feat: add bypass rules, weighted pool selection, integration tests

Per-listener bypass rules skip the chain for local/private destinations
(CIDR, exact IP/hostname, domain suffix). Weighted multi-candidate pool
selection biases toward pools with more alive proxies. End-to-end
integration tests validate the full client->s5p->hop->target path using
mock SOCKS5 proxies.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

README.md

@@ -93,7 +93,8 @@ proxy_pools:
     max_fails: 3
 
 # Multi-listener: each port gets a chain depth and pool assignment
-# Use "pool" for listener default, "pool:name" for explicit pool per hop
+# Use "pool" for listener default, "pool:name" for explicit pool per hop,
+# or [pool:a, pool:b] for random choice from candidates per connection
 listeners:
   - listen: 0.0.0.0:1080
     pool: clean
@@ -102,11 +103,10 @@ listeners:
       - pool                           # Tor + 2 clean proxies
       - pool
   - listen: 0.0.0.0:1081
-    pool: clean
     chain:
       - socks5://127.0.0.1:9050
-      - pool:clean                     # per-hop: clean pool
-      - pool:mitm                      # per-hop: mitm pool
+      - [pool:clean, pool:mitm]        # random choice per connection
+      - [pool:clean, pool:mitm]        # independent random choice
   - listen: 0.0.0.0:1082
     chain:
       - socks5://127.0.0.1:9050       # Tor only
@@ -145,9 +145,9 @@ Options:
 ## How Chaining Works
 
 ```
-:1080  Client -> s5p -> Tor -> [clean] -> [clean] -> Dest  (2 clean hops)
-:1081  Client -> s5p -> Tor -> [clean] -> [mitm]  -> Dest  (mixed pools)
-:1082  Client -> s5p -> Tor -> Dest                         (Tor only)
+:1080  Client -> s5p -> Tor -> [clean] -> [clean]       -> Dest  (2 clean hops)
+:1081  Client -> s5p -> Tor -> [clean|mitm] -> [clean|mitm] -> Dest  (random)
+:1082  Client -> s5p -> Tor -> Dest                              (Tor only)
 ```
 
 s5p connects to Hop1 via TCP, negotiates the hop protocol (SOCKS5/4/HTTP),