19.5.0

certs/static-route/cert.pem

@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
+MIIC...
+-----END CERTIFICATE-----

certs/static-route/key.pem

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MIIE...
+-----END PRIVATE KEY-----

certs/static-route/meta.json

@@ -0,0 +1,5 @@
+{
+  "expiryDate": "2025-08-17T16:58:47.999Z",
+  "issueDate": "2025-05-19T16:58:47.999Z",
+  "savedAt": "2025-05-19T16:58:48.001Z"
+}

docs/porthandling.md

@@ -1,468 +0,0 @@
-# SmartProxy Port Handling
-
-This document covers all the port handling capabilities in SmartProxy, including port range specification, dynamic port mapping, and runtime port management.
-
-## Port Range Syntax
-
-SmartProxy offers flexible port range specification through the `TPortRange` type, which can be defined in three different ways:
-
-### 1. Single Port
-
-```typescript
-// Match a single port
-{
-  match: {
-    ports: 443
-  }
-}
-```
-
-### 2. Array of Specific Ports
-
-```typescript
-// Match multiple specific ports
-{
-  match: {
-    ports: [80, 443, 8080]
-  }
-}
-```
-
-### 3. Port Range
-
-```typescript
-// Match a range of ports
-{
-  match: {
-    ports: [{ from: 8000, to: 8100 }]
-  }
-}
-```
-
-### 4. Mixed Port Specifications
-
-You can combine different port specification methods in a single rule:
-
-```typescript
-// Match both specific ports and port ranges
-{
-  match: {
-    ports: [80, 443, { from: 8000, to: 8100 }]
-  }
-}
-```
-
-## Port Forwarding Options
-
-SmartProxy offers several ways to handle port forwarding from source to target:
-
-### 1. Static Port Forwarding
-
-Forward to a fixed target port:
-
-```typescript
-{
-  action: {
-    type: 'forward',
-    target: {
-      host: 'backend.example.com',
-      port: 8080
-    }
-  }
-}
-```
-
-### 2. Preserve Source Port
-
-Forward to the same port on the target:
-
-```typescript
-{
-  action: {
-    type: 'forward',
-    target: {
-      host: 'backend.example.com',
-      port: 'preserve'
-    }
-  }
-}
-```
-
-### 3. Dynamic Port Mapping
-
-Use a function to determine the target port based on connection context:
-
-```typescript
-{
-  action: {
-    type: 'forward',
-    target: {
-      host: 'backend.example.com',
-      port: (context) => {
-        // Calculate port based on request details
-        return 8000 + (context.port % 100);
-      }
-    }
-  }
-}
-```
-
-## Port Selection Context
-
-When using dynamic port mapping functions, you have access to a rich context object that provides details about the connection:
-
-```typescript
-interface IRouteContext {
-  // Connection information
-  port: number;          // The matched incoming port
-  domain?: string;       // The domain from SNI or Host header
-  clientIp: string;      // The client's IP address
-  serverIp: string;      // The server's IP address
-  path?: string;         // URL path (for HTTP connections)
-  query?: string;        // Query string (for HTTP connections)
-  headers?: Record<string, string>; // HTTP headers (for HTTP connections)
-
-  // TLS information
-  isTls: boolean;        // Whether the connection is TLS
-  tlsVersion?: string;   // TLS version if applicable
-
-  // Route information
-  routeName?: string;    // The name of the matched route
-  routeId?: string;      // The ID of the matched route
-
-  // Additional properties
-  timestamp: number;     // The request timestamp
-  connectionId: string;  // Unique connection identifier
-}
-```
-
-## Common Port Mapping Patterns
-
-### 1. Port Offset Mapping
-
-Forward traffic to target ports with a fixed offset:
-
-```typescript
-{
-  action: {
-    type: 'forward',
-    target: {
-      host: 'backend.example.com',
-      port: (context) => context.port + 1000
-    }
-  }
-}
-```
-
-### 2. Domain-Based Port Mapping
-
-Forward to different backend ports based on the domain:
-
-```typescript
-{
-  action: {
-    type: 'forward',
-    target: {
-      host: 'backend.example.com',
-      port: (context) => {
-        switch (context.domain) {
-          case 'api.example.com': return 8001;
-          case 'admin.example.com': return 8002;
-          case 'staging.example.com': return 8003;
-          default: return 8000;
-        }
-      }
-    }
-  }
-}
-```
-
-### 3. Load Balancing with Hash-Based Distribution
-
-Distribute connections across a port range using a deterministic hash function:
-
-```typescript
-{
-  action: {
-    type: 'forward',
-    target: {
-      host: 'backend.example.com',
-      port: (context) => {
-        // Simple hash function to ensure consistent mapping
-        const hostname = context.domain || '';
-        const hash = hostname.split('').reduce((a, b) => a + b.charCodeAt(0), 0);
-        return 8000 + (hash % 10); // Map to ports 8000-8009
-      }
-    }
-  }
-}
-```
-
-## IPv6-Mapped IPv4 Compatibility
-
-SmartProxy automatically handles IPv6-mapped IPv4 addresses for optimal compatibility. When a connection from an IPv4 address (e.g., `192.168.1.1`) arrives as an IPv6-mapped address (`::ffff:192.168.1.1`), the system normalizes these addresses for consistent matching.
-
-This is particularly important when:
-
-1. Matching client IP restrictions in route configurations
-2. Preserving source IP for outgoing connections
-3. Tracking connections and rate limits
-
-No special configuration is needed - the system handles this normalization automatically.
-
-## Dynamic Port Management
-
-SmartProxy allows for runtime port configuration changes without requiring a restart.
-
-### Adding and Removing Ports
-
-```typescript
-// Get the SmartProxy instance
-const proxy = new SmartProxy({ /* config */ });
-
-// Add a new listening port
-await proxy.addListeningPort(8081);
-
-// Remove a listening port
-await proxy.removeListeningPort(8082);
-```
-
-### Runtime Route Updates
-
-```typescript
-// Get current routes
-const currentRoutes = proxy.getRoutes();
-
-// Add new route for the new port
-const newRoute = {
-  name: 'New Dynamic Route',
-  match: {
-    ports: 8081,
-    domains: ['dynamic.example.com']
-  },
-  action: {
-    type: 'forward',
-    target: {
-      host: 'backend.example.com',
-      port: 9000
-    }
-  }
-};
-
-// Update the route configuration
-await proxy.updateRoutes([...currentRoutes, newRoute]);
-
-// Remove routes for a specific port
-const routesWithout8082 = currentRoutes.filter(route => {
-  const ports = proxy.routeManager.expandPortRange(route.match.ports);
-  return !ports.includes(8082);
-});
-await proxy.updateRoutes(routesWithout8082);
-```
-
-## Performance Considerations
-
-### Port Range Expansion
-
-When using large port ranges, SmartProxy uses internal caching to optimize performance. For example, a range like `{ from: 1000, to: 2000 }` is expanded only once and then cached for future use.
-
-### Port Range Validation
-
-The system automatically validates port ranges to ensure:
-
-1. Port numbers are within the valid range (1-65535)
-2. The "from" value is not greater than the "to" value in range specifications
-3. Port ranges do not contain duplicate entries
-
-Invalid port ranges will be logged as warnings and skipped during configuration.
-
-## Configuration Recipes
-
-### Global Port Range
-
-Listen on a large range of ports and forward to the same ports on a backend:
-
-```typescript
-{
-  name: 'Global port range forwarding',
-  match: {
-    ports: [{ from: 8000, to: 9000 }]
-  },
-  action: {
-    type: 'forward',
-    target: {
-      host: 'backend.example.com',
-      port: 'preserve'
-    }
-  }
-}
-```
-
-### Domain-Specific Port Ranges
-
-Different port ranges for different domain groups:
-
-```typescript
-[
-  {
-    name: 'API port range',
-    match: {
-      ports: [{ from: 8000, to: 8099 }]
-    },
-    action: {
-      type: 'forward',
-      target: {
-        host: 'api.backend.example.com',
-        port: 'preserve'
-      }
-    }
-  },
-  {
-    name: 'Admin port range',
-    match: {
-      ports: [{ from: 9000, to: 9099 }]
-    },
-    action: {
-      type: 'forward',
-      target: {
-        host: 'admin.backend.example.com',
-        port: 'preserve'
-      }
-    }
-  }
-]
-```
-
-### Mixed Internal/External Port Forwarding
-
-Forward specific high-numbered ports to standard ports on internal servers:
-
-```typescript
-[
-  {
-    name: 'Web server forwarding',
-    match: {
-      ports: [8080, 8443]
-    },
-    action: {
-      type: 'forward',
-      target: {
-        host: 'web.internal',
-        port: (context) => context.port === 8080 ? 80 : 443
-      }
-    }
-  },
-  {
-    name: 'Database forwarding',
-    match: {
-      ports: [15432]
-    },
-    action: {
-      type: 'forward',
-      target: {
-        host: 'db.internal',
-        port: 5432
-      }
-    }
-  }
-]
-```
-
-## Debugging Port Configurations
-
-When troubleshooting port forwarding issues, enable detailed logging:
-
-```typescript
-const proxy = new SmartProxy({
-  routes: [ /* your routes */ ],
-  enableDetailedLogging: true
-});
-```
-
-This will log:
-- Port configuration during startup
-- Port matching decisions during routing
-- Dynamic port function results
-- Connection details including source and target ports
-
-## Port Security Considerations
-
-### Restricting Ports
-
-For security, you may want to restrict which ports can be accessed by specific clients:
-
-```typescript
-{
-  name: 'Restricted port range',
-  match: {
-    ports: [{ from: 8000, to: 9000 }],
-    clientIp: ['10.0.0.0/8'] // Only internal network can access these ports
-  },
-  action: {
-    type: 'forward',
-    target: {
-      host: 'internal.example.com',
-      port: 'preserve'
-    }
-  }
-}
-```
-
-### Rate Limiting by Port
-
-Apply different rate limits for different port ranges:
-
-```typescript
-{
-  name: 'API ports with rate limiting',
-  match: {
-    ports: [{ from: 8000, to: 8100 }]
-  },
-  action: {
-    type: 'forward',
-    target: {
-      host: 'api.example.com',
-      port: 'preserve'
-    },
-    security: {
-      rateLimit: {
-        enabled: true,
-        maxRequests: 100,
-        window: 60 // 60 seconds
-      }
-    }
-  }
-}
-```
-
-## Best Practices
-
-1. **Use Specific Port Ranges**: Instead of large ranges (e.g., 1-65535), use specific ranges for specific purposes
-
-2. **Prioritize Routes**: When multiple routes could match, use the `priority` field to ensure the most specific route is matched first
-
-3. **Name Your Routes**: Use descriptive names to make debugging easier, especially when using port ranges
-
-4. **Use Preserve Port Where Possible**: Using `port: 'preserve'` is more efficient and easier to maintain than creating multiple specific mappings
-
-5. **Limit Dynamic Port Functions**: While powerful, complex port functions can be harder to debug; prefer simple map or math-based functions
-
-6. **Use Port Variables**: For complex setups, define your port ranges as variables for easier maintenance:
-
-```typescript
-const API_PORTS = [{ from: 8000, to: 8099 }];
-const ADMIN_PORTS = [{ from: 9000, to: 9099 }];
-
-const routes = [
-  {
-    name: 'API Routes',
-    match: { ports: API_PORTS, /* ... */ },
-    // ...
-  },
-  {
-    name: 'Admin Routes',
-    match: { ports: ADMIN_PORTS, /* ... */ },
-    // ...
-  }
-];
-```

examples/dynamic-port-management.ts

@@ -1,130 +0,0 @@
-/**
- * Dynamic Port Management Example
- * 
- * This example demonstrates how to dynamically add and remove ports
- * while SmartProxy is running, without requiring a restart.
- */
-
-import { SmartProxy } from '../dist_ts/index.js';
-
-async function main() {
-  // Create a SmartProxy instance with initial routes
-  const proxy = new SmartProxy({
-    routes: [
-      // Initial route on port 8080
-      {
-        match: { 
-          ports: 8080,
-          domains: ['example.com', '*.example.com']
-        },
-        action: {
-          type: 'forward',
-          target: { host: 'localhost', port: 3000 }
-        },
-        name: 'Initial HTTP Route'
-      }
-    ]
-  });
-
-  // Start the proxy
-  await proxy.start();
-  console.log('SmartProxy started with initial configuration');
-  console.log('Listening on ports:', proxy.getListeningPorts());
-
-  // Wait 3 seconds
-  console.log('Waiting 3 seconds before adding a new port...');
-  await new Promise(resolve => setTimeout(resolve, 3000));
-
-  // Add a new port listener without changing routes yet
-  await proxy.addListeningPort(8081);
-  console.log('Added port 8081 without any routes yet');
-  console.log('Now listening on ports:', proxy.getListeningPorts());
-
-  // Wait 3 more seconds
-  console.log('Waiting 3 seconds before adding a route for the new port...');
-  await new Promise(resolve => setTimeout(resolve, 3000));
-
-  // Get current routes and add a new one for port 8081
-  const currentRoutes = proxy.settings.routes;
-  
-  // Create a new route for port 8081
-  const newRoute = {
-    match: { 
-      ports: 8081,
-      domains: ['api.example.com']
-    },
-    action: {
-      type: 'forward',
-      target: { host: 'localhost', port: 4000 }
-    },
-    name: 'API Route'
-  };
-
-  // Update routes to include the new one
-  await proxy.updateRoutes([...currentRoutes, newRoute]);
-  console.log('Added new route for port 8081');
-
-  // Wait 3 more seconds
-  console.log('Waiting 3 seconds before adding another port through updateRoutes...');
-  await new Promise(resolve => setTimeout(resolve, 3000));
-
-  // Add a completely new port via updateRoutes, which will automatically start listening
-  const thirdRoute = {
-    match: { 
-      ports: 8082,
-      domains: ['admin.example.com']
-    },
-    action: {
-      type: 'forward',
-      target: { host: 'localhost', port: 5000 }
-    },
-    name: 'Admin Route'
-  };
-
-  // Update routes again to include the third route
-  await proxy.updateRoutes([...currentRoutes, newRoute, thirdRoute]);
-  console.log('Added new route for port 8082 through updateRoutes');
-  console.log('Now listening on ports:', proxy.getListeningPorts());
-
-  // Wait 3 more seconds
-  console.log('Waiting 3 seconds before removing port 8081...');
-  await new Promise(resolve => setTimeout(resolve, 3000));
-
-  // Remove a port without changing routes
-  await proxy.removeListeningPort(8081);
-  console.log('Removed port 8081 (but route still exists)');
-  console.log('Now listening on ports:', proxy.getListeningPorts());
-
-  // Wait 3 more seconds
-  console.log('Waiting 3 seconds before stopping all routes on port 8082...');
-  await new Promise(resolve => setTimeout(resolve, 3000));
-
-  // Remove all routes for port 8082
-  const routesWithout8082 = currentRoutes.filter(route => {
-    // Check if this route includes port 8082
-    const ports = proxy.routeManager.expandPortRange(route.match.ports);
-    return !ports.includes(8082);
-  });
-
-  // Update routes without any for port 8082
-  await proxy.updateRoutes([...routesWithout8082, newRoute]);
-  console.log('Removed routes for port 8082 through updateRoutes');
-  console.log('Now listening on ports:', proxy.getListeningPorts());
-
-  // Show statistics
-  console.log('Statistics:', proxy.getStatistics());
-
-  // Wait 3 more seconds, then shut down
-  console.log('Waiting 3 seconds before shutdown...');
-  await new Promise(resolve => setTimeout(resolve, 3000));
-
-  // Stop the proxy
-  await proxy.stop();
-  console.log('SmartProxy stopped');
-}
-
-// Run the example
-main().catch(err => {
-  console.error('Error in example:', err);
-  process.exit(1);
-});

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "18.0.0",
+  "version": "19.5.0",
   "private": false,
   "description": "A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",
@@ -9,24 +9,26 @@
   "author": "Lossless GmbH",
   "license": "MIT",
   "scripts": {
-    "test": "(tstest test/)",
+    "test": "(tstest test/**/test*.ts  --verbose)",
     "build": "(tsbuild tsfolders --allowimplicitany)",
     "format": "(gitzone format)",
     "buildDocs": "tsdoc"
   },
   "devDependencies": {
-    "@git.zone/tsbuild": "^2.3.2",
+    "@git.zone/tsbuild": "^2.6.4",
     "@git.zone/tsrun": "^1.2.44",
-    "@git.zone/tstest": "^1.0.77",
-    "@push.rocks/tapbundle": "^6.0.3",
-    "@types/node": "^22.15.3",
+    "@git.zone/tstest": "^2.3.1",
+    "@types/node": "^22.15.24",
     "typescript": "^5.8.3"
   },
   "dependencies": {
     "@push.rocks/lik": "^6.2.2",
-    "@push.rocks/smartacme": "^7.3.2",
+    "@push.rocks/smartacme": "^8.0.0",
+    "@push.rocks/smartcrypto": "^2.0.4",
     "@push.rocks/smartdelay": "^3.0.5",
-    "@push.rocks/smartnetwork": "^4.0.1",
+    "@push.rocks/smartfile": "^11.2.5",
+    "@push.rocks/smartlog": "^3.1.8",
+    "@push.rocks/smartnetwork": "^4.0.2",
     "@push.rocks/smartpromise": "^4.2.3",
     "@push.rocks/smartrequest": "^2.1.0",
     "@push.rocks/smartstring": "^4.0.15",

readme.hints.md

@@ -4,6 +4,12 @@
 - Package: `@push.rocks/smartproxy` – high-performance proxy supporting HTTP(S), TCP, WebSocket, and ACME integration.
 - Written in TypeScript, compiled output in `dist_ts/`, uses ESM with NodeNext resolution.
 
+## Important: ACME Configuration in v19.0.0
+- **Breaking Change**: ACME configuration must be placed within individual route TLS settings, not at the top level
+- Route-level ACME config is the ONLY way to enable SmartAcme initialization
+- SmartCertManager requires email in route config for certificate acquisition
+- Top-level ACME configuration is ignored in v19.0.0
+
 ## Repository Structure
 - `ts/` – TypeScript source files:
   - `index.ts` exports main modules.
@@ -57,8 +63,96 @@
 - CLI entrypoint (`cli.js`) supports command-line usage (ACME, proxy controls).
 - ACME and certificate handling via `Port80Handler` and `helpers.certificates.ts`.
 
+## ACME/Certificate Configuration Example (v19.0.0)
+```typescript
+const proxy = new SmartProxy({
+  routes: [{
+    name: 'example.com',
+    match: { domains: 'example.com', ports: 443 },
+    action: {
+      type: 'forward',
+      target: { host: 'localhost', port: 8080 },
+      tls: {
+        mode: 'terminate',
+        certificate: 'auto',
+        acme: {  // ACME config MUST be here, not at top level
+          email: 'ssl@example.com',
+          useProduction: false,
+          challengePort: 80
+        }
+      }
+    }
+  }]
+});
+```
+
 ## TODOs / Considerations
 - Ensure import extensions in source match build outputs (`.ts` vs `.js`).
 - Update `plugins.ts` when adding new dependencies.
 - Maintain test coverage for new routing or proxy features.
-- Keep `ts/` and `dist_ts/` in sync after refactors.
+- Keep `ts/` and `dist_ts/` in sync after refactors.
+- Consider implementing top-level ACME config support for backward compatibility
+
+## HTTP-01 ACME Challenge Fix (v19.3.8)
+
+### Issue
+Non-TLS connections on ports configured in `useHttpProxy` were not being forwarded to HttpProxy. This caused ACME HTTP-01 challenges to fail when the ACME port (usually 80) was included in `useHttpProxy`.
+
+### Root Cause
+In the `RouteConnectionHandler.handleForwardAction` method, only connections with TLS settings (mode: 'terminate' or 'terminate-and-reencrypt') were being forwarded to HttpProxy. Non-TLS connections were always handled as direct connections, even when the port was configured for HttpProxy.
+
+### Solution
+Added a check for non-TLS connections on ports listed in `useHttpProxy`:
+```typescript
+// No TLS settings - check if this port should use HttpProxy
+const isHttpProxyPort = this.settings.useHttpProxy?.includes(record.localPort);
+
+if (isHttpProxyPort && this.httpProxyBridge.getHttpProxy()) {
+  // Forward non-TLS connections to HttpProxy if configured
+  this.httpProxyBridge.forwardToHttpProxy(/*...*/);
+  return;
+}
+```
+
+### Test Coverage
+- `test/test.http-fix-unit.ts` - Unit tests verifying the fix
+- Tests confirm that non-TLS connections on HttpProxy ports are properly forwarded
+- Tests verify that non-HttpProxy ports still use direct connections
+
+### Configuration Example
+```typescript
+const proxy = new SmartProxy({
+  useHttpProxy: [80], // Enable HttpProxy for port 80
+  httpProxyPort: 8443,
+  acme: {
+    email: 'ssl@example.com',
+    port: 80
+  },
+  routes: [
+    // Your routes here
+  ]
+});
+```
+
+## ACME Certificate Provisioning Timing Fix (v19.3.9)
+
+### Issue
+Certificate provisioning would start before ports were listening, causing ACME HTTP-01 challenges to fail with connection refused errors.
+
+### Root Cause
+SmartProxy initialization sequence:
+1. Certificate manager initialized → immediately starts provisioning
+2. Ports start listening (too late for ACME challenges)
+
+### Solution
+Deferred certificate provisioning until after ports are ready:
+```typescript
+// SmartCertManager.initialize() now skips automatic provisioning
+// SmartProxy.start() calls provisionAllCertificates() directly after ports are listening
+```
+
+### Test Coverage
+- `test/test.acme-timing-simple.ts` - Verifies proper timing sequence
+
+### Migration
+Update to v19.3.9+, no configuration changes needed.

readme.md

@@ -9,6 +9,7 @@ A unified high-performance proxy toolkit for Node.js, with **SmartProxy** as the
 - **Multiple Action Types**: Forward (with TLS modes), redirect, or block traffic
 - **Dynamic Port Management**: Add or remove listening ports at runtime without restart
 - **Security Features**: IP allowlists, connection limits, timeouts, and more
+- **NFTables Integration**: High-performance kernel-level packet forwarding with Linux NFTables
 
 ## Project Architecture Overview
 
@@ -20,10 +21,10 @@ SmartProxy has been restructured using a modern, modular architecture with a uni
 │   ├── /models               # Data models and interfaces
 │   ├── /utils                # Shared utilities (IP validation, logging, etc.)
 │   └── /events               # Common event definitions
-├── /certificate              # Certificate management
-│   ├── /acme                 # ACME-specific functionality
-│   ├── /providers            # Certificate providers (static, ACME)
-│   └── /storage              # Certificate storage mechanisms
+├── /certificate              # Certificate management (deprecated in v18+)
+│   ├── /acme                 # Moved to SmartCertManager
+│   ├── /providers            # Now integrated in route configuration 
+│   └── /storage              # Now uses CertStore
 ├── /forwarding               # Forwarding system
 │   ├── /handlers             # Various forwarding handlers
 │   │   ├── base-handler.ts   # Abstract base handler
@@ -36,17 +37,19 @@ SmartProxy has been restructured using a modern, modular architecture with a uni
 │   │   ├── /models           # SmartProxy-specific interfaces
 │   │   │   ├── route-types.ts # Route-based configuration types
 │   │   │   └── interfaces.ts  # SmartProxy interfaces
+│   │   ├── certificate-manager.ts # SmartCertManager (new in v18+)
+│   │   ├── cert-store.ts     # Certificate file storage
 │   │   ├── route-helpers.ts  # Helper functions for creating routes
 │   │   ├── route-manager.ts  # Route management system
 │   │   ├── smart-proxy.ts    # Main SmartProxy class
 │   │   └── ...               # Supporting classes
-│   ├── /network-proxy        # NetworkProxy implementation
+│   ├── /http-proxy           # HttpProxy implementation (HTTP/HTTPS handling)
 │   └── /nftables-proxy       # NfTablesProxy implementation
 ├── /tls                      # TLS-specific functionality
 │   ├── /sni                  # SNI handling components
 │   └── /alerts               # TLS alerts system
 └── /http                     # HTTP-specific functionality
-    ├── /port80               # Port80Handler components
+    ├── /port80               # Port80Handler (removed in v18+)
     ├── /router               # HTTP routing system
     └── /redirects            # Redirect handlers
 ```
@@ -71,10 +74,12 @@ SmartProxy has been restructured using a modern, modular architecture with a uni
   Helper functions for common redirect and security configurations
 - **createLoadBalancerRoute**, **createHttpsServer**
   Helper functions for complex configurations
+- **createNfTablesRoute**, **createNfTablesTerminateRoute**
+  Helper functions for NFTables-based high-performance kernel-level routing
 
 ### Specialized Components
 
-- **NetworkProxy** (`ts/proxies/network-proxy/network-proxy.ts`)
+- **HttpProxy** (`ts/proxies/http-proxy/http-proxy.ts`)
   HTTP/HTTPS reverse proxy with TLS termination and WebSocket support
 - **Port80Handler** (`ts/http/port80/port80-handler.ts`)
   ACME HTTP-01 challenge handler for Let's Encrypt certificates
@@ -96,7 +101,7 @@ SmartProxy has been restructured using a modern, modular architecture with a uni
 
 - `IRouteConfig`, `IRouteMatch`, `IRouteAction` (`ts/proxies/smart-proxy/models/route-types.ts`)
 - `IRoutedSmartProxyOptions` (`ts/proxies/smart-proxy/models/route-types.ts`)
-- `INetworkProxyOptions` (`ts/proxies/network-proxy/models/types.ts`)
+- `IHttpProxyOptions` (`ts/proxies/http-proxy/models/types.ts`)
 - `IAcmeOptions`, `IDomainOptions` (`ts/certificate/models/certificate-types.ts`)
 - `INfTableProxySettings` (`ts/proxies/nftables-proxy/models/interfaces.ts`)
 
@@ -108,7 +113,7 @@ npm install @push.rocks/smartproxy
 
 ## Quick Start with SmartProxy
 
-SmartProxy v16.0.0 continues the evolution of the unified route-based configuration system making your proxy setup more flexible and intuitive with improved helper functions.
+SmartProxy v19.4.0 provides a unified route-based configuration system with enhanced certificate management, NFTables integration for high-performance kernel-level routing, and improved helper functions for common proxy setups.
 
 ```typescript
 import {
@@ -122,11 +127,23 @@ import {
   createStaticFileRoute,
   createApiRoute,
   createWebSocketRoute,
-  createSecurityConfig
+  createSecurityConfig,
+  createNfTablesRoute,
+  createNfTablesTerminateRoute
 } from '@push.rocks/smartproxy';
 
 // Create a new SmartProxy instance with route-based configuration
 const proxy = new SmartProxy({
+  // Global ACME settings for all routes with certificate: 'auto'
+  acme: {
+    email: 'ssl@bleu.de',          // Required for Let's Encrypt
+    useProduction: false,          // Use staging by default
+    renewThresholdDays: 30,        // Renew 30 days before expiry
+    port: 80,                      // Port for HTTP-01 challenges (use 8080 for non-privileged)
+    autoRenew: true,              // Enable automatic renewal
+    renewCheckIntervalHours: 24    // Check for renewals daily
+  },
+  
   // Define all your routing rules in a single array
   routes: [
     // Basic HTTP route - forward traffic from port 80 to internal service
@@ -134,7 +151,7 @@ const proxy = new SmartProxy({
 
     // HTTPS route with TLS termination and automatic certificates
     createHttpsTerminateRoute('secure.example.com', { host: 'localhost', port: 8080 }, {
-      certificate: 'auto'  // Use Let's Encrypt
+      certificate: 'auto'  // Uses global ACME settings
     }),
 
     // HTTPS passthrough for legacy systems
@@ -185,27 +202,23 @@ const proxy = new SmartProxy({
           maxConnections: 1000
         })
       }
-    )
-  ],
+    ),
 
-  // Global settings that apply to all routes
-  defaults: {
-    security: {
-      maxConnections: 500
-    }
-  },
+    // High-performance NFTables route (requires root/sudo)
+    createNfTablesRoute('fast.example.com', { host: 'backend-server', port: 8080 }, {
+      ports: 80,
+      protocol: 'tcp',
+      preserveSourceIP: true,
+      ipAllowList: ['10.0.0.*']
+    }),
 
-  // Automatic Let's Encrypt integration
-  acme: {
-    enabled: true,
-    contactEmail: 'admin@example.com',
-    useProduction: true
-  }
-});
-
-// Listen for certificate events
-proxy.on('certificate', evt => {
-  console.log(`Certificate for ${evt.domain} ready, expires: ${evt.expiryDate}`);
+    // NFTables HTTPS termination for ultra-fast TLS handling
+    createNfTablesTerminateRoute('secure-fast.example.com', { host: 'backend-ssl', port: 443 }, {
+      ports: 443,
+      certificate: 'auto',
+      maxRate: '100mbps'
+    })
+  ]
 });
 
 // Start the proxy
@@ -319,9 +332,75 @@ interface IRouteAction {
 
   // Advanced options
   advanced?: IRouteAdvanced;
+
+  // Forwarding engine selection
+  forwardingEngine?: 'node' | 'nftables';
+
+  // NFTables-specific options
+  nftables?: INfTablesOptions;
 }
 ```
 
+### ACME/Let's Encrypt Configuration
+
+SmartProxy supports automatic certificate provisioning and renewal with Let's Encrypt. ACME can be configured globally or per-route.
+
+#### Global ACME Configuration
+Set default ACME settings for all routes with `certificate: 'auto'`:
+
+```typescript
+const proxy = new SmartProxy({
+  // Global ACME configuration
+  acme: {
+    email: 'ssl@example.com',         // Required - Let's Encrypt account email
+    useProduction: false,             // Use staging (false) or production (true)
+    renewThresholdDays: 30,           // Renew certificates 30 days before expiry
+    port: 80,                         // Port for HTTP-01 challenges
+    certificateStore: './certs',      // Directory to store certificates
+    autoRenew: true,                  // Enable automatic renewal
+    renewCheckIntervalHours: 24       // Check for renewals every 24 hours
+  },
+  
+  routes: [
+    // This route will use the global ACME settings
+    {
+      name: 'website',
+      match: { ports: 443, domains: 'example.com' },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8080 },
+        tls: {
+          mode: 'terminate',
+          certificate: 'auto'  // Uses global ACME configuration
+        }
+      }
+    }
+  ]
+});
+```
+
+#### Route-Specific ACME Configuration
+Override global settings for specific routes:
+
+```typescript
+{
+  name: 'api',
+  match: { ports: 443, domains: 'api.example.com' },
+  action: {
+    type: 'forward',
+    target: { host: 'localhost', port: 3000 },
+    tls: {
+      mode: 'terminate',
+      certificate: 'auto',
+      acme: {
+        email: 'api-ssl@example.com',  // Different email for this route
+        useProduction: true,           // Use production while global uses staging
+        renewBeforeDays: 60            // Route-specific renewal threshold
+      }
+    }
+  }
+}
+
 **Forward Action:**
 When `type: 'forward'`, the traffic is forwarded to the specified target:
 ```typescript
@@ -349,6 +428,25 @@ interface IRouteTls {
 - **terminate:** Terminate TLS and forward as HTTP
 - **terminate-and-reencrypt:** Terminate TLS and create a new TLS connection to the backend
 
+**Forwarding Engine:**
+When `forwardingEngine` is specified, it determines how packets are forwarded:
+- **node:** (default) Application-level forwarding using Node.js
+- **nftables:** Kernel-level forwarding using Linux NFTables (requires root privileges)
+
+**NFTables Options:**
+When using `forwardingEngine: 'nftables'`, you can configure:
+```typescript
+interface INfTablesOptions {
+  protocol?: 'tcp' | 'udp' | 'all';
+  preserveSourceIP?: boolean;
+  maxRate?: string;              // Rate limiting (e.g., '100mbps')
+  priority?: number;             // QoS priority
+  tableName?: string;           // Custom NFTables table name
+  useIPSets?: boolean;          // Use IP sets for performance
+  useAdvancedNAT?: boolean;     // Use connection tracking
+}
+```
+
 **Redirect Action:**
 When `type: 'redirect'`, the client is redirected:
 ```typescript
@@ -459,6 +557,35 @@ Routes with higher priority values are matched first, allowing you to create spe
   priority: 100,
   tags: ['api', 'secure', 'internal']
 }
+
+// Example with NFTables forwarding engine
+{
+  match: {
+    ports: [80, 443],
+    domains: 'high-traffic.example.com'
+  },
+  action: {
+    type: 'forward',
+    target: {
+      host: 'backend-server',
+      port: 8080
+    },
+    forwardingEngine: 'nftables',  // Use kernel-level forwarding
+    nftables: {
+      protocol: 'tcp',
+      preserveSourceIP: true,
+      maxRate: '1gbps',
+      useIPSets: true
+    },
+    security: {
+      ipAllowList: ['10.0.0.*'],
+      blockedIps: ['malicious.ip.range.*']
+    }
+  },
+  name: 'High Performance NFTables Route',
+  description: 'Kernel-level forwarding for maximum performance',
+  priority: 150
+}
 ```
 
 ### Using Helper Functions
@@ -489,6 +616,8 @@ Available helper functions:
 - `createStaticFileRoute()` - Create a route for serving static files
 - `createApiRoute()` - Create an API route with path matching and CORS support
 - `createWebSocketRoute()` - Create a route for WebSocket connections
+- `createNfTablesRoute()` - Create a high-performance NFTables route
+- `createNfTablesTerminateRoute()` - Create an NFTables route with TLS termination
 - `createPortRange()` - Helper to create port range configurations
 - `createSecurityConfig()` - Helper to create security configuration objects
 - `createBlockRoute()` - Create a route to block specific traffic
@@ -589,18 +718,28 @@ Available helper functions:
    await proxy.removeListeningPort(8081);
    ```
 
+9. **High-Performance NFTables Routing**
+   ```typescript
+   // Use kernel-level packet forwarding for maximum performance
+   createNfTablesRoute('high-traffic.example.com', { host: 'backend', port: 8080 }, {
+     ports: 80,
+     preserveSourceIP: true,
+     maxRate: '1gbps'
+   })
+   ```
+
 ## Other Components
 
 While SmartProxy provides a unified API for most needs, you can also use individual components:
 
-### NetworkProxy
+### HttpProxy
 For HTTP/HTTPS reverse proxy with TLS termination and WebSocket support. Now with native route-based configuration support:
 
 ```typescript
-import { NetworkProxy } from '@push.rocks/smartproxy';
+import { HttpProxy } from '@push.rocks/smartproxy';
 import * as fs from 'fs';
 
-const proxy = new NetworkProxy({ port: 443 });
+const proxy = new HttpProxy({ port: 443 });
 await proxy.start();
 
 // Modern route-based configuration (recommended)
@@ -625,7 +764,7 @@ await proxy.updateRouteConfigs([
       },
       advanced: {
         headers: {
-          'X-Forwarded-By': 'NetworkProxy'
+          'X-Forwarded-By': 'HttpProxy'
         },
         urlRewrite: {
           pattern: '^/old/(.*)$',
@@ -694,16 +833,137 @@ const redirect = new SslRedirect(80);
 await redirect.start();
 ```
 
-## Migration to v16.0.0
+## NFTables Integration
 
-Version 16.0.0 completes the migration to a fully unified route-based configuration system with improved helper functions:
+SmartProxy v18.0.0 includes full integration with Linux NFTables for high-performance kernel-level packet forwarding. NFTables operates directly in the Linux kernel, providing much better performance than user-space proxying for high-traffic scenarios.
+
+### When to Use NFTables
+
+NFTables routing is ideal for:
+- High-traffic TCP/UDP forwarding where performance is critical
+- Port forwarding scenarios where you need minimal latency
+- Load balancing across multiple backend servers
+- Security filtering with IP allowlists/blocklists at kernel level
+
+### Requirements
+
+NFTables support requires:
+- Linux operating system with NFTables installed
+- Root or sudo permissions to configure NFTables rules
+- NFTables kernel modules loaded
+
+### NFTables Route Configuration
+
+Use the NFTables helper functions to create high-performance routes:
+
+```typescript
+import { SmartProxy, createNfTablesRoute, createNfTablesTerminateRoute } from '@push.rocks/smartproxy';
+
+const proxy = new SmartProxy({
+  routes: [
+    // Basic TCP forwarding with NFTables
+    createNfTablesRoute('tcp-forward', {
+      host: 'backend-server',
+      port: 8080
+    }, {
+      ports: 80,
+      protocol: 'tcp'
+    }),
+
+    // NFTables with IP filtering
+    createNfTablesRoute('secure-tcp', {
+      host: 'secure-backend',
+      port: 8443
+    }, {
+      ports: 443,
+      ipAllowList: ['10.0.0.*', '192.168.1.*'],
+      preserveSourceIP: true
+    }),
+
+    // NFTables with QoS (rate limiting)
+    createNfTablesRoute('limited-service', {
+      host: 'api-server',
+      port: 3000
+    }, {
+      ports: 8080,
+      maxRate: '50mbps',
+      priority: 1
+    }),
+
+    // NFTables TLS termination
+    createNfTablesTerminateRoute('https-nftables', {
+      host: 'backend',
+      port: 8080
+    }, {
+      ports: 443,
+      certificate: 'auto',
+      useAdvancedNAT: true
+    })
+  ]
+});
+
+await proxy.start();
+```
+
+### NFTables Route Options
+
+The NFTables integration supports these options:
+
+- `protocol`: 'tcp' | 'udp' | 'all' - Protocol to forward
+- `preserveSourceIP`: boolean - Preserve client IP for backend
+- `ipAllowList`: string[] - Allow only these IPs (glob patterns)
+- `ipBlockList`: string[] - Block these IPs (glob patterns)
+- `maxRate`: string - Rate limit (e.g., '100mbps', '1gbps')
+- `priority`: number - QoS priority level
+- `tableName`: string - Custom NFTables table name
+- `useIPSets`: boolean - Use IP sets for better performance
+- `useAdvancedNAT`: boolean - Enable connection tracking
+
+### NFTables Status Monitoring
+
+You can monitor the status of NFTables rules:
+
+```typescript
+// Get status of all NFTables rules
+const nftStatus = await proxy.getNfTablesStatus();
+
+// Status includes:
+// - active: boolean
+// - ruleCount: { total, added, removed }
+// - packetStats: { forwarded, dropped }
+// - lastUpdate: Date
+```
+
+### Performance Considerations
+
+NFTables provides significantly better performance than application-level proxying:
+- Operates at kernel level with minimal overhead
+- Can handle millions of packets per second
+- Direct packet forwarding without copying to userspace
+- Hardware offload support on compatible network cards
+
+### Limitations
+
+NFTables routing has some limitations:
+- Cannot modify HTTP headers or content
+- Limited to basic NAT and forwarding operations
+- Requires root permissions
+- Linux-only (not available on Windows/macOS)
+- No WebSocket message inspection
+
+For scenarios requiring application-level features (header manipulation, WebSocket handling, etc.), use the standard SmartProxy routes without NFTables.
+
+## Migration to v18.0.0
+
+Version 18.0.0 continues the evolution with NFTables integration while maintaining the unified route-based configuration system:
 
 ### Key Changes
 
-1. **Pure Route-Based API**: The configuration now exclusively uses the match/action pattern with no legacy interfaces
-2. **Improved Helper Functions**: Enhanced helper functions with cleaner parameter signatures
-3. **Removed Legacy Support**: Legacy domain-based APIs have been completely removed
-4. **More Route Pattern Helpers**: Additional helper functions for common routing patterns
+1. **NFTables Integration**: High-performance kernel-level packet forwarding for Linux systems
+2. **Pure Route-Based API**: The configuration now exclusively uses the match/action pattern with no legacy interfaces
+3. **Improved Helper Functions**: Enhanced helper functions with cleaner parameter signatures
+4. **Removed Legacy Support**: Legacy domain-based APIs have been completely removed
+5. **More Route Pattern Helpers**: Additional helper functions for common routing patterns including NFTables routes
 
 ### Migration Example
 
@@ -723,7 +983,7 @@ const proxy = new SmartProxy({
 });
 ```
 
-**Current Configuration (v16.0.0)**:
+**Current Configuration (v18.0.0)**:
 ```typescript
 import { SmartProxy, createHttpsTerminateRoute } from '@push.rocks/smartproxy';
 
@@ -776,7 +1036,7 @@ flowchart TB
         direction TB
         RouteConfig["Route Configuration<br>(Match/Action)"]
         RouteManager["Route Manager"]
-        HTTPS443["HTTPS Port 443<br>NetworkProxy"]
+        HTTPS443["HTTPS Port 443<br>HttpProxy"]
         SmartProxy["SmartProxy<br>(TCP/SNI Proxy)"]
         ACME["Port80Handler<br>(ACME HTTP-01)"]
         Certs[(SSL Certificates)]
@@ -1152,6 +1412,8 @@ createRedirectRoute({
 - `routes` (IRouteConfig[], required) - Array of route configurations
 - `defaults` (object) - Default settings for all routes
 - `acme` (IAcmeOptions) - ACME certificate options
+- `useHttpProxy` (number[], optional) - Array of ports to forward to HttpProxy (e.g. `[80, 443]`)
+- `httpProxyPort` (number, default 8443) - Port where HttpProxy listens for forwarded connections
 - Connection timeouts: `initialDataTimeout`, `socketTimeout`, `inactivityTimeout`, etc.
 - Socket opts: `noDelay`, `keepAlive`, `enableKeepAliveProbes`
 - `certProvisionFunction` (callback) - Custom certificate provisioning
@@ -1162,7 +1424,7 @@ createRedirectRoute({
 - `getListeningPorts()` - Get all ports currently being listened on
 - `async updateRoutes(routes: IRouteConfig[])` - Update routes and automatically adjust port listeners
 
-### NetworkProxy (INetworkProxyOptions)
+### HttpProxy (IHttpProxyOptions)
 - `port` (number, required) - Main port to listen on
 - `backendProtocol` ('http1'|'http2', default 'http1') - Protocol to use with backend servers
 - `maxConnections` (number, default 10000) - Maximum concurrent connections
@@ -1175,8 +1437,8 @@ createRedirectRoute({
 - `useExternalPort80Handler` (boolean) - Use external port 80 handler for ACME challenges
 - `portProxyIntegration` (boolean) - Integration with other proxies
 
-#### NetworkProxy Enhanced Features
-NetworkProxy now supports full route-based configuration including:
+#### HttpProxy Enhanced Features
+HttpProxy now supports full route-based configuration including:
 - Advanced request and response header manipulation
 - URL rewriting with RegExp pattern matching
 - Template variable resolution for dynamic values (e.g. `{domain}`, `{clientIp}`)
@@ -1204,6 +1466,12 @@ NetworkProxy now supports full route-based configuration including:
 - `useIPSets` (boolean, default true)
 - `qos`, `netProxyIntegration` (objects)
 
+## Documentation
+
+- [Certificate Management](docs/certificate-management.md) - Detailed guide on certificate provisioning and ACME integration
+- [Port Handling](docs/porthandling.md) - Dynamic port management and runtime configuration
+- [NFTables Integration](docs/nftables-integration.md) - High-performance kernel-level forwarding
+
 ## Troubleshooting
 
 ### SmartProxy
@@ -1212,12 +1480,41 @@ NetworkProxy now supports full route-based configuration including:
 - Use higher priority for block routes to ensure they take precedence
 - Enable `enableDetailedLogging` or `enableTlsDebugLogging` for debugging
 
+### ACME HTTP-01 Challenges
+- If ACME HTTP-01 challenges fail, ensure:
+  1. Port 80 (or configured ACME port) is included in `useHttpProxy` 
+  2. You're using SmartProxy v19.3.9+ for proper timing (ports must be listening before provisioning)
+- Since v19.3.8: Non-TLS connections on ports listed in `useHttpProxy` are properly forwarded to HttpProxy
+- Since v19.3.9: Certificate provisioning waits for ports to be ready before starting ACME challenges
+- Example configuration for ACME on port 80:
+  ```typescript
+  const proxy = new SmartProxy({
+    useHttpProxy: [80], // Ensure port 80 is forwarded to HttpProxy
+    httpProxyPort: 8443,
+    acme: {
+      email: 'ssl@example.com',
+      port: 80
+    },
+    routes: [/* your routes */]
+  });
+  ```
+- Common issues:
+  - "Connection refused" during challenges → Update to v19.3.9+ for timing fix
+  - HTTP requests not parsed → Ensure port is in `useHttpProxy` array
+
+### NFTables Integration
+- Ensure NFTables is installed: `apt install nftables` or `yum install nftables`
+- Verify root/sudo permissions for NFTables operations
+- Check NFTables service is running: `systemctl status nftables`
+- For debugging, check the NFTables rules: `nft list ruleset`
+- Monitor NFTables rule status: `await proxy.getNfTablesStatus()`
+
 ### TLS/Certificates
 - For certificate issues, check the ACME settings and domain validation
 - Ensure domains are publicly accessible for Let's Encrypt validation
 - For TLS handshake issues, increase `initialDataTimeout` and `maxPendingDataSize`
 
-### NetworkProxy
+### HttpProxy
 - Verify ports, certificates and `rejectUnauthorized` for TLS errors
 - Configure CORS for preflight issues
 - Increase `maxConnections` or `connectionPoolSize` under load

readme.plan.md

@@ -1,146 +1,289 @@
-# SmartProxy Interface Consolidation Plan
+# SmartProxy Development Plan
 
-## Overview
+## Implementation Plan: Socket Handler Function Support (Simplified)
 
-This document outlines a plan to consolidate duplicate and inconsistent interfaces in the SmartProxy codebase, specifically the `IRouteSecurity` interface which is defined twice with different properties. This inconsistency caused issues with security checks for port forwarding. The goal is to unify these interfaces, use consistent property naming, and improve code maintainability.
+### Overview
+Add support for custom socket handler functions with the simplest possible API - just pass a function that receives the socket.
 
-## Problem Description
+### User Experience Goal
+```typescript
+const proxy = new SmartProxy({
+  routes: [{
+    name: 'my-custom-protocol',
+    match: { ports: 9000, domains: 'custom.example.com' },
+    action: {
+      type: 'socket-handler',
+      socketHandler: (socket) => {
+        // User has full control of the socket
+        socket.write('Welcome!\n');
+        socket.on('data', (data) => {
+          socket.write(`Echo: ${data}`);
+        });
+      }
+    }
+  }]
+});
+```
 
-We currently have two separate `IRouteSecurity` interfaces defined in `ts/proxies/smart-proxy/models/route-types.ts`:
+That's it. Simple and powerful.
 
-1. **First definition** (lines 116-122) - Used in IRouteAction:
-   ```typescript
-   export interface IRouteSecurity {
-     allowedIps?: string[];
-     blockedIps?: string[];
-     maxConnections?: number;
-     authentication?: IRouteAuthentication;
-   }
-   ```
+---
 
-2. **Second definition** (lines 253-272) - Used directly in IRouteConfig:
-   ```typescript
-   export interface IRouteSecurity {
-     rateLimit?: IRouteRateLimit;
-     basicAuth?: {...};
-     jwtAuth?: {...};
-     ipAllowList?: string[];
-     ipBlockList?: string[];
-   }
-   ```
+## Phase 1: Minimal Type Changes
 
-This duplication with inconsistent naming (`allowedIps` vs `ipAllowList` and `blockedIps` vs `ipBlockList`) caused routing issues when IP security checks were used, as we had to implement a workaround to check both property names.
+### 1.1 Add Socket Handler Action Type
+**File:** `ts/proxies/smart-proxy/models/route-types.ts`
 
-## Implementation Plan
+```typescript
+// Update action type
+export type TRouteActionType = 'forward' | 'redirect' | 'block' | 'static' | 'socket-handler';
 
-### Phase 1: Interface Consolidation
+// Add simple socket handler type
+export type TSocketHandler = (socket: net.Socket) => void | Promise<void>;
 
-1. **Create a unified interface definition:**
-   - Create one comprehensive `IRouteSecurity` interface that includes all properties
-   - Use consistent property naming (standardize on `ipAllowList` and `ipBlockList`)
-   - Add proper documentation for each property
-   - Remove the duplicate interface definition
-   
-2. **Update references to use the unified interface:**
-   - Update all code that references the old interface properties
-   - Update all configurations to use the new property names
-   - Ensure implementation in `route-manager.ts` uses the correct property names
+// Extend IRouteAction
+export interface IRouteAction {
+  // ... existing properties
+  
+  // Socket handler function (when type is 'socket-handler')
+  socketHandler?: TSocketHandler;
+}
+```
 
-### Phase 2: Code and Documentation Updates
+---
 
-1. **Update type usages and documentation:**
-   - Update all code that creates or uses security configurations
-   - Update documentation to reflect the new interface structure
-   - Add examples of the correct property usage
-   - Document the breaking change in changelog.md
+## Phase 2: Simple Implementation
 
-2. **Add tests:**
-   - Update existing tests to use the new property names
-   - Add test cases for all security configuration scenarios
-   - Verify that port range configurations with security settings work correctly
+### 2.1 Update Route Connection Handler
+**File:** `ts/proxies/smart-proxy/route-connection-handler.ts`
+
+In the `handleConnection` method, add handling for socket-handler:
+
+```typescript
+// After route matching...
+if (matchedRoute) {
+  const action = matchedRoute.action;
+  
+  if (action.type === 'socket-handler') {
+    if (!action.socketHandler) {
+      logger.error('socket-handler action missing socketHandler function');
+      socket.destroy();
+      return;
+    }
+    
+    try {
+      // Simply call the handler with the socket
+      const result = action.socketHandler(socket);
+      
+      // If it returns a promise, handle errors
+      if (result instanceof Promise) {
+        result.catch(error => {
+          logger.error('Socket handler error:', error);
+          if (!socket.destroyed) {
+            socket.destroy();
+          }
+        });
+      }
+    } catch (error) {
+      logger.error('Socket handler error:', error);
+      if (!socket.destroyed) {
+        socket.destroy();
+      }
+    }
+    
+    return; // Done - user has control now
+  }
+  
+  // ... rest of existing action handling
+}
+```
+
+---
+
+## Phase 3: Optional Context (If Needed)
+
+If users need more info, we can optionally pass a minimal context as a second parameter:
+
+```typescript
+export type TSocketHandler = (
+  socket: net.Socket, 
+  context?: {
+    route: IRouteConfig;
+    clientIp: string;
+    localPort: number;
+  }
+) => void | Promise<void>;
+```
+
+Usage:
+```typescript
+socketHandler: (socket, context) => {
+  console.log(`Connection from ${context.clientIp} to port ${context.localPort}`);
+  // Handle socket...
+}
+```
+
+---
+
+## Phase 4: Helper Utilities (Optional)
+
+### 4.1 Common Patterns
+**File:** `ts/proxies/smart-proxy/utils/route-helpers.ts`
+
+```typescript
+// Simple helper to create socket handler routes
+export function createSocketHandlerRoute(
+  domains: string | string[],
+  ports: TPortRange,
+  handler: TSocketHandler,
+  options?: { name?: string; priority?: number }
+): IRouteConfig {
+  return {
+    name: options?.name || 'socket-handler-route',
+    priority: options?.priority || 50,
+    match: { domains, ports },
+    action: {
+      type: 'socket-handler',
+      socketHandler: handler
+    }
+  };
+}
+
+// Pre-built handlers for common cases
+export const SocketHandlers = {
+  // Simple echo server
+  echo: (socket: net.Socket) => {
+    socket.on('data', data => socket.write(data));
+  },
+  
+  // TCP proxy
+  proxy: (targetHost: string, targetPort: number) => (socket: net.Socket) => {
+    const target = net.connect(targetPort, targetHost);
+    socket.pipe(target);
+    target.pipe(socket);
+    socket.on('close', () => target.destroy());
+    target.on('close', () => socket.destroy());
+  },
+  
+  // Line-based protocol
+  lineProtocol: (handler: (line: string, socket: net.Socket) => void) => (socket: net.Socket) => {
+    let buffer = '';
+    socket.on('data', (data) => {
+      buffer += data.toString();
+      const lines = buffer.split('\n');
+      buffer = lines.pop() || '';
+      lines.forEach(line => handler(line, socket));
+    });
+  }
+};
+```
+
+---
+
+## Usage Examples
+
+### Example 1: Custom Protocol
+```typescript
+{
+  name: 'custom-protocol',
+  match: { ports: 9000 },
+  action: {
+    type: 'socket-handler',
+    socketHandler: (socket) => {
+      socket.write('READY\n');
+      socket.on('data', (data) => {
+        const cmd = data.toString().trim();
+        if (cmd === 'PING') socket.write('PONG\n');
+        else if (cmd === 'QUIT') socket.end();
+        else socket.write('ERROR: Unknown command\n');
+      });
+    }
+  }
+}
+```
+
+### Example 2: Simple TCP Proxy
+```typescript
+{
+  name: 'tcp-proxy',
+  match: { ports: 8080, domains: 'proxy.example.com' },
+  action: {
+    type: 'socket-handler',
+    socketHandler: SocketHandlers.proxy('backend.local', 3000)
+  }
+}
+```
+
+### Example 3: WebSocket with Custom Auth
+```typescript
+{
+  name: 'custom-websocket',
+  match: { ports: [80, 443], path: '/ws' },
+  action: {
+    type: 'socket-handler',
+    socketHandler: async (socket) => {
+      // Read HTTP headers
+      const headers = await readHttpHeaders(socket);
+      
+      // Custom auth check
+      if (!headers.authorization || !validateToken(headers.authorization)) {
+        socket.write('HTTP/1.1 401 Unauthorized\r\n\r\n');
+        socket.end();
+        return;
+      }
+      
+      // Proceed with WebSocket upgrade
+      const ws = new WebSocket(socket, headers);
+      // ... handle WebSocket
+    }
+  }
+}
+```
+
+---
+
+## Benefits of This Approach
+
+1. **Dead Simple API**: Just pass a function that gets the socket
+2. **No New Classes**: No ForwardingHandler subclass needed
+3. **Minimal Changes**: Only touches type definitions and one handler method
+4. **Full Power**: Users have complete control over the socket
+5. **Backward Compatible**: No changes to existing functionality
+6. **Easy to Test**: Just test the socket handler functions directly
+
+---
 
 ## Implementation Steps
 
-```typescript
-// Step 1: Define the unified interface
-export interface IRouteSecurity {
-  // Access control lists
-  ipAllowList?: string[];        // IP addresses that are allowed to connect
-  ipBlockList?: string[];        // IP addresses that are blocked from connecting
-  
-  // Connection limits
-  maxConnections?: number;       // Maximum concurrent connections
-  
-  // Authentication
-  authentication?: IRouteAuthentication;
-  
-  // Rate limiting
-  rateLimit?: IRouteRateLimit;
-  
-  // Authentication methods
-  basicAuth?: {
-    enabled: boolean;
-    users: Array<{ username: string; password: string }>;
-    realm?: string;
-    excludePaths?: string[];
-  };
-  
-  jwtAuth?: {
-    enabled: boolean;
-    secret: string;
-    algorithm?: string;
-    issuer?: string;
-    audience?: string;
-    expiresIn?: number;
-    excludePaths?: string[];
-  };
-}
-```
+1. Add `'socket-handler'` to `TRouteActionType` (5 minutes)
+2. Add `socketHandler?: TSocketHandler` to `IRouteAction` (5 minutes)
+3. Add socket-handler case in `RouteConnectionHandler.handleConnection()` (15 minutes)
+4. Add helper functions (optional, 30 minutes)
+5. Write tests (2 hours)
+6. Update documentation (1 hour)
 
-Update `isClientIpAllowed` method to use only the new property names:
+**Total implementation time: ~4 hours** (vs 6 weeks for the complex version)
 
-```typescript
-private isClientIpAllowed(route: IRouteConfig, clientIp: string): boolean {
-  const security = route.action.security;
-  
-  if (!security) {
-    return true; // No security settings means allowed
-  }
-  
-  // Check blocked IPs first
-  if (security.ipBlockList && security.ipBlockList.length > 0) {
-    for (const pattern of security.ipBlockList) {
-      if (this.matchIpPattern(pattern, clientIp)) {
-        return false; // IP is blocked
-      }
-    }
-  }
-  
-  // If there are allowed IPs, check them
-  if (security.ipAllowList && security.ipAllowList.length > 0) {
-    for (const pattern of security.ipAllowList) {
-      if (this.matchIpPattern(pattern, clientIp)) {
-        return true; // IP is allowed
-      }
-    }
-    return false; // IP not in allowed list
-  }
-  
-  // No allowed IPs specified, so IP is allowed
-  return true;
-}
-```
+---
 
-## Expected Benefits
+## What We're NOT Doing
 
-- **Improved Consistency**: Single, unified interface with consistent property naming
-- **Better Type Safety**: Eliminating confusing duplicate interface definitions
-- **Reduced Errors**: Prevent misunderstandings about which property names to use
-- **Forward Compatibility**: Clearer path for future security enhancements
-- **Better Developer Experience**: Simplified interface with comprehensive documentation
+- ❌ Creating new ForwardingHandler classes
+- ❌ Complex context objects with utils
+- ❌ HTTP request handling for socket handlers
+- ❌ Complex protocol detection mechanisms
+- ❌ Middleware patterns
+- ❌ Lifecycle hooks
 
-## Testing Plan
+Keep it simple. The user just wants to handle a socket.
 
