
feat: add China domain/IP direct bypass rules in Surge client config

Route China-destined traffic to DIRECT using Sukka's cn/domestic rulesets,
placed after AI/streaming rules to preserve chain priority for those services.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
kotoyuuko 3 weeks ago
Parent
Current commit
7715ccf902

+ 7 - 0
docs/surge-client.conf

@@ -40,8 +40,15 @@ RULE-SET,https://ruleset.skk.moe/List/non_ip/ai.conf,Chain
 # --- Streaming Services → Chain (exit from landing IP) ---
 RULE-SET,https://ruleset.skk.moe/List/non_ip/stream_us.conf,Chain
 
+# --- China Direct (domain rules) ---
+DOMAIN-SET,https://ruleset.skk.moe/List/domainset/cn.conf,DIRECT
+RULE-SET,https://ruleset.skk.moe/List/non_ip/domestic.conf,DIRECT
+
 # --- IP-based rules (must come after domain rules) ---
 RULE-SET,https://ruleset.skk.moe/List/ip/stream_us.conf,Chain
 
+# --- China Direct (IP rules) ---
+RULE-SET,https://ruleset.skk.moe/List/ip/domestic.conf,DIRECT
+
 # --- Default: all other traffic through relay ---
 FINAL,Relay-SS
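Review bot: the two new section comments carry no rationale for their position, so a later edit could reorder them and silently change which policy wins; the intent recorded in design.md (China DIRECT deliberately after the AI/streaming Chain rules so those keep priority, and deliberately before `FINAL`) belongs in the config itself. Suggest extending the comments, e.g. `# --- China Direct (domain rules; keep after AI/streaming so Chain wins) ---` and `# --- China Direct (IP rules; keep after domain rules and after streaming IP) ---`, plus a one-line pointer that per-service exceptions go above these rules, since that is the escape hatch design.md promises. Note also that the existing "(must come after domain rules)" comment now covers a DIRECT rule: any hostname not matched by a domain rule is resolved on the client to test it against `ip/domestic.conf` before `FINAL`, which is the ordering the spec calls "DNS protection" and is worth saying in the comment.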

+ 2 - 0
openspec/changes/archive/2026-04-22-china-direct-bypass/.openspec.yaml

@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-04-22

+ 42 - 0
openspec/changes/archive/2026-04-22-china-direct-bypass/design.md

@@ -0,0 +1,42 @@
+## Context
+
+The current `docs/surge-client.conf` routes AI/streaming through the chained landing proxy and everything else through the relay. There is no handling for China-destined traffic, which gets unnecessarily routed through the relay server, adding latency and potentially breaking access to domestic services.
+
+Sukka's ruleset already provides comprehensive China domain and IP lists at `ruleset.skk.moe`.
+
+## Goals / Non-Goals
+
+**Goals:**
+- Route China domains and IPs to `DIRECT` in the reference Surge client config
+- Use Sukka's maintained China rulesets (no self-maintained lists)
+- Maintain correct rule ordering (domain rules before IP rules)
+
+**Non-Goals:**
+- Server-side changes (this is purely client-side Surge config)
+- GeoIP database management (Surge handles this via Sukka's rulesets)
+
+## Decisions
+
+### 1. Rule placement: China rules before FINAL, after service-specific rules
+
+China direct rules are inserted after the AI/streaming rules but before `FINAL`. This way, AI/streaming traffic still goes through the chain even if the IP happens to resolve to a China range, while general China traffic goes direct.
+
+Ordering:
+1. AI domain/non_ip rules → Chain
+2. Streaming domain/non_ip rules → Chain
+3. **China domain/non_ip rules → DIRECT** (new)
+4. Streaming IP rules → Chain
+5. **China IP rules → DIRECT** (new)
+6. FINAL → Relay-SS
+
+### 2. Use Sukka's China rulesets
+
+- `domainset/cn.conf` — China domain set
+- `non_ip/domestic.conf` — non-IP China domestic rules
+- `ip/domestic.conf` — China IP CIDR rules
+
+Consistent with the existing approach of delegating all domain/IP lists to Sukka.
+
+## Risks / Trade-offs
+
+- **[China IP range overlap with CDN]** → Some international services use China CDN nodes. These will go direct instead of through the proxy. This is typically desired behavior (faster access). If specific services break, they can be added as exceptions above the China rules.
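Review bot: the Non-Goals entry "GeoIP database management (Surge handles this via Sukka's rulesets)" is misleading, because the change uses no GEOIP rule at all; China IP matching comes from the CIDR list in `ip/domestic.conf` (Decision 2). Reword it as "No GEOIP rule or local GeoIP database; China IP matching relies on Sukka's CIDR list". The Risks entry also says broken services "can be added as exceptions above the China rules" without saying where or in what form: since the project's "No self-maintained domain lists" requirement applies, state whether such an exception is an explicit rule in the config or must itself be a Sukka ruleset, and where it would sit in the ordering list under Decision 1.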

+ 23 - 0
openspec/changes/archive/2026-04-22-china-direct-bypass/proposal.md

@@ -0,0 +1,23 @@
+## Why
+
+Chinese domains and IP addresses should connect directly without going through the proxy chain. Routing China-destined traffic through overseas proxies adds unnecessary latency and may break access to domestic services.
+
+## What Changes
+
+- Add Sukka's China domain and IP rulesets to the reference Surge client configuration, routing them to `DIRECT`
+- China domain rules placed before IP-based rules (following Sukka's prescribed ordering)
+- China IP CIDR rules placed in the IP rules section
+
+## Capabilities
+
+### New Capabilities
+
+(none)
+
+### Modified Capabilities
+- `proxy-rules`: Adding China domain and IP direct bypass rules to the Surge configuration
+
+## Impact
+
+- `docs/surge-client.conf` updated with new DIRECT rules for China traffic
+- No server-side changes — this is client-side Surge configuration only

+ 32 - 0
openspec/changes/archive/2026-04-22-china-direct-bypass/specs/proxy-rules/spec.md

@@ -0,0 +1,32 @@
+## ADDED Requirements
+
+### Requirement: Surge rules route China domains to DIRECT
+The reference Surge configuration SHALL use Sukka's China domain rulesets to route China-destined domain traffic to `DIRECT`, bypassing all proxies.
+
+#### Scenario: China domain hits DIRECT
+- **WHEN** a client request matches Sukka's China domain ruleset (e.g., `DOMAIN-SET,https://ruleset.skk.moe/List/domainset/cn.conf`)
+- **THEN** Surge routes it via `DIRECT` policy
+- **THEN** the traffic connects without going through any proxy
+
+### Requirement: Surge rules route China IPs to DIRECT
+The reference Surge configuration SHALL use Sukka's China IP ruleset to route China IP CIDR traffic to `DIRECT`.
+
+#### Scenario: China IP hits DIRECT
+- **WHEN** a client request resolves to a China IP matching Sukka's China IP ruleset (e.g., `RULE-SET,https://ruleset.skk.moe/List/ip/domestic.conf`)
+- **THEN** Surge routes it via `DIRECT` policy
+
+### Requirement: China rules are placed after service-specific rules
+The China direct rules SHALL be placed after AI and streaming service rules in the Surge configuration, so that AI/streaming traffic still routes through the chain even if the destination IP is in China.
+
+#### Scenario: AI service with China CDN still goes through chain
+- **WHEN** a request to an AI service domain matches the AI ruleset
+- **AND** the destination IP happens to be in a China range
+- **THEN** the AI ruleset matches first (higher priority) and routes through Chain
+- **THEN** the China IP rule does not override the AI routing
+
+### Requirement: China domain rules appear before China IP rules
+The China `DOMAIN-SET` and `non_ip` rules SHALL appear before the China `ip` rules, following Sukka's prescribed ordering to maintain DNS protection.
+
+#### Scenario: Correct ordering within China rules
+- **WHEN** the Surge config is loaded
+- **THEN** China `DOMAIN-SET` and `non_ip` entries appear before any China `ip` entries
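Review bot: the scenario "China IP hits DIRECT" relies on the destination hostname being resolved on the client to check it against `ip/domestic.conf`, which is exactly the DNS behaviour the "maintain DNS protection" requirement is about, yet the requirement never states what that protection is. Spell it out: domain-level rules must match first so that only hostnames unmatched by any domain rule reach the IP rules and get resolved locally. The last scenario ("WHEN the Surge config is loaded / THEN ... appear before") describes a static property of the file, so it can be verified by checking line order in `docs/surge-client.conf` rather than by loading Surge; consider wording it that way so it is testable.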

+ 5 - 0
openspec/changes/archive/2026-04-22-china-direct-bypass/tasks.md

@@ -0,0 +1,5 @@
+## 1. Update Surge Client Configuration
+
+- [x] 1.1 Add China domain DIRECT rules (`domainset/cn.conf`, `non_ip/domestic.conf`) after streaming non_ip rules and before IP-based rules
+- [x] 1.2 Add China IP DIRECT rule (`ip/domestic.conf`) after streaming IP rules and before FINAL
+- [x] 1.3 Verify rule ordering: AI/streaming domain → China domain → streaming IP → China IP → FINAL
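Review bot: task 1.3 is ticked but records nothing about how the ordering was verified; note the method (for example, checking the order of the `ruleset.skk.moe` lines in `docs/surge-client.conf`) so the check can be repeated after future edits.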

+ 31 - 0
openspec/specs/proxy-rules/spec.md

@@ -40,6 +40,37 @@ The reference Surge configuration SHALL route all traffic not matching any speci
 - **THEN** the Surge `FINAL` rule directs it through the relay SS proxy
 - **THEN** traffic exits from the relay server's IP
 
+### Requirement: Surge rules route China domains to DIRECT
+The reference Surge configuration SHALL use Sukka's China domain rulesets to route China-destined domain traffic to `DIRECT`, bypassing all proxies.
+
+#### Scenario: China domain hits DIRECT
+- **WHEN** a client request matches Sukka's China domain ruleset (e.g., `DOMAIN-SET,https://ruleset.skk.moe/List/domainset/cn.conf`)
+- **THEN** Surge routes it via `DIRECT` policy
+- **THEN** the traffic connects without going through any proxy
+
+### Requirement: Surge rules route China IPs to DIRECT
+The reference Surge configuration SHALL use Sukka's China IP ruleset to route China IP CIDR traffic to `DIRECT`.
+
+#### Scenario: China IP hits DIRECT
+- **WHEN** a client request resolves to a China IP matching Sukka's China IP ruleset (e.g., `RULE-SET,https://ruleset.skk.moe/List/ip/domestic.conf`)
+- **THEN** Surge routes it via `DIRECT` policy
+
+### Requirement: China rules are placed after service-specific rules
+The China direct rules SHALL be placed after AI and streaming service rules in the Surge configuration, so that AI/streaming traffic still routes through the chain even if the destination IP is in China.
+
+#### Scenario: AI service with China CDN still goes through chain
+- **WHEN** a request to an AI service domain matches the AI ruleset
+- **AND** the destination IP happens to be in a China range
+- **THEN** the AI ruleset matches first (higher priority) and routes through Chain
+- **THEN** the China IP rule does not override the AI routing
+
+### Requirement: China domain rules appear before China IP rules
+The China `DOMAIN-SET` and `non_ip` rules SHALL appear before the China `ip` rules, following Sukka's prescribed ordering to maintain DNS protection.
+
+#### Scenario: Correct ordering within China rules
+- **WHEN** the Surge config is loaded
+- **THEN** China `DOMAIN-SET` and `non_ip` entries appear before any China `ip` entries
+
 ### Requirement: No self-maintained domain lists
 The project SHALL NOT maintain its own domain lists for AI or streaming services. All domain/rule matching SHALL be delegated to Sukka's externally maintained rulesets.
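Review bot: this block duplicates the archived spec verbatim, which is presumably the intended openspec workflow, but the CDN-overlap risk from design.md is not represented here: nothing in these requirements says that a service which breaks because it goes DIRECT is handled by an exception placed above the China rules, and the "No self-maintained domain lists" requirement that follows would forbid an ad-hoc domain rule. Add a scenario or a note reconciling the two, or state that exceptions must themselves be Sukka rulesets.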