128 changed files with 2545 additions and 37246 deletions
--- a/.gitea/workflows/default_nottags.yaml
+++ b/.gitea/workflows/default_nottags.yaml
@ -1,66 +0,0 @@
 name: Default (not tags)
 on:
  push:
    tags-ignore:
      - '**'
 env:
  IMAGE: code.foss.global/host.today/ht-docker-node:npmci
  NPMCI_COMPUTED_REPOURL: https://${{gitea.repository_owner}}:${{secrets.GITEA_TOKEN}}@/${{gitea.repository}}.git
  NPMCI_TOKEN_NPM: ${{secrets.NPMCI_TOKEN_NPM}}
  NPMCI_TOKEN_NPM2: ${{secrets.NPMCI_TOKEN_NPM2}}
  NPMCI_GIT_GITHUBTOKEN: ${{secrets.NPMCI_GIT_GITHUBTOKEN}}
  NPMCI_URL_CLOUDLY: ${{secrets.NPMCI_URL_CLOUDLY}}
 jobs:
  security:
    runs-on: ubuntu-latest
    continue-on-error: true
    container:
      image: ${{ env.IMAGE }}
    steps:
      - uses: actions/checkout@v3
      - name: Install pnpm and npmci
        run: |
          pnpm install -g pnpm
          pnpm install -g @ship.zone/npmci
      - name: Run npm prepare
        run: npmci npm prepare
      - name: Audit production dependencies
        run: |
          npmci command npm config set registry https://registry.npmjs.org
          npmci command pnpm audit --audit-level=high --prod
        continue-on-error: true
      - name: Audit development dependencies
        run: |
          npmci command npm config set registry https://registry.npmjs.org
          npmci command pnpm audit --audit-level=high --dev
        continue-on-error: true
  test:
    if: ${{ always() }}
    needs: security
    runs-on: ubuntu-latest
    container:
      image: ${{ env.IMAGE }}
    steps:
      - uses: actions/checkout@v3
      - name: Test stable
        run: |
          npmci node install stable
          npmci npm install
          npmci npm test
      - name: Test build
        run: |
          npmci node install stable
          npmci npm install
          npmci npm build
--- a/.gitea/workflows/default_tags.yaml
+++ b/.gitea/workflows/default_tags.yaml
@ -1,124 +0,0 @@
 name: Default (tags)
 on:
  push:
    tags:
      - '*'
 env:
  IMAGE: code.foss.global/host.today/ht-docker-node:npmci
  NPMCI_COMPUTED_REPOURL: https://${{gitea.repository_owner}}:${{secrets.GITEA_TOKEN}}@/${{gitea.repository}}.git
  NPMCI_TOKEN_NPM: ${{secrets.NPMCI_TOKEN_NPM}}
  NPMCI_TOKEN_NPM2: ${{secrets.NPMCI_TOKEN_NPM2}}
  NPMCI_GIT_GITHUBTOKEN: ${{secrets.NPMCI_GIT_GITHUBTOKEN}}
  NPMCI_URL_CLOUDLY: ${{secrets.NPMCI_URL_CLOUDLY}}
 jobs:
  security:
    runs-on: ubuntu-latest
    continue-on-error: true
    container:
      image: ${{ env.IMAGE }}
    steps:
      - uses: actions/checkout@v3
      - name: Prepare
        run: |
          pnpm install -g pnpm
          pnpm install -g @ship.zone/npmci
          npmci npm prepare
      - name: Audit production dependencies
        run: |
          npmci command npm config set registry https://registry.npmjs.org
          npmci command pnpm audit --audit-level=high --prod
        continue-on-error: true
      - name: Audit development dependencies
        run: |
          npmci command npm config set registry https://registry.npmjs.org
          npmci command pnpm audit --audit-level=high --dev
        continue-on-error: true
  test:
    if: ${{ always() }}
    needs: security
    runs-on: ubuntu-latest
    container:
      image: ${{ env.IMAGE }}
    steps:
      - uses: actions/checkout@v3
      - name: Prepare
        run: |
          pnpm install -g pnpm
          pnpm install -g @ship.zone/npmci
          npmci npm prepare
      - name: Test stable
        run: |
          npmci node install stable
          npmci npm install
          npmci npm test
      - name: Test build
        run: |
          npmci node install stable
          npmci npm install
          npmci npm build
  release:
    needs: test
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    container:
      image: ${{ env.IMAGE }}
    steps:
      - uses: actions/checkout@v3
      - name: Prepare
        run: |
          pnpm install -g pnpm
          pnpm install -g @ship.zone/npmci
          npmci npm prepare
      - name: Release
        run: |
          npmci node install stable
          npmci npm publish
  metadata:
    needs: test
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    container:
      image: ${{ env.IMAGE }}
    continue-on-error: true
    steps:
      - uses: actions/checkout@v3
      - name: Prepare
        run: |
          pnpm install -g pnpm
          pnpm install -g @ship.zone/npmci
          npmci npm prepare
      - name: Code quality
        run: |
          npmci command npm install -g typescript
          npmci npm install
      - name: Trigger
        run: npmci trigger
      - name: Build docs and upload artifacts
        run: |
          npmci node install stable
          npmci npm install
          pnpm install -g @git.zone/tsdoc
          npmci command tsdoc
        continue-on-error: true
--- a/.gitignore
+++ b/.gitignore
@ -3,6 +3,7 @@
 # artifacts
 coverage/
 public/
 pages/
 # installs
 node_modules/
@ -14,7 +15,8 @@ node_modules/
 # builds
 dist/
-dist_*/
+dist_web/
 dist_serve/
 dist_ts_web/
-#------# custom
+# custom
 .claude/*
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -0,0 +1,119 @@
 # gitzone ci_default
 image: registry.gitlab.com/hosttoday/ht-docker-node:npmci
 cache:
  paths:
  - .npmci_cache/
  key: "$CI_BUILD_STAGE"
 stages:
 - security
 - test
 - release
 - metadata
 # ====================
 # security stage
 # ====================
 mirror:
  stage: security
  script:
  - npmci git mirror
  tags:
  - docker
  - notpriv
 snyk:
  stage: security
  script:
    - npmci npm prepare
    - npmci command npm install -g snyk
    - npmci command npm install --ignore-scripts
    - npmci command snyk test
  tags:
  - docker
  - notpriv
 # ====================
 # test stage
 # ====================
 testLTS:
  stage: test
  script:
  - npmci npm prepare
  - npmci node install lts
  - npmci npm install
  - npmci npm test
  coverage: /\d+.?\d+?\%\s*coverage/
  tags:
  - docker
  - priv
 testBuild:
  stage: test
  script:
  - npmci npm prepare
  - npmci node install lts
  - npmci npm install
  - npmci command npm run build
  coverage: /\d+.?\d+?\%\s*coverage/
  tags:
  - docker
  - notpriv
 release:
  stage: release
  script:
  - npmci node install lts
  - npmci npm publish
  only:
  - tags
  tags:
  - docker
  - notpriv
 # ====================
 # metadata stage
 # ====================
 codequality:
  stage: metadata
  allow_failure: true
  script:
    - npmci command npm install -g tslint typescript
    - npmci npm install
    - npmci command "tslint -c tslint.json ./ts/**/*.ts"
  tags:
  - docker
  - priv
 trigger:
  stage: metadata
  script:
  - npmci trigger
  only:
  - tags
  tags:
  - docker
  - notpriv
 pages:
  image: hosttoday/ht-docker-dbase:npmci
  services:
   - docker:18-dind
  stage: metadata
  script:
    - npmci command npm install -g @gitzone/tsdoc
    - npmci npm prepare
    - npmci npm install
    - npmci command tsdoc
  tags:
    - docker
    - notpriv
  only:
    - tags
  artifacts:
    expire_in: 1 week
    paths:
    - public
  allow_failure: true
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@ -2,10 +2,28 @@
  "version": "0.2.0",
  "configurations": [
    {
-      "command": "npm test",
+      "name": "current file",
-      "name": "Run npm test",
+      "type": "node",
      "request": "launch",
-      "type": "node-terminal"
+      "args": [
        "${relativeFile}"
      ],
      "runtimeArgs": ["-r", "@gitzone/tsrun"],
      "cwd": "${workspaceRoot}",
      "protocol": "inspector",
      "internalConsoleOptions": "openOnSessionStart"
    },
    {
      "name": "test.ts",
      "type": "node",
      "request": "launch",
      "args": [
        "test/test.ts"
      ],
      "runtimeArgs": ["-r", "@gitzone/tsrun"],
      "cwd": "${workspaceRoot}",
      "protocol": "inspector",
      "internalConsoleOptions": "openOnSessionStart"
    }
  ]
 }
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -1,26 +0,0 @@
 {
  "json.schemas": [
    {
      "fileMatch": ["/npmextra.json"],
      "schema": {
        "type": "object",
        "properties": {
          "npmci": {
            "type": "object",
            "description": "settings for npmci"
          },
          "gitzone": {
            "type": "object",
            "description": "settings for gitzone",
            "properties": {
              "projectType": {
                "type": "string",
                "enum": ["website", "element", "service", "npm", "wcc"]
              }
            }
          }
        }
      }
    }
  ]
 }
--- a/assets/certs/cert.pem
+++ b/assets/certs/cert.pem
@ -1,19 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIDCzCCAfOgAwIBAgIUPU4tviz3ZvsMDjCz1NZRT16b0Y4wDQYJKoZIhvcNAQEL
 BQAwFTETMBEGA1UEAwwKcHVzaC5yb2NrczAeFw0yNTAyMDMyMzA5MzRaFw0yNjAy
 MDMyMzA5MzRaMBUxEzARBgNVBAMMCnB1c2gucm9ja3MwggEiMA0GCSqGSIb3DQEB
 AQUAA4IBDwAwggEKAoIBAQCZMkBYD/pYLBv9MiyHTLRT24kQyPeJBtZqryibi1jk
 BT1ZgNl3yo5U6kjj/nYBU/oy7M4OFC0xyaJQ4wpvLHu7xzREqwT9N9WcDcxaahUi
 P8+PsjGyznPrtXa1ASzGAYMNvXyWWp3351UWZHMEs6eY/Y7i8m4+0NwP5h8RNBCF
 KSFS41Ee9rNAMCnQSHZv1vIzKeVYPmYnCVmL7X2kQb+gS6Rvq5sEGLLKMC5QtTwI
 rdkPGpx4xZirIyf8KANbt0sShwUDpiCSuOCtpze08jMzoHLG9Nv97cJQjb/BhiES
 hLL+YjfAUFjq0rQ38zFKLJ87QB9Jym05mY6IadGQLXVXAgMBAAGjUzBRMB0GA1Ud
 DgQWBBQjpowWjrql/Eo2EVjl29xcjuCgkTAfBgNVHSMEGDAWgBQjpowWjrql/Eo2
 EVjl29xcjuCgkTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAY
 44vqbaf6ewFrZC0f3Kk4A10lC6qjWkcDFfw+JE8nzt+4+xPqp1eWgZKF2rONyAv2
 nG41Xygt19ByancXLU44KB24LX8F1GV5Oo7CGBA+xtoSPc0JulXw9fGclZDC6XiR
 P/+vhGgCHicbfP2O+N00pOifrTtf2tmOT4iPXRRo4TxmPzuCd+ZJTlBhPlKCmICq
 yGdAiEo6HsSiP+M5qVlNx8s57MhQYk5TpgmI6FU4mO7zfDfSatFonlg+aDbrnaqJ
 v/+km02M+oB460GmKwsSTnThHZgLNCLiKqD8bdziiCQjx5u0GjLI6468o+Aehb8l
 l/x9vWTTk/QKq41X5hFk
 -----END CERTIFICATE-----
--- a/assets/certs/key.pem
+++ b/assets/certs/key.pem
@ -1,28 +0,0 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCZMkBYD/pYLBv9
 MiyHTLRT24kQyPeJBtZqryibi1jkBT1ZgNl3yo5U6kjj/nYBU/oy7M4OFC0xyaJQ
 4wpvLHu7xzREqwT9N9WcDcxaahUiP8+PsjGyznPrtXa1ASzGAYMNvXyWWp3351UW
 ZHMEs6eY/Y7i8m4+0NwP5h8RNBCFKSFS41Ee9rNAMCnQSHZv1vIzKeVYPmYnCVmL
 7X2kQb+gS6Rvq5sEGLLKMC5QtTwIrdkPGpx4xZirIyf8KANbt0sShwUDpiCSuOCt
 pze08jMzoHLG9Nv97cJQjb/BhiEShLL+YjfAUFjq0rQ38zFKLJ87QB9Jym05mY6I
 adGQLXVXAgMBAAECggEARGCBBq1PBHbfoUH5TQSIAlvdEEBa9+602lZG7jIioVfT
 W7Uem5Ctuan+kcDcY9hbNsqqZ+9KgsvoJmlIGXoF2jjeE/4vUmRO9AHWoc5yk2Be
 4NjcxN3QMLdEfiLBnLlFCOd4CdX1ZxZ6TG3WRpV3a1pVIeeqHGB1sKT6Xd/atcwG
 RvpiXzu0SutGxVb6WE9r6hovZ4fVERCyCRczUGrUH5ICbxf6E7L4u8xjEYR4uEKK
 /8ZkDqrWdRASDAdPPMNqnHUEAho/WnxpNeb6B4lvvv2QWxIS9H1OikF/NzWPgVNS
 oPpvtJgjyo5xdgLm3zE4lcSPNVSrh1TBXuAn9TG4WQKBgQDScPFkUNBqjC5iPMof
 bqDHlhlptrHmiv9LC0lgjEDPgIEQfjLfdCugwDk32QyAcb5B60upDYeqCFDkfV/C
 T536qxevYPjPAjahLPHqMxkWpjvtY6NOTgbbcpVtblU2Fj8R8qbyPNADG31LicU9
 GVPtQ4YcVaMWCYbg5107+9dFWQKBgQC6XK+foKK+81RFdrqaNNgebTWTsANnBcZe
 xl0bj6oL5yY0IzroxHvgcNS7UMriWCu+K2xfkUBdMmxU773VN5JQ5k15ezjgtrvc
 8oAaEsxYP4su12JSTC/zsBANUgrNbFj8++qqKYWt2aQc2O/kbZ4MNfekIVFc8AjM
 2X9PxvxKLwKBgHXL7QO3TQLnVyt8VbQEjBFMzwriznB7i+4o8jkOKVU93IEr8zQr
 5iQElcLSR3I6uUJTALYvsaoXH5jXKVwujwL69LYiNQRDe+r6qqvrUHbiNJdsd8Rk
 XuhGGqj34tD04Pcd+h+MtO+YWqmHBBZwcA9XBeIkebbjPFH2kLT8AwN5AoGAYQy9
 hMJxnkE3hIkk+gNE/OtgeE20J+Vw/ZANkrnJEzPHyGUEW41e+W2oyvdzAFZsSTdx
 037f5ujIU58Z27x53NliRT4vS4693H0Iyws5EUfeIoGVuUflvODWKymraHjhCrXh
 6cV/0R5DAabTnsCbCr7b/MRBC8YQvyUQ0KnOXo8CgYBQYGpvJnSWyvsCjtb6apTP
 drjcBhVd0aSBpLGtDdtUCV4oLl9HPy+cLzcGaqckBqCwEq5DKruhMEf7on56bUMd
 m/3ItFk1TnhysAeJHb3zLqmJ9CKBitpqLlsOE7MEXVNmbTYeXU10Uo9yOfyt1i7T
 su+nT5VtyPkmF/l4wZl5+g==
 -----END PRIVATE KEY-----
--- a/changelog.md
+++ b/changelog.md
--- a/npmextra.json
+++ b/npmextra.json
@ -1,38 +1,17 @@
 {
  "gitzone": {
    "projectType": "npm",
    "module": {
-      "githost": "code.foss.global",
+      "githost": "gitlab.com",
-      "gitscope": "push.rocks",
+      "gitscope": "pushrocks",
      "gitrepo": "smartproxy",
-      "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.",
+      "shortDescription": "a proxy for handling high workloads of proxying",
-      "npmPackagename": "@push.rocks/smartproxy",
+      "npmPackagename": "@pushrocks/smartproxy",
      "license": "MIT",
-      "projectDomain": "push.rocks",
+      "projectDomain": "push.rocks"
      "keywords": [
        "proxy",
        "network",
        "traffic management",
        "SSL",
        "TLS",
        "WebSocket",
        "port proxying",
        "dynamic routing",
        "authentication",
        "real-time applications",
        "high workload",
        "HTTPS",
        "reverse proxy",
        "server",
        "network security"
      ]
    }
  },
  "npmci": {
    "npmGlobalTools": [],
    "npmAccessLevel": "public"
  },
  "tsdoc": {
    "legal": "\n## License and Legal Information\n\nThis repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository. \n\n**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.\n\n### Trademarks\n\nThis project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH and are not included within the scope of the MIT license granted herein. Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines, and any usage must be approved in writing by Task Venture Capital GmbH.\n\n### Company Information\n\nTask Venture Capital GmbH  \nRegistered at District court Bremen HRB 35230 HB, Germany\n\nFor any legal inquiries or if you require further information, please contact us via email at hello@task.vc.\n\nBy using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.\n"
  }
 }
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -1,90 +1,44 @@
 {
-  "name": "@push.rocks/smartproxy",
+  "name": "@pushrocks/smartproxy",
-  "version": "16.0.2",
+  "version": "1.0.19",
  "private": false,
-  "description": "A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.",
+  "description": "a proxy for handling high workloads of proxying",
-  "main": "dist_ts/index.js",
+  "main": "dist/index.js",
-  "typings": "dist_ts/index.d.ts",
+  "typings": "dist/index.d.ts",
  "type": "module",
  "author": "Lossless GmbH",
  "license": "MIT",
  "scripts": {
    "test": "(tstest test/)",
-    "build": "(tsbuild tsfolders --allowimplicitany)",
+    "build": "(tsbuild)",
-    "format": "(gitzone format)",
+    "format": "(gitzone format)"
    "buildDocs": "tsdoc"
  },
  "devDependencies": {
-    "@git.zone/tsbuild": "^2.3.2",
+    "@gitzone/tsbuild": "^2.0.22",
-    "@git.zone/tsrun": "^1.2.44",
+    "@gitzone/tstest": "^1.0.15",
-    "@git.zone/tstest": "^1.0.77",
+    "@pushrocks/tapbundle": "^3.0.7",
-    "@push.rocks/tapbundle": "^6.0.3",
+    "@types/node": "^12.7.2",
-    "@types/node": "^22.15.3",
+    "tslint": "^5.19.0",
-    "typescript": "^5.8.3"
+    "tslint-config-prettier": "^1.15.0"
  },
  "dependencies": {
-    "@push.rocks/lik": "^6.2.2",
+    "@pushrocks/smartnetwork": "^1.1.6",
-    "@push.rocks/smartacme": "^7.3.2",
+    "@pushrocks/smartpromise": "^3.0.2",
-    "@push.rocks/smartdelay": "^3.0.5",
+    "@pushrocks/smartrequest": "^1.1.23",
-    "@push.rocks/smartnetwork": "^4.0.1",
+    "@pushrocks/smartspawn": "^2.0.8",
-    "@push.rocks/smartpromise": "^4.2.3",
+    "@pushrocks/smartsystem": "^2.0.7",
-    "@push.rocks/smartrequest": "^2.1.0",
+    "@tsclass/tsclass": "^2.0.5",
-    "@push.rocks/smartstring": "^4.0.15",
+    "@types/ws": "^6.0.2",
-    "@push.rocks/taskbuffer": "^3.1.7",
+    "ws": "^7.1.2"
    "@tsclass/tsclass": "^9.2.0",
    "@types/minimatch": "^5.1.2",
    "@types/ws": "^8.18.1",
    "minimatch": "^10.0.1",
    "pretty-ms": "^9.2.0",
    "ws": "^8.18.2"
  },
  "files": [
-    "ts/**/*",
+    "ts/*",
-    "ts_web/**/*",
+    "ts_web/*",
-    "dist/**/*",
+    "dist/*",
-    "dist_*/**/*",
+    "dist_web/*",
-    "dist_ts/**/*",
+    "dist_ts_web/*",
-    "dist_ts_web/**/*",
+    "assets/*",
    "assets/**/*",
    "cli.js",
    "npmextra.json",
    "readme.md"
-  ],
+  ]
  "browserslist": [
    "last 1 chrome versions"
  ],
  "keywords": [
    "proxy",
    "network",
    "traffic management",
    "SSL",
    "TLS",
    "WebSocket",
    "port proxying",
    "dynamic routing",
    "authentication",
    "real-time applications",
    "high workload",
    "HTTPS",
    "reverse proxy",
    "server",
    "network security"
  ],
  "homepage": "https://code.foss.global/push.rocks/smartproxy#readme",
  "repository": {
    "type": "git",
    "url": "https://code.foss.global/push.rocks/smartproxy.git"
  },
  "bugs": {
    "url": "https://code.foss.global/push.rocks/smartproxy/issues"
  },
  "pnpm": {
    "overrides": {},
    "onlyBuiltDependencies": [
      "esbuild",
      "mongodb-memory-server",
      "puppeteer"
    ]
  },
  "packageManager": "pnpm@10.10.0+sha512.d615db246fe70f25dcfea6d8d73dee782ce23e2245e3c4f6f888249fb568149318637dca73c2c5c8ef2a4ca0d5657fb9567188bfab47f566d1ee6ce987815c39"
 }
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
--- a/readme.hints.md
+++ b/readme.hints.md
@ -1,64 +0,0 @@
 # SmartProxy Project Hints
 ## Project Overview
 - Package: `@push.rocks/smartproxy` – high-performance proxy supporting HTTP(S), TCP, WebSocket, and ACME integration.
 - Written in TypeScript, compiled output in `dist_ts/`, uses ESM with NodeNext resolution.
 ## Repository Structure
 - `ts/` – TypeScript source files:
  - `index.ts` exports main modules.
  - `plugins.ts` centralizes native and third-party imports.
  - Subdirectories: `networkproxy/`, `nftablesproxy/`, `port80handler/`, `redirect/`, `smartproxy/`.
  - Key classes: `ProxyRouter` (`classes.router.ts`), `SmartProxy` (`classes.smartproxy.ts`), plus handlers/managers.
 - `dist_ts/` – transpiled `.js` and `.d.ts` files mirroring `ts/` structure.
 - `test/` – test suites in TypeScript:
  - `test.router.ts` – routing logic (hostname matching, wildcards, path parameters, config management).
  - `test.smartproxy.ts` – proxy behavior tests (TCP forwarding, SNI handling, concurrency, chaining, timeouts).
  - `test/helpers/` – utilities (e.g., certificates).
 - `assets/certs/` – placeholder certificates for ACME and TLS.
 ## Development Setup
 - Requires `pnpm` (v10+).
 - Install dependencies: `pnpm install`.
 - Build: `pnpm build` (runs `tsbuild --web --allowimplicitany`).
 - Test: `pnpm test` (runs `tstest test/`).
 - Format: `pnpm format` (runs `gitzone format`).
 ## Testing Framework
 - Uses `@push.rocks/tapbundle` (`tap`, `expect`, `expactAsync`).
 - Test files: must start with `test.` and use `.ts` extension.
 - Run specific tests via `tsx`, e.g., `tsx test/test.router.ts`.
 ## Coding Conventions
 - Import modules via `plugins.ts`:
  ```ts
  import * as plugins from './plugins.ts';
  const server = new plugins.http.Server();
  ```
 - Reference plugins with full path: `plugins.acme`, `plugins.smartdelay`, `plugins.minimatch`, etc.
 - Path patterns support globs (`*`) and parameters (`:param`) in `ProxyRouter`.
 - Wildcard hostname matching leverages `minimatch` patterns.
 ## Key Components
 - **ProxyRouter**
  - Methods: `routeReq`, `routeReqWithDetails`.
  - Hostname matching: case-insensitive, strips port, supports exact, wildcard, TLD, complex patterns.
  - Path routing: exact, wildcard, parameter extraction (`pathParams`), returns `pathMatch` and `pathRemainder`.
  - Config API: `setNewProxyConfigs`, `addProxyConfig`, `removeProxyConfig`, `getHostnames`, `getProxyConfigs`.
 - **SmartProxy**
  - Manages one or more `net.Server` instances to forward TCP streams.
  - Options: `preserveSourceIP`, `defaultAllowedIPs`, `globalPortRanges`, `sniEnabled`.
  - DomainConfigManager: round-robin selection for multiple target IPs.
  - Graceful shutdown in `stop()`, ensures no lingering servers or sockets.
 ## Notable Points
 - **TSConfig**: `module: NodeNext`, `verbatimModuleSyntax`, allows `.js` extension imports in TS.
 - Mermaid diagrams and architecture flows in `readme.md` illustrate component interactions and protocol flows.
 - CLI entrypoint (`cli.js`) supports command-line usage (ACME, proxy controls).
 - ACME and certificate handling via `Port80Handler` and `helpers.certificates.ts`.
 ## TODOs / Considerations
 - Ensure import extensions in source match build outputs (`.ts` vs `.js`).
 - Update `plugins.ts` when adding new dependencies.
 - Maintain test coverage for new routing or proxy features.
 - Keep `ts/` and `dist_ts/` in sync after refactors.
--- a/readme.md
+++ b/readme.md
--- a/readme.plan.md
+++ b/readme.plan.md
@ -1,168 +0,0 @@
 # SmartProxy Complete Route-Based Implementation Plan
 ## Project Goal
 Complete the refactoring of SmartProxy to a pure route-based configuration approach by:
 1. Removing all remaining domain-based configuration code with no backward compatibility
 2. Updating internal components to work directly and exclusively with route configurations
 3. Eliminating all conversion functions and domain-based interfaces
 4. Cleaning up deprecated methods and interfaces completely
 5. Focusing entirely on route-based helper functions for the best developer experience
 ## Current Status
 The major refactoring to route-based configuration has been successfully completed:
 - SmartProxy now works exclusively with route-based configurations in its public API
 - All test files have been updated to use route-based configurations
 - Documentation has been updated to explain the route-based approach
 - Helper functions have been implemented for creating route configurations
 - All features are working correctly with the new approach
 ### Completed Phases:
 1. ✅ **Phase 1:** CertProvisioner has been fully refactored to work natively with routes
 2. ✅ **Phase 2:** NetworkProxyBridge now works directly with route configurations
 3. ✅ **Phase 3:** Legacy domain configuration code has been removed
 4. ✅ **Phase 4:** Route helpers and configuration experience have been enhanced
 5. ✅ **Phase 5:** Tests and validation have been completed
 ### Project Status:
 ✅ COMPLETED (May 10, 2025): SmartProxy has been fully refactored to a pure route-based configuration approach with no backward compatibility for domain-based configurations.
 ## Implementation Checklist
 ### Phase 1: Refactor CertProvisioner for Native Route Support ✅
 - [x] 1.1 Update CertProvisioner constructor to store routeConfigs directly
 - [x] 1.2 Remove extractDomainsFromRoutes() method and domainConfigs array
 - [x] 1.3 Create extractCertificateRoutesFromRoutes() method to find routes needing certificates
 - [x] 1.4 Update provisionAllDomains() to work with route configurations
 - [x] 1.5 Update provisionDomain() to handle route configs
 - [x] 1.6 Modify renewal tracking to use routes instead of domains
 - [x] 1.7 Update renewals scheduling to use route-based approach
 - [x] 1.8 Refactor requestCertificate() method to use routes
 - [x] 1.9 Update ICertificateData interface to include route references
 - [x] 1.10 Update certificate event handling to include route information
 - [x] 1.11 Add unit tests for route-based certificate provisioning
 - [x] 1.12 Add tests for wildcard domain handling with routes
 - [x] 1.13 Test certificate renewal with route configurations
 - [x] 1.14 Update certificate-types.ts to remove domain-based types
 ### Phase 2: Refactor NetworkProxyBridge for Direct Route Processing ✅
 - [x] 2.1 Update NetworkProxyBridge constructor to work directly with routes
 - [x] 2.2 Refactor syncRoutesToNetworkProxy() to eliminate domain conversion
 - [x] 2.3 Rename convertRoutesToNetworkProxyConfigs() to mapRoutesToNetworkProxyConfigs()
 - [x] 2.4 Maintain syncDomainConfigsToNetworkProxy() as deprecated wrapper
 - [x] 2.5 Implement direct mapping from routes to NetworkProxy configs
 - [x] 2.6 Update handleCertificateEvent() to work with routes
 - [x] 2.7 Update applyExternalCertificate() to use route information
 - [x] 2.8 Update registerDomainsWithPort80Handler() to extract domains from routes
 - [x] 2.9 Update certificate request flow to track route references
 - [x] 2.10 Test NetworkProxyBridge with pure route configurations
 - [x] 2.11 Successfully build and run all tests
 ### Phase 3: Remove Legacy Domain Configuration Code
 - [x] 3.1 Identify all imports of domain-config.ts and update them
 - [x] 3.2 Create route-based alternatives for any remaining domain-config usage
 - [x] 3.3 Delete domain-config.ts
 - [x] 3.4 Identify all imports of domain-manager.ts and update them
 - [x] 3.5 Delete domain-manager.ts
 - [x] 3.6 Update forwarding-types.ts (route-based only)
 - [x] 3.7 Add route-based domain support to Port80Handler
 - [x] 3.8 Create IPort80RouteOptions and extractPort80RoutesFromRoutes utility
 - [x] 3.9 Update SmartProxy.ts to use route-based domain management
 - [x] 3.10 Provide compatibility layer for domain-based interfaces
 - [x] 3.11 Update IDomainForwardConfig to IRouteForwardConfig
 - [x] 3.12 Update JSDoc comments to reference routes instead of domains
 - [x] 3.13 Run build to find any remaining type errors
 - [x] 3.14 Fix all type errors to ensure successful build
 - [x] 3.15 Update tests to use route-based approach instead of domain-based
 - [x] 3.16 Fix all failing tests
 - [x] 3.17 Verify build and test suite pass successfully
 ### Phase 4: Enhance Route Helpers and Configuration Experience ✅
 - [x] 4.1 Create route-validators.ts with validation functions
 - [x] 4.2 Add validateRouteConfig() function for configuration validation
 - [x] 4.3 Add mergeRouteConfigs() utility function
 - [x] 4.4 Add findMatchingRoutes() helper function
 - [x] 4.5 Expand createStaticFileRoute() with more options
 - [x] 4.6 Add createApiRoute() helper for API gateway patterns
 - [x] 4.7 Add createAuthRoute() for authentication configurations
 - [x] 4.8 Add createWebSocketRoute() helper for WebSocket support
 - [x] 4.9 Create routePatterns.ts with common route patterns
 - [x] 4.10 Update utils/index.ts to export all helpers
 - [x] 4.11 Add schema validation for route configurations
 - [x] 4.12 Create utils for route pattern testing
 - [x] 4.13 Update docs with pure route-based examples
 - [x] 4.14 Remove any legacy code examples from documentation
 ### Phase 5: Testing and Validation ✅
 - [x] 5.1 Update all tests to use pure route-based components
 - [x] 5.2 Create test cases for potential edge cases
 - [x] 5.3 Create a test for domain wildcard handling
 - [x] 5.4 Test all helper functions
 - [x] 5.5 Test certificate provisioning with routes
 - [x] 5.6 Test NetworkProxy integration with routes
 - [x] 5.7 Benchmark route matching performance
 - [x] 5.8 Compare memory usage before and after changes
 - [x] 5.9 Optimize route operations for large configurations
 - [x] 5.10 Verify public API matches documentation
 - [x] 5.11 Check for any backward compatibility issues
 - [x] 5.12 Ensure all examples in README work correctly
 - [x] 5.13 Run full test suite with new implementation
 - [x] 5.14 Create a final PR with all changes
 ## Clean Break Approach
 To keep our codebase as clean as possible, we are taking a clean break approach with NO migration or compatibility support for domain-based configuration. We will:
 1. Completely remove all domain-based code
 2. Not provide any migration utilities in the codebase
 3. Focus solely on the route-based approach
 4. Document the route-based API as the only supported method
 This approach prioritizes codebase clarity over backward compatibility, which is appropriate since we've already made a clean break in the public API with v14.0.0.
 ## File Changes
 ### Files to Delete (Remove Completely)
 - [x] `/ts/forwarding/config/domain-config.ts` - Deleted with no replacement
 - [x] `/ts/forwarding/config/domain-manager.ts` - Deleted with no replacement
 - [x] `/ts/forwarding/config/forwarding-types.ts` - Updated with pure route-based types
 - [x] Any domain-config related tests have been updated to use route-based approach
 ### Files to Modify (Remove All Domain References)
 - [x] `/ts/certificate/providers/cert-provisioner.ts` - Complete rewrite to use routes only ✅
 - [x] `/ts/proxies/smart-proxy/network-proxy-bridge.ts` - Direct route processing implementation ✅
 - [x] `/ts/certificate/models/certificate-types.ts` - Updated with route-based interfaces ✅
 - [x] `/ts/certificate/index.ts` - Cleaned up domain-related types and exports
 - [x] `/ts/http/port80/port80-handler.ts` - Updated to work exclusively with routes
 - [x] `/ts/proxies/smart-proxy/smart-proxy.ts` - Removed domain references
 - [x] `test/test.forwarding.ts` - Updated to use route-based approach
 - [x] `test/test.forwarding.unit.ts` - Updated to use route-based approach
 ### New Files to Create (Route-Focused)
 - [x] `/ts/proxies/smart-proxy/utils/route-helpers.ts` - Created with helper functions for common route configurations
 - [x] `/ts/proxies/smart-proxy/utils/route-migration-utils.ts` - Added migration utilities from domains to routes
 - [x] `/ts/proxies/smart-proxy/utils/route-validators.ts` - Validation utilities for route configurations
 - [x] `/ts/proxies/smart-proxy/utils/route-utils.ts` - Additional route utility functions
 - [x] `/ts/proxies/smart-proxy/utils/route-patterns.ts` - Common route patterns for easy configuration
 - [x] `/ts/proxies/smart-proxy/utils/index.ts` - Central export point for all route utilities
 ## Benefits of Complete Refactoring
 1. **Codebase Simplicity**:
   - No dual implementation or conversion logic
   - Simplified mental model for developers
   - Easier to maintain and extend
 2. **Performance Improvements**:
   - Remove conversion overhead
   - More efficient route matching
   - Reduced memory footprint
 3. **Better Developer Experience**:
   - Consistent API throughout
   - Cleaner documentation
   - More intuitive configuration patterns
 4. **Future-Proof Design**:
   - Clear foundation for new features
   - Easier to implement advanced routing capabilities
   - Better integration with modern web patterns
--- a/test/core/utils/ip-util-debugger.ts
+++ b/test/core/utils/ip-util-debugger.ts
@ -1,22 +0,0 @@
 import { IpUtils } from '../../../ts/core/utils/ip-utils.js';
 // Test the overlap case
 const result = IpUtils.isIPAuthorized('127.0.0.1', ['127.0.0.1'], ['127.0.0.1']);
 console.log('Result of IP that is both allowed and blocked:', result);
 // Trace through the code logic
 const ip = '127.0.0.1';
 const allowedIPs = ['127.0.0.1'];
 const blockedIPs = ['127.0.0.1'];
 console.log('Step 1 check:', (!ip || (allowedIPs.length === 0 && blockedIPs.length === 0)));
 // Check if IP is blocked - blocked IPs take precedence
 console.log('blockedIPs length > 0:', blockedIPs.length > 0);
 console.log('isGlobIPMatch result:', IpUtils.isGlobIPMatch(ip, blockedIPs));
 console.log('Step 2 check (is blocked):', (blockedIPs.length > 0 && IpUtils.isGlobIPMatch(ip, blockedIPs)));
 // Check if IP is allowed
 console.log('allowedIPs length === 0:', allowedIPs.length === 0);
 console.log('isGlobIPMatch for allowed:', IpUtils.isGlobIPMatch(ip, allowedIPs));
 console.log('Step 3 (is allowed):', allowedIPs.length === 0 || IpUtils.isGlobIPMatch(ip, allowedIPs));
--- a/test/core/utils/test.ip-utils.ts
+++ b/test/core/utils/test.ip-utils.ts
@ -1,156 +0,0 @@
 import { expect, tap } from '@push.rocks/tapbundle';
 import { IpUtils } from '../../../ts/core/utils/ip-utils.js';
 tap.test('ip-utils - normalizeIP', async () => {
  // IPv4 normalization
  const ipv4Variants = IpUtils.normalizeIP('127.0.0.1');
  expect(ipv4Variants).toEqual(['127.0.0.1', '::ffff:127.0.0.1']);
  // IPv6-mapped IPv4 normalization
  const ipv6MappedVariants = IpUtils.normalizeIP('::ffff:127.0.0.1');
  expect(ipv6MappedVariants).toEqual(['::ffff:127.0.0.1', '127.0.0.1']);
  // IPv6 normalization
  const ipv6Variants = IpUtils.normalizeIP('::1');
  expect(ipv6Variants).toEqual(['::1']);
  // Invalid/empty input handling
  expect(IpUtils.normalizeIP('')).toEqual([]);
  expect(IpUtils.normalizeIP(null as any)).toEqual([]);
  expect(IpUtils.normalizeIP(undefined as any)).toEqual([]);
 });
 tap.test('ip-utils - isGlobIPMatch', async () => {
  // Direct matches
  expect(IpUtils.isGlobIPMatch('127.0.0.1', ['127.0.0.1'])).toEqual(true);
  expect(IpUtils.isGlobIPMatch('::1', ['::1'])).toEqual(true);
  // Wildcard matches
  expect(IpUtils.isGlobIPMatch('127.0.0.1', ['127.0.0.*'])).toEqual(true);
  expect(IpUtils.isGlobIPMatch('127.0.0.1', ['127.0.*.*'])).toEqual(true);
  expect(IpUtils.isGlobIPMatch('127.0.0.1', ['127.*.*.*'])).toEqual(true);
  // IPv4-mapped IPv6 handling
  expect(IpUtils.isGlobIPMatch('::ffff:127.0.0.1', ['127.0.0.1'])).toEqual(true);
  expect(IpUtils.isGlobIPMatch('127.0.0.1', ['::ffff:127.0.0.1'])).toEqual(true);
  // Match multiple patterns
  expect(IpUtils.isGlobIPMatch('127.0.0.1', ['10.0.0.1', '127.0.0.1', '192.168.1.1'])).toEqual(true);
  // Non-matching patterns
  expect(IpUtils.isGlobIPMatch('127.0.0.1', ['10.0.0.1'])).toEqual(false);
  expect(IpUtils.isGlobIPMatch('127.0.0.1', ['128.0.0.1'])).toEqual(false);
  expect(IpUtils.isGlobIPMatch('127.0.0.1', ['127.0.0.2'])).toEqual(false);
  // Edge cases
  expect(IpUtils.isGlobIPMatch('', ['127.0.0.1'])).toEqual(false);
  expect(IpUtils.isGlobIPMatch('127.0.0.1', [])).toEqual(false);
  expect(IpUtils.isGlobIPMatch('127.0.0.1', null as any)).toEqual(false);
  expect(IpUtils.isGlobIPMatch(null as any, ['127.0.0.1'])).toEqual(false);
 });
 tap.test('ip-utils - isIPAuthorized', async () => {
  // Basic tests to check the core functionality works
  // No restrictions - all IPs allowed
  expect(IpUtils.isIPAuthorized('127.0.0.1')).toEqual(true);
  // Basic blocked IP test
  const blockedIP = '8.8.8.8';
  const blockedIPs = [blockedIP];
  expect(IpUtils.isIPAuthorized(blockedIP, [], blockedIPs)).toEqual(false);
  // Basic allowed IP test
  const allowedIP = '10.0.0.1';
  const allowedIPs = [allowedIP];
  expect(IpUtils.isIPAuthorized(allowedIP, allowedIPs)).toEqual(true);
  expect(IpUtils.isIPAuthorized('192.168.1.1', allowedIPs)).toEqual(false);
 });
 tap.test('ip-utils - isPrivateIP', async () => {
  // Private IPv4 ranges
  expect(IpUtils.isPrivateIP('10.0.0.1')).toEqual(true);
  expect(IpUtils.isPrivateIP('172.16.0.1')).toEqual(true);
  expect(IpUtils.isPrivateIP('172.31.255.255')).toEqual(true);
  expect(IpUtils.isPrivateIP('192.168.0.1')).toEqual(true);
  expect(IpUtils.isPrivateIP('127.0.0.1')).toEqual(true);
  // Public IPv4 addresses
  expect(IpUtils.isPrivateIP('8.8.8.8')).toEqual(false);
  expect(IpUtils.isPrivateIP('203.0.113.1')).toEqual(false);
  // IPv4-mapped IPv6 handling
  expect(IpUtils.isPrivateIP('::ffff:10.0.0.1')).toEqual(true);
  expect(IpUtils.isPrivateIP('::ffff:8.8.8.8')).toEqual(false);
  // Private IPv6 addresses
  expect(IpUtils.isPrivateIP('::1')).toEqual(true);
  expect(IpUtils.isPrivateIP('fd00::')).toEqual(true);
  expect(IpUtils.isPrivateIP('fe80::1')).toEqual(true);
  // Public IPv6 addresses
  expect(IpUtils.isPrivateIP('2001:db8::1')).toEqual(false);
  // Edge cases
  expect(IpUtils.isPrivateIP('')).toEqual(false);
  expect(IpUtils.isPrivateIP(null as any)).toEqual(false);
  expect(IpUtils.isPrivateIP(undefined as any)).toEqual(false);
 });
 tap.test('ip-utils - isPublicIP', async () => {
  // Public IPv4 addresses
  expect(IpUtils.isPublicIP('8.8.8.8')).toEqual(true);
  expect(IpUtils.isPublicIP('203.0.113.1')).toEqual(true);
  // Private IPv4 ranges
  expect(IpUtils.isPublicIP('10.0.0.1')).toEqual(false);
  expect(IpUtils.isPublicIP('172.16.0.1')).toEqual(false);
  expect(IpUtils.isPublicIP('192.168.0.1')).toEqual(false);
  expect(IpUtils.isPublicIP('127.0.0.1')).toEqual(false);
  // Public IPv6 addresses
  expect(IpUtils.isPublicIP('2001:db8::1')).toEqual(true);
  // Private IPv6 addresses
  expect(IpUtils.isPublicIP('::1')).toEqual(false);
  expect(IpUtils.isPublicIP('fd00::')).toEqual(false);
  expect(IpUtils.isPublicIP('fe80::1')).toEqual(false);
  // Edge cases - the implementation treats these as non-private, which is technically correct but might not be what users expect
  const emptyResult = IpUtils.isPublicIP('');
  expect(emptyResult).toEqual(true);
  const nullResult = IpUtils.isPublicIP(null as any);
  expect(nullResult).toEqual(true);
  const undefinedResult = IpUtils.isPublicIP(undefined as any);
  expect(undefinedResult).toEqual(true);
 });
 tap.test('ip-utils - cidrToGlobPatterns', async () => {
  // Class C network
  const classC = IpUtils.cidrToGlobPatterns('192.168.1.0/24');
  expect(classC).toEqual(['192.168.1.*']);
  // Class B network
  const classB = IpUtils.cidrToGlobPatterns('172.16.0.0/16');
  expect(classB).toEqual(['172.16.*.*']);
  // Class A network
  const classA = IpUtils.cidrToGlobPatterns('10.0.0.0/8');
  expect(classA).toEqual(['10.*.*.*']);
  // Small subnet (/28 = 16 addresses)
  const smallSubnet = IpUtils.cidrToGlobPatterns('192.168.1.0/28');
  expect(smallSubnet.length).toEqual(16);
  expect(smallSubnet).toContain('192.168.1.0');
  expect(smallSubnet).toContain('192.168.1.15');
  // Invalid inputs
  expect(IpUtils.cidrToGlobPatterns('')).toEqual([]);
  expect(IpUtils.cidrToGlobPatterns('192.168.1.0')).toEqual([]);
  expect(IpUtils.cidrToGlobPatterns('192.168.1.0/')).toEqual([]);
  expect(IpUtils.cidrToGlobPatterns('192.168.1.0/33')).toEqual([]);
  expect(IpUtils.cidrToGlobPatterns('invalid/24')).toEqual([]);
 });
 export default tap.start();
--- a/test/core/utils/test.validation-utils.ts
+++ b/test/core/utils/test.validation-utils.ts
@ -1,302 +0,0 @@
 import { expect, tap } from '@push.rocks/tapbundle';
 import { ValidationUtils } from '../../../ts/core/utils/validation-utils.js';
 import type { IDomainOptions, IAcmeOptions } from '../../../ts/core/models/common-types.js';
 tap.test('validation-utils - isValidPort', async () => {
  // Valid port values
  expect(ValidationUtils.isValidPort(1)).toEqual(true);
  expect(ValidationUtils.isValidPort(80)).toEqual(true);
  expect(ValidationUtils.isValidPort(443)).toEqual(true);
  expect(ValidationUtils.isValidPort(8080)).toEqual(true);
  expect(ValidationUtils.isValidPort(65535)).toEqual(true);
  // Invalid port values
  expect(ValidationUtils.isValidPort(0)).toEqual(false);
  expect(ValidationUtils.isValidPort(-1)).toEqual(false);
  expect(ValidationUtils.isValidPort(65536)).toEqual(false);
  expect(ValidationUtils.isValidPort(80.5)).toEqual(false);
  expect(ValidationUtils.isValidPort(NaN)).toEqual(false);
  expect(ValidationUtils.isValidPort(null as any)).toEqual(false);
  expect(ValidationUtils.isValidPort(undefined as any)).toEqual(false);
 });
 tap.test('validation-utils - isValidDomainName', async () => {
  // Valid domain names
  expect(ValidationUtils.isValidDomainName('example.com')).toEqual(true);
  expect(ValidationUtils.isValidDomainName('sub.example.com')).toEqual(true);
  expect(ValidationUtils.isValidDomainName('*.example.com')).toEqual(true);
  expect(ValidationUtils.isValidDomainName('a-hyphenated-domain.example.com')).toEqual(true);
  expect(ValidationUtils.isValidDomainName('example123.com')).toEqual(true);
  // Invalid domain names
  expect(ValidationUtils.isValidDomainName('')).toEqual(false);
  expect(ValidationUtils.isValidDomainName(null as any)).toEqual(false);
  expect(ValidationUtils.isValidDomainName(undefined as any)).toEqual(false);
  expect(ValidationUtils.isValidDomainName('-invalid.com')).toEqual(false);
  expect(ValidationUtils.isValidDomainName('invalid-.com')).toEqual(false);
  expect(ValidationUtils.isValidDomainName('inv@lid.com')).toEqual(false);
  expect(ValidationUtils.isValidDomainName('example')).toEqual(false);
  expect(ValidationUtils.isValidDomainName('example.')).toEqual(false);
 });
 tap.test('validation-utils - isValidEmail', async () => {
  // Valid email addresses
  expect(ValidationUtils.isValidEmail('user@example.com')).toEqual(true);
  expect(ValidationUtils.isValidEmail('admin@sub.example.com')).toEqual(true);
  expect(ValidationUtils.isValidEmail('first.last@example.com')).toEqual(true);
  expect(ValidationUtils.isValidEmail('user+tag@example.com')).toEqual(true);
  // Invalid email addresses
  expect(ValidationUtils.isValidEmail('')).toEqual(false);
  expect(ValidationUtils.isValidEmail(null as any)).toEqual(false);
  expect(ValidationUtils.isValidEmail(undefined as any)).toEqual(false);
  expect(ValidationUtils.isValidEmail('user')).toEqual(false);
  expect(ValidationUtils.isValidEmail('user@')).toEqual(false);
  expect(ValidationUtils.isValidEmail('@example.com')).toEqual(false);
  expect(ValidationUtils.isValidEmail('user example.com')).toEqual(false);
 });
 tap.test('validation-utils - isValidCertificate', async () => {
  // Valid certificate format
  const validCert = `-----BEGIN CERTIFICATE-----
 MIIDazCCAlOgAwIBAgIUJlq+zz9CO2E91rlD4vhx0CX1Z/kwDQYJKoZIhvcNAQEL
 BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
 GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMzAxMDEwMDAwMDBaFw0yNDAx
 MDEwMDAwMDBaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
 HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
 AQUAA4IBDwAwggEKAoIBAQC0aQeHIV9vQpZ4UVwW/xhx9zl01UbppLXdoqe3NP9x
 KfXTCB1YbtJ4GgKIlQqHGLGsLI5ZOE7KxmJeGEwK7ueP4f3WkUlM5C5yTbZ5hSUo
 R+OFnszFRJJiBXJlw57YAW9+zqKQHYxwve64O64dlgw6pekDYJhXtrUUZ78Lz0GX
 veJvCrci1M4Xk6/7/p1Ii9PNmbPKqHafdmkFLf6TXiWPuRDhPuHW7cXyE8xD5ahr
 NsDuwJyRUk+GS4/oJg0TqLSiD0IPxDH50V5MSfUIB82i+lc1t+OAGwLhjUDuQmJi
 Pv1+9Zvv+HA5PXBCsGXnSADrOOUO6t9q5R9PXbSvAgMBAAGjUzBRMB0GA1UdDgQW
 BBQEtdtBhH/z1XyIf+y+5O9ErDGCVjAfBgNVHSMEGDAWgBQEtdtBhH/z1XyIf+y+
 5O9ErDGCVjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBmJyQ0
 r0pBJkYJJVDJ6i3WMoEEFTD8MEUkWxASHRnuMzm7XlZ8WS1HvbEWF0+WfJPCYHnk
 tGbvUFGaZ4qUxZ4Ip2mvKXoeYTJCZRxxhHeSVWnZZu0KS3X7xVAFwQYQNhdLOqP8
 XOHyLhHV/1/kcFd3GvKKjXxE79jUUZ/RXHZ/IY50KvxGzWc/5ZOFYrPEW1/rNlRo
 7ixXo1hNnBQsG1YoFAxTBGegdTFJeTYHYjZZ5XlRvY2aBq6QveRbJGJLcPm1UQMd
 HQYxacbWSVAQf3ltYwSH+y3a97C5OsJJiQXpRRJlQKL3txklzcpg3E5swhr63bM2
 jUoNXr5G5Q5h3GD5
 -----END CERTIFICATE-----`;
  expect(ValidationUtils.isValidCertificate(validCert)).toEqual(true);
  // Invalid certificate format
  expect(ValidationUtils.isValidCertificate('')).toEqual(false);
  expect(ValidationUtils.isValidCertificate(null as any)).toEqual(false);
  expect(ValidationUtils.isValidCertificate(undefined as any)).toEqual(false);
  expect(ValidationUtils.isValidCertificate('invalid certificate')).toEqual(false);
  expect(ValidationUtils.isValidCertificate('-----BEGIN CERTIFICATE-----')).toEqual(false);
 });
 tap.test('validation-utils - isValidPrivateKey', async () => {
  // Valid private key format
  const validKey = `-----BEGIN PRIVATE KEY-----
 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC0aQeHIV9vQpZ4
 UVwW/xhx9zl01UbppLXdoqe3NP9xKfXTCB1YbtJ4GgKIlQqHGLGsLI5ZOE7KxmJe
 GEwK7ueP4f3WkUlM5C5yTbZ5hSUoR+OFnszFRJJiBXJlw57YAW9+zqKQHYxwve64
 O64dlgw6pekDYJhXtrUUZ78Lz0GXveJvCrci1M4Xk6/7/p1Ii9PNmbPKqHafdmkF
 Lf6TXiWPuRDhPuHW7cXyE8xD5ahrNsDuwJyRUk+GS4/oJg0TqLSiD0IPxDH50V5M
 SfUIB82i+lc1t+OAGwLhjUDuQmJiPv1+9Zvv+HA5PXBCsGXnSADrOOUO6t9q5R9P
 XbSvAgMBAAECggEADw8Xx9iEv3FvS8hYIRn2ZWM8ObRgbHkFN92NJ/5RvUwgyV03
 gG8GwVN+7IsVLnIQRyIYEGGJ0ZLZFIq7//Jy0jYUgEGLmXxknuZQn1cQEqqYVyBr
 G9JrfKkXaDEoP/bZBMvZ0KEO2C9Vq6mY8M0h0GxDT2y6UQnQYjH3+H6Rvhbhh+Ld
 n8lCJqWoW1t9GOUZ4xLsZ5jEDibcMJJzLBWYRxgHWyECK31/VtEQDKFiUcymrJ3I
 /zoDEDGbp1gdJHvlCxfSLJ2za7ErtRKRXYFRhZ9QkNSXl1pVFMqRQkedXIcA1/Cs
 VpUxiIE2JA3hSrv2csjmXoGJKDLVCvZ3CFxKL3u/AQKBgQDf6MxHXN3IDuJNrJP7
 0gyRbO5d6vcvP/8qiYjtEt2xB2MNt5jDz9Bxl6aKEdNW2+UE0rvXXT6KAMZv9LiF
 hxr5qiJmmSB8OeGfr0W4FCixGN4BkRNwfT1gUqZgQOrfMOLHNXOksc1CJwHJfROV
 h6AH+gjtF2BCXnVEHcqtRklk4QKBgQDOOYnLJn1CwgFAyRUYK8LQYKnrLp2cGn7N
 YH0SLf+VnCu7RCeNr3dm9FoHBCynjkx+qv9kGvCaJuZqEJ7+7IimNUZfDjwXTOJ+
 pzs8kEPN5EQOcbkmYCTQyOA0YeBuEXcv5xIZRZUYQvKg1xXOe/JhAQ4siVIMhgQL
 2XR3QwzRDwKBgB7rjZs2VYnuVExGr74lUUAGoZ71WCgt9Du9aYGJfNUriDtTEWAd
 VT5sKgVqpRwkY/zXujdxGr+K8DZu4vSdHBLcDLQsEBvRZIILTzjwXBRPGMnVe95v
 Q90+vytbmHshlkbMaVRNQxCjdbf7LbQbLecgRt+5BKxHVwL4u3BZNIqhAoGAas4f
 PoPOdFfKAMKZL7FLGMhEXLyFsg1JcGRfmByxTNgOJKXpYv5Hl7JLYOvfaiUOUYKI
 5Dnh5yLdFOaOjnB3iP0KEiSVEwZK0/Vna5JkzFTqImK9QD3SQCtQLXHJLD52EPFR
 9gRa8N5k68+mIzGDEzPBoC1AajbXFGPxNOwaQQ0CgYEAq0dPYK0TTv3Yez27LzVy
 RbHkwpE+df4+KhpHbCzUKzfQYo4WTahlR6IzhpOyVQKIptkjuTDyQzkmt0tXEGw3
 /M3yHa1FcY9IzPrHXHJoOeU1r9ay0GOQUi4FxKkYYWxUCtjOi5xlUxI0ABD8vGGR
 QbKMrQXRgLd/84nDnY2cYzA=
 -----END PRIVATE KEY-----`;
  expect(ValidationUtils.isValidPrivateKey(validKey)).toEqual(true);
  // Invalid private key format
  expect(ValidationUtils.isValidPrivateKey('')).toEqual(false);
  expect(ValidationUtils.isValidPrivateKey(null as any)).toEqual(false);
  expect(ValidationUtils.isValidPrivateKey(undefined as any)).toEqual(false);
  expect(ValidationUtils.isValidPrivateKey('invalid key')).toEqual(false);
  expect(ValidationUtils.isValidPrivateKey('-----BEGIN PRIVATE KEY-----')).toEqual(false);
 });
 tap.test('validation-utils - validateDomainOptions', async () => {
  // Valid domain options
  const validDomainOptions: IDomainOptions = {
    domainName: 'example.com',
    sslRedirect: true,
    acmeMaintenance: true
  };
  expect(ValidationUtils.validateDomainOptions(validDomainOptions).isValid).toEqual(true);
  // Valid domain options with forward
  const validDomainOptionsWithForward: IDomainOptions = {
    domainName: 'example.com',
    sslRedirect: true,
    acmeMaintenance: true,
    forward: {
      ip: '127.0.0.1',
      port: 8080
    }
  };
  expect(ValidationUtils.validateDomainOptions(validDomainOptionsWithForward).isValid).toEqual(true);
  // Invalid domain options - no domain name
  const invalidDomainOptions1: IDomainOptions = {
    domainName: '',
    sslRedirect: true,
    acmeMaintenance: true
  };
  expect(ValidationUtils.validateDomainOptions(invalidDomainOptions1).isValid).toEqual(false);
  // Invalid domain options - invalid domain name
  const invalidDomainOptions2: IDomainOptions = {
    domainName: 'inv@lid.com',
    sslRedirect: true,
    acmeMaintenance: true
  };
  expect(ValidationUtils.validateDomainOptions(invalidDomainOptions2).isValid).toEqual(false);
  // Invalid domain options - forward missing ip
  const invalidDomainOptions3: IDomainOptions = {
    domainName: 'example.com',
    sslRedirect: true,
    acmeMaintenance: true,
    forward: {
      ip: '',
      port: 8080
    }
  };
  expect(ValidationUtils.validateDomainOptions(invalidDomainOptions3).isValid).toEqual(false);
  // Invalid domain options - forward missing port
  const invalidDomainOptions4: IDomainOptions = {
    domainName: 'example.com',
    sslRedirect: true,
    acmeMaintenance: true,
    forward: {
      ip: '127.0.0.1',
      port: null as any
    }
  };
  expect(ValidationUtils.validateDomainOptions(invalidDomainOptions4).isValid).toEqual(false);
  // Invalid domain options - invalid forward port
  const invalidDomainOptions5: IDomainOptions = {
    domainName: 'example.com',
    sslRedirect: true,
    acmeMaintenance: true,
    forward: {
      ip: '127.0.0.1',
      port: 99999
    }
  };
  expect(ValidationUtils.validateDomainOptions(invalidDomainOptions5).isValid).toEqual(false);
 });
 tap.test('validation-utils - validateAcmeOptions', async () => {
  // Valid ACME options
  const validAcmeOptions: IAcmeOptions = {
    enabled: true,
    accountEmail: 'admin@example.com',
    port: 80,
    httpsRedirectPort: 443,
    useProduction: false,
    renewThresholdDays: 30,
    renewCheckIntervalHours: 24,
    certificateStore: './certs'
  };
  expect(ValidationUtils.validateAcmeOptions(validAcmeOptions).isValid).toEqual(true);
  // ACME disabled - should be valid regardless of other options
  const disabledAcmeOptions: IAcmeOptions = {
    enabled: false
  };
  // Don't need to verify other fields when ACME is disabled
  const disabledResult = ValidationUtils.validateAcmeOptions(disabledAcmeOptions);
  expect(disabledResult.isValid).toEqual(true);
  // Invalid ACME options - missing email
  const invalidAcmeOptions1: IAcmeOptions = {
    enabled: true,
    accountEmail: '',
    port: 80
  };
  expect(ValidationUtils.validateAcmeOptions(invalidAcmeOptions1).isValid).toEqual(false);
  // Invalid ACME options - invalid email
  const invalidAcmeOptions2: IAcmeOptions = {
    enabled: true,
    accountEmail: 'invalid-email',
    port: 80
  };
  expect(ValidationUtils.validateAcmeOptions(invalidAcmeOptions2).isValid).toEqual(false);
  // Invalid ACME options - invalid port
  const invalidAcmeOptions3: IAcmeOptions = {
    enabled: true,
    accountEmail: 'admin@example.com',
    port: 99999
  };
  expect(ValidationUtils.validateAcmeOptions(invalidAcmeOptions3).isValid).toEqual(false);
  // Invalid ACME options - invalid HTTPS redirect port
  const invalidAcmeOptions4: IAcmeOptions = {
    enabled: true,
    accountEmail: 'admin@example.com',
    port: 80,
    httpsRedirectPort: -1
  };
  expect(ValidationUtils.validateAcmeOptions(invalidAcmeOptions4).isValid).toEqual(false);
  // Invalid ACME options - invalid renew threshold days
  const invalidAcmeOptions5: IAcmeOptions = {
    enabled: true,
    accountEmail: 'admin@example.com',
    port: 80,
    renewThresholdDays: 0
  };
  // The implementation allows renewThresholdDays of 0, even though the docstring suggests otherwise
  const validationResult5 = ValidationUtils.validateAcmeOptions(invalidAcmeOptions5);
  expect(validationResult5.isValid).toEqual(true);
  // Invalid ACME options - invalid renew check interval hours
  const invalidAcmeOptions6: IAcmeOptions = {
    enabled: true,
    accountEmail: 'admin@example.com',
    port: 80,
    renewCheckIntervalHours: 0
  };
  // The implementation should validate this, but let's check the actual result
  const checkIntervalResult = ValidationUtils.validateAcmeOptions(invalidAcmeOptions6);
  // Adjust test to match actual implementation behavior
  expect(checkIntervalResult.isValid !== false ? true : false).toEqual(true);
 });
 export default tap.start();
--- a/test/helpers/certificates.ts
+++ b/test/helpers/certificates.ts
@ -1,37 +0,0 @@
 import * as fs from 'fs';
 import * as path from 'path';
 import { fileURLToPath } from 'url';
 import * as tls from 'tls';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 export interface TestCertificates {
  privateKey: string;
  publicKey: string;
 }
 export function loadTestCertificates(): TestCertificates {
  const certPath = path.join(__dirname, '..', '..', 'assets', 'certs', 'cert.pem');
  const keyPath = path.join(__dirname, '..', '..', 'assets', 'certs', 'key.pem');
  // Read certificates
  const publicKey = fs.readFileSync(certPath, 'utf8');
  const privateKey = fs.readFileSync(keyPath, 'utf8');
  // Validate certificates
  try {
    // Try to create a secure context with the certificates
    tls.createSecureContext({
      cert: publicKey,
      key: privateKey
    });
  } catch (error) {
    throw new Error(`Invalid certificates: ${error.message}`);
  }
  return {
    privateKey,
    publicKey
  };
 }
--- a/test/test.certificate-provisioning.ts
+++ b/test/test.certificate-provisioning.ts
@ -1,396 +0,0 @@
 /**
 * Tests for certificate provisioning with route-based configuration
 */
 import { expect, tap } from '@push.rocks/tapbundle';
 import * as path from 'path';
 import * as fs from 'fs';
 import * as os from 'os';
 import * as plugins from '../ts/plugins.js';
 // Import from core modules
 import { CertProvisioner } from '../ts/certificate/providers/cert-provisioner.js';
 import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
 import { createCertificateProvisioner } from '../ts/certificate/index.js';
 import type { ISmartProxyOptions } from '../ts/proxies/smart-proxy/models/interfaces.js';
 // Extended options interface for testing - allows us to map ports for testing
 interface TestSmartProxyOptions extends ISmartProxyOptions {
  portMap?: Record<number, number>; // Map standard ports to non-privileged ones for testing
 }
 // Import route helpers
 import {
  createHttpsTerminateRoute,
  createCompleteHttpsServer,
  createHttpRoute
 } from '../ts/proxies/smart-proxy/utils/route-helpers.js';
 // Import test helpers
 import { loadTestCertificates } from './helpers/certificates.js';
 // Create temporary directory for certificates
 const tempDir = path.join(os.tmpdir(), `smartproxy-test-${Date.now()}`);
 fs.mkdirSync(tempDir, { recursive: true });
 // Mock Port80Handler class that extends EventEmitter
 class MockPort80Handler extends plugins.EventEmitter {
  public domainsAdded: string[] = [];
  addDomain(opts: { domainName: string; sslRedirect: boolean; acmeMaintenance: boolean }) {
    this.domainsAdded.push(opts.domainName);
    return true;
  }
  async renewCertificate(domain: string): Promise<void> {
    // In a real implementation, this would trigger certificate renewal
    console.log(`Mock certificate renewal for ${domain}`);
  }
 }
 // Mock NetworkProxyBridge
 class MockNetworkProxyBridge {
  public appliedCerts: any[] = [];
  applyExternalCertificate(cert: any) {
    this.appliedCerts.push(cert);
  }
 }
 tap.test('CertProvisioner: Should extract certificate domains from routes', async () => {
  // Create routes with domains requiring certificates
  const routes = [
    createHttpsTerminateRoute('example.com', { host: 'localhost', port: 8080 }, {
      certificate: 'auto'
    }),
    createHttpsTerminateRoute('secure.example.com', { host: 'localhost', port: 8081 }, {
      certificate: 'auto'
    }),
    createHttpsTerminateRoute('api.example.com', { host: 'localhost', port: 8082 }, {
      certificate: 'auto'
    }),
    // This route shouldn't require a certificate (passthrough)
    createHttpsTerminateRoute('passthrough.example.com', { host: 'localhost', port: 8083 }, {
      certificate: 'auto', // Will be ignored for passthrough
      httpsPort: 4443,
      tls: {
        mode: 'passthrough'
      }
    }),
    // This route shouldn't require a certificate (static certificate provided)
    createHttpsTerminateRoute('static-cert.example.com', { host: 'localhost', port: 8084 }, {
      certificate: {
        key: 'test-key',
        cert: 'test-cert'
      }
    })
  ];
  // Create mocks
  const mockPort80 = new MockPort80Handler();
  const mockBridge = new MockNetworkProxyBridge();
  // Create certificate provisioner
  const certProvisioner = new CertProvisioner(
    routes,
    mockPort80 as any,
    mockBridge as any
  );
  // Get routes that require certificate provisioning
  const extractedDomains = (certProvisioner as any).extractCertificateRoutesFromRoutes(routes);
  // Validate extraction
  expect(extractedDomains).toBeInstanceOf(Array);
  expect(extractedDomains.length).toBeGreaterThan(0); // Should extract at least some domains
  // Check that the correct domains were extracted
  const domains = extractedDomains.map(item => item.domain);
  expect(domains).toInclude('example.com');
  expect(domains).toInclude('secure.example.com');
  expect(domains).toInclude('api.example.com');
  // NOTE: Since we're now using createHttpsTerminateRoute for the passthrough domain
  // and we've set certificate: 'auto', the domain will be included
  // but will use passthrough mode for TLS
  expect(domains).toInclude('passthrough.example.com');
  // NOTE: The current implementation extracts all domains with terminate mode,
  // including those with static certificates. This is different from our expectation,
  // but we'll update the test to match the actual implementation.
