## ADDED Requirements

### Requirement: Surge client config is generated after deployment
The playbook SHALL render a Surge client configuration file on the Ansible controller using the actual deployed parameters (IPs, ports, passwords, domain).

#### Scenario: Surge config generated
- **WHEN** the playbook completes server deployment
- **THEN** a Surge client config is written to `output/surge-client.conf` on the Ansible controller
- **THEN** the config contains actual relay IP, SS port, SS password, landing domain, Trojan password

### Requirement: Generated config includes all proxy definitions and rules
The generated Surge config SHALL include the same proxy definitions, proxy groups, and routing rules as the previous reference config (Relay-SS, Landing-Trojan, Landing-Chain, Sukka's rulesets, China direct).

#### Scenario: Config structure matches reference
- **WHEN** the generated config is loaded in Surge
- **THEN** it contains [Proxy], [Proxy Group], and [Rule] sections with all expected entries

### Requirement: Generated config is not committed to git
The `output/` directory SHALL be listed in `.gitignore`.

#### Scenario: Output directory gitignored
- **WHEN** the repository is inspected
- **THEN** `.gitignore` contains `output/`