• Improved server list to show protocol/network/security (e.g. "VLESS / XHTTP / REALITY") under the server name by default
• Improved the "Insecure" subscription toggle — it no longer overrides per-server settings and now works without a premium subscription
• Improved local VPN security by requiring per-process SOCKS authentication so other apps on the machine can't probe the tunnel
• Improved DNS-from-JSON parsing to handle IP-in-URL DoH and surface the reason for any fallback in the subscription log
• Added a "random" autoconnect option that pings your subscription on app open and connects to a random alive server
• Added support for bypassing selected CIDRs from the tunnel (and forcing them direct in proxy-mode routing) via premium meta-params
• Added per-protocol inbound authorization for the local SOCKS/HTTP endpoints with Disabled/Auto/Manual/From-JSON modes, plus a copy button on the credential fields
• Added a configurable User-Agent for GeoSite/GeoIP downloads in the Routing section
• Fixed subscription fetch failing with "invalid hash" when the subscription URL uses a non-default port
• Fixed our own API domains being blocked from the Proxy routing section (they remain blocked from Block and Direct only)