fix(relay): complete stream timeout configuration

Preserve the new body-stream idle timeout across every config-facing path that can rewrite configuration. Desktop Save now round-trips stream_timeout_secs alongside request_timeout_secs, preventing hand-edited large-download timeout settings from being silently dropped.

Document the split timeout model in the TOML examples and user guides: request_timeout_secs bounds relay connection and response-header arrival, while stream_timeout_secs bounds idle time between body chunks after headers have arrived. This keeps dead destinations bounded without aborting slow range downloads mid-stream.

Update the guide's implementation matrix to reflect the active range-aware download path and its remaining quota cost. Large range-capable responses can stream in chunks and resume cleanly with Range: bytes=N-, but each chunk remains an Apps Script UrlFetchApp call.

Add regression coverage for TOML parsing and defaults, JSON migration round-trip preservation, Range header start parsing, and validation of non-zero-offset resume probes.

Author: maybeknott

config.example.toml

@@ -2,6 +2,11 @@
 mode = "apps_script"
 script_id = "YOUR_APPS_SCRIPT_DEPLOYMENT_ID"
 auth_key = "CHANGE_ME_TO_A_STRONG_SECRET"
+# Response header/connect timeout for each relay request.
+request_timeout_secs = 30
+# Per-body-chunk idle timeout after headers arrive. Keep this larger than
+# request_timeout_secs so slow large downloads can continue streaming.
+stream_timeout_secs = 300
 
 [network]
 google_ip = "216.239.38.120"

config.full.example.toml

@@ -2,6 +2,11 @@
 mode = "full"
 script_id = "YOUR_APPS_SCRIPT_DEPLOYMENT_ID"
 auth_key = "CHANGE_ME_TO_A_STRONG_SECRET"
+# Response header/connect timeout for each relay request.
+request_timeout_secs = 30
+# Per-body-chunk idle timeout after headers arrive. Keep this larger than
+# request_timeout_secs so slow large downloads can continue streaming.
+stream_timeout_secs = 300
 
 [network]
 google_ip = "216.239.38.120"

docs/guide.fa.md

@@ -230,7 +230,8 @@ HTTP / HTTPS مثل قبل از Apps Script می‌رود (تغییری نمی
 **محافظ‌های منابع:**
 - **حداکثر ۵۰ op** در هر بَچ — اگر سشن‌های فعال بیشتر باشند، مالتی‌پلکسر چند بَچ می‌فرستد
 - **سقف payload ۴ مگابایت** در هر بَچ — خیلی کمتر از ۵۰ مگابایت Apps Script
-- **timeout ۳۰ ثانیه** هر بَچ — مقصد کند / مرده نمی‌تواند سایر سشن‌ها را گیر بیاندازد
+- **timeout ۳۰ ثانیه برای اتصال و هدرها** در هر بَچ — مقصد کند / مرده نمی‌تواند سایر سشن‌ها را گیر بیاندازد
+- **timeout ۳۰۰ ثانیه برای هر chunk بدنه** بعد از رسیدن هدرها — دانلودهای بزرگ و کند با بودجهٔ کوتاه هدر قطع نمی‌شوند
 
 ### راه‌اندازی سریع حالت full
 
@@ -253,6 +254,8 @@ HTTP / HTTPS مثل قبل از Apps Script می‌رود (تغییری نمی
    mode = "full"
    script_id = ["id1", "id2", "id3", "id4", "id5", "id6"]
    auth_key = "your-secret"
+   request_timeout_secs = 30
+   stream_timeout_secs = 300
    ```
 
 ## Exit node
@@ -368,14 +371,15 @@ sni_hosts = ["www.google.com", "drive.google.com", "docs.google.com"]
 | بیلد musl | OpenWRT / Alpine / محیط‌های بدون libc — باینری استاتیک، با procd init |
 | **Exit node** | برای سایت‌های پشت Cloudflare (v1.9.4+) |
 | **Unwrap goog.script.init** | دفاع‌در‌عمق در مقابل Deploymentهایی که پاسخ HtmlService-wrapped می‌فرستند (v1.9.6+) |
+| دانلود بزرگ Range-aware | استریم chunk شده و resume برای درخواست‌های `Range: bytes=N-` |
+| timeout جدا برای رله | `request_timeout_secs` برای اتصال/هدر و `stream_timeout_secs` برای idle هر chunk بدنه |
 
