-
-	tests := []struct {
-		fieldPath string
-		wantLine  int
-	}{
-		{"serverAddr", 1},
-		{"serverPort", 2},
-		{"name", 5},
-		{"type", 6},
-		{"remotePort", 7},
-		{"nonexistent", 0},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.fieldPath, func(t *testing.T) {
-			got := findFieldLineInContent(content, tt.fieldPath)
-			require.Equal(t, tt.wantLine, got)
-		})
-	}
-}
-
-func TestFormatDetection(t *testing.T) {
-	tests := []struct {
-		path   string
-		format string
-	}{
-		{"config.toml", "toml"},
-		{"config.TOML", "toml"},
-		{"config.yaml", "yaml"},
-		{"config.yml", "yaml"},
-		{"config.json", "json"},
-		{"config.ini", ""},
-		{"config", ""},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.path, func(t *testing.T) {
-			require.Equal(t, tt.format, detectFormatFromPath(tt.path))
-		})
-	}
-}
-
-func TestValidTOMLStillWorks(t *testing.T) {
-	require := require.New(t)
-
-	// Valid TOML with format hint should work fine
-	content := `serverAddr = "127.0.0.1"
-serverPort = 7000
-
-[[proxies]]
-name = "test"
-type = "tcp"
-remotePort = 6000
-`
-	clientCfg := v1.ClientConfig{}
-	err := LoadConfigure([]byte(content), &clientCfg, false, "toml")
-	require.NoError(err)
-	require.Equal("127.0.0.1", clientCfg.ServerAddr)
-	require.Equal(7000, clientCfg.ServerPort)
-	require.Len(clientCfg.Proxies, 1)
-}
--- a/pkg/config/source/aggregator.go
+++ b/pkg/config/source/aggregator.go
@@ -1,109 +0,0 @@
-// Copyright 2026 The frp Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package source
-
-import (
-	"cmp"
-	"errors"
-	"fmt"
-	"maps"
-	"slices"
-	"sync"
-
-	v1 "github.com/fatedier/frp/pkg/config/v1"
-)
-
-type Aggregator struct {
-	mu sync.RWMutex
-
-	configSource *ConfigSource
-	storeSource  *StoreSource
-}
-
-func NewAggregator(configSource *ConfigSource) *Aggregator {
-	if configSource == nil {
-		configSource = NewConfigSource()
-	}
-	return &Aggregator{
-		configSource: configSource,
-	}
-}
-
-func (a *Aggregator) SetStoreSource(storeSource *StoreSource) {
-	a.mu.Lock()
-	defer a.mu.Unlock()
-
-	a.storeSource = storeSource
-}
-
-func (a *Aggregator) ConfigSource() *ConfigSource {
-	return a.configSource
-}
-
-func (a *Aggregator) StoreSource() *StoreSource {
-	return a.storeSource
-}
-
-func (a *Aggregator) getSourcesLocked() []Source {
-	sources := make([]Source, 0, 2)
-	if a.configSource != nil {
-		sources = append(sources, a.configSource)
-	}
-	if a.storeSource != nil {
-		sources = append(sources, a.storeSource)
-	}
-	return sources
-}
-
-func (a *Aggregator) Load() ([]v1.ProxyConfigurer, []v1.VisitorConfigurer, error) {
-	a.mu.RLock()
-	entries := a.getSourcesLocked()
-	a.mu.RUnlock()
-
-	if len(entries) == 0 {
-		return nil, nil, errors.New("no sources configured")
-	}
-
-	proxyMap := make(map[string]v1.ProxyConfigurer)
-	visitorMap := make(map[string]v1.VisitorConfigurer)
-
-	for _, src := range entries {
-		proxies, visitors, err := src.Load()
-		if err != nil {
-			return nil, nil, fmt.Errorf("load source: %w", err)
-		}
-		for _, p := range proxies {
-			proxyMap[p.GetBaseConfig().Name] = p
-		}
-		for _, v := range visitors {
-			visitorMap[v.GetBaseConfig().Name] = v
-		}
-	}
-	proxies, visitors := a.mapsToSortedSlices(proxyMap, visitorMap)
-	return proxies, visitors, nil
-}
-
-func (a *Aggregator) mapsToSortedSlices(
-	proxyMap map[string]v1.ProxyConfigurer,
-	visitorMap map[string]v1.VisitorConfigurer,
-) ([]v1.ProxyConfigurer, []v1.VisitorConfigurer) {
-	proxies := slices.SortedFunc(maps.Values(proxyMap), func(x, y v1.ProxyConfigurer) int {
-		return cmp.Compare(x.GetBaseConfig().Name, y.GetBaseConfig().Name)
-	})
-	visitors := slices.SortedFunc(maps.Values(visitorMap), func(x, y v1.VisitorConfigurer) int {
-		return cmp.Compare(x.GetBaseConfig().Name, y.GetBaseConfig().Name)
-	})
-	return proxies, visitors
-}
--- a/pkg/config/source/aggregator_test.go
+++ b/pkg/config/source/aggregator_test.go
@@ -1,238 +0,0 @@
-// Copyright 2026 The frp Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package source
-
-import (
-	"path/filepath"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	v1 "github.com/fatedier/frp/pkg/config/v1"
-)
-
-// mockProxy creates a TCP proxy config for testing
-func mockProxy(name string) v1.ProxyConfigurer {
-	cfg := &v1.TCPProxyConfig{}
-	cfg.Name = name
-	cfg.Type = "tcp"
-	cfg.LocalPort = 8080
-	cfg.RemotePort = 9090
-	return cfg
-}
-
-// mockVisitor creates a STCP visitor config for testing
-func mockVisitor(name string) v1.VisitorConfigurer {
-	cfg := &v1.STCPVisitorConfig{}
-	cfg.Name = name
-	cfg.Type = "stcp"
-	cfg.ServerName = "test-server"
-	return cfg
-}
-
-func newTestStoreSource(t *testing.T) *StoreSource {
-	t.Helper()
-
-	path := filepath.Join(t.TempDir(), "store.json")
-	storeSource, err := NewStoreSource(StoreSourceConfig{Path: path})
-	require.NoError(t, err)
-	return storeSource
-}
-
-func newTestAggregator(t *testing.T, storeSource *StoreSource) *Aggregator {
-	t.Helper()
-
-	configSource := NewConfigSource()
-	agg := NewAggregator(configSource)
-	if storeSource != nil {
-		agg.SetStoreSource(storeSource)
-	}
-	return agg
-}
-
-func TestNewAggregator_CreatesConfigSourceWhenNil(t *testing.T) {
-	require := require.New(t)
-
-	agg := NewAggregator(nil)
-	require.NotNil(agg)
-	require.NotNil(agg.ConfigSource())
-	require.Nil(agg.StoreSource())
-}
-
-func TestNewAggregator_WithoutStore(t *testing.T) {
-	require := require.New(t)
-
-	configSource := NewConfigSource()
-	agg := NewAggregator(configSource)
-	require.NotNil(agg)
-	require.Same(configSource, agg.ConfigSource())
-	require.Nil(agg.StoreSource())
-}
-
-func TestNewAggregator_WithStore(t *testing.T) {
-	require := require.New(t)
-
-	storeSource := newTestStoreSource(t)
-	configSource := NewConfigSource()
-	agg := NewAggregator(configSource)
-	agg.SetStoreSource(storeSource)
-
-	require.Same(configSource, agg.ConfigSource())
-	require.Same(storeSource, agg.StoreSource())
-}
-
-func TestAggregator_SetStoreSource_Overwrite(t *testing.T) {
-	require := require.New(t)
-
-	agg := newTestAggregator(t, nil)
-	first := newTestStoreSource(t)
-	second := newTestStoreSource(t)
-
-	agg.SetStoreSource(first)
-	require.Same(first, agg.StoreSource())
-
-	agg.SetStoreSource(second)
-	require.Same(second, agg.StoreSource())
-
-	agg.SetStoreSource(nil)
-	require.Nil(agg.StoreSource())
-}
-
-func TestAggregator_MergeBySourceOrder(t *testing.T) {
-	require := require.New(t)
-
-	storeSource := newTestStoreSource(t)
-	agg := newTestAggregator(t, storeSource)
-
-	configSource := agg.ConfigSource()
-
-	configShared := mockProxy("shared").(*v1.TCPProxyConfig)
-	configShared.LocalPort = 1111
-	configOnly := mockProxy("only-in-config").(*v1.TCPProxyConfig)
-	configOnly.LocalPort = 1112
-
-	err := configSource.ReplaceAll([]v1.ProxyConfigurer{configShared, configOnly}, nil)
-	require.NoError(err)
-
-	storeShared := mockProxy("shared").(*v1.TCPProxyConfig)
-	storeShared.LocalPort = 2222
-	storeOnly := mockProxy("only-in-store").(*v1.TCPProxyConfig)
-	storeOnly.LocalPort = 2223
-	err = storeSource.AddProxy(storeShared)
-	require.NoError(err)
-	err = storeSource.AddProxy(storeOnly)
-	require.NoError(err)
-
-	proxies, visitors, err := agg.Load()
-	require.NoError(err)
-	require.Len(visitors, 0)
-	require.Len(proxies, 3)
-
-	var sharedProxy *v1.TCPProxyConfig
-	for _, p := range proxies {
-		if p.GetBaseConfig().Name == "shared" {
-			sharedProxy = p.(*v1.TCPProxyConfig)
-			break
-		}
-	}
-	require.NotNil(sharedProxy)
-	require.Equal(2222, sharedProxy.LocalPort)
-}
-
-func TestAggregator_DisabledEntryIsSourceLocalFilter(t *testing.T) {
-	require := require.New(t)
-
-	storeSource := newTestStoreSource(t)
-	agg := newTestAggregator(t, storeSource)
-	configSource := agg.ConfigSource()
-
-	lowProxy := mockProxy("shared-proxy").(*v1.TCPProxyConfig)
-	lowProxy.LocalPort = 1111
-	err := configSource.ReplaceAll([]v1.ProxyConfigurer{lowProxy}, nil)
-	require.NoError(err)
-
-	disabled := false
-	highProxy := mockProxy("shared-proxy").(*v1.TCPProxyConfig)
-	highProxy.LocalPort = 2222
-	highProxy.Enabled = &disabled
-	err = storeSource.AddProxy(highProxy)
-	require.NoError(err)
-
-	proxies, visitors, err := agg.Load()
-	require.NoError(err)
-	require.Len(proxies, 1)
-	require.Len(visitors, 0)
-
-	proxy := proxies[0].(*v1.TCPProxyConfig)
-	require.Equal("shared-proxy", proxy.Name)
-	require.Equal(1111, proxy.LocalPort)
-}
-
-func TestAggregator_VisitorMerge(t *testing.T) {
-	require := require.New(t)
-
-	storeSource := newTestStoreSource(t)
-	agg := newTestAggregator(t, storeSource)
-
-	err := agg.ConfigSource().ReplaceAll(nil, []v1.VisitorConfigurer{mockVisitor("visitor1")})
-	require.NoError(err)
-	err = storeSource.AddVisitor(mockVisitor("visitor2"))
-	require.NoError(err)
-
-	_, visitors, err := agg.Load()
-	require.NoError(err)
-	require.Len(visitors, 2)
-}
-
-func TestAggregator_Load_ReturnsSortedByName(t *testing.T) {
-	require := require.New(t)
-
-	agg := newTestAggregator(t, nil)
-	err := agg.ConfigSource().ReplaceAll(
-		[]v1.ProxyConfigurer{mockProxy("charlie"), mockProxy("alice"), mockProxy("bob")},
-		[]v1.VisitorConfigurer{mockVisitor("zulu"), mockVisitor("alpha")},
-	)
-	require.NoError(err)
-
-	proxies, visitors, err := agg.Load()
-	require.NoError(err)
-	require.Len(proxies, 3)
-	require.Equal("alice", proxies[0].GetBaseConfig().Name)
-	require.Equal("bob", proxies[1].GetBaseConfig().Name)
-	require.Equal("charlie", proxies[2].GetBaseConfig().Name)
-	require.Len(visitors, 2)
-	require.Equal("alpha", visitors[0].GetBaseConfig().Name)
-	require.Equal("zulu", visitors[1].GetBaseConfig().Name)
-}
-
-func TestAggregator_Load_ReturnsDefensiveCopies(t *testing.T) {
-	require := require.New(t)
-
-	agg := newTestAggregator(t, nil)
-	err := agg.ConfigSource().ReplaceAll([]v1.ProxyConfigurer{mockProxy("ssh")}, nil)
-	require.NoError(err)
-
-	proxies, _, err := agg.Load()
-	require.NoError(err)
-	require.Len(proxies, 1)
-	require.Equal("ssh", proxies[0].GetBaseConfig().Name)
-
-	proxies[0].GetBaseConfig().Name = "alice.ssh"
-
-	proxies2, _, err := agg.Load()
-	require.NoError(err)
-	require.Len(proxies2, 1)
-	require.Equal("ssh", proxies2[0].GetBaseConfig().Name)
-}
--- a/pkg/config/source/base_source.go
+++ b/pkg/config/source/base_source.go
@@ -1,65 +0,0 @@
-// Copyright 2026 The frp Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package source
-
-import (
-	"sync"
-
-	v1 "github.com/fatedier/frp/pkg/config/v1"
-)
-
-// baseSource provides shared state and behavior for Source implementations.
-// It manages proxy/visitor storage.
-// Concrete types (ConfigSource, StoreSource) embed this struct.
-type baseSource struct {
-	mu sync.RWMutex
-
-	proxies  map[string]v1.ProxyConfigurer
-	visitors map[string]v1.VisitorConfigurer
-}
-
-func newBaseSource() baseSource {
-	return baseSource{
-		proxies:  make(map[string]v1.ProxyConfigurer),
-		visitors: make(map[string]v1.VisitorConfigurer),
-	}
-}
-
-// Load returns all enabled proxy and visitor configurations.
-// Configurations with Enabled explicitly set to false are filtered out.
-func (s *baseSource) Load() ([]v1.ProxyConfigurer, []v1.VisitorConfigurer, error) {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-
-	proxies := make([]v1.ProxyConfigurer, 0, len(s.proxies))
-	for _, p := range s.proxies {
-		// Filter out disabled proxies (nil or true means enabled)
-		if enabled := p.GetBaseConfig().Enabled; enabled != nil && !*enabled {
-			continue
-		}
-		proxies = append(proxies, p)
-	}
-
-	visitors := make([]v1.VisitorConfigurer, 0, len(s.visitors))
-	for _, v := range s.visitors {
-		// Filter out disabled visitors (nil or true means enabled)
-		if enabled := v.GetBaseConfig().Enabled; enabled != nil && !*enabled {
-			continue
-		}
-		visitors = append(visitors, v)
-	}
-
-	return cloneConfigurers(proxies, visitors)
-}
--- a/pkg/config/source/base_source_test.go
+++ b/pkg/config/source/base_source_test.go
@@ -1,48 +0,0 @@
-package source
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	v1 "github.com/fatedier/frp/pkg/config/v1"
-)
-
-func TestBaseSourceLoadReturnsClonedConfigurers(t *testing.T) {
-	require := require.New(t)
-
-	src := NewConfigSource()
-
-	proxyCfg := &v1.TCPProxyConfig{
-		ProxyBaseConfig: v1.ProxyBaseConfig{
-			Name: "proxy1",
-			Type: "tcp",
-		},
-	}
-	visitorCfg := &v1.STCPVisitorConfig{
-		VisitorBaseConfig: v1.VisitorBaseConfig{
-			Name: "visitor1",
-			Type: "stcp",
-		},
-	}
-
-	err := src.ReplaceAll([]v1.ProxyConfigurer{proxyCfg}, []v1.VisitorConfigurer{visitorCfg})
-	require.NoError(err)
-
-	firstProxies, firstVisitors, err := src.Load()
-	require.NoError(err)
-	require.Len(firstProxies, 1)
-	require.Len(firstVisitors, 1)
-
-	// Mutate loaded objects as runtime completion would do.
-	firstProxies[0].Complete()
-	firstVisitors[0].Complete()
-
-	secondProxies, secondVisitors, err := src.Load()
-	require.NoError(err)
-	require.Len(secondProxies, 1)
-	require.Len(secondVisitors, 1)
-
-	require.Empty(secondProxies[0].GetBaseConfig().LocalIP)
-	require.Empty(secondVisitors[0].GetBaseConfig().BindAddr)
-}
--- a/pkg/config/source/clone.go
+++ b/pkg/config/source/clone.go
@@ -1,43 +0,0 @@
-// Copyright 2026 The frp Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package source
-
-import (
-	"fmt"
-
-	v1 "github.com/fatedier/frp/pkg/config/v1"
-)
-
-func cloneConfigurers(
-	proxies []v1.ProxyConfigurer,
-	visitors []v1.VisitorConfigurer,
-) ([]v1.ProxyConfigurer, []v1.VisitorConfigurer, error) {
-	clonedProxies := make([]v1.ProxyConfigurer, 0, len(proxies))
-	clonedVisitors := make([]v1.VisitorConfigurer, 0, len(visitors))
-
-	for _, cfg := range proxies {
-		if cfg == nil {
-			return nil, nil, fmt.Errorf("proxy cannot be nil")
-		}
-		clonedProxies = append(clonedProxies, cfg.Clone())
-	}
-	for _, cfg := range visitors {
-		if cfg == nil {
-			return nil, nil, fmt.Errorf("visitor cannot be nil")
-		}
-		clonedVisitors = append(clonedVisitors, cfg.Clone())
-	}
-	return clonedProxies, clonedVisitors, nil
-}
--- a/pkg/config/source/config_source.go
+++ b/pkg/config/source/config_source.go
@@ -1,65 +0,0 @@
-// Copyright 2026 The frp Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package source
-
-import (
-	"fmt"
-
-	v1 "github.com/fatedier/frp/pkg/config/v1"
-)
-
-// ConfigSource implements Source for in-memory configuration.
-// All operations are thread-safe.
-type ConfigSource struct {
-	baseSource
-}
-
-func NewConfigSource() *ConfigSource {
-	return &ConfigSource{
-		baseSource: newBaseSource(),
-	}
-}
-
-// ReplaceAll replaces all proxy and visitor configurations atomically.
-func (s *ConfigSource) ReplaceAll(proxies []v1.ProxyConfigurer, visitors []v1.VisitorConfigurer) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	nextProxies := make(map[string]v1.ProxyConfigurer, len(proxies))
-	for _, p := range proxies {
-		if p == nil {
-			return fmt.Errorf("proxy cannot be nil")
-		}
-		name := p.GetBaseConfig().Name
-		if name == "" {
-			return fmt.Errorf("proxy name cannot be empty")
-		}
-		nextProxies[name] = p
-	}
-	nextVisitors := make(map[string]v1.VisitorConfigurer, len(visitors))
-	for _, v := range visitors {
-		if v == nil {
-			return fmt.Errorf("visitor cannot be nil")
-		}
-		name := v.GetBaseConfig().Name
-		if name == "" {
-			return fmt.Errorf("visitor name cannot be empty")
-		}
-		nextVisitors[name] = v
-	}
-	s.proxies = nextProxies
-	s.visitors = nextVisitors
-	return nil
-}
--- a/pkg/config/source/config_source_test.go
+++ b/pkg/config/source/config_source_test.go
@@ -1,173 +0,0 @@
-// Copyright 2026 The frp Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package source
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	v1 "github.com/fatedier/frp/pkg/config/v1"
-)
-
-func TestNewConfigSource(t *testing.T) {
-	require := require.New(t)
-
-	src := NewConfigSource()
-	require.NotNil(src)
-}
-
-func TestConfigSource_ReplaceAll(t *testing.T) {
-	require := require.New(t)
-
-	src := NewConfigSource()
-
-	err := src.ReplaceAll(
-		[]v1.ProxyConfigurer{mockProxy("proxy1"), mockProxy("proxy2")},
-		[]v1.VisitorConfigurer{mockVisitor("visitor1")},
-	)
-	require.NoError(err)
-
-	proxies, visitors, err := src.Load()
-	require.NoError(err)
-	require.Len(proxies, 2)
-	require.Len(visitors, 1)
-
-	// ReplaceAll again should replace everything
-	err = src.ReplaceAll(
-		[]v1.ProxyConfigurer{mockProxy("proxy3")},
-		nil,
-	)
-	require.NoError(err)
-
-	proxies, visitors, err = src.Load()
-	require.NoError(err)
-	require.Len(proxies, 1)
-	require.Len(visitors, 0)
-	require.Equal("proxy3", proxies[0].GetBaseConfig().Name)
-
-	// ReplaceAll with nil proxy should fail
-	err = src.ReplaceAll([]v1.ProxyConfigurer{nil}, nil)
-	require.Error(err)
-
-	// ReplaceAll with empty name proxy should fail
-	err = src.ReplaceAll([]v1.ProxyConfigurer{&v1.TCPProxyConfig{}}, nil)
-	require.Error(err)
-}
-
-func TestConfigSource_Load(t *testing.T) {
-	require := require.New(t)
-
-	src := NewConfigSource()
-
-	err := src.ReplaceAll(
-		[]v1.ProxyConfigurer{mockProxy("proxy1"), mockProxy("proxy2")},
-		[]v1.VisitorConfigurer{mockVisitor("visitor1")},
-	)
-	require.NoError(err)
-
-	proxies, visitors, err := src.Load()
