feat(ACME/Certificate): Introduce certificate provider hook and observable certificate events; remove legacy ACME flow

readme.md

@@ -199,6 +199,50 @@ sequenceDiagram
 - **IP Filtering** - Control access with IP allow/block lists using glob patterns
  - **NfTables Integration** - Direct manipulation of nftables for advanced low-level port forwarding
 
+## Certificate Provider Hook & Events
+
+You can customize how certificates are provisioned per domain by using the `certProvider` callback and listen for certificate events emitted by `SmartProxy`.
+
+```typescript
+import { SmartProxy } from '@push.rocks/smartproxy';
+import * as fs from 'fs';
+
+// Example certProvider: static for a specific domain, HTTP-01 otherwise
+const certProvider = async (domain: string) => {
+  if (domain === 'static.example.com') {
+    // Load from disk or vault
+    return {
+      id: 'static-cert',
+      domainName: domain,
+      created: Date.now(),
+      validUntil: Date.now() + 90 * 24 * 60 * 60 * 1000,
+      privateKey: fs.readFileSync('/etc/ssl/private/static.key', 'utf8'),
+      publicKey: fs.readFileSync('/etc/ssl/certs/static.crt', 'utf8'),
+      csr: ''
+    };
+  }
+  // Fallback to ACME HTTP-01 challenge
+  return 'http01';
+};
+
+const proxy = new SmartProxy({
+  fromPort: 80,
+  toPort: 8080,
+  domainConfigs: [{
+    domains: ['static.example.com', 'dynamic.example.com'],
+    allowedIPs: ['*']
+  }],
+  certProvider
+});
+
+// Listen for certificate issuance or renewal
+proxy.on('certificate', (evt) => {
+  console.log(`Certificate for ${evt.domain} ready, expires on ${evt.expiryDate}`);
+});
+
+await proxy.start();
+```
+
 ## Configuration Options
 
 ### backendProtocol