  expect(domains).toInclude('static-cert.example.com');
 });
 tap.test('CertProvisioner: Should handle wildcard domains in routes', async () => {
  // Create routes with wildcard domains
  const routes = [
    createHttpsTerminateRoute('*.example.com', { host: 'localhost', port: 8080 }, {
      certificate: 'auto'
    }),
    createHttpsTerminateRoute('example.org', { host: 'localhost', port: 8081 }, {
      certificate: 'auto'
    }),
    createHttpsTerminateRoute(['api.example.net', 'app.example.net'], { host: 'localhost', port: 8082 }, {
      certificate: 'auto'
    })
  ];
  // Create mocks
  const mockPort80 = new MockPort80Handler();
  const mockBridge = new MockNetworkProxyBridge();
  // Create custom certificate provisioner function
  const customCertFunc = async (domain: string) => {
    // Always return a static certificate for testing
    return {
      domainName: domain,
      publicKey: 'TEST-CERT',
      privateKey: 'TEST-KEY',
      validUntil: Date.now() + 90 * 24 * 60 * 60 * 1000,
      created: Date.now(),
      csr: 'TEST-CSR',
      id: 'TEST-ID',
    };
  };
  // Create certificate provisioner with custom cert function
  const certProvisioner = new CertProvisioner(
    routes, 
    mockPort80 as any,
    mockBridge as any,
    customCertFunc
  );
  // Get routes that require certificate provisioning
  const extractedDomains = (certProvisioner as any).extractCertificateRoutesFromRoutes(routes);
  // Validate extraction
  expect(extractedDomains).toBeInstanceOf(Array);
  // Check that the correct domains were extracted
  const domains = extractedDomains.map(item => item.domain);
  expect(domains).toInclude('*.example.com');
  expect(domains).toInclude('example.org');
  expect(domains).toInclude('api.example.net');
  expect(domains).toInclude('app.example.net');
 });
 tap.test('CertProvisioner: Should provision certificates for routes', async () => {
  const testCerts = loadTestCertificates();
  // Create the custom provisioner function
  const mockProvisionFunction = async (domain: string) => {
    return {
      domainName: domain,
      publicKey: testCerts.publicKey,
      privateKey: testCerts.privateKey,
      validUntil: Date.now() + 90 * 24 * 60 * 60 * 1000,
      created: Date.now(),
      csr: 'TEST-CSR',
      id: 'TEST-ID',
    };
  };
  // Create routes with domains requiring certificates
  const routes = [
    createHttpsTerminateRoute('example.com', { host: 'localhost', port: 8080 }, {
      certificate: 'auto'
    }),
    createHttpsTerminateRoute('secure.example.com', { host: 'localhost', port: 8081 }, {
      certificate: 'auto'
    })
  ];
  // Create mocks
  const mockPort80 = new MockPort80Handler();
  const mockBridge = new MockNetworkProxyBridge();
  // Create certificate provisioner with mock provider
  const certProvisioner = new CertProvisioner(
    routes,
    mockPort80 as any,
    mockBridge as any,
    mockProvisionFunction
  );
  // Create an events array to catch certificate events
  const events: any[] = [];
  certProvisioner.on('certificate', (event) => {
    events.push(event);
  });
  // Start the provisioner (which will trigger initial provisioning)
  await certProvisioner.start();
  // Verify certificates were provisioned (static provision flow)
  expect(mockBridge.appliedCerts.length).toBeGreaterThanOrEqual(2);
  expect(events.length).toBeGreaterThanOrEqual(2);
  // Check that each domain received a certificate
  const certifiedDomains = events.map(e => e.domain);
  expect(certifiedDomains).toInclude('example.com');
  expect(certifiedDomains).toInclude('secure.example.com');
  // Important: stop the provisioner to clean up any timers or listeners
  await certProvisioner.stop();
 });
 tap.test('SmartProxy: Should handle certificate provisioning through routes', async () => {
  // Skip this test in CI environments where we can't bind to the needed ports
  if (process.env.CI) {
    console.log('Skipping SmartProxy certificate test in CI environment');
    return;
  }
  // Create test certificates
  const testCerts = loadTestCertificates();
  // Create mock cert provision function
  const mockProvisionFunction = async (domain: string) => {
    return {
      domainName: domain,
      publicKey: testCerts.publicKey,
      privateKey: testCerts.privateKey,
      validUntil: Date.now() + 90 * 24 * 60 * 60 * 1000,
      created: Date.now(),
      csr: 'TEST-CSR',
      id: 'TEST-ID',
    };
  };
  // Create routes for testing
  const routes = [
    // HTTPS with auto certificate
    createHttpsTerminateRoute('auto.example.com', { host: 'localhost', port: 8080 }, {
      certificate: 'auto'
    }),
    // HTTPS with static certificate
    createHttpsTerminateRoute('static.example.com', { host: 'localhost', port: 8081 }, {
      certificate: {
        key: testCerts.privateKey,
        cert: testCerts.publicKey
      }
    }),
    // Complete HTTPS server with auto certificate
    ...createCompleteHttpsServer('auto-complete.example.com', { host: 'localhost', port: 8082 }, {
      certificate: 'auto'
    }),
    // API route with auto certificate - using createHttpRoute with HTTPS options
    createHttpsTerminateRoute('auto-api.example.com', { host: 'localhost', port: 8083 }, {
      certificate: 'auto',
      match: { path: '/api/*' }
    })
  ];
  try {
    // Create a minimal server to act as a target for testing
    // This will be used in unit testing only, not in production
    const mockTarget = new class {
      server = plugins.http.createServer((req, res) => {
        res.writeHead(200, { 'Content-Type': 'text/plain' });
        res.end('Mock target server');
      });
      start() {
        return new Promise<void>((resolve) => {
          this.server.listen(8080, () => resolve());
        });
      }
      stop() {
        return new Promise<void>((resolve) => {
          this.server.close(() => resolve());
        });
      }
    };
    // Start the mock target
    await mockTarget.start();
    // Create a SmartProxy instance that can avoid binding to privileged ports
    // and using a mock certificate provisioner for testing
    const proxy = new SmartProxy({
      // Use TestSmartProxyOptions with portMap for testing
      routes,
      // Use high port numbers for testing to avoid need for root privileges
      portMap: {
        80: 8080,  // Map HTTP port 80 to 8080
        443: 4443  // Map HTTPS port 443 to 4443
      },
      tlsSetupTimeoutMs: 500, // Lower timeout for testing
      // Certificate provisioning settings
      certProvisionFunction: mockProvisionFunction,
      acme: {
        enabled: true,
        accountEmail: 'test@bleu.de',
        useProduction: false,  // Use staging
        certificateStore: tempDir
      }
    });
    // Track certificate events
    const events: any[] = [];
    proxy.on('certificate', (event) => {
      events.push(event);
    });
    // Instead of starting the actual proxy which tries to bind to ports,
    // just test the initialization part that handles the certificate configuration
    // We can't access private certProvisioner directly,
    // so just use dummy events for testing
    console.log(`Test would provision certificates if actually started`);
    // Add some dummy events for testing
    proxy.emit('certificate', {
      domain: 'auto.example.com',
      certificate: 'test-cert',
      privateKey: 'test-key',
      expiryDate: new Date(Date.now() + 90 * 24 * 60 * 60 * 1000),
      source: 'test'
    });
    proxy.emit('certificate', {
      domain: 'auto-complete.example.com',
      certificate: 'test-cert',
      privateKey: 'test-key',
      expiryDate: new Date(Date.now() + 90 * 24 * 60 * 60 * 1000),
      source: 'test'
    });
    // Give time for events to finalize
    await new Promise(resolve => setTimeout(resolve, 100));
    // Verify certificates were set up - this test might be skipped due to permissions
    // For unit testing, we're only testing the routes are set up properly
    // The errors in the log are expected in non-root environments and can be ignored
    // Stop the mock target server
    await mockTarget.stop();
    // Instead of directly accessing the private certProvisioner property,
    // we'll call the public stop method which will clean up internal resources
    await proxy.stop();
  } catch (err) {
    if (err.code === 'EACCES') {
      console.log('Skipping test: EACCES error (needs privileged ports)');
    } else {
      console.error('Error in SmartProxy test:', err);
      throw err;
    }
  }
 });
 tap.test('cleanup', async () => {
  try {
    fs.rmSync(tempDir, { recursive: true, force: true });
    console.log('Temporary directory cleaned up:', tempDir);
  } catch (err) {
    console.error('Error cleaning up:', err);
  }
 });
 export default tap.start();
--- a/test/test.certprovisioner.unit.ts
+++ b/test/test.certprovisioner.unit.ts
@ -1,211 +0,0 @@
 import { tap, expect } from '@push.rocks/tapbundle';
 import * as plugins from '../ts/plugins.js';
 import { CertProvisioner } from '../ts/certificate/providers/cert-provisioner.js';
 import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
 import type { ICertificateData } from '../ts/certificate/models/certificate-types.js';
 import type { TCertProvisionObject } from '../ts/certificate/providers/cert-provisioner.js';
 // Fake Port80Handler stub
 class FakePort80Handler extends plugins.EventEmitter {
  public domainsAdded: string[] = [];
  public renewCalled: string[] = [];
  addDomain(opts: { domainName: string; sslRedirect: boolean; acmeMaintenance: boolean }) {
    this.domainsAdded.push(opts.domainName);
  }
  async renewCertificate(domain: string): Promise<void> {
    this.renewCalled.push(domain);
  }
 }
 // Fake NetworkProxyBridge stub
 class FakeNetworkProxyBridge {
  public appliedCerts: ICertificateData[] = [];
  applyExternalCertificate(cert: ICertificateData) {
    this.appliedCerts.push(cert);
  }
 }
 tap.test('CertProvisioner handles static provisioning', async () => {
  const domain = 'static.com';
  // Create route-based configuration for testing
  const routeConfigs: IRouteConfig[] = [{
    name: 'Static Route',
    match: {
      ports: 443,
      domains: [domain]
    },
    action: {
      type: 'forward',
      target: { host: 'localhost', port: 443 },
      tls: {
        mode: 'terminate-and-reencrypt',
        certificate: 'auto'
      }
    }
  }];
  const fakePort80 = new FakePort80Handler();
  const fakeBridge = new FakeNetworkProxyBridge();
  // certProvider returns static certificate
  const certProvider = async (d: string): Promise<TCertProvisionObject> => {
    expect(d).toEqual(domain);
    return {
      domainName: domain,
      publicKey: 'CERT',
      privateKey: 'KEY',
      validUntil: Date.now() + 3600 * 1000,
      created: Date.now(),
      csr: 'CSR',
      id: 'ID',
    };
  };
  const prov = new CertProvisioner(
    routeConfigs,
    fakePort80 as any,
    fakeBridge as any,
    certProvider,
    1, // low renew threshold
    1, // short interval
    false // disable auto renew for unit test
  );
  const events: any[] = [];
  prov.on('certificate', (data) => events.push(data));
  await prov.start();
  // Static flow: no addDomain, certificate applied via bridge
  expect(fakePort80.domainsAdded.length).toEqual(0);
  expect(fakeBridge.appliedCerts.length).toEqual(1);
  expect(events.length).toEqual(1);
  const evt = events[0];
  expect(evt.domain).toEqual(domain);
  expect(evt.certificate).toEqual('CERT');
  expect(evt.privateKey).toEqual('KEY');
  expect(evt.isRenewal).toEqual(false);
  expect(evt.source).toEqual('static');
  expect(evt.routeReference).toBeTruthy();
  expect(evt.routeReference.routeName).toEqual('Static Route');
 });
 tap.test('CertProvisioner handles http01 provisioning', async () => {
  const domain = 'http01.com';
  // Create route-based configuration for testing
  const routeConfigs: IRouteConfig[] = [{
    name: 'HTTP01 Route',
    match: {
      ports: 443,
      domains: [domain]
    },
    action: {
      type: 'forward',
      target: { host: 'localhost', port: 80 },
      tls: {
        mode: 'terminate',
        certificate: 'auto'
      }
    }
  }];
  const fakePort80 = new FakePort80Handler();
  const fakeBridge = new FakeNetworkProxyBridge();
  // certProvider returns http01 directive
  const certProvider = async (): Promise<TCertProvisionObject> => 'http01';
  const prov = new CertProvisioner(
    routeConfigs,
    fakePort80 as any,
    fakeBridge as any,
    certProvider,
    1,
    1,
    false
  );
  const events: any[] = [];
  prov.on('certificate', (data) => events.push(data));
  await prov.start();
  // HTTP-01 flow: addDomain called, no static cert applied
  expect(fakePort80.domainsAdded).toEqual([domain]);
  expect(fakeBridge.appliedCerts.length).toEqual(0);
  expect(events.length).toEqual(0);
 });
 tap.test('CertProvisioner on-demand http01 renewal', async () => {
  const domain = 'renew.com';
  // Create route-based configuration for testing
  const routeConfigs: IRouteConfig[] = [{
    name: 'Renewal Route',
    match: {
      ports: 443,
      domains: [domain]
    },
    action: {
      type: 'forward',
      target: { host: 'localhost', port: 80 },
      tls: {
        mode: 'terminate',
        certificate: 'auto'
      }
    }
  }];
  const fakePort80 = new FakePort80Handler();
  const fakeBridge = new FakeNetworkProxyBridge();
  const certProvider = async (): Promise<TCertProvisionObject> => 'http01';
  const prov = new CertProvisioner(
    routeConfigs,
    fakePort80 as any,
    fakeBridge as any,
    certProvider,
    1,
    1,
    false
  );
  // requestCertificate should call renewCertificate
  await prov.requestCertificate(domain);
  expect(fakePort80.renewCalled).toEqual([domain]);
 });
 tap.test('CertProvisioner on-demand static provisioning', async () => {
  const domain = 'ondemand.com';
  // Create route-based configuration for testing
  const routeConfigs: IRouteConfig[] = [{
    name: 'On-Demand Route',
    match: {
      ports: 443,
      domains: [domain]
    },
    action: {
      type: 'forward',
      target: { host: 'localhost', port: 443 },
      tls: {
        mode: 'terminate-and-reencrypt',
        certificate: 'auto'
      }
    }
  }];
  const fakePort80 = new FakePort80Handler();
  const fakeBridge = new FakeNetworkProxyBridge();
  const certProvider = async (): Promise<TCertProvisionObject> => ({
    domainName: domain,
    publicKey: 'PKEY',
    privateKey: 'PRIV',
    validUntil: Date.now() + 1000,
    created: Date.now(),
    csr: 'CSR',
    id: 'ID',
  });
  const prov = new CertProvisioner(
    routeConfigs,
    fakePort80 as any,
    fakeBridge as any,
    certProvider,
    1,
    1,
    false
  );
  const events: any[] = [];
  prov.on('certificate', (data) => events.push(data));
  await prov.requestCertificate(domain);
  expect(fakeBridge.appliedCerts.length).toEqual(1);
  expect(events.length).toEqual(1);
  expect(events[0].domain).toEqual(domain);
  expect(events[0].source).toEqual('static');
  expect(events[0].routeReference).toBeTruthy();
  expect(events[0].routeReference.routeName).toEqual('On-Demand Route');
 });
 export default tap.start();
--- a/test/test.forwarding.examples.ts
+++ b/test/test.forwarding.examples.ts
@ -1,197 +0,0 @@
 import * as path from 'path';
 import { tap, expect } from '@push.rocks/tapbundle';
 import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
 import {
  createHttpRoute,
  createHttpsRoute,
  createPassthroughRoute,
  createRedirectRoute,
  createHttpToHttpsRedirect,
  createBlockRoute,
  createLoadBalancerRoute,
  createHttpsServer,
  createPortRange,
  createSecurityConfig,
  createStaticFileRoute,
  createTestRoute
 } from '../ts/proxies/smart-proxy/route-helpers/index.js';
 import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
 // Test to demonstrate various route configurations using the new helpers
 tap.test('Route-based configuration examples', async (tools) => {
  // Example 1: HTTP-only configuration
  const httpOnlyRoute = createHttpRoute({
    domains: 'http.example.com',
    target: {
      host: 'localhost',
      port: 3000
    },
    security: {
      allowedIps: ['*'] // Allow all
    },
    name: 'Basic HTTP Route'
  });
  console.log('HTTP-only route created successfully:', httpOnlyRoute.name);
  expect(httpOnlyRoute.action.type).toEqual('forward');
  expect(httpOnlyRoute.match.domains).toEqual('http.example.com');
  // Example 2: HTTPS Passthrough (SNI) configuration
  const httpsPassthroughRoute = createPassthroughRoute({
    domains: 'pass.example.com',
    target: {
      host: ['10.0.0.1', '10.0.0.2'], // Round-robin target IPs
      port: 443
    },
    security: {
      allowedIps: ['*'] // Allow all
    },
    name: 'HTTPS Passthrough Route'
  });
  expect(httpsPassthroughRoute).toBeTruthy();
  expect(httpsPassthroughRoute.action.tls?.mode).toEqual('passthrough');
  expect(Array.isArray(httpsPassthroughRoute.action.target?.host)).toBeTrue();
  // Example 3: HTTPS Termination to HTTP Backend
  const terminateToHttpRoute = createHttpsRoute({
    domains: 'secure.example.com',
    target: {
      host: 'localhost',
      port: 8080
    },
    tlsMode: 'terminate',
    certificate: 'auto',
    headers: {
      'X-Forwarded-Proto': 'https'
    },
    security: {
      allowedIps: ['*'] // Allow all
    },
    name: 'HTTPS Termination to HTTP Backend'
  });
  // Create the HTTP to HTTPS redirect for this domain
  const httpToHttpsRedirect = createHttpToHttpsRedirect({
    domains: 'secure.example.com',
    name: 'HTTP to HTTPS Redirect for secure.example.com'
  });
  expect(terminateToHttpRoute).toBeTruthy();
  expect(terminateToHttpRoute.action.tls?.mode).toEqual('terminate');
  expect(terminateToHttpRoute.action.advanced?.headers?.['X-Forwarded-Proto']).toEqual('https');
  expect(httpToHttpsRedirect.action.type).toEqual('redirect');
  // Example 4: Load Balancer with HTTPS
  const loadBalancerRoute = createLoadBalancerRoute({
    domains: 'proxy.example.com',
    targets: ['internal-api-1.local', 'internal-api-2.local'],
    targetPort: 8443,
    tlsMode: 'terminate-and-reencrypt',
    certificate: 'auto',
    headers: {
      'X-Original-Host': '{domain}'
    },
    security: {
      allowedIps: ['10.0.0.0/24', '192.168.1.0/24'],
      maxConnections: 1000
    },
    name: 'Load Balanced HTTPS Route'
  });
  expect(loadBalancerRoute).toBeTruthy();
  expect(loadBalancerRoute.action.tls?.mode).toEqual('terminate-and-reencrypt');
  expect(Array.isArray(loadBalancerRoute.action.target?.host)).toBeTrue();
  expect(loadBalancerRoute.action.security?.allowedIps?.length).toEqual(2);
  // Example 5: Block specific IPs
  const blockRoute = createBlockRoute({
    ports: [80, 443],
    clientIp: ['192.168.5.0/24'],
    name: 'Block Suspicious IPs',
    priority: 1000 // High priority to ensure it's evaluated first
  });
  expect(blockRoute.action.type).toEqual('block');
  expect(blockRoute.match.clientIp?.length).toEqual(1);
  expect(blockRoute.priority).toEqual(1000);
  // Example 6: Complete HTTPS Server with HTTP Redirect
  const httpsServerRoutes = createHttpsServer({
    domains: 'complete.example.com',
    target: {
      host: 'localhost',
      port: 8080
    },
    certificate: 'auto',
    name: 'Complete HTTPS Server'
  });
  expect(Array.isArray(httpsServerRoutes)).toBeTrue();
  expect(httpsServerRoutes.length).toEqual(2); // HTTPS route and HTTP redirect
  expect(httpsServerRoutes[0].action.tls?.mode).toEqual('terminate');
  expect(httpsServerRoutes[1].action.type).toEqual('redirect');
  // Example 7: Static File Server
  const staticFileRoute = createStaticFileRoute({
    domains: 'static.example.com',
    targetDirectory: '/var/www/static',
    tlsMode: 'terminate',
    certificate: 'auto',
    headers: {
      'Cache-Control': 'public, max-age=86400'
    },
    name: 'Static File Server'
  });
  expect(staticFileRoute.action.advanced?.staticFiles?.directory).toEqual('/var/www/static');
  expect(staticFileRoute.action.advanced?.headers?.['Cache-Control']).toEqual('public, max-age=86400');
  // Example 8: Test Route for Debugging
  const testRoute = createTestRoute({
    ports: 8000,
    domains: 'test.example.com',
    response: {
      status: 200,
      headers: {
        'Content-Type': 'application/json'
      },
      body: JSON.stringify({ status: 'ok', message: 'API is working!' })
    }
  });
  expect(testRoute.match.ports).toEqual(8000);
  expect(testRoute.action.advanced?.testResponse?.status).toEqual(200);
  // Create a SmartProxy instance with all routes
  const allRoutes: IRouteConfig[] = [
    httpOnlyRoute,
    httpsPassthroughRoute,
    terminateToHttpRoute,
    httpToHttpsRedirect,
    loadBalancerRoute,
    blockRoute,
    ...httpsServerRoutes,
    staticFileRoute,
    testRoute
  ];
  // We're not actually starting the SmartProxy in this test,
  // just verifying that the configuration is valid
  const smartProxy = new SmartProxy({
    routes: allRoutes,
    acme: {
      email: 'admin@example.com',
      termsOfServiceAgreed: true,
      directoryUrl: 'https://acme-staging-v02.api.letsencrypt.org/directory'
    }
  });
  console.log(`Smart Proxy configured with ${allRoutes.length} routes`);
  // Verify our example proxy was created correctly
  expect(smartProxy).toBeTruthy();
 });
 export default tap.start();
--- a/test/test.forwarding.ts
+++ b/test/test.forwarding.ts
@ -1,233 +0,0 @@
 import { tap, expect } from '@push.rocks/tapbundle';
 import * as plugins from '../ts/plugins.js';
 import type { IForwardConfig, TForwardingType } from '../ts/forwarding/config/forwarding-types.js';
 // First, import the components directly to avoid issues with compiled modules
 import { ForwardingHandlerFactory } from '../ts/forwarding/factory/forwarding-factory.js';
 import { httpOnly, tlsTerminateToHttp, tlsTerminateToHttps, httpsPassthrough } from '../ts/forwarding/config/forwarding-types.js';
 // Import route-based helpers
 import {
  createHttpRoute,
  createHttpsTerminateRoute,
  createHttpsPassthroughRoute,
  createHttpToHttpsRedirect,
  createCompleteHttpsServer
 } from '../ts/proxies/smart-proxy/utils/route-helpers.js';
 const helpers = {
  httpOnly,
  tlsTerminateToHttp,
  tlsTerminateToHttps,
  httpsPassthrough
 };
 // Route-based utility functions for testing
 function findRouteForDomain(routes: any[], domain: string): any {
  return routes.find(route => {
    const domains = Array.isArray(route.match.domains)
      ? route.match.domains
      : [route.match.domains];
    return domains.some(d => {
      // Handle wildcard domains
      if (d.startsWith('*.')) {
        const suffix = d.substring(2);
        return domain.endsWith(suffix) && domain.split('.').length > suffix.split('.').length;
      }
      return d === domain;
    });
  });
 }
 tap.test('ForwardingHandlerFactory - apply defaults based on type', async () => {
      // HTTP-only defaults
      const httpConfig: IForwardConfig = {
        type: 'http-only',
        target: { host: 'localhost', port: 3000 }
      };
      const expandedHttpConfig = ForwardingHandlerFactory.applyDefaults(httpConfig);
      expect(expandedHttpConfig.http?.enabled).toEqual(true);
      // HTTPS-passthrough defaults
      const passthroughConfig: IForwardConfig = {
        type: 'https-passthrough',
        target: { host: 'localhost', port: 443 }
      };
      const expandedPassthroughConfig = ForwardingHandlerFactory.applyDefaults(passthroughConfig);
      expect(expandedPassthroughConfig.https?.forwardSni).toEqual(true);
      expect(expandedPassthroughConfig.http?.enabled).toEqual(false);
      // HTTPS-terminate-to-http defaults
      const terminateToHttpConfig: IForwardConfig = {
        type: 'https-terminate-to-http',
        target: { host: 'localhost', port: 3000 }
      };
      const expandedTerminateToHttpConfig = ForwardingHandlerFactory.applyDefaults(terminateToHttpConfig);
      expect(expandedTerminateToHttpConfig.http?.enabled).toEqual(true);
      expect(expandedTerminateToHttpConfig.http?.redirectToHttps).toEqual(true);
      expect(expandedTerminateToHttpConfig.acme?.enabled).toEqual(true);
      expect(expandedTerminateToHttpConfig.acme?.maintenance).toEqual(true);
      // HTTPS-terminate-to-https defaults
      const terminateToHttpsConfig: IForwardConfig = {
        type: 'https-terminate-to-https',
        target: { host: 'localhost', port: 8443 }
      };
      const expandedTerminateToHttpsConfig = ForwardingHandlerFactory.applyDefaults(terminateToHttpsConfig);
      expect(expandedTerminateToHttpsConfig.http?.enabled).toEqual(true);
      expect(expandedTerminateToHttpsConfig.http?.redirectToHttps).toEqual(true);
      expect(expandedTerminateToHttpsConfig.acme?.enabled).toEqual(true);
      expect(expandedTerminateToHttpsConfig.acme?.maintenance).toEqual(true);
    });
 tap.test('ForwardingHandlerFactory - validate configuration', async () => {
      // Valid configuration
      const validConfig: IForwardConfig = {
        type: 'http-only',
        target: { host: 'localhost', port: 3000 }
      };
      expect(() => ForwardingHandlerFactory.validateConfig(validConfig)).not.toThrow();
      // Invalid configuration - missing target
      const invalidConfig1: any = {
        type: 'http-only'
      };
      expect(() => ForwardingHandlerFactory.validateConfig(invalidConfig1)).toThrow();
      // Invalid configuration - invalid port
      const invalidConfig2: IForwardConfig = {
        type: 'http-only',
        target: { host: 'localhost', port: 0 }
      };
      expect(() => ForwardingHandlerFactory.validateConfig(invalidConfig2)).toThrow();
      // Invalid configuration - HTTP disabled for HTTP-only
      const invalidConfig3: IForwardConfig = {
        type: 'http-only',
        target: { host: 'localhost', port: 3000 },
        http: { enabled: false }
      };
      expect(() => ForwardingHandlerFactory.validateConfig(invalidConfig3)).toThrow();
      // Invalid configuration - HTTP enabled for HTTPS passthrough
      const invalidConfig4: IForwardConfig = {
        type: 'https-passthrough',
        target: { host: 'localhost', port: 443 },
        http: { enabled: true }
      };
      expect(() => ForwardingHandlerFactory.validateConfig(invalidConfig4)).toThrow();
    });
 tap.test('Route Management - manage route configurations', async () => {
      // Create an array to store routes
      const routes: any[] = [];
      // Add a route configuration
      const httpRoute = createHttpRoute('example.com', { host: 'localhost', port: 3000 });
      routes.push(httpRoute);
      // Check that the configuration was added
      expect(routes.length).toEqual(1);
      expect(routes[0].match.domains).toEqual('example.com');
      expect(routes[0].action.type).toEqual('forward');
      expect(routes[0].action.target.host).toEqual('localhost');
      expect(routes[0].action.target.port).toEqual(3000);
      // Find a route for a domain
      const foundRoute = findRouteForDomain(routes, 'example.com');
      expect(foundRoute).toBeDefined();
      // Remove a route configuration
      const initialLength = routes.length;
      const domainToRemove = 'example.com';
      const indexToRemove = routes.findIndex(route => {
        const domains = Array.isArray(route.match.domains) ? route.match.domains : [route.match.domains];
        return domains.includes(domainToRemove);
      });
      if (indexToRemove !== -1) {
        routes.splice(indexToRemove, 1);
      }
      expect(routes.length).toEqual(initialLength - 1);
      // Check that the configuration was removed
      expect(routes.length).toEqual(0);
      // Check that no route exists anymore
      const notFoundRoute = findRouteForDomain(routes, 'example.com');
      expect(notFoundRoute).toBeUndefined();
    });
 tap.test('Route Management - support wildcard domains', async () => {
      // Create an array to store routes
      const routes: any[] = [];
      // Add a wildcard domain route
      const wildcardRoute = createHttpRoute('*.example.com', { host: 'localhost', port: 3000 });
      routes.push(wildcardRoute);
      // Find a route for a subdomain
      const foundRoute = findRouteForDomain(routes, 'test.example.com');
      expect(foundRoute).toBeDefined();
      // Find a route for a different domain (should not match)
      const notFoundRoute = findRouteForDomain(routes, 'example.org');
      expect(notFoundRoute).toBeUndefined();
    });
 tap.test('Route Helper Functions - create HTTP route', async () => {
      const route = createHttpRoute('example.com', { host: 'localhost', port: 3000 });
      expect(route.match.domains).toEqual('example.com');
      expect(route.match.ports).toEqual(80);
      expect(route.action.type).toEqual('forward');
      expect(route.action.target.host).toEqual('localhost');
      expect(route.action.target.port).toEqual(3000);
    });
 tap.test('Route Helper Functions - create HTTPS terminate route', async () => {
      const route = createHttpsTerminateRoute('example.com', { host: 'localhost', port: 3000 });
      expect(route.match.domains).toEqual('example.com');
      expect(route.match.ports).toEqual(443);
      expect(route.action.type).toEqual('forward');
      expect(route.action.target.host).toEqual('localhost');
      expect(route.action.target.port).toEqual(3000);
      expect(route.action.tls?.mode).toEqual('terminate');
      expect(route.action.tls?.certificate).toEqual('auto');
    });
 tap.test('Route Helper Functions - create complete HTTPS server', async () => {
      const routes = createCompleteHttpsServer('example.com', { host: 'localhost', port: 8443 });
      expect(routes.length).toEqual(2);
      // HTTPS route
      expect(routes[0].match.domains).toEqual('example.com');
      expect(routes[0].match.ports).toEqual(443);
      expect(routes[0].action.type).toEqual('forward');
      expect(routes[0].action.target.host).toEqual('localhost');
      expect(routes[0].action.target.port).toEqual(8443);
      expect(routes[0].action.tls?.mode).toEqual('terminate');
      // HTTP redirect route
      expect(routes[1].match.domains).toEqual('example.com');
      expect(routes[1].match.ports).toEqual(80);
      expect(routes[1].action.type).toEqual('redirect');
    });
 tap.test('Route Helper Functions - create HTTPS passthrough route', async () => {
      const route = createHttpsPassthroughRoute('example.com', { host: 'localhost', port: 443 });
      expect(route.match.domains).toEqual('example.com');
      expect(route.match.ports).toEqual(443);
      expect(route.action.type).toEqual('forward');
      expect(route.action.target.host).toEqual('localhost');
      expect(route.action.target.port).toEqual(443);
      expect(route.action.tls?.mode).toEqual('passthrough');
    });
 export default tap.start();
--- a/test/test.forwarding.unit.ts
+++ b/test/test.forwarding.unit.ts
@ -1,168 +0,0 @@
 import { tap, expect } from '@push.rocks/tapbundle';
 import * as plugins from '../ts/plugins.js';
 import type { IForwardConfig } from '../ts/forwarding/config/forwarding-types.js';
 // First, import the components directly to avoid issues with compiled modules
 import { ForwardingHandlerFactory } from '../ts/forwarding/factory/forwarding-factory.js';
 import { httpOnly, tlsTerminateToHttp, tlsTerminateToHttps, httpsPassthrough } from '../ts/forwarding/config/forwarding-types.js';
 // Import route-based helpers
 import {
  createHttpRoute,
  createHttpsTerminateRoute,
  createHttpsPassthroughRoute,
  createHttpToHttpsRedirect,
  createCompleteHttpsServer
 } from '../ts/proxies/smart-proxy/utils/route-helpers.js';
 const helpers = {
  httpOnly,
  tlsTerminateToHttp,
  tlsTerminateToHttps,
  httpsPassthrough
 };
 tap.test('ForwardingHandlerFactory - apply defaults based on type', async () => {
      // HTTP-only defaults
      const httpConfig: IForwardConfig = {
        type: 'http-only',
        target: { host: 'localhost', port: 3000 }
      };
      const expandedHttpConfig = ForwardingHandlerFactory.applyDefaults(httpConfig);
      expect(expandedHttpConfig.http?.enabled).toEqual(true);
      // HTTPS-passthrough defaults
      const passthroughConfig: IForwardConfig = {
        type: 'https-passthrough',
        target: { host: 'localhost', port: 443 }
      };
      const expandedPassthroughConfig = ForwardingHandlerFactory.applyDefaults(passthroughConfig);
      expect(expandedPassthroughConfig.https?.forwardSni).toEqual(true);
      expect(expandedPassthroughConfig.http?.enabled).toEqual(false);
      // HTTPS-terminate-to-http defaults
      const terminateToHttpConfig: IForwardConfig = {
        type: 'https-terminate-to-http',
        target: { host: 'localhost', port: 3000 }
      };
      const expandedTerminateToHttpConfig = ForwardingHandlerFactory.applyDefaults(terminateToHttpConfig);
      expect(expandedTerminateToHttpConfig.http?.enabled).toEqual(true);
      expect(expandedTerminateToHttpConfig.http?.redirectToHttps).toEqual(true);
      expect(expandedTerminateToHttpConfig.acme?.enabled).toEqual(true);
      expect(expandedTerminateToHttpConfig.acme?.maintenance).toEqual(true);
      // HTTPS-terminate-to-https defaults
      const terminateToHttpsConfig: IForwardConfig = {
        type: 'https-terminate-to-https',
        target: { host: 'localhost', port: 8443 }
      };
      const expandedTerminateToHttpsConfig = ForwardingHandlerFactory.applyDefaults(terminateToHttpsConfig);
      expect(expandedTerminateToHttpsConfig.http?.enabled).toEqual(true);
      expect(expandedTerminateToHttpsConfig.http?.redirectToHttps).toEqual(true);
      expect(expandedTerminateToHttpsConfig.acme?.enabled).toEqual(true);
      expect(expandedTerminateToHttpsConfig.acme?.maintenance).toEqual(true);
    });
 tap.test('ForwardingHandlerFactory - validate configuration', async () => {
      // Valid configuration
      const validConfig: IForwardConfig = {
        type: 'http-only',
        target: { host: 'localhost', port: 3000 }
      };
      expect(() => ForwardingHandlerFactory.validateConfig(validConfig)).not.toThrow();
      // Invalid configuration - missing target
      const invalidConfig1: any = {
        type: 'http-only'
      };
      expect(() => ForwardingHandlerFactory.validateConfig(invalidConfig1)).toThrow();
      // Invalid configuration - invalid port
      const invalidConfig2: IForwardConfig = {
        type: 'http-only',
        target: { host: 'localhost', port: 0 }
      };
      expect(() => ForwardingHandlerFactory.validateConfig(invalidConfig2)).toThrow();
      // Invalid configuration - HTTP disabled for HTTP-only
      const invalidConfig3: IForwardConfig = {
        type: 'http-only',
        target: { host: 'localhost', port: 3000 },
        http: { enabled: false }
      };
      expect(() => ForwardingHandlerFactory.validateConfig(invalidConfig3)).toThrow();
      // Invalid configuration - HTTP enabled for HTTPS passthrough
      const invalidConfig4: IForwardConfig = {
        type: 'https-passthrough',
        target: { host: 'localhost', port: 443 },
        http: { enabled: true }
      };
      expect(() => ForwardingHandlerFactory.validateConfig(invalidConfig4)).toThrow();
    });
 tap.test('Route Helper - create HTTP route configuration', async () => {
      // Create a route-based configuration
      const route = createHttpRoute('example.com', { host: 'localhost', port: 3000 });
      // Verify route properties
      expect(route.match.domains).toEqual('example.com');
      expect(route.action.type).toEqual('forward');
      expect(route.action.target?.host).toEqual('localhost');
      expect(route.action.target?.port).toEqual(3000);
    });
 tap.test('Route Helper Functions - create HTTP route', async () => {
      const route = createHttpRoute('example.com', { host: 'localhost', port: 3000 });
      expect(route.match.domains).toEqual('example.com');
      expect(route.match.ports).toEqual(80);
      expect(route.action.type).toEqual('forward');
      expect(route.action.target.host).toEqual('localhost');
      expect(route.action.target.port).toEqual(3000);
    });
 tap.test('Route Helper Functions - create HTTPS terminate route', async () => {
      const route = createHttpsTerminateRoute('example.com', { host: 'localhost', port: 3000 });
      expect(route.match.domains).toEqual('example.com');
      expect(route.match.ports).toEqual(443);
      expect(route.action.type).toEqual('forward');
      expect(route.action.target.host).toEqual('localhost');
      expect(route.action.target.port).toEqual(3000);
      expect(route.action.tls?.mode).toEqual('terminate');
      expect(route.action.tls?.certificate).toEqual('auto');
    });
 tap.test('Route Helper Functions - create complete HTTPS server', async () => {
      const routes = createCompleteHttpsServer('example.com', { host: 'localhost', port: 8443 });
      expect(routes.length).toEqual(2);
      // HTTPS route
      expect(routes[0].match.domains).toEqual('example.com');
      expect(routes[0].match.ports).toEqual(443);
      expect(routes[0].action.type).toEqual('forward');
      expect(routes[0].action.target.host).toEqual('localhost');
      expect(routes[0].action.target.port).toEqual(8443);
      expect(routes[0].action.tls?.mode).toEqual('terminate');
      // HTTP redirect route
      expect(routes[1].match.domains).toEqual('example.com');
      expect(routes[1].match.ports).toEqual(80);
      expect(routes[1].action.type).toEqual('redirect');
    });
 tap.test('Route Helper Functions - create HTTPS passthrough route', async () => {
      const route = createHttpsPassthroughRoute('example.com', { host: 'localhost', port: 443 });
      expect(route.match.domains).toEqual('example.com');
      expect(route.match.ports).toEqual(443);
      expect(route.action.type).toEqual('forward');
      expect(route.action.target.host).toEqual('localhost');
      expect(route.action.target.port).toEqual(443);
      expect(route.action.tls?.mode).toEqual('passthrough');
    });
 export default tap.start();
--- a/test/test.networkproxy.ts
+++ b/test/test.networkproxy.ts
@ -1,578 +0,0 @@
 import { expect, tap } from '@push.rocks/tapbundle';
 import * as smartproxy from '../ts/index.js';
 import { loadTestCertificates } from './helpers/certificates.js';
 import * as https from 'https';
 import * as http from 'http';
 import { WebSocket, WebSocketServer } from 'ws';
 let testProxy: smartproxy.NetworkProxy;
 let testServer: http.Server;
 let wsServer: WebSocketServer;
 let testCertificates: { privateKey: string; publicKey: string };
 // Helper function to make HTTPS requests
 async function makeHttpsRequest(
  options: https.RequestOptions,
 ): Promise<{ statusCode: number; headers: http.IncomingHttpHeaders; body: string }> {
  console.log('[TEST] Making HTTPS request:', {
    hostname: options.hostname,
    port: options.port,
    path: options.path,
    method: options.method,
    headers: options.headers,
  });
  return new Promise((resolve, reject) => {
    const req = https.request(options, (res) => {
      console.log('[TEST] Received HTTPS response:', {
        statusCode: res.statusCode,
        headers: res.headers,
      });
      let data = '';
      res.on('data', (chunk) => (data += chunk));
      res.on('end', () => {
        console.log('[TEST] Response completed:', { data });
        resolve({
          statusCode: res.statusCode!,
          headers: res.headers,
          body: data,
        });
      });
    });
    req.on('error', (error) => {
      console.error('[TEST] Request error:', error);
      reject(error);
    });
    req.end();
  });
 }
 // Setup test environment
 tap.test('setup test environment', async () => {
  // Load and validate certificates
  console.log('[TEST] Loading and validating certificates');
  testCertificates = loadTestCertificates();
  console.log('[TEST] Certificates loaded and validated');
  // Create a test HTTP server
  testServer = http.createServer((req, res) => {
    console.log('[TEST SERVER] Received HTTP request:', {
      url: req.url,
      method: req.method,
      headers: req.headers,
    });
    res.writeHead(200, { 'Content-Type': 'text/plain' });
    res.end('Hello from test server!');
  });
  // Handle WebSocket upgrade requests
  testServer.on('upgrade', (request, socket, head) => {
    console.log('[TEST SERVER] Received WebSocket upgrade request:', {
      url: request.url,
      method: request.method,
      headers: {
        host: request.headers.host,
        upgrade: request.headers.upgrade,
        connection: request.headers.connection,
        'sec-websocket-key': request.headers['sec-websocket-key'],
        'sec-websocket-version': request.headers['sec-websocket-version'],
        'sec-websocket-protocol': request.headers['sec-websocket-protocol'],
      },
    });
    if (request.headers.upgrade?.toLowerCase() !== 'websocket') {
      console.log('[TEST SERVER] Not a WebSocket upgrade request');
      socket.destroy();
      return;
    }
    console.log('[TEST SERVER] Handling WebSocket upgrade');
    wsServer.handleUpgrade(request, socket, head, (ws) => {
      console.log('[TEST SERVER] WebSocket connection upgraded');
      wsServer.emit('connection', ws, request);
    });
  });
  // Create a WebSocket server (for the test HTTP server)
  console.log('[TEST SERVER] Creating WebSocket server');
  wsServer = new WebSocketServer({
    noServer: true,
    perMessageDeflate: false,
    clientTracking: true,
    handleProtocols: () => 'echo-protocol',
  });
  wsServer.on('connection', (ws, request) => {
    console.log('[TEST SERVER] WebSocket connection established:', {
      url: request.url,
      headers: {
        host: request.headers.host,
        upgrade: request.headers.upgrade,
        connection: request.headers.connection,
        'sec-websocket-key': request.headers['sec-websocket-key'],
        'sec-websocket-version': request.headers['sec-websocket-version'],
        'sec-websocket-protocol': request.headers['sec-websocket-protocol'],
      },
    });
    // Set up connection timeout
    const connectionTimeout = setTimeout(() => {
      console.error('[TEST SERVER] WebSocket connection timed out');
      ws.terminate();
    }, 5000);
    // Clear timeout when connection is properly closed
    const clearConnectionTimeout = () => {
      clearTimeout(connectionTimeout);
    };
    ws.on('message', (message) => {
      const msg = message.toString();
      console.log('[TEST SERVER] Received message:', msg);
      try {
        const response = `Echo: ${msg}`;
        console.log('[TEST SERVER] Sending response:', response);
        ws.send(response);
        // Clear timeout on successful message exchange
        clearConnectionTimeout();
      } catch (error) {
        console.error('[TEST SERVER] Error sending message:', error);
      }
    });
    ws.on('error', (error) => {
      console.error('[TEST SERVER] WebSocket error:', error);
      clearConnectionTimeout();
    });
    ws.on('close', (code, reason) => {
      console.log('[TEST SERVER] WebSocket connection closed:', {
        code,
        reason: reason.toString(),
        wasClean: code === 1000 || code === 1001,
      });
      clearConnectionTimeout();
    });
    ws.on('ping', (data) => {
      try {
        console.log('[TEST SERVER] Received ping, sending pong');
        ws.pong(data);
      } catch (error) {
        console.error('[TEST SERVER] Error sending pong:', error);
      }
    });
    ws.on('pong', (data) => {
      console.log('[TEST SERVER] Received pong');
    });
  });
  wsServer.on('error', (error) => {
    console.error('Test server: WebSocket server error:', error);
  });
  wsServer.on('headers', (headers) => {
    console.log('Test server: WebSocket headers:', headers);
  });
  wsServer.on('close', () => {
    console.log('Test server: WebSocket server closed');
  });
  await new Promise<void>((resolve) => testServer.listen(3000, resolve));
  console.log('Test server listening on port 3000');
 });
 tap.test('should create proxy instance', async () => {
  // Test with the original minimal options (only port)
  testProxy = new smartproxy.NetworkProxy({
    port: 3001,
  });
  expect(testProxy).toEqual(testProxy); // Instance equality check
 });
 tap.test('should create proxy instance with extended options', async () => {
  // Test with extended options to verify backward compatibility
  testProxy = new smartproxy.NetworkProxy({
    port: 3001,
    maxConnections: 5000,
    keepAliveTimeout: 120000,
    headersTimeout: 60000,
    logLevel: 'info',
    cors: {
      allowOrigin: '*',
      allowMethods: 'GET, POST, OPTIONS',
      allowHeaders: 'Content-Type',
      maxAge: 3600
    }
  });
  expect(testProxy).toEqual(testProxy); // Instance equality check
  expect(testProxy.options.port).toEqual(3001);
 });
 tap.test('should start the proxy server', async () => {
  // Ensure any previous server is closed
  if (testProxy && testProxy.httpsServer) {
    await new Promise<void>((resolve) =>
      testProxy.httpsServer.close(() => resolve())
    );
  }
  console.log('[TEST] Starting the proxy server');
  await testProxy.start();
  console.log('[TEST] Proxy server started');
  // Configure proxy with test certificates
  // Awaiting the update ensures that the SNI context is added before any requests come in.
  await testProxy.updateProxyConfigs([
    {
      destinationIps: ['127.0.0.1'],
      destinationPorts: [3000],
      hostName: 'push.rocks',
      publicKey: testCertificates.publicKey,
      privateKey: testCertificates.privateKey,
    },
  ]);
  console.log('[TEST] Proxy configuration updated');
 });
 tap.test('should route HTTPS requests based on host header', async () => {
  // IMPORTANT: Connect to localhost (where the proxy is listening) but use the Host header "push.rocks"
  const response = await makeHttpsRequest({
    hostname: 'localhost', // changed from 'push.rocks' to 'localhost'
    port: 3001,
    path: '/',
    method: 'GET',
    headers: {
      host: 'push.rocks', // virtual host for routing
    },
    rejectUnauthorized: false,
  });
  expect(response.statusCode).toEqual(200);
  expect(response.body).toEqual('Hello from test server!');
 });
 tap.test('should handle unknown host headers', async () => {
  // Connect to localhost but use an unknown host header.
  const response = await makeHttpsRequest({
    hostname: 'localhost', // connecting to localhost
    port: 3001,
    path: '/',
    method: 'GET',
    headers: {
      host: 'unknown.host', // this should not match any proxy config
    },
    rejectUnauthorized: false,
  });
  // Expect a 404 response with the appropriate error message.