 ### عمداً پیاده نشده
 
 | ویژگی | چرا نه |
 |---|---|
 | HTTP/2 multiplexing | state machine کریت `h2` (stream IDs، flow control، GOAWAY) موارد hang ظریف زیادی دارد؛ coalescing + pool ۲۰-conn بیشتر فایده را می‌گیرد |
 | Batch (`q:[...]` در apps_script) | connection pool + tokio async از قبل خوب موازی‌سازی می‌کند؛ batch ~۲۰۰ خط مدیریت state اضافه می‌کند با سود نامشخص |
-| Range-based parallel download | edge case‌های واقعی (سرورهای بدون Range، chunked وسط stream)؛ ویدیوی یوتیوب از قبل با تونل بازنویسی SNI، Apps Script را دور می‌زند |
 | حالت‌های `domain_fronting` / `google_fronting` / `custom_domain` | Cloudflare در ۲۰۲۴ domain fronting عمومی را کشت؛ Cloud Run پلن پولی می‌خواهد |
 
 ## محدودیت‌های شناخته‌شده
@@ -394,6 +398,10 @@ HTML یوتیوب سریع می‌آید (از تونل بازنویسی SNI)،
 
 برای مرور متنی خوب است، برای ۱۰۸۰p دردناک. چند `script_id` بچرخان برای هد روم بیشتر، یا VPN واقعی برای ویدیو.
 
+### دانلودهای بزرگ هنوز سهمیه مصرف می‌کنند
+
+رله می‌تواند پاسخ‌های Range-capable را chunk شده استریم کند و وقتی کلاینت با `Range: bytes=N-` ادامه می‌دهد، resume تمیز داشته باشد. اما هر chunk هنوز یک اجرای `UrlFetchApp` است. `request_timeout_secs` فقط اتصال و رسیدن هدرها را کنترل می‌کند؛ `stream_timeout_secs` سکوت بین chunkهای بدنه را.
+
 ### Brotli حذف می‌شود
 
 از هدر `Accept-Encoding` ‏`br` حذف می‌شود. Apps Script gzip را decompress می‌کند ولی Brotli نه؛ forward کردن `br` پاسخ را خراب می‌کند. سربار حجمی جزئی.

docs/guide.md

@@ -230,7 +230,8 @@ More deployments = more total concurrency = lower per-session latency. Each batc
 **Resource guards:**
 - **50 ops max** per batch — if more sessions are active, the mux splits into multiple batches
 - **4 MB payload cap** per batch — well under Apps Script's 50 MB limit
-- **30 s timeout** per batch — slow / dead targets can't block other sessions forever
+- **30 s header/connect timeout** per batch — slow / dead targets can't block other sessions forever
+- **300 s per-chunk stream timeout** after headers arrive — slow large downloads can keep moving without being killed by the shorter header budget
 
 ### Full mode quick start
 
@@ -253,6 +254,8 @@ More deployments = more total concurrency = lower per-session latency. Each batc
    mode = "full"
    script_id = ["id1", "id2", "id3", "id4", "id5", "id6"]
    auth_key = "your-secret"
+   request_timeout_secs = 30
+   stream_timeout_secs = 300
    ```
 
 ## Exit node
@@ -364,12 +367,13 @@ This port focuses on the **`apps_script` mode** — the only one that reliably w
 - [x] OpenWRT / Alpine / musl builds — static binaries, procd init script included
 - [x] **Exit node** support for Cloudflare-fronted sites (v1.9.4+)
 - [x] **Goog.script.init iframe unwrap** — defense-in-depth against deployments that return HtmlService-wrapped responses (v1.9.6+)
+- [x] Range-aware large download streaming with resume support for `Range: bytes=N-` requests
+- [x] Separate relay header/connect timeout and per-chunk body idle timeout
 
 Intentionally **not** implemented:
 
 - **HTTP/2 multiplexing** — `h2` crate state machine has too many subtle hang cases; coalescing + 20-conn pool gets most of the benefit
 - **Request batching (`q:[...]` mode in apps_script mode)** — connection pool + tokio async already parallelizes well; batching adds ~200 lines of state for unclear gain
-- **Range-based parallel download** — edge cases real (non-Range servers, chunked mid-stream); YouTube already bypasses Apps Script via SNI-rewrite tunnel
 - **Other modes** (`domain_fronting`, `google_fronting`, `custom_domain`) — Cloudflare killed generic domain fronting in 2024; Cloud Run needs a paid plan
 
 ## Known limitations
@@ -378,6 +382,7 @@ These are inherent to the Apps Script + domain-fronting approach, not bugs in th
 
