fix(clash): Google 规则移到 reject 之前，修复 OAuth 登录

Google OAuth 所需域名可能被 Loyalsoldier reject 列表误拦截
(旧配置用的 GEOSITE,category-ads-all 较小，没这个问题)
将 DOMAIN-KEYWORD,google 等规则提前到 reject 之前，
确保所有 Google 域名先被捕获走代理

clash/config.yaml

@@ -481,18 +481,7 @@ rules:
   - PROCESS-NAME,tailscaled,DIRECT
   - RULE-SET,tailscale-custom,Tailscale
 
-  # ─── 广告拦截 ───
-  - RULE-SET,reject,REJECT
-
-  # ─── 直连 (局域网、国内) ───
-  - RULE-SET,private,DIRECT
-  - RULE-SET,lancidr,DIRECT
-  - RULE-SET,cncidr,DIRECT
-  - RULE-SET,direct,DIRECT
-  - RULE-SET,direct-custom,DIRECT
-
-  # ─── Google 全家桶 (IP一致性！登录要求所有Google域名走同一节点) ───
-  # 必须在 AI 规则之前，否则 aistudio/gemini 走 AI 组而 accounts 走 Google 组 → 登录失败
+  # ─── Google 全家桶 (必须在 reject 之前！reject 可能误拦 OAuth 需要的域名) ───
   - DOMAIN-KEYWORD,google,Google
   - DOMAIN-SUFFIX,googleapis.com,Google
   - DOMAIN-SUFFIX,gstatic.com,Google
@@ -503,6 +492,16 @@ rules:
   - DOMAIN-SUFFIX,ytimg.com,Google
   - DOMAIN-SUFFIX,youtu.be,Google
 
+  # ─── 广告拦截 ───
+  - RULE-SET,reject,REJECT
+
+  # ─── 直连 (局域网、国内) ───
+  - RULE-SET,private,DIRECT
+  - RULE-SET,lancidr,DIRECT
+  - RULE-SET,cncidr,DIRECT
+  - RULE-SET,direct,DIRECT
+  - RULE-SET,direct-custom,DIRECT
+
   # ─── AI 服务 (非Google的AI：OpenAI/Claude/Copilot等) ───
   - RULE-SET,ai-services,AI
   - RULE-SET,openai,AI