19.2.0

certs/static-route/cert.pem

@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
+MIIC...
+-----END CERTIFICATE-----

certs/static-route/key.pem

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MIIE...
+-----END PRIVATE KEY-----

certs/static-route/meta.json

@@ -0,0 +1,5 @@
+{
+  "expiryDate": "2025-08-16T18:25:31.732Z",
+  "issueDate": "2025-05-18T18:25:31.732Z",
+  "savedAt": "2025-05-18T18:25:31.734Z"
+}

changelog.md

@@ -1,5 +1,33 @@
 # Changelog
 
+## 2025-05-18 - 19.2.0 - feat(acme)
+Improve certificate management by adding global ACME configuration support and allowing route-level overrides. Enhanced error messages help identify missing ACME email and misconfigurations (e.g. wildcard domains). Documentation has been updated and new tests added to verify SmartCertManager behavior, ensuring a clearer migration path from legacy implementations.
+
+- Added global ACME defaults (email, useProduction, port, renewThresholdDays, etc.) in SmartProxy options
+- Route-level ACME configuration now overrides global defaults
+- Improved validation and error messages when ACME email is missing or configuration is misconfigured
+- Updated SmartCertManager to consume global ACME settings and set proper renewal thresholds
+- Removed legacy certificate modules and port80-specific code
+- Documentation updated in readme.md, readme.hints.md, certificate-management.md, and readme.plan.md
+- New tests added in test.acme-configuration.node.ts to verify ACME configuration and migration warnings
+
+## 2025-05-18 - 19.1.0 - feat(RouteManager)
+Add getAllRoutes API to RouteManager and update test environment to improve timeouts, logging, and cleanup; remove deprecated test files and adjust devDependencies accordingly
+
+- Removed @push.rocks/tapbundle from devDependencies in package.json
+- Deleted deprecated test.certprovisioner.unit.ts file
+- Improved timeout handling and cleanup logic in test.networkproxy.function-targets.ts
+- Added getAllRoutes public method to RouteManager to retrieve all routes
+- Minor adjustments in SmartAcme integration tests with updated certificate fixture format
+
+## 2025-05-18 - 19.0.0 - BREAKING CHANGE(certificates)
+Remove legacy certificate modules and Port80Handler; update documentation and route configurations to use SmartCertManager for certificate management.
+
+- Removed deprecated files under ts/certificate (acme, events, storage, providers) and ts/http/port80.
+- Updated readme.md and docs/certificate-management.md to reflect new SmartCertManager integration and removal of Port80Handler.
+- Updated route types and models to remove legacy certificate types and references to Port80Handler.
+- Bumped major version to reflect breaking changes in certificate management.
+
 ## 2025-05-18 - 18.2.0 - feat(smartproxy/certificate)
 Integrate HTTP-01 challenge handler into ACME certificate provisioning workflow
 

docs/certificate-management.md

@@ -0,0 +1,259 @@
+# Certificate Management in SmartProxy v19+
+
+## Overview
+
+SmartProxy v19+ enhances certificate management with support for both global and route-level ACME configuration. This guide covers the updated certificate management system, which now supports flexible configuration hierarchies.
+
+## Key Changes from Previous Versions
+
+### v19.0.0 Changes
+- **Global ACME configuration**: Set default ACME settings for all routes with `certificate: 'auto'`
+- **Configuration hierarchy**: Top-level ACME settings serve as defaults, route-level settings override
+- **Better error messages**: Clear guidance when ACME configuration is missing
+- **Improved validation**: Configuration validation warns about common issues
+
+### v18.0.0 Changes (from v17)
+- **No backward compatibility**: Clean break from the legacy certificate system
+- **No separate Port80Handler**: ACME challenges handled as regular SmartProxy routes
+- **Unified route-based configuration**: Certificates configured directly in route definitions
+- **Direct integration with @push.rocks/smartacme**: Leverages SmartAcme's built-in capabilities
+
+## Configuration
+
+### Global ACME Configuration (New in v19+)
+
+Set default ACME settings at the top level that apply to all routes with `certificate: 'auto'`:
+
+```typescript
+const proxy = new SmartProxy({
+  // Global ACME defaults
+  acme: {
+    email: 'ssl@example.com',         // Required for Let's Encrypt
+    useProduction: false,             // Use staging by default
+    port: 80,                         // Port for HTTP-01 challenges
+    renewThresholdDays: 30,           // Renew 30 days before expiry
+    certificateStore: './certs',      // Certificate storage directory
+    autoRenew: true,                  // Enable automatic renewal
+    renewCheckIntervalHours: 24       // Check for renewals daily
+  },
+  
+  routes: [
+    // Routes using certificate: 'auto' will inherit global settings
+    {
+      name: 'website',
+      match: { ports: 443, domains: 'example.com' },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8080 },
+        tls: {
+          mode: 'terminate',
+          certificate: 'auto'  // Uses global ACME configuration
+        }
+      }
+    }
+  ]
+});
+```
+
+### Route-Level Certificate Configuration
+
+Certificates are now configured at the route level using the `tls` property:
+
+```typescript
+const route: IRouteConfig = {
+  name: 'secure-website',
+  match: {
+    ports: 443,
+    domains: ['example.com', 'www.example.com']
+  },
+  action: {
+    type: 'forward',
+    target: { host: 'localhost', port: 8080 },
+    tls: {
+      mode: 'terminate',
+      certificate: 'auto',  // Use ACME (Let's Encrypt)
+      acme: {
+        email: 'admin@example.com',
+        useProduction: true,
+        renewBeforeDays: 30
+      }
+    }
+  }
+};
+```
+
+### Static Certificate Configuration
+
+For manually managed certificates:
+
+```typescript
+const route: IRouteConfig = {
+  name: 'api-endpoint',
+  match: {
+    ports: 443,
+    domains: 'api.example.com'
+  },
+  action: {
+    type: 'forward',
+    target: { host: 'localhost', port: 9000 },
+    tls: {
+      mode: 'terminate',
+      certificate: {
+        certFile: './certs/api.crt',
+        keyFile: './certs/api.key',
+        ca: '...' // Optional CA chain
+      }
+    }
+  }
+};
+```
+
+## TLS Modes
+
+SmartProxy supports three TLS modes:
+
+1. **terminate**: Decrypt TLS at the proxy and forward plain HTTP
+2. **passthrough**: Pass encrypted TLS traffic directly to the backend
+3. **terminate-and-reencrypt**: Decrypt at proxy, then re-encrypt to backend
+
+## Certificate Storage
+
+Certificates are stored in the `./certs` directory by default:
+
+```
+./certs/
+├── route-name/
+│   ├── cert.pem
+│   ├── key.pem
+│   ├── ca.pem (if available)
+│   └── meta.json
+```
+
+## ACME Integration
+
+### How It Works
+
+1. SmartProxy creates a high-priority route for ACME challenges
+2. When ACME server makes requests to `/.well-known/acme-challenge/*`, SmartProxy handles them automatically
+3. Certificates are obtained and stored locally
+4. Automatic renewal checks every 12 hours
+
+### Configuration Options
+
+```typescript
+export interface IRouteAcme {
+  email: string;                    // Contact email for ACME account
+  useProduction?: boolean;          // Use production servers (default: false)
+  challengePort?: number;           // Port for HTTP-01 challenges (default: 80)
+  renewBeforeDays?: number;         // Days before expiry to renew (default: 30)
+}
+```
+
+## Advanced Usage
+
+### Manual Certificate Operations
+
+```typescript
+// Get certificate status
+const status = proxy.getCertificateStatus('route-name');
+console.log(status);
+// {
+//   domain: 'example.com',
+//   status: 'valid',
+//   source: 'acme',
+//   expiryDate: Date,
+//   issueDate: Date
+// }
+
+// Force certificate renewal
+await proxy.renewCertificate('route-name');
+
+// Manually provision a certificate
+await proxy.provisionCertificate('route-name');
+```
+
+### Events
+
+SmartProxy emits certificate-related events:
+
+```typescript
+proxy.on('certificate:issued', (event) => {
+  console.log(`New certificate for ${event.domain}`);
+});
+
+proxy.on('certificate:renewed', (event) => {
+  console.log(`Certificate renewed for ${event.domain}`);
+});
+
+proxy.on('certificate:expiring', (event) => {
+  console.log(`Certificate expiring soon for ${event.domain}`);
+});
+```
+
+## Migration from Previous Versions
+
+### Before (v17 and earlier)
+
+```typescript
+// Old approach with Port80Handler
+const smartproxy = new SmartProxy({
+  port: 443,
+  acme: {
+    enabled: true,
+    accountEmail: 'admin@example.com',
+    // ... other ACME options
+  }
+});
+
+// Certificate provisioning was automatic or via certProvisionFunction
+```
+
+### After (v18+)
+
+```typescript
+// New approach with route-based configuration
+const smartproxy = new SmartProxy({
+  routes: [{
+    match: { ports: 443, domains: 'example.com' },
+    action: {
+      type: 'forward',
+      target: { host: 'localhost', port: 8080 },
+      tls: {
+        mode: 'terminate',
+        certificate: 'auto',
+        acme: {
+          email: 'admin@example.com',
+          useProduction: true
+        }
+      }
+    }
+  }]
+});
+```
+
+## Troubleshooting
+
+### Common Issues
+
+1. **Certificate not provisioning**: Ensure port 80 is accessible for ACME challenges
+2. **ACME rate limits**: Use staging environment for testing
+3. **Permission errors**: Ensure the certificate directory is writable
+
+### Debug Mode
+
+Enable detailed logging to troubleshoot certificate issues:
+
+```typescript
+const proxy = new SmartProxy({
+  enableDetailedLogging: true,
+  // ... other options
+});
+```
+
+## Best Practices
+
+1. **Always test with staging ACME servers first**
+2. **Set up monitoring for certificate expiration**
+3. **Use meaningful route names for easier certificate management**
+4. **Store static certificates securely with appropriate permissions**
+5. **Implement certificate status monitoring in production**

implementation-summary.md

@@ -0,0 +1,92 @@
+# SmartProxy ACME Simplification Implementation Summary
+
+## Overview
+
+We successfully implemented comprehensive support for both global and route-level ACME configuration in SmartProxy v19.0.0, addressing the certificate acquisition issues and improving the developer experience.
+
+## What Was Implemented
+
+### 1. Enhanced Configuration Support
+- Added global ACME configuration at the SmartProxy level
+- Maintained support for route-level ACME configuration
+- Implemented configuration hierarchy where global settings serve as defaults
+- Route-level settings override global defaults when specified
+
+### 2. Updated Core Components
+
+#### SmartProxy Class (`smart-proxy.ts`)
+- Enhanced ACME configuration normalization in constructor
+- Added support for both `email` and `accountEmail` fields
+- Updated `initializeCertificateManager` to prioritize configurations correctly
+- Added `validateAcmeConfiguration` method for comprehensive validation
+
+#### SmartCertManager Class (`certificate-manager.ts`)
+- Added `globalAcmeDefaults` property to store top-level configuration
+- Implemented `setGlobalAcmeDefaults` method
+- Updated `provisionAcmeCertificate` to use global defaults
+- Enhanced error messages to guide users to correct configuration
+
+#### ISmartProxyOptions Interface (`interfaces.ts`)
+- Added comprehensive documentation for global ACME configuration
+- Enhanced IAcmeOptions interface with better field descriptions
+- Added example usage in JSDoc comments
+
+### 3. Configuration Validation
+- Checks for missing ACME email configuration
+- Validates port 80 availability for HTTP-01 challenges
+- Warns about wildcard domains with auto certificates
+- Detects environment mismatches between global and route configs
+
+### 4. Test Coverage
+Created comprehensive test suite (`test.acme-configuration.node.ts`):
+- Top-level ACME configuration
+- Route-level ACME configuration
+- Mixed configuration with overrides
+- Error handling for missing email
+- Support for accountEmail alias
+
+### 5. Documentation Updates
+
+#### Main README (`readme.md`)
+- Added global ACME configuration example
+- Updated code examples to show both configuration styles
+- Added dedicated ACME configuration section
+
+#### Certificate Management Guide (`certificate-management.md`)
+- Updated for v19.0.0 changes
+- Added configuration hierarchy explanation
+- Included troubleshooting section
+- Added migration guide from v18
+
+#### Readme Hints (`readme.hints.md`)
+- Added breaking change warning for ACME configuration
+- Included correct configuration example
+- Added migration considerations
+
+## Key Benefits
+
+1. **Reduced Configuration Duplication**: Global ACME settings eliminate need to repeat configuration
+2. **Better Developer Experience**: Clear error messages guide users to correct configuration
+3. **Backward Compatibility**: Route-level configuration still works as before
+4. **Flexible Configuration**: Can mix global defaults with route-specific overrides
+5. **Improved Validation**: Warns about common configuration issues
+
+## Testing Results
+
+All tests pass successfully:
+- Global ACME configuration works correctly
+- Route-level configuration continues to function
+- Configuration hierarchy behaves as expected
+- Error messages provide clear guidance
+
+## Migration Path
+
+For users upgrading from v18:
+1. Existing route-level ACME configuration continues to work
+2. Can optionally move common settings to global level
+3. Route-specific overrides remain available
+4. No breaking changes for existing configurations
+
+## Conclusion
+
+The implementation successfully addresses the original issue where SmartAcme was not initialized due to missing configuration. Users now have flexible options for configuring ACME, with clear error messages and comprehensive documentation to guide them.

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "18.2.0",
+  "version": "19.2.0",
   "private": false,
   "description": "A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",
@@ -18,7 +18,6 @@
     "@git.zone/tsbuild": "^2.5.1",
     "@git.zone/tsrun": "^1.2.44",
     "@git.zone/tstest": "^1.9.0",
-    "@push.rocks/tapbundle": "^6.0.3",
     "@types/node": "^22.15.18",
     "typescript": "^5.8.3"
   },

readme.hints.md

@@ -4,6 +4,12 @@
 - Package: `@push.rocks/smartproxy` – high-performance proxy supporting HTTP(S), TCP, WebSocket, and ACME integration.
 - Written in TypeScript, compiled output in `dist_ts/`, uses ESM with NodeNext resolution.
 
+## Important: ACME Configuration in v19.0.0
+- **Breaking Change**: ACME configuration must be placed within individual route TLS settings, not at the top level
+- Route-level ACME config is the ONLY way to enable SmartAcme initialization
+- SmartCertManager requires email in route config for certificate acquisition
+- Top-level ACME configuration is ignored in v19.0.0
+
 ## Repository Structure
 - `ts/` – TypeScript source files:
   - `index.ts` exports main modules.
@@ -57,8 +63,32 @@
 - CLI entrypoint (`cli.js`) supports command-line usage (ACME, proxy controls).
 - ACME and certificate handling via `Port80Handler` and `helpers.certificates.ts`.
 