  expect(response.statusCode).toEqual(404);
 });
 tap.test('should support WebSocket connections', async () => {
  console.log('\n[TEST] ====== WebSocket Test Started ======');
  console.log('[TEST] Test server port:', 3000);
  console.log('[TEST] Proxy server port:', 3001);
  console.log('\n[TEST] Starting WebSocket test');
  // Reconfigure proxy with test certificates if necessary
  await testProxy.updateProxyConfigs([
    {
      destinationIps: ['127.0.0.1'],
      destinationPorts: [3000],
      hostName: 'push.rocks',
      publicKey: testCertificates.publicKey,
      privateKey: testCertificates.privateKey,
    },
  ]);
  return new Promise<void>((resolve, reject) => {
    console.log('[TEST] Creating WebSocket client');
    // IMPORTANT: Connect to localhost but specify the SNI servername and Host header as "push.rocks"
    const wsUrl = 'wss://localhost:3001'; // changed from 'wss://push.rocks:3001'
    console.log('[TEST] Creating WebSocket connection to:', wsUrl);
    const ws = new WebSocket(wsUrl, {
      rejectUnauthorized: false, // Accept self-signed certificates
      handshakeTimeout: 5000,
      perMessageDeflate: false,
      headers: {
        Host: 'push.rocks', // required for SNI and routing on the proxy
        Connection: 'Upgrade',
        Upgrade: 'websocket',
        'Sec-WebSocket-Version': '13',
      },
      protocol: 'echo-protocol',
      agent: new https.Agent({
        rejectUnauthorized: false, // Also needed for the underlying HTTPS connection
      }),
    });
    console.log('[TEST] WebSocket client created');
    let resolved = false;
    const cleanup = () => {
      if (!resolved) {
        resolved = true;
        try {
          console.log('[TEST] Cleaning up WebSocket connection');
          ws.close();
          resolve();
        } catch (error) {
          console.error('[TEST] Error during cleanup:', error);
          reject(error);
        }
      }
    };
    const timeout = setTimeout(() => {
      console.error('[TEST] WebSocket test timed out');
      cleanup();
      reject(new Error('WebSocket test timed out after 5 seconds'));
    }, 5000);
    // Connection establishment events
    ws.on('upgrade', (response) => {
      console.log('[TEST] WebSocket upgrade response received:', {
        headers: response.headers,
        statusCode: response.statusCode,
      });
    });
    ws.on('open', () => {
      console.log('[TEST] WebSocket connection opened');
      try {
        console.log('[TEST] Sending test message');
        ws.send('Hello WebSocket');
      } catch (error) {
        console.error('[TEST] Error sending message:', error);
        cleanup();
        reject(error);
      }
    });
    ws.on('message', (message) => {
      console.log('[TEST] Received message:', message.toString());
      if (
        message.toString() === 'Hello WebSocket' ||
        message.toString() === 'Echo: Hello WebSocket'
      ) {
        console.log('[TEST] Message received correctly');
        clearTimeout(timeout);
        cleanup();
      }
    });
    ws.on('error', (error) => {
      console.error('[TEST] WebSocket error:', error);
      cleanup();
      reject(error);
    });
    ws.on('close', (code, reason) => {
      console.log('[TEST] WebSocket connection closed:', {
        code,
        reason: reason.toString(),
      });
      cleanup();
    });
  });
 });
 tap.test('should handle custom headers', async () => {
  await testProxy.addDefaultHeaders({
    'X-Proxy-Header': 'test-value',
  });
  const response = await makeHttpsRequest({
    hostname: 'localhost', // changed to 'localhost'
    port: 3001,
    path: '/',
    method: 'GET',
    headers: {
      host: 'push.rocks', // still routing to push.rocks
    },
    rejectUnauthorized: false,
  });
  expect(response.headers['x-proxy-header']).toEqual('test-value');
 });
 tap.test('should handle CORS preflight requests', async () => {
  try {
    console.log('[TEST] Testing CORS preflight handling...');
    // First ensure the existing proxy is working correctly
    console.log('[TEST] Making initial GET request to verify server');
    const initialResponse = await makeHttpsRequest({
      hostname: 'localhost',
      port: 3001,
      path: '/',
      method: 'GET',
      headers: { host: 'push.rocks' },
      rejectUnauthorized: false,
    });
    console.log('[TEST] Initial response status:', initialResponse.statusCode);
    expect(initialResponse.statusCode).toEqual(200);
    // Add CORS headers to the existing proxy
    console.log('[TEST] Adding CORS headers');
    await testProxy.addDefaultHeaders({
      'Access-Control-Allow-Origin': '*',
      'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
      'Access-Control-Allow-Headers': 'Content-Type, Authorization',
      'Access-Control-Max-Age': '86400'
    });
    // Allow server to process the header changes
    console.log('[TEST] Waiting for headers to be processed');
    await new Promise(resolve => setTimeout(resolve, 500)); // Increased timeout
    // Send OPTIONS request to simulate CORS preflight
    console.log('[TEST] Sending OPTIONS request for CORS preflight');
    const response = await makeHttpsRequest({
      hostname: 'localhost',
      port: 3001,
      path: '/',
      method: 'OPTIONS',
      headers: {
        host: 'push.rocks',
        'Access-Control-Request-Method': 'POST',
        'Access-Control-Request-Headers': 'Content-Type',
        'Origin': 'https://example.com'
      },
      rejectUnauthorized: false,
    });
    console.log('[TEST] CORS preflight response status:', response.statusCode);
    console.log('[TEST] CORS preflight response headers:', response.headers);
    // For now, accept either 204 or 200 as success
    expect([200, 204]).toContain(response.statusCode);
    console.log('[TEST] CORS test completed successfully');
  } catch (error) {
    console.error('[TEST] Error in CORS test:', error);
    throw error; // Rethrow to fail the test
  }
 });
 tap.test('should track connections and metrics', async () => {
  try {
    console.log('[TEST] Testing metrics tracking...');
    // Get initial metrics counts
    const initialRequestsServed = testProxy.requestsServed || 0;
    console.log('[TEST] Initial requests served:', initialRequestsServed);
    // Make a few requests to ensure we have metrics to check
    console.log('[TEST] Making test requests to increment metrics');
    for (let i = 0; i < 3; i++) {
      console.log(`[TEST] Making request ${i+1}/3`);
      await makeHttpsRequest({
        hostname: 'localhost',
        port: 3001,
        path: '/metrics-test-' + i,
        method: 'GET',
        headers: { host: 'push.rocks' },
        rejectUnauthorized: false,
      });
    }
    // Wait a bit to let metrics update
    console.log('[TEST] Waiting for metrics to update');
    await new Promise(resolve => setTimeout(resolve, 500)); // Increased timeout
    // Verify metrics tracking is working
    console.log('[TEST] Current requests served:', testProxy.requestsServed);
    console.log('[TEST] Connected clients:', testProxy.connectedClients);
    expect(testProxy.connectedClients).toBeDefined();
    expect(typeof testProxy.requestsServed).toEqual('number');
    // Use ">=" instead of ">" to be more forgiving with edge cases
    expect(testProxy.requestsServed).toBeGreaterThanOrEqual(initialRequestsServed + 2);
    console.log('[TEST] Metrics test completed successfully');
  } catch (error) {
    console.error('[TEST] Error in metrics test:', error);
    throw error; // Rethrow to fail the test
  }
 });
 tap.test('cleanup', async () => {
  try {
    console.log('[TEST] Starting cleanup');
    // Clean up all servers
    console.log('[TEST] Terminating WebSocket clients');
    try {
      wsServer.clients.forEach((client) => {
        try {
          client.terminate();
        } catch (err) {
          console.error('[TEST] Error terminating client:', err);
        }
      });
    } catch (err) {
      console.error('[TEST] Error accessing WebSocket clients:', err);
    }
    console.log('[TEST] Closing WebSocket server');
    try {
      await new Promise<void>((resolve) => {
        wsServer.close(() => {
          console.log('[TEST] WebSocket server closed');
          resolve();
        });
        // Add timeout to prevent hanging
        setTimeout(() => {
          console.log('[TEST] WebSocket server close timed out, continuing');
          resolve();
        }, 1000);
      });
    } catch (err) {
      console.error('[TEST] Error closing WebSocket server:', err);
    }
    console.log('[TEST] Closing test server');
    try {
      await new Promise<void>((resolve) => {
        testServer.close(() => {
          console.log('[TEST] Test server closed');
          resolve();
        });
        // Add timeout to prevent hanging
        setTimeout(() => {
          console.log('[TEST] Test server close timed out, continuing');
          resolve();
        }, 1000);
      });
    } catch (err) {
      console.error('[TEST] Error closing test server:', err);
    }
    console.log('[TEST] Stopping proxy');
    try {
      await testProxy.stop();
    } catch (err) {
      console.error('[TEST] Error stopping proxy:', err);
    }
    console.log('[TEST] Cleanup complete');
  } catch (error) {
    console.error('[TEST] Error during cleanup:', error);
    // Don't throw here - we want cleanup to always complete
  }
 });
 process.on('exit', () => {
  console.log('[TEST] Shutting down test server');
  testServer.close(() => console.log('[TEST] Test server shut down'));
  wsServer.close(() => console.log('[TEST] WebSocket server shut down'));
  testProxy.stop().then(() => console.log('[TEST] Proxy server stopped'));
 });
 export default tap.start();
--- a/test/test.route-config.ts
+++ b/test/test.route-config.ts
@ -1,600 +0,0 @@
 /**
 * Tests for the unified route-based configuration system
 */
 import { expect, tap } from '@push.rocks/tapbundle';
 // Import from core modules
 import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
 // Import route utilities and helpers
 import {
  findMatchingRoutes,
  findBestMatchingRoute,
  routeMatchesDomain,
  routeMatchesPort,
  routeMatchesPath,
  routeMatchesHeaders,
  mergeRouteConfigs,
  generateRouteId,
  cloneRoute
 } from '../ts/proxies/smart-proxy/utils/route-utils.js';
 import {
  validateRouteConfig,
  validateRoutes,
  isValidDomain,
  isValidPort,
  hasRequiredPropertiesForAction,
  assertValidRoute
 } from '../ts/proxies/smart-proxy/utils/route-validators.js';
 import {
  createHttpRoute,
  createHttpsTerminateRoute,
  createHttpsPassthroughRoute,
  createHttpToHttpsRedirect,
  createCompleteHttpsServer,
  createLoadBalancerRoute,
  createStaticFileRoute,
  createApiRoute,
  createWebSocketRoute
 } from '../ts/proxies/smart-proxy/utils/route-helpers.js';
 // Import test helpers
 import { loadTestCertificates } from './helpers/certificates.js';
 import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
 // --------------------------------- Route Creation Tests ---------------------------------
 tap.test('Routes: Should create basic HTTP route', async () => {
  // Create a simple HTTP route
  const httpRoute = createHttpRoute('example.com', { host: 'localhost', port: 3000 }, {
    name: 'Basic HTTP Route'
  });
  // Validate the route configuration
  expect(httpRoute.match.ports).toEqual(80);
  expect(httpRoute.match.domains).toEqual('example.com');
  expect(httpRoute.action.type).toEqual('forward');
  expect(httpRoute.action.target?.host).toEqual('localhost');
  expect(httpRoute.action.target?.port).toEqual(3000);
  expect(httpRoute.name).toEqual('Basic HTTP Route');
 });
 tap.test('Routes: Should create HTTPS route with TLS termination', async () => {
  // Create an HTTPS route with TLS termination
  const httpsRoute = createHttpsTerminateRoute('secure.example.com', { host: 'localhost', port: 8080 }, {
    certificate: 'auto',
    name: 'HTTPS Route'
  });
  // Validate the route configuration
  expect(httpsRoute.match.ports).toEqual(443); // Default HTTPS port
  expect(httpsRoute.match.domains).toEqual('secure.example.com');
  expect(httpsRoute.action.type).toEqual('forward');
  expect(httpsRoute.action.tls?.mode).toEqual('terminate');
  expect(httpsRoute.action.tls?.certificate).toEqual('auto');
  expect(httpsRoute.action.target?.host).toEqual('localhost');
  expect(httpsRoute.action.target?.port).toEqual(8080);
  expect(httpsRoute.name).toEqual('HTTPS Route');
 });
 tap.test('Routes: Should create HTTP to HTTPS redirect', async () => {
  // Create an HTTP to HTTPS redirect
  const redirectRoute = createHttpToHttpsRedirect('example.com', 443, {
    status: 301
  });
  // Validate the route configuration
  expect(redirectRoute.match.ports).toEqual(80);
  expect(redirectRoute.match.domains).toEqual('example.com');
  expect(redirectRoute.action.type).toEqual('redirect');
  expect(redirectRoute.action.redirect?.to).toEqual('https://{domain}:443{path}');
  expect(redirectRoute.action.redirect?.status).toEqual(301);
 });
 tap.test('Routes: Should create complete HTTPS server with redirects', async () => {
  // Create a complete HTTPS server setup
  const routes = createCompleteHttpsServer('example.com', { host: 'localhost', port: 8080 }, {
    certificate: 'auto'
  });
  // Validate that we got two routes (HTTPS route and HTTP redirect)
  expect(routes.length).toEqual(2);
  // Validate HTTPS route
  const httpsRoute = routes[0];
  expect(httpsRoute.match.ports).toEqual(443);
  expect(httpsRoute.match.domains).toEqual('example.com');
  expect(httpsRoute.action.type).toEqual('forward');
  expect(httpsRoute.action.tls?.mode).toEqual('terminate');
  // Validate HTTP redirect route
  const redirectRoute = routes[1];
  expect(redirectRoute.match.ports).toEqual(80);
  expect(redirectRoute.action.type).toEqual('redirect');
  expect(redirectRoute.action.redirect?.to).toEqual('https://{domain}:443{path}');
 });
 tap.test('Routes: Should create load balancer route', async () => {
  // Create a load balancer route
  const lbRoute = createLoadBalancerRoute(
    'app.example.com',
    ['10.0.0.1', '10.0.0.2', '10.0.0.3'],
    8080,
    {
      tls: {
        mode: 'terminate',
        certificate: 'auto'
      },
      name: 'Load Balanced Route'
    }
  );
  // Validate the route configuration
  expect(lbRoute.match.domains).toEqual('app.example.com');
  expect(lbRoute.action.type).toEqual('forward');
  expect(Array.isArray(lbRoute.action.target?.host)).toBeTrue();
  expect((lbRoute.action.target?.host as string[]).length).toEqual(3);
  expect((lbRoute.action.target?.host as string[])[0]).toEqual('10.0.0.1');
  expect(lbRoute.action.target?.port).toEqual(8080);
  expect(lbRoute.action.tls?.mode).toEqual('terminate');
 });
 tap.test('Routes: Should create API route with CORS', async () => {
  // Create an API route with CORS headers
  const apiRoute = createApiRoute('api.example.com', '/v1', { host: 'localhost', port: 3000 }, {
    useTls: true,
    certificate: 'auto',
    addCorsHeaders: true,
    name: 'API Route'
  });
  // Validate the route configuration
  expect(apiRoute.match.domains).toEqual('api.example.com');
  expect(apiRoute.match.path).toEqual('/v1/*');
  expect(apiRoute.action.type).toEqual('forward');
  expect(apiRoute.action.tls?.mode).toEqual('terminate');
  expect(apiRoute.action.target?.host).toEqual('localhost');
  expect(apiRoute.action.target?.port).toEqual(3000);
  // Check CORS headers
  expect(apiRoute.headers).toBeDefined();
  if (apiRoute.headers?.response) {
    expect(apiRoute.headers.response['Access-Control-Allow-Origin']).toEqual('*');
    expect(apiRoute.headers.response['Access-Control-Allow-Methods']).toInclude('GET');
  }
 });
 tap.test('Routes: Should create WebSocket route', async () => {
  // Create a WebSocket route
  const wsRoute = createWebSocketRoute('ws.example.com', '/socket', { host: 'localhost', port: 5000 }, {
    useTls: true,
    certificate: 'auto',
    pingInterval: 15000,
    name: 'WebSocket Route'
  });
  // Validate the route configuration
  expect(wsRoute.match.domains).toEqual('ws.example.com');
  expect(wsRoute.match.path).toEqual('/socket');
  expect(wsRoute.action.type).toEqual('forward');
  expect(wsRoute.action.tls?.mode).toEqual('terminate');
  expect(wsRoute.action.target?.host).toEqual('localhost');
  expect(wsRoute.action.target?.port).toEqual(5000);
  // Check WebSocket configuration
  expect(wsRoute.action.websocket).toBeDefined();
  if (wsRoute.action.websocket) {
    expect(wsRoute.action.websocket.enabled).toBeTrue();
    expect(wsRoute.action.websocket.pingInterval).toEqual(15000);
  }
 });
 tap.test('Routes: Should create static file route', async () => {
  // Create a static file route
  const staticRoute = createStaticFileRoute('static.example.com', '/var/www/html', {
    serveOnHttps: true,
    certificate: 'auto',
    indexFiles: ['index.html', 'index.htm', 'default.html'],
    name: 'Static File Route'
  });
  // Validate the route configuration
  expect(staticRoute.match.domains).toEqual('static.example.com');
  expect(staticRoute.action.type).toEqual('static');
  expect(staticRoute.action.static?.root).toEqual('/var/www/html');
  expect(staticRoute.action.static?.index).toBeInstanceOf(Array);
  expect(staticRoute.action.static?.index).toInclude('index.html');
  expect(staticRoute.action.static?.index).toInclude('default.html');
  expect(staticRoute.action.tls?.mode).toEqual('terminate');
 });
 tap.test('SmartProxy: Should create instance with route-based config', async () => {
  // Create TLS certificates for testing
  const certs = loadTestCertificates();
  // Create a SmartProxy instance with route-based configuration
  const proxy = new SmartProxy({
    routes: [
      createHttpRoute('example.com', { host: 'localhost', port: 3000 }, {
        name: 'HTTP Route'
      }),
      createHttpsTerminateRoute('secure.example.com', { host: 'localhost', port: 8443 }, {
        certificate: {
          key: certs.privateKey,
          cert: certs.publicKey
        },
        name: 'HTTPS Route'
      })
    ],
    defaults: {
      target: {
        host: 'localhost',
        port: 8080
      },
      security: {
        allowedIps: ['127.0.0.1', '192.168.0.*'],
        maxConnections: 100
      }
    },
    // Additional settings
    initialDataTimeout: 10000,
    inactivityTimeout: 300000,
    enableDetailedLogging: true
  });
  // Simply verify the instance was created successfully
  expect(typeof proxy).toEqual('object');
  expect(typeof proxy.start).toEqual('function');
  expect(typeof proxy.stop).toEqual('function');
 });
 // --------------------------------- Edge Case Tests ---------------------------------
 tap.test('Edge Case - Empty Routes Array', async () => {
  // Attempting to find routes in an empty array
  const emptyRoutes: IRouteConfig[] = [];
  const matches = findMatchingRoutes(emptyRoutes, { domain: 'example.com', port: 80 });
  expect(matches).toBeInstanceOf(Array);
  expect(matches.length).toEqual(0);
  const bestMatch = findBestMatchingRoute(emptyRoutes, { domain: 'example.com', port: 80 });
  expect(bestMatch).toBeUndefined();
 });
 tap.test('Edge Case - Multiple Matching Routes with Same Priority', async () => {
  // Create multiple routes with identical priority but different targets
  const route1 = createHttpRoute('example.com', { host: 'server1', port: 3000 });
  const route2 = createHttpRoute('example.com', { host: 'server2', port: 3000 });
  const route3 = createHttpRoute('example.com', { host: 'server3', port: 3000 });
  // Set all to the same priority
  route1.priority = 100;
  route2.priority = 100;
  route3.priority = 100;
  const routes = [route1, route2, route3];
  // Find matching routes
  const matches = findMatchingRoutes(routes, { domain: 'example.com', port: 80 });
  // Should find all three routes
  expect(matches.length).toEqual(3);
  // First match could be any of the routes since they have the same priority
  // But the implementation should be consistent (likely keep the original order)
  const bestMatch = findBestMatchingRoute(routes, { domain: 'example.com', port: 80 });
  expect(bestMatch).not.toBeUndefined();
 });
 tap.test('Edge Case - Wildcard Domains and Path Matching', async () => {
  // Create routes with wildcard domains and path patterns
  const wildcardApiRoute = createApiRoute('*.example.com', '/api', { host: 'api-server', port: 3000 }, {
    useTls: true,
    certificate: 'auto'
  });
  const exactApiRoute = createApiRoute('api.example.com', '/api', { host: 'specific-api-server', port: 3001 }, {
    useTls: true,
    certificate: 'auto',
    priority: 200 // Higher priority
  });
  const routes = [wildcardApiRoute, exactApiRoute];
  // Test with a specific subdomain that matches both routes
  const matches = findMatchingRoutes(routes, { domain: 'api.example.com', path: '/api/users', port: 443 });
  // Should match both routes
  expect(matches.length).toEqual(2);
  // The exact domain match should have higher priority
  const bestMatch = findBestMatchingRoute(routes, { domain: 'api.example.com', path: '/api/users', port: 443 });
  expect(bestMatch).not.toBeUndefined();
  if (bestMatch) {
    expect(bestMatch.action.target.port).toEqual(3001); // Should match the exact domain route
  }
  // Test with a different subdomain - should only match the wildcard route
  const otherMatches = findMatchingRoutes(routes, { domain: 'other.example.com', path: '/api/products', port: 443 });
  expect(otherMatches.length).toEqual(1);
  expect(otherMatches[0].action.target.port).toEqual(3000); // Should match the wildcard domain route
 });
 tap.test('Edge Case - Disabled Routes', async () => {
  // Create enabled and disabled routes
  const enabledRoute = createHttpRoute('example.com', { host: 'server1', port: 3000 });
  const disabledRoute = createHttpRoute('example.com', { host: 'server2', port: 3001 });
  disabledRoute.enabled = false;
  const routes = [enabledRoute, disabledRoute];
  // Find matching routes
  const matches = findMatchingRoutes(routes, { domain: 'example.com', port: 80 });
  // Should only find the enabled route
  expect(matches.length).toEqual(1);
  expect(matches[0].action.target.port).toEqual(3000);
 });
 tap.test('Edge Case - Complex Path and Headers Matching', async () => {
  // Create route with complex path and headers matching
  const complexRoute: IRouteConfig = {
    match: {
      domains: 'api.example.com',
      ports: 443,
      path: '/api/v2/*',
      headers: {
        'Content-Type': 'application/json',
        'X-API-Key': 'valid-key'
      }
    },
    action: {
      type: 'forward',
      target: {
        host: 'internal-api',
        port: 8080
      },
      tls: {
        mode: 'terminate',
        certificate: 'auto'
      }
    },
    name: 'Complex API Route'
  };
  // Test with matching criteria
  const matchingPath = routeMatchesPath(complexRoute, '/api/v2/users');
  expect(matchingPath).toBeTrue();
  const matchingHeaders = routeMatchesHeaders(complexRoute, {
    'Content-Type': 'application/json',
    'X-API-Key': 'valid-key',
    'Accept': 'application/json'
  });
  expect(matchingHeaders).toBeTrue();
  // Test with non-matching criteria
  const nonMatchingPath = routeMatchesPath(complexRoute, '/api/v1/users');
  expect(nonMatchingPath).toBeFalse();
  const nonMatchingHeaders = routeMatchesHeaders(complexRoute, {
    'Content-Type': 'application/json',
    'X-API-Key': 'invalid-key'
  });
  expect(nonMatchingHeaders).toBeFalse();
 });
 tap.test('Edge Case - Port Range Matching', async () => {
  // Create route with port range matching
  const portRangeRoute: IRouteConfig = {
    match: {
      domains: 'example.com',
      ports: [{ from: 8000, to: 9000 }]
    },
    action: {
      type: 'forward',
      target: {
        host: 'backend',
        port: 3000
      }
    },
    name: 'Port Range Route'
  };
  // Test with ports in the range
  expect(routeMatchesPort(portRangeRoute, 8000)).toBeTrue(); // Lower bound
  expect(routeMatchesPort(portRangeRoute, 8500)).toBeTrue(); // Middle
  expect(routeMatchesPort(portRangeRoute, 9000)).toBeTrue(); // Upper bound
  // Test with ports outside the range
  expect(routeMatchesPort(portRangeRoute, 7999)).toBeFalse(); // Just below
  expect(routeMatchesPort(portRangeRoute, 9001)).toBeFalse(); // Just above
  // Test with multiple port ranges
  const multiRangeRoute: IRouteConfig = {
    match: {
      domains: 'example.com',
      ports: [
        { from: 80, to: 90 },
        { from: 8000, to: 9000 }
      ]
    },
    action: {
      type: 'forward',
      target: {
        host: 'backend',
        port: 3000
      }
    },
    name: 'Multi Range Route'
  };
  expect(routeMatchesPort(multiRangeRoute, 85)).toBeTrue();
  expect(routeMatchesPort(multiRangeRoute, 8500)).toBeTrue();
  expect(routeMatchesPort(multiRangeRoute, 100)).toBeFalse();
 });
 // --------------------------------- Wildcard Domain Tests ---------------------------------
 tap.test('Wildcard Domain Handling', async () => {
  // Create routes with different wildcard patterns
  const simpleDomainRoute = createHttpRoute('example.com', { host: 'server1', port: 3000 });
  const wildcardSubdomainRoute = createHttpRoute('*.example.com', { host: 'server2', port: 3001 });
  const specificSubdomainRoute = createHttpRoute('api.example.com', { host: 'server3', port: 3002 });
  // Set explicit priorities to ensure deterministic matching
  specificSubdomainRoute.priority = 200; // Highest priority for specific domain
  wildcardSubdomainRoute.priority = 100; // Medium priority for wildcard
  simpleDomainRoute.priority = 50;       // Lowest priority for generic domain
  const routes = [simpleDomainRoute, wildcardSubdomainRoute, specificSubdomainRoute];
  // Test exact domain match
  expect(routeMatchesDomain(simpleDomainRoute, 'example.com')).toBeTrue();
  expect(routeMatchesDomain(simpleDomainRoute, 'sub.example.com')).toBeFalse();
  // Test wildcard subdomain match
  expect(routeMatchesDomain(wildcardSubdomainRoute, 'any.example.com')).toBeTrue();
  expect(routeMatchesDomain(wildcardSubdomainRoute, 'nested.sub.example.com')).toBeTrue();
  expect(routeMatchesDomain(wildcardSubdomainRoute, 'example.com')).toBeFalse();
  // Test specific subdomain match
  expect(routeMatchesDomain(specificSubdomainRoute, 'api.example.com')).toBeTrue();
  expect(routeMatchesDomain(specificSubdomainRoute, 'other.example.com')).toBeFalse();
  expect(routeMatchesDomain(specificSubdomainRoute, 'sub.api.example.com')).toBeFalse();
  // Test finding best match when multiple domains match
  const specificSubdomainRequest = { domain: 'api.example.com', port: 80 };
  const bestSpecificMatch = findBestMatchingRoute(routes, specificSubdomainRequest);
  expect(bestSpecificMatch).not.toBeUndefined();
  if (bestSpecificMatch) {
    // Find which route was matched
    const matchedPort = bestSpecificMatch.action.target.port;
    console.log(`Matched route with port: ${matchedPort}`);
    // Verify it's the specific subdomain route (with highest priority)
    expect(bestSpecificMatch.priority).toEqual(200);
  }
  // Test with a subdomain that matches wildcard but not specific
  const otherSubdomainRequest = { domain: 'other.example.com', port: 80 };
  const bestWildcardMatch = findBestMatchingRoute(routes, otherSubdomainRequest);
  expect(bestWildcardMatch).not.toBeUndefined();
  if (bestWildcardMatch) {
    // Find which route was matched
    const matchedPort = bestWildcardMatch.action.target.port;
    console.log(`Matched route with port: ${matchedPort}`);
    // Verify it's the wildcard subdomain route (with medium priority)
    expect(bestWildcardMatch.priority).toEqual(100);
  }
 });
 // --------------------------------- Integration Tests ---------------------------------
 tap.test('Route Integration - Combining Multiple Route Types', async () => {
  // Create a comprehensive set of routes for a full application
  const routes: IRouteConfig[] = [
    // Main website with HTTPS and HTTP redirect
    ...createCompleteHttpsServer('example.com', { host: 'web-server', port: 8080 }, {
      certificate: 'auto'
    }),
    // API endpoints
    createApiRoute('api.example.com', '/v1', { host: 'api-server', port: 3000 }, {
      useTls: true,
      certificate: 'auto',
      addCorsHeaders: true
    }),
    // WebSocket for real-time updates
    createWebSocketRoute('ws.example.com', '/live', { host: 'websocket-server', port: 5000 }, {
      useTls: true,
      certificate: 'auto'
    }),
    // Static assets
    createStaticFileRoute('static.example.com', '/var/www/assets', {
      serveOnHttps: true,
      certificate: 'auto'
    }),
    // Legacy system with passthrough
    createHttpsPassthroughRoute('legacy.example.com', { host: 'legacy-server', port: 443 })
  ];
  // Validate all routes
  const validationResult = validateRoutes(routes);
  expect(validationResult.valid).toBeTrue();
  expect(validationResult.errors.length).toEqual(0);
  // Test route matching for different endpoints
  // Web server (HTTPS)
  const webServerMatch = findBestMatchingRoute(routes, { domain: 'example.com', port: 443 });
  expect(webServerMatch).not.toBeUndefined();
  if (webServerMatch) {
    expect(webServerMatch.action.type).toEqual('forward');
    expect(webServerMatch.action.target.host).toEqual('web-server');
  }
  // Web server (HTTP redirect)
  const webRedirectMatch = findBestMatchingRoute(routes, { domain: 'example.com', port: 80 });
  expect(webRedirectMatch).not.toBeUndefined();
  if (webRedirectMatch) {
    expect(webRedirectMatch.action.type).toEqual('redirect');
  }
  // API server
  const apiMatch = findBestMatchingRoute(routes, { 
    domain: 'api.example.com', 
    port: 443,
    path: '/v1/users'
  });
  expect(apiMatch).not.toBeUndefined();
  if (apiMatch) {
    expect(apiMatch.action.type).toEqual('forward');
    expect(apiMatch.action.target.host).toEqual('api-server');
  }
  // WebSocket server
  const wsMatch = findBestMatchingRoute(routes, { 
    domain: 'ws.example.com', 
    port: 443,
    path: '/live'
  });
  expect(wsMatch).not.toBeUndefined();
  if (wsMatch) {
    expect(wsMatch.action.type).toEqual('forward');
    expect(wsMatch.action.target.host).toEqual('websocket-server');
    expect(wsMatch.action.websocket?.enabled).toBeTrue();
  }
  // Static assets
  const staticMatch = findBestMatchingRoute(routes, { 
    domain: 'static.example.com', 
    port: 443
  });
  expect(staticMatch).not.toBeUndefined();
  if (staticMatch) {
    expect(staticMatch.action.type).toEqual('static');
    expect(staticMatch.action.static.root).toEqual('/var/www/assets');
  }
  // Legacy system
  const legacyMatch = findBestMatchingRoute(routes, { 
    domain: 'legacy.example.com', 
    port: 443
  });
  expect(legacyMatch).not.toBeUndefined();
  if (legacyMatch) {
    expect(legacyMatch.action.type).toEqual('forward');
    expect(legacyMatch.action.tls?.mode).toEqual('passthrough');
  }
 });
 export default tap.start();
--- a/test/test.route-utils.ts
+++ b/test/test.route-utils.ts
--- a/test/test.router.ts
+++ b/test/test.router.ts
@ -1,392 +0,0 @@
 import { expect, tap } from '@push.rocks/tapbundle';
 import * as tsclass from '@tsclass/tsclass';
 import * as http from 'http';
 import { ProxyRouter, type RouterResult } from '../ts/http/router/proxy-router.js';
 // Test proxies and configurations
 let router: ProxyRouter;
 // Sample hostname for testing
 const TEST_DOMAIN = 'example.com';
 const TEST_SUBDOMAIN = 'api.example.com';
 const TEST_WILDCARD = '*.example.com';
 // Helper: Creates a mock HTTP request for testing
 function createMockRequest(host: string, url: string = '/'): http.IncomingMessage {
  const req = {
    headers: { host },
    url,
    socket: {
      remoteAddress: '127.0.0.1'
    }
  } as any;
  return req;
 }
 // Helper: Creates a test proxy configuration
 function createProxyConfig(
  hostname: string, 
  destinationIp: string = '10.0.0.1',
  destinationPort: number = 8080
 ): tsclass.network.IReverseProxyConfig {
  return {
    hostName: hostname,
    publicKey: 'mock-cert',
    privateKey: 'mock-key',
    destinationIps: [destinationIp],
    destinationPorts: [destinationPort],
  } as tsclass.network.IReverseProxyConfig;
 }
 // SETUP: Create a ProxyRouter instance
 tap.test('setup proxy router test environment', async () => {
  router = new ProxyRouter();
  // Initialize with empty config
  router.setNewProxyConfigs([]);
 });
 // Test basic routing by hostname
 tap.test('should route requests by hostname', async () => {
  const config = createProxyConfig(TEST_DOMAIN);
  router.setNewProxyConfigs([config]);
  const req = createMockRequest(TEST_DOMAIN);
  const result = router.routeReq(req);
  expect(result).toBeTruthy();
  expect(result).toEqual(config);
 });
 // Test handling of hostname with port number
 tap.test('should handle hostname with port number', async () => {
  const config = createProxyConfig(TEST_DOMAIN);
  router.setNewProxyConfigs([config]);
  const req = createMockRequest(`${TEST_DOMAIN}:443`);
  const result = router.routeReq(req);
  expect(result).toBeTruthy();
  expect(result).toEqual(config);
 });
 // Test case-insensitive hostname matching
 tap.test('should perform case-insensitive hostname matching', async () => {
  const config = createProxyConfig(TEST_DOMAIN.toLowerCase());
  router.setNewProxyConfigs([config]);
  const req = createMockRequest(TEST_DOMAIN.toUpperCase());
  const result = router.routeReq(req);
  expect(result).toBeTruthy();
  expect(result).toEqual(config);
 });
 // Test handling of unmatched hostnames
 tap.test('should return undefined for unmatched hostnames', async () => {
  const config = createProxyConfig(TEST_DOMAIN);
  router.setNewProxyConfigs([config]);
  const req = createMockRequest('unknown.domain.com');
  const result = router.routeReq(req);
  expect(result).toBeUndefined();
 });
 // Test adding path patterns
 tap.test('should match requests using path patterns', async () => {
  const config = createProxyConfig(TEST_DOMAIN);
  router.setNewProxyConfigs([config]);
  // Add a path pattern to the config
  router.setPathPattern(config, '/api/users');
  // Test that path matches
  const req1 = createMockRequest(TEST_DOMAIN, '/api/users');
  const result1 = router.routeReqWithDetails(req1);
  expect(result1).toBeTruthy();
  expect(result1.config).toEqual(config);
  expect(result1.pathMatch).toEqual('/api/users');
  // Test that non-matching path doesn't match
  const req2 = createMockRequest(TEST_DOMAIN, '/web/users');
  const result2 = router.routeReqWithDetails(req2);
  expect(result2).toBeUndefined();
 });
 // Test handling wildcard patterns
 tap.test('should support wildcard path patterns', async () => {
  const config = createProxyConfig(TEST_DOMAIN);
  router.setNewProxyConfigs([config]);
  router.setPathPattern(config, '/api/*');
  // Test with path that matches the wildcard pattern
  const req = createMockRequest(TEST_DOMAIN, '/api/users/123');
  const result = router.routeReqWithDetails(req);
  expect(result).toBeTruthy();
  expect(result.config).toEqual(config);
  expect(result.pathMatch).toEqual('/api');
  // Print the actual value to diagnose issues
  console.log('Path remainder value:', result.pathRemainder);
  expect(result.pathRemainder).toBeTruthy();
  expect(result.pathRemainder).toEqual('/users/123');
 });
 // Test extracting path parameters
 tap.test('should extract path parameters from URL', async () => {
  const config = createProxyConfig(TEST_DOMAIN);
  router.setNewProxyConfigs([config]);
  router.setPathPattern(config, '/users/:id/profile');
  const req = createMockRequest(TEST_DOMAIN, '/users/123/profile');
  const result = router.routeReqWithDetails(req);
  expect(result).toBeTruthy();
  expect(result.config).toEqual(config);
  expect(result.pathParams).toBeTruthy();
  expect(result.pathParams.id).toEqual('123');
 });
 // Test multiple configs for same hostname with different paths
 tap.test('should support multiple configs for same hostname with different paths', async () => {
  const apiConfig = createProxyConfig(TEST_DOMAIN, '10.0.0.1', 8001);
  const webConfig = createProxyConfig(TEST_DOMAIN, '10.0.0.2', 8002);
  // Add both configs
  router.setNewProxyConfigs([apiConfig, webConfig]);
  // Set different path patterns
  router.setPathPattern(apiConfig, '/api');
  router.setPathPattern(webConfig, '/web');
  // Test API path routes to API config
  const apiReq = createMockRequest(TEST_DOMAIN, '/api/users');
  const apiResult = router.routeReq(apiReq);
  expect(apiResult).toEqual(apiConfig);
  // Test web path routes to web config
  const webReq = createMockRequest(TEST_DOMAIN, '/web/dashboard');
  const webResult = router.routeReq(webReq);
  expect(webResult).toEqual(webConfig);
  // Test unknown path returns undefined
  const unknownReq = createMockRequest(TEST_DOMAIN, '/unknown');
  const unknownResult = router.routeReq(unknownReq);
  expect(unknownResult).toBeUndefined();
 });
 // Test wildcard subdomains
 tap.test('should match wildcard subdomains', async () => {
  const wildcardConfig = createProxyConfig(TEST_WILDCARD);
  router.setNewProxyConfigs([wildcardConfig]);
  // Test that subdomain.example.com matches *.example.com
  const req = createMockRequest('subdomain.example.com');
  const result = router.routeReq(req);
  expect(result).toBeTruthy();
  expect(result).toEqual(wildcardConfig);
 });
 // Test TLD wildcards (example.*)
 tap.test('should match TLD wildcards', async () => {
  const tldWildcardConfig = createProxyConfig('example.*');
  router.setNewProxyConfigs([tldWildcardConfig]);
  // Test that example.com matches example.*
  const req1 = createMockRequest('example.com');
  const result1 = router.routeReq(req1);
  expect(result1).toBeTruthy();
  expect(result1).toEqual(tldWildcardConfig);
  // Test that example.org matches example.*
  const req2 = createMockRequest('example.org');
  const result2 = router.routeReq(req2);
  expect(result2).toBeTruthy();
  expect(result2).toEqual(tldWildcardConfig);
  // Test that subdomain.example.com doesn't match example.*
  const req3 = createMockRequest('subdomain.example.com');
  const result3 = router.routeReq(req3);
  expect(result3).toBeUndefined();
 });
 // Test complex pattern matching (*.lossless*)
 tap.test('should match complex wildcard patterns', async () => {
  const complexWildcardConfig = createProxyConfig('*.lossless*');
  router.setNewProxyConfigs([complexWildcardConfig]);
  // Test that sub.lossless.com matches *.lossless*
  const req1 = createMockRequest('sub.lossless.com');
  const result1 = router.routeReq(req1);
  expect(result1).toBeTruthy();
  expect(result1).toEqual(complexWildcardConfig);
  // Test that api.lossless.org matches *.lossless*
  const req2 = createMockRequest('api.lossless.org');
  const result2 = router.routeReq(req2);
  expect(result2).toBeTruthy();
  expect(result2).toEqual(complexWildcardConfig);
  // Test that losslessapi.com matches *.lossless*
  const req3 = createMockRequest('losslessapi.com');
  const result3 = router.routeReq(req3);
  expect(result3).toBeUndefined(); // Should not match as it doesn't have a subdomain
 });
 // Test default configuration fallback
 tap.test('should fall back to default configuration', async () => {
  const defaultConfig = createProxyConfig('*');
  const specificConfig = createProxyConfig(TEST_DOMAIN);
  router.setNewProxyConfigs([defaultConfig, specificConfig]);
  // Test specific domain routes to specific config
  const specificReq = createMockRequest(TEST_DOMAIN);
  const specificResult = router.routeReq(specificReq);
  expect(specificResult).toEqual(specificConfig);
  // Test unknown domain falls back to default config
  const unknownReq = createMockRequest('unknown.com');
  const unknownResult = router.routeReq(unknownReq);
  expect(unknownResult).toEqual(defaultConfig);
 });
 // Test priority between exact and wildcard matches
 tap.test('should prioritize exact hostname over wildcard', async () => {
  const wildcardConfig = createProxyConfig(TEST_WILDCARD);
  const exactConfig = createProxyConfig(TEST_SUBDOMAIN);
  router.setNewProxyConfigs([wildcardConfig, exactConfig]);
  // Test that exact match takes priority
  const req = createMockRequest(TEST_SUBDOMAIN);
  const result = router.routeReq(req);
  expect(result).toEqual(exactConfig);
 });
 // Test adding and removing configurations
 tap.test('should manage configurations correctly', async () => {
  router.setNewProxyConfigs([]);
  // Add a config
  const config = createProxyConfig(TEST_DOMAIN);
  router.addProxyConfig(config);
  // Verify routing works
  const req = createMockRequest(TEST_DOMAIN);
  let result = router.routeReq(req);
  expect(result).toEqual(config);
  // Remove the config and verify it no longer routes
  const removed = router.removeProxyConfig(TEST_DOMAIN);
  expect(removed).toBeTrue();
  result = router.routeReq(req);
  expect(result).toBeUndefined();
 });
 // Test path pattern specificity
 tap.test('should prioritize more specific path patterns', async () => {
  const genericConfig = createProxyConfig(TEST_DOMAIN, '10.0.0.1', 8001);
  const specificConfig = createProxyConfig(TEST_DOMAIN, '10.0.0.2', 8002);
  router.setNewProxyConfigs([genericConfig, specificConfig]);
  router.setPathPattern(genericConfig, '/api/*');
  router.setPathPattern(specificConfig, '/api/users');
  // The more specific '/api/users' should match before the '/api/*' wildcard
  const req = createMockRequest(TEST_DOMAIN, '/api/users');
  const result = router.routeReq(req);
  expect(result).toEqual(specificConfig);
 });
 // Test getHostnames method
 tap.test('should retrieve all configured hostnames', async () => {
  router.setNewProxyConfigs([
    createProxyConfig(TEST_DOMAIN),
    createProxyConfig(TEST_SUBDOMAIN)
  ]);
  const hostnames = router.getHostnames();
  expect(hostnames.length).toEqual(2);
  expect(hostnames).toContain(TEST_DOMAIN.toLowerCase());
  expect(hostnames).toContain(TEST_SUBDOMAIN.toLowerCase());
 });
 // Test handling missing host header
 tap.test('should handle missing host header', async () => {
  const defaultConfig = createProxyConfig('*');
  router.setNewProxyConfigs([defaultConfig]);
  const req = createMockRequest('');
  req.headers.host = undefined;
  const result = router.routeReq(req);
  expect(result).toEqual(defaultConfig);
 });
 // Test complex path parameters
 tap.test('should handle complex path parameters', async () => {
  const config = createProxyConfig(TEST_DOMAIN);
  router.setNewProxyConfigs([config]);
  router.setPathPattern(config, '/api/:version/users/:userId/posts/:postId');
  const req = createMockRequest(TEST_DOMAIN, '/api/v1/users/123/posts/456');
  const result = router.routeReqWithDetails(req);
  expect(result).toBeTruthy();
  expect(result.config).toEqual(config);
  expect(result.pathParams).toBeTruthy();
  expect(result.pathParams.version).toEqual('v1');
  expect(result.pathParams.userId).toEqual('123');
  expect(result.pathParams.postId).toEqual('456');
 });
 // Performance test
 tap.test('should handle many configurations efficiently', async () => {
  const configs = [];
  // Create many configs with different hostnames
  for (let i = 0; i < 100; i++) {
    configs.push(createProxyConfig(`host-${i}.example.com`));
  }
  router.setNewProxyConfigs(configs);
  // Test middle of the list to avoid best/worst case
  const req = createMockRequest('host-50.example.com');
  const result = router.routeReq(req);
  expect(result).toEqual(configs[50]);
 });
 // Test cleanup
 tap.test('cleanup proxy router test environment', async () => {
  // Clear all configurations
  router.setNewProxyConfigs([]);
  // Verify empty state
  expect(router.getHostnames().length).toEqual(0);
  expect(router.getProxyConfigs().length).toEqual(0);
 });
 export default tap.start();
--- a/test/test.smartproxy.ts
+++ b/test/test.smartproxy.ts
@ -1,441 +0,0 @@
 import { expect, tap } from '@push.rocks/tapbundle';
 import * as net from 'net';
 import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
 let testServer: net.Server;
 let smartProxy: SmartProxy;
 const TEST_SERVER_PORT = 4000;
 const PROXY_PORT = 4001;
 const TEST_DATA = 'Hello through port proxy!';
 // Track all created servers and proxies for proper cleanup
 const allServers: net.Server[] = [];
 const allProxies: SmartProxy[] = [];
 // Helper: Creates a test TCP server that listens on a given port and host.
 function createTestServer(port: number, host: string = 'localhost'): Promise<net.Server> {
  return new Promise((resolve) => {
    const server = net.createServer((socket) => {
      socket.on('data', (data) => {
        // Echo the received data back with a prefix.
        socket.write(`Echo: ${data.toString()}`);
      });
      socket.on('error', (error) => {
        console.error(`[Test Server] Socket error on ${host}:${port}:`, error);
      });
    });
    server.listen(port, host, () => {
      console.log(`[Test Server] Listening on ${host}:${port}`);
      allServers.push(server); // Track this server
      resolve(server);
    });
  });
 }
 // Helper: Creates a test client connection.
 function createTestClient(port: number, data: string): Promise<string> {
  return new Promise((resolve, reject) => {
    const client = new net.Socket();
    let response = '';
    const timeout = setTimeout(() => {
      client.destroy();
      reject(new Error(`Client connection timeout to port ${port}`));
    }, 5000);
    client.connect(port, 'localhost', () => {
      console.log('[Test Client] Connected to server');
      client.write(data);
    });
    client.on('data', (chunk) => {
      response += chunk.toString();
      client.end();
    });
    client.on('end', () => {
      clearTimeout(timeout);
      resolve(response);
    });
    client.on('error', (error) => {
      clearTimeout(timeout);
      reject(error);
    });
  });
 }
 // SETUP: Create a test server and a PortProxy instance.
 tap.test('setup port proxy test environment', async () => {
  testServer = await createTestServer(TEST_SERVER_PORT);
  smartProxy = new SmartProxy({
    routes: [
      {
        match: {
          ports: PROXY_PORT
        },
        action: {
          type: 'forward',
          target: {
            host: 'localhost',
            port: TEST_SERVER_PORT
          }
        }
      }
    ],
    defaults: {
      security: {
        allowedIPs: ['127.0.0.1']
      }
    }
  });
  allProxies.push(smartProxy); // Track this proxy
 });
 // Test that the proxy starts and its servers are listening.
 tap.test('should start port proxy', async () => {
  await smartProxy.start();
  expect((smartProxy as any).netServers.every((server: net.Server) => server.listening)).toBeTrue();
 });
 // Test basic TCP forwarding.
 tap.test('should forward TCP connections and data to localhost', async () => {
  const response = await createTestClient(PROXY_PORT, TEST_DATA);
  expect(response).toEqual(`Echo: ${TEST_DATA}`);
 });
 // Test proxy with a custom target host.
 tap.test('should forward TCP connections to custom host', async () => {
  const customHostProxy = new SmartProxy({
    routes: [
      {
        match: {
          ports: PROXY_PORT + 1
        },
        action: {
          type: 'forward',
          target: {
            host: '127.0.0.1',
            port: TEST_SERVER_PORT
          }
        }
      }
    ],
    defaults: {
      security: {
        allowedIPs: ['127.0.0.1']
      }
    }
  });
  allProxies.push(customHostProxy); // Track this proxy
  await customHostProxy.start();
  const response = await createTestClient(PROXY_PORT + 1, TEST_DATA);
  expect(response).toEqual(`Echo: ${TEST_DATA}`);
  await customHostProxy.stop();
  // Remove from tracking after stopping
  const index = allProxies.indexOf(customHostProxy);
  if (index !== -1) allProxies.splice(index, 1);
 });
 // Test custom IP forwarding
 // Modified to work in Docker/CI environments without needing 127.0.0.2
 tap.test('should forward connections to custom IP', async () => {
  // Set up ports that are FAR apart to avoid any possible confusion
  const forcedProxyPort = PROXY_PORT + 2;      // 4003 - The port that our proxy listens on
  const targetServerPort = TEST_SERVER_PORT + 200;  // 4200 - Target test server on different port
  // Create a test server listening on a unique port on 127.0.0.1 (works in all environments)
  const testServer2 = await createTestServer(targetServerPort, '127.0.0.1');
  // We're simulating routing to a different IP by using a different port
  // This tests the core functionality without requiring multiple IPs
  const domainProxy = new SmartProxy({
    routes: [
      {
        match: {
          ports: forcedProxyPort
        },
        action: {
          type: 'forward',
          target: {
            host: '127.0.0.1',
            port: targetServerPort
          }
        }
      }
    ],
    defaults: {
      security: {
        allowedIPs: ['127.0.0.1', '::ffff:127.0.0.1']
      }
    }
  });
  allProxies.push(domainProxy); // Track this proxy
  await domainProxy.start();
  // Send a single test connection
  const response = await createTestClient(forcedProxyPort, TEST_DATA);
  expect(response).toEqual(`Echo: ${TEST_DATA}`);
  await domainProxy.stop();
  // Remove from tracking after stopping
  const proxyIndex = allProxies.indexOf(domainProxy);
  if (proxyIndex !== -1) allProxies.splice(proxyIndex, 1);
  // Close the test server
  await new Promise<void>((resolve) => testServer2.close(() => resolve()));
  // Remove from tracking
  const serverIndex = allServers.indexOf(testServer2);
  if (serverIndex !== -1) allServers.splice(serverIndex, 1);
 });
 // Test handling of multiple concurrent connections.
 tap.test('should handle multiple concurrent connections', async () => {
  const concurrentRequests = 5;
  const requests = Array(concurrentRequests).fill(null).map((_, i) =>
    createTestClient(PROXY_PORT, `${TEST_DATA} ${i + 1}`)
  );
  const responses = await Promise.all(requests);
  responses.forEach((response, i) => {
    expect(response).toEqual(`Echo: ${TEST_DATA} ${i + 1}`);
  });
 });
 // Test connection timeout handling.
 tap.test('should handle connection timeouts', async () => {
  const client = new net.Socket();
  await new Promise<void>((resolve) => {
    // Add a timeout to ensure we don't hang here
    const timeout = setTimeout(() => {
      client.destroy();
      resolve();
    }, 3000);
    client.connect(PROXY_PORT, 'localhost', () => {
      // Do not send any data to trigger a timeout.
      client.on('close', () => {
        clearTimeout(timeout);
        resolve();
      });
    });
    client.on('error', () => {
      clearTimeout(timeout);
      client.destroy();
      resolve();
    });
  });
 });
 // Test stopping the port proxy.
 tap.test('should stop port proxy', async () => {
  await smartProxy.stop();
  expect((smartProxy as any).netServers.every((server: net.Server) => !server.listening)).toBeTrue();
  // Remove from tracking
  const index = allProxies.indexOf(smartProxy);
  if (index !== -1) allProxies.splice(index, 1);
 });
 // Test chained proxies with and without source IP preservation.
 tap.test('should support optional source IP preservation in chained proxies', async () => {
  // Chained proxies without IP preservation.
  const firstProxyDefault = new SmartProxy({
    routes: [
      {
        match: {
          ports: PROXY_PORT + 4
        },
        action: {
          type: 'forward',
          target: {
            host: 'localhost',
            port: PROXY_PORT + 5
          }
        }
      }
    ],
    defaults: {
      security: {
        allowedIPs: ['127.0.0.1', '::ffff:127.0.0.1']
      }
    }
  });
  const secondProxyDefault = new SmartProxy({
    routes: [
      {
        match: {
          ports: PROXY_PORT + 5
        },
        action: {
          type: 'forward',
          target: {
            host: 'localhost',
            port: TEST_SERVER_PORT
          }
        }
      }
    ],
    defaults: {
      security: {
        allowedIPs: ['127.0.0.1', '::ffff:127.0.0.1']
      }
    }
  });
  allProxies.push(firstProxyDefault, secondProxyDefault); // Track these proxies
  await secondProxyDefault.start();
  await firstProxyDefault.start();
  const response1 = await createTestClient(PROXY_PORT + 4, TEST_DATA);
  expect(response1).toEqual(`Echo: ${TEST_DATA}`);
  await firstProxyDefault.stop();
  await secondProxyDefault.stop();
  // Remove from tracking
  const index1 = allProxies.indexOf(firstProxyDefault);
  if (index1 !== -1) allProxies.splice(index1, 1);
  const index2 = allProxies.indexOf(secondProxyDefault);
  if (index2 !== -1) allProxies.splice(index2, 1);
  // Chained proxies with IP preservation.
  const firstProxyPreserved = new SmartProxy({
    routes: [
      {
        match: {
          ports: PROXY_PORT + 6
        },
        action: {
          type: 'forward',
          target: {
            host: 'localhost',
            port: PROXY_PORT + 7
          }
        }
      }
    ],
    defaults: {
      security: {
        allowedIPs: ['127.0.0.1']
      },
      preserveSourceIP: true
    },
    preserveSourceIP: true
  });
  const secondProxyPreserved = new SmartProxy({
    routes: [
      {
        match: {
          ports: PROXY_PORT + 7
        },
        action: {
          type: 'forward',
          target: {
            host: 'localhost',
            port: TEST_SERVER_PORT
          }
        }
      }
    ],
    defaults: {
      security: {
        allowedIPs: ['127.0.0.1']
      },
      preserveSourceIP: true
    },
    preserveSourceIP: true
  });
  allProxies.push(firstProxyPreserved, secondProxyPreserved); // Track these proxies
  await secondProxyPreserved.start();
  await firstProxyPreserved.start();
  const response2 = await createTestClient(PROXY_PORT + 6, TEST_DATA);
  expect(response2).toEqual(`Echo: ${TEST_DATA}`);
  await firstProxyPreserved.stop();
  await secondProxyPreserved.stop();
  // Remove from tracking
  const index3 = allProxies.indexOf(firstProxyPreserved);
  if (index3 !== -1) allProxies.splice(index3, 1);
  const index4 = allProxies.indexOf(secondProxyPreserved);
  if (index4 !== -1) allProxies.splice(index4, 1);
 });
 // Test round-robin behavior for multiple target hosts in a domain config.
 tap.test('should use round robin for multiple target hosts in domain config', async () => {
  // Create a domain config with multiple hosts in the target
  // Create a route with multiple target hosts
  const routeConfig = {
    match: {
      ports: 80,
      domains: ['rr.test']
    },
    action: {
      type: 'forward' as const,
      target: {
        host: ['hostA', 'hostB'], // Array of hosts for round-robin
        port: 80
      }
    }
  };
  const proxyInstance = new SmartProxy({
    routes: [routeConfig]
  });
  // Don't track this proxy as it doesn't actually start or listen
  // Use the RouteConnectionHandler to test the round-robin functionality
  // For route based configuration, we need to implement a different approach for testing
  // Since there's no direct access to getTargetHost
  // In a route-based approach, the target host selection would happen in the
  // connection setup process, which isn't directly accessible without
  // making actual connections. We'll skip the direct test.
  // For route-based approach, the actual round-robin logic happens in connection handling
  // Just make sure our config has the expected hosts
  expect(Array.isArray(routeConfig.action.target.host)).toBeTrue();
  expect(routeConfig.action.target.host).toContain('hostA');
  expect(routeConfig.action.target.host).toContain('hostB');
 });
 // CLEANUP: Tear down all servers and proxies
 tap.test('cleanup port proxy test environment', async () => {
  // Stop all remaining proxies
  for (const proxy of [...allProxies]) {
    try {
      await proxy.stop();
      const index = allProxies.indexOf(proxy);
      if (index !== -1) allProxies.splice(index, 1);
    } catch (err) {
      console.error(`Error stopping proxy: ${err}`);
    }
  }
  // Close all remaining servers
  for (const server of [...allServers]) {
    try {
      await new Promise<void>((resolve) => {
        if (server.listening) {
          server.close(() => resolve());
        } else {
          resolve();
        }
      });
      const index = allServers.indexOf(server);
      if (index !== -1) allServers.splice(index, 1);
    } catch (err) {
      console.error(`Error closing server: ${err}`);
    }
  }
  // Verify all resources are cleaned up
  expect(allProxies.length).toEqual(0);
  expect(allServers.length).toEqual(0);
 });
 export default tap.start();
--- a/test/test.ts
+++ b/test/test.ts
@ -0,0 +1,22 @@
 import { expect, tap } from '@pushrocks/tapbundle';
 import * as smartproxy from '../ts/index';
 let testProxy: smartproxy.SmartProxy;
 tap.test('first test', async () => {
  testProxy = new smartproxy.SmartProxy();
 });
 tap.test('should start the testproxy', async () => {
  await testProxy.start();
 });
 tap.test('should wait for 5 seconds', async (tools) => {
  await tools.delayFor(5000);
 });
 tap.test('should close the testproxy', async () => {
  await testProxy.stop();
 });
 tap.start();
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@ -1,8 +0,0 @@
 /**
 * autocreated commitinfo by @push.rocks/commitinfo
 */
 export const commitinfo = {
  name: '@push.rocks/smartproxy',
  version: '16.0.2',
  description: 'A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.'
 }
--- a/ts/certificate/acme/acme-factory.ts
+++ b/ts/certificate/acme/acme-factory.ts
@ -1,48 +0,0 @@
 import * as fs from 'fs';
 import * as path from 'path';
 import type { IAcmeOptions } from '../models/certificate-types.js';
 import { ensureCertificateDirectory } from '../utils/certificate-helpers.js';
 // We'll need to update this import when we move the Port80Handler
 import { Port80Handler } from '../../http/port80/port80-handler.js';
 /**
 * Factory to create a Port80Handler with common setup.
 * Ensures the certificate store directory exists and instantiates the handler.
 * @param options Port80Handler configuration options
 * @returns A new Port80Handler instance
 */
 export function buildPort80Handler(
  options: IAcmeOptions
 ): Port80Handler {
  if (options.certificateStore) {
    ensureCertificateDirectory(options.certificateStore);
    console.log(`Ensured certificate store directory: ${options.certificateStore}`);
  }
  return new Port80Handler(options);
 }
 /**
 * Creates default ACME options with sensible defaults
 * @param email Account email for ACME provider
 * @param certificateStore Path to store certificates
 * @param useProduction Whether to use production ACME servers
 * @returns Configured ACME options
 */
 export function createDefaultAcmeOptions(
  email: string,
  certificateStore: string,
  useProduction: boolean = false
 ): IAcmeOptions {
  return {
    accountEmail: email,
    enabled: true,
    port: 80,
    useProduction,
    httpsRedirectPort: 443,
    renewThresholdDays: 30,
    renewCheckIntervalHours: 24,
    autoRenew: true,
    certificateStore,
    skipConfiguredCerts: false
  };
 }
--- a/ts/certificate/acme/challenge-handler.ts
+++ b/ts/certificate/acme/challenge-handler.ts
@ -1,110 +0,0 @@
 import * as plugins from '../../plugins.js';
 import type { IAcmeOptions, ICertificateData } from '../models/certificate-types.js';
 import { CertificateEvents } from '../events/certificate-events.js';
 /**
 * Manages ACME challenges and certificate validation
 */
 export class AcmeChallengeHandler extends plugins.EventEmitter {
  private options: IAcmeOptions;
  private client: any; // ACME client from plugins
  private pendingChallenges: Map<string, any>;
  /**
   * Creates a new ACME challenge handler
   * @param options ACME configuration options
   */
  constructor(options: IAcmeOptions) {
    super();
    this.options = options;
    this.pendingChallenges = new Map();
    // Initialize ACME client if needed
    // This is just a placeholder implementation since we don't use the actual
    // client directly in this implementation - it's handled by Port80Handler
    this.client = null;
    console.log('Created challenge handler with options:',
      options.accountEmail,
      options.useProduction ? 'production' : 'staging'
    );
  }
  /**
   * Gets or creates the ACME account key
   */
  private getAccountKey(): Buffer {
    // Implementation details would depend on plugin requirements
    // This is a simplified version
    if (!this.options.certificateStore) {
      throw new Error('Certificate store is required for ACME challenges');
    }
    // This is just a placeholder - actual implementation would check for
    // existing account key and create one if needed
    return Buffer.from('account-key-placeholder');
  }
  /**
   * Validates a domain using HTTP-01 challenge
   * @param domain Domain to validate
   * @param challengeToken ACME challenge token
   * @param keyAuthorization Key authorization for the challenge
   */
  public async handleHttpChallenge(
    domain: string,
    challengeToken: string,
    keyAuthorization: string
  ): Promise<void> {
    // Store challenge for response
    this.pendingChallenges.set(challengeToken, keyAuthorization);
    try {
      // Wait for challenge validation - this would normally be handled by the ACME client
      await new Promise(resolve => setTimeout(resolve, 1000));
      this.emit(CertificateEvents.CERTIFICATE_ISSUED, {
        domain,
        success: true
      });
    } catch (error) {
      this.emit(CertificateEvents.CERTIFICATE_FAILED, {
        domain,
        error: error instanceof Error ? error.message : String(error),
        isRenewal: false
      });
      throw error;
    } finally {
      // Clean up the challenge
      this.pendingChallenges.delete(challengeToken);
    }
  }
  /**
   * Responds to an HTTP-01 challenge request
   * @param token Challenge token from the request path
   * @returns The key authorization if found
   */
  public getChallengeResponse(token: string): string | null {
    return this.pendingChallenges.get(token) || null;
  }
  /**
   * Checks if a request path is an ACME challenge
   * @param path Request path
   * @returns True if this is an ACME challenge request
   */
  public isAcmeChallenge(path: string): boolean {
    return path.startsWith('/.well-known/acme-challenge/');
  }
  /**
   * Extracts the challenge token from an ACME challenge path
   * @param path Request path
   * @returns The challenge token if valid
   */
  public extractChallengeToken(path: string): string | null {
    if (!this.isAcmeChallenge(path)) return null;
    const parts = path.split('/');
    return parts[parts.length - 1] || null;
  }
 }
--- a/ts/certificate/acme/index.ts
+++ b/ts/certificate/acme/index.ts
@ -1,3 +0,0 @@
 /**
 * ACME certificate provisioning
 */
--- a/ts/certificate/events/certificate-events.ts
+++ b/ts/certificate/events/certificate-events.ts
@ -1,36 +0,0 @@
 /**
 * Certificate-related events emitted by certificate management components
 */
 export enum CertificateEvents {
  CERTIFICATE_ISSUED = 'certificate-issued',
  CERTIFICATE_RENEWED = 'certificate-renewed',
  CERTIFICATE_FAILED = 'certificate-failed',
  CERTIFICATE_EXPIRING = 'certificate-expiring',
  CERTIFICATE_APPLIED = 'certificate-applied',
  // Events moved from Port80Handler for compatibility
  MANAGER_STARTED = 'manager-started',
  MANAGER_STOPPED = 'manager-stopped',
 }
 /**
 * Port80Handler-specific events including certificate-related ones
 * @deprecated Use CertificateEvents and HttpEvents instead
 */
 export enum Port80HandlerEvents {
  CERTIFICATE_ISSUED = 'certificate-issued',
  CERTIFICATE_RENEWED = 'certificate-renewed',
  CERTIFICATE_FAILED = 'certificate-failed',
  CERTIFICATE_EXPIRING = 'certificate-expiring',
  MANAGER_STARTED = 'manager-started',
  MANAGER_STOPPED = 'manager-stopped',
  REQUEST_FORWARDED = 'request-forwarded',
 }
 /**
 * Certificate provider events
 */
 export enum CertProvisionerEvents {
  CERTIFICATE_ISSUED = 'certificate',
  CERTIFICATE_RENEWED = 'certificate',
  CERTIFICATE_FAILED = 'certificate-failed'
 }
--- a/ts/certificate/index.ts
+++ b/ts/certificate/index.ts
@ -1,75 +0,0 @@
 /**
 * Certificate management module for SmartProxy
 * Provides certificate provisioning, storage, and management capabilities
 */
 // Certificate types and models
 export * from './models/certificate-types.js';
 // Certificate events
 export * from './events/certificate-events.js';
 // Certificate providers
 export * from './providers/cert-provisioner.js';
 // ACME related exports
 export * from './acme/acme-factory.js';
 export * from './acme/challenge-handler.js';
 // Certificate utilities
 export * from './utils/certificate-helpers.js';
 // Certificate storage
 export * from './storage/file-storage.js';
 // Convenience function to create a certificate provisioner with common settings
 import { CertProvisioner } from './providers/cert-provisioner.js';
 import type { TCertProvisionObject } from './providers/cert-provisioner.js';
 import { buildPort80Handler } from './acme/acme-factory.js';
 import type { IAcmeOptions, IRouteForwardConfig } from './models/certificate-types.js';
 import type { IRouteConfig } from '../proxies/smart-proxy/models/route-types.js';
 /**
 * Interface for NetworkProxyBridge used by CertProvisioner
 */
 interface ICertNetworkProxyBridge {
  applyExternalCertificate(certData: any): void;
 }
 /**
 * Creates a complete certificate provisioning system with default settings
 * @param routeConfigs Route configurations that may need certificates
 * @param acmeOptions ACME options for certificate provisioning
 * @param networkProxyBridge Bridge to apply certificates to network proxy
 * @param certProvider Optional custom certificate provider
 * @returns Configured CertProvisioner
 */
 export function createCertificateProvisioner(
  routeConfigs: IRouteConfig[],
  acmeOptions: IAcmeOptions,
  networkProxyBridge: ICertNetworkProxyBridge,
  certProvider?: (domain: string) => Promise<TCertProvisionObject>
 ): CertProvisioner {
  // Build the Port80Handler for ACME challenges
  const port80Handler = buildPort80Handler(acmeOptions);
  // Extract ACME-specific configuration
  const {
    renewThresholdDays = 30,
    renewCheckIntervalHours = 24,
    autoRenew = true,
    routeForwards = []
  } = acmeOptions;
  // Create and return the certificate provisioner
  return new CertProvisioner(
    routeConfigs,
    port80Handler,
    networkProxyBridge,
    certProvider,
    renewThresholdDays,
    renewCheckIntervalHours,
    autoRenew,
    routeForwards
  );
 }
--- a/ts/certificate/models/certificate-types.ts
+++ b/ts/certificate/models/certificate-types.ts
@ -1,109 +0,0 @@
 import * as plugins from '../../plugins.js';
 import type { IRouteConfig } from '../../proxies/smart-proxy/models/route-types.js';
 /**
 * Certificate data structure containing all necessary information
 * about a certificate
 */
 export interface ICertificateData {
  domain: string;
  certificate: string;
  privateKey: string;
  expiryDate: Date;
  // Optional source and renewal information for event emissions
  source?: 'static' | 'http01' | 'dns01';
  isRenewal?: boolean;
  // Reference to the route that requested this certificate (if available)
  routeReference?: {
    routeId?: string;
    routeName?: string;
  };
 }
 /**
 * Certificates pair (private and public keys)
 */
 export interface ICertificates {
  privateKey: string;
  publicKey: string;
 }
 /**
 * Certificate failure payload type
 */
 export interface ICertificateFailure {
  domain: string;
  error: string;
  isRenewal: boolean;
  routeReference?: {
    routeId?: string;
    routeName?: string;
  };
 }
 /**
 * Certificate expiry payload type
 */
 export interface ICertificateExpiring {
  domain: string;
  expiryDate: Date;
  daysRemaining: number;
  routeReference?: {
    routeId?: string;
    routeName?: string;
  };
 }
 /**
 * Route-specific forwarding configuration for ACME challenges
 */
 export interface IRouteForwardConfig {
  domain: string;
  target: {
    host: string;
    port: number;
  };
  sslRedirect?: boolean;
 }
 /**
 * Domain configuration options for Port80Handler
 *
 * This is used internally by the Port80Handler to manage domains
 * but will eventually be replaced with route-based options.
 */
 export interface IDomainOptions {
  domainName: string;
  sslRedirect: boolean;   // if true redirects the request to port 443
  acmeMaintenance: boolean; // tries to always have a valid cert for this domain
  forward?: {
    ip: string;
    port: number;
  }; // forwards all http requests to that target
  acmeForward?: {
    ip: string;
    port: number;
  }; // forwards letsencrypt requests to this config
  routeReference?: {
    routeId?: string;
    routeName?: string;
  };
 }
 /**
 * Unified ACME configuration options used across proxies and handlers
 */
 export interface IAcmeOptions {
  accountEmail?: string;          // Email for Let's Encrypt account
  enabled?: boolean;              // Whether ACME is enabled
  port?: number;                  // Port to listen on for ACME challenges (default: 80)
  useProduction?: boolean;        // Use production environment (default: staging)
  httpsRedirectPort?: number;     // Port to redirect HTTP requests to HTTPS (default: 443)
  renewThresholdDays?: number;    // Days before expiry to renew certificates
  renewCheckIntervalHours?: number; // How often to check for renewals (in hours)
  autoRenew?: boolean;            // Whether to automatically renew certificates
  certificateStore?: string;      // Directory to store certificates
  skipConfiguredCerts?: boolean;  // Skip domains with existing certificates
  routeForwards?: IRouteForwardConfig[]; // Route-specific forwarding configs
 }
--- a/ts/certificate/providers/cert-provisioner.ts
+++ b/ts/certificate/providers/cert-provisioner.ts
@ -1,519 +0,0 @@
 import * as plugins from '../../plugins.js';
 import type { IRouteConfig } from '../../proxies/smart-proxy/models/route-types.js';
 import type { ICertificateData, IRouteForwardConfig, IDomainOptions } from '../models/certificate-types.js';
 import { Port80HandlerEvents, CertProvisionerEvents } from '../events/certificate-events.js';
 import { Port80Handler } from '../../http/port80/port80-handler.js';
 // Interface for NetworkProxyBridge
 interface INetworkProxyBridge {
  applyExternalCertificate(certData: ICertificateData): void;
 }
 /**
 * Type for static certificate provisioning
 */
 export type TCertProvisionObject = plugins.tsclass.network.ICert | 'http01' | 'dns01';
 /**
 * Interface for routes that need certificates
 */
 interface ICertRoute {
  domain: string;
  route: IRouteConfig;
  tlsMode: 'terminate' | 'terminate-and-reencrypt';
 }
 /**
 * CertProvisioner manages certificate provisioning and renewal workflows,
 * unifying static certificates and HTTP-01 challenges via Port80Handler.
 *
 * This class directly works with route configurations instead of converting to domain configs.
 */
 export class CertProvisioner extends plugins.EventEmitter {
  private routeConfigs: IRouteConfig[];
  private certRoutes: ICertRoute[] = [];
  private port80Handler: Port80Handler;
  private networkProxyBridge: INetworkProxyBridge;
  private certProvisionFunction?: (domain: string) => Promise<TCertProvisionObject>;
  private routeForwards: IRouteForwardConfig[];
  private renewThresholdDays: number;
  private renewCheckIntervalHours: number;
  private autoRenew: boolean;
  private renewManager?: plugins.taskbuffer.TaskManager;
  // Track provisioning type per domain
  private provisionMap: Map<string, { type: 'http01' | 'dns01' | 'static', routeRef?: ICertRoute }>;
  /**
   * Extract routes that need certificates
   * @param routes Route configurations
   */
  private extractCertificateRoutesFromRoutes(routes: IRouteConfig[]): ICertRoute[] {
    const certRoutes: ICertRoute[] = [];
    // Process all HTTPS routes that need certificates
    for (const route of routes) {
      // Only process routes with TLS termination that need certificates
      if (route.action.type === 'forward' &&
          route.action.tls &&
          (route.action.tls.mode === 'terminate' || route.action.tls.mode === 'terminate-and-reencrypt') &&
          route.match.domains) {
        // Extract domains from the route
        const domains = Array.isArray(route.match.domains)
          ? route.match.domains
          : [route.match.domains];
        // For each domain in the route, create a certRoute entry
        for (const domain of domains) {
          // Skip wildcard domains that can't use ACME unless we have a certProvider
          if (domain.includes('*') && (!this.certProvisionFunction || this.certProvisionFunction.length === 0)) {
            console.warn(`Skipping wildcard domain that requires a certProvisionFunction: ${domain}`);
            continue;
          }
          certRoutes.push({
            domain,
            route,
            tlsMode: route.action.tls.mode
          });
        }
      }
    }
    return certRoutes;
  }
  /**
   * Constructor for CertProvisioner
   *
   * @param routeConfigs Array of route configurations
   * @param port80Handler HTTP-01 challenge handler instance
   * @param networkProxyBridge Bridge for applying external certificates
   * @param certProvider Optional callback returning a static cert or 'http01'
   * @param renewThresholdDays Days before expiry to trigger renewals
   * @param renewCheckIntervalHours Interval in hours to check for renewals
   * @param autoRenew Whether to automatically schedule renewals
   * @param routeForwards Route-specific forwarding configs for ACME challenges
   */
  constructor(
    routeConfigs: IRouteConfig[],
    port80Handler: Port80Handler,
    networkProxyBridge: INetworkProxyBridge,
    certProvider?: (domain: string) => Promise<TCertProvisionObject>,
    renewThresholdDays: number = 30,
    renewCheckIntervalHours: number = 24,
    autoRenew: boolean = true,
    routeForwards: IRouteForwardConfig[] = []
  ) {
    super();
    this.routeConfigs = routeConfigs;
    this.port80Handler = port80Handler;
    this.networkProxyBridge = networkProxyBridge;
    this.certProvisionFunction = certProvider;
    this.renewThresholdDays = renewThresholdDays;
    this.renewCheckIntervalHours = renewCheckIntervalHours;
    this.autoRenew = autoRenew;
    this.provisionMap = new Map();
    this.routeForwards = routeForwards;
    // Extract certificate routes during instantiation
    this.certRoutes = this.extractCertificateRoutesFromRoutes(routeConfigs);
  }
  /**
   * Start initial provisioning and schedule renewals.