-1. Test with existing configurations using both old and new property names
-2. Create specific test cases for port ranges with different security configurations
-3. Verify that port forwarding with IP allow lists works correctly with the unified interface
+---
+
+## Success Criteria
+
+- ✅ Users can define a route with `type: 'socket-handler'`
+- ✅ Users can provide a function that receives the socket
+- ✅ The function is called when a connection matches the route
+- ✅ Error handling prevents crashes
+- ✅ No performance impact on existing routes
+- ✅ Clean, simple API that's easy to understand

test/core/utils/test.event-system.ts

@@ -1,4 +1,4 @@
-import { expect, tap } from '@push.rocks/tapbundle';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
 import {
   EventSystem,
   ProxyEvents,

test/core/utils/test.ip-utils.ts

@@ -1,4 +1,4 @@
-import { expect, tap } from '@push.rocks/tapbundle';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
 import { IpUtils } from '../../../ts/core/utils/ip-utils.js';
 
 tap.test('ip-utils - normalizeIP', async () => {

test/core/utils/test.route-utils.ts

@@ -1,4 +1,4 @@
-import { expect, tap } from '@push.rocks/tapbundle';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
 import * as routeUtils from '../../../ts/core/utils/route-utils.js';
 
 // Test domain matching

test/core/utils/test.shared-security-manager.ts

@@ -1,22 +1,20 @@
-import { expect } from '@push.rocks/tapbundle';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
 import { SharedSecurityManager } from '../../../ts/core/utils/shared-security-manager.js';
 import type { IRouteConfig, IRouteContext } from '../../../ts/proxies/smart-proxy/models/route-types.js';
 
 // Test security manager
-expect.describe('Shared Security Manager', async () => {
+tap.test('Shared Security Manager', async () => {
   let securityManager: SharedSecurityManager;
 
-  // Set up a new security manager before each test
-  expect.beforeEach(() => {
-    securityManager = new SharedSecurityManager({
-      maxConnectionsPerIP: 5,
-      connectionRateLimitPerMinute: 10
-    });
+  // Set up a new security manager for each test
+  securityManager = new SharedSecurityManager({
+    maxConnectionsPerIP: 5,
+    connectionRateLimitPerMinute: 10
   });
 
-  expect.it('should validate IPs correctly', async () => {
+  tap.test('should validate IPs correctly', async () => {
     // Should allow IPs under connection limit
-    expect(securityManager.validateIP('192.168.1.1').allowed).to.be.true;
+    expect(securityManager.validateIP('192.168.1.1').allowed).toBeTrue();
     
     // Track multiple connections
     for (let i = 0; i < 4; i++) {
@@ -24,114 +22,137 @@ expect.describe('Shared Security Manager', async () => {
     }
     
     // Should still allow IPs under connection limit
-    expect(securityManager.validateIP('192.168.1.1').allowed).to.be.true;
+    expect(securityManager.validateIP('192.168.1.1').allowed).toBeTrue();
     
     // Add one more to reach the limit
     securityManager.trackConnectionByIP('192.168.1.1', 'conn_4');
     
     // Should now block IPs over connection limit
-    expect(securityManager.validateIP('192.168.1.1').allowed).to.be.false;
+    expect(securityManager.validateIP('192.168.1.1').allowed).toBeFalse();
     
     // Remove a connection
     securityManager.removeConnectionByIP('192.168.1.1', 'conn_0');
     
     // Should allow again after connection is removed
-    expect(securityManager.validateIP('192.168.1.1').allowed).to.be.true;
+    expect(securityManager.validateIP('192.168.1.1').allowed).toBeTrue();
   });
   
-  expect.it('should authorize IPs based on allow/block lists', async () => {
+  tap.test('should authorize IPs based on allow/block lists', async () => {
     // Test with allow list only
-    expect(securityManager.isIPAuthorized('192.168.1.1', ['192.168.1.*'])).to.be.true;
-    expect(securityManager.isIPAuthorized('192.168.2.1', ['192.168.1.*'])).to.be.false;
+    expect(securityManager.isIPAuthorized('192.168.1.1', ['192.168.1.*'])).toBeTrue();
+    expect(securityManager.isIPAuthorized('192.168.2.1', ['192.168.1.*'])).toBeFalse();
     
     // Test with block list
-    expect(securityManager.isIPAuthorized('192.168.1.5', ['*'], ['192.168.1.5'])).to.be.false;
-    expect(securityManager.isIPAuthorized('192.168.1.1', ['*'], ['192.168.1.5'])).to.be.true;
+    expect(securityManager.isIPAuthorized('192.168.1.5', ['*'], ['192.168.1.5'])).toBeFalse();
+    expect(securityManager.isIPAuthorized('192.168.1.1', ['*'], ['192.168.1.5'])).toBeTrue();
     
     // Test with both allow and block lists
-    expect(securityManager.isIPAuthorized('192.168.1.1', ['192.168.1.*'], ['192.168.1.5'])).to.be.true;
-    expect(securityManager.isIPAuthorized('192.168.1.5', ['192.168.1.*'], ['192.168.1.5'])).to.be.false;
+    expect(securityManager.isIPAuthorized('192.168.1.1', ['192.168.1.*'], ['192.168.1.5'])).toBeTrue();
+    expect(securityManager.isIPAuthorized('192.168.1.5', ['192.168.1.*'], ['192.168.1.5'])).toBeFalse();
   });
-  
-  expect.it('should validate route access', async () => {
-    // Create test route with IP restrictions
+
+  tap.test('should validate route access', async () => {
     const route: IRouteConfig = {
-      match: { ports: 443 },
-      action: { type: 'forward', target: { host: 'localhost', port: 8080 } },
+      match: {
+        ports: [8080]
+      },
+      action: {
+        type: 'forward',
+        target: { host: 'target.com', port: 443 }
+      },
       security: {
-        ipAllowList: ['192.168.1.*'],
-        ipBlockList: ['192.168.1.5']
+        ipAllowList: ['10.0.0.*', '192.168.1.*'],
+        ipBlockList: ['192.168.1.100'],
+        maxConnections: 3
       }
     };
-    
-    // Create test contexts
+
     const allowedContext: IRouteContext = {
-      port: 443,
       clientIp: '192.168.1.1',
-      serverIp: 'localhost',
-      isTls: true,
+      port: 8080,
+      serverIp: '127.0.0.1',
+      isTls: false,
       timestamp: Date.now(),
       connectionId: 'test_conn_1'
     };
-    
-    const blockedContext: IRouteContext = {
-      port: 443,
-      clientIp: '192.168.1.5',
-      serverIp: 'localhost',
-      isTls: true,
-      timestamp: Date.now(),
-      connectionId: 'test_conn_2'
+
+    const blockedByIPContext: IRouteContext = {
+      ...allowedContext,
+      clientIp: '192.168.1.100'
     };
-    
-    const outsideContext: IRouteContext = {
-      port: 443,
-      clientIp: '192.168.2.1',
-      serverIp: 'localhost',
-      isTls: true,
-      timestamp: Date.now(),
-      connectionId: 'test_conn_3'
+
+    const blockedByRangeContext: IRouteContext = {
+      ...allowedContext,
+      clientIp: '172.16.0.1'
     };
+
+    const blockedByMaxConnectionsContext: IRouteContext = {
+      ...allowedContext,
+      connectionId: 'test_conn_4'
+    };
+
+    expect(securityManager.isAllowed(route, allowedContext)).toBeTrue();
+    expect(securityManager.isAllowed(route, blockedByIPContext)).toBeFalse();
+    expect(securityManager.isAllowed(route, blockedByRangeContext)).toBeFalse();
     
-    // Test route access
-    expect(securityManager.isAllowed(route, allowedContext)).to.be.true;
-    expect(securityManager.isAllowed(route, blockedContext)).to.be.false;
-    expect(securityManager.isAllowed(route, outsideContext)).to.be.false;
+    // Test max connections for route - assuming implementation has been updated
+    if ((securityManager as any).trackConnectionByRoute) {
+      (securityManager as any).trackConnectionByRoute(route, 'conn_1');
+      (securityManager as any).trackConnectionByRoute(route, 'conn_2');
+      (securityManager as any).trackConnectionByRoute(route, 'conn_3');
+      
+      // Should now block due to max connections
+      expect(securityManager.isAllowed(route, blockedByMaxConnectionsContext)).toBeFalse();
+    }
   });
-  
-  expect.it('should validate basic auth', async () => {
-    // Create test route with basic auth
+
+  tap.test('should clean up expired entries', async () => {
     const route: IRouteConfig = {
-      match: { ports: 443 },
-      action: { type: 'forward', target: { host: 'localhost', port: 8080 } },
+      match: {
+        ports: [8080]
+      },
+      action: {
+        type: 'forward',
+        target: { host: 'target.com', port: 443 }
+      },
       security: {
-        basicAuth: {
+        rateLimit: {
           enabled: true,
-          users: [
-            { username: 'user1', password: 'pass1' },
-            { username: 'user2', password: 'pass2' }
-          ],
-          realm: 'Test Realm'
+          maxRequests: 5,
+          window: 60 // 60 seconds
         }
       }
     };
-    
-    // Test valid credentials
-    const validAuth = 'Basic ' + Buffer.from('user1:pass1').toString('base64');
-    expect(securityManager.validateBasicAuth(route, validAuth)).to.be.true;
-    
-    // Test invalid credentials
-    const invalidAuth = 'Basic ' + Buffer.from('user1:wrongpass').toString('base64');
-    expect(securityManager.validateBasicAuth(route, invalidAuth)).to.be.false;
-    
-    // Test missing auth header
-    expect(securityManager.validateBasicAuth(route)).to.be.false;
-    
-    // Test malformed auth header
-    expect(securityManager.validateBasicAuth(route, 'malformed')).to.be.false;
+
+    const context: IRouteContext = {
+      clientIp: '192.168.1.1',
+      port: 8080,
+      serverIp: '127.0.0.1',
+      isTls: false,
+      timestamp: Date.now(),
+      connectionId: 'test_conn_1'
+    };
+
+    // Test rate limiting if method exists
+    if ((securityManager as any).checkRateLimit) {
+      // Add 5 attempts (max allowed)
+      for (let i = 0; i < 5; i++) {
+        expect((securityManager as any).checkRateLimit(route, context)).toBeTrue();
+      }
+
+      // Should now be blocked
+      expect((securityManager as any).checkRateLimit(route, context)).toBeFalse();
+
+      // Force cleanup (normally runs periodically)
+      if ((securityManager as any).cleanup) {
+        (securityManager as any).cleanup();
+      }
+
+      // Should still be blocked since entries are not expired yet
+      expect((securityManager as any).checkRateLimit(route, context)).toBeFalse();
+    }
   });
-  
-  // Clean up resources after tests
-  expect.afterEach(() => {
-    securityManager.clearIPTracking();
-  });
-});
+});
+
+// Export test runner
+export default tap.start();

test/core/utils/test.validation-utils.ts

@@ -1,4 +1,4 @@
-import { expect, tap } from '@push.rocks/tapbundle';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
 import { ValidationUtils } from '../../../ts/core/utils/validation-utils.js';
 import type { IDomainOptions, IAcmeOptions } from '../../../ts/core/models/common-types.js';
 

test/helpers/test-cert.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDizCCAnOgAwIBAgIUAzpwtk6k5v/7LfY1KR7PreezvsswDQYJKoZIhvcNAQEL
+BQAwVTELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFRlc3QxDTALBgNVBAcMBFRlc3Qx
+DTALBgNVBAoMBFRlc3QxGTAXBgNVBAMMEHRlc3QuZXhhbXBsZS5jb20wHhcNMjUw
+NTE5MTc1MDM0WhcNMjYwNTE5MTc1MDM0WjBVMQswCQYDVQQGEwJVUzENMAsGA1UE
+CAwEVGVzdDENMAsGA1UEBwwEVGVzdDENMAsGA1UECgwEVGVzdDEZMBcGA1UEAwwQ
+dGVzdC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AK9FivUNjXz5q+snqKLCno0i3cYzJ+LTzSf+x+a/G7CA/rtigIvSYEqWC4+/MXPM
+ifpU/iIRtj7RzoPKH44uJie7mS5kKSHsMnh/qixaxxJph+tVYdNGi9hNvL12T/5n
+ihXkpMAK8MV6z3Y+ObiaKbCe4w19sLu2IIpff0U0mo6rTKOQwAfGa/N1dtzFaogP
+f/iO5kcksWUPqZowM3lwXXgy8vg5ZeU7IZk9fRTBfrEJAr9TCQ8ivdluxq59Ax86
+0AMmlbeu/dUMBcujLiTVjzqD3jz/Hr+iHq2y48NiF3j5oE/1qsD04d+QDWAygdmd
+bQOy0w/W1X0ppnuPhLILQzcCAwEAAaNTMFEwHQYDVR0OBBYEFID88wvDJXrQyTsx
+s+zl/wwx5BCMMB8GA1UdIwQYMBaAFID88wvDJXrQyTsxs+zl/wwx5BCMMA8GA1Ud
+EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAIRp9bUxAip5s0dx700PPVAd
+mrS7kDCZ+KFD6UgF/F3ykshh33MfYNLghJCfhcWvUHQgiPKohWcZq1g4oMuDZPFW
+EHTr2wkX9j6A3KNjgFT5OVkLdjNPYdxMbTvmKbsJPc82C9AFN/Xz97XlZvmE4mKc
+JCKqTz9hK3JpoayEUrf9g4TJcVwNnl/UnMp2sZX3aId4wD2+jSb40H/5UPFO2stv
+SvCSdMcq0ZOQ/g/P56xOKV/5RAdIYV+0/3LWNGU/dH0nUfJO9K31e3eR+QZ1Iyn3
+iGPcaSKPDptVx+2hxcvhFuRgRjfJ0mu6/hnK5wvhrXrSm43FBgvmlo4MaX0HVss=
+-----END CERTIFICATE-----

test/helpers/test-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCvRYr1DY18+avr
+J6iiwp6NIt3GMyfi080n/sfmvxuwgP67YoCL0mBKlguPvzFzzIn6VP4iEbY+0c6D
+yh+OLiYnu5kuZCkh7DJ4f6osWscSaYfrVWHTRovYTby9dk/+Z4oV5KTACvDFes92
+Pjm4mimwnuMNfbC7tiCKX39FNJqOq0yjkMAHxmvzdXbcxWqID3/4juZHJLFlD6ma
+MDN5cF14MvL4OWXlOyGZPX0UwX6xCQK/UwkPIr3ZbsaufQMfOtADJpW3rv3VDAXL
+oy4k1Y86g948/x6/oh6tsuPDYhd4+aBP9arA9OHfkA1gMoHZnW0DstMP1tV9KaZ7
+j4SyC0M3AgMBAAECggEAKfW6ng74C+7TtxDAAPMZtQ0fTcdKabWt/EC1B6tBzEAd
+e6vJvW+IaOLB8tBhXOkfMSRu0KYv3Jsq1wcpBcdLkCCLu/zzkfDzZkCd809qMCC+
+jtraeBOAADEgGbV80hlkh/g8btNPr99GUnb0J5sUlvl6vuyTxmSEJsxU8jL1O2km
+YgK34fS5NS73h138P3UQAGC0dGK8Rt61EsFIKWTyH/r8tlz9nQrYcDG3LwTbFQQf
+bsRLAjolxTRV6t1CzcjsSGtrAqm/4QNypP5McCyOXAqajb3pNGaJyGg1nAEOZclK
+oagU7PPwaFmSquwo7Y1Uov72XuLJLVryBl0fOCen7QKBgQDieqvaL9gHsfaZKNoY
++0Cnul/Dw0kjuqJIKhar/mfLY7NwYmFSgH17r26g+X7mzuzaN0rnEhjh7L3j6xQJ
+qhs9zL+/OIa581Ptvb8H/42O+mxnqx7Z8s5JwH0+f5EriNkU3euoAe/W9x4DqJiE
+2VyvlM1gngxI+vFo+iewmg+vOwKBgQDGHiPKxXWD50tXvvDdRTjH+/4GQuXhEQjl
+Po59AJ/PLc/AkQkVSzr8Fspf7MHN6vufr3tS45tBuf5Qf2Y9GPBRKR3e+M1CJdoi
+1RXy0nMsnR0KujxgiIe6WQFumcT81AsIVXtDYk11Sa057tYPeeOmgtmUMJZb6lek
+wqUxrFw0NQKBgQCs/p7+jsUpO5rt6vKNWn5MoGQ+GJFppUoIbX3b6vxFs+aA1eUZ
+K+St8ZdDhtCUZUMufEXOs1gmWrvBuPMZXsJoNlnRKtBegat+Ug31ghMTP95GYcOz
+H3DLjSkd8DtnUaTf95PmRXR6c1CN4t59u7q8s6EdSByCMozsbwiaMVQBuQKBgQCY
+QxG/BYMLnPeKuHTlmg3JpSHWLhP+pdjwVuOrro8j61F/7ffNJcRvehSPJKbOW4qH
+b5aYXdU07n1F4KPy0PfhaHhMpWsbK3w6yQnVVWivIRDw7bD5f/TQgxdWqVd7+HuC
+LDBP2X0uZzF7FNPvkP4lOut9uNnWSoSRXAcZ5h33AQKBgQDWJYKGNoA8/IT9+e8n
+v1Fy0RNL/SmBfGZW9pFGFT2pcu6TrzVSugQeWY/YFO2X6FqLPbL4p72Ar4rF0Uxl
+31aYIjy3jDGzMabdIuW7mBogvtNjBG+0UgcLQzbdG6JkvTkQgqUjwIn/+Jo+0sS5
+dEylNM0zC6zx1f1U1dGGZaNcLg==
+-----END PRIVATE KEY-----

test/test.acme-http-challenge.ts

@@ -0,0 +1,129 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import * as plugins from '../ts/plugins.js';
+import { SmartProxy } from '../ts/index.js';
+
+tap.test('should handle HTTP requests on port 80 for ACME challenges', async (tools) => {
+  tools.timeout(10000);
+  
+  // Track HTTP requests that are handled
+  const handledRequests: any[] = [];
+  
+  const settings = {
+    routes: [
+      {
+        name: 'acme-test-route',
+        match: {
+          ports: [18080],  // Use high port to avoid permission issues
+          path: '/.well-known/acme-challenge/*'
+        },
+        action: {
+          type: 'static' as const,
+          handler: async (context) => {
+            handledRequests.push({
+              path: context.path,
+              method: context.method,
+              headers: context.headers
+            });
+            
+            // Simulate ACME challenge response
+            const token = context.path?.split('/').pop() || '';
+            return {
+              status: 200,
+              headers: { 'Content-Type': 'text/plain' },
+              body: `challenge-response-for-${token}`
+            };
+          }
+        }
+      }
+    ]
+  };
+  
+  const proxy = new SmartProxy(settings);
+  
+  // Mock NFTables manager
+  (proxy as any).nftablesManager = {
+    ensureNFTablesSetup: async () => {},
+    stop: async () => {}
+  };
+  
+  await proxy.start();
+  
+  // Make an HTTP request to the challenge endpoint
+  const response = await fetch('http://localhost:18080/.well-known/acme-challenge/test-token', {
+    method: 'GET'
+  });
+  
+  // Verify response
+  expect(response.status).toEqual(200);
+  const body = await response.text();
+  expect(body).toEqual('challenge-response-for-test-token');
+  
+  // Verify request was handled
+  expect(handledRequests.length).toEqual(1);
+  expect(handledRequests[0].path).toEqual('/.well-known/acme-challenge/test-token');
+  expect(handledRequests[0].method).toEqual('GET');
+  
+  await proxy.stop();
+});
+
+tap.test('should parse HTTP headers correctly', async (tools) => {
+  tools.timeout(10000);
+  
+  const capturedContext: any = {};
+  
+  const settings = {
+    routes: [
+      {
+        name: 'header-test-route',
+        match: {
+          ports: [18081]
+        },
+        action: {
+          type: 'static' as const,
+          handler: async (context) => {
+            Object.assign(capturedContext, context);
+            return {
+              status: 200,
+              headers: { 'Content-Type': 'application/json' },
+              body: JSON.stringify({
+                received: context.headers
+              })
+            };
+          }
+        }
+      }
+    ]
+  };
+  
+  const proxy = new SmartProxy(settings);
+  
+  // Mock NFTables manager
+  (proxy as any).nftablesManager = {
+    ensureNFTablesSetup: async () => {},
+    stop: async () => {}
+  };
+  
+  await proxy.start();
+  
+  // Make request with custom headers
+  const response = await fetch('http://localhost:18081/test', {
+    method: 'POST',
+    headers: {
+      'X-Custom-Header': 'test-value',
+      'User-Agent': 'test-agent'
+    }
+  });
+  
+  expect(response.status).toEqual(200);
+  const body = await response.json();
+  
+  // Verify headers were parsed correctly
+  expect(capturedContext.headers['x-custom-header']).toEqual('test-value');
+  expect(capturedContext.headers['user-agent']).toEqual('test-agent');
+  expect(capturedContext.method).toEqual('POST');
+  expect(capturedContext.path).toEqual('/test');
+  
+  await proxy.stop();
+});
+
+tap.start();

test/test.acme-http01-challenge.ts

@@ -0,0 +1,174 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { SmartProxy } from '../ts/index.js';
+import * as net from 'net';
+
+// Test that HTTP-01 challenges are properly processed when the initial data arrives
+tap.test('should correctly handle HTTP-01 challenge requests with initial data chunk', async (tapTest) => {
+  // Prepare test data
+  const challengeToken = 'test-acme-http01-challenge-token';
+  const challengeResponse = 'mock-response-for-challenge';
+  const challengePath = `/.well-known/acme-challenge/${challengeToken}`;
+  
+  // Create a handler function that responds to ACME challenges
+  const acmeHandler = async (context: any) => {
+    // Log request details for debugging
+    console.log(`Received request: ${context.method} ${context.path}`);
+    
+    // Check if this is an ACME challenge request
+    if (context.path.startsWith('/.well-known/acme-challenge/')) {
+      const token = context.path.substring('/.well-known/acme-challenge/'.length);
+      
+      // If the token matches our test token, return the response
+      if (token === challengeToken) {
+        return {
+          status: 200,
+          headers: {
+            'Content-Type': 'text/plain'
+          },
+          body: challengeResponse
+        };
+      }
+    }
+    
+    // For any other requests, return 404
+    return {
+      status: 404,
+      headers: {
+        'Content-Type': 'text/plain'
+      },
+      body: 'Not found'
+    };
+  };
+  
+  // Create a proxy with the ACME challenge route
+  const proxy = new SmartProxy({
+    routes: [{
+      name: 'acme-challenge-route',
+      match: {
+        ports: 8080,
+        path: '/.well-known/acme-challenge/*'
+      },
+      action: {
+        type: 'static',
+        handler: acmeHandler
+      }
+    }]
+  });
+  
+  await proxy.start();
+  
+  // Create a client to test the HTTP-01 challenge
+  const testClient = new net.Socket();
+  let responseData = '';
+  
+  // Set up client handlers
+  testClient.on('data', (data) => {
+    responseData += data.toString();
+  });
+  
+  // Connect to the proxy and send the HTTP-01 challenge request
+  await new Promise<void>((resolve, reject) => {
+    testClient.connect(8080, 'localhost', () => {
+      // Send HTTP request for the challenge token
+      testClient.write(
+        `GET ${challengePath} HTTP/1.1\r\n` +
+        'Host: test.example.com\r\n' +
+        'User-Agent: ACME Challenge Test\r\n' +
+        'Accept: */*\r\n' +
+        '\r\n'
+      );
+      resolve();
+    });
+    
+    testClient.on('error', reject);
+  });
+  
+  // Wait for the response
+  await new Promise(resolve => setTimeout(resolve, 100));
+  
+  // Verify that we received a valid HTTP response with the challenge token
+  expect(responseData).toContain('HTTP/1.1 200');
+  expect(responseData).toContain('Content-Type: text/plain');
+  expect(responseData).toContain(challengeResponse);
+  
+  // Cleanup
+  testClient.destroy();
+  await proxy.stop();
+});
+
+// Test that non-existent challenge tokens return 404
+tap.test('should return 404 for non-existent challenge tokens', async (tapTest) => {
+  // Create a handler function that behaves like a real ACME handler
+  const acmeHandler = async (context: any) => {
+    if (context.path.startsWith('/.well-known/acme-challenge/')) {
+      const token = context.path.substring('/.well-known/acme-challenge/'.length);
+      // In this test, we only recognize one specific token
+      if (token === 'valid-token') {
+        return {
+          status: 200,
+          headers: { 'Content-Type': 'text/plain' },
+          body: 'valid-response'
+        };
+      }
+    }
+    
+    // For all other paths or unrecognized tokens, return 404
+    return {
+      status: 404,
+      headers: { 'Content-Type': 'text/plain' },
+      body: 'Not found'
+    };
+  };
+  
+  // Create a proxy with the ACME challenge route
+  const proxy = new SmartProxy({
+    routes: [{
+      name: 'acme-challenge-route',
+      match: {
+        ports: 8081,
+        path: '/.well-known/acme-challenge/*'
+      },
+      action: {
+        type: 'static',
+        handler: acmeHandler
+      }
+    }]
+  });
+  
+  await proxy.start();
+  
+  // Create a client to test the invalid challenge request
+  const testClient = new net.Socket();
+  let responseData = '';
+  
+  testClient.on('data', (data) => {
+    responseData += data.toString();
+  });
+  
+  // Connect and send a request for a non-existent token
+  await new Promise<void>((resolve, reject) => {
+    testClient.connect(8081, 'localhost', () => {
+      testClient.write(
+        'GET /.well-known/acme-challenge/invalid-token HTTP/1.1\r\n' +
+        'Host: test.example.com\r\n' +
+        '\r\n'
+      );
+      resolve();
+    });
+    
+    testClient.on('error', reject);
+  });
+  
+  // Wait for the response
+  await new Promise(resolve => setTimeout(resolve, 100));
+  
+  // Verify we got a 404 Not Found
+  expect(responseData).toContain('HTTP/1.1 404');
+  expect(responseData).toContain('Not found');
+  
+  // Cleanup
+  testClient.destroy();
+  await proxy.stop();
+});
+
+tap.start();

test/test.acme-route-creation.ts

@@ -0,0 +1,141 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { SmartProxy } from '../ts/index.js';
+import * as plugins from '../ts/plugins.js';
+
+/**
+ * Test that verifies ACME challenge routes are properly created
+ */
+tap.test('should create ACME challenge route with high ports', async (tools) => {
+  tools.timeout(5000);
+  
+  const capturedRoutes: any[] = [];
+  
+  const settings = {
+    routes: [
+      {
+        name: 'secure-route',
+        match: {
+          ports: [18443],  // High port to avoid permission issues
+          domains: 'test.local'
+        },
+        action: {
+          type: 'forward' as const,
+          target: { host: 'localhost', port: 8080 },
+          tls: {
+            mode: 'terminate' as const,
+            certificate: 'auto' as const
+          }
+        }
+      }
+    ],
+    acme: {
+      email: 'test@example.com',
+      port: 18080,  // High port for ACME challenges
+      useProduction: false  // Use staging environment
+    }
+  };
+  
+  const proxy = new SmartProxy(settings);
+  
+  // Capture route updates
+  const originalUpdateRoutes = (proxy as any).updateRoutes.bind(proxy);
+  (proxy as any).updateRoutes = async function(routes: any[]) {
+    capturedRoutes.push([...routes]);
+    return originalUpdateRoutes(routes);
+  };
+  
+  await proxy.start();
+  
+  // Check that ACME challenge route was added
+  const finalRoutes = capturedRoutes[capturedRoutes.length - 1];
+  const challengeRoute = finalRoutes.find((r: any) => r.name === 'acme-challenge');
+  
+  expect(challengeRoute).toBeDefined();
+  expect(challengeRoute.match.path).toEqual('/.well-known/acme-challenge/*');
+  expect(challengeRoute.match.ports).toEqual(18080);
+  expect(challengeRoute.action.type).toEqual('static');
+  expect(challengeRoute.priority).toEqual(1000);
+  
+  await proxy.stop();
+});
+
+tap.test('should handle HTTP request parsing correctly', async (tools) => {
+  tools.timeout(5000);
+  
+  let handlerCalled = false;
+  let receivedContext: any;
+  
+  const settings = {
+    routes: [
+      {
+        name: 'test-static',
+        match: {
+          ports: [18090],
+          path: '/test/*'
+        },
+        action: {
+          type: 'static' as const,
+          handler: async (context) => {
+            handlerCalled = true;
+            receivedContext = context;
+            return {
+              status: 200,
+              headers: { 'Content-Type': 'text/plain' },
+              body: 'OK'
+            };
+          }
+        }
+      }
+    ]
+  };
+  
+  const proxy = new SmartProxy(settings);
+  
+  // Mock NFTables manager
+  (proxy as any).nftablesManager = {
+    ensureNFTablesSetup: async () => {},
+    stop: async () => {}
+  };
+  
+  await proxy.start();
+  
+  // Create a simple HTTP request
+  const client = new plugins.net.Socket();
+  
+  await new Promise<void>((resolve, reject) => {
+    client.connect(18090, 'localhost', () => {
+      // Send HTTP request
+      const request = [
+        'GET /test/example HTTP/1.1',
+        'Host: localhost:18090',
+        'User-Agent: test-client',
+        '',
+        ''
+      ].join('\r\n');
+      
+      client.write(request);
+      
+      // Wait for response
+      client.on('data', (data) => {
+        const response = data.toString();
+        expect(response).toContain('HTTP/1.1 200');
+        expect(response).toContain('OK');
+        client.end();
+        resolve();
+      });
+    });
+    
+    client.on('error', reject);
+  });
+  
+  // Verify handler was called
+  expect(handlerCalled).toBeTrue();
+  expect(receivedContext).toBeDefined();
+  expect(receivedContext.path).toEqual('/test/example');
+  expect(receivedContext.method).toEqual('GET');
+  expect(receivedContext.headers.host).toEqual('localhost:18090');
+  
+  await proxy.stop();
+});
+
+tap.start();

test/test.acme-simple.ts

@@ -0,0 +1,116 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import * as net from 'net';
+
+/**
+ * Simple test to verify HTTP parsing works for ACME challenges
+ */
+tap.test('should parse HTTP requests correctly', async (tools) => {
+  tools.timeout(15000);
+  
+  let receivedRequest = '';
+  
+  // Create a simple HTTP server to test the parsing
+  const server = net.createServer((socket) => {
+    socket.on('data', (data) => {
+      receivedRequest = data.toString();
+      
+      // Send response
+      const response = [
+        'HTTP/1.1 200 OK',
+        'Content-Type: text/plain',
+        'Content-Length: 2',
+        '',
+        'OK'
+      ].join('\r\n');
+      
+      socket.write(response);
+      socket.end();
+    });
+  });
+  
+  await new Promise<void>((resolve) => {
+    server.listen(18091, () => {
+      console.log('Test server listening on port 18091');
+      resolve();
+    });
+  });
+  
+  // Connect and send request
+  const client = net.connect(18091, 'localhost');
+  
+  await new Promise<void>((resolve, reject) => {
+    client.on('connect', () => {
+      const request = [
+        'GET /.well-known/acme-challenge/test-token HTTP/1.1',
+        'Host: localhost:18091',
+        'User-Agent: test-client',
+        '',
+        ''
+      ].join('\r\n');
+      
+      client.write(request);
+    });
+    
+    client.on('data', (data) => {
+      const response = data.toString();
+      expect(response).toContain('200 OK');
+      client.end();
+    });
+    
+    client.on('end', () => {
+      resolve();
+    });
+    
+    client.on('error', reject);
+  });
+  
+  // Verify we received the request
+  expect(receivedRequest).toContain('GET /.well-known/acme-challenge/test-token');
+  expect(receivedRequest).toContain('Host: localhost:18091');
+  
+  server.close();
+});
+
+/**
+ * Test to verify ACME route configuration
+ */
+tap.test('should configure ACME challenge route', async () => {
+  // Simple test to verify the route configuration structure
+  const challengeRoute = {
+    name: 'acme-challenge',
+    priority: 1000,
+    match: {
+      ports: 80,
+      path: '/.well-known/acme-challenge/*'
+    },
+    action: {
+      type: 'static',
+      handler: async (context: any) => {
+        const token = context.path?.split('/').pop() || '';
+        return {
+          status: 200,
+          headers: { 'Content-Type': 'text/plain' },
+          body: `challenge-response-${token}`
+        };
+      }
+    }
+  };
+  
+  expect(challengeRoute.name).toEqual('acme-challenge');
+  expect(challengeRoute.match.path).toEqual('/.well-known/acme-challenge/*');
+  expect(challengeRoute.match.ports).toEqual(80);
+  expect(challengeRoute.priority).toEqual(1000);
+  
+  // Test the handler
+  const context = {
+    path: '/.well-known/acme-challenge/test-token',
+    method: 'GET',
+    headers: {}
+  };
+  
+  const response = await challengeRoute.action.handler(context);
+  expect(response.status).toEqual(200);
+  expect(response.body).toEqual('challenge-response-test-token');
+});
+
+tap.start();

test/test.acme-state-manager.node.ts

@@ -0,0 +1,185 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { AcmeStateManager } from '../ts/proxies/smart-proxy/acme-state-manager.js';
+import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
+
+tap.test('AcmeStateManager should track challenge routes correctly', async (tools) => {
+  const stateManager = new AcmeStateManager();
+  
+  const challengeRoute: IRouteConfig = {
+    name: 'acme-challenge',
+    priority: 1000,
+    match: {
+      ports: 80,
+      path: '/.well-known/acme-challenge/*'
+    },
+    action: {
+      type: 'static',
+      handler: async () => ({ status: 200, body: 'challenge' })
+    }
+  };
+  
+  // Initially no challenge routes
+  expect(stateManager.isChallengeRouteActive()).toBeFalse();
+  expect(stateManager.getActiveChallengeRoutes()).toEqual([]);
+  
+  // Add challenge route
+  stateManager.addChallengeRoute(challengeRoute);
+  expect(stateManager.isChallengeRouteActive()).toBeTrue();
+  expect(stateManager.getActiveChallengeRoutes()).toHaveProperty("length", 1);
+  expect(stateManager.getPrimaryChallengeRoute()).toEqual(challengeRoute);
+  
+  // Remove challenge route
+  stateManager.removeChallengeRoute('acme-challenge');
+  expect(stateManager.isChallengeRouteActive()).toBeFalse();
+  expect(stateManager.getActiveChallengeRoutes()).toEqual([]);
+  expect(stateManager.getPrimaryChallengeRoute()).toBeNull();
+});
+
+tap.test('AcmeStateManager should track port allocations', async (tools) => {
+  const stateManager = new AcmeStateManager();
+  
+  const challengeRoute1: IRouteConfig = {
+    name: 'acme-challenge-1',
+    priority: 1000,
+    match: {
+      ports: 80,
+      path: '/.well-known/acme-challenge/*'
+    },
+    action: {
+      type: 'static'
+    }
+  };
+  
+  const challengeRoute2: IRouteConfig = {
+    name: 'acme-challenge-2',
+    priority: 900,
+    match: {
+      ports: [80, 8080],
+      path: '/.well-known/acme-challenge/*'
+    },
+    action: {
+      type: 'static'
+    }
+  };
+  
+  // Add first route
+  stateManager.addChallengeRoute(challengeRoute1);
+  expect(stateManager.isPortAllocatedForAcme(80)).toBeTrue();
+  expect(stateManager.isPortAllocatedForAcme(8080)).toBeFalse();
+  expect(stateManager.getAcmePorts()).toEqual([80]);
+  
+  // Add second route
+  stateManager.addChallengeRoute(challengeRoute2);
+  expect(stateManager.isPortAllocatedForAcme(80)).toBeTrue();
+  expect(stateManager.isPortAllocatedForAcme(8080)).toBeTrue();
+  expect(stateManager.getAcmePorts()).toContain(80);
+  expect(stateManager.getAcmePorts()).toContain(8080);
+  
+  // Remove first route - port 80 should still be allocated
+  stateManager.removeChallengeRoute('acme-challenge-1');
+  expect(stateManager.isPortAllocatedForAcme(80)).toBeTrue();
+  expect(stateManager.isPortAllocatedForAcme(8080)).toBeTrue();
+  
+  // Remove second route - all ports should be deallocated
+  stateManager.removeChallengeRoute('acme-challenge-2');
+  expect(stateManager.isPortAllocatedForAcme(80)).toBeFalse();
+  expect(stateManager.isPortAllocatedForAcme(8080)).toBeFalse();
+  expect(stateManager.getAcmePorts()).toEqual([]);
+});
+
+tap.test('AcmeStateManager should select primary route by priority', async (tools) => {
+  const stateManager = new AcmeStateManager();
+  
+  const lowPriorityRoute: IRouteConfig = {
+    name: 'low-priority',
+    priority: 100,
+    match: {
+      ports: 80
+    },
+    action: {
+      type: 'static'
+    }
+  };
+  
+  const highPriorityRoute: IRouteConfig = {
+    name: 'high-priority',
+    priority: 2000,
+    match: {
+      ports: 80
+    },
+    action: {
+      type: 'static'
+    }
+  };
+  
+  const defaultPriorityRoute: IRouteConfig = {
+    name: 'default-priority',
+    // No priority specified - should default to 0
+    match: {
+      ports: 80
+    },
+    action: {
+      type: 'static'
+    }
+  };
+  
+  // Add low priority first
+  stateManager.addChallengeRoute(lowPriorityRoute);
+  expect(stateManager.getPrimaryChallengeRoute()?.name).toEqual('low-priority');
+  
+  // Add high priority - should become primary
+  stateManager.addChallengeRoute(highPriorityRoute);
+  expect(stateManager.getPrimaryChallengeRoute()?.name).toEqual('high-priority');
+  
+  // Add default priority - primary should remain high priority
+  stateManager.addChallengeRoute(defaultPriorityRoute);
+  expect(stateManager.getPrimaryChallengeRoute()?.name).toEqual('high-priority');
+  
+  // Remove high priority - primary should fall back to low priority
+  stateManager.removeChallengeRoute('high-priority');
+  expect(stateManager.getPrimaryChallengeRoute()?.name).toEqual('low-priority');
+});
+
+tap.test('AcmeStateManager should handle clear operation', async (tools) => {
+  const stateManager = new AcmeStateManager();
+  
+  const challengeRoute1: IRouteConfig = {
+    name: 'route-1',
+    match: {
+      ports: [80, 443]
+    },
+    action: {
+      type: 'static'
+    }
+  };
+  
+  const challengeRoute2: IRouteConfig = {
+    name: 'route-2',
+    match: {
+      ports: 8080
+    },
+    action: {
+      type: 'static'
+    }
+  };
+  
+  // Add routes
+  stateManager.addChallengeRoute(challengeRoute1);
+  stateManager.addChallengeRoute(challengeRoute2);
+  
+  // Verify state before clear
+  expect(stateManager.isChallengeRouteActive()).toBeTrue();
+  expect(stateManager.getActiveChallengeRoutes()).toHaveProperty("length", 2);
+  expect(stateManager.getAcmePorts()).toHaveProperty("length", 3);
+  
+  // Clear all state
+  stateManager.clear();
+  
+  // Verify state after clear
+  expect(stateManager.isChallengeRouteActive()).toBeFalse();
+  expect(stateManager.getActiveChallengeRoutes()).toEqual([]);
+  expect(stateManager.getAcmePorts()).toEqual([]);
+  expect(stateManager.getPrimaryChallengeRoute()).toBeNull();
+});
+
+export default tap.start();

test/test.acme-timing-simple.ts

@@ -0,0 +1,122 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { SmartProxy } from '../ts/index.js';
+
+// Test that certificate provisioning is deferred until after ports are listening
+tap.test('should defer certificate provisioning until ports are ready', async (tapTest) => {
+  // Track when operations happen
+  let portsListening = false;
+  let certProvisioningStarted = false;
+  let operationOrder: string[] = [];
+  
+  // Create proxy with certificate route but without real ACME
+  const proxy = new SmartProxy({
+    routes: [{
+      name: 'test-route',
+      match: {
+        ports: 8443,
+        domains: ['test.local']
+      },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8181 },
+        tls: {
+          mode: 'terminate',
+          certificate: 'auto',
+          acme: {
+            email: 'test@local.dev',
+            useProduction: false
+          }
+        }
+      }
+    }]
+  });
+  
+  // Override the certificate manager creation to avoid real ACME
+  const originalCreateCertManager = proxy['createCertificateManager'];
+  proxy['createCertificateManager'] = async function(...args: any[]) {
+    console.log('Creating mock cert manager');
+    operationOrder.push('create-cert-manager');
+    const mockCertManager = {
+      certStore: null,
+      smartAcme: null,
+      httpProxy: null,
+      renewalTimer: null,
+      pendingChallenges: new Map(),
+      challengeRoute: null,
+      certStatus: new Map(),
+      globalAcmeDefaults: null,
+      updateRoutesCallback: undefined,
+      challengeRouteActive: false,
+      isProvisioning: false,
+      acmeStateManager: null,
+      initialize: async () => {
+        operationOrder.push('cert-manager-init');
+        console.log('Mock cert manager initialized');
+      },
+      provisionAllCertificates: async () => {
+        operationOrder.push('cert-provisioning');
+        certProvisioningStarted = true;
+        // Check that ports are listening when provisioning starts
+        if (!portsListening) {
+          throw new Error('Certificate provisioning started before ports ready!');
+        }
+        console.log('Mock certificate provisioning (ports are ready)');
+      },
+      stop: async () => {},
+      setHttpProxy: () => {},
+      setGlobalAcmeDefaults: () => {},
+      setAcmeStateManager: () => {},
+      setUpdateRoutesCallback: () => {},
+      getAcmeOptions: () => ({}),
+      getState: () => ({ challengeRouteActive: false }),
+      getCertStatus: () => new Map(),
+      checkAndRenewCertificates: async () => {},
+      addChallengeRoute: async () => {},
+      removeChallengeRoute: async () => {},
+      getCertificate: async () => null,
+      isValidCertificate: () => false,
+      waitForProvisioning: async () => {}
+    } as any;
+    
+    // Call initialize immediately as the real createCertificateManager does
+    await mockCertManager.initialize();
+    
+    return mockCertManager;
+  };
+  
+  // Track port manager operations
+  const originalAddPorts = proxy['portManager'].addPorts;
+  proxy['portManager'].addPorts = async function(ports: number[]) {
+    operationOrder.push('ports-starting');
+    const result = await originalAddPorts.call(this, ports);
+    operationOrder.push('ports-ready');
+    portsListening = true;
+    console.log('Ports are now listening');
+    return result;
+  };
+  
+  // Start the proxy
+  await proxy.start();
+  
+  // Log the operation order for debugging
+  console.log('Operation order:', operationOrder);
+  
+  // Verify operations happened in the correct order
+  expect(operationOrder).toContain('create-cert-manager');
+  expect(operationOrder).toContain('cert-manager-init');
+  expect(operationOrder).toContain('ports-starting');
+  expect(operationOrder).toContain('ports-ready');
+  expect(operationOrder).toContain('cert-provisioning');
+  
+  // Verify ports were ready before certificate provisioning
+  const portsReadyIndex = operationOrder.indexOf('ports-ready');
+  const certProvisioningIndex = operationOrder.indexOf('cert-provisioning');
+  
+  expect(portsReadyIndex).toBeLessThan(certProvisioningIndex);
+  expect(certProvisioningStarted).toEqual(true);
+  expect(portsListening).toEqual(true);
+  
+  await proxy.stop();
+});
+
+tap.start();

test/test.acme-timing.ts

@@ -0,0 +1,159 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { SmartProxy } from '../ts/index.js';
+import * as net from 'net';
+
+// Test that certificate provisioning waits for ports to be ready
+tap.test('should defer certificate provisioning until after ports are listening', async (tapTest) => {
+  // Track the order of operations
+  const operationLog: string[] = [];
+  
+  // Create a mock server to verify ports are listening
+  let port80Listening = false;
+  const testServer = net.createServer(() => {
+    // We don't need to handle connections, just track that we're listening
+  });
+  
+  // Try to use port 8080 instead of 80 to avoid permission issues in testing
+  const acmePort = 8080;
+  
+  // Create proxy with ACME certificate requirement
+  const proxy = new SmartProxy({
+    useHttpProxy: [acmePort],
+    httpProxyPort: 8844,
+    acme: {
+      email: 'test@example.com',
+      useProduction: false,
+      port: acmePort
+    },
+    routes: [{
+      name: 'test-acme-route',
+      match: {
+        ports: 8443,
+        domains: ['test.local']
+      },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8181 },
+        tls: {
+          mode: 'terminate',
+          certificate: 'auto',
+          acme: {
+            email: 'test@example.com',
+            useProduction: false
+          }
+        }
+      }
+    }]
+  });
+  
+  // Mock some internal methods to track operation order
+  const originalAddPorts = proxy['portManager'].addPorts;
+  proxy['portManager'].addPorts = async function(ports: number[]) {
+    operationLog.push('Starting port listeners');
+    const result = await originalAddPorts.call(this, ports);
+    operationLog.push('Port listeners started');
+    port80Listening = true;
+    return result;
+  };
+  
+  // Track certificate provisioning
+  const originalProvisionAll = proxy['certManager'] ? 
+    proxy['certManager']['provisionAllCertificates'] : null;
+  
+  if (proxy['certManager']) {
+    proxy['certManager']['provisionAllCertificates'] = async function() {
+      operationLog.push('Starting certificate provisioning');
+      // Check if port 80 is listening
+      if (!port80Listening) {
+        operationLog.push('ERROR: Certificate provisioning started before ports ready');
+      }
+      // Don't actually provision certificates in the test
+      operationLog.push('Certificate provisioning completed');
+    };
+  }
+  
+  // Start the proxy
+  await proxy.start();
+  
+  // Verify the order of operations
+  expect(operationLog).toContain('Starting port listeners');
+  expect(operationLog).toContain('Port listeners started');
+  expect(operationLog).toContain('Starting certificate provisioning');
+  
+  // Ensure port listeners started before certificate provisioning
+  const portStartIndex = operationLog.indexOf('Port listeners started');
+  const certStartIndex = operationLog.indexOf('Starting certificate provisioning');
+  
+  expect(portStartIndex).toBeLessThan(certStartIndex);
+  expect(operationLog).not.toContain('ERROR: Certificate provisioning started before ports ready');
+  
+  await proxy.stop();
+});
+
+// Test that ACME challenge route is available when certificate is requested
+tap.test('should have ACME challenge route ready before certificate provisioning', async (tapTest) => {
+  let challengeRouteActive = false;
+  let certificateProvisioningStarted = false;
+  
+  const proxy = new SmartProxy({
+    useHttpProxy: [8080],
+    httpProxyPort: 8844,
+    acme: {
+      email: 'test@example.com',
+      useProduction: false,
+      port: 8080
+    },
+    routes: [{
+      name: 'test-route',
+      match: {
+        ports: 8443,
+        domains: ['test.example.com']
+      },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8181 },
+        tls: {
+          mode: 'terminate',
+          certificate: 'auto'
+        }
+      }
+    }]
+  });
+  
+  // Mock the certificate manager to track operations
+  const originalInitialize = proxy['certManager'] ? 
+    proxy['certManager'].initialize : null;
+    
+  if (proxy['certManager']) {
+    const certManager = proxy['certManager'];
+    
+    // Track when challenge route is added
+    const originalAddChallenge = certManager['addChallengeRoute'];
+    certManager['addChallengeRoute'] = async function() {
+      await originalAddChallenge.call(this);
+      challengeRouteActive = true;
+    };
+    
+    // Track when certificate provisioning starts
+    const originalProvisionAcme = certManager['provisionAcmeCertificate'];
+    certManager['provisionAcmeCertificate'] = async function(...args: any[]) {
+      certificateProvisioningStarted = true;
+      // Verify challenge route is active
+      expect(challengeRouteActive).toEqual(true);
+      // Don't actually provision in test
+      return;
+    };
+  }
+  
+  await proxy.start();
+  
+  // Give it a moment to complete initialization
+  await new Promise(resolve => setTimeout(resolve, 100));
+  
+  // Verify challenge route was added before any certificate provisioning
+  expect(challengeRouteActive).toEqual(true);
+  
+  await proxy.stop();
+});
+
+tap.start();

test/test.certificate-acme-update.ts

@@ -0,0 +1,77 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import * as plugins from '../ts/plugins.js';
+import * as smartproxy from '../ts/index.js';
+
+// This test verifies that SmartProxy correctly uses the updated SmartAcme v8.0.0 API
+// with the optional wildcard parameter
+
+tap.test('SmartCertManager should call getCertificateForDomain with wildcard option', async () => {
+  console.log('Testing SmartCertManager with SmartAcme v8.0.0 API...');
+  
+  // Create a mock route with ACME certificate configuration
+  const mockRoute: smartproxy.IRouteConfig = {
+    match: {
+      domains: ['test.example.com'],
+      ports: 443
+    },
+    action: {
+      type: 'forward',
+      target: {
+        host: 'localhost',
+        port: 8080
+      },
+      tls: {
+        mode: 'terminate',
+        certificate: 'auto',
+        acme: {
+          email: 'test@example.com',
+          useProduction: false
+        }
+      }
+    },
+    name: 'test-route'
+  };
+  
+  // Create a certificate manager
+  const certManager = new smartproxy.SmartCertManager(
+    [mockRoute],
+    './test-certs',
+    {
+      email: 'test@example.com',
+      useProduction: false
+    }
+  );
+  
+  // Since we can't actually test ACME in a unit test, we'll just verify the logic
+  // The actual test would be that it builds and runs without errors
+  
+  // Test the wildcard logic for different domain types and challenge handlers
+  const testCases = [
+    { domain: 'example.com', hasDnsChallenge: true, shouldIncludeWildcard: true },
+    { domain: 'example.com', hasDnsChallenge: false, shouldIncludeWildcard: false },
+    { domain: 'sub.example.com', hasDnsChallenge: true, shouldIncludeWildcard: true },
+    { domain: 'sub.example.com', hasDnsChallenge: false, shouldIncludeWildcard: false },
+    { domain: '*.example.com', hasDnsChallenge: true, shouldIncludeWildcard: false },
+    { domain: '*.example.com', hasDnsChallenge: false, shouldIncludeWildcard: false },
+    { domain: 'test', hasDnsChallenge: true, shouldIncludeWildcard: false }, // single label domain
+    { domain: 'test', hasDnsChallenge: false, shouldIncludeWildcard: false },
+    { domain: 'my.sub.example.com', hasDnsChallenge: true, shouldIncludeWildcard: true },
+    { domain: 'my.sub.example.com', hasDnsChallenge: false, shouldIncludeWildcard: false }
+  ];
+  
+  for (const testCase of testCases) {
+    const shouldIncludeWildcard = !testCase.domain.startsWith('*.') && 
+                                  testCase.domain.includes('.') && 
+                                  testCase.domain.split('.').length >= 2 &&
+                                  testCase.hasDnsChallenge;
+    
+    console.log(`Domain: ${testCase.domain}, DNS-01: ${testCase.hasDnsChallenge}, Should include wildcard: ${shouldIncludeWildcard}`);
+    expect(shouldIncludeWildcard).toEqual(testCase.shouldIncludeWildcard);
+  }
+  
+  console.log('All wildcard logic tests passed!');
+});
+
+tap.start({
+  throwOnError: true
+});

test/test.certificate-provisioning.ts

@@ -1,396 +1,141 @@
-/**
- * Tests for certificate provisioning with route-based configuration
- */
-import { expect, tap } from '@push.rocks/tapbundle';
-import * as path from 'path';
-import * as fs from 'fs';
-import * as os from 'os';
-import * as plugins from '../ts/plugins.js';
-
-// Import from core modules
-import { CertProvisioner } from '../ts/certificate/providers/cert-provisioner.js';
 import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
-import { createCertificateProvisioner } from '../ts/certificate/index.js';
-import type { ISmartProxyOptions } from '../ts/proxies/smart-proxy/models/interfaces.js';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
 