 - **User-Agent fixed to `Google-Apps-Script`** for traffic through the relay. `UrlFetchApp.fetch()` doesn't allow override. Sites that detect bots (Google search, some CAPTCHAs) serve degraded / no-JS pages. Workaround: add the affected domain to the `hosts` map so it's routed through the SNI-rewrite tunnel with your real browser's UA. `google.com`, `youtube.com`, `fonts.googleapis.com` are already there.
 - **Video playback slow and quota-limited** for anything through the relay. YouTube HTML loads fast (SNI-rewrite tunnel), but `googlevideo.com` chunks go through Apps Script. Free tier: ~20k `UrlFetchApp` calls / day, 50 MB body cap per fetch. Fine for text browsing, painful for 1080p. Rotate multiple `script_id`s for headroom, or use a real VPN for video.
+- **Large downloads still consume Apps Script calls.** The relay can stream range-capable responses in chunks and resume cleanly when clients retry with `Range: bytes=N-`, but every chunk is still a `UrlFetchApp` invocation. `request_timeout_secs` controls connection/headers; `stream_timeout_secs` controls idle time between body chunks.
 - **Brotli stripped** from forwarded `Accept-Encoding`. Apps Script can decompress gzip but not `br`; forwarding `br` would garble responses. Minor size overhead.
 - **WebSockets don't work** through the relay — it's request / response JSON. Sites that upgrade to WS fail (ChatGPT streaming, Discord voice, etc.).
 - **HSTS-preloaded / hard-pinned sites** reject the MITM cert. Most sites are fine; a handful aren't.

src/bin/ui.rs

@@ -286,14 +286,16 @@ struct FormState {
     /// there is no UI editor for these yet, only file-edited config.
     /// See config.rs `fronting_groups`.
     fronting_groups: Vec<FrontingGroup>,
-    /// Auto-blacklist tuning + per-batch timeout. Config-only knobs (no UI
+    /// Auto-blacklist tuning + relay timeouts. Config-only knobs (no UI
     /// fields yet — power-user file edit). Round-tripped through FormState
     /// so Save preserves the user's hand-edited values. See config.rs
-    /// `auto_blacklist_*` and `request_timeout_secs`.
+    /// `auto_blacklist_*`, `request_timeout_secs`, and
+    /// `stream_timeout_secs`.
     auto_blacklist_strikes: u32,
     auto_blacklist_window_secs: u64,
     auto_blacklist_cooldown_secs: u64,
     request_timeout_secs: u64,
+    stream_timeout_secs: u64,
     /// Optional second-hop exit node for CF-anti-bot bypass (chatgpt.com /
     /// claude.ai / grok.com / x.com). Config-only — no UI editor yet.
     /// See `assets/exit_node/` for the generic exit-node handler.
@@ -391,6 +393,7 @@ fn load_form() -> (FormState, Option<String>) {
             auto_blacklist_window_secs: c.auto_blacklist_window_secs,
             auto_blacklist_cooldown_secs: c.auto_blacklist_cooldown_secs,
             request_timeout_secs: c.request_timeout_secs,
+            stream_timeout_secs: c.stream_timeout_secs,
             exit_node: c.exit_node.clone(),
         }
     } else {
@@ -427,12 +430,14 @@ fn load_form() -> (FormState, Option<String>) {
             bypass_doh_hosts: Vec::new(),
             block_doh: true,
             fronting_groups: Vec::new(),
-            // Defaults match `default_auto_blacklist_*` and
-            // `default_request_timeout_secs` in src/config.rs.
+            // Defaults match `default_auto_blacklist_*`,
+            // `default_request_timeout_secs`, and
+            // `default_stream_timeout_secs` in src/config.rs.
             auto_blacklist_strikes: 3,
             auto_blacklist_window_secs: 30,
             auto_blacklist_cooldown_secs: 120,
             request_timeout_secs: 30,
+            stream_timeout_secs: 300,
             exit_node: mhrv_rs::config::ExitNodeConfig::default(),
         }
     };
@@ -610,14 +615,15 @@ impl FormState {
             // batch alongside the system-proxy toggle (#432).
             coalesce_step_ms: 0,
             coalesce_max_ms: 0,
-            // Auto-blacklist + batch timeout: config-only knobs (#391,
+            // Auto-blacklist + relay timeouts: config-only knobs (#391,
             // #444, #430). Round-trip through FormState so Save doesn't
             // drop hand-edited values. UI editor planned alongside the
             // v1.8.x desktop UI batch.
             auto_blacklist_strikes: self.auto_blacklist_strikes,
             auto_blacklist_window_secs: self.auto_blacklist_window_secs,
             auto_blacklist_cooldown_secs: self.auto_blacklist_cooldown_secs,
             request_timeout_secs: self.request_timeout_secs,
+            stream_timeout_secs: self.stream_timeout_secs,
             // Exit-node config (CF-anti-bot bypass for chatgpt.com / claude.ai
             // / grok.com / x.com). Round-trip through FormState — config-only
             // editing for now, UI editor planned for v1.9.x desktop UI batch.

