feat(smart-proxy): add hot-reloadable global ingress security policy across Rust and TypeScript proxy layers

rust/crates/rustproxy/tests/common/mod.rs

@@ -136,7 +136,8 @@ pub async fn start_http_echo_backend(port: u16, backend_name: &str) -> JoinHandl
                 let path = parts.get(1).copied().unwrap_or("/");
 
                 // Extract Host header
-                let host = req_str.lines()
+                let host = req_str
+                    .lines()
                     .find(|l| l.to_lowercase().starts_with("host:"))
                     .map(|l| l[5..].trim())
                     .unwrap_or("unknown");
@@ -336,7 +337,8 @@ pub async fn start_ws_echo_backend(port: u16) -> JoinHandle<()> {
                 let req_str = String::from_utf8_lossy(&buf[..n]);
 
                 // Extract Sec-WebSocket-Key for proper handshake
-                let ws_key = req_str.lines()
+                let ws_key = req_str
+                    .lines()
                     .find(|l| l.to_lowercase().starts_with("sec-websocket-key:"))
                     .map(|l| l.split(':').nth(1).unwrap_or("").trim().to_string())
                     .unwrap_or_default();
@@ -378,7 +380,9 @@ pub fn generate_self_signed_cert(domain: &str) -> (String, String) {
     use rcgen::{CertificateParams, KeyPair};
 
     let mut params = CertificateParams::new(vec![domain.to_string()]).unwrap();
-    params.distinguished_name.push(rcgen::DnType::CommonName, domain);
+    params
+        .distinguished_name
+        .push(rcgen::DnType::CommonName, domain);
 
     let key_pair = KeyPair::generate().unwrap();
     let cert = params.self_signed(&key_pair).unwrap();
@@ -458,11 +462,7 @@ pub fn make_tls_terminate_route(
 
 /// Start a TLS WebSocket echo backend: accepts TLS, performs WS handshake, then echoes data.
 /// Combines TLS acceptance (like `start_tls_http_backend`) with WebSocket echo (like `start_ws_echo_backend`).
-pub async fn start_tls_ws_echo_backend(
-    port: u16,
-    cert_pem: &str,
-    key_pem: &str,
-) -> JoinHandle<()> {
+pub async fn start_tls_ws_echo_backend(port: u16, cert_pem: &str, key_pem: &str) -> JoinHandle<()> {
     use std::sync::Arc;
 
     let acceptor = rustproxy_passthrough::build_tls_acceptor(cert_pem, key_pem)