+## ACME/Certificate Configuration Example (v19.0.0)
+```typescript
+const proxy = new SmartProxy({
+  routes: [{
+    name: 'example.com',
+    match: { domains: 'example.com', ports: 443 },
+    action: {
+      type: 'forward',
+      target: { host: 'localhost', port: 8080 },
+      tls: {
+        mode: 'terminate',
+        certificate: 'auto',
+        acme: {  // ACME config MUST be here, not at top level
+          email: 'ssl@example.com',
+          useProduction: false,
+          challengePort: 80
+        }
+      }
+    }
+  }]
+});
+```
+
 ## TODOs / Considerations
 - Ensure import extensions in source match build outputs (`.ts` vs `.js`).
 - Update `plugins.ts` when adding new dependencies.
 - Maintain test coverage for new routing or proxy features.
-- Keep `ts/` and `dist_ts/` in sync after refactors.
+- Keep `ts/` and `dist_ts/` in sync after refactors.
+- Consider implementing top-level ACME config support for backward compatibility

readme.md

@@ -21,10 +21,10 @@ SmartProxy has been restructured using a modern, modular architecture with a uni
 │   ├── /models               # Data models and interfaces
 │   ├── /utils                # Shared utilities (IP validation, logging, etc.)
 │   └── /events               # Common event definitions
-├── /certificate              # Certificate management
-│   ├── /acme                 # ACME-specific functionality
-│   ├── /providers            # Certificate providers (static, ACME)
-│   └── /storage              # Certificate storage mechanisms
+├── /certificate              # Certificate management (deprecated in v18+)
+│   ├── /acme                 # Moved to SmartCertManager
+│   ├── /providers            # Now integrated in route configuration 
+│   └── /storage              # Now uses CertStore
 ├── /forwarding               # Forwarding system
 │   ├── /handlers             # Various forwarding handlers
 │   │   ├── base-handler.ts   # Abstract base handler
@@ -37,6 +37,8 @@ SmartProxy has been restructured using a modern, modular architecture with a uni
 │   │   ├── /models           # SmartProxy-specific interfaces
 │   │   │   ├── route-types.ts # Route-based configuration types
 │   │   │   └── interfaces.ts  # SmartProxy interfaces
+│   │   ├── certificate-manager.ts # SmartCertManager (new in v18+)
+│   │   ├── cert-store.ts     # Certificate file storage
 │   │   ├── route-helpers.ts  # Helper functions for creating routes
 │   │   ├── route-manager.ts  # Route management system
 │   │   ├── smart-proxy.ts    # Main SmartProxy class
@@ -47,7 +49,7 @@ SmartProxy has been restructured using a modern, modular architecture with a uni
 │   ├── /sni                  # SNI handling components
 │   └── /alerts               # TLS alerts system
 └── /http                     # HTTP-specific functionality
-    ├── /port80               # Port80Handler components
+    ├── /port80               # Port80Handler (removed in v18+)
     ├── /router               # HTTP routing system
     └── /redirects            # Redirect handlers
 ```
@@ -132,6 +134,14 @@ import {
 
 // Create a new SmartProxy instance with route-based configuration
 const proxy = new SmartProxy({
+  // Global ACME settings for all routes with certificate: 'auto'
+  acme: {
+    email: 'ssl@example.com',      // Required for Let's Encrypt
+    useProduction: false,          // Use staging by default
+    renewThresholdDays: 30,        // Renew 30 days before expiry
+    port: 80                       // Port for HTTP-01 challenges
+  },
+  
   // Define all your routing rules in a single array
   routes: [
     // Basic HTTP route - forward traffic from port 80 to internal service
@@ -139,7 +149,7 @@ const proxy = new SmartProxy({
 
     // HTTPS route with TLS termination and automatic certificates
     createHttpsTerminateRoute('secure.example.com', { host: 'localhost', port: 8080 }, {
-      certificate: 'auto'  // Use Let's Encrypt
+      certificate: 'auto'  // Uses global ACME settings
     }),
 
     // HTTPS passthrough for legacy systems
@@ -348,6 +358,66 @@ interface IRouteAction {
 }
 ```
 