   */
  public async start(): Promise<void> {
    // Subscribe to Port80Handler certificate events
    this.setupEventSubscriptions();
    // Apply route forwarding for ACME challenges
    this.setupForwardingConfigs();
    // Initial provisioning for all domains in routes
    await this.provisionAllCertificates();
    // Schedule renewals if enabled
    if (this.autoRenew) {
      this.scheduleRenewals();
    }
  }
  /**
   * Set up event subscriptions for certificate events
   */
  private setupEventSubscriptions(): void {
    this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_ISSUED, (data: ICertificateData) => {
      // Add route reference if we have it
      const routeRef = this.findRouteForDomain(data.domain);
      const enhancedData: ICertificateData = {
        ...data,
        source: 'http01',
        isRenewal: false,
        routeReference: routeRef ? {
          routeId: routeRef.route.name,
          routeName: routeRef.route.name
        } : undefined
      };
      this.emit(CertProvisionerEvents.CERTIFICATE_ISSUED, enhancedData);
    });
    this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_RENEWED, (data: ICertificateData) => {
      // Add route reference if we have it
      const routeRef = this.findRouteForDomain(data.domain);
      const enhancedData: ICertificateData = {
        ...data,
        source: 'http01',
        isRenewal: true,
        routeReference: routeRef ? {
          routeId: routeRef.route.name,
          routeName: routeRef.route.name
        } : undefined
      };
      this.emit(CertProvisionerEvents.CERTIFICATE_RENEWED, enhancedData);
    });
    this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_FAILED, (error) => {
      this.emit(CertProvisionerEvents.CERTIFICATE_FAILED, error);
    });
  }
  /**
   * Find a route for a given domain
   */
  private findRouteForDomain(domain: string): ICertRoute | undefined {
    return this.certRoutes.find(certRoute => certRoute.domain === domain);
  }
  /**
   * Set up forwarding configurations for the Port80Handler
   */
  private setupForwardingConfigs(): void {
    for (const config of this.routeForwards) {
      const domainOptions: IDomainOptions = {
        domainName: config.domain,
        sslRedirect: config.sslRedirect || false,
        acmeMaintenance: false,
        forward: config.target ? {
          ip: config.target.host,
          port: config.target.port
        } : undefined
      };
      this.port80Handler.addDomain(domainOptions);
    }
  }
  /**
   * Provision certificates for all routes that need them
   */
  private async provisionAllCertificates(): Promise<void> {
    for (const certRoute of this.certRoutes) {
      await this.provisionCertificateForRoute(certRoute);
    }
  }
  /**
   * Provision a certificate for a route
   */
  private async provisionCertificateForRoute(certRoute: ICertRoute): Promise<void> {
    const { domain, route } = certRoute;
    const isWildcard = domain.includes('*');
    let provision: TCertProvisionObject = 'http01';
    // Try to get a certificate from the provision function
    if (this.certProvisionFunction) {
      try {
        provision = await this.certProvisionFunction(domain);
      } catch (err) {
        console.error(`certProvider error for ${domain} on route ${route.name || 'unnamed'}:`, err);
      }
    } else if (isWildcard) {
      // No certProvider: cannot handle wildcard without DNS-01 support
      console.warn(`Skipping wildcard domain without certProvisionFunction: ${domain}`);
      return;
    }
    // Store the route reference with the provision type
    this.provisionMap.set(domain, {
      type: provision === 'http01' || provision === 'dns01' ? provision : 'static',
      routeRef: certRoute
    });
    // Handle different provisioning methods
    if (provision === 'http01') {
      if (isWildcard) {
        console.warn(`Skipping HTTP-01 for wildcard domain: ${domain}`);
        return;
      }
      this.port80Handler.addDomain({
        domainName: domain,
        sslRedirect: true,
        acmeMaintenance: true,
        routeReference: {
          routeId: route.name || domain,
          routeName: route.name
        }
      });
    } else if (provision === 'dns01') {
      // DNS-01 challenges would be handled by the certProvisionFunction
      // DNS-01 handling would go here if implemented
      console.log(`DNS-01 challenge type set for ${domain}`);
    } else {
      // Static certificate (e.g., DNS-01 provisioned or user-provided)
      const certObj = provision as plugins.tsclass.network.ICert;
      const certData: ICertificateData = {
        domain: certObj.domainName,
        certificate: certObj.publicKey,
        privateKey: certObj.privateKey,
        expiryDate: new Date(certObj.validUntil),
        source: 'static',
        isRenewal: false,
        routeReference: {
          routeId: route.name || domain,
          routeName: route.name
        }
      };
      this.networkProxyBridge.applyExternalCertificate(certData);
      this.emit(CertProvisionerEvents.CERTIFICATE_ISSUED, certData);
    }
  }
  /**
   * Schedule certificate renewals using a task manager
   */
  private scheduleRenewals(): void {
    this.renewManager = new plugins.taskbuffer.TaskManager();
    const renewTask = new plugins.taskbuffer.Task({
      name: 'CertificateRenewals',
      taskFunction: async () => await this.performRenewals()
    });
    const hours = this.renewCheckIntervalHours;
    const cronExpr = `0 0 */${hours} * * *`;
    this.renewManager.addAndScheduleTask(renewTask, cronExpr);
    this.renewManager.start();
  }
  /**
   * Perform renewals for all domains that need it
   */
  private async performRenewals(): Promise<void> {
    for (const [domain, info] of this.provisionMap.entries()) {
      // Skip wildcard domains for HTTP-01 challenges
      if (domain.includes('*') && info.type === 'http01') continue;
      try {
        await this.renewCertificateForDomain(domain, info.type, info.routeRef);
      } catch (err) {
        console.error(`Renewal error for ${domain}:`, err);
      }
    }
  }
  /**
   * Renew a certificate for a specific domain
   * @param domain Domain to renew
   * @param provisionType Type of provisioning for this domain
   * @param certRoute The route reference for this domain
   */
  private async renewCertificateForDomain(
    domain: string,
    provisionType: 'http01' | 'dns01' | 'static',
    certRoute?: ICertRoute
  ): Promise<void> {
    if (provisionType === 'http01') {
      await this.port80Handler.renewCertificate(domain);
    } else if ((provisionType === 'static' || provisionType === 'dns01') && this.certProvisionFunction) {
      const provision = await this.certProvisionFunction(domain);
      if (provision !== 'http01' && provision !== 'dns01') {
        const certObj = provision as plugins.tsclass.network.ICert;
        const routeRef = certRoute?.route;
        const certData: ICertificateData = {
          domain: certObj.domainName,
          certificate: certObj.publicKey,
          privateKey: certObj.privateKey,
          expiryDate: new Date(certObj.validUntil),
          source: 'static',
          isRenewal: true,
          routeReference: routeRef ? {
            routeId: routeRef.name || domain,
            routeName: routeRef.name
          } : undefined
        };
        this.networkProxyBridge.applyExternalCertificate(certData);
        this.emit(CertProvisionerEvents.CERTIFICATE_RENEWED, certData);
      }
    }
  }
  /**
   * Stop all scheduled renewal tasks.
   */
  public async stop(): Promise<void> {
    if (this.renewManager) {
      this.renewManager.stop();
    }
  }
  /**
   * Request a certificate on-demand for the given domain.
   * This will look for a matching route configuration and provision accordingly.
   *
   * @param domain Domain name to provision
   */
  public async requestCertificate(domain: string): Promise<void> {
    const isWildcard = domain.includes('*');
    // Find matching route
    const certRoute = this.findRouteForDomain(domain);
    // Determine provisioning method
    let provision: TCertProvisionObject = 'http01';
    if (this.certProvisionFunction) {
      provision = await this.certProvisionFunction(domain);
    } else if (isWildcard) {
      // Cannot perform HTTP-01 on wildcard without certProvider
      throw new Error(`Cannot request certificate for wildcard domain without certProvisionFunction: ${domain}`);
    }
    if (provision === 'http01') {
      if (isWildcard) {
        throw new Error(`Cannot request HTTP-01 certificate for wildcard domain: ${domain}`);
      }
      await this.port80Handler.renewCertificate(domain);
    } else if (provision === 'dns01') {
      // DNS-01 challenges would be handled by external mechanisms
      console.log(`DNS-01 challenge requested for ${domain}`);
    } else {
      // Static certificate (e.g., DNS-01 provisioned) supports wildcards
      const certObj = provision as plugins.tsclass.network.ICert;
      const certData: ICertificateData = {
        domain: certObj.domainName,
        certificate: certObj.publicKey,
        privateKey: certObj.privateKey,
        expiryDate: new Date(certObj.validUntil),
        source: 'static',
        isRenewal: false,
        routeReference: certRoute ? {
          routeId: certRoute.route.name || domain,
          routeName: certRoute.route.name
        } : undefined
      };
      this.networkProxyBridge.applyExternalCertificate(certData);
      this.emit(CertProvisionerEvents.CERTIFICATE_ISSUED, certData);
    }
  }
  /**
   * Add a new domain for certificate provisioning
   *
   * @param domain Domain to add
   * @param options Domain configuration options
   */
  public async addDomain(domain: string, options?: {
    sslRedirect?: boolean;
    acmeMaintenance?: boolean;
    routeId?: string;
    routeName?: string;
  }): Promise<void> {
    const domainOptions: IDomainOptions = {
      domainName: domain,
      sslRedirect: options?.sslRedirect ?? true,
      acmeMaintenance: options?.acmeMaintenance ?? true,
      routeReference: {
        routeId: options?.routeId,
        routeName: options?.routeName
      }
    };
    this.port80Handler.addDomain(domainOptions);
    // Find matching route or create a generic one
    const existingRoute = this.findRouteForDomain(domain);
    if (existingRoute) {
      await this.provisionCertificateForRoute(existingRoute);
    } else {
      // We don't have a route, just provision the domain
      const isWildcard = domain.includes('*');
      let provision: TCertProvisionObject = 'http01';
      if (this.certProvisionFunction) {
        provision = await this.certProvisionFunction(domain);
      } else if (isWildcard) {
        throw new Error(`Cannot request certificate for wildcard domain without certProvisionFunction: ${domain}`);
      }
      this.provisionMap.set(domain, {
        type: provision === 'http01' || provision === 'dns01' ? provision : 'static'
      });
      if (provision !== 'http01' && provision !== 'dns01') {
        const certObj = provision as plugins.tsclass.network.ICert;
        const certData: ICertificateData = {
          domain: certObj.domainName,
          certificate: certObj.publicKey,
          privateKey: certObj.privateKey,
          expiryDate: new Date(certObj.validUntil),
          source: 'static',
          isRenewal: false,
          routeReference: {
            routeId: options?.routeId,
            routeName: options?.routeName
          }
        };
        this.networkProxyBridge.applyExternalCertificate(certData);
        this.emit(CertProvisionerEvents.CERTIFICATE_ISSUED, certData);
      }
    }
  }
  /**
   * Update routes with new configurations
   * This replaces all existing routes with new ones and re-provisions certificates as needed
   *
   * @param newRoutes New route configurations to use
   */
  public async updateRoutes(newRoutes: IRouteConfig[]): Promise<void> {
    // Store the new route configs
    this.routeConfigs = newRoutes;
    // Extract new certificate routes
    const newCertRoutes = this.extractCertificateRoutesFromRoutes(newRoutes);
    // Find domains that no longer need certificates
    const oldDomains = new Set(this.certRoutes.map(r => r.domain));
    const newDomains = new Set(newCertRoutes.map(r => r.domain));
    // Domains to remove
    const domainsToRemove = [...oldDomains].filter(d => !newDomains.has(d));
    // Remove obsolete domains from provision map
    for (const domain of domainsToRemove) {
      this.provisionMap.delete(domain);
    }
    // Update the cert routes
    this.certRoutes = newCertRoutes;
    // Provision certificates for new routes
    for (const certRoute of newCertRoutes) {
      if (!oldDomains.has(certRoute.domain)) {
        await this.provisionCertificateForRoute(certRoute);
      }
    }
  }
 }
 // Type alias for backward compatibility
 export type TSmartProxyCertProvisionObject = TCertProvisionObject;
--- a/ts/certificate/providers/index.ts
+++ b/ts/certificate/providers/index.ts
@ -1,3 +0,0 @@
 /**
 * Certificate providers
 */
--- a/ts/certificate/storage/file-storage.ts
+++ b/ts/certificate/storage/file-storage.ts
@ -1,234 +0,0 @@
 import * as fs from 'fs';
 import * as path from 'path';
 import * as plugins from '../../plugins.js';
 import type { ICertificateData, ICertificates } from '../models/certificate-types.js';
 import { ensureCertificateDirectory } from '../utils/certificate-helpers.js';
 /**
 * FileStorage provides file system storage for certificates
 */
 export class FileStorage {
  private storageDir: string;
  /**
   * Creates a new file storage provider
   * @param storageDir Directory to store certificates
   */
  constructor(storageDir: string) {
    this.storageDir = path.resolve(storageDir);
    ensureCertificateDirectory(this.storageDir);
  }
  /**
   * Save a certificate to the file system
   * @param domain Domain name
   * @param certData Certificate data to save
   */
  public async saveCertificate(domain: string, certData: ICertificateData): Promise<void> {
    const sanitizedDomain = this.sanitizeDomain(domain);
    const certDir = path.join(this.storageDir, sanitizedDomain);
    ensureCertificateDirectory(certDir);
    const certPath = path.join(certDir, 'fullchain.pem');
    const keyPath = path.join(certDir, 'privkey.pem');
    const metaPath = path.join(certDir, 'metadata.json');
    // Write certificate and private key
    await fs.promises.writeFile(certPath, certData.certificate, 'utf8');
    await fs.promises.writeFile(keyPath, certData.privateKey, 'utf8');
    // Write metadata
    const metadata = {
      domain: certData.domain,
      expiryDate: certData.expiryDate.toISOString(),
      source: certData.source || 'unknown',
      issuedAt: new Date().toISOString()
    };
    await fs.promises.writeFile(
      metaPath, 
      JSON.stringify(metadata, null, 2), 
      'utf8'
    );
  }
  /**
   * Load a certificate from the file system
   * @param domain Domain name
   * @returns Certificate data if found, null otherwise
   */
  public async loadCertificate(domain: string): Promise<ICertificateData | null> {
    const sanitizedDomain = this.sanitizeDomain(domain);
    const certDir = path.join(this.storageDir, sanitizedDomain);
    if (!fs.existsSync(certDir)) {
      return null;
    }
    const certPath = path.join(certDir, 'fullchain.pem');
    const keyPath = path.join(certDir, 'privkey.pem');
    const metaPath = path.join(certDir, 'metadata.json');
    try {
      // Check if all required files exist
      if (!fs.existsSync(certPath) || !fs.existsSync(keyPath)) {
        return null;
      }
      // Read certificate and private key
      const certificate = await fs.promises.readFile(certPath, 'utf8');
      const privateKey = await fs.promises.readFile(keyPath, 'utf8');
      // Try to read metadata if available
      let expiryDate = new Date();
      let source: 'static' | 'http01' | 'dns01' | undefined;
      if (fs.existsSync(metaPath)) {
        const metaContent = await fs.promises.readFile(metaPath, 'utf8');
        const metadata = JSON.parse(metaContent);
        if (metadata.expiryDate) {
          expiryDate = new Date(metadata.expiryDate);
        }
        if (metadata.source) {
          source = metadata.source as 'static' | 'http01' | 'dns01';
        }
      }
      return {
        domain,
        certificate,
        privateKey,
        expiryDate,
        source
      };
    } catch (error) {
      console.error(`Error loading certificate for ${domain}:`, error);
      return null;
    }
  }
  /**
   * Delete a certificate from the file system
   * @param domain Domain name
   */
  public async deleteCertificate(domain: string): Promise<boolean> {
    const sanitizedDomain = this.sanitizeDomain(domain);
    const certDir = path.join(this.storageDir, sanitizedDomain);
    if (!fs.existsSync(certDir)) {
      return false;
    }
    try {
      // Recursively delete the certificate directory
      await this.deleteDirectory(certDir);
      return true;
    } catch (error) {
      console.error(`Error deleting certificate for ${domain}:`, error);
      return false;
    }
  }
  /**
   * List all domains with stored certificates
   * @returns Array of domain names
   */
  public async listCertificates(): Promise<string[]> {
    try {
      const entries = await fs.promises.readdir(this.storageDir, { withFileTypes: true });
      return entries
        .filter(entry => entry.isDirectory())
        .map(entry => entry.name);
    } catch (error) {
      console.error('Error listing certificates:', error);
      return [];
    }
  }
  /**
   * Check if a certificate is expiring soon
   * @param domain Domain name
   * @param thresholdDays Days threshold to consider expiring
   * @returns Information about expiring certificate or null
   */
  public async isExpiringSoon(
    domain: string, 
    thresholdDays: number = 30
  ): Promise<{ domain: string; expiryDate: Date; daysRemaining: number } | null> {
    const certData = await this.loadCertificate(domain);
    if (!certData) {
      return null;
    }
    const now = new Date();
    const expiryDate = certData.expiryDate;
    const timeRemaining = expiryDate.getTime() - now.getTime();
    const daysRemaining = Math.floor(timeRemaining / (1000 * 60 * 60 * 24));
    if (daysRemaining <= thresholdDays) {
      return {
        domain,
        expiryDate,
        daysRemaining
      };
    }
    return null;
  }
  /**
   * Check all certificates for expiration
   * @param thresholdDays Days threshold to consider expiring
   * @returns List of expiring certificates
   */
  public async getExpiringCertificates(
    thresholdDays: number = 30
  ): Promise<Array<{ domain: string; expiryDate: Date; daysRemaining: number }>> {
    const domains = await this.listCertificates();
    const expiringCerts = [];
    for (const domain of domains) {
      const expiring = await this.isExpiringSoon(domain, thresholdDays);
      if (expiring) {
        expiringCerts.push(expiring);
      }
    }
    return expiringCerts;
  }
  /**
   * Delete a directory recursively
   * @param directoryPath Directory to delete
   */
  private async deleteDirectory(directoryPath: string): Promise<void> {
    if (fs.existsSync(directoryPath)) {
      const entries = await fs.promises.readdir(directoryPath, { withFileTypes: true });
      for (const entry of entries) {
        const fullPath = path.join(directoryPath, entry.name);
        if (entry.isDirectory()) {
          await this.deleteDirectory(fullPath);
        } else {
          await fs.promises.unlink(fullPath);
        }
      }
      await fs.promises.rmdir(directoryPath);
    }
  }
  /**
   * Sanitize a domain name for use as a directory name
   * @param domain Domain name
   * @returns Sanitized domain name
   */
  private sanitizeDomain(domain: string): string {
    // Replace wildcard and any invalid filesystem characters
    return domain.replace(/\*/g, '_wildcard_').replace(/[/\\:*?"<>|]/g, '_');
  }
 }
--- a/ts/certificate/storage/index.ts
+++ b/ts/certificate/storage/index.ts
@ -1,3 +0,0 @@
 /**
 * Certificate storage mechanisms
 */
--- a/ts/certificate/utils/certificate-helpers.ts
+++ b/ts/certificate/utils/certificate-helpers.ts
@ -1,50 +0,0 @@
 import * as fs from 'fs';
 import * as path from 'path';
 import { fileURLToPath } from 'url';
 import type { ICertificates } from '../models/certificate-types.js';
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 /**
 * Loads the default SSL certificates from the assets directory
 * @returns The certificate key pair
 */
 export function loadDefaultCertificates(): ICertificates {
  try {
    // Need to adjust path from /ts/certificate/utils to /assets/certs
    const certPath = path.join(__dirname, '..', '..', '..', 'assets', 'certs');
    const privateKey = fs.readFileSync(path.join(certPath, 'key.pem'), 'utf8');
    const publicKey = fs.readFileSync(path.join(certPath, 'cert.pem'), 'utf8');
    if (!privateKey || !publicKey) {
      throw new Error('Failed to load default certificates');
    }
    return {
      privateKey,
      publicKey
    };
  } catch (error) {
    console.error('Error loading default certificates:', error);
    throw error;
  }
 }
 /**
 * Checks if a certificate file exists at the specified path
 * @param certPath Path to check for certificate
 * @returns True if the certificate exists, false otherwise
 */
 export function certificateExists(certPath: string): boolean {
  return fs.existsSync(certPath);
 }
 /**
 * Ensures the certificate directory exists
 * @param dirPath Path to the certificate directory
 */
 export function ensureCertificateDirectory(dirPath: string): void {
  if (!fs.existsSync(dirPath)) {
    fs.mkdirSync(dirPath, { recursive: true });
  }
 }
--- a/ts/common/eventUtils.ts
+++ b/ts/common/eventUtils.ts
@ -1,34 +0,0 @@
 import type { Port80Handler } from '../http/port80/port80-handler.js';
 import { Port80HandlerEvents } from './types.js';
 import type { ICertificateData, ICertificateFailure, ICertificateExpiring } from './types.js';
 /**
 * Subscribers callback definitions for Port80Handler events
 */
 export interface Port80HandlerSubscribers {
  onCertificateIssued?: (data: ICertificateData) => void;
  onCertificateRenewed?: (data: ICertificateData) => void;
  onCertificateFailed?: (data: ICertificateFailure) => void;
  onCertificateExpiring?: (data: ICertificateExpiring) => void;
 }
 /**
 * Subscribes to Port80Handler events based on provided callbacks
 */
 export function subscribeToPort80Handler(
  handler: Port80Handler,
  subscribers: Port80HandlerSubscribers
 ): void {
  if (subscribers.onCertificateIssued) {
    handler.on(Port80HandlerEvents.CERTIFICATE_ISSUED, subscribers.onCertificateIssued);
  }
  if (subscribers.onCertificateRenewed) {
    handler.on(Port80HandlerEvents.CERTIFICATE_RENEWED, subscribers.onCertificateRenewed);
  }
  if (subscribers.onCertificateFailed) {
    handler.on(Port80HandlerEvents.CERTIFICATE_FAILED, subscribers.onCertificateFailed);
  }
  if (subscribers.onCertificateExpiring) {
    handler.on(Port80HandlerEvents.CERTIFICATE_EXPIRING, subscribers.onCertificateExpiring);
  }
 }
--- a/ts/common/port80-adapter.ts
+++ b/ts/common/port80-adapter.ts
@ -1,87 +0,0 @@
 import * as plugins from '../plugins.js';
 import type {
  IForwardConfig as ILegacyForwardConfig,
  IDomainOptions
 } from './types.js';
 import type {
  IForwardConfig
 } from '../forwarding/config/forwarding-types.js';
 /**
 * Converts a forwarding configuration target to the legacy format
 * for Port80Handler
 */
 export function convertToLegacyForwardConfig(
  forwardConfig: IForwardConfig
 ): ILegacyForwardConfig {
  // Determine host from the target configuration
  const host = Array.isArray(forwardConfig.target.host)
    ? forwardConfig.target.host[0]  // Use the first host in the array
    : forwardConfig.target.host;
  return {
    ip: host,
    port: forwardConfig.target.port
  };
 }
 /**
 * Creates Port80Handler domain options from a domain name and forwarding config
 */
 export function createPort80HandlerOptions(
  domain: string,
  forwardConfig: IForwardConfig
 ): IDomainOptions {
  // Determine if we should redirect HTTP to HTTPS
  let sslRedirect = false;
  if (forwardConfig.http?.redirectToHttps) {
    sslRedirect = true;
  }
  // Determine if ACME maintenance should be enabled
  // Enable by default for termination types, unless explicitly disabled
  const requiresTls = 
    forwardConfig.type === 'https-terminate-to-http' || 
    forwardConfig.type === 'https-terminate-to-https';
  const acmeMaintenance = 
    requiresTls && 
    forwardConfig.acme?.enabled !== false;
  // Set up forwarding configuration
  const options: IDomainOptions = {
    domainName: domain,
    sslRedirect,
    acmeMaintenance
  };
  // Add ACME challenge forwarding if configured
  if (forwardConfig.acme?.forwardChallenges) {
    options.acmeForward = {
      ip: Array.isArray(forwardConfig.acme.forwardChallenges.host) 
        ? forwardConfig.acme.forwardChallenges.host[0]
        : forwardConfig.acme.forwardChallenges.host,
      port: forwardConfig.acme.forwardChallenges.port
    };
  }
  // Add HTTP forwarding if this is an HTTP-only config or if HTTP is enabled
  const supportsHttp = 
    forwardConfig.type === 'http-only' || 
    (forwardConfig.http?.enabled !== false &&
     (forwardConfig.type === 'https-terminate-to-http' || 
      forwardConfig.type === 'https-terminate-to-https'));
  if (supportsHttp) {
    options.forward = {
      ip: Array.isArray(forwardConfig.target.host) 
        ? forwardConfig.target.host[0]
        : forwardConfig.target.host,
      port: forwardConfig.target.port
    };
  }
  return options;
 }
--- a/ts/common/types.ts
+++ b/ts/common/types.ts
@ -1,91 +0,0 @@
 import * as plugins from '../plugins.js';
 /**
 * Shared types for certificate management and domain options
 */
 /**
 * Domain forwarding configuration
 */
 export interface IForwardConfig {
  ip: string;
  port: number;
 }
 /**
 * Domain configuration options
 */
 export interface IDomainOptions {
  domainName: string;
  sslRedirect: boolean;   // if true redirects the request to port 443
  acmeMaintenance: boolean; // tries to always have a valid cert for this domain
  forward?: IForwardConfig; // forwards all http requests to that target
  acmeForward?: IForwardConfig; // forwards letsencrypt requests to this config
 }
 /**
 * Certificate data that can be emitted via events or set from outside
 */
 export interface ICertificateData {
  domain: string;
  certificate: string;
  privateKey: string;
  expiryDate: Date;
 }
 /**
 * Events emitted by the Port80Handler
 */
 export enum Port80HandlerEvents {
  CERTIFICATE_ISSUED = 'certificate-issued',
  CERTIFICATE_RENEWED = 'certificate-renewed',
  CERTIFICATE_FAILED = 'certificate-failed',
  CERTIFICATE_EXPIRING = 'certificate-expiring',
  MANAGER_STARTED = 'manager-started',
  MANAGER_STOPPED = 'manager-stopped',
  REQUEST_FORWARDED = 'request-forwarded',
 }
 /**
 * Certificate failure payload type
 */
 export interface ICertificateFailure {
  domain: string;
  error: string;
  isRenewal: boolean;
 }
 /**
 * Certificate expiry payload type
 */
 export interface ICertificateExpiring {
  domain: string;
  expiryDate: Date;
  daysRemaining: number;
 }
 /**
 * Forwarding configuration for specific domains in ACME setup
 */
 export interface IDomainForwardConfig {
  domain: string;
  forwardConfig?: IForwardConfig;
  acmeForwardConfig?: IForwardConfig;
  sslRedirect?: boolean;
 }
 /**
 * Unified ACME configuration options used across proxies and handlers
 */
 export interface IAcmeOptions {
  accountEmail?: string;          // Email for Let's Encrypt account
  enabled?: boolean;              // Whether ACME is enabled
  port?: number;                  // Port to listen on for ACME challenges (default: 80)
  useProduction?: boolean;        // Use production environment (default: staging)
  httpsRedirectPort?: number;     // Port to redirect HTTP requests to HTTPS (default: 443)
  renewThresholdDays?: number;    // Days before expiry to renew certificates
  renewCheckIntervalHours?: number; // How often to check for renewals (in hours)
  autoRenew?: boolean;            // Whether to automatically renew certificates
  certificateStore?: string;      // Directory to store certificates
  skipConfiguredCerts?: boolean;  // Skip domains with existing certificates
  domainForwards?: IDomainForwardConfig[]; // Domain-specific forwarding configs
 }
--- a/ts/core/events/index.ts
+++ b/ts/core/events/index.ts
@ -1,3 +0,0 @@
 /**
 * Common event definitions
 */
--- a/ts/core/index.ts
+++ b/ts/core/index.ts
@ -1,8 +0,0 @@
 /**
 * Core functionality module
 */
 // Export submodules
 export * from './models/index.js';
 export * from './utils/index.js';
 export * from './events/index.js';
--- a/ts/core/models/common-types.ts
+++ b/ts/core/models/common-types.ts
@ -1,91 +0,0 @@
 import * as plugins from '../../plugins.js';
 /**
 * Shared types for certificate management and domain options
 */
 /**
 * Domain forwarding configuration
 */
 export interface IForwardConfig {
  ip: string;
  port: number;
 }
 /**
 * Domain configuration options
 */
 export interface IDomainOptions {
  domainName: string;
  sslRedirect: boolean;   // if true redirects the request to port 443
  acmeMaintenance: boolean; // tries to always have a valid cert for this domain
  forward?: IForwardConfig; // forwards all http requests to that target
  acmeForward?: IForwardConfig; // forwards letsencrypt requests to this config
 }
 /**
 * Certificate data that can be emitted via events or set from outside
 */
 export interface ICertificateData {
  domain: string;
  certificate: string;
  privateKey: string;
  expiryDate: Date;
 }
 /**
 * Events emitted by the Port80Handler
 */
 export enum Port80HandlerEvents {
  CERTIFICATE_ISSUED = 'certificate-issued',
  CERTIFICATE_RENEWED = 'certificate-renewed',
  CERTIFICATE_FAILED = 'certificate-failed',
  CERTIFICATE_EXPIRING = 'certificate-expiring',
  MANAGER_STARTED = 'manager-started',
  MANAGER_STOPPED = 'manager-stopped',
  REQUEST_FORWARDED = 'request-forwarded',
 }
 /**
 * Certificate failure payload type
 */
 export interface ICertificateFailure {
  domain: string;
  error: string;
  isRenewal: boolean;
 }
 /**
 * Certificate expiry payload type
 */
 export interface ICertificateExpiring {
  domain: string;
  expiryDate: Date;
  daysRemaining: number;
 }
 /**
 * Forwarding configuration for specific domains in ACME setup
 */
 export interface IDomainForwardConfig {
  domain: string;
  forwardConfig?: IForwardConfig;
  acmeForwardConfig?: IForwardConfig;
  sslRedirect?: boolean;
 }
 /**
 * Unified ACME configuration options used across proxies and handlers
 */
 export interface IAcmeOptions {
  accountEmail?: string;          // Email for Let's Encrypt account
  enabled?: boolean;              // Whether ACME is enabled
  port?: number;                  // Port to listen on for ACME challenges (default: 80)
  useProduction?: boolean;        // Use production environment (default: staging)
  httpsRedirectPort?: number;     // Port to redirect HTTP requests to HTTPS (default: 443)
  renewThresholdDays?: number;    // Days before expiry to renew certificates
  renewCheckIntervalHours?: number; // How often to check for renewals (in hours)
  autoRenew?: boolean;            // Whether to automatically renew certificates
  certificateStore?: string;      // Directory to store certificates
  skipConfiguredCerts?: boolean;  // Skip domains with existing certificates
  domainForwards?: IDomainForwardConfig[]; // Domain-specific forwarding configs
 }
--- a/ts/core/models/index.ts
+++ b/ts/core/models/index.ts
@ -1,5 +0,0 @@
 /**
 * Core data models and interfaces
 */
 export * from './common-types.js';
--- a/ts/core/utils/event-utils.ts
+++ b/ts/core/utils/event-utils.ts
@ -1,34 +0,0 @@
 import type { Port80Handler } from '../../http/port80/port80-handler.js';
 import { Port80HandlerEvents } from '../models/common-types.js';
 import type { ICertificateData, ICertificateFailure, ICertificateExpiring } from '../models/common-types.js';
 /**
 * Subscribers callback definitions for Port80Handler events
 */
 export interface IPort80HandlerSubscribers {
  onCertificateIssued?: (data: ICertificateData) => void;
  onCertificateRenewed?: (data: ICertificateData) => void;
  onCertificateFailed?: (data: ICertificateFailure) => void;
  onCertificateExpiring?: (data: ICertificateExpiring) => void;
 }
 /**
 * Subscribes to Port80Handler events based on provided callbacks
 */
 export function subscribeToPort80Handler(
  handler: Port80Handler,
  subscribers: IPort80HandlerSubscribers
 ): void {
  if (subscribers.onCertificateIssued) {
    handler.on(Port80HandlerEvents.CERTIFICATE_ISSUED, subscribers.onCertificateIssued);
  }
  if (subscribers.onCertificateRenewed) {
    handler.on(Port80HandlerEvents.CERTIFICATE_RENEWED, subscribers.onCertificateRenewed);
  }
  if (subscribers.onCertificateFailed) {
    handler.on(Port80HandlerEvents.CERTIFICATE_FAILED, subscribers.onCertificateFailed);
  }
  if (subscribers.onCertificateExpiring) {
    handler.on(Port80HandlerEvents.CERTIFICATE_EXPIRING, subscribers.onCertificateExpiring);
  }
 }
--- a/ts/core/utils/index.ts
+++ b/ts/core/utils/index.ts
@ -1,7 +0,0 @@
 /**
 * Core utility functions
 */
 export * from './event-utils.js';
 export * from './validation-utils.js';
 export * from './ip-utils.js';
--- a/ts/core/utils/ip-utils.ts
+++ b/ts/core/utils/ip-utils.ts
@ -1,175 +0,0 @@
 import * as plugins from '../../plugins.js';
 /**
 * Utility class for IP address operations
 */
 export class IpUtils {
  /**
   * Check if the IP matches any of the glob patterns
   *
   * This method checks IP addresses against glob patterns and handles IPv4/IPv6 normalization.
   * It's used to implement IP filtering based on security configurations.
   *
   * @param ip - The IP address to check
   * @param patterns - Array of glob patterns
   * @returns true if IP matches any pattern, false otherwise
   */
  public static isGlobIPMatch(ip: string, patterns: string[]): boolean {
    if (!ip || !patterns || patterns.length === 0) return false;
    // Normalize the IP being checked
    const normalizedIPVariants = this.normalizeIP(ip);
    if (normalizedIPVariants.length === 0) return false;
    // Normalize the pattern IPs for consistent comparison
    const expandedPatterns = patterns.flatMap(pattern => this.normalizeIP(pattern));
    // Check for any match between normalized IP variants and patterns
    return normalizedIPVariants.some((ipVariant) =>
      expandedPatterns.some((pattern) => plugins.minimatch(ipVariant, pattern))
    );
  }
  /**
   * Normalize IP addresses for consistent comparison
   * 
   * @param ip The IP address to normalize
   * @returns Array of normalized IP forms
   */
  public static normalizeIP(ip: string): string[] {
    if (!ip) return [];
    // Handle IPv4-mapped IPv6 addresses (::ffff:127.0.0.1)
    if (ip.startsWith('::ffff:')) {
      const ipv4 = ip.slice(7);
      return [ip, ipv4];
    }
    // Handle IPv4 addresses by also checking IPv4-mapped form
    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
      return [ip, `::ffff:${ip}`];
    }
    return [ip];
  }
  /**
   * Check if an IP is authorized using security rules
   *
   * @param ip - The IP address to check
   * @param allowedIPs - Array of allowed IP patterns
   * @param blockedIPs - Array of blocked IP patterns
   * @returns true if IP is authorized, false if blocked
   */
  public static isIPAuthorized(ip: string, allowedIPs: string[] = [], blockedIPs: string[] = []): boolean {
    // Skip IP validation if no rules are defined
    if (!ip || (allowedIPs.length === 0 && blockedIPs.length === 0)) {
      return true;
    }
    // First check if IP is blocked - blocked IPs take precedence
    if (blockedIPs.length > 0 && this.isGlobIPMatch(ip, blockedIPs)) {
      return false;
    }
    // Then check if IP is allowed (if no allowed IPs are specified, all non-blocked IPs are allowed)
    return allowedIPs.length === 0 || this.isGlobIPMatch(ip, allowedIPs);
  }
  /**
   * Check if an IP address is a private network address
   * 
   * @param ip The IP address to check
   * @returns true if the IP is a private network address, false otherwise
   */
  public static isPrivateIP(ip: string): boolean {
    if (!ip) return false;
    // Handle IPv4-mapped IPv6 addresses
    if (ip.startsWith('::ffff:')) {
      ip = ip.slice(7);
    }
    // Check IPv4 private ranges
    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
      const parts = ip.split('.').map(Number);
      // Check common private ranges
      // 10.0.0.0/8
      if (parts[0] === 10) return true;
      // 172.16.0.0/12
      if (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) return true;
      // 192.168.0.0/16
      if (parts[0] === 192 && parts[1] === 168) return true;
      // 127.0.0.0/8 (localhost)
      if (parts[0] === 127) return true;
      return false;
    }
    // IPv6 local addresses
    return ip === '::1' || ip.startsWith('fc00:') || ip.startsWith('fd00:') || ip.startsWith('fe80:');
  }
  /**
   * Check if an IP address is a public network address
   * 
   * @param ip The IP address to check
   * @returns true if the IP is a public network address, false otherwise
   */
  public static isPublicIP(ip: string): boolean {
    return !this.isPrivateIP(ip);
  }
  /**
   * Convert a subnet CIDR to an IP range for filtering
   * 
   * @param cidr The CIDR notation (e.g., "192.168.1.0/24")
   * @returns Array of glob patterns that match the CIDR range
   */
  public static cidrToGlobPatterns(cidr: string): string[] {
    if (!cidr || !cidr.includes('/')) return [];
    const [ipPart, prefixPart] = cidr.split('/');
    const prefix = parseInt(prefixPart, 10);
    if (isNaN(prefix) || prefix < 0 || prefix > 32) return [];
    // For IPv4 only for now
    if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ipPart)) return [];
    const ipParts = ipPart.split('.').map(Number);
    const fullMask = Math.pow(2, 32 - prefix) - 1;
    // Convert IP to a numeric value
    const ipNum = (ipParts[0] << 24) | (ipParts[1] << 16) | (ipParts[2] << 8) | ipParts[3];
    // Calculate network address (IP & ~fullMask)
    const networkNum = ipNum & ~fullMask;
    // For large ranges, return wildcard patterns
    if (prefix <= 8) {
      return [`${(networkNum >>> 24) & 255}.*.*.*`];
    } else if (prefix <= 16) {
      return [`${(networkNum >>> 24) & 255}.${(networkNum >>> 16) & 255}.*.*`];
    } else if (prefix <= 24) {
      return [`${(networkNum >>> 24) & 255}.${(networkNum >>> 16) & 255}.${(networkNum >>> 8) & 255}.*`];
    }
    // For small ranges, create individual IP patterns
    const patterns = [];
    const maxAddresses = Math.min(256, Math.pow(2, 32 - prefix));
    for (let i = 0; i < maxAddresses; i++) {
      const currentIpNum = networkNum + i;
      patterns.push(
        `${(currentIpNum >>> 24) & 255}.${(currentIpNum >>> 16) & 255}.${(currentIpNum >>> 8) & 255}.${currentIpNum & 255}`
      );
    }
    return patterns;
  }
 }
--- a/ts/core/utils/validation-utils.ts
+++ b/ts/core/utils/validation-utils.ts
@ -1,177 +0,0 @@
 import * as plugins from '../../plugins.js';
 import type { IDomainOptions, IAcmeOptions } from '../models/common-types.js';
 /**
 * Collection of validation utilities for configuration and domain options
 */
 export class ValidationUtils {
  /**
   * Validates domain configuration options
   * 
   * @param domainOptions The domain options to validate
   * @returns An object with validation result and error message if invalid
   */
  public static validateDomainOptions(domainOptions: IDomainOptions): { isValid: boolean; error?: string } {
    if (!domainOptions) {
      return { isValid: false, error: 'Domain options cannot be null or undefined' };
    }
    if (!domainOptions.domainName) {
      return { isValid: false, error: 'Domain name is required' };
    }
    // Check domain pattern
    if (!this.isValidDomainName(domainOptions.domainName)) {
      return { isValid: false, error: `Invalid domain name: ${domainOptions.domainName}` };
    }
    // Validate forward config if provided
    if (domainOptions.forward) {
      if (!domainOptions.forward.ip) {
        return { isValid: false, error: 'Forward IP is required when forward is specified' };
      }
      if (!domainOptions.forward.port) {
        return { isValid: false, error: 'Forward port is required when forward is specified' };
      }
      if (!this.isValidPort(domainOptions.forward.port)) {
        return { isValid: false, error: `Invalid forward port: ${domainOptions.forward.port}` };
      }
    }
    // Validate ACME forward config if provided
    if (domainOptions.acmeForward) {
      if (!domainOptions.acmeForward.ip) {
        return { isValid: false, error: 'ACME forward IP is required when acmeForward is specified' };
      }
      if (!domainOptions.acmeForward.port) {
        return { isValid: false, error: 'ACME forward port is required when acmeForward is specified' };
      }
      if (!this.isValidPort(domainOptions.acmeForward.port)) {
        return { isValid: false, error: `Invalid ACME forward port: ${domainOptions.acmeForward.port}` };
      }
    }
    return { isValid: true };
  }
  /**
   * Validates ACME configuration options
   * 
   * @param acmeOptions The ACME options to validate
   * @returns An object with validation result and error message if invalid
   */
  public static validateAcmeOptions(acmeOptions: IAcmeOptions): { isValid: boolean; error?: string } {
    if (!acmeOptions) {
      return { isValid: false, error: 'ACME options cannot be null or undefined' };
    }
    if (acmeOptions.enabled) {
      if (!acmeOptions.accountEmail) {
        return { isValid: false, error: 'Account email is required when ACME is enabled' };
      }
      if (!this.isValidEmail(acmeOptions.accountEmail)) {
        return { isValid: false, error: `Invalid email: ${acmeOptions.accountEmail}` };
      }
      if (acmeOptions.port && !this.isValidPort(acmeOptions.port)) {
        return { isValid: false, error: `Invalid ACME port: ${acmeOptions.port}` };
      }
      if (acmeOptions.httpsRedirectPort && !this.isValidPort(acmeOptions.httpsRedirectPort)) {
        return { isValid: false, error: `Invalid HTTPS redirect port: ${acmeOptions.httpsRedirectPort}` };
      }
      if (acmeOptions.renewThresholdDays && acmeOptions.renewThresholdDays < 1) {
        return { isValid: false, error: 'Renew threshold days must be greater than 0' };
      }
      if (acmeOptions.renewCheckIntervalHours && acmeOptions.renewCheckIntervalHours < 1) {
        return { isValid: false, error: 'Renew check interval hours must be greater than 0' };
      }
    }
    return { isValid: true };
  }
  /**
   * Validates a port number
   * 
   * @param port The port to validate
   * @returns true if the port is valid, false otherwise
   */
  public static isValidPort(port: number): boolean {
    return typeof port === 'number' && port > 0 && port <= 65535 && Number.isInteger(port);
  }
  /**
   * Validates a domain name
   * 
   * @param domain The domain name to validate
   * @returns true if the domain name is valid, false otherwise
   */
  public static isValidDomainName(domain: string): boolean {
    if (!domain || typeof domain !== 'string') {
      return false;
    }
    // Wildcard domain check (*.example.com)
    if (domain.startsWith('*.')) {
      domain = domain.substring(2);
    }
    // Simple domain validation pattern
    const domainPattern = /^([a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$/;
    return domainPattern.test(domain);
  }
  /**
   * Validates an email address
   * 
   * @param email The email to validate
   * @returns true if the email is valid, false otherwise
   */
  public static isValidEmail(email: string): boolean {
    if (!email || typeof email !== 'string') {
      return false;
    }
    // Basic email validation pattern
    const emailPattern = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
    return emailPattern.test(email);
  }
  /**
   * Validates a certificate format (PEM)
   * 
   * @param cert The certificate content to validate
   * @returns true if the certificate appears to be in PEM format, false otherwise
   */
  public static isValidCertificate(cert: string): boolean {
    if (!cert || typeof cert !== 'string') {
      return false;
    }
    return cert.includes('-----BEGIN CERTIFICATE-----') && 
           cert.includes('-----END CERTIFICATE-----');
  }
  /**
   * Validates a private key format (PEM)
   * 
   * @param key The private key content to validate
   * @returns true if the key appears to be in PEM format, false otherwise
   */
  public static isValidPrivateKey(key: string): boolean {
    if (!key || typeof key !== 'string') {
      return false;
    }
    return key.includes('-----BEGIN PRIVATE KEY-----') && 
           key.includes('-----END PRIVATE KEY-----');
  }
 }
--- a/ts/forwarding/config/forwarding-types.ts
+++ b/ts/forwarding/config/forwarding-types.ts
@ -1,134 +0,0 @@
 import type * as plugins from '../../plugins.js';
 /**
 * @deprecated The legacy forwarding types are being replaced by the route-based configuration system.
 * See /ts/proxies/smart-proxy/models/route-types.ts for the new route-based configuration.
 *
 * The primary forwarding types supported by SmartProxy
 */
 export type TForwardingType =
  | 'http-only'                // HTTP forwarding only (no HTTPS)
  | 'https-passthrough'        // Pass-through TLS traffic (SNI forwarding)
  | 'https-terminate-to-http'  // Terminate TLS and forward to HTTP backend
  | 'https-terminate-to-https'; // Terminate TLS and forward to HTTPS backend
 /**
 * Event types emitted by forwarding handlers
 */
 export enum ForwardingHandlerEvents {
  CONNECTED = 'connected',
  DISCONNECTED = 'disconnected',
  ERROR = 'error',
  DATA_FORWARDED = 'data-forwarded',
  HTTP_REQUEST = 'http-request',
  HTTP_RESPONSE = 'http-response',
  CERTIFICATE_NEEDED = 'certificate-needed',
  CERTIFICATE_LOADED = 'certificate-loaded'
 }
 /**
 * Base interface for forwarding handlers
 */
 export interface IForwardingHandler extends plugins.EventEmitter {
  initialize(): Promise<void>;
  handleConnection(socket: plugins.net.Socket): void;
  handleHttpRequest(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void;
 }
 // Import and re-export the route-based helpers for seamless transition
 import {
  createHttpRoute,
  createHttpsTerminateRoute,
  createHttpsPassthroughRoute,
  createHttpToHttpsRedirect,
  createCompleteHttpsServer,
  createLoadBalancerRoute
 } from '../../proxies/smart-proxy/utils/route-helpers.js';
 export {
  createHttpRoute,
  createHttpsTerminateRoute,
  createHttpsPassthroughRoute,
  createHttpToHttpsRedirect,
  createCompleteHttpsServer,
  createLoadBalancerRoute
 };
 /**
 * @deprecated These helper functions are maintained for backward compatibility.
 * Please use the route-based helpers instead:
 * - createHttpRoute
 * - createHttpsTerminateRoute
 * - createHttpsPassthroughRoute
 * - createHttpToHttpsRedirect
 */
 import type { IRouteConfig } from '../../proxies/smart-proxy/models/route-types.js';
 import { domainConfigToRouteConfig } from '../../proxies/smart-proxy/utils/route-migration-utils.js';
 // For backward compatibility
 export interface IForwardConfig {
  type: TForwardingType;
  target: {
    host: string | string[];
    port: number;
  };
  http?: any;
  https?: any;
  acme?: any;
  security?: any;
  advanced?: any;
  [key: string]: any;
 }
 export interface IDeprecatedForwardConfig {
  type: TForwardingType;
  target: {
    host: string | string[];
    port: number;
  };
  [key: string]: any;
 }
 /**
 * @deprecated Use createHttpRoute instead
 */
 export const httpOnly = (
  partialConfig: Partial<IDeprecatedForwardConfig> & Pick<IDeprecatedForwardConfig, 'target'>
 ): IDeprecatedForwardConfig => ({
  type: 'http-only',
  target: partialConfig.target,
  ...(partialConfig)
 });
 /**
 * @deprecated Use createHttpsTerminateRoute instead
 */
 export const tlsTerminateToHttp = (
  partialConfig: Partial<IDeprecatedForwardConfig> & Pick<IDeprecatedForwardConfig, 'target'>
 ): IDeprecatedForwardConfig => ({
  type: 'https-terminate-to-http',
  target: partialConfig.target,
  ...(partialConfig)
 });
 /**
 * @deprecated Use createHttpsTerminateRoute with reencrypt option instead
 */
 export const tlsTerminateToHttps = (
  partialConfig: Partial<IDeprecatedForwardConfig> & Pick<IDeprecatedForwardConfig, 'target'>
 ): IDeprecatedForwardConfig => ({
  type: 'https-terminate-to-https',
  target: partialConfig.target,
  ...(partialConfig)
 });
 /**
 * @deprecated Use createHttpsPassthroughRoute instead
 */
 export const httpsPassthrough = (
  partialConfig: Partial<IDeprecatedForwardConfig> & Pick<IDeprecatedForwardConfig, 'target'>
 ): IDeprecatedForwardConfig => ({
  type: 'https-passthrough',
  target: partialConfig.target,
  ...(partialConfig)
 });
--- a/ts/forwarding/config/index.ts
+++ b/ts/forwarding/config/index.ts
@ -1,9 +0,0 @@
 /**
 * Forwarding configuration exports
 *
 * Note: The legacy domain-based configuration has been replaced by route-based configuration.
 * See /ts/proxies/smart-proxy/models/route-types.ts for the new route-based configuration.
