feat(smart-proxy): add hot-reloadable global ingress security policy across Rust and TypeScript proxy layers

rust/crates/rustproxy-passthrough/src/connection_registry.rs

@@ -7,8 +7,8 @@
 
 use std::collections::HashSet;
 use std::net::IpAddr;
-use std::sync::Arc;
 use std::sync::atomic::{AtomicU64, Ordering};
+use std::sync::Arc;
 
 use dashmap::DashMap;
 use tokio_util::sync::CancellationToken;
@@ -73,7 +73,9 @@ impl ConnectionRegistry {
     pub fn recycle_for_cert_change(&self, cert_domain: &str) {
         let mut recycled = 0u64;
         self.connections.retain(|_, entry| {
-            let matches = entry.domain.as_deref()
+            let matches = entry
+                .domain
+                .as_deref()
                 .map(|d| domain_matches(cert_domain, d) || domain_matches(d, cert_domain))
                 .unwrap_or(false);
             if matches {
@@ -100,7 +102,11 @@ impl ConnectionRegistry {
         let mut recycled = 0u64;
         self.connections.retain(|_, entry| {
             if entry.route_id.as_deref() == Some(route_id) {
-                if !RequestFilter::check_ip_security(new_security, &entry.source_ip, entry.domain.as_deref()) {
+                if !RequestFilter::check_ip_security(
+                    new_security,
+                    &entry.source_ip,
+                    entry.domain.as_deref(),
+                ) {
                     info!(
                         "Terminating connection from {} — IP now blocked on route '{}'",
                         entry.source_ip, route_id