+### ACME/Let's Encrypt Configuration
+
+SmartProxy supports automatic certificate provisioning and renewal with Let's Encrypt. ACME can be configured globally or per-route.
+
+#### Global ACME Configuration
+Set default ACME settings for all routes with `certificate: 'auto'`:
+
+```typescript
+const proxy = new SmartProxy({
+  // Global ACME configuration
+  acme: {
+    email: 'ssl@example.com',         // Required - Let's Encrypt account email
+    useProduction: false,             // Use staging (false) or production (true)
+    renewThresholdDays: 30,           // Renew certificates 30 days before expiry
+    port: 80,                         // Port for HTTP-01 challenges
+    certificateStore: './certs',      // Directory to store certificates
+    autoRenew: true,                  // Enable automatic renewal
+    renewCheckIntervalHours: 24       // Check for renewals every 24 hours
+  },
+  
+  routes: [
+    // This route will use the global ACME settings
+    {
+      name: 'website',
+      match: { ports: 443, domains: 'example.com' },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8080 },
+        tls: {
+          mode: 'terminate',
+          certificate: 'auto'  // Uses global ACME configuration
+        }
+      }
+    }
+  ]
+});
+```
+
+#### Route-Specific ACME Configuration
+Override global settings for specific routes:
+
+```typescript
+{
+  name: 'api',
+  match: { ports: 443, domains: 'api.example.com' },
+  action: {
+    type: 'forward',
+    target: { host: 'localhost', port: 3000 },
+    tls: {
+      mode: 'terminate',
+      certificate: 'auto',
+      acme: {
+        email: 'api-ssl@example.com',  // Different email for this route
+        useProduction: true,           // Use production while global uses staging
+        renewBeforeDays: 60            // Route-specific renewal threshold
+      }
+    }
+  }
+}
+
 **Forward Action:**
 When `type: 'forward'`, the traffic is forwarded to the specified target:
 ```typescript
@@ -1411,6 +1481,12 @@ NetworkProxy now supports full route-based configuration including:
 - `useIPSets` (boolean, default true)
 - `qos`, `netProxyIntegration` (objects)
 
+## Documentation
+
+- [Certificate Management](docs/certificate-management.md) - Detailed guide on certificate provisioning and ACME integration
+- [Port Handling](docs/porthandling.md) - Dynamic port management and runtime configuration
+- [NFTables Integration](docs/nftables-integration.md) - High-performance kernel-level forwarding
+
 ## Troubleshooting
 
 ### SmartProxy

test/test.acme-configuration.node.ts

@@ -0,0 +1,144 @@
+import { expect, tap } from '@push.rocks/tapbundle';
+import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
+
+let smartProxy: SmartProxy;
+
+tap.test('should create SmartProxy with top-level ACME configuration', async () => {
+  smartProxy = new SmartProxy({
+    // Top-level ACME configuration
+    acme: {
+      email: 'test@example.com',
+      useProduction: false,
+      port: 80,
+      renewThresholdDays: 30
+    },
+    routes: [{
+      name: 'example.com',
+      match: { domains: 'example.com', ports: 443 },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8080 },
+        tls: {
+          mode: 'terminate',
+          certificate: 'auto'  // Uses top-level ACME config
+        }
+      }
+    }]
+  });
+  
+  expect(smartProxy).toBeInstanceOf(SmartProxy);
+  expect(smartProxy.settings.acme?.email).toEqual('test@example.com');
+  expect(smartProxy.settings.acme?.useProduction).toEqual(false);
+});
+
+tap.test('should support route-level ACME configuration', async () => {
+  const proxy = new SmartProxy({
+    routes: [{
+      name: 'custom.com',
+      match: { domains: 'custom.com', ports: 443 },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8080 },
+        tls: {
+          mode: 'terminate',
+          certificate: 'auto',
+          acme: {  // Route-specific ACME config
+            email: 'custom@example.com',
+            useProduction: true
+          }
+        }
+      }
+    }]
+  });
+  
+  expect(proxy).toBeInstanceOf(SmartProxy);
+});
+
+tap.test('should use top-level ACME as defaults and allow route overrides', async () => {
+  const proxy = new SmartProxy({
+    acme: {
+      email: 'default@example.com',
+      useProduction: false
+    },
+    routes: [{
+      name: 'default-route',
+      match: { domains: 'default.com', ports: 443 },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8080 },
+        tls: {
+          mode: 'terminate',
+          certificate: 'auto'  // Uses top-level defaults
+        }
+      }
+    }, {
+      name: 'custom-route',
+      match: { domains: 'custom.com', ports: 443 },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8081 },
+        tls: {
+          mode: 'terminate',
+          certificate: 'auto',
+          acme: {  // Override for this route
+            email: 'special@example.com',
+            useProduction: true
+          }
+        }
+      }
+    }]
+  });
+  
+  expect(proxy.settings.acme?.email).toEqual('default@example.com');
+});
+
+tap.test('should validate ACME configuration warnings', async () => {
+  // Test missing email
+  let errorThrown = false;
+  try {
+    const proxy = new SmartProxy({
+      routes: [{
+        name: 'no-email',
+        match: { domains: 'test.com', ports: 443 },
+        action: {
+          type: 'forward',
+          target: { host: 'localhost', port: 8080 },
+          tls: {
+            mode: 'terminate',
+            certificate: 'auto'  // No ACME email configured
+          }
+        }
+      }]
+    });
+    await proxy.start();
+  } catch (error) {
+    errorThrown = true;
+    expect(error.message).toInclude('ACME email is required');
+  }
+  expect(errorThrown).toBeTrue();
+});
+
+tap.test('should support accountEmail alias', async () => {
+  const proxy = new SmartProxy({
+    acme: {
+      accountEmail: 'account@example.com',  // Using alias
+      useProduction: false
+    },
+    routes: [{
+      name: 'alias-test',
+      match: { domains: 'alias.com', ports: 443 },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8080 },
+        tls: {
+          mode: 'terminate',
+          certificate: 'auto'
+        }
+      }
+    }]
+  });
+  
+  expect(proxy.settings.acme?.email).toEqual('account@example.com');
+});
+
+tap.start();

test/test.certificate-provisioning.ts

@@ -45,8 +45,8 @@ tap.test('should handle static certificates', async () => {
         tls: {
           mode: 'terminate',
           certificate: {
-            certFile: './test/fixtures/cert.pem',
-            keyFile: './test/fixtures/key.pem'
+            cert: '-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----',
+            key: '-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----'
           }
         }
       }

test/test.certprovisioner.unit.ts

@@ -1,211 +0,0 @@
-import { tap, expect } from '@push.rocks/tapbundle';
-import * as plugins from '../ts/plugins.js';
-import { CertProvisioner } from '../ts/certificate/providers/cert-provisioner.js';
-import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
-import type { ICertificateData } from '../ts/certificate/models/certificate-types.js';
-import type { TCertProvisionObject } from '../ts/certificate/providers/cert-provisioner.js';
-
-// Fake Port80Handler stub
-class FakePort80Handler extends plugins.EventEmitter {
-  public domainsAdded: string[] = [];
-  public renewCalled: string[] = [];
-  addDomain(opts: { domainName: string; sslRedirect: boolean; acmeMaintenance: boolean }) {
-    this.domainsAdded.push(opts.domainName);
-  }
-  async renewCertificate(domain: string): Promise<void> {
-    this.renewCalled.push(domain);
-  }
-}
-
-// Fake NetworkProxyBridge stub
-class FakeNetworkProxyBridge {
-  public appliedCerts: ICertificateData[] = [];
-  applyExternalCertificate(cert: ICertificateData) {
-    this.appliedCerts.push(cert);
-  }
-}
-
-tap.test('CertProvisioner handles static provisioning', async () => {
-  const domain = 'static.com';
-  // Create route-based configuration for testing
-  const routeConfigs: IRouteConfig[] = [{
-    name: 'Static Route',
-    match: {
-      ports: 443,
-      domains: [domain]
-    },
-    action: {
-      type: 'forward',
-      target: { host: 'localhost', port: 443 },
-      tls: {
-        mode: 'terminate-and-reencrypt',
-        certificate: 'auto'
-      }
-    }
-  }];
-  const fakePort80 = new FakePort80Handler();
-  const fakeBridge = new FakeNetworkProxyBridge();
-  // certProvider returns static certificate
-  const certProvider = async (d: string): Promise<TCertProvisionObject> => {
-    expect(d).toEqual(domain);
-    return {
-      domainName: domain,
-      publicKey: 'CERT',
-      privateKey: 'KEY',
-      validUntil: Date.now() + 3600 * 1000,
-      created: Date.now(),
-      csr: 'CSR',
-      id: 'ID',
-    };
-  };
-  const prov = new CertProvisioner(
-    routeConfigs,
-    fakePort80 as any,
-    fakeBridge as any,
-    certProvider,
-    1, // low renew threshold
-    1, // short interval
-    false // disable auto renew for unit test
-  );
-  const events: any[] = [];
-  prov.on('certificate', (data) => events.push(data));
-  await prov.start();
-  // Static flow: no addDomain, certificate applied via bridge
-  expect(fakePort80.domainsAdded.length).toEqual(0);
-  expect(fakeBridge.appliedCerts.length).toEqual(1);
-  expect(events.length).toEqual(1);
-  const evt = events[0];
-  expect(evt.domain).toEqual(domain);
-  expect(evt.certificate).toEqual('CERT');
-  expect(evt.privateKey).toEqual('KEY');
-  expect(evt.isRenewal).toEqual(false);
-  expect(evt.source).toEqual('static');
-  expect(evt.routeReference).toBeTruthy();
-  expect(evt.routeReference.routeName).toEqual('Static Route');
-});
-
-tap.test('CertProvisioner handles http01 provisioning', async () => {
-  const domain = 'http01.com';
-  // Create route-based configuration for testing
-  const routeConfigs: IRouteConfig[] = [{
-    name: 'HTTP01 Route',
-    match: {
-      ports: 443,
-      domains: [domain]
-    },
-    action: {
-      type: 'forward',
-      target: { host: 'localhost', port: 80 },
-      tls: {
-        mode: 'terminate',
-        certificate: 'auto'
-      }
-    }
-  }];
-  const fakePort80 = new FakePort80Handler();
-  const fakeBridge = new FakeNetworkProxyBridge();
-  // certProvider returns http01 directive
-  const certProvider = async (): Promise<TCertProvisionObject> => 'http01';
-  const prov = new CertProvisioner(
-    routeConfigs,
-    fakePort80 as any,
-    fakeBridge as any,
-    certProvider,
-    1,
-    1,
-    false
-  );
-  const events: any[] = [];
-  prov.on('certificate', (data) => events.push(data));
-  await prov.start();
-  // HTTP-01 flow: addDomain called, no static cert applied
-  expect(fakePort80.domainsAdded).toEqual([domain]);
-  expect(fakeBridge.appliedCerts.length).toEqual(0);
-  expect(events.length).toEqual(0);
-});
-
-tap.test('CertProvisioner on-demand http01 renewal', async () => {
-  const domain = 'renew.com';
-  // Create route-based configuration for testing
-  const routeConfigs: IRouteConfig[] = [{
-    name: 'Renewal Route',
-    match: {
-      ports: 443,
-      domains: [domain]
-    },
-    action: {
-      type: 'forward',
-      target: { host: 'localhost', port: 80 },
-      tls: {
-        mode: 'terminate',
-        certificate: 'auto'
-      }
-    }
-  }];
-  const fakePort80 = new FakePort80Handler();
-  const fakeBridge = new FakeNetworkProxyBridge();
-  const certProvider = async (): Promise<TCertProvisionObject> => 'http01';
-  const prov = new CertProvisioner(
-    routeConfigs,
-    fakePort80 as any,
-    fakeBridge as any,
-    certProvider,
-    1,
-    1,
-    false
-  );
-  // requestCertificate should call renewCertificate
-  await prov.requestCertificate(domain);
-  expect(fakePort80.renewCalled).toEqual([domain]);
-});
-
-tap.test('CertProvisioner on-demand static provisioning', async () => {
-  const domain = 'ondemand.com';
-  // Create route-based configuration for testing
-  const routeConfigs: IRouteConfig[] = [{
-    name: 'On-Demand Route',
-    match: {
-      ports: 443,
-      domains: [domain]
-    },
-    action: {
-      type: 'forward',
-      target: { host: 'localhost', port: 443 },
-      tls: {
-        mode: 'terminate-and-reencrypt',
-        certificate: 'auto'
-      }
-    }
-  }];
-  const fakePort80 = new FakePort80Handler();
-  const fakeBridge = new FakeNetworkProxyBridge();
-  const certProvider = async (): Promise<TCertProvisionObject> => ({
-    domainName: domain,
-    publicKey: 'PKEY',
-    privateKey: 'PRIV',
-    validUntil: Date.now() + 1000,
-    created: Date.now(),
-    csr: 'CSR',
-    id: 'ID',
-  });
-  const prov = new CertProvisioner(
-    routeConfigs,
-    fakePort80 as any,
-    fakeBridge as any,
-    certProvider,
-    1,
-    1,
-    false
-  );
-  const events: any[] = [];
-  prov.on('certificate', (data) => events.push(data));
-  await prov.requestCertificate(domain);
-  expect(fakeBridge.appliedCerts.length).toEqual(1);
-  expect(events.length).toEqual(1);
-  expect(events[0].domain).toEqual(domain);
-  expect(events[0].source).toEqual('static');
-  expect(events[0].routeReference).toBeTruthy();
-  expect(events[0].routeReference.routeName).toEqual('On-Demand Route');
-});
-
-export default tap.start();

test/test.networkproxy.function-targets.ts

@@ -4,8 +4,6 @@ import { NetworkProxy } from '../ts/proxies/network-proxy/index.js';
 import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
 import type { IRouteContext } from '../ts/core/models/route-context.js';
 
-const delay = (ms: number) => new Promise(resolve => setTimeout(resolve, ms));
-
 // Declare variables for tests
 let networkProxy: NetworkProxy;
 let testServer: plugins.http.Server;
@@ -14,7 +12,9 @@ let serverPort: number;
 let serverPortHttp2: number;
 
 // Setup test environment
-tap.test('setup NetworkProxy function-based targets test environment', async () => {
+tap.test('setup NetworkProxy function-based targets test environment', async (tools) => {
+  // Set a reasonable timeout for the test
+  tools.timeout = 30000; // 30 seconds
   // Create simple HTTP server to respond to requests
   testServer = plugins.http.createServer((req, res) => {
     res.writeHead(200, { 'Content-Type': 'application/json' });
@@ -41,6 +41,11 @@ tap.test('setup NetworkProxy function-based targets test environment', async ()
     }));
   });
   
+  // Handle HTTP/2 errors
+  testServerHttp2.on('error', (err) => {
+    console.error('HTTP/2 server error:', err);
+  });
+  
   // Start the servers
   await new Promise<void>(resolve => {
     testServer.listen(0, () => {
@@ -318,21 +323,57 @@ tap.test('should support context-based routing with path', async () => {
 
 // Cleanup test environment
 tap.test('cleanup NetworkProxy function-based targets test environment', async () => {
-  if (networkProxy) {
-    await networkProxy.stop();
+  // Skip cleanup if setup failed
+  if (!networkProxy && !testServer && !testServerHttp2) {
+    console.log('Skipping cleanup - setup failed');
+    return;
   }
   
+  // Stop test servers first
   if (testServer) {
-    await new Promise<void>(resolve => {
-      testServer.close(() => resolve());
+    await new Promise<void>((resolve, reject) => {
+      testServer.close((err) => {
+        if (err) {
+          console.error('Error closing test server:', err);
+          reject(err);
+        } else {
+          console.log('Test server closed successfully');
+          resolve();
+        }
+      });
     });
   }
   
   if (testServerHttp2) {
-    await new Promise<void>(resolve => {
-      testServerHttp2.close(() => resolve());
+    await new Promise<void>((resolve, reject) => {
+      testServerHttp2.close((err) => {
+        if (err) {
+          console.error('Error closing HTTP/2 test server:', err);
+          reject(err);
+        } else {
+          console.log('HTTP/2 test server closed successfully');
+          resolve();
+        }
+      });
     });
   }
+  
+  // Stop NetworkProxy last
+  if (networkProxy) {
+    console.log('Stopping NetworkProxy...');
+    await networkProxy.stop();
+    console.log('NetworkProxy stopped successfully');
+  }
+  
+  // Force exit after a short delay to ensure cleanup
+  const cleanupTimeout = setTimeout(() => {
+    console.log('Cleanup completed, exiting');
+  }, 100);
+  
