## MODIFIED Requirements

### Requirement: shadowsocks uses AEAD cipher
The shadowsocks configuration SHALL use an AEAD cipher (e.g., `aes-256-gcm` or `chacha20-ietf-poly1305`), configurable via Ansible variable. The SS port and password SHALL default to auto-generated values from the `credentials/` directory, with manual override supported.

#### Scenario: AEAD cipher is configured
- **WHEN** the shadowsocks configuration is generated
- **THEN** the `method` field uses the configured AEAD cipher
- **THEN** the default cipher is `aes-256-gcm` if not overridden

#### Scenario: Port and password use auto-generated defaults
- **WHEN** the shadowsocks role runs without manual overrides
- **THEN** the port and password come from `credentials/` lookup values