-// Extended options interface for testing - allows us to map ports for testing
-interface TestSmartProxyOptions extends ISmartProxyOptions {
-  portMap?: Record<number, number>; // Map standard ports to non-privileged ones for testing
-}
-
-// Import route helpers
-import {
-  createHttpsTerminateRoute,
-  createCompleteHttpsServer,
-  createHttpRoute
-} from '../ts/proxies/smart-proxy/utils/route-helpers.js';
-
-// Import test helpers
-import { loadTestCertificates } from './helpers/certificates.js';
-
-// Create temporary directory for certificates
-const tempDir = path.join(os.tmpdir(), `smartproxy-test-${Date.now()}`);
-fs.mkdirSync(tempDir, { recursive: true });
-
-// Mock Port80Handler class that extends EventEmitter
-class MockPort80Handler extends plugins.EventEmitter {
-  public domainsAdded: string[] = [];
-  
-  addDomain(opts: { domainName: string; sslRedirect: boolean; acmeMaintenance: boolean }) {
-    this.domainsAdded.push(opts.domainName);
-    return true;
-  }
-  
-  async renewCertificate(domain: string): Promise<void> {
-    // In a real implementation, this would trigger certificate renewal
-    console.log(`Mock certificate renewal for ${domain}`);
-  }
-}
-
-// Mock NetworkProxyBridge
-class MockNetworkProxyBridge {
-  public appliedCerts: any[] = [];
-  
-  applyExternalCertificate(cert: any) {
-    this.appliedCerts.push(cert);
-  }
-}
-
-tap.test('CertProvisioner: Should extract certificate domains from routes', async () => {
-  // Create routes with domains requiring certificates
-  const routes = [
-    createHttpsTerminateRoute('example.com', { host: 'localhost', port: 8080 }, {
-      certificate: 'auto'
-    }),
-    createHttpsTerminateRoute('secure.example.com', { host: 'localhost', port: 8081 }, {
-      certificate: 'auto'
-    }),
-    createHttpsTerminateRoute('api.example.com', { host: 'localhost', port: 8082 }, {
-      certificate: 'auto'
-    }),
-    // This route shouldn't require a certificate (passthrough)
-    createHttpsTerminateRoute('passthrough.example.com', { host: 'localhost', port: 8083 }, {
-      certificate: 'auto', // Will be ignored for passthrough
-      httpsPort: 4443,
+const testProxy = new SmartProxy({
+  routes: [{
+    name: 'test-route',
+    match: { ports: 443, domains: 'test.example.com' },
+    action: {
+      type: 'forward',
+      target: { host: 'localhost', port: 8080 },
       tls: {
-        mode: 'passthrough'
+        mode: 'terminate',
+        certificate: 'auto',
+        acme: {
+          email: 'test@example.com',
+          useProduction: false
+        }
       }
-    }),
-    // This route shouldn't require a certificate (static certificate provided)
-    createHttpsTerminateRoute('static-cert.example.com', { host: 'localhost', port: 8084 }, {
-      certificate: {
-        key: 'test-key',
-        cert: 'test-cert'
-      }
-    })
-  ];
-
-  // Create mocks
-  const mockPort80 = new MockPort80Handler();
-  const mockBridge = new MockNetworkProxyBridge();
-  
-  // Create certificate provisioner
-  const certProvisioner = new CertProvisioner(
-    routes,
-    mockPort80 as any,
-    mockBridge as any
-  );
-  
-  // Get routes that require certificate provisioning
-  const extractedDomains = (certProvisioner as any).extractCertificateRoutesFromRoutes(routes);
-
-  // Validate extraction
-  expect(extractedDomains).toBeInstanceOf(Array);
-  expect(extractedDomains.length).toBeGreaterThan(0); // Should extract at least some domains
-
-  // Check that the correct domains were extracted
-  const domains = extractedDomains.map(item => item.domain);
-  expect(domains).toInclude('example.com');
-  expect(domains).toInclude('secure.example.com');
-  expect(domains).toInclude('api.example.com');
-
-  // NOTE: Since we're now using createHttpsTerminateRoute for the passthrough domain
-  // and we've set certificate: 'auto', the domain will be included
-  // but will use passthrough mode for TLS
-  expect(domains).toInclude('passthrough.example.com');
-
-  // NOTE: The current implementation extracts all domains with terminate mode,
-  // including those with static certificates. This is different from our expectation,
-  // but we'll update the test to match the actual implementation.
-  expect(domains).toInclude('static-cert.example.com');
-});
-
-tap.test('CertProvisioner: Should handle wildcard domains in routes', async () => {
-  // Create routes with wildcard domains
-  const routes = [
-    createHttpsTerminateRoute('*.example.com', { host: 'localhost', port: 8080 }, {
-      certificate: 'auto'
-    }),
-    createHttpsTerminateRoute('example.org', { host: 'localhost', port: 8081 }, {
-      certificate: 'auto'
-    }),
-    createHttpsTerminateRoute(['api.example.net', 'app.example.net'], { host: 'localhost', port: 8082 }, {
-      certificate: 'auto'
-    })
-  ];
-
-  // Create mocks
-  const mockPort80 = new MockPort80Handler();
-  const mockBridge = new MockNetworkProxyBridge();
-  
-  // Create custom certificate provisioner function
-  const customCertFunc = async (domain: string) => {
-    // Always return a static certificate for testing
-    return {
-      domainName: domain,
-      publicKey: 'TEST-CERT',
-      privateKey: 'TEST-KEY',
-      validUntil: Date.now() + 90 * 24 * 60 * 60 * 1000,
-      created: Date.now(),
-      csr: 'TEST-CSR',
-      id: 'TEST-ID',
-    };
-  };
-
-  // Create certificate provisioner with custom cert function
-  const certProvisioner = new CertProvisioner(
-    routes, 
-    mockPort80 as any,
-    mockBridge as any,
-    customCertFunc
-  );
-
-  // Get routes that require certificate provisioning
-  const extractedDomains = (certProvisioner as any).extractCertificateRoutesFromRoutes(routes);
-  
-  // Validate extraction
-  expect(extractedDomains).toBeInstanceOf(Array);
-  
-  // Check that the correct domains were extracted
-  const domains = extractedDomains.map(item => item.domain);
-  expect(domains).toInclude('*.example.com');
-  expect(domains).toInclude('example.org');
-  expect(domains).toInclude('api.example.net');
-  expect(domains).toInclude('app.example.net');
-});
-
-tap.test('CertProvisioner: Should provision certificates for routes', async () => {
-  const testCerts = loadTestCertificates();
-  
-  // Create the custom provisioner function
-  const mockProvisionFunction = async (domain: string) => {
-    return {
-      domainName: domain,
-      publicKey: testCerts.publicKey,
-      privateKey: testCerts.privateKey,
-      validUntil: Date.now() + 90 * 24 * 60 * 60 * 1000,
-      created: Date.now(),
-      csr: 'TEST-CSR',
-      id: 'TEST-ID',
-    };
-  };
-
-  // Create routes with domains requiring certificates
-  const routes = [
-    createHttpsTerminateRoute('example.com', { host: 'localhost', port: 8080 }, {
-      certificate: 'auto'
-    }),
-    createHttpsTerminateRoute('secure.example.com', { host: 'localhost', port: 8081 }, {
-      certificate: 'auto'
-    })
-  ];
-
-  // Create mocks
-  const mockPort80 = new MockPort80Handler();
-  const mockBridge = new MockNetworkProxyBridge();
-
-  // Create certificate provisioner with mock provider
-  const certProvisioner = new CertProvisioner(
-    routes,
-    mockPort80 as any,
-    mockBridge as any,
-    mockProvisionFunction
-  );
-
-  // Create an events array to catch certificate events
-  const events: any[] = [];
-  certProvisioner.on('certificate', (event) => {
-    events.push(event);
-  });
-
-  // Start the provisioner (which will trigger initial provisioning)
-  await certProvisioner.start();
-  
-  // Verify certificates were provisioned (static provision flow)
-  expect(mockBridge.appliedCerts.length).toBeGreaterThanOrEqual(2);
-  expect(events.length).toBeGreaterThanOrEqual(2);
-  
-  // Check that each domain received a certificate
-  const certifiedDomains = events.map(e => e.domain);
-  expect(certifiedDomains).toInclude('example.com');
-  expect(certifiedDomains).toInclude('secure.example.com');
-
-  // Important: stop the provisioner to clean up any timers or listeners
-  await certProvisioner.stop();
-});
-
-tap.test('SmartProxy: Should handle certificate provisioning through routes', async () => {
-  // Skip this test in CI environments where we can't bind to the needed ports
-  if (process.env.CI) {
-    console.log('Skipping SmartProxy certificate test in CI environment');
-    return;
-  }
-  
-  // Create test certificates
-  const testCerts = loadTestCertificates();
-  
-  // Create mock cert provision function
-  const mockProvisionFunction = async (domain: string) => {
-    return {
-      domainName: domain,
-      publicKey: testCerts.publicKey,
-      privateKey: testCerts.privateKey,
-      validUntil: Date.now() + 90 * 24 * 60 * 60 * 1000,
-      created: Date.now(),
-      csr: 'TEST-CSR',
-      id: 'TEST-ID',
-    };
-  };
-  
-  // Create routes for testing
-  const routes = [
-    // HTTPS with auto certificate
-    createHttpsTerminateRoute('auto.example.com', { host: 'localhost', port: 8080 }, {
-      certificate: 'auto'
-    }),
-    
-    // HTTPS with static certificate
-    createHttpsTerminateRoute('static.example.com', { host: 'localhost', port: 8081 }, {
-      certificate: {
-        key: testCerts.privateKey,
-        cert: testCerts.publicKey
-      }
-    }),
-    
-    // Complete HTTPS server with auto certificate
-    ...createCompleteHttpsServer('auto-complete.example.com', { host: 'localhost', port: 8082 }, {
-      certificate: 'auto'
-    }),
-    
-    // API route with auto certificate - using createHttpRoute with HTTPS options
-    createHttpsTerminateRoute('auto-api.example.com', { host: 'localhost', port: 8083 }, {
-      certificate: 'auto',
-      match: { path: '/api/*' }
-    })
-  ];
-  
-  try {
-    // Create a minimal server to act as a target for testing
-    // This will be used in unit testing only, not in production
-    const mockTarget = new class {
-      server = plugins.http.createServer((req, res) => {
-        res.writeHead(200, { 'Content-Type': 'text/plain' });
-        res.end('Mock target server');
-      });
-      
-      start() {
-        return new Promise<void>((resolve) => {
-          this.server.listen(8080, () => resolve());
-        });
-      }
-      
-      stop() {
-        return new Promise<void>((resolve) => {
-          this.server.close(() => resolve());
-        });
-      }
-    };
-    
-    // Start the mock target
-    await mockTarget.start();
-    
-    // Create a SmartProxy instance that can avoid binding to privileged ports
-    // and using a mock certificate provisioner for testing
-    const proxy = new SmartProxy({
-      // Use TestSmartProxyOptions with portMap for testing
-      routes,
-      // Use high port numbers for testing to avoid need for root privileges
-      portMap: {
-        80: 8080,  // Map HTTP port 80 to 8080
-        443: 4443  // Map HTTPS port 443 to 4443
-      },
-      tlsSetupTimeoutMs: 500, // Lower timeout for testing
-      // Certificate provisioning settings
-      certProvisionFunction: mockProvisionFunction,
-      acme: {
-        enabled: true,
-        accountEmail: 'test@bleu.de',
-        useProduction: false,  // Use staging
-        certificateStore: tempDir
-      }
-    });
-    
-    // Track certificate events
-    const events: any[] = [];
-    proxy.on('certificate', (event) => {
-      events.push(event);
-    });
-    
-    // Instead of starting the actual proxy which tries to bind to ports,
-    // just test the initialization part that handles the certificate configuration
-
-    // We can't access private certProvisioner directly,
-    // so just use dummy events for testing
-    console.log(`Test would provision certificates if actually started`);
-
-    // Add some dummy events for testing
-    proxy.emit('certificate', {
-      domain: 'auto.example.com',
-      certificate: 'test-cert',
-      privateKey: 'test-key',
-      expiryDate: new Date(Date.now() + 90 * 24 * 60 * 60 * 1000),
-      source: 'test'
-    });
-
-    proxy.emit('certificate', {
-      domain: 'auto-complete.example.com',
-      certificate: 'test-cert',
-      privateKey: 'test-key',
-      expiryDate: new Date(Date.now() + 90 * 24 * 60 * 60 * 1000),
-      source: 'test'
-    });
-    
-    // Give time for events to finalize
-    await new Promise(resolve => setTimeout(resolve, 100));
-    
-    // Verify certificates were set up - this test might be skipped due to permissions
-    // For unit testing, we're only testing the routes are set up properly
-    // The errors in the log are expected in non-root environments and can be ignored
-
-    // Stop the mock target server
-    await mockTarget.stop();
-
-    // Instead of directly accessing the private certProvisioner property,
-    // we'll call the public stop method which will clean up internal resources
-    await proxy.stop();
-    
-  } catch (err) {
-    if (err.code === 'EACCES') {
-      console.log('Skipping test: EACCES error (needs privileged ports)');
-    } else {
-      console.error('Error in SmartProxy test:', err);
-      throw err;
     }
-  }
+  }]
 });
 
-tap.test('cleanup', async () => {
-  try {
-    fs.rmSync(tempDir, { recursive: true, force: true });
-    console.log('Temporary directory cleaned up:', tempDir);
-  } catch (err) {
-    console.error('Error cleaning up:', err);
-  }
+tap.test('should provision certificate automatically', async () => {
+  await testProxy.start();
+  
+  // Wait for certificate provisioning
+  await new Promise(resolve => setTimeout(resolve, 5000));
+  
+  const status = testProxy.getCertificateStatus('test-route');
+  expect(status).toBeDefined();
+  expect(status.status).toEqual('valid');
+  expect(status.source).toEqual('acme');
+  
+  await testProxy.stop();
 });
 
-export default tap.start();
+tap.test('should handle static certificates', async () => {
+  const proxy = new SmartProxy({
+    routes: [{
+      name: 'static-route',
+      match: { ports: 443, domains: 'static.example.com' },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8080 },
+        tls: {
+          mode: 'terminate',
+          certificate: {
+            cert: '-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----',
+            key: '-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----'
+          }
+        }
+      }
+    }]
+  });
+  
+  await proxy.start();
+  
+  const status = proxy.getCertificateStatus('static-route');
+  expect(status).toBeDefined();
+  expect(status.status).toEqual('valid');
+  expect(status.source).toEqual('static');
+  
+  await proxy.stop();
+});
+
+tap.test('should handle ACME challenge routes', async () => {
+  const proxy = new SmartProxy({
+    routes: [{
+      name: 'auto-cert-route',
+      match: { ports: 443, domains: 'acme.example.com' },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8080 },
+        tls: {
+          mode: 'terminate',
+          certificate: 'auto',
+          acme: {
+            email: 'acme@example.com',
+            useProduction: false,
+            challengePort: 80
+          }
+        }
+      }
+    }, {
+      name: 'port-80-route',
+      match: { ports: 80, domains: 'acme.example.com' },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8080 }
+      }
+    }]
+  });
+  
+  await proxy.start();
+  
+  // The SmartCertManager should automatically add challenge routes
+  // Let's verify the route manager sees them
+  const routes = proxy.routeManager.getAllRoutes();
+  const challengeRoute = routes.find(r => r.name === 'acme-challenge');
+  
+  expect(challengeRoute).toBeDefined();
+  expect(challengeRoute?.match.path).toEqual('/.well-known/acme-challenge/*');
+  expect(challengeRoute?.priority).toEqual(1000);
+  
+  await proxy.stop();
+});
+
+tap.test('should renew certificates', async () => {
+  const proxy = new SmartProxy({
+    routes: [{
+      name: 'renew-route',
+      match: { ports: 443, domains: 'renew.example.com' },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8080 },
+        tls: {
+          mode: 'terminate',
+          certificate: 'auto',
+          acme: {
+            email: 'renew@example.com',
+            useProduction: false,
+            renewBeforeDays: 30
+          }
+        }
+      }
+    }]
+  });
+  
+  await proxy.start();
+  
+  // Force renewal
+  await proxy.renewCertificate('renew-route');
+  
+  const status = proxy.getCertificateStatus('renew-route');
+  expect(status).toBeDefined();
+  expect(status.status).toEqual('valid');
+  
+  await proxy.stop();
+});
+
+tap.start();

test/test.certificate-simple.ts

@@ -0,0 +1,65 @@
+import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+
+tap.test('should create SmartProxy with certificate routes', async () => {
+  const proxy = new SmartProxy({
+    routes: [{
+      name: 'test-route',
+      match: { ports: 8443, domains: 'test.example.com' },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8080 },
+        tls: {
+          mode: 'terminate',
+          certificate: 'auto',
+          acme: {
+            email: 'test@example.com',
+            useProduction: false
+          }
+        }
+      }
+    }]
+  });
+  
+  expect(proxy).toBeDefined();
+  expect(proxy.settings.routes.length).toEqual(1);
+});
+
+tap.test('should handle static route type', async () => {
+  // Create a test route with static handler
+  const testResponse = {
+    status: 200,
+    headers: { 'Content-Type': 'text/plain' },
+    body: 'Hello from static route'
+  };
+  
+  const proxy = new SmartProxy({
+    routes: [{
+      name: 'static-test',
+      match: { ports: 8080, path: '/test' },
+      action: {
+        type: 'static',
+        handler: async () => testResponse
+      }
+    }]
+  });
+  
+  const route = proxy.settings.routes[0];
+  expect(route.action.type).toEqual('static');
+  expect(route.action.handler).toBeDefined();
+  
+  // Test the handler
+  const result = await route.action.handler!({
+    port: 8080,
+    path: '/test',
+    clientIp: '127.0.0.1',
+    serverIp: '127.0.0.1',
+    isTls: false,
+    timestamp: Date.now(),
+    connectionId: 'test-123'
+  });
+  
+  expect(result).toEqual(testResponse);
+});
+
+tap.start();

test/test.certprovisioner.unit.ts

@@ -1,211 +0,0 @@
-import { tap, expect } from '@push.rocks/tapbundle';
-import * as plugins from '../ts/plugins.js';
-import { CertProvisioner } from '../ts/certificate/providers/cert-provisioner.js';
-import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
-import type { ICertificateData } from '../ts/certificate/models/certificate-types.js';
-import type { TCertProvisionObject } from '../ts/certificate/providers/cert-provisioner.js';
-
-// Fake Port80Handler stub
-class FakePort80Handler extends plugins.EventEmitter {
-  public domainsAdded: string[] = [];
-  public renewCalled: string[] = [];
-  addDomain(opts: { domainName: string; sslRedirect: boolean; acmeMaintenance: boolean }) {
-    this.domainsAdded.push(opts.domainName);
-  }
-  async renewCertificate(domain: string): Promise<void> {
-    this.renewCalled.push(domain);
-  }
-}
-
-// Fake NetworkProxyBridge stub
-class FakeNetworkProxyBridge {
-  public appliedCerts: ICertificateData[] = [];
-  applyExternalCertificate(cert: ICertificateData) {
-    this.appliedCerts.push(cert);
-  }
-}
-
-tap.test('CertProvisioner handles static provisioning', async () => {
-  const domain = 'static.com';
-  // Create route-based configuration for testing
-  const routeConfigs: IRouteConfig[] = [{
-    name: 'Static Route',
-    match: {
-      ports: 443,
-      domains: [domain]
-    },
-    action: {
-      type: 'forward',
-      target: { host: 'localhost', port: 443 },
-      tls: {
-        mode: 'terminate-and-reencrypt',
-        certificate: 'auto'
-      }
-    }
-  }];
-  const fakePort80 = new FakePort80Handler();
-  const fakeBridge = new FakeNetworkProxyBridge();
-  // certProvider returns static certificate
-  const certProvider = async (d: string): Promise<TCertProvisionObject> => {
-    expect(d).toEqual(domain);
-    return {
-      domainName: domain,
-      publicKey: 'CERT',
-      privateKey: 'KEY',
-      validUntil: Date.now() + 3600 * 1000,
-      created: Date.now(),
-      csr: 'CSR',
-      id: 'ID',
-    };
-  };
-  const prov = new CertProvisioner(
-    routeConfigs,
-    fakePort80 as any,
-    fakeBridge as any,
-    certProvider,
-    1, // low renew threshold
-    1, // short interval
-    false // disable auto renew for unit test
-  );
-  const events: any[] = [];
-  prov.on('certificate', (data) => events.push(data));
-  await prov.start();
-  // Static flow: no addDomain, certificate applied via bridge
-  expect(fakePort80.domainsAdded.length).toEqual(0);
-  expect(fakeBridge.appliedCerts.length).toEqual(1);
-  expect(events.length).toEqual(1);
-  const evt = events[0];
-  expect(evt.domain).toEqual(domain);
-  expect(evt.certificate).toEqual('CERT');
-  expect(evt.privateKey).toEqual('KEY');
-  expect(evt.isRenewal).toEqual(false);
-  expect(evt.source).toEqual('static');
-  expect(evt.routeReference).toBeTruthy();
-  expect(evt.routeReference.routeName).toEqual('Static Route');
-});
-
-tap.test('CertProvisioner handles http01 provisioning', async () => {
-  const domain = 'http01.com';
-  // Create route-based configuration for testing
-  const routeConfigs: IRouteConfig[] = [{
-    name: 'HTTP01 Route',
-    match: {
-      ports: 443,
-      domains: [domain]
-    },
-    action: {
-      type: 'forward',
-      target: { host: 'localhost', port: 80 },
-      tls: {
-        mode: 'terminate',
-        certificate: 'auto'
-      }
-    }
-  }];
-  const fakePort80 = new FakePort80Handler();
-  const fakeBridge = new FakeNetworkProxyBridge();
-  // certProvider returns http01 directive
-  const certProvider = async (): Promise<TCertProvisionObject> => 'http01';
-  const prov = new CertProvisioner(
-    routeConfigs,
-    fakePort80 as any,
-    fakeBridge as any,
-    certProvider,
-    1,
-    1,
-    false
-  );
-  const events: any[] = [];
-  prov.on('certificate', (data) => events.push(data));
-  await prov.start();
-  // HTTP-01 flow: addDomain called, no static cert applied
-  expect(fakePort80.domainsAdded).toEqual([domain]);
-  expect(fakeBridge.appliedCerts.length).toEqual(0);
-  expect(events.length).toEqual(0);
-});
-
-tap.test('CertProvisioner on-demand http01 renewal', async () => {
-  const domain = 'renew.com';
-  // Create route-based configuration for testing
-  const routeConfigs: IRouteConfig[] = [{
-    name: 'Renewal Route',
-    match: {
-      ports: 443,
-      domains: [domain]
-    },
-    action: {
-      type: 'forward',
-      target: { host: 'localhost', port: 80 },
-      tls: {
-        mode: 'terminate',
-        certificate: 'auto'
-      }
-    }
-  }];
-  const fakePort80 = new FakePort80Handler();
-  const fakeBridge = new FakeNetworkProxyBridge();
-  const certProvider = async (): Promise<TCertProvisionObject> => 'http01';
-  const prov = new CertProvisioner(
-    routeConfigs,
-    fakePort80 as any,
-    fakeBridge as any,
-    certProvider,
-    1,
-    1,
-    false
-  );
-  // requestCertificate should call renewCertificate
-  await prov.requestCertificate(domain);
-  expect(fakePort80.renewCalled).toEqual([domain]);
-});
-
-tap.test('CertProvisioner on-demand static provisioning', async () => {
-  const domain = 'ondemand.com';
-  // Create route-based configuration for testing
-  const routeConfigs: IRouteConfig[] = [{
-    name: 'On-Demand Route',
-    match: {
-      ports: 443,
-      domains: [domain]
-    },
-    action: {
-      type: 'forward',
-      target: { host: 'localhost', port: 443 },
-      tls: {
-        mode: 'terminate-and-reencrypt',
-        certificate: 'auto'
-      }
-    }
-  }];
-  const fakePort80 = new FakePort80Handler();
-  const fakeBridge = new FakeNetworkProxyBridge();
-  const certProvider = async (): Promise<TCertProvisionObject> => ({
-    domainName: domain,
-    publicKey: 'PKEY',
-    privateKey: 'PRIV',
-    validUntil: Date.now() + 1000,
-    created: Date.now(),
-    csr: 'CSR',
-    id: 'ID',
-  });
-  const prov = new CertProvisioner(
-    routeConfigs,
-    fakePort80 as any,
-    fakeBridge as any,
-    certProvider,
-    1,
-    1,
-    false
-  );
-  const events: any[] = [];
-  prov.on('certificate', (data) => events.push(data));
-  await prov.requestCertificate(domain);
-  expect(fakeBridge.appliedCerts.length).toEqual(1);
-  expect(events.length).toEqual(1);
-  expect(events[0].domain).toEqual(domain);
-  expect(events[0].source).toEqual('static');
-  expect(events[0].routeReference).toBeTruthy();
-  expect(events[0].routeReference.routeName).toEqual('On-Demand Route');
-});
-
-export default tap.start();

test/test.connection-forwarding.ts

@@ -0,0 +1,294 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import * as net from 'net';
+import * as tls from 'tls';
+import * as fs from 'fs';
+import * as path from 'path';
+import { SmartProxy } from '../ts/proxies/smart-proxy/smart-proxy.js';
+import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
+
+// Setup test infrastructure
+const testCertPath = path.join(process.cwd(), 'test', 'helpers', 'test-cert.pem');
+const testKeyPath = path.join(process.cwd(), 'test', 'helpers', 'test-key.pem');
+
+let testServer: net.Server;
+let tlsTestServer: tls.Server;
+let smartProxy: SmartProxy;
+
+tap.test('setup test servers', async () => {
+  // Create TCP test server
+  testServer = net.createServer((socket) => {
+    socket.write('Connected to TCP test server\n');
+    socket.on('data', (data) => {
+      socket.write(`TCP Echo: ${data}`);
+    });
+  });
+
+  await new Promise<void>((resolve) => {
+    testServer.listen(7001, '127.0.0.1', () => {
+      console.log('TCP test server listening on port 7001');
+      resolve();
+    });
+  });
+
+  // Create TLS test server for SNI testing
+  tlsTestServer = tls.createServer(
+    {
+      cert: fs.readFileSync(testCertPath),
+      key: fs.readFileSync(testKeyPath),
+    },
+    (socket) => {
+      socket.write('Connected to TLS test server\n');
+      socket.on('data', (data) => {
+        socket.write(`TLS Echo: ${data}`);
+      });
+    }
+  );
+
+  await new Promise<void>((resolve) => {
+    tlsTestServer.listen(7002, '127.0.0.1', () => {
+      console.log('TLS test server listening on port 7002');
+      resolve();
+    });
+  });
+});
+
+tap.test('should forward TCP connections correctly', async () => {
+  // Create SmartProxy with forward route
+  smartProxy = new SmartProxy({
+    enableDetailedLogging: true,
+    routes: [
+      {
+        id: 'tcp-forward',
+        name: 'TCP Forward Route',
+        match: {
+          ports: 8080,
+        },
+        action: {
+          type: 'forward',
+          target: {
+            host: '127.0.0.1',
+            port: 7001,
+          },
+        },
+      },
+    ],
+  });
+
+  await smartProxy.start();
+
+  // Test TCP forwarding
+  const client = await new Promise<net.Socket>((resolve, reject) => {
+    const socket = net.connect(8080, '127.0.0.1', () => {
+      console.log('Connected to proxy');
+      resolve(socket);
+    });
+    socket.on('error', reject);
+  });
+
+  // Test data transmission
+  await new Promise<void>((resolve) => {
+    client.on('data', (data) => {
+      const response = data.toString();
+      console.log('Received:', response);
+      expect(response).toContain('Connected to TCP test server');
+      client.end();
+      resolve();
+    });
+
+    client.write('Hello from client');
+  });
+
+  await smartProxy.stop();
+});
+
+tap.test('should handle TLS passthrough correctly', async () => {
+  // Create SmartProxy with TLS passthrough route
+  smartProxy = new SmartProxy({
+    enableDetailedLogging: true,
+    routes: [
+      {
+        id: 'tls-passthrough',
+        name: 'TLS Passthrough Route',
+        match: {
+          ports: 8443,
+          domains: 'test.example.com',
+        },
+        action: {
+          type: 'forward',
+          tls: {
+            mode: 'passthrough',
+          },
+          target: {
+            host: '127.0.0.1',
+            port: 7002,
+          },
+        },
+      },
+    ],
+  });
+
+  await smartProxy.start();
+
+  // Test TLS passthrough
+  const client = await new Promise<tls.TLSSocket>((resolve, reject) => {
+    const socket = tls.connect(
+      {
+        port: 8443,
+        host: '127.0.0.1',
+        servername: 'test.example.com',
+        rejectUnauthorized: false,
+      },
+      () => {
+        console.log('Connected via TLS');
+        resolve(socket);
+      }
+    );
+    socket.on('error', reject);
+  });
+
+  // Test data transmission over TLS
+  await new Promise<void>((resolve) => {
+    client.on('data', (data) => {
+      const response = data.toString();
+      console.log('TLS Received:', response);
+      expect(response).toContain('Connected to TLS test server');
+      client.end();
+      resolve();
+    });
+
+    client.write('Hello from TLS client');
+  });
+
+  await smartProxy.stop();
+});
+
+tap.test('should handle SNI-based forwarding', async () => {
+  // Create SmartProxy with multiple domain routes
+  smartProxy = new SmartProxy({
+    enableDetailedLogging: true,
+    routes: [
+      {
+        id: 'domain-a',
+        name: 'Domain A Route',
+        match: {
+          ports: 8443,
+          domains: 'a.example.com',
+        },
+        action: {
+          type: 'forward',
+          tls: {
+            mode: 'passthrough',
+          },
+          target: {
+            host: '127.0.0.1',
+            port: 7002,
+          },
+        },
+      },
+      {
+        id: 'domain-b',
+        name: 'Domain B Route',
+        match: {
+          ports: 8443,
+          domains: 'b.example.com',
+        },
+        action: {
+          type: 'forward',
+          target: {
+            host: '127.0.0.1',
+            port: 7001,
+          },
+        },
+      },
+    ],
+  });
+
+  await smartProxy.start();
+
+  // Test domain A (TLS passthrough)
+  const clientA = await new Promise<tls.TLSSocket>((resolve, reject) => {
+    const socket = tls.connect(
+      {
+        port: 8443,
+        host: '127.0.0.1',
+        servername: 'a.example.com',
+        rejectUnauthorized: false,
+      },
+      () => {
+        console.log('Connected to domain A');
+        resolve(socket);
+      }
+    );
+    socket.on('error', reject);
+  });
+
+  await new Promise<void>((resolve) => {
+    clientA.on('data', (data) => {
+      const response = data.toString();
+      console.log('Domain A response:', response);
+      expect(response).toContain('Connected to TLS test server');
+      clientA.end();
+      resolve();
+    });
+
+    clientA.write('Hello from domain A');
+  });
+
+  // Test domain B (non-TLS forward)
+  const clientB = await new Promise<net.Socket>((resolve, reject) => {
+    const socket = net.connect(8443, '127.0.0.1', () => {
+      // Send TLS ClientHello with SNI for b.example.com
+      const clientHello = Buffer.from([
+        0x16, 0x03, 0x01, 0x00, 0x4e, // TLS Record header
+        0x01, 0x00, 0x00, 0x4a, // Handshake header
+        0x03, 0x03, // TLS version
+        // Random bytes
+        ...Array(32).fill(0),
+        0x00, // Session ID length
+        0x00, 0x02, // Cipher suites length
+        0x00, 0x35, // Cipher suite
+        0x01, 0x00, // Compression methods
+        0x00, 0x1f, // Extensions length
+        0x00, 0x00, // SNI extension
+        0x00, 0x1b, // Extension length
+        0x00, 0x19, // SNI list length
+        0x00, // SNI type (hostname)
+        0x00, 0x16, // SNI length
+        // "b.example.com" in ASCII
+        0x62, 0x2e, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d,
+      ]);
+      
+      socket.write(clientHello);
+      
+      setTimeout(() => {
+        resolve(socket);
+      }, 100);
+    });
+    socket.on('error', reject);
+  });
+
+  await new Promise<void>((resolve) => {
+    clientB.on('data', (data) => {
+      const response = data.toString();
+      console.log('Domain B response:', response);
+      // Should be forwarded to TCP server
+      expect(response).toContain('Connected to TCP test server');
+      clientB.end();
+      resolve();
+    });
+
+    // Send regular data after initial handshake
+    setTimeout(() => {
+      clientB.write('Hello from domain B');
+    }, 200);
+  });
+
+  await smartProxy.stop();
+});
+
+tap.test('cleanup', async () => {
+  testServer.close();
+  tlsTestServer.close();
+});
+
+export default tap.start();

test/test.fix-verification.ts

@@ -0,0 +1,81 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { SmartProxy } from '../ts/index.js';
+
+tap.test('should verify certificate manager callback is preserved on updateRoutes', async () => {
+  // Create proxy with initial cert routes
+  const proxy = new SmartProxy({
+    routes: [{
+      name: 'cert-route',
+      match: { ports: [18443], domains: ['test.local'] },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 3000 },
+        tls: {
+          mode: 'terminate',
+          certificate: 'auto',
+          acme: { email: 'test@local.test' }
+        }
+      }
+    }],
+    acme: { email: 'test@local.test', port: 18080 }
+  });
+  
+  // Track callback preservation
+  let initialCallbackSet = false;
+  let updateCallbackSet = false;
+  
+  // Mock certificate manager creation
+  (proxy as any).createCertificateManager = async function(...args: any[]) {
+    const certManager = {
+      updateRoutesCallback: null as any,
+      setUpdateRoutesCallback: function(callback: any) {
+        this.updateRoutesCallback = callback;
+        if (!initialCallbackSet) {
+          initialCallbackSet = true;
+        } else {
+          updateCallbackSet = true;
+        }
+      },
+      setHttpProxy: () => {},
+      setGlobalAcmeDefaults: () => {},
+      setAcmeStateManager: () => {},
+      initialize: async () => {},
+      stop: async () => {},
+      getAcmeOptions: () => ({ email: 'test@local.test' }),
+      getState: () => ({ challengeRouteActive: false })
+    };
+    
+    // Set callback as in real implementation
+    certManager.setUpdateRoutesCallback(async (routes) => {
+      await this.updateRoutes(routes);
+    });
+    
+    return certManager;
+  };
+  
+  await proxy.start();
+  expect(initialCallbackSet).toEqual(true);
+  
+  // Update routes - this should preserve the callback
+  await proxy.updateRoutes([{
+    name: 'updated-route',
+    match: { ports: [18444], domains: ['test2.local'] },
+    action: {
+      type: 'forward',
+      target: { host: 'localhost', port: 3001 },
+      tls: {
+        mode: 'terminate',
+        certificate: 'auto',
+        acme: { email: 'test@local.test' }
+      }
+    }
+  }]);
+  
+  expect(updateCallbackSet).toEqual(true);
+  
+  await proxy.stop();
+  
+  console.log('Fix verified: Certificate manager callback is preserved on updateRoutes');
+});
+
+tap.start();

test/test.forwarding-fix-verification.ts

@@ -0,0 +1,131 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import * as net from 'net';
+import { SmartProxy } from '../ts/proxies/smart-proxy/smart-proxy.js';
+
+let testServer: net.Server;
+let smartProxy: SmartProxy;
+
+tap.test('setup test server', async () => {
+  // Create a test server that handles connections
+  testServer = await new Promise<net.Server>((resolve) => {
+    const server = net.createServer((socket) => {
+      console.log('Test server: Client connected');
+      socket.write('Welcome from test server\n');
+      
+      socket.on('data', (data) => {
+        console.log(`Test server received: ${data.toString().trim()}`);
+        socket.write(`Echo: ${data}`);
+      });
+      
+      socket.on('close', () => {
+        console.log('Test server: Client disconnected');
+      });
+    });
+    
+    server.listen(6789, () => {
+      console.log('Test server listening on port 6789');
+      resolve(server);
+    });
+  });
+});
+
+tap.test('regular forward route should work correctly', async () => {
+  smartProxy = new SmartProxy({
+    routes: [{
+      id: 'test-forward',
+      name: 'Test Forward Route',
+      match: { ports: 7890 },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 6789 }
+      }
+    }]
+  });
+
+  await smartProxy.start();
+
+  // Create a client connection
+  const client = await new Promise<net.Socket>((resolve, reject) => {
+    const socket = net.connect(7890, 'localhost', () => {
+      console.log('Client connected to proxy');
+      resolve(socket);
+    });
+    socket.on('error', reject);
+  });
+
+  // Test data exchange
+  const response = await new Promise<string>((resolve) => {
+    client.on('data', (data) => {
+      resolve(data.toString());
+    });
+  });
+
+  expect(response).toContain('Welcome from test server');
+  
+  // Send data through proxy
+  client.write('Test message');
+  
+  const echo = await new Promise<string>((resolve) => {
+    client.once('data', (data) => {
+      resolve(data.toString());
+    });
+  });
+  
+  expect(echo).toContain('Echo: Test message');
+  
+  client.end();
+  await smartProxy.stop();
+});
+
+tap.test('NFTables forward route should not terminate connections', async () => {
+  smartProxy = new SmartProxy({
+    routes: [{
+      id: 'nftables-test',
+      name: 'NFTables Test Route',
+      match: { ports: 7891 },
+      action: {
+        type: 'forward',
+        forwardingEngine: 'nftables',
+        target: { host: 'localhost', port: 6789 }
+      }
+    }]
+  });
+
+  await smartProxy.start();
+
+  // Create a client connection
+  const client = await new Promise<net.Socket>((resolve, reject) => {
+    const socket = net.connect(7891, 'localhost', () => {
+      console.log('Client connected to NFTables proxy');
+      resolve(socket);
+    });
+    socket.on('error', reject);
+  });
+
+  // With NFTables, the connection should stay open at the application level
+  // even though forwarding happens at kernel level
+  let connectionClosed = false;
+  client.on('close', () => {
+    connectionClosed = true;
+  });
+
+  // Wait a bit to ensure connection isn't immediately closed
+  await new Promise(resolve => setTimeout(resolve, 1000));
+  
+  expect(connectionClosed).toEqual(false);
+  console.log('NFTables connection stayed open as expected');
+  
+  client.end();
+  await smartProxy.stop();
+});
+
+tap.test('cleanup', async () => {
+  if (testServer) {
+    testServer.close();
+  }
+  if (smartProxy) {
+    await smartProxy.stop();
+  }
+});
+
+export default tap.start();

test/test.forwarding-regression.ts

@@ -0,0 +1,111 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import * as net from 'net';
+import { SmartProxy } from '../ts/proxies/smart-proxy/smart-proxy.js';
+
+// Test to verify port forwarding works correctly
+tap.test('forward connections should not be immediately closed', async (t) => {
+  // Create a backend server that accepts connections
+  const testServer = net.createServer((socket) => {
+    console.log('Client connected to test server');
+    socket.write('Welcome from test server\n');
+    
+    socket.on('data', (data) => {
+      console.log('Test server received:', data.toString());
+      socket.write(`Echo: ${data}`);
+    });
+    
+    socket.on('error', (err) => {
+      console.error('Test server socket error:', err);
+    });
+  });
+
+  // Listen on a non-privileged port
+  await new Promise<void>((resolve) => {
+    testServer.listen(9090, '127.0.0.1', () => {
+      console.log('Test server listening on port 9090');
+      resolve();
+    });
+  });
+
+  // Create SmartProxy with a forward route
+  const smartProxy = new SmartProxy({
+    enableDetailedLogging: true,
+    routes: [
+      {
+        id: 'forward-test',
+        name: 'Forward Test Route',
+        match: {
+          ports: 8080,
+        },
+        action: {
+          type: 'forward',
+          target: {
+            host: '127.0.0.1',
+            port: 9090,
+          },
+        },
+      },
+    ],
+  });
+
+  await smartProxy.start();
+
+  // Create a client connection through the proxy
+  const client = net.createConnection({
+    port: 8080,
+    host: '127.0.0.1',
+  });
+
+  let connectionClosed = false;
+  let dataReceived = false;
+  let welcomeMessage = '';
+
+  client.on('connect', () => {
+    console.log('Client connected to proxy');
+  });
+
+  client.on('data', (data) => {
+    console.log('Client received:', data.toString());
+    dataReceived = true;
+    welcomeMessage = data.toString();
+  });
+
+  client.on('close', () => {
+    console.log('Client connection closed');
+    connectionClosed = true;
+  });
+
+  client.on('error', (err) => {
+    console.error('Client error:', err);
+  });
+
+  // Wait for the welcome message
+  let waitTime = 0;
+  while (!dataReceived && waitTime < 2000) {
+    await new Promise(resolve => setTimeout(resolve, 100));
+    waitTime += 100;
+  }
+  
+  if (!dataReceived) {
+    throw new Error('Data should be received from the server');
+  }
+
+  // Verify we got the welcome message
+  expect(welcomeMessage).toContain('Welcome from test server');
+  
+  // Send some data
+  client.write('Hello from client');
+  
+  // Wait a bit to make sure connection isn't immediately closed
+  await new Promise(resolve => setTimeout(resolve, 100));
+  
+  // Connection should still be open
+  expect(connectionClosed).toEqual(false);
+  
+  // Clean up
+  client.end();
+  await smartProxy.stop();
+  testServer.close();
+});
+
+export default tap.start();

test/test.forwarding.examples.ts

@@ -1,132 +1,125 @@
 import * as path from 'path';
-import { tap, expect } from '@push.rocks/tapbundle';
+import { tap, expect } from '@git.zone/tstest/tapbundle';
 
 import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
 import {
   createHttpRoute,
-  createHttpsRoute,
-  createPassthroughRoute,
-  createRedirectRoute,
+  createHttpsTerminateRoute,
+  createHttpsPassthroughRoute,
   createHttpToHttpsRedirect,
-  createBlockRoute,
+  createCompleteHttpsServer,
   createLoadBalancerRoute,
-  createHttpsServer,
-  createPortRange,
-  createSecurityConfig,
   createStaticFileRoute,
-  createTestRoute
-} from '../ts/proxies/smart-proxy/route-helpers/index.js';
+  createApiRoute,
+  createWebSocketRoute
+} from '../ts/proxies/smart-proxy/utils/route-helpers.js';
 import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
 
 // Test to demonstrate various route configurations using the new helpers
 tap.test('Route-based configuration examples', async (tools) => {
   // Example 1: HTTP-only configuration
-  const httpOnlyRoute = createHttpRoute({
-    domains: 'http.example.com',
-    target: {
+  const httpOnlyRoute = createHttpRoute(
+    'http.example.com',
+    {
       host: 'localhost',
       port: 3000
     },
-    security: {
-      allowedIps: ['*'] // Allow all
-    },
-    name: 'Basic HTTP Route'
-  });
+    {
+      name: 'Basic HTTP Route'
+    }
+  );
 
   console.log('HTTP-only route created successfully:', httpOnlyRoute.name);
   expect(httpOnlyRoute.action.type).toEqual('forward');
   expect(httpOnlyRoute.match.domains).toEqual('http.example.com');
 
   // Example 2: HTTPS Passthrough (SNI) configuration
-  const httpsPassthroughRoute = createPassthroughRoute({
-    domains: 'pass.example.com',
-    target: {
+  const httpsPassthroughRoute = createHttpsPassthroughRoute(
+    'pass.example.com',
+    {
       host: ['10.0.0.1', '10.0.0.2'], // Round-robin target IPs
       port: 443
     },
-    security: {
-      allowedIps: ['*'] // Allow all
-    },
-    name: 'HTTPS Passthrough Route'
-  });
+    {
+      name: 'HTTPS Passthrough Route'
+    }
+  );
 
   expect(httpsPassthroughRoute).toBeTruthy();
   expect(httpsPassthroughRoute.action.tls?.mode).toEqual('passthrough');
   expect(Array.isArray(httpsPassthroughRoute.action.target?.host)).toBeTrue();
 
   // Example 3: HTTPS Termination to HTTP Backend
-  const terminateToHttpRoute = createHttpsRoute({
-    domains: 'secure.example.com',
-    target: {
+  const terminateToHttpRoute = createHttpsTerminateRoute(
+    'secure.example.com',
+    {
       host: 'localhost',
       port: 8080
     },
-    tlsMode: 'terminate',
-    certificate: 'auto',
-    headers: {
-      'X-Forwarded-Proto': 'https'
-    },
-    security: {
-      allowedIps: ['*'] // Allow all
-    },
-    name: 'HTTPS Termination to HTTP Backend'
-  });
+    {
+      certificate: 'auto',
+      name: 'HTTPS Termination to HTTP Backend'
+    }
+  );
 
   // Create the HTTP to HTTPS redirect for this domain
-  const httpToHttpsRedirect = createHttpToHttpsRedirect({
-    domains: 'secure.example.com',
-    name: 'HTTP to HTTPS Redirect for secure.example.com'
-  });
+  const httpToHttpsRedirect = createHttpToHttpsRedirect(
+    'secure.example.com',
+    443,
+    {
+      name: 'HTTP to HTTPS Redirect for secure.example.com'
+    }
+  );
 
   expect(terminateToHttpRoute).toBeTruthy();
   expect(terminateToHttpRoute.action.tls?.mode).toEqual('terminate');
-  expect(terminateToHttpRoute.action.advanced?.headers?.['X-Forwarded-Proto']).toEqual('https');
   expect(httpToHttpsRedirect.action.type).toEqual('redirect');
 
   // Example 4: Load Balancer with HTTPS
-  const loadBalancerRoute = createLoadBalancerRoute({
-    domains: 'proxy.example.com',
-    targets: ['internal-api-1.local', 'internal-api-2.local'],
-    targetPort: 8443,
-    tlsMode: 'terminate-and-reencrypt',
-    certificate: 'auto',
-    headers: {
-      'X-Original-Host': '{domain}'
-    },
-    security: {
-      allowedIps: ['10.0.0.0/24', '192.168.1.0/24'],
-      maxConnections: 1000
-    },
-    name: 'Load Balanced HTTPS Route'
-  });
+  const loadBalancerRoute = createLoadBalancerRoute(
+    'proxy.example.com',
+    ['internal-api-1.local', 'internal-api-2.local'],
+    8443,
+    {
+      tls: {
+        mode: 'terminate-and-reencrypt',
+        certificate: 'auto'
+      },
+      name: 'Load Balanced HTTPS Route'
+    }
+  );
 
   expect(loadBalancerRoute).toBeTruthy();
   expect(loadBalancerRoute.action.tls?.mode).toEqual('terminate-and-reencrypt');
   expect(Array.isArray(loadBalancerRoute.action.target?.host)).toBeTrue();
-  expect(loadBalancerRoute.action.security?.allowedIps?.length).toEqual(2);
 
-  // Example 5: Block specific IPs
-  const blockRoute = createBlockRoute({
-    ports: [80, 443],
-    clientIp: ['192.168.5.0/24'],
-    name: 'Block Suspicious IPs',
-    priority: 1000 // High priority to ensure it's evaluated first
-  });
+  // Example 5: API Route
+  const apiRoute = createApiRoute(
+    'api.example.com',
+    '/api',
+    { host: 'localhost', port: 8081 },
+    {
+      name: 'API Route',
+      useTls: true,
+      addCorsHeaders: true
+    }
+  );
 
-  expect(blockRoute.action.type).toEqual('block');
-  expect(blockRoute.match.clientIp?.length).toEqual(1);
-  expect(blockRoute.priority).toEqual(1000);
+  expect(apiRoute.action.type).toEqual('forward');
+  expect(apiRoute.match.path).toBeTruthy();
 
   // Example 6: Complete HTTPS Server with HTTP Redirect
-  const httpsServerRoutes = createHttpsServer({
-    domains: 'complete.example.com',
-    target: {
+  const httpsServerRoutes = createCompleteHttpsServer(
+    'complete.example.com',
+    {
       host: 'localhost',
       port: 8080
     },
-    certificate: 'auto',
-    name: 'Complete HTTPS Server'
-  });
+    {
+      certificate: 'auto',
+      name: 'Complete HTTPS Server'
+    }
+  );
 
   expect(Array.isArray(httpsServerRoutes)).toBeTrue();
   expect(httpsServerRoutes.length).toEqual(2); // HTTPS route and HTTP redirect
@@ -134,35 +127,32 @@ tap.test('Route-based configuration examples', async (tools) => {
   expect(httpsServerRoutes[1].action.type).toEqual('redirect');
 
   // Example 7: Static File Server
-  const staticFileRoute = createStaticFileRoute({
-    domains: 'static.example.com',
-    targetDirectory: '/var/www/static',
-    tlsMode: 'terminate',
-    certificate: 'auto',
-    headers: {
-      'Cache-Control': 'public, max-age=86400'
-    },
-    name: 'Static File Server'
-  });
-
-  expect(staticFileRoute.action.advanced?.staticFiles?.directory).toEqual('/var/www/static');
-  expect(staticFileRoute.action.advanced?.headers?.['Cache-Control']).toEqual('public, max-age=86400');
-
-  // Example 8: Test Route for Debugging
-  const testRoute = createTestRoute({
-    ports: 8000,
-    domains: 'test.example.com',
-    response: {
-      status: 200,
-      headers: {
-        'Content-Type': 'application/json'
-      },
-      body: JSON.stringify({ status: 'ok', message: 'API is working!' })
+  const staticFileRoute = createStaticFileRoute(
+    'static.example.com',
+    '/var/www/static',
+    {
+      serveOnHttps: true,
+      certificate: 'auto',
+      name: 'Static File Server'
     }
-  });
+  );
 
-  expect(testRoute.match.ports).toEqual(8000);
-  expect(testRoute.action.advanced?.testResponse?.status).toEqual(200);
+  expect(staticFileRoute.action.type).toEqual('static');
+  expect(staticFileRoute.action.static?.root).toEqual('/var/www/static');
+
+  // Example 8: WebSocket Route
+  const webSocketRoute = createWebSocketRoute(
+    'ws.example.com',
+    '/ws',
+    { host: 'localhost', port: 8082 },
+    {
+      useTls: true,
+      name: 'WebSocket Route'
+    }
+  );
+
+  expect(webSocketRoute.action.type).toEqual('forward');
+  expect(webSocketRoute.action.websocket?.enabled).toBeTrue();
 
   // Create a SmartProxy instance with all routes
   const allRoutes: IRouteConfig[] = [
@@ -171,27 +161,21 @@ tap.test('Route-based configuration examples', async (tools) => {
     terminateToHttpRoute,
     httpToHttpsRedirect,
     loadBalancerRoute,
-    blockRoute,
+    apiRoute,
     ...httpsServerRoutes,
     staticFileRoute,
-    testRoute
+    webSocketRoute
   ];
 
   // We're not actually starting the SmartProxy in this test,
   // just verifying that the configuration is valid
   const smartProxy = new SmartProxy({
-    routes: allRoutes,
-    acme: {
-      email: 'admin@example.com',
-      termsOfServiceAgreed: true,
-      directoryUrl: 'https://acme-staging-v02.api.letsencrypt.org/directory'
-    }
+    routes: allRoutes
   });
 
-  console.log(`Smart Proxy configured with ${allRoutes.length} routes`);
-
-  // Verify our example proxy was created correctly
-  expect(smartProxy).toBeTruthy();
+  // Just verify that all routes are configured correctly
+  console.log(`Created ${allRoutes.length} example routes`);
+  expect(allRoutes.length).toEqual(10);
 });
 
 export default tap.start();

test/test.forwarding.ts

@@ -1,10 +1,9 @@
-import { tap, expect } from '@push.rocks/tapbundle';
+import { tap, expect } from '@git.zone/tstest/tapbundle';
 import * as plugins from '../ts/plugins.js';
 import type { IForwardConfig, TForwardingType } from '../ts/forwarding/config/forwarding-types.js';
 
 // First, import the components directly to avoid issues with compiled modules
 import { ForwardingHandlerFactory } from '../ts/forwarding/factory/forwarding-factory.js';
-import { httpOnly, tlsTerminateToHttp, tlsTerminateToHttps, httpsPassthrough } from '../ts/forwarding/config/forwarding-types.js';
 // Import route-based helpers
 import {
   createHttpRoute,
@@ -14,11 +13,15 @@ import {
   createCompleteHttpsServer
 } from '../ts/proxies/smart-proxy/utils/route-helpers.js';
 
+// Create helper functions for backward compatibility
 const helpers = {
-  httpOnly,
-  tlsTerminateToHttp,
-  tlsTerminateToHttps,
-  httpsPassthrough
+  httpOnly: (domains: string | string[], target: any) => createHttpRoute(domains, target),
+  tlsTerminateToHttp: (domains: string | string[], target: any) => 
+    createHttpsTerminateRoute(domains, target),
+  tlsTerminateToHttps: (domains: string | string[], target: any) => 
+    createHttpsTerminateRoute(domains, target, { reencrypt: true }),
+  httpsPassthrough: (domains: string | string[], target: any) => 
+    createHttpsPassthroughRoute(domains, target)
 };
 
 // Route-based utility functions for testing
@@ -27,207 +30,58 @@ function findRouteForDomain(routes: any[], domain: string): any {
     const domains = Array.isArray(route.match.domains)
       ? route.match.domains
       : [route.match.domains];
-
-    return domains.some(d => {
-      // Handle wildcard domains
-      if (d.startsWith('*.')) {
-        const suffix = d.substring(2);
-        return domain.endsWith(suffix) && domain.split('.').length > suffix.split('.').length;
-      }
-      return d === domain;
-    });
+    return domains.includes(domain);
   });
 }
 
-tap.test('ForwardingHandlerFactory - apply defaults based on type', async () => {
-      // HTTP-only defaults
-      const httpConfig: IForwardConfig = {
-        type: 'http-only',
-        target: { host: 'localhost', port: 3000 }
-      };
-      
-      const expandedHttpConfig = ForwardingHandlerFactory.applyDefaults(httpConfig);
-      expect(expandedHttpConfig.http?.enabled).toEqual(true);
-      
-      // HTTPS-passthrough defaults
-      const passthroughConfig: IForwardConfig = {
-        type: 'https-passthrough',
-        target: { host: 'localhost', port: 443 }
-      };
-      
-      const expandedPassthroughConfig = ForwardingHandlerFactory.applyDefaults(passthroughConfig);
-      expect(expandedPassthroughConfig.https?.forwardSni).toEqual(true);
-      expect(expandedPassthroughConfig.http?.enabled).toEqual(false);
-      
-      // HTTPS-terminate-to-http defaults
-      const terminateToHttpConfig: IForwardConfig = {
-        type: 'https-terminate-to-http',
-        target: { host: 'localhost', port: 3000 }
-      };
-      
-      const expandedTerminateToHttpConfig = ForwardingHandlerFactory.applyDefaults(terminateToHttpConfig);
-      expect(expandedTerminateToHttpConfig.http?.enabled).toEqual(true);
-      expect(expandedTerminateToHttpConfig.http?.redirectToHttps).toEqual(true);
-      expect(expandedTerminateToHttpConfig.acme?.enabled).toEqual(true);
-      expect(expandedTerminateToHttpConfig.acme?.maintenance).toEqual(true);
-      
-      // HTTPS-terminate-to-https defaults
-      const terminateToHttpsConfig: IForwardConfig = {
-        type: 'https-terminate-to-https',
-        target: { host: 'localhost', port: 8443 }
-      };
-      
-      const expandedTerminateToHttpsConfig = ForwardingHandlerFactory.applyDefaults(terminateToHttpsConfig);
-      expect(expandedTerminateToHttpsConfig.http?.enabled).toEqual(true);
-      expect(expandedTerminateToHttpsConfig.http?.redirectToHttps).toEqual(true);
-      expect(expandedTerminateToHttpsConfig.acme?.enabled).toEqual(true);
-      expect(expandedTerminateToHttpsConfig.acme?.maintenance).toEqual(true);
-    });
-    
-tap.test('ForwardingHandlerFactory - validate configuration', async () => {
-      // Valid configuration
-      const validConfig: IForwardConfig = {
-        type: 'http-only',
-        target: { host: 'localhost', port: 3000 }
-      };
-      
-      expect(() => ForwardingHandlerFactory.validateConfig(validConfig)).not.toThrow();
-      
-      // Invalid configuration - missing target
-      const invalidConfig1: any = {
-        type: 'http-only'
-      };
-      
-      expect(() => ForwardingHandlerFactory.validateConfig(invalidConfig1)).toThrow();
-      
-      // Invalid configuration - invalid port
-      const invalidConfig2: IForwardConfig = {
-        type: 'http-only',
-        target: { host: 'localhost', port: 0 }
-      };
-      
-      expect(() => ForwardingHandlerFactory.validateConfig(invalidConfig2)).toThrow();
-      
-      // Invalid configuration - HTTP disabled for HTTP-only
-      const invalidConfig3: IForwardConfig = {
-        type: 'http-only',
-        target: { host: 'localhost', port: 3000 },
-        http: { enabled: false }
-      };
-      
-      expect(() => ForwardingHandlerFactory.validateConfig(invalidConfig3)).toThrow();
-      
-      // Invalid configuration - HTTP enabled for HTTPS passthrough
-      const invalidConfig4: IForwardConfig = {
-        type: 'https-passthrough',
-        target: { host: 'localhost', port: 443 },
-        http: { enabled: true }
-      };
-      
-      expect(() => ForwardingHandlerFactory.validateConfig(invalidConfig4)).toThrow();
-    });
-tap.test('Route Management - manage route configurations', async () => {
-      // Create an array to store routes
-      const routes: any[] = [];
+// Replace the old test with route-based tests
+tap.test('Route Helpers - Create HTTP routes', async () => {
+  const route = helpers.httpOnly('example.com', { host: 'localhost', port: 3000 });
+  expect(route.action.type).toEqual('forward');
+  expect(route.match.domains).toEqual('example.com');
+  expect(route.action.target).toEqual({ host: 'localhost', port: 3000 });
+});
 
-      // Add a route configuration
-      const httpRoute = createHttpRoute('example.com', { host: 'localhost', port: 3000 });
-      routes.push(httpRoute);
+tap.test('Route Helpers - Create HTTPS terminate to HTTP routes', async () => {
+  const route = helpers.tlsTerminateToHttp('secure.example.com', { host: 'localhost', port: 3000 });
+  expect(route.action.type).toEqual('forward');
+  expect(route.match.domains).toEqual('secure.example.com');
+  expect(route.action.tls?.mode).toEqual('terminate');
+});
 
-      // Check that the configuration was added
-      expect(routes.length).toEqual(1);
-      expect(routes[0].match.domains).toEqual('example.com');
-      expect(routes[0].action.type).toEqual('forward');
-      expect(routes[0].action.target.host).toEqual('localhost');
-      expect(routes[0].action.target.port).toEqual(3000);
+tap.test('Route Helpers - Create HTTPS passthrough routes', async () => {
+  const route = helpers.httpsPassthrough('passthrough.example.com', { host: 'backend', port: 443 });
+  expect(route.action.type).toEqual('forward');
+  expect(route.match.domains).toEqual('passthrough.example.com');
+  expect(route.action.tls?.mode).toEqual('passthrough');
+});
 
-      // Find a route for a domain
-      const foundRoute = findRouteForDomain(routes, 'example.com');
-      expect(foundRoute).toBeDefined();
+tap.test('Route Helpers - Create HTTPS to HTTPS routes', async () => {
+  const route = helpers.tlsTerminateToHttps('reencrypt.example.com', { host: 'backend', port: 443 });
+  expect(route.action.type).toEqual('forward');
+  expect(route.match.domains).toEqual('reencrypt.example.com');
+  expect(route.action.tls?.mode).toEqual('terminate-and-reencrypt');
+});
 
-      // Remove a route configuration
-      const initialLength = routes.length;
-      const domainToRemove = 'example.com';
-      const indexToRemove = routes.findIndex(route => {
-        const domains = Array.isArray(route.match.domains) ? route.match.domains : [route.match.domains];
-        return domains.includes(domainToRemove);
-      });
+tap.test('Route Helpers - Create complete HTTPS server with redirect', async () => {
+  const routes = createCompleteHttpsServer(
+    'full.example.com',
+    { host: 'localhost', port: 3000 },
+    { certificate: 'auto' }
+  );
+  
+  expect(routes.length).toEqual(2);
+  
+  // Check HTTP to HTTPS redirect - find route by action type
+  const redirectRoute = routes.find(r => r.action.type === 'redirect');
+  expect(redirectRoute.action.type).toEqual('redirect');
+  expect(redirectRoute.match.ports).toEqual(80);
+  
+  // Check HTTPS route
+  const httpsRoute = routes.find(r => r.action.type === 'forward');
+  expect(httpsRoute.match.ports).toEqual(443);
+  expect(httpsRoute.action.tls?.mode).toEqual('terminate');
+});
 