+  // Don't keep the process alive just for this timeout
+  if (cleanupTimeout.unref) {
+    cleanupTimeout.unref();
+  }
 });
 
 // Helper function to make HTTPS requests with self-signed certificate support
@@ -365,5 +406,8 @@ async function makeRequest(options: plugins.http.RequestOptions): Promise<{ stat
   });
 }
 
-// Export the test runner to start tests
-export default tap.start();
+// Start the tests
+tap.start().then(() => {
+  // Ensure process exits after tests complete
+  process.exit(0);
+});

test/test.smartacme-integration.ts

@@ -1,5 +1,5 @@
 import * as plugins from '../ts/plugins.js';
-import { tap } from '@push.rocks/tapbundle';
+import { tap, expect } from '@push.rocks/tapbundle';
 import { SmartCertManager } from '../ts/proxies/smart-proxy/certificate-manager.js';
 import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
 
@@ -10,17 +10,21 @@ tap.test('should create a SmartCertManager instance', async () => {
     {
       name: 'test-acme-route',
       match: {
-        domains: ['test.example.com']
+        domains: ['test.example.com'],
+        ports: []
       },
       action: {
-        type: 'proxy',
-        target: 'http://localhost:3000',
+        type: 'forward',
+        target: { 
+          host: 'localhost', 
+          port: 3000 
+        },
         tls: {
           mode: 'terminate',
-          certificate: 'auto'
-        },
-        acme: {
-          email: 'test@example.com'
+          certificate: 'auto',
+          acme: {
+            email: 'test@example.com'
+          }
         }
       }
     }

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '18.2.0',
+  version: '19.2.0',
   description: 'A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.'
 }

ts/certificate/acme/acme-factory.ts

@@ -1,48 +0,0 @@
-import * as fs from 'fs';
-import * as path from 'path';
-import type { IAcmeOptions } from '../models/certificate-types.js';
-import { ensureCertificateDirectory } from '../utils/certificate-helpers.js';
-// We'll need to update this import when we move the Port80Handler
-import { Port80Handler } from '../../http/port80/port80-handler.js';
-
-/**
- * Factory to create a Port80Handler with common setup.
- * Ensures the certificate store directory exists and instantiates the handler.
- * @param options Port80Handler configuration options
- * @returns A new Port80Handler instance
- */
-export function buildPort80Handler(
-  options: IAcmeOptions
-): Port80Handler {
-  if (options.certificateStore) {
-    ensureCertificateDirectory(options.certificateStore);
-    console.log(`Ensured certificate store directory: ${options.certificateStore}`);
-  }
-  return new Port80Handler(options);
-}
-
-/**
- * Creates default ACME options with sensible defaults
- * @param email Account email for ACME provider
- * @param certificateStore Path to store certificates
- * @param useProduction Whether to use production ACME servers
- * @returns Configured ACME options
- */
-export function createDefaultAcmeOptions(
-  email: string,
-  certificateStore: string,
-  useProduction: boolean = false
-): IAcmeOptions {
-  return {
-    accountEmail: email,
-    enabled: true,
-    port: 80,
-    useProduction,
-    httpsRedirectPort: 443,
-    renewThresholdDays: 30,
-    renewCheckIntervalHours: 24,
-    autoRenew: true,
-    certificateStore,
-    skipConfiguredCerts: false
-  };
-}

ts/certificate/acme/challenge-handler.ts

@@ -1,110 +0,0 @@
-import * as plugins from '../../plugins.js';
-import type { IAcmeOptions, ICertificateData } from '../models/certificate-types.js';
-import { CertificateEvents } from '../events/certificate-events.js';
-
-/**
- * Manages ACME challenges and certificate validation
- */
-export class AcmeChallengeHandler extends plugins.EventEmitter {
-  private options: IAcmeOptions;
-  private client: any; // ACME client from plugins
-  private pendingChallenges: Map<string, any>;
-
-  /**
-   * Creates a new ACME challenge handler
-   * @param options ACME configuration options
-   */
-  constructor(options: IAcmeOptions) {
-    super();
-    this.options = options;
-    this.pendingChallenges = new Map();
-
-    // Initialize ACME client if needed
-    // This is just a placeholder implementation since we don't use the actual
-    // client directly in this implementation - it's handled by Port80Handler
-    this.client = null;
-    console.log('Created challenge handler with options:',
-      options.accountEmail,
-      options.useProduction ? 'production' : 'staging'
-    );
-  }
-
-  /**
-   * Gets or creates the ACME account key
-   */
-  private getAccountKey(): Buffer {
-    // Implementation details would depend on plugin requirements
-    // This is a simplified version
-    if (!this.options.certificateStore) {
-      throw new Error('Certificate store is required for ACME challenges');
-    }
-    
-    // This is just a placeholder - actual implementation would check for
-    // existing account key and create one if needed
-    return Buffer.from('account-key-placeholder');
-  }
-
-  /**
-   * Validates a domain using HTTP-01 challenge
-   * @param domain Domain to validate
-   * @param challengeToken ACME challenge token
-   * @param keyAuthorization Key authorization for the challenge
-   */
-  public async handleHttpChallenge(
-    domain: string,
-    challengeToken: string,
-    keyAuthorization: string
-  ): Promise<void> {
-    // Store challenge for response
-    this.pendingChallenges.set(challengeToken, keyAuthorization);
-    
-    try {
-      // Wait for challenge validation - this would normally be handled by the ACME client
-      await new Promise(resolve => setTimeout(resolve, 1000));
-      this.emit(CertificateEvents.CERTIFICATE_ISSUED, {
-        domain,
-        success: true
-      });
-    } catch (error) {
-      this.emit(CertificateEvents.CERTIFICATE_FAILED, {
-        domain,
-        error: error instanceof Error ? error.message : String(error),
-        isRenewal: false
-      });
-      throw error;
-    } finally {
-      // Clean up the challenge
-      this.pendingChallenges.delete(challengeToken);
-    }
-  }
-
-  /**
-   * Responds to an HTTP-01 challenge request
-   * @param token Challenge token from the request path
-   * @returns The key authorization if found
-   */
-  public getChallengeResponse(token: string): string | null {
-    return this.pendingChallenges.get(token) || null;
-  }
-
-  /**
-   * Checks if a request path is an ACME challenge
-   * @param path Request path
-   * @returns True if this is an ACME challenge request
-   */
-  public isAcmeChallenge(path: string): boolean {
-    return path.startsWith('/.well-known/acme-challenge/');
-  }
-
-  /**
-   * Extracts the challenge token from an ACME challenge path
-   * @param path Request path
-   * @returns The challenge token if valid
-   */
-  public extractChallengeToken(path: string): string | null {
-    if (!this.isAcmeChallenge(path)) return null;
-    
-    const parts = path.split('/');
-    return parts[parts.length - 1] || null;
-  }
-}

ts/certificate/acme/index.ts

@@ -1,3 +0,0 @@
-/**
- * ACME certificate provisioning
- */

ts/certificate/events/certificate-events.ts

@@ -1,36 +0,0 @@
-/**
- * Certificate-related events emitted by certificate management components
- */
-export enum CertificateEvents {
-  CERTIFICATE_ISSUED = 'certificate-issued',
-  CERTIFICATE_RENEWED = 'certificate-renewed',
-  CERTIFICATE_FAILED = 'certificate-failed',
-  CERTIFICATE_EXPIRING = 'certificate-expiring',
-  CERTIFICATE_APPLIED = 'certificate-applied',
-  // Events moved from Port80Handler for compatibility
-  MANAGER_STARTED = 'manager-started',
-  MANAGER_STOPPED = 'manager-stopped',
-}
-
-/**
- * Port80Handler-specific events including certificate-related ones
- * @deprecated Use CertificateEvents and HttpEvents instead
- */
-export enum Port80HandlerEvents {
-  CERTIFICATE_ISSUED = 'certificate-issued',
-  CERTIFICATE_RENEWED = 'certificate-renewed',
-  CERTIFICATE_FAILED = 'certificate-failed',
-  CERTIFICATE_EXPIRING = 'certificate-expiring',
-  MANAGER_STARTED = 'manager-started',
-  MANAGER_STOPPED = 'manager-stopped',
-  REQUEST_FORWARDED = 'request-forwarded',
-}
-
-/**
- * Certificate provider events
- */
-export enum CertProvisionerEvents {
-  CERTIFICATE_ISSUED = 'certificate',
-  CERTIFICATE_RENEWED = 'certificate',
-  CERTIFICATE_FAILED = 'certificate-failed'
-}

ts/certificate/index.ts

@@ -1,75 +0,0 @@
-/**
- * Certificate management module for SmartProxy
- * Provides certificate provisioning, storage, and management capabilities
- */
-
-// Certificate types and models
-export * from './models/certificate-types.js';
-
-// Certificate events
-export * from './events/certificate-events.js';
-
-// Certificate providers
-export * from './providers/cert-provisioner.js';
-
-// ACME related exports
-export * from './acme/acme-factory.js';
-export * from './acme/challenge-handler.js';
-
-// Certificate utilities
-export * from './utils/certificate-helpers.js';
-
-// Certificate storage
-export * from './storage/file-storage.js';
-
-// Convenience function to create a certificate provisioner with common settings
-import { CertProvisioner } from './providers/cert-provisioner.js';
-import type { TCertProvisionObject } from './providers/cert-provisioner.js';
-import { buildPort80Handler } from './acme/acme-factory.js';
-import type { IAcmeOptions, IRouteForwardConfig } from './models/certificate-types.js';
-import type { IRouteConfig } from '../proxies/smart-proxy/models/route-types.js';
-
-/**
- * Interface for NetworkProxyBridge used by CertProvisioner
- */
-interface ICertNetworkProxyBridge {
-  applyExternalCertificate(certData: any): void;
-}
-
-/**
- * Creates a complete certificate provisioning system with default settings
- * @param routeConfigs Route configurations that may need certificates
- * @param acmeOptions ACME options for certificate provisioning
- * @param networkProxyBridge Bridge to apply certificates to network proxy
- * @param certProvider Optional custom certificate provider
- * @returns Configured CertProvisioner
- */
-export function createCertificateProvisioner(
-  routeConfigs: IRouteConfig[],
-  acmeOptions: IAcmeOptions,
-  networkProxyBridge: ICertNetworkProxyBridge,
-  certProvider?: (domain: string) => Promise<TCertProvisionObject>
-): CertProvisioner {
-  // Build the Port80Handler for ACME challenges
-  const port80Handler = buildPort80Handler(acmeOptions);
-
-  // Extract ACME-specific configuration
-  const {
-    renewThresholdDays = 30,
-    renewCheckIntervalHours = 24,
-    autoRenew = true,
-    routeForwards = []
-  } = acmeOptions;
-
-  // Create and return the certificate provisioner
-  return new CertProvisioner(
-    routeConfigs,
-    port80Handler,
-    networkProxyBridge,
-    certProvider,
-    renewThresholdDays,
-    renewCheckIntervalHours,
-    autoRenew,
-    routeForwards
-  );
-}

ts/certificate/models/certificate-types.ts

@@ -1,109 +0,0 @@
-import * as plugins from '../../plugins.js';
-import type { IRouteConfig } from '../../proxies/smart-proxy/models/route-types.js';
-
-/**
- * Certificate data structure containing all necessary information
- * about a certificate
- */
-export interface ICertificateData {
-  domain: string;
-  certificate: string;
-  privateKey: string;
-  expiryDate: Date;
-  // Optional source and renewal information for event emissions
-  source?: 'static' | 'http01' | 'dns01';
-  isRenewal?: boolean;
-  // Reference to the route that requested this certificate (if available)
-  routeReference?: {
-    routeId?: string;
-    routeName?: string;
-  };
-}
-
-/**
- * Certificates pair (private and public keys)
- */
-export interface ICertificates {
-  privateKey: string;
-  publicKey: string;
-}
-
-/**
- * Certificate failure payload type
- */
-export interface ICertificateFailure {
-  domain: string;
-  error: string;
-  isRenewal: boolean;
-  routeReference?: {
-    routeId?: string;
-    routeName?: string;
-  };
-}
-
-/**
- * Certificate expiry payload type
- */
-export interface ICertificateExpiring {
-  domain: string;
-  expiryDate: Date;
-  daysRemaining: number;
-  routeReference?: {
-    routeId?: string;
-    routeName?: string;
-  };
-}
-
-/**
- * Route-specific forwarding configuration for ACME challenges
- */
-export interface IRouteForwardConfig {
-  domain: string;
-  target: {
-    host: string;
-    port: number;
-  };
-  sslRedirect?: boolean;
-}
-
-/**
- * Domain configuration options for Port80Handler
- *
- * This is used internally by the Port80Handler to manage domains
- * but will eventually be replaced with route-based options.
- */
-export interface IDomainOptions {
-  domainName: string;
-  sslRedirect: boolean;   // if true redirects the request to port 443
-  acmeMaintenance: boolean; // tries to always have a valid cert for this domain
-  forward?: {
-    ip: string;
-    port: number;
-  }; // forwards all http requests to that target
-  acmeForward?: {
-    ip: string;
-    port: number;
-  }; // forwards letsencrypt requests to this config
-  routeReference?: {
-    routeId?: string;
-    routeName?: string;
-  };
-}
-
-/**
- * Unified ACME configuration options used across proxies and handlers
- */
-export interface IAcmeOptions {
-  accountEmail?: string;          // Email for Let's Encrypt account
-  enabled?: boolean;              // Whether ACME is enabled
-  port?: number;                  // Port to listen on for ACME challenges (default: 80)
-  useProduction?: boolean;        // Use production environment (default: staging)
-  httpsRedirectPort?: number;     // Port to redirect HTTP requests to HTTPS (default: 443)
-  renewThresholdDays?: number;    // Days before expiry to renew certificates
-  renewCheckIntervalHours?: number; // How often to check for renewals (in hours)
-  autoRenew?: boolean;            // Whether to automatically renew certificates
-  certificateStore?: string;      // Directory to store certificates
-  skipConfiguredCerts?: boolean;  // Skip domains with existing certificates
-  routeForwards?: IRouteForwardConfig[]; // Route-specific forwarding configs
-}
-

ts/certificate/providers/cert-provisioner.ts

@@ -1,519 +0,0 @@
-import * as plugins from '../../plugins.js';
-import type { IRouteConfig } from '../../proxies/smart-proxy/models/route-types.js';
-import type { ICertificateData, IRouteForwardConfig, IDomainOptions } from '../models/certificate-types.js';
-import { Port80HandlerEvents, CertProvisionerEvents } from '../events/certificate-events.js';
-import { Port80Handler } from '../../http/port80/port80-handler.js';
-
-// Interface for NetworkProxyBridge
-interface INetworkProxyBridge {
-  applyExternalCertificate(certData: ICertificateData): void;
-}
-
-/**
- * Type for static certificate provisioning
- */
-export type TCertProvisionObject = plugins.tsclass.network.ICert | 'http01' | 'dns01';
-
-/**
- * Interface for routes that need certificates
- */
-interface ICertRoute {
-  domain: string;
-  route: IRouteConfig;
-  tlsMode: 'terminate' | 'terminate-and-reencrypt';
-}
-
-/**
- * CertProvisioner manages certificate provisioning and renewal workflows,
- * unifying static certificates and HTTP-01 challenges via Port80Handler.
- *
- * This class directly works with route configurations instead of converting to domain configs.
- */
-export class CertProvisioner extends plugins.EventEmitter {
-  private routeConfigs: IRouteConfig[];
-  private certRoutes: ICertRoute[] = [];
-  private port80Handler: Port80Handler;
-  private networkProxyBridge: INetworkProxyBridge;
-  private certProvisionFunction?: (domain: string) => Promise<TCertProvisionObject>;
-  private routeForwards: IRouteForwardConfig[];
-  private renewThresholdDays: number;
-  private renewCheckIntervalHours: number;
-  private autoRenew: boolean;
-  private renewManager?: plugins.taskbuffer.TaskManager;
-  // Track provisioning type per domain
-  private provisionMap: Map<string, { type: 'http01' | 'dns01' | 'static', routeRef?: ICertRoute }>;
-
-  /**
-   * Extract routes that need certificates
-   * @param routes Route configurations
-   */
-  private extractCertificateRoutesFromRoutes(routes: IRouteConfig[]): ICertRoute[] {
-    const certRoutes: ICertRoute[] = [];
-
-    // Process all HTTPS routes that need certificates
-    for (const route of routes) {
-      // Only process routes with TLS termination that need certificates
-      if (route.action.type === 'forward' &&