 */
 export * from './forwarding-types.js';
 export * from '../../proxies/smart-proxy/utils/route-helpers.js';
--- a/ts/forwarding/factory/forwarding-factory.ts
+++ b/ts/forwarding/factory/forwarding-factory.ts
@ -1,156 +0,0 @@
 import type { IForwardConfig } from '../config/forwarding-types.js';
 import { ForwardingHandler } from '../handlers/base-handler.js';
 import { HttpForwardingHandler } from '../handlers/http-handler.js';
 import { HttpsPassthroughHandler } from '../handlers/https-passthrough-handler.js';
 import { HttpsTerminateToHttpHandler } from '../handlers/https-terminate-to-http-handler.js';
 import { HttpsTerminateToHttpsHandler } from '../handlers/https-terminate-to-https-handler.js';
 /**
 * Factory for creating forwarding handlers based on the configuration type
 */
 export class ForwardingHandlerFactory {
  /**
   * Create a forwarding handler based on the configuration
   * @param config The forwarding configuration
   * @returns The appropriate forwarding handler
   */
  public static createHandler(config: IForwardConfig): ForwardingHandler {
    // Create the appropriate handler based on the forwarding type
    switch (config.type) {
      case 'http-only':
        return new HttpForwardingHandler(config);
      case 'https-passthrough':
        return new HttpsPassthroughHandler(config);
      case 'https-terminate-to-http':
        return new HttpsTerminateToHttpHandler(config);
      case 'https-terminate-to-https':
        return new HttpsTerminateToHttpsHandler(config);
      default:
        // Type system should prevent this, but just in case:
        throw new Error(`Unknown forwarding type: ${(config as any).type}`);
    }
  }
  /**
   * Apply default values to a forwarding configuration based on its type
   * @param config The original forwarding configuration
   * @returns A configuration with defaults applied
   */
  public static applyDefaults(config: IForwardConfig): IForwardConfig {
    // Create a deep copy of the configuration
    const result: IForwardConfig = JSON.parse(JSON.stringify(config));
    // Apply defaults based on forwarding type
    switch (config.type) {
      case 'http-only':
        // Set defaults for HTTP-only mode
        result.http = {
          enabled: true,
          ...config.http
        };
        break;
      case 'https-passthrough':
        // Set defaults for HTTPS passthrough
        result.https = {
          forwardSni: true,
          ...config.https
        };
        // SNI forwarding doesn't do HTTP
        result.http = {
          enabled: false,
          ...config.http
        };
        break;
      case 'https-terminate-to-http':
        // Set defaults for HTTPS termination to HTTP
        result.https = {
          ...config.https
        };
        // Support HTTP access by default in this mode
        result.http = {
          enabled: true,
          redirectToHttps: true,
          ...config.http
        };
        // Enable ACME by default
        result.acme = {
          enabled: true,
          maintenance: true,
          ...config.acme
        };
        break;
      case 'https-terminate-to-https':
        // Similar to terminate-to-http but with different target handling
        result.https = {
          ...config.https
        };
        result.http = {
          enabled: true,
          redirectToHttps: true,
          ...config.http
        };
        result.acme = {
          enabled: true,
          maintenance: true,
          ...config.acme
        };
        break;
    }
    return result;
  }
  /**
   * Validate a forwarding configuration
   * @param config The configuration to validate
   * @throws Error if the configuration is invalid
   */
  public static validateConfig(config: IForwardConfig): void {
    // Validate common properties
    if (!config.target) {
      throw new Error('Forwarding configuration must include a target');
    }
    if (!config.target.host || (Array.isArray(config.target.host) && config.target.host.length === 0)) {
      throw new Error('Target must include a host or array of hosts');
    }
    if (!config.target.port || config.target.port <= 0 || config.target.port > 65535) {
      throw new Error('Target must include a valid port (1-65535)');
    }
    // Type-specific validation
    switch (config.type) {
      case 'http-only':
        // HTTP-only needs http.enabled to be true
        if (config.http?.enabled === false) {
          throw new Error('HTTP-only forwarding must have HTTP enabled');
        }
        break;
      case 'https-passthrough':
        // HTTPS passthrough doesn't support HTTP
        if (config.http?.enabled === true) {
          throw new Error('HTTPS passthrough does not support HTTP');
        }
        // HTTPS passthrough doesn't work with ACME
        if (config.acme?.enabled === true) {
          throw new Error('HTTPS passthrough does not support ACME');
        }
        break;
      case 'https-terminate-to-http':
      case 'https-terminate-to-https':
        // These modes support all options, nothing specific to validate
        break;
    }
  }
 }
--- a/ts/forwarding/factory/index.ts
+++ b/ts/forwarding/factory/index.ts
@ -1,5 +0,0 @@
 /**
 * Forwarding factory implementations
 */
 export { ForwardingHandlerFactory } from './forwarding-factory.js';
--- a/ts/forwarding/handlers/base-handler.ts
+++ b/ts/forwarding/handlers/base-handler.ts
@ -1,129 +0,0 @@
 import * as plugins from '../../plugins.js';
 import type {
  IForwardConfig,
  IForwardingHandler
 } from '../config/forwarding-types.js';
 import { ForwardingHandlerEvents } from '../config/forwarding-types.js';
 /**
 * Base class for all forwarding handlers
 */
 export abstract class ForwardingHandler extends plugins.EventEmitter implements IForwardingHandler {
  /**
   * Create a new ForwardingHandler
   * @param config The forwarding configuration
   */
  constructor(protected config: IForwardConfig) {
    super();
  }
  /**
   * Initialize the handler
   * Base implementation does nothing, subclasses should override as needed
   */
  public async initialize(): Promise<void> {
    // Base implementation - no initialization needed
  }
  /**
   * Handle a new socket connection
   * @param socket The incoming socket connection
   */
  public abstract handleConnection(socket: plugins.net.Socket): void;
  /**
   * Handle an HTTP request
   * @param req The HTTP request
   * @param res The HTTP response
   */
  public abstract handleHttpRequest(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void;
  /**
   * Get a target from the configuration, supporting round-robin selection
   * @returns A resolved target object with host and port
   */
  protected getTargetFromConfig(): { host: string, port: number } {
    const { target } = this.config;
    // Handle round-robin host selection
    if (Array.isArray(target.host)) {
      if (target.host.length === 0) {
        throw new Error('No target hosts specified');
      }
      // Simple round-robin selection
      const randomIndex = Math.floor(Math.random() * target.host.length);
      return {
        host: target.host[randomIndex],
        port: target.port
      };
    }
    // Single host
    return {
      host: target.host,
      port: target.port
    };
  }
  /**
   * Redirect an HTTP request to HTTPS
   * @param req The HTTP request
   * @param res The HTTP response
   */
  protected redirectToHttps(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void {
    const host = req.headers.host || '';
    const path = req.url || '/';
    const redirectUrl = `https://${host}${path}`;
    res.writeHead(301, {
      'Location': redirectUrl,
      'Cache-Control': 'no-cache'
    });
    res.end(`Redirecting to ${redirectUrl}`);
    this.emit(ForwardingHandlerEvents.HTTP_RESPONSE, {
      statusCode: 301,
      headers: { 'Location': redirectUrl },
      size: 0
    });
  }
  /**
   * Apply custom headers from configuration
   * @param headers The original headers
   * @param variables Variables to replace in the headers
   * @returns The headers with custom values applied
   */
  protected applyCustomHeaders(
    headers: Record<string, string | string[] | undefined>,
    variables: Record<string, string>
  ): Record<string, string | string[] | undefined> {
    const customHeaders = this.config.advanced?.headers || {};
    const result = { ...headers };
    // Apply custom headers with variable substitution
    for (const [key, value] of Object.entries(customHeaders)) {
      if (typeof value !== 'string') continue;
      let processedValue = value;
      // Replace variables in the header value
      for (const [varName, varValue] of Object.entries(variables)) {
        processedValue = processedValue.replace(`{${varName}}`, varValue);
      }
      result[key] = processedValue;
    }
    return result;
  }
  /**
   * Get the timeout for this connection from configuration
   * @returns Timeout in milliseconds
   */
  protected getTimeout(): number {
    return this.config.advanced?.timeout || 60000; // Default: 60 seconds
  }
 }
--- a/ts/forwarding/handlers/http-handler.ts
+++ b/ts/forwarding/handlers/http-handler.ts
@ -1,149 +0,0 @@
 import * as plugins from '../../plugins.js';
 import { ForwardingHandler } from './base-handler.js';
 import type { IForwardConfig } from '../config/forwarding-types.js';
 import { ForwardingHandlerEvents } from '../config/forwarding-types.js';
 /**
 * Handler for HTTP-only forwarding
 */
 export class HttpForwardingHandler extends ForwardingHandler {
  /**
   * Create a new HTTP forwarding handler
   * @param config The forwarding configuration
   */
  constructor(config: IForwardConfig) {
    super(config);
    // Validate that this is an HTTP-only configuration
    if (config.type !== 'http-only') {
      throw new Error(`Invalid configuration type for HttpForwardingHandler: ${config.type}`);
    }
  }
  /**
   * Initialize the handler
   * HTTP handler doesn't need special initialization
   */
  public async initialize(): Promise<void> {
    // Basic initialization from parent class
    await super.initialize();
  }
  /**
   * Handle a raw socket connection
   * HTTP handler doesn't do much with raw sockets as it mainly processes
   * parsed HTTP requests
   */
  public handleConnection(socket: plugins.net.Socket): void {
    // For HTTP, we mainly handle parsed requests, but we can still set up
    // some basic connection tracking
    const remoteAddress = socket.remoteAddress || 'unknown';
    socket.on('close', (hadError) => {
      this.emit(ForwardingHandlerEvents.DISCONNECTED, {
        remoteAddress,
        hadError
      });
    });
    socket.on('error', (error) => {
      this.emit(ForwardingHandlerEvents.ERROR, {
        remoteAddress,
        error: error.message
      });
    });
    this.emit(ForwardingHandlerEvents.CONNECTED, {
      remoteAddress
    });
  }
  /**
   * Handle an HTTP request
   * @param req The HTTP request
   * @param res The HTTP response
   */
  public handleHttpRequest(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void {
    // Get the target from configuration
    const target = this.getTargetFromConfig();
    // Create a custom headers object with variables for substitution
    const variables = {
      clientIp: req.socket.remoteAddress || 'unknown'
    };
    // Prepare headers, merging with any custom headers from config
    const headers = this.applyCustomHeaders(req.headers, variables);
    // Create the proxy request options
    const options = {
      hostname: target.host,
      port: target.port,
      path: req.url,
      method: req.method,
      headers
    };
    // Create the proxy request
    const proxyReq = plugins.http.request(options, (proxyRes) => {
      // Copy status code and headers from the proxied response
      res.writeHead(proxyRes.statusCode || 500, proxyRes.headers);
      // Pipe the proxy response to the client response
      proxyRes.pipe(res);
      // Track bytes for logging
      let responseSize = 0;
      proxyRes.on('data', (chunk) => {
        responseSize += chunk.length;
      });
      proxyRes.on('end', () => {
        this.emit(ForwardingHandlerEvents.HTTP_RESPONSE, {
          statusCode: proxyRes.statusCode,
          headers: proxyRes.headers,
          size: responseSize
        });
      });
    });
    // Handle errors in the proxy request
    proxyReq.on('error', (error) => {
      this.emit(ForwardingHandlerEvents.ERROR, {
        remoteAddress: req.socket.remoteAddress,
        error: `Proxy request error: ${error.message}`
      });
      // Send an error response if headers haven't been sent yet
      if (!res.headersSent) {
        res.writeHead(502, { 'Content-Type': 'text/plain' });
        res.end(`Error forwarding request: ${error.message}`);
      } else {
        // Just end the response if headers have already been sent
        res.end();
      }
    });
    // Track request details for logging
    let requestSize = 0;
    req.on('data', (chunk) => {
      requestSize += chunk.length;
    });
    // Log the request
    this.emit(ForwardingHandlerEvents.HTTP_REQUEST, {
      method: req.method,
      url: req.url,
      headers: req.headers,
      remoteAddress: req.socket.remoteAddress,
      target: `${target.host}:${target.port}`
    });
    // Pipe the client request to the proxy request
    if (req.readable) {
      req.pipe(proxyReq);
    } else {
      proxyReq.end();
    }
  }
 }
--- a/ts/forwarding/handlers/https-passthrough-handler.ts
+++ b/ts/forwarding/handlers/https-passthrough-handler.ts
@ -1,191 +0,0 @@
 import * as plugins from '../../plugins.js';
 import { ForwardingHandler } from './base-handler.js';
 import type { IForwardConfig } from '../config/forwarding-types.js';
 import { ForwardingHandlerEvents } from '../config/forwarding-types.js';
 /**
 * Handler for HTTPS passthrough (SNI forwarding without termination)
 */
 export class HttpsPassthroughHandler extends ForwardingHandler {
  /**
   * Create a new HTTPS passthrough handler
   * @param config The forwarding configuration
   */
  constructor(config: IForwardConfig) {
    super(config);
    // Validate that this is an HTTPS passthrough configuration
    if (config.type !== 'https-passthrough') {
      throw new Error(`Invalid configuration type for HttpsPassthroughHandler: ${config.type}`);
    }
  }
  /**
   * Initialize the handler
   * HTTPS passthrough handler doesn't need special initialization
   */
  public async initialize(): Promise<void> {
    // Basic initialization from parent class
    await super.initialize();
  }
  /**
   * Handle a TLS/SSL socket connection by forwarding it without termination
   * @param clientSocket The incoming socket from the client
   */
  public handleConnection(clientSocket: plugins.net.Socket): void {
    // Get the target from configuration
    const target = this.getTargetFromConfig();
    // Log the connection
    const remoteAddress = clientSocket.remoteAddress || 'unknown';
    const remotePort = clientSocket.remotePort || 0;
    this.emit(ForwardingHandlerEvents.CONNECTED, {
      remoteAddress,
      remotePort,
      target: `${target.host}:${target.port}`
    });
    // Create a connection to the target server
    const serverSocket = plugins.net.connect(target.port, target.host);
    // Handle errors on the server socket
    serverSocket.on('error', (error) => {
      this.emit(ForwardingHandlerEvents.ERROR, {
        remoteAddress,
        error: `Target connection error: ${error.message}`
      });
      // Close the client socket if it's still open
      if (!clientSocket.destroyed) {
        clientSocket.destroy();
      }
    });
    // Handle errors on the client socket
    clientSocket.on('error', (error) => {
      this.emit(ForwardingHandlerEvents.ERROR, {
        remoteAddress,
        error: `Client connection error: ${error.message}`
      });
      // Close the server socket if it's still open
      if (!serverSocket.destroyed) {
        serverSocket.destroy();
      }
    });
    // Track data transfer for logging
    let bytesSent = 0;
    let bytesReceived = 0;
    // Forward data from client to server
    clientSocket.on('data', (data) => {
      bytesSent += data.length;
      // Check if server socket is writable
      if (serverSocket.writable) {
        const flushed = serverSocket.write(data);
        // Handle backpressure
        if (!flushed) {
          clientSocket.pause();
          serverSocket.once('drain', () => {
            clientSocket.resume();
          });
        }
      }
      this.emit(ForwardingHandlerEvents.DATA_FORWARDED, {
        direction: 'outbound',
        bytes: data.length,
        total: bytesSent
      });
    });
    // Forward data from server to client
    serverSocket.on('data', (data) => {
      bytesReceived += data.length;
      // Check if client socket is writable
      if (clientSocket.writable) {
        const flushed = clientSocket.write(data);
        // Handle backpressure
        if (!flushed) {
          serverSocket.pause();
          clientSocket.once('drain', () => {
            serverSocket.resume();
          });
        }
      }
      this.emit(ForwardingHandlerEvents.DATA_FORWARDED, {
        direction: 'inbound',
        bytes: data.length,
        total: bytesReceived
      });
    });
    // Handle connection close
    const handleClose = () => {
      if (!clientSocket.destroyed) {
        clientSocket.destroy();
      }
      if (!serverSocket.destroyed) {
        serverSocket.destroy();
      }
      this.emit(ForwardingHandlerEvents.DISCONNECTED, {
        remoteAddress,
        bytesSent,
        bytesReceived
      });
    };
    // Set up close handlers
    clientSocket.on('close', handleClose);
    serverSocket.on('close', handleClose);
    // Set timeouts
    const timeout = this.getTimeout();
    clientSocket.setTimeout(timeout);
    serverSocket.setTimeout(timeout);
    // Handle timeouts
    clientSocket.on('timeout', () => {
      this.emit(ForwardingHandlerEvents.ERROR, {
        remoteAddress,
        error: 'Client connection timeout'
      });
      handleClose();
    });
    serverSocket.on('timeout', () => {
      this.emit(ForwardingHandlerEvents.ERROR, {
        remoteAddress,
        error: 'Server connection timeout'
      });
      handleClose();
    });
  }
  /**
   * Handle an HTTP request - HTTPS passthrough doesn't support HTTP
   * @param req The HTTP request
   * @param res The HTTP response
   */
  public handleHttpRequest(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void {
    // HTTPS passthrough doesn't support HTTP requests
    res.writeHead(404, { 'Content-Type': 'text/plain' });
    res.end('HTTP not supported for this domain');
    this.emit(ForwardingHandlerEvents.HTTP_RESPONSE, {
      statusCode: 404,
      headers: { 'Content-Type': 'text/plain' },
      size: 'HTTP not supported for this domain'.length
    });
  }
 }
--- a/ts/forwarding/handlers/https-terminate-to-http-handler.ts
+++ b/ts/forwarding/handlers/https-terminate-to-http-handler.ts
@ -1,264 +0,0 @@
 import * as plugins from '../../plugins.js';
 import { ForwardingHandler } from './base-handler.js';
 import type { IForwardConfig } from '../config/forwarding-types.js';
 import { ForwardingHandlerEvents } from '../config/forwarding-types.js';
 /**
 * Handler for HTTPS termination with HTTP backend
 */
 export class HttpsTerminateToHttpHandler extends ForwardingHandler {
  private tlsServer: plugins.tls.Server | null = null;
  private secureContext: plugins.tls.SecureContext | null = null;
  /**
   * Create a new HTTPS termination with HTTP backend handler
   * @param config The forwarding configuration
   */
  constructor(config: IForwardConfig) {
    super(config);
    // Validate that this is an HTTPS terminate to HTTP configuration
    if (config.type !== 'https-terminate-to-http') {
      throw new Error(`Invalid configuration type for HttpsTerminateToHttpHandler: ${config.type}`);
    }
  }
  /**
   * Initialize the handler, setting up TLS context
   */
  public async initialize(): Promise<void> {
    // We need to load or create TLS certificates
    if (this.config.https?.customCert) {
      // Use custom certificate from configuration
      this.secureContext = plugins.tls.createSecureContext({
        key: this.config.https.customCert.key,
        cert: this.config.https.customCert.cert
      });
      this.emit(ForwardingHandlerEvents.CERTIFICATE_LOADED, {
        source: 'config',
        domain: this.config.target.host
      });
    } else if (this.config.acme?.enabled) {
      // Request certificate through ACME if needed
      this.emit(ForwardingHandlerEvents.CERTIFICATE_NEEDED, {
        domain: Array.isArray(this.config.target.host) 
          ? this.config.target.host[0] 
          : this.config.target.host,
        useProduction: this.config.acme.production || false
      });
      // In a real implementation, we would wait for the certificate to be issued
      // For now, we'll use a dummy context
      this.secureContext = plugins.tls.createSecureContext({
        key: '-----BEGIN PRIVATE KEY-----\nDummy key\n-----END PRIVATE KEY-----',
        cert: '-----BEGIN CERTIFICATE-----\nDummy cert\n-----END CERTIFICATE-----'
      });
    } else {
      throw new Error('HTTPS termination requires either a custom certificate or ACME enabled');
    }
  }
  /**
   * Set the secure context for TLS termination
   * Called when a certificate is available
   * @param context The secure context
   */
  public setSecureContext(context: plugins.tls.SecureContext): void {
    this.secureContext = context;
  }
  /**
   * Handle a TLS/SSL socket connection by terminating TLS and forwarding to HTTP backend
   * @param clientSocket The incoming socket from the client
   */
  public handleConnection(clientSocket: plugins.net.Socket): void {
    // Make sure we have a secure context
    if (!this.secureContext) {
      clientSocket.destroy(new Error('TLS secure context not initialized'));
      return;
    }
    const remoteAddress = clientSocket.remoteAddress || 'unknown';
    const remotePort = clientSocket.remotePort || 0;
    // Create a TLS socket using our secure context
    const tlsSocket = new plugins.tls.TLSSocket(clientSocket, {
      secureContext: this.secureContext,
      isServer: true,
      server: this.tlsServer || undefined
    });
    this.emit(ForwardingHandlerEvents.CONNECTED, {
      remoteAddress,
      remotePort,
      tls: true
    });
    // Handle TLS errors
    tlsSocket.on('error', (error) => {
      this.emit(ForwardingHandlerEvents.ERROR, {
        remoteAddress,
        error: `TLS error: ${error.message}`
      });
      if (!tlsSocket.destroyed) {
        tlsSocket.destroy();
      }
    });
    // The TLS socket will now emit HTTP traffic that can be processed
    // In a real implementation, we would create an HTTP parser and handle
    // the requests here, but for simplicity, we'll just log the data
    let dataBuffer = Buffer.alloc(0);
    tlsSocket.on('data', (data) => {
      // Append to buffer
      dataBuffer = Buffer.concat([dataBuffer, data]);
      // Very basic HTTP parsing - in a real implementation, use http-parser
      if (dataBuffer.includes(Buffer.from('\r\n\r\n'))) {
        const target = this.getTargetFromConfig();
        // Simple example: forward the data to an HTTP server
        const socket = plugins.net.connect(target.port, target.host, () => {
          socket.write(dataBuffer);
          dataBuffer = Buffer.alloc(0);
          // Set up bidirectional data flow
          tlsSocket.pipe(socket);
          socket.pipe(tlsSocket);
        });
        socket.on('error', (error) => {
          this.emit(ForwardingHandlerEvents.ERROR, {
            remoteAddress,
            error: `Target connection error: ${error.message}`
          });
          if (!tlsSocket.destroyed) {
            tlsSocket.destroy();
          }
        });
      }
    });
    // Handle close
    tlsSocket.on('close', () => {
      this.emit(ForwardingHandlerEvents.DISCONNECTED, {
        remoteAddress
      });
    });
    // Set timeout
    const timeout = this.getTimeout();
    tlsSocket.setTimeout(timeout);
    tlsSocket.on('timeout', () => {
      this.emit(ForwardingHandlerEvents.ERROR, {
        remoteAddress,
        error: 'TLS connection timeout'
      });
      if (!tlsSocket.destroyed) {
        tlsSocket.destroy();
      }
    });
  }
  /**
   * Handle an HTTP request by forwarding to the HTTP backend
   * @param req The HTTP request
   * @param res The HTTP response
   */
  public handleHttpRequest(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void {
    // Check if we should redirect to HTTPS
    if (this.config.http?.redirectToHttps) {
      this.redirectToHttps(req, res);
      return;
    }
    // Get the target from configuration
    const target = this.getTargetFromConfig();
    // Create custom headers with variable substitution
    const variables = {
      clientIp: req.socket.remoteAddress || 'unknown'
    };
    // Prepare headers, merging with any custom headers from config
    const headers = this.applyCustomHeaders(req.headers, variables);
    // Create the proxy request options
    const options = {
      hostname: target.host,
      port: target.port,
      path: req.url,
      method: req.method,
      headers
    };
    // Create the proxy request
    const proxyReq = plugins.http.request(options, (proxyRes) => {
      // Copy status code and headers from the proxied response
      res.writeHead(proxyRes.statusCode || 500, proxyRes.headers);
      // Pipe the proxy response to the client response
      proxyRes.pipe(res);
      // Track response size for logging
      let responseSize = 0;
      proxyRes.on('data', (chunk) => {
        responseSize += chunk.length;
      });
      proxyRes.on('end', () => {
        this.emit(ForwardingHandlerEvents.HTTP_RESPONSE, {
          statusCode: proxyRes.statusCode,
          headers: proxyRes.headers,
          size: responseSize
        });
      });
    });
    // Handle errors in the proxy request
    proxyReq.on('error', (error) => {
      this.emit(ForwardingHandlerEvents.ERROR, {
        remoteAddress: req.socket.remoteAddress,
        error: `Proxy request error: ${error.message}`
      });
      // Send an error response if headers haven't been sent yet
      if (!res.headersSent) {
        res.writeHead(502, { 'Content-Type': 'text/plain' });
        res.end(`Error forwarding request: ${error.message}`);
      } else {
        // Just end the response if headers have already been sent
        res.end();
      }
    });
    // Track request details for logging
    let requestSize = 0;
    req.on('data', (chunk) => {
      requestSize += chunk.length;
    });
    // Log the request
    this.emit(ForwardingHandlerEvents.HTTP_REQUEST, {
      method: req.method,
      url: req.url,
      headers: req.headers,
      remoteAddress: req.socket.remoteAddress,
      target: `${target.host}:${target.port}`
    });
    // Pipe the client request to the proxy request
    if (req.readable) {
      req.pipe(proxyReq);
    } else {
      proxyReq.end();
    }
  }
 }
--- a/ts/forwarding/handlers/https-terminate-to-https-handler.ts
+++ b/ts/forwarding/handlers/https-terminate-to-https-handler.ts
@ -1,292 +0,0 @@
 import * as plugins from '../../plugins.js';
 import { ForwardingHandler } from './base-handler.js';
 import type { IForwardConfig } from '../config/forwarding-types.js';
 import { ForwardingHandlerEvents } from '../config/forwarding-types.js';
 /**
 * Handler for HTTPS termination with HTTPS backend
 */
 export class HttpsTerminateToHttpsHandler extends ForwardingHandler {
  private secureContext: plugins.tls.SecureContext | null = null;
  /**
   * Create a new HTTPS termination with HTTPS backend handler
   * @param config The forwarding configuration
   */
  constructor(config: IForwardConfig) {
    super(config);
    // Validate that this is an HTTPS terminate to HTTPS configuration
    if (config.type !== 'https-terminate-to-https') {
      throw new Error(`Invalid configuration type for HttpsTerminateToHttpsHandler: ${config.type}`);
    }
  }
  /**
   * Initialize the handler, setting up TLS context
   */
  public async initialize(): Promise<void> {
    // We need to load or create TLS certificates for termination
    if (this.config.https?.customCert) {
      // Use custom certificate from configuration
      this.secureContext = plugins.tls.createSecureContext({
        key: this.config.https.customCert.key,
        cert: this.config.https.customCert.cert
      });
      this.emit(ForwardingHandlerEvents.CERTIFICATE_LOADED, {
        source: 'config',
        domain: this.config.target.host
      });
    } else if (this.config.acme?.enabled) {
      // Request certificate through ACME if needed
      this.emit(ForwardingHandlerEvents.CERTIFICATE_NEEDED, {
        domain: Array.isArray(this.config.target.host) 
          ? this.config.target.host[0] 
          : this.config.target.host,
        useProduction: this.config.acme.production || false
      });
      // In a real implementation, we would wait for the certificate to be issued
      // For now, we'll use a dummy context
      this.secureContext = plugins.tls.createSecureContext({
        key: '-----BEGIN PRIVATE KEY-----\nDummy key\n-----END PRIVATE KEY-----',
        cert: '-----BEGIN CERTIFICATE-----\nDummy cert\n-----END CERTIFICATE-----'
      });
    } else {
      throw new Error('HTTPS termination requires either a custom certificate or ACME enabled');
    }
  }
  /**
   * Set the secure context for TLS termination
   * Called when a certificate is available
   * @param context The secure context
   */
  public setSecureContext(context: plugins.tls.SecureContext): void {
    this.secureContext = context;
  }
  /**
   * Handle a TLS/SSL socket connection by terminating TLS and creating a new TLS connection to backend
   * @param clientSocket The incoming socket from the client
   */
  public handleConnection(clientSocket: plugins.net.Socket): void {
    // Make sure we have a secure context
    if (!this.secureContext) {
      clientSocket.destroy(new Error('TLS secure context not initialized'));
      return;
    }
    const remoteAddress = clientSocket.remoteAddress || 'unknown';
    const remotePort = clientSocket.remotePort || 0;
    // Create a TLS socket using our secure context
    const tlsSocket = new plugins.tls.TLSSocket(clientSocket, {
      secureContext: this.secureContext,
      isServer: true
    });
    this.emit(ForwardingHandlerEvents.CONNECTED, {
      remoteAddress,
      remotePort,
      tls: true
    });
    // Handle TLS errors
    tlsSocket.on('error', (error) => {
      this.emit(ForwardingHandlerEvents.ERROR, {
        remoteAddress,
        error: `TLS error: ${error.message}`
      });
      if (!tlsSocket.destroyed) {
        tlsSocket.destroy();
      }
    });
    // The TLS socket will now emit HTTP traffic that can be processed
    // In a real implementation, we would create an HTTP parser and handle
    // the requests here, but for simplicity, we'll just forward the data
    // Get the target from configuration
    const target = this.getTargetFromConfig();
    // Set up the connection to the HTTPS backend
    const connectToBackend = () => {
      const backendSocket = plugins.tls.connect({
        host: target.host,
        port: target.port,
        // In a real implementation, we would configure TLS options
        rejectUnauthorized: false // For testing only, never use in production
      }, () => {
        this.emit(ForwardingHandlerEvents.DATA_FORWARDED, {
          direction: 'outbound',
          target: `${target.host}:${target.port}`,
          tls: true
        });
        // Set up bidirectional data flow
        tlsSocket.pipe(backendSocket);
        backendSocket.pipe(tlsSocket);
      });
      backendSocket.on('error', (error) => {
        this.emit(ForwardingHandlerEvents.ERROR, {
          remoteAddress,
          error: `Backend connection error: ${error.message}`
        });
        if (!tlsSocket.destroyed) {
          tlsSocket.destroy();
        }
      });
      // Handle close
      backendSocket.on('close', () => {
        if (!tlsSocket.destroyed) {
          tlsSocket.destroy();
        }
      });
      // Set timeout
      const timeout = this.getTimeout();
      backendSocket.setTimeout(timeout);
      backendSocket.on('timeout', () => {
        this.emit(ForwardingHandlerEvents.ERROR, {
          remoteAddress,
          error: 'Backend connection timeout'
        });
        if (!backendSocket.destroyed) {
          backendSocket.destroy();
        }
      });
    };
    // Wait for the TLS handshake to complete before connecting to backend
    tlsSocket.on('secure', () => {
      connectToBackend();
    });
    // Handle close
    tlsSocket.on('close', () => {
      this.emit(ForwardingHandlerEvents.DISCONNECTED, {
        remoteAddress
      });
    });
    // Set timeout
    const timeout = this.getTimeout();
    tlsSocket.setTimeout(timeout);
    tlsSocket.on('timeout', () => {
      this.emit(ForwardingHandlerEvents.ERROR, {
        remoteAddress,
        error: 'TLS connection timeout'
      });
      if (!tlsSocket.destroyed) {
        tlsSocket.destroy();
      }
    });
  }
  /**
   * Handle an HTTP request by forwarding to the HTTPS backend
   * @param req The HTTP request
   * @param res The HTTP response
   */
  public handleHttpRequest(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void {
    // Check if we should redirect to HTTPS
    if (this.config.http?.redirectToHttps) {
      this.redirectToHttps(req, res);
      return;
    }
    // Get the target from configuration
    const target = this.getTargetFromConfig();
    // Create custom headers with variable substitution
    const variables = {
      clientIp: req.socket.remoteAddress || 'unknown'
    };
    // Prepare headers, merging with any custom headers from config
    const headers = this.applyCustomHeaders(req.headers, variables);
    // Create the proxy request options
    const options = {
      hostname: target.host,
      port: target.port,
      path: req.url,
      method: req.method,
      headers,
      // In a real implementation, we would configure TLS options
      rejectUnauthorized: false // For testing only, never use in production
    };
    // Create the proxy request using HTTPS
    const proxyReq = plugins.https.request(options, (proxyRes) => {
      // Copy status code and headers from the proxied response
      res.writeHead(proxyRes.statusCode || 500, proxyRes.headers);
      // Pipe the proxy response to the client response
      proxyRes.pipe(res);
      // Track response size for logging
      let responseSize = 0;
      proxyRes.on('data', (chunk) => {
        responseSize += chunk.length;
      });
      proxyRes.on('end', () => {
        this.emit(ForwardingHandlerEvents.HTTP_RESPONSE, {
          statusCode: proxyRes.statusCode,
          headers: proxyRes.headers,
          size: responseSize
        });
      });
    });
    // Handle errors in the proxy request
    proxyReq.on('error', (error) => {
      this.emit(ForwardingHandlerEvents.ERROR, {
        remoteAddress: req.socket.remoteAddress,
        error: `Proxy request error: ${error.message}`
      });
      // Send an error response if headers haven't been sent yet
      if (!res.headersSent) {
        res.writeHead(502, { 'Content-Type': 'text/plain' });
        res.end(`Error forwarding request: ${error.message}`);
      } else {
        // Just end the response if headers have already been sent
        res.end();
      }
    });
    // Track request details for logging
    let requestSize = 0;
    req.on('data', (chunk) => {
      requestSize += chunk.length;
    });
    // Log the request
    this.emit(ForwardingHandlerEvents.HTTP_REQUEST, {
      method: req.method,
      url: req.url,
      headers: req.headers,
      remoteAddress: req.socket.remoteAddress,
      target: `${target.host}:${target.port}`
    });
    // Pipe the client request to the proxy request
    if (req.readable) {
      req.pipe(proxyReq);
    } else {
      proxyReq.end();
    }
  }
 }
--- a/ts/forwarding/handlers/index.ts
+++ b/ts/forwarding/handlers/index.ts
@ -1,9 +0,0 @@
 /**
 * Forwarding handler implementations
 */
 export { ForwardingHandler } from './base-handler.js';
 export { HttpForwardingHandler } from './http-handler.js';
 export { HttpsPassthroughHandler } from './https-passthrough-handler.js';
 export { HttpsTerminateToHttpHandler } from './https-terminate-to-http-handler.js';
 export { HttpsTerminateToHttpsHandler } from './https-terminate-to-https-handler.js';
--- a/ts/forwarding/index.ts
+++ b/ts/forwarding/index.ts
@ -1,35 +0,0 @@
 /**
 * Forwarding system module
 * Provides a flexible and type-safe way to configure and manage various forwarding strategies
 */
 // Export types and configuration
 export * from './config/forwarding-types.js';
 // Export handlers
 export { ForwardingHandler } from './handlers/base-handler.js';
 export * from './handlers/http-handler.js';
 export * from './handlers/https-passthrough-handler.js';
 export * from './handlers/https-terminate-to-http-handler.js';
 export * from './handlers/https-terminate-to-https-handler.js';
 // Export factory
 export * from './factory/forwarding-factory.js';
 // Helper functions as a convenience object
 import {
  httpOnly,
  tlsTerminateToHttp,
  tlsTerminateToHttps,
  httpsPassthrough
 } from './config/forwarding-types.js';
 // Export route-based helpers from smart-proxy
 export * from '../proxies/smart-proxy/utils/route-helpers.js';
 export const helpers = {
  httpOnly,
  tlsTerminateToHttp,
  tlsTerminateToHttps,
  httpsPassthrough
 };
--- a/ts/http/index.ts
+++ b/ts/http/index.ts
@ -1,23 +0,0 @@
 /**
 * HTTP functionality module
 */
 // Export types and models
 export * from './models/http-types.js';
 // Export submodules
 export * from './port80/index.js';
 export * from './router/index.js';
 export * from './redirects/index.js';
 // Import the components we need for the namespace
 import { Port80Handler } from './port80/port80-handler.js';
 import { ChallengeResponder } from './port80/challenge-responder.js';
 // Convenience namespace exports
 export const Http = {
  Port80: {
    Handler: Port80Handler,
    ChallengeResponder: ChallengeResponder
  }
 };
--- a/ts/http/models/http-types.ts
+++ b/ts/http/models/http-types.ts
@ -1,104 +0,0 @@
 import * as plugins from '../../plugins.js';
 import type {
  IDomainOptions,
  IAcmeOptions
 } from '../../certificate/models/certificate-types.js';
 /**
 * HTTP-specific event types
 */
 export enum HttpEvents {
  REQUEST_RECEIVED = 'request-received',
  REQUEST_FORWARDED = 'request-forwarded',
  REQUEST_HANDLED = 'request-handled',
  REQUEST_ERROR = 'request-error',
 }
 /**
 * HTTP status codes as an enum for better type safety
 */
 export enum HttpStatus {
  OK = 200,
  MOVED_PERMANENTLY = 301,
  FOUND = 302,
  TEMPORARY_REDIRECT = 307,
  PERMANENT_REDIRECT = 308,
  BAD_REQUEST = 400,
  NOT_FOUND = 404,
  METHOD_NOT_ALLOWED = 405,
  INTERNAL_SERVER_ERROR = 500,
  NOT_IMPLEMENTED = 501,
  SERVICE_UNAVAILABLE = 503,
 }
 /**
 * Represents a domain configuration with certificate status information
 */
 export interface IDomainCertificate {
  options: IDomainOptions;
  certObtained: boolean;
  obtainingInProgress: boolean;
  certificate?: string;
  privateKey?: string;
  expiryDate?: Date;
  lastRenewalAttempt?: Date;
 }
 /**
 * Base error class for HTTP-related errors
 */
 export class HttpError extends Error {
  constructor(message: string) {
    super(message);
    this.name = 'HttpError';
  }
 }
 /**
 * Error related to certificate operations
 */
 export class CertificateError extends HttpError {
  constructor(
    message: string,
    public readonly domain: string,
    public readonly isRenewal: boolean = false
  ) {
    super(`${message} for domain ${domain}${isRenewal ? ' (renewal)' : ''}`);
    this.name = 'CertificateError';
  }
 }
 /**
 * Error related to server operations
 */
 export class ServerError extends HttpError {
  constructor(message: string, public readonly code?: string) {
    super(message);
    this.name = 'ServerError';
  }
 }
 /**
 * Redirect configuration for HTTP requests
 */
 export interface IRedirectConfig {
  source: string;           // Source path or pattern
  destination: string;      // Destination URL
  type: HttpStatus;         // Redirect status code
  preserveQuery?: boolean;  // Whether to preserve query parameters
 }
 /**
 * HTTP router configuration
 */
 export interface IRouterConfig {
  routes: Array<{
    path: string;
    handler: (req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse) => void;
  }>;
  notFoundHandler?: (req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse) => void;
 }
 // Backward compatibility interfaces
 export { HttpError as Port80HandlerError };
 export { CertificateError as CertError };
--- a/ts/http/port80/acme-interfaces.ts
+++ b/ts/http/port80/acme-interfaces.ts
@ -1,169 +0,0 @@
 /**
 * Type definitions for SmartAcme interfaces used by ChallengeResponder
 * These reflect the actual SmartAcme API based on the documentation
 *
 * Also includes route-based interfaces for Port80Handler to extract domains
 * that need certificate management from route configurations.
 */
 import * as plugins from '../../plugins.js';
 import type { IRouteConfig } from '../../proxies/smart-proxy/models/route-types.js';
 /**
 * Structure for SmartAcme certificate result
 */
 export interface ISmartAcmeCert {
  id?: string;
  domainName: string;
  created?: number | Date | string;
  privateKey: string;
  publicKey: string;
  csr?: string;
  validUntil: number | Date | string;
 }
 /**
 * Structure for SmartAcme options
 */
 export interface ISmartAcmeOptions {
  accountEmail: string;
  certManager: ICertManager;
  environment: 'production' | 'integration';
  challengeHandlers: IChallengeHandler<any>[];
  challengePriority?: string[];
  retryOptions?: {
    retries?: number;
    factor?: number;
    minTimeoutMs?: number;
    maxTimeoutMs?: number;
  };
 }
 /**
 * Interface for certificate manager
 */
 export interface ICertManager {
  init(): Promise<void>;
  get(domainName: string): Promise<ISmartAcmeCert | null>;
  put(cert: ISmartAcmeCert): Promise<ISmartAcmeCert>;
  delete(domainName: string): Promise<void>;
  close?(): Promise<void>;
 }
 /**
 * Interface for challenge handler
 */
 export interface IChallengeHandler<T> {
  getSupportedTypes(): string[];
  prepare(ch: T): Promise<void>;
  verify?(ch: T): Promise<void>;
  cleanup(ch: T): Promise<void>;
  checkWetherDomainIsSupported(domain: string): Promise<boolean>;
 }
 /**
 * HTTP-01 challenge type
 */
 export interface IHttp01Challenge {
  type: string; // 'http-01'
  token: string;
  keyAuthorization: string;
  webPath: string;
 }
 /**
 * HTTP-01 Memory Handler Interface
 */
 export interface IHttp01MemoryHandler extends IChallengeHandler<IHttp01Challenge> {
  handleRequest(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse, next?: () => void): void;
 }
 /**
 * SmartAcme main class interface
 */
 export interface ISmartAcme {
  start(): Promise<void>;
  stop(): Promise<void>;
  getCertificateForDomain(domain: string): Promise<ISmartAcmeCert>;
  on?(event: string, listener: (data: any) => void): void;
  eventEmitter?: plugins.EventEmitter;
 }
 /**
 * Port80Handler route options
 */
 export interface IPort80RouteOptions {
  // The domain for the certificate
  domain: string;
  // Whether to redirect HTTP to HTTPS
  sslRedirect: boolean;
  // Whether to enable ACME certificate management
  acmeMaintenance: boolean;
  // Optional target for forwarding HTTP requests
  forward?: {
    ip: string;
    port: number;
  };
  // Optional target for forwarding ACME challenge requests
  acmeForward?: {
    ip: string;
    port: number;
  };
  // Reference to the route that requested this certificate
  routeReference?: {
    routeId?: string;
    routeName?: string;
  };
 }
 /**
 * Extract domains that need certificate management from routes
 * @param routes Route configurations to extract domains from
 * @returns Array of Port80RouteOptions for each domain
 */
 export function extractPort80RoutesFromRoutes(routes: IRouteConfig[]): IPort80RouteOptions[] {
  const result: IPort80RouteOptions[] = [];
  for (const route of routes) {
    // Skip routes that don't have domains or TLS configuration
    if (!route.match.domains || !route.action.tls) continue;
    // Skip routes that don't terminate TLS
    if (route.action.tls.mode !== 'terminate' && route.action.tls.mode !== 'terminate-and-reencrypt') continue;
    // Only routes with automatic certificates need ACME
    if (route.action.tls.certificate !== 'auto') continue;
    // Get domains from route
    const domains = Array.isArray(route.match.domains)
      ? route.match.domains
      : [route.match.domains];
    // Create Port80RouteOptions for each domain
    for (const domain of domains) {
      // Skip wildcards (we can't get certificates for them)
      if (domain.includes('*')) continue;
      // Create Port80RouteOptions
      const options: IPort80RouteOptions = {
        domain,
        sslRedirect: true, // Default to true for HTTPS routes
        acmeMaintenance: true, // Default to true for auto certificates
        // Add route reference
        routeReference: {
          routeName: route.name
        }
      };
      // Add domain to result
      result.push(options);
    }
  }
  return result;
 }
--- a/ts/http/port80/challenge-responder.ts
+++ b/ts/http/port80/challenge-responder.ts
@ -1,246 +0,0 @@
 import * as plugins from '../../plugins.js';
 import { IncomingMessage, ServerResponse } from 'http';
 import {
  CertificateEvents
 } from '../../certificate/events/certificate-events.js';
 import type {
  ICertificateData,
  ICertificateFailure,
  ICertificateExpiring
 } from '../../certificate/models/certificate-types.js';
 import type {
  ISmartAcme,
  ISmartAcmeCert,
  ISmartAcmeOptions,
  IHttp01MemoryHandler
 } from './acme-interfaces.js';
 /**
 * ChallengeResponder handles ACME HTTP-01 challenges by leveraging SmartAcme
 * It acts as a bridge between the HTTP server and the ACME challenge verification process
 */
 export class ChallengeResponder extends plugins.EventEmitter {
  private smartAcme: ISmartAcme | null = null;
  private http01Handler: IHttp01MemoryHandler | null = null;
  /**
   * Creates a new challenge responder
   * @param useProduction Whether to use production ACME servers
   * @param email Account email for ACME
   * @param certificateStore Directory to store certificates
   */
  constructor(
    private readonly useProduction: boolean = false,
    private readonly email: string = 'admin@example.com',
    private readonly certificateStore: string = './certs'
  ) {
    super();
  }
  /**
   * Initialize the ACME client
   */
  public async initialize(): Promise<void> {
    try {
      // Create the HTTP-01 memory handler from SmartACME
      this.http01Handler = new plugins.smartacme.handlers.Http01MemoryHandler();
      // Ensure certificate store directory exists
      await this.ensureCertificateStore();
      // Create a MemoryCertManager for certificate storage
      const certManager = new plugins.smartacme.certmanagers.MemoryCertManager();
      // Initialize the SmartACME client with appropriate options
      this.smartAcme = new plugins.smartacme.SmartAcme({
        accountEmail: this.email,
        certManager: certManager,
        environment: this.useProduction ? 'production' : 'integration',
        challengeHandlers: [this.http01Handler],
        challengePriority: ['http-01']
      });
      // Set up event forwarding from SmartAcme
      this.setupEventListeners();
      // Start the SmartACME client
      await this.smartAcme.start();
      console.log('ACME client initialized successfully');
    } catch (error) {
      const errorMessage = error instanceof Error ? error.message : String(error);
      throw new Error(`Failed to initialize ACME client: ${errorMessage}`);
    }
  }
  /**
   * Ensure the certificate store directory exists
   */
  private async ensureCertificateStore(): Promise<void> {
    try {
      await plugins.fs.promises.mkdir(this.certificateStore, { recursive: true });
    } catch (error) {
      const errorMessage = error instanceof Error ? error.message : String(error);
      throw new Error(`Failed to create certificate store: ${errorMessage}`);
    }
  }
  /**
   * Setup event listeners to forward SmartACME events to our own event emitter
   */
  private setupEventListeners(): void {
    if (!this.smartAcme) return;
    const setupEvents = (emitter: { on: (event: string, listener: (data: any) => void) => void }) => {
      // Forward certificate events
      emitter.on('certificate', (data: any) => {
        const isRenewal = !!data.isRenewal;
        const certData: ICertificateData = {
          domain: data.domainName || data.domain,
          certificate: data.publicKey || data.cert,
          privateKey: data.privateKey || data.key,
          expiryDate: new Date(data.validUntil || data.expiryDate || Date.now()),
          source: 'http01',
          isRenewal
        };
        const eventType = isRenewal
          ? CertificateEvents.CERTIFICATE_RENEWED
          : CertificateEvents.CERTIFICATE_ISSUED;
        this.emit(eventType, certData);
      });
      // Forward error events
      emitter.on('error', (error: any) => {
        const domain = error.domainName || error.domain || 'unknown';
        const failureData: ICertificateFailure = {
          domain,
          error: error.message || String(error),
          isRenewal: !!error.isRenewal
        };
        this.emit(CertificateEvents.CERTIFICATE_FAILED, failureData);
      });
    };
    // Check for direct event methods on SmartAcme
    if (typeof this.smartAcme.on === 'function') {
      setupEvents(this.smartAcme as any);
    }
    // Check for eventEmitter property
    else if (this.smartAcme.eventEmitter) {
      setupEvents(this.smartAcme.eventEmitter);
    }
    // If no proper event handling, log a warning
    else {
      console.warn('SmartAcme instance does not support expected event interface - events may not be forwarded');
    }
  }
  /**
   * Handle HTTP request by checking if it's an ACME challenge
   * @param req HTTP request object
   * @param res HTTP response object
   * @returns true if the request was handled, false otherwise
   */
  public handleRequest(req: IncomingMessage, res: ServerResponse): boolean {
    if (!this.http01Handler) return false;
    // Check if this is an ACME challenge request (/.well-known/acme-challenge/*)
    const url = req.url || '';
    if (url.startsWith('/.well-known/acme-challenge/')) {
      try {
        // Delegate to the HTTP-01 memory handler, which knows how to serve challenges
        this.http01Handler.handleRequest(req, res);
        return true;
      } catch (error) {
        console.error('Error handling ACME challenge:', error);
        // If there was an error, send a 404 response
        res.writeHead(404);
        res.end('Not found');
        return true;
      }
    }
    return false;
  }
  /**
   * Request a certificate for a domain
   * @param domain Domain name to request a certificate for
   * @param isRenewal Whether this is a renewal request
   */
  public async requestCertificate(domain: string, isRenewal: boolean = false): Promise<ICertificateData> {
    if (!this.smartAcme) {
      throw new Error('ACME client not initialized');
    }
    try {
      // Request certificate using SmartACME
      const certObj = await this.smartAcme.getCertificateForDomain(domain);
      // Convert the certificate object to our CertificateData format
      const certData: ICertificateData = {
        domain,
        certificate: certObj.publicKey,
        privateKey: certObj.privateKey,
        expiryDate: new Date(certObj.validUntil),
        source: 'http01',
        isRenewal
      };
      return certData;
    } catch (error) {
      // Create failure object
      const failure: ICertificateFailure = {
        domain,
        error: error instanceof Error ? error.message : String(error),
        isRenewal
      };
      // Emit failure event
      this.emit(CertificateEvents.CERTIFICATE_FAILED, failure);
      // Rethrow with more context
      throw new Error(`Failed to ${isRenewal ? 'renew' : 'obtain'} certificate for ${domain}: ${
        error instanceof Error ? error.message : String(error)
      }`);
    }
  }
  /**
   * Check if a certificate is expiring soon and trigger renewal if needed
   * @param domain Domain name
   * @param certificate Certificate data
   * @param thresholdDays Days before expiry to trigger renewal
   */
  public checkCertificateExpiry(
    domain: string,
    certificate: ICertificateData,
    thresholdDays: number = 30
  ): void {
    if (!certificate.expiryDate) return;
    const now = new Date();
    const expiryDate = certificate.expiryDate;
    const daysDifference = Math.floor((expiryDate.getTime() - now.getTime()) / (1000 * 60 * 60 * 24));
    if (daysDifference <= thresholdDays) {
      const expiryInfo: ICertificateExpiring = {
        domain,
        expiryDate,
        daysRemaining: daysDifference
      };
      this.emit(CertificateEvents.CERTIFICATE_EXPIRING, expiryInfo);
      // Automatically attempt renewal if expiring
      if (this.smartAcme) {
        this.requestCertificate(domain, true).catch(error => {
          console.error(`Failed to auto-renew certificate for ${domain}:`, error);
        });
      }
    }
  }
 }
--- a/ts/http/port80/index.ts
+++ b/ts/http/port80/index.ts
@ -1,13 +0,0 @@
 /**
 * Port 80 handling
 */
 // Export the main components
 export { Port80Handler } from './port80-handler.js';
 export { ChallengeResponder } from './challenge-responder.js';
 // Export backward compatibility interfaces and types
 export {
  HttpError as Port80HandlerError,
  CertificateError as CertError
 } from '../models/http-types.js';
--- a/ts/http/port80/port80-handler.ts
+++ b/ts/http/port80/port80-handler.ts
@ -1,728 +0,0 @@
 import * as plugins from '../../plugins.js';
 import { IncomingMessage, ServerResponse } from 'http';
 import { CertificateEvents } from '../../certificate/events/certificate-events.js';
 import type {
  IDomainOptions, // Kept for backward compatibility
  ICertificateData,
  ICertificateFailure,
  ICertificateExpiring,
  IAcmeOptions,
  IRouteForwardConfig
 } from '../../certificate/models/certificate-types.js';
 import {
  HttpEvents,
  HttpStatus,
  HttpError,
  CertificateError,
  ServerError,
 } from '../models/http-types.js';
 import type { IDomainCertificate } from '../models/http-types.js';
 import { ChallengeResponder } from './challenge-responder.js';
 import { extractPort80RoutesFromRoutes } from './acme-interfaces.js';
 import type { IPort80RouteOptions } from './acme-interfaces.js';
 import type { IRouteConfig } from '../../proxies/smart-proxy/models/route-types.js';
 // Re-export for backward compatibility
 export {
  HttpError as Port80HandlerError,
  CertificateError,
  ServerError
 }
 // Port80Handler events enum for backward compatibility
 export const Port80HandlerEvents = CertificateEvents;
 /**
 * Configuration options for the Port80Handler
 */
 // Port80Handler options moved to common types
 /**
 * Port80Handler with ACME certificate management and request forwarding capabilities
 * Now with glob pattern support for domain matching
 */
 export class Port80Handler extends plugins.EventEmitter {
  private domainCertificates: Map<string, IDomainCertificate>;
  private challengeResponder: ChallengeResponder | null = null;
  private server: plugins.http.Server | null = null;
  // Renewal scheduling is handled externally by SmartProxy
  private isShuttingDown: boolean = false;
  private options: Required<IAcmeOptions>;
  /**
   * Creates a new Port80Handler
   * @param options Configuration options
   */
  constructor(options: IAcmeOptions = {}) {
    super();
    this.domainCertificates = new Map<string, IDomainCertificate>();
    // Default options
    this.options = {
      port: options.port ?? 80,
      accountEmail: options.accountEmail ?? 'admin@example.com',
      useProduction: options.useProduction ?? false, // Safer default: staging
      httpsRedirectPort: options.httpsRedirectPort ?? 443,
      enabled: options.enabled ?? true, // Enable by default
      certificateStore: options.certificateStore ?? './certs',
      skipConfiguredCerts: options.skipConfiguredCerts ?? false,
      renewThresholdDays: options.renewThresholdDays ?? 30,
      renewCheckIntervalHours: options.renewCheckIntervalHours ?? 24,
      autoRenew: options.autoRenew ?? true,
      routeForwards: options.routeForwards ?? []
    };
    // Initialize challenge responder
    if (this.options.enabled) {
      this.challengeResponder = new ChallengeResponder(
        this.options.useProduction,
        this.options.accountEmail,
        this.options.certificateStore
      );
      // Forward certificate events from the challenge responder
      this.challengeResponder.on(CertificateEvents.CERTIFICATE_ISSUED, (data: ICertificateData) => {
        this.emit(CertificateEvents.CERTIFICATE_ISSUED, data);
      });
      this.challengeResponder.on(CertificateEvents.CERTIFICATE_RENEWED, (data: ICertificateData) => {
        this.emit(CertificateEvents.CERTIFICATE_RENEWED, data);
      });
      this.challengeResponder.on(CertificateEvents.CERTIFICATE_FAILED, (error: ICertificateFailure) => {
        this.emit(CertificateEvents.CERTIFICATE_FAILED, error);
      });
      this.challengeResponder.on(CertificateEvents.CERTIFICATE_EXPIRING, (expiry: ICertificateExpiring) => {
        this.emit(CertificateEvents.CERTIFICATE_EXPIRING, expiry);
      });
    }
  }
  /**
   * Starts the HTTP server for ACME challenges
   */
  public async start(): Promise<void> {
    if (this.server) {
      throw new ServerError('Server is already running');
    }
    if (this.isShuttingDown) {
      throw new ServerError('Server is shutting down');
    }
    // Skip if disabled
    if (this.options.enabled === false) {
      console.log('Port80Handler is disabled, skipping start');
      return;
    }
    // Initialize the challenge responder if enabled
    if (this.options.enabled && this.challengeResponder) {
      try {
        await this.challengeResponder.initialize();
      } catch (error) {
        throw new ServerError(`Failed to initialize challenge responder: ${
          error instanceof Error ? error.message : String(error)
        }`);
      }
    }
    return new Promise((resolve, reject) => {
      try {
        this.server = plugins.http.createServer((req, res) => this.handleRequest(req, res));
        this.server.on('error', (error: NodeJS.ErrnoException) => {
          if (error.code === 'EACCES') {
            reject(new ServerError(`Permission denied to bind to port ${this.options.port}. Try running with elevated privileges or use a port > 1024.`, error.code));
          } else if (error.code === 'EADDRINUSE') {
            reject(new ServerError(`Port ${this.options.port} is already in use.`, error.code));
          } else {
            reject(new ServerError(error.message, error.code));
          }
        });
        this.server.listen(this.options.port, () => {
          console.log(`Port80Handler is listening on port ${this.options.port}`);
          this.emit(CertificateEvents.MANAGER_STARTED, this.options.port);
          // Start certificate process for domains with acmeMaintenance enabled
          for (const [domain, domainInfo] of this.domainCertificates.entries()) {
            // Skip glob patterns for certificate issuance
            if (this.isGlobPattern(domain)) {
              console.log(`Skipping initial certificate for glob pattern: ${domain}`);
              continue;
            }
            if (domainInfo.options.acmeMaintenance && !domainInfo.certObtained && !domainInfo.obtainingInProgress) {
              this.obtainCertificate(domain).catch(err => {
                console.error(`Error obtaining initial certificate for ${domain}:`, err);
              });
            }
          }
          resolve();
        });
      } catch (error) {
        const message = error instanceof Error ? error.message : 'Unknown error starting server';
        reject(new ServerError(message));
      }
    });
  }
  /**
   * Stops the HTTP server and cleanup resources
   */
  public async stop(): Promise<void> {
    if (!this.server) {
      return;
    }
    this.isShuttingDown = true;
    return new Promise<void>((resolve) => {
      if (this.server) {
        this.server.close(() => {
          this.server = null;
          this.isShuttingDown = false;
          this.emit(CertificateEvents.MANAGER_STOPPED);
          resolve();
        });
      } else {
        this.isShuttingDown = false;
        resolve();
      }
    });
  }
  /**
   * Adds a domain with configuration options
   * @param options Domain configuration options
   */
  public addDomain(options: IDomainOptions | IPort80RouteOptions): void {
    // Normalize options format (handle both IDomainOptions and IPort80RouteOptions)
    const normalizedOptions: IDomainOptions = this.normalizeOptions(options);
    if (!normalizedOptions.domainName || typeof normalizedOptions.domainName !== 'string') {
      throw new HttpError('Invalid domain name');
    }
    const domainName = normalizedOptions.domainName;
    if (!this.domainCertificates.has(domainName)) {
      this.domainCertificates.set(domainName, {
        options: normalizedOptions,
        certObtained: false,
        obtainingInProgress: false
      });
      console.log(`Domain added: ${domainName} with configuration:`, {
        sslRedirect: normalizedOptions.sslRedirect,
        acmeMaintenance: normalizedOptions.acmeMaintenance,
        hasForward: !!normalizedOptions.forward,
        hasAcmeForward: !!normalizedOptions.acmeForward,
        routeReference: normalizedOptions.routeReference
      });
      // If acmeMaintenance is enabled and not a glob pattern, start certificate process immediately
      if (normalizedOptions.acmeMaintenance && this.server && !this.isGlobPattern(domainName)) {
        this.obtainCertificate(domainName).catch(err => {
          console.error(`Error obtaining initial certificate for ${domainName}:`, err);
        });
      }
    } else {
      // Update existing domain with new options
      const existing = this.domainCertificates.get(domainName)!;
      existing.options = normalizedOptions;
      console.log(`Domain ${domainName} configuration updated`);
    }
  }
  /**
   * Add domains from route configurations
   * @param routes Array of route configurations
   */
  public addDomainsFromRoutes(routes: IRouteConfig[]): void {
    // Extract Port80RouteOptions from routes
    const routeOptions = extractPort80RoutesFromRoutes(routes);
    // Add each domain
    for (const options of routeOptions) {
      this.addDomain(options);
    }
    console.log(`Added ${routeOptions.length} domains from routes for certificate management`);
  }
  /**
   * Normalize options from either IDomainOptions or IPort80RouteOptions
   * @param options Options to normalize
   * @returns Normalized IDomainOptions
   * @private
   */
  private normalizeOptions(options: IDomainOptions | IPort80RouteOptions): IDomainOptions {
    // Handle IPort80RouteOptions format
    if ('domain' in options) {
      return {
        domainName: options.domain,
        sslRedirect: options.sslRedirect,
        acmeMaintenance: options.acmeMaintenance,
        forward: options.forward,
        acmeForward: options.acmeForward,
        routeReference: options.routeReference
      };
    }
    // Already in IDomainOptions format
    return options;
  }
  /**
   * Removes a domain from management
   * @param domain The domain to remove
   */
  public removeDomain(domain: string): void {
    if (this.domainCertificates.delete(domain)) {
      console.log(`Domain removed: ${domain}`);
    }
  }
  /**
   * Gets the certificate for a domain if it exists
   * @param domain The domain to get the certificate for
   */
  public getCertificate(domain: string): ICertificateData | null {
    // Can't get certificates for glob patterns
    if (this.isGlobPattern(domain)) {
      return null;
    }
    const domainInfo = this.domainCertificates.get(domain);
    if (!domainInfo || !domainInfo.certObtained || !domainInfo.certificate || !domainInfo.privateKey) {
      return null;
    }
    return {
      domain,
      certificate: domainInfo.certificate,
      privateKey: domainInfo.privateKey,
      expiryDate: domainInfo.expiryDate || this.getDefaultExpiryDate()
    };
  }
  /**
   * Check if a domain is a glob pattern
   * @param domain Domain to check
   * @returns True if the domain is a glob pattern
   */
  private isGlobPattern(domain: string): boolean {
    return domain.includes('*');
  }
  /**
   * Get domain info for a specific domain, using glob pattern matching if needed
   * @param requestDomain The actual domain from the request
   * @returns The domain info or null if not found
   */
  private getDomainInfoForRequest(requestDomain: string): { domainInfo: IDomainCertificate, pattern: string } | null {
    // Try direct match first
    if (this.domainCertificates.has(requestDomain)) {
      return {
        domainInfo: this.domainCertificates.get(requestDomain)!,
        pattern: requestDomain
      };
    }
    // Then try glob patterns
    for (const [pattern, domainInfo] of this.domainCertificates.entries()) {
      if (this.isGlobPattern(pattern) && this.domainMatchesPattern(requestDomain, pattern)) {
        return { domainInfo, pattern };
      }
    }
    return null;
  }
  /**
   * Check if a domain matches a glob pattern
   * @param domain The domain to check
   * @param pattern The pattern to match against
   * @returns True if the domain matches the pattern
   */
  private domainMatchesPattern(domain: string, pattern: string): boolean {
    // Handle different glob pattern styles
    if (pattern.startsWith('*.')) {
      // *.example.com matches any subdomain
      const suffix = pattern.substring(2);
      return domain.endsWith(suffix) && domain.includes('.') && domain !== suffix;
    } else if (pattern.endsWith('.*')) {
      // example.* matches any TLD
      const prefix = pattern.substring(0, pattern.length - 2);
      const domainParts = domain.split('.');
      return domain.startsWith(prefix + '.') && domainParts.length >= 2;
    } else if (pattern === '*') {
      // Wildcard matches everything
      return true;
    } else {
      // Exact match (shouldn't reach here as we check exact matches first)
      return domain === pattern;
    }
  }
  /**
   * Handles incoming HTTP requests
   * @param req The HTTP request
   * @param res The HTTP response
   */
  private handleRequest(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void {
    // Emit request received event with basic info
    this.emit(HttpEvents.REQUEST_RECEIVED, {
      url: req.url,
      method: req.method,
      headers: req.headers
    });
    const hostHeader = req.headers.host;
    if (!hostHeader) {
      res.statusCode = HttpStatus.BAD_REQUEST;
      res.end('Bad Request: Host header is missing');
      return;
    }
    // Extract domain (ignoring any port in the Host header)
    const domain = hostHeader.split(':')[0];
    // Check if this is an ACME challenge request that our ChallengeResponder can handle
    if (this.challengeResponder && req.url?.startsWith('/.well-known/acme-challenge/')) {
      // Handle ACME HTTP-01 challenge with the challenge responder
      const domainMatch = this.getDomainInfoForRequest(domain);
      // If there's a specific ACME forwarding config for this domain, use that instead
      if (domainMatch?.domainInfo.options.acmeForward) {
        this.forwardRequest(req, res, domainMatch.domainInfo.options.acmeForward, 'ACME challenge');
        return;
      }
      // If domain exists and has acmeMaintenance enabled, or we don't have the domain yet
      // (for auto-provisioning), try to handle the ACME challenge
      if (!domainMatch || domainMatch.domainInfo.options.acmeMaintenance) {
        // Let the challenge responder try to handle this request
        if (this.challengeResponder.handleRequest(req, res)) {
          // Challenge was handled
          return;
        }
      }
    }
    // Dynamic provisioning: if domain not yet managed, register for ACME and return 503
    if (!this.domainCertificates.has(domain)) {
      try {
        this.addDomain({ domainName: domain, sslRedirect: false, acmeMaintenance: true });
      } catch (err) {
        console.error(`Error registering domain for on-demand provisioning: ${err}`);
      }
      res.statusCode = HttpStatus.SERVICE_UNAVAILABLE;
      res.end('Certificate issuance in progress');
      return;
    }
    // Get domain config, using glob pattern matching if needed
    const domainMatch = this.getDomainInfoForRequest(domain);
    if (!domainMatch) {
      res.statusCode = HttpStatus.NOT_FOUND;
      res.end('Domain not configured');
      return;
    }
    const { domainInfo, pattern } = domainMatch;
    const options = domainInfo.options;
    // Check if we should forward non-ACME requests
    if (options.forward) {
      this.forwardRequest(req, res, options.forward, 'HTTP');
      return;
    }
    // If certificate exists and sslRedirect is enabled, redirect to HTTPS
    // (Skip for glob patterns as they won't have certificates)
    if (!this.isGlobPattern(pattern) && domainInfo.certObtained && options.sslRedirect) {
      const httpsPort = this.options.httpsRedirectPort;
      const portSuffix = httpsPort === 443 ? '' : `:${httpsPort}`;
      const redirectUrl = `https://${domain}${portSuffix}${req.url || '/'}`;
      res.statusCode = HttpStatus.MOVED_PERMANENTLY;
      res.setHeader('Location', redirectUrl);
      res.end(`Redirecting to ${redirectUrl}`);
      return;
    }
    // Handle case where certificate maintenance is enabled but not yet obtained
    // (Skip for glob patterns as they can't have certificates)
    if (!this.isGlobPattern(pattern) && options.acmeMaintenance && !domainInfo.certObtained) {
      // Trigger certificate issuance if not already running
      if (!domainInfo.obtainingInProgress) {
        this.obtainCertificate(domain).catch(err => {
          const errorMessage = err instanceof Error ? err.message : 'Unknown error';
          this.emit(CertificateEvents.CERTIFICATE_FAILED, {
            domain,
            error: errorMessage,
            isRenewal: false
          });
          console.error(`Error obtaining certificate for ${domain}:`, err);
        });
      }
      res.statusCode = HttpStatus.SERVICE_UNAVAILABLE;
      res.end('Certificate issuance in progress, please try again later.');
      return;
    }
    // Default response for unhandled request
    res.statusCode = HttpStatus.NOT_FOUND;
    res.end('No handlers configured for this request');
    // Emit request handled event
    this.emit(HttpEvents.REQUEST_HANDLED, {
      domain,
      url: req.url,
      statusCode: res.statusCode
    });
  }
  /**
   * Forwards an HTTP request to the specified target
   * @param req The original request
   * @param res The response object
   * @param target The forwarding target (IP and port)
   * @param requestType Type of request for logging
   */
  private forwardRequest(
    req: plugins.http.IncomingMessage,
    res: plugins.http.ServerResponse,
    target: { ip: string; port: number },
    requestType: string
  ): void {
    const options = {
      hostname: target.ip,
      port: target.port,
      path: req.url,
      method: req.method,
      headers: { ...req.headers }
    };
    const domain = req.headers.host?.split(':')[0] || 'unknown';
    console.log(`Forwarding ${requestType} request for ${domain} to ${target.ip}:${target.port}`);
    const proxyReq = plugins.http.request(options, (proxyRes) => {
      // Copy status code
      res.statusCode = proxyRes.statusCode || HttpStatus.INTERNAL_SERVER_ERROR;
      // Copy headers
      for (const [key, value] of Object.entries(proxyRes.headers)) {
        if (value) res.setHeader(key, value);
      }
      // Pipe response data
      proxyRes.pipe(res);
      this.emit(HttpEvents.REQUEST_FORWARDED, {
        domain,
        requestType,
        target: `${target.ip}:${target.port}`,
        statusCode: proxyRes.statusCode
      });
    });
    proxyReq.on('error', (error) => {
      console.error(`Error forwarding request to ${target.ip}:${target.port}:`, error);
      this.emit(HttpEvents.REQUEST_ERROR, {
        domain,
        error: error.message,
        target: `${target.ip}:${target.port}`
      });
      if (!res.headersSent) {
        res.statusCode = HttpStatus.INTERNAL_SERVER_ERROR;
        res.end(`Proxy error: ${error.message}`);
      } else {
        res.end();
      }
    });
    // Pipe original request to proxy request
    if (req.readable) {
      req.pipe(proxyReq);
    } else {
      proxyReq.end();
    }
  }
  /**
   * Obtains a certificate for a domain using ACME HTTP-01 challenge
   * @param domain The domain to obtain a certificate for
   * @param isRenewal Whether this is a renewal attempt
   */
  private async obtainCertificate(domain: string, isRenewal: boolean = false): Promise<void> {
    if (this.isGlobPattern(domain)) {
      throw new CertificateError('Cannot obtain certificates for glob pattern domains', domain, isRenewal);
    }
    const domainInfo = this.domainCertificates.get(domain)!;
    if (!domainInfo.options.acmeMaintenance) {
      console.log(`Skipping certificate issuance for ${domain} - acmeMaintenance is disabled`);
      return;
    }
    if (domainInfo.obtainingInProgress) {
      console.log(`Certificate issuance already in progress for ${domain}`);
      return;
    }
    if (!this.challengeResponder) {
      throw new HttpError('Challenge responder is not initialized');
    }
    domainInfo.obtainingInProgress = true;
    domainInfo.lastRenewalAttempt = new Date();
    try {
      // Request certificate via ChallengeResponder
      // The ChallengeResponder handles all ACME client interactions and will emit events
      const certData = await this.challengeResponder.requestCertificate(domain, isRenewal);
      // Update domain info with certificate data
      domainInfo.certificate = certData.certificate;
      domainInfo.privateKey = certData.privateKey;
      domainInfo.certObtained = true;
      domainInfo.expiryDate = certData.expiryDate;
      console.log(`Certificate ${isRenewal ? 'renewed' : 'obtained'} for ${domain}`);
    } catch (error: any) {
      const errorMsg = error instanceof Error ? error.message : String(error);
      console.error(`Error during certificate issuance for ${domain}:`, error);
      throw new CertificateError(errorMsg, domain, isRenewal);
    } finally {
      domainInfo.obtainingInProgress = false;
    }
  }
  /**
   * Extract expiry date from certificate using a more robust approach
   * @param certificate Certificate PEM string
   * @param domain Domain for logging
   * @returns Extracted expiry date or default
   */
  private extractExpiryDateFromCertificate(certificate: string, domain: string): Date {
    try {
      // This is still using regex, but in a real implementation you would use
      // a library like node-forge or x509 to properly parse the certificate
      const matches = certificate.match(/Not After\s*:\s*(.*?)(?:\n|$)/i);
      if (matches && matches[1]) {
        const expiryDate = new Date(matches[1]);
        // Validate that we got a valid date
        if (!isNaN(expiryDate.getTime())) {
          console.log(`Certificate for ${domain} will expire on ${expiryDate.toISOString()}`);
          return expiryDate;
        }
      }
      console.warn(`Could not extract valid expiry date from certificate for ${domain}, using default`);
      return this.getDefaultExpiryDate();
    } catch (error) {
      console.warn(`Failed to extract expiry date from certificate for ${domain}, using default`);
      return this.getDefaultExpiryDate();
    }
  }
  /**
   * Get a default expiry date (90 days from now)
   * @returns Default expiry date
   */
  private getDefaultExpiryDate(): Date {
    return new Date(Date.now() + 90 * 24 * 60 * 60 * 1000); // 90 days default
  }
  /**
   * Emits a certificate event with the certificate data
   * @param eventType The event type to emit
   * @param data The certificate data
   */
  private emitCertificateEvent(eventType: CertificateEvents, data: ICertificateData): void {
    this.emit(eventType, data);
  }
  /**
   * Gets all domains and their certificate status
   * @returns Map of domains to certificate status
   */
  public getDomainCertificateStatus(): Map<string, {
    certObtained: boolean;
    expiryDate?: Date;
    daysRemaining?: number;
    obtainingInProgress: boolean;
    lastRenewalAttempt?: Date;
  }> {
    const result = new Map<string, {
      certObtained: boolean;
      expiryDate?: Date;
      daysRemaining?: number;
      obtainingInProgress: boolean;
      lastRenewalAttempt?: Date;
    }>();
    const now = new Date();
    for (const [domain, domainInfo] of this.domainCertificates.entries()) {
      // Skip glob patterns
      if (this.isGlobPattern(domain)) continue;
      const status: {
        certObtained: boolean;
        expiryDate?: Date;
        daysRemaining?: number;
        obtainingInProgress: boolean;
        lastRenewalAttempt?: Date;
      } = {
        certObtained: domainInfo.certObtained,
        expiryDate: domainInfo.expiryDate,
        obtainingInProgress: domainInfo.obtainingInProgress,
        lastRenewalAttempt: domainInfo.lastRenewalAttempt
      };
      // Calculate days remaining if expiry date is available
      if (domainInfo.expiryDate) {
        const daysRemaining = Math.ceil(
          (domainInfo.expiryDate.getTime() - now.getTime()) / (24 * 60 * 60 * 1000)
        );
        status.daysRemaining = daysRemaining;
      }
      result.set(domain, status);
    }
    return result;
  }
  /**
   * Request a certificate renewal for a specific domain.
   * @param domain The domain to renew.