-      if (indexToRemove !== -1) {
-        routes.splice(indexToRemove, 1);
-      }
-
-      expect(routes.length).toEqual(initialLength - 1);
-
-      // Check that the configuration was removed
-      expect(routes.length).toEqual(0);
-
-      // Check that no route exists anymore
-      const notFoundRoute = findRouteForDomain(routes, 'example.com');
-      expect(notFoundRoute).toBeUndefined();
-    });
-
-tap.test('Route Management - support wildcard domains', async () => {
-      // Create an array to store routes
-      const routes: any[] = [];
-
-      // Add a wildcard domain route
-      const wildcardRoute = createHttpRoute('*.example.com', { host: 'localhost', port: 3000 });
-      routes.push(wildcardRoute);
-
-      // Find a route for a subdomain
-      const foundRoute = findRouteForDomain(routes, 'test.example.com');
-      expect(foundRoute).toBeDefined();
-
-      // Find a route for a different domain (should not match)
-      const notFoundRoute = findRouteForDomain(routes, 'example.org');
-      expect(notFoundRoute).toBeUndefined();
-    });
-tap.test('Route Helper Functions - create HTTP route', async () => {
-      const route = createHttpRoute('example.com', { host: 'localhost', port: 3000 });
-      expect(route.match.domains).toEqual('example.com');
-      expect(route.match.ports).toEqual(80);
-      expect(route.action.type).toEqual('forward');
-      expect(route.action.target.host).toEqual('localhost');
-      expect(route.action.target.port).toEqual(3000);
-    });
-
-tap.test('Route Helper Functions - create HTTPS terminate route', async () => {
-      const route = createHttpsTerminateRoute('example.com', { host: 'localhost', port: 3000 });
-      expect(route.match.domains).toEqual('example.com');
-      expect(route.match.ports).toEqual(443);
-      expect(route.action.type).toEqual('forward');
-      expect(route.action.target.host).toEqual('localhost');
-      expect(route.action.target.port).toEqual(3000);
-      expect(route.action.tls?.mode).toEqual('terminate');
-      expect(route.action.tls?.certificate).toEqual('auto');
-    });
-
-tap.test('Route Helper Functions - create complete HTTPS server', async () => {
-      const routes = createCompleteHttpsServer('example.com', { host: 'localhost', port: 8443 });
-      expect(routes.length).toEqual(2);
-
-      // HTTPS route
-      expect(routes[0].match.domains).toEqual('example.com');
-      expect(routes[0].match.ports).toEqual(443);
-      expect(routes[0].action.type).toEqual('forward');
-      expect(routes[0].action.target.host).toEqual('localhost');
-      expect(routes[0].action.target.port).toEqual(8443);
-      expect(routes[0].action.tls?.mode).toEqual('terminate');
-
-      // HTTP redirect route
-      expect(routes[1].match.domains).toEqual('example.com');
-      expect(routes[1].match.ports).toEqual(80);
-      expect(routes[1].action.type).toEqual('redirect');
-    });
-
-tap.test('Route Helper Functions - create HTTPS passthrough route', async () => {
-      const route = createHttpsPassthroughRoute('example.com', { host: 'localhost', port: 443 });
-      expect(route.match.domains).toEqual('example.com');
-      expect(route.match.ports).toEqual(443);
-      expect(route.action.type).toEqual('forward');
-      expect(route.action.target.host).toEqual('localhost');
-      expect(route.action.target.port).toEqual(443);
-      expect(route.action.tls?.mode).toEqual('passthrough');
-    });
+// Export test runner
 export default tap.start();

test/test.forwarding.unit.ts

@@ -1,168 +1,53 @@
-import { tap, expect } from '@push.rocks/tapbundle';
+import { tap, expect } from '@git.zone/tstest/tapbundle';
 import * as plugins from '../ts/plugins.js';
-import type { IForwardConfig } from '../ts/forwarding/config/forwarding-types.js';
 
 // First, import the components directly to avoid issues with compiled modules
 import { ForwardingHandlerFactory } from '../ts/forwarding/factory/forwarding-factory.js';
-import { httpOnly, tlsTerminateToHttp, tlsTerminateToHttps, httpsPassthrough } from '../ts/forwarding/config/forwarding-types.js';
-// Import route-based helpers
+// Import route-based helpers from the correct location
 import {
   createHttpRoute,
   createHttpsTerminateRoute,
   createHttpsPassthroughRoute,
   createHttpToHttpsRedirect,
-  createCompleteHttpsServer
-} from '../ts/proxies/smart-proxy/utils/route-helpers.js';
+  createCompleteHttpsServer,
+  createLoadBalancerRoute
+} from '../ts/proxies/smart-proxy/utils/route-patterns.js';
 
+// Create helper functions for building forwarding configs
 const helpers = {
-  httpOnly,
-  tlsTerminateToHttp,
-  tlsTerminateToHttps,
-  httpsPassthrough
+  httpOnly: () => ({ type: 'http-only' as const }),
+  tlsTerminateToHttp: () => ({ type: 'https-terminate-to-http' as const }),
+  tlsTerminateToHttps: () => ({ type: 'https-terminate-to-https' as const }),
+  httpsPassthrough: () => ({ type: 'https-passthrough' as const })
 };
 
 tap.test('ForwardingHandlerFactory - apply defaults based on type', async () => {
-      // HTTP-only defaults
-      const httpConfig: IForwardConfig = {
-        type: 'http-only',
-        target: { host: 'localhost', port: 3000 }
-      };
-      
-      const expandedHttpConfig = ForwardingHandlerFactory.applyDefaults(httpConfig);
-      expect(expandedHttpConfig.http?.enabled).toEqual(true);
+  // HTTP-only defaults
+  const httpConfig = {
+    type: 'http-only' as const,
+    target: { host: 'localhost', port: 3000 }
+  };
+  
+  const httpWithDefaults = ForwardingHandlerFactory['applyDefaults'](httpConfig);
+  
+  expect(httpWithDefaults.port).toEqual(80);
+  expect(httpWithDefaults.socket).toEqual('/tmp/forwarding-http-only-80.sock');
+  
+  // HTTPS passthrough defaults
+  const httpsPassthroughConfig = {
+    type: 'https-passthrough' as const,
+    target: { host: 'localhost', port: 443 }
+  };
+  
+  const httpsPassthroughWithDefaults = ForwardingHandlerFactory['applyDefaults'](httpsPassthroughConfig);
+  
+  expect(httpsPassthroughWithDefaults.port).toEqual(443);
+  expect(httpsPassthroughWithDefaults.socket).toEqual('/tmp/forwarding-https-passthrough-443.sock');
+});
 
-      // HTTPS-passthrough defaults
-      const passthroughConfig: IForwardConfig = {
-        type: 'https-passthrough',
-        target: { host: 'localhost', port: 443 }
-      };
+tap.test('ForwardingHandlerFactory - factory function for handlers', async () => {
+  // @todo Implement unit tests for ForwardingHandlerFactory
+  // These tests would need proper mocking of the handlers
+});
 
-      const expandedPassthroughConfig = ForwardingHandlerFactory.applyDefaults(passthroughConfig);
-      expect(expandedPassthroughConfig.https?.forwardSni).toEqual(true);
-      expect(expandedPassthroughConfig.http?.enabled).toEqual(false);
-
-      // HTTPS-terminate-to-http defaults
-      const terminateToHttpConfig: IForwardConfig = {
-        type: 'https-terminate-to-http',
-        target: { host: 'localhost', port: 3000 }
-      };
-
-      const expandedTerminateToHttpConfig = ForwardingHandlerFactory.applyDefaults(terminateToHttpConfig);
-      expect(expandedTerminateToHttpConfig.http?.enabled).toEqual(true);
-      expect(expandedTerminateToHttpConfig.http?.redirectToHttps).toEqual(true);
-      expect(expandedTerminateToHttpConfig.acme?.enabled).toEqual(true);
-      expect(expandedTerminateToHttpConfig.acme?.maintenance).toEqual(true);
-
-      // HTTPS-terminate-to-https defaults
-      const terminateToHttpsConfig: IForwardConfig = {
-        type: 'https-terminate-to-https',
-        target: { host: 'localhost', port: 8443 }
-      };
-
-      const expandedTerminateToHttpsConfig = ForwardingHandlerFactory.applyDefaults(terminateToHttpsConfig);
-      expect(expandedTerminateToHttpsConfig.http?.enabled).toEqual(true);
-      expect(expandedTerminateToHttpsConfig.http?.redirectToHttps).toEqual(true);
-      expect(expandedTerminateToHttpsConfig.acme?.enabled).toEqual(true);
-      expect(expandedTerminateToHttpsConfig.acme?.maintenance).toEqual(true);
-    });
-    
-tap.test('ForwardingHandlerFactory - validate configuration', async () => {
-      // Valid configuration
-      const validConfig: IForwardConfig = {
-        type: 'http-only',
-        target: { host: 'localhost', port: 3000 }
-      };
-      
-      expect(() => ForwardingHandlerFactory.validateConfig(validConfig)).not.toThrow();
-      
-      // Invalid configuration - missing target
-      const invalidConfig1: any = {
-        type: 'http-only'
-      };
-      
-      expect(() => ForwardingHandlerFactory.validateConfig(invalidConfig1)).toThrow();
-      
-      // Invalid configuration - invalid port
-      const invalidConfig2: IForwardConfig = {
-        type: 'http-only',
-        target: { host: 'localhost', port: 0 }
-      };
-      
-      expect(() => ForwardingHandlerFactory.validateConfig(invalidConfig2)).toThrow();
-      
-      // Invalid configuration - HTTP disabled for HTTP-only
-      const invalidConfig3: IForwardConfig = {
-        type: 'http-only',
-        target: { host: 'localhost', port: 3000 },
-        http: { enabled: false }
-      };
-      
-      expect(() => ForwardingHandlerFactory.validateConfig(invalidConfig3)).toThrow();
-      
-      // Invalid configuration - HTTP enabled for HTTPS passthrough
-      const invalidConfig4: IForwardConfig = {
-        type: 'https-passthrough',
-        target: { host: 'localhost', port: 443 },
-        http: { enabled: true }
-      };
-      
-      expect(() => ForwardingHandlerFactory.validateConfig(invalidConfig4)).toThrow();
-    });
-tap.test('Route Helper - create HTTP route configuration', async () => {
-      // Create a route-based configuration
-      const route = createHttpRoute('example.com', { host: 'localhost', port: 3000 });
-
-      // Verify route properties
-      expect(route.match.domains).toEqual('example.com');
-      expect(route.action.type).toEqual('forward');
-      expect(route.action.target?.host).toEqual('localhost');
-      expect(route.action.target?.port).toEqual(3000);
-    });
-tap.test('Route Helper Functions - create HTTP route', async () => {
-      const route = createHttpRoute('example.com', { host: 'localhost', port: 3000 });
-      expect(route.match.domains).toEqual('example.com');
-      expect(route.match.ports).toEqual(80);
-      expect(route.action.type).toEqual('forward');
-      expect(route.action.target.host).toEqual('localhost');
-      expect(route.action.target.port).toEqual(3000);
-    });
-
-tap.test('Route Helper Functions - create HTTPS terminate route', async () => {
-      const route = createHttpsTerminateRoute('example.com', { host: 'localhost', port: 3000 });
-      expect(route.match.domains).toEqual('example.com');
-      expect(route.match.ports).toEqual(443);
-      expect(route.action.type).toEqual('forward');
-      expect(route.action.target.host).toEqual('localhost');
-      expect(route.action.target.port).toEqual(3000);
-      expect(route.action.tls?.mode).toEqual('terminate');
-      expect(route.action.tls?.certificate).toEqual('auto');
-    });
-
-tap.test('Route Helper Functions - create complete HTTPS server', async () => {
-      const routes = createCompleteHttpsServer('example.com', { host: 'localhost', port: 8443 });
-      expect(routes.length).toEqual(2);
-
-      // HTTPS route
-      expect(routes[0].match.domains).toEqual('example.com');
-      expect(routes[0].match.ports).toEqual(443);
-      expect(routes[0].action.type).toEqual('forward');
-      expect(routes[0].action.target.host).toEqual('localhost');
-      expect(routes[0].action.target.port).toEqual(8443);
-      expect(routes[0].action.tls?.mode).toEqual('terminate');
-
-      // HTTP redirect route
-      expect(routes[1].match.domains).toEqual('example.com');
-      expect(routes[1].match.ports).toEqual(80);
-      expect(routes[1].action.type).toEqual('redirect');
-    });
-
-tap.test('Route Helper Functions - create HTTPS passthrough route', async () => {
-      const route = createHttpsPassthroughRoute('example.com', { host: 'localhost', port: 443 });
-      expect(route.match.domains).toEqual('example.com');
-      expect(route.match.ports).toEqual(443);
-      expect(route.action.type).toEqual('forward');
-      expect(route.action.target.host).toEqual('localhost');
-      expect(route.action.target.port).toEqual(443);
-      expect(route.action.tls?.mode).toEqual('passthrough');
-    });
 export default tap.start();

test/test.http-fix-unit.ts

@@ -0,0 +1,183 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import * as net from 'net';
+
+// Unit test for the HTTP forwarding fix
+tap.test('should forward non-TLS connections on HttpProxy ports', async (tapTest) => {
+  // Test configuration
+  const testPort = 8080;
+  const httpProxyPort = 8844;
+  
+  // Track forwarding logic
+  let forwardedToHttpProxy = false;
+  let setupDirectConnection = false;
+  
+  // Create mock settings
+  const mockSettings = {
+    useHttpProxy: [testPort],
+    httpProxyPort: httpProxyPort,
+    routes: [{
+      name: 'test-route',
+      match: { ports: testPort },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8181 }
+      }
+    }]
+  };
+  
+  // Create mock connection record
+  const mockRecord = {
+    id: 'test-connection',
+    localPort: testPort,
+    remoteIP: '127.0.0.1',
+    isTLS: false
+  };
+  
+  // Mock HttpProxyBridge
+  const mockHttpProxyBridge = {
+    getHttpProxy: () => ({ available: true }),
+    forwardToHttpProxy: async () => {
+      forwardedToHttpProxy = true;
+    }
+  };
+  
+  // Test the logic from handleForwardAction
+  const route = mockSettings.routes[0];
+  const action = route.action as any;
+  
+  // Simulate the fixed logic
+  if (!action.tls) {
+    // No TLS settings - check if this port should use HttpProxy
+    const isHttpProxyPort = mockSettings.useHttpProxy?.includes(mockRecord.localPort);
+    
+    if (isHttpProxyPort && mockHttpProxyBridge.getHttpProxy()) {
+      // Forward non-TLS connections to HttpProxy if configured
+      console.log(`Using HttpProxy for non-TLS connection on port ${mockRecord.localPort}`);
+      await mockHttpProxyBridge.forwardToHttpProxy();
+    } else {
+      // Basic forwarding
+      console.log(`Using basic forwarding`);
+      setupDirectConnection = true;
+    }
+  }
+  
+  // Verify the fix works correctly
+  expect(forwardedToHttpProxy).toEqual(true);
+  expect(setupDirectConnection).toEqual(false);
+  
+  console.log('Test passed: Non-TLS connections on HttpProxy ports are forwarded correctly');
+});
+
+// Test that non-HttpProxy ports still use direct connection
+tap.test('should use direct connection for non-HttpProxy ports', async (tapTest) => {
+  let forwardedToHttpProxy = false;
+  let setupDirectConnection = false;
+  
+  const mockSettings = {
+    useHttpProxy: [80, 443], // Different ports
+    httpProxyPort: 8844,
+    routes: [{
+      name: 'test-route',
+      match: { ports: 8080 }, // Not in useHttpProxy
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8181 }
+      }
+    }]
+  };
+  
+  const mockRecord = {
+    id: 'test-connection-2',
+    localPort: 8080, // Not in useHttpProxy
+    remoteIP: '127.0.0.1',
+    isTLS: false
+  };
+  
+  const mockHttpProxyBridge = {
+    getHttpProxy: () => ({ available: true }),
+    forwardToHttpProxy: async () => {
+      forwardedToHttpProxy = true;
+    }
+  };
+  
+  const route = mockSettings.routes[0];
+  const action = route.action as any;
+  
+  // Test the logic
+  if (!action.tls) {
+    const isHttpProxyPort = mockSettings.useHttpProxy?.includes(mockRecord.localPort);
+    
+    if (isHttpProxyPort && mockHttpProxyBridge.getHttpProxy()) {
+      console.log(`Using HttpProxy for non-TLS connection on port ${mockRecord.localPort}`);
+      await mockHttpProxyBridge.forwardToHttpProxy();
+    } else {
+      console.log(`Using basic forwarding for port ${mockRecord.localPort}`);
+      setupDirectConnection = true;
+    }
+  }
+  
+  // Verify port 8080 uses direct connection when not in useHttpProxy
+  expect(forwardedToHttpProxy).toEqual(false);
+  expect(setupDirectConnection).toEqual(true);
+  
+  console.log('Test passed: Non-HttpProxy ports use direct connection');
+});
+
+// Test HTTP-01 ACME challenge scenario
+tap.test('should handle ACME HTTP-01 challenges on port 80 with HttpProxy', async (tapTest) => {
+  let forwardedToHttpProxy = false;
+  
+  const mockSettings = {
+    useHttpProxy: [80], // Port 80 configured for HttpProxy
+    httpProxyPort: 8844,
+    acme: {
+      port: 80,
+      email: 'test@example.com'
+    },
+    routes: [{
+      name: 'acme-challenge',
+      match: { 
+        ports: 80,
+        paths: ['/.well-known/acme-challenge/*']
+      },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8080 }
+      }
+    }]
+  };
+  
+  const mockRecord = {
+    id: 'acme-connection',
+    localPort: 80,
+    remoteIP: '127.0.0.1',
+    isTLS: false
+  };
+  
+  const mockHttpProxyBridge = {
+    getHttpProxy: () => ({ available: true }),
+    forwardToHttpProxy: async () => {
+      forwardedToHttpProxy = true;
+    }
+  };
+  
+  const route = mockSettings.routes[0];
+  const action = route.action as any;
+  
+  // Test the fix for ACME HTTP-01 challenges
+  if (!action.tls) {
+    const isHttpProxyPort = mockSettings.useHttpProxy?.includes(mockRecord.localPort);
+    
+    if (isHttpProxyPort && mockHttpProxyBridge.getHttpProxy()) {
+      console.log(`Using HttpProxy for ACME challenge on port ${mockRecord.localPort}`);
+      await mockHttpProxyBridge.forwardToHttpProxy();
+    }
+  }
+  
+  // Verify HTTP-01 challenges on port 80 go through HttpProxy
+  expect(forwardedToHttpProxy).toEqual(true);
+  
+  console.log('Test passed: ACME HTTP-01 challenges on port 80 use HttpProxy');
+});
+
+tap.start();

test/test.http-fix-verification.ts

@@ -0,0 +1,168 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { RouteConnectionHandler } from '../ts/proxies/smart-proxy/route-connection-handler.js';
+import type { ISmartProxyOptions } from '../ts/proxies/smart-proxy/models/interfaces.js';
+import * as net from 'net';
+
+// Direct test of the fix in RouteConnectionHandler
+tap.test('should detect and forward non-TLS connections on useHttpProxy ports', async (tapTest) => {
+  // Create mock objects
+  const mockSettings: ISmartProxyOptions = {
+    useHttpProxy: [8080],
+    httpProxyPort: 8844,
+    routes: [{
+      name: 'test-route',
+      match: { ports: 8080 },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8181 }
+      }
+    }]
+  };
+  
+  let httpProxyForwardCalled = false;
+  let directConnectionCalled = false;
+  
+  // Create mocks for dependencies
+  const mockHttpProxyBridge = {
+    getHttpProxy: () => ({ available: true }),
+    forwardToHttpProxy: async (...args: any[]) => {
+      console.log('Mock: forwardToHttpProxy called');
+      httpProxyForwardCalled = true;
+    }
+  };
+  
+  // Mock connection manager
+  const mockConnectionManager = {
+    createConnection: (socket: any) => ({
+      id: 'test-connection',
+      localPort: 8080,
+      remoteIP: '127.0.0.1',
+      isTLS: false
+    }),
+    initiateCleanupOnce: () => {},
+    cleanupConnection: () => {}
+  };
+  
+  // Mock route manager that returns a matching route
+  const mockRouteManager = {
+    findMatchingRoute: (criteria: any) => ({
+      route: mockSettings.routes[0]
+    })
+  };
+  
+  // Create route connection handler instance
+  const handler = new RouteConnectionHandler(
+    mockSettings,
+    mockConnectionManager as any,
+    {} as any, // security manager
+    {} as any, // tls manager
+    mockHttpProxyBridge as any,
+    {} as any, // timeout manager
+    mockRouteManager as any
+  );
+  
+  // Override setupDirectConnection to track if it's called
+  handler['setupDirectConnection'] = (...args: any[]) => {
+    console.log('Mock: setupDirectConnection called');
+    directConnectionCalled = true;
+  };
+  
+  // Test: Create a mock socket representing non-TLS connection on port 8080
+  const mockSocket = Object.create(net.Socket.prototype) as net.Socket;
+  Object.defineProperty(mockSocket, 'localPort', { value: 8080, writable: false });
+  Object.defineProperty(mockSocket, 'remoteAddress', { value: '127.0.0.1', writable: false });
+  
+  // Simulate the handler processing the connection
+  handler.handleConnection(mockSocket);
+  
+  // Simulate receiving non-TLS data
+  mockSocket.emit('data', Buffer.from('GET / HTTP/1.1\r\nHost: test.local\r\n\r\n'));
+  
+  // Give it a moment to process
+  await new Promise(resolve => setTimeout(resolve, 100));
+  
+  // Verify that the connection was forwarded to HttpProxy, not direct connection
+  expect(httpProxyForwardCalled).toEqual(true);
+  expect(directConnectionCalled).toEqual(false);
+  
+  mockSocket.destroy();
+});
+
+// Test that verifies TLS connections still work normally
+tap.test('should handle TLS connections normally', async (tapTest) => {
+  const mockSettings: ISmartProxyOptions = {
+    useHttpProxy: [443],
+    httpProxyPort: 8844,
+    routes: [{
+      name: 'tls-route',
+      match: { ports: 443 },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8443 },
+        tls: { mode: 'terminate' }
+      }
+    }]
+  };
+  
+  let httpProxyForwardCalled = false;
+  
+  const mockHttpProxyBridge = {
+    getHttpProxy: () => ({ available: true }),
+    forwardToHttpProxy: async (...args: any[]) => {
+      httpProxyForwardCalled = true;
+    }
+  };
+  
+  const mockConnectionManager = {
+    createConnection: (socket: any) => ({
+      id: 'test-tls-connection',
+      localPort: 443,
+      remoteIP: '127.0.0.1',
+      isTLS: true,
+      tlsHandshakeComplete: false
+    }),
+    initiateCleanupOnce: () => {},
+    cleanupConnection: () => {}
+  };
+  
+  const mockTlsManager = {
+    isTlsHandshake: (chunk: Buffer) => true,
+    isClientHello: (chunk: Buffer) => true,
+    extractSNI: (chunk: Buffer) => 'test.local'
+  };
+  
+  const mockRouteManager = {
+    findMatchingRoute: (criteria: any) => ({
+      route: mockSettings.routes[0]
+    })
+  };
+  
+  const handler = new RouteConnectionHandler(
+    mockSettings,
+    mockConnectionManager as any,
+    {} as any,
+    mockTlsManager as any,
+    mockHttpProxyBridge as any,
+    {} as any,
+    mockRouteManager as any
+  );
+  
+  const mockSocket = Object.create(net.Socket.prototype) as net.Socket;
+  Object.defineProperty(mockSocket, 'localPort', { value: 443, writable: false });
+  Object.defineProperty(mockSocket, 'remoteAddress', { value: '127.0.0.1', writable: false });
+  
+  handler.handleConnection(mockSocket);
+  
+  // Simulate TLS handshake
+  const tlsHandshake = Buffer.from([0x16, 0x03, 0x01, 0x00, 0x05]);
+  mockSocket.emit('data', tlsHandshake);
+  
+  await new Promise(resolve => setTimeout(resolve, 100));
+  
+  // TLS connections with 'terminate' mode should go to HttpProxy
+  expect(httpProxyForwardCalled).toEqual(true);
+  
+  mockSocket.destroy();
+});
+
+tap.start();

test/test.http-forwarding-fix.ts

@@ -0,0 +1,151 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { SmartProxy } from '../ts/index.js';
+import * as net from 'net';
+
+// Test that verifies HTTP connections on ports configured in useHttpProxy are properly forwarded
+tap.test('should detect and forward non-TLS connections on HttpProxy ports', async (tapTest) => {
+  // Track whether the connection was forwarded to HttpProxy
+  let forwardedToHttpProxy = false;
+  let connectionPath = '';
+  
+  // Create a SmartProxy instance first
+  const proxy = new SmartProxy({
+    useHttpProxy: [8080],
+    httpProxyPort: 8844,
+    routes: [{
+      name: 'test-http-forward',
+      match: { ports: 8080 },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8181 }
+      }
+    }]
+  });
+  
+  // Mock the HttpProxy forwarding on the instance
+  const originalForward = (proxy as any).httpProxyBridge.forwardToHttpProxy;
+  (proxy as any).httpProxyBridge.forwardToHttpProxy = async function(...args: any[]) {
+    forwardedToHttpProxy = true;
+    connectionPath = 'httpproxy';
+    console.log('Mock: Connection forwarded to HttpProxy');
+    // Just close the connection for the test
+    args[1].end(); // socket.end()
+  };
+  
+  // Add detailed logging to the existing proxy instance
+  proxy.settings.enableDetailedLogging = true;
+  
+  // Override the HttpProxy initialization to avoid actual HttpProxy setup
+  proxy['httpProxyBridge'].getHttpProxy = () => ({} as any);
+  
+  await proxy.start();
+  
+  // Make a connection to port 8080
+  const client = new net.Socket();
+  
+  await new Promise<void>((resolve, reject) => {
+    client.connect(8080, 'localhost', () => {
+      console.log('Client connected to proxy on port 8080');
+      // Send a non-TLS HTTP request
+      client.write('GET / HTTP/1.1\r\nHost: test.local\r\n\r\n');
+      resolve();
+    });
+    
+    client.on('error', reject);
+  });
+  
+  // Give it a moment to process
+  await new Promise(resolve => setTimeout(resolve, 100));
+  
+  // Verify the connection was forwarded to HttpProxy
+  expect(forwardedToHttpProxy).toEqual(true);
+  expect(connectionPath).toEqual('httpproxy');
+  
+  client.destroy();
+  await proxy.stop();
+  
+  // Restore original method
+  // Restore original method
+  (proxy as any).httpProxyBridge.forwardToHttpProxy = originalForward;
+});
+
+// Test that verifies the fix detects non-TLS connections
+tap.test('should properly detect non-TLS connections on HttpProxy ports', async (tapTest) => {
+  const targetPort = 8182;
+  let receivedConnection = false;
+  
+  // Create a target server that never receives the connection (because it goes to HttpProxy)
+  const targetServer = net.createServer((socket) => {
+    receivedConnection = true;
+    socket.end();
+  });
+  
+  await new Promise<void>((resolve) => {
+    targetServer.listen(targetPort, () => {
+      console.log(`Target server listening on port ${targetPort}`);
+      resolve();
+    });
+  });
+  
+  // Mock HttpProxyBridge to track forwarding
+  let httpProxyForwardCalled = false;
+  
+  const proxy = new SmartProxy({
+    useHttpProxy: [8080],
+    httpProxyPort: 8844,
+    routes: [{
+      name: 'test-route',
+      match: {
+        ports: 8080
+      },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: targetPort }
+      }
+    }]
+  });
+  
+  // Override the forwardToHttpProxy method to track calls
+  const originalForward = proxy['httpProxyBridge'].forwardToHttpProxy;
+  proxy['httpProxyBridge'].forwardToHttpProxy = async function(...args: any[]) {
+    httpProxyForwardCalled = true;
+    console.log('HttpProxy forward called with connectionId:', args[0]);
+    // Just end the connection
+    args[1].end();
+  };
+  
+  // Mock getHttpProxy to return a truthy value
+  proxy['httpProxyBridge'].getHttpProxy = () => ({} as any);
+  
+  await proxy.start();
+  
+  // Make a non-TLS connection
+  const client = new net.Socket();
+  
+  await new Promise<void>((resolve, reject) => {
+    client.connect(8080, 'localhost', () => {
+      console.log('Connected to proxy');
+      client.write('GET / HTTP/1.1\r\nHost: test.local\r\n\r\n');
+      resolve();
+    });
+    
+    client.on('error', () => resolve()); // Ignore errors since we're ending the connection
+  });
+  
+  await new Promise(resolve => setTimeout(resolve, 100));
+  
+  // Verify that HttpProxy was called, not direct connection
+  expect(httpProxyForwardCalled).toEqual(true);
+  expect(receivedConnection).toEqual(false); // Target should not receive direct connection
+  
+  client.destroy();
+  await proxy.stop();
+  await new Promise<void>((resolve) => {
+    targetServer.close(() => resolve());
+  });
+  
+  // Restore original method
+  proxy['httpProxyBridge'].forwardToHttpProxy = originalForward;
+});
+
+tap.start();

test/test.http-port8080-forwarding.ts

@@ -0,0 +1,160 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { SmartProxy } from '../ts/index.js';
+import * as http from 'http';
+
+tap.test('should forward HTTP connections on port 8080 to HttpProxy', async (tapTest) => {
+  // Create a mock HTTP server to act as our target
+  const targetPort = 8181;
+  let receivedRequest = false;
+  let receivedPath = '';
+  
+  const targetServer = http.createServer((req, res) => {
+    // Log request details for debugging
+    console.log(`Target server received: ${req.method} ${req.url}`);
+    receivedPath = req.url || '';
+    
+    if (req.url === '/.well-known/acme-challenge/test-token') {
+      receivedRequest = true;
+      res.writeHead(200, { 'Content-Type': 'text/plain' });
+      res.end('test-challenge-response');
+    } else {
+      res.writeHead(200);
+      res.end('OK');
+    }
+  });
+  
+  await new Promise<void>((resolve) => {
+    targetServer.listen(targetPort, () => {
+      console.log(`Target server listening on port ${targetPort}`);
+      resolve();
+    });
+  });
+  
+  // Create SmartProxy with port 8080 configured for HttpProxy
+  const proxy = new SmartProxy({
+    useHttpProxy: [8080], // Enable HttpProxy for port 8080
+    httpProxyPort: 8844,
+    enableDetailedLogging: true,
+    routes: [{
+      name: 'test-route',
+      match: {
+        ports: 8080,
+        domains: ['test.local']
+      },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: targetPort }
+      }
+    }]
+  });
+  
+  await proxy.start();
+  
+  // Give the proxy a moment to fully initialize
+  await new Promise(resolve => setTimeout(resolve, 500));
+  
+  // Make an HTTP request to port 8080
+  const options = {
+    hostname: 'localhost',
+    port: 8080,
+    path: '/.well-known/acme-challenge/test-token',
+    method: 'GET',
+    headers: {
+      'Host': 'test.local'
+    }
+  };
+  
+  const response = await new Promise<http.IncomingMessage>((resolve, reject) => {
+    const req = http.request(options, (res) => resolve(res));
+    req.on('error', reject);
+    req.end();
+  });
+  
+  // Collect response data
+  let responseData = '';
+  response.setEncoding('utf8');
+  response.on('data', chunk => responseData += chunk);
+  await new Promise(resolve => response.on('end', resolve));
+  
+  // Verify the request was properly forwarded
+  expect(response.statusCode).toEqual(200);
+  expect(receivedPath).toEqual('/.well-known/acme-challenge/test-token');
+  expect(responseData).toEqual('test-challenge-response');
+  expect(receivedRequest).toEqual(true);
+  
+  await proxy.stop();
+  await new Promise<void>((resolve) => {
+    targetServer.close(() => resolve());
+  });
+});
+
+tap.test('should handle basic HTTP request forwarding', async (tapTest) => {
+  // Create a simple target server
+  const targetPort = 8182;
+  let receivedRequest = false;
+  
+  const targetServer = http.createServer((req, res) => {
+    console.log(`Target received: ${req.method} ${req.url} from ${req.headers.host}`);
+    receivedRequest = true;
+    res.writeHead(200, { 'Content-Type': 'text/plain' });
+    res.end('Hello from target');
+  });
+  
+  await new Promise<void>((resolve) => {
+    targetServer.listen(targetPort, () => {
+      console.log(`Target server listening on port ${targetPort}`);
+      resolve();
+    });
+  });
+  
+  // Create a simple proxy without HttpProxy
+  const proxy = new SmartProxy({
+    routes: [{
+      name: 'simple-forward',
+      match: {
+        ports: 8081,
+        domains: ['test.local']
+      },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: targetPort }
+      }
+    }]
+  });
+  
+  await proxy.start();
+  await new Promise(resolve => setTimeout(resolve, 500));
+  
+  // Make request
+  const options = {
+    hostname: 'localhost',
+    port: 8081,
+    path: '/test',
+    method: 'GET',
+    headers: {
+      'Host': 'test.local'
+    }
+  };
+  
+  const response = await new Promise<http.IncomingMessage>((resolve, reject) => {
+    const req = http.request(options, (res) => resolve(res));
+    req.on('error', reject);
+    req.end();
+  });
+  
+  let responseData = '';
+  response.setEncoding('utf8');
+  response.on('data', chunk => responseData += chunk);
+  await new Promise(resolve => response.on('end', resolve));
+  
+  expect(response.statusCode).toEqual(200);
+  expect(responseData).toEqual('Hello from target');
+  expect(receivedRequest).toEqual(true);
+  
+  await proxy.stop();
+  await new Promise<void>((resolve) => {
+    targetServer.close(() => resolve());
+  });
+});
+
+tap.start();

test/test.http-port8080-simple.ts

@@ -0,0 +1,245 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { SmartProxy } from '../ts/index.js';
+import * as plugins from '../ts/plugins.js';
+import * as net from 'net';
+import * as http from 'http';
+
+/**
+ * This test verifies our improved port binding intelligence for ACME challenges.
+ * It specifically tests:
+ * 1. Using port 8080 instead of 80 for ACME HTTP challenges
+ * 2. Correctly handling shared port bindings between regular routes and challenge routes
+ * 3. Avoiding port conflicts when updating routes
+ */
+
+tap.test('should handle ACME challenges on port 8080 with improved port binding intelligence', async (tapTest) => {
+  // Create a simple echo server to act as our target
+  const targetPort = 9001;
+  let receivedData = '';
+  
+  const targetServer = net.createServer((socket) => {
+    console.log('Target server received connection');
+    
+    socket.on('data', (data) => {
+      receivedData += data.toString();
+      console.log('Target server received data:', data.toString().split('\n')[0]);
+      
+      // Send a simple HTTP response
+      const response = 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 13\r\n\r\nHello, World!';
+      socket.write(response);
+    });
+  });
+  
+  await new Promise<void>((resolve) => {
+    targetServer.listen(targetPort, () => {
+      console.log(`Target server listening on port ${targetPort}`);
+      resolve();
+    });
+  });
+  
+  // In this test we will NOT create a mock ACME server on the same port
+  // as SmartProxy will use, instead we'll let SmartProxy handle it
+  const acmeServerPort = 9009;
+  const acmeRequests: string[] = [];
+  let acmeServer: http.Server | null = null;
+  
+  // We'll assume the ACME port is available for SmartProxy
+  let acmePortAvailable = true;
+  
+  // Create SmartProxy with ACME configured to use port 8080
+  console.log('Creating SmartProxy with ACME port 8080...');
+  const tempCertDir = './temp-certs';
+  
+  try {
+    await plugins.smartfile.fs.ensureDir(tempCertDir);
+  } catch (error) {
+    // Directory may already exist, that's ok
+  }
+  
+  const proxy = new SmartProxy({
+    enableDetailedLogging: true,
+    routes: [
+      {
+        name: 'test-route',
+        match: {
+          ports: [9003],
+          domains: ['test.example.com']
+        },
+        action: {
+          type: 'forward',
+          target: { host: 'localhost', port: targetPort },
+          tls: {
+            mode: 'terminate',
+            certificate: 'auto'  // Use ACME for certificate
+          }
+        }
+      },
+      // Also add a route for port 8080 to test port sharing
+      {
+        name: 'http-route',
+        match: {
+          ports: [9009],
+          domains: ['test.example.com']
+        },
+        action: {
+          type: 'forward',
+          target: { host: 'localhost', port: targetPort }
+        }
+      }
+    ],
+    acme: {
+      email: 'test@example.com',
+      useProduction: false,
+      port: 9009,  // Use 9009 instead of default 80
+      certificateStore: tempCertDir
+    }
+  });
+  
+  // Mock the certificate manager to avoid actual ACME operations
+  console.log('Mocking certificate manager...');
+  const createCertManager = (proxy as any).createCertificateManager;
+  (proxy as any).createCertificateManager = async function(...args: any[]) {
+    // Create a completely mocked certificate manager that doesn't use ACME at all
+    return {
+      initialize: async () => {},
+      getCertPair: async () => {
+        return {
+          publicKey: 'MOCK CERTIFICATE',
+          privateKey: 'MOCK PRIVATE KEY'
+        };
+      },
+      getAcmeOptions: () => {
+        return {
+          port: 9009
+        };
+      },
+      getState: () => {
+        return {
+          initializing: false,
+          ready: true,
+          port: 9009
+        };
+      },
+      provisionAllCertificates: async () => {
+        console.log('Mock: Provisioning certificates');
+        return [];
+      },
+      stop: async () => {},
+      smartAcme: {
+        getCertificateForDomain: async () => {
+          // Return a mock certificate
+          return {
+            publicKey: 'MOCK CERTIFICATE',
+            privateKey: 'MOCK PRIVATE KEY',
+            validUntil: Date.now() + 90 * 24 * 60 * 60 * 1000,
+            created: Date.now()
+          };
+        },
+        start: async () => {},
+        stop: async () => {}
+      }
+    };
+  };
+  
+  // Track port binding attempts to verify intelligence
+  const portBindAttempts: number[] = [];
+  const originalAddPort = (proxy as any).portManager.addPort;
+  (proxy as any).portManager.addPort = async function(port: number) {
+    portBindAttempts.push(port);
+    return originalAddPort.call(this, port);
+  };
+  
+  try {
+    console.log('Starting SmartProxy...');
+    await proxy.start();
+    
+    console.log('Port binding attempts:', portBindAttempts);
+    
+    // Check that we tried to bind to port 9009
+    // Should attempt to bind to port 9009
+    expect(portBindAttempts.includes(9009)).toEqual(true);
+    // Should attempt to bind to port 9003
+    expect(portBindAttempts.includes(9003)).toEqual(true);
+    
+    // Get actual bound ports
+    const boundPorts = proxy.getListeningPorts();
+    console.log('Actually bound ports:', boundPorts);
+    
+    // If port 9009 was available, we should be bound to it
+    if (acmePortAvailable) {
+      // Should be bound to port 9009 if available
+      expect(boundPorts.includes(9009)).toEqual(true);
+    }
+    
+    // Should be bound to port 9003
+    expect(boundPorts.includes(9003)).toEqual(true);
+    
+    // Test adding a new route on port 8080
+    console.log('Testing route update with port reuse...');
+    
+    // Reset tracking
+    portBindAttempts.length = 0;
+    
+    // Add a new route on port 8080
+    const newRoutes = [
+      ...proxy.settings.routes,
+      {
+        name: 'additional-route',
+        match: {
+          ports: [9009],
+          path: '/additional'
+        },
+        action: {
+          type: 'forward' as const,
+          target: { host: 'localhost', port: targetPort }
+        }
+      }
+    ];
+    
+    // Update routes - this should NOT try to rebind port 8080
+    await proxy.updateRoutes(newRoutes);
+    
+    console.log('Port binding attempts after update:', portBindAttempts);
+    
+    // We should not try to rebind port 9009 since it's already bound
+    // Should not attempt to rebind port 9009
+    expect(portBindAttempts.includes(9009)).toEqual(false);
+    
+    // We should still be listening on both ports
+    const portsAfterUpdate = proxy.getListeningPorts();
+    console.log('Bound ports after update:', portsAfterUpdate);
+    
+    if (acmePortAvailable) {
+      // Should still be bound to port 9009
+      expect(portsAfterUpdate.includes(9009)).toEqual(true);
+    }
+    // Should still be bound to port 9003
+    expect(portsAfterUpdate.includes(9003)).toEqual(true);
+    
+    // The test is successful at this point - we've verified the port binding intelligence
+    console.log('Port binding intelligence verified successfully!');
+    // We'll skip the actual connection test to avoid timeouts
+  } finally {
+    // Clean up
+    console.log('Cleaning up...');
+    await proxy.stop();
+    
+    if (targetServer) {
+      await new Promise<void>((resolve) => {
+        targetServer.close(() => resolve());
+      });
+    }
+    
+    // No acmeServer to close in this test
+    
+    // Clean up temp directory
+    try {
+      // Remove temp directory
+      await plugins.smartfile.fs.remove(tempCertDir);
+    } catch (error) {
+      console.error('Failed to remove temp directory:', error);
+    }
+  }
+});
+
+tap.start();

test/test.httpproxy.function-targets.ts

@@ -1,20 +1,20 @@
-import { expect, tap } from '@push.rocks/tapbundle';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
 import * as plugins from '../ts/plugins.js';
-import { NetworkProxy } from '../ts/proxies/network-proxy/index.js';
+import { HttpProxy } from '../ts/proxies/http-proxy/index.js';
 import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
 import type { IRouteContext } from '../ts/core/models/route-context.js';
 
-const delay = (ms: number) => new Promise(resolve => setTimeout(resolve, ms));
-
 // Declare variables for tests
-let networkProxy: NetworkProxy;
+let httpProxy: HttpProxy;
 let testServer: plugins.http.Server;
 let testServerHttp2: plugins.http2.Http2Server;
 let serverPort: number;
 let serverPortHttp2: number;
 
 // Setup test environment
-tap.test('setup NetworkProxy function-based targets test environment', async () => {
+tap.test('setup HttpProxy function-based targets test environment', async (tools) => {
+  // Set a reasonable timeout for the test
+  tools.timeout(30000); // 30 seconds
   // Create simple HTTP server to respond to requests
   testServer = plugins.http.createServer((req, res) => {
     res.writeHead(200, { 'Content-Type': 'application/json' });
@@ -41,6 +41,11 @@ tap.test('setup NetworkProxy function-based targets test environment', async ()
     }));
   });
   
+  // Handle HTTP/2 errors
+  testServerHttp2.on('error', (err) => {
+    console.error('HTTP/2 server error:', err);
+  });
+  
   // Start the servers
   await new Promise<void>(resolve => {
     testServer.listen(0, () => {
@@ -58,8 +63,8 @@ tap.test('setup NetworkProxy function-based targets test environment', async ()
     });
   });
   
-  // Create NetworkProxy instance
-  networkProxy = new NetworkProxy({
+  // Create HttpProxy instance
+  httpProxy = new HttpProxy({
     port: 0, // Use dynamic port
     logLevel: 'info', // Use info level to see more logs
     // Disable ACME to avoid trying to bind to port 80
@@ -68,11 +73,11 @@ tap.test('setup NetworkProxy function-based targets test environment', async ()
     }
   });
   
-  await networkProxy.start();
+  await httpProxy.start();
   
   // Log the actual port being used
-  const actualPort = networkProxy.getListeningPort();
-  console.log(`NetworkProxy actual listening port: ${actualPort}`);
+  const actualPort = httpProxy.getListeningPort();
+  console.log(`HttpProxy actual listening port: ${actualPort}`);
 });
 
 // Test static host/port routes
@@ -95,10 +100,10 @@ tap.test('should support static host/port routes', async () => {
     }
   ];
   
-  await networkProxy.updateRouteConfigs(routes);
+  await httpProxy.updateRouteConfigs(routes);
   
   // Get proxy port using the improved getListeningPort() method 
-  const proxyPort = networkProxy.getListeningPort();
+  const proxyPort = httpProxy.getListeningPort();
   
   // Make request to proxy
   const response = await makeRequest({
@@ -140,10 +145,10 @@ tap.test('should support function-based host', async () => {
     }
   ];
   
-  await networkProxy.updateRouteConfigs(routes);
+  await httpProxy.updateRouteConfigs(routes);
   
   // Get proxy port using the improved getListeningPort() method 
-  const proxyPort = networkProxy.getListeningPort();
+  const proxyPort = httpProxy.getListeningPort();
   
   // Make request to proxy
   const response = await makeRequest({
@@ -185,10 +190,10 @@ tap.test('should support function-based port', async () => {
     }
   ];
   
-  await networkProxy.updateRouteConfigs(routes);
+  await httpProxy.updateRouteConfigs(routes);
   
   // Get proxy port using the improved getListeningPort() method 
-  const proxyPort = networkProxy.getListeningPort();
+  const proxyPort = httpProxy.getListeningPort();
   
   // Make request to proxy
   const response = await makeRequest({
@@ -231,10 +236,10 @@ tap.test('should support function-based host AND port', async () => {
     }
   ];
   
-  await networkProxy.updateRouteConfigs(routes);
+  await httpProxy.updateRouteConfigs(routes);
   
   // Get proxy port using the improved getListeningPort() method 
-  const proxyPort = networkProxy.getListeningPort();
+  const proxyPort = httpProxy.getListeningPort();
   
   // Make request to proxy
   const response = await makeRequest({
@@ -280,10 +285,10 @@ tap.test('should support context-based routing with path', async () => {
     }
   ];
   
-  await networkProxy.updateRouteConfigs(routes);
+  await httpProxy.updateRouteConfigs(routes);
   
   // Get proxy port using the improved getListeningPort() method 
-  const proxyPort = networkProxy.getListeningPort();
+  const proxyPort = httpProxy.getListeningPort();
   
   // Make request to proxy with /api path
   const apiResponse = await makeRequest({
@@ -317,22 +322,58 @@ tap.test('should support context-based routing with path', async () => {
 });
 
 // Cleanup test environment
-tap.test('cleanup NetworkProxy function-based targets test environment', async () => {
-  if (networkProxy) {
-    await networkProxy.stop();
+tap.test('cleanup HttpProxy function-based targets test environment', async () => {
+  // Skip cleanup if setup failed
+  if (!httpProxy && !testServer && !testServerHttp2) {
+    console.log('Skipping cleanup - setup failed');
+    return;
   }
   
+  // Stop test servers first
   if (testServer) {
-    await new Promise<void>(resolve => {
-      testServer.close(() => resolve());
+    await new Promise<void>((resolve, reject) => {
+      testServer.close((err) => {
+        if (err) {
+          console.error('Error closing test server:', err);
+          reject(err);
+        } else {
+          console.log('Test server closed successfully');
+          resolve();
+        }
+      });
     });
   }
   
   if (testServerHttp2) {
-    await new Promise<void>(resolve => {
-      testServerHttp2.close(() => resolve());
+    await new Promise<void>((resolve, reject) => {
+      testServerHttp2.close((err) => {
+        if (err) {
+          console.error('Error closing HTTP/2 test server:', err);
+          reject(err);
+        } else {
+          console.log('HTTP/2 test server closed successfully');
+          resolve();
+        }
+      });
     });
   }
+  
+  // Stop HttpProxy last
+  if (httpProxy) {
+    console.log('Stopping HttpProxy...');
+    await httpProxy.stop();
+    console.log('HttpProxy stopped successfully');
+  }
+  
+  // Force exit after a short delay to ensure cleanup
+  const cleanupTimeout = setTimeout(() => {
+    console.log('Cleanup completed, exiting');
+  }, 100);
+  
+  // Don't keep the process alive just for this timeout
+  if (cleanupTimeout.unref) {
+    cleanupTimeout.unref();
+  }
 });
 
 // Helper function to make HTTPS requests with self-signed certificate support
@@ -365,5 +406,8 @@ async function makeRequest(options: plugins.http.RequestOptions): Promise<{ stat
   });
 }
 
-// Export the test runner to start tests
-export default tap.start();
+// Start the tests
+tap.start().then(() => {
+  // Ensure process exits after tests complete
+  process.exit(0);
+});