-	require.NoError(err)
-	require.Len(proxies, 2)
-	require.Len(visitors, 1)
-}
-
-// TestConfigSource_Load_FiltersDisabled verifies that Load() filters out
-// proxies and visitors with Enabled explicitly set to false.
-func TestConfigSource_Load_FiltersDisabled(t *testing.T) {
-	require := require.New(t)
-
-	src := NewConfigSource()
-
-	disabled := false
-	enabled := true
-
-	// Create enabled proxy (nil Enabled = enabled by default)
-	enabledProxy := mockProxy("enabled-proxy")
-
-	// Create disabled proxy
-	disabledProxy := &v1.TCPProxyConfig{}
-	disabledProxy.Name = "disabled-proxy"
-	disabledProxy.Type = "tcp"
-	disabledProxy.Enabled = &disabled
-
-	// Create explicitly enabled proxy
-	explicitEnabledProxy := &v1.TCPProxyConfig{}
-	explicitEnabledProxy.Name = "explicit-enabled-proxy"
-	explicitEnabledProxy.Type = "tcp"
-	explicitEnabledProxy.Enabled = &enabled
-
-	// Create enabled visitor (nil Enabled = enabled by default)
-	enabledVisitor := mockVisitor("enabled-visitor")
-
-	// Create disabled visitor
-	disabledVisitor := &v1.STCPVisitorConfig{}
-	disabledVisitor.Name = "disabled-visitor"
-	disabledVisitor.Type = "stcp"
-	disabledVisitor.Enabled = &disabled
-
-	err := src.ReplaceAll(
-		[]v1.ProxyConfigurer{enabledProxy, disabledProxy, explicitEnabledProxy},
-		[]v1.VisitorConfigurer{enabledVisitor, disabledVisitor},
-	)
-	require.NoError(err)
-
-	// Load should filter out disabled configs
-	proxies, visitors, err := src.Load()
-	require.NoError(err)
-	require.Len(proxies, 2, "Should have 2 enabled proxies")
-	require.Len(visitors, 1, "Should have 1 enabled visitor")
-
-	// Verify the correct proxies are returned
-	proxyNames := make([]string, 0, len(proxies))
-	for _, p := range proxies {
-		proxyNames = append(proxyNames, p.GetBaseConfig().Name)
-	}
-	require.Contains(proxyNames, "enabled-proxy")
-	require.Contains(proxyNames, "explicit-enabled-proxy")
-	require.NotContains(proxyNames, "disabled-proxy")
-
-	// Verify the correct visitor is returned
-	require.Equal("enabled-visitor", visitors[0].GetBaseConfig().Name)
-}
-
-func TestConfigSource_ReplaceAll_DoesNotApplyRuntimeDefaults(t *testing.T) {
-	require := require.New(t)
-
-	src := NewConfigSource()
-
-	proxyCfg := &v1.TCPProxyConfig{}
-	proxyCfg.Name = "proxy1"
-	proxyCfg.Type = "tcp"
-	proxyCfg.LocalPort = 10080
-
-	visitorCfg := &v1.XTCPVisitorConfig{}
-	visitorCfg.Name = "visitor1"
-	visitorCfg.Type = "xtcp"
-	visitorCfg.ServerName = "server1"
-	visitorCfg.SecretKey = "secret"
-	visitorCfg.BindPort = 10081
-
-	err := src.ReplaceAll([]v1.ProxyConfigurer{proxyCfg}, []v1.VisitorConfigurer{visitorCfg})
-	require.NoError(err)
-
-	proxies, visitors, err := src.Load()
-	require.NoError(err)
-	require.Len(proxies, 1)
-	require.Len(visitors, 1)
-	require.Empty(proxies[0].GetBaseConfig().LocalIP)
-	require.Empty(visitors[0].GetBaseConfig().BindAddr)
-	require.Empty(visitors[0].(*v1.XTCPVisitorConfig).Protocol)
-}
--- a/pkg/config/source/source.go
+++ b/pkg/config/source/source.go
@@ -1,37 +0,0 @@
-// Copyright 2026 The frp Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package source
-
-import (
-	v1 "github.com/fatedier/frp/pkg/config/v1"
-)
-
-// Source is the interface for configuration sources.
-// A Source provides proxy and visitor configurations from various backends.
-// Aggregator currently uses the built-in config source as base and an optional
-// store source as higher-priority overlay.
-type Source interface {
-	// Load loads the proxy and visitor configurations from this source.
-	// Returns the loaded configurations and any error encountered.
-	// A disabled entry in one source is source-local filtering, not a cross-source
-	// tombstone for entries from lower-priority sources.
-	//
-	// Error handling contract with Aggregator:
-	//   - When err is nil, returned slices are consumed.
-	//   - When err is non-nil, Aggregator aborts the merge and returns the error.
-	//   - To publish best-effort or partial results, return those results with
-	//     err set to nil.
-	Load() (proxies []v1.ProxyConfigurer, visitors []v1.VisitorConfigurer, err error)
-}
--- a/pkg/config/source/store.go
+++ b/pkg/config/source/store.go
@@ -1,367 +0,0 @@
-// Copyright 2026 The frp Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package source
-
-import (
-	"errors"
-	"fmt"
-	"os"
-	"path/filepath"
-
-	v1 "github.com/fatedier/frp/pkg/config/v1"
-	"github.com/fatedier/frp/pkg/util/jsonx"
-)
-
-type StoreSourceConfig struct {
-	Path string `json:"path"`
-}
-
-type storeData struct {
-	Proxies  []v1.TypedProxyConfig   `json:"proxies,omitempty"`
-	Visitors []v1.TypedVisitorConfig `json:"visitors,omitempty"`
-}
-
-type StoreSource struct {
-	baseSource
-	config StoreSourceConfig
-}
-
-var (
-	ErrAlreadyExists = errors.New("already exists")
-	ErrNotFound      = errors.New("not found")
-)
-
-func NewStoreSource(cfg StoreSourceConfig) (*StoreSource, error) {
-	if cfg.Path == "" {
-		return nil, fmt.Errorf("path is required")
-	}
-
-	s := &StoreSource{
-		baseSource: newBaseSource(),
-		config:     cfg,
-	}
-
-	if err := s.loadFromFile(); err != nil {
-		if !os.IsNotExist(err) {
-			return nil, fmt.Errorf("failed to load existing data: %w", err)
-		}
-	}
-
-	return s, nil
-}
-
-func (s *StoreSource) loadFromFile() error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	return s.loadFromFileUnlocked()
-}
-
-func (s *StoreSource) loadFromFileUnlocked() error {
-	data, err := os.ReadFile(s.config.Path)
-	if err != nil {
-		return err
-	}
-
-	type rawStoreData struct {
-		Proxies  []jsonx.RawMessage `json:"proxies,omitempty"`
-		Visitors []jsonx.RawMessage `json:"visitors,omitempty"`
-	}
-	stored := rawStoreData{}
-	if err := jsonx.Unmarshal(data, &stored); err != nil {
-		return fmt.Errorf("failed to parse JSON: %w", err)
-	}
-
-	s.proxies = make(map[string]v1.ProxyConfigurer)
-	s.visitors = make(map[string]v1.VisitorConfigurer)
-
-	for i, proxyData := range stored.Proxies {
-		proxyCfg, err := v1.DecodeProxyConfigurerJSON(proxyData, v1.DecodeOptions{
-			DisallowUnknownFields: false,
-		})
-		if err != nil {
-			return fmt.Errorf("failed to decode proxy at index %d: %w", i, err)
-		}
-		name := proxyCfg.GetBaseConfig().Name
-		if name == "" {
-			return fmt.Errorf("proxy name cannot be empty")
-		}
-		s.proxies[name] = proxyCfg
-	}
-
-	for i, visitorData := range stored.Visitors {
-		visitorCfg, err := v1.DecodeVisitorConfigurerJSON(visitorData, v1.DecodeOptions{
-			DisallowUnknownFields: false,
-		})
-		if err != nil {
-			return fmt.Errorf("failed to decode visitor at index %d: %w", i, err)
-		}
-		name := visitorCfg.GetBaseConfig().Name
-		if name == "" {
-			return fmt.Errorf("visitor name cannot be empty")
-		}
-		s.visitors[name] = visitorCfg
-	}
-
-	return nil
-}
-
-func (s *StoreSource) saveToFileUnlocked() error {
-	stored := storeData{
-		Proxies:  make([]v1.TypedProxyConfig, 0, len(s.proxies)),
-		Visitors: make([]v1.TypedVisitorConfig, 0, len(s.visitors)),
-	}
-
-	for _, p := range s.proxies {
-		stored.Proxies = append(stored.Proxies, v1.TypedProxyConfig{ProxyConfigurer: p})
-	}
-	for _, v := range s.visitors {
-		stored.Visitors = append(stored.Visitors, v1.TypedVisitorConfig{VisitorConfigurer: v})
-	}
-
-	data, err := jsonx.MarshalIndent(stored, "", "  ")
-	if err != nil {
-		return fmt.Errorf("failed to marshal JSON: %w", err)
-	}
-
-	dir := filepath.Dir(s.config.Path)
-	if err := os.MkdirAll(dir, 0o755); err != nil {
-		return fmt.Errorf("failed to create directory: %w", err)
-	}
-
-	tmpPath := s.config.Path + ".tmp"
-
-	f, err := os.OpenFile(tmpPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
-	if err != nil {
-		return fmt.Errorf("failed to create temp file: %w", err)
-	}
-
-	if _, err := f.Write(data); err != nil {
-		f.Close()
-		os.Remove(tmpPath)
-		return fmt.Errorf("failed to write temp file: %w", err)
-	}
-
-	if err := f.Sync(); err != nil {
-		f.Close()
-		os.Remove(tmpPath)
-		return fmt.Errorf("failed to sync temp file: %w", err)
-	}
-
-	if err := f.Close(); err != nil {
-		os.Remove(tmpPath)
-		return fmt.Errorf("failed to close temp file: %w", err)
-	}
-
-	if err := os.Rename(tmpPath, s.config.Path); err != nil {
-		os.Remove(tmpPath)
-		return fmt.Errorf("failed to rename temp file: %w", err)
-	}
-
-	return nil
-}
-
-func (s *StoreSource) AddProxy(proxy v1.ProxyConfigurer) error {
-	if proxy == nil {
-		return fmt.Errorf("proxy cannot be nil")
-	}
-
-	name := proxy.GetBaseConfig().Name
-	if name == "" {
-		return fmt.Errorf("proxy name cannot be empty")
-	}
-
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	if _, exists := s.proxies[name]; exists {
-		return fmt.Errorf("%w: proxy %q", ErrAlreadyExists, name)
-	}
-
-	s.proxies[name] = proxy
-
-	if err := s.saveToFileUnlocked(); err != nil {
-		delete(s.proxies, name)
-		return fmt.Errorf("failed to persist: %w", err)
-	}
-	return nil
-}
-
-func (s *StoreSource) UpdateProxy(proxy v1.ProxyConfigurer) error {
-	if proxy == nil {
-		return fmt.Errorf("proxy cannot be nil")
-	}
-
-	name := proxy.GetBaseConfig().Name
-	if name == "" {
-		return fmt.Errorf("proxy name cannot be empty")
-	}
-
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	oldProxy, exists := s.proxies[name]
-	if !exists {
-		return fmt.Errorf("%w: proxy %q", ErrNotFound, name)
-	}
-
-	s.proxies[name] = proxy
-
-	if err := s.saveToFileUnlocked(); err != nil {
-		s.proxies[name] = oldProxy
-		return fmt.Errorf("failed to persist: %w", err)
-	}
-	return nil
-}
-
-func (s *StoreSource) RemoveProxy(name string) error {
-	if name == "" {
-		return fmt.Errorf("proxy name cannot be empty")
-	}
-
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	oldProxy, exists := s.proxies[name]
-	if !exists {
-		return fmt.Errorf("%w: proxy %q", ErrNotFound, name)
-	}
-
-	delete(s.proxies, name)
-
-	if err := s.saveToFileUnlocked(); err != nil {
-		s.proxies[name] = oldProxy
-		return fmt.Errorf("failed to persist: %w", err)
-	}
-	return nil
-}
-
-func (s *StoreSource) GetProxy(name string) v1.ProxyConfigurer {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-
-	p, exists := s.proxies[name]
-	if !exists {
-		return nil
-	}
-	return p
-}
-
-func (s *StoreSource) AddVisitor(visitor v1.VisitorConfigurer) error {
-	if visitor == nil {
-		return fmt.Errorf("visitor cannot be nil")
-	}
-
-	name := visitor.GetBaseConfig().Name
-	if name == "" {
-		return fmt.Errorf("visitor name cannot be empty")
-	}
-
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	if _, exists := s.visitors[name]; exists {
-		return fmt.Errorf("%w: visitor %q", ErrAlreadyExists, name)
-	}
-
-	s.visitors[name] = visitor
-
-	if err := s.saveToFileUnlocked(); err != nil {
-		delete(s.visitors, name)
-		return fmt.Errorf("failed to persist: %w", err)
-	}
-	return nil
-}
-
-func (s *StoreSource) UpdateVisitor(visitor v1.VisitorConfigurer) error {
-	if visitor == nil {
-		return fmt.Errorf("visitor cannot be nil")
-	}
-
-	name := visitor.GetBaseConfig().Name
-	if name == "" {
-		return fmt.Errorf("visitor name cannot be empty")
-	}
-
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	oldVisitor, exists := s.visitors[name]
-	if !exists {
-		return fmt.Errorf("%w: visitor %q", ErrNotFound, name)
-	}
-
-	s.visitors[name] = visitor
-
-	if err := s.saveToFileUnlocked(); err != nil {
-		s.visitors[name] = oldVisitor
-		return fmt.Errorf("failed to persist: %w", err)
-	}
-	return nil
-}
-
-func (s *StoreSource) RemoveVisitor(name string) error {
-	if name == "" {
-		return fmt.Errorf("visitor name cannot be empty")
-	}
-
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	oldVisitor, exists := s.visitors[name]
-	if !exists {
-		return fmt.Errorf("%w: visitor %q", ErrNotFound, name)
-	}
-
-	delete(s.visitors, name)
-
-	if err := s.saveToFileUnlocked(); err != nil {
-		s.visitors[name] = oldVisitor
-		return fmt.Errorf("failed to persist: %w", err)
-	}
-	return nil
-}
-
-func (s *StoreSource) GetVisitor(name string) v1.VisitorConfigurer {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-
-	v, exists := s.visitors[name]
-	if !exists {
-		return nil
-	}
-	return v
-}
-
-func (s *StoreSource) GetAllProxies() ([]v1.ProxyConfigurer, error) {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-
-	result := make([]v1.ProxyConfigurer, 0, len(s.proxies))
-	for _, p := range s.proxies {
-		result = append(result, p)
-	}
-	return result, nil
-}
-
-func (s *StoreSource) GetAllVisitors() ([]v1.VisitorConfigurer, error) {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-
-	result := make([]v1.VisitorConfigurer, 0, len(s.visitors))
-	for _, v := range s.visitors {
-		result = append(result, v)
-	}
-	return result, nil
-}
--- a/pkg/config/source/store_test.go
+++ b/pkg/config/source/store_test.go
@@ -1,121 +0,0 @@
-// Copyright 2026 The frp Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package source
-
-import (
-	"os"
-	"path/filepath"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	v1 "github.com/fatedier/frp/pkg/config/v1"
-	"github.com/fatedier/frp/pkg/util/jsonx"
-)
-
-func TestStoreSource_AddProxyAndVisitor_DoesNotApplyRuntimeDefaults(t *testing.T) {
-	require := require.New(t)
-
-	path := filepath.Join(t.TempDir(), "store.json")
-	storeSource, err := NewStoreSource(StoreSourceConfig{Path: path})
-	require.NoError(err)
-
-	proxyCfg := &v1.TCPProxyConfig{}
-	proxyCfg.Name = "proxy1"
-	proxyCfg.Type = "tcp"
-	proxyCfg.LocalPort = 10080
-
-	visitorCfg := &v1.XTCPVisitorConfig{}
-	visitorCfg.Name = "visitor1"
-	visitorCfg.Type = "xtcp"
-	visitorCfg.ServerName = "server1"
-	visitorCfg.SecretKey = "secret"
-	visitorCfg.BindPort = 10081
-
-	err = storeSource.AddProxy(proxyCfg)
-	require.NoError(err)
-	err = storeSource.AddVisitor(visitorCfg)
-	require.NoError(err)
-
-	gotProxy := storeSource.GetProxy("proxy1")
-	require.NotNil(gotProxy)
-	require.Empty(gotProxy.GetBaseConfig().LocalIP)
-
-	gotVisitor := storeSource.GetVisitor("visitor1")
-	require.NotNil(gotVisitor)
-	require.Empty(gotVisitor.GetBaseConfig().BindAddr)
-	require.Empty(gotVisitor.(*v1.XTCPVisitorConfig).Protocol)
-}
-
-func TestStoreSource_LoadFromFile_DoesNotApplyRuntimeDefaults(t *testing.T) {
-	require := require.New(t)
-
-	path := filepath.Join(t.TempDir(), "store.json")
-
-	proxyCfg := &v1.TCPProxyConfig{}
-	proxyCfg.Name = "proxy1"
-	proxyCfg.Type = "tcp"
-	proxyCfg.LocalPort = 10080
-
-	visitorCfg := &v1.XTCPVisitorConfig{}
-	visitorCfg.Name = "visitor1"
-	visitorCfg.Type = "xtcp"
-	visitorCfg.ServerName = "server1"
-	visitorCfg.SecretKey = "secret"
-	visitorCfg.BindPort = 10081
-
-	stored := storeData{
-		Proxies:  []v1.TypedProxyConfig{{ProxyConfigurer: proxyCfg}},
-		Visitors: []v1.TypedVisitorConfig{{VisitorConfigurer: visitorCfg}},
-	}
-	data, err := jsonx.Marshal(stored)
-	require.NoError(err)
-	err = os.WriteFile(path, data, 0o600)
-	require.NoError(err)
-
-	storeSource, err := NewStoreSource(StoreSourceConfig{Path: path})
-	require.NoError(err)
-
-	gotProxy := storeSource.GetProxy("proxy1")
-	require.NotNil(gotProxy)
-	require.Empty(gotProxy.GetBaseConfig().LocalIP)
-
-	gotVisitor := storeSource.GetVisitor("visitor1")
-	require.NotNil(gotVisitor)
-	require.Empty(gotVisitor.GetBaseConfig().BindAddr)
-	require.Empty(gotVisitor.(*v1.XTCPVisitorConfig).Protocol)
-}
-
-func TestStoreSource_LoadFromFile_UnknownFieldsAreIgnored(t *testing.T) {
-	require := require.New(t)
-
-	path := filepath.Join(t.TempDir(), "store.json")
-	raw := []byte(`{
-		"proxies": [
-			{"name":"proxy1","type":"tcp","localPort":10080,"unexpected":"value"}
-		],
-		"visitors": [
-			{"name":"visitor1","type":"xtcp","serverName":"server1","secretKey":"secret","bindPort":10081,"unexpected":"value"}
-		]
-	}`)
-	err := os.WriteFile(path, raw, 0o600)
-	require.NoError(err)
-
-	storeSource, err := NewStoreSource(StoreSourceConfig{Path: path})
-	require.NoError(err)
-
-	require.NotNil(storeSource.GetProxy("proxy1"))
-	require.NotNil(storeSource.GetVisitor("visitor1"))
-}
--- a/pkg/config/template.go
+++ b/pkg/config/template.go
@@ -38,7 +38,7 @@ func parseNumberRangePair(firstRangeStr, secondRangeStr string) ([]NumberPair, e
 		return nil, fmt.Errorf("first and second range numbers are not in pairs")
 	}
 	pairs := make([]NumberPair, 0, len(firstRangeNumbers))
-	for i := range firstRangeNumbers {
+	for i := 0; i < len(firstRangeNumbers); i++ {
 		pairs = append(pairs, NumberPair{
 			First:  firstRangeNumbers[i],
 			Second: secondRangeNumbers[i],
--- a/pkg/config/types/types.go
+++ b/pkg/config/types/types.go
@@ -70,18 +70,24 @@ func (q *BandwidthQuantity) UnmarshalString(s string) error {
 		f    float64
 		err  error
 	)
-	if fstr, ok := strings.CutSuffix(s, "MB"); ok {
+	switch {
+	case strings.HasSuffix(s, "MB"):
 		base = MB
+		fstr := strings.TrimSuffix(s, "MB")
 		f, err = strconv.ParseFloat(fstr, 64)
-	} else if fstr, ok := strings.CutSuffix(s, "KB"); ok {
+		if err != nil {
+			return err
+		}
+	case strings.HasSuffix(s, "KB"):
 		base = KB
+		fstr := strings.TrimSuffix(s, "KB")
 		f, err = strconv.ParseFloat(fstr, 64)
-	} else {
+		if err != nil {
+			return err
+		}
+	default:
 		return errors.New("unit not support")
 	}
-	if err != nil {
-		return err
-	}