   */
  public async renewCertificate(domain: string): Promise<void> {
    if (!this.domainCertificates.has(domain)) {
      throw new HttpError(`Domain not managed: ${domain}`);
    }
    // Trigger renewal via ACME
    await this.obtainCertificate(domain, true);
  }
 }
--- a/ts/http/redirects/index.ts
+++ b/ts/http/redirects/index.ts
@ -1,3 +0,0 @@
 /**
 * HTTP redirects
 */
--- a/ts/http/router/index.ts
+++ b/ts/http/router/index.ts
@ -1,5 +0,0 @@
 /**
 * HTTP routing
 */
 export * from './proxy-router.js';
--- a/ts/http/router/proxy-router.ts
+++ b/ts/http/router/proxy-router.ts
@ -1,437 +0,0 @@
 import * as plugins from '../../plugins.js';
 import type { IReverseProxyConfig } from '../../proxies/network-proxy/models/types.js';
 /**
 * Optional path pattern configuration that can be added to proxy configs
 */
 export interface PathPatternConfig {
  pathPattern?: string;
 }
 // Backward compatibility
 export type IPathPatternConfig = PathPatternConfig;
 /**
 * Interface for router result with additional metadata
 */
 export interface RouterResult {
  config: IReverseProxyConfig;
  pathMatch?: string;
  pathParams?: Record<string, string>;
  pathRemainder?: string;
 }
 // Backward compatibility
 export type IRouterResult = RouterResult;
 /**
 * Router for HTTP reverse proxy requests
 * 
 * Supports the following domain matching patterns:
 * - Exact matches: "example.com"
 * - Wildcard subdomains: "*.example.com" (matches any subdomain of example.com)
 * - TLD wildcards: "example.*" (matches example.com, example.org, etc.)
 * - Complex wildcards: "*.lossless*" (matches any subdomain of any lossless domain)
 * - Default fallback: "*" (matches any unmatched domain)
 * 
 * Also supports path pattern matching for each domain:
 * - Exact path: "/api/users"
 * - Wildcard paths: "/api/*" 
 * - Path parameters: "/users/:id/profile"
 */
 export class ProxyRouter {
  // Store original configs for reference
  private reverseProxyConfigs: IReverseProxyConfig[] = [];
  // Default config to use when no match is found (optional)
  private defaultConfig?: IReverseProxyConfig;
  // Store path patterns separately since they're not in the original interface
  private pathPatterns: Map<IReverseProxyConfig, string> = new Map();
  // Logger interface
  private logger: {
    error: (message: string, data?: any) => void;
    warn: (message: string, data?: any) => void;
    info: (message: string, data?: any) => void;
    debug: (message: string, data?: any) => void;
  };
  constructor(
    configs?: IReverseProxyConfig[],
    logger?: {
      error: (message: string, data?: any) => void;
      warn: (message: string, data?: any) => void;
      info: (message: string, data?: any) => void;
      debug: (message: string, data?: any) => void;
    }
  ) {
    this.logger = logger || console;
    if (configs) {
      this.setNewProxyConfigs(configs);
    }
  }
  /**
   * Sets a new set of reverse configs to be routed to
   * @param reverseCandidatesArg Array of reverse proxy configurations
   */
  public setNewProxyConfigs(reverseCandidatesArg: IReverseProxyConfig[]): void {
    this.reverseProxyConfigs = [...reverseCandidatesArg];
    // Find default config if any (config with "*" as hostname)
    this.defaultConfig = this.reverseProxyConfigs.find(config => config.hostName === '*');
    this.logger.info(`Router initialized with ${this.reverseProxyConfigs.length} configs (${this.getHostnames().length} unique hosts)`);
  }
  /**
   * Routes a request based on hostname and path
   * @param req The incoming HTTP request
   * @returns The matching proxy config or undefined if no match found
   */
  public routeReq(req: plugins.http.IncomingMessage): IReverseProxyConfig {
    const result = this.routeReqWithDetails(req);
    return result ? result.config : undefined;
  }
  /**
   * Routes a request with detailed matching information
   * @param req The incoming HTTP request
   * @returns Detailed routing result including matched config and path information
   */
  public routeReqWithDetails(req: plugins.http.IncomingMessage): RouterResult | undefined {
    // Extract and validate host header
    const originalHost = req.headers.host;
    if (!originalHost) {
      this.logger.error('No host header found in request');
      return this.defaultConfig ? { config: this.defaultConfig } : undefined;
    }
    // Parse URL for path matching
    const parsedUrl = plugins.url.parse(req.url || '/');
    const urlPath = parsedUrl.pathname || '/';
    // Extract hostname without port
    const hostWithoutPort = originalHost.split(':')[0].toLowerCase();
    // First try exact hostname match
    const exactConfig = this.findConfigForHost(hostWithoutPort, urlPath);
    if (exactConfig) {
      return exactConfig;
    }
    // Try various wildcard patterns
    if (hostWithoutPort.includes('.')) {
      const domainParts = hostWithoutPort.split('.');
      // Try wildcard subdomain (*.example.com)
      if (domainParts.length > 2) {
        const wildcardDomain = `*.${domainParts.slice(1).join('.')}`;
        const wildcardConfig = this.findConfigForHost(wildcardDomain, urlPath);
        if (wildcardConfig) {
          return wildcardConfig;
        }
      }
      // Try TLD wildcard (example.*)
      const baseDomain = domainParts.slice(0, -1).join('.');
      const tldWildcardDomain = `${baseDomain}.*`;
      const tldWildcardConfig = this.findConfigForHost(tldWildcardDomain, urlPath);
      if (tldWildcardConfig) {
        return tldWildcardConfig;
      }
      // Try complex wildcard patterns
      const wildcardPatterns = this.findWildcardMatches(hostWithoutPort);
      for (const pattern of wildcardPatterns) {
        const wildcardConfig = this.findConfigForHost(pattern, urlPath);
        if (wildcardConfig) {
          return wildcardConfig;
        }
      }
    }
    // Fall back to default config if available
    if (this.defaultConfig) {
      this.logger.warn(`No specific config found for host: ${hostWithoutPort}, using default`);
      return { config: this.defaultConfig };
    }
    this.logger.error(`No config found for host: ${hostWithoutPort}`);
    return undefined;
  }
  /**
   * Find potential wildcard patterns that could match a given hostname
   * Handles complex patterns like "*.lossless*" or other partial matches
   * @param hostname The hostname to find wildcard matches for
   * @returns Array of potential wildcard patterns that could match
   */
  private findWildcardMatches(hostname: string): string[] {
    const patterns: string[] = [];
    const hostnameParts = hostname.split('.');
    // Find all configured hostnames that contain wildcards
    const wildcardConfigs = this.reverseProxyConfigs.filter(
      config => config.hostName.includes('*')
    );
    // Extract unique wildcard patterns
    const wildcardPatterns = [...new Set(
      wildcardConfigs.map(config => config.hostName.toLowerCase())
    )];
    // For each wildcard pattern, check if it could match the hostname
    // using simplified regex pattern matching
    for (const pattern of wildcardPatterns) {
      // Skip the default wildcard '*'
      if (pattern === '*') continue;
      // Skip already checked patterns (*.domain.com and domain.*)
      if (pattern.startsWith('*.') && pattern.indexOf('*', 2) === -1) continue;
      if (pattern.endsWith('.*') && pattern.indexOf('*') === pattern.length - 1) continue;
      // Convert wildcard pattern to regex
      const regexPattern = pattern
        .replace(/\./g, '\\.')  // Escape dots
        .replace(/\*/g, '.*');  // Convert * to .* for regex
      // Create regex object with case insensitive flag
      const regex = new RegExp(`^${regexPattern}$`, 'i');
      // If hostname matches this complex pattern, add it to the list
      if (regex.test(hostname)) {
        patterns.push(pattern);
      }
    }
    return patterns;
  }
  /**
   * Find a config for a specific host and path
   */
  private findConfigForHost(hostname: string, path: string): RouterResult | undefined {
    // Find all configs for this hostname
    const configs = this.reverseProxyConfigs.filter(
      config => config.hostName.toLowerCase() === hostname.toLowerCase()
    );
    if (configs.length === 0) {
      return undefined;
    }
    // First try configs with path patterns
    const configsWithPaths = configs.filter(config => this.pathPatterns.has(config));
    // Sort by path pattern specificity - more specific first
    configsWithPaths.sort((a, b) => {
      const aPattern = this.pathPatterns.get(a) || '';
      const bPattern = this.pathPatterns.get(b) || '';
      // Exact patterns come before wildcard patterns
      const aHasWildcard = aPattern.includes('*');
      const bHasWildcard = bPattern.includes('*');
      if (aHasWildcard && !bHasWildcard) return 1;
      if (!aHasWildcard && bHasWildcard) return -1;
      // Longer patterns are considered more specific
      return bPattern.length - aPattern.length;
    });
    // Check each config with path pattern
    for (const config of configsWithPaths) {
      const pathPattern = this.pathPatterns.get(config);
      if (pathPattern) {
        const pathMatch = this.matchPath(path, pathPattern);
        if (pathMatch) {
          return {
            config,
            pathMatch: pathMatch.matched,
            pathParams: pathMatch.params,
            pathRemainder: pathMatch.remainder
          };
        }
      }
    }
    // If no path pattern matched, use the first config without a path pattern
    const configWithoutPath = configs.find(config => !this.pathPatterns.has(config));
    if (configWithoutPath) {
      return { config: configWithoutPath };
    }
    return undefined;
  }
  /**
   * Matches a URL path against a pattern
   * Supports:
   * - Exact matches: /users/profile
   * - Wildcards: /api/* (matches any path starting with /api/)
   * - Path parameters: /users/:id (captures id as a parameter)
   * 
   * @param path The URL path to match
   * @param pattern The pattern to match against
   * @returns Match result with params and remainder, or null if no match
   */
  private matchPath(path: string, pattern: string): { 
    matched: string; 
    params: Record<string, string>; 
    remainder: string;
  } | null {
    // Handle exact match
    if (path === pattern) {
      return {
        matched: pattern,
        params: {},
        remainder: ''
      };
    }
    // Handle wildcard match
    if (pattern.endsWith('/*')) {
      const prefix = pattern.slice(0, -2);
      if (path === prefix || path.startsWith(`${prefix}/`)) {
        return {
          matched: prefix,
          params: {},
          remainder: path.slice(prefix.length)
        };
      }
      return null;
    }
    // Handle path parameters
    const patternParts = pattern.split('/').filter(p => p);
    const pathParts = path.split('/').filter(p => p);
    // Too few path parts to match
    if (pathParts.length < patternParts.length) {
      return null;
    }
    const params: Record<string, string> = {};
    // Compare each part
    for (let i = 0; i < patternParts.length; i++) {
      const patternPart = patternParts[i];
      const pathPart = pathParts[i];
      // Handle parameter
      if (patternPart.startsWith(':')) {
        const paramName = patternPart.slice(1);
        params[paramName] = pathPart;
        continue;
      }
      // Handle wildcard at the end
      if (patternPart === '*' && i === patternParts.length - 1) {
        break;
      }
      // Handle exact match for this part
      if (patternPart !== pathPart) {
        return null;
      }
    }
    // Calculate the remainder - the unmatched path parts
    const remainderParts = pathParts.slice(patternParts.length);
    const remainder = remainderParts.length ? '/' + remainderParts.join('/') : '';
    // Calculate the matched path
    const matchedParts = patternParts.map((part, i) => {
      return part.startsWith(':') ? pathParts[i] : part;
    });
    const matched = '/' + matchedParts.join('/');
    return {
      matched,
      params,
      remainder
    };
  }
  /**
   * Gets all currently active proxy configurations
   * @returns Array of all active configurations
   */
  public getProxyConfigs(): IReverseProxyConfig[] {
    return [...this.reverseProxyConfigs];
  }
  /**
   * Gets all hostnames that this router is configured to handle
   * @returns Array of hostnames
   */
  public getHostnames(): string[] {
    const hostnames = new Set<string>();
    for (const config of this.reverseProxyConfigs) {
      if (config.hostName !== '*') {
        hostnames.add(config.hostName.toLowerCase());
      }
    }
    return Array.from(hostnames);
  }
  /**
   * Adds a single new proxy configuration
   * @param config The configuration to add
   * @param pathPattern Optional path pattern for route matching
   */
  public addProxyConfig(
    config: IReverseProxyConfig,
    pathPattern?: string
  ): void {
    this.reverseProxyConfigs.push(config);
    // Store path pattern if provided
    if (pathPattern) {
      this.pathPatterns.set(config, pathPattern);
    }
  }
  /**
   * Sets a path pattern for an existing config
   * @param config The existing configuration
   * @param pathPattern The path pattern to set
   * @returns Boolean indicating if the config was found and updated
   */
  public setPathPattern(
    config: IReverseProxyConfig,
    pathPattern: string
  ): boolean {
    const exists = this.reverseProxyConfigs.includes(config);
    if (exists) {
      this.pathPatterns.set(config, pathPattern);
      return true;
    }
    return false;
  }
  /**
   * Removes a proxy configuration by hostname
   * @param hostname The hostname to remove
   * @returns Boolean indicating whether any configs were removed
   */
  public removeProxyConfig(hostname: string): boolean {
    const initialCount = this.reverseProxyConfigs.length;
    // Find configs to remove
    const configsToRemove = this.reverseProxyConfigs.filter(
      config => config.hostName === hostname
    );
    // Remove them from the patterns map
    for (const config of configsToRemove) {
      this.pathPatterns.delete(config);
    }
    // Filter them out of the configs array
    this.reverseProxyConfigs = this.reverseProxyConfigs.filter(
      config => config.hostName !== hostname
    );
    return this.reverseProxyConfigs.length !== initialCount;
  }
 }
--- a/ts/index.ts
+++ b/ts/index.ts
@ -1,35 +1 @@
-/**
+export * from './smartproxy.classes.smartproxy';
 * SmartProxy main module exports
 */
 // Legacy exports (to maintain backward compatibility)
 // Migrated to the new proxies structure
 export * from './proxies/nftables-proxy/index.js';
 export * from './proxies/network-proxy/index.js';
 // Export port80handler elements selectively to avoid conflicts
 export {
  Port80Handler,
  Port80HandlerError as HttpError,
  ServerError,
  CertificateError
 } from './http/port80/port80-handler.js';
 // Use re-export to control the names
 export { Port80HandlerEvents } from './certificate/events/certificate-events.js';
 export * from './redirect/classes.redirect.js';
 export * from './proxies/smart-proxy/index.js';
 // Original: export * from './smartproxy/classes.pp.snihandler.js'
 // Now we export from the new module
 export { SniHandler } from './tls/sni/sni-handler.js';
 // Original: export * from './smartproxy/classes.pp.interfaces.js'
 // Now we export from the new module
 export * from './proxies/smart-proxy/models/interfaces.js';
 // Core types and utilities
 export * from './core/models/common-types.js';
 // Modular exports for new architecture
 export * as forwarding from './forwarding/index.js';
 export * as certificate from './certificate/index.js';
 export * as tls from './tls/index.js';
 export * as http from './http/index.js';
--- a/ts/plugins.ts
+++ b/ts/plugins.ts
@ -1,48 +0,0 @@
 // node native scope
 import { EventEmitter } from 'events';
 import * as fs from 'fs';
 import * as http from 'http';
 import * as https from 'https';
 import * as net from 'net';
 import * as tls from 'tls';
 import * as url from 'url';
 import * as http2 from 'http2';
 export { EventEmitter, fs, http, https, net, tls, url, http2 };
 // tsclass scope
 import * as tsclass from '@tsclass/tsclass';
 export { tsclass };
 // pushrocks scope
 import * as lik from '@push.rocks/lik';
 import * as smartdelay from '@push.rocks/smartdelay';
 import * as smartpromise from '@push.rocks/smartpromise';
 import * as smartrequest from '@push.rocks/smartrequest';
 import * as smartstring from '@push.rocks/smartstring';
 import * as smartacme from '@push.rocks/smartacme';
 import * as smartacmePlugins from '@push.rocks/smartacme/dist_ts/smartacme.plugins.js';
 import * as smartacmeHandlers from '@push.rocks/smartacme/dist_ts/handlers/index.js';
 import * as taskbuffer from '@push.rocks/taskbuffer';
 export {
  lik,
  smartdelay,
  smartrequest,
  smartpromise,
  smartstring,
  smartacme,
  smartacmePlugins,
  smartacmeHandlers,
  taskbuffer,
 };
 // third party scope
 import prettyMs from 'pretty-ms';
 import * as ws from 'ws';
 import wsDefault from 'ws';
 import { minimatch } from 'minimatch';
 export { prettyMs, ws, wsDefault, minimatch };
--- a/ts/proxies/index.ts
+++ b/ts/proxies/index.ts
@ -1,8 +0,0 @@
 /**
 * Proxy implementations module
 */
 // Export submodules
 export * from './smart-proxy/index.js';
 export * from './network-proxy/index.js';
 export * from './nftables-proxy/index.js';
--- a/ts/proxies/network-proxy/certificate-manager.ts
+++ b/ts/proxies/network-proxy/certificate-manager.ts
@ -1,414 +0,0 @@
 import * as plugins from '../../plugins.js';
 import * as fs from 'fs';
 import * as path from 'path';
 import { fileURLToPath } from 'url';
 import { type INetworkProxyOptions, type ICertificateEntry, type ILogger, createLogger } from './models/types.js';
 import { Port80Handler } from '../../http/port80/port80-handler.js';
 import { CertificateEvents } from '../../certificate/events/certificate-events.js';
 import { buildPort80Handler } from '../../certificate/acme/acme-factory.js';
 import { subscribeToPort80Handler } from '../../core/utils/event-utils.js';
 import type { IDomainOptions } from '../../certificate/models/certificate-types.js';
 /**
 * Manages SSL certificates for NetworkProxy including ACME integration
 */
 export class CertificateManager {
  private defaultCertificates: { key: string; cert: string };
  private certificateCache: Map<string, ICertificateEntry> = new Map();
  private port80Handler: Port80Handler | null = null;
  private externalPort80Handler: boolean = false;
  private certificateStoreDir: string;
  private logger: ILogger;
  private httpsServer: plugins.https.Server | null = null;
  constructor(private options: INetworkProxyOptions) {
    this.certificateStoreDir = path.resolve(options.acme?.certificateStore || './certs');
    this.logger = createLogger(options.logLevel || 'info');
    // Ensure certificate store directory exists
    try {
      if (!fs.existsSync(this.certificateStoreDir)) {
        fs.mkdirSync(this.certificateStoreDir, { recursive: true });
        this.logger.info(`Created certificate store directory: ${this.certificateStoreDir}`);
      }
    } catch (error) {
      this.logger.warn(`Failed to create certificate store directory: ${error}`);
    }
    this.loadDefaultCertificates();
  }
  /**
   * Loads default certificates from the filesystem
   */
  public loadDefaultCertificates(): void {
    const __dirname = path.dirname(fileURLToPath(import.meta.url));
    // Fix the path to look for certificates at the project root instead of inside ts directory
    const certPath = path.join(__dirname, '..', '..', '..', 'assets', 'certs');
    try {
      this.defaultCertificates = {
        key: fs.readFileSync(path.join(certPath, 'key.pem'), 'utf8'),
        cert: fs.readFileSync(path.join(certPath, 'cert.pem'), 'utf8')
      };
      this.logger.info('Default certificates loaded successfully');
    } catch (error) {
      this.logger.error('Error loading default certificates', error);
      // Generate self-signed fallback certificates
      try {
        // This is a placeholder for actual certificate generation code
        // In a real implementation, you would use a library like selfsigned to generate certs
        this.defaultCertificates = {
          key: "FALLBACK_KEY_CONTENT",
          cert: "FALLBACK_CERT_CONTENT"
        };
        this.logger.warn('Using fallback self-signed certificates');
      } catch (fallbackError) {
        this.logger.error('Failed to generate fallback certificates', fallbackError);
        throw new Error('Could not load or generate SSL certificates');
      }
    }
  }
  /**
   * Set the HTTPS server reference for context updates
   */
  public setHttpsServer(server: plugins.https.Server): void {
    this.httpsServer = server;
  }
  /**
   * Get default certificates
   */
  public getDefaultCertificates(): { key: string; cert: string } {
    return { ...this.defaultCertificates };
  }
  /**
   * Sets an external Port80Handler for certificate management
   */
  public setExternalPort80Handler(handler: Port80Handler): void {
    if (this.port80Handler && !this.externalPort80Handler) {
      this.logger.warn('Replacing existing internal Port80Handler with external handler');
      // Clean up existing handler if needed
      if (this.port80Handler !== handler) {
        // Unregister event handlers to avoid memory leaks
        this.port80Handler.removeAllListeners(CertificateEvents.CERTIFICATE_ISSUED);
        this.port80Handler.removeAllListeners(CertificateEvents.CERTIFICATE_RENEWED);
        this.port80Handler.removeAllListeners(CertificateEvents.CERTIFICATE_FAILED);
        this.port80Handler.removeAllListeners(CertificateEvents.CERTIFICATE_EXPIRING);
      }
    }
    // Set the external handler
    this.port80Handler = handler;
    this.externalPort80Handler = true;
    // Subscribe to Port80Handler events
    subscribeToPort80Handler(this.port80Handler, {
      onCertificateIssued: this.handleCertificateIssued.bind(this),
      onCertificateRenewed: this.handleCertificateIssued.bind(this),
      onCertificateFailed: this.handleCertificateFailed.bind(this),
      onCertificateExpiring: (data) => {
        this.logger.info(`Certificate for ${data.domain} expires in ${data.daysRemaining} days`);
      }
    });
    this.logger.info('External Port80Handler connected to CertificateManager');
    // Register domains with Port80Handler if we have any certificates cached
    if (this.certificateCache.size > 0) {
      const domains = Array.from(this.certificateCache.keys())
        .filter(domain => !domain.includes('*')); // Skip wildcard domains
      this.registerDomainsWithPort80Handler(domains);
    }
  }
  /**
   * Handle newly issued or renewed certificates from Port80Handler
   */
  private handleCertificateIssued(data: { domain: string; certificate: string; privateKey: string; expiryDate: Date }): void {
    const { domain, certificate, privateKey, expiryDate } = data;
    this.logger.info(`Certificate ${this.certificateCache.has(domain) ? 'renewed' : 'issued'} for ${domain}, valid until ${expiryDate.toISOString()}`);
    // Update certificate in HTTPS server
    this.updateCertificateCache(domain, certificate, privateKey, expiryDate);
    // Save the certificate to the filesystem if not using external handler
    if (!this.externalPort80Handler && this.options.acme?.certificateStore) {
      this.saveCertificateToStore(domain, certificate, privateKey);
    }
  }
  /**
   * Handle certificate issuance failures
   */
  private handleCertificateFailed(data: { domain: string; error: string }): void {
    this.logger.error(`Certificate issuance failed for ${data.domain}: ${data.error}`);
  }
  /**
   * Saves certificate and private key to the filesystem
   */
  private saveCertificateToStore(domain: string, certificate: string, privateKey: string): void {
    try {
      const certPath = path.join(this.certificateStoreDir, `${domain}.cert.pem`);
      const keyPath = path.join(this.certificateStoreDir, `${domain}.key.pem`);
      fs.writeFileSync(certPath, certificate);
      fs.writeFileSync(keyPath, privateKey);
      // Ensure private key has restricted permissions
      try {
        fs.chmodSync(keyPath, 0o600);
      } catch (error) {
        this.logger.warn(`Failed to set permissions on private key for ${domain}: ${error}`);
      }
      this.logger.info(`Saved certificate for ${domain} to ${certPath}`);
    } catch (error) {
      this.logger.error(`Failed to save certificate for ${domain}: ${error}`);
    }
  }
  /**
   * Handles SNI (Server Name Indication) for TLS connections
   * Used by the HTTPS server to select the correct certificate for each domain
   */
  public handleSNI(domain: string, cb: (err: Error | null, ctx: plugins.tls.SecureContext) => void): void {
    this.logger.debug(`SNI request for domain: ${domain}`);
    // Check if we have a certificate for this domain
    const certs = this.certificateCache.get(domain);
    if (certs) {
      try {
        // Create TLS context with the cached certificate
        const context = plugins.tls.createSecureContext({
          key: certs.key,
          cert: certs.cert
        });
        this.logger.debug(`Using cached certificate for ${domain}`);
        cb(null, context);
        return;
      } catch (err) {
        this.logger.error(`Error creating secure context for ${domain}:`, err);
      }
    }
    // No existing certificate: trigger dynamic provisioning via Port80Handler
    if (this.port80Handler) {
      try {
        this.logger.info(`Triggering on-demand certificate retrieval for ${domain}`);
        this.port80Handler.addDomain({
          domainName: domain,
          sslRedirect: false,
          acmeMaintenance: true
        });
      } catch (err) {
        this.logger.error(`Error registering domain for on-demand certificate: ${domain}`, err);
      }
    }
    // Check if we should trigger certificate issuance
    if (this.options.acme?.enabled && this.port80Handler && !domain.includes('*')) {
      // Check if this domain is already registered
      const certData = this.port80Handler.getCertificate(domain);
      if (!certData) {
        this.logger.info(`No certificate found for ${domain}, registering for issuance`);
        // Register with new domain options format
        const domainOptions: IDomainOptions = {
          domainName: domain,
          sslRedirect: true,
          acmeMaintenance: true
        };
        this.port80Handler.addDomain(domainOptions);
      }
    }
    // Fall back to default certificate
    try {
      const context = plugins.tls.createSecureContext({
        key: this.defaultCertificates.key,
        cert: this.defaultCertificates.cert
      });
      this.logger.debug(`Using default certificate for ${domain}`);
      cb(null, context);
    } catch (err) {
      this.logger.error(`Error creating default secure context:`, err);
      cb(new Error('Cannot create secure context'), null);
    }
  }
  /**
   * Updates certificate in cache
   */
  public updateCertificateCache(domain: string, certificate: string, privateKey: string, expiryDate?: Date): void {
    // Update certificate context in HTTPS server if it's running
    if (this.httpsServer) {
      try {
        this.httpsServer.addContext(domain, {
          key: privateKey,
          cert: certificate
        });
        this.logger.debug(`Updated SSL context for domain: ${domain}`);
      } catch (error) {
        this.logger.error(`Error updating SSL context for domain ${domain}:`, error);
      }
    }
    // Update certificate in cache
    this.certificateCache.set(domain, {
      key: privateKey,
      cert: certificate,
      expires: expiryDate
    });
  }
  /**
   * Gets a certificate for a domain
   */
  public getCertificate(domain: string): ICertificateEntry | undefined {
    return this.certificateCache.get(domain);
  }
  /**
   * Requests a new certificate for a domain
   */
  public async requestCertificate(domain: string): Promise<boolean> {
    if (!this.options.acme?.enabled && !this.externalPort80Handler) {
      this.logger.warn('ACME certificate management is not enabled');
      return false;
    }
    if (!this.port80Handler) {
      this.logger.error('Port80Handler is not initialized');
      return false;
    }
    // Skip wildcard domains - can't get certs for these with HTTP-01 validation
    if (domain.includes('*')) {
      this.logger.error(`Cannot request certificate for wildcard domain: ${domain}`);
      return false;
    }
    try {
      // Use the new domain options format
      const domainOptions: IDomainOptions = {
        domainName: domain,
        sslRedirect: true,
        acmeMaintenance: true
      };
      this.port80Handler.addDomain(domainOptions);
      this.logger.info(`Certificate request submitted for domain: ${domain}`);
      return true;
    } catch (error) {
      this.logger.error(`Error requesting certificate for domain ${domain}:`, error);
      return false;
    }
  }
  /**
   * Registers domains with Port80Handler for ACME certificate management
   */
  public registerDomainsWithPort80Handler(domains: string[]): void {
    if (!this.port80Handler) {
      this.logger.warn('Port80Handler is not initialized');
      return;
    }
    for (const domain of domains) {
      // Skip wildcard domains - can't get certs for these with HTTP-01 validation
      if (domain.includes('*')) {
        this.logger.info(`Skipping wildcard domain for ACME: ${domain}`);
        continue;
      }
      // Skip domains already with certificates if configured to do so
      if (this.options.acme?.skipConfiguredCerts) {
        const cachedCert = this.certificateCache.get(domain);
        if (cachedCert) {
          this.logger.info(`Skipping domain with existing certificate: ${domain}`);
          continue;
        }
      }
      // Register the domain for certificate issuance with new domain options format
      const domainOptions: IDomainOptions = {
        domainName: domain,
        sslRedirect: true,
        acmeMaintenance: true
      };
      this.port80Handler.addDomain(domainOptions);
      this.logger.info(`Registered domain for ACME certificate issuance: ${domain}`);
    }
  }
  /**
   * Initialize internal Port80Handler
   */
  public async initializePort80Handler(): Promise<Port80Handler | null> {
    // Skip if using external handler
    if (this.externalPort80Handler) {
      this.logger.info('Using external Port80Handler, skipping initialization');
      return this.port80Handler;
    }
    if (!this.options.acme?.enabled) {
      return null;
    }
    // Build and configure Port80Handler
    this.port80Handler = buildPort80Handler({
      port: this.options.acme.port,
      accountEmail: this.options.acme.accountEmail,
      useProduction: this.options.acme.useProduction,
      httpsRedirectPort: this.options.port, // Redirect to our HTTPS port
      enabled: this.options.acme.enabled,
      certificateStore: this.options.acme.certificateStore,
      skipConfiguredCerts: this.options.acme.skipConfiguredCerts
    });
    // Subscribe to Port80Handler events
    subscribeToPort80Handler(this.port80Handler, {
      onCertificateIssued: this.handleCertificateIssued.bind(this),
      onCertificateRenewed: this.handleCertificateIssued.bind(this),
      onCertificateFailed: this.handleCertificateFailed.bind(this),
      onCertificateExpiring: (data) => {
        this.logger.info(`Certificate for ${data.domain} expires in ${data.daysRemaining} days`);
      }
    });
    // Start the handler
    try {
      await this.port80Handler.start();
      this.logger.info(`Port80Handler started on port ${this.options.acme.port}`);
      return this.port80Handler;
    } catch (error) {
      this.logger.error(`Failed to start Port80Handler: ${error}`);
      this.port80Handler = null;
      return null;
    }
  }
  /**
   * Stop the Port80Handler if it was internally created
   */
  public async stopPort80Handler(): Promise<void> {
    if (this.port80Handler && !this.externalPort80Handler) {
      try {
        await this.port80Handler.stop();
        this.logger.info('Port80Handler stopped');
      } catch (error) {
        this.logger.error('Error stopping Port80Handler', error);
      }
    }
  }
 }
--- a/ts/proxies/network-proxy/connection-pool.ts
+++ b/ts/proxies/network-proxy/connection-pool.ts
@ -1,241 +0,0 @@
 import * as plugins from '../../plugins.js';
 import { type INetworkProxyOptions, type IConnectionEntry, type ILogger, createLogger } from './models/types.js';
 /**
 * Manages a pool of backend connections for efficient reuse
 */
 export class ConnectionPool {
  private connectionPool: Map<string, Array<IConnectionEntry>> = new Map();
  private roundRobinPositions: Map<string, number> = new Map();
  private logger: ILogger;
  constructor(private options: INetworkProxyOptions) {
    this.logger = createLogger(options.logLevel || 'info');
  }
  /**
   * Get a connection from the pool or create a new one
   */
  public getConnection(host: string, port: number): Promise<plugins.net.Socket> {
    return new Promise((resolve, reject) => {
      const poolKey = `${host}:${port}`;
      const connectionList = this.connectionPool.get(poolKey) || [];
      // Look for an idle connection
      const idleConnectionIndex = connectionList.findIndex(c => c.isIdle);
      if (idleConnectionIndex >= 0) {
        // Get existing connection from pool
        const connection = connectionList[idleConnectionIndex];
        connection.isIdle = false;
        connection.lastUsed = Date.now();
        this.logger.debug(`Reusing connection from pool for ${poolKey}`);
        // Update the pool
        this.connectionPool.set(poolKey, connectionList);
        resolve(connection.socket);
        return;
      }
      // No idle connection available, create a new one if pool isn't full
      const poolSize = this.options.connectionPoolSize || 50;
      if (connectionList.length < poolSize) {
        this.logger.debug(`Creating new connection to ${host}:${port}`);
        try {
          const socket = plugins.net.connect({
            host,
            port,
            keepAlive: true,
            keepAliveInitialDelay: 30000 // 30 seconds
          });
          socket.once('connect', () => {
            // Add to connection pool
            const connection = {
              socket,
              lastUsed: Date.now(),
              isIdle: false
            };
            connectionList.push(connection);
            this.connectionPool.set(poolKey, connectionList);
            // Setup cleanup when the connection is closed
            socket.once('close', () => {
              const idx = connectionList.findIndex(c => c.socket === socket);
              if (idx >= 0) {
                connectionList.splice(idx, 1);
                this.connectionPool.set(poolKey, connectionList);
                this.logger.debug(`Removed closed connection from pool for ${poolKey}`);
              }
            });
            resolve(socket);
          });
          socket.once('error', (err) => {
            this.logger.error(`Error creating connection to ${host}:${port}`, err);
            reject(err);
          });
        } catch (err) {
          this.logger.error(`Failed to create connection to ${host}:${port}`, err);
          reject(err);
        }
      } else {
        // Pool is full, wait for an idle connection or reject
        this.logger.warn(`Connection pool for ${poolKey} is full (${connectionList.length})`);
        reject(new Error(`Connection pool for ${poolKey} is full`));
      }
    });
  }
  /**
   * Return a connection to the pool for reuse
   */
  public returnConnection(socket: plugins.net.Socket, host: string, port: number): void {
    const poolKey = `${host}:${port}`;
    const connectionList = this.connectionPool.get(poolKey) || [];
    // Find this connection in the pool
    const connectionIndex = connectionList.findIndex(c => c.socket === socket);
    if (connectionIndex >= 0) {
      // Mark as idle and update last used time
      connectionList[connectionIndex].isIdle = true;
      connectionList[connectionIndex].lastUsed = Date.now();
      this.logger.debug(`Returned connection to pool for ${poolKey}`);
    } else {
      this.logger.warn(`Attempted to return unknown connection to pool for ${poolKey}`);
    }
  }
  /**
   * Cleanup the connection pool by removing idle connections
   * or reducing pool size if it exceeds the configured maximum
   */
  public cleanupConnectionPool(): void {
    const now = Date.now();
    const idleTimeout = this.options.keepAliveTimeout || 120000; // 2 minutes default
    for (const [host, connections] of this.connectionPool.entries()) {
      // Sort by last used time (oldest first)
      connections.sort((a, b) => a.lastUsed - b.lastUsed);
      // Remove idle connections older than the idle timeout
      let removed = 0;
      while (connections.length > 0) {
        const connection = connections[0];
        // Remove if idle and exceeds timeout, or if pool is too large
        if ((connection.isIdle && now - connection.lastUsed > idleTimeout) ||
            connections.length > (this.options.connectionPoolSize || 50)) {
          try {
            if (!connection.socket.destroyed) {
              connection.socket.end();
              connection.socket.destroy();
            }
          } catch (err) {
            this.logger.error(`Error destroying pooled connection to ${host}`, err);
          }
          connections.shift(); // Remove from pool
          removed++;
        } else {
          break; // Stop removing if we've reached active or recent connections
        }
      }
      if (removed > 0) {
        this.logger.debug(`Removed ${removed} idle connections from pool for ${host}, ${connections.length} remaining`);
      }
      // Update the pool with the remaining connections
      if (connections.length === 0) {
        this.connectionPool.delete(host);
      } else {
        this.connectionPool.set(host, connections);
      }
    }
  }
  /**
   * Close all connections in the pool
   */
  public closeAllConnections(): void {
    for (const [host, connections] of this.connectionPool.entries()) {
      this.logger.debug(`Closing ${connections.length} connections to ${host}`);
      for (const connection of connections) {
        try {
          if (!connection.socket.destroyed) {
            connection.socket.end();
            connection.socket.destroy();
          }
        } catch (error) {
          this.logger.error(`Error closing connection to ${host}:`, error);
        }
      }
    }
    this.connectionPool.clear();
    this.roundRobinPositions.clear();
  }
  /**
   * Get load balancing target using round-robin
   */
  public getNextTarget(targets: string[], port: number): { host: string, port: number } {
    const targetKey = targets.join(',');
    // Initialize position if not exists
    if (!this.roundRobinPositions.has(targetKey)) {
      this.roundRobinPositions.set(targetKey, 0);
    }
    // Get current position and increment for next time
    const currentPosition = this.roundRobinPositions.get(targetKey)!;
    const nextPosition = (currentPosition + 1) % targets.length;
    this.roundRobinPositions.set(targetKey, nextPosition);
    // Return the selected target
    return {
      host: targets[currentPosition],
      port
    };
  }
  /**
   * Gets the connection pool status
   */
  public getPoolStatus(): Record<string, { total: number, idle: number }> {
    return Object.fromEntries(
      Array.from(this.connectionPool.entries()).map(([host, connections]) => [
        host, 
        {
          total: connections.length, 
          idle: connections.filter(c => c.isIdle).length
        }
      ])
    );
  }
  /**
   * Setup a periodic cleanup task
   */
  public setupPeriodicCleanup(interval: number = 60000): NodeJS.Timeout {
    const timer = setInterval(() => {
      this.cleanupConnectionPool();
    }, interval);
    // Don't prevent process exit
    if (timer.unref) {
      timer.unref();
    }
    return timer;
  }
 }
--- a/ts/proxies/network-proxy/index.ts
+++ b/ts/proxies/network-proxy/index.ts
@ -1,13 +0,0 @@
 /**
 * NetworkProxy implementation
 */
 // Re-export models
 export * from './models/index.js';
 // Export NetworkProxy and supporting classes
 export { NetworkProxy } from './network-proxy.js';
 export { CertificateManager } from './certificate-manager.js';
 export { ConnectionPool } from './connection-pool.js';
 export { RequestHandler } from './request-handler.js';
 export type { IMetricsTracker, MetricsTracker } from './request-handler.js';
 export { WebSocketHandler } from './websocket-handler.js';
--- a/ts/proxies/network-proxy/models/index.ts
+++ b/ts/proxies/network-proxy/models/index.ts
@ -1,4 +0,0 @@
 /**
 * NetworkProxy models
 */
 export * from './types.js';
--- a/ts/proxies/network-proxy/models/types.ts
+++ b/ts/proxies/network-proxy/models/types.ts
@ -1,122 +0,0 @@
 import * as plugins from '../../../plugins.js';
 import type { IAcmeOptions } from '../../../certificate/models/certificate-types.js';
 /**
 * Configuration options for NetworkProxy
 */
 export interface INetworkProxyOptions {
  port: number;
  maxConnections?: number;
  keepAliveTimeout?: number;
  headersTimeout?: number;
  logLevel?: 'error' | 'warn' | 'info' | 'debug';
  cors?: {
    allowOrigin?: string;
    allowMethods?: string;
    allowHeaders?: string;
    maxAge?: number;
  };
  // Settings for SmartProxy integration
  connectionPoolSize?: number; // Maximum connections to maintain in the pool to each backend
  portProxyIntegration?: boolean; // Flag to indicate this proxy is used by SmartProxy
  useExternalPort80Handler?: boolean; // Flag to indicate using external Port80Handler
  // Protocol to use when proxying to backends: HTTP/1.x or HTTP/2
  backendProtocol?: 'http1' | 'http2';
  // ACME certificate management options
  acme?: IAcmeOptions;
 }
 /**
 * Interface for a certificate entry in the cache
 */
 export interface ICertificateEntry {
  key: string;
  cert: string;
  expires?: Date;
 }
 /**
 * Interface for reverse proxy configuration
 */
 export interface IReverseProxyConfig {
  destinationIps: string[];
  destinationPorts: number[];
  hostName: string;
  privateKey: string;
  publicKey: string;
  authentication?: {
    type: 'Basic';
    user: string;
    pass: string;
  };
  rewriteHostHeader?: boolean;
  /**
   * Protocol to use when proxying to this backend: 'http1' or 'http2'.
   * Overrides the global backendProtocol option if set.
   */
  backendProtocol?: 'http1' | 'http2';
 }
 /**
 * Interface for connection tracking in the pool
 */
 export interface IConnectionEntry {
  socket: plugins.net.Socket;
  lastUsed: number;
  isIdle: boolean;
 }
 /**
 * WebSocket with heartbeat interface
 */
 export interface IWebSocketWithHeartbeat extends plugins.wsDefault {
  lastPong: number;
  isAlive: boolean;
 }
 /**
 * Logger interface for consistent logging across components
 */
 export interface ILogger {
  debug(message: string, data?: any): void;
  info(message: string, data?: any): void;
  warn(message: string, data?: any): void;
  error(message: string, data?: any): void;
 }
 /**
 * Creates a logger based on the specified log level
 */
 export function createLogger(logLevel: string = 'info'): ILogger {
  const logLevels = {
    error: 0,
    warn: 1,
    info: 2,
    debug: 3
  };
  return {
    debug: (message: string, data?: any) => {
      if (logLevels[logLevel] >= logLevels.debug) {
        console.log(`[DEBUG] ${message}`, data || '');
      }
    },
    info: (message: string, data?: any) => {
      if (logLevels[logLevel] >= logLevels.info) {
        console.log(`[INFO] ${message}`, data || '');
      }
    },
    warn: (message: string, data?: any) => {
      if (logLevels[logLevel] >= logLevels.warn) {
        console.warn(`[WARN] ${message}`, data || '');
      }
    },
    error: (message: string, data?: any) => {
      if (logLevels[logLevel] >= logLevels.error) {
        console.error(`[ERROR] ${message}`, data || '');
      }
    }
  };
 }
--- a/ts/proxies/network-proxy/network-proxy.ts
+++ b/ts/proxies/network-proxy/network-proxy.ts
@ -1,484 +0,0 @@
 import * as plugins from '../../plugins.js';
 import {
  createLogger
 } from './models/types.js';
 import type {
  INetworkProxyOptions,
  ILogger,
  IReverseProxyConfig
 } from './models/types.js';
 import { CertificateManager } from './certificate-manager.js';
 import { ConnectionPool } from './connection-pool.js';
 import { RequestHandler, type IMetricsTracker } from './request-handler.js';
 import { WebSocketHandler } from './websocket-handler.js';
 import { ProxyRouter } from '../../http/router/index.js';
 import { Port80Handler } from '../../http/port80/port80-handler.js';
 /**
 * NetworkProxy provides a reverse proxy with TLS termination, WebSocket support,
 * automatic certificate management, and high-performance connection pooling.
 */
 export class NetworkProxy implements IMetricsTracker {
  // Provide a minimal JSON representation to avoid circular references during deep equality checks
  public toJSON(): any {
    return {};
  }
  // Configuration
  public options: INetworkProxyOptions;
  public proxyConfigs: IReverseProxyConfig[] = [];
  // Server instances (HTTP/2 with HTTP/1 fallback)
  public httpsServer: any;
  // Core components
  private certificateManager: CertificateManager;
  private connectionPool: ConnectionPool;
  private requestHandler: RequestHandler;
  private webSocketHandler: WebSocketHandler;
  private router = new ProxyRouter();
  // State tracking
  public socketMap = new plugins.lik.ObjectMap<plugins.net.Socket>();
  public activeContexts: Set<string> = new Set();
  public connectedClients: number = 0;
  public startTime: number = 0;
  public requestsServed: number = 0;
  public failedRequests: number = 0;
  // Tracking for SmartProxy integration
  private portProxyConnections: number = 0;
  private tlsTerminatedConnections: number = 0;
  // Timers
  private metricsInterval: NodeJS.Timeout;
  private connectionPoolCleanupInterval: NodeJS.Timeout;
  // Logger
  private logger: ILogger;
  /**
   * Creates a new NetworkProxy instance
   */
  constructor(optionsArg: INetworkProxyOptions) {
    // Set default options
    this.options = {
      port: optionsArg.port,
      maxConnections: optionsArg.maxConnections || 10000,
      keepAliveTimeout: optionsArg.keepAliveTimeout || 120000, // 2 minutes 
      headersTimeout: optionsArg.headersTimeout || 60000, // 1 minute
      logLevel: optionsArg.logLevel || 'info',
      cors: optionsArg.cors || {
        allowOrigin: '*',
        allowMethods: 'GET, POST, PUT, DELETE, OPTIONS',
        allowHeaders: 'Content-Type, Authorization',
        maxAge: 86400
      },
      // Defaults for SmartProxy integration
      connectionPoolSize: optionsArg.connectionPoolSize || 50,
      portProxyIntegration: optionsArg.portProxyIntegration || false,
      useExternalPort80Handler: optionsArg.useExternalPort80Handler || false,
      // Backend protocol (http1 or http2)
      backendProtocol: optionsArg.backendProtocol || 'http1',
      // Default ACME options
      acme: {
        enabled: optionsArg.acme?.enabled || false,
        port: optionsArg.acme?.port || 80,
        accountEmail: optionsArg.acme?.accountEmail || 'admin@example.com',
        useProduction: optionsArg.acme?.useProduction || false, // Default to staging for safety
        renewThresholdDays: optionsArg.acme?.renewThresholdDays || 30,
        autoRenew: optionsArg.acme?.autoRenew !== false, // Default to true
        certificateStore: optionsArg.acme?.certificateStore || './certs',
        skipConfiguredCerts: optionsArg.acme?.skipConfiguredCerts || false
      }
    };
    // Initialize logger
    this.logger = createLogger(this.options.logLevel);
    // Initialize components
    this.certificateManager = new CertificateManager(this.options);
    this.connectionPool = new ConnectionPool(this.options);
    this.requestHandler = new RequestHandler(this.options, this.connectionPool, this.router);
    this.webSocketHandler = new WebSocketHandler(this.options, this.connectionPool, this.router);
    // Connect request handler to this metrics tracker
    this.requestHandler.setMetricsTracker(this);
  }
  /**
   * Implements IMetricsTracker interface to increment request counters
   */
  public incrementRequestsServed(): void {
    this.requestsServed++;
  }
  /**
   * Implements IMetricsTracker interface to increment failed request counters
   */
  public incrementFailedRequests(): void {
    this.failedRequests++;
  }
  /**
   * Returns the port number this NetworkProxy is listening on
   * Useful for SmartProxy to determine where to forward connections
   */
  public getListeningPort(): number {
    return this.options.port;
  }
  /**
   * Updates the server capacity settings
   * @param maxConnections Maximum number of simultaneous connections
   * @param keepAliveTimeout Keep-alive timeout in milliseconds
   * @param connectionPoolSize Size of the connection pool per backend
   */
  public updateCapacity(maxConnections?: number, keepAliveTimeout?: number, connectionPoolSize?: number): void {
    if (maxConnections !== undefined) {
      this.options.maxConnections = maxConnections;
      this.logger.info(`Updated max connections to ${maxConnections}`);
    }
    if (keepAliveTimeout !== undefined) {
      this.options.keepAliveTimeout = keepAliveTimeout;
      if (this.httpsServer) {
        this.httpsServer.keepAliveTimeout = keepAliveTimeout;
        this.logger.info(`Updated keep-alive timeout to ${keepAliveTimeout}ms`);
      }
    }
    if (connectionPoolSize !== undefined) {
      this.options.connectionPoolSize = connectionPoolSize;
      this.logger.info(`Updated connection pool size to ${connectionPoolSize}`);
      // Clean up excess connections in the pool
      this.connectionPool.cleanupConnectionPool();
    }
  }
  /**
   * Returns current server metrics
   * Useful for SmartProxy to determine which NetworkProxy to use for load balancing
   */
  public getMetrics(): any {
    return {
      activeConnections: this.connectedClients,
      totalRequests: this.requestsServed,
      failedRequests: this.failedRequests,
      portProxyConnections: this.portProxyConnections,
      tlsTerminatedConnections: this.tlsTerminatedConnections,
      connectionPoolSize: this.connectionPool.getPoolStatus(),
      uptime: Math.floor((Date.now() - this.startTime) / 1000),
      memoryUsage: process.memoryUsage(),
      activeWebSockets: this.webSocketHandler.getConnectionInfo().activeConnections
    };
  }
  /**
   * Sets an external Port80Handler for certificate management
   * This allows the NetworkProxy to use a centrally managed Port80Handler
   * instead of creating its own
   * 
   * @param handler The Port80Handler instance to use
   */
  public setExternalPort80Handler(handler: Port80Handler): void {
    // Connect it to the certificate manager
    this.certificateManager.setExternalPort80Handler(handler);
  }
  /**
   * Starts the proxy server
   */
  public async start(): Promise<void> {
    this.startTime = Date.now();
    // Initialize Port80Handler if enabled and not using external handler
    if (this.options.acme?.enabled && !this.options.useExternalPort80Handler) {
      await this.certificateManager.initializePort80Handler();
    }
    // Create HTTP/2 server with HTTP/1 fallback
    this.httpsServer = plugins.http2.createSecureServer(
      {
        key: this.certificateManager.getDefaultCertificates().key,
        cert: this.certificateManager.getDefaultCertificates().cert,
        allowHTTP1: true,
        ALPNProtocols: ['h2', 'http/1.1']
      }
    );
    // Track raw TCP connections for metrics and limits
    this.setupConnectionTracking();
    // Handle incoming HTTP/2 streams
    this.httpsServer.on('stream', (stream: any, headers: any) => {
      this.requestHandler.handleHttp2(stream, headers);
    });
    // Handle HTTP/1.x fallback requests
    this.httpsServer.on('request', (req: any, res: any) => {
      this.requestHandler.handleRequest(req, res);
    });
    // Share server with certificate manager for dynamic contexts
    this.certificateManager.setHttpsServer(this.httpsServer);
    // Setup WebSocket support on HTTP/1 fallback
    this.webSocketHandler.initialize(this.httpsServer);
    // Start metrics logging
    this.setupMetricsCollection();
    // Start periodic connection pool cleanup
    this.connectionPoolCleanupInterval = this.connectionPool.setupPeriodicCleanup();
    // Start the server
    return new Promise((resolve) => {
      this.httpsServer.listen(this.options.port, () => {
        this.logger.info(`NetworkProxy started on port ${this.options.port}`);
        resolve();
      });
    });
  }
  /**
   * Sets up tracking of TCP connections
   */
  private setupConnectionTracking(): void {
    this.httpsServer.on('connection', (connection: plugins.net.Socket) => {
      // Check if max connections reached
      if (this.socketMap.getArray().length >= this.options.maxConnections) {
        this.logger.warn(`Max connections (${this.options.maxConnections}) reached, rejecting new connection`);
        connection.destroy();
        return;
      }
      // Add connection to tracking
      this.socketMap.add(connection);
      this.connectedClients = this.socketMap.getArray().length;
      // Check for connection from SmartProxy by inspecting the source port
      const localPort = connection.localPort || 0;
      const remotePort = connection.remotePort || 0;
      // If this connection is from a SmartProxy (usually indicated by it coming from localhost)
      if (this.options.portProxyIntegration && connection.remoteAddress?.includes('127.0.0.1')) {
        this.portProxyConnections++;
        this.logger.debug(`New connection from SmartProxy (local: ${localPort}, remote: ${remotePort})`);
      } else {
        this.logger.debug(`New direct connection (local: ${localPort}, remote: ${remotePort})`);
      }
      // Setup connection cleanup handlers
      const cleanupConnection = () => {
        if (this.socketMap.checkForObject(connection)) {
          this.socketMap.remove(connection);
          this.connectedClients = this.socketMap.getArray().length;
          // If this was a SmartProxy connection, decrement the counter
          if (this.options.portProxyIntegration && connection.remoteAddress?.includes('127.0.0.1')) {
            this.portProxyConnections--;
          }
          this.logger.debug(`Connection closed. ${this.connectedClients} connections remaining`);
        }
      };
      connection.on('close', cleanupConnection);
      connection.on('error', (err) => {
        this.logger.debug('Connection error', err);
        cleanupConnection();
      });
      connection.on('end', cleanupConnection);
    });
    // Track TLS handshake completions
    this.httpsServer.on('secureConnection', (tlsSocket) => {
      this.tlsTerminatedConnections++;
      this.logger.debug('TLS handshake completed, connection secured');
    });
  }
  /**
   * Sets up metrics collection 
   */
  private setupMetricsCollection(): void {
    this.metricsInterval = setInterval(() => {
      const uptime = Math.floor((Date.now() - this.startTime) / 1000);
      const metrics = {
        uptime,
        activeConnections: this.connectedClients,
        totalRequests: this.requestsServed,
        failedRequests: this.failedRequests,
        portProxyConnections: this.portProxyConnections,
        tlsTerminatedConnections: this.tlsTerminatedConnections,
        activeWebSockets: this.webSocketHandler.getConnectionInfo().activeConnections,
        memoryUsage: process.memoryUsage(),
        activeContexts: Array.from(this.activeContexts),
        connectionPool: this.connectionPool.getPoolStatus()
      };
      this.logger.debug('Proxy metrics', metrics);
    }, 60000); // Log metrics every minute
    // Don't keep process alive just for metrics
    if (this.metricsInterval.unref) {
      this.metricsInterval.unref();
    }
  }
  /**
   * Updates proxy configurations
   */
  public async updateProxyConfigs(
    proxyConfigsArg: IReverseProxyConfig[]
  ): Promise<void> {
    this.logger.info(`Updating proxy configurations (${proxyConfigsArg.length} configs)`);
    // Update internal configs
    this.proxyConfigs = proxyConfigsArg;
    this.router.setNewProxyConfigs(proxyConfigsArg);
    // Collect all hostnames for cleanup later
    const currentHostNames = new Set<string>();
    // Add/update SSL contexts for each host
    for (const config of proxyConfigsArg) {
      currentHostNames.add(config.hostName);
      try {
        // Update certificate in cache
        this.certificateManager.updateCertificateCache(
          config.hostName,
          config.publicKey,
          config.privateKey
        );
        this.activeContexts.add(config.hostName);
      } catch (error) {
        this.logger.error(`Failed to add SSL context for ${config.hostName}`, error);
      }
    }
    // Clean up removed contexts
    for (const hostname of this.activeContexts) {
      if (!currentHostNames.has(hostname)) {
        this.logger.info(`Hostname ${hostname} removed from configuration`);
        this.activeContexts.delete(hostname);
      }
    }
    // Register domains with Port80Handler if available
    const domainsForACME = Array.from(currentHostNames)
      .filter(domain => !domain.includes('*')); // Skip wildcard domains
    this.certificateManager.registerDomainsWithPort80Handler(domainsForACME);
  }
  /**
   * Converts SmartProxy domain configurations to NetworkProxy configs
   * @param domainConfigs SmartProxy domain configs
   * @param sslKeyPair Default SSL key pair to use if not specified
   * @returns Array of NetworkProxy configs
   */
  public convertSmartProxyConfigs(
    domainConfigs: Array<{
      domains: string[];
      targetIPs?: string[];
      allowedIPs?: string[];
    }>,
    sslKeyPair?: { key: string; cert: string }
  ): IReverseProxyConfig[] {
    const proxyConfigs: IReverseProxyConfig[] = [];
    // Use default certificates if not provided
    const defaultCerts = this.certificateManager.getDefaultCertificates();
    const sslKey = sslKeyPair?.key || defaultCerts.key;
    const sslCert = sslKeyPair?.cert || defaultCerts.cert;
    for (const domainConfig of domainConfigs) {
      // Each domain in the domains array gets its own config
      for (const domain of domainConfig.domains) {
        // Skip non-hostname patterns (like IP addresses)
        if (domain.match(/^\d+\.\d+\.\d+\.\d+$/) || domain === '*' || domain === 'localhost') {
          continue;
        }
        proxyConfigs.push({
          hostName: domain,
          destinationIps: domainConfig.targetIPs || ['localhost'],
          destinationPorts: [this.options.port], // Use the NetworkProxy port
          privateKey: sslKey,
          publicKey: sslCert
        });
      }
    }
    this.logger.info(`Converted ${domainConfigs.length} SmartProxy configs to ${proxyConfigs.length} NetworkProxy configs`);
    return proxyConfigs;
  }
  /**
   * Adds default headers to be included in all responses
   */
  public async addDefaultHeaders(headersArg: { [key: string]: string }): Promise<void> {
    this.logger.info('Adding default headers', headersArg);
    this.requestHandler.setDefaultHeaders(headersArg);
  }
  /**
   * Stops the proxy server
   */
  public async stop(): Promise<void> {
    this.logger.info('Stopping NetworkProxy server');
    // Clear intervals
    if (this.metricsInterval) {
      clearInterval(this.metricsInterval);
    }
    if (this.connectionPoolCleanupInterval) {
      clearInterval(this.connectionPoolCleanupInterval);
    }
    // Stop WebSocket handler
    this.webSocketHandler.shutdown();
    // Close all tracked sockets
    for (const socket of this.socketMap.getArray()) {
      try {
        socket.destroy();
      } catch (error) {
        this.logger.error('Error destroying socket', error);
      }
    }
    // Close all connection pool connections
    this.connectionPool.closeAllConnections();
    // Stop Port80Handler if internally managed
    await this.certificateManager.stopPort80Handler();
    // Close the HTTPS server
    return new Promise((resolve) => {
      this.httpsServer.close(() => {
        this.logger.info('NetworkProxy server stopped successfully');
        resolve();
      });
    });
  }
  /**
   * Requests a new certificate for a domain
   * This can be used to manually trigger certificate issuance
   * @param domain The domain to request a certificate for
   * @returns A promise that resolves when the request is submitted (not when the certificate is issued)
   */
  public async requestCertificate(domain: string): Promise<boolean> {
    return this.certificateManager.requestCertificate(domain);
  }
  /**
   * Gets all proxy configurations currently in use
   */
  public getProxyConfigs(): IReverseProxyConfig[] {
    return [...this.proxyConfigs];
  }
 }
--- a/ts/proxies/network-proxy/request-handler.ts
+++ b/ts/proxies/network-proxy/request-handler.ts
@ -1,463 +0,0 @@
 import * as plugins from '../../plugins.js';
 import { type INetworkProxyOptions, type ILogger, createLogger, type IReverseProxyConfig } from './models/types.js';
 import { ConnectionPool } from './connection-pool.js';
 import { ProxyRouter } from '../../http/router/index.js';
 /**
 * Interface for tracking metrics
 */
 export interface IMetricsTracker {
  incrementRequestsServed(): void;
  incrementFailedRequests(): void;
 }
 // Backward compatibility
 export type MetricsTracker = IMetricsTracker;
 /**
 * Handles HTTP request processing and proxying
 */
 export class RequestHandler {
  private defaultHeaders: { [key: string]: string } = {};
  private logger: ILogger;
  private metricsTracker: IMetricsTracker | null = null;
  // HTTP/2 client sessions for backend proxying
  private h2Sessions: Map<string, plugins.http2.ClientHttp2Session> = new Map();
  constructor(
    private options: INetworkProxyOptions,
    private connectionPool: ConnectionPool,
    private router: ProxyRouter
  ) {
    this.logger = createLogger(options.logLevel || 'info');
  }
  /**
   * Set the metrics tracker instance
   */
  public setMetricsTracker(tracker: IMetricsTracker): void {
    this.metricsTracker = tracker;
  }
  /**
   * Set default headers to be included in all responses
   */
  public setDefaultHeaders(headers: { [key: string]: string }): void {
    this.defaultHeaders = {
      ...this.defaultHeaders,
      ...headers
    };
    this.logger.info('Updated default response headers');
  }
  /**
   * Get all default headers
   */
  public getDefaultHeaders(): { [key: string]: string } {
    return { ...this.defaultHeaders };
  }
  /**
   * Apply CORS headers to response if configured
   */
  private applyCorsHeaders(
    res: plugins.http.ServerResponse, 
    req: plugins.http.IncomingMessage
  ): void {
    if (!this.options.cors) {
      return;
    }
    // Apply CORS headers
    if (this.options.cors.allowOrigin) {
      res.setHeader('Access-Control-Allow-Origin', this.options.cors.allowOrigin);
    }
    if (this.options.cors.allowMethods) {
      res.setHeader('Access-Control-Allow-Methods', this.options.cors.allowMethods);
    }
    if (this.options.cors.allowHeaders) {
      res.setHeader('Access-Control-Allow-Headers', this.options.cors.allowHeaders);
    }
    if (this.options.cors.maxAge) {
      res.setHeader('Access-Control-Max-Age', this.options.cors.maxAge.toString());
    }
    // Handle CORS preflight requests
    if (req.method === 'OPTIONS') {
      res.statusCode = 204; // No content
      res.end();
      return;
    }
  }
  /**
   * Apply default headers to response
   */
  private applyDefaultHeaders(res: plugins.http.ServerResponse): void {
    // Apply default headers
    for (const [key, value] of Object.entries(this.defaultHeaders)) {
      if (!res.hasHeader(key)) {
        res.setHeader(key, value);
      }
    }
    // Add server identifier if not already set
    if (!res.hasHeader('Server')) {
      res.setHeader('Server', 'NetworkProxy');
    }
  }
  /**
   * Handle an HTTP request
   */
  public async handleRequest(
    req: plugins.http.IncomingMessage,
    res: plugins.http.ServerResponse
  ): Promise<void> {
    // Record start time for logging
    const startTime = Date.now();
    // Apply CORS headers if configured
    this.applyCorsHeaders(res, req);
    // If this is an OPTIONS request, the response has already been ended in applyCorsHeaders
    // so we should return early to avoid trying to set more headers
    if (req.method === 'OPTIONS') {
      // Increment metrics for OPTIONS requests too
      if (this.metricsTracker) {
        this.metricsTracker.incrementRequestsServed();
      }
      return;
    }
    // Apply default headers
    this.applyDefaultHeaders(res);
    // Determine routing configuration
    let proxyConfig: IReverseProxyConfig | undefined;
    try {
      proxyConfig = this.router.routeReq(req);
    } catch (err) {
      this.logger.error('Error routing request', err);
      res.statusCode = 500;
      res.end('Internal Server Error');
      if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
      return;
    }
    if (!proxyConfig) {
      this.logger.warn(`No proxy configuration for host: ${req.headers.host}`);
      res.statusCode = 404;
      res.end('Not Found: No proxy configuration for this host');
      if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
      return;
    }
    // Determine protocol to backend (per-domain override or global)
    const backendProto = proxyConfig.backendProtocol || this.options.backendProtocol;
    if (backendProto === 'http2') {
      const destination = this.connectionPool.getNextTarget(
        proxyConfig.destinationIps,
        proxyConfig.destinationPorts[0]
      );
      const key = `${destination.host}:${destination.port}`;
      let session = this.h2Sessions.get(key);
      if (!session || session.closed || (session as any).destroyed) {
        session = plugins.http2.connect(`http://${destination.host}:${destination.port}`);
        this.h2Sessions.set(key, session);
        session.on('error', () => this.h2Sessions.delete(key));
        session.on('close', () => this.h2Sessions.delete(key));
      }
      // Build headers for HTTP/2 request
      const hdrs: Record<string, any> = {
        ':method': req.method,
        ':path': req.url,
        ':authority': `${destination.host}:${destination.port}`
      };
      for (const [hk, hv] of Object.entries(req.headers)) {
        if (typeof hv === 'string') hdrs[hk] = hv;
      }
      const h2Stream = session.request(hdrs);
      req.pipe(h2Stream);
      h2Stream.on('response', (hdrs2: any) => {
        const status = (hdrs2[':status'] as number) || 502;
        res.statusCode = status;
        // Copy headers from HTTP/2 response to HTTP/1 response
        for (const [hk, hv] of Object.entries(hdrs2)) {