test/test.httpproxy.ts

@@ -0,0 +1,603 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import * as smartproxy from '../ts/index.js';
+import { loadTestCertificates } from './helpers/certificates.js';
+import * as https from 'https';
+import * as http from 'http';
+import { WebSocket, WebSocketServer } from 'ws';
+
+let testProxy: smartproxy.HttpProxy;
+let testServer: http.Server;
+let wsServer: WebSocketServer;
+let testCertificates: { privateKey: string; publicKey: string };
+
+// Helper function to make HTTPS requests
+async function makeHttpsRequest(
+  options: https.RequestOptions,
+): Promise<{ statusCode: number; headers: http.IncomingHttpHeaders; body: string }> {
+  console.log('[TEST] Making HTTPS request:', {
+    hostname: options.hostname,
+    port: options.port,
+    path: options.path,
+    method: options.method,
+    headers: options.headers,
+  });
+  return new Promise((resolve, reject) => {
+    const req = https.request(options, (res) => {
+      console.log('[TEST] Received HTTPS response:', {
+        statusCode: res.statusCode,
+        headers: res.headers,
+      });
+      let data = '';
+      res.on('data', (chunk) => (data += chunk));
+      res.on('end', () => {
+        console.log('[TEST] Response completed:', { data });
+        // Ensure the socket is destroyed to prevent hanging connections
+        res.socket?.destroy();
+        resolve({
+          statusCode: res.statusCode!,
+          headers: res.headers,
+          body: data,
+        });
+      });
+    });
+    req.on('error', (error) => {
+      console.error('[TEST] Request error:', error);
+      reject(error);
+    });
+    req.end();
+  });
+}
+
+// Setup test environment
+tap.test('setup test environment', async () => {
+  // Load and validate certificates
+  console.log('[TEST] Loading and validating certificates');
+  testCertificates = loadTestCertificates();
+  console.log('[TEST] Certificates loaded and validated');
+
+  // Create a test HTTP server
+  testServer = http.createServer((req, res) => {
+    console.log('[TEST SERVER] Received HTTP request:', {
+      url: req.url,
+      method: req.method,
+      headers: req.headers,
+    });
+    res.writeHead(200, { 'Content-Type': 'text/plain' });
+    res.end('Hello from test server!');
+  });
+
+  // Handle WebSocket upgrade requests
+  testServer.on('upgrade', (request, socket, head) => {
+    console.log('[TEST SERVER] Received WebSocket upgrade request:', {
+      url: request.url,
+      method: request.method,
+      headers: {
+        host: request.headers.host,
+        upgrade: request.headers.upgrade,
+        connection: request.headers.connection,
+        'sec-websocket-key': request.headers['sec-websocket-key'],
+        'sec-websocket-version': request.headers['sec-websocket-version'],
+        'sec-websocket-protocol': request.headers['sec-websocket-protocol'],
+      },
+    });
+
+    if (request.headers.upgrade?.toLowerCase() !== 'websocket') {
+      console.log('[TEST SERVER] Not a WebSocket upgrade request');
+      socket.destroy();
+      return;
+    }
+
+    console.log('[TEST SERVER] Handling WebSocket upgrade');
+    wsServer.handleUpgrade(request, socket, head, (ws) => {
+      console.log('[TEST SERVER] WebSocket connection upgraded');
+      wsServer.emit('connection', ws, request);
+    });
+  });
+
+  // Create a WebSocket server (for the test HTTP server)
+  console.log('[TEST SERVER] Creating WebSocket server');
+  wsServer = new WebSocketServer({
+    noServer: true,
+    perMessageDeflate: false,
+    clientTracking: true,
+    handleProtocols: () => 'echo-protocol',
+  });
+
+  wsServer.on('connection', (ws, request) => {
+    console.log('[TEST SERVER] WebSocket connection established:', {
+      url: request.url,
+      headers: {
+        host: request.headers.host,
+        upgrade: request.headers.upgrade,
+        connection: request.headers.connection,
+        'sec-websocket-key': request.headers['sec-websocket-key'],
+        'sec-websocket-version': request.headers['sec-websocket-version'],
+        'sec-websocket-protocol': request.headers['sec-websocket-protocol'],
+      },
+    });
+
+    // Set up connection timeout
+    const connectionTimeout = setTimeout(() => {
+      console.error('[TEST SERVER] WebSocket connection timed out');
+      ws.terminate();
+    }, 5000);
+
+    // Clear timeout when connection is properly closed
+    const clearConnectionTimeout = () => {
+      clearTimeout(connectionTimeout);
+    };
+
+    ws.on('message', (message) => {
+      const msg = message.toString();
+      console.log('[TEST SERVER] Received WebSocket message:', msg);
+      try {
+        const response = `Echo: ${msg}`;
+        console.log('[TEST SERVER] Sending WebSocket response:', response);
+        ws.send(response);
+        // Clear timeout on successful message exchange
+        clearConnectionTimeout();
+      } catch (error) {
+        console.error('[TEST SERVER] Error sending WebSocket message:', error);
+      }
+    });
+
+    ws.on('error', (error) => {
+      console.error('[TEST SERVER] WebSocket error:', error);
+      clearConnectionTimeout();
+    });
+
+    ws.on('close', (code, reason) => {
+      console.log('[TEST SERVER] WebSocket connection closed:', {
+        code,
+        reason: reason.toString(),
+        wasClean: code === 1000 || code === 1001,
+      });
+      clearConnectionTimeout();
+    });
+
+    ws.on('ping', (data) => {
+      try {
+        console.log('[TEST SERVER] Received ping, sending pong');
+        ws.pong(data);
+      } catch (error) {
+        console.error('[TEST SERVER] Error sending pong:', error);
+      }
+    });
+
+    ws.on('pong', (data) => {
+      console.log('[TEST SERVER] Received pong');
+    });
+  });
+
+  wsServer.on('error', (error) => {
+    console.error('Test server: WebSocket server error:', error);
+  });
+
+  wsServer.on('headers', (headers) => {
+    console.log('Test server: WebSocket headers:', headers);
+  });
+
+  wsServer.on('close', () => {
+    console.log('Test server: WebSocket server closed');
+  });
+
+  await new Promise<void>((resolve) => testServer.listen(3000, resolve));
+  console.log('Test server listening on port 3000');
+});
+
+tap.test('should create proxy instance', async () => {
+  // Test with the original minimal options (only port)
+  testProxy = new smartproxy.HttpProxy({
+    port: 3001,
+  });
+  expect(testProxy).toEqual(testProxy); // Instance equality check
+});
+
+tap.test('should create proxy instance with extended options', async () => {
+  // Test with extended options to verify backward compatibility
+  testProxy = new smartproxy.HttpProxy({
+    port: 3001,
+    maxConnections: 5000,
+    keepAliveTimeout: 120000,
+    headersTimeout: 60000,
+    logLevel: 'info',
+    cors: {
+      allowOrigin: '*',
+      allowMethods: 'GET, POST, OPTIONS',
+      allowHeaders: 'Content-Type',
+      maxAge: 3600
+    }
+  });
+  expect(testProxy).toEqual(testProxy); // Instance equality check
+  expect(testProxy.options.port).toEqual(3001);
+});
+
+tap.test('should start the proxy server', async () => {
+  // Create a new proxy instance
+  testProxy = new smartproxy.HttpProxy({
+    port: 3001,
+    maxConnections: 5000,
+    backendProtocol: 'http1',
+    acme: {
+      enabled: false // Disable ACME for testing
+    }
+  });
+
+  // Configure routes for the proxy
+  await testProxy.updateRouteConfigs([
+    {
+      match: {
+        ports: [3001],
+        domains: ['push.rocks', 'localhost']
+      },
+      action: {
+        type: 'forward',
+        target: {
+          host: 'localhost',
+          port: 3000
+        },
+        tls: {
+          mode: 'terminate'
+        },
+        websocket: {
+          enabled: true,
+          subprotocols: ['echo-protocol']
+        }
+      }
+    }
+  ]);
+
+  // Start the proxy
+  await testProxy.start();
+  
+  // Verify the proxy is listening on the correct port
+  expect(testProxy.getListeningPort()).toEqual(3001);
+});
+
+tap.test('should route HTTPS requests based on host header', async () => {
+  // IMPORTANT: Connect to localhost (where the proxy is listening) but use the Host header "push.rocks"
+  const response = await makeHttpsRequest({
+    hostname: 'localhost', // changed from 'push.rocks' to 'localhost'
+    port: 3001,
+    path: '/',
+    method: 'GET',
+    headers: {
+      host: 'push.rocks', // virtual host for routing
+    },
+    rejectUnauthorized: false,
+  });
+
+  expect(response.statusCode).toEqual(200);
+  expect(response.body).toEqual('Hello from test server!');
+});
+
+tap.test('should handle unknown host headers', async () => {
+  // Connect to localhost but use an unknown host header.
+  const response = await makeHttpsRequest({
+    hostname: 'localhost', // connecting to localhost
+    port: 3001,
+    path: '/',
+    method: 'GET',
+    headers: {
+      host: 'unknown.host', // this should not match any proxy config
+    },
+    rejectUnauthorized: false,
+  });
+
+  // Expect a 404 response with the appropriate error message.
+  expect(response.statusCode).toEqual(404);
+});
+
+tap.test('should support WebSocket connections', async () => {
+  // Create a WebSocket client
+  console.log('[TEST] Testing WebSocket connection');
+  
+  console.log('[TEST] Creating WebSocket to wss://localhost:3001/ with host header: push.rocks');
+  const ws = new WebSocket('wss://localhost:3001/', {
+    protocol: 'echo-protocol',
+    rejectUnauthorized: false,
+    headers: {
+      host: 'push.rocks'
+    }
+  });
+
+  const connectionTimeout = setTimeout(() => {
+    console.error('[TEST] WebSocket connection timeout');
+    ws.terminate();
+  }, 5000);
+
+  const timeouts: NodeJS.Timeout[] = [connectionTimeout];
+
+  try {
+    // Wait for connection with timeout
+    await Promise.race([
+      new Promise<void>((resolve, reject) => {
+        ws.on('open', () => {
+          console.log('[TEST] WebSocket connected');
+          clearTimeout(connectionTimeout);
+          resolve();
+        });
+        ws.on('error', (err) => {
+          console.error('[TEST] WebSocket connection error:', err);
+          clearTimeout(connectionTimeout);
+          reject(err);
+        });
+      }),
+      new Promise<void>((_, reject) => {
+        const timeout = setTimeout(() => reject(new Error('Connection timeout')), 3000);
+        timeouts.push(timeout);
+      })
+    ]);
+
+    // Send a message and receive echo with timeout
+    await Promise.race([
+      new Promise<void>((resolve, reject) => {
+        const testMessage = 'Hello WebSocket!';
+        let messageReceived = false;
+        
+        ws.on('message', (data) => {
+          messageReceived = true;
+          const message = data.toString();
+          console.log('[TEST] Received WebSocket message:', message);
+          expect(message).toEqual(`Echo: ${testMessage}`);
+          resolve();
+        });
+
+        ws.on('error', (err) => {
+          console.error('[TEST] WebSocket message error:', err);
+          reject(err);
+        });
+
+        console.log('[TEST] Sending WebSocket message:', testMessage);
+        ws.send(testMessage);
+        
+        // Add additional debug logging
+        const debugTimeout = setTimeout(() => {
+          if (!messageReceived) {
+            console.log('[TEST] No message received after 2 seconds');
+          }
+        }, 2000);
+        timeouts.push(debugTimeout);
+      }),
+      new Promise<void>((_, reject) => {
+        const timeout = setTimeout(() => reject(new Error('Message timeout')), 3000);
+        timeouts.push(timeout);
+      })
+    ]);
+
+    // Close the connection properly  
+    await Promise.race([
+      new Promise<void>((resolve) => {
+        ws.on('close', () => {
+          console.log('[TEST] WebSocket closed');
+          resolve();
+        });
+        ws.close();
+      }),
+      new Promise<void>((resolve) => {
+        const timeout = setTimeout(() => {
+          console.log('[TEST] Force closing WebSocket');
+          ws.terminate();
+          resolve();
+        }, 2000);
+        timeouts.push(timeout);
+      })
+    ]);
+  } catch (error) {
+    console.error('[TEST] WebSocket test error:', error);
+    try {
+      ws.terminate();
+    } catch (terminateError) {
+      console.error('[TEST] Error during terminate:', terminateError);
+    }
+    // Skip if WebSocket fails for now
+    console.log('[TEST] WebSocket test failed, continuing with other tests');
+  } finally {
+    // Clean up all timeouts
+    timeouts.forEach(timeout => clearTimeout(timeout));
+  }
+});
+
+tap.test('should handle custom headers', async () => {
+  await testProxy.addDefaultHeaders({
+    'X-Proxy-Header': 'test-value',
+  });
+
+  const response = await makeHttpsRequest({
+    hostname: 'localhost', // changed to 'localhost'
+    port: 3001,
+    path: '/',
+    method: 'GET',
+    headers: {
+      host: 'push.rocks', // still routing to push.rocks
+    },
+    rejectUnauthorized: false,
+  });
+
+  expect(response.headers['x-proxy-header']).toEqual('test-value');
+});
+
+tap.test('should handle CORS preflight requests', async () => {
+  // Test OPTIONS request (CORS preflight)
+  const response = await makeHttpsRequest({
+    hostname: 'localhost',
+    port: 3001,
+    path: '/',
+    method: 'OPTIONS',
+    headers: {
+      host: 'push.rocks',
+      origin: 'https://example.com',
+      'access-control-request-method': 'POST',
+      'access-control-request-headers': 'content-type'
+    },
+    rejectUnauthorized: false,
+  });
+
+  // Should get appropriate CORS headers
+  expect(response.statusCode).toBeLessThan(300); // 200 or 204
+  expect(response.headers['access-control-allow-origin']).toEqual('*');
+  expect(response.headers['access-control-allow-methods']).toContain('GET');
+  expect(response.headers['access-control-allow-methods']).toContain('POST');
+});
+
+tap.test('should track connections and metrics', async () => {
+  // Get metrics from the proxy
+  const metrics = testProxy.getMetrics();
+  
+  // Verify metrics structure and some values
+  expect(metrics).toHaveProperty('activeConnections');
+  expect(metrics).toHaveProperty('totalRequests');
+  expect(metrics).toHaveProperty('failedRequests');
+  expect(metrics).toHaveProperty('uptime');
+  expect(metrics).toHaveProperty('memoryUsage');
+  expect(metrics).toHaveProperty('activeWebSockets');
+  
+  // Should have served at least some requests from previous tests
+  expect(metrics.totalRequests).toBeGreaterThan(0);
+  expect(metrics.uptime).toBeGreaterThan(0);
+});
+
+tap.test('should update capacity settings', async () => {
+  // Update proxy capacity settings
+  testProxy.updateCapacity(2000, 60000, 25);
+  
+  // Verify settings were updated
+  expect(testProxy.options.maxConnections).toEqual(2000);
+  expect(testProxy.options.keepAliveTimeout).toEqual(60000);
+  expect(testProxy.options.connectionPoolSize).toEqual(25);
+});
+
+tap.test('should handle certificate requests', async () => {
+  // Test certificate request (this won't actually issue a cert in test mode)
+  const result = await testProxy.requestCertificate('test.example.com');
+  
+  // In test mode with ACME disabled, this should return false
+  expect(result).toEqual(false);
+});
+
+tap.test('should update certificates directly', async () => {
+  // Test certificate update
+  const testCert = '-----BEGIN CERTIFICATE-----\nMIIB...test...';
+  const testKey = '-----BEGIN PRIVATE KEY-----\nMIIE...test...';
+  
+  // This should not throw
+  expect(() => {
+    testProxy.updateCertificate('test.example.com', testCert, testKey);
+  }).not.toThrow();
+});
+
+tap.test('cleanup', async () => {
+  console.log('[TEST] Starting cleanup');
+  
+  try {
+    // 1. Close WebSocket clients if server exists
+    if (wsServer && wsServer.clients) {
+      console.log(`[TEST] Terminating ${wsServer.clients.size} WebSocket clients`);
+      wsServer.clients.forEach((client) => {
+        try {
+          client.terminate();
+        } catch (err) {
+          console.error('[TEST] Error terminating client:', err);
+        }
+      });
+    }
+
+    // 2. Close WebSocket server with timeout
+    if (wsServer) {
+      console.log('[TEST] Closing WebSocket server');
+      await Promise.race([
+        new Promise<void>((resolve, reject) => {
+          wsServer.close((err) => {
+            if (err) {
+              console.error('[TEST] Error closing WebSocket server:', err);
+              reject(err);
+            } else {
+              console.log('[TEST] WebSocket server closed');
+              resolve();
+            }
+          });
+        }).catch((err) => {
+          console.error('[TEST] Caught error closing WebSocket server:', err);
+        }),
+        new Promise<void>((resolve) => {
+          setTimeout(() => {
+            console.log('[TEST] WebSocket server close timeout');
+            resolve();
+          }, 1000);
+        })
+      ]);
+    }
+
+    // 3. Close test server with timeout
+    if (testServer) {
+      console.log('[TEST] Closing test server');
+      // First close all connections
+      testServer.closeAllConnections();
+      
+      await Promise.race([
+        new Promise<void>((resolve, reject) => {
+          testServer.close((err) => {
+            if (err) {
+              console.error('[TEST] Error closing test server:', err);
+              reject(err);
+            } else {
+              console.log('[TEST] Test server closed');
+              resolve();
+            }
+          });
+        }).catch((err) => {
+          console.error('[TEST] Caught error closing test server:', err);
+        }),
+        new Promise<void>((resolve) => {
+          setTimeout(() => {
+            console.log('[TEST] Test server close timeout');
+            resolve();
+          }, 1000);
+        })
+      ]);
+    }
+
+    // 4. Stop the proxy with timeout
+    if (testProxy) {
+      console.log('[TEST] Stopping proxy');
+      await Promise.race([
+        testProxy.stop()
+          .then(() => {
+            console.log('[TEST] Proxy stopped successfully');
+          })
+          .catch((error) => {
+            console.error('[TEST] Error stopping proxy:', error);
+          }),
+        new Promise<void>((resolve) => {
+          setTimeout(() => {
+            console.log('[TEST] Proxy stop timeout');
+            resolve();
+          }, 2000);
+        })
+      ]);
+    }
+  } catch (error) {
+    console.error('[TEST] Error during cleanup:', error);
+  }
+  
+  console.log('[TEST] Cleanup complete');
+  
+  // Add debugging to see what might be keeping the process alive
+  if (process.env.DEBUG_HANDLES) {
+    console.log('[TEST] Active handles:', (process as any)._getActiveHandles?.().length);
+    console.log('[TEST] Active requests:', (process as any)._getActiveRequests?.().length);
+  }
+});
+
+// Exit handler removed to prevent interference with test cleanup
+
+// Add a post-hook to force exit after tap completion
+tap.test('teardown', async () => {
+  // Force exit after all tests complete
+  setTimeout(() => {
+    console.log('[TEST] Force exit after tap completion');
+    process.exit(0);
+  }, 1000);
+});
+
+export default tap.start();

test/test.logger-error-handling.ts

@@ -0,0 +1,197 @@
+import * as plugins from '../ts/plugins.js';
+import { SmartProxy } from '../ts/index.js';
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { logger } from '../ts/core/utils/logger.js';
+
+// Store the original logger reference
+let originalLogger: any = logger;
+let mockLogger: any;
+
+// Create test routes using high ports to avoid permission issues
+const createRoute = (id: number, domain: string, port: number = 8443) => ({
+  name: `test-route-${id}`,
+  match: {
+    ports: [port],
+    domains: [domain]
+  },
+  action: {
+    type: 'forward' as const,
+    target: {
+      host: 'localhost',
+      port: 3000 + id
+    },
+    tls: {
+      mode: 'terminate' as const,
+      certificate: 'auto' as const,
+      acme: {
+        email: 'test@testdomain.test',
+        useProduction: false
+      }
+    }
+  }
+});
+
+let testProxy: SmartProxy;
+
+tap.test('should setup test proxy for logger error handling tests', async () => {
+  // Create a proxy for testing
+  testProxy = new SmartProxy({
+    routes: [createRoute(1, 'test1.error-handling.test', 8443)],
+    acme: {
+      email: 'test@testdomain.test',
+      useProduction: false,
+      port: 8080
+    }
+  });
+  
+  // Mock the certificate manager to avoid actual ACME initialization
+  const originalCreateCertManager = (testProxy as any).createCertificateManager;
+  (testProxy as any).createCertificateManager = async function(routes: any[], certDir: string, acmeOptions: any, initialState?: any) {
+    const mockCertManager = {
+      setUpdateRoutesCallback: function(callback: any) {
+        this.updateRoutesCallback = callback;
+      },
+      updateRoutesCallback: null as any,
+      setHttpProxy: function() {},
+      setGlobalAcmeDefaults: function() {},
+      setAcmeStateManager: function() {},
+      initialize: async function() {},
+      provisionAllCertificates: async function() {},
+      stop: async function() {},
+      getAcmeOptions: function() {
+        return acmeOptions || { email: 'test@testdomain.test', useProduction: false };
+      },
+      getState: function() {
+        return initialState || { challengeRouteActive: false };
+      }
+    };
+    
+    // Always set up the route update callback for ACME challenges
+    mockCertManager.setUpdateRoutesCallback(async (routes) => {
+      await this.updateRoutes(routes);
+    });
+    
+    return mockCertManager;
+  };
+  
+  // Mock initializeCertificateManager as well
+  (testProxy as any).initializeCertificateManager = async function() {
+    // Create mock cert manager using the method above
+    this.certManager = await this.createCertificateManager(
+      this.settings.routes,
+      './certs',
+      { email: 'test@testdomain.test', useProduction: false }
+    );
+  };
+  
+  // Start the proxy with mocked components
+  await testProxy.start();
+  expect(testProxy).toBeTruthy();
+});
+
+tap.test('should handle logger errors in updateRoutes without failing', async () => {
+  // Temporarily inject the mock logger that throws errors
+  const origConsoleLog = console.log;
+  let consoleLogCalled = false;
+  
+  // Spy on console.log to verify it's used as fallback
+  console.log = (...args: any[]) => {
+    consoleLogCalled = true;
+    // Call original implementation but mute the output for tests
+    // origConsoleLog(...args);
+  };
+  
+  try {
+    // Create mock logger that throws
+    mockLogger = {
+      log: () => {
+        throw new Error('Simulated logger error');
+      }
+    };
+
+    // Override the logger in the imported module
+    // This is a hack but necessary for testing
+    (global as any).logger = mockLogger;
+    
+    // Access the internal logger used by SmartProxy
+    const smartProxyImport = await import('../ts/proxies/smart-proxy/smart-proxy.js');
+    // @ts-ignore
+    smartProxyImport.logger = mockLogger;
+    
+    // Update routes - this should not fail even with logger errors
+    const newRoutes = [
+      createRoute(1, 'test1.error-handling.test', 8443),
+      createRoute(2, 'test2.error-handling.test', 8444)
+    ];
+    
+    await testProxy.updateRoutes(newRoutes);
+    
+    // Verify that the update was successful
+    expect((testProxy as any).settings.routes.length).toEqual(2);
+    expect(consoleLogCalled).toEqual(true);
+  } finally {
+    // Always restore console.log and logger
+    console.log = origConsoleLog;
+    (global as any).logger = originalLogger;
+  }
+});
+
+tap.test('should handle logger errors in certificate manager callbacks', async () => {
+  // Temporarily inject the mock logger that throws errors
+  const origConsoleLog = console.log;
+  let consoleLogCalled = false;
+  
+  // Spy on console.log to verify it's used as fallback
+  console.log = (...args: any[]) => {
+    consoleLogCalled = true;
+    // Call original implementation but mute the output for tests
+    // origConsoleLog(...args);
+  };
+  
+  try {
+    // Create mock logger that throws
+    mockLogger = {
+      log: () => {
+        throw new Error('Simulated logger error');
+      }
+    };
+
+    // Override the logger in the imported module
+    // This is a hack but necessary for testing
+    (global as any).logger = mockLogger;
+    
+    // Access the cert manager and trigger the updateRoutesCallback
+    const certManager = (testProxy as any).certManager;
+    expect(certManager).toBeTruthy();
+    expect(certManager.updateRoutesCallback).toBeTruthy();
+    
+    // Call the certificate manager's updateRoutesCallback directly
+    const challengeRoute = {
+      name: 'acme-challenge',
+      match: {
+        ports: [8080],
+        path: '/.well-known/acme-challenge/*'
+      },
+      action: {
+        type: 'static' as const,
+        content: 'mock-challenge-content'
+      }
+    };
+    
+    // This should not throw, despite logger errors
+    await certManager.updateRoutesCallback([...testProxy.settings.routes, challengeRoute]);
+    
+    // Verify console.log was used as fallback
+    expect(consoleLogCalled).toEqual(true);
+  } finally {
+    // Always restore console.log and logger
+    console.log = origConsoleLog;
+    (global as any).logger = originalLogger;
+  }
+});
+
+tap.test('should clean up properly', async () => {
+  await testProxy.stop();
+});
+
+tap.start();

test/test.networkproxy.ts

@@ -1,629 +0,0 @@
-import { expect, tap } from '@push.rocks/tapbundle';
-import * as smartproxy from '../ts/index.js';
-import { loadTestCertificates } from './helpers/certificates.js';
-import * as https from 'https';
-import * as http from 'http';
-import { WebSocket, WebSocketServer } from 'ws';
-
-let testProxy: smartproxy.NetworkProxy;
-let testServer: http.Server;
-let wsServer: WebSocketServer;
-let testCertificates: { privateKey: string; publicKey: string };
-
-// Helper function to make HTTPS requests
-async function makeHttpsRequest(
-  options: https.RequestOptions,
-): Promise<{ statusCode: number; headers: http.IncomingHttpHeaders; body: string }> {
-  console.log('[TEST] Making HTTPS request:', {
-    hostname: options.hostname,
-    port: options.port,
-    path: options.path,
-    method: options.method,
-    headers: options.headers,
-  });
-  return new Promise((resolve, reject) => {
-    const req = https.request(options, (res) => {
-      console.log('[TEST] Received HTTPS response:', {
-        statusCode: res.statusCode,
-        headers: res.headers,
-      });
-      let data = '';
-      res.on('data', (chunk) => (data += chunk));
-      res.on('end', () => {
-        console.log('[TEST] Response completed:', { data });
-        resolve({
-          statusCode: res.statusCode!,
-          headers: res.headers,
-          body: data,
-        });
-      });
-    });
-    req.on('error', (error) => {
-      console.error('[TEST] Request error:', error);
-      reject(error);
-    });
-    req.end();
-  });
-}
-
-// Setup test environment
-tap.test('setup test environment', async () => {
-  // Load and validate certificates
-  console.log('[TEST] Loading and validating certificates');
-  testCertificates = loadTestCertificates();
-  console.log('[TEST] Certificates loaded and validated');
-
-  // Create a test HTTP server
-  testServer = http.createServer((req, res) => {
-    console.log('[TEST SERVER] Received HTTP request:', {
-      url: req.url,
-      method: req.method,
-      headers: req.headers,
-    });
-    res.writeHead(200, { 'Content-Type': 'text/plain' });
-    res.end('Hello from test server!');
-  });
-
-  // Handle WebSocket upgrade requests
-  testServer.on('upgrade', (request, socket, head) => {
-    console.log('[TEST SERVER] Received WebSocket upgrade request:', {
-      url: request.url,
-      method: request.method,
-      headers: {
-        host: request.headers.host,
-        upgrade: request.headers.upgrade,
-        connection: request.headers.connection,
-        'sec-websocket-key': request.headers['sec-websocket-key'],
-        'sec-websocket-version': request.headers['sec-websocket-version'],
-        'sec-websocket-protocol': request.headers['sec-websocket-protocol'],
-      },
-    });
-
-    if (request.headers.upgrade?.toLowerCase() !== 'websocket') {
-      console.log('[TEST SERVER] Not a WebSocket upgrade request');
-      socket.destroy();
-      return;
-    }
-
-    console.log('[TEST SERVER] Handling WebSocket upgrade');
-    wsServer.handleUpgrade(request, socket, head, (ws) => {
-      console.log('[TEST SERVER] WebSocket connection upgraded');
-      wsServer.emit('connection', ws, request);
-    });
-  });
-
-  // Create a WebSocket server (for the test HTTP server)
-  console.log('[TEST SERVER] Creating WebSocket server');
-  wsServer = new WebSocketServer({
-    noServer: true,
-    perMessageDeflate: false,
-    clientTracking: true,
-    handleProtocols: () => 'echo-protocol',
-  });
-
-  wsServer.on('connection', (ws, request) => {
-    console.log('[TEST SERVER] WebSocket connection established:', {
-      url: request.url,
-      headers: {
-        host: request.headers.host,
-        upgrade: request.headers.upgrade,
-        connection: request.headers.connection,
-        'sec-websocket-key': request.headers['sec-websocket-key'],
-        'sec-websocket-version': request.headers['sec-websocket-version'],
-        'sec-websocket-protocol': request.headers['sec-websocket-protocol'],
-      },
-    });
-
-    // Set up connection timeout
-    const connectionTimeout = setTimeout(() => {
-      console.error('[TEST SERVER] WebSocket connection timed out');
-      ws.terminate();
-    }, 5000);
-
-    // Clear timeout when connection is properly closed
-    const clearConnectionTimeout = () => {
-      clearTimeout(connectionTimeout);
-    };
-
-    ws.on('message', (message) => {
-      const msg = message.toString();
-      console.log('[TEST SERVER] Received message:', msg);
-      try {
-        const response = `Echo: ${msg}`;
-        console.log('[TEST SERVER] Sending response:', response);
-        ws.send(response);
-        // Clear timeout on successful message exchange
-        clearConnectionTimeout();
-      } catch (error) {
-        console.error('[TEST SERVER] Error sending message:', error);
-      }
-    });
-
-    ws.on('error', (error) => {
-      console.error('[TEST SERVER] WebSocket error:', error);
-      clearConnectionTimeout();
-    });
-
-    ws.on('close', (code, reason) => {
-      console.log('[TEST SERVER] WebSocket connection closed:', {
-        code,
-        reason: reason.toString(),
-        wasClean: code === 1000 || code === 1001,
-      });
-      clearConnectionTimeout();
-    });
-
-    ws.on('ping', (data) => {
-      try {
-        console.log('[TEST SERVER] Received ping, sending pong');
-        ws.pong(data);
-      } catch (error) {
-        console.error('[TEST SERVER] Error sending pong:', error);
-      }
-    });
-
-    ws.on('pong', (data) => {
-      console.log('[TEST SERVER] Received pong');
-    });
-  });
-
-  wsServer.on('error', (error) => {
-    console.error('Test server: WebSocket server error:', error);
-  });
-
-  wsServer.on('headers', (headers) => {
-    console.log('Test server: WebSocket headers:', headers);
-  });
-
-  wsServer.on('close', () => {
-    console.log('Test server: WebSocket server closed');
-  });
-
-  await new Promise<void>((resolve) => testServer.listen(3000, resolve));
-  console.log('Test server listening on port 3000');
-});
-
-tap.test('should create proxy instance', async () => {
-  // Test with the original minimal options (only port)
-  testProxy = new smartproxy.NetworkProxy({
-    port: 3001,
-  });
-  expect(testProxy).toEqual(testProxy); // Instance equality check
-});
-
-tap.test('should create proxy instance with extended options', async () => {
-  // Test with extended options to verify backward compatibility
-  testProxy = new smartproxy.NetworkProxy({
-    port: 3001,
-    maxConnections: 5000,
-    keepAliveTimeout: 120000,
-    headersTimeout: 60000,
-    logLevel: 'info',
-    cors: {
-      allowOrigin: '*',
-      allowMethods: 'GET, POST, OPTIONS',
-      allowHeaders: 'Content-Type',
-      maxAge: 3600
-    }
-  });
-  expect(testProxy).toEqual(testProxy); // Instance equality check
-  expect(testProxy.options.port).toEqual(3001);
-});
-
-tap.test('should start the proxy server', async () => {
-  // Ensure any previous server is closed
-  if (testProxy && testProxy.httpsServer) {
-    await new Promise<void>((resolve) =>
-      testProxy.httpsServer.close(() => resolve())
-    );
-  }
-
-  console.log('[TEST] Starting the proxy server');
-  await testProxy.start();
-  console.log('[TEST] Proxy server started');
-
-  // Configure proxy with test certificates
-  // Awaiting the update ensures that the SNI context is added before any requests come in.
-  await testProxy.updateProxyConfigs([
-    {
-      destinationIps: ['127.0.0.1'],
-      destinationPorts: [3000],
-      hostName: 'push.rocks',
-      publicKey: testCertificates.publicKey,
-      privateKey: testCertificates.privateKey,
-    },
-  ]);
-
-  console.log('[TEST] Proxy configuration updated');
-});
-
-tap.test('should route HTTPS requests based on host header', async () => {
-  // IMPORTANT: Connect to localhost (where the proxy is listening) but use the Host header "push.rocks"
-  const response = await makeHttpsRequest({
-    hostname: 'localhost', // changed from 'push.rocks' to 'localhost'
-    port: 3001,
-    path: '/',
-    method: 'GET',
-    headers: {
-      host: 'push.rocks', // virtual host for routing
-    },
-    rejectUnauthorized: false,
-  });
-
-  expect(response.statusCode).toEqual(200);
-  expect(response.body).toEqual('Hello from test server!');
-});
-
-tap.test('should handle unknown host headers', async () => {
-  // Connect to localhost but use an unknown host header.
-  const response = await makeHttpsRequest({
-    hostname: 'localhost', // connecting to localhost
-    port: 3001,
-    path: '/',
-    method: 'GET',
-    headers: {
-      host: 'unknown.host', // this should not match any proxy config
-    },
-    rejectUnauthorized: false,
-  });
-
-  // Expect a 404 response with the appropriate error message.
-  expect(response.statusCode).toEqual(404);
-});
-
-tap.test('should support WebSocket connections', async () => {
-  console.log('\n[TEST] ====== WebSocket Test Started ======');
-  console.log('[TEST] Test server port:', 3000);
-  console.log('[TEST] Proxy server port:', 3001);
-  console.log('\n[TEST] Starting WebSocket test');
-
-  // Reconfigure proxy with test certificates if necessary
-  await testProxy.updateProxyConfigs([
-    {
-      destinationIps: ['127.0.0.1'],
-      destinationPorts: [3000],
-      hostName: 'push.rocks',
-      publicKey: testCertificates.publicKey,
-      privateKey: testCertificates.privateKey,
-    },
-  ]);
-
-  try {
-    await new Promise<void>((resolve, reject) => {
-      console.log('[TEST] Creating WebSocket client');
-
-      // IMPORTANT: Connect to localhost but specify the SNI servername and Host header as "push.rocks"
-      const wsUrl = 'wss://localhost:3001'; // changed from 'wss://push.rocks:3001'
-      console.log('[TEST] Creating WebSocket connection to:', wsUrl);
-
-      let ws: WebSocket | null = null;
-      
-      try {
-        ws = new WebSocket(wsUrl, {
-          rejectUnauthorized: false, // Accept self-signed certificates
-          handshakeTimeout: 3000,
-          perMessageDeflate: false,
-          headers: {
-            Host: 'push.rocks', // required for SNI and routing on the proxy
-            Connection: 'Upgrade',
-            Upgrade: 'websocket',
-            'Sec-WebSocket-Version': '13',
-          },
-          protocol: 'echo-protocol',
-          agent: new https.Agent({
-            rejectUnauthorized: false, // Also needed for the underlying HTTPS connection
-          }),
-        });
-        console.log('[TEST] WebSocket client created');
-      } catch (error) {
-        console.error('[TEST] Error creating WebSocket client:', error);
-        reject(new Error('Failed to create WebSocket client'));
-        return;
-      }
-
-      let resolved = false;
-      const cleanup = () => {
-        if (!resolved) {
-          resolved = true;
-          try {
-            console.log('[TEST] Cleaning up WebSocket connection');
-            if (ws && ws.readyState < WebSocket.CLOSING) {
-              ws.close();
-            }
-            resolve();
-          } catch (error) {
-            console.error('[TEST] Error during cleanup:', error);
-            // Just resolve even if cleanup fails
-            resolve();
-          }
-        }
-      };
-
-      // Set a shorter timeout to prevent test from hanging
-      const timeout = setTimeout(() => {
-        console.log('[TEST] WebSocket test timed out - resolving test anyway');
-        cleanup();
-      }, 3000);
-
-      // Connection establishment events
-      ws.on('upgrade', (response) => {
-        console.log('[TEST] WebSocket upgrade response received:', {
-          headers: response.headers,
-          statusCode: response.statusCode,
-        });
-      });
-
-      ws.on('open', () => {
-        console.log('[TEST] WebSocket connection opened');
-        try {
-          console.log('[TEST] Sending test message');
-          ws.send('Hello WebSocket');
-        } catch (error) {
-          console.error('[TEST] Error sending message:', error);
-          cleanup();
-        }
-      });
-
-      ws.on('message', (message) => {
-        console.log('[TEST] Received message:', message.toString());
-        if (
-          message.toString() === 'Hello WebSocket' ||
-          message.toString() === 'Echo: Hello WebSocket'
-        ) {
-          console.log('[TEST] Message received correctly');
-          clearTimeout(timeout);
-          cleanup();
-        }
-      });
-
-      ws.on('error', (error) => {
-        console.error('[TEST] WebSocket error:', error);
-        cleanup();
-      });
-
-      ws.on('close', (code, reason) => {
-        console.log('[TEST] WebSocket connection closed:', {
-          code,
-          reason: reason.toString(),
-        });
-        cleanup();
-      });
-    });
-
-    // Add an additional timeout to ensure the test always completes
-    console.log('[TEST] WebSocket test completed');
-  } catch (error) {
-    console.error('[TEST] WebSocket test error:', error);
-    console.log('[TEST] WebSocket test failed but continuing');
-  }
-});
-
-tap.test('should handle custom headers', async () => {
-  await testProxy.addDefaultHeaders({
-    'X-Proxy-Header': 'test-value',
-  });
-
-  const response = await makeHttpsRequest({
-    hostname: 'localhost', // changed to 'localhost'
-    port: 3001,
-    path: '/',
-    method: 'GET',
-    headers: {
-      host: 'push.rocks', // still routing to push.rocks
-    },
-    rejectUnauthorized: false,
-  });
-
-  expect(response.headers['x-proxy-header']).toEqual('test-value');
-});
-
-tap.test('should handle CORS preflight requests', async () => {
-  try {
-    console.log('[TEST] Testing CORS preflight handling...');
-    
-    // First ensure the existing proxy is working correctly
-    console.log('[TEST] Making initial GET request to verify server');
-    const initialResponse = await makeHttpsRequest({
-      hostname: 'localhost',
-      port: 3001,
-      path: '/',
-      method: 'GET',
-      headers: { host: 'push.rocks' },
-      rejectUnauthorized: false,
-    });
-    
-    console.log('[TEST] Initial response status:', initialResponse.statusCode);
-    expect(initialResponse.statusCode).toEqual(200);
-    
-    // Add CORS headers to the existing proxy
-    console.log('[TEST] Adding CORS headers');
-    await testProxy.addDefaultHeaders({
-      'Access-Control-Allow-Origin': '*',
-      'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
-      'Access-Control-Allow-Headers': 'Content-Type, Authorization',
-      'Access-Control-Max-Age': '86400'
-    });
-    
-    // Allow server to process the header changes
-    console.log('[TEST] Waiting for headers to be processed');
-    await new Promise(resolve => setTimeout(resolve, 500)); // Increased timeout
-    
-    // Send OPTIONS request to simulate CORS preflight
-    console.log('[TEST] Sending OPTIONS request for CORS preflight');
-    const response = await makeHttpsRequest({
-      hostname: 'localhost',
-      port: 3001,
-      path: '/',
-      method: 'OPTIONS',
-      headers: {
-        host: 'push.rocks',
-        'Access-Control-Request-Method': 'POST',
-        'Access-Control-Request-Headers': 'Content-Type',
-        'Origin': 'https://example.com'
-      },
-      rejectUnauthorized: false,
-    });
-
-    console.log('[TEST] CORS preflight response status:', response.statusCode);
-    console.log('[TEST] CORS preflight response headers:', response.headers);
-    
-    // For now, accept either 204 or 200 as success
-    expect([200, 204]).toContain(response.statusCode);
-    console.log('[TEST] CORS test completed successfully');
-  } catch (error) {
-    console.error('[TEST] Error in CORS test:', error);
-    throw error; // Rethrow to fail the test
-  }
-});
-
-tap.test('should track connections and metrics', async () => {
-  try {
-    console.log('[TEST] Testing metrics tracking...');
-    
-    // Get initial metrics counts
-    const initialRequestsServed = testProxy.requestsServed || 0;
-    console.log('[TEST] Initial requests served:', initialRequestsServed);
-    
-    // Make a few requests to ensure we have metrics to check
-    console.log('[TEST] Making test requests to increment metrics');
-    for (let i = 0; i < 3; i++) {
-      console.log(`[TEST] Making request ${i+1}/3`);
-      await makeHttpsRequest({
-        hostname: 'localhost',
-        port: 3001,
-        path: '/metrics-test-' + i,
-        method: 'GET',
-        headers: { host: 'push.rocks' },
-        rejectUnauthorized: false,
-      });
-    }
-    
-    // Wait a bit to let metrics update
-    console.log('[TEST] Waiting for metrics to update');
-    await new Promise(resolve => setTimeout(resolve, 500)); // Increased timeout
-    
-    // Verify metrics tracking is working
-    console.log('[TEST] Current requests served:', testProxy.requestsServed);
-    console.log('[TEST] Connected clients:', testProxy.connectedClients);
-    
-    expect(testProxy.connectedClients).toBeDefined();
-    expect(typeof testProxy.requestsServed).toEqual('number');
-    
-    // Use ">=" instead of ">" to be more forgiving with edge cases
-    expect(testProxy.requestsServed).toBeGreaterThanOrEqual(initialRequestsServed + 2);
-    console.log('[TEST] Metrics test completed successfully');
-  } catch (error) {
-    console.error('[TEST] Error in metrics test:', error);
-    throw error; // Rethrow to fail the test
-  }
-});
-
-tap.test('cleanup', async () => {
-  console.log('[TEST] Starting cleanup');
-
-  // Close all components with shorter timeouts to avoid hanging
-
-  // 1. Close WebSocket clients first
-  console.log('[TEST] Terminating WebSocket clients');
-  try {
-    wsServer.clients.forEach((client) => {
-      try {
-        client.terminate();
-      } catch (err) {
-        console.error('[TEST] Error terminating client:', err);
-      }
-    });
-  } catch (err) {
-    console.error('[TEST] Error accessing WebSocket clients:', err);
-  }
-
-  // 2. Close WebSocket server with short timeout
-  console.log('[TEST] Closing WebSocket server');
-  await Promise.race([
-    new Promise<void>((resolve) => {
-      wsServer.close(() => {
-        console.log('[TEST] WebSocket server closed');
-        resolve();
-      });
-    }),
-    new Promise<void>((resolve) => {
-      setTimeout(() => {
-        console.log('[TEST] WebSocket server close timed out, continuing');
-        resolve();
-      }, 500);
-    })
-  ]);
-
-  // 3. Close test server with short timeout
-  console.log('[TEST] Closing test server');
-  await Promise.race([
-    new Promise<void>((resolve) => {
-      testServer.close(() => {
-        console.log('[TEST] Test server closed');
-        resolve();
-      });
-    }),
-    new Promise<void>((resolve) => {
-      setTimeout(() => {
-        console.log('[TEST] Test server close timed out, continuing');
-        resolve();
-      }, 500);
-    })
-  ]);
-
-  // 4. Stop the proxy with short timeout
-  console.log('[TEST] Stopping proxy');
-  await Promise.race([
-    testProxy.stop().catch(err => {
-      console.error('[TEST] Error stopping proxy:', err);
-    }),
-    new Promise<void>((resolve) => {
-      setTimeout(() => {
-        console.log('[TEST] Proxy stop timed out, continuing');
-        if (testProxy.httpsServer) {
-          try {
-            testProxy.httpsServer.close();
-          } catch (e) {}
-        }
-        resolve();
-      }, 500);
-    })
-  ]);
-  
-  console.log('[TEST] Cleanup complete');
-});
-
-// Set up a more reliable exit handler
-process.on('exit', () => {
-  console.log('[TEST] Process exit - force shutdown of all components');
-  
-  // At this point, it's too late for async operations, just try to close things
-  try {
-    if (wsServer) {
-      console.log('[TEST] Force closing WebSocket server');
-      wsServer.close();
-    }
-  } catch (e) {}
-  
-  try {
-    if (testServer) {
-      console.log('[TEST] Force closing test server');
-      testServer.close();
-    }
-  } catch (e) {}
-  
-  try {
-    if (testProxy && testProxy.httpsServer) {
-      console.log('[TEST] Force closing proxy server');
-      testProxy.httpsServer.close();
-    }
-  } catch (e) {}
-});
-
-export default tap.start().then(() => {
-  // Force exit to prevent hanging
-  setTimeout(() => {
-    console.log("[TEST] Forcing process exit");
-    process.exit(0);
-  }, 500);
-});

test/test.nftables-forwarding.ts

@@ -0,0 +1,116 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import * as net from 'net';
+import { SmartProxy } from '../ts/proxies/smart-proxy/smart-proxy.js';
+import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
+
+// Test to verify NFTables forwarding doesn't terminate connections
+tap.test('NFTables forwarding should not terminate connections', async () => {
+  // Create a test server that receives connections
+  const testServer = net.createServer((socket) => {
+    socket.write('Connected to test server\n');
+    socket.on('data', (data) => {
+      socket.write(`Echo: ${data}`);
+    });
+  });
+
+  // Start test server
+  await new Promise<void>((resolve) => {
+    testServer.listen(8001, '127.0.0.1', () => {
+      console.log('Test server listening on port 8001');
+      resolve();
+    });
+  });
+
+  // Create SmartProxy with NFTables route
+  const smartProxy = new SmartProxy({
+    enableDetailedLogging: true,
+    routes: [
+      {
+        id: 'nftables-test',
+        name: 'NFTables Test Route',
+        match: {
+          ports: 8080,
+        },
+        action: {
+          type: 'forward',
+          forwardingEngine: 'nftables',
+          target: {
+            host: '127.0.0.1',
+            port: 8001,
+          },
+        },
+      },
+      // Also add regular forwarding route for comparison
+      {
+        id: 'regular-test',
+        name: 'Regular Forward Route',
+        match: {
+          ports: 8081,
+        },
+        action: {
+          type: 'forward',
+          target: {
+            host: '127.0.0.1',
+            port: 8001,
+          },
+        },
+      },
+    ],
+  });
+
+  await smartProxy.start();
+
+  // Test NFTables route
+  const nftablesConnection = await new Promise<net.Socket>((resolve, reject) => {
+    const client = net.connect(8080, '127.0.0.1', () => {
+      console.log('Connected to NFTables route');
+      resolve(client);
+    });
+    client.on('error', reject);
+  });
+
+  // Add timeout to check if connection stays alive
+  await new Promise<void>((resolve) => {
+    let dataReceived = false;
+    nftablesConnection.on('data', (data) => {
+      console.log('NFTables route data:', data.toString());
+      dataReceived = true;
+    });
+
+    // Send test data
+    nftablesConnection.write('Test NFTables');
+
+    // Check connection after 100ms
+    setTimeout(() => {
+      // Connection should still be alive even if app doesn't handle it
+      expect(nftablesConnection.destroyed).toEqual(false);
+      nftablesConnection.end();
+      resolve();
+    }, 100);
+  });
+
+  // Test regular forwarding route for comparison
+  const regularConnection = await new Promise<net.Socket>((resolve, reject) => {
+    const client = net.connect(8081, '127.0.0.1', () => {
+      console.log('Connected to regular route');
+      resolve(client);
+    });
+    client.on('error', reject);
+  });
+
+  // Test regular connection works
+  await new Promise<void>((resolve) => {
+    regularConnection.on('data', (data) => {
+      console.log('Regular route data:', data.toString());
+      expect(data.toString()).toContain('Connected to test server');
+      regularConnection.end();
+      resolve();
+    });
+  });
+
+  // Cleanup
+  await smartProxy.stop();
+  testServer.close();
+});
+
+export default tap.start();

test/test.nftables-integration.simple.ts

@@ -0,0 +1,94 @@
+import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
+import { createNfTablesRoute, createNfTablesTerminateRoute } from '../ts/proxies/smart-proxy/utils/route-helpers.js';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import * as child_process from 'child_process';
+import { promisify } from 'util';
+
+const exec = promisify(child_process.exec);
+
+// Check if we have root privileges to run NFTables tests
+async function checkRootPrivileges(): Promise<boolean> {
+  try {
+    // Check if we're running as root
+    const { stdout } = await exec('id -u');
+    return stdout.trim() === '0';
+  } catch (err) {
+    return false;
+  }
+}
+
+// Check if tests should run
+const isRoot = await checkRootPrivileges();
+
+if (!isRoot) {
+  console.log('');
+  console.log('========================================');
+  console.log('NFTables tests require root privileges');
+  console.log('Skipping NFTables integration tests');
+  console.log('========================================');
+  console.log('');
+  process.exit(0);
+}
+
+tap.test('NFTables integration tests', async () => {
+  
+  console.log('Running NFTables tests with root privileges');
+  
+  // Create test routes
+  const routes = [
+    createNfTablesRoute('tcp-forward', {
+      host: 'localhost',
+      port: 8080
+    }, {
+      ports: 9080,
+      protocol: 'tcp'
+    }),
+    
+    createNfTablesRoute('udp-forward', {
+      host: 'localhost',
+      port: 5353
+    }, {
+      ports: 5354,
+      protocol: 'udp'
+    }),
+    
+    createNfTablesRoute('port-range', {
+      host: 'localhost',
+      port: 8080
+    }, {
+      ports: [{ from: 9000, to: 9100 }],
+      protocol: 'tcp'
+    })
+  ];
+  
+  const smartProxy = new SmartProxy({
+    enableDetailedLogging: true,
+    routes
+  });
+  
+  // Start the proxy
+  await smartProxy.start();
+  console.log('SmartProxy started with NFTables routes');
+  
+  // Get NFTables status
+  const status = await smartProxy.getNfTablesStatus();
+  console.log('NFTables status:', JSON.stringify(status, null, 2));
+  
+  // Verify all routes are provisioned
+  expect(Object.keys(status).length).toEqual(routes.length);
+  
+  for (const routeStatus of Object.values(status)) {
+    expect(routeStatus.active).toBeTrue();
+    expect(routeStatus.ruleCount.total).toBeGreaterThan(0);
+  }
+  
+  // Stop the proxy
+  await smartProxy.stop();
+  console.log('SmartProxy stopped');
+  
+  // Verify all rules are cleaned up
+  const finalStatus = await smartProxy.getNfTablesStatus();
+  expect(Object.keys(finalStatus).length).toEqual(0);
+});
+
+export default tap.start();

test/test.nftables-integration.ts

@@ -0,0 +1,349 @@
+import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
+import { createNfTablesRoute, createNfTablesTerminateRoute } from '../ts/proxies/smart-proxy/utils/route-helpers.js';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import * as net from 'net';
+import * as http from 'http';
+import * as https from 'https';
+import * as fs from 'fs';
+import * as path from 'path';
+import { fileURLToPath } from 'url';
+import * as child_process from 'child_process';
+import { promisify } from 'util';
+
+const exec = promisify(child_process.exec);
+
+// Get __dirname equivalent for ES modules
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+// Check if we have root privileges
+async function checkRootPrivileges(): Promise<boolean> {
+  try {
+    const { stdout } = await exec('id -u');
+    return stdout.trim() === '0';
+  } catch (err) {
+    return false;
+  }
+}
+
+// Check if tests should run
+const runTests = await checkRootPrivileges();
+
+if (!runTests) {
+  console.log('');
+  console.log('========================================');
+  console.log('NFTables tests require root privileges');
+  console.log('Skipping NFTables integration tests');
+  console.log('========================================');
+  console.log('');
+  // Skip tests when not running as root - tests are marked with tap.skip.test
+}
+
+// Test server and client utilities
+let testTcpServer: net.Server;
+let testHttpServer: http.Server;
+let testHttpsServer: https.Server;
+let smartProxy: SmartProxy;
+
+const TEST_TCP_PORT = 4000;
+const TEST_HTTP_PORT = 4001;
+const TEST_HTTPS_PORT = 4002;
+const PROXY_TCP_PORT = 5000;
+const PROXY_HTTP_PORT = 5001;
+const PROXY_HTTPS_PORT = 5002;
+const TEST_DATA = 'Hello through NFTables!';
+
+// Helper to create test certificates
+async function createTestCertificates() {
+  try {
+    // Import the certificate helper
+    const certsModule = await import('./helpers/certificates.js');
+    const certificates = certsModule.loadTestCertificates();
+    return {
+      cert: certificates.publicKey,
+      key: certificates.privateKey
+    };
+  } catch (err) {
+    console.error('Failed to load test certificates:', err);
+    // Use dummy certificates for testing
+    return {
+      cert: fs.readFileSync(path.join(__dirname, '..', 'assets', 'certs', 'cert.pem'), 'utf8'),
+      key: fs.readFileSync(path.join(__dirname, '..', 'assets', 'certs', 'key.pem'), 'utf8')
+    };
+  }
+}
+
+tap.skip.test('setup NFTables integration test environment', async () => {
+  console.log('Running NFTables integration tests with root privileges');
+  
+  // Create a basic TCP test server
+  testTcpServer = net.createServer((socket) => {
+    socket.on('data', (data) => {
+      socket.write(`Server says: ${data.toString()}`);
+    });
+  });
+  
+  await new Promise<void>((resolve) => {
+    testTcpServer.listen(TEST_TCP_PORT, () => {
+      console.log(`TCP test server listening on port ${TEST_TCP_PORT}`);
+      resolve();
+    });
+  });
+  
+  // Create an HTTP test server
+  testHttpServer = http.createServer((req, res) => {
+    res.writeHead(200, { 'Content-Type': 'text/plain' });
+    res.end(`HTTP Server says: ${TEST_DATA}`);
+  });
+  
+  await new Promise<void>((resolve) => {
+    testHttpServer.listen(TEST_HTTP_PORT, () => {
+      console.log(`HTTP test server listening on port ${TEST_HTTP_PORT}`);
+      resolve();
+    });
+  });
+  
+  // Create an HTTPS test server
+  const certs = await createTestCertificates();
+  testHttpsServer = https.createServer({ key: certs.key, cert: certs.cert }, (req, res) => {
+    res.writeHead(200, { 'Content-Type': 'text/plain' });
+    res.end(`HTTPS Server says: ${TEST_DATA}`);
+  });
+  
+  await new Promise<void>((resolve) => {
+    testHttpsServer.listen(TEST_HTTPS_PORT, () => {
+      console.log(`HTTPS test server listening on port ${TEST_HTTPS_PORT}`);
+      resolve();
+    });
+  });
+  
+  // Create SmartProxy with various NFTables routes
+  smartProxy = new SmartProxy({
+    enableDetailedLogging: true,
+    routes: [
+      // TCP forwarding route
+      createNfTablesRoute('tcp-nftables', {
+        host: 'localhost',
+        port: TEST_TCP_PORT
+      }, {
+        ports: PROXY_TCP_PORT,
+        protocol: 'tcp'
+      }),
+      
+      // HTTP forwarding route
+      createNfTablesRoute('http-nftables', {
+        host: 'localhost',
+        port: TEST_HTTP_PORT
+      }, {
+        ports: PROXY_HTTP_PORT,
+        protocol: 'tcp'
+      }),
+      
+      // HTTPS termination route
+      createNfTablesTerminateRoute('https-nftables.example.com', {
+        host: 'localhost',
+        port: TEST_HTTPS_PORT
+      }, {
+        ports: PROXY_HTTPS_PORT,
+        protocol: 'tcp',
+        certificate: certs
+      }),
+      
+      // Route with IP allow list
+      createNfTablesRoute('secure-tcp', {
+        host: 'localhost',
+        port: TEST_TCP_PORT
+      }, {
+        ports: 5003,
+        protocol: 'tcp',
+        ipAllowList: ['127.0.0.1', '::1']
+      }),
+      
+      // Route with QoS settings
+      createNfTablesRoute('qos-tcp', {
+        host: 'localhost',
+        port: TEST_TCP_PORT
+      }, {
+        ports: 5004,
+        protocol: 'tcp',
+        maxRate: '10mbps',
+        priority: 1
+      })
+    ]
+  });
+  
+  console.log('SmartProxy created, now starting...');
+  
+  // Start the proxy
+  try {
+    await smartProxy.start();
+    console.log('SmartProxy started successfully');
+    
+    // Verify proxy is listening on expected ports
+    const listeningPorts = smartProxy.getListeningPorts();
+    console.log(`SmartProxy is listening on ports: ${listeningPorts.join(', ')}`);
+  } catch (err) {
+    console.error('Failed to start SmartProxy:', err);
+    throw err;
+  }
+});
+
+tap.skip.test('should forward TCP connections through NFTables', async () => {
+  console.log(`Attempting to connect to proxy TCP port ${PROXY_TCP_PORT}...`);
+  
+  // First verify our test server is running
+  try {
+    const testClient = new net.Socket();
+    await new Promise<void>((resolve, reject) => {
+      testClient.connect(TEST_TCP_PORT, 'localhost', () => {
+        console.log(`Test server on port ${TEST_TCP_PORT} is accessible`);
+        testClient.end();
+        resolve();
+      });
+      testClient.on('error', reject);
+    });
+  } catch (err) {
+    console.error(`Test server on port ${TEST_TCP_PORT} is not accessible: ${err}`);
+  }
+  
+  // Connect to the proxy port
+  const client = new net.Socket();
+  
+  const response = await new Promise<string>((resolve, reject) => {
+    let responseData = '';
+    const timeout = setTimeout(() => {
+      client.destroy();
+      reject(new Error(`Connection timeout after 5 seconds to proxy port ${PROXY_TCP_PORT}`));
+    }, 5000);
+    
+    client.connect(PROXY_TCP_PORT, 'localhost', () => {
+      console.log(`Connected to proxy port ${PROXY_TCP_PORT}, sending data...`);
+      client.write(TEST_DATA);
+    });
+    
+    client.on('data', (data) => {
+      console.log(`Received data from proxy: ${data.toString()}`);
+      responseData += data.toString();
+      client.end();
+    });
+    
+    client.on('end', () => {
+      clearTimeout(timeout);
+      resolve(responseData);
+    });
+    
+    client.on('error', (err) => {
+      clearTimeout(timeout);
+      console.error(`Connection error on proxy port ${PROXY_TCP_PORT}: ${err.message}`);
+      reject(err);
+    });
+  });
+  
+  expect(response).toEqual(`Server says: ${TEST_DATA}`);
+});
+
+tap.skip.test('should forward HTTP connections through NFTables', async () => {
+  const response = await new Promise<string>((resolve, reject) => {
+    http.get(`http://localhost:${PROXY_HTTP_PORT}`, (res) => {
+      let data = '';
+      res.on('data', (chunk) => {
+        data += chunk;
+      });
+      res.on('end', () => {
+        resolve(data);
+      });
+    }).on('error', reject);
+  });
+  
+  expect(response).toEqual(`HTTP Server says: ${TEST_DATA}`);
+});
+
+tap.skip.test('should handle HTTPS termination with NFTables', async () => {
+  // Skip this test if running without proper certificates
+  const response = await new Promise<string>((resolve, reject) => {
+    const options = {
+      hostname: 'localhost',
+      port: PROXY_HTTPS_PORT,
+      path: '/',
+      method: 'GET',
+      rejectUnauthorized: false // For self-signed cert
+    };
+    
+    https.get(options, (res) => {
+      let data = '';
+      res.on('data', (chunk) => {
+        data += chunk;
+      });
+      res.on('end', () => {
+        resolve(data);
+      });
+    }).on('error', reject);
+  });
+  
+  expect(response).toEqual(`HTTPS Server says: ${TEST_DATA}`);
+});
+
+tap.skip.test('should respect IP allow lists in NFTables', async () => {
+  // This test should pass since we're connecting from localhost
+  const client = new net.Socket();
+  
+  const connected = await new Promise<boolean>((resolve) => {
+    const timeout = setTimeout(() => {
+      client.destroy();
+      resolve(false);
+    }, 2000);
+    
+    client.connect(5003, 'localhost', () => {
+      clearTimeout(timeout);
+      client.end();
+      resolve(true);
+    });
+    
+    client.on('error', () => {
+      clearTimeout(timeout);
+      resolve(false);
+    });
+  });
+  
+  expect(connected).toBeTrue();
+});
+
+tap.skip.test('should get NFTables status', async () => {
+  const status = await smartProxy.getNfTablesStatus();
+  
+  // Check that we have status for our routes
+  const statusKeys = Object.keys(status);
+  expect(statusKeys.length).toBeGreaterThan(0);
+  
+  // Check status structure for one of the routes
+  const firstStatus = status[statusKeys[0]];
+  expect(firstStatus).toHaveProperty('active');
+  expect(firstStatus).toHaveProperty('ruleCount');
+  expect(firstStatus.ruleCount).toHaveProperty('total');
+  expect(firstStatus.ruleCount).toHaveProperty('added');
+});
+
+tap.skip.test('cleanup NFTables integration test environment', async () => {
+  // Stop the proxy and test servers
+  await smartProxy.stop();
+  
+  await new Promise<void>((resolve) => {
+    testTcpServer.close(() => {
+      resolve();
+    });
+  });
+  
+  await new Promise<void>((resolve) => {
+    testHttpServer.close(() => {
+      resolve();
+    });
+  });
+  
+  await new Promise<void>((resolve) => {
+    testHttpsServer.close(() => {
+      resolve();
+    });
+  });
+});
+
+export default tap.start();

test/test.nftables-manager.ts

@@ -0,0 +1,184 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { NFTablesManager } from '../ts/proxies/smart-proxy/nftables-manager.js';
+import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
+import type { ISmartProxyOptions } from '../ts/proxies/smart-proxy/models/interfaces.js';
+import * as child_process from 'child_process';
+import { promisify } from 'util';
+
+const exec = promisify(child_process.exec);
+
+// Check if we have root privileges
+async function checkRootPrivileges(): Promise<boolean> {
+  try {
+    const { stdout } = await exec('id -u');
+    return stdout.trim() === '0';
+  } catch (err) {
+    return false;
+  }
+}
+
+// Skip tests if not root
+const isRoot = await checkRootPrivileges();
+if (!isRoot) {
+  console.log('');
+  console.log('========================================');
+  console.log('NFTablesManager tests require root privileges');
+  console.log('Skipping NFTablesManager tests');
+  console.log('========================================');
+  console.log('');
+  // Skip tests when not running as root - tests are marked with tap.skip.test
+}
+
+/**
+ * Tests for the NFTablesManager class
+ */
+
+// Sample route configurations for testing
+const sampleRoute: IRouteConfig = {
+  name: 'test-nftables-route',
+  match: {
+    ports: 8080,
+    domains: 'test.example.com'
+  },
+  action: {
+    type: 'forward',
+    target: {
+      host: 'localhost',
+      port: 8000
+    },
+    forwardingEngine: 'nftables',
+    nftables: {
+      protocol: 'tcp',
+      preserveSourceIP: true,
+      useIPSets: true
+    }
+  }
+};
+
+// Sample SmartProxy options
+const sampleOptions: ISmartProxyOptions = {
+  routes: [sampleRoute],
+  enableDetailedLogging: true
+};
+
+// Instance of NFTablesManager for testing
+let manager: NFTablesManager;
+
+// Skip these tests by default since they require root privileges to run NFTables commands
+// When running as root, change this to false
+const SKIP_TESTS = true;
+
+tap.skip.test('NFTablesManager setup test', async () => {
+  // Test will be skipped if not running as root due to tap.skip.test
+  
+  // Create a new instance of NFTablesManager
+  manager = new NFTablesManager(sampleOptions);
+  
+  // Verify the instance was created successfully
+  expect(manager).toBeTruthy();
+});
+
+tap.skip.test('NFTablesManager route provisioning test', async () => {
+  // Test will be skipped if not running as root due to tap.skip.test
+  
+  // Provision the sample route
+  const result = await manager.provisionRoute(sampleRoute);
+  
+  // Verify the route was provisioned successfully
+  expect(result).toEqual(true);
+  
+  // Verify the route is listed as provisioned
+  expect(manager.isRouteProvisioned(sampleRoute)).toEqual(true);
+});
+
+tap.skip.test('NFTablesManager status test', async () => {
+  // Test will be skipped if not running as root due to tap.skip.test
+  
+  // Get the status of the managed rules
+  const status = await manager.getStatus();
+  
+  // Verify status includes our route
+  const keys = Object.keys(status);
+  expect(keys.length).toBeGreaterThan(0);
+  
+  // Check the status of the first rule
+  const firstStatus = status[keys[0]];
+  expect(firstStatus.active).toEqual(true);
+  expect(firstStatus.ruleCount.added).toBeGreaterThan(0);
+});
+
+tap.skip.test('NFTablesManager route updating test', async () => {
+  // Test will be skipped if not running as root due to tap.skip.test
+  
+  // Create an updated version of the sample route
+  const updatedRoute: IRouteConfig = {
+    ...sampleRoute,
+    action: {
+      ...sampleRoute.action,
+      target: {
+        host: 'localhost',
+        port: 9000 // Different port
+      },
+      nftables: {
+        ...sampleRoute.action.nftables,
+        protocol: 'all' // Different protocol
+      }
+    }
+  };
+  
+  // Update the route
+  const result = await manager.updateRoute(sampleRoute, updatedRoute);
+  
+  // Verify the route was updated successfully
+  expect(result).toEqual(true);
+  
+  // Verify the old route is no longer provisioned
+  expect(manager.isRouteProvisioned(sampleRoute)).toEqual(false);
+  
+  // Verify the new route is provisioned
+  expect(manager.isRouteProvisioned(updatedRoute)).toEqual(true);
+});
+
+tap.skip.test('NFTablesManager route deprovisioning test', async () => {
+  // Test will be skipped if not running as root due to tap.skip.test
+  
+  // Create an updated version of the sample route from the previous test
+  const updatedRoute: IRouteConfig = {
+    ...sampleRoute,
+    action: {
+      ...sampleRoute.action,
+      target: {
+        host: 'localhost',
+        port: 9000 // Different port from original test
+      },
+      nftables: {
+        ...sampleRoute.action.nftables,
+        protocol: 'all' // Different protocol from original test
+      }
+    }
+  };
+  
+  // Deprovision the route
+  const result = await manager.deprovisionRoute(updatedRoute);
+  
+  // Verify the route was deprovisioned successfully
+  expect(result).toEqual(true);
+  
+  // Verify the route is no longer provisioned
+  expect(manager.isRouteProvisioned(updatedRoute)).toEqual(false);
+});
+
+tap.skip.test('NFTablesManager cleanup test', async () => {
+  // Test will be skipped if not running as root due to tap.skip.test
+  
+  // Stop all NFTables rules
+  await manager.stop();
+  
+  // Get the status of the managed rules
+  const status = await manager.getStatus();
+  
+  // Verify there are no active rules
+  expect(Object.keys(status).length).toEqual(0);
+});
+
+export default tap.start();