-          route.action.tls &&
-          (route.action.tls.mode === 'terminate' || route.action.tls.mode === 'terminate-and-reencrypt') &&
-          route.match.domains) {
-
-        // Extract domains from the route
-        const domains = Array.isArray(route.match.domains)
-          ? route.match.domains
-          : [route.match.domains];
-
-        // For each domain in the route, create a certRoute entry
-        for (const domain of domains) {
-          // Skip wildcard domains that can't use ACME unless we have a certProvider
-          if (domain.includes('*') && (!this.certProvisionFunction || this.certProvisionFunction.length === 0)) {
-            console.warn(`Skipping wildcard domain that requires a certProvisionFunction: ${domain}`);
-            continue;
-          }
-
-          certRoutes.push({
-            domain,
-            route,
-            tlsMode: route.action.tls.mode
-          });
-        }
-      }
-    }
-
-    return certRoutes;
-  }
-
-  /**
-   * Constructor for CertProvisioner
-   *
-   * @param routeConfigs Array of route configurations
-   * @param port80Handler HTTP-01 challenge handler instance
-   * @param networkProxyBridge Bridge for applying external certificates
-   * @param certProvider Optional callback returning a static cert or 'http01'
-   * @param renewThresholdDays Days before expiry to trigger renewals
-   * @param renewCheckIntervalHours Interval in hours to check for renewals
-   * @param autoRenew Whether to automatically schedule renewals
-   * @param routeForwards Route-specific forwarding configs for ACME challenges
-   */
-  constructor(
-    routeConfigs: IRouteConfig[],
-    port80Handler: Port80Handler,
-    networkProxyBridge: INetworkProxyBridge,
-    certProvider?: (domain: string) => Promise<TCertProvisionObject>,
-    renewThresholdDays: number = 30,
-    renewCheckIntervalHours: number = 24,
-    autoRenew: boolean = true,
-    routeForwards: IRouteForwardConfig[] = []
-  ) {
-    super();
-    this.routeConfigs = routeConfigs;
-    this.port80Handler = port80Handler;
-    this.networkProxyBridge = networkProxyBridge;
-    this.certProvisionFunction = certProvider;
-    this.renewThresholdDays = renewThresholdDays;
-    this.renewCheckIntervalHours = renewCheckIntervalHours;
-    this.autoRenew = autoRenew;
-    this.provisionMap = new Map();
-    this.routeForwards = routeForwards;
-
-    // Extract certificate routes during instantiation
-    this.certRoutes = this.extractCertificateRoutesFromRoutes(routeConfigs);
-  }
-
-  /**
-   * Start initial provisioning and schedule renewals.
-   */
-  public async start(): Promise<void> {
-    // Subscribe to Port80Handler certificate events
-    this.setupEventSubscriptions();
-
-    // Apply route forwarding for ACME challenges
-    this.setupForwardingConfigs();
-
-    // Initial provisioning for all domains in routes
-    await this.provisionAllCertificates();
-
-    // Schedule renewals if enabled
-    if (this.autoRenew) {
-      this.scheduleRenewals();
-    }
-  }
-
-  /**
-   * Set up event subscriptions for certificate events
-   */
-  private setupEventSubscriptions(): void {
-    this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_ISSUED, (data: ICertificateData) => {
-      // Add route reference if we have it
-      const routeRef = this.findRouteForDomain(data.domain);
-      const enhancedData: ICertificateData = {
-        ...data,
-        source: 'http01',
-        isRenewal: false,
-        routeReference: routeRef ? {
-          routeId: routeRef.route.name,
-          routeName: routeRef.route.name
-        } : undefined
-      };
-
-      this.emit(CertProvisionerEvents.CERTIFICATE_ISSUED, enhancedData);
-    });
-
-    this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_RENEWED, (data: ICertificateData) => {
-      // Add route reference if we have it
-      const routeRef = this.findRouteForDomain(data.domain);
-      const enhancedData: ICertificateData = {
-        ...data,
-        source: 'http01',
-        isRenewal: true,
-        routeReference: routeRef ? {
-          routeId: routeRef.route.name,
-          routeName: routeRef.route.name
-        } : undefined
-      };
-
-      this.emit(CertProvisionerEvents.CERTIFICATE_RENEWED, enhancedData);
-    });
-
-    this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_FAILED, (error) => {
-      this.emit(CertProvisionerEvents.CERTIFICATE_FAILED, error);
-    });
-  }
-
-  /**
-   * Find a route for a given domain
-   */
-  private findRouteForDomain(domain: string): ICertRoute | undefined {
-    return this.certRoutes.find(certRoute => certRoute.domain === domain);
-  }
-
-  /**
-   * Set up forwarding configurations for the Port80Handler
-   */
-  private setupForwardingConfigs(): void {
-    for (const config of this.routeForwards) {
-      const domainOptions: IDomainOptions = {
-        domainName: config.domain,
-        sslRedirect: config.sslRedirect || false,
-        acmeMaintenance: false,
-        forward: config.target ? {
-          ip: config.target.host,
-          port: config.target.port
-        } : undefined
-      };
-      this.port80Handler.addDomain(domainOptions);
-    }
-  }
-
-  /**
-   * Provision certificates for all routes that need them
-   */
-  private async provisionAllCertificates(): Promise<void> {
-    for (const certRoute of this.certRoutes) {
-      await this.provisionCertificateForRoute(certRoute);
-    }
-  }
-
-  /**
-   * Provision a certificate for a route
-   */
-  private async provisionCertificateForRoute(certRoute: ICertRoute): Promise<void> {
-    const { domain, route } = certRoute;
-    const isWildcard = domain.includes('*');
-    let provision: TCertProvisionObject = 'http01';
-
-    // Try to get a certificate from the provision function
-    if (this.certProvisionFunction) {
-      try {
-        provision = await this.certProvisionFunction(domain);
-      } catch (err) {
-        console.error(`certProvider error for ${domain} on route ${route.name || 'unnamed'}:`, err);
-      }
-    } else if (isWildcard) {
-      // No certProvider: cannot handle wildcard without DNS-01 support
-      console.warn(`Skipping wildcard domain without certProvisionFunction: ${domain}`);
-      return;
-    }
-
-    // Store the route reference with the provision type
-    this.provisionMap.set(domain, {
-      type: provision === 'http01' || provision === 'dns01' ? provision : 'static',
-      routeRef: certRoute
-    });
-
-    // Handle different provisioning methods
-    if (provision === 'http01') {
-      if (isWildcard) {
-        console.warn(`Skipping HTTP-01 for wildcard domain: ${domain}`);
-        return;
-      }
-
-      this.port80Handler.addDomain({
-        domainName: domain,
-        sslRedirect: true,
-        acmeMaintenance: true,
-        routeReference: {
-          routeId: route.name || domain,
-          routeName: route.name
-        }
-      });
-    } else if (provision === 'dns01') {
-      // DNS-01 challenges would be handled by the certProvisionFunction
-      // DNS-01 handling would go here if implemented
-      console.log(`DNS-01 challenge type set for ${domain}`);
-    } else {
-      // Static certificate (e.g., DNS-01 provisioned or user-provided)
-      const certObj = provision as plugins.tsclass.network.ICert;
-      const certData: ICertificateData = {
-        domain: certObj.domainName,
-        certificate: certObj.publicKey,
-        privateKey: certObj.privateKey,
-        expiryDate: new Date(certObj.validUntil),
-        source: 'static',
-        isRenewal: false,
-        routeReference: {
-          routeId: route.name || domain,
-          routeName: route.name
-        }
-      };
-
-      this.networkProxyBridge.applyExternalCertificate(certData);
-      this.emit(CertProvisionerEvents.CERTIFICATE_ISSUED, certData);
-    }
-  }
-
-  /**
-   * Schedule certificate renewals using a task manager
-   */
-  private scheduleRenewals(): void {
-    this.renewManager = new plugins.taskbuffer.TaskManager();
-
-    const renewTask = new plugins.taskbuffer.Task({
-      name: 'CertificateRenewals',
-      taskFunction: async () => await this.performRenewals()
-    });
-
-    const hours = this.renewCheckIntervalHours;
-    const cronExpr = `0 0 */${hours} * * *`;
-
-    this.renewManager.addAndScheduleTask(renewTask, cronExpr);
-    this.renewManager.start();
-  }
-
-  /**
-   * Perform renewals for all domains that need it
-   */
-  private async performRenewals(): Promise<void> {
-    for (const [domain, info] of this.provisionMap.entries()) {
-      // Skip wildcard domains for HTTP-01 challenges
-      if (domain.includes('*') && info.type === 'http01') continue;
-
-      try {
-        await this.renewCertificateForDomain(domain, info.type, info.routeRef);
-      } catch (err) {
-        console.error(`Renewal error for ${domain}:`, err);
-      }
-    }
-  }
-
-  /**
-   * Renew a certificate for a specific domain
-   * @param domain Domain to renew
-   * @param provisionType Type of provisioning for this domain
-   * @param certRoute The route reference for this domain
-   */
-  private async renewCertificateForDomain(
-    domain: string,
-    provisionType: 'http01' | 'dns01' | 'static',
-    certRoute?: ICertRoute
-  ): Promise<void> {
-    if (provisionType === 'http01') {
-      await this.port80Handler.renewCertificate(domain);
-    } else if ((provisionType === 'static' || provisionType === 'dns01') && this.certProvisionFunction) {
-      const provision = await this.certProvisionFunction(domain);
-
-      if (provision !== 'http01' && provision !== 'dns01') {
-        const certObj = provision as plugins.tsclass.network.ICert;
-        const routeRef = certRoute?.route;
-
-        const certData: ICertificateData = {
-          domain: certObj.domainName,
-          certificate: certObj.publicKey,
-          privateKey: certObj.privateKey,
-          expiryDate: new Date(certObj.validUntil),
-          source: 'static',
-          isRenewal: true,
-          routeReference: routeRef ? {
-            routeId: routeRef.name || domain,
-            routeName: routeRef.name
-          } : undefined
-        };
-
-        this.networkProxyBridge.applyExternalCertificate(certData);
-        this.emit(CertProvisionerEvents.CERTIFICATE_RENEWED, certData);
-      }
-    }
-  }
-
-  /**
-   * Stop all scheduled renewal tasks.
-   */
-  public async stop(): Promise<void> {
-    if (this.renewManager) {
-      this.renewManager.stop();
-    }
-  }
-
-  /**
-   * Request a certificate on-demand for the given domain.
-   * This will look for a matching route configuration and provision accordingly.
-   *
-   * @param domain Domain name to provision
-   */
-  public async requestCertificate(domain: string): Promise<void> {
-    const isWildcard = domain.includes('*');
-    // Find matching route
-    const certRoute = this.findRouteForDomain(domain);
-
-    // Determine provisioning method
-    let provision: TCertProvisionObject = 'http01';
-
-    if (this.certProvisionFunction) {
-      provision = await this.certProvisionFunction(domain);
-    } else if (isWildcard) {
-      // Cannot perform HTTP-01 on wildcard without certProvider
-      throw new Error(`Cannot request certificate for wildcard domain without certProvisionFunction: ${domain}`);
-    }
-
-    if (provision === 'http01') {
-      if (isWildcard) {
-        throw new Error(`Cannot request HTTP-01 certificate for wildcard domain: ${domain}`);
-      }
-      await this.port80Handler.renewCertificate(domain);
-    } else if (provision === 'dns01') {
-      // DNS-01 challenges would be handled by external mechanisms
-      console.log(`DNS-01 challenge requested for ${domain}`);
-    } else {
-      // Static certificate (e.g., DNS-01 provisioned) supports wildcards
-      const certObj = provision as plugins.tsclass.network.ICert;
-      const certData: ICertificateData = {
-        domain: certObj.domainName,
-        certificate: certObj.publicKey,
-        privateKey: certObj.privateKey,
-        expiryDate: new Date(certObj.validUntil),
-        source: 'static',
-        isRenewal: false,
-        routeReference: certRoute ? {
-          routeId: certRoute.route.name || domain,
-          routeName: certRoute.route.name
-        } : undefined
-      };
-
-      this.networkProxyBridge.applyExternalCertificate(certData);
-      this.emit(CertProvisionerEvents.CERTIFICATE_ISSUED, certData);
-    }
-  }
-
-  /**
-   * Add a new domain for certificate provisioning
-   *
-   * @param domain Domain to add
-   * @param options Domain configuration options
-   */
-  public async addDomain(domain: string, options?: {
-    sslRedirect?: boolean;
-    acmeMaintenance?: boolean;
-    routeId?: string;
-    routeName?: string;
-  }): Promise<void> {
-    const domainOptions: IDomainOptions = {
-      domainName: domain,
-      sslRedirect: options?.sslRedirect ?? true,
-      acmeMaintenance: options?.acmeMaintenance ?? true,
-      routeReference: {
-        routeId: options?.routeId,
-        routeName: options?.routeName
-      }
-    };
-
-    this.port80Handler.addDomain(domainOptions);
-
-    // Find matching route or create a generic one
-    const existingRoute = this.findRouteForDomain(domain);
-    if (existingRoute) {
-      await this.provisionCertificateForRoute(existingRoute);
-    } else {
-      // We don't have a route, just provision the domain
-      const isWildcard = domain.includes('*');
-      let provision: TCertProvisionObject = 'http01';
-
-      if (this.certProvisionFunction) {
-        provision = await this.certProvisionFunction(domain);
-      } else if (isWildcard) {
-        throw new Error(`Cannot request certificate for wildcard domain without certProvisionFunction: ${domain}`);
-      }
-
-      this.provisionMap.set(domain, {
-        type: provision === 'http01' || provision === 'dns01' ? provision : 'static'
-      });
-
-      if (provision !== 'http01' && provision !== 'dns01') {
-        const certObj = provision as plugins.tsclass.network.ICert;
-        const certData: ICertificateData = {
-          domain: certObj.domainName,
-          certificate: certObj.publicKey,
-          privateKey: certObj.privateKey,
-          expiryDate: new Date(certObj.validUntil),
-          source: 'static',
-          isRenewal: false,
-          routeReference: {
-            routeId: options?.routeId,
-            routeName: options?.routeName
-          }
-        };
-
-        this.networkProxyBridge.applyExternalCertificate(certData);
-        this.emit(CertProvisionerEvents.CERTIFICATE_ISSUED, certData);
-      }
-    }
-  }
-
-  /**
-   * Update routes with new configurations
-   * This replaces all existing routes with new ones and re-provisions certificates as needed
-   *
-   * @param newRoutes New route configurations to use
-   */
-  public async updateRoutes(newRoutes: IRouteConfig[]): Promise<void> {
-    // Store the new route configs
-    this.routeConfigs = newRoutes;
-
-    // Extract new certificate routes
-    const newCertRoutes = this.extractCertificateRoutesFromRoutes(newRoutes);
-
-    // Find domains that no longer need certificates
-    const oldDomains = new Set(this.certRoutes.map(r => r.domain));
-    const newDomains = new Set(newCertRoutes.map(r => r.domain));
-
-    // Domains to remove
-    const domainsToRemove = [...oldDomains].filter(d => !newDomains.has(d));
-
-    // Remove obsolete domains from provision map
-    for (const domain of domainsToRemove) {
-      this.provisionMap.delete(domain);
-    }
-
-    // Update the cert routes
-    this.certRoutes = newCertRoutes;
-
-    // Provision certificates for new routes
-    for (const certRoute of newCertRoutes) {
-      if (!oldDomains.has(certRoute.domain)) {
-        await this.provisionCertificateForRoute(certRoute);
-      }
-    }
-  }
-}
-
-// Type alias for backward compatibility
-export type TSmartProxyCertProvisionObject = TCertProvisionObject;

ts/certificate/providers/index.ts

@@ -1,3 +0,0 @@
-/**
- * Certificate providers
- */

ts/certificate/storage/file-storage.ts

@@ -1,234 +0,0 @@
-import * as fs from 'fs';
-import * as path from 'path';
-import * as plugins from '../../plugins.js';
-import type { ICertificateData, ICertificates } from '../models/certificate-types.js';
-import { ensureCertificateDirectory } from '../utils/certificate-helpers.js';
-
-/**