 	q.s = s
 	q.i = int64(f * float64(base))
@@ -137,8 +143,8 @@ func (p PortsRangeSlice) String() string {
 func NewPortsRangeSliceFromString(str string) ([]PortsRange, error) {
 	str = strings.TrimSpace(str)
 	out := []PortsRange{}
-	numRanges := strings.SplitSeq(str, ",")
-	for numRangeStr := range numRanges {
+	numRanges := strings.Split(str, ",")
+	for _, numRangeStr := range numRanges {
 		// 1000-2000 or 2001
 		numArray := strings.Split(numRangeStr, "-")
 		// length: only 1 or 2 is correct
--- a/pkg/config/types/types_test.go
+++ b/pkg/config/types/types_test.go
@@ -39,31 +39,6 @@ func TestBandwidthQuantity(t *testing.T) {
 	require.Equal(`{"b":"1KB","int":5}`, string(buf))
 }

-func TestBandwidthQuantity_MB(t *testing.T) {
-	require := require.New(t)
-
-	var w Wrap
-	err := json.Unmarshal([]byte(`{"b":"2MB","int":1}`), &w)
-	require.NoError(err)
-	require.EqualValues(2*MB, w.B.Bytes())
-
-	buf, err := json.Marshal(&w)
-	require.NoError(err)
-	require.Equal(`{"b":"2MB","int":1}`, string(buf))
-}
-
-func TestBandwidthQuantity_InvalidUnit(t *testing.T) {
-	var w Wrap
-	err := json.Unmarshal([]byte(`{"b":"1GB","int":1}`), &w)
-	require.Error(t, err)
-}
-
-func TestBandwidthQuantity_InvalidNumber(t *testing.T) {
-	var w Wrap
-	err := json.Unmarshal([]byte(`{"b":"abcKB","int":1}`), &w)
-	require.Error(t, err)
-}
-
 func TestPortsRangeSlice2String(t *testing.T) {
 	require := require.New(t)

--- a/pkg/config/v1/client.go
+++ b/pkg/config/v1/client.go
@@ -77,9 +77,6 @@ type ClientCommonConfig struct {

 	// Include other config files for proxies.
 	IncludeConfigFiles []string `json:"includes,omitempty"`
-
-	// Store config enables the built-in store source (not configurable via sources list).
-	Store StoreConfig `json:"store,omitempty"`
 }

 func (c *ClientCommonConfig) Complete() error {
--- a/pkg/config/v1/clone_test.go
+++ b/pkg/config/v1/clone_test.go
@@ -1,109 +0,0 @@
-package v1
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestProxyCloneDeepCopy(t *testing.T) {
-	require := require.New(t)
-
-	enabled := true
-	pluginHTTP2 := true
-	cfg := &HTTPProxyConfig{
-		ProxyBaseConfig: ProxyBaseConfig{
-			Name:        "p1",
-			Type:        "http",
-			Enabled:     &enabled,
-			Annotations: map[string]string{"a": "1"},
-			Metadatas:   map[string]string{"m": "1"},
-			HealthCheck: HealthCheckConfig{
-				Type: "http",
-				HTTPHeaders: []HTTPHeader{
-					{Name: "X-Test", Value: "v1"},
-				},
-			},
-			ProxyBackend: ProxyBackend{
-				Plugin: TypedClientPluginOptions{
-					Type: PluginHTTPS2HTTP,
-					ClientPluginOptions: &HTTPS2HTTPPluginOptions{
-						Type:           PluginHTTPS2HTTP,
-						EnableHTTP2:    &pluginHTTP2,
-						RequestHeaders: HeaderOperations{Set: map[string]string{"k": "v"}},
-					},
-				},
-			},
-		},
-		DomainConfig: DomainConfig{
-			CustomDomains: []string{"a.example.com"},
-			SubDomain:     "a",
-		},
-		Locations:       []string{"/api"},
-		RequestHeaders:  HeaderOperations{Set: map[string]string{"h1": "v1"}},
-		ResponseHeaders: HeaderOperations{Set: map[string]string{"h2": "v2"}},
-	}
-
-	cloned := cfg.Clone().(*HTTPProxyConfig)
-
-	*cloned.Enabled = false
-	cloned.Annotations["a"] = "changed"
-	cloned.Metadatas["m"] = "changed"
-	cloned.HealthCheck.HTTPHeaders[0].Value = "changed"
-	cloned.CustomDomains[0] = "b.example.com"
-	cloned.Locations[0] = "/new"
-	cloned.RequestHeaders.Set["h1"] = "changed"
-	cloned.ResponseHeaders.Set["h2"] = "changed"
-	clientPlugin := cloned.Plugin.ClientPluginOptions.(*HTTPS2HTTPPluginOptions)
-	*clientPlugin.EnableHTTP2 = false
-	clientPlugin.RequestHeaders.Set["k"] = "changed"
-
-	require.True(*cfg.Enabled)
-	require.Equal("1", cfg.Annotations["a"])
-	require.Equal("1", cfg.Metadatas["m"])
-	require.Equal("v1", cfg.HealthCheck.HTTPHeaders[0].Value)
-	require.Equal("a.example.com", cfg.CustomDomains[0])
-	require.Equal("/api", cfg.Locations[0])
-	require.Equal("v1", cfg.RequestHeaders.Set["h1"])
-	require.Equal("v2", cfg.ResponseHeaders.Set["h2"])
-
-	origPlugin := cfg.Plugin.ClientPluginOptions.(*HTTPS2HTTPPluginOptions)
-	require.True(*origPlugin.EnableHTTP2)
-	require.Equal("v", origPlugin.RequestHeaders.Set["k"])
-}
-
-func TestVisitorCloneDeepCopy(t *testing.T) {
-	require := require.New(t)
-
-	enabled := true
-	cfg := &XTCPVisitorConfig{
-		VisitorBaseConfig: VisitorBaseConfig{
-			Name:       "v1",
-			Type:       "xtcp",
-			Enabled:    &enabled,
-			ServerName: "server",
-			BindPort:   7000,
-			Plugin: TypedVisitorPluginOptions{
-				Type: VisitorPluginVirtualNet,
-				VisitorPluginOptions: &VirtualNetVisitorPluginOptions{
-					Type:          VisitorPluginVirtualNet,
-					DestinationIP: "10.0.0.1",
-				},
-			},
-		},
-		NatTraversal: &NatTraversalConfig{
-			DisableAssistedAddrs: true,
-		},
-	}
-
-	cloned := cfg.Clone().(*XTCPVisitorConfig)
-	*cloned.Enabled = false
-	cloned.NatTraversal.DisableAssistedAddrs = false
-	visitorPlugin := cloned.Plugin.VisitorPluginOptions.(*VirtualNetVisitorPluginOptions)
-	visitorPlugin.DestinationIP = "10.0.0.2"
-
-	require.True(*cfg.Enabled)
-	require.True(cfg.NatTraversal.DisableAssistedAddrs)
-	origPlugin := cfg.Plugin.VisitorPluginOptions.(*VirtualNetVisitorPluginOptions)
-	require.Equal("10.0.0.1", origPlugin.DestinationIP)
-}
--- a/pkg/config/v1/common.go
+++ b/pkg/config/v1/common.go
@@ -15,11 +15,23 @@
 package v1

 import (
-	"maps"
+	"sync"

 	"github.com/fatedier/frp/pkg/util/util"
 )