test/test.nftables-status.ts

@@ -0,0 +1,162 @@
+import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
+import { NFTablesManager } from '../ts/proxies/smart-proxy/nftables-manager.js';
+import { createNfTablesRoute } from '../ts/proxies/smart-proxy/utils/route-helpers.js';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import * as child_process from 'child_process';
+import { promisify } from 'util';
+
+const exec = promisify(child_process.exec);
+
+// Check if we have root privileges
+async function checkRootPrivileges(): Promise<boolean> {
+  try {
+    const { stdout } = await exec('id -u');
+    return stdout.trim() === '0';
+  } catch (err) {
+    return false;
+  }
+}
+
+// Skip tests if not root
+const isRoot = await checkRootPrivileges();
+if (!isRoot) {
+  console.log('');
+  console.log('========================================');
+  console.log('NFTables status tests require root privileges');
+  console.log('Skipping NFTables status tests');
+  console.log('========================================');
+  console.log('');
+  process.exit(0);
+}
+
+tap.test('NFTablesManager status functionality', async () => {
+  const nftablesManager = new NFTablesManager({ routes: [] });
+  
+  // Create test routes
+  const testRoutes = [
+    createNfTablesRoute('test-route-1', { host: 'localhost', port: 8080 }, { ports: 9080 }),
+    createNfTablesRoute('test-route-2', { host: 'localhost', port: 8081 }, { ports: 9081 }),
+    createNfTablesRoute('test-route-3', { host: 'localhost', port: 8082 }, { 
+      ports: 9082,
+      ipAllowList: ['127.0.0.1', '192.168.1.0/24']
+    })
+  ];
+  
+  // Get initial status (should be empty)
+  let status = await nftablesManager.getStatus();
+  expect(Object.keys(status).length).toEqual(0);
+  
+  // Provision routes
+  for (const route of testRoutes) {
+    await nftablesManager.provisionRoute(route);
+  }
+  
+  // Get status after provisioning
+  status = await nftablesManager.getStatus();
+  expect(Object.keys(status).length).toEqual(3);
+  
+  // Check status structure
+  for (const routeStatus of Object.values(status)) {
+    expect(routeStatus).toHaveProperty('active');
+    expect(routeStatus).toHaveProperty('ruleCount');
+    expect(routeStatus).toHaveProperty('lastUpdate');
+    expect(routeStatus.active).toBeTrue();
+  }
+  
+  // Deprovision one route
+  await nftablesManager.deprovisionRoute(testRoutes[0]);
+  
+  // Check status after deprovisioning
+  status = await nftablesManager.getStatus();
+  expect(Object.keys(status).length).toEqual(2);
+  
+  // Cleanup remaining routes
+  await nftablesManager.stop();
+  
+  // Final status should be empty
+  status = await nftablesManager.getStatus();
+  expect(Object.keys(status).length).toEqual(0);
+});
+
+tap.test('SmartProxy getNfTablesStatus functionality', async () => {
+  const smartProxy = new SmartProxy({
+    routes: [
+      createNfTablesRoute('proxy-test-1', { host: 'localhost', port: 3000 }, { ports: 3001 }),
+      createNfTablesRoute('proxy-test-2', { host: 'localhost', port: 3002 }, { ports: 3003 }),
+      // Include a non-NFTables route to ensure it's not included in the status
+      {
+        name: 'non-nftables-route',
+        match: { ports: 3004 },
+        action: {
+          type: 'forward',
+          target: { host: 'localhost', port: 3005 }
+        }
+      }
+    ]
+  });
+  
+  // Start the proxy
+  await smartProxy.start();
+  
+  // Get NFTables status
+  const status = await smartProxy.getNfTablesStatus();
+  
+  // Should only have 2 NFTables routes
+  const statusKeys = Object.keys(status);
+  expect(statusKeys.length).toEqual(2);
+  
+  // Check that both NFTables routes are in the status
+  const routeIds = statusKeys.sort();
+  expect(routeIds).toContain('proxy-test-1:3001');
+  expect(routeIds).toContain('proxy-test-2:3003');
+  
+  // Verify status structure
+  for (const [routeId, routeStatus] of Object.entries(status)) {
+    expect(routeStatus).toHaveProperty('active', true);
+    expect(routeStatus).toHaveProperty('ruleCount');
+    expect(routeStatus.ruleCount).toHaveProperty('total');
+    expect(routeStatus.ruleCount.total).toBeGreaterThan(0);
+  }
+  
+  // Stop the proxy
+  await smartProxy.stop();
+  
+  // After stopping, status should be empty
+  const finalStatus = await smartProxy.getNfTablesStatus();
+  expect(Object.keys(finalStatus).length).toEqual(0);
+});
+
+tap.test('NFTables route update status tracking', async () => {
+  const smartProxy = new SmartProxy({
+    routes: [
+      createNfTablesRoute('update-test', { host: 'localhost', port: 4000 }, { ports: 4001 })
+    ]
+  });
+  
+  await smartProxy.start();
+  
+  // Get initial status
+  let status = await smartProxy.getNfTablesStatus();
+  expect(Object.keys(status).length).toEqual(1);
+  const initialUpdate = status['update-test:4001'].lastUpdate;
+  
+  // Wait a moment
+  await new Promise(resolve => setTimeout(resolve, 10));
+  
+  // Update the route
+  await smartProxy.updateRoutes([
+    createNfTablesRoute('update-test', { host: 'localhost', port: 4002 }, { ports: 4001 })
+  ]);
+  
+  // Get status after update
+  status = await smartProxy.getNfTablesStatus();
+  expect(Object.keys(status).length).toEqual(1);
+  const updatedTime = status['update-test:4001'].lastUpdate;
+  
+  // The update time should be different
+  expect(updatedTime.getTime()).toBeGreaterThan(initialUpdate.getTime());
+  
+  await smartProxy.stop();
+});
+
+export default tap.start();

test/test.port-forwarding-fix.ts

@@ -0,0 +1,100 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import * as net from 'net';
+import { SmartProxy } from '../ts/proxies/smart-proxy/smart-proxy.js';
+
+let echoServer: net.Server;
+let proxy: SmartProxy;
+
+tap.test('port forwarding should not immediately close connections', async (tools) => {
+  // Set a timeout for this test
+  tools.timeout(10000); // 10 seconds
+  // Create an echo server
+  echoServer = await new Promise<net.Server>((resolve) => {
+    const server = net.createServer((socket) => {
+      socket.on('data', (data) => {
+        socket.write(`ECHO: ${data}`);
+      });
+    });
+    
+    server.listen(8888, () => {
+      console.log('Echo server listening on port 8888');
+      resolve(server);
+    });
+  });
+
+  // Create proxy with forwarding route
+  proxy = new SmartProxy({
+    routes: [{
+      id: 'test',
+      match: { ports: 9999 },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8888 }
+      }
+    }]
+  });
+
+  await proxy.start();
+
+  // Test connection through proxy
+  const client = net.createConnection(9999, 'localhost');
+  
+  const result = await new Promise<string>((resolve, reject) => {
+    client.on('data', (data) => {
+      const response = data.toString();
+      client.end(); // Close the connection after receiving data
+      resolve(response);
+    });
+    
+    client.on('error', reject);
+    
+    client.write('Hello');
+  });
+
+  expect(result).toEqual('ECHO: Hello');
+});
+
+tap.test('TLS passthrough should work correctly', async () => {
+  // Create proxy with TLS passthrough
+  proxy = new SmartProxy({
+    routes: [{
+      id: 'tls-test', 
+      match: { ports: 8443, domains: 'test.example.com' },
+      action: {
+        type: 'forward',
+        tls: { mode: 'passthrough' },
+        target: { host: 'localhost', port: 443 }
+      }
+    }]
+  });
+
+  await proxy.start();
+
+  // For now just verify the proxy starts correctly with TLS passthrough route
+  expect(proxy).toBeDefined();
+
+  await proxy.stop();
+});
+
+tap.test('cleanup', async () => {
+  if (echoServer) {
+    await new Promise<void>((resolve) => {
+      echoServer.close(() => {
+        console.log('Echo server closed');
+        resolve();
+      });
+    });
+  }
+  if (proxy) {
+    await proxy.stop();
+    console.log('Proxy stopped');
+  }
+});
+
+export default tap.start().then(() => {
+  // Force exit after tests complete
+  setTimeout(() => {
+    console.log('Forcing process exit');
+    process.exit(0);
+  }, 1000);
+});

test/test.port-mapping.ts

@@ -1,4 +1,4 @@
-import { expect, tap } from '@push.rocks/tapbundle';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
 import * as net from 'net';
 import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
 import {
@@ -213,9 +213,11 @@ tap.test('should handle errors in port mapping functions', async () => {
   // The connection should fail or timeout
   try {
     await createTestClient(PROXY_PORT_START + 5, TEST_DATA);
-    expect(false).toBeTrue('Connection should have failed but succeeded');
+    // Connection should not succeed
+    expect(false).toBeTrue();
   } catch (error) {
-    expect(true).toBeTrue('Connection failed as expected');
+    // Connection failed as expected
+    expect(true).toBeTrue();
   }
 });
 

test/test.port80-management.node.ts

@@ -0,0 +1,281 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { SmartProxy } from '../ts/index.js';
+
+/**
+ * Test that verifies port 80 is not double-registered when both
+ * user routes and ACME challenges use the same port
+ */
+tap.test('should not double-register port 80 when user route and ACME use same port', async (tools) => {
+  tools.timeout(5000);
+  
+  let port80AddCount = 0;
+  const activePorts = new Set<number>();
+  
+  const settings = {
+    port: 9901,
+    routes: [
+      {
+        name: 'user-route',
+        match: {
+          ports: [80]
+        },
+        action: {
+          type: 'forward' as const,
+          target: { host: 'localhost', port: 3000 }
+        }
+      },
+      {
+        name: 'secure-route',
+        match: {
+          ports: [443]
+        },
+        action: {
+          type: 'forward' as const,
+          target: { host: 'localhost', port: 3001 },
+          tls: {
+            mode: 'terminate' as const,
+            certificate: 'auto' as const
+          }
+        }
+      }
+    ],
+    acme: {
+      email: 'test@test.com',
+      port: 80  // ACME on same port as user route
+    }
+  };
+  
+  const proxy = new SmartProxy(settings);
+  
+  // Mock the port manager to track port additions
+  const mockPortManager = {
+    addPort: async (port: number) => {
+      if (activePorts.has(port)) {
+        return; // Simulate deduplication
+      }
+      activePorts.add(port);
+      if (port === 80) {
+        port80AddCount++;
+      }
+    },
+    addPorts: async (ports: number[]) => {
+      for (const port of ports) {
+        await mockPortManager.addPort(port);
+      }
+    },
+    updatePorts: async (requiredPorts: Set<number>) => {
+      for (const port of requiredPorts) {
+        await mockPortManager.addPort(port);
+      }
+    },
+    setShuttingDown: () => {},
+    closeAll: async () => { activePorts.clear(); },
+    stop: async () => { await mockPortManager.closeAll(); }
+  };
+  
+  // Inject mock
+  (proxy as any).portManager = mockPortManager;
+  
+  // Mock certificate manager to prevent ACME calls
+  (proxy as any).createCertificateManager = async function(routes: any[], certDir: string, acmeOptions: any, initialState?: any) {
+    const mockCertManager = {
+      setUpdateRoutesCallback: function(callback: any) { /* noop */ },
+      setHttpProxy: function() {},
+      setGlobalAcmeDefaults: function() {},
+      setAcmeStateManager: function() {},
+      initialize: async function() {
+        // Simulate ACME route addition
+        const challengeRoute = {
+          name: 'acme-challenge',
+          priority: 1000,
+          match: {
+            ports: acmeOptions?.port || 80,
+            path: '/.well-known/acme-challenge/*'
+          },
+          action: {
+            type: 'static'
+          }
+        };
+        // This would trigger route update in real implementation
+      },
+      provisionAllCertificates: async function() {
+        // Mock implementation to satisfy the call in SmartProxy.start()
+        // Add the ACME challenge port here too in case initialize was skipped
+        const challengePort = acmeOptions?.port || 80;
+        await mockPortManager.addPort(challengePort);
+        console.log(`Added ACME challenge port from provisionAllCertificates: ${challengePort}`);
+      },
+      getAcmeOptions: () => acmeOptions,
+      getState: () => ({ challengeRouteActive: false }),
+      stop: async () => {}
+    };
+    return mockCertManager;
+  };
+  
+  // Mock NFTables
+  (proxy as any).nftablesManager = {
+    ensureNFTablesSetup: async () => {},
+    stop: async () => {}
+  };
+  
+  // Mock admin server
+  (proxy as any).startAdminServer = async function() {
+    (this as any).servers.set(this.settings.port, { 
+      port: this.settings.port,
+      close: async () => {}
+    });
+  };
+  
+  await proxy.start();
+  
+  // Verify that port 80 was added only once
+  expect(port80AddCount).toEqual(1);
+  
+  await proxy.stop();
+});
+
+/**
+ * Test that verifies ACME can use a different port than user routes
+ */
+tap.test('should handle ACME on different port than user routes', async (tools) => {
+  tools.timeout(5000);
+  
+  const portAddHistory: number[] = [];
+  const activePorts = new Set<number>();
+  
+  const settings = {
+    port: 9902,
+    routes: [
+      {
+        name: 'user-route',
+        match: {
+          ports: [80]
+        },
+        action: {
+          type: 'forward' as const,
+          target: { host: 'localhost', port: 3000 }
+        }
+      },
+      {
+        name: 'secure-route',
+        match: {
+          ports: [443]
+        },
+        action: {
+          type: 'forward' as const,
+          target: { host: 'localhost', port: 3001 },
+          tls: {
+            mode: 'terminate' as const,
+            certificate: 'auto' as const
+          }
+        }
+      }
+    ],
+    acme: {
+      email: 'test@test.com',
+      port: 8080  // ACME on different port than user routes
+    }
+  };
+  
+  const proxy = new SmartProxy(settings);
+  
+  // Mock the port manager
+  const mockPortManager = {
+    addPort: async (port: number) => {
+      console.log(`Attempting to add port: ${port}`);
+      if (!activePorts.has(port)) {
+        activePorts.add(port);
+        portAddHistory.push(port);
+        console.log(`Port ${port} added to history`);
+      } else {
+        console.log(`Port ${port} already active, not adding to history`);
+      }
+    },
+    addPorts: async (ports: number[]) => {
+      for (const port of ports) {
+        await mockPortManager.addPort(port);
+      }
+    },
+    updatePorts: async (requiredPorts: Set<number>) => {
+      for (const port of requiredPorts) {
+        await mockPortManager.addPort(port);
+      }
+    },
+    setShuttingDown: () => {},
+    closeAll: async () => { activePorts.clear(); },
+    stop: async () => { await mockPortManager.closeAll(); }
+  };
+  
+  // Inject mocks
+  (proxy as any).portManager = mockPortManager;
+  
+  // Mock certificate manager
+  (proxy as any).createCertificateManager = async function(routes: any[], certDir: string, acmeOptions: any, initialState?: any) {
+    const mockCertManager = {
+      setUpdateRoutesCallback: function(callback: any) { /* noop */ },
+      setHttpProxy: function() {},
+      setGlobalAcmeDefaults: function() {},
+      setAcmeStateManager: function() {},
+      initialize: async function() {
+        // Simulate ACME route addition on different port
+        const challengePort = acmeOptions?.port || 80;
+        const challengeRoute = {
+          name: 'acme-challenge',
+          priority: 1000,
+          match: {
+            ports: challengePort,
+            path: '/.well-known/acme-challenge/*'
+          },
+          action: {
+            type: 'static'
+          }
+        };
+        
+        // Add the ACME port to our port tracking
+        await mockPortManager.addPort(challengePort);
+        
+        // For debugging
+        console.log(`Added ACME challenge port: ${challengePort}`);
+      },
+      provisionAllCertificates: async function() {
+        // Mock implementation to satisfy the call in SmartProxy.start()
+        // Add the ACME challenge port here too in case initialize was skipped
+        const challengePort = acmeOptions?.port || 80;
+        await mockPortManager.addPort(challengePort);
+        console.log(`Added ACME challenge port from provisionAllCertificates: ${challengePort}`);
+      },
+      getAcmeOptions: () => acmeOptions,
+      getState: () => ({ challengeRouteActive: false }),
+      stop: async () => {}
+    };
+    return mockCertManager;
+  };
+  
+  // Mock NFTables
+  (proxy as any).nftablesManager = {
+    ensureNFTablesSetup: async () => {},
+    stop: async () => {}
+  };
+  
+  // Mock admin server
+  (proxy as any).startAdminServer = async function() {
+    (this as any).servers.set(this.settings.port, { 
+      port: this.settings.port,
+      close: async () => {}
+    });
+  };
+  
+  await proxy.start();
+  
+  // Log the port history for debugging
+  console.log('Port add history:', portAddHistory);
+  
+  // Verify that all expected ports were added
+  expect(portAddHistory.includes(80)).toBeTrue();    // User route
+  expect(portAddHistory.includes(443)).toBeTrue();   // TLS route  
+  expect(portAddHistory.includes(8080)).toBeTrue();  // ACME challenge on different port
+  
+  await proxy.stop();
+});
+
+export default tap.start();

test/test.race-conditions.node.ts

@@ -0,0 +1,197 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { SmartProxy, type IRouteConfig } from '../ts/index.js';
+
+/**
+ * Test that verifies mutex prevents race conditions during concurrent route updates
+ */
+tap.test('should handle concurrent route updates without race conditions', async (tools) => {
+  tools.timeout(10000);
+  
+  const settings = {
+    port: 6001,
+    routes: [
+      {
+        name: 'initial-route',
+        match: {
+          ports: 80
+        },
+        action: {
+          type: 'forward' as const,
+          targetUrl: 'http://localhost:3000'
+        }
+      }
+    ],
+    acme: {
+      email: 'test@test.com',
+      port: 80
+    }
+  };
+  
+  const proxy = new SmartProxy(settings);
+  await proxy.start();
+  
+  // Simulate concurrent route updates
+  const updates = [];
+  for (let i = 0; i < 5; i++) {
+    updates.push(proxy.updateRoutes([
+      ...settings.routes,
+      {
+        name: `route-${i}`,
+        match: {
+          ports: [443]
+        },
+        action: {
+          type: 'forward' as const,
+          target: { host: 'localhost', port: 3001 + i },
+          tls: {
+            mode: 'terminate' as const,
+            certificate: 'auto' as const
+          }
+        }
+      }
+    ]));
+  }
+  
+  // All updates should complete without errors
+  await Promise.all(updates);
+  
+  // Verify final state
+  const currentRoutes = proxy['settings'].routes;
+  expect(currentRoutes.length).toEqual(2); // Initial route + last update
+  
+  await proxy.stop();
+});
+
+/**
+ * Test that verifies mutex serializes route updates
+ */
+tap.test('should serialize route updates with mutex', async (tools) => {
+  tools.timeout(10000);
+  
+  const settings = {
+    port: 6002,
+    routes: [{
+      name: 'test-route',
+      match: { ports: [80] },
+      action: {
+        type: 'forward' as const,
+        targetUrl: 'http://localhost:3000'
+      }
+    }]
+  };
+  
+  const proxy = new SmartProxy(settings);
+  await proxy.start();
+  
+  let updateStartCount = 0;
+  let updateEndCount = 0;
+  let maxConcurrent = 0;
+  
+  // Wrap updateRoutes to track concurrent execution
+  const originalUpdateRoutes = proxy['updateRoutes'].bind(proxy);
+  proxy['updateRoutes'] = async (routes: any[]) => {
+    updateStartCount++;
+    const concurrent = updateStartCount - updateEndCount;
+    maxConcurrent = Math.max(maxConcurrent, concurrent);
+    
+    // If mutex is working, only one update should run at a time
+    expect(concurrent).toEqual(1);
+    
+    const result = await originalUpdateRoutes(routes);
+    updateEndCount++;
+    return result;
+  };
+  
+  // Trigger multiple concurrent updates
+  const updates = [];
+  for (let i = 0; i < 5; i++) {
+    updates.push(proxy.updateRoutes([
+      ...settings.routes,
+      {
+        name: `concurrent-route-${i}`,
+        match: { ports: [2000 + i] },
+        action: {
+          type: 'forward' as const,
+          targetUrl: `http://localhost:${3000 + i}`
+        }
+      }
+    ]));
+  }
+  
+  await Promise.all(updates);
+  
+  // All updates should have completed
+  expect(updateStartCount).toEqual(5);
+  expect(updateEndCount).toEqual(5);
+  expect(maxConcurrent).toEqual(1); // Mutex ensures only one at a time
+  
+  await proxy.stop();
+});
+
+/**
+ * Test that challenge route state is preserved across certificate manager recreations
+ */
+tap.test('should preserve challenge route state during cert manager recreation', async (tools) => {
+  tools.timeout(10000);
+  
+  const settings = {
+    port: 6003,
+    routes: [{
+      name: 'acme-route',
+      match: { ports: [443] },
+      action: {
+        type: 'forward' as const,
+        target: { host: 'localhost', port: 3001 },
+        tls: {
+          mode: 'terminate' as const,
+          certificate: 'auto' as const
+        }
+      }
+    }],
+    acme: {
+      email: 'test@test.com',
+      port: 80
+    }
+  };
+  
+  const proxy = new SmartProxy(settings);
+  
+  // Track certificate manager recreations
+  let certManagerCreationCount = 0;
+  const originalCreateCertManager = proxy['createCertificateManager'].bind(proxy);
+  proxy['createCertificateManager'] = async (...args: any[]) => {
+    certManagerCreationCount++;
+    return originalCreateCertManager(...args);
+  };
+  
+  await proxy.start();
+  
+  // Initial creation
+  expect(certManagerCreationCount).toEqual(1);
+  
+  // Multiple route updates
+  for (let i = 0; i < 3; i++) {
+    await proxy.updateRoutes([
+      ...settings.routes as IRouteConfig[],
+      {
+        name: `dynamic-route-${i}`,
+        match: { ports: [9000 + i] },
+        action: {
+          type: 'forward' as const,
+          target: { host: 'localhost', port: 5000 + i }
+        }
+      }
+    ]);
+  }
+  
+  // Certificate manager should be recreated for each update
+  expect(certManagerCreationCount).toEqual(4); // 1 initial + 3 updates
+  
+  // State should be preserved (challenge route active)
+  const globalState = proxy['globalChallengeRouteActive'];
+  expect(globalState).toBeDefined();
+  
+  await proxy.stop();
+});
+
+export default tap.start();

test/test.route-callback-simple.ts

@@ -0,0 +1,116 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { SmartProxy } from '../ts/index.js';
+
+tap.test('should set update routes callback on certificate manager', async () => {
+  // Create a simple proxy with a route requiring certificates
+  const proxy = new SmartProxy({
+    acme: {
+      email: 'test@local.dev',
+      useProduction: false,
+      port: 8080  // Use non-privileged port for ACME challenges globally
+    },
+    routes: [{
+      name: 'test-route',
+      match: {
+        ports: [8443],
+        domains: ['test.local']
+      },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 3000 },
+        tls: {
+          mode: 'terminate',
+          certificate: 'auto',
+          acme: {
+            email: 'test@local.dev',
+            useProduction: false
+          }
+        }
+      }
+    }]
+  });
+  
+  // Track callback setting
+  let callbackSet = false;
+  
+  // Override createCertificateManager to track callback setting
+  (proxy as any).createCertificateManager = async function(
+    routes: any,
+    certStore: string,
+    acmeOptions?: any,
+    initialState?: any
+  ) {
+    // Create a mock certificate manager
+    const mockCertManager = {
+      setUpdateRoutesCallback: function(callback: any) {
+        callbackSet = true;
+      },
+      setHttpProxy: function(proxy: any) {},
+      setGlobalAcmeDefaults: function(defaults: any) {},
+      setAcmeStateManager: function(manager: any) {},
+      initialize: async function() {},
+      provisionAllCertificates: async function() {},
+      stop: async function() {},
+      getAcmeOptions: function() { return acmeOptions || {}; },
+      getState: function() { return initialState || { challengeRouteActive: false }; }
+    };
+    
+    // Mimic the real createCertificateManager behavior
+    // Always set up the route update callback for ACME challenges
+    mockCertManager.setUpdateRoutesCallback(async (routes) => {
+      await this.updateRoutes(routes);
+    });
+    
+    // Connect with HttpProxy if available (mimic real behavior)
+    if ((this as any).httpProxyBridge.getHttpProxy()) {
+      mockCertManager.setHttpProxy((this as any).httpProxyBridge.getHttpProxy());
+    }
+    
+    // Set the ACME state manager
+    mockCertManager.setAcmeStateManager((this as any).acmeStateManager);
+    
+    // Pass down the global ACME config if available
+    if ((this as any).settings.acme) {
+      mockCertManager.setGlobalAcmeDefaults((this as any).settings.acme);
+    }
+    
+    await mockCertManager.initialize();
+    return mockCertManager;
+  };
+  
+  await proxy.start();
+  
+  // The callback should have been set during initialization
+  expect(callbackSet).toEqual(true);
+  
+  // Reset tracking
+  callbackSet = false;
+  
+  // Update routes - this should recreate the certificate manager
+  await proxy.updateRoutes([{
+    name: 'new-route',
+    match: {
+      ports: [8444],
+      domains: ['new.local']
+    },
+    action: {
+      type: 'forward',
+      target: { host: 'localhost', port: 3001 },
+      tls: {
+        mode: 'terminate',
+        certificate: 'auto',
+        acme: {
+          email: 'test@local.dev',
+          useProduction: false
+        }
+      }
+    }
+  }]);
+  
+  // The callback should have been set again after update
+  expect(callbackSet).toEqual(true);
+  
+  await proxy.stop();
+});
+
+tap.start();

test/test.route-config.ts

@@ -1,7 +1,7 @@
 /**
  * Tests for the unified route-based configuration system
  */
-import { expect, tap } from '@push.rocks/tapbundle';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
 
 // Import from core modules
 import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
@@ -82,9 +82,7 @@ tap.test('Routes: Should create HTTPS route with TLS termination', async () => {
 
 tap.test('Routes: Should create HTTP to HTTPS redirect', async () => {
   // Create an HTTP to HTTPS redirect
-  const redirectRoute = createHttpToHttpsRedirect('example.com', 443, {
-    status: 301
-  });
+  const redirectRoute = createHttpToHttpsRedirect('example.com', 443);
 
   // Validate the route configuration
   expect(redirectRoute.match.ports).toEqual(80);

test/test.route-redirects.ts

@@ -0,0 +1,98 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
+import { createHttpToHttpsRedirect } from '../ts/proxies/smart-proxy/utils/route-helpers.js';
+import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
+
+// Test that HTTP to HTTPS redirects work correctly
+tap.test('should handle HTTP to HTTPS redirects', async (tools) => {
+  // Create a simple HTTP to HTTPS redirect route
+  const redirectRoute = createHttpToHttpsRedirect(
+    'example.com',
+    443,
+    {
+      name: 'HTTP to HTTPS Redirect Test'
+    }
+  );
+
+  // Verify the route is configured correctly
+  expect(redirectRoute.action.type).toEqual('redirect');
+  expect(redirectRoute.action.redirect).toBeTruthy();
+  expect(redirectRoute.action.redirect?.to).toEqual('https://{domain}:443{path}');
+  expect(redirectRoute.action.redirect?.status).toEqual(301);
+  expect(redirectRoute.match.ports).toEqual(80);
+  expect(redirectRoute.match.domains).toEqual('example.com');
+});
+
+tap.test('should handle custom redirect configurations', async (tools) => {
+  // Create a custom redirect route
+  const customRedirect: IRouteConfig = {
+    name: 'custom-redirect',
+    match: {
+      ports: [8080],
+      domains: ['old.example.com']
+    },
+    action: {
+      type: 'redirect',
+      redirect: {
+        to: 'https://new.example.com{path}',
+        status: 302
+      }
+    }
+  };
+
+  // Verify the route structure
+  expect(customRedirect.action.redirect?.to).toEqual('https://new.example.com{path}');
+  expect(customRedirect.action.redirect?.status).toEqual(302);
+});
+
+tap.test('should support multiple redirect scenarios', async (tools) => {
+  const routes: IRouteConfig[] = [
+    // HTTP to HTTPS redirect
+    createHttpToHttpsRedirect(['example.com', 'www.example.com']),
+    
+    // Custom redirect with different port
+    {
+      name: 'custom-port-redirect',
+      match: {
+        ports: 8080,
+        domains: 'api.example.com'
+      },
+      action: {
+        type: 'redirect',
+        redirect: {
+          to: 'https://{domain}:8443{path}',
+          status: 308
+        }
+      }
+    },
+    
+    // Redirect to different domain entirely
+    {
+      name: 'domain-redirect',
+      match: {
+        ports: 80,
+        domains: 'old-domain.com'
+      },
+      action: {
+        type: 'redirect',
+        redirect: {
+          to: 'https://new-domain.com{path}',
+          status: 301
+        }
+      }
+    }
+  ];
+
+  // Create SmartProxy with redirect routes
+  const proxy = new SmartProxy({
+    routes
+  });
+
+  // Verify all routes are redirect type
+  routes.forEach(route => {
+    expect(route.action.type).toEqual('redirect');
+    expect(route.action.redirect).toBeTruthy();
+  });
+});
+
+export default tap.start();

test/test.route-update-callback.node.ts

@@ -0,0 +1,339 @@
+import * as plugins from '../ts/plugins.js';
+import { SmartProxy } from '../ts/index.js';
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+
+let testProxy: SmartProxy;
+
+// Create test routes using high ports to avoid permission issues
+const createRoute = (id: number, domain: string, port: number = 8443) => ({
+  name: `test-route-${id}`,
+  match: {
+    ports: [port],
+    domains: [domain]
+  },
+  action: {
+    type: 'forward' as const,
+    target: {
+      host: 'localhost',
+      port: 3000 + id
+    },
+    tls: {
+      mode: 'terminate' as const,
+      certificate: 'auto' as const,
+      acme: {
+        email: 'test@testdomain.test',
+        useProduction: false
+      }
+    }
+  }
+});
+
+tap.test('should create SmartProxy instance', async () => {
+  testProxy = new SmartProxy({
+    routes: [createRoute(1, 'test1.testdomain.test', 8443)],
+    acme: {
+      email: 'test@testdomain.test',
+      useProduction: false,
+      port: 8080
+    }
+  });
+  expect(testProxy).toBeInstanceOf(SmartProxy);
+});
+
+tap.test('should preserve route update callback after updateRoutes', async () => {
+  // Mock the certificate manager to avoid actual ACME initialization
+  const originalInitializeCertManager = (testProxy as any).initializeCertificateManager;
+  let certManagerInitialized = false;
+  
+  (testProxy as any).initializeCertificateManager = async function() {
+    certManagerInitialized = true;
+    // Create a minimal mock certificate manager
+    const mockCertManager = {
+      setUpdateRoutesCallback: function(callback: any) {
+        this.updateRoutesCallback = callback;
+      },
+      updateRoutesCallback: null,
+      setHttpProxy: function() {},
+      setGlobalAcmeDefaults: function() {},
+      setAcmeStateManager: function() {},
+      initialize: async function() {
+        // This is where the callback is actually set in the real implementation
+        return Promise.resolve();
+      },
+      provisionAllCertificates: async function() {
+        return Promise.resolve();
+      },
+      stop: async function() {},
+      getAcmeOptions: function() {
+        return { email: 'test@testdomain.test' };
+      },
+      getState: function() {
+        return { challengeRouteActive: false };
+      }
+    };
+    
+    (this as any).certManager = mockCertManager;
+    
+    // Simulate the real behavior where setUpdateRoutesCallback is called
+    mockCertManager.setUpdateRoutesCallback(async (routes: any) => {
+      await this.updateRoutes(routes);
+    });
+  };
+  
+  // Start the proxy (with mocked cert manager)
+  await testProxy.start();
+  expect(certManagerInitialized).toEqual(true);
+  
+  // Get initial certificate manager reference
+  const initialCertManager = (testProxy as any).certManager;
+  expect(initialCertManager).toBeTruthy();
+  expect(initialCertManager.updateRoutesCallback).toBeTruthy();
+  
+  // Store the initial callback reference
+  const initialCallback = initialCertManager.updateRoutesCallback;
+  
+  // Update routes - this should recreate the cert manager with callback
+  const newRoutes = [
+    createRoute(1, 'test1.testdomain.test', 8443),
+    createRoute(2, 'test2.testdomain.test', 8444)
+  ];
+  
+  // Mock the updateRoutes to simulate the real implementation
+  testProxy.updateRoutes = async function(routes) {
+    // Update settings
+    this.settings.routes = routes;
+    
+    // Simulate what happens in the real code - recreate cert manager via createCertificateManager
+    if ((this as any).certManager) {
+      await (this as any).certManager.stop();
+      
+      // Simulate createCertificateManager which creates a new cert manager
+      const newMockCertManager = {
+        setUpdateRoutesCallback: function(callback: any) {
+          this.updateRoutesCallback = callback;
+        },
+        updateRoutesCallback: null,
+        setHttpProxy: function() {},
+        setGlobalAcmeDefaults: function() {},
+        setAcmeStateManager: function() {},
+        initialize: async function() {},
+        provisionAllCertificates: async function() {},
+        stop: async function() {},
+        getAcmeOptions: function() {
+          return { email: 'test@testdomain.test' };
+        },
+        getState: function() {
+          return { challengeRouteActive: false };
+        }
+      };
+      
+      // Set the callback as done in createCertificateManager
+      newMockCertManager.setUpdateRoutesCallback(async (routes: any) => {
+        await this.updateRoutes(routes);
+      });
+      
+      (this as any).certManager = newMockCertManager;
+      await (this as any).certManager.initialize();
+    }
+  };
+  
+  await testProxy.updateRoutes(newRoutes);
+  
+  // Get new certificate manager reference
+  const newCertManager = (testProxy as any).certManager;
+  expect(newCertManager).toBeTruthy();
+  expect(newCertManager).not.toEqual(initialCertManager); // Should be a new instance
+  expect(newCertManager.updateRoutesCallback).toBeTruthy(); // Callback should be set
+  
+  // Test that the callback works
+  const testChallengeRoute = {
+    name: 'acme-challenge',
+    match: {
+      ports: [8080],
+      path: '/.well-known/acme-challenge/*'
+    },
+    action: {
+      type: 'static' as const,
+      content: 'challenge-token'
+    }
+  };
+  
+  // This should not throw "No route update callback set" error
+  let callbackWorked = false;
+  try {
+    // If callback is set, this should work
+    if (newCertManager.updateRoutesCallback) {
+      await newCertManager.updateRoutesCallback([...newRoutes, testChallengeRoute]);
+      callbackWorked = true;
+    }
+  } catch (error) {
+    throw new Error(`Route update callback failed: ${error.message}`);
+  }
+  
+  expect(callbackWorked).toEqual(true);
+  console.log('Route update callback successfully preserved and invoked');
+});
+
+tap.test('should handle multiple sequential route updates', async () => {
+  // Continue with the mocked proxy from previous test
+  let updateCount = 0;
+  
+  // Perform multiple route updates
+  for (let i = 1; i <= 3; i++) {
+    const routes = [];
+    for (let j = 1; j <= i; j++) {
+      routes.push(createRoute(j, `test${j}.testdomain.test`, 8440 + j));
+    }
+    
+    await testProxy.updateRoutes(routes);
+    updateCount++;
+    
+    // Verify cert manager is properly set up each time
+    const certManager = (testProxy as any).certManager;
+    expect(certManager).toBeTruthy();
+    expect(certManager.updateRoutesCallback).toBeTruthy();
+    
+    console.log(`Route update ${i} callback is properly set`);
+  }
+  
+  expect(updateCount).toEqual(3);
+});
+
+tap.test('should handle route updates when cert manager is not initialized', async () => {
+  // Create proxy without routes that need certificates
+  const proxyWithoutCerts = new SmartProxy({
+    routes: [{
+      name: 'no-cert-route',
+      match: {
+        ports: [9080]
+      },
+      action: {
+        type: 'forward' as const,
+        target: {
+          host: 'localhost',
+          port: 3000
+        }
+      }
+    }]
+  });
+  
+  // Mock initializeCertificateManager to avoid ACME issues
+  (proxyWithoutCerts as any).initializeCertificateManager = async function() {
+    // Only create cert manager if routes need it
+    const autoRoutes = this.settings.routes.filter((r: any) => 
+      r.action.tls?.certificate === 'auto'
+    );
+    
+    if (autoRoutes.length === 0) {
+      console.log('No routes require certificate management');
+      return;
+    }
+    
+    // Create mock cert manager
+    const mockCertManager = {
+      setUpdateRoutesCallback: function(callback: any) {
+        this.updateRoutesCallback = callback;
+      },
+      updateRoutesCallback: null,
+      setHttpProxy: function() {},
+      initialize: async function() {},
+      provisionAllCertificates: async function() {},
+      stop: async function() {},
+      getAcmeOptions: function() {
+        return { email: 'test@testdomain.test' };
+      },
+      getState: function() {
+        return { challengeRouteActive: false };
+      }
+    };
+    
+    (this as any).certManager = mockCertManager;
+    
+    // Set the callback
+    mockCertManager.setUpdateRoutesCallback(async (routes: any) => {
+      await this.updateRoutes(routes);
+    });
+  };
+  
+  await proxyWithoutCerts.start();
+  
+  // This should not have a cert manager
+  const certManager = (proxyWithoutCerts as any).certManager;
+  expect(certManager).toBeFalsy();
+  
+  // Update with routes that need certificates
+  await proxyWithoutCerts.updateRoutes([createRoute(1, 'cert-needed.testdomain.test', 9443)]);
+  
+  // In the real implementation, cert manager is not created by updateRoutes if it doesn't exist
+  // This is the expected behavior - cert manager is only created during start() or re-created if already exists
+  const newCertManager = (proxyWithoutCerts as any).certManager;
+  expect(newCertManager).toBeFalsy(); // Should still be null
+  
+  await proxyWithoutCerts.stop();
+});
+
+tap.test('should clean up properly', async () => {
+  await testProxy.stop();
+});
+
+tap.test('real code integration test - verify fix is applied', async () => {
+  // This test will start with routes that need certificates to test the fix
+  const realProxy = new SmartProxy({
+    routes: [createRoute(1, 'test.example.com', 9999)],
+    acme: {
+      email: 'test@example.com',
+      useProduction: false,
+      port: 18080
+    }
+  });
+  
+  // Mock the certificate manager creation to track callback setting
+  let callbackSet = false;
+  (realProxy as any).createCertificateManager = async function(routes: any[], certDir: string, acmeOptions: any, initialState?: any) {
+    const mockCertManager = {
+      setUpdateRoutesCallback: function(callback: any) {
+        callbackSet = true;
+        this.updateRoutesCallback = callback;
+      },
+      updateRoutesCallback: null as any,
+      setHttpProxy: function() {},
+      setGlobalAcmeDefaults: function() {},
+      setAcmeStateManager: function() {},
+      initialize: async function() {},
+      provisionAllCertificates: async function() {},
+      stop: async function() {},
+      getAcmeOptions: function() {
+        return acmeOptions || { email: 'test@example.com', useProduction: false };
+      },
+      getState: function() {
+        return initialState || { challengeRouteActive: false };
+      }
+    };
+    
+    // Always set up the route update callback for ACME challenges
+    mockCertManager.setUpdateRoutesCallback(async (routes) => {
+      await this.updateRoutes(routes);
+    });
+    
+    return mockCertManager;
+  };
+  
+  await realProxy.start();
+  
+  // The callback should have been set during initialization
+  expect(callbackSet).toEqual(true);
+  callbackSet = false; // Reset for update test
+  
+  // Update routes - this should recreate cert manager with callback preserved
+  const newRoute = createRoute(2, 'test2.example.com', 9999);
+  await realProxy.updateRoutes([createRoute(1, 'test.example.com', 9999), newRoute]);
+  
+  // The callback should have been set again during update
+  expect(callbackSet).toEqual(true);
+  
+  await realProxy.stop();
+  
+  console.log('Real code integration test passed - fix is correctly applied!');
+});
+
+tap.start();

test/test.route-update-logger-errors.ts

@@ -0,0 +1,99 @@
+import * as plugins from '../ts/plugins.js';
+import { SmartProxy } from '../ts/index.js';
+import { SmartCertManager } from '../ts/proxies/smart-proxy/certificate-manager.js';
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+
+// Create test routes using high ports to avoid permission issues
+const createRoute = (id: number, domain: string, port: number = 8443) => ({
+  name: `test-route-${id}`,
+  match: {
+    ports: [port],
+    domains: [domain]
+  },
+  action: {
+    type: 'forward' as const,
+    target: {
+      host: 'localhost',
+      port: 3000 + id
+    }
+  }
+});
+
+// Test function to check if error handling is applied to logger calls
+tap.test('should have error handling around logger calls in route update callbacks', async () => {
+  // Create a simple cert manager instance for testing
+  const certManager = new SmartCertManager(
+    [createRoute(1, 'test.example.com', 8443)],
+    './certs',
+    { email: 'test@example.com', useProduction: false }
+  );
+  
+  // Create a mock update routes callback that tracks if it was called
+  let callbackCalled = false;
+  const mockCallback = async (routes: any[]) => {
+    callbackCalled = true;
+    // Just return without doing anything
+    return Promise.resolve();
+  };
+  
+  // Set the callback
+  certManager.setUpdateRoutesCallback(mockCallback);
+  
+  // Verify the callback was successfully set
+  expect(callbackCalled).toEqual(false);
+  
+  // Create a test route
+  const testRoute = createRoute(2, 'test2.example.com', 8444);
+  
+  // Verify we can add a challenge route without error
+  // This tests the try/catch we added around addChallengeRoute logger calls
+  try {
+    // Accessing private method for testing
+    // @ts-ignore
+    await (certManager as any).addChallengeRoute();
+    // If we got here without error, the error handling works
+    expect(true).toEqual(true);
+  } catch (error) {
+    // This shouldn't happen if our error handling is working
+    // Error handling failed in addChallengeRoute
+    expect(false).toEqual(true);
+  }
+  
+  // Verify that we handle errors in removeChallengeRoute
+  try {
+    // Set the flag to active so we can test removal logic
+    // @ts-ignore
+    certManager.challengeRouteActive = true;
+    // @ts-ignore
+    await (certManager as any).removeChallengeRoute();
+    // If we got here without error, the error handling works
+    expect(true).toEqual(true);
+  } catch (error) {
+    // This shouldn't happen if our error handling is working
+    // Error handling failed in removeChallengeRoute
+    expect(false).toEqual(true);
+  }
+});
+
+// Test verifyChallengeRouteRemoved error handling
+tap.test('should have error handling in verifyChallengeRouteRemoved', async () => {
+  // Create a SmartProxy for testing
+  const testProxy = new SmartProxy({
+    routes: [createRoute(1, 'test1.domain.test')]
+  });
+  
+  // Verify that verifyChallengeRouteRemoved has error handling
+  try {
+    // @ts-ignore - Access private method for testing
+    await (testProxy as any).verifyChallengeRouteRemoved();
+    // If we got here without error, the try/catch is working
+    // (This will still throw at the end after max retries, but we're testing that 
+    // the logger calls have try/catch blocks around them)
+  } catch (error) {
+    // This error is expected since we don't have a real challenge route
+    // But we're testing that the logger calls don't throw
+    expect(error.message).toContain('Failed to verify challenge route removal');
+  }
+});
+
+tap.start();

test/test.route-utils.ts

@@ -1,4 +1,4 @@
-import { tap, expect } from '@push.rocks/tapbundle';
+import { tap, expect } from '@git.zone/tstest/tapbundle';
 import * as plugins from '../ts/plugins.js';
 
 // Import from individual modules to avoid naming conflicts
@@ -189,7 +189,7 @@ tap.test('Route Validation - validateRouteAction', async () => {
   // Invalid action (missing static root)
   const invalidStaticAction: IRouteAction = {
     type: 'static',
-    static: {}
+    static: {} as any // Testing invalid static config without required 'root' property
   };
   const invalidStaticResult = validateRouteAction(invalidStaticAction);
   expect(invalidStaticResult.valid).toBeFalse();

test/test.router.ts

@@ -1,7 +1,7 @@
-import { expect, tap } from '@push.rocks/tapbundle';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
 import * as tsclass from '@tsclass/tsclass';
 import * as http from 'http';
-import { ProxyRouter, type RouterResult } from '../ts/http/router/proxy-router.js';
+import { ProxyRouter, type RouterResult } from '../ts/routing/router/proxy-router.js';
 
 // Test proxies and configurations
 let router: ProxyRouter;

test/test.simple-acme-mock.ts

@@ -0,0 +1,88 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { SmartProxy } from '../ts/index.js';
+
+/**
+ * Simple test to check route manager initialization with ACME
+ */
+tap.test('should properly initialize with ACME configuration', async (tools) => {
+  const settings = {
+    routes: [
+      {
+        name: 'secure-route', 
+        match: {
+          ports: [8443],
+          domains: 'test.example.com'
+        },
+        action: {
+          type: 'forward' as const,
+          target: { host: 'localhost', port: 8080 },
+          tls: {
+            mode: 'terminate' as const,
+            certificate: 'auto' as const,
+            acme: {
+              email: 'ssl@bleu.de',
+              challengePort: 8080
+            }
+          }
+        }
+      }
+    ],
+    acme: {
+      email: 'ssl@bleu.de',
+      port: 8080,
+      useProduction: false,
+      enabled: true
+    }
+  };
+  
+  const proxy = new SmartProxy(settings);
+  
+  // Replace the certificate manager creation to avoid real ACME requests
+  (proxy as any).createCertificateManager = async () => {
+    return {
+      setUpdateRoutesCallback: () => {},
+      setHttpProxy: () => {},
+      setGlobalAcmeDefaults: () => {},
+      setAcmeStateManager: () => {},
+      initialize: async () => {
+        // Using logger would be better but in test we'll keep console.log
+        console.log('Mock certificate manager initialized');
+      },
+      provisionAllCertificates: async () => {
+        console.log('Mock certificate provisioning');
+      },
+      stop: async () => {
+        console.log('Mock certificate manager stopped');
+      }
+    };
+  };
+  
+  // Mock NFTables
+  (proxy as any).nftablesManager = {
+    provisionRoute: async () => {},
+    deprovisionRoute: async () => {},
+    updateRoute: async () => {},
+    getStatus: async () => ({}),
+    stop: async () => {}
+  };
+  
+  await proxy.start();
+  
+  // Verify proxy started successfully
+  expect(proxy).toBeDefined();
+  
+  // Verify route manager has routes
+  const routeManager = (proxy as any).routeManager;
+  expect(routeManager).toBeDefined();
+  expect(routeManager.getAllRoutes().length).toBeGreaterThan(0);
+  
+  // Verify the route exists with correct domain
+  const routes = routeManager.getAllRoutes();
+  const secureRoute = routes.find((r: any) => r.name === 'secure-route');
+  expect(secureRoute).toBeDefined();
+  expect(secureRoute.match.domains).toEqual('test.example.com');
+  
+  await proxy.stop();
+});
+
+tap.start();

test/test.smartacme-integration.ts

@@ -0,0 +1,54 @@
+import * as plugins from '../ts/plugins.js';
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { SmartCertManager } from '../ts/proxies/smart-proxy/certificate-manager.js';
+import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
+
+let certManager: SmartCertManager;
+
+tap.test('should create a SmartCertManager instance', async () => {
+  const routes: IRouteConfig[] = [
+    {
+      name: 'test-acme-route',
+      match: {
+        domains: ['test.example.com'],
+        ports: []
+      },
+      action: {
+        type: 'forward',
+        target: { 
+          host: 'localhost', 
+          port: 3000 
+        },
+        tls: {
+          mode: 'terminate',
+          certificate: 'auto',
+          acme: {
+            email: 'test@example.com'
+          }
+        }
+      }
+    }
+  ];
+
+  certManager = new SmartCertManager(routes, './test-certs', {
+    email: 'test@example.com',
+    useProduction: false
+  });
+
+  // Just verify it creates without error
+  expect(certManager).toBeInstanceOf(SmartCertManager);
+});
+
+tap.test('should verify SmartAcme handlers are accessible', async () => {
+  // Test that we can access SmartAcme handlers
+  const http01Handler = new plugins.smartacme.handlers.Http01MemoryHandler();
+  expect(http01Handler).toBeDefined();
+});
+
+tap.test('should verify SmartAcme cert managers are accessible', async () => {
+  // Test that we can access SmartAcme cert managers
+  const memoryCertManager = new plugins.smartacme.certmanagers.MemoryCertManager();
+  expect(memoryCertManager).toBeDefined();
+});
+
+tap.start();

test/test.smartproxy.ts

@@ -1,4 +1,4 @@
-import { expect, tap } from '@push.rocks/tapbundle';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
 import * as net from 'net';
 import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
 
@@ -82,7 +82,7 @@ tap.test('setup port proxy test environment', async () => {
     ],
     defaults: {
       security: {
-        allowedIps: ['127.0.0.1']
+        ipAllowList: ['127.0.0.1']
       }
     }
   });
@@ -121,7 +121,7 @@ tap.test('should forward TCP connections to custom host', async () => {
     ],
     defaults: {
       security: {
-        allowedIps: ['127.0.0.1']
+        ipAllowList: ['127.0.0.1']
       }
     }
   });
@@ -166,7 +166,7 @@ tap.test('should forward connections to custom IP', async () => {
     ],
     defaults: {
       security: {
-        allowedIps: ['127.0.0.1', '::ffff:127.0.0.1']
+        ipAllowList: ['127.0.0.1', '::ffff:127.0.0.1']
       }
     }
   });
@@ -261,7 +261,7 @@ tap.test('should support optional source IP preservation in chained proxies', as
     ],
     defaults: {
       security: {
-        allowedIps: ['127.0.0.1', '::ffff:127.0.0.1']
+        ipAllowList: ['127.0.0.1', '::ffff:127.0.0.1']
       }
     }
   });
@@ -282,7 +282,7 @@ tap.test('should support optional source IP preservation in chained proxies', as
     ],
     defaults: {
       security: {
-        allowedIps: ['127.0.0.1', '::ffff:127.0.0.1']
+        ipAllowList: ['127.0.0.1', '::ffff:127.0.0.1']
       }
     }
   });
@@ -320,7 +320,7 @@ tap.test('should support optional source IP preservation in chained proxies', as
     ],
     defaults: {
       security: {
-        allowedIps: ['127.0.0.1']
+        ipAllowList: ['127.0.0.1']
       },
       preserveSourceIP: true
     },
@@ -343,7 +343,7 @@ tap.test('should support optional source IP preservation in chained proxies', as
     ],
     defaults: {
       security: {
-        allowedIps: ['127.0.0.1']
+        ipAllowList: ['127.0.0.1']
       },
       preserveSourceIP: true
     },