- * FileStorage provides file system storage for certificates
- */
-export class FileStorage {
-  private storageDir: string;
-  
-  /**
-   * Creates a new file storage provider
-   * @param storageDir Directory to store certificates
-   */
-  constructor(storageDir: string) {
-    this.storageDir = path.resolve(storageDir);
-    ensureCertificateDirectory(this.storageDir);
-  }
-  
-  /**
-   * Save a certificate to the file system
-   * @param domain Domain name
-   * @param certData Certificate data to save
-   */
-  public async saveCertificate(domain: string, certData: ICertificateData): Promise<void> {
-    const sanitizedDomain = this.sanitizeDomain(domain);
-    const certDir = path.join(this.storageDir, sanitizedDomain);
-    ensureCertificateDirectory(certDir);
-    
-    const certPath = path.join(certDir, 'fullchain.pem');
-    const keyPath = path.join(certDir, 'privkey.pem');
-    const metaPath = path.join(certDir, 'metadata.json');
-    
-    // Write certificate and private key
-    await fs.promises.writeFile(certPath, certData.certificate, 'utf8');
-    await fs.promises.writeFile(keyPath, certData.privateKey, 'utf8');
-    
-    // Write metadata
-    const metadata = {
-      domain: certData.domain,
-      expiryDate: certData.expiryDate.toISOString(),
-      source: certData.source || 'unknown',
-      issuedAt: new Date().toISOString()
-    };
-    
-    await fs.promises.writeFile(
-      metaPath, 
-      JSON.stringify(metadata, null, 2), 
-      'utf8'
-    );
-  }
-  
-  /**
-   * Load a certificate from the file system
-   * @param domain Domain name
-   * @returns Certificate data if found, null otherwise
-   */
-  public async loadCertificate(domain: string): Promise<ICertificateData | null> {
-    const sanitizedDomain = this.sanitizeDomain(domain);
-    const certDir = path.join(this.storageDir, sanitizedDomain);
-    
-    if (!fs.existsSync(certDir)) {
-      return null;
-    }
-    
-    const certPath = path.join(certDir, 'fullchain.pem');
-    const keyPath = path.join(certDir, 'privkey.pem');
-    const metaPath = path.join(certDir, 'metadata.json');
-    
-    try {
-      // Check if all required files exist
-      if (!fs.existsSync(certPath) || !fs.existsSync(keyPath)) {
-        return null;
-      }
-      
-      // Read certificate and private key
-      const certificate = await fs.promises.readFile(certPath, 'utf8');
-      const privateKey = await fs.promises.readFile(keyPath, 'utf8');
-      
-      // Try to read metadata if available
-      let expiryDate = new Date();
-      let source: 'static' | 'http01' | 'dns01' | undefined;
-      
-      if (fs.existsSync(metaPath)) {
-        const metaContent = await fs.promises.readFile(metaPath, 'utf8');
-        const metadata = JSON.parse(metaContent);
-        
-        if (metadata.expiryDate) {
-          expiryDate = new Date(metadata.expiryDate);
-        }
-        
-        if (metadata.source) {
-          source = metadata.source as 'static' | 'http01' | 'dns01';
-        }
-      }
-      
-      return {
-        domain,
-        certificate,
-        privateKey,
-        expiryDate,
-        source
-      };
-    } catch (error) {
-      console.error(`Error loading certificate for ${domain}:`, error);
-      return null;
-    }
-  }
-  
-  /**
-   * Delete a certificate from the file system
-   * @param domain Domain name
-   */
-  public async deleteCertificate(domain: string): Promise<boolean> {
-    const sanitizedDomain = this.sanitizeDomain(domain);
-    const certDir = path.join(this.storageDir, sanitizedDomain);
-    
-    if (!fs.existsSync(certDir)) {
-      return false;
-    }
-    
-    try {
-      // Recursively delete the certificate directory
-      await this.deleteDirectory(certDir);
-      return true;
-    } catch (error) {
-      console.error(`Error deleting certificate for ${domain}:`, error);
-      return false;
-    }
-  }
-  
-  /**
-   * List all domains with stored certificates
-   * @returns Array of domain names
-   */
-  public async listCertificates(): Promise<string[]> {
-    try {
-      const entries = await fs.promises.readdir(this.storageDir, { withFileTypes: true });
-      return entries
-        .filter(entry => entry.isDirectory())
-        .map(entry => entry.name);
-    } catch (error) {
-      console.error('Error listing certificates:', error);
-      return [];
-    }
-  }
-  
-  /**
-   * Check if a certificate is expiring soon
-   * @param domain Domain name
-   * @param thresholdDays Days threshold to consider expiring
-   * @returns Information about expiring certificate or null
-   */
-  public async isExpiringSoon(
-    domain: string, 
-    thresholdDays: number = 30
-  ): Promise<{ domain: string; expiryDate: Date; daysRemaining: number } | null> {
-    const certData = await this.loadCertificate(domain);
-    
-    if (!certData) {
-      return null;
-    }
-    
-    const now = new Date();
-    const expiryDate = certData.expiryDate;
-    const timeRemaining = expiryDate.getTime() - now.getTime();
-    const daysRemaining = Math.floor(timeRemaining / (1000 * 60 * 60 * 24));
-    
-    if (daysRemaining <= thresholdDays) {
-      return {
-        domain,
-        expiryDate,
-        daysRemaining
-      };
-    }
-    
-    return null;
-  }
-  
-  /**
-   * Check all certificates for expiration
-   * @param thresholdDays Days threshold to consider expiring
-   * @returns List of expiring certificates
-   */
-  public async getExpiringCertificates(
-    thresholdDays: number = 30
-  ): Promise<Array<{ domain: string; expiryDate: Date; daysRemaining: number }>> {
-    const domains = await this.listCertificates();
-    const expiringCerts = [];
-    
-    for (const domain of domains) {
-      const expiring = await this.isExpiringSoon(domain, thresholdDays);
-      if (expiring) {
-        expiringCerts.push(expiring);
-      }
-    }
-    
-    return expiringCerts;
-  }
-  
-  /**
-   * Delete a directory recursively
-   * @param directoryPath Directory to delete
-   */
-  private async deleteDirectory(directoryPath: string): Promise<void> {
-    if (fs.existsSync(directoryPath)) {
-      const entries = await fs.promises.readdir(directoryPath, { withFileTypes: true });
-      
-      for (const entry of entries) {
-        const fullPath = path.join(directoryPath, entry.name);
-        
-        if (entry.isDirectory()) {
-          await this.deleteDirectory(fullPath);
-        } else {
-          await fs.promises.unlink(fullPath);
-        }
-      }
-      
-      await fs.promises.rmdir(directoryPath);
-    }
-  }
-  
-  /**
-   * Sanitize a domain name for use as a directory name
-   * @param domain Domain name
-   * @returns Sanitized domain name
-   */
-  private sanitizeDomain(domain: string): string {
-    // Replace wildcard and any invalid filesystem characters
-    return domain.replace(/\*/g, '_wildcard_').replace(/[/\\:*?"<>|]/g, '_');
-  }
-}

ts/certificate/storage/index.ts

@@ -1,3 +0,0 @@
-/**
- * Certificate storage mechanisms
- */

ts/certificate/utils/certificate-helpers.ts

@@ -1,50 +0,0 @@
-import * as fs from 'fs';
-import * as path from 'path';
-import { fileURLToPath } from 'url';
-import type { ICertificates } from '../models/certificate-types.js';
-
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
-
-/**
- * Loads the default SSL certificates from the assets directory
- * @returns The certificate key pair
- */
-export function loadDefaultCertificates(): ICertificates {
-  try {
-    // Need to adjust path from /ts/certificate/utils to /assets/certs
-    const certPath = path.join(__dirname, '..', '..', '..', 'assets', 'certs');
-    const privateKey = fs.readFileSync(path.join(certPath, 'key.pem'), 'utf8');
-    const publicKey = fs.readFileSync(path.join(certPath, 'cert.pem'), 'utf8');
-
-    if (!privateKey || !publicKey) {
-      throw new Error('Failed to load default certificates');
-    }
-
-    return {
-      privateKey,
-      publicKey
-    };
-  } catch (error) {
-    console.error('Error loading default certificates:', error);
-    throw error;
-  }
-}
-
-/**
- * Checks if a certificate file exists at the specified path
- * @param certPath Path to check for certificate
- * @returns True if the certificate exists, false otherwise
- */
-export function certificateExists(certPath: string): boolean {
-  return fs.existsSync(certPath);
-}
-
-/**
- * Ensures the certificate directory exists
- * @param dirPath Path to the certificate directory
- */
-export function ensureCertificateDirectory(dirPath: string): void {
-  if (!fs.existsSync(dirPath)) {
-    fs.mkdirSync(dirPath, { recursive: true });
-  }
-}

ts/common/eventUtils.ts

@@ -1,4 +1,4 @@
-import type { Port80Handler } from '../http/port80/port80-handler.js';
+// Port80Handler removed - use SmartCertManager instead
 import { Port80HandlerEvents } from './types.js';
 import type { ICertificateData, ICertificateFailure, ICertificateExpiring } from './types.js';
 
@@ -16,7 +16,7 @@ export interface Port80HandlerSubscribers {
  * Subscribes to Port80Handler events based on provided callbacks
  */
 export function subscribeToPort80Handler(
-  handler: Port80Handler,
+  handler: any,
   subscribers: Port80HandlerSubscribers
 ): void {
   if (subscribers.onCertificateIssued) {

ts/core/models/common-types.ts

@@ -34,7 +34,7 @@ export interface ICertificateData {
 }
 
 /**
- * Events emitted by the Port80Handler
+ * @deprecated Events emitted by the Port80Handler - use SmartCertManager instead
  */
 export enum Port80HandlerEvents {
   CERTIFICATE_ISSUED = 'certificate-issued',

ts/core/utils/event-utils.ts

@@ -1,34 +1,25 @@
-import type { Port80Handler } from '../../http/port80/port80-handler.js';
+// Port80Handler has been removed - use SmartCertManager instead
 import { Port80HandlerEvents } from '../models/common-types.js';
-import type { ICertificateData, ICertificateFailure, ICertificateExpiring } from '../models/common-types.js';
+
+// Re-export for backward compatibility
+export { Port80HandlerEvents };
 
 /**
- * Subscribers callback definitions for Port80Handler events
+ * @deprecated Use SmartCertManager instead
  */
 export interface IPort80HandlerSubscribers {
-  onCertificateIssued?: (data: ICertificateData) => void;
-  onCertificateRenewed?: (data: ICertificateData) => void;
-  onCertificateFailed?: (data: ICertificateFailure) => void;
-  onCertificateExpiring?: (data: ICertificateExpiring) => void;
+  onCertificateIssued?: (data: any) => void;
+  onCertificateRenewed?: (data: any) => void;
+  onCertificateFailed?: (data: any) => void;
+  onCertificateExpiring?: (data: any) => void;
 }
 
 /**
- * Subscribes to Port80Handler events based on provided callbacks
+ * @deprecated Use SmartCertManager instead
  */
 export function subscribeToPort80Handler(
-  handler: Port80Handler,
+  handler: any,
   subscribers: IPort80HandlerSubscribers
 ): void {
-  if (subscribers.onCertificateIssued) {
-    handler.on(Port80HandlerEvents.CERTIFICATE_ISSUED, subscribers.onCertificateIssued);
-  }
-  if (subscribers.onCertificateRenewed) {
-    handler.on(Port80HandlerEvents.CERTIFICATE_RENEWED, subscribers.onCertificateRenewed);
-  }
-  if (subscribers.onCertificateFailed) {
-    handler.on(Port80HandlerEvents.CERTIFICATE_FAILED, subscribers.onCertificateFailed);
-  }
-  if (subscribers.onCertificateExpiring) {
-    handler.on(Port80HandlerEvents.CERTIFICATE_EXPIRING, subscribers.onCertificateExpiring);
-  }
+  console.warn('subscribeToPort80Handler is deprecated - use SmartCertManager instead');
 }

ts/http/models/http-types.ts

@@ -1,8 +1,12 @@
 import * as plugins from '../../plugins.js';
-import type {
-  IDomainOptions,
-  IAcmeOptions
-} from '../../certificate/models/certificate-types.js';
+// Certificate types have been removed - use SmartCertManager instead
+export interface IDomainOptions {
+  domainName: string;
+  sslRedirect: boolean;
+  acmeMaintenance: boolean;
+  forward?: { ip: string; port: number };
+  acmeForward?: { ip: string; port: number };
+}
 
 /**
  * HTTP-specific event types

ts/http/port80/acme-interfaces.ts

@@ -1,169 +0,0 @@
-/**
- * Type definitions for SmartAcme interfaces used by ChallengeResponder
- * These reflect the actual SmartAcme API based on the documentation
- *
- * Also includes route-based interfaces for Port80Handler to extract domains
- * that need certificate management from route configurations.
- */
-import * as plugins from '../../plugins.js';
-import type { IRouteConfig } from '../../proxies/smart-proxy/models/route-types.js';
-
-/**
- * Structure for SmartAcme certificate result
- */
-export interface ISmartAcmeCert {
-  id?: string;
-  domainName: string;
-  created?: number | Date | string;
-  privateKey: string;
-  publicKey: string;
-  csr?: string;
-  validUntil: number | Date | string;
-}
-
-/**
- * Structure for SmartAcme options
- */
-export interface ISmartAcmeOptions {
-  accountEmail: string;
-  certManager: ICertManager;
-  environment: 'production' | 'integration';
-  challengeHandlers: IChallengeHandler<any>[];
-  challengePriority?: string[];
-  retryOptions?: {
-    retries?: number;
-    factor?: number;
-    minTimeoutMs?: number;
-    maxTimeoutMs?: number;
-  };
-}
-
-/**
- * Interface for certificate manager
- */
-export interface ICertManager {
-  init(): Promise<void>;
-  get(domainName: string): Promise<ISmartAcmeCert | null>;
-  put(cert: ISmartAcmeCert): Promise<ISmartAcmeCert>;
-  delete(domainName: string): Promise<void>;
-  close?(): Promise<void>;
-}
-
-/**
- * Interface for challenge handler
- */
-export interface IChallengeHandler<T> {
-  getSupportedTypes(): string[];
-  prepare(ch: T): Promise<void>;
-  verify?(ch: T): Promise<void>;
-  cleanup(ch: T): Promise<void>;
-  checkWetherDomainIsSupported(domain: string): Promise<boolean>;
-}
-
-/**
- * HTTP-01 challenge type
- */
-export interface IHttp01Challenge {
-  type: string; // 'http-01'
-  token: string;
-  keyAuthorization: string;
-  webPath: string;
-}
-
-/**
- * HTTP-01 Memory Handler Interface
- */
-export interface IHttp01MemoryHandler extends IChallengeHandler<IHttp01Challenge> {
-  handleRequest(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse, next?: () => void): void;
-}
-
-/**
- * SmartAcme main class interface
- */
-export interface ISmartAcme {
-  start(): Promise<void>;
-  stop(): Promise<void>;
-  getCertificateForDomain(domain: string): Promise<ISmartAcmeCert>;
-  on?(event: string, listener: (data: any) => void): void;
-  eventEmitter?: plugins.EventEmitter;
-}
-
-/**
- * Port80Handler route options
- */
-export interface IPort80RouteOptions {
-  // The domain for the certificate
-  domain: string;
-
-  // Whether to redirect HTTP to HTTPS
-  sslRedirect: boolean;
-
-  // Whether to enable ACME certificate management
-  acmeMaintenance: boolean;
-
-  // Optional target for forwarding HTTP requests
-  forward?: {
-    ip: string;
-    port: number;
-  };
-
-  // Optional target for forwarding ACME challenge requests
-  acmeForward?: {
-    ip: string;
-    port: number;
-  };
-
-  // Reference to the route that requested this certificate
-  routeReference?: {
-    routeId?: string;
-    routeName?: string;
-  };
-}
-
-/**
- * Extract domains that need certificate management from routes
- * @param routes Route configurations to extract domains from
- * @returns Array of Port80RouteOptions for each domain
- */
-export function extractPort80RoutesFromRoutes(routes: IRouteConfig[]): IPort80RouteOptions[] {
-  const result: IPort80RouteOptions[] = [];
-
-  for (const route of routes) {
-    // Skip routes that don't have domains or TLS configuration
-    if (!route.match.domains || !route.action.tls) continue;
-
-    // Skip routes that don't terminate TLS
-    if (route.action.tls.mode !== 'terminate' && route.action.tls.mode !== 'terminate-and-reencrypt') continue;
-
-    // Only routes with automatic certificates need ACME
-    if (route.action.tls.certificate !== 'auto') continue;
-
-    // Get domains from route
-    const domains = Array.isArray(route.match.domains)
-      ? route.match.domains
-      : [route.match.domains];
-
-    // Create Port80RouteOptions for each domain
-    for (const domain of domains) {
-      // Skip wildcards (we can't get certificates for them)
-      if (domain.includes('*')) continue;
-
-      // Create Port80RouteOptions
-      const options: IPort80RouteOptions = {
-        domain,
-        sslRedirect: true, // Default to true for HTTPS routes
