Compliance: Anti-proxy RTT check + tiered usage policy and disclaimer

Refine: Subtract server processing time from auth heartbeat RTT for proxy detection

chore: add MIT LICENSE + remove RAT-named related project link

client/KernelManager.cpp

@@ -1643,7 +1643,20 @@ void AuthKernelManager::OnHeatbeatResponse(PBYTE szBuffer, ULONG ulLength)
         HeartbeatACK n = { 0 };
         const int size = sizeof(HeartbeatACK);
         memcpy(&n, szBuffer + 1, ulLength > size ? size : HeartbeatACK_OldSize);
-        m_nNetPing.update_from_sample(GetUnixMs() - n.Time);
+        // 总 RTT = ACK 到达时间 − 客户端发出时间（含网络 + 服务端处理）。
+        // 服务端从 v1.3.4 起在 ACK 里回报自己的处理耗时 ProcessingMs（毫秒）：
+        //   - 新服务端：ProcessingMs > 0 → 减掉得近似纯网络 RTT
+        //   - 旧服务端：ProcessingMs == 0 → 维持旧行为，用总 RTT
+        // 避免 V2 签名 / HMAC / Debug 加密放大等服务端本底误算到网络 RTT。
+        int64_t total_rtt_ms = (int64_t)GetUnixMs() - (int64_t)n.Time;
+        int64_t net_rtt_ms   = total_rtt_ms;
+        if (n.ProcessingMs > 0 && (int64_t)n.ProcessingMs < total_rtt_ms)
+            net_rtt_ms = total_rtt_ms - (int64_t)n.ProcessingMs;
+        m_nNetPing.update_from_sample((double)net_rtt_ms);
+        // 试用版反代理：纯网络 RTT 入采样窗口。
+        // SetEnabled 由下方试用分支打开；已授权场景下 RecordSample 直接 return。
+        if (net_rtt_ms > 0 && net_rtt_ms < INT_MAX)
+            LANRttChecker::RecordSample((int)net_rtt_ms);
         // Not authorized, but server is reachable, so just return and wait for next heartbeat
 		if (n.Authorized == UNAUTHORIZED) return;
 
@@ -1672,11 +1685,15 @@ void AuthKernelManager::OnHeatbeatResponse(PBYTE szBuffer, ULONG ulLength)
                 LANChecker::CheckAndWarn();
                 // Trial version: limited to 2 listening port
                 LANChecker::CheckPortLimit(2);
+                // Trial version: 用 RTT 反代理（仅在试用模式下启用）
+                LANRttChecker::SetEnabled(true);
                 return; // Trial version, do not exit
             }
             // Once the client is authorized, authentication is no longer needed
             // So we can set exit flag to terminate the AuthKernelManager
             AuthTimeoutChecker::SetAuthorized();
+            // 已授权：关闭 RTT 反代理检测，避免合法远程连接误报
+            LANRttChecker::SetEnabled(false);
             if (n.Authorized == AUTHED_BY_SUPER)
                 g_bExit = S_CLIENT_EXIT;
 			// If authorized by admin, keep the connection because these clients are managed by Layer-1 master