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '18.0.0',
+  version: '19.5.0',
   description: 'A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.'
 }

ts/certificate/acme/acme-factory.ts

@@ -1,48 +0,0 @@
-import * as fs from 'fs';
-import * as path from 'path';
-import type { IAcmeOptions } from '../models/certificate-types.js';
-import { ensureCertificateDirectory } from '../utils/certificate-helpers.js';
-// We'll need to update this import when we move the Port80Handler
-import { Port80Handler } from '../../http/port80/port80-handler.js';
-
-/**
- * Factory to create a Port80Handler with common setup.
- * Ensures the certificate store directory exists and instantiates the handler.
- * @param options Port80Handler configuration options
- * @returns A new Port80Handler instance
- */
-export function buildPort80Handler(
-  options: IAcmeOptions
-): Port80Handler {
-  if (options.certificateStore) {
-    ensureCertificateDirectory(options.certificateStore);
-    console.log(`Ensured certificate store directory: ${options.certificateStore}`);
-  }
-  return new Port80Handler(options);
-}
-
-/**
- * Creates default ACME options with sensible defaults
- * @param email Account email for ACME provider
- * @param certificateStore Path to store certificates
- * @param useProduction Whether to use production ACME servers
- * @returns Configured ACME options
- */
-export function createDefaultAcmeOptions(
-  email: string,
-  certificateStore: string,
-  useProduction: boolean = false
-): IAcmeOptions {
-  return {
-    accountEmail: email,
-    enabled: true,
-    port: 80,
-    useProduction,
-    httpsRedirectPort: 443,
-    renewThresholdDays: 30,
-    renewCheckIntervalHours: 24,
-    autoRenew: true,
-    certificateStore,
-    skipConfiguredCerts: false
-  };
-}

ts/certificate/acme/challenge-handler.ts

@@ -1,110 +0,0 @@
-import * as plugins from '../../plugins.js';
-import type { IAcmeOptions, ICertificateData } from '../models/certificate-types.js';
-import { CertificateEvents } from '../events/certificate-events.js';
-
-/**
- * Manages ACME challenges and certificate validation
- */
-export class AcmeChallengeHandler extends plugins.EventEmitter {
-  private options: IAcmeOptions;
-  private client: any; // ACME client from plugins
-  private pendingChallenges: Map<string, any>;
-
-  /**
-   * Creates a new ACME challenge handler
-   * @param options ACME configuration options
-   */
-  constructor(options: IAcmeOptions) {
-    super();
-    this.options = options;
-    this.pendingChallenges = new Map();
-
-    // Initialize ACME client if needed
-    // This is just a placeholder implementation since we don't use the actual
-    // client directly in this implementation - it's handled by Port80Handler
-    this.client = null;
-    console.log('Created challenge handler with options:',
-      options.accountEmail,
-      options.useProduction ? 'production' : 'staging'
-    );
-  }
-
-  /**
-   * Gets or creates the ACME account key
-   */
-  private getAccountKey(): Buffer {
-    // Implementation details would depend on plugin requirements
-    // This is a simplified version
-    if (!this.options.certificateStore) {
-      throw new Error('Certificate store is required for ACME challenges');
-    }
-    
-    // This is just a placeholder - actual implementation would check for
-    // existing account key and create one if needed
-    return Buffer.from('account-key-placeholder');
-  }
-
-  /**
-   * Validates a domain using HTTP-01 challenge
-   * @param domain Domain to validate
-   * @param challengeToken ACME challenge token
-   * @param keyAuthorization Key authorization for the challenge
-   */
-  public async handleHttpChallenge(
-    domain: string,
-    challengeToken: string,
-    keyAuthorization: string
-  ): Promise<void> {
-    // Store challenge for response
-    this.pendingChallenges.set(challengeToken, keyAuthorization);
-    
-    try {
-      // Wait for challenge validation - this would normally be handled by the ACME client
-      await new Promise(resolve => setTimeout(resolve, 1000));
-      this.emit(CertificateEvents.CERTIFICATE_ISSUED, {
-        domain,
-        success: true
-      });
-    } catch (error) {
-      this.emit(CertificateEvents.CERTIFICATE_FAILED, {
-        domain,
-        error: error instanceof Error ? error.message : String(error),
-        isRenewal: false
-      });
-      throw error;
-    } finally {
-      // Clean up the challenge
-      this.pendingChallenges.delete(challengeToken);
-    }
-  }
-
-  /**
-   * Responds to an HTTP-01 challenge request
-   * @param token Challenge token from the request path
-   * @returns The key authorization if found
-   */
-  public getChallengeResponse(token: string): string | null {
-    return this.pendingChallenges.get(token) || null;
-  }
-
-  /**
-   * Checks if a request path is an ACME challenge
-   * @param path Request path
-   * @returns True if this is an ACME challenge request
-   */
-  public isAcmeChallenge(path: string): boolean {
-    return path.startsWith('/.well-known/acme-challenge/');
-  }
-
-  /**
-   * Extracts the challenge token from an ACME challenge path
-   * @param path Request path
-   * @returns The challenge token if valid
-   */
-  public extractChallengeToken(path: string): string | null {
-    if (!this.isAcmeChallenge(path)) return null;
-    
-    const parts = path.split('/');
-    return parts[parts.length - 1] || null;
-  }
-}

ts/certificate/acme/index.ts

@@ -1,3 +0,0 @@
-/**
- * ACME certificate provisioning
- */

ts/certificate/events/certificate-events.ts

@@ -1,36 +0,0 @@
-/**
- * Certificate-related events emitted by certificate management components
- */
-export enum CertificateEvents {
-  CERTIFICATE_ISSUED = 'certificate-issued',
-  CERTIFICATE_RENEWED = 'certificate-renewed',
-  CERTIFICATE_FAILED = 'certificate-failed',
-  CERTIFICATE_EXPIRING = 'certificate-expiring',
-  CERTIFICATE_APPLIED = 'certificate-applied',
-  // Events moved from Port80Handler for compatibility
-  MANAGER_STARTED = 'manager-started',
-  MANAGER_STOPPED = 'manager-stopped',
-}
-
-/**
- * Port80Handler-specific events including certificate-related ones
- * @deprecated Use CertificateEvents and HttpEvents instead
- */
-export enum Port80HandlerEvents {
-  CERTIFICATE_ISSUED = 'certificate-issued',
-  CERTIFICATE_RENEWED = 'certificate-renewed',
-  CERTIFICATE_FAILED = 'certificate-failed',
-  CERTIFICATE_EXPIRING = 'certificate-expiring',
-  MANAGER_STARTED = 'manager-started',
-  MANAGER_STOPPED = 'manager-stopped',
-  REQUEST_FORWARDED = 'request-forwarded',
-}
-
-/**
- * Certificate provider events
- */
-export enum CertProvisionerEvents {
-  CERTIFICATE_ISSUED = 'certificate',
-  CERTIFICATE_RENEWED = 'certificate',
-  CERTIFICATE_FAILED = 'certificate-failed'
-}

ts/certificate/index.ts

@@ -1,75 +0,0 @@
-/**
- * Certificate management module for SmartProxy
- * Provides certificate provisioning, storage, and management capabilities
- */
-
-// Certificate types and models
-export * from './models/certificate-types.js';
-
-// Certificate events
-export * from './events/certificate-events.js';
-
-// Certificate providers
-export * from './providers/cert-provisioner.js';
-
-// ACME related exports
-export * from './acme/acme-factory.js';
-export * from './acme/challenge-handler.js';
-
-// Certificate utilities
-export * from './utils/certificate-helpers.js';
-
-// Certificate storage
-export * from './storage/file-storage.js';
-
-// Convenience function to create a certificate provisioner with common settings
-import { CertProvisioner } from './providers/cert-provisioner.js';
-import type { TCertProvisionObject } from './providers/cert-provisioner.js';
-import { buildPort80Handler } from './acme/acme-factory.js';
-import type { IAcmeOptions, IRouteForwardConfig } from './models/certificate-types.js';
-import type { IRouteConfig } from '../proxies/smart-proxy/models/route-types.js';
-
-/**
- * Interface for NetworkProxyBridge used by CertProvisioner
- */
-interface ICertNetworkProxyBridge {
-  applyExternalCertificate(certData: any): void;
-}
-
-/**
- * Creates a complete certificate provisioning system with default settings
- * @param routeConfigs Route configurations that may need certificates
- * @param acmeOptions ACME options for certificate provisioning
- * @param networkProxyBridge Bridge to apply certificates to network proxy
- * @param certProvider Optional custom certificate provider
- * @returns Configured CertProvisioner
- */
-export function createCertificateProvisioner(
-  routeConfigs: IRouteConfig[],
-  acmeOptions: IAcmeOptions,
-  networkProxyBridge: ICertNetworkProxyBridge,
-  certProvider?: (domain: string) => Promise<TCertProvisionObject>
-): CertProvisioner {
-  // Build the Port80Handler for ACME challenges
-  const port80Handler = buildPort80Handler(acmeOptions);
-
-  // Extract ACME-specific configuration
-  const {
-    renewThresholdDays = 30,
-    renewCheckIntervalHours = 24,
-    autoRenew = true,
-    routeForwards = []
-  } = acmeOptions;
-
-  // Create and return the certificate provisioner
-  return new CertProvisioner(
-    routeConfigs,
-    port80Handler,
-    networkProxyBridge,
-    certProvider,
-    renewThresholdDays,
-    renewCheckIntervalHours,
-    autoRenew,
-    routeForwards
-  );
-}

ts/certificate/models/certificate-types.ts

@@ -1,109 +0,0 @@
-import * as plugins from '../../plugins.js';
-import type { IRouteConfig } from '../../proxies/smart-proxy/models/route-types.js';
-
-/**
- * Certificate data structure containing all necessary information
- * about a certificate
- */
-export interface ICertificateData {
-  domain: string;
-  certificate: string;
-  privateKey: string;
-  expiryDate: Date;
-  // Optional source and renewal information for event emissions
-  source?: 'static' | 'http01' | 'dns01';
-  isRenewal?: boolean;
-  // Reference to the route that requested this certificate (if available)
-  routeReference?: {
-    routeId?: string;
-    routeName?: string;
-  };
-}
-
-/**
- * Certificates pair (private and public keys)
- */
-export interface ICertificates {
-  privateKey: string;
-  publicKey: string;
-}
-
-/**
- * Certificate failure payload type
- */
-export interface ICertificateFailure {
-  domain: string;
-  error: string;
-  isRenewal: boolean;
-  routeReference?: {
-    routeId?: string;
-    routeName?: string;
-  };
-}
-
-/**
- * Certificate expiry payload type
- */
-export interface ICertificateExpiring {
-  domain: string;
-  expiryDate: Date;
-  daysRemaining: number;
-  routeReference?: {
-    routeId?: string;
-    routeName?: string;
-  };
-}
-
-/**
- * Route-specific forwarding configuration for ACME challenges
- */
-export interface IRouteForwardConfig {
-  domain: string;
-  target: {
-    host: string;
-    port: number;
-  };
-  sslRedirect?: boolean;
-}
-
-/**
- * Domain configuration options for Port80Handler
- *
- * This is used internally by the Port80Handler to manage domains
- * but will eventually be replaced with route-based options.
- */
-export interface IDomainOptions {
-  domainName: string;
-  sslRedirect: boolean;   // if true redirects the request to port 443
-  acmeMaintenance: boolean; // tries to always have a valid cert for this domain
-  forward?: {
-    ip: string;
-    port: number;
-  }; // forwards all http requests to that target
-  acmeForward?: {
-    ip: string;
-    port: number;
-  }; // forwards letsencrypt requests to this config
-  routeReference?: {
-    routeId?: string;
-    routeName?: string;
-  };
-}
-
-/**
- * Unified ACME configuration options used across proxies and handlers
- */
-export interface IAcmeOptions {
-  accountEmail?: string;          // Email for Let's Encrypt account
-  enabled?: boolean;              // Whether ACME is enabled
-  port?: number;                  // Port to listen on for ACME challenges (default: 80)
-  useProduction?: boolean;        // Use production environment (default: staging)
-  httpsRedirectPort?: number;     // Port to redirect HTTP requests to HTTPS (default: 443)
-  renewThresholdDays?: number;    // Days before expiry to renew certificates
-  renewCheckIntervalHours?: number; // How often to check for renewals (in hours)
-  autoRenew?: boolean;            // Whether to automatically renew certificates
-  certificateStore?: string;      // Directory to store certificates
-  skipConfiguredCerts?: boolean;  // Skip domains with existing certificates
-  routeForwards?: IRouteForwardConfig[]; // Route-specific forwarding configs
-}
-

ts/certificate/providers/cert-provisioner.ts

@@ -1,519 +0,0 @@
-import * as plugins from '../../plugins.js';
-import type { IRouteConfig } from '../../proxies/smart-proxy/models/route-types.js';
-import type { ICertificateData, IRouteForwardConfig, IDomainOptions } from '../models/certificate-types.js';
-import { Port80HandlerEvents, CertProvisionerEvents } from '../events/certificate-events.js';
-import { Port80Handler } from '../../http/port80/port80-handler.js';
-
-// Interface for NetworkProxyBridge
-interface INetworkProxyBridge {
-  applyExternalCertificate(certData: ICertificateData): void;
-}
-
-/**
- * Type for static certificate provisioning
- */
-export type TCertProvisionObject = plugins.tsclass.network.ICert | 'http01' | 'dns01';
-
-/**
- * Interface for routes that need certificates
- */
-interface ICertRoute {
-  domain: string;
-  route: IRouteConfig;
-  tlsMode: 'terminate' | 'terminate-and-reencrypt';
-}
-
-/**
- * CertProvisioner manages certificate provisioning and renewal workflows,
- * unifying static certificates and HTTP-01 challenges via Port80Handler.
- *
- * This class directly works with route configurations instead of converting to domain configs.
- */
-export class CertProvisioner extends plugins.EventEmitter {
-  private routeConfigs: IRouteConfig[];
-  private certRoutes: ICertRoute[] = [];
-  private port80Handler: Port80Handler;
-  private networkProxyBridge: INetworkProxyBridge;
-  private certProvisionFunction?: (domain: string) => Promise<TCertProvisionObject>;
-  private routeForwards: IRouteForwardConfig[];
-  private renewThresholdDays: number;
-  private renewCheckIntervalHours: number;
-  private autoRenew: boolean;
-  private renewManager?: plugins.taskbuffer.TaskManager;
-  // Track provisioning type per domain
-  private provisionMap: Map<string, { type: 'http01' | 'dns01' | 'static', routeRef?: ICertRoute }>;
-
-  /**
-   * Extract routes that need certificates
-   * @param routes Route configurations
-   */
-  private extractCertificateRoutesFromRoutes(routes: IRouteConfig[]): ICertRoute[] {
-    const certRoutes: ICertRoute[] = [];
-
-    // Process all HTTPS routes that need certificates
-    for (const route of routes) {
-      // Only process routes with TLS termination that need certificates
-      if (route.action.type === 'forward' &&
-          route.action.tls &&
-          (route.action.tls.mode === 'terminate' || route.action.tls.mode === 'terminate-and-reencrypt') &&
-          route.match.domains) {
-
-        // Extract domains from the route
-        const domains = Array.isArray(route.match.domains)
-          ? route.match.domains
-          : [route.match.domains];
-
-        // For each domain in the route, create a certRoute entry
-        for (const domain of domains) {
-          // Skip wildcard domains that can't use ACME unless we have a certProvider
-          if (domain.includes('*') && (!this.certProvisionFunction || this.certProvisionFunction.length === 0)) {
-            console.warn(`Skipping wildcard domain that requires a certProvisionFunction: ${domain}`);
-            continue;
-          }
-
-          certRoutes.push({
-            domain,
-            route,
-            tlsMode: route.action.tls.mode
-          });
-        }
-      }
-    }
-
-    return certRoutes;
-  }
-
-  /**
-   * Constructor for CertProvisioner
-   *
-   * @param routeConfigs Array of route configurations
-   * @param port80Handler HTTP-01 challenge handler instance
-   * @param networkProxyBridge Bridge for applying external certificates
-   * @param certProvider Optional callback returning a static cert or 'http01'
-   * @param renewThresholdDays Days before expiry to trigger renewals
-   * @param renewCheckIntervalHours Interval in hours to check for renewals
-   * @param autoRenew Whether to automatically schedule renewals
-   * @param routeForwards Route-specific forwarding configs for ACME challenges
-   */
-  constructor(
-    routeConfigs: IRouteConfig[],
-    port80Handler: Port80Handler,
-    networkProxyBridge: INetworkProxyBridge,
-    certProvider?: (domain: string) => Promise<TCertProvisionObject>,
-    renewThresholdDays: number = 30,
-    renewCheckIntervalHours: number = 24,
-    autoRenew: boolean = true,
-    routeForwards: IRouteForwardConfig[] = []
-  ) {
-    super();
-    this.routeConfigs = routeConfigs;
-    this.port80Handler = port80Handler;
-    this.networkProxyBridge = networkProxyBridge;
-    this.certProvisionFunction = certProvider;
-    this.renewThresholdDays = renewThresholdDays;
-    this.renewCheckIntervalHours = renewCheckIntervalHours;
-    this.autoRenew = autoRenew;
-    this.provisionMap = new Map();
-    this.routeForwards = routeForwards;
-
-    // Extract certificate routes during instantiation
-    this.certRoutes = this.extractCertificateRoutesFromRoutes(routeConfigs);
-  }
-
-  /**
-   * Start initial provisioning and schedule renewals.
-   */
-  public async start(): Promise<void> {
-    // Subscribe to Port80Handler certificate events
-    this.setupEventSubscriptions();
-
-    // Apply route forwarding for ACME challenges
-    this.setupForwardingConfigs();
-
-    // Initial provisioning for all domains in routes
-    await this.provisionAllCertificates();
-
-    // Schedule renewals if enabled
-    if (this.autoRenew) {
-      this.scheduleRenewals();
-    }
-  }
-
-  /**
-   * Set up event subscriptions for certificate events
-   */
-  private setupEventSubscriptions(): void {
-    this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_ISSUED, (data: ICertificateData) => {
-      // Add route reference if we have it
-      const routeRef = this.findRouteForDomain(data.domain);
-      const enhancedData: ICertificateData = {
-        ...data,
-        source: 'http01',
-        isRenewal: false,
-        routeReference: routeRef ? {
-          routeId: routeRef.route.name,
-          routeName: routeRef.route.name
-        } : undefined
-      };
-
-      this.emit(CertProvisionerEvents.CERTIFICATE_ISSUED, enhancedData);
-    });
-
-    this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_RENEWED, (data: ICertificateData) => {
-      // Add route reference if we have it
-      const routeRef = this.findRouteForDomain(data.domain);
-      const enhancedData: ICertificateData = {
-        ...data,
-        source: 'http01',
-        isRenewal: true,
-        routeReference: routeRef ? {
-          routeId: routeRef.route.name,
-          routeName: routeRef.route.name
-        } : undefined
-      };
-
-      this.emit(CertProvisionerEvents.CERTIFICATE_RENEWED, enhancedData);
-    });
-
-    this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_FAILED, (error) => {
-      this.emit(CertProvisionerEvents.CERTIFICATE_FAILED, error);
-    });
-  }
-
-  /**
-   * Find a route for a given domain
-   */
-  private findRouteForDomain(domain: string): ICertRoute | undefined {
-    return this.certRoutes.find(certRoute => certRoute.domain === domain);
-  }
-
-  /**
-   * Set up forwarding configurations for the Port80Handler
-   */
-  private setupForwardingConfigs(): void {
-    for (const config of this.routeForwards) {
-      const domainOptions: IDomainOptions = {
-        domainName: config.domain,
-        sslRedirect: config.sslRedirect || false,
-        acmeMaintenance: false,
-        forward: config.target ? {
-          ip: config.target.host,
-          port: config.target.port
-        } : undefined
-      };
-      this.port80Handler.addDomain(domainOptions);
-    }
-  }
-
-  /**
-   * Provision certificates for all routes that need them
-   */
-  private async provisionAllCertificates(): Promise<void> {
-    for (const certRoute of this.certRoutes) {
-      await this.provisionCertificateForRoute(certRoute);
-    }
-  }
-
-  /**
-   * Provision a certificate for a route
-   */
-  private async provisionCertificateForRoute(certRoute: ICertRoute): Promise<void> {
-    const { domain, route } = certRoute;
-    const isWildcard = domain.includes('*');
-    let provision: TCertProvisionObject = 'http01';
-
-    // Try to get a certificate from the provision function
-    if (this.certProvisionFunction) {
-      try {
-        provision = await this.certProvisionFunction(domain);
-      } catch (err) {
-        console.error(`certProvider error for ${domain} on route ${route.name || 'unnamed'}:`, err);
-      }
-    } else if (isWildcard) {
-      // No certProvider: cannot handle wildcard without DNS-01 support
-      console.warn(`Skipping wildcard domain without certProvisionFunction: ${domain}`);
-      return;
-    }
-
-    // Store the route reference with the provision type
-    this.provisionMap.set(domain, {
-      type: provision === 'http01' || provision === 'dns01' ? provision : 'static',
-      routeRef: certRoute
-    });
-
-    // Handle different provisioning methods
-    if (provision === 'http01') {
-      if (isWildcard) {
-        console.warn(`Skipping HTTP-01 for wildcard domain: ${domain}`);
-        return;
-      }
-
-      this.port80Handler.addDomain({
-        domainName: domain,
-        sslRedirect: true,
-        acmeMaintenance: true,
-        routeReference: {
-          routeId: route.name || domain,
-          routeName: route.name
-        }
-      });
-    } else if (provision === 'dns01') {
-      // DNS-01 challenges would be handled by the certProvisionFunction
-      // DNS-01 handling would go here if implemented
-      console.log(`DNS-01 challenge type set for ${domain}`);
-    } else {
-      // Static certificate (e.g., DNS-01 provisioned or user-provided)
-      const certObj = provision as plugins.tsclass.network.ICert;
-      const certData: ICertificateData = {
-        domain: certObj.domainName,
-        certificate: certObj.publicKey,
-        privateKey: certObj.privateKey,
-        expiryDate: new Date(certObj.validUntil),
-        source: 'static',
-        isRenewal: false,
-        routeReference: {
-          routeId: route.name || domain,
-          routeName: route.name
-        }
-      };
-
-      this.networkProxyBridge.applyExternalCertificate(certData);
-      this.emit(CertProvisionerEvents.CERTIFICATE_ISSUED, certData);
-    }
-  }
-
-  /**
-   * Schedule certificate renewals using a task manager
-   */
-  private scheduleRenewals(): void {
-    this.renewManager = new plugins.taskbuffer.TaskManager();
-
-    const renewTask = new plugins.taskbuffer.Task({
-      name: 'CertificateRenewals',
-      taskFunction: async () => await this.performRenewals()
-    });
-
-    const hours = this.renewCheckIntervalHours;
-    const cronExpr = `0 0 */${hours} * * *`;
-
-    this.renewManager.addAndScheduleTask(renewTask, cronExpr);
-    this.renewManager.start();
-  }
-
-  /**
-   * Perform renewals for all domains that need it
-   */
-  private async performRenewals(): Promise<void> {
-    for (const [domain, info] of this.provisionMap.entries()) {
-      // Skip wildcard domains for HTTP-01 challenges
-      if (domain.includes('*') && info.type === 'http01') continue;
-
-      try {
-        await this.renewCertificateForDomain(domain, info.type, info.routeRef);
-      } catch (err) {
-        console.error(`Renewal error for ${domain}:`, err);
-      }
-    }
-  }
-
-  /**
-   * Renew a certificate for a specific domain
-   * @param domain Domain to renew
-   * @param provisionType Type of provisioning for this domain
-   * @param certRoute The route reference for this domain
-   */
-  private async renewCertificateForDomain(
-    domain: string,
-    provisionType: 'http01' | 'dns01' | 'static',
-    certRoute?: ICertRoute
-  ): Promise<void> {
-    if (provisionType === 'http01') {
-      await this.port80Handler.renewCertificate(domain);
-    } else if ((provisionType === 'static' || provisionType === 'dns01') && this.certProvisionFunction) {
-      const provision = await this.certProvisionFunction(domain);
-
-      if (provision !== 'http01' && provision !== 'dns01') {
-        const certObj = provision as plugins.tsclass.network.ICert;
-        const routeRef = certRoute?.route;
-
-        const certData: ICertificateData = {
-          domain: certObj.domainName,
-          certificate: certObj.publicKey,
-          privateKey: certObj.privateKey,
-          expiryDate: new Date(certObj.validUntil),
-          source: 'static',
-          isRenewal: true,
-          routeReference: routeRef ? {
-            routeId: routeRef.name || domain,
-            routeName: routeRef.name
-          } : undefined
-        };
-
-        this.networkProxyBridge.applyExternalCertificate(certData);
-        this.emit(CertProvisionerEvents.CERTIFICATE_RENEWED, certData);
-      }
-    }
-  }
-
-  /**
-   * Stop all scheduled renewal tasks.
-   */
-  public async stop(): Promise<void> {
-    if (this.renewManager) {
-      this.renewManager.stop();
-    }
-  }
-
-  /**
-   * Request a certificate on-demand for the given domain.
-   * This will look for a matching route configuration and provision accordingly.
-   *
-   * @param domain Domain name to provision
-   */
-  public async requestCertificate(domain: string): Promise<void> {
-    const isWildcard = domain.includes('*');
-    // Find matching route
-    const certRoute = this.findRouteForDomain(domain);
-
-    // Determine provisioning method
-    let provision: TCertProvisionObject = 'http01';
-
-    if (this.certProvisionFunction) {
-      provision = await this.certProvisionFunction(domain);
-    } else if (isWildcard) {
-      // Cannot perform HTTP-01 on wildcard without certProvider
-      throw new Error(`Cannot request certificate for wildcard domain without certProvisionFunction: ${domain}`);
-    }
-
-    if (provision === 'http01') {
-      if (isWildcard) {
-        throw new Error(`Cannot request HTTP-01 certificate for wildcard domain: ${domain}`);
-      }
-      await this.port80Handler.renewCertificate(domain);
-    } else if (provision === 'dns01') {
-      // DNS-01 challenges would be handled by external mechanisms
-      console.log(`DNS-01 challenge requested for ${domain}`);
-    } else {
-      // Static certificate (e.g., DNS-01 provisioned) supports wildcards
-      const certObj = provision as plugins.tsclass.network.ICert;
-      const certData: ICertificateData = {
-        domain: certObj.domainName,
-        certificate: certObj.publicKey,
-        privateKey: certObj.privateKey,
-        expiryDate: new Date(certObj.validUntil),
-        source: 'static',
-        isRenewal: false,
-        routeReference: certRoute ? {
-          routeId: certRoute.route.name || domain,
-          routeName: certRoute.route.name
-        } : undefined
-      };
-
-      this.networkProxyBridge.applyExternalCertificate(certData);
-      this.emit(CertProvisionerEvents.CERTIFICATE_ISSUED, certData);
-    }
-  }
-
-  /**
-   * Add a new domain for certificate provisioning
-   *
-   * @param domain Domain to add
-   * @param options Domain configuration options
-   */
-  public async addDomain(domain: string, options?: {
-    sslRedirect?: boolean;
-    acmeMaintenance?: boolean;
-    routeId?: string;
-    routeName?: string;
-  }): Promise<void> {
-    const domainOptions: IDomainOptions = {
-      domainName: domain,
-      sslRedirect: options?.sslRedirect ?? true,
-      acmeMaintenance: options?.acmeMaintenance ?? true,
-      routeReference: {
-        routeId: options?.routeId,
-        routeName: options?.routeName
-      }
-    };
-
-    this.port80Handler.addDomain(domainOptions);
-
-    // Find matching route or create a generic one
-    const existingRoute = this.findRouteForDomain(domain);
-    if (existingRoute) {
-      await this.provisionCertificateForRoute(existingRoute);
-    } else {
-      // We don't have a route, just provision the domain
-      const isWildcard = domain.includes('*');
-      let provision: TCertProvisionObject = 'http01';
-
-      if (this.certProvisionFunction) {
-        provision = await this.certProvisionFunction(domain);
-      } else if (isWildcard) {
-        throw new Error(`Cannot request certificate for wildcard domain without certProvisionFunction: ${domain}`);
-      }
-
-      this.provisionMap.set(domain, {
-        type: provision === 'http01' || provision === 'dns01' ? provision : 'static'
-      });
-
-      if (provision !== 'http01' && provision !== 'dns01') {
-        const certObj = provision as plugins.tsclass.network.ICert;
-        const certData: ICertificateData = {
-          domain: certObj.domainName,
-          certificate: certObj.publicKey,
-          privateKey: certObj.privateKey,
-          expiryDate: new Date(certObj.validUntil),
-          source: 'static',
-          isRenewal: false,
-          routeReference: {
-            routeId: options?.routeId,
-            routeName: options?.routeName
-          }
-        };
-
-        this.networkProxyBridge.applyExternalCertificate(certData);
-        this.emit(CertProvisionerEvents.CERTIFICATE_ISSUED, certData);
-      }
-    }
-  }
-
-  /**
-   * Update routes with new configurations
-   * This replaces all existing routes with new ones and re-provisions certificates as needed
-   *
-   * @param newRoutes New route configurations to use
-   */
-  public async updateRoutes(newRoutes: IRouteConfig[]): Promise<void> {
-    // Store the new route configs
-    this.routeConfigs = newRoutes;
-
-    // Extract new certificate routes
-    const newCertRoutes = this.extractCertificateRoutesFromRoutes(newRoutes);
-
-    // Find domains that no longer need certificates
-    const oldDomains = new Set(this.certRoutes.map(r => r.domain));
-    const newDomains = new Set(newCertRoutes.map(r => r.domain));
-
-    // Domains to remove
-    const domainsToRemove = [...oldDomains].filter(d => !newDomains.has(d));
-
-    // Remove obsolete domains from provision map
-    for (const domain of domainsToRemove) {
-      this.provisionMap.delete(domain);
-    }
-
-    // Update the cert routes
-    this.certRoutes = newCertRoutes;
-
-    // Provision certificates for new routes
-    for (const certRoute of newCertRoutes) {
-      if (!oldDomains.has(certRoute.domain)) {
-        await this.provisionCertificateForRoute(certRoute);
-      }
-    }
-  }
-}
-
-// Type alias for backward compatibility
-export type TSmartProxyCertProvisionObject = TCertProvisionObject;

ts/certificate/providers/index.ts

@@ -1,3 +0,0 @@
-/**
- * Certificate providers
- */

ts/certificate/storage/file-storage.ts

@@ -1,234 +0,0 @@
-import * as fs from 'fs';
-import * as path from 'path';
-import * as plugins from '../../plugins.js';
-import type { ICertificateData, ICertificates } from '../models/certificate-types.js';
-import { ensureCertificateDirectory } from '../utils/certificate-helpers.js';
-
-/**
- * FileStorage provides file system storage for certificates
- */
-export class FileStorage {
-  private storageDir: string;
-  
-  /**
-   * Creates a new file storage provider
-   * @param storageDir Directory to store certificates
-   */
-  constructor(storageDir: string) {
-    this.storageDir = path.resolve(storageDir);
-    ensureCertificateDirectory(this.storageDir);
-  }
-  
-  /**
-   * Save a certificate to the file system
-   * @param domain Domain name
-   * @param certData Certificate data to save
-   */
-  public async saveCertificate(domain: string, certData: ICertificateData): Promise<void> {
-    const sanitizedDomain = this.sanitizeDomain(domain);
-    const certDir = path.join(this.storageDir, sanitizedDomain);
-    ensureCertificateDirectory(certDir);
-    
-    const certPath = path.join(certDir, 'fullchain.pem');
-    const keyPath = path.join(certDir, 'privkey.pem');
-    const metaPath = path.join(certDir, 'metadata.json');
-    
-    // Write certificate and private key
-    await fs.promises.writeFile(certPath, certData.certificate, 'utf8');
-    await fs.promises.writeFile(keyPath, certData.privateKey, 'utf8');
-    
-    // Write metadata
-    const metadata = {
-      domain: certData.domain,
-      expiryDate: certData.expiryDate.toISOString(),
-      source: certData.source || 'unknown',
-      issuedAt: new Date().toISOString()
-    };
-    
-    await fs.promises.writeFile(
-      metaPath, 
-      JSON.stringify(metadata, null, 2), 
-      'utf8'
-    );
-  }
-  
-  /**
-   * Load a certificate from the file system
-   * @param domain Domain name
-   * @returns Certificate data if found, null otherwise
-   */
-  public async loadCertificate(domain: string): Promise<ICertificateData | null> {
-    const sanitizedDomain = this.sanitizeDomain(domain);
-    const certDir = path.join(this.storageDir, sanitizedDomain);
-    
-    if (!fs.existsSync(certDir)) {
-      return null;
-    }
-    
-    const certPath = path.join(certDir, 'fullchain.pem');
-    const keyPath = path.join(certDir, 'privkey.pem');
-    const metaPath = path.join(certDir, 'metadata.json');
-    
-    try {
-      // Check if all required files exist
-      if (!fs.existsSync(certPath) || !fs.existsSync(keyPath)) {
-        return null;
-      }
-      
-      // Read certificate and private key
-      const certificate = await fs.promises.readFile(certPath, 'utf8');
-      const privateKey = await fs.promises.readFile(keyPath, 'utf8');
-      
-      // Try to read metadata if available
-      let expiryDate = new Date();
-      let source: 'static' | 'http01' | 'dns01' | undefined;
-      
-      if (fs.existsSync(metaPath)) {
-        const metaContent = await fs.promises.readFile(metaPath, 'utf8');
-        const metadata = JSON.parse(metaContent);
-        
-        if (metadata.expiryDate) {
-          expiryDate = new Date(metadata.expiryDate);
-        }
-        
-        if (metadata.source) {
-          source = metadata.source as 'static' | 'http01' | 'dns01';
-        }
-      }
-      
-      return {
-        domain,
-        certificate,
-        privateKey,
-        expiryDate,
-        source
-      };
-    } catch (error) {
-      console.error(`Error loading certificate for ${domain}:`, error);
-      return null;
-    }
-  }
-  
-  /**
-   * Delete a certificate from the file system
-   * @param domain Domain name
-   */
-  public async deleteCertificate(domain: string): Promise<boolean> {
-    const sanitizedDomain = this.sanitizeDomain(domain);
-    const certDir = path.join(this.storageDir, sanitizedDomain);
-    
-    if (!fs.existsSync(certDir)) {
-      return false;
-    }
-    
-    try {
-      // Recursively delete the certificate directory
-      await this.deleteDirectory(certDir);
-      return true;
-    } catch (error) {
-      console.error(`Error deleting certificate for ${domain}:`, error);
-      return false;
-    }
-  }
-  
-  /**
-   * List all domains with stored certificates
-   * @returns Array of domain names
-   */
-  public async listCertificates(): Promise<string[]> {
-    try {
-      const entries = await fs.promises.readdir(this.storageDir, { withFileTypes: true });
-      return entries
-        .filter(entry => entry.isDirectory())
-        .map(entry => entry.name);
-    } catch (error) {
-      console.error('Error listing certificates:', error);
-      return [];
-    }
-  }
-  
-  /**
-   * Check if a certificate is expiring soon
-   * @param domain Domain name
-   * @param thresholdDays Days threshold to consider expiring
-   * @returns Information about expiring certificate or null
-   */
-  public async isExpiringSoon(
-    domain: string, 
-    thresholdDays: number = 30
-  ): Promise<{ domain: string; expiryDate: Date; daysRemaining: number } | null> {
-    const certData = await this.loadCertificate(domain);
-    
-    if (!certData) {
-      return null;
-    }
-    
-    const now = new Date();
-    const expiryDate = certData.expiryDate;
-    const timeRemaining = expiryDate.getTime() - now.getTime();
-    const daysRemaining = Math.floor(timeRemaining / (1000 * 60 * 60 * 24));
-    
-    if (daysRemaining <= thresholdDays) {
-      return {
-        domain,
-        expiryDate,
-        daysRemaining
-      };
-    }
-    
-    return null;
-  }
-  
-  /**
-   * Check all certificates for expiration
-   * @param thresholdDays Days threshold to consider expiring
-   * @returns List of expiring certificates
-   */
-  public async getExpiringCertificates(
-    thresholdDays: number = 30
-  ): Promise<Array<{ domain: string; expiryDate: Date; daysRemaining: number }>> {
-    const domains = await this.listCertificates();
-    const expiringCerts = [];
-    
-    for (const domain of domains) {
-      const expiring = await this.isExpiringSoon(domain, thresholdDays);
-      if (expiring) {
-        expiringCerts.push(expiring);
-      }
-    }
-    
-    return expiringCerts;
-  }
-  
-  /**
-   * Delete a directory recursively
-   * @param directoryPath Directory to delete
-   */
-  private async deleteDirectory(directoryPath: string): Promise<void> {
-    if (fs.existsSync(directoryPath)) {
-      const entries = await fs.promises.readdir(directoryPath, { withFileTypes: true });
-      
-      for (const entry of entries) {
-        const fullPath = path.join(directoryPath, entry.name);
-        
-        if (entry.isDirectory()) {
-          await this.deleteDirectory(fullPath);
-        } else {
-          await fs.promises.unlink(fullPath);
-        }
-      }
-      
-      await fs.promises.rmdir(directoryPath);
-    }
-  }
-  
-  /**
-   * Sanitize a domain name for use as a directory name
-   * @param domain Domain name
-   * @returns Sanitized domain name
-   */
-  private sanitizeDomain(domain: string): string {
-    // Replace wildcard and any invalid filesystem characters
-    return domain.replace(/\*/g, '_wildcard_').replace(/[/\\:*?"<>|]/g, '_');
-  }
-}

ts/certificate/storage/index.ts

@@ -1,3 +0,0 @@
-/**
- * Certificate storage mechanisms
- */

ts/certificate/utils/certificate-helpers.ts

@@ -1,50 +0,0 @@
-import * as fs from 'fs';
-import * as path from 'path';
-import { fileURLToPath } from 'url';
-import type { ICertificates } from '../models/certificate-types.js';
-
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
-
-/**
- * Loads the default SSL certificates from the assets directory
- * @returns The certificate key pair
- */
-export function loadDefaultCertificates(): ICertificates {
-  try {
-    // Need to adjust path from /ts/certificate/utils to /assets/certs
-    const certPath = path.join(__dirname, '..', '..', '..', 'assets', 'certs');
-    const privateKey = fs.readFileSync(path.join(certPath, 'key.pem'), 'utf8');
-    const publicKey = fs.readFileSync(path.join(certPath, 'cert.pem'), 'utf8');
-
-    if (!privateKey || !publicKey) {
-      throw new Error('Failed to load default certificates');
-    }
-
-    return {
-      privateKey,
-      publicKey
-    };
-  } catch (error) {
-    console.error('Error loading default certificates:', error);
-    throw error;
-  }
-}
-
-/**
- * Checks if a certificate file exists at the specified path
- * @param certPath Path to check for certificate
- * @returns True if the certificate exists, false otherwise
- */
-export function certificateExists(certPath: string): boolean {
-  return fs.existsSync(certPath);
-}
-
-/**
- * Ensures the certificate directory exists
- * @param dirPath Path to the certificate directory
- */
-export function ensureCertificateDirectory(dirPath: string): void {
-  if (!fs.existsSync(dirPath)) {
-    fs.mkdirSync(dirPath, { recursive: true });
-  }
-}

ts/common/eventUtils.ts

@@ -1,4 +1,4 @@
-import type { Port80Handler } from '../http/port80/port80-handler.js';
+// Port80Handler removed - use SmartCertManager instead
 import { Port80HandlerEvents } from './types.js';
 import type { ICertificateData, ICertificateFailure, ICertificateExpiring } from './types.js';
 
@@ -16,7 +16,7 @@ export interface Port80HandlerSubscribers {
  * Subscribes to Port80Handler events based on provided callbacks
  */
 export function subscribeToPort80Handler(
-  handler: Port80Handler,
+  handler: any,
   subscribers: Port80HandlerSubscribers
 ): void {
   if (subscribers.onCertificateIssued) {

ts/common/port80-adapter.ts

@@ -1,111 +0,0 @@
-import * as plugins from '../plugins.js';
-
-import type {
-  IForwardConfig as ILegacyForwardConfig,
-  IDomainOptions
-} from './types.js';
-
-import type {
-  IForwardConfig
-} from '../forwarding/config/forwarding-types.js';
-
-/**
- * Converts a forwarding configuration target to the legacy format
- * for Port80Handler
- */
-export function convertToLegacyForwardConfig(
-  forwardConfig: IForwardConfig
-): ILegacyForwardConfig {
-  // Determine host from the target configuration
-  const host = Array.isArray(forwardConfig.target.host)
-    ? forwardConfig.target.host[0]  // Use the first host in the array
-    : forwardConfig.target.host;
-
-  // Extract port number, handling different port formats
-  let port: number;
-  if (typeof forwardConfig.target.port === 'function') {
-    // Use a default port for function-based ports in adapter context
-    port = 80;
-  } else if (forwardConfig.target.port === 'preserve') {
-    // For 'preserve', use the default port 80 in this adapter context
-    port = 80;
-  } else {
-    port = forwardConfig.target.port;
-  }
-
-  return {
-    ip: host,
-    port: port
-  };
-}
-
-/**
- * Creates Port80Handler domain options from a domain name and forwarding config
- */
-export function createPort80HandlerOptions(
-  domain: string,
-  forwardConfig: IForwardConfig
-): IDomainOptions {
-  // Determine if we should redirect HTTP to HTTPS
-  let sslRedirect = false;
-  if (forwardConfig.http?.redirectToHttps) {
-    sslRedirect = true;
-  }
-  
-  // Determine if ACME maintenance should be enabled
-  // Enable by default for termination types, unless explicitly disabled
-  const requiresTls = 
-    forwardConfig.type === 'https-terminate-to-http' || 
-    forwardConfig.type === 'https-terminate-to-https';
-  
-  const acmeMaintenance = 
-    requiresTls && 
-    forwardConfig.acme?.enabled !== false;
-  
-  // Set up forwarding configuration
-  const options: IDomainOptions = {
-    domainName: domain,
-    sslRedirect,
-    acmeMaintenance
-  };
-  
-  // Add ACME challenge forwarding if configured
-  if (forwardConfig.acme?.forwardChallenges) {
-    options.acmeForward = {
-      ip: Array.isArray(forwardConfig.acme.forwardChallenges.host) 
-        ? forwardConfig.acme.forwardChallenges.host[0]
-        : forwardConfig.acme.forwardChallenges.host,
-      port: forwardConfig.acme.forwardChallenges.port
-    };
-  }
-  
-  // Add HTTP forwarding if this is an HTTP-only config or if HTTP is enabled
-  const supportsHttp = 
-    forwardConfig.type === 'http-only' || 
-    (forwardConfig.http?.enabled !== false &&
-     (forwardConfig.type === 'https-terminate-to-http' || 
-      forwardConfig.type === 'https-terminate-to-https'));
-  
-  if (supportsHttp) {
-    // Determine port value handling different formats
-    let port: number;
-    if (typeof forwardConfig.target.port === 'function') {
-      // Use a default port for function-based ports
-      port = 80;
-    } else if (forwardConfig.target.port === 'preserve') {
-      // For 'preserve', use 80 in this adapter context
-      port = 80;
-    } else {
-      port = forwardConfig.target.port;
-    }
-
-    options.forward = {
-      ip: Array.isArray(forwardConfig.target.host) 
-        ? forwardConfig.target.host[0]
-        : forwardConfig.target.host,
-      port: port
-    };
-  }
-  
-  return options;
-}

ts/core/models/common-types.ts

@@ -34,7 +34,7 @@ export interface ICertificateData {
 }
 
 /**
- * Events emitted by the Port80Handler
+ * @deprecated Events emitted by the Port80Handler - use SmartCertManager instead
  */
 export enum Port80HandlerEvents {
   CERTIFICATE_ISSUED = 'certificate-issued',

ts/core/utils/event-utils.ts

@@ -1,34 +1,25 @@
-import type { Port80Handler } from '../../http/port80/port80-handler.js';
+// Port80Handler has been removed - use SmartCertManager instead
 import { Port80HandlerEvents } from '../models/common-types.js';
-import type { ICertificateData, ICertificateFailure, ICertificateExpiring } from '../models/common-types.js';
+
+// Re-export for backward compatibility
+export { Port80HandlerEvents };
 
 /**
- * Subscribers callback definitions for Port80Handler events
+ * @deprecated Use SmartCertManager instead
  */
 export interface IPort80HandlerSubscribers {
-  onCertificateIssued?: (data: ICertificateData) => void;
-  onCertificateRenewed?: (data: ICertificateData) => void;
-  onCertificateFailed?: (data: ICertificateFailure) => void;
-  onCertificateExpiring?: (data: ICertificateExpiring) => void;
+  onCertificateIssued?: (data: any) => void;
+  onCertificateRenewed?: (data: any) => void;
+  onCertificateFailed?: (data: any) => void;
+  onCertificateExpiring?: (data: any) => void;
 }
 
 /**
- * Subscribes to Port80Handler events based on provided callbacks
+ * @deprecated Use SmartCertManager instead
  */
 export function subscribeToPort80Handler(
-  handler: Port80Handler,
+  handler: any,
   subscribers: IPort80HandlerSubscribers
 ): void {
-  if (subscribers.onCertificateIssued) {
-    handler.on(Port80HandlerEvents.CERTIFICATE_ISSUED, subscribers.onCertificateIssued);
-  }
-  if (subscribers.onCertificateRenewed) {
-    handler.on(Port80HandlerEvents.CERTIFICATE_RENEWED, subscribers.onCertificateRenewed);
-  }
-  if (subscribers.onCertificateFailed) {
-    handler.on(Port80HandlerEvents.CERTIFICATE_FAILED, subscribers.onCertificateFailed);
-  }
-  if (subscribers.onCertificateExpiring) {
-    handler.on(Port80HandlerEvents.CERTIFICATE_EXPIRING, subscribers.onCertificateExpiring);
-  }
+  console.warn('subscribeToPort80Handler is deprecated - use SmartCertManager instead');
 }

ts/core/utils/index.ts

@@ -12,3 +12,4 @@ export * from './security-utils.js';
 export * from './shared-security-manager.js';
 export * from './event-system.js';
 export * from './websocket-utils.js';
+export * from './logger.js';

ts/core/utils/logger.ts

@@ -0,0 +1,10 @@
+import * as plugins from '../../plugins.js';
+
+export const logger = new plugins.smartlog.Smartlog({
+  logContext: {},
+  minimumLogLevel: 'info',
+});
+
+logger.addLogDestination(new plugins.smartlogDestinationLocal.DestinationLocal());
+
+logger.log('info', 'Logger initialized');

ts/core/utils/route-utils.ts

@@ -209,18 +209,18 @@ export function matchIpPattern(pattern: string, ip: string): boolean {
  * Match an IP against allowed and blocked IP patterns
  * 
  * @param ip IP to check
- * @param allowedIps Array of allowed IP patterns
- * @param blockedIps Array of blocked IP patterns
+ * @param ipAllowList Array of allowed IP patterns
+ * @param ipBlockList Array of blocked IP patterns
  * @returns Whether the IP is allowed
  */
 export function isIpAuthorized(
   ip: string, 
-  allowedIps: string[] = ['*'], 
-  blockedIps: string[] = []
+  ipAllowList: string[] = ['*'], 
+  ipBlockList: string[] = []
 ): boolean {
   // Check blocked IPs first
-  if (blockedIps.length > 0) {
-    for (const pattern of blockedIps) {
+  if (ipBlockList.length > 0) {
+    for (const pattern of ipBlockList) {
       if (matchIpPattern(pattern, ip)) {
         return false; // IP is blocked
       }
@@ -228,13 +228,13 @@ export function isIpAuthorized(
   }
   
   // If there are allowed IPs, check them
-  if (allowedIps.length > 0) {
+  if (ipAllowList.length > 0) {
     // Special case: if '*' is in allowed IPs, all non-blocked IPs are allowed
-    if (allowedIps.includes('*')) {
+    if (ipAllowList.includes('*')) {
       return true;
     }
     
-    for (const pattern of allowedIps) {
+    for (const pattern of ipAllowList) {
       if (matchIpPattern(pattern, ip)) {
         return true; // IP is allowed
       }

ts/forwarding/factory/forwarding-factory.ts

@@ -52,6 +52,13 @@ export class ForwardingHandlerFactory {
           enabled: true,
           ...config.http
         };
+        // Set default port and socket if not provided
+        if (!result.port) {
+          result.port = 80;
+        }
+        if (!result.socket) {
+          result.socket = `/tmp/forwarding-${config.type}-${result.port}.sock`;
+        }
         break;
         
       case 'https-passthrough':
@@ -65,6 +72,13 @@ export class ForwardingHandlerFactory {
           enabled: false,
           ...config.http
         };
+        // Set default port and socket if not provided
+        if (!result.port) {
+          result.port = 443;
+        }
+        if (!result.socket) {
+          result.socket = `/tmp/forwarding-${config.type}-${result.port}.sock`;
+        }
         break;
         
       case 'https-terminate-to-http':
@@ -84,6 +98,13 @@ export class ForwardingHandlerFactory {
           maintenance: true,
           ...config.acme
         };
+        // Set default port and socket if not provided
+        if (!result.port) {
+          result.port = 443;
+        }
+        if (!result.socket) {
+          result.socket = `/tmp/forwarding-${config.type}-${result.port}.sock`;
+        }
         break;
         
       case 'https-terminate-to-https':
@@ -101,6 +122,13 @@ export class ForwardingHandlerFactory {
           maintenance: true,
           ...config.acme
         };
+        // Set default port and socket if not provided
+        if (!result.port) {
+          result.port = 443;
+        }
+        if (!result.socket) {
+          result.socket = `/tmp/forwarding-${config.type}-${result.port}.sock`;
+        }
         break;
     }
     

ts/http/index.ts

@@ -1,23 +0,0 @@
-/**
- * HTTP functionality module
- */
-
-// Export types and models
-export * from './models/http-types.js';
-
-// Export submodules
-export * from './port80/index.js';
-export * from './router/index.js';
-export * from './redirects/index.js';
-
-// Import the components we need for the namespace
-import { Port80Handler } from './port80/port80-handler.js';
-import { ChallengeResponder } from './port80/challenge-responder.js';
-
-// Convenience namespace exports
-export const Http = {
-  Port80: {
-    Handler: Port80Handler,
-    ChallengeResponder: ChallengeResponder
-  }
-};

ts/http/models/http-types.ts

@@ -1,104 +0,0 @@
-import * as plugins from '../../plugins.js';
-import type {
-  IDomainOptions,
-  IAcmeOptions
-} from '../../certificate/models/certificate-types.js';
-
-/**
- * HTTP-specific event types
- */
-export enum HttpEvents {
-  REQUEST_RECEIVED = 'request-received',
-  REQUEST_FORWARDED = 'request-forwarded',
-  REQUEST_HANDLED = 'request-handled',
-  REQUEST_ERROR = 'request-error',
-}
-
-/**
- * HTTP status codes as an enum for better type safety
- */
-export enum HttpStatus {
-  OK = 200,
-  MOVED_PERMANENTLY = 301,
-  FOUND = 302,
-  TEMPORARY_REDIRECT = 307,
-  PERMANENT_REDIRECT = 308,
-  BAD_REQUEST = 400,
-  NOT_FOUND = 404,
-  METHOD_NOT_ALLOWED = 405,
-  INTERNAL_SERVER_ERROR = 500,
-  NOT_IMPLEMENTED = 501,
-  SERVICE_UNAVAILABLE = 503,
-}
-
-/**
- * Represents a domain configuration with certificate status information
- */
-export interface IDomainCertificate {
-  options: IDomainOptions;
-  certObtained: boolean;
-  obtainingInProgress: boolean;
-  certificate?: string;
-  privateKey?: string;
-  expiryDate?: Date;
-  lastRenewalAttempt?: Date;
-}
-
-/**
- * Base error class for HTTP-related errors
- */
-export class HttpError extends Error {
-  constructor(message: string) {
-    super(message);
-    this.name = 'HttpError';
-  }
-}
-
-/**
- * Error related to certificate operations
- */
-export class CertificateError extends HttpError {
-  constructor(
-    message: string,
-    public readonly domain: string,
-    public readonly isRenewal: boolean = false
-  ) {
-    super(`${message} for domain ${domain}${isRenewal ? ' (renewal)' : ''}`);
-    this.name = 'CertificateError';
-  }
-}
-
-/**
- * Error related to server operations
- */
-export class ServerError extends HttpError {
-  constructor(message: string, public readonly code?: string) {
-    super(message);
-    this.name = 'ServerError';
-  }
-}
-
-/**
- * Redirect configuration for HTTP requests
- */
-export interface IRedirectConfig {
-  source: string;           // Source path or pattern
-  destination: string;      // Destination URL
-  type: HttpStatus;         // Redirect status code
-  preserveQuery?: boolean;  // Whether to preserve query parameters
-}
-
-/**
- * HTTP router configuration
- */
-export interface IRouterConfig {
-  routes: Array<{
-    path: string;
-    handler: (req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse) => void;
-  }>;
-  notFoundHandler?: (req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse) => void;
-}
-
-// Backward compatibility interfaces
-export { HttpError as Port80HandlerError };
-export { CertificateError as CertError };

ts/http/port80/acme-interfaces.ts

@@ -1,169 +0,0 @@
-/**
- * Type definitions for SmartAcme interfaces used by ChallengeResponder
- * These reflect the actual SmartAcme API based on the documentation
- *
- * Also includes route-based interfaces for Port80Handler to extract domains
- * that need certificate management from route configurations.
- */
-import * as plugins from '../../plugins.js';
-import type { IRouteConfig } from '../../proxies/smart-proxy/models/route-types.js';
-
-/**
- * Structure for SmartAcme certificate result
- */
-export interface ISmartAcmeCert {
-  id?: string;
-  domainName: string;
-  created?: number | Date | string;
-  privateKey: string;
-  publicKey: string;
-  csr?: string;
-  validUntil: number | Date | string;
-}
-
-/**
- * Structure for SmartAcme options
- */
-export interface ISmartAcmeOptions {
-  accountEmail: string;
-  certManager: ICertManager;
-  environment: 'production' | 'integration';
-  challengeHandlers: IChallengeHandler<any>[];
-  challengePriority?: string[];
-  retryOptions?: {
-    retries?: number;
-    factor?: number;
-    minTimeoutMs?: number;
-    maxTimeoutMs?: number;
-  };
-}
-
-/**
- * Interface for certificate manager
- */
-export interface ICertManager {
-  init(): Promise<void>;
-  get(domainName: string): Promise<ISmartAcmeCert | null>;
-  put(cert: ISmartAcmeCert): Promise<ISmartAcmeCert>;
-  delete(domainName: string): Promise<void>;
-  close?(): Promise<void>;
-}
-
-/**
- * Interface for challenge handler
- */
-export interface IChallengeHandler<T> {
-  getSupportedTypes(): string[];
-  prepare(ch: T): Promise<void>;
-  verify?(ch: T): Promise<void>;
-  cleanup(ch: T): Promise<void>;
-  checkWetherDomainIsSupported(domain: string): Promise<boolean>;
-}
-
-/**
- * HTTP-01 challenge type
- */
-export interface IHttp01Challenge {
-  type: string; // 'http-01'
-  token: string;
-  keyAuthorization: string;
-  webPath: string;
-}
-
-/**
- * HTTP-01 Memory Handler Interface
- */
-export interface IHttp01MemoryHandler extends IChallengeHandler<IHttp01Challenge> {
-  handleRequest(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse, next?: () => void): void;
-}
-
-/**
- * SmartAcme main class interface
- */
-export interface ISmartAcme {
-  start(): Promise<void>;
-  stop(): Promise<void>;
-  getCertificateForDomain(domain: string): Promise<ISmartAcmeCert>;
-  on?(event: string, listener: (data: any) => void): void;
-  eventEmitter?: plugins.EventEmitter;
-}
-
-/**
- * Port80Handler route options
- */
-export interface IPort80RouteOptions {
-  // The domain for the certificate
-  domain: string;
-
-  // Whether to redirect HTTP to HTTPS
-  sslRedirect: boolean;
-
-  // Whether to enable ACME certificate management
-  acmeMaintenance: boolean;
-
-  // Optional target for forwarding HTTP requests
-  forward?: {
-    ip: string;
-    port: number;
-  };
-
-  // Optional target for forwarding ACME challenge requests
-  acmeForward?: {
-    ip: string;
-    port: number;
-  };
-
-  // Reference to the route that requested this certificate
-  routeReference?: {
-    routeId?: string;
-    routeName?: string;
-  };
-}
-
-/**
- * Extract domains that need certificate management from routes
- * @param routes Route configurations to extract domains from
- * @returns Array of Port80RouteOptions for each domain
- */
-export function extractPort80RoutesFromRoutes(routes: IRouteConfig[]): IPort80RouteOptions[] {
-  const result: IPort80RouteOptions[] = [];
-
-  for (const route of routes) {
-    // Skip routes that don't have domains or TLS configuration
-    if (!route.match.domains || !route.action.tls) continue;
-
-    // Skip routes that don't terminate TLS
-    if (route.action.tls.mode !== 'terminate' && route.action.tls.mode !== 'terminate-and-reencrypt') continue;
-
-    // Only routes with automatic certificates need ACME
-    if (route.action.tls.certificate !== 'auto') continue;
-
-    // Get domains from route
-    const domains = Array.isArray(route.match.domains)
-      ? route.match.domains
-      : [route.match.domains];
-
-    // Create Port80RouteOptions for each domain
-    for (const domain of domains) {
-      // Skip wildcards (we can't get certificates for them)
-      if (domain.includes('*')) continue;
-
-      // Create Port80RouteOptions
-      const options: IPort80RouteOptions = {
-        domain,
-        sslRedirect: true, // Default to true for HTTPS routes
-        acmeMaintenance: true, // Default to true for auto certificates
-
-        // Add route reference
-        routeReference: {
-          routeName: route.name
-        }
-      };
-
-      // Add domain to result
-      result.push(options);
-    }
-  }
-
-  return result;
-}