+// TODO(fatedier): Due to the current implementation issue of the go json library, the UnmarshalJSON method
+// of a custom struct cannot access the DisallowUnknownFields parameter of the parent decoder.
+// Here, a global variable is temporarily used to control whether unknown fields are allowed.
+// Once the v2 version is implemented by the community, we can switch to a standardized approach.
+//
+// https://github.com/golang/go/issues/41144
+// https://github.com/golang/go/discussions/63397
+var (
+	DisallowUnknownFields   = false
+	DisallowUnknownFieldsMu sync.Mutex
+)
+
 type AuthScope string

 const (
@@ -92,14 +104,6 @@ type NatTraversalConfig struct {
 	DisableAssistedAddrs bool `json:"disableAssistedAddrs,omitempty"`
 }

-func (c *NatTraversalConfig) Clone() *NatTraversalConfig {
-	if c == nil {
-		return nil
-	}
-	out := *c
-	return &out
-}
-
 type LogConfig struct {
 	// This is destination where frp should write the logs.
 	// If "console" is used, logs will be printed to stdout, otherwise,
@@ -134,12 +138,6 @@ type HeaderOperations struct {
 	Set map[string]string `json:"set,omitempty"`
 }

-func (o HeaderOperations) Clone() HeaderOperations {
-	return HeaderOperations{
-		Set: maps.Clone(o.Set),
-	}
-}
-
 type HTTPHeader struct {
 	Name  string `json:"name"`
 	Value string `json:"value"`
--- a/pkg/config/v1/decode.go
+++ b/pkg/config/v1/decode.go
@@ -1,195 +0,0 @@
-// Copyright 2026 The frp Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package v1
-
-import (
-	"errors"
-	"fmt"
-	"reflect"
-
-	"github.com/fatedier/frp/pkg/util/jsonx"
-)
-
-type DecodeOptions struct {
-	DisallowUnknownFields bool
-}
-
-func decodeJSONWithOptions(b []byte, out any, options DecodeOptions) error {
-	return jsonx.UnmarshalWithOptions(b, out, jsonx.DecodeOptions{
-		RejectUnknownMembers: options.DisallowUnknownFields,
-	})
-}
-
-func isJSONNull(b []byte) bool {
-	return len(b) == 0 || string(b) == "null"
-}
-
-type typedEnvelope struct {
-	Type   string           `json:"type"`
-	Plugin jsonx.RawMessage `json:"plugin,omitempty"`
-}
-
-func DecodeProxyConfigurerJSON(b []byte, options DecodeOptions) (ProxyConfigurer, error) {
-	if isJSONNull(b) {
-		return nil, errors.New("type is required")
-	}
-
-	var env typedEnvelope
-	if err := jsonx.Unmarshal(b, &env); err != nil {
-		return nil, err
-	}
-
-	configurer := NewProxyConfigurerByType(ProxyType(env.Type))
-	if configurer == nil {
-		return nil, fmt.Errorf("unknown proxy type: %s", env.Type)
-	}
-	if err := decodeJSONWithOptions(b, configurer, options); err != nil {
-		return nil, fmt.Errorf("unmarshal ProxyConfig error: %v", err)
-	}
-
-	if len(env.Plugin) > 0 && !isJSONNull(env.Plugin) {
-		plugin, err := DecodeClientPluginOptionsJSON(env.Plugin, options)
-		if err != nil {
-			return nil, fmt.Errorf("unmarshal proxy plugin error: %v", err)
-		}
-		configurer.GetBaseConfig().Plugin = plugin
-	}
-	return configurer, nil
-}
-
-func DecodeVisitorConfigurerJSON(b []byte, options DecodeOptions) (VisitorConfigurer, error) {
-	if isJSONNull(b) {
-		return nil, errors.New("type is required")
-	}
-
-	var env typedEnvelope
-	if err := jsonx.Unmarshal(b, &env); err != nil {
-		return nil, err
-	}
-
-	configurer := NewVisitorConfigurerByType(VisitorType(env.Type))
-	if configurer == nil {
-		return nil, fmt.Errorf("unknown visitor type: %s", env.Type)
-	}
-	if err := decodeJSONWithOptions(b, configurer, options); err != nil {
-		return nil, fmt.Errorf("unmarshal VisitorConfig error: %v", err)
-	}
-
-	if len(env.Plugin) > 0 && !isJSONNull(env.Plugin) {
-		plugin, err := DecodeVisitorPluginOptionsJSON(env.Plugin, options)
-		if err != nil {
-			return nil, fmt.Errorf("unmarshal visitor plugin error: %v", err)
-		}
-		configurer.GetBaseConfig().Plugin = plugin
-	}
-	return configurer, nil
-}
-
-func DecodeClientPluginOptionsJSON(b []byte, options DecodeOptions) (TypedClientPluginOptions, error) {
-	if isJSONNull(b) {
-		return TypedClientPluginOptions{}, nil
-	}
-
-	var env typedEnvelope
-	if err := jsonx.Unmarshal(b, &env); err != nil {
-		return TypedClientPluginOptions{}, err
-	}
-	if env.Type == "" {
-		return TypedClientPluginOptions{}, errors.New("plugin type is empty")
-	}
-
-	v, ok := clientPluginOptionsTypeMap[env.Type]
-	if !ok {
-		return TypedClientPluginOptions{}, fmt.Errorf("unknown plugin type: %s", env.Type)
-	}
-	optionsStruct := reflect.New(v).Interface().(ClientPluginOptions)
-	if err := decodeJSONWithOptions(b, optionsStruct, options); err != nil {
-		return TypedClientPluginOptions{}, fmt.Errorf("unmarshal ClientPluginOptions error: %v", err)
-	}
-	return TypedClientPluginOptions{
-		Type:                env.Type,
-		ClientPluginOptions: optionsStruct,
-	}, nil
-}
-
-func DecodeVisitorPluginOptionsJSON(b []byte, options DecodeOptions) (TypedVisitorPluginOptions, error) {
-	if isJSONNull(b) {
-		return TypedVisitorPluginOptions{}, nil
-	}
-
-	var env typedEnvelope
-	if err := jsonx.Unmarshal(b, &env); err != nil {
-		return TypedVisitorPluginOptions{}, err
-	}
-	if env.Type == "" {
-		return TypedVisitorPluginOptions{}, errors.New("visitor plugin type is empty")
-	}
-
-	v, ok := visitorPluginOptionsTypeMap[env.Type]
-	if !ok {
-		return TypedVisitorPluginOptions{}, fmt.Errorf("unknown visitor plugin type: %s", env.Type)
-	}
-	optionsStruct := reflect.New(v).Interface().(VisitorPluginOptions)
-	if err := decodeJSONWithOptions(b, optionsStruct, options); err != nil {
-		return TypedVisitorPluginOptions{}, fmt.Errorf("unmarshal VisitorPluginOptions error: %v", err)
-	}
-	return TypedVisitorPluginOptions{
-		Type:                 env.Type,
-		VisitorPluginOptions: optionsStruct,
-	}, nil
-}
-
-func DecodeClientConfigJSON(b []byte, options DecodeOptions) (ClientConfig, error) {
-	type rawClientConfig struct {
-		ClientCommonConfig
-		Proxies  []jsonx.RawMessage `json:"proxies,omitempty"`
-		Visitors []jsonx.RawMessage `json:"visitors,omitempty"`
-	}
-
-	raw := rawClientConfig{}
-	if err := decodeJSONWithOptions(b, &raw, options); err != nil {
-		return ClientConfig{}, err
-	}
-
-	cfg := ClientConfig{
-		ClientCommonConfig: raw.ClientCommonConfig,
-		Proxies:            make([]TypedProxyConfig, 0, len(raw.Proxies)),
-		Visitors:           make([]TypedVisitorConfig, 0, len(raw.Visitors)),
-	}
-
-	for i, proxyData := range raw.Proxies {
-		proxyCfg, err := DecodeProxyConfigurerJSON(proxyData, options)
-		if err != nil {
-			return ClientConfig{}, fmt.Errorf("decode proxy at index %d: %w", i, err)
-		}
-		cfg.Proxies = append(cfg.Proxies, TypedProxyConfig{
-			Type:            proxyCfg.GetBaseConfig().Type,
-			ProxyConfigurer: proxyCfg,
-		})
-	}
-
-	for i, visitorData := range raw.Visitors {
-		visitorCfg, err := DecodeVisitorConfigurerJSON(visitorData, options)
-		if err != nil {
-			return ClientConfig{}, fmt.Errorf("decode visitor at index %d: %w", i, err)
-		}
-		cfg.Visitors = append(cfg.Visitors, TypedVisitorConfig{
-			Type:              visitorCfg.GetBaseConfig().Type,
-			VisitorConfigurer: visitorCfg,
-		})
-	}
-
-	return cfg, nil
-}
--- a/pkg/config/v1/decode_test.go
+++ b/pkg/config/v1/decode_test.go
@@ -1,86 +0,0 @@
-// Copyright 2026 The frp Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package v1
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestDecodeProxyConfigurerJSON_StrictPluginUnknownFields(t *testing.T) {
-	require := require.New(t)
-
-	data := []byte(`{
-		"name":"p1",
-		"type":"tcp",
-		"localPort":10080,
-		"plugin":{
-			"type":"http2https",
-			"localAddr":"127.0.0.1:8080",
-			"unknownInPlugin":"value"
-		}
-	}`)
-
-	_, err := DecodeProxyConfigurerJSON(data, DecodeOptions{DisallowUnknownFields: false})
-	require.NoError(err)
-
-	_, err = DecodeProxyConfigurerJSON(data, DecodeOptions{DisallowUnknownFields: true})
-	require.ErrorContains(err, "unknownInPlugin")
-}
-
-func TestDecodeVisitorConfigurerJSON_StrictPluginUnknownFields(t *testing.T) {
-	require := require.New(t)
-
-	data := []byte(`{
-		"name":"v1",
-		"type":"stcp",
-		"serverName":"server",
-		"bindPort":10081,
-		"plugin":{
-			"type":"virtual_net",
-			"destinationIP":"10.0.0.1",
-			"unknownInPlugin":"value"
-		}
-	}`)
-
-	_, err := DecodeVisitorConfigurerJSON(data, DecodeOptions{DisallowUnknownFields: false})
-	require.NoError(err)
-
-	_, err = DecodeVisitorConfigurerJSON(data, DecodeOptions{DisallowUnknownFields: true})
-	require.ErrorContains(err, "unknownInPlugin")
-}
-
-func TestDecodeClientConfigJSON_StrictUnknownProxyField(t *testing.T) {
-	require := require.New(t)
-
-	data := []byte(`{
-		"serverPort":7000,
-		"proxies":[
-			{
-				"name":"p1",
-				"type":"tcp",
-				"localPort":10080,
-				"unknownField":"value"
-			}
-		]
-	}`)
-
-	_, err := DecodeClientConfigJSON(data, DecodeOptions{DisallowUnknownFields: false})
-	require.NoError(err)
-
-	_, err = DecodeClientConfigJSON(data, DecodeOptions{DisallowUnknownFields: true})
-	require.ErrorContains(err, "unknownField")
-}
--- a/pkg/config/v1/proxy.go
+++ b/pkg/config/v1/proxy.go
@@ -15,13 +15,16 @@
 package v1

 import (
-	"maps"
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
 	"reflect"
-	"slices"
+
+	"github.com/samber/lo"

 	"github.com/fatedier/frp/pkg/config/types"
 	"github.com/fatedier/frp/pkg/msg"
-	"github.com/fatedier/frp/pkg/util/jsonx"
 	"github.com/fatedier/frp/pkg/util/util"
 )

@@ -99,23 +102,11 @@ type HealthCheckConfig struct {
 	HTTPHeaders []HTTPHeader `json:"httpHeaders,omitempty"`
 }

-func (c HealthCheckConfig) Clone() HealthCheckConfig {
-	out := c
-	out.HTTPHeaders = slices.Clone(c.HTTPHeaders)
-	return out
-}
-
 type DomainConfig struct {
 	CustomDomains []string `json:"customDomains,omitempty"`
 	SubDomain     string   `json:"subdomain,omitempty"`
 }

-func (c DomainConfig) Clone() DomainConfig {
-	out := c
-	out.CustomDomains = slices.Clone(c.CustomDomains)
-	return out
-}
-
 type ProxyBaseConfig struct {
 	Name string `json:"name"`
 	Type string `json:"type"`
@@ -131,27 +122,12 @@ type ProxyBaseConfig struct {
 	ProxyBackend
 }

-func (c ProxyBaseConfig) Clone() ProxyBaseConfig {
-	out := c
-	out.Enabled = util.ClonePtr(c.Enabled)
-	out.Annotations = maps.Clone(c.Annotations)
-	out.Metadatas = maps.Clone(c.Metadatas)
-	out.HealthCheck = c.HealthCheck.Clone()
-	out.ProxyBackend = c.ProxyBackend.Clone()
-	return out
-}
-
-func (c ProxyBackend) Clone() ProxyBackend {
-	out := c
-	out.Plugin = c.Plugin.Clone()
-	return out
-}
-
 func (c *ProxyBaseConfig) GetBaseConfig() *ProxyBaseConfig {
 	return c
 }

-func (c *ProxyBaseConfig) Complete() {
+func (c *ProxyBaseConfig) Complete(namePrefix string) {
+	c.Name = lo.Ternary(namePrefix == "", "", namePrefix+".") + c.Name
 	c.LocalIP = util.EmptyOr(c.LocalIP, "127.0.0.1")
 	c.Transport.BandwidthLimitMode = util.EmptyOr(c.Transport.BandwidthLimitMode, types.BandwidthLimitModeClient)

@@ -199,24 +175,40 @@ type TypedProxyConfig struct {
 }

 func (c *TypedProxyConfig) UnmarshalJSON(b []byte) error {
-	configurer, err := DecodeProxyConfigurerJSON(b, DecodeOptions{})
-	if err != nil {
+	if len(b) == 4 && string(b) == "null" {
+		return errors.New("type is required")
+	}
+
+	typeStruct := struct {
+		Type string `json:"type"`
+	}{}
+	if err := json.Unmarshal(b, &typeStruct); err != nil {
 		return err
 	}

-	c.Type = configurer.GetBaseConfig().Type
+	c.Type = typeStruct.Type
+	configurer := NewProxyConfigurerByType(ProxyType(typeStruct.Type))
+	if configurer == nil {
+		return fmt.Errorf("unknown proxy type: %s", typeStruct.Type)
+	}
+	decoder := json.NewDecoder(bytes.NewBuffer(b))
+	if DisallowUnknownFields {
+		decoder.DisallowUnknownFields()
+	}
+	if err := decoder.Decode(configurer); err != nil {
+		return fmt.Errorf("unmarshal ProxyConfig error: %v", err)
+	}
 	c.ProxyConfigurer = configurer
 	return nil
 }

 func (c *TypedProxyConfig) MarshalJSON() ([]byte, error) {
-	return jsonx.Marshal(c.ProxyConfigurer)
+	return json.Marshal(c.ProxyConfigurer)
 }

 type ProxyConfigurer interface {
-	Complete()
+	Complete(namePrefix string)
 	GetBaseConfig() *ProxyBaseConfig
-	Clone() ProxyConfigurer
 	// MarshalToMsg marshals this config into a msg.NewProxy message. This
 	// function will be called on the frpc side.
 	MarshalToMsg(*msg.NewProxy)
@@ -239,14 +231,14 @@ const (
 )

 var proxyConfigTypeMap = map[ProxyType]reflect.Type{
-	ProxyTypeTCP:    reflect.TypeFor[TCPProxyConfig](),
-	ProxyTypeUDP:    reflect.TypeFor[UDPProxyConfig](),
-	ProxyTypeHTTP:   reflect.TypeFor[HTTPProxyConfig](),
-	ProxyTypeHTTPS:  reflect.TypeFor[HTTPSProxyConfig](),
-	ProxyTypeTCPMUX: reflect.TypeFor[TCPMuxProxyConfig](),
-	ProxyTypeSTCP:   reflect.TypeFor[STCPProxyConfig](),
-	ProxyTypeXTCP:   reflect.TypeFor[XTCPProxyConfig](),
-	ProxyTypeSUDP:   reflect.TypeFor[SUDPProxyConfig](),
+	ProxyTypeTCP:    reflect.TypeOf(TCPProxyConfig{}),
+	ProxyTypeUDP:    reflect.TypeOf(UDPProxyConfig{}),
+	ProxyTypeHTTP:   reflect.TypeOf(HTTPProxyConfig{}),
+	ProxyTypeHTTPS:  reflect.TypeOf(HTTPSProxyConfig{}),
+	ProxyTypeTCPMUX: reflect.TypeOf(TCPMuxProxyConfig{}),
+	ProxyTypeSTCP:   reflect.TypeOf(STCPProxyConfig{}),
+	ProxyTypeXTCP:   reflect.TypeOf(XTCPProxyConfig{}),
+	ProxyTypeSUDP:   reflect.TypeOf(SUDPProxyConfig{}),
 }

 func NewProxyConfigurerByType(proxyType ProxyType) ProxyConfigurer {
@@ -279,12 +271,6 @@ func (c *TCPProxyConfig) UnmarshalFromMsg(m *msg.NewProxy) {
 	c.RemotePort = m.RemotePort
 }