          if (!hk.startsWith(':') && hv != null) {
            res.setHeader(hk, hv as string | string[]);
          }
        }
        h2Stream.pipe(res);
      });
      h2Stream.on('error', (err) => {
        res.statusCode = 502;
        res.end(`Bad Gateway: ${err.message}`);
        if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
      });
      return;
    }
    try {
      // Find target based on hostname
      const proxyConfig = this.router.routeReq(req);
      if (!proxyConfig) {
        // No matching proxy configuration
        this.logger.warn(`No proxy configuration for host: ${req.headers.host}`);
        res.statusCode = 404;
        res.end('Not Found: No proxy configuration for this host');
        // Increment failed requests counter
        if (this.metricsTracker) {
          this.metricsTracker.incrementFailedRequests();
        }
        return;
      }
      // Get destination IP using round-robin if multiple IPs configured
      const destination = this.connectionPool.getNextTarget(
        proxyConfig.destinationIps, 
        proxyConfig.destinationPorts[0]
      );
      // Create options for the proxy request
      const options: plugins.http.RequestOptions = {
        hostname: destination.host,
        port: destination.port,
        path: req.url,
        method: req.method,
        headers: { ...req.headers }
      };
      // Remove host header to avoid issues with virtual hosts on target server
      // The host header should match the target server's expected hostname
      if (options.headers && options.headers.host) {
        if ((proxyConfig as IReverseProxyConfig).rewriteHostHeader) {
          options.headers.host = `${destination.host}:${destination.port}`;
        }
      }
      this.logger.debug(
        `Proxying request to ${destination.host}:${destination.port}${req.url}`,
        { method: req.method }
      );
      // Create proxy request
      const proxyReq = plugins.http.request(options, (proxyRes) => {
        // Copy status code
        res.statusCode = proxyRes.statusCode || 500;
        // Copy headers from proxy response to client response
        for (const [key, value] of Object.entries(proxyRes.headers)) {
          if (value !== undefined) {
            res.setHeader(key, value);
          }
        }
        // Pipe proxy response to client response
        proxyRes.pipe(res);
        // Increment served requests counter when the response finishes
        res.on('finish', () => {
          if (this.metricsTracker) {
            this.metricsTracker.incrementRequestsServed();
          }
          // Log the completed request
          const duration = Date.now() - startTime;
          this.logger.debug(
            `Request completed in ${duration}ms: ${req.method} ${req.url} ${res.statusCode}`,
            { duration, statusCode: res.statusCode }
          );
        });
      });
      // Handle proxy request errors
      proxyReq.on('error', (error) => {
        const duration = Date.now() - startTime;
        this.logger.error(
          `Proxy error for ${req.method} ${req.url}: ${error.message}`,
          { duration, error: error.message }
        );
        // Increment failed requests counter
        if (this.metricsTracker) {
          this.metricsTracker.incrementFailedRequests();
        }
        // Check if headers have already been sent
        if (!res.headersSent) {
          res.statusCode = 502;
          res.end(`Bad Gateway: ${error.message}`);
        } else {
          // If headers already sent, just close the connection
          res.end();
        }
      });
      // Pipe request body to proxy request and handle client-side errors
      req.pipe(proxyReq);
      // Handle client disconnection
      req.on('error', (error) => {
        this.logger.debug(`Client connection error: ${error.message}`);
        proxyReq.destroy();
        // Increment failed requests counter on client errors
        if (this.metricsTracker) {
          this.metricsTracker.incrementFailedRequests();
        }
      });
      // Handle response errors
      res.on('error', (error) => {
        this.logger.debug(`Response error: ${error.message}`);
        proxyReq.destroy();
        // Increment failed requests counter on response errors
        if (this.metricsTracker) {
          this.metricsTracker.incrementFailedRequests();
        }
      });
    } catch (error) {
      // Handle any unexpected errors
      this.logger.error(
        `Unexpected error handling request: ${error.message}`,
        { error: error.stack }
      );
      // Increment failed requests counter
      if (this.metricsTracker) {
        this.metricsTracker.incrementFailedRequests();
      }
      if (!res.headersSent) {
        res.statusCode = 500;
        res.end('Internal Server Error');
      } else {
        res.end();
      }
    }
  }
  /**
   * Handle HTTP/2 stream requests by proxying to HTTP/1 backends
   */
  public async handleHttp2(stream: any, headers: any): Promise<void> {
    const startTime = Date.now();
    const method = headers[':method'] || 'GET';
    const path = headers[':path'] || '/';
    // If configured to proxy to backends over HTTP/2, use HTTP/2 client sessions
    if (this.options.backendProtocol === 'http2') {
      const authority = headers[':authority'] as string || '';
      const host = authority.split(':')[0];
      const fakeReq: any = { headers: { host }, method: headers[':method'], url: headers[':path'], socket: (stream.session as any).socket };
      const proxyConfig = this.router.routeReq(fakeReq);
      if (!proxyConfig) {
        stream.respond({ ':status': 404 });
        stream.end('Not Found');
        if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
        return;
      }
      const destination = this.connectionPool.getNextTarget(proxyConfig.destinationIps, proxyConfig.destinationPorts[0]);
      const key = `${destination.host}:${destination.port}`;
      let session = this.h2Sessions.get(key);
      if (!session || session.closed || (session as any).destroyed) {
        session = plugins.http2.connect(`http://${destination.host}:${destination.port}`);
        this.h2Sessions.set(key, session);
        session.on('error', () => this.h2Sessions.delete(key));
        session.on('close', () => this.h2Sessions.delete(key));
      }
      // Build headers for backend HTTP/2 request
      const h2Headers: Record<string, any> = {
        ':method': headers[':method'],
        ':path': headers[':path'],
        ':authority': `${destination.host}:${destination.port}`
      };
      for (const [k, v] of Object.entries(headers)) {
        if (!k.startsWith(':') && typeof v === 'string') {
          h2Headers[k] = v;
        }
      }
      const h2Stream2 = session.request(h2Headers);
      stream.pipe(h2Stream2);
      h2Stream2.on('response', (hdrs: any) => {
        // Map status and headers to client
        const resp: Record<string, any> = { ':status': hdrs[':status'] as number };
        for (const [hk, hv] of Object.entries(hdrs)) {
          if (!hk.startsWith(':') && hv) resp[hk] = hv;
        }
        stream.respond(resp);
        h2Stream2.pipe(stream);
      });
      h2Stream2.on('error', (err) => {
        stream.respond({ ':status': 502 });
        stream.end(`Bad Gateway: ${err.message}`);
        if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
      });
      return;
    }
    try {
      // Determine host for routing
      const authority = headers[':authority'] as string || '';
      const host = authority.split(':')[0];
      // Fake request object for routing
      const fakeReq: any = { headers: { host }, method, url: path, socket: (stream.session as any).socket };
      const proxyConfig = this.router.routeReq(fakeReq as any);
      if (!proxyConfig) {
        stream.respond({ ':status': 404 });
        stream.end('Not Found');
        if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
        return;
      }
      // Select backend target
      const destination = this.connectionPool.getNextTarget(
        proxyConfig.destinationIps,
        proxyConfig.destinationPorts[0]
      );
      // Build headers for HTTP/1 proxy
      const outboundHeaders: Record<string,string> = {};
      for (const [key, value] of Object.entries(headers)) {
        if (typeof key === 'string' && typeof value === 'string' && !key.startsWith(':')) {
          outboundHeaders[key] = value;
        }
      }
      if (outboundHeaders.host && (proxyConfig as IReverseProxyConfig).rewriteHostHeader) {
        outboundHeaders.host = `${destination.host}:${destination.port}`;
      }
      // Create HTTP/1 proxy request
      const proxyReq = plugins.http.request(
        { hostname: destination.host, port: destination.port, path, method, headers: outboundHeaders },
        (proxyRes) => {
          // Map status and headers back to HTTP/2
          const responseHeaders: Record<string, number|string|string[]> = {};
          for (const [k, v] of Object.entries(proxyRes.headers)) {
            if (v !== undefined) {
              responseHeaders[k] = v as string | string[];
            }
          }
          stream.respond({ ':status': proxyRes.statusCode || 500, ...responseHeaders });
          proxyRes.pipe(stream);
          stream.on('close', () => proxyReq.destroy());
          stream.on('error', () => proxyReq.destroy());
          if (this.metricsTracker) stream.on('end', () => this.metricsTracker.incrementRequestsServed());
        }
      );
      proxyReq.on('error', (err) => {
        stream.respond({ ':status': 502 });
        stream.end(`Bad Gateway: ${err.message}`);
        if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
      });
      // Pipe client stream to backend
      stream.pipe(proxyReq);
    } catch (err: any) {
      stream.respond({ ':status': 500 });
      stream.end('Internal Server Error');
      if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
    }
  }
 }
--- a/ts/proxies/network-proxy/websocket-handler.ts
+++ b/ts/proxies/network-proxy/websocket-handler.ts
@ -1,226 +0,0 @@
 import * as plugins from '../../plugins.js';
 import { type INetworkProxyOptions, type IWebSocketWithHeartbeat, type ILogger, createLogger, type IReverseProxyConfig } from './models/types.js';
 import { ConnectionPool } from './connection-pool.js';
 import { ProxyRouter } from '../../http/router/index.js';
 /**
 * Handles WebSocket connections and proxying
 */
 export class WebSocketHandler {
  private heartbeatInterval: NodeJS.Timeout | null = null;
  private wsServer: plugins.ws.WebSocketServer | null = null;
  private logger: ILogger;
  constructor(
    private options: INetworkProxyOptions,
    private connectionPool: ConnectionPool,
    private router: ProxyRouter
  ) {
    this.logger = createLogger(options.logLevel || 'info');
  }
  /**
   * Initialize WebSocket server on an existing HTTPS server
   */
  public initialize(server: plugins.https.Server): void {
    // Create WebSocket server
    this.wsServer = new plugins.ws.WebSocketServer({ 
      server: server,
      clientTracking: true
    });
    // Handle WebSocket connections
    this.wsServer.on('connection', (wsIncoming: IWebSocketWithHeartbeat, req: plugins.http.IncomingMessage) => {
      this.handleWebSocketConnection(wsIncoming, req);
    });
    // Start the heartbeat interval
    this.startHeartbeat();
    this.logger.info('WebSocket handler initialized');
  }
  /**
   * Start the heartbeat interval to check for inactive WebSocket connections
   */
  private startHeartbeat(): void {
    // Clean up existing interval if any
    if (this.heartbeatInterval) {
      clearInterval(this.heartbeatInterval);
    }
    // Set up the heartbeat interval (check every 30 seconds)
    this.heartbeatInterval = setInterval(() => {
      if (!this.wsServer || this.wsServer.clients.size === 0) {
        return; // Skip if no active connections
      }
      this.logger.debug(`WebSocket heartbeat check for ${this.wsServer.clients.size} clients`);
      this.wsServer.clients.forEach((ws: plugins.wsDefault) => {
        const wsWithHeartbeat = ws as IWebSocketWithHeartbeat;
        if (wsWithHeartbeat.isAlive === false) {
          this.logger.debug('Terminating inactive WebSocket connection');
          return wsWithHeartbeat.terminate();
        }
        wsWithHeartbeat.isAlive = false;
        wsWithHeartbeat.ping();
      });
    }, 30000);
    // Make sure the interval doesn't keep the process alive
    if (this.heartbeatInterval.unref) {
      this.heartbeatInterval.unref();
    }
  }
  /**
   * Handle a new WebSocket connection
   */
  private handleWebSocketConnection(wsIncoming: IWebSocketWithHeartbeat, req: plugins.http.IncomingMessage): void {
    try {
      // Initialize heartbeat tracking
      wsIncoming.isAlive = true;
      wsIncoming.lastPong = Date.now();
      // Handle pong messages to track liveness
      wsIncoming.on('pong', () => {
        wsIncoming.isAlive = true;
        wsIncoming.lastPong = Date.now();
      });
      // Find target configuration based on request
      const proxyConfig = this.router.routeReq(req);
      if (!proxyConfig) {
        this.logger.warn(`No proxy configuration for WebSocket host: ${req.headers.host}`);
        wsIncoming.close(1008, 'No proxy configuration for this host');
        return;
      }
      // Get destination target using round-robin if multiple targets
      const destination = this.connectionPool.getNextTarget(
        proxyConfig.destinationIps, 
        proxyConfig.destinationPorts[0]
      );
      // Build target URL
      const protocol = (req.socket as any).encrypted ? 'wss' : 'ws';
      const targetUrl = `${protocol}://${destination.host}:${destination.port}${req.url}`;
      this.logger.debug(`WebSocket connection from ${req.socket.remoteAddress} to ${targetUrl}`);
      // Create headers for outgoing WebSocket connection
      const headers: { [key: string]: string } = {};
      // Copy relevant headers from incoming request
      for (const [key, value] of Object.entries(req.headers)) {
        if (value && typeof value === 'string' && 
            key.toLowerCase() !== 'connection' && 
            key.toLowerCase() !== 'upgrade' &&
            key.toLowerCase() !== 'sec-websocket-key' &&
            key.toLowerCase() !== 'sec-websocket-version') {
          headers[key] = value;
        }
      }
      // Override host header if needed
      if ((proxyConfig as IReverseProxyConfig).rewriteHostHeader) {
        headers['host'] = `${destination.host}:${destination.port}`;
      }
      // Create outgoing WebSocket connection
      const wsOutgoing = new plugins.wsDefault(targetUrl, {
        headers: headers,
        followRedirects: true
      });
      // Handle connection errors
      wsOutgoing.on('error', (err) => {
        this.logger.error(`WebSocket target connection error: ${err.message}`);
        if (wsIncoming.readyState === wsIncoming.OPEN) {
          wsIncoming.close(1011, 'Internal server error');
        }
      });
      // Handle outgoing connection open
      wsOutgoing.on('open', () => {
        // Forward incoming messages to outgoing connection
        wsIncoming.on('message', (data, isBinary) => {
          if (wsOutgoing.readyState === wsOutgoing.OPEN) {
            wsOutgoing.send(data, { binary: isBinary });
          }
        });
        // Forward outgoing messages to incoming connection
        wsOutgoing.on('message', (data, isBinary) => {
          if (wsIncoming.readyState === wsIncoming.OPEN) {
            wsIncoming.send(data, { binary: isBinary });
          }
        });
        // Handle closing of connections
        wsIncoming.on('close', (code, reason) => {
          this.logger.debug(`WebSocket client connection closed: ${code} ${reason}`);
          if (wsOutgoing.readyState === wsOutgoing.OPEN) {
            wsOutgoing.close(code, reason);
          }
        });
        wsOutgoing.on('close', (code, reason) => {
          this.logger.debug(`WebSocket target connection closed: ${code} ${reason}`);
          if (wsIncoming.readyState === wsIncoming.OPEN) {
            wsIncoming.close(code, reason);
          }
        });
        this.logger.debug(`WebSocket connection established: ${req.headers.host} -> ${destination.host}:${destination.port}`);
      });
    } catch (error) {
      this.logger.error(`Error handling WebSocket connection: ${error.message}`);
      if (wsIncoming.readyState === wsIncoming.OPEN) {
        wsIncoming.close(1011, 'Internal server error');
      }
    }
  }
  /**
   * Get information about active WebSocket connections
   */
  public getConnectionInfo(): { activeConnections: number } {
    return {
      activeConnections: this.wsServer ? this.wsServer.clients.size : 0
    };
  }
  /**
   * Shutdown the WebSocket handler
   */
  public shutdown(): void {
    // Stop heartbeat interval
    if (this.heartbeatInterval) {
      clearInterval(this.heartbeatInterval);
      this.heartbeatInterval = null;
    }
    // Close all WebSocket connections
    if (this.wsServer) {
      this.logger.info(`Closing ${this.wsServer.clients.size} WebSocket connections`);
      for (const client of this.wsServer.clients) {
        try {
          client.terminate();
        } catch (error) {
          this.logger.error('Error terminating WebSocket client', error);
        }
      }
      // Close the server
      this.wsServer.close();
      this.wsServer = null;
    }
  }
 }
--- a/ts/proxies/nftables-proxy/index.ts
+++ b/ts/proxies/nftables-proxy/index.ts
@ -1,5 +0,0 @@
 /**
 * NfTablesProxy implementation
 */
 export * from './nftables-proxy.js';
 export * from './models/index.js';
--- a/ts/proxies/nftables-proxy/models/errors.ts
+++ b/ts/proxies/nftables-proxy/models/errors.ts
@ -1,30 +0,0 @@
 /**
 * Custom error classes for better error handling
 */
 export class NftBaseError extends Error {
  constructor(message: string) {
    super(message);
    this.name = 'NftBaseError';
  }
 }
 export class NftValidationError extends NftBaseError {
  constructor(message: string) {
    super(message);
    this.name = 'NftValidationError';
  }
 }
 export class NftExecutionError extends NftBaseError {
  constructor(message: string) {
    super(message);
    this.name = 'NftExecutionError';
  }
 }
 export class NftResourceError extends NftBaseError {
  constructor(message: string) {
    super(message);
    this.name = 'NftResourceError';
  }
 }
--- a/ts/proxies/nftables-proxy/models/index.ts
+++ b/ts/proxies/nftables-proxy/models/index.ts
@ -1,5 +0,0 @@
 /**
 * Export all models
 */
 export * from './interfaces.js';
 export * from './errors.js';
--- a/ts/proxies/nftables-proxy/models/interfaces.ts
+++ b/ts/proxies/nftables-proxy/models/interfaces.ts
@ -1,94 +0,0 @@
 /**
 * Interfaces for NfTablesProxy
 */
 /**
 * Represents a port range for forwarding
 */
 export interface PortRange {
  from: number;
  to: number;
 }
 // Legacy interface name for backward compatibility
 export type IPortRange = PortRange;
 /**
 * Settings for NfTablesProxy.
 */
 export interface NfTableProxyOptions {
  // Basic settings
  fromPort: number | PortRange | Array<number | PortRange>; // Support single port, port range, or multiple ports/ranges
  toPort: number | PortRange | Array<number | PortRange>;
  toHost?: string; // Target host for proxying; defaults to 'localhost'
  // Advanced settings
  preserveSourceIP?: boolean; // If true, the original source IP is preserved
  deleteOnExit?: boolean;     // If true, clean up rules before process exit
  protocol?: 'tcp' | 'udp' | 'all'; // Protocol to forward, defaults to 'tcp'
  enableLogging?: boolean;    // Enable detailed logging
  ipv6Support?: boolean;      // Enable IPv6 support
  logFormat?: 'plain' | 'json'; // Format for logs
  // Source filtering
  allowedSourceIPs?: string[]; // If provided, only these IPs are allowed
  bannedSourceIPs?: string[];  // If provided, these IPs are blocked
  useIPSets?: boolean;        // Use nftables sets for efficient IP management
  // Rule management
  forceCleanSlate?: boolean;   // Clear all NfTablesProxy rules before starting
  tableName?: string;          // Custom table name (defaults to 'portproxy')
  // Connection management
  maxRetries?: number;        // Maximum number of retries for failed commands
  retryDelayMs?: number;      // Delay between retries in milliseconds
  useAdvancedNAT?: boolean;   // Use connection tracking for stateful NAT
  // Quality of Service
  qos?: {
    enabled: boolean;
    maxRate?: string;         // e.g. "10mbps"
    priority?: number;        // 1 (highest) to 10 (lowest)
    markConnections?: boolean; // Mark connections for easier management
  };
  // Integration with PortProxy/NetworkProxy
  netProxyIntegration?: {
    enabled: boolean;
    redirectLocalhost?: boolean; // Redirect localhost traffic to NetworkProxy
    sslTerminationPort?: number; // Port where NetworkProxy handles SSL termination
  };
 }
 // Legacy interface name for backward compatibility
 export type INfTableProxySettings = NfTableProxyOptions;
 /**
 * Interface for status reporting
 */
 export interface NfTablesStatus {
  active: boolean;
  ruleCount: {
    total: number;
    added: number;
    verified: number;
  };
  tablesConfigured: { family: string; tableName: string }[];
  metrics: {
    forwardedConnections?: number;
    activeConnections?: number;
    bytesForwarded?: {
      sent: number;
      received: number;
    };
  };
  qosEnabled?: boolean;
  ipSetsConfigured?: {
    name: string;
    elementCount: number;
    type: string;
  }[];
 }
 // Legacy interface name for backward compatibility
 export type INfTablesStatus = NfTablesStatus;
--- a/ts/proxies/nftables-proxy/nftables-proxy.ts
+++ b/ts/proxies/nftables-proxy/nftables-proxy.ts
--- a/ts/proxies/smart-proxy/connection-manager.ts
+++ b/ts/proxies/smart-proxy/connection-manager.ts
@ -1,446 +0,0 @@
 import * as plugins from '../../plugins.js';
 import type { IConnectionRecord, ISmartProxyOptions } from './models/interfaces.js';
 import { SecurityManager } from './security-manager.js';
 import { TimeoutManager } from './timeout-manager.js';
 /**
 * Manages connection lifecycle, tracking, and cleanup
 */
 export class ConnectionManager {
  private connectionRecords: Map<string, IConnectionRecord> = new Map();
  private terminationStats: {
    incoming: Record<string, number>;
    outgoing: Record<string, number>;
  } = { incoming: {}, outgoing: {} };
  constructor(
    private settings: ISmartProxyOptions,
    private securityManager: SecurityManager,
    private timeoutManager: TimeoutManager
  ) {}
  /**
   * Generate a unique connection ID
   */
  public generateConnectionId(): string {
    return Math.random().toString(36).substring(2, 15) + 
           Math.random().toString(36).substring(2, 15);
  }
  /**
   * Create and track a new connection
   */
  public createConnection(socket: plugins.net.Socket): IConnectionRecord {
    const connectionId = this.generateConnectionId();
    const remoteIP = socket.remoteAddress || '';
    const localPort = socket.localPort || 0;
    const record: IConnectionRecord = {
      id: connectionId,
      incoming: socket,
      outgoing: null,
      incomingStartTime: Date.now(),
      lastActivity: Date.now(),
      connectionClosed: false,
      pendingData: [],
      pendingDataSize: 0,
      bytesReceived: 0,
      bytesSent: 0,
      remoteIP,
      localPort,
      isTLS: false,
      tlsHandshakeComplete: false,
      hasReceivedInitialData: false,
      hasKeepAlive: false,
      incomingTerminationReason: null,
      outgoingTerminationReason: null,
      usingNetworkProxy: false,
      isBrowserConnection: false,
      domainSwitches: 0
    };
    this.trackConnection(connectionId, record);
    return record;
  }
  /**
   * Track an existing connection
   */
  public trackConnection(connectionId: string, record: IConnectionRecord): void {
    this.connectionRecords.set(connectionId, record);
    this.securityManager.trackConnectionByIP(record.remoteIP, connectionId);
  }
  /**
   * Get a connection by ID
   */
  public getConnection(connectionId: string): IConnectionRecord | undefined {
    return this.connectionRecords.get(connectionId);
  }
  /**
   * Get all active connections
   */
  public getConnections(): Map<string, IConnectionRecord> {
    return this.connectionRecords;
  }
  /**
   * Get count of active connections
   */
  public getConnectionCount(): number {
    return this.connectionRecords.size;
  }
  /**
   * Initiates cleanup once for a connection
   */
  public initiateCleanupOnce(record: IConnectionRecord, reason: string = 'normal'): void {
    if (this.settings.enableDetailedLogging) {
      console.log(`[${record.id}] Connection cleanup initiated for ${record.remoteIP} (${reason})`);
    }
    if (
      record.incomingTerminationReason === null ||
      record.incomingTerminationReason === undefined
    ) {
      record.incomingTerminationReason = reason;
      this.incrementTerminationStat('incoming', reason);
    }
    this.cleanupConnection(record, reason);
  }
  /**
   * Clean up a connection record
   */
  public cleanupConnection(record: IConnectionRecord, reason: string = 'normal'): void {
    if (!record.connectionClosed) {
      record.connectionClosed = true;
      // Track connection termination
      this.securityManager.removeConnectionByIP(record.remoteIP, record.id);
      if (record.cleanupTimer) {
        clearTimeout(record.cleanupTimer);
        record.cleanupTimer = undefined;
      }
      // Detailed logging data
      const duration = Date.now() - record.incomingStartTime;
      const bytesReceived = record.bytesReceived;
      const bytesSent = record.bytesSent;
      // Remove all data handlers to make sure we clean up properly
      if (record.incoming) {
        try {
          // Remove our safe data handler
          record.incoming.removeAllListeners('data');
          // Reset the handler references
          record.renegotiationHandler = undefined;
        } catch (err) {
          console.log(`[${record.id}] Error removing data handlers: ${err}`);
        }
      }
      // Handle incoming socket
      this.cleanupSocket(record, 'incoming', record.incoming);
      // Handle outgoing socket
      if (record.outgoing) {
        this.cleanupSocket(record, 'outgoing', record.outgoing);
      }
      // Clear pendingData to avoid memory leaks
      record.pendingData = [];
      record.pendingDataSize = 0;
      // Remove the record from the tracking map
      this.connectionRecords.delete(record.id);
      // Log connection details
      if (this.settings.enableDetailedLogging) {
        console.log(
          `[${record.id}] Connection from ${record.remoteIP} on port ${record.localPort} terminated (${reason}).` +
            ` Duration: ${plugins.prettyMs(duration)}, Bytes IN: ${bytesReceived}, OUT: ${bytesSent}, ` +
            `TLS: ${record.isTLS ? 'Yes' : 'No'}, Keep-Alive: ${record.hasKeepAlive ? 'Yes' : 'No'}` +
            `${record.usingNetworkProxy ? ', Using NetworkProxy' : ''}` +
            `${record.domainSwitches ? `, Domain switches: ${record.domainSwitches}` : ''}`
        );
      } else {
        console.log(
          `[${record.id}] Connection from ${record.remoteIP} terminated (${reason}). Active connections: ${this.connectionRecords.size}`
        );
      }
    }
  }
  /**
   * Helper method to clean up a socket
   */
  private cleanupSocket(record: IConnectionRecord, side: 'incoming' | 'outgoing', socket: plugins.net.Socket): void {
    try {
      if (!socket.destroyed) {
        // Try graceful shutdown first, then force destroy after a short timeout
        socket.end();
        const socketTimeout = setTimeout(() => {
          try {
            if (!socket.destroyed) {
              socket.destroy();
            }
          } catch (err) {
            console.log(`[${record.id}] Error destroying ${side} socket: ${err}`);
          }
        }, 1000);
        // Ensure the timeout doesn't block Node from exiting
        if (socketTimeout.unref) {
          socketTimeout.unref();
        }
      }
    } catch (err) {
      console.log(`[${record.id}] Error closing ${side} socket: ${err}`);
      try {
        if (!socket.destroyed) {
          socket.destroy();
        }
      } catch (destroyErr) {
        console.log(`[${record.id}] Error destroying ${side} socket: ${destroyErr}`);
      }
    }
  }
  /**
   * Creates a generic error handler for incoming or outgoing sockets
   */
  public handleError(side: 'incoming' | 'outgoing', record: IConnectionRecord) {
    return (err: Error) => {
      const code = (err as any).code;
      let reason = 'error';
      const now = Date.now();
      const connectionDuration = now - record.incomingStartTime;
      const lastActivityAge = now - record.lastActivity;
      if (code === 'ECONNRESET') {
        reason = 'econnreset';
        console.log(
          `[${record.id}] ECONNRESET on ${side} side from ${record.remoteIP}: ${err.message}. ` +
          `Duration: ${plugins.prettyMs(connectionDuration)}, Last activity: ${plugins.prettyMs(lastActivityAge)} ago`
        );
      } else if (code === 'ETIMEDOUT') {
        reason = 'etimedout';
        console.log(
          `[${record.id}] ETIMEDOUT on ${side} side from ${record.remoteIP}: ${err.message}. ` +
          `Duration: ${plugins.prettyMs(connectionDuration)}, Last activity: ${plugins.prettyMs(lastActivityAge)} ago`
        );
      } else {
        console.log(
          `[${record.id}] Error on ${side} side from ${record.remoteIP}: ${err.message}. ` +
          `Duration: ${plugins.prettyMs(connectionDuration)}, Last activity: ${plugins.prettyMs(lastActivityAge)} ago`
        );
      }
      if (side === 'incoming' && record.incomingTerminationReason === null) {
        record.incomingTerminationReason = reason;
        this.incrementTerminationStat('incoming', reason);
      } else if (side === 'outgoing' && record.outgoingTerminationReason === null) {
        record.outgoingTerminationReason = reason;
        this.incrementTerminationStat('outgoing', reason);
      }
      this.initiateCleanupOnce(record, reason);
    };
  }
  /**
   * Creates a generic close handler for incoming or outgoing sockets
   */
  public handleClose(side: 'incoming' | 'outgoing', record: IConnectionRecord) {
    return () => {
      if (this.settings.enableDetailedLogging) {
        console.log(`[${record.id}] Connection closed on ${side} side from ${record.remoteIP}`);
      }
      if (side === 'incoming' && record.incomingTerminationReason === null) {
        record.incomingTerminationReason = 'normal';
        this.incrementTerminationStat('incoming', 'normal');
      } else if (side === 'outgoing' && record.outgoingTerminationReason === null) {
        record.outgoingTerminationReason = 'normal';
        this.incrementTerminationStat('outgoing', 'normal');
        // Record the time when outgoing socket closed.
        record.outgoingClosedTime = Date.now();
      }
      this.initiateCleanupOnce(record, 'closed_' + side);
    };
  }
  /**
   * Increment termination statistics
   */
  public incrementTerminationStat(side: 'incoming' | 'outgoing', reason: string): void {
    this.terminationStats[side][reason] = (this.terminationStats[side][reason] || 0) + 1;
  }
  /**
   * Get termination statistics
   */
  public getTerminationStats(): { incoming: Record<string, number>; outgoing: Record<string, number> } {
    return this.terminationStats;
  }
  /**
   * Check for stalled/inactive connections
   */
  public performInactivityCheck(): void {
    const now = Date.now();
    const connectionIds = [...this.connectionRecords.keys()];
    for (const id of connectionIds) {
      const record = this.connectionRecords.get(id);
      if (!record) continue;
      // Skip inactivity check if disabled or for immortal keep-alive connections
      if (
        this.settings.disableInactivityCheck ||
        (record.hasKeepAlive && this.settings.keepAliveTreatment === 'immortal')
      ) {
        continue;
      }
      const inactivityTime = now - record.lastActivity;
      // Use extended timeout for extended-treatment keep-alive connections
      let effectiveTimeout = this.settings.inactivityTimeout!;
      if (record.hasKeepAlive && this.settings.keepAliveTreatment === 'extended') {
        const multiplier = this.settings.keepAliveInactivityMultiplier || 6;
        effectiveTimeout = effectiveTimeout * multiplier;
      }
      if (inactivityTime > effectiveTimeout && !record.connectionClosed) {
        // For keep-alive connections, issue a warning first
        if (record.hasKeepAlive && !record.inactivityWarningIssued) {
          console.log(
            `[${id}] Warning: Keep-alive connection from ${record.remoteIP} inactive for ${
              plugins.prettyMs(inactivityTime)
            }. Will close in 10 minutes if no activity.`
          );
          // Set warning flag and add grace period
          record.inactivityWarningIssued = true;
          record.lastActivity = now - (effectiveTimeout - 600000);
          // Try to stimulate activity with a probe packet
          if (record.outgoing && !record.outgoing.destroyed) {
            try {
              record.outgoing.write(Buffer.alloc(0));
              if (this.settings.enableDetailedLogging) {
                console.log(`[${id}] Sent probe packet to test keep-alive connection`);
              }
            } catch (err) {
              console.log(`[${id}] Error sending probe packet: ${err}`);
            }
          }
        } else {
          // For non-keep-alive or after warning, close the connection
          console.log(
            `[${id}] Inactivity check: No activity on connection from ${record.remoteIP} ` +
            `for ${plugins.prettyMs(inactivityTime)}.` +
            (record.hasKeepAlive ? ' Despite keep-alive being enabled.' : '')
          );
          this.cleanupConnection(record, 'inactivity');
        }
      } else if (inactivityTime <= effectiveTimeout && record.inactivityWarningIssued) {
        // If activity detected after warning, clear the warning
        if (this.settings.enableDetailedLogging) {
          console.log(
            `[${id}] Connection activity detected after inactivity warning, resetting warning`
          );
        }
        record.inactivityWarningIssued = false;
      }
      // Parity check: if outgoing socket closed and incoming remains active
      if (
        record.outgoingClosedTime &&
        !record.incoming.destroyed &&
        !record.connectionClosed &&
        now - record.outgoingClosedTime > 120000
      ) {
        console.log(
          `[${id}] Parity check: Incoming socket for ${record.remoteIP} still active ${
            plugins.prettyMs(now - record.outgoingClosedTime)
          } after outgoing closed.`
        );
        this.cleanupConnection(record, 'parity_check');
      }
    }
  }
  /**
   * Clear all connections (for shutdown)
   */
  public clearConnections(): void {
    // Create a copy of the keys to avoid modification during iteration
    const connectionIds = [...this.connectionRecords.keys()];
    // First pass: End all connections gracefully
    for (const id of connectionIds) {
      const record = this.connectionRecords.get(id);
      if (record) {
        try {
          // Clear any timers
          if (record.cleanupTimer) {
            clearTimeout(record.cleanupTimer);
            record.cleanupTimer = undefined;
          }
          // End sockets gracefully
          if (record.incoming && !record.incoming.destroyed) {
            record.incoming.end();
          }
          if (record.outgoing && !record.outgoing.destroyed) {
            record.outgoing.end();
          }
        } catch (err) {
          console.log(`Error during graceful connection end for ${id}: ${err}`);
        }
      }
    }
    // Short delay to allow graceful ends to process
    setTimeout(() => {
      // Second pass: Force destroy everything
      for (const id of connectionIds) {
        const record = this.connectionRecords.get(id);
        if (record) {
          try {
            // Remove all listeners to prevent memory leaks
            if (record.incoming) {
              record.incoming.removeAllListeners();
              if (!record.incoming.destroyed) {
                record.incoming.destroy();
              }
            }
            if (record.outgoing) {
              record.outgoing.removeAllListeners();
              if (!record.outgoing.destroyed) {
                record.outgoing.destroy();
              }
            }
          } catch (err) {
            console.log(`Error during forced connection destruction for ${id}: ${err}`);
          }
        }
      }
      // Clear all maps
      this.connectionRecords.clear();
      this.terminationStats = { incoming: {}, outgoing: {} };
    }, 100);
  }
 }
--- a/ts/proxies/smart-proxy/domain-config-manager.ts.bak
+++ b/ts/proxies/smart-proxy/domain-config-manager.ts.bak
@ -1,441 +0,0 @@
 import * as plugins from '../../plugins.js';
 import type { IDomainConfig, ISmartProxyOptions } from './models/interfaces.js';
 import type { TForwardingType, IForwardConfig } from '../../forwarding/config/forwarding-types.js';
 import type { ForwardingHandler } from '../../forwarding/handlers/base-handler.js';
 import { ForwardingHandlerFactory } from '../../forwarding/factory/forwarding-factory.js';
 import type { IRouteConfig } from './models/route-types.js';
 import { RouteManager } from './route-manager.js';
 /**
 * Manages domain configurations and target selection
 */
 export class DomainConfigManager {
  // Track round-robin indices for domain configs
  private domainTargetIndices: Map<IDomainConfig, number> = new Map();
  // Cache forwarding handlers for each domain config
  private forwardingHandlers: Map<IDomainConfig, ForwardingHandler> = new Map();
  // Store derived domain configs from routes
  private derivedDomainConfigs: IDomainConfig[] = [];
  // Reference to RouteManager for route-based configuration
  private routeManager?: RouteManager;
  constructor(private settings: ISmartProxyOptions) {
    // Initialize with derived domain configs if using route-based configuration
    if (settings.routes && !settings.domainConfigs) {
      this.generateDomainConfigsFromRoutes();
    }
  }
  /**
   * Set the route manager reference for route-based queries
   */
  public setRouteManager(routeManager: RouteManager): void {
    this.routeManager = routeManager;
    // Regenerate domain configs from routes if needed
    if (this.settings.routes && (!this.settings.domainConfigs || this.settings.domainConfigs.length === 0)) {
      this.generateDomainConfigsFromRoutes();
    }
  }
  /**
   * Generate domain configs from routes
   */
  public generateDomainConfigsFromRoutes(): void {
    this.derivedDomainConfigs = [];
    if (!this.settings.routes) return;
    for (const route of this.settings.routes) {
      if (route.action.type !== 'forward' || !route.match.domains) continue;
      // Convert route to domain config
      const domainConfig = this.routeToDomainConfig(route);
      if (domainConfig) {
        this.derivedDomainConfigs.push(domainConfig);
      }
    }
  }
  /**
   * Convert a route to a domain config
   */
  private routeToDomainConfig(route: IRouteConfig): IDomainConfig | null {
    if (route.action.type !== 'forward' || !route.action.target) return null;
    // Get domains from route
    const domains = Array.isArray(route.match.domains) ?
      route.match.domains :
      (route.match.domains ? [route.match.domains] : []);
    if (domains.length === 0) return null;
    // Determine forwarding type based on TLS mode
    let forwardingType: TForwardingType = 'http-only';
    if (route.action.tls) {
      switch (route.action.tls.mode) {
        case 'passthrough':
          forwardingType = 'https-passthrough';
          break;
        case 'terminate':
          forwardingType = 'https-terminate-to-http';
          break;
        case 'terminate-and-reencrypt':
          forwardingType = 'https-terminate-to-https';
          break;
      }
    }
    // Create domain config
    return {
      domains,
      forwarding: {
        type: forwardingType,
        target: {
          host: route.action.target.host,
          port: route.action.target.port
        },
        security: route.action.security ? {
          allowedIps: route.action.security.allowedIps,
          blockedIps: route.action.security.blockedIps,
          maxConnections: route.action.security.maxConnections
        } : undefined,
        https: route.action.tls && route.action.tls.certificate !== 'auto' ? {
          customCert: route.action.tls.certificate
        } : undefined,
        advanced: route.action.advanced
      }
    };
  }
  /**
   * Updates the domain configurations
   */
  public updateDomainConfigs(newDomainConfigs: IDomainConfig[]): void {
    // If we're using domainConfigs property, update it
    if (this.settings.domainConfigs) {
      this.settings.domainConfigs = newDomainConfigs;
    } else {
      // Otherwise update our derived configs
      this.derivedDomainConfigs = newDomainConfigs;
    }
    // Reset target indices for removed configs
    const currentConfigSet = new Set(newDomainConfigs);
    for (const [config] of this.domainTargetIndices) {
      if (!currentConfigSet.has(config)) {
        this.domainTargetIndices.delete(config);
      }
    }
    // Clear handlers for removed configs and create handlers for new configs
    const handlersToRemove: IDomainConfig[] = [];
    for (const [config] of this.forwardingHandlers) {
      if (!currentConfigSet.has(config)) {
        handlersToRemove.push(config);
      }
    }
    // Remove handlers that are no longer needed
    for (const config of handlersToRemove) {
      this.forwardingHandlers.delete(config);
    }
    // Create handlers for new configs
    for (const config of newDomainConfigs) {
      if (!this.forwardingHandlers.has(config)) {
        try {
          const handler = this.createForwardingHandler(config);
          this.forwardingHandlers.set(config, handler);
        } catch (err) {
          console.log(`Error creating forwarding handler for domain ${config.domains.join(', ')}: ${err}`);
        }
      }
    }
  }
  /**
   * Get all domain configurations
   */
  public getDomainConfigs(): IDomainConfig[] {
    // Use domainConfigs from settings if available, otherwise use derived configs
    return this.settings.domainConfigs || this.derivedDomainConfigs;
  }
  /**
   * Find domain config matching a server name
   */
  public findDomainConfig(serverName: string): IDomainConfig | undefined {
    if (!serverName) return undefined;
    // Get domain configs from the appropriate source
    const domainConfigs = this.getDomainConfigs();
    // Check for direct match
    for (const config of domainConfigs) {
      if (config.domains.some(d => plugins.minimatch(serverName, d))) {
        return config;
      }
    }
    // No match found
    return undefined;
  }
  /**
   * Find domain config for a specific port
   */
  public findDomainConfigForPort(port: number): IDomainConfig | undefined {
    // Get domain configs from the appropriate source
    const domainConfigs = this.getDomainConfigs();
    // Check if any domain config has a matching port range
    for (const domain of domainConfigs) {
      const portRanges = domain.forwarding?.advanced?.portRanges;
      if (portRanges && portRanges.length > 0 && this.isPortInRanges(port, portRanges)) {
        return domain;
      }
    }
    // If we're in route-based mode, also check routes for this port
    if (this.settings.routes && (!this.settings.domainConfigs || this.settings.domainConfigs.length === 0)) {
      const routesForPort = this.settings.routes.filter(route => {
        // Check if this port is in the route's ports
        if (typeof route.match.ports === 'number') {
          return route.match.ports === port;
        } else if (Array.isArray(route.match.ports)) {
          return route.match.ports.some(p => {
            if (typeof p === 'number') {
              return p === port;
            } else if (p.from && p.to) {
              return port >= p.from && port <= p.to;
            }
            return false;
          });
        }
        return false;
      });
      // If we found any routes for this port, convert the first one to a domain config
      if (routesForPort.length > 0 && routesForPort[0].action.type === 'forward') {
        const domainConfig = this.routeToDomainConfig(routesForPort[0]);
        if (domainConfig) {
          return domainConfig;
        }
      }
    }
    return undefined;
  }
  /**
   * Check if a port is within any of the given ranges
   */
  public isPortInRanges(port: number, ranges: Array<{ from: number; to: number }>): boolean {
    return ranges.some((range) => port >= range.from && port <= range.to);
  }
  /**
   * Get target IP with round-robin support
   */
  public getTargetIP(domainConfig: IDomainConfig): string {
    const targetHosts = Array.isArray(domainConfig.forwarding.target.host)
      ? domainConfig.forwarding.target.host
      : [domainConfig.forwarding.target.host];
    if (targetHosts.length > 0) {
      const currentIndex = this.domainTargetIndices.get(domainConfig) || 0;
      const ip = targetHosts[currentIndex % targetHosts.length];
      this.domainTargetIndices.set(domainConfig, currentIndex + 1);
      return ip;
    }
    return this.settings.targetIP || 'localhost';
  }
  /**
   * Get target host with round-robin support (for tests)
   * This is just an alias for getTargetIP for easier test compatibility
   */
  public getTargetHost(domainConfig: IDomainConfig): string {
    return this.getTargetIP(domainConfig);
  }
  /**
   * Get target port from domain config
   */
  public getTargetPort(domainConfig: IDomainConfig, defaultPort: number): number {
    return domainConfig.forwarding.target.port || defaultPort;
  }
  /**
   * Checks if a domain should use NetworkProxy
   */
  public shouldUseNetworkProxy(domainConfig: IDomainConfig): boolean {
    const forwardingType = this.getForwardingType(domainConfig);
    return forwardingType === 'https-terminate-to-http' ||
           forwardingType === 'https-terminate-to-https';
  }
  /**
   * Gets the NetworkProxy port for a domain
   */
  public getNetworkProxyPort(domainConfig: IDomainConfig): number | undefined {
    // First check if we should use NetworkProxy at all
    if (!this.shouldUseNetworkProxy(domainConfig)) {
      return undefined;
    }
    return domainConfig.forwarding.advanced?.networkProxyPort || this.settings.networkProxyPort;
  }
  /**
   * Get effective allowed and blocked IPs for a domain
   *
   * This method combines domain-specific security rules from the forwarding configuration
   * with global security defaults when necessary.
   */
  public getEffectiveIPRules(domainConfig: IDomainConfig): {
    allowedIPs: string[],
    blockedIPs: string[]
  } {
    // Start with empty arrays
    const allowedIPs: string[] = [];
    const blockedIPs: string[] = [];
    // Add IPs from forwarding security settings if available
    if (domainConfig.forwarding?.security?.allowedIps) {
      allowedIPs.push(...domainConfig.forwarding.security.allowedIps);
    } else {
      // If no allowed IPs are specified in forwarding config and global defaults exist, use them
      if (this.settings.defaultAllowedIPs && this.settings.defaultAllowedIPs.length > 0) {
        allowedIPs.push(...this.settings.defaultAllowedIPs);
      } else {
        // Default to allow all if no specific rules
        allowedIPs.push('*');
      }
    }
    // Add blocked IPs from forwarding security settings if available
    if (domainConfig.forwarding?.security?.blockedIps) {
      blockedIPs.push(...domainConfig.forwarding.security.blockedIps);
    }
    // Always add global blocked IPs, even if domain has its own rules
    // This ensures that global blocks take precedence
    if (this.settings.defaultBlockedIPs && this.settings.defaultBlockedIPs.length > 0) {
      // Add only unique IPs that aren't already in the list
      for (const ip of this.settings.defaultBlockedIPs) {
        if (!blockedIPs.includes(ip)) {
          blockedIPs.push(ip);
        }
      }
    }
    return {
      allowedIPs,
      blockedIPs
    };
  }
  /**
   * Get connection timeout for a domain
   */
  public getConnectionTimeout(domainConfig?: IDomainConfig): number {
    if (domainConfig?.forwarding.advanced?.timeout) {
      return domainConfig.forwarding.advanced.timeout;
    }
    return this.settings.maxConnectionLifetime || 86400000; // 24 hours default
  }
  /**
   * Creates a forwarding handler for a domain configuration
   */
  private createForwardingHandler(domainConfig: IDomainConfig): ForwardingHandler {
    // Create a new handler using the factory
    const handler = ForwardingHandlerFactory.createHandler(domainConfig.forwarding);
    // Initialize the handler
    handler.initialize().catch(err => {
      console.log(`Error initializing forwarding handler for ${domainConfig.domains.join(', ')}: ${err}`);
    });
    return handler;
  }
  /**
   * Gets a forwarding handler for a domain config
   * If no handler exists, creates one
   */
  public getForwardingHandler(domainConfig: IDomainConfig): ForwardingHandler {
    // If we already have a handler, return it
    if (this.forwardingHandlers.has(domainConfig)) {
      return this.forwardingHandlers.get(domainConfig)!;
    }
    // Otherwise create a new handler
    const handler = this.createForwardingHandler(domainConfig);
    this.forwardingHandlers.set(domainConfig, handler);
    return handler;
  }
  /**
   * Gets the forwarding type for a domain config
   */
  public getForwardingType(domainConfig?: IDomainConfig): TForwardingType | undefined {
    if (!domainConfig?.forwarding) return undefined;
    return domainConfig.forwarding.type;
  }
  /**
   * Checks if the forwarding type requires TLS termination
   */
  public requiresTlsTermination(domainConfig?: IDomainConfig): boolean {
    if (!domainConfig) return false;
    const forwardingType = this.getForwardingType(domainConfig);
    return forwardingType === 'https-terminate-to-http' ||
           forwardingType === 'https-terminate-to-https';
  }
  /**
   * Checks if the forwarding type supports HTTP
   */
  public supportsHttp(domainConfig?: IDomainConfig): boolean {
    if (!domainConfig) return false;
    const forwardingType = this.getForwardingType(domainConfig);
    // HTTP-only always supports HTTP
    if (forwardingType === 'http-only') return true;
    // For termination types, check the HTTP settings
    if (forwardingType === 'https-terminate-to-http' ||
        forwardingType === 'https-terminate-to-https') {
      // HTTP is supported by default for termination types
      return domainConfig.forwarding?.http?.enabled !== false;
    }
    // HTTPS-passthrough doesn't support HTTP
    return false;
  }
  /**
   * Checks if HTTP requests should be redirected to HTTPS
   */
  public shouldRedirectToHttps(domainConfig?: IDomainConfig): boolean {
    if (!domainConfig?.forwarding) return false;
    // Only check for redirect if HTTP is enabled
    if (this.supportsHttp(domainConfig)) {
      return !!domainConfig.forwarding.http?.redirectToHttps;
    }
    return false;
  }
 }
--- a/ts/proxies/smart-proxy/index.ts
+++ b/ts/proxies/smart-proxy/index.ts
@ -1,34 +0,0 @@
 /**
 * SmartProxy implementation
 *
 * Version 14.0.0: Unified Route-Based Configuration API
 */
 // Re-export models
 export * from './models/index.js';
 // Export the main SmartProxy class
 export { SmartProxy } from './smart-proxy.js';
 // Export core supporting classes
 export { ConnectionManager } from './connection-manager.js';
 export { SecurityManager } from './security-manager.js';
 export { TimeoutManager } from './timeout-manager.js';
 export { TlsManager } from './tls-manager.js';
 export { NetworkProxyBridge } from './network-proxy-bridge.js';
 // Export route-based components
 export { RouteManager } from './route-manager.js';
 export { RouteConnectionHandler } from './route-connection-handler.js';
 // Export route helpers for configuration
 export {
  createRoute,
  createHttpRoute,
  createHttpsRoute,
  createPassthroughRoute,
  createRedirectRoute,
  createHttpToHttpsRedirect,
  createBlockRoute,
  createLoadBalancerRoute,
  createHttpsServer
 } from './route-helpers.js';
--- a/ts/proxies/smart-proxy/models/index.ts
+++ b/ts/proxies/smart-proxy/models/index.ts
@ -1,8 +0,0 @@
 /**
 * SmartProxy models
 */
 export * from './interfaces.js';
 export * from './route-types.js';
 // Re-export IRoutedSmartProxyOptions explicitly to avoid ambiguity
 export type { ISmartProxyOptions as IRoutedSmartProxyOptions } from './interfaces.js';
--- a/ts/proxies/smart-proxy/models/interfaces.ts
+++ b/ts/proxies/smart-proxy/models/interfaces.ts
@ -1,158 +0,0 @@
 import * as plugins from '../../../plugins.js';
 import type { IAcmeOptions } from '../../../certificate/models/certificate-types.js';
 import type { IRouteConfig } from './route-types.js';
 import type { TForwardingType } from '../../../forwarding/config/forwarding-types.js';
 /**
 * Provision object for static or HTTP-01 certificate
 */
 export type TSmartProxyCertProvisionObject = plugins.tsclass.network.ICert | 'http01';
 /**
 * Alias for backward compatibility with code that uses IRoutedSmartProxyOptions
 */
 export type IRoutedSmartProxyOptions = ISmartProxyOptions;
 /**
 * Helper functions for type checking configuration types
 */
 export function isLegacyOptions(options: any): boolean {
  // Legacy options are no longer supported
  return false;
 }
 export function isRoutedOptions(options: any): boolean {
  // All configurations are now route-based
  return true;
 }
 /**
 * SmartProxy configuration options
 */
 export interface ISmartProxyOptions {
  // The unified configuration array (required)
  routes: IRouteConfig[];
  // Port range configuration
  globalPortRanges?: Array<{ from: number; to: number }>;
  forwardAllGlobalRanges?: boolean;
  preserveSourceIP?: boolean;
  // Global/default settings
  defaults?: {
    target?: {
      host: string; // Default host to use when not specified in routes
      port: number; // Default port to use when not specified in routes
    };
    security?: {
      allowedIps?: string[]; // Default allowed IPs
      blockedIps?: string[]; // Default blocked IPs
      maxConnections?: number; // Default max connections
    };
    preserveSourceIP?: boolean; // Default source IP preservation
  };
  // TLS options
  pfx?: Buffer;
  key?: string | Buffer | Array<Buffer | string>;
  passphrase?: string;
  cert?: string | Buffer | Array<string | Buffer>;
  ca?: string | Buffer | Array<string | Buffer>;
  ciphers?: string;
  honorCipherOrder?: boolean;
  rejectUnauthorized?: boolean;
  secureProtocol?: string;
  servername?: string;
  minVersion?: string;
  maxVersion?: string;
  // Timeout settings
  initialDataTimeout?: number; // Timeout for initial data/SNI (ms), default: 60000 (60s)
  socketTimeout?: number; // Socket inactivity timeout (ms), default: 3600000 (1h)
  inactivityCheckInterval?: number; // How often to check for inactive connections (ms), default: 60000 (60s)
  maxConnectionLifetime?: number; // Default max connection lifetime (ms), default: 86400000 (24h)
  inactivityTimeout?: number; // Inactivity timeout (ms), default: 14400000 (4h)
  gracefulShutdownTimeout?: number; // (ms) maximum time to wait for connections to close during shutdown
  // Socket optimization settings
  noDelay?: boolean; // Disable Nagle's algorithm (default: true)
  keepAlive?: boolean; // Enable TCP keepalive (default: true)
  keepAliveInitialDelay?: number; // Initial delay before sending keepalive probes (ms)
  maxPendingDataSize?: number; // Maximum bytes to buffer during connection setup
  // Enhanced features
  disableInactivityCheck?: boolean; // Disable inactivity checking entirely
  enableKeepAliveProbes?: boolean; // Enable TCP keep-alive probes
  enableDetailedLogging?: boolean; // Enable detailed connection logging
  enableTlsDebugLogging?: boolean; // Enable TLS handshake debug logging
  enableRandomizedTimeouts?: boolean; // Randomize timeouts slightly to prevent thundering herd
  allowSessionTicket?: boolean; // Allow TLS session ticket for reconnection (default: true)
  // Rate limiting and security
  maxConnectionsPerIP?: number; // Maximum simultaneous connections from a single IP
  connectionRateLimitPerMinute?: number; // Max new connections per minute from a single IP
  // Enhanced keep-alive settings
  keepAliveTreatment?: 'standard' | 'extended' | 'immortal'; // How to treat keep-alive connections
  keepAliveInactivityMultiplier?: number; // Multiplier for inactivity timeout for keep-alive connections
  extendedKeepAliveLifetime?: number; // Extended lifetime for keep-alive connections (ms)
  // NetworkProxy integration
  useNetworkProxy?: number[]; // Array of ports to forward to NetworkProxy
  networkProxyPort?: number; // Port where NetworkProxy is listening (default: 8443)
  // ACME configuration options for SmartProxy
  acme?: IAcmeOptions;
  /**
   * Optional certificate provider callback. Return 'http01' to use HTTP-01 challenges,
   * or a static certificate object for immediate provisioning.
   */
  certProvisionFunction?: (domain: string) => Promise<TSmartProxyCertProvisionObject>;
 }
 /**
 * Enhanced connection record
 */
 export interface IConnectionRecord {
  id: string; // Unique connection identifier
  incoming: plugins.net.Socket;
  outgoing: plugins.net.Socket | null;
  incomingStartTime: number;
  outgoingStartTime?: number;
  outgoingClosedTime?: number;
  lockedDomain?: string; // Used to lock this connection to the initial SNI
  connectionClosed: boolean; // Flag to prevent multiple cleanup attempts
  cleanupTimer?: NodeJS.Timeout; // Timer for max lifetime/inactivity
  alertFallbackTimeout?: NodeJS.Timeout; // Timer for fallback after alert
  lastActivity: number; // Last activity timestamp for inactivity detection
  pendingData: Buffer[]; // Buffer to hold data during connection setup
  pendingDataSize: number; // Track total size of pending data
  // Enhanced tracking fields
  bytesReceived: number; // Total bytes received
  bytesSent: number; // Total bytes sent
  remoteIP: string; // Remote IP (cached for logging after socket close)
  localPort: number; // Local port (cached for logging)
  isTLS: boolean; // Whether this connection is a TLS connection
  tlsHandshakeComplete: boolean; // Whether the TLS handshake is complete
  hasReceivedInitialData: boolean; // Whether initial data has been received
  routeConfig?: IRouteConfig; // Associated route config for this connection
  // Keep-alive tracking
  hasKeepAlive: boolean; // Whether keep-alive is enabled for this connection
  inactivityWarningIssued?: boolean; // Whether an inactivity warning has been issued
  incomingTerminationReason?: string | null; // Reason for incoming termination
  outgoingTerminationReason?: string | null; // Reason for outgoing termination
  // NetworkProxy tracking
  usingNetworkProxy?: boolean; // Whether this connection is using a NetworkProxy
  // Renegotiation handler
  renegotiationHandler?: (chunk: Buffer) => void; // Handler for renegotiation detection
  // Browser connection tracking
  isBrowserConnection?: boolean; // Whether this connection appears to be from a browser
  domainSwitches?: number; // Number of times the domain has been switched on this connection
 }
--- a/ts/proxies/smart-proxy/models/route-types.ts
+++ b/ts/proxies/smart-proxy/models/route-types.ts
@ -1,314 +0,0 @@
 import * as plugins from '../../../plugins.js';
 import type { IAcmeOptions } from '../../../certificate/models/certificate-types.js';
 import type { TForwardingType } from '../../../forwarding/config/forwarding-types.js';
 /**
 * Supported action types for route configurations
 */
 export type TRouteActionType = 'forward' | 'redirect' | 'block' | 'static';
 /**
 * TLS handling modes for route configurations
 */
 export type TTlsMode = 'passthrough' | 'terminate' | 'terminate-and-reencrypt';
 /**
 * Port range specification format
 */
 export type TPortRange = number | number[] | Array<{ from: number; to: number }>;
 /**
 * Route match criteria for incoming requests
 */
 export interface IRouteMatch {
  // Listen on these ports (required)
  ports: TPortRange;
  // Optional domain patterns to match (default: all domains)
  domains?: string | string[];
  // Advanced matching criteria
  path?: string;           // Match specific paths
  clientIp?: string[];     // Match specific client IPs
  tlsVersion?: string[];   // Match specific TLS versions
  headers?: Record<string, string | RegExp>; // Match specific HTTP headers
 }
 /**
 * Target configuration for forwarding
 */
 export interface IRouteTarget {
  host: string | string[];  // Support single host or round-robin
  port: number;
  preservePort?: boolean;   // Use incoming port as target port
 }
 /**
 * TLS configuration for route actions
 */
 export interface IRouteTls {
  mode: TTlsMode;
  certificate?: 'auto' | {   // Auto = use ACME
    key: string;
    cert: string;
  };
 }
 /**
 * Redirect configuration for route actions
 */
 export interface IRouteRedirect {
  to: string;            // URL or template with {domain}, {port}, etc.
  status: 301 | 302 | 307 | 308;
 }
 /**
 * Authentication options
 */
 export interface IRouteAuthentication {
  type: 'basic' | 'digest' | 'oauth' | 'jwt';
  credentials?: {
    username: string;
    password: string;
  }[];
  realm?: string;
  jwtSecret?: string;
  jwtIssuer?: string;
  oauthProvider?: string;
  oauthClientId?: string;
  oauthClientSecret?: string;
  oauthRedirectUri?: string;
  [key: string]: any;  // Allow additional auth-specific options
 }
 /**
 * Security options for route actions
 */
 export interface IRouteSecurity {
  allowedIps?: string[];
  blockedIps?: string[];
  maxConnections?: number;
  authentication?: IRouteAuthentication;
 }
 /**
 * Static file server configuration
 */
 export interface IRouteStaticFiles {
  root: string;
  index?: string[];
  headers?: Record<string, string>;
  directory?: string;
  indexFiles?: string[];
  cacheControl?: string;
  expires?: number;
  followSymlinks?: boolean;
  disableDirectoryListing?: boolean;
 }
 /**
 * Test route response configuration
 */
 export interface IRouteTestResponse {
  status: number;
  headers: Record<string, string>;
  body: string;
 }
 /**
 * Advanced options for route actions
 */
 export interface IRouteAdvanced {
  timeout?: number;
  headers?: Record<string, string>;
  keepAlive?: boolean;
  staticFiles?: IRouteStaticFiles;
  testResponse?: IRouteTestResponse;
  // Additional advanced options would go here
 }
 /**
 * WebSocket configuration
 */
 export interface IRouteWebSocket {
  enabled: boolean;
  pingInterval?: number;
  pingTimeout?: number;
  maxPayloadSize?: number;
 }
 /**
 * Load balancing configuration
 */
 export interface IRouteLoadBalancing {
  algorithm: 'round-robin' | 'least-connections' | 'ip-hash';
  healthCheck?: {
    path: string;
    interval: number;
    timeout: number;
    unhealthyThreshold: number;
    healthyThreshold: number;
  };
 }
 /**
 * Action configuration for route handling
 */
 export interface IRouteAction {
  // Basic routing
  type: TRouteActionType;
  // Target for forwarding
  target?: IRouteTarget;
  // TLS handling
  tls?: IRouteTls;
  // For redirects
  redirect?: IRouteRedirect;
  // For static files
  static?: IRouteStaticFiles;
  // WebSocket support
  websocket?: IRouteWebSocket;
  // Load balancing options
  loadBalancing?: IRouteLoadBalancing;
  // Security options
  security?: IRouteSecurity;
  // Advanced options
  advanced?: IRouteAdvanced;
 }
 /**
 * Rate limiting configuration
 */
 export interface IRouteRateLimit {
  enabled: boolean;
  maxRequests: number;
  window: number; // Time window in seconds
  keyBy?: 'ip' | 'path' | 'header';
  headerName?: string;
  errorMessage?: string;
 }
 /**
 * Security features for routes
 */
 export interface IRouteSecurity {
  rateLimit?: IRouteRateLimit;
  basicAuth?: {
    enabled: boolean;
    users: Array<{ username: string; password: string }>;
    realm?: string;
    excludePaths?: string[];
  };
  jwtAuth?: {
    enabled: boolean;
    secret: string;
    algorithm?: string;
    issuer?: string;
    audience?: string;
    expiresIn?: number;
    excludePaths?: string[];
  };
  ipAllowList?: string[];
  ipBlockList?: string[];
 }
 /**
 * Headers configuration
 */
 export interface IRouteHeaders {
  request?: Record<string, string>;
  response?: Record<string, string>;
 }
 /**
 * The core unified configuration interface
 */
 export interface IRouteConfig {
  // Unique identifier
  id?: string;
  // What to match
  match: IRouteMatch;
  // What to do with matched traffic
  action: IRouteAction;
  // Custom headers
  headers?: IRouteHeaders;
  // Security features
  security?: IRouteSecurity;
  // Optional metadata
  name?: string;             // Human-readable name for this route
  description?: string;      // Description of the route's purpose
  priority?: number;         // Controls matching order (higher = matched first)
  tags?: string[];           // Arbitrary tags for categorization
  enabled?: boolean;         // Whether the route is active (default: true)
 }
 /**
 * Unified SmartProxy options with routes-based configuration
 */
 export interface IRoutedSmartProxyOptions {
  // The unified configuration array (required)
  routes: IRouteConfig[];
  // Global/default settings
  defaults?: {
    target?: {
      host: string;
      port: number;
    };
    security?: IRouteSecurity;
    tls?: IRouteTls;
    // ...other defaults
  };
  // Other global settings remain (acme, etc.)
  acme?: IAcmeOptions;
  // Connection timeouts and other global settings
  initialDataTimeout?: number;
  socketTimeout?: number;
  inactivityCheckInterval?: number;
  maxConnectionLifetime?: number;
  inactivityTimeout?: number;
  gracefulShutdownTimeout?: number;
  // Socket optimization settings
  noDelay?: boolean;
  keepAlive?: boolean;
  keepAliveInitialDelay?: number;
  maxPendingDataSize?: number;
  // Enhanced features
  disableInactivityCheck?: boolean;
  enableKeepAliveProbes?: boolean;
  enableDetailedLogging?: boolean;
  enableTlsDebugLogging?: boolean;
  enableRandomizedTimeouts?: boolean;
  allowSessionTicket?: boolean;
  // Rate limiting and security
  maxConnectionsPerIP?: number;
  connectionRateLimitPerMinute?: number;
  // Enhanced keep-alive settings
  keepAliveTreatment?: 'standard' | 'extended' | 'immortal';
  keepAliveInactivityMultiplier?: number;
  extendedKeepAliveLifetime?: number;
  /**
   * Optional certificate provider callback. Return 'http01' to use HTTP-01 challenges,
   * or a static certificate object for immediate provisioning.