ts/http/port80/challenge-responder.ts

@@ -1,246 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { IncomingMessage, ServerResponse } from 'http';
-import {
-  CertificateEvents
-} from '../../certificate/events/certificate-events.js';
-import type {
-  ICertificateData,
-  ICertificateFailure,
-  ICertificateExpiring
-} from '../../certificate/models/certificate-types.js';
-import type {
-  ISmartAcme,
-  ISmartAcmeCert,
-  ISmartAcmeOptions,
-  IHttp01MemoryHandler
-} from './acme-interfaces.js';
-
-/**
- * ChallengeResponder handles ACME HTTP-01 challenges by leveraging SmartAcme
- * It acts as a bridge between the HTTP server and the ACME challenge verification process
- */
-export class ChallengeResponder extends plugins.EventEmitter {
-  private smartAcme: ISmartAcme | null = null;
-  private http01Handler: IHttp01MemoryHandler | null = null;
-
-  /**
-   * Creates a new challenge responder
-   * @param useProduction Whether to use production ACME servers
-   * @param email Account email for ACME
-   * @param certificateStore Directory to store certificates
-   */
-  constructor(
-    private readonly useProduction: boolean = false,
-    private readonly email: string = 'admin@example.com',
-    private readonly certificateStore: string = './certs'
-  ) {
-    super();
-  }
-
-  /**
-   * Initialize the ACME client
-   */
-  public async initialize(): Promise<void> {
-    try {
-      // Create the HTTP-01 memory handler from SmartACME
-      this.http01Handler = new plugins.smartacme.handlers.Http01MemoryHandler();
-
-      // Ensure certificate store directory exists
-      await this.ensureCertificateStore();
-
-      // Create a MemoryCertManager for certificate storage
-      const certManager = new plugins.smartacme.certmanagers.MemoryCertManager();
-
-      // Initialize the SmartACME client with appropriate options
-      this.smartAcme = new plugins.smartacme.SmartAcme({
-        accountEmail: this.email,
-        certManager: certManager,
-        environment: this.useProduction ? 'production' : 'integration',
-        challengeHandlers: [this.http01Handler],
-        challengePriority: ['http-01']
-      });
-
-      // Set up event forwarding from SmartAcme
-      this.setupEventListeners();
-
-      // Start the SmartACME client
-      await this.smartAcme.start();
-      console.log('ACME client initialized successfully');
-    } catch (error) {
-      const errorMessage = error instanceof Error ? error.message : String(error);
-      throw new Error(`Failed to initialize ACME client: ${errorMessage}`);
-    }
-  }
-
-  /**
-   * Ensure the certificate store directory exists
-   */
-  private async ensureCertificateStore(): Promise<void> {
-    try {
-      await plugins.fs.promises.mkdir(this.certificateStore, { recursive: true });
-    } catch (error) {
-      const errorMessage = error instanceof Error ? error.message : String(error);
-      throw new Error(`Failed to create certificate store: ${errorMessage}`);
-    }
-  }
-
-  /**
-   * Setup event listeners to forward SmartACME events to our own event emitter
-   */
-  private setupEventListeners(): void {
-    if (!this.smartAcme) return;
-
-    const setupEvents = (emitter: { on: (event: string, listener: (data: any) => void) => void }) => {
-      // Forward certificate events
-      emitter.on('certificate', (data: any) => {
-        const isRenewal = !!data.isRenewal;
-
-        const certData: ICertificateData = {
-          domain: data.domainName || data.domain,
-          certificate: data.publicKey || data.cert,
-          privateKey: data.privateKey || data.key,
-          expiryDate: new Date(data.validUntil || data.expiryDate || Date.now()),
-          source: 'http01',
-          isRenewal
-        };
-
-        const eventType = isRenewal
-          ? CertificateEvents.CERTIFICATE_RENEWED
-          : CertificateEvents.CERTIFICATE_ISSUED;
-
-        this.emit(eventType, certData);
-      });
-
-      // Forward error events
-      emitter.on('error', (error: any) => {
-        const domain = error.domainName || error.domain || 'unknown';
-        const failureData: ICertificateFailure = {
-          domain,
-          error: error.message || String(error),
-          isRenewal: !!error.isRenewal
-        };
-
-        this.emit(CertificateEvents.CERTIFICATE_FAILED, failureData);
-      });
-    };
-
-    // Check for direct event methods on SmartAcme
-    if (typeof this.smartAcme.on === 'function') {
-      setupEvents(this.smartAcme as any);
-    }
-    // Check for eventEmitter property
-    else if (this.smartAcme.eventEmitter) {
-      setupEvents(this.smartAcme.eventEmitter);
-    }
-    // If no proper event handling, log a warning
-    else {
-      console.warn('SmartAcme instance does not support expected event interface - events may not be forwarded');
-    }
-  }
-
-  /**
-   * Handle HTTP request by checking if it's an ACME challenge
-   * @param req HTTP request object
-   * @param res HTTP response object
-   * @returns true if the request was handled, false otherwise
-   */
-  public handleRequest(req: IncomingMessage, res: ServerResponse): boolean {
-    if (!this.http01Handler) return false;
-
-    // Check if this is an ACME challenge request (/.well-known/acme-challenge/*)
-    const url = req.url || '';
-    if (url.startsWith('/.well-known/acme-challenge/')) {
-      try {
-        // Delegate to the HTTP-01 memory handler, which knows how to serve challenges
-        this.http01Handler.handleRequest(req, res);
-        return true;
-      } catch (error) {
-        console.error('Error handling ACME challenge:', error);
-        // If there was an error, send a 404 response
-        res.writeHead(404);
-        res.end('Not found');
-        return true;
-      }
-    }
-    
-    return false;
-  }
-
-  /**
-   * Request a certificate for a domain
-   * @param domain Domain name to request a certificate for
-   * @param isRenewal Whether this is a renewal request
-   */
-  public async requestCertificate(domain: string, isRenewal: boolean = false): Promise<ICertificateData> {
-    if (!this.smartAcme) {
-      throw new Error('ACME client not initialized');
-    }
-
-    try {
-      // Request certificate using SmartACME
-      const certObj = await this.smartAcme.getCertificateForDomain(domain);
-      
-      // Convert the certificate object to our CertificateData format
-      const certData: ICertificateData = {
-        domain,
-        certificate: certObj.publicKey,
-        privateKey: certObj.privateKey,
-        expiryDate: new Date(certObj.validUntil),
-        source: 'http01',
-        isRenewal
-      };
-      
-      return certData;
-    } catch (error) {
-      // Create failure object
-      const failure: ICertificateFailure = {
-        domain,
-        error: error instanceof Error ? error.message : String(error),
-        isRenewal
-      };
-      
-      // Emit failure event
-      this.emit(CertificateEvents.CERTIFICATE_FAILED, failure);
-      
-      // Rethrow with more context
-      throw new Error(`Failed to ${isRenewal ? 'renew' : 'obtain'} certificate for ${domain}: ${
-        error instanceof Error ? error.message : String(error)
-      }`);
-    }
-  }
-
-  /**
-   * Check if a certificate is expiring soon and trigger renewal if needed
-   * @param domain Domain name
-   * @param certificate Certificate data
-   * @param thresholdDays Days before expiry to trigger renewal
-   */
-  public checkCertificateExpiry(
-    domain: string,
-    certificate: ICertificateData,
-    thresholdDays: number = 30
-  ): void {
-    if (!certificate.expiryDate) return;
-    
-    const now = new Date();
-    const expiryDate = certificate.expiryDate;
-    const daysDifference = Math.floor((expiryDate.getTime() - now.getTime()) / (1000 * 60 * 60 * 24));
-    
-    if (daysDifference <= thresholdDays) {
-      const expiryInfo: ICertificateExpiring = {
-        domain,
-        expiryDate,
-        daysRemaining: daysDifference
-      };
-      
-      this.emit(CertificateEvents.CERTIFICATE_EXPIRING, expiryInfo);
-      
-      // Automatically attempt renewal if expiring
-      if (this.smartAcme) {
-        this.requestCertificate(domain, true).catch(error => {
-          console.error(`Failed to auto-renew certificate for ${domain}:`, error);
-        });
-      }
-    }
-  }
-}

ts/http/port80/index.ts

@@ -1,13 +0,0 @@
-/**
- * Port 80 handling
- */
-
-// Export the main components
-export { Port80Handler } from './port80-handler.js';
-export { ChallengeResponder } from './challenge-responder.js';
-
-// Export backward compatibility interfaces and types
-export {
-  HttpError as Port80HandlerError,
-  CertificateError as CertError
-} from '../models/http-types.js';

ts/http/port80/port80-handler.ts

@@ -1,728 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { IncomingMessage, ServerResponse } from 'http';
-import { CertificateEvents } from '../../certificate/events/certificate-events.js';
-import type {
-  IDomainOptions, // Kept for backward compatibility
-  ICertificateData,
-  ICertificateFailure,
-  ICertificateExpiring,
-  IAcmeOptions,
-  IRouteForwardConfig
-} from '../../certificate/models/certificate-types.js';
-import {
-  HttpEvents,
-  HttpStatus,
-  HttpError,
-  CertificateError,
-  ServerError,
-} from '../models/http-types.js';
-import type { IDomainCertificate } from '../models/http-types.js';
-import { ChallengeResponder } from './challenge-responder.js';
-import { extractPort80RoutesFromRoutes } from './acme-interfaces.js';
-import type { IPort80RouteOptions } from './acme-interfaces.js';
-import type { IRouteConfig } from '../../proxies/smart-proxy/models/route-types.js';
-
-// Re-export for backward compatibility
-export {
-  HttpError as Port80HandlerError,
-  CertificateError,
-  ServerError
-}
-
-// Port80Handler events enum for backward compatibility
-export const Port80HandlerEvents = CertificateEvents;
-
-/**
- * Configuration options for the Port80Handler
- */
-// Port80Handler options moved to common types
-
-
-/**
- * Port80Handler with ACME certificate management and request forwarding capabilities
- * Now with glob pattern support for domain matching
- */
-export class Port80Handler extends plugins.EventEmitter {
-  private domainCertificates: Map<string, IDomainCertificate>;
-  private challengeResponder: ChallengeResponder | null = null;
-  private server: plugins.http.Server | null = null;
-
-  // Renewal scheduling is handled externally by SmartProxy
-  private isShuttingDown: boolean = false;
-  private options: Required<IAcmeOptions>;
-
-  /**
-   * Creates a new Port80Handler
-   * @param options Configuration options
-   */
-  constructor(options: IAcmeOptions = {}) {
-    super();
-    this.domainCertificates = new Map<string, IDomainCertificate>();
-
-    // Default options
-    this.options = {
-      port: options.port ?? 80,
-      accountEmail: options.accountEmail ?? 'admin@example.com',
-      useProduction: options.useProduction ?? false, // Safer default: staging
-      httpsRedirectPort: options.httpsRedirectPort ?? 443,
-      enabled: options.enabled ?? true, // Enable by default
-      certificateStore: options.certificateStore ?? './certs',
-      skipConfiguredCerts: options.skipConfiguredCerts ?? false,
-      renewThresholdDays: options.renewThresholdDays ?? 30,
-      renewCheckIntervalHours: options.renewCheckIntervalHours ?? 24,
-      autoRenew: options.autoRenew ?? true,
-      routeForwards: options.routeForwards ?? []
-    };
-
-    // Initialize challenge responder
-    if (this.options.enabled) {
-      this.challengeResponder = new ChallengeResponder(
-        this.options.useProduction,
-        this.options.accountEmail,
-        this.options.certificateStore
-      );
-
-      // Forward certificate events from the challenge responder
-      this.challengeResponder.on(CertificateEvents.CERTIFICATE_ISSUED, (data: ICertificateData) => {
-        this.emit(CertificateEvents.CERTIFICATE_ISSUED, data);
-      });
-
-      this.challengeResponder.on(CertificateEvents.CERTIFICATE_RENEWED, (data: ICertificateData) => {
-        this.emit(CertificateEvents.CERTIFICATE_RENEWED, data);
-      });
-
-      this.challengeResponder.on(CertificateEvents.CERTIFICATE_FAILED, (error: ICertificateFailure) => {
-        this.emit(CertificateEvents.CERTIFICATE_FAILED, error);
-      });
-
-      this.challengeResponder.on(CertificateEvents.CERTIFICATE_EXPIRING, (expiry: ICertificateExpiring) => {
-        this.emit(CertificateEvents.CERTIFICATE_EXPIRING, expiry);
-      });
-    }
-  }
-
-  /**
-   * Starts the HTTP server for ACME challenges
-   */
-  public async start(): Promise<void> {
-    if (this.server) {
-      throw new ServerError('Server is already running');
-    }
-
-    if (this.isShuttingDown) {
-      throw new ServerError('Server is shutting down');
-    }
-
-    // Skip if disabled
-    if (this.options.enabled === false) {
-      console.log('Port80Handler is disabled, skipping start');
-      return;
-    }
-
-    // Initialize the challenge responder if enabled
-    if (this.options.enabled && this.challengeResponder) {
-      try {
-        await this.challengeResponder.initialize();
-      } catch (error) {
-        throw new ServerError(`Failed to initialize challenge responder: ${
-          error instanceof Error ? error.message : String(error)
-        }`);
-      }
-    }
-
-    return new Promise((resolve, reject) => {
-      try {
-        this.server = plugins.http.createServer((req, res) => this.handleRequest(req, res));
-
-        this.server.on('error', (error: NodeJS.ErrnoException) => {
-          if (error.code === 'EACCES') {
-            reject(new ServerError(`Permission denied to bind to port ${this.options.port}. Try running with elevated privileges or use a port > 1024.`, error.code));
-          } else if (error.code === 'EADDRINUSE') {
-            reject(new ServerError(`Port ${this.options.port} is already in use.`, error.code));
-          } else {
-            reject(new ServerError(error.message, error.code));
-          }
-        });
-
-        this.server.listen(this.options.port, () => {
-          console.log(`Port80Handler is listening on port ${this.options.port}`);
-          this.emit(CertificateEvents.MANAGER_STARTED, this.options.port);
-
-          // Start certificate process for domains with acmeMaintenance enabled
-          for (const [domain, domainInfo] of this.domainCertificates.entries()) {
-            // Skip glob patterns for certificate issuance
-            if (this.isGlobPattern(domain)) {
-              console.log(`Skipping initial certificate for glob pattern: ${domain}`);
-              continue;
-            }
-
-            if (domainInfo.options.acmeMaintenance && !domainInfo.certObtained && !domainInfo.obtainingInProgress) {
-              this.obtainCertificate(domain).catch(err => {
-                console.error(`Error obtaining initial certificate for ${domain}:`, err);
-              });
-            }
-          }
-
-          resolve();
-        });
-      } catch (error) {
-        const message = error instanceof Error ? error.message : 'Unknown error starting server';
-        reject(new ServerError(message));
-      }
-    });
-  }
-
-  /**
-   * Stops the HTTP server and cleanup resources
-   */
-  public async stop(): Promise<void> {
-    if (!this.server) {
-      return;
-    }
-
-    this.isShuttingDown = true;
-
-    return new Promise<void>((resolve) => {
-      if (this.server) {
-        this.server.close(() => {
-          this.server = null;
-          this.isShuttingDown = false;
-          this.emit(CertificateEvents.MANAGER_STOPPED);
-          resolve();
-        });
-      } else {
-        this.isShuttingDown = false;
-        resolve();
-      }
-    });
-  }
-
-  /**
-   * Adds a domain with configuration options
-   * @param options Domain configuration options
-   */
-  public addDomain(options: IDomainOptions | IPort80RouteOptions): void {
-    // Normalize options format (handle both IDomainOptions and IPort80RouteOptions)
-    const normalizedOptions: IDomainOptions = this.normalizeOptions(options);
-
-    if (!normalizedOptions.domainName || typeof normalizedOptions.domainName !== 'string') {
-      throw new HttpError('Invalid domain name');
-    }
-
-    const domainName = normalizedOptions.domainName;
-
-    if (!this.domainCertificates.has(domainName)) {
-      this.domainCertificates.set(domainName, {
-        options: normalizedOptions,
-        certObtained: false,
-        obtainingInProgress: false
-      });
-
-      console.log(`Domain added: ${domainName} with configuration:`, {
-        sslRedirect: normalizedOptions.sslRedirect,
-        acmeMaintenance: normalizedOptions.acmeMaintenance,
-        hasForward: !!normalizedOptions.forward,
-        hasAcmeForward: !!normalizedOptions.acmeForward,
-        routeReference: normalizedOptions.routeReference
-      });
-
-      // If acmeMaintenance is enabled and not a glob pattern, start certificate process immediately
-      if (normalizedOptions.acmeMaintenance && this.server && !this.isGlobPattern(domainName)) {
-        this.obtainCertificate(domainName).catch(err => {
-          console.error(`Error obtaining initial certificate for ${domainName}:`, err);
-        });
-      }
-    } else {
-      // Update existing domain with new options
-      const existing = this.domainCertificates.get(domainName)!;
-      existing.options = normalizedOptions;
-      console.log(`Domain ${domainName} configuration updated`);
-    }
-  }
-
-  /**
-   * Add domains from route configurations
-   * @param routes Array of route configurations
-   */
-  public addDomainsFromRoutes(routes: IRouteConfig[]): void {
-    // Extract Port80RouteOptions from routes
-    const routeOptions = extractPort80RoutesFromRoutes(routes);
-
-    // Add each domain
-    for (const options of routeOptions) {
-      this.addDomain(options);
-    }
-
-    console.log(`Added ${routeOptions.length} domains from routes for certificate management`);
-  }
-
-  /**
-   * Normalize options from either IDomainOptions or IPort80RouteOptions
-   * @param options Options to normalize
-   * @returns Normalized IDomainOptions
-   * @private
-   */
-  private normalizeOptions(options: IDomainOptions | IPort80RouteOptions): IDomainOptions {
-    // Handle IPort80RouteOptions format
-    if ('domain' in options) {
-      return {
-        domainName: options.domain,
-        sslRedirect: options.sslRedirect,
-        acmeMaintenance: options.acmeMaintenance,
-        forward: options.forward,
-        acmeForward: options.acmeForward,
-        routeReference: options.routeReference
-      };
-    }
-
-    // Already in IDomainOptions format
-    return options;
-  }
-
-  /**
-   * Removes a domain from management
-   * @param domain The domain to remove
-   */
-  public removeDomain(domain: string): void {
-    if (this.domainCertificates.delete(domain)) {
-      console.log(`Domain removed: ${domain}`);
-    }
-  }
-  
-  /**
-   * Gets the certificate for a domain if it exists
-   * @param domain The domain to get the certificate for
-   */
-  public getCertificate(domain: string): ICertificateData | null {
-    // Can't get certificates for glob patterns
-    if (this.isGlobPattern(domain)) {
-      return null;
-    }
-
-    const domainInfo = this.domainCertificates.get(domain);
-
-    if (!domainInfo || !domainInfo.certObtained || !domainInfo.certificate || !domainInfo.privateKey) {
-      return null;
-    }
-
-    return {
-      domain,
-      certificate: domainInfo.certificate,
-      privateKey: domainInfo.privateKey,
-      expiryDate: domainInfo.expiryDate || this.getDefaultExpiryDate()
-    };
-  }
-
-
-
-  /**
-   * Check if a domain is a glob pattern
-   * @param domain Domain to check
-   * @returns True if the domain is a glob pattern
-   */
-  private isGlobPattern(domain: string): boolean {
-    return domain.includes('*');
-  }
-  
-  /**
-   * Get domain info for a specific domain, using glob pattern matching if needed
-   * @param requestDomain The actual domain from the request
-   * @returns The domain info or null if not found
-   */
-  private getDomainInfoForRequest(requestDomain: string): { domainInfo: IDomainCertificate, pattern: string } | null {
-    // Try direct match first
-    if (this.domainCertificates.has(requestDomain)) {
-      return {
-        domainInfo: this.domainCertificates.get(requestDomain)!,
-        pattern: requestDomain
-      };
-    }
-
-    // Then try glob patterns
-    for (const [pattern, domainInfo] of this.domainCertificates.entries()) {
-      if (this.isGlobPattern(pattern) && this.domainMatchesPattern(requestDomain, pattern)) {
-        return { domainInfo, pattern };
-      }
-    }
-
-    return null;
-  }
-  
-  /**
-   * Check if a domain matches a glob pattern
-   * @param domain The domain to check
-   * @param pattern The pattern to match against
-   * @returns True if the domain matches the pattern
-   */
-  private domainMatchesPattern(domain: string, pattern: string): boolean {
-    // Handle different glob pattern styles
-    if (pattern.startsWith('*.')) {
-      // *.example.com matches any subdomain
-      const suffix = pattern.substring(2);
-      return domain.endsWith(suffix) && domain.includes('.') && domain !== suffix;
-    } else if (pattern.endsWith('.*')) {
-      // example.* matches any TLD
-      const prefix = pattern.substring(0, pattern.length - 2);
-      const domainParts = domain.split('.');
-      return domain.startsWith(prefix + '.') && domainParts.length >= 2;
-    } else if (pattern === '*') {
-      // Wildcard matches everything
-      return true;
-    } else {
-      // Exact match (shouldn't reach here as we check exact matches first)
-      return domain === pattern;
-    }
-  }
-
-
-  /**
-   * Handles incoming HTTP requests
-   * @param req The HTTP request
-   * @param res The HTTP response
-   */
-  private handleRequest(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void {
-    // Emit request received event with basic info
-    this.emit(HttpEvents.REQUEST_RECEIVED, {
-      url: req.url,
-      method: req.method,
-      headers: req.headers
-    });
-
-    const hostHeader = req.headers.host;
-    if (!hostHeader) {
-      res.statusCode = HttpStatus.BAD_REQUEST;
-      res.end('Bad Request: Host header is missing');
-      return;
-    }
-
-    // Extract domain (ignoring any port in the Host header)
-    const domain = hostHeader.split(':')[0];
-
-    // Check if this is an ACME challenge request that our ChallengeResponder can handle
-    if (this.challengeResponder && req.url?.startsWith('/.well-known/acme-challenge/')) {
-      // Handle ACME HTTP-01 challenge with the challenge responder
-      const domainMatch = this.getDomainInfoForRequest(domain);
-
-      // If there's a specific ACME forwarding config for this domain, use that instead
-      if (domainMatch?.domainInfo.options.acmeForward) {
-        this.forwardRequest(req, res, domainMatch.domainInfo.options.acmeForward, 'ACME challenge');
-        return;
-      }
-
-      // If domain exists and has acmeMaintenance enabled, or we don't have the domain yet
-      // (for auto-provisioning), try to handle the ACME challenge
-      if (!domainMatch || domainMatch.domainInfo.options.acmeMaintenance) {
-        // Let the challenge responder try to handle this request
-        if (this.challengeResponder.handleRequest(req, res)) {
-          // Challenge was handled
-          return;
-        }
-      }
-    }
-
-    // Dynamic provisioning: if domain not yet managed, register for ACME and return 503
-    if (!this.domainCertificates.has(domain)) {
-      try {
-        this.addDomain({ domainName: domain, sslRedirect: false, acmeMaintenance: true });
-      } catch (err) {
-        console.error(`Error registering domain for on-demand provisioning: ${err}`);
-      }
-      res.statusCode = HttpStatus.SERVICE_UNAVAILABLE;
-      res.end('Certificate issuance in progress');
-      return;
-    }
-
-    // Get domain config, using glob pattern matching if needed
-    const domainMatch = this.getDomainInfoForRequest(domain);
-    if (!domainMatch) {
-      res.statusCode = HttpStatus.NOT_FOUND;
-      res.end('Domain not configured');
-      return;
-    }
-
-    const { domainInfo, pattern } = domainMatch;
-    const options = domainInfo.options;
-
-    // Check if we should forward non-ACME requests
-    if (options.forward) {
-      this.forwardRequest(req, res, options.forward, 'HTTP');
-      return;
-    }
-
-    // If certificate exists and sslRedirect is enabled, redirect to HTTPS
-    // (Skip for glob patterns as they won't have certificates)
-    if (!this.isGlobPattern(pattern) && domainInfo.certObtained && options.sslRedirect) {
-      const httpsPort = this.options.httpsRedirectPort;
-      const portSuffix = httpsPort === 443 ? '' : `:${httpsPort}`;
-      const redirectUrl = `https://${domain}${portSuffix}${req.url || '/'}`;
-
-      res.statusCode = HttpStatus.MOVED_PERMANENTLY;
-      res.setHeader('Location', redirectUrl);
-      res.end(`Redirecting to ${redirectUrl}`);
-      return;
-    }
-
-    // Handle case where certificate maintenance is enabled but not yet obtained
-    // (Skip for glob patterns as they can't have certificates)
-    if (!this.isGlobPattern(pattern) && options.acmeMaintenance && !domainInfo.certObtained) {
-      // Trigger certificate issuance if not already running
-      if (!domainInfo.obtainingInProgress) {
-        this.obtainCertificate(domain).catch(err => {
-          const errorMessage = err instanceof Error ? err.message : 'Unknown error';
-          this.emit(CertificateEvents.CERTIFICATE_FAILED, {
-            domain,
-            error: errorMessage,
-            isRenewal: false
-          });
-          console.error(`Error obtaining certificate for ${domain}:`, err);
-        });
-      }
-
-      res.statusCode = HttpStatus.SERVICE_UNAVAILABLE;
-      res.end('Certificate issuance in progress, please try again later.');
-      return;
-    }
-
-    // Default response for unhandled request
-    res.statusCode = HttpStatus.NOT_FOUND;
-    res.end('No handlers configured for this request');
-
-    // Emit request handled event
-    this.emit(HttpEvents.REQUEST_HANDLED, {
-      domain,
-      url: req.url,
-      statusCode: res.statusCode
-    });
-  }
-  
-  /**
-   * Forwards an HTTP request to the specified target
-   * @param req The original request
-   * @param res The response object
-   * @param target The forwarding target (IP and port)
-   * @param requestType Type of request for logging
-   */
-  private forwardRequest(
-    req: plugins.http.IncomingMessage,
-    res: plugins.http.ServerResponse,
-    target: { ip: string; port: number },
-    requestType: string
-  ): void {
-    const options = {
-      hostname: target.ip,
-      port: target.port,
-      path: req.url,
-      method: req.method,
-      headers: { ...req.headers }
-    };
-
-    const domain = req.headers.host?.split(':')[0] || 'unknown';
-    console.log(`Forwarding ${requestType} request for ${domain} to ${target.ip}:${target.port}`);
-
-    const proxyReq = plugins.http.request(options, (proxyRes) => {
-      // Copy status code
-      res.statusCode = proxyRes.statusCode || HttpStatus.INTERNAL_SERVER_ERROR;
-
-      // Copy headers
-      for (const [key, value] of Object.entries(proxyRes.headers)) {
-        if (value) res.setHeader(key, value);
-      }
-
-      // Pipe response data
-      proxyRes.pipe(res);
-
-      this.emit(HttpEvents.REQUEST_FORWARDED, {
-        domain,
-        requestType,
-        target: `${target.ip}:${target.port}`,
-        statusCode: proxyRes.statusCode
-      });
-    });
-
-    proxyReq.on('error', (error) => {
-      console.error(`Error forwarding request to ${target.ip}:${target.port}:`, error);
-
-      this.emit(HttpEvents.REQUEST_ERROR, {
-        domain,
-        error: error.message,
-        target: `${target.ip}:${target.port}`
-      });
-
-      if (!res.headersSent) {
-        res.statusCode = HttpStatus.INTERNAL_SERVER_ERROR;
-        res.end(`Proxy error: ${error.message}`);
-      } else {
-        res.end();
-      }
-    });
-
-    // Pipe original request to proxy request
-    if (req.readable) {
-      req.pipe(proxyReq);
-    } else {
-      proxyReq.end();
-    }
-  }
-
-
-  /**
-   * Obtains a certificate for a domain using ACME HTTP-01 challenge
-   * @param domain The domain to obtain a certificate for
-   * @param isRenewal Whether this is a renewal attempt
-   */
-  private async obtainCertificate(domain: string, isRenewal: boolean = false): Promise<void> {
-    if (this.isGlobPattern(domain)) {
-      throw new CertificateError('Cannot obtain certificates for glob pattern domains', domain, isRenewal);
-    }
-
-    const domainInfo = this.domainCertificates.get(domain)!;
-
-    if (!domainInfo.options.acmeMaintenance) {
-      console.log(`Skipping certificate issuance for ${domain} - acmeMaintenance is disabled`);
-      return;
-    }
-
-    if (domainInfo.obtainingInProgress) {
-      console.log(`Certificate issuance already in progress for ${domain}`);
-      return;
-    }
-
-    if (!this.challengeResponder) {
-      throw new HttpError('Challenge responder is not initialized');
-    }
-
-    domainInfo.obtainingInProgress = true;
-    domainInfo.lastRenewalAttempt = new Date();
-
-    try {
-      // Request certificate via ChallengeResponder
-      // The ChallengeResponder handles all ACME client interactions and will emit events
-      const certData = await this.challengeResponder.requestCertificate(domain, isRenewal);
-
-      // Update domain info with certificate data
-      domainInfo.certificate = certData.certificate;
-      domainInfo.privateKey = certData.privateKey;
-      domainInfo.certObtained = true;
-      domainInfo.expiryDate = certData.expiryDate;
-
-      console.log(`Certificate ${isRenewal ? 'renewed' : 'obtained'} for ${domain}`);
-    } catch (error: any) {
-      const errorMsg = error instanceof Error ? error.message : String(error);
-      console.error(`Error during certificate issuance for ${domain}:`, error);
-      throw new CertificateError(errorMsg, domain, isRenewal);
-    } finally {
-      domainInfo.obtainingInProgress = false;
-    }
-  }
-
-  
-  /**
-   * Extract expiry date from certificate using a more robust approach
-   * @param certificate Certificate PEM string
-   * @param domain Domain for logging
-   * @returns Extracted expiry date or default
-   */
-  private extractExpiryDateFromCertificate(certificate: string, domain: string): Date {
-    try {
-      // This is still using regex, but in a real implementation you would use
-      // a library like node-forge or x509 to properly parse the certificate
-      const matches = certificate.match(/Not After\s*:\s*(.*?)(?:\n|$)/i);
-      if (matches && matches[1]) {
-        const expiryDate = new Date(matches[1]);
-        
-        // Validate that we got a valid date
-        if (!isNaN(expiryDate.getTime())) {
-          console.log(`Certificate for ${domain} will expire on ${expiryDate.toISOString()}`);
-          return expiryDate;
-        }
-      }
-      
-      console.warn(`Could not extract valid expiry date from certificate for ${domain}, using default`);
-      return this.getDefaultExpiryDate();
-    } catch (error) {
-      console.warn(`Failed to extract expiry date from certificate for ${domain}, using default`);
-      return this.getDefaultExpiryDate();
-    }
-  }
-  
-  /**
-   * Get a default expiry date (90 days from now)
-   * @returns Default expiry date
-   */
-  private getDefaultExpiryDate(): Date {
-    return new Date(Date.now() + 90 * 24 * 60 * 60 * 1000); // 90 days default
-  }
-  
-  /**
-   * Emits a certificate event with the certificate data
-   * @param eventType The event type to emit
-   * @param data The certificate data
-   */
-  private emitCertificateEvent(eventType: CertificateEvents, data: ICertificateData): void {
-    this.emit(eventType, data);
-  }
-  
-  /**
-   * Gets all domains and their certificate status
-   * @returns Map of domains to certificate status
-   */
-  public getDomainCertificateStatus(): Map<string, {
-    certObtained: boolean;
-    expiryDate?: Date;
-    daysRemaining?: number;
-    obtainingInProgress: boolean;
-    lastRenewalAttempt?: Date;
-  }> {
-    const result = new Map<string, {
-      certObtained: boolean;
-      expiryDate?: Date;
-      daysRemaining?: number;
-      obtainingInProgress: boolean;
-      lastRenewalAttempt?: Date;
-    }>();
-    
-    const now = new Date();
-    
-    for (const [domain, domainInfo] of this.domainCertificates.entries()) {
-      // Skip glob patterns
-      if (this.isGlobPattern(domain)) continue;
-      
-      const status: {
-        certObtained: boolean;
-        expiryDate?: Date;
-        daysRemaining?: number;
-        obtainingInProgress: boolean;
-        lastRenewalAttempt?: Date;
-      } = {
-        certObtained: domainInfo.certObtained,
-        expiryDate: domainInfo.expiryDate,
-        obtainingInProgress: domainInfo.obtainingInProgress,
-        lastRenewalAttempt: domainInfo.lastRenewalAttempt
-      };
-      
-      // Calculate days remaining if expiry date is available
-      if (domainInfo.expiryDate) {
-        const daysRemaining = Math.ceil(
-          (domainInfo.expiryDate.getTime() - now.getTime()) / (24 * 60 * 60 * 1000)
-        );
-        status.daysRemaining = daysRemaining;
-      }
-      
-      result.set(domain, status);
-    }
-    
-    return result;
-  }
-  
-  /**
-   * Request a certificate renewal for a specific domain.
-   * @param domain The domain to renew.
-   */
-  public async renewCertificate(domain: string): Promise<void> {
-    if (!this.domainCertificates.has(domain)) {
-      throw new HttpError(`Domain not managed: ${domain}`);
-    }
-    // Trigger renewal via ACME
-    await this.obtainCertificate(domain, true);
-  }
-}

ts/http/redirects/index.ts

@@ -1,3 +0,0 @@
-/**
- * HTTP redirects
- */

ts/index.ts

@@ -6,42 +6,43 @@
 // Migrated to the new proxies structure
 export * from './proxies/nftables-proxy/index.js';
 
-// Export NetworkProxy elements selectively to avoid RouteManager ambiguity
-export { NetworkProxy, CertificateManager, ConnectionPool, RequestHandler, WebSocketHandler } from './proxies/network-proxy/index.js';
-export type { IMetricsTracker, MetricsTracker } from './proxies/network-proxy/index.js';
-export * from './proxies/network-proxy/models/index.js';
-export { RouteManager as NetworkProxyRouteManager } from './proxies/network-proxy/models/types.js';
+// Export HttpProxy elements selectively to avoid RouteManager ambiguity
+export { HttpProxy, CertificateManager, ConnectionPool, RequestHandler, WebSocketHandler } from './proxies/http-proxy/index.js';
+export type { IMetricsTracker, MetricsTracker } from './proxies/http-proxy/index.js';
+// Export models except IAcmeOptions to avoid conflict
+export type { IHttpProxyOptions, ICertificateEntry, ILogger } from './proxies/http-proxy/models/types.js';
+export { RouteManager as HttpProxyRouteManager } from './proxies/http-proxy/models/types.js';
 
-// Export port80handler elements selectively to avoid conflicts
-export {
-  Port80Handler,
-  Port80HandlerError as HttpError,
-  ServerError,
-  CertificateError
-} from './http/port80/port80-handler.js';
-// Use re-export to control the names
-export { Port80HandlerEvents } from './certificate/events/certificate-events.js';
+// Backward compatibility exports (deprecated)
+export { HttpProxy as NetworkProxy } from './proxies/http-proxy/index.js';
+export type { IHttpProxyOptions as INetworkProxyOptions } from './proxies/http-proxy/models/types.js';
+export { HttpProxyBridge as NetworkProxyBridge } from './proxies/smart-proxy/index.js';
 
-export * from './redirect/classes.redirect.js';
+// Certificate and Port80 modules have been removed - use SmartCertManager instead
+// Redirect module has been removed - use route-based redirects instead
 
 // Export SmartProxy elements selectively to avoid RouteManager ambiguity
-export { SmartProxy, ConnectionManager, SecurityManager, TimeoutManager, TlsManager, NetworkProxyBridge, RouteConnectionHandler } from './proxies/smart-proxy/index.js';
+export { SmartProxy, ConnectionManager, SecurityManager, TimeoutManager, TlsManager, HttpProxyBridge, RouteConnectionHandler, SmartCertManager } from './proxies/smart-proxy/index.js';
 export { RouteManager } from './proxies/smart-proxy/route-manager.js';
-export * from './proxies/smart-proxy/models/index.js';
+// Export smart-proxy models
+export type { ISmartProxyOptions, IConnectionRecord, IRouteConfig, IRouteMatch, IRouteAction, IRouteTls, IRouteContext } from './proxies/smart-proxy/models/index.js';
+export type { TSmartProxyCertProvisionObject } from './proxies/smart-proxy/models/interfaces.js';
 export * from './proxies/smart-proxy/utils/index.js';
 
 // Original: export * from './smartproxy/classes.pp.snihandler.js'
 // Now we export from the new module
 export { SniHandler } from './tls/sni/sni-handler.js';
 // Original: export * from './smartproxy/classes.pp.interfaces.js'
-// Now we export from the new module
-export * from './proxies/smart-proxy/models/interfaces.js';
+// Now we export from the new module (selectively to avoid conflicts)
 
 // Core types and utilities
 export * from './core/models/common-types.js';
 
+// Export IAcmeOptions from one place only
+export type { IAcmeOptions } from './proxies/smart-proxy/models/interfaces.js';
+
 // Modular exports for new architecture
 export * as forwarding from './forwarding/index.js';
-export * as certificate from './certificate/index.js';
+// Certificate module has been removed - use SmartCertManager instead
 export * as tls from './tls/index.js';
-export * as http from './http/index.js';
+export * as routing from './routing/index.js';

ts/plugins.ts

@@ -21,10 +21,13 @@ import * as smartdelay from '@push.rocks/smartdelay';
 import * as smartpromise from '@push.rocks/smartpromise';
 import * as smartrequest from '@push.rocks/smartrequest';
 import * as smartstring from '@push.rocks/smartstring';
-
+import * as smartfile from '@push.rocks/smartfile';
+import * as smartcrypto from '@push.rocks/smartcrypto';
 import * as smartacme from '@push.rocks/smartacme';
 import * as smartacmePlugins from '@push.rocks/smartacme/dist_ts/smartacme.plugins.js';
 import * as smartacmeHandlers from '@push.rocks/smartacme/dist_ts/handlers/index.js';
+import * as smartlog from '@push.rocks/smartlog';
+import * as smartlogDestinationLocal from '@push.rocks/smartlog/destination-local';
 import * as taskbuffer from '@push.rocks/taskbuffer';
 
 export {
@@ -33,9 +36,13 @@ export {
   smartrequest,
   smartpromise,
   smartstring,
+  smartfile,
+  smartcrypto,
   smartacme,
   smartacmePlugins,
   smartacmeHandlers,
+  smartlog,
+  smartlogDestinationLocal,
   taskbuffer,
 };
 

ts/proxies/http-proxy/certificate-manager.ts

@@ -0,0 +1,193 @@
+import * as plugins from '../../plugins.js';
+import * as fs from 'fs';
+import * as path from 'path';
+import { fileURLToPath } from 'url';
+import { type IHttpProxyOptions, type ICertificateEntry, type ILogger, createLogger } from './models/types.js';
+import type { IRouteConfig } from '../smart-proxy/models/route-types.js';
+
+/**
+ * @deprecated This class is deprecated. Use SmartCertManager instead.
+ * 
+ * This is a stub implementation that maintains backward compatibility
+ * while the functionality has been moved to SmartCertManager.
+ */
+export class CertificateManager {
+  private defaultCertificates: { key: string; cert: string };
+  private certificateCache: Map<string, ICertificateEntry> = new Map();
+  private certificateStoreDir: string;
+  private logger: ILogger;
+  private httpsServer: plugins.https.Server | null = null;
+
+  constructor(private options: IHttpProxyOptions) {
+    this.certificateStoreDir = path.resolve(options.acme?.certificateStore || './certs');
+    this.logger = createLogger(options.logLevel || 'info');
+    
+    this.logger.warn('CertificateManager is deprecated - use SmartCertManager instead');
+    
+    // Ensure certificate store directory exists
+    try {
+      if (!fs.existsSync(this.certificateStoreDir)) {
+        fs.mkdirSync(this.certificateStoreDir, { recursive: true });
+        this.logger.info(`Created certificate store directory: ${this.certificateStoreDir}`);
+      }
+    } catch (error) {
+      this.logger.warn(`Failed to create certificate store directory: ${error}`);
+    }
+    
+    this.loadDefaultCertificates();
+  }
+  
+  /**
+   * Loads default certificates from the filesystem
+   */
+  public loadDefaultCertificates(): void {
+    const __dirname = path.dirname(fileURLToPath(import.meta.url));
+    const certPath = path.join(__dirname, '..', '..', '..', 'assets', 'certs');
+
+    try {
+      this.defaultCertificates = {
+        key: fs.readFileSync(path.join(certPath, 'key.pem'), 'utf8'),
+        cert: fs.readFileSync(path.join(certPath, 'cert.pem'), 'utf8')
+      };
+      this.logger.info('Loaded default certificates from filesystem');
+    } catch (error) {
+      this.logger.error(`Failed to load default certificates: ${error}`);
+      this.generateSelfSignedCertificate();
+    }
+  }
+
+  /**
+   * Generates self-signed certificates as fallback
+   */
+  private generateSelfSignedCertificate(): void {
+    // Generate a self-signed certificate using forge or similar
+    // For now, just use a placeholder
+    const selfSignedCert = `-----BEGIN CERTIFICATE-----
+MIIBkTCB+wIJAKHHIgIIA0/cMA0GCSqGSIb3DQEBBQUAMA0xCzAJBgNVBAYTAlVT
+MB4XDTE0MDEwMTAwMDAwMFoXDTI0MDEwMTAwMDAwMFowDTELMAkGA1UEBhMCVVMw
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMRiH0VwnOH3jCV7c6JFZWYrvuqy
+-----END CERTIFICATE-----`;
+    
+    const selfSignedKey = `-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAMRiH0VwnOH3jCV7
+c6JFZWYrvuqyALCLXj0pcr1iqNdHjegNXnkl5zjdaUjq4edNOKl7M1AlFiYjG2xk
+-----END PRIVATE KEY-----`;
+
+    this.defaultCertificates = {
+      key: selfSignedKey,
+      cert: selfSignedCert
+    };
+
+    this.logger.warn('Using self-signed certificate as fallback');
+  }
+
+  /**
+   * Gets the default certificates
+   */
+  public getDefaultCertificates(): { key: string; cert: string } {
+    return this.defaultCertificates;
+  }
+
+  /**
+   * @deprecated Use SmartCertManager instead
+   */
+  public setExternalPort80Handler(handler: any): void {
+    this.logger.warn('setExternalPort80Handler is deprecated - use SmartCertManager instead');
+  }
+
+  /**
+   * @deprecated Use SmartCertManager instead
+   */
+  public async updateRoutes(routes: IRouteConfig[]): Promise<void> {
+    this.logger.warn('updateRoutes is deprecated - use SmartCertManager instead');
+  }
+
+  /**
+   * Handles SNI callback to provide appropriate certificate
+   */
+  public handleSNI(domain: string, cb: (err: Error | null, ctx: plugins.tls.SecureContext) => void): void {
+    const certificate = this.getCachedCertificate(domain);
+    
+    if (certificate) {
+      const context = plugins.tls.createSecureContext({
+        key: certificate.key,
+        cert: certificate.cert
+      });
+      cb(null, context);
+      return;
+    }
+    
+    // Use default certificate if no domain-specific certificate found
+    const defaultContext = plugins.tls.createSecureContext({
+      key: this.defaultCertificates.key,
+      cert: this.defaultCertificates.cert
+    });
+    cb(null, defaultContext);
+  }
+
+  /**
+   * Updates a certificate in the cache
+   */
+  public updateCertificate(domain: string, cert: string, key: string): void {
+    this.certificateCache.set(domain, {
+      cert,
+      key,
+      expires: new Date(Date.now() + 90 * 24 * 60 * 60 * 1000) // 90 days
+    });
+    
+    this.logger.info(`Certificate updated for ${domain}`);
+  }
+
+  /**
+   * Gets a cached certificate
+   */
+  private getCachedCertificate(domain: string): ICertificateEntry | null {
+    return this.certificateCache.get(domain) || null;
+  }
+
+  /**
+   * @deprecated Use SmartCertManager instead
+   */
+  public async initializePort80Handler(): Promise<any> {
+    this.logger.warn('initializePort80Handler is deprecated - use SmartCertManager instead');
+    return null;
+  }
+
+  /**
+   * @deprecated Use SmartCertManager instead
+   */
+  public async stopPort80Handler(): Promise<void> {
+    this.logger.warn('stopPort80Handler is deprecated - use SmartCertManager instead');
+  }
+
+  /**
+   * @deprecated Use SmartCertManager instead
+   */
+  public registerDomainsWithPort80Handler(domains: string[]): void {
+    this.logger.warn('registerDomainsWithPort80Handler is deprecated - use SmartCertManager instead');
+  }
+
+  /**
+   * @deprecated Use SmartCertManager instead
+   */
+  public registerRoutesWithPort80Handler(routes: IRouteConfig[]): void {
+    this.logger.warn('registerRoutesWithPort80Handler is deprecated - use SmartCertManager instead');
+  }
+
+  /**
+   * Sets the HTTPS server for certificate updates
+   */
+  public setHttpsServer(server: plugins.https.Server): void {
+    this.httpsServer = server;
+  }
+
+  /**
+   * Gets statistics for metrics
+   */
+  public getStats() {
+    return {
+      cachedCertificates: this.certificateCache.size,
+      defaultCertEnabled: true
+    };
+  }
+}

ts/proxies/http-proxy/connection-pool.ts

@@ -1,5 +1,5 @@
 import * as plugins from '../../plugins.js';
-import { type INetworkProxyOptions, type IConnectionEntry, type ILogger, createLogger } from './models/types.js';
+import { type IHttpProxyOptions, type IConnectionEntry, type ILogger, createLogger } from './models/types.js';
 
 /**
  * Manages a pool of backend connections for efficient reuse
@@ -9,7 +9,7 @@ export class ConnectionPool {
   private roundRobinPositions: Map<string, number> = new Map();
   private logger: ILogger;
 
-  constructor(private options: INetworkProxyOptions) {
+  constructor(private options: IHttpProxyOptions) {
     this.logger = createLogger(options.logLevel || 'info');
   }
   

ts/proxies/http-proxy/handlers/index.ts

@@ -0,0 +1,6 @@
+/**
+ * HTTP handlers for various route types
+ */
+
+export { RedirectHandler } from './redirect-handler.js';
+export { StaticHandler } from './static-handler.js';

ts/proxies/http-proxy/handlers/redirect-handler.ts

@@ -0,0 +1,105 @@
+import * as plugins from '../../../plugins.js';
+import type { IRouteConfig } from '../../smart-proxy/models/route-types.js';
+import type { IConnectionRecord } from '../../smart-proxy/models/interfaces.js';
+import type { ILogger } from '../models/types.js';
+import { createLogger } from '../models/types.js';
+import { HttpStatus, getStatusText } from '../models/http-types.js';
+
+export interface IRedirectHandlerContext {
+  connectionId: string;
+  connectionManager: any; // Avoid circular deps
+  settings: any;
+  logger?: ILogger;
+}
+
+/**
+ * Handles HTTP redirect routes
+ */
+export class RedirectHandler {
+  /**
+   * Handle redirect routes
+   */
+  public static async handleRedirect(
+    socket: plugins.net.Socket,
+    route: IRouteConfig,
+    context: IRedirectHandlerContext
+  ): Promise<void> {
+    const { connectionId, connectionManager, settings } = context;
+    const logger = context.logger || createLogger(settings.logLevel || 'info');
+    const action = route.action;
+
+    // We should have a redirect configuration
+    if (!action.redirect) {
+      logger.error(`[${connectionId}] Redirect action missing redirect configuration`);
+      socket.end();
+      connectionManager.cleanupConnection({ id: connectionId }, 'missing_redirect');
+      return;
+    }
+
+    // For TLS connections, we can't do redirects at the TCP level
+    // This check should be done before calling this handler
+    
+    // Wait for the first HTTP request to perform the redirect
+    const dataListeners: ((chunk: Buffer) => void)[] = [];
+
+    const httpDataHandler = (chunk: Buffer) => {
+      // Remove all data listeners to avoid duplicated processing
+      for (const listener of dataListeners) {
+        socket.removeListener('data', listener);
+      }
+
+      // Parse HTTP request to get path
+      try {
+        const headersEnd = chunk.indexOf('\r\n\r\n');
+        if (headersEnd === -1) {
+          // Not a complete HTTP request, need more data
+          socket.once('data', httpDataHandler);
+          dataListeners.push(httpDataHandler);
+          return;
+        }
+
+        const httpHeaders = chunk.slice(0, headersEnd).toString();
+        const requestLine = httpHeaders.split('\r\n')[0];
+        const [method, path] = requestLine.split(' ');
+
+        // Extract Host header
+        const hostMatch = httpHeaders.match(/Host: (.+?)(\r\n|\r|\n|$)/i);
+        const host = hostMatch ? hostMatch[1].trim() : '';
+
+        // Process the redirect URL with template variables
+        let redirectUrl = action.redirect.to;
+        redirectUrl = redirectUrl.replace(/\{domain\}/g, host);
+        redirectUrl = redirectUrl.replace(/\{path\}/g, path || '');
+        redirectUrl = redirectUrl.replace(/\{port\}/g, socket.localPort?.toString() || '80');
+
+        // Prepare the HTTP redirect response
+        const redirectResponse = [
+          `HTTP/1.1 ${action.redirect.status} Moved`,
+          `Location: ${redirectUrl}`,
+          'Connection: close',
+          'Content-Length: 0',
+          '',
+          '',
+        ].join('\r\n');
+
+        if (settings.enableDetailedLogging) {
+          logger.info(
+            `[${connectionId}] Redirecting to ${redirectUrl} with status ${action.redirect.status}`
+          );
+        }
+
+        // Send the redirect response
+        socket.end(redirectResponse);
+        connectionManager.initiateCleanupOnce({ id: connectionId }, 'redirect_complete');
+      } catch (err) {
+        logger.error(`[${connectionId}] Error processing HTTP redirect: ${err}`);
+        socket.end();
+        connectionManager.initiateCleanupOnce({ id: connectionId }, 'redirect_error');
+      }
+    };
+
+    // Setup the HTTP data handler
+    socket.once('data', httpDataHandler);
+    dataListeners.push(httpDataHandler);
+  }
+}

ts/proxies/http-proxy/handlers/static-handler.ts

@@ -0,0 +1,261 @@
+import * as plugins from '../../../plugins.js';
+import type { IRouteConfig } from '../../smart-proxy/models/route-types.js';
+import type { IConnectionRecord } from '../../smart-proxy/models/interfaces.js';
+import type { ILogger } from '../models/types.js';
+import { createLogger } from '../models/types.js';
+import type { IRouteContext } from '../../../core/models/route-context.js';
+import { HttpStatus, getStatusText } from '../models/http-types.js';
+
+export interface IStaticHandlerContext {
+  connectionId: string;
+  connectionManager: any; // Avoid circular deps
+  settings: any;
+  logger?: ILogger;
+}
+
+/**
+ * Handles static routes including ACME challenges
+ */
+export class StaticHandler {
+  /**
+   * Handle static routes
+   */
+  public static async handleStatic(
+    socket: plugins.net.Socket,
+    route: IRouteConfig,
+    context: IStaticHandlerContext,
+    record: IConnectionRecord,
+    initialChunk?: Buffer
+  ): Promise<void> {
+    const { connectionId, connectionManager, settings } = context;
+    const logger = context.logger || createLogger(settings.logLevel || 'info');
+
+    if (!route.action.handler) {
+      logger.error(`[${connectionId}] Static route '${route.name}' has no handler`);
+      socket.end();
+      connectionManager.cleanupConnection(record, 'no_handler');
+      return;
+    }
+
+    let buffer = Buffer.alloc(0);
+    let processingData = false;
+
+    const handleHttpData = async (chunk: Buffer) => {
+      // Accumulate the data
+      buffer = Buffer.concat([buffer, chunk]);
+
+      // Prevent concurrent processing of the same buffer
+      if (processingData) return;
+      processingData = true;
+
+      try {
+        // Process data until we have a complete request or need more data
+        await processBuffer();
+      } finally {
+        processingData = false;
+      }
+    };
+
+    const processBuffer = async () => {
+      // Look for end of HTTP headers
+      const headerEndIndex = buffer.indexOf('\r\n\r\n');
+      if (headerEndIndex === -1) {
+        // Need more data
+        if (buffer.length > 8192) {
+          // Prevent excessive buffering
+          logger.error(`[${connectionId}] HTTP headers too large`);
+          socket.end();
+          connectionManager.cleanupConnection(record, 'headers_too_large');
+        }
+        return; // Wait for more data to arrive
+      }
+
+      // Parse the HTTP request
+      const headerBuffer = buffer.slice(0, headerEndIndex);
+      const headers = headerBuffer.toString();
+      const lines = headers.split('\r\n');
+
+      if (lines.length === 0) {
+        logger.error(`[${connectionId}] Invalid HTTP request`);
+        socket.end();
+        connectionManager.cleanupConnection(record, 'invalid_request');
+        return;
+      }
+
+      // Parse request line
+      const requestLine = lines[0];
+      const requestParts = requestLine.split(' ');
+      if (requestParts.length < 3) {
+        logger.error(`[${connectionId}] Invalid HTTP request line`);
+        socket.end();
+        connectionManager.cleanupConnection(record, 'invalid_request_line');
+        return;
+      }
+
+      const [method, path, httpVersion] = requestParts;
+
+      // Parse headers
+      const headersMap: Record<string, string> = {};
+      for (let i = 1; i < lines.length; i++) {
+        const colonIndex = lines[i].indexOf(':');
+        if (colonIndex > 0) {
+          const key = lines[i].slice(0, colonIndex).trim().toLowerCase();
+          const value = lines[i].slice(colonIndex + 1).trim();
+          headersMap[key] = value;
+        }
+      }
+
+      // Check for Content-Length to handle request body
+      const requestBodyLength = parseInt(headersMap['content-length'] || '0', 10);
+      const bodyStartIndex = headerEndIndex + 4; // Skip the \r\n\r\n
+
+      // If there's a body, ensure we have the full body
+      if (requestBodyLength > 0) {
+        const totalExpectedLength = bodyStartIndex + requestBodyLength;
+
+        // If we don't have the complete body yet, wait for more data
+        if (buffer.length < totalExpectedLength) {
+          // Implement a reasonable body size limit to prevent memory issues
+          if (requestBodyLength > 1024 * 1024) {
+            // 1MB limit
+            logger.error(`[${connectionId}] Request body too large`);
+            socket.end();
+            connectionManager.cleanupConnection(record, 'body_too_large');
+            return;
+          }
+          return; // Wait for more data
+        }
+      }
+
+      // Extract query string if present
+      let pathname = path;
+      let query: string | undefined;
+      const queryIndex = path.indexOf('?');
+      if (queryIndex !== -1) {
+        pathname = path.slice(0, queryIndex);
+        query = path.slice(queryIndex + 1);
+      }
+
+      try {
+        // Get request body if present
+        let requestBody: Buffer | undefined;
+        if (requestBodyLength > 0) {
+          requestBody = buffer.slice(bodyStartIndex, bodyStartIndex + requestBodyLength);
+        }
+
+        // Pause socket to prevent data loss during async processing
+        socket.pause();
+
+        // Remove the data listener since we're handling the request
+        socket.removeListener('data', handleHttpData);
+
+        // Build route context with parsed HTTP information
+        const context: IRouteContext = {
+          port: record.localPort,
+          domain: record.lockedDomain || headersMap['host']?.split(':')[0],
+          clientIp: record.remoteIP,
+          serverIp: socket.localAddress!,
+          path: pathname,
+          query: query,
+          headers: headersMap,
+          isTls: record.isTLS,
+          tlsVersion: record.tlsVersion,
+          routeName: route.name,
+          routeId: route.id,
+          timestamp: Date.now(),
+          connectionId,
+        };
+
+        // Since IRouteContext doesn't have a body property,
+        // we need an alternative approach to handle the body
+        let response;
+
+        if (requestBody) {
+          if (settings.enableDetailedLogging) {
+            logger.info(
+              `[${connectionId}] Processing request with body (${requestBody.length} bytes)`
+            );
+          }
+
+          // Pass the body as an additional parameter by extending the context object
+          // This is not type-safe, but it allows handlers that expect a body to work
+          const extendedContext = {
+            ...context,
+            // Provide both raw buffer and string representation
+            requestBody: requestBody,
+            requestBodyText: requestBody.toString(),
+            method: method,
+          };
+
+          // Call the handler with the extended context
+          // The handler needs to know to look for the non-standard properties
+          response = await route.action.handler(extendedContext as any);
+        } else {
+          // Call the handler with the standard context
+          const extendedContext = {
+            ...context,
+            method: method,
+          };
+          response = await route.action.handler(extendedContext as any);
+        }
+
+        // Prepare the HTTP response
+        const responseHeaders = response.headers || {};
+        const contentLength = Buffer.byteLength(response.body || '');
+        responseHeaders['Content-Length'] = contentLength.toString();
+
+        if (!responseHeaders['Content-Type']) {
+          responseHeaders['Content-Type'] = 'text/plain';
+        }
+
+        // Build the response
+        let httpResponse = `HTTP/1.1 ${response.status} ${getStatusText(response.status)}\r\n`;
+        for (const [key, value] of Object.entries(responseHeaders)) {
+          httpResponse += `${key}: ${value}\r\n`;
+        }
+        httpResponse += '\r\n';
+
+        // Send response
+        socket.write(httpResponse);
+        if (response.body) {
+          socket.write(response.body);
+        }
+        socket.end();
+
+        connectionManager.cleanupConnection(record, 'completed');
+      } catch (error) {
+        logger.error(`[${connectionId}] Error in static handler: ${error}`);
+
+        // Send error response
+        const errorResponse =
+          'HTTP/1.1 500 Internal Server Error\r\n' +
+          'Content-Type: text/plain\r\n' +
+          'Content-Length: 21\r\n' +
+          '\r\n' +
+          'Internal Server Error';
+        socket.write(errorResponse);
+        socket.end();
+
+        connectionManager.cleanupConnection(record, 'handler_error');
+      }
+    };
+
+    // Process initial chunk if provided
+    if (initialChunk && initialChunk.length > 0) {
+      if (settings.enableDetailedLogging) {
+        logger.info(`[${connectionId}] Processing initial data chunk (${initialChunk.length} bytes)`);
+      }
+      // Process the initial chunk immediately
+      handleHttpData(initialChunk);
+    }
+
+    // Listen for additional data
+    socket.on('data', handleHttpData);
+
+    // Ensure cleanup on socket close
+    socket.once('close', () => {
+      socket.removeListener('data', handleHttpData);
+    });
+  }
+}
+