-func (c *TCPProxyConfig) Clone() ProxyConfigurer {
-	out := *c
-	out.ProxyBaseConfig = c.ProxyBaseConfig.Clone()
-	return &out
-}
-
 var _ ProxyConfigurer = &UDPProxyConfig{}

 type UDPProxyConfig struct {
@@ -305,12 +291,6 @@ func (c *UDPProxyConfig) UnmarshalFromMsg(m *msg.NewProxy) {
 	c.RemotePort = m.RemotePort
 }

-func (c *UDPProxyConfig) Clone() ProxyConfigurer {
-	out := *c
-	out.ProxyBaseConfig = c.ProxyBaseConfig.Clone()
-	return &out
-}
-
 var _ ProxyConfigurer = &HTTPProxyConfig{}

 type HTTPProxyConfig struct {
@@ -354,16 +334,6 @@ func (c *HTTPProxyConfig) UnmarshalFromMsg(m *msg.NewProxy) {
 	c.RouteByHTTPUser = m.RouteByHTTPUser
 }

-func (c *HTTPProxyConfig) Clone() ProxyConfigurer {
-	out := *c
-	out.ProxyBaseConfig = c.ProxyBaseConfig.Clone()
-	out.DomainConfig = c.DomainConfig.Clone()
-	out.Locations = slices.Clone(c.Locations)
-	out.RequestHeaders = c.RequestHeaders.Clone()
-	out.ResponseHeaders = c.ResponseHeaders.Clone()
-	return &out
-}
-
 var _ ProxyConfigurer = &HTTPSProxyConfig{}

 type HTTPSProxyConfig struct {
@@ -385,13 +355,6 @@ func (c *HTTPSProxyConfig) UnmarshalFromMsg(m *msg.NewProxy) {
 	c.SubDomain = m.SubDomain
 }

-func (c *HTTPSProxyConfig) Clone() ProxyConfigurer {
-	out := *c
-	out.ProxyBaseConfig = c.ProxyBaseConfig.Clone()
-	out.DomainConfig = c.DomainConfig.Clone()
-	return &out
-}
-
 type TCPMultiplexerType string

 const (
@@ -432,13 +395,6 @@ func (c *TCPMuxProxyConfig) UnmarshalFromMsg(m *msg.NewProxy) {
 	c.RouteByHTTPUser = m.RouteByHTTPUser
 }

-func (c *TCPMuxProxyConfig) Clone() ProxyConfigurer {
-	out := *c
-	out.ProxyBaseConfig = c.ProxyBaseConfig.Clone()
-	out.DomainConfig = c.DomainConfig.Clone()
-	return &out
-}
-
 var _ ProxyConfigurer = &STCPProxyConfig{}

 type STCPProxyConfig struct {
@@ -462,13 +418,6 @@ func (c *STCPProxyConfig) UnmarshalFromMsg(m *msg.NewProxy) {
 	c.AllowUsers = m.AllowUsers
 }

-func (c *STCPProxyConfig) Clone() ProxyConfigurer {
-	out := *c
-	out.ProxyBaseConfig = c.ProxyBaseConfig.Clone()
-	out.AllowUsers = slices.Clone(c.AllowUsers)
-	return &out
-}
-
 var _ ProxyConfigurer = &XTCPProxyConfig{}

 type XTCPProxyConfig struct {
@@ -495,14 +444,6 @@ func (c *XTCPProxyConfig) UnmarshalFromMsg(m *msg.NewProxy) {
 	c.AllowUsers = m.AllowUsers
 }

-func (c *XTCPProxyConfig) Clone() ProxyConfigurer {
-	out := *c
-	out.ProxyBaseConfig = c.ProxyBaseConfig.Clone()
-	out.AllowUsers = slices.Clone(c.AllowUsers)
-	out.NatTraversal = c.NatTraversal.Clone()
-	return &out
-}
-
 var _ ProxyConfigurer = &SUDPProxyConfig{}

 type SUDPProxyConfig struct {
@@ -525,10 +466,3 @@ func (c *SUDPProxyConfig) UnmarshalFromMsg(m *msg.NewProxy) {
 	c.Secretkey = m.Sk
 	c.AllowUsers = m.AllowUsers
 }
-
-func (c *SUDPProxyConfig) Clone() ProxyConfigurer {
-	out := *c
-	out.ProxyBaseConfig = c.ProxyBaseConfig.Clone()
-	out.AllowUsers = slices.Clone(c.AllowUsers)
-	return &out
-}
--- a/pkg/config/v1/proxy_plugin.go
+++ b/pkg/config/v1/proxy_plugin.go
@@ -15,11 +15,14 @@
 package v1

 import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
 	"reflect"

 	"github.com/samber/lo"

-	"github.com/fatedier/frp/pkg/util/jsonx"
 	"github.com/fatedier/frp/pkg/util/util"
 )

@@ -37,21 +40,20 @@ const (
 )

 var clientPluginOptionsTypeMap = map[string]reflect.Type{
-	PluginHTTP2HTTPS:       reflect.TypeFor[HTTP2HTTPSPluginOptions](),
-	PluginHTTPProxy:        reflect.TypeFor[HTTPProxyPluginOptions](),
-	PluginHTTPS2HTTP:       reflect.TypeFor[HTTPS2HTTPPluginOptions](),
-	PluginHTTPS2HTTPS:      reflect.TypeFor[HTTPS2HTTPSPluginOptions](),
-	PluginHTTP2HTTP:        reflect.TypeFor[HTTP2HTTPPluginOptions](),
-	PluginSocks5:           reflect.TypeFor[Socks5PluginOptions](),
-	PluginStaticFile:       reflect.TypeFor[StaticFilePluginOptions](),
-	PluginUnixDomainSocket: reflect.TypeFor[UnixDomainSocketPluginOptions](),
-	PluginTLS2Raw:          reflect.TypeFor[TLS2RawPluginOptions](),
-	PluginVirtualNet:       reflect.TypeFor[VirtualNetPluginOptions](),
+	PluginHTTP2HTTPS:       reflect.TypeOf(HTTP2HTTPSPluginOptions{}),
+	PluginHTTPProxy:        reflect.TypeOf(HTTPProxyPluginOptions{}),
+	PluginHTTPS2HTTP:       reflect.TypeOf(HTTPS2HTTPPluginOptions{}),
+	PluginHTTPS2HTTPS:      reflect.TypeOf(HTTPS2HTTPSPluginOptions{}),
+	PluginHTTP2HTTP:        reflect.TypeOf(HTTP2HTTPPluginOptions{}),
+	PluginSocks5:           reflect.TypeOf(Socks5PluginOptions{}),
+	PluginStaticFile:       reflect.TypeOf(StaticFilePluginOptions{}),
+	PluginUnixDomainSocket: reflect.TypeOf(UnixDomainSocketPluginOptions{}),
+	PluginTLS2Raw:          reflect.TypeOf(TLS2RawPluginOptions{}),
+	PluginVirtualNet:       reflect.TypeOf(VirtualNetPluginOptions{}),
 }

 type ClientPluginOptions interface {
 	Complete()
-	Clone() ClientPluginOptions
 }

 type TypedClientPluginOptions struct {
@@ -59,25 +61,43 @@ type TypedClientPluginOptions struct {
 	ClientPluginOptions
 }

-func (c TypedClientPluginOptions) Clone() TypedClientPluginOptions {
-	out := c
-	if c.ClientPluginOptions != nil {
-		out.ClientPluginOptions = c.ClientPluginOptions.Clone()
-	}
-	return out
-}
-
 func (c *TypedClientPluginOptions) UnmarshalJSON(b []byte) error {
-	decoded, err := DecodeClientPluginOptionsJSON(b, DecodeOptions{})
-	if err != nil {
+	if len(b) == 4 && string(b) == "null" {
+		return nil
+	}
+
+	typeStruct := struct {
+		Type string `json:"type"`
+	}{}
+	if err := json.Unmarshal(b, &typeStruct); err != nil {
 		return err
 	}
-	*c = decoded
+
+	c.Type = typeStruct.Type
+	if c.Type == "" {
+		return errors.New("plugin type is empty")
+	}
+
+	v, ok := clientPluginOptionsTypeMap[typeStruct.Type]
+	if !ok {
+		return fmt.Errorf("unknown plugin type: %s", typeStruct.Type)
+	}
+	options := reflect.New(v).Interface().(ClientPluginOptions)
+
+	decoder := json.NewDecoder(bytes.NewBuffer(b))
+	if DisallowUnknownFields {
+		decoder.DisallowUnknownFields()
+	}
+
+	if err := decoder.Decode(options); err != nil {
+		return fmt.Errorf("unmarshal ClientPluginOptions error: %v", err)
+	}
+	c.ClientPluginOptions = options
 	return nil
 }

 func (c *TypedClientPluginOptions) MarshalJSON() ([]byte, error) {
-	return jsonx.Marshal(c.ClientPluginOptions)
+	return json.Marshal(c.ClientPluginOptions)
 }

 type HTTP2HTTPSPluginOptions struct {
@@ -89,15 +109,6 @@ type HTTP2HTTPSPluginOptions struct {

 func (o *HTTP2HTTPSPluginOptions) Complete() {}

-func (o *HTTP2HTTPSPluginOptions) Clone() ClientPluginOptions {
-	if o == nil {
-		return nil
-	}
-	out := *o
-	out.RequestHeaders = o.RequestHeaders.Clone()
-	return &out
-}
-
 type HTTPProxyPluginOptions struct {
 	Type         string `json:"type,omitempty"`
 	HTTPUser     string `json:"httpUser,omitempty"`
@@ -106,12 +117,16 @@ type HTTPProxyPluginOptions struct {

 func (o *HTTPProxyPluginOptions) Complete() {}

-func (o *HTTPProxyPluginOptions) Clone() ClientPluginOptions {
-	if o == nil {
-		return nil
-	}
-	out := *o
-	return &out
+type AutoTLSOptions struct {
+	Enable bool `json:"enable,omitempty"`
+	// Contact email for certificate expiration and important notices.
+	Email string `json:"email,omitempty"`
+	// Directory used to cache ACME account and certificates.
+	CacheDir string `json:"cacheDir,omitempty"`
+	// ACME directory URL, e.g. Let's Encrypt staging/prod endpoint.
+	CADirURL string `json:"caDirURL,omitempty"`
+	// Restrict certificate issuance to the listed domains.
+	HostAllowList []string `json:"hostAllowList,omitempty"`
 }

 type HTTPS2HTTPPluginOptions struct {
@@ -122,22 +137,13 @@ type HTTPS2HTTPPluginOptions struct {
 	EnableHTTP2       *bool            `json:"enableHTTP2,omitempty"`
 	CrtPath           string           `json:"crtPath,omitempty"`
 	KeyPath           string           `json:"keyPath,omitempty"`
+	AutoTLS           *AutoTLSOptions  `json:"autoTLS,omitempty"`
 }

 func (o *HTTPS2HTTPPluginOptions) Complete() {
 	o.EnableHTTP2 = util.EmptyOr(o.EnableHTTP2, lo.ToPtr(true))
 }

-func (o *HTTPS2HTTPPluginOptions) Clone() ClientPluginOptions {
-	if o == nil {
-		return nil
-	}
-	out := *o
-	out.RequestHeaders = o.RequestHeaders.Clone()
-	out.EnableHTTP2 = util.ClonePtr(o.EnableHTTP2)
-	return &out
-}
-
 type HTTPS2HTTPSPluginOptions struct {
 	Type              string           `json:"type,omitempty"`
 	LocalAddr         string           `json:"localAddr,omitempty"`
@@ -146,22 +152,13 @@ type HTTPS2HTTPSPluginOptions struct {
 	EnableHTTP2       *bool            `json:"enableHTTP2,omitempty"`
 	CrtPath           string           `json:"crtPath,omitempty"`
 	KeyPath           string           `json:"keyPath,omitempty"`
+	AutoTLS           *AutoTLSOptions  `json:"autoTLS,omitempty"`
 }

 func (o *HTTPS2HTTPSPluginOptions) Complete() {
 	o.EnableHTTP2 = util.EmptyOr(o.EnableHTTP2, lo.ToPtr(true))
 }

-func (o *HTTPS2HTTPSPluginOptions) Clone() ClientPluginOptions {
-	if o == nil {
-		return nil
-	}
-	out := *o
-	out.RequestHeaders = o.RequestHeaders.Clone()
-	out.EnableHTTP2 = util.ClonePtr(o.EnableHTTP2)
-	return &out
-}
-
 type HTTP2HTTPPluginOptions struct {
 	Type              string           `json:"type,omitempty"`
 	LocalAddr         string           `json:"localAddr,omitempty"`
@@ -171,15 +168,6 @@ type HTTP2HTTPPluginOptions struct {

 func (o *HTTP2HTTPPluginOptions) Complete() {}

-func (o *HTTP2HTTPPluginOptions) Clone() ClientPluginOptions {
-	if o == nil {
-		return nil
-	}
-	out := *o
-	out.RequestHeaders = o.RequestHeaders.Clone()
-	return &out
-}
-
 type Socks5PluginOptions struct {
 	Type     string `json:"type,omitempty"`
 	Username string `json:"username,omitempty"`
@@ -188,14 +176,6 @@ type Socks5PluginOptions struct {

 func (o *Socks5PluginOptions) Complete() {}

-func (o *Socks5PluginOptions) Clone() ClientPluginOptions {
-	if o == nil {
-		return nil
-	}
-	out := *o
-	return &out
-}
-
 type StaticFilePluginOptions struct {
 	Type         string `json:"type,omitempty"`
 	LocalPath    string `json:"localPath,omitempty"`
@@ -206,14 +186,6 @@ type StaticFilePluginOptions struct {

 func (o *StaticFilePluginOptions) Complete() {}

-func (o *StaticFilePluginOptions) Clone() ClientPluginOptions {
-	if o == nil {
-		return nil
-	}
-	out := *o
-	return &out
-}
-
 type UnixDomainSocketPluginOptions struct {
 	Type     string `json:"type,omitempty"`
 	UnixPath string `json:"unixPath,omitempty"`
@@ -221,41 +193,18 @@ type UnixDomainSocketPluginOptions struct {

 func (o *UnixDomainSocketPluginOptions) Complete() {}

-func (o *UnixDomainSocketPluginOptions) Clone() ClientPluginOptions {
-	if o == nil {
-		return nil
-	}
-	out := *o
-	return &out
-}
-
 type TLS2RawPluginOptions struct {
-	Type      string `json:"type,omitempty"`
-	LocalAddr string `json:"localAddr,omitempty"`
-	CrtPath   string `json:"crtPath,omitempty"`
-	KeyPath   string `json:"keyPath,omitempty"`
+	Type      string          `json:"type,omitempty"`
+	LocalAddr string          `json:"localAddr,omitempty"`
+	CrtPath   string          `json:"crtPath,omitempty"`
+	KeyPath   string          `json:"keyPath,omitempty"`
+	AutoTLS   *AutoTLSOptions `json:"autoTLS,omitempty"`
 }

 func (o *TLS2RawPluginOptions) Complete() {}

-func (o *TLS2RawPluginOptions) Clone() ClientPluginOptions {
-	if o == nil {
-		return nil
-	}
-	out := *o
-	return &out
-}
-
 type VirtualNetPluginOptions struct {
 	Type string `json:"type,omitempty"`
 }

 func (o *VirtualNetPluginOptions) Complete() {}
-
-func (o *VirtualNetPluginOptions) Clone() ClientPluginOptions {
-	if o == nil {
-		return nil
-	}
-	out := *o
-	return &out
-}
--- a/pkg/config/v1/store.go
+++ b/pkg/config/v1/store.go
@@ -1,26 +0,0 @@
-// Copyright 2026 The frp Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package v1
-
-// StoreConfig configures the built-in store source.
-type StoreConfig struct {
-	// Path is the store file path.
-	Path string `json:"path,omitempty"`
-}
-
-// IsEnabled returns true if the store is configured with a valid path.
-func (c *StoreConfig) IsEnabled() bool {
-	return c.Path != ""
-}
--- a/pkg/config/v1/validation/plugin.go
+++ b/pkg/config/v1/validation/plugin.go
@@ -16,6 +16,8 @@ package validation

 import (
 	"errors"
+	"fmt"
+	"strings"

 	v1 "github.com/fatedier/frp/pkg/config/v1"
 )
@@ -49,6 +51,9 @@ func validateHTTPS2HTTPPluginOptions(c *v1.HTTPS2HTTPPluginOptions) error {
 	if c.LocalAddr == "" {
 		return errors.New("localAddr is required")
 	}
+	if err := validateAutoTLSOptions(c.AutoTLS, c.CrtPath, c.KeyPath); err != nil {
+		return fmt.Errorf("invalid autoTLS options: %w", err)
+	}
 	return nil
 }

