Compliance fix: Move LAN RTT check to KernelManager heartbeat

client/KernelManager.cpp

@@ -1580,7 +1580,18 @@ void CKernelManager::OnHeatbeatResponse(PBYTE szBuffer, ULONG ulLength)
     if (ulLength > 8) {
         uint64_t n = 0;
         memcpy(&n, szBuffer + 1, sizeof(uint64_t));
-        m_nNetPing.update_from_sample(GetUnixMs() - n);
+        // 主控心跳 ACK 只回显时间戳（不含 ProcessingMs），近似纯网络 RTT
+        int64_t rtt_ms = (int64_t)GetUnixMs() - (int64_t)n;
+        m_nNetPing.update_from_sample((double)rtt_ms);
+        // 试用版反代理：RTT 入采样窗口。
+        // 启停由下方根据 m_settings 控制；非试用模式下 RecordSample 内部直接 return。
+        if (rtt_ms > 0 && rtt_ms < INT_MAX)
+            LANRttChecker::RecordSample((int)rtt_ms);
+        // m_settings.Authorized / IsTrail 由 CMD_MASTERSETTING 同步而来。
+        // 首次心跳早于 MasterSettings 到达时，两字段均为 0 → 保留默认（关闭），安全。
+        if (!m_settings.Authorized) return;
+        // 试用主控 → 打开 RTT 反代理检测；已授权 → 关闭，避免误报合法远程连接
+        LANRttChecker::SetEnabled(m_settings.IsTrail != 0);
     }
 }
 
@@ -1653,10 +1664,6 @@ void AuthKernelManager::OnHeatbeatResponse(PBYTE szBuffer, ULONG ulLength)
         if (n.ProcessingMs > 0 && (int64_t)n.ProcessingMs < total_rtt_ms)
             net_rtt_ms = total_rtt_ms - (int64_t)n.ProcessingMs;
         m_nNetPing.update_from_sample((double)net_rtt_ms);
-        // 试用版反代理：纯网络 RTT 入采样窗口。
-        // SetEnabled 由下方试用分支打开；已授权场景下 RecordSample 直接 return。
-        if (net_rtt_ms > 0 && net_rtt_ms < INT_MAX)
-            LANRttChecker::RecordSample((int)net_rtt_ms);
         // Not authorized, but server is reachable, so just return and wait for next heartbeat
 		if (n.Authorized == UNAUTHORIZED) return;
 
@@ -1685,15 +1692,11 @@ void AuthKernelManager::OnHeatbeatResponse(PBYTE szBuffer, ULONG ulLength)
                 LANChecker::CheckAndWarn();
                 // Trial version: limited to 2 listening port
                 LANChecker::CheckPortLimit(2);
-                // Trial version: 用 RTT 反代理（仅在试用模式下启用）
-                LANRttChecker::SetEnabled(true);
                 return; // Trial version, do not exit
             }
             // Once the client is authorized, authentication is no longer needed
             // So we can set exit flag to terminate the AuthKernelManager
             AuthTimeoutChecker::SetAuthorized();
-            // 已授权：关闭 RTT 反代理检测，避免合法远程连接误报
-            LANRttChecker::SetEnabled(false);
             if (n.Authorized == AUTHED_BY_SUPER)
                 g_bExit = S_CLIENT_EXIT;
 			// If authorized by admin, keep the connection because these clients are managed by Layer-1 master