src/config.rs

@@ -1232,7 +1232,9 @@ mod rt_tests {
   "fetch_ips_from_api": true,
   "max_ips_to_scan": 50,
   "scan_batch_size": 100,
-  "google_ip_validation": true
+  "google_ip_validation": true,
+  "request_timeout_secs": 45,
+  "stream_timeout_secs": 600
 }"#;
         let tmp = std::env::temp_dir().join("mhrv-rt-test.json");
         std::fs::write(&tmp, json).unwrap();
@@ -1242,6 +1244,8 @@ mod rt_tests {
         assert_eq!(cfg.listen_port, 8085);
         assert_eq!(cfg.upstream_socks5.as_deref(), Some("127.0.0.1:50529"));
         assert_eq!(cfg.parallel_relay, 2);
+        assert_eq!(cfg.request_timeout_secs, 45);
+        assert_eq!(cfg.stream_timeout_secs, 600);
         assert_eq!(
             cfg.sni_hosts.as_ref().unwrap(),
             &vec!["www.google.com".to_string(), "drive.google.com".to_string()]
@@ -1367,6 +1371,38 @@ hosts = ["claude.ai", "chatgpt.com"]
         assert_eq!(cfg.exit_node.hosts, vec!["claude.ai", "chatgpt.com"]);
     }
 
+    #[test]
+    fn toml_parses_separate_header_and_stream_timeouts() {
+        let s = r#"
+[relay]
+mode = "apps_script"
+auth_key = "SECRET"
+script_id = "X"
+request_timeout_secs = 45
+stream_timeout_secs = 900
+"#;
+        let toml_cfg: TomlConfig = toml::from_str(s).unwrap();
+        let cfg = Config::from(toml_cfg);
+        assert_eq!(cfg.request_timeout_secs, 45);
+        assert_eq!(cfg.stream_timeout_secs, 900);
+        cfg.validate().unwrap();
+    }
+
+    #[test]
+    fn toml_defaults_stream_timeout_when_omitted() {
+        let s = r#"
+[relay]
+mode = "apps_script"
+auth_key = "SECRET"
+script_id = "X"
+"#;
+        let toml_cfg: TomlConfig = toml::from_str(s).unwrap();
+        let cfg = Config::from(toml_cfg);
+        assert_eq!(cfg.request_timeout_secs, 30);
+        assert_eq!(cfg.stream_timeout_secs, 300);
+        cfg.validate().unwrap();
+    }
+
     #[test]
     fn toml_parses_fronting_groups_array_of_tables() {
         let s = r#"
@@ -1471,4 +1507,4 @@ script_id = "ABCDEF"
         let _ = std::fs::remove_file(&json_path);
         let _ = std::fs::remove_file(&toml_path);
     }
-}
+}

src/domain_fronter.rs

@@ -5803,6 +5803,47 @@ Content-Length: 45812\r\n\r\n"
         assert!(validate_probe_range(206, &headers, b"hey", 4).is_none());
     }
 
+    #[test]
+    fn parse_range_start_accepts_resume_ranges() {
+        assert_eq!(parse_range_start("bytes=123-"), Some(123));
+        assert_eq!(parse_range_start("bytes=123-456"), Some(123));
+        assert_eq!(parse_range_start(" bytes=0-999 "), Some(0));
+        assert_eq!(parse_range_start("items=123-456"), None);
+        assert_eq!(parse_range_start("bytes=-500"), None);
+    }
+
+    #[test]
+    fn validate_probe_range_at_offset_accepts_exact_resume_probe() {
+        let headers = vec![(
+            "Content-Range".to_string(),
+            "bytes 262144-524287/1048576".to_string(),
+        )];
+        let body = vec![0u8; 262144];
+        let range = validate_probe_range_at_offset(206, &headers, &body, 262144, 524287)
+            .expect("exact resume probe must validate");
+
+        assert_eq!(
+            range,
+            ContentRange {
+                start: 262144,
+                end: 524287,
+                total: 1048576,
+            }
+        );
+    }
+
+    #[test]
+    fn validate_probe_range_at_offset_rejects_wrong_start_or_body_len() {
+        let headers = vec![(
+            "Content-Range".to_string(),
+            "bytes 262144-524287/1048576".to_string(),
+        )];
+        let body = vec![0u8; 262144];
+
+        assert!(validate_probe_range_at_offset(206, &headers, &body, 0, 524287).is_none());
+        assert!(validate_probe_range_at_offset(206, &headers, b"short", 262144, 524287).is_none());
+    }
+
     #[test]
     fn extract_exact_range_body_rejects_body_length_mismatch() {
         let raw = b"HTTP/1.1 206 Partial Content\r\n\