@@ -56,6 +61,9 @@ func validateHTTPS2HTTPSPluginOptions(c *v1.HTTPS2HTTPSPluginOptions) error {
 	if c.LocalAddr == "" {
 		return errors.New("localAddr is required")
 	}
+	if err := validateAutoTLSOptions(c.AutoTLS, c.CrtPath, c.KeyPath); err != nil {
+		return fmt.Errorf("invalid autoTLS options: %w", err)
+	}
 	return nil
 }

@@ -77,5 +85,29 @@ func validateTLS2RawPluginOptions(c *v1.TLS2RawPluginOptions) error {
 	if c.LocalAddr == "" {
 		return errors.New("localAddr is required")
 	}
+	if err := validateAutoTLSOptions(c.AutoTLS, c.CrtPath, c.KeyPath); err != nil {
+		return fmt.Errorf("invalid autoTLS options: %w", err)
+	}
+	return nil
+}
+
+func validateAutoTLSOptions(c *v1.AutoTLSOptions, crtPath, keyPath string) error {
+	if c == nil || !c.Enable {
+		return nil
+	}
+
+	if crtPath != "" || keyPath != "" {
+		return errors.New("crtPath and keyPath must be empty when autoTLS.enable is true")
+	}
+	if strings.TrimSpace(c.CacheDir) == "" {
+		return errors.New("autoTLS.cacheDir is required when autoTLS.enable is true")
+	}
+	if len(c.HostAllowList) > 0 {
+		for _, host := range c.HostAllowList {
+			if strings.TrimSpace(host) == "" {
+				return errors.New("autoTLS.hostAllowList cannot contain empty domain")
+			}
+		}
+	}
 	return nil
 }
--- a/pkg/config/v1/validation/proxy.go
+++ b/pkg/config/v1/validation/proxy.go
@@ -81,7 +81,7 @@ func validateDomainConfigForClient(c *v1.DomainConfig) error {
 func validateDomainConfigForServer(c *v1.DomainConfig, s *v1.ServerConfig) error {
 	for _, domain := range c.CustomDomains {
 		if s.SubDomainHost != "" && len(strings.Split(s.SubDomainHost, ".")) < len(strings.Split(domain, ".")) {
-			if strings.HasSuffix(domain, "."+s.SubDomainHost) {
+			if strings.Contains(domain, s.SubDomainHost) {
 				return fmt.Errorf("custom domain [%s] should not belong to subdomain host [%s]", domain, s.SubDomainHost)
 			}
 		}
--- a/pkg/config/v1/visitor.go
+++ b/pkg/config/v1/visitor.go
@@ -15,9 +15,14 @@
 package v1

 import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
 	"reflect"

-	"github.com/fatedier/frp/pkg/util/jsonx"
+	"github.com/samber/lo"
+
 	"github.com/fatedier/frp/pkg/util/util"
 )

@@ -47,27 +52,31 @@ type VisitorBaseConfig struct {
 	Plugin TypedVisitorPluginOptions `json:"plugin,omitempty"`
 }

-func (c VisitorBaseConfig) Clone() VisitorBaseConfig {
-	out := c
-	out.Enabled = util.ClonePtr(c.Enabled)
-	out.Plugin = c.Plugin.Clone()
-	return out
-}
-
 func (c *VisitorBaseConfig) GetBaseConfig() *VisitorBaseConfig {
 	return c
 }

-func (c *VisitorBaseConfig) Complete() {
+func (c *VisitorBaseConfig) Complete(g *ClientCommonConfig) {
 	if c.BindAddr == "" {
 		c.BindAddr = "127.0.0.1"
 	}
+
+	namePrefix := ""
+	if g.User != "" {
+		namePrefix = g.User + "."
+	}
+	c.Name = namePrefix + c.Name
+
+	if c.ServerUser != "" {
+		c.ServerName = c.ServerUser + "." + c.ServerName
+	} else {
+		c.ServerName = namePrefix + c.ServerName
+	}
 }

 type VisitorConfigurer interface {
-	Complete()
+	Complete(*ClientCommonConfig)
 	GetBaseConfig() *VisitorBaseConfig
-	Clone() VisitorConfigurer
 }

 type VisitorType string
@@ -79,9 +88,9 @@ const (
 )

 var visitorConfigTypeMap = map[VisitorType]reflect.Type{
-	VisitorTypeSTCP: reflect.TypeFor[STCPVisitorConfig](),
-	VisitorTypeXTCP: reflect.TypeFor[XTCPVisitorConfig](),
-	VisitorTypeSUDP: reflect.TypeFor[SUDPVisitorConfig](),
+	VisitorTypeSTCP: reflect.TypeOf(STCPVisitorConfig{}),
+	VisitorTypeXTCP: reflect.TypeOf(XTCPVisitorConfig{}),
+	VisitorTypeSUDP: reflect.TypeOf(SUDPVisitorConfig{}),
 }

 type TypedVisitorConfig struct {
@@ -90,18 +99,35 @@ type TypedVisitorConfig struct {
 }

 func (c *TypedVisitorConfig) UnmarshalJSON(b []byte) error {
-	configurer, err := DecodeVisitorConfigurerJSON(b, DecodeOptions{})
-	if err != nil {
+	if len(b) == 4 && string(b) == "null" {
+		return errors.New("type is required")
+	}
+
+	typeStruct := struct {
+		Type string `json:"type"`
+	}{}
+	if err := json.Unmarshal(b, &typeStruct); err != nil {
 		return err
 	}

-	c.Type = configurer.GetBaseConfig().Type
+	c.Type = typeStruct.Type
+	configurer := NewVisitorConfigurerByType(VisitorType(typeStruct.Type))
+	if configurer == nil {
+		return fmt.Errorf("unknown visitor type: %s", typeStruct.Type)
+	}
+	decoder := json.NewDecoder(bytes.NewBuffer(b))
+	if DisallowUnknownFields {
+		decoder.DisallowUnknownFields()
+	}
+	if err := decoder.Decode(configurer); err != nil {
+		return fmt.Errorf("unmarshal VisitorConfig error: %v", err)
+	}
 	c.VisitorConfigurer = configurer
 	return nil
 }

 func (c *TypedVisitorConfig) MarshalJSON() ([]byte, error) {
-	return jsonx.Marshal(c.VisitorConfigurer)
+	return json.Marshal(c.VisitorConfigurer)
 }

 func NewVisitorConfigurerByType(t VisitorType) VisitorConfigurer {
@@ -120,24 +146,12 @@ type STCPVisitorConfig struct {
 	VisitorBaseConfig
 }

-func (c *STCPVisitorConfig) Clone() VisitorConfigurer {
-	out := *c
-	out.VisitorBaseConfig = c.VisitorBaseConfig.Clone()
-	return &out
-}
-
 var _ VisitorConfigurer = &SUDPVisitorConfig{}

 type SUDPVisitorConfig struct {
 	VisitorBaseConfig
 }

-func (c *SUDPVisitorConfig) Clone() VisitorConfigurer {
-	out := *c
-	out.VisitorBaseConfig = c.VisitorBaseConfig.Clone()
-	return &out
-}
-
 var _ VisitorConfigurer = &XTCPVisitorConfig{}

 type XTCPVisitorConfig struct {
@@ -154,18 +168,15 @@ type XTCPVisitorConfig struct {
 	NatTraversal *NatTraversalConfig `json:"natTraversal,omitempty"`
 }

-func (c *XTCPVisitorConfig) Complete() {
-	c.VisitorBaseConfig.Complete()
+func (c *XTCPVisitorConfig) Complete(g *ClientCommonConfig) {
+	c.VisitorBaseConfig.Complete(g)

 	c.Protocol = util.EmptyOr(c.Protocol, "quic")
 	c.MaxRetriesAnHour = util.EmptyOr(c.MaxRetriesAnHour, 8)
 	c.MinRetryInterval = util.EmptyOr(c.MinRetryInterval, 90)
 	c.FallbackTimeoutMs = util.EmptyOr(c.FallbackTimeoutMs, 1000)
-}

-func (c *XTCPVisitorConfig) Clone() VisitorConfigurer {
-	out := *c
-	out.VisitorBaseConfig = c.VisitorBaseConfig.Clone()
-	out.NatTraversal = c.NatTraversal.Clone()
-	return &out
+	if c.FallbackTo != "" {
+		c.FallbackTo = lo.Ternary(g.User == "", "", g.User+".") + c.FallbackTo
+	}
 }
--- a/pkg/config/v1/visitor_plugin.go
+++ b/pkg/config/v1/visitor_plugin.go
@@ -15,9 +15,11 @@
 package v1

 import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
 	"reflect"
-
-	"github.com/fatedier/frp/pkg/util/jsonx"
 )

 const (
@@ -25,12 +27,11 @@ const (
 )

 var visitorPluginOptionsTypeMap = map[string]reflect.Type{
-	VisitorPluginVirtualNet: reflect.TypeFor[VirtualNetVisitorPluginOptions](),
+	VisitorPluginVirtualNet: reflect.TypeOf(VirtualNetVisitorPluginOptions{}),
 }

 type VisitorPluginOptions interface {
 	Complete()
-	Clone() VisitorPluginOptions
 }

 type TypedVisitorPluginOptions struct {
@@ -38,25 +39,43 @@ type TypedVisitorPluginOptions struct {
 	VisitorPluginOptions
 }

-func (c TypedVisitorPluginOptions) Clone() TypedVisitorPluginOptions {
-	out := c
-	if c.VisitorPluginOptions != nil {
-		out.VisitorPluginOptions = c.VisitorPluginOptions.Clone()
-	}
-	return out
-}
-
 func (c *TypedVisitorPluginOptions) UnmarshalJSON(b []byte) error {
-	decoded, err := DecodeVisitorPluginOptionsJSON(b, DecodeOptions{})
-	if err != nil {
+	if len(b) == 4 && string(b) == "null" {
+		return nil
+	}
+
+	typeStruct := struct {
+		Type string `json:"type"`
+	}{}
+	if err := json.Unmarshal(b, &typeStruct); err != nil {
 		return err
 	}
-	*c = decoded
+
+	c.Type = typeStruct.Type
+	if c.Type == "" {
+		return errors.New("visitor plugin type is empty")
+	}
+
+	v, ok := visitorPluginOptionsTypeMap[typeStruct.Type]
+	if !ok {
+		return fmt.Errorf("unknown visitor plugin type: %s", typeStruct.Type)
+	}
+	options := reflect.New(v).Interface().(VisitorPluginOptions)
+
+	decoder := json.NewDecoder(bytes.NewBuffer(b))
+	if DisallowUnknownFields {
+		decoder.DisallowUnknownFields()
+	}
+
+	if err := decoder.Decode(options); err != nil {
+		return fmt.Errorf("unmarshal VisitorPluginOptions error: %v", err)
+	}
+	c.VisitorPluginOptions = options
 	return nil
 }

 func (c *TypedVisitorPluginOptions) MarshalJSON() ([]byte, error) {
-	return jsonx.Marshal(c.VisitorPluginOptions)
+	return json.Marshal(c.VisitorPluginOptions)
 }

 type VirtualNetVisitorPluginOptions struct {
@@ -65,11 +84,3 @@ type VirtualNetVisitorPluginOptions struct {
 }

 func (o *VirtualNetVisitorPluginOptions) Complete() {}
-
-func (o *VirtualNetVisitorPluginOptions) Clone() VisitorPluginOptions {
-	if o == nil {
-		return nil
-	}
-	out := *o
-	return &out
-}
--- a/pkg/metrics/mem/server.go
+++ b/pkg/metrics/mem/server.go
@@ -143,6 +143,7 @@ func (m *serverMetrics) OpenConnection(name string, _ string) {
 	proxyStats, ok := m.info.ProxyStatistics[name]
 	if ok {
 		proxyStats.CurConns.Inc(1)
+		m.info.ProxyStatistics[name] = proxyStats
 	}
 }

@@ -154,6 +155,7 @@ func (m *serverMetrics) CloseConnection(name string, _ string) {
 	proxyStats, ok := m.info.ProxyStatistics[name]
 	if ok {
 		proxyStats.CurConns.Dec(1)
+		m.info.ProxyStatistics[name] = proxyStats
 	}
 }

@@ -166,6 +168,7 @@ func (m *serverMetrics) AddTrafficIn(name string, _ string, trafficBytes int64)
 	proxyStats, ok := m.info.ProxyStatistics[name]
 	if ok {
 		proxyStats.TrafficIn.Inc(trafficBytes)
+		m.info.ProxyStatistics[name] = proxyStats
 	}
 }

@@ -178,6 +181,7 @@ func (m *serverMetrics) AddTrafficOut(name string, _ string, trafficBytes int64)
 	proxyStats, ok := m.info.ProxyStatistics[name]
 	if ok {
 		proxyStats.TrafficOut.Inc(trafficBytes)
+		m.info.ProxyStatistics[name] = proxyStats
 	}
 }

@@ -199,35 +203,33 @@ func (m *serverMetrics) GetServer() *ServerStats {
 	return s
 }

-func toProxyStats(name string, proxyStats *ProxyStatistics) *ProxyStats {
-	ps := &ProxyStats{
-		Name:            name,
-		Type:            proxyStats.ProxyType,
-		User:            proxyStats.User,
-		ClientID:        proxyStats.ClientID,
-		TodayTrafficIn:  proxyStats.TrafficIn.TodayCount(),
-		TodayTrafficOut: proxyStats.TrafficOut.TodayCount(),
-		CurConns:        int64(proxyStats.CurConns.Count()),
-	}
-	if !proxyStats.LastStartTime.IsZero() {
-		ps.LastStartTime = proxyStats.LastStartTime.Format("01-02 15:04:05")
-	}
-	if !proxyStats.LastCloseTime.IsZero() {
-		ps.LastCloseTime = proxyStats.LastCloseTime.Format("01-02 15:04:05")
-	}
-	return ps
-}
-
 func (m *serverMetrics) GetProxiesByType(proxyType string) []*ProxyStats {
 	res := make([]*ProxyStats, 0)
 	m.mu.Lock()
 	defer m.mu.Unlock()

+	filterAll := proxyType == "" || proxyType == "all"
 	for name, proxyStats := range m.info.ProxyStatistics {
-		if proxyStats.ProxyType != proxyType {
+		if !filterAll && proxyStats.ProxyType != proxyType {
 			continue
 		}
-		res = append(res, toProxyStats(name, proxyStats))
+
+		ps := &ProxyStats{
+			Name:            name,
+			Type:            proxyStats.ProxyType,
+			User:            proxyStats.User,
+			ClientID:        proxyStats.ClientID,
+			TodayTrafficIn:  proxyStats.TrafficIn.TodayCount(),
+			TodayTrafficOut: proxyStats.TrafficOut.TodayCount(),
+			CurConns:        int64(proxyStats.CurConns.Count()),
+		}
+		if !proxyStats.LastStartTime.IsZero() {
+			ps.LastStartTime = proxyStats.LastStartTime.Format("01-02 15:04:05")
+		}
+		if !proxyStats.LastCloseTime.IsZero() {
+			ps.LastCloseTime = proxyStats.LastCloseTime.Format("01-02 15:04:05")
+		}
+		res = append(res, ps)
 	}
 	return res
 }
@@ -236,9 +238,32 @@ func (m *serverMetrics) GetProxiesByTypeAndName(proxyType string, proxyName stri
 	m.mu.Lock()
 	defer m.mu.Unlock()

