feat(nullvpn): add NullVPN build config, stripped tags, and Makefile target

Makefile.nullvpn

@@ -0,0 +1,42 @@
+# Makefile.nullvpn — NullVPN stripped build targets
+# Usage: make -f Makefile.nullvpn [target]
+
+GO ?= go
+GOOS ?= linux
+GOARCH ?= amd64
+VERSION ?= $(shell git describe --tags --always --dirty 2>/dev/null || echo "dev")
+BIN_DIR ?= ./dist/nullvpn
+
+# NullVPN minimal tag set — removes protocols not needed for TCP/443 VLESS+Reality
+NULLVPN_TAGS := with_vless,with_tun,with_quic,with_ech
+# Note: with_quic required by XTLS/Reality TLS engine even when UDP is not exposed
+# Note: with_ech required for ECH-based SNI camouflage
+
+LDFLAGS := -s -w \
+	-X github.com/sagernet/sing-box/constant.Version=$(VERSION) \
+	-X github.com/sagernet/sing-box/constant.IsRelease=true
+
+.PHONY: build-server build-android clean
+
+build-server:
+	@mkdir -p $(BIN_DIR)
+	CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) \
+	$(GO) build \
+		-tags '$(NULLVPN_TAGS)' \
+		-ldflags '$(LDFLAGS)' \
+		-trimpath \
+		-o $(BIN_DIR)/sing-box-nullvpn \
+		./cmd/sing-box
+	@echo "Built: $(BIN_DIR)/sing-box-nullvpn ($(GOOS)/$(GOARCH))"
+
+build-server-arm64:
+	@$(MAKE) -f Makefile.nullvpn build-server GOOS=linux GOARCH=arm64
+
+build-android:
+	@echo "Android library build — requires gomobile and NDK"
+	@echo "Run: cd .. && gomobile bind -v -target=android -tags '$(NULLVPN_TAGS)' -ldflags '$(LDFLAGS)' github.com/sagernet/sing-box/experimental/libbox"
+	@echo "See nullvpn-backend-bootstrap/README.md for full Android build instructions."
+
+clean:
+	@rm -rf $(BIN_DIR)
+	@echo "Cleaned $(BIN_DIR)"

nullvpn/NULLVPN_BUILD.md

@@ -0,0 +1,44 @@
+# NullVPN sing-box Build Configuration
+
+## Purpose
+
+This directory contains NullVPN-specific build configuration for the sing-box fork.
+The goal is a **minimal binary** targeting TCP/443 with VLESS+XTLS-Reality transport
+for DPI bypass (Instagram, Telegram unblocking on Russian/Iranian networks).
+
+## Retained Protocols
+
+| Protocol | Tag | Reason |
+|----------|-----|--------|
+| `vless` | `with_vless` | Primary client protocol |
+| `tun` | `with_tun` | Android TUN inbound |
+| `mixed` | `with_mixed` | Local SOCKS+HTTP inbound |
+| `shadowsocks` | `with_shadowsocks` | Fallback transport |
+| `direct` | _(always built)_ | DNS and bypass routing |
+| `dns` | _(always built)_ | DNS inbound/outbound |
+
+## Removed Protocols (not needed for NullVPN scope)
+
+- `hysteria` / `hysteria2` — UDP-based, blocked by DPI targets anyway
+- `naive` — HTTP/2 proxy, not part of NullVPN stack
+- `tor` — not used
+- `ssh` — not used
+- `vmess` — legacy, not needed if VLESS is primary
+- `trojan` — not needed
+- `shadowtls` — redundant when using Reality
+- `wireguard` — handled by VPNsd/amneziawg-go stack separately
+
+## Build Command
+
+```bash
+# Build NullVPN-stripped binary (server)
+make -f Makefile.nullvpn build-server
+
+# Build NullVPN Android library
+make -f Makefile.nullvpn build-android
+```
+
+## Config Entry Point
+
+See `config/` directory in `nullvpnnet/sing-box-for-android` for the Android client template,
+and `server-setup/singbox/` in `nullvpnnet/unified-scripts` for the server-side config.

nullvpn/nullvpn_tags.go

@@ -0,0 +1,26 @@
+//go:build nullvpn
+// +build nullvpn
+
+// Package nullvpn defines the NullVPN build constraint.
+// Use build tag `nullvpn` to activate the stripped NullVPN feature set.
+// This tag is consumed by Makefile.nullvpn and CI/CD pipeline.
+//
+// Retained features under this tag:
+//   - VLESS inbound/outbound
+//   - TUN inbound (Android)
+//   - Mixed (SOCKS5+HTTP) inbound
+//   - ShadowSocks outbound (fallback)
+//   - XTLS/Reality transport
+//   - DNS routing
+//   - Rule-based routing (GeoIP/domain)
+//
+// Excluded features under this tag:
+//   - Hysteria / Hysteria2
+//   - NaïveProxy
+//   - Tor
+//   - SSH
+//   - Trojan
+//   - ShadowTLS
+//   - VMess
+//   - WireGuard (handled by amneziawg-go stack)
+package nullvpn