-        acmeMaintenance: true, // Default to true for auto certificates
-
-        // Add route reference
-        routeReference: {
-          routeName: route.name
-        }
-      };
-
-      // Add domain to result
-      result.push(options);
-    }
-  }
-
-  return result;
-}

ts/http/port80/challenge-responder.ts

@@ -1,246 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { IncomingMessage, ServerResponse } from 'http';
-import {
-  CertificateEvents
-} from '../../certificate/events/certificate-events.js';
-import type {
-  ICertificateData,
-  ICertificateFailure,
-  ICertificateExpiring
-} from '../../certificate/models/certificate-types.js';
-import type {
-  ISmartAcme,
-  ISmartAcmeCert,
-  ISmartAcmeOptions,
-  IHttp01MemoryHandler
-} from './acme-interfaces.js';
-
-/**
- * ChallengeResponder handles ACME HTTP-01 challenges by leveraging SmartAcme
- * It acts as a bridge between the HTTP server and the ACME challenge verification process
- */
-export class ChallengeResponder extends plugins.EventEmitter {
-  private smartAcme: ISmartAcme | null = null;
-  private http01Handler: IHttp01MemoryHandler | null = null;
-
-  /**
-   * Creates a new challenge responder
-   * @param useProduction Whether to use production ACME servers
-   * @param email Account email for ACME
-   * @param certificateStore Directory to store certificates
-   */
-  constructor(
-    private readonly useProduction: boolean = false,
-    private readonly email: string = 'admin@example.com',
-    private readonly certificateStore: string = './certs'
-  ) {
-    super();
-  }
-
-  /**
-   * Initialize the ACME client
-   */
-  public async initialize(): Promise<void> {
-    try {
-      // Create the HTTP-01 memory handler from SmartACME
-      this.http01Handler = new plugins.smartacme.handlers.Http01MemoryHandler();
-
-      // Ensure certificate store directory exists
-      await this.ensureCertificateStore();
-
-      // Create a MemoryCertManager for certificate storage
-      const certManager = new plugins.smartacme.certmanagers.MemoryCertManager();
-
-      // Initialize the SmartACME client with appropriate options
-      this.smartAcme = new plugins.smartacme.SmartAcme({
-        accountEmail: this.email,
-        certManager: certManager,
-        environment: this.useProduction ? 'production' : 'integration',
-        challengeHandlers: [this.http01Handler],
-        challengePriority: ['http-01']
-      });
-
-      // Set up event forwarding from SmartAcme
-      this.setupEventListeners();
-
-      // Start the SmartACME client
-      await this.smartAcme.start();
-      console.log('ACME client initialized successfully');
-    } catch (error) {
-      const errorMessage = error instanceof Error ? error.message : String(error);
-      throw new Error(`Failed to initialize ACME client: ${errorMessage}`);
-    }
-  }
-
-  /**
-   * Ensure the certificate store directory exists
-   */
-  private async ensureCertificateStore(): Promise<void> {
-    try {
-      await plugins.fs.promises.mkdir(this.certificateStore, { recursive: true });
-    } catch (error) {
-      const errorMessage = error instanceof Error ? error.message : String(error);
-      throw new Error(`Failed to create certificate store: ${errorMessage}`);
-    }
-  }
-
-  /**
-   * Setup event listeners to forward SmartACME events to our own event emitter
-   */
-  private setupEventListeners(): void {
-    if (!this.smartAcme) return;
-
-    const setupEvents = (emitter: { on: (event: string, listener: (data: any) => void) => void }) => {
-      // Forward certificate events
-      emitter.on('certificate', (data: any) => {
-        const isRenewal = !!data.isRenewal;
-
-        const certData: ICertificateData = {
-          domain: data.domainName || data.domain,
-          certificate: data.publicKey || data.cert,
-          privateKey: data.privateKey || data.key,
-          expiryDate: new Date(data.validUntil || data.expiryDate || Date.now()),
-          source: 'http01',
-          isRenewal
-        };
-
-        const eventType = isRenewal
-          ? CertificateEvents.CERTIFICATE_RENEWED
-          : CertificateEvents.CERTIFICATE_ISSUED;
-
-        this.emit(eventType, certData);
-      });
-
-      // Forward error events
-      emitter.on('error', (error: any) => {
-        const domain = error.domainName || error.domain || 'unknown';
-        const failureData: ICertificateFailure = {
-          domain,
-          error: error.message || String(error),
-          isRenewal: !!error.isRenewal
-        };
-
-        this.emit(CertificateEvents.CERTIFICATE_FAILED, failureData);
-      });
-    };
-
-    // Check for direct event methods on SmartAcme
-    if (typeof this.smartAcme.on === 'function') {
-      setupEvents(this.smartAcme as any);
-    }
-    // Check for eventEmitter property
-    else if (this.smartAcme.eventEmitter) {
-      setupEvents(this.smartAcme.eventEmitter);
-    }
-    // If no proper event handling, log a warning
-    else {
-      console.warn('SmartAcme instance does not support expected event interface - events may not be forwarded');
-    }
-  }
-
-  /**
-   * Handle HTTP request by checking if it's an ACME challenge
-   * @param req HTTP request object
-   * @param res HTTP response object
-   * @returns true if the request was handled, false otherwise
-   */
-  public handleRequest(req: IncomingMessage, res: ServerResponse): boolean {
-    if (!this.http01Handler) return false;
-
-    // Check if this is an ACME challenge request (/.well-known/acme-challenge/*)
-    const url = req.url || '';
-    if (url.startsWith('/.well-known/acme-challenge/')) {
-      try {
-        // Delegate to the HTTP-01 memory handler, which knows how to serve challenges
-        this.http01Handler.handleRequest(req, res);
-        return true;
-      } catch (error) {
-        console.error('Error handling ACME challenge:', error);
-        // If there was an error, send a 404 response
-        res.writeHead(404);
-        res.end('Not found');
-        return true;
-      }
-    }
-    
-    return false;
-  }
-
-  /**
-   * Request a certificate for a domain
-   * @param domain Domain name to request a certificate for
-   * @param isRenewal Whether this is a renewal request
-   */
-  public async requestCertificate(domain: string, isRenewal: boolean = false): Promise<ICertificateData> {
-    if (!this.smartAcme) {
-      throw new Error('ACME client not initialized');
-    }
-
-    try {
-      // Request certificate using SmartACME
-      const certObj = await this.smartAcme.getCertificateForDomain(domain);
-      
-      // Convert the certificate object to our CertificateData format
-      const certData: ICertificateData = {
-        domain,
-        certificate: certObj.publicKey,
-        privateKey: certObj.privateKey,
-        expiryDate: new Date(certObj.validUntil),
-        source: 'http01',
-        isRenewal
-      };
-      
-      return certData;
-    } catch (error) {
-      // Create failure object
-      const failure: ICertificateFailure = {
-        domain,
-        error: error instanceof Error ? error.message : String(error),
-        isRenewal
-      };
-      
-      // Emit failure event
-      this.emit(CertificateEvents.CERTIFICATE_FAILED, failure);
-      
-      // Rethrow with more context
-      throw new Error(`Failed to ${isRenewal ? 'renew' : 'obtain'} certificate for ${domain}: ${
-        error instanceof Error ? error.message : String(error)
-      }`);
-    }
-  }
-
-  /**
-   * Check if a certificate is expiring soon and trigger renewal if needed
-   * @param domain Domain name
-   * @param certificate Certificate data
-   * @param thresholdDays Days before expiry to trigger renewal
-   */
-  public checkCertificateExpiry(
-    domain: string,
-    certificate: ICertificateData,
-    thresholdDays: number = 30
-  ): void {
-    if (!certificate.expiryDate) return;
-    
-    const now = new Date();
-    const expiryDate = certificate.expiryDate;
-    const daysDifference = Math.floor((expiryDate.getTime() - now.getTime()) / (1000 * 60 * 60 * 24));
-    
-    if (daysDifference <= thresholdDays) {
-      const expiryInfo: ICertificateExpiring = {
-        domain,
-        expiryDate,
-        daysRemaining: daysDifference
-      };
-      
-      this.emit(CertificateEvents.CERTIFICATE_EXPIRING, expiryInfo);
-      
-      // Automatically attempt renewal if expiring
-      if (this.smartAcme) {
-        this.requestCertificate(domain, true).catch(error => {
-          console.error(`Failed to auto-renew certificate for ${domain}:`, error);
-        });
-      }
-    }
-  }
-}

ts/http/port80/index.ts

@@ -1,13 +0,0 @@
-/**
- * Port 80 handling
- */
-
-// Export the main components
-export { Port80Handler } from './port80-handler.js';
-export { ChallengeResponder } from './challenge-responder.js';
-
-// Export backward compatibility interfaces and types
-export {
-  HttpError as Port80HandlerError,
-  CertificateError as CertError
-} from '../models/http-types.js';

ts/http/port80/port80-handler.ts

@@ -1,728 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { IncomingMessage, ServerResponse } from 'http';
-import { CertificateEvents } from '../../certificate/events/certificate-events.js';
-import type {
-  IDomainOptions, // Kept for backward compatibility
-  ICertificateData,
-  ICertificateFailure,
-  ICertificateExpiring,
-  IAcmeOptions,
-  IRouteForwardConfig
-} from '../../certificate/models/certificate-types.js';
-import {
-  HttpEvents,
-  HttpStatus,
-  HttpError,
-  CertificateError,
-  ServerError,
-} from '../models/http-types.js';
-import type { IDomainCertificate } from '../models/http-types.js';
-import { ChallengeResponder } from './challenge-responder.js';
-import { extractPort80RoutesFromRoutes } from './acme-interfaces.js';
-import type { IPort80RouteOptions } from './acme-interfaces.js';
-import type { IRouteConfig } from '../../proxies/smart-proxy/models/route-types.js';
-
-// Re-export for backward compatibility
-export {
-  HttpError as Port80HandlerError,
-  CertificateError,
-  ServerError
-}
-
-// Port80Handler events enum for backward compatibility
-export const Port80HandlerEvents = CertificateEvents;
-
-/**
- * Configuration options for the Port80Handler
- */
-// Port80Handler options moved to common types
-
-
-/**
- * Port80Handler with ACME certificate management and request forwarding capabilities
- * Now with glob pattern support for domain matching
- */
-export class Port80Handler extends plugins.EventEmitter {
-  private domainCertificates: Map<string, IDomainCertificate>;
-  private challengeResponder: ChallengeResponder | null = null;
-  private server: plugins.http.Server | null = null;
-
-  // Renewal scheduling is handled externally by SmartProxy
-  private isShuttingDown: boolean = false;
-  private options: Required<IAcmeOptions>;
-
-  /**
-   * Creates a new Port80Handler
-   * @param options Configuration options
-   */
-  constructor(options: IAcmeOptions = {}) {
-    super();
-    this.domainCertificates = new Map<string, IDomainCertificate>();
-
-    // Default options
-    this.options = {
-      port: options.port ?? 80,
-      accountEmail: options.accountEmail ?? 'admin@example.com',
-      useProduction: options.useProduction ?? false, // Safer default: staging
-      httpsRedirectPort: options.httpsRedirectPort ?? 443,
-      enabled: options.enabled ?? true, // Enable by default
-      certificateStore: options.certificateStore ?? './certs',
-      skipConfiguredCerts: options.skipConfiguredCerts ?? false,
-      renewThresholdDays: options.renewThresholdDays ?? 30,
-      renewCheckIntervalHours: options.renewCheckIntervalHours ?? 24,
-      autoRenew: options.autoRenew ?? true,
-      routeForwards: options.routeForwards ?? []
-    };
-
-    // Initialize challenge responder
-    if (this.options.enabled) {
-      this.challengeResponder = new ChallengeResponder(
-        this.options.useProduction,
-        this.options.accountEmail,
-        this.options.certificateStore
-      );
-
-      // Forward certificate events from the challenge responder
-      this.challengeResponder.on(CertificateEvents.CERTIFICATE_ISSUED, (data: ICertificateData) => {
-        this.emit(CertificateEvents.CERTIFICATE_ISSUED, data);
-      });
-
-      this.challengeResponder.on(CertificateEvents.CERTIFICATE_RENEWED, (data: ICertificateData) => {
-        this.emit(CertificateEvents.CERTIFICATE_RENEWED, data);
-      });
-
-      this.challengeResponder.on(CertificateEvents.CERTIFICATE_FAILED, (error: ICertificateFailure) => {
-        this.emit(CertificateEvents.CERTIFICATE_FAILED, error);
-      });
-
-      this.challengeResponder.on(CertificateEvents.CERTIFICATE_EXPIRING, (expiry: ICertificateExpiring) => {
-        this.emit(CertificateEvents.CERTIFICATE_EXPIRING, expiry);
-      });
-    }
-  }
-
-  /**
-   * Starts the HTTP server for ACME challenges
-   */
-  public async start(): Promise<void> {
-    if (this.server) {
-      throw new ServerError('Server is already running');
-    }
-
-    if (this.isShuttingDown) {
-      throw new ServerError('Server is shutting down');
-    }
-
-    // Skip if disabled
-    if (this.options.enabled === false) {
-      console.log('Port80Handler is disabled, skipping start');
-      return;
-    }
-
-    // Initialize the challenge responder if enabled
-    if (this.options.enabled && this.challengeResponder) {
-      try {
-        await this.challengeResponder.initialize();
-      } catch (error) {
-        throw new ServerError(`Failed to initialize challenge responder: ${
-          error instanceof Error ? error.message : String(error)
-        }`);
-      }
-    }
-
-    return new Promise((resolve, reject) => {
-      try {
-        this.server = plugins.http.createServer((req, res) => this.handleRequest(req, res));
-
-        this.server.on('error', (error: NodeJS.ErrnoException) => {
-          if (error.code === 'EACCES') {
-            reject(new ServerError(`Permission denied to bind to port ${this.options.port}. Try running with elevated privileges or use a port > 1024.`, error.code));
-          } else if (error.code === 'EADDRINUSE') {
-            reject(new ServerError(`Port ${this.options.port} is already in use.`, error.code));
-          } else {
-            reject(new ServerError(error.message, error.code));
-          }
-        });
-
-        this.server.listen(this.options.port, () => {
-          console.log(`Port80Handler is listening on port ${this.options.port}`);
-          this.emit(CertificateEvents.MANAGER_STARTED, this.options.port);
-
-          // Start certificate process for domains with acmeMaintenance enabled
-          for (const [domain, domainInfo] of this.domainCertificates.entries()) {
-            // Skip glob patterns for certificate issuance
-            if (this.isGlobPattern(domain)) {
-              console.log(`Skipping initial certificate for glob pattern: ${domain}`);
-              continue;
-            }
-
-            if (domainInfo.options.acmeMaintenance && !domainInfo.certObtained && !domainInfo.obtainingInProgress) {
-              this.obtainCertificate(domain).catch(err => {
-                console.error(`Error obtaining initial certificate for ${domain}:`, err);
-              });
-            }
-          }
-
-          resolve();
-        });
-      } catch (error) {
-        const message = error instanceof Error ? error.message : 'Unknown error starting server';
-        reject(new ServerError(message));
-      }
-    });
-  }
-
-  /**
-   * Stops the HTTP server and cleanup resources
-   */
-  public async stop(): Promise<void> {
-    if (!this.server) {
-      return;
-    }
-
-    this.isShuttingDown = true;
-
-    return new Promise<void>((resolve) => {
-      if (this.server) {
-        this.server.close(() => {
-          this.server = null;
-          this.isShuttingDown = false;
-          this.emit(CertificateEvents.MANAGER_STOPPED);
-          resolve();
-        });
-      } else {
-        this.isShuttingDown = false;
-        resolve();
-      }
-    });
-  }
-
-  /**
-   * Adds a domain with configuration options
-   * @param options Domain configuration options
-   */
-  public addDomain(options: IDomainOptions | IPort80RouteOptions): void {
-    // Normalize options format (handle both IDomainOptions and IPort80RouteOptions)