-	proxyStats, ok := m.info.ProxyStatistics[proxyName]
-	if ok && proxyStats.ProxyType == proxyType {
-		res = toProxyStats(proxyName, proxyStats)
+	filterAll := proxyType == "" || proxyType == "all"
+	for name, proxyStats := range m.info.ProxyStatistics {
+		if !filterAll && proxyStats.ProxyType != proxyType {
+			continue
+		}
+
+		if name != proxyName {
+			continue
+		}
+
+		res = &ProxyStats{
+			Name:            name,
+			Type:            proxyStats.ProxyType,
+			User:            proxyStats.User,
+			ClientID:        proxyStats.ClientID,
+			TodayTrafficIn:  proxyStats.TrafficIn.TodayCount(),
+			TodayTrafficOut: proxyStats.TrafficOut.TodayCount(),
+			CurConns:        int64(proxyStats.CurConns.Count()),
+		}
+		if !proxyStats.LastStartTime.IsZero() {
+			res.LastStartTime = proxyStats.LastStartTime.Format("01-02 15:04:05")
+		}
+		if !proxyStats.LastCloseTime.IsZero() {
+			res.LastCloseTime = proxyStats.LastCloseTime.Format("01-02 15:04:05")
+		}
+		break
 	}
 	return
 }
@@ -249,7 +274,21 @@ func (m *serverMetrics) GetProxyByName(proxyName string) (res *ProxyStats) {

 	proxyStats, ok := m.info.ProxyStatistics[proxyName]
 	if ok {
-		res = toProxyStats(proxyName, proxyStats)
+		res = &ProxyStats{
+			Name:            proxyName,
+			Type:            proxyStats.ProxyType,
+			User:            proxyStats.User,
+			ClientID:        proxyStats.ClientID,
+			TodayTrafficIn:  proxyStats.TrafficIn.TodayCount(),
+			TodayTrafficOut: proxyStats.TrafficOut.TodayCount(),
+			CurConns:        int64(proxyStats.CurConns.Count()),
+		}
+		if !proxyStats.LastStartTime.IsZero() {
+			res.LastStartTime = proxyStats.LastStartTime.Format("01-02 15:04:05")
+		}
+		if !proxyStats.LastCloseTime.IsZero() {
+			res.LastCloseTime = proxyStats.LastCloseTime.Format("01-02 15:04:05")
+		}
 	}
 	return
 }
--- a/pkg/msg/msg.go
+++ b/pkg/msg/msg.go
@@ -61,7 +61,7 @@ var msgTypeMap = map[byte]any{
 	TypeNatHoleReport:      NatHoleReport{},
 }

-var TypeNameNatHoleResp = reflect.TypeFor[NatHoleResp]().Name()
+var TypeNameNatHoleResp = reflect.TypeOf(&NatHoleResp{}).Elem().Name()

 type ClientSpec struct {
 	// Due to the support of VirtualClient, frps needs to know the client type in order to
@@ -184,7 +184,7 @@ type Pong struct {
 }

 type UDPPacket struct {
-	Content    []byte       `json:"c,omitempty"`
+	Content    string       `json:"c,omitempty"`
 	LocalAddr  *net.UDPAddr `json:"l,omitempty"`
 	RemoteAddr *net.UDPAddr `json:"r,omitempty"`
 }
--- a/pkg/naming/names.go
+++ b/pkg/naming/names.go
@@ -1,32 +0,0 @@
-package naming
-
-import "strings"
-
-// AddUserPrefix builds the wire-level proxy name for frps by prefixing user.
-func AddUserPrefix(user, name string) string {
-	if user == "" {
-		return name
-	}
-	return user + "." + name
-}
-
-// StripUserPrefix converts a wire-level proxy name to an internal raw name.
-// It strips only one exact "{user}." prefix.
-func StripUserPrefix(user, name string) string {
-	if user == "" {
-		return name
-	}
-	if trimmed, ok := strings.CutPrefix(name, user+"."); ok {
-		return trimmed
-	}
-	return name
-}
-
-// BuildTargetServerProxyName resolves visitor target proxy name for wire-level
-// protocol messages. serverUser overrides local user when set.
-func BuildTargetServerProxyName(localUser, serverUser, serverName string) string {
-	if serverUser != "" {
-		return AddUserPrefix(serverUser, serverName)
-	}
-	return AddUserPrefix(localUser, serverName)
-}
--- a/pkg/naming/names_test.go
+++ b/pkg/naming/names_test.go
@@ -1,27 +0,0 @@
-package naming
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestAddUserPrefix(t *testing.T) {
-	require := require.New(t)
-	require.Equal("test", AddUserPrefix("", "test"))
-	require.Equal("alice.test", AddUserPrefix("alice", "test"))
-}
-
-func TestStripUserPrefix(t *testing.T) {
-	require := require.New(t)
-	require.Equal("test", StripUserPrefix("", "test"))
-	require.Equal("test", StripUserPrefix("alice", "alice.test"))
-	require.Equal("alice.test", StripUserPrefix("alice", "alice.alice.test"))
-	require.Equal("bob.test", StripUserPrefix("alice", "bob.test"))
-}
-
-func TestBuildTargetServerProxyName(t *testing.T) {
-	require := require.New(t)
-	require.Equal("alice.test", BuildTargetServerProxyName("alice", "", "test"))
-	require.Equal("bob.test", BuildTargetServerProxyName("alice", "bob", "test"))
-}
--- a/pkg/nathole/analysis.go
+++ b/pkg/nathole/analysis.go
@@ -151,7 +151,7 @@ func getBehaviorScoresByMode(mode int, defaultScore int) []*BehaviorScore {
 func getBehaviorScoresByMode2(mode int, senderScore, receiverScore int) []*BehaviorScore {
 	behaviors := getBehaviorByMode(mode)
 	scores := make([]*BehaviorScore, 0, len(behaviors))
-	for i := range behaviors {
+	for i := 0; i < len(behaviors); i++ {
 		score := receiverScore
 		if behaviors[i].A.Role == DetectRoleSender {
 			score = senderScore
--- a/pkg/nathole/classify.go
+++ b/pkg/nathole/classify.go
@@ -70,8 +70,12 @@ func ClassifyNATFeature(addresses []string, localIPs []string) (*NatFeature, err
 			continue
 		}

-		portMax = max(portMax, portNum)
-		portMin = min(portMin, portNum)
+		if portNum > portMax {
+			portMax = portNum
+		}
+		if portNum < portMin {
+			portMin = portNum
+		}
 		if baseIP != ip {
 			ipChanged = true
 		}
--- a/pkg/nathole/controller.go
+++ b/pkg/nathole/controller.go
@@ -152,9 +152,7 @@ func (c *Controller) GenSid() string {

 func (c *Controller) HandleVisitor(m *msg.NatHoleVisitor, transporter transport.MessageTransporter, visitorUser string) {
 	if m.PreCheck {
-		c.mu.RLock()
 		cfg, ok := c.clientCfgs[m.ProxyName]
-		c.mu.RUnlock()
 		if !ok {
 			_ = transporter.Send(c.GenNatHoleResponse(m.TransactionID, nil, fmt.Sprintf("xtcp server for [%s] doesn't exist", m.ProxyName)))
 			return
@@ -222,7 +220,7 @@ func (c *Controller) HandleVisitor(m *msg.NatHoleVisitor, transporter transport.
 	// Make hole-punching decisions based on the NAT information of the client and visitor.
 	vResp, cResp, err := c.analysis(session)
 	if err != nil {
-		log.Debugf("sid [%s] analysis error: %v", err)
+		log.Debugf("sid [%s] analysis error: %v", sid, err)
 		vResp = c.GenNatHoleResponse(session.visitorMsg.TransactionID, nil, err.Error())
 		cResp = c.GenNatHoleResponse(session.clientMsg.TransactionID, nil, err.Error())
 	}
@@ -377,7 +375,7 @@ func getRangePorts(addrs []string, difference, maxNumber int) []msg.PortsRange {
 	if !isLast {
 		return nil
 	}
-	ports := make([]msg.PortsRange, 0, 1)
+	var ports []msg.PortsRange
 	_, portStr, err := net.SplitHostPort(addr)
 	if err != nil {
 		return nil
--- a/pkg/nathole/nathole.go
+++ b/pkg/nathole/nathole.go
@@ -298,13 +298,11 @@ func waitDetectMessage(
 		n, raddr, err := conn.ReadFromUDP(buf)
 		_ = conn.SetReadDeadline(time.Time{})
 		if err != nil {
-			pool.PutBuf(buf)
 			return nil, err
 		}
 		xl.Debugf("get udp message local %s, from %s", conn.LocalAddr(), raddr)
 		var m msg.NatHoleSid
 		if err := DecodeMessageInto(buf[:n], key, &m); err != nil {
-			pool.PutBuf(buf)
 			xl.Warnf("decode sid message error: %v", err)
 			continue
 		}
@@ -410,7 +408,7 @@ func sendSidMessageToRandomPorts(
 	xl := xlog.FromContextSafe(ctx)
 	used := sets.New[int]()
 	getUnusedPort := func() int {
-		for range 10 {
+		for i := 0; i < 10; i++ {
 			port := rand.IntN(65535-1024) + 1024
 			if !used.Has(port) {
 				used.Insert(port)
@@ -420,7 +418,7 @@ func sendSidMessageToRandomPorts(
 		return 0
 	}

-	for range count {
+	for i := 0; i < count; i++ {
 		select {
 		case <-ctx.Done():
 			return
--- a/pkg/plugin/client/autotls.go
+++ b/pkg/plugin/client/autotls.go
@@ -0,0 +1,212 @@
+// Copyright 2026 The frp Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build !frps
+
+package client
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"os"
+	"strings"
+	"sync"
+	"time"
+
+	"golang.org/x/crypto/acme"
+	"golang.org/x/crypto/acme/autocert"
+
+	v1 "github.com/fatedier/frp/pkg/config/v1"
+	"github.com/fatedier/frp/pkg/util/log"
+)
+
+func buildAutoTLSServerConfigWithHosts(pluginName string, auto *v1.AutoTLSOptions, fallbackHosts []string) (*tls.Config, error) {
+	if auto == nil || !auto.Enable {
+		return nil, fmt.Errorf("插件 %s 未启用 autoTLS", pluginName)
+	}
+
+	if err := os.MkdirAll(auto.CacheDir, 0o700); err != nil {
+		return nil, fmt.Errorf("插件 %s 创建 autoTLS 缓存目录失败: %w", pluginName, err)
+	}
+
+	hostSet := make(map[string]struct{})
+	hosts := make([]string, 0, len(auto.HostAllowList))
+	addHost := func(host string) {
+		host = strings.TrimSpace(strings.ToLower(host))
+		if host == "" {
+			return
+		}
+		if strings.Contains(host, "*") {
+			log.Warnf("[autoTLS][%s] 域名 [%s] 含通配符，自动申请不支持，已忽略", pluginName, host)
+			return
+		}
+		if _, ok := hostSet[host]; ok {
+			return
+		}
+		hostSet[host] = struct{}{}
+		hosts = append(hosts, host)
+	}
+
+	for _, host := range auto.HostAllowList {
+		addHost(host)
+	}
+	if len(hosts) == 0 {
+		for _, host := range fallbackHosts {
+			addHost(host)
+		}
+	}
+	if len(hosts) == 0 {
+		return nil, fmt.Errorf("插件 %s 的 hostAllowList 为空；请设置 autoTLS.hostAllowList 或 customDomains", pluginName)
+	}
+
+	manager := &autocert.Manager{
+		Prompt:     autocert.AcceptTOS,
+		Email:      strings.TrimSpace(auto.Email),
+		HostPolicy: autocert.HostWhitelist(hosts...),
+	}
+	caDirURL := strings.TrimSpace(auto.CADirURL)
+	if caDirURL != "" {
+		manager.Client = &acme.Client{DirectoryURL: caDirURL}
+	} else {
+		caDirURL = autocert.DefaultACMEDirectory
+	}
+	managedHosts := make(map[string]struct{}, len(hosts))
+	for _, host := range hosts {
+		managedHosts[host] = struct{}{}
+	}
+	var warmupInProgress sync.Map
+	var warmupMissLogged sync.Map
+	manager.Cache = &autoTLSCache{
+		inner:            autocert.DirCache(auto.CacheDir),
+		managedHosts:     managedHosts,
+		pluginName:       pluginName,
+		caDirURL:         caDirURL,
+		warmupInProgress: &warmupInProgress,
+		warmupMissLogged: &warmupMissLogged,
+	}
+
+	cfg := manager.TLSConfig()
+	log.Infof("[autoTLS][%s] 已启用 autoTLS，管理域名=%v，缓存目录=%s", pluginName, hosts, auto.CacheDir)
+
+	var readySeen sync.Map
+
+	handleCertReady := func(host string, cert *tls.Certificate) {
+		var (
+			notAfter  time.Time
+			hasExpiry bool
+		)
+		if t, ok := getCertificateNotAfter(cert); ok {
+			notAfter = t
+			hasExpiry = true
+		}
+
+		_, readyLogged := readySeen.LoadOrStore(host, struct{}{})
+		if hasExpiry {
+			if !readyLogged {
+				log.Infof("[autoTLS][%s] 域名 [%s] 证书已就绪，过期时间 %s", pluginName, host, notAfter.Format(time.RFC3339))
+			}
+		} else if !readyLogged {
+			log.Infof("[autoTLS][%s] 域名 [%s] 证书已就绪", pluginName, host)
+		}
+	}
+
+	cfg.GetCertificate = func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		host := strings.TrimSpace(strings.ToLower(hello.ServerName))
+		if host == "" {
+			host = "<空SNI>"
+		}
+
+		cert, err := manager.GetCertificate(hello)
+		if err != nil {
+			log.Warnf("[autoTLS][%s] 获取域名 [%s] 证书失败: %v", pluginName, host, err)
+			return nil, err
+		}
+		handleCertReady(host, cert)
+		return cert, nil
+	}
+
+	// Warm up certificates in background after startup.
+	for _, host := range hosts {
+		h := host
+		go func() {
+			// Leave time for listener setup and route registration.
+			time.Sleep(1 * time.Second)
+			warmupMissLogged.Delete(h)
+			warmupInProgress.Store(h, struct{}{})
+			cert, err := manager.GetCertificate(&tls.ClientHelloInfo{ServerName: h})
+			warmupInProgress.Delete(h)
+			if err != nil {
+				log.Warnf("[autoTLS][%s] 域名 [%s] 预申请失败: %v", pluginName, h, err)
+				return
+			}
+			handleCertReady(h, cert)
+		}()
+	}
+	return cfg, nil
+}
+
+func getCertificateNotAfter(cert *tls.Certificate) (time.Time, bool) {
+	if cert == nil {
+		return time.Time{}, false
+	}
+	if cert.Leaf != nil {
+		return cert.Leaf.NotAfter, true
+	}
+	if len(cert.Certificate) == 0 {
+		return time.Time{}, false
+	}
+	leaf, err := x509.ParseCertificate(cert.Certificate[0])
+	if err != nil {
+		return time.Time{}, false
+	}
+	return leaf.NotAfter, true
+}
+
+type autoTLSCache struct {
+	inner            autocert.Cache
+	managedHosts     map[string]struct{}
+	pluginName       string
+	caDirURL         string
+	warmupInProgress *sync.Map
+	warmupMissLogged *sync.Map
+}
+
+func (c *autoTLSCache) Get(ctx context.Context, key string) ([]byte, error) {
+	data, err := c.inner.Get(ctx, key)
+	if err != autocert.ErrCacheMiss {
+		return data, err
+	}
+
+	host := strings.TrimSuffix(key, "+rsa")
+	if _, ok := c.managedHosts[host]; !ok {
+		return data, err
+	}
+	if _, warming := c.warmupInProgress.Load(host); !warming {
+		return data, err
+	}
+	if _, loaded := c.warmupMissLogged.LoadOrStore(host, struct{}{}); !loaded {
+		log.Infof("[autoTLS][%s] 开始预申请域名 [%s] 证书，申请方式=TLS-ALPN-01，caDirURL=%s", c.pluginName, host, c.caDirURL)
+	}
+	return data, err
+}
+
+func (c *autoTLSCache) Put(ctx context.Context, key string, data []byte) error {
+	return c.inner.Put(ctx, key, data)
+}
+
+func (c *autoTLSCache) Delete(ctx context.Context, key string) error {
+	return c.inner.Delete(ctx, key)
+}
--- a/pkg/plugin/client/http2http.go
+++ b/pkg/plugin/client/http2http.go
@@ -21,7 +21,6 @@ import (
 	stdlog "log"
 	"net/http"
 	"net/http/httputil"
-	"time"

 	"github.com/fatedier/golib/pool"

@@ -69,7 +68,7 @@ func NewHTTP2HTTPPlugin(_ PluginContext, options v1.ClientPluginOptions) (Plugin

 	p.s = &http.Server{
 		Handler:           rp,
-		ReadHeaderTimeout: 60 * time.Second,
+		ReadHeaderTimeout: 0,
 	}

 	go func() {
--- a/pkg/plugin/client/http2https.go
+++ b/pkg/plugin/client/http2https.go
@@ -22,7 +22,6 @@ import (
 	stdlog "log"
 	"net/http"
 	"net/http/httputil"
-	"time"

