feat(smart-proxy): Improve connection/rate-limit atomicity, SNI parsing, HttpProxy & ACME orchestration, and routing utilities

ts/proxies/smart-proxy/security-manager.ts

@@ -166,7 +166,7 @@ export class SecurityManager {
 
     // Check connection rate limit
     if (
-      this.smartProxy.settings.connectionRateLimitPerMinute && 
+      this.smartProxy.settings.connectionRateLimitPerMinute &&
       !this.checkConnectionRate(ip)
     ) {
       return {
@@ -174,7 +174,44 @@ export class SecurityManager {
         reason: `Connection rate limit (${this.smartProxy.settings.connectionRateLimitPerMinute}/min) exceeded`
       };
     }
-    
+
+    return { allowed: true };
+  }
+
+  /**
+   * Atomically validate an IP and track the connection if allowed.
+   * This prevents race conditions where concurrent connections could bypass per-IP limits.
+   *
+   * @param ip - The IP address to validate
+   * @param connectionId - The connection ID to track if validation passes
+   * @returns Object with validation result and reason
+   */
+  public validateAndTrackIP(ip: string, connectionId: string): { allowed: boolean; reason?: string } {
+    // Check connection count limit BEFORE tracking
+    if (
+      this.smartProxy.settings.maxConnectionsPerIP &&
+      this.getConnectionCountByIP(ip) >= this.smartProxy.settings.maxConnectionsPerIP
+    ) {
+      return {
+        allowed: false,
+        reason: `Maximum connections per IP (${this.smartProxy.settings.maxConnectionsPerIP}) exceeded`
+      };
+    }
+
+    // Check connection rate limit
+    if (
+      this.smartProxy.settings.connectionRateLimitPerMinute &&
+      !this.checkConnectionRate(ip)
+    ) {
+      return {
+        allowed: false,
+        reason: `Connection rate limit (${this.smartProxy.settings.connectionRateLimitPerMinute}/min) exceeded`
+      };
+    }
+
+    // Validation passed - immediately track to prevent race conditions
+    this.trackConnectionByIP(ip, connectionId);
+
     return { allowed: true };
   }