feat(proxy): short-circuit configured blocked hosts locally#1376
maybeknott wants to merge 2 commits into
Conversation
Add a config-backed block_hosts list for destinations that should be answered by the local proxy before any relay, tunnel, SNI rewrite, or upstream SOCKS5 dispatch is attempted. The matcher intentionally reuses the existing passthrough host semantics: exact entries match only that hostname, while leading-dot entries match the bare suffix and its subdomains with case-insensitive trailing-dot normalization.

HTTP proxy requests now check the parsed target host at ingress. Blocked plain HTTP requests and blocked CONNECT authorities receive a local 204 No Content response with Connection: close and Content-Length: 0, so the browser gets a deterministic terminal response without opening an outbound socket or consuming Apps Script quota.

SOCKS5 CONNECT requests now check the resolved request target before the success reply is sent. Blocked targets receive a ruleset-failure response and no outbound connection is opened. SOCKS5 UDP ASSOCIATE datagrams also check each parsed datagram target and drop blocked destinations before creating or reusing a tunnel-mux UDP session.

The shared tunnel dispatcher keeps a defensive block_hosts guard as well, so future ingress paths cannot accidentally bypass the local policy and reach raw TCP passthrough, Full Tunnel, Apps Script relay, or SNI rewrite. This keeps the policy local to the client and avoids any changes to Code.gs, CodeFull.gs, or tunnel-node.

Wire block_hosts through the flat Config, the TOML [network] section, JSON-to-TOML migration serialization, and the desktop UI form state. The UI does not expose an editor for the list yet, but it now preserves hand-edited TOML entries on Save instead of dropping them.

Document the TOML shape in the guide, add block_hosts to the checked-in TOML examples, and cover both TOML round-trip/migration behavior and host matching semantics with focused unit tests.
Lad, you don't have to do a PR for every single commit you make; bundle them together and make one or two based on what you changed.
Add a desktop UI editor for network.block_hosts so local quota-saving block rules can be managed without hand-editing config.toml. The editor stores one hostname per line, trims blank and comment lines on save, preserves existing exact-host and leading-dot suffix semantics, and shows the number of active local block rules before the user saves or starts the proxy.

Account for local block-list decisions at the proxy short-circuit points. HTTP CONNECT and plain HTTP blocks increment the counter before returning a local 204, SOCKS5 CONNECT increments before returning the ruleset failure reply, SOCKS5 UDP increments before dropping a blocked datagram, and the shared dispatch guard increments before dropping a blocked tunnel path. Apps Script and Full-mode servers share the same counter with DomainFronter so relay stats reflect traffic avoided before any relay, tunnel-node, SNI rewrite, or upstream SOCKS5 work is opened.

Extend StatsSnapshot, the human-readable stats line, and the JSON stats export with blocked_requests. This gives the desktop traffic panel and Android/JNI consumers a stable numeric field for local block-list hits without changing the existing cache, quota, h2, or per-site fields.

Document the UI editor, the TOML representation, the matching rules, and the blocked_requests telemetry in the English and Persian guides. Add block_hosts comments to the shipped TOML examples so configuration-facing behavior is visible from the sample files. Add focused regression coverage for block-host editor parsing and stats export formatting.

Verification: git diff --check passed. cargo test stats_snapshot_exports_local_block_counter --lib and cargo test --bin mhrv-rs-ui host_list_editor could not run because winnow v0.7.15 is not available locally and static.crates.io timed out while Cargo attempted to download it.
I did a huge PR, #1333, and aleph replied with "Please split this into small PRs with one behavioral change each." So now I'm keeping to one behavioral change per PR, literally. Also, while you are here, I wanted to tell you that I have adopted your PR #1346 into PR #1382. I have made it compatible with the latest stable changes and also hardened it a little bit. Please check that out.
You split it way too much; he just meant split some of it, not every single thing into 10 different things. That's even worse.
Sure. |
Closing this standalone block-hosts slice because the local block-list behavior, UI editor, TOML examples, docs, and counters have been folded into #1386 as the combined local traffic-policy PR. |
Local filtering should happen before a request consumes relay capacity. Tracker, ad, telemetry, and other operator-defined blocked hosts do not need an Apps Script execution, a tunnel session, or an outbound dial attempt when the proxy can make a local decision from the destination hostname.
Add a `block_hosts` TOML setting that accepts exact hostnames and leading-dot suffix rules. The matcher normalizes hostnames consistently and applies the same rule set across the local proxy ingress paths, so an entry such as `example.com` matches only that host while `.example.com` matches subdomains below it.

HTTP proxy requests and CONNECT requests to blocked hosts are short-circuited locally with `204 No Content`. SOCKS5 CONNECT requests receive a ruleset failure before any remote connection is attempted. SOCKS5 UDP datagrams for blocked hosts are dropped before a tunnel session is allocated. Non-matching requests continue through the existing proxy, Apps Script, tunnel, or direct fallback paths unchanged.

The desktop UI preserves hand-edited TOML block-host entries when saving other settings, so users can manage the list in configuration files without the UI erasing it. TOML examples and the English/Persian guides document the setting, exact-match behavior, suffix-match behavior, and the quota-preservation reason for local filtering.
Focused tests cover exact host matching, suffix host matching, non-matching hosts, HTTP short-circuit behavior, CONNECT short-circuit behavior, SOCKS5 rejection behavior, and TOML parsing for the new setting.
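The matching rules described in the PR (exact entries match only that host; leading-dot entries match the bare suffix and its subdomains; comparison is case-insensitive with a trailing dot stripped) and the editor's one-hostname-per-line parsing are compact enough to show end to end. The following is an added example written for this page, not code from the mhrv-rs repository or this PR: the names `BlockList`, `parse_host_list`, `host_of_authority`, `http_block_response` and `socks5_ruleset_failure_reply` are assumptions for illustration, the 204 response bytes follow the headers the PR text names, and the SOCKS5 reply uses the standard RFC 1928 REP code X'02' ("connection not allowed by ruleset"), which matches the PR's "ruleset failure" wording but is not shown byte-for-byte on the page.

```rust
// Added example, not mhrv-rs project code. It models the block_hosts semantics the PR
// text describes; the type and function names below are assumptions for illustration.

/// Lowercase, trim whitespace and drop one trailing dot ("Example.COM." -> "example.com").
fn normalize_host(host: &str) -> String {
    let h = host.trim().to_ascii_lowercase();
    h.strip_suffix('.').unwrap_or(&h).to_string()
}

/// Strip a port from a CONNECT authority; bracketed IPv6 literals keep their colons.
pub fn host_of_authority(authority: &str) -> &str {
    let a = authority.trim();
    if let Some(rest) = a.strip_prefix('[') {
        return rest.split(']').next().unwrap_or("");
    }
    match a.matches(':').count() {
        1 => a.split(':').next().unwrap_or(""),
        _ => a, // no port, or a bare IPv6 literal: leave it untouched
    }
}

#[derive(Debug, Default, Clone, PartialEq)]
pub struct BlockList {
    exact: Vec<String>,    // "example.com"  -> only that host
    suffixes: Vec<String>, // ".example.com" -> stored as "example.com"; matches it and subdomains
}

impl BlockList {
    /// Compile raw rules as written in `[network] block_hosts = [...]` or the UI editor.
    pub fn from_rules<I>(rules: I) -> Self
    where
        I: IntoIterator,
        I::Item: AsRef<str>,
    {
        let mut bl = BlockList::default();
        for raw in rules {
            let rule = raw.as_ref().trim();
            if let Some(suffix) = rule.strip_prefix('.') {
                let s = normalize_host(suffix);
                if !s.is_empty() {
                    bl.suffixes.push(s);
                }
            } else {
                let e = normalize_host(rule);
                if !e.is_empty() {
                    bl.exact.push(e);
                }
            }
        }
        bl
    }

    /// Number of active rules (what the editor would show before Save).
    pub fn len(&self) -> usize {
        self.exact.len() + self.suffixes.len()
    }

    /// Local verdict for an already-parsed target host: no DNS, no outbound socket.
    pub fn is_blocked(&self, host: &str) -> bool {
        let h = normalize_host(host);
        if h.is_empty() {
            return false;
        }
        if self.exact.iter().any(|e| *e == h) {
            return true;
        }
        self.suffixes
            .iter()
            .any(|s| h == *s || h.ends_with(&format!(".{s}")))
    }
}

/// The editor's text area: one hostname per line; blank lines and `#` comment lines are dropped.
pub fn parse_host_list(text: &str) -> Vec<String> {
    text.lines()
        .map(str::trim)
        .filter(|l| !l.is_empty() && !l.starts_with('#'))
        .map(String::from)
        .collect()
}

/// Terminal HTTP reply for a blocked plain-HTTP request or CONNECT authority.
pub fn http_block_response() -> &'static [u8] {
    b"HTTP/1.1 204 No Content\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"
}

/// SOCKS5 reply with REP = X'02' (connection not allowed by ruleset, RFC 1928 section 6)
/// and an all-zero IPv4 BND.ADDR/BND.PORT. Assumed shape; the project's exact bytes are not on the page.
pub fn socks5_ruleset_failure_reply() -> [u8; 10] {
    [0x05, 0x02, 0x00, 0x01, 0, 0, 0, 0, 0, 0]
}

fn main() {
    // Constructed sample editor contents, not a real configuration.
    let list = BlockList::from_rules(parse_host_list("# local block rules\nexample.com\n.tracker.net\n"));
    for target in ["example.com:443", "www.example.com:443", "cdn.tracker.net:80", "[::1]:8080"] {
        let host = host_of_authority(target);
        println!("{target:>22} -> host {host:<16} blocked={}", list.is_blocked(host));
    }
}
```

The `ends_with(".suffix")` check is what keeps `nottracker.net` from matching `.tracker.net`; a plain `ends_with("tracker.net")` would over-block, which is the usual bug in suffix lists. Normalizing before comparison also means a client that sends `EXAMPLE.COM.` (absolute form) cannot slip past an `example.com` rule.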