 	"github.com/fatedier/golib/pool"

@@ -78,7 +77,7 @@ func NewHTTP2HTTPSPlugin(_ PluginContext, options v1.ClientPluginOptions) (Plugi

 	p.s = &http.Server{
 		Handler:           rp,
-		ReadHeaderTimeout: 60 * time.Second,
+		ReadHeaderTimeout: 0,
 	}

 	go func() {
--- a/pkg/plugin/client/https2http.go
+++ b/pkg/plugin/client/https2http.go
@@ -46,7 +46,7 @@ type HTTPS2HTTPPlugin struct {
 	s *http.Server
 }

-func NewHTTPS2HTTPPlugin(_ PluginContext, options v1.ClientPluginOptions) (Plugin, error) {
+func NewHTTPS2HTTPPlugin(pluginCtx PluginContext, options v1.ClientPluginOptions) (Plugin, error) {
 	opts := options.(*v1.HTTPS2HTTPPluginOptions)
 	listener := NewProxyListener()

@@ -84,9 +84,18 @@ func NewHTTPS2HTTPPlugin(_ PluginContext, options v1.ClientPluginOptions) (Plugi
 		rp.ServeHTTP(w, r)
 	})

-	tlsConfig, err := transport.NewServerTLSConfig(p.opts.CrtPath, p.opts.KeyPath, "")
-	if err != nil {
-		return nil, fmt.Errorf("gen TLS config error: %v", err)
+	var tlsConfig *tls.Config
+	var err error
+	if p.opts.AutoTLS != nil && p.opts.AutoTLS.Enable {
+		tlsConfig, err = buildAutoTLSServerConfigWithHosts(pluginCtx.Name, p.opts.AutoTLS, pluginCtx.HostAllowList)
+		if err != nil {
+			return nil, fmt.Errorf("build autoTLS config error: %v", err)
+		}
+	} else {
+		tlsConfig, err = transport.NewServerTLSConfig(p.opts.CrtPath, p.opts.KeyPath, "")
+		if err != nil {
+			return nil, fmt.Errorf("gen TLS config error: %v", err)
+		}
 	}

 	p.s = &http.Server{
--- a/pkg/plugin/client/https2https.go
+++ b/pkg/plugin/client/https2https.go
@@ -46,7 +46,7 @@ type HTTPS2HTTPSPlugin struct {
 	s *http.Server
 }

-func NewHTTPS2HTTPSPlugin(_ PluginContext, options v1.ClientPluginOptions) (Plugin, error) {
+func NewHTTPS2HTTPSPlugin(pluginCtx PluginContext, options v1.ClientPluginOptions) (Plugin, error) {
 	opts := options.(*v1.HTTPS2HTTPSPluginOptions)

 	listener := NewProxyListener()
@@ -90,9 +90,18 @@ func NewHTTPS2HTTPSPlugin(_ PluginContext, options v1.ClientPluginOptions) (Plug
 		rp.ServeHTTP(w, r)
 	})

-	tlsConfig, err := transport.NewServerTLSConfig(p.opts.CrtPath, p.opts.KeyPath, "")
-	if err != nil {
-		return nil, fmt.Errorf("gen TLS config error: %v", err)
+	var tlsConfig *tls.Config
+	var err error
+	if p.opts.AutoTLS != nil && p.opts.AutoTLS.Enable {
+		tlsConfig, err = buildAutoTLSServerConfigWithHosts(pluginCtx.Name, p.opts.AutoTLS, pluginCtx.HostAllowList)
+		if err != nil {
+			return nil, fmt.Errorf("build autoTLS config error: %v", err)
+		}
+	} else {
+		tlsConfig, err = transport.NewServerTLSConfig(p.opts.CrtPath, p.opts.KeyPath, "")
+		if err != nil {
+			return nil, fmt.Errorf("gen TLS config error: %v", err)
+		}
 	}

 	p.s = &http.Server{
--- a/pkg/plugin/client/plugin.go
+++ b/pkg/plugin/client/plugin.go
@@ -30,6 +30,7 @@ import (

 type PluginContext struct {
 	Name           string
+	HostAllowList  []string
 	VnetController *vnet.Controller
 }

--- a/pkg/plugin/client/tls2raw.go
+++ b/pkg/plugin/client/tls2raw.go
@@ -39,16 +39,25 @@ type TLS2RawPlugin struct {
 	tlsConfig *tls.Config
 }

-func NewTLS2RawPlugin(_ PluginContext, options v1.ClientPluginOptions) (Plugin, error) {
+func NewTLS2RawPlugin(pluginCtx PluginContext, options v1.ClientPluginOptions) (Plugin, error) {
 	opts := options.(*v1.TLS2RawPluginOptions)

 	p := &TLS2RawPlugin{
 		opts: opts,
 	}

-	tlsConfig, err := transport.NewServerTLSConfig(p.opts.CrtPath, p.opts.KeyPath, "")
-	if err != nil {
-		return nil, err
+	var tlsConfig *tls.Config
+	var err error
+	if p.opts.AutoTLS != nil && p.opts.AutoTLS.Enable {
+		tlsConfig, err = buildAutoTLSServerConfigWithHosts(pluginCtx.Name, p.opts.AutoTLS, pluginCtx.HostAllowList)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		tlsConfig, err = transport.NewServerTLSConfig(p.opts.CrtPath, p.opts.KeyPath, "")
+		if err != nil {
+			return nil, err
+		}
 	}
 	p.tlsConfig = tlsConfig
 	return p, nil
@@ -62,13 +71,11 @@ func (p *TLS2RawPlugin) Handle(ctx context.Context, connInfo *ConnectionInfo) {

 	if err := tlsConn.Handshake(); err != nil {
 		xl.Warnf("tls handshake error: %v", err)
-		tlsConn.Close()
 		return
 	}
 	rawConn, err := net.Dial("tcp", p.opts.LocalAddr)
 	if err != nil {
 		xl.Warnf("dial to local addr error: %v", err)
-		tlsConn.Close()
 		return
 	}

--- a/pkg/plugin/client/unix_domain_socket.go
+++ b/pkg/plugin/client/unix_domain_socket.go
@@ -54,13 +54,10 @@ func (uds *UnixDomainSocketPlugin) Handle(ctx context.Context, connInfo *Connect
 	localConn, err := net.DialUnix("unix", nil, uds.UnixAddr)
 	if err != nil {
 		xl.Warnf("dial to uds %s error: %v", uds.UnixAddr, err)
-		connInfo.Conn.Close()
 		return
 	}
 	if connInfo.ProxyProtocolHeader != nil {
 		if _, err := connInfo.ProxyProtocolHeader.WriteTo(localConn); err != nil {
-			localConn.Close()
-			connInfo.Conn.Close()
 			return
 		}
 	}
--- a/pkg/plugin/server/http.go
+++ b/pkg/plugin/server/http.go
@@ -24,7 +24,6 @@ import (
 	"net/http"
 	"net/url"
 	"reflect"
-	"slices"
 	"strings"

 	v1 "github.com/fatedier/frp/pkg/config/v1"
@@ -65,7 +64,12 @@ func (p *httpPlugin) Name() string {
 }

 func (p *httpPlugin) IsSupport(op string) bool {
-	return slices.Contains(p.options.Ops, op)
+	for _, v := range p.options.Ops {
+		if v == op {
+			return true
+		}
+	}
+	return false
 }

 func (p *httpPlugin) Handle(ctx context.Context, op string, content any) (*Response, any, error) {
--- a/pkg/plugin/visitor/virtual_net.go
+++ b/pkg/plugin/visitor/virtual_net.go
@@ -153,7 +153,10 @@ func (p *VirtualNetPlugin) run() {

 				// Exponential backoff: 60s, 120s, 240s, 300s (capped)
 				baseDelay := 60 * time.Second
-				reconnectDelay = min(baseDelay*time.Duration(1<<uint(p.consecutiveErrors-1)), 300*time.Second)
+				reconnectDelay = baseDelay * time.Duration(1<<uint(p.consecutiveErrors-1))
+				if reconnectDelay > 300*time.Second {
+					reconnectDelay = 300 * time.Second
+				}
 			} else {
 				// Reset consecutive errors on successful connection
 				if p.consecutiveErrors > 0 {
--- a/pkg/policy/featuregate/feature_gate.go
+++ b/pkg/policy/featuregate/feature_gate.go
@@ -16,7 +16,6 @@ package featuregate

 import (
 	"fmt"
-	"maps"
 	"sort"
 	"strings"
 	"sync"
@@ -93,7 +92,10 @@ type featureGate struct {

 // NewFeatureGate creates a new feature gate with the default features
 func NewFeatureGate() MutableFeatureGate {
-	known := maps.Clone(defaultFeatures)
+	known := map[Feature]FeatureSpec{}
+	for k, v := range defaultFeatures {
+		known[k] = v
+	}

 	f := &featureGate{}
 	f.known.Store(known)
@@ -107,8 +109,14 @@ func (f *featureGate) SetFromMap(m map[string]bool) error {
 	defer f.lock.Unlock()

 	// Copy existing state
-	known := maps.Clone(f.known.Load().(map[Feature]FeatureSpec))
-	enabled := maps.Clone(f.enabled.Load().(map[Feature]bool))
+	known := map[Feature]FeatureSpec{}
+	for k, v := range f.known.Load().(map[Feature]FeatureSpec) {
+		known[k] = v
+	}
+	enabled := map[Feature]bool{}
+	for k, v := range f.enabled.Load().(map[Feature]bool) {
+		enabled[k] = v
+	}

 	// Apply the new settings
 	for k, v := range m {
@@ -139,7 +147,10 @@ func (f *featureGate) Add(features map[Feature]FeatureSpec) error {
 	}

 	// Copy existing state
-	known := maps.Clone(f.known.Load().(map[Feature]FeatureSpec))
+	known := map[Feature]FeatureSpec{}
+	for k, v := range f.known.Load().(map[Feature]FeatureSpec) {
+		known[k] = v
+	}

 	// Add new features
 	for name, spec := range features {
@@ -160,9 +171,8 @@ func (f *featureGate) Add(features map[Feature]FeatureSpec) error {

 // String returns a string containing all enabled feature gates, formatted as "key1=value1,key2=value2,..."
 func (f *featureGate) String() string {
-	enabled := f.enabled.Load().(map[Feature]bool)
-	pairs := make([]string, 0, len(enabled))
-	for k, v := range enabled {
+	pairs := []string{}
+	for k, v := range f.enabled.Load().(map[Feature]bool) {
 		pairs = append(pairs, fmt.Sprintf("%s=%t", k, v))
 	}
 	sort.Strings(pairs)
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Mxmilu666	406ea5ebee	chore(version): update version to 0.67.3	2026-03-08 18:35:40 +08:00
Mxmilu666	81a92d19d5	feat(proxy): add traffic counting wrapper for connections	2026-03-08 18:33:42 +08:00
Mxmilu666	83847f32ed	feat(controller): add API to close proxy by name	2026-02-21 07:42:17 +08:00
Mxmilu666	1f2c26761d	refactor(release): update changelog generation process	2026-02-20 15:28:31 +08:00
Mxmilu666	c836e276a7	style(plugin): reorder import statements for clarity	2026-02-20 15:15:16 +08:00
Mxmilu	d16f07d3e8	Merge pull request 'feat(proxy): add AutoTLS support for HTTPS plugins' (#1 ) from https-acme into dev Reviewed-on: Lolia-FRP/lolia-frp#1	2026-02-20 15:07:59 +08:00
Mxmilu666	6bd5eb92c3	feat(proxy): add AutoTLS support for HTTPS plugins	2026-02-19 09:01:07 +08:00
Mxmilu666	09602f5d74	chore(gitattributes): add .gitattributes for line endings	2026-02-19 06:37:58 +08:00
Mxmilu666	d7559b39e2	Merge remote-tracking branch 'upstream/dev' into dev	2026-02-08 00:57:08 +08:00
Mxmilu666	72d147dfa5	fix(workflows): add missing architectures for build matrix	2026-02-04 19:32:24 +08:00
Mxmilu666	481121a6c2	refactor(workflows): inline image name definitions in docker-build.yml	2026-01-16 00:20:37 +08:00
Mxmilu666	be252de683	chore(workflows): remove old build and push workflow file fix(dockerfiles): update base image to golang:1.25 for frpc and frps	2026-01-16 00:19:10 +08:00
Mxmilu666	0a99c1071b	feat(release): add debug step to check tags and commits[skip ci]	2026-01-14 00:30:05 +08:00
Mxmilu666	dd37b2e199	fix(frpc): fix goroutine closure in runMultipleClientsFromFiles	2026-01-14 00:11:41 +08:00
Mxmilu666	803e548f42	fix(version): update version to LoliaFRP-CLI 0.66.3	2026-01-14 00:03:50 +08:00
Mxmilu666	2dac44ac2e	fix(config): support multiple configuration files for frpc	2026-01-14 00:03:18 +08:00
Mxmilu666	655dc3cb2a	fix(version): update version to LoliaFRP-CLI 0.66.2	2026-01-13 00:10:24 +08:00
Mxmilu666	9894342f46	fix(auth): support multiple authentication tokens for frpc	2026-01-13 00:04:50 +08:00
Mxmilu666	e7cc706c86	fix(vhost): correct heading text for unbound domain page	2026-01-11 14:37:17 +08:00
Mxmilu666	92ac2b9153	fix(workflow): enhance artifact handling in release process [skip ci]	2026-01-11 14:08:20 +08:00
Mxmilu666	1ed369e962	fix(workflow): remove tags specification from push event [skip ci]	2026-01-11 14:04:37 +08:00
Mxmilu666	b74a8d0232	fix(workflow): remove branch specification from build-all workflow	2026-01-11 14:01:35 +08:00
Mxmilu666	d2180081a0	fix(workflow): correct path to build-all workflow	2026-01-11 13:58:22 +08:00
Mxmilu666	51f4e065b5	fix(workflow): correct path to build-all workflow	2026-01-11 13:55:26 +08:00
Mxmilu666	e58f774086	fix(workflow): specify branch for build-all workflow	2026-01-11 13:54:26 +08:00
Mxmilu666	178e381a26	fix(workflow): update build-all workflow path to absolute	2026-01-11 13:53:33 +08:00
Mxmilu666	26b93ae3a3	chore(version): update version to LoliaFRP-CLI 0.66.1	2026-01-11 13:52:10 +08:00
Mxmilu666	a2aeee28e4	feat(vhost): enhance Not Found page with Chinese localization	2026-01-11 13:51:37 +08:00
Mxmilu666	0416caef71	feat(workflow): enable workflow_call for build-all workflow [skip ci]	2026-01-11 13:36:14 +08:00
Mxmilu666	1004473e42	feat(workflow): add release workflow for FRP binaries	2026-01-11 13:30:40 +08:00
Mxmilu666	f386996928	fix(api): update comment for URL construction security	2026-01-11 04:05:27 +08:00
Mxmilu666	4eb4b202c5	fix(controller): include session ID in analysis error log style(log): use octal notation for file permissions	2026-01-11 04:00:52 +08:00
Mxmilu666	ac5bdad507	feat(client): add access messages for proxy services feat(client): translate log messages to Chinese feat(cmd): add authentication token support for API config feat(log): implement rotating file logger with custom styles feat(banner): add banner display function fix(version): update version string for CLI	2026-01-11 03:53:52 +08:00
Mxmilu666	42f4ea7f87	feat(build): enhance android-arm build process and output	2026-01-11 02:00:52 +08:00
Mxmilu666	36e5ac094b	feat(build): add android-arm build process and dependencies	2026-01-11 01:56:30 +08:00
Mxmilu666	72f79d3357	feat(api): add endpoint to close proxy by name	2025-12-26 01:10:43 +08:00
Mxmilu666	e1f905f63f	chore: remove obsolete build-all workflow and update architectures in package script	2025-12-25 22:19:53 +08:00
Mxmilu666	eb58f09268	chore: remove funding and pull request template files	2025-12-25 22:19:50 +08:00
Mxmilu666	46955ffc80	feat(api): update kick proxy endpoint to use name only	2025-12-25 22:19:00 +08:00
Mxmilu666	2d63296576	feat(api): add endpoint to retrieve all proxies	2025-12-25 22:18:38 +08:00
Mxmilu666	a76ba823ee	feat(api): add endpoint to kick proxy by name	2025-12-25 22:16:41 +08:00