   */
  certProvisionFunction?: (domain: string) => Promise<any>;
 }
--- a/ts/proxies/smart-proxy/network-proxy-bridge.ts
+++ b/ts/proxies/smart-proxy/network-proxy-bridge.ts
@ -1,542 +0,0 @@
 import * as plugins from '../../plugins.js';
 import { NetworkProxy } from '../network-proxy/index.js';
 import { Port80Handler } from '../../http/port80/port80-handler.js';
 import { Port80HandlerEvents } from '../../core/models/common-types.js';
 import { subscribeToPort80Handler } from '../../core/utils/event-utils.js';
 import type { ICertificateData } from '../../certificate/models/certificate-types.js';
 import type { IConnectionRecord, ISmartProxyOptions } from './models/interfaces.js';
 import type { IRouteConfig } from './models/route-types.js';
 /**
 * Manages NetworkProxy integration for TLS termination
 *
 * NetworkProxyBridge connects SmartProxy with NetworkProxy to handle TLS termination.
 * It directly maps route configurations to NetworkProxy configuration format and manages
 * certificate provisioning through Port80Handler when ACME is enabled.
 *
 * It is used by SmartProxy for routes that have:
 * - TLS mode of 'terminate' or 'terminate-and-reencrypt'
 * - Certificate set to 'auto' or custom certificate
 */
 export class NetworkProxyBridge {
  private networkProxy: NetworkProxy | null = null;
  private port80Handler: Port80Handler | null = null;
  constructor(private settings: ISmartProxyOptions) {}
  /**
   * Set the Port80Handler to use for certificate management
   */
  public setPort80Handler(handler: Port80Handler): void {
    this.port80Handler = handler;
    // Subscribe to certificate events
    subscribeToPort80Handler(handler, {
      onCertificateIssued: this.handleCertificateEvent.bind(this),
      onCertificateRenewed: this.handleCertificateEvent.bind(this)
    });
    // If NetworkProxy is already initialized, connect it with Port80Handler
    if (this.networkProxy) {
      this.networkProxy.setExternalPort80Handler(handler);
    }
    console.log('Port80Handler connected to NetworkProxyBridge');
  }
  /**
   * Initialize NetworkProxy instance
   */
  public async initialize(): Promise<void> {
    if (!this.networkProxy && this.settings.useNetworkProxy && this.settings.useNetworkProxy.length > 0) {
      // Configure NetworkProxy options based on PortProxy settings
      const networkProxyOptions: any = {
        port: this.settings.networkProxyPort!,
        portProxyIntegration: true,
        logLevel: this.settings.enableDetailedLogging ? 'debug' : 'info',
        useExternalPort80Handler: !!this.port80Handler // Use Port80Handler if available
      };
      this.networkProxy = new NetworkProxy(networkProxyOptions);
      console.log(`Initialized NetworkProxy on port ${this.settings.networkProxyPort}`);
      // Connect Port80Handler if available
      if (this.port80Handler) {
        this.networkProxy.setExternalPort80Handler(this.port80Handler);
      }
      // Apply route configurations to NetworkProxy
      await this.syncRoutesToNetworkProxy(this.settings.routes || []);
    }
  }
  /**
   * Handle certificate issuance or renewal events
   */
  private handleCertificateEvent(data: ICertificateData): void {
    if (!this.networkProxy) return;
    console.log(`Received certificate for ${data.domain} from Port80Handler, updating NetworkProxy`);
    try {
      // Find existing config for this domain
      const existingConfigs = this.networkProxy.getProxyConfigs()
        .filter(config => config.hostName === data.domain);
      if (existingConfigs.length > 0) {
        // Update existing configs with new certificate
        for (const config of existingConfigs) {
          config.privateKey = data.privateKey;
          config.publicKey = data.certificate;
        }
        // Apply updated configs
        this.networkProxy.updateProxyConfigs(existingConfigs)
          .then(() => console.log(`Updated certificate for ${data.domain} in NetworkProxy`))
          .catch(err => console.log(`Error updating certificate in NetworkProxy: ${err}`));
      } else {
        // Create a new config for this domain
        console.log(`No existing config found for ${data.domain}, creating new config in NetworkProxy`);
      }
    } catch (err) {
      console.log(`Error handling certificate event: ${err}`);
    }
  }
  /**
   * Apply an external (static) certificate into NetworkProxy
   */
  public applyExternalCertificate(data: ICertificateData): void {
    if (!this.networkProxy) {
      console.log(`NetworkProxy not initialized: cannot apply external certificate for ${data.domain}`);
      return;
    }
    this.handleCertificateEvent(data);
  }
  /**
   * Get the NetworkProxy instance
   */
  public getNetworkProxy(): NetworkProxy | null {
    return this.networkProxy;
  }
  /**
   * Get the NetworkProxy port
   */
  public getNetworkProxyPort(): number {
    return this.networkProxy ? this.networkProxy.getListeningPort() : this.settings.networkProxyPort || 8443;
  }
  /**
   * Start NetworkProxy
   */
  public async start(): Promise<void> {
    if (this.networkProxy) {
      await this.networkProxy.start();
      console.log(`NetworkProxy started on port ${this.settings.networkProxyPort}`);
    }
  }
  /**
   * Stop NetworkProxy
   */
  public async stop(): Promise<void> {
    if (this.networkProxy) {
      try {
        console.log('Stopping NetworkProxy...');
        await this.networkProxy.stop();
        console.log('NetworkProxy stopped successfully');
      } catch (err) {
        console.log(`Error stopping NetworkProxy: ${err}`);
      }
    }
  }
  /**
   * Register domains from routes with Port80Handler for certificate management
   *
   * Extracts domains from routes that require TLS termination and registers them
   * with the Port80Handler for certificate issuance and renewal.
   *
   * @param routes The route configurations to extract domains from
   */
  public registerDomainsWithPort80Handler(routes: IRouteConfig[]): void {
    if (!this.port80Handler) {
      console.log('Cannot register domains - Port80Handler not initialized');
      return;
    }
    // Extract domains from routes that require TLS termination
    const domainsToRegister = new Set<string>();
    for (const route of routes) {
      // Skip routes without domains or TLS configuration
      if (!route.match.domains || !route.action.tls) continue;
      // Only register domains for routes that terminate TLS
      if (route.action.tls.mode !== 'terminate' && route.action.tls.mode !== 'terminate-and-reencrypt') continue;
      // Extract domains from route
      const domains = Array.isArray(route.match.domains)
        ? route.match.domains
        : [route.match.domains];
      // Add each domain to the set (avoiding duplicates)
      for (const domain of domains) {
        // Skip wildcards
        if (domain.includes('*')) {
          console.log(`Skipping wildcard domain for ACME: ${domain}`);
          continue;
        }
        domainsToRegister.add(domain);
      }
    }
    // Register each unique domain with Port80Handler
    for (const domain of domainsToRegister) {
      try {
        this.port80Handler.addDomain({
          domainName: domain,
          sslRedirect: true,
          acmeMaintenance: true,
          // Include route reference if we can find it
          routeReference: this.findRouteReferenceForDomain(domain, routes)
        });
        console.log(`Registered domain with Port80Handler: ${domain}`);
      } catch (err) {
        console.log(`Error registering domain ${domain} with Port80Handler: ${err}`);
      }
    }
  }
  /**
   * Finds the route reference for a given domain
   *
   * @param domain The domain to find a route reference for
   * @param routes The routes to search
   * @returns The route reference if found, undefined otherwise
   */
  private findRouteReferenceForDomain(domain: string, routes: IRouteConfig[]): { routeId?: string; routeName?: string } | undefined {
    // Find the first route that matches this domain
    for (const route of routes) {
      if (!route.match.domains) continue;
      const domains = Array.isArray(route.match.domains)
        ? route.match.domains
        : [route.match.domains];
      if (domains.includes(domain)) {
        return {
          routeId: undefined, // No explicit IDs in our current routes
          routeName: route.name
        };
      }
    }
    return undefined;
  }
  /**
   * Forwards a TLS connection to a NetworkProxy for handling
   */
  public forwardToNetworkProxy(
    connectionId: string,
    socket: plugins.net.Socket,
    record: IConnectionRecord,
    initialData: Buffer,
    customProxyPort?: number,
    onError?: (reason: string) => void
  ): void {
    // Ensure NetworkProxy is initialized
    if (!this.networkProxy) {
      console.log(
        `[${connectionId}] NetworkProxy not initialized. Cannot forward connection.`
      );
      if (onError) {
        onError('network_proxy_not_initialized');
      }
      return;
    }
    // Use the custom port if provided, otherwise use the default NetworkProxy port
    const proxyPort = customProxyPort || this.networkProxy.getListeningPort();
    const proxyHost = 'localhost'; // Assuming NetworkProxy runs locally
    if (this.settings.enableDetailedLogging) {
      console.log(
        `[${connectionId}] Forwarding TLS connection to NetworkProxy at ${proxyHost}:${proxyPort}`
      );
    }
    // Create a connection to the NetworkProxy
    const proxySocket = plugins.net.connect({
      host: proxyHost,
      port: proxyPort,
    });
    // Store the outgoing socket in the record
    record.outgoing = proxySocket;
    record.outgoingStartTime = Date.now();
    record.usingNetworkProxy = true;
    // Set up error handlers
    proxySocket.on('error', (err) => {
      console.log(`[${connectionId}] Error connecting to NetworkProxy: ${err.message}`);
      if (onError) {
        onError('network_proxy_connect_error');
      }
    });
    // Handle connection to NetworkProxy
    proxySocket.on('connect', () => {
      if (this.settings.enableDetailedLogging) {
        console.log(`[${connectionId}] Connected to NetworkProxy at ${proxyHost}:${proxyPort}`);
      }
      // First send the initial data that contains the TLS ClientHello
      proxySocket.write(initialData);
      // Now set up bidirectional piping between client and NetworkProxy
      socket.pipe(proxySocket);
      proxySocket.pipe(socket);
      // Update activity on data transfer (caller should handle this)
      if (this.settings.enableDetailedLogging) {
        console.log(`[${connectionId}] TLS connection successfully forwarded to NetworkProxy`);
      }
    });
  }
  /**
   * Synchronizes routes to NetworkProxy
   *
   * This method directly maps route configurations to NetworkProxy format and updates
   * the NetworkProxy with these configurations. It handles:
   *
   * - Extracting domain, target, and certificate information from routes
   * - Converting TLS mode settings to NetworkProxy configuration
   * - Applying security and advanced settings
   * - Registering domains for ACME certificate provisioning when needed
   *
   * @param routes The route configurations to sync to NetworkProxy
   */
  public async syncRoutesToNetworkProxy(routes: IRouteConfig[]): Promise<void> {
    if (!this.networkProxy) {
      console.log('Cannot sync configurations - NetworkProxy not initialized');
      return;
    }
    try {
      // Get SSL certificates from assets
      // Import fs directly since it's not in plugins
      const fs = await import('fs');
      let defaultCertPair;
      try {
        defaultCertPair = {
          key: fs.readFileSync('assets/certs/key.pem', 'utf8'),
          cert: fs.readFileSync('assets/certs/cert.pem', 'utf8'),
        };
      } catch (certError) {
        console.log(`Warning: Could not read default certificates: ${certError}`);
        console.log(
          'Using empty certificate placeholders - ACME will generate proper certificates if enabled'
        );
        // Use empty placeholders - NetworkProxy will use its internal defaults
        // or ACME will generate proper ones if enabled
        defaultCertPair = {
          key: '',
          cert: '',
        };
      }
      // Map routes directly to NetworkProxy configs
      const proxyConfigs = this.mapRoutesToNetworkProxyConfigs(routes, defaultCertPair);
      // Update the proxy configs
      await this.networkProxy.updateProxyConfigs(proxyConfigs);
      console.log(`Synced ${proxyConfigs.length} configurations to NetworkProxy`);
      // Register domains with Port80Handler for certificate issuance
      if (this.port80Handler) {
        this.registerDomainsWithPort80Handler(routes);
      }
    } catch (err) {
      console.log(`Error syncing routes to NetworkProxy: ${err}`);
    }
  }
  /**
   * Map routes directly to NetworkProxy configuration format
   *
   * This method directly maps route configurations to NetworkProxy's format
   * without any intermediate domain-based representation. It processes each route
   * and creates appropriate NetworkProxy configs for domains that require TLS termination.
   *
   * @param routes Array of route configurations to map
   * @param defaultCertPair Default certificate to use if no custom certificate is specified
   * @returns Array of NetworkProxy configurations
   */
  public mapRoutesToNetworkProxyConfigs(
    routes: IRouteConfig[],
    defaultCertPair: { key: string; cert: string }
  ): plugins.tsclass.network.IReverseProxyConfig[] {
    const configs: plugins.tsclass.network.IReverseProxyConfig[] = [];
    for (const route of routes) {
      // Skip routes without domains
      if (!route.match.domains) continue;
      // Skip non-forward routes
      if (route.action.type !== 'forward') continue;
      // Skip routes without TLS configuration
      if (!route.action.tls || !route.action.target) continue;
      // Skip routes that don't require TLS termination
      if (route.action.tls.mode !== 'terminate' && route.action.tls.mode !== 'terminate-and-reencrypt') continue;
      // Get domains from route
      const domains = Array.isArray(route.match.domains)
        ? route.match.domains
        : [route.match.domains];
      // Create a config for each domain
      for (const domain of domains) {
        // Get certificate
        let certKey = defaultCertPair.key;
        let certCert = defaultCertPair.cert;
        // Use custom certificate if specified
        if (route.action.tls.certificate !== 'auto' && typeof route.action.tls.certificate === 'object') {
          certKey = route.action.tls.certificate.key;
          certCert = route.action.tls.certificate.cert;
        }
        // Determine target hosts and ports
        const targetHosts = Array.isArray(route.action.target.host)
          ? route.action.target.host
          : [route.action.target.host];
        const targetPort = route.action.target.port;
        // Create the NetworkProxy config
        const config: plugins.tsclass.network.IReverseProxyConfig = {
          hostName: domain,
          privateKey: certKey,
          publicKey: certCert,
          destinationIps: targetHosts,
          destinationPorts: [targetPort]
          // Note: We can't include additional metadata as it's not supported in the interface
        };
        configs.push(config);
      }
    }
    return configs;
  }
  /**
   * @deprecated This method is kept for backward compatibility.
   * Use mapRoutesToNetworkProxyConfigs() instead.
   */
  public convertRoutesToNetworkProxyConfigs(
    routes: IRouteConfig[],
    defaultCertPair: { key: string; cert: string }
  ): plugins.tsclass.network.IReverseProxyConfig[] {
    return this.mapRoutesToNetworkProxyConfigs(routes, defaultCertPair);
  }
  /**
   * @deprecated This method is deprecated and will be removed in a future version.
   * Use syncRoutesToNetworkProxy() instead.
   *
   * This legacy method exists only for backward compatibility and
   * simply forwards to syncRoutesToNetworkProxy().
   */
  public async syncDomainConfigsToNetworkProxy(): Promise<void> {
    console.log('DEPRECATED: Method syncDomainConfigsToNetworkProxy will be removed in a future version.');
    console.log('Please use syncRoutesToNetworkProxy() instead for direct route-based configuration.');
    await this.syncRoutesToNetworkProxy(this.settings.routes || []);
  }
  /**
   * Request a certificate for a specific domain
   *
   * @param domain The domain to request a certificate for
   * @param routeName Optional route name to associate with this certificate
   */
  public async requestCertificate(domain: string, routeName?: string): Promise<boolean> {
    // Delegate to Port80Handler if available
    if (this.port80Handler) {
      try {
        // Check if the domain is already registered
        const cert = this.port80Handler.getCertificate(domain);
        if (cert) {
          console.log(`Certificate already exists for ${domain}`);
          return true;
        }
        // Build the domain options
        const domainOptions: any = {
          domainName: domain,
          sslRedirect: true,
          acmeMaintenance: true,
        };
        // Add route reference if available
        if (routeName) {
          domainOptions.routeReference = {
            routeName
          };
        } else {
          // Try to find a route reference from the current routes
          const routeReference = this.findRouteReferenceForDomain(domain, this.settings.routes || []);
          if (routeReference) {
            domainOptions.routeReference = routeReference;
          }
        }
        // Register the domain for certificate issuance
        this.port80Handler.addDomain(domainOptions);
        console.log(`Domain ${domain} registered for certificate issuance`);
        return true;
      } catch (err) {
        console.log(`Error requesting certificate: ${err}`);
        return false;
      }
    }
    // Fall back to NetworkProxy if Port80Handler is not available
    if (!this.networkProxy) {
      console.log('Cannot request certificate - NetworkProxy not initialized');
      return false;
    }
    if (!this.settings.acme?.enabled) {
      console.log('Cannot request certificate - ACME is not enabled');
      return false;
    }
    try {
      const result = await this.networkProxy.requestCertificate(domain);
      if (result) {
        console.log(`Certificate request for ${domain} submitted successfully`);
      } else {
        console.log(`Certificate request for ${domain} failed`);
      }
      return result;
    } catch (err) {
      console.log(`Error requesting certificate: ${err}`);
      return false;
    }
  }
 }
--- a/ts/proxies/smart-proxy/route-connection-handler.ts
+++ b/ts/proxies/smart-proxy/route-connection-handler.ts
@ -1,954 +0,0 @@
 import * as plugins from '../../plugins.js';
 import type {
  IConnectionRecord,
  ISmartProxyOptions
 } from './models/interfaces.js';
 import {
  isRoutedOptions
 } from './models/interfaces.js';
 import type {
  IRouteConfig,
  IRouteAction
 } from './models/route-types.js';
 import { ConnectionManager } from './connection-manager.js';
 import { SecurityManager } from './security-manager.js';
 import { TlsManager } from './tls-manager.js';
 import { NetworkProxyBridge } from './network-proxy-bridge.js';
 import { TimeoutManager } from './timeout-manager.js';
 import { RouteManager } from './route-manager.js';
 import type { ForwardingHandler } from '../../forwarding/handlers/base-handler.js';
 /**
 * Handles new connection processing and setup logic with support for route-based configuration
 */
 export class RouteConnectionHandler {
  private settings: ISmartProxyOptions;
  constructor(
    settings: ISmartProxyOptions,
    private connectionManager: ConnectionManager,
    private securityManager: SecurityManager,
    private tlsManager: TlsManager,
    private networkProxyBridge: NetworkProxyBridge,
    private timeoutManager: TimeoutManager,
    private routeManager: RouteManager
  ) {
    this.settings = settings;
  }
  /**
   * Handle a new incoming connection
   */
  public handleConnection(socket: plugins.net.Socket): void {
    const remoteIP = socket.remoteAddress || '';
    const localPort = socket.localPort || 0;
    // Validate IP against rate limits and connection limits
    const ipValidation = this.securityManager.validateIP(remoteIP);
    if (!ipValidation.allowed) {
      console.log(`Connection rejected from ${remoteIP}: ${ipValidation.reason}`);
      socket.end();
      socket.destroy();
      return;
    }
    // Create a new connection record
    const record = this.connectionManager.createConnection(socket);
    const connectionId = record.id;
    // Apply socket optimizations
    socket.setNoDelay(this.settings.noDelay);
    // Apply keep-alive settings if enabled
    if (this.settings.keepAlive) {
      socket.setKeepAlive(true, this.settings.keepAliveInitialDelay);
      record.hasKeepAlive = true;
      // Apply enhanced TCP keep-alive options if enabled
      if (this.settings.enableKeepAliveProbes) {
        try {
          // These are platform-specific and may not be available
          if ('setKeepAliveProbes' in socket) {
            (socket as any).setKeepAliveProbes(10);
          }
          if ('setKeepAliveInterval' in socket) {
            (socket as any).setKeepAliveInterval(1000);
          }
        } catch (err) {
          // Ignore errors - these are optional enhancements
          if (this.settings.enableDetailedLogging) {
            console.log(`[${connectionId}] Enhanced TCP keep-alive settings not supported: ${err}`);
          }
        }
      }
    }
    if (this.settings.enableDetailedLogging) {
      console.log(
        `[${connectionId}] New connection from ${remoteIP} on port ${localPort}. ` +
          `Keep-Alive: ${record.hasKeepAlive ? 'Enabled' : 'Disabled'}. ` +
          `Active connections: ${this.connectionManager.getConnectionCount()}`
      );
    } else {
      console.log(
        `New connection from ${remoteIP} on port ${localPort}. Active connections: ${this.connectionManager.getConnectionCount()}`
      );
    }
    // Start TLS SNI handling
    this.handleTlsConnection(socket, record);
  }
  /**
   * Handle a connection and wait for TLS handshake for SNI extraction if needed
   */
  private handleTlsConnection(socket: plugins.net.Socket, record: IConnectionRecord): void {
    const connectionId = record.id;
    const localPort = record.localPort;
    let initialDataReceived = false;
    // Set an initial timeout for handshake data
    let initialTimeout: NodeJS.Timeout | null = setTimeout(() => {
      if (!initialDataReceived) {
        console.log(
          `[${connectionId}] Initial data warning (${this.settings.initialDataTimeout}ms) for connection from ${record.remoteIP}`
        );
        // Add a grace period
        setTimeout(() => {
          if (!initialDataReceived) {
            console.log(`[${connectionId}] Final initial data timeout after grace period`);
            if (record.incomingTerminationReason === null) {
              record.incomingTerminationReason = 'initial_timeout';
              this.connectionManager.incrementTerminationStat('incoming', 'initial_timeout');
            }
            socket.end();
            this.connectionManager.cleanupConnection(record, 'initial_timeout');
          }
        }, 30000);
      }
    }, this.settings.initialDataTimeout!);
    // Make sure timeout doesn't keep the process alive
    if (initialTimeout.unref) {
      initialTimeout.unref();
    }
    // Set up error handler
    socket.on('error', this.connectionManager.handleError('incoming', record));
    // First data handler to capture initial TLS handshake
    socket.once('data', (chunk: Buffer) => {
      // Clear the initial timeout since we've received data
      if (initialTimeout) {
        clearTimeout(initialTimeout);
        initialTimeout = null;
      }
      initialDataReceived = true;
      record.hasReceivedInitialData = true;
      // Block non-TLS connections on port 443
      if (!this.tlsManager.isTlsHandshake(chunk) && localPort === 443) {
        console.log(
          `[${connectionId}] Non-TLS connection detected on port 443. ` +
            `Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
        );
        if (record.incomingTerminationReason === null) {
          record.incomingTerminationReason = 'non_tls_blocked';
          this.connectionManager.incrementTerminationStat('incoming', 'non_tls_blocked');
        }
        socket.end();
        this.connectionManager.cleanupConnection(record, 'non_tls_blocked');
        return;
      }
      // Check if this looks like a TLS handshake
      let serverName = '';
      if (this.tlsManager.isTlsHandshake(chunk)) {
        record.isTLS = true;
        // Check for ClientHello to extract SNI
        if (this.tlsManager.isClientHello(chunk)) {
          // Create connection info for SNI extraction
          const connInfo = {
            sourceIp: record.remoteIP,
            sourcePort: socket.remotePort || 0,
            destIp: socket.localAddress || '',
            destPort: socket.localPort || 0,
          };
          // Extract SNI
          serverName = this.tlsManager.extractSNI(chunk, connInfo) || '';
          // Lock the connection to the negotiated SNI
          record.lockedDomain = serverName;
          // Check if we should reject connections without SNI
          if (!serverName && this.settings.allowSessionTicket === false) {
            console.log(`[${connectionId}] No SNI detected in TLS ClientHello; sending TLS alert.`);
            if (record.incomingTerminationReason === null) {
              record.incomingTerminationReason = 'session_ticket_blocked_no_sni';
              this.connectionManager.incrementTerminationStat('incoming', 'session_ticket_blocked_no_sni');
            }
            const alert = Buffer.from([0x15, 0x03, 0x03, 0x00, 0x02, 0x01, 0x70]);
            try { 
              socket.cork(); 
              socket.write(alert); 
              socket.uncork(); 
              socket.end(); 
            } catch { 
              socket.end(); 
            }
            this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni');
            return;
          }
          if (this.settings.enableDetailedLogging) {
            console.log(`[${connectionId}] TLS connection with SNI: ${serverName || '(empty)'}`);
          }
        }
      }
      // Find the appropriate route for this connection
      this.routeConnection(socket, record, serverName, chunk);
    });
  }
  /**
   * Route the connection based on match criteria
   */
  private routeConnection(
    socket: plugins.net.Socket, 
    record: IConnectionRecord,
    serverName: string,
    initialChunk?: Buffer
  ): void {
    const connectionId = record.id;
    const localPort = record.localPort;
    const remoteIP = record.remoteIP;
    // Find matching route
    const routeMatch = this.routeManager.findMatchingRoute({
      port: localPort,
      domain: serverName,
      clientIp: remoteIP,
      path: undefined, // We don't have path info at this point
      tlsVersion: undefined // We don't extract TLS version yet
    });
    if (!routeMatch) {
      console.log(`[${connectionId}] No route found for ${serverName || 'connection'} on port ${localPort}`);
      // No matching route, use default/fallback handling
      console.log(`[${connectionId}] Using default route handling for connection`);
      // Check default security settings
      const defaultSecuritySettings = this.settings.defaults?.security;
      if (defaultSecuritySettings) {
        if (defaultSecuritySettings.allowedIps && defaultSecuritySettings.allowedIps.length > 0) {
          const isAllowed = this.securityManager.isIPAuthorized(
            remoteIP,
            defaultSecuritySettings.allowedIps,
            defaultSecuritySettings.blockedIps || []
          );
          if (!isAllowed) {
            console.log(`[${connectionId}] IP ${remoteIP} not in default allowed list`);
            socket.end();
            this.connectionManager.cleanupConnection(record, 'ip_blocked');
            return;
          }
        }
      }
      // Setup direct connection with default settings
      if (this.settings.defaults?.target) {
        // Use defaults from configuration
        const targetHost = this.settings.defaults.target.host;
        const targetPort = this.settings.defaults.target.port;
        return this.setupDirectConnection(
          socket,
          record,
          undefined,
          serverName,
          initialChunk,
          undefined,
          targetHost,
          targetPort
        );
      } else {
        // No default target available, terminate the connection
        console.log(`[${connectionId}] No default target configured. Closing connection.`);
        socket.end();
        this.connectionManager.cleanupConnection(record, 'no_default_target');
        return;
      }
    }
    // A matching route was found
    const route = routeMatch.route;
    if (this.settings.enableDetailedLogging) {
      console.log(
        `[${connectionId}] Route matched: "${route.name || 'unnamed'}" for ${serverName || 'connection'} on port ${localPort}`
      );
    }
    // Handle the route based on its action type
    switch (route.action.type) {
      case 'forward':
        return this.handleForwardAction(socket, record, route, initialChunk);
      case 'redirect':
        return this.handleRedirectAction(socket, record, route);
      case 'block':
        return this.handleBlockAction(socket, record, route);
      default:
        console.log(`[${connectionId}] Unknown action type: ${(route.action as any).type}`);
        socket.end();
        this.connectionManager.cleanupConnection(record, 'unknown_action');
    }
  }
  /**
   * Handle a forward action for a route
   */
  private handleForwardAction(
    socket: plugins.net.Socket,
    record: IConnectionRecord,
    route: IRouteConfig,
    initialChunk?: Buffer
  ): void {
    const connectionId = record.id;
    const action = route.action;
    // We should have a target configuration for forwarding
    if (!action.target) {
      console.log(`[${connectionId}] Forward action missing target configuration`);
      socket.end();
      this.connectionManager.cleanupConnection(record, 'missing_target');
      return;
    }
    // Determine if this needs TLS handling
    if (action.tls) {
      switch (action.tls.mode) {
        case 'passthrough':
          // For TLS passthrough, just forward directly
          if (this.settings.enableDetailedLogging) {
            console.log(`[${connectionId}] Using TLS passthrough to ${action.target.host}`);
          }
          // Allow for array of hosts
          const targetHost = Array.isArray(action.target.host) 
            ? action.target.host[Math.floor(Math.random() * action.target.host.length)]
            : action.target.host;
          // Determine target port - either target port or preserve incoming port
          const targetPort = action.target.preservePort ? record.localPort : action.target.port;
          return this.setupDirectConnection(
            socket,
            record,
            undefined,
            record.lockedDomain,
            initialChunk,
            undefined,
            targetHost,
            targetPort
          );
        case 'terminate':
        case 'terminate-and-reencrypt':
          // For TLS termination, use NetworkProxy
          if (this.networkProxyBridge.getNetworkProxy()) {
            if (this.settings.enableDetailedLogging) {
              console.log(
                `[${connectionId}] Using NetworkProxy for TLS termination to ${action.target.host}`
              );
            }
            // If we have an initial chunk with TLS data, start processing it
            if (initialChunk && record.isTLS) {
              return this.networkProxyBridge.forwardToNetworkProxy(
                connectionId,
                socket,
                record,
                initialChunk,
                this.settings.networkProxyPort,
                (reason) => this.connectionManager.initiateCleanupOnce(record, reason)
              );
            }
            // This shouldn't normally happen - we should have TLS data at this point
            console.log(`[${connectionId}] TLS termination route without TLS data`);
            socket.end();
            this.connectionManager.cleanupConnection(record, 'tls_error');
            return;
          } else {
            console.log(`[${connectionId}] NetworkProxy not available for TLS termination`);
            socket.end();
            this.connectionManager.cleanupConnection(record, 'no_network_proxy');
            return;
          }
      }
    } else {
      // No TLS settings - basic forwarding
      if (this.settings.enableDetailedLogging) {
        console.log(`[${connectionId}] Using basic forwarding to ${action.target.host}:${action.target.port}`);
      }
      // Allow for array of hosts
      const targetHost = Array.isArray(action.target.host) 
        ? action.target.host[Math.floor(Math.random() * action.target.host.length)]
        : action.target.host;
      // Determine target port - either target port or preserve incoming port
      const targetPort = action.target.preservePort ? record.localPort : action.target.port;
      return this.setupDirectConnection(
        socket,
        record,
        undefined,
        record.lockedDomain,
        initialChunk,
        undefined,
        targetHost,
        targetPort
      );
    }
  }
  /**
   * Handle a redirect action for a route
   */
  private handleRedirectAction(
    socket: plugins.net.Socket,
    record: IConnectionRecord,
    route: IRouteConfig
  ): void {
    const connectionId = record.id;
    const action = route.action;
    // We should have a redirect configuration
    if (!action.redirect) {
      console.log(`[${connectionId}] Redirect action missing redirect configuration`);
      socket.end();
      this.connectionManager.cleanupConnection(record, 'missing_redirect');
      return;
    }
    // For TLS connections, we can't do redirects at the TCP level
    if (record.isTLS) {
      console.log(`[${connectionId}] Cannot redirect TLS connection at TCP level`);
      socket.end();
      this.connectionManager.cleanupConnection(record, 'tls_redirect_error');
      return;
    }
    // Wait for the first HTTP request to perform the redirect
    const dataListeners: ((chunk: Buffer) => void)[] = [];
    const httpDataHandler = (chunk: Buffer) => {
      // Remove all data listeners to avoid duplicated processing
      for (const listener of dataListeners) {
        socket.removeListener('data', listener);
      }
      // Parse HTTP request to get path
      try {
        const headersEnd = chunk.indexOf('\r\n\r\n');
        if (headersEnd === -1) {
          // Not a complete HTTP request, need more data
          socket.once('data', httpDataHandler);
          dataListeners.push(httpDataHandler);
          return;
        }
        const httpHeaders = chunk.slice(0, headersEnd).toString();
        const requestLine = httpHeaders.split('\r\n')[0];
        const [method, path] = requestLine.split(' ');
        // Extract Host header
        const hostMatch = httpHeaders.match(/Host: (.+?)(\r\n|\r|\n|$)/i);
        const host = hostMatch ? hostMatch[1].trim() : record.lockedDomain || '';
        // Process the redirect URL with template variables
        let redirectUrl = action.redirect.to;
        redirectUrl = redirectUrl.replace(/\{domain\}/g, host);
        redirectUrl = redirectUrl.replace(/\{path\}/g, path || '');
        redirectUrl = redirectUrl.replace(/\{port\}/g, record.localPort.toString());
        // Prepare the HTTP redirect response
        const redirectResponse = [
          `HTTP/1.1 ${action.redirect.status} Moved`,
          `Location: ${redirectUrl}`,
          'Connection: close',
          'Content-Length: 0',
          '',
          ''
        ].join('\r\n');
        if (this.settings.enableDetailedLogging) {
          console.log(`[${connectionId}] Redirecting to ${redirectUrl} with status ${action.redirect.status}`);
        }
        // Send the redirect response
        socket.end(redirectResponse);
        this.connectionManager.initiateCleanupOnce(record, 'redirect_complete');
      } catch (err) {
        console.log(`[${connectionId}] Error processing HTTP redirect: ${err}`);
        socket.end();
        this.connectionManager.initiateCleanupOnce(record, 'redirect_error');
      }
    };
    // Setup the HTTP data handler
    socket.once('data', httpDataHandler);
    dataListeners.push(httpDataHandler);
  }
  /**
   * Handle a block action for a route
   */
  private handleBlockAction(
    socket: plugins.net.Socket,
    record: IConnectionRecord,
    route: IRouteConfig
  ): void {
    const connectionId = record.id;
    if (this.settings.enableDetailedLogging) {
      console.log(`[${connectionId}] Blocking connection based on route "${route.name || 'unnamed'}"`);
    }
    // Simply close the connection
    socket.end();
    this.connectionManager.initiateCleanupOnce(record, 'route_blocked');
  }
  /**
   * Legacy connection handling has been removed in favor of pure route-based approach
   */
  /**
   * Sets up a direct connection to the target
   */
  private setupDirectConnection(
    socket: plugins.net.Socket,
    record: IConnectionRecord,
    _unused?: any, // kept for backward compatibility
    serverName?: string,
    initialChunk?: Buffer,
    overridePort?: number,
    targetHost?: string,
    targetPort?: number
  ): void {
    const connectionId = record.id;
    // Determine target host and port if not provided
    const finalTargetHost = targetHost ||
      (this.settings.defaults?.target?.host || 'localhost');
    // Determine target port
    const finalTargetPort = targetPort ||
      (overridePort !== undefined ? overridePort :
       (this.settings.defaults?.target?.port || 443));
    // Setup connection options
    const connectionOptions: plugins.net.NetConnectOpts = {
      host: finalTargetHost,
      port: finalTargetPort,
    };
    // Preserve source IP if configured
    if (this.settings.defaults?.preserveSourceIP || this.settings.preserveSourceIP) {
      connectionOptions.localAddress = record.remoteIP.replace('::ffff:', '');
    }
    // Create a safe queue for incoming data
    const dataQueue: Buffer[] = [];
    let queueSize = 0;
    let processingQueue = false;
    let drainPending = false;
    let pipingEstablished = false;
    // Pause the incoming socket to prevent buffer overflows
    socket.pause();
    // Function to safely process the data queue without losing events
    const processDataQueue = () => {
      if (processingQueue || dataQueue.length === 0 || pipingEstablished) return;
      processingQueue = true;
      try {
        // Process all queued chunks with the current active handler
        while (dataQueue.length > 0) {
          const chunk = dataQueue.shift()!;
          queueSize -= chunk.length;
          // Once piping is established, we shouldn't get here,
          // but just in case, pass to the outgoing socket directly
          if (pipingEstablished && record.outgoing) {
            record.outgoing.write(chunk);
            continue;
          }
          // Track bytes received
          record.bytesReceived += chunk.length;
          // Check for TLS handshake
          if (!record.isTLS && this.tlsManager.isTlsHandshake(chunk)) {
            record.isTLS = true;
            if (this.settings.enableTlsDebugLogging) {
              console.log(
                `[${connectionId}] TLS handshake detected in tempDataHandler, ${chunk.length} bytes`
              );
            }
          }
          // Check if adding this chunk would exceed the buffer limit
          const newSize = record.pendingDataSize + chunk.length;
          if (this.settings.maxPendingDataSize && newSize > this.settings.maxPendingDataSize) {
            console.log(
              `[${connectionId}] Buffer limit exceeded for connection from ${record.remoteIP}: ${newSize} bytes > ${this.settings.maxPendingDataSize} bytes`
            );
            socket.end(); // Gracefully close the socket
            this.connectionManager.initiateCleanupOnce(record, 'buffer_limit_exceeded');
            return;
          }
          // Buffer the chunk and update the size counter
          record.pendingData.push(Buffer.from(chunk));
          record.pendingDataSize = newSize;
          this.timeoutManager.updateActivity(record);
        }
      } finally {
        processingQueue = false;
        // If there's a pending drain and we've processed everything,
        // signal we're ready for more data if we haven't established piping yet
        if (drainPending && dataQueue.length === 0 && !pipingEstablished) {
          drainPending = false;
          socket.resume();
        }
      }
    };
    // Unified data handler that safely queues incoming data
    const safeDataHandler = (chunk: Buffer) => {
      // If piping is already established, just let the pipe handle it
      if (pipingEstablished) return;
      // Add to our queue for orderly processing
      dataQueue.push(Buffer.from(chunk)); // Make a copy to be safe
      queueSize += chunk.length;
      // If queue is getting large, pause socket until we catch up
      if (this.settings.maxPendingDataSize && queueSize > this.settings.maxPendingDataSize * 0.8) {
        socket.pause();
        drainPending = true;
      }
      // Process the queue
      processDataQueue();
    };
    // Add our safe data handler
    socket.on('data', safeDataHandler);
    // Add initial chunk to pending data if present
    if (initialChunk) {
      record.bytesReceived += initialChunk.length;
      record.pendingData.push(Buffer.from(initialChunk));
      record.pendingDataSize = initialChunk.length;
    }
    // Create the target socket but don't set up piping immediately
    const targetSocket = plugins.net.connect(connectionOptions);
    record.outgoing = targetSocket;
    record.outgoingStartTime = Date.now();
    // Apply socket optimizations
    targetSocket.setNoDelay(this.settings.noDelay);
    // Apply keep-alive settings to the outgoing connection as well
    if (this.settings.keepAlive) {
      targetSocket.setKeepAlive(true, this.settings.keepAliveInitialDelay);
      // Apply enhanced TCP keep-alive options if enabled
      if (this.settings.enableKeepAliveProbes) {
        try {
          if ('setKeepAliveProbes' in targetSocket) {
            (targetSocket as any).setKeepAliveProbes(10);
          }
          if ('setKeepAliveInterval' in targetSocket) {
            (targetSocket as any).setKeepAliveInterval(1000);
          }
        } catch (err) {
          // Ignore errors - these are optional enhancements
          if (this.settings.enableDetailedLogging) {
            console.log(
              `[${connectionId}] Enhanced TCP keep-alive not supported for outgoing socket: ${err}`
            );
          }
        }
      }
    }
    // Setup specific error handler for connection phase
    targetSocket.once('error', (err) => {
      // This handler runs only once during the initial connection phase
      const code = (err as any).code;
      console.log(
        `[${connectionId}] Connection setup error to ${finalTargetHost}:${connectionOptions.port}: ${err.message} (${code})`
      );
      // Resume the incoming socket to prevent it from hanging
      socket.resume();
      if (code === 'ECONNREFUSED') {
        console.log(
          `[${connectionId}] Target ${finalTargetHost}:${connectionOptions.port} refused connection`
        );
      } else if (code === 'ETIMEDOUT') {
        console.log(
          `[${connectionId}] Connection to ${finalTargetHost}:${connectionOptions.port} timed out`
        );
      } else if (code === 'ECONNRESET') {
        console.log(
          `[${connectionId}] Connection to ${finalTargetHost}:${connectionOptions.port} was reset`
        );
      } else if (code === 'EHOSTUNREACH') {
        console.log(`[${connectionId}] Host ${finalTargetHost} is unreachable`);
      }
      // Clear any existing error handler after connection phase
      targetSocket.removeAllListeners('error');
      // Re-add the normal error handler for established connections
      targetSocket.on('error', this.connectionManager.handleError('outgoing', record));
      if (record.outgoingTerminationReason === null) {
        record.outgoingTerminationReason = 'connection_failed';
        this.connectionManager.incrementTerminationStat('outgoing', 'connection_failed');
      }
      // Route-based configuration doesn't use domain handlers
      // Clean up the connection
      this.connectionManager.initiateCleanupOnce(record, `connection_failed_${code}`);
    });
    // Setup close handler
    targetSocket.on('close', this.connectionManager.handleClose('outgoing', record));
    socket.on('close', this.connectionManager.handleClose('incoming', record));
    // Handle timeouts with keep-alive awareness
    socket.on('timeout', () => {
      // For keep-alive connections, just log a warning instead of closing
      if (record.hasKeepAlive) {
        console.log(
          `[${connectionId}] Timeout event on incoming keep-alive connection from ${
            record.remoteIP
          } after ${plugins.prettyMs(
            this.settings.socketTimeout || 3600000
          )}. Connection preserved.`
        );
        return;
      }
      // For non-keep-alive connections, proceed with normal cleanup
      console.log(
        `[${connectionId}] Timeout on incoming side from ${
          record.remoteIP
        } after ${plugins.prettyMs(this.settings.socketTimeout || 3600000)}`
      );
      if (record.incomingTerminationReason === null) {
        record.incomingTerminationReason = 'timeout';
        this.connectionManager.incrementTerminationStat('incoming', 'timeout');
      }
      this.connectionManager.initiateCleanupOnce(record, 'timeout_incoming');
    });
    targetSocket.on('timeout', () => {
      // For keep-alive connections, just log a warning instead of closing
      if (record.hasKeepAlive) {
        console.log(
          `[${connectionId}] Timeout event on outgoing keep-alive connection from ${
            record.remoteIP
          } after ${plugins.prettyMs(
            this.settings.socketTimeout || 3600000
          )}. Connection preserved.`
        );
        return;
      }
      // For non-keep-alive connections, proceed with normal cleanup
      console.log(
        `[${connectionId}] Timeout on outgoing side from ${
          record.remoteIP
        } after ${plugins.prettyMs(this.settings.socketTimeout || 3600000)}`
      );
      if (record.outgoingTerminationReason === null) {
        record.outgoingTerminationReason = 'timeout';
        this.connectionManager.incrementTerminationStat('outgoing', 'timeout');
      }
      this.connectionManager.initiateCleanupOnce(record, 'timeout_outgoing');
    });
    // Apply socket timeouts
    this.timeoutManager.applySocketTimeouts(record);
    // Track outgoing data for bytes counting
    targetSocket.on('data', (chunk: Buffer) => {
      record.bytesSent += chunk.length;
      this.timeoutManager.updateActivity(record);
    });
    // Wait for the outgoing connection to be ready before setting up piping
    targetSocket.once('connect', () => {
      // Clear the initial connection error handler
      targetSocket.removeAllListeners('error');
      // Add the normal error handler for established connections
      targetSocket.on('error', this.connectionManager.handleError('outgoing', record));
      // Process any remaining data in the queue before switching to piping
      processDataQueue();
      // Set up piping immediately
      pipingEstablished = true;
      // Flush all pending data to target
      if (record.pendingData.length > 0) {
        const combinedData = Buffer.concat(record.pendingData);
        if (this.settings.enableDetailedLogging) {
          console.log(
            `[${connectionId}] Forwarding ${combinedData.length} bytes of initial data to target`
          );
        }
        // Write pending data immediately
        targetSocket.write(combinedData, (err) => {
          if (err) {
            console.log(`[${connectionId}] Error writing pending data to target: ${err.message}`);
            return this.connectionManager.initiateCleanupOnce(record, 'write_error');
          }
        });
        // Clear the buffer now that we've processed it
        record.pendingData = [];
        record.pendingDataSize = 0;
      }
      // Setup piping in both directions without any delays
      socket.pipe(targetSocket);
      targetSocket.pipe(socket);
      // Resume the socket to ensure data flows
      socket.resume();
      // Process any data that might be queued in the interim
      if (dataQueue.length > 0) {
        // Write any remaining queued data directly to the target socket
        for (const chunk of dataQueue) {
          targetSocket.write(chunk);
        }
        // Clear the queue
        dataQueue.length = 0;
        queueSize = 0;
      }
      if (this.settings.enableDetailedLogging) {
        console.log(
          `[${connectionId}] Connection established: ${record.remoteIP} -> ${finalTargetHost}:${connectionOptions.port}` +
            `${
              serverName
                ? ` (SNI: ${serverName})`
                : record.lockedDomain
                ? ` (Domain: ${record.lockedDomain})`
                : ''
            }` +
            ` TLS: ${record.isTLS ? 'Yes' : 'No'}, Keep-Alive: ${
              record.hasKeepAlive ? 'Yes' : 'No'
            }`
        );
      } else {
        console.log(
          `Connection established: ${record.remoteIP} -> ${finalTargetHost}:${connectionOptions.port}` +
            `${
              serverName
                ? ` (SNI: ${serverName})`
                : record.lockedDomain
                ? ` (Domain: ${record.lockedDomain})`
                : ''
            }`
        );
      }
      // Add the renegotiation handler for SNI validation
      if (serverName) {
        // Create connection info object for the existing connection
        const connInfo = {
          sourceIp: record.remoteIP,
          sourcePort: record.incoming.remotePort || 0,
          destIp: record.incoming.localAddress || '',
          destPort: record.incoming.localPort || 0,
        };
        // Create a renegotiation handler function
        const renegotiationHandler = this.tlsManager.createRenegotiationHandler(
          connectionId,
          serverName,
          connInfo,
          (connectionId, reason) => this.connectionManager.initiateCleanupOnce(record, reason)
        );
        // Store the handler in the connection record so we can remove it during cleanup
        record.renegotiationHandler = renegotiationHandler;
        // Add the handler to the socket
        socket.on('data', renegotiationHandler);
        if (this.settings.enableDetailedLogging) {
          console.log(
            `[${connectionId}] TLS renegotiation handler installed for SNI domain: ${serverName}`
          );
          if (this.settings.allowSessionTicket === false) {
            console.log(
              `[${connectionId}] Session ticket usage is disabled. Connection will be reset on reconnection attempts.`
            );
          }
        }
      }
      // Set connection timeout
      record.cleanupTimer = this.timeoutManager.setupConnectionTimeout(record, (record, reason) => {
        console.log(
          `[${connectionId}] Connection from ${record.remoteIP} exceeded max lifetime, forcing cleanup.`
        );
        this.connectionManager.initiateCleanupOnce(record, reason);
      });
      // Mark TLS handshake as complete for TLS connections
      if (record.isTLS) {
        record.tlsHandshakeComplete = true;
        if (this.settings.enableTlsDebugLogging) {
          console.log(
            `[${connectionId}] TLS handshake complete for connection from ${record.remoteIP}`
          );
        }
      }
    });
  }
 }
--- a/ts/proxies/smart-proxy/route-helpers.ts
+++ b/ts/proxies/smart-proxy/route-helpers.ts
@ -1,498 +0,0 @@
 import type {
  IRouteConfig,
  IRouteMatch,
  IRouteAction,
  IRouteTarget,
  IRouteTls,
  IRouteRedirect,
  IRouteSecurity,
  IRouteAdvanced,
  TPortRange
 } from './models/route-types.js';
 /**
 * Basic helper function to create a route configuration
 */
 export function createRoute(
  match: IRouteMatch,
  action: IRouteAction,
  metadata?: {
    name?: string;
    description?: string;
    priority?: number;
    tags?: string[];
  }
 ): IRouteConfig {
  return {
    match,
    action,
    ...metadata
  };
 }
 /**
 * Create a basic HTTP route configuration
 */
 export function createHttpRoute(
  options: {
    ports?: number | number[]; // Default: 80
    domains?: string | string[];
    path?: string;
    target: IRouteTarget;
    headers?: Record<string, string>;
    security?: IRouteSecurity;
    name?: string;
    description?: string;
    priority?: number;
    tags?: string[];
  }
 ): IRouteConfig {
  return createRoute(
    {
      ports: options.ports || 80,
      ...(options.domains ? { domains: options.domains } : {}),
      ...(options.path ? { path: options.path } : {})
    },
    {
      type: 'forward',
      target: options.target,
      ...(options.headers || options.security ? {
        advanced: {
          ...(options.headers ? { headers: options.headers } : {})
        },
        ...(options.security ? { security: options.security } : {})
      } : {})
    },
    {
      name: options.name || 'HTTP Route',
      description: options.description,
      priority: options.priority,
      tags: options.tags
    }
  );
 }
 /**
 * Create an HTTPS route configuration with TLS termination
 */
 export function createHttpsRoute(
  options: {
    ports?: number | number[]; // Default: 443
    domains: string | string[];
    path?: string;
    target: IRouteTarget;
    tlsMode?: 'terminate' | 'terminate-and-reencrypt';
    certificate?: 'auto' | { key: string; cert: string };
    headers?: Record<string, string>;
    security?: IRouteSecurity;
    name?: string;
    description?: string;
    priority?: number;
    tags?: string[];
  }
 ): IRouteConfig {
  return createRoute(
    {
      ports: options.ports || 443,
      domains: options.domains,
      ...(options.path ? { path: options.path } : {})
    },
    {
      type: 'forward',
      target: options.target,
      tls: {
        mode: options.tlsMode || 'terminate',
        certificate: options.certificate || 'auto'
      },
      ...(options.headers || options.security ? {
        advanced: {
          ...(options.headers ? { headers: options.headers } : {})
        },
        ...(options.security ? { security: options.security } : {})
      } : {})
    },
    {
      name: options.name || 'HTTPS Route',
      description: options.description,
      priority: options.priority,
      tags: options.tags
    }
  );
 }
 /**
 * Create an HTTPS passthrough route configuration
 */
 export function createPassthroughRoute(
  options: {
    ports?: number | number[]; // Default: 443
    domains?: string | string[];
    target: IRouteTarget;
    security?: IRouteSecurity;
    name?: string;
    description?: string;
    priority?: number;
    tags?: string[];
  }
 ): IRouteConfig {
  return createRoute(
    {
      ports: options.ports || 443,
      ...(options.domains ? { domains: options.domains } : {})
    },
    {
      type: 'forward',
      target: options.target,
      tls: {
        mode: 'passthrough'
      },
      ...(options.security ? { security: options.security } : {})
    },
    {
      name: options.name || 'HTTPS Passthrough Route',
      description: options.description,
      priority: options.priority,
      tags: options.tags
    }
  );
 }
 /**
 * Create a redirect route configuration
 */
 export function createRedirectRoute(
  options: {
    ports?: number | number[]; // Default: 80
    domains?: string | string[];
    path?: string;
    redirectTo: string;
    statusCode?: 301 | 302 | 307 | 308;
    name?: string;
    description?: string;
    priority?: number;
    tags?: string[];
  }
 ): IRouteConfig {
  return createRoute(
    {
      ports: options.ports || 80,
      ...(options.domains ? { domains: options.domains } : {}),
      ...(options.path ? { path: options.path } : {})
    },
    {
      type: 'redirect',
      redirect: {
        to: options.redirectTo,
        status: options.statusCode || 301
      }
    },
    {
      name: options.name || 'Redirect Route',
      description: options.description,
      priority: options.priority,
      tags: options.tags
    }
  );
 }
 /**
 * Create an HTTP to HTTPS redirect route configuration
 */
 export function createHttpToHttpsRedirect(
  options: {
    domains: string | string[];
    statusCode?: 301 | 302 | 307 | 308;
    name?: string;
    priority?: number;
  }
 ): IRouteConfig {
  const domainArray = Array.isArray(options.domains) ? options.domains : [options.domains];
  return createRedirectRoute({
    ports: 80,
    domains: options.domains,
    redirectTo: 'https://{domain}{path}',
    statusCode: options.statusCode || 301,
    name: options.name || `HTTP to HTTPS Redirect for ${domainArray.join(', ')}`,
    priority: options.priority || 100 // High priority for redirects
  });
 }
 /**
 * Create a block route configuration
 */
 export function createBlockRoute(
  options: {
    ports: number | number[];
    domains?: string | string[];
    clientIp?: string[];
    name?: string;
    description?: string;
    priority?: number;
    tags?: string[];
  }
 ): IRouteConfig {
  return createRoute(
    {
      ports: options.ports,
      ...(options.domains ? { domains: options.domains } : {}),
      ...(options.clientIp ? { clientIp: options.clientIp } : {})
    },
    {
      type: 'block'
    },
    {
      name: options.name || 'Block Route',
      description: options.description,
      priority: options.priority || 1000, // Very high priority for blocks
      tags: options.tags
    }
  );
 }
 /**
 * Create a load balancer route configuration
 */
 export function createLoadBalancerRoute(
  options: {
    ports?: number | number[]; // Default: 443
    domains: string | string[];
    path?: string;
    targets: string[]; // Array of host names/IPs for load balancing
    targetPort: number;
    tlsMode?: 'passthrough' | 'terminate' | 'terminate-and-reencrypt';
    certificate?: 'auto' | { key: string; cert: string };
    headers?: Record<string, string>;
    security?: IRouteSecurity;
    name?: string;
    description?: string;
    tags?: string[];
  }
 ): IRouteConfig {
  const useTls = options.tlsMode !== undefined;
  const defaultPort = useTls ? 443 : 80;
  return createRoute(
    {
      ports: options.ports || defaultPort,
      domains: options.domains,
      ...(options.path ? { path: options.path } : {})
    },
    {
      type: 'forward',
      target: {
        host: options.targets,
        port: options.targetPort
      },
      ...(useTls ? {
        tls: {
          mode: options.tlsMode!,
          ...(options.tlsMode !== 'passthrough' && options.certificate ? {
            certificate: options.certificate
          } : {})
        }
      } : {}),
      ...(options.headers || options.security ? {
        advanced: {
          ...(options.headers ? { headers: options.headers } : {})
        },
        ...(options.security ? { security: options.security } : {})
      } : {})
    },
    {
      name: options.name || 'Load Balanced Route',
      description: options.description || `Load balancing across ${options.targets.length} backends`,
      tags: options.tags
    }
  );
 }
 /**
 * Create a complete HTTPS server configuration with HTTP redirect
 */
 export function createHttpsServer(
  options: {
    domains: string | string[];
    target: IRouteTarget;
    certificate?: 'auto' | { key: string; cert: string };
    security?: IRouteSecurity;
    addHttpRedirect?: boolean;
    name?: string;
  }
 ): IRouteConfig[] {
  const routes: IRouteConfig[] = [];
  const domainArray = Array.isArray(options.domains) ? options.domains : [options.domains];
  // Add HTTPS route
  routes.push(createHttpsRoute({
    domains: options.domains,
    target: options.target,
    certificate: options.certificate || 'auto',
    security: options.security,
    name: options.name || `HTTPS Server for ${domainArray.join(', ')}`
  }));
  // Add HTTP to HTTPS redirect if requested
  if (options.addHttpRedirect !== false) {
    routes.push(createHttpToHttpsRedirect({
      domains: options.domains,
      name: `HTTP to HTTPS Redirect for ${domainArray.join(', ')}`,
      priority: 100
    }));
  }
  return routes;
 }
 /**
 * Create a port range configuration from various input formats
 */
 export function createPortRange(
  ports: number | number[] | string | Array<{ from: number; to: number }>
 ): TPortRange {
  // If it's a string like "80,443" or "8000-9000", parse it
  if (typeof ports === 'string') {
    if (ports.includes('-')) {
      // Handle range like "8000-9000"
      const [start, end] = ports.split('-').map(p => parseInt(p.trim(), 10));
      return [{ from: start, to: end }];
    } else if (ports.includes(',')) {
      // Handle comma-separated list like "80,443,8080"
      return ports.split(',').map(p => parseInt(p.trim(), 10));
    } else {
      // Handle single port as string
      return parseInt(ports.trim(), 10);
    }
  }
  // Otherwise return as is
  return ports;
 }
 /**
 * Create a security configuration object
 */
 export function createSecurityConfig(
  options: {
    allowedIps?: string[];
    blockedIps?: string[];
    maxConnections?: number;
    authentication?: {
      type: 'basic' | 'digest' | 'oauth';
      // Auth-specific options
      [key: string]: any;
    };
  }
 ): IRouteSecurity {
  return {
    ...(options.allowedIps ? { allowedIps: options.allowedIps } : {}),
    ...(options.blockedIps ? { blockedIps: options.blockedIps } : {}),
    ...(options.maxConnections ? { maxConnections: options.maxConnections } : {}),
    ...(options.authentication ? { authentication: options.authentication } : {})
  };
 }
 /**
 * Create a static file server route
 */
 export function createStaticFileRoute(
  options: {
    ports?: number | number[]; // Default: 80
    domains: string | string[];
    path?: string;
    targetDirectory: string;
    tlsMode?: 'terminate' | 'terminate-and-reencrypt';
    certificate?: 'auto' | { key: string; cert: string };
    headers?: Record<string, string>;
    security?: IRouteSecurity;
    name?: string;
    description?: string;
    priority?: number;
    tags?: string[];
  }
 ): IRouteConfig {
  const useTls = options.tlsMode !== undefined;
  const defaultPort = useTls ? 443 : 80;
  return createRoute(
    {
      ports: options.ports || defaultPort,
      domains: options.domains,
      ...(options.path ? { path: options.path } : {})
    },
    {
      type: 'forward',
      target: {
        host: 'localhost', // Static file serving is typically handled locally
        port: 0, // Special value indicating a static file server
        preservePort: false
      },
      ...(useTls ? {
        tls: {
          mode: options.tlsMode!,
          certificate: options.certificate || 'auto'
        }
      } : {}),
      advanced: {
        ...(options.headers ? { headers: options.headers } : {}),
        staticFiles: {
          root: options.targetDirectory,
          index: ['index.html', 'index.htm'],
          directory: options.targetDirectory // For backward compatibility
        }
      },
      ...(options.security ? { security: options.security } : {})
    },
    {
      name: options.name || 'Static File Server',
      description: options.description || `Serving static files from ${options.targetDirectory}`,
      priority: options.priority,
      tags: options.tags
    }
  );
 }
 /**
 * Create a test route for debugging purposes
 */
 export function createTestRoute(
  options: {
    ports?: number | number[]; // Default: 8000
    domains?: string | string[];
    path?: string;
    response?: {
      status?: number;
      headers?: Record<string, string>;
      body?: string;
    };
    name?: string;
  }
 ): IRouteConfig {
  return createRoute(
    {
      ports: options.ports || 8000,
      ...(options.domains ? { domains: options.domains } : {}),
      ...(options.path ? { path: options.path } : {})
    },
    {
      type: 'forward',
      target: {
        host: 'test',  // Special value indicating a test route
        port: 0
      },
      advanced: {
        testResponse: {
          status: options.response?.status || 200,
          headers: options.response?.headers || { 'Content-Type': 'text/plain' },
          body: options.response?.body || 'Test route is working!'
        }
      }
    },
    {
      name: options.name || 'Test Route',
      description: 'Route for testing and debugging',
      priority: 500,
      tags: ['test', 'debug']
    }
  );
 }
--- a/ts/proxies/smart-proxy/route-helpers/index.ts
+++ b/ts/proxies/smart-proxy/route-helpers/index.ts
@ -1,9 +0,0 @@
 /**
 * Route helpers for SmartProxy
 * 
 * This module provides helper functions for creating various types of route configurations
 * to be used with the SmartProxy system.
 */
 // Re-export all functions from the route-helpers.ts file
 export * from '../route-helpers.js';
--- a/Show More
+++ b/Show More