feat(tls): refactor TLS configuration to use static Lazy instance

Transitioned panic strategy from 'abort' to 'unwind' and integrated a
global panic hook into the logging framework.

This change allows the application to capture critical failure metadata—
including specific file locations, line numbers, and panic payloads—
persisting them to local logs before exit.

Note: We prioritize troubleshooting capability and long-term stability
at this stage. Reverting to 'panic = abort', `debug = false`,
`strip = true`, `remove split-debuginfo` for peak performance and
minimal binary size will only be considered once the project reaches
a mature state with near-zero community-reported crashes.

Cargo.lock

@@ -1118,6 +1118,7 @@ dependencies = [
  "base64 0.22.1",
  "bitflags 2.11.0",
  "boa_engine",
+ "bytes",
  "chrono",
  "clash-verge-draft",
  "clash-verge-i18n",

Cargo.toml

@@ -11,13 +11,14 @@ members = [
 resolver = "2"
 
 [profile.release]
-panic = "abort"
+panic = "unwind"
 codegen-units = 1
 lto = "thin"
 opt-level = 3
-debug = false
-strip = true
+debug = 1
+strip = "none"
 overflow-checks = false
+split-debuginfo = "unpacked"
 rpath = false
 
 [profile.dev]

src-tauri/Cargo.toml

@@ -108,6 +108,7 @@ webpki-roots = "1.0"
 rust_iso3166 = "0.1.14"
 # Use the git repo until the next release after v2.0.0.
 dark-light = { git = "https://github.com/rust-dark-light/dark-light" }
+bytes = "1.11.1"
 
 [target.'cfg(target_os = "macos")'.dependencies]
 objc2 = "0.6"

src-tauri/src/core/logger.rs

@@ -100,6 +100,22 @@ impl Logger {
         let sidecar_file_writer = self.generate_sidecar_writer()?;
         *self.sidecar_file_writer.write() = Some(sidecar_file_writer);
 
+        std::panic::set_hook(Box::new(move |info| {
+            let payload = info
+                .payload()
+                .downcast_ref::<&str>()
+                .unwrap_or(&"Unknown panic payload");
+            let location = info
+                .location()
+                .map(|loc| format!("{}:{}", loc.file(), loc.line()))
+                .unwrap_or_else(|| "Unknown location".to_string());
+            logging!(error, Type::System, "Panic occurred at {}: {}", location, payload);
+            if let Some(h) = Self::global().handle.lock().as_ref() {
+                h.flush();
+                std::thread::sleep(std::time::Duration::from_millis(100));
+            }
+        }));
+
         Ok(())
     }
 

src-tauri/src/feat/clash.rs

@@ -5,9 +5,23 @@ use crate::{
     process::AsyncHandler,
     utils,
 };
+use bytes::BytesMut;
 use clash_verge_logging::{Type, logging};
+use once_cell::sync::Lazy;
 use serde_yaml_ng::{Mapping, Value};
 use smartstring::alias::String;
+use std::sync::Arc;
+
+#[allow(clippy::expect_used)]
+static TLS_CONFIG: Lazy<Arc<rustls::ClientConfig>> = Lazy::new(|| {
+    let root_store = rustls::RootCertStore::from_iter(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
+    let config = rustls::ClientConfig::builder_with_provider(Arc::new(rustls::crypto::ring::default_provider()))
+        .with_safe_default_protocol_versions()
+        .expect("Failed to set TLS versions")
+        .with_root_certificates(root_store)
+        .with_no_client_auth();
+    Arc::new(config)
+});
 
 /// Restart the Clash core
 pub async fn restart_clash_core() {
@@ -127,6 +141,7 @@ pub async fn test_delay(url: String) -> anyhow::Result<u32> {
 
     tokio::time::timeout(Duration::from_secs(10), async {
         let start = Instant::now();
+        let mut buf = BytesMut::with_capacity(1024);
 
         if is_https {
             let stream = match proxy_port {
@@ -134,22 +149,15 @@ pub async fn test_delay(url: String) -> anyhow::Result<u32> {
                     let mut s = TcpStream::connect(format!("127.0.0.1:{pp}")).await?;
                     s.write_all(format!("CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n").as_bytes())
                         .await?;
-                    let mut buf = [0u8; 1024];
-                    let n = s.read(&mut buf).await?;
-                    if !std::str::from_utf8(&buf[..n]).unwrap_or("").contains("200") {
+                    s.read_buf(&mut buf).await?;
+                    if !buf.windows(3).any(|w| w == b"200") {
                         return Err(anyhow::anyhow!("Proxy CONNECT failed"));
                     }
                     s
                 }
                 None => TcpStream::connect(format!("{host}:{port}")).await?,
             };
-            let root_store = rustls::RootCertStore::from_iter(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
-            let config =
-                rustls::ClientConfig::builder_with_provider(Arc::new(rustls::crypto::ring::default_provider()))
-                    .with_safe_default_protocol_versions()?
-                    .with_root_certificates(root_store)
-                    .with_no_client_auth();
-            let connector = tokio_rustls::TlsConnector::from(Arc::new(config));
+            let connector = tokio_rustls::TlsConnector::from(Arc::clone(&TLS_CONFIG));
             let server_name = rustls::pki_types::ServerName::try_from(host.as_str())
                 .map_err(|_| anyhow::anyhow!("Invalid DNS name: {host}"))?
                 .to_owned();
@@ -166,7 +174,6 @@ pub async fn test_delay(url: String) -> anyhow::Result<u32> {
                 ),
             };
             stream.write_all(req.as_bytes()).await?;
-            let mut buf = [0u8; 1024];
             let _ = stream.read(&mut buf).await?;
         }