-    const normalizedOptions: IDomainOptions = this.normalizeOptions(options);
-
-    if (!normalizedOptions.domainName || typeof normalizedOptions.domainName !== 'string') {
-      throw new HttpError('Invalid domain name');
-    }
-
-    const domainName = normalizedOptions.domainName;
-
-    if (!this.domainCertificates.has(domainName)) {
-      this.domainCertificates.set(domainName, {
-        options: normalizedOptions,
-        certObtained: false,
-        obtainingInProgress: false
-      });
-
-      console.log(`Domain added: ${domainName} with configuration:`, {
-        sslRedirect: normalizedOptions.sslRedirect,
-        acmeMaintenance: normalizedOptions.acmeMaintenance,
-        hasForward: !!normalizedOptions.forward,
-        hasAcmeForward: !!normalizedOptions.acmeForward,
-        routeReference: normalizedOptions.routeReference
-      });
-
-      // If acmeMaintenance is enabled and not a glob pattern, start certificate process immediately
-      if (normalizedOptions.acmeMaintenance && this.server && !this.isGlobPattern(domainName)) {
-        this.obtainCertificate(domainName).catch(err => {
-          console.error(`Error obtaining initial certificate for ${domainName}:`, err);
-        });
-      }
-    } else {
-      // Update existing domain with new options
-      const existing = this.domainCertificates.get(domainName)!;
-      existing.options = normalizedOptions;
-      console.log(`Domain ${domainName} configuration updated`);
-    }
-  }
-
-  /**
-   * Add domains from route configurations
-   * @param routes Array of route configurations
-   */
-  public addDomainsFromRoutes(routes: IRouteConfig[]): void {
-    // Extract Port80RouteOptions from routes
-    const routeOptions = extractPort80RoutesFromRoutes(routes);
-
-    // Add each domain
-    for (const options of routeOptions) {
-      this.addDomain(options);
-    }
-
-    console.log(`Added ${routeOptions.length} domains from routes for certificate management`);
-  }
-
-  /**
-   * Normalize options from either IDomainOptions or IPort80RouteOptions
-   * @param options Options to normalize
-   * @returns Normalized IDomainOptions
-   * @private
-   */
-  private normalizeOptions(options: IDomainOptions | IPort80RouteOptions): IDomainOptions {
-    // Handle IPort80RouteOptions format
-    if ('domain' in options) {
-      return {
-        domainName: options.domain,
-        sslRedirect: options.sslRedirect,
-        acmeMaintenance: options.acmeMaintenance,
-        forward: options.forward,
-        acmeForward: options.acmeForward,
-        routeReference: options.routeReference
-      };
-    }
-
-    // Already in IDomainOptions format
-    return options;
-  }
-
-  /**
-   * Removes a domain from management
-   * @param domain The domain to remove
-   */
-  public removeDomain(domain: string): void {
-    if (this.domainCertificates.delete(domain)) {
-      console.log(`Domain removed: ${domain}`);
-    }
-  }
-  
-  /**
-   * Gets the certificate for a domain if it exists
-   * @param domain The domain to get the certificate for
-   */
-  public getCertificate(domain: string): ICertificateData | null {
-    // Can't get certificates for glob patterns
-    if (this.isGlobPattern(domain)) {
-      return null;
-    }
-
-    const domainInfo = this.domainCertificates.get(domain);
-
-    if (!domainInfo || !domainInfo.certObtained || !domainInfo.certificate || !domainInfo.privateKey) {
-      return null;
-    }
-
-    return {
-      domain,
-      certificate: domainInfo.certificate,
-      privateKey: domainInfo.privateKey,
-      expiryDate: domainInfo.expiryDate || this.getDefaultExpiryDate()
-    };
-  }
-
-
-
-  /**
-   * Check if a domain is a glob pattern
-   * @param domain Domain to check
-   * @returns True if the domain is a glob pattern
-   */
-  private isGlobPattern(domain: string): boolean {
-    return domain.includes('*');
-  }
-  
-  /**
-   * Get domain info for a specific domain, using glob pattern matching if needed
-   * @param requestDomain The actual domain from the request
-   * @returns The domain info or null if not found
-   */
-  private getDomainInfoForRequest(requestDomain: string): { domainInfo: IDomainCertificate, pattern: string } | null {
-    // Try direct match first
-    if (this.domainCertificates.has(requestDomain)) {
-      return {
-        domainInfo: this.domainCertificates.get(requestDomain)!,
-        pattern: requestDomain
-      };
-    }
-
-    // Then try glob patterns
-    for (const [pattern, domainInfo] of this.domainCertificates.entries()) {
-      if (this.isGlobPattern(pattern) && this.domainMatchesPattern(requestDomain, pattern)) {
-        return { domainInfo, pattern };
-      }
-    }
-
-    return null;
-  }
-  
-  /**
-   * Check if a domain matches a glob pattern
-   * @param domain The domain to check
-   * @param pattern The pattern to match against
-   * @returns True if the domain matches the pattern
-   */
-  private domainMatchesPattern(domain: string, pattern: string): boolean {
-    // Handle different glob pattern styles
-    if (pattern.startsWith('*.')) {
-      // *.example.com matches any subdomain
-      const suffix = pattern.substring(2);
-      return domain.endsWith(suffix) && domain.includes('.') && domain !== suffix;
-    } else if (pattern.endsWith('.*')) {
-      // example.* matches any TLD
-      const prefix = pattern.substring(0, pattern.length - 2);
-      const domainParts = domain.split('.');
-      return domain.startsWith(prefix + '.') && domainParts.length >= 2;
-    } else if (pattern === '*') {
-      // Wildcard matches everything
-      return true;
-    } else {
-      // Exact match (shouldn't reach here as we check exact matches first)
-      return domain === pattern;
-    }
-  }
-
-
-  /**
-   * Handles incoming HTTP requests
-   * @param req The HTTP request
-   * @param res The HTTP response
-   */
-  private handleRequest(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void {
-    // Emit request received event with basic info
-    this.emit(HttpEvents.REQUEST_RECEIVED, {
-      url: req.url,
-      method: req.method,
-      headers: req.headers
-    });
-
-    const hostHeader = req.headers.host;
-    if (!hostHeader) {
-      res.statusCode = HttpStatus.BAD_REQUEST;
-      res.end('Bad Request: Host header is missing');
-      return;
-    }
-
-    // Extract domain (ignoring any port in the Host header)
-    const domain = hostHeader.split(':')[0];
-
-    // Check if this is an ACME challenge request that our ChallengeResponder can handle
-    if (this.challengeResponder && req.url?.startsWith('/.well-known/acme-challenge/')) {
-      // Handle ACME HTTP-01 challenge with the challenge responder
-      const domainMatch = this.getDomainInfoForRequest(domain);
-
-      // If there's a specific ACME forwarding config for this domain, use that instead
-      if (domainMatch?.domainInfo.options.acmeForward) {
-        this.forwardRequest(req, res, domainMatch.domainInfo.options.acmeForward, 'ACME challenge');
-        return;
-      }
-
-      // If domain exists and has acmeMaintenance enabled, or we don't have the domain yet
-      // (for auto-provisioning), try to handle the ACME challenge
-      if (!domainMatch || domainMatch.domainInfo.options.acmeMaintenance) {
-        // Let the challenge responder try to handle this request
-        if (this.challengeResponder.handleRequest(req, res)) {
-          // Challenge was handled
-          return;
-        }
-      }
-    }
-
-    // Dynamic provisioning: if domain not yet managed, register for ACME and return 503
-    if (!this.domainCertificates.has(domain)) {
-      try {
-        this.addDomain({ domainName: domain, sslRedirect: false, acmeMaintenance: true });
-      } catch (err) {
-        console.error(`Error registering domain for on-demand provisioning: ${err}`);
-      }
-      res.statusCode = HttpStatus.SERVICE_UNAVAILABLE;
-      res.end('Certificate issuance in progress');
-      return;
-    }
-
-    // Get domain config, using glob pattern matching if needed
-    const domainMatch = this.getDomainInfoForRequest(domain);
-    if (!domainMatch) {
-      res.statusCode = HttpStatus.NOT_FOUND;
-      res.end('Domain not configured');
-      return;
-    }
-
-    const { domainInfo, pattern } = domainMatch;
-    const options = domainInfo.options;
-
-    // Check if we should forward non-ACME requests
-    if (options.forward) {
-      this.forwardRequest(req, res, options.forward, 'HTTP');
-      return;
-    }
-
-    // If certificate exists and sslRedirect is enabled, redirect to HTTPS
-    // (Skip for glob patterns as they won't have certificates)
-    if (!this.isGlobPattern(pattern) && domainInfo.certObtained && options.sslRedirect) {
-      const httpsPort = this.options.httpsRedirectPort;
-      const portSuffix = httpsPort === 443 ? '' : `:${httpsPort}`;
-      const redirectUrl = `https://${domain}${portSuffix}${req.url || '/'}`;
-
-      res.statusCode = HttpStatus.MOVED_PERMANENTLY;
-      res.setHeader('Location', redirectUrl);
-      res.end(`Redirecting to ${redirectUrl}`);
-      return;
-    }
-
-    // Handle case where certificate maintenance is enabled but not yet obtained
-    // (Skip for glob patterns as they can't have certificates)
-    if (!this.isGlobPattern(pattern) && options.acmeMaintenance && !domainInfo.certObtained) {
-      // Trigger certificate issuance if not already running
-      if (!domainInfo.obtainingInProgress) {
-        this.obtainCertificate(domain).catch(err => {
-          const errorMessage = err instanceof Error ? err.message : 'Unknown error';
-          this.emit(CertificateEvents.CERTIFICATE_FAILED, {
-            domain,
-            error: errorMessage,
-            isRenewal: false
-          });
-          console.error(`Error obtaining certificate for ${domain}:`, err);
-        });
-      }
-
-      res.statusCode = HttpStatus.SERVICE_UNAVAILABLE;
-      res.end('Certificate issuance in progress, please try again later.');
-      return;
-    }
-
-    // Default response for unhandled request
-    res.statusCode = HttpStatus.NOT_FOUND;
-    res.end('No handlers configured for this request');
-
-    // Emit request handled event
-    this.emit(HttpEvents.REQUEST_HANDLED, {
-      domain,
-      url: req.url,
-      statusCode: res.statusCode
-    });
-  }
-  
-  /**
-   * Forwards an HTTP request to the specified target
-   * @param req The original request
-   * @param res The response object
-   * @param target The forwarding target (IP and port)
-   * @param requestType Type of request for logging
-   */
-  private forwardRequest(
-    req: plugins.http.IncomingMessage,
-    res: plugins.http.ServerResponse,
-    target: { ip: string; port: number },
-    requestType: string
-  ): void {
-    const options = {
-      hostname: target.ip,
-      port: target.port,
-      path: req.url,
-      method: req.method,
-      headers: { ...req.headers }
-    };
-
-    const domain = req.headers.host?.split(':')[0] || 'unknown';
-    console.log(`Forwarding ${requestType} request for ${domain} to ${target.ip}:${target.port}`);
-
-    const proxyReq = plugins.http.request(options, (proxyRes) => {
-      // Copy status code
-      res.statusCode = proxyRes.statusCode || HttpStatus.INTERNAL_SERVER_ERROR;
-
-      // Copy headers
-      for (const [key, value] of Object.entries(proxyRes.headers)) {
-        if (value) res.setHeader(key, value);
-      }
-
-      // Pipe response data
-      proxyRes.pipe(res);
-
-      this.emit(HttpEvents.REQUEST_FORWARDED, {
-        domain,
-        requestType,
-        target: `${target.ip}:${target.port}`,
-        statusCode: proxyRes.statusCode
-      });
-    });
-
-    proxyReq.on('error', (error) => {
-      console.error(`Error forwarding request to ${target.ip}:${target.port}:`, error);
-
-      this.emit(HttpEvents.REQUEST_ERROR, {
-        domain,
-        error: error.message,
-        target: `${target.ip}:${target.port}`
-      });
-
-      if (!res.headersSent) {
-        res.statusCode = HttpStatus.INTERNAL_SERVER_ERROR;
-        res.end(`Proxy error: ${error.message}`);
-      } else {
-        res.end();
-      }
-    });
-
-    // Pipe original request to proxy request
-    if (req.readable) {
-      req.pipe(proxyReq);
-    } else {
-      proxyReq.end();
-    }
-  }
-
-
-  /**
-   * Obtains a certificate for a domain using ACME HTTP-01 challenge
-   * @param domain The domain to obtain a certificate for
-   * @param isRenewal Whether this is a renewal attempt
-   */
-  private async obtainCertificate(domain: string, isRenewal: boolean = false): Promise<void> {
-    if (this.isGlobPattern(domain)) {
-      throw new CertificateError('Cannot obtain certificates for glob pattern domains', domain, isRenewal);
-    }
-
-    const domainInfo = this.domainCertificates.get(domain)!;
-
-    if (!domainInfo.options.acmeMaintenance) {
-      console.log(`Skipping certificate issuance for ${domain} - acmeMaintenance is disabled`);
-      return;
-    }
-
-    if (domainInfo.obtainingInProgress) {
-      console.log(`Certificate issuance already in progress for ${domain}`);
-      return;
-    }
-
-    if (!this.challengeResponder) {
-      throw new HttpError('Challenge responder is not initialized');
-    }
-
-    domainInfo.obtainingInProgress = true;
-    domainInfo.lastRenewalAttempt = new Date();
-
-    try {
-      // Request certificate via ChallengeResponder
-      // The ChallengeResponder handles all ACME client interactions and will emit events
-      const certData = await this.challengeResponder.requestCertificate(domain, isRenewal);
-
-      // Update domain info with certificate data
-      domainInfo.certificate = certData.certificate;
-      domainInfo.privateKey = certData.privateKey;
-      domainInfo.certObtained = true;
-      domainInfo.expiryDate = certData.expiryDate;
-
-      console.log(`Certificate ${isRenewal ? 'renewed' : 'obtained'} for ${domain}`);
-    } catch (error: any) {
-      const errorMsg = error instanceof Error ? error.message : String(error);
-      console.error(`Error during certificate issuance for ${domain}:`, error);
-      throw new CertificateError(errorMsg, domain, isRenewal);
-    } finally {
-      domainInfo.obtainingInProgress = false;
-    }
-  }
-
-  
-  /**
-   * Extract expiry date from certificate using a more robust approach
-   * @param certificate Certificate PEM string
-   * @param domain Domain for logging
-   * @returns Extracted expiry date or default
-   */
-  private extractExpiryDateFromCertificate(certificate: string, domain: string): Date {
-    try {
-      // This is still using regex, but in a real implementation you would use
-      // a library like node-forge or x509 to properly parse the certificate
-      const matches = certificate.match(/Not After\s*:\s*(.*?)(?:\n|$)/i);
-      if (matches && matches[1]) {
-        const expiryDate = new Date(matches[1]);
-        
-        // Validate that we got a valid date
-        if (!isNaN(expiryDate.getTime())) {
-          console.log(`Certificate for ${domain} will expire on ${expiryDate.toISOString()}`);
-          return expiryDate;
-        }
-      }
-      
-      console.warn(`Could not extract valid expiry date from certificate for ${domain}, using default`);
-      return this.getDefaultExpiryDate();
-    } catch (error) {
-      console.warn(`Failed to extract expiry date from certificate for ${domain}, using default`);
-      return this.getDefaultExpiryDate();
-    }
-  }
-  
-  /**
-   * Get a default expiry date (90 days from now)
-   * @returns Default expiry date
-   */
-  private getDefaultExpiryDate(): Date {
-    return new Date(Date.now() + 90 * 24 * 60 * 60 * 1000); // 90 days default
-  }
-  
-  /**
-   * Emits a certificate event with the certificate data
-   * @param eventType The event type to emit
-   * @param data The certificate data
-   */
-  private emitCertificateEvent(eventType: CertificateEvents, data: ICertificateData): void {
-    this.emit(eventType, data);
-  }
-  
-  /**
-   * Gets all domains and their certificate status
-   * @returns Map of domains to certificate status
-   */
-  public getDomainCertificateStatus(): Map<string, {
-    certObtained: boolean;
-    expiryDate?: Date;
-    daysRemaining?: number;
-    obtainingInProgress: boolean;
-    lastRenewalAttempt?: Date;
-  }> {
-    const result = new Map<string, {
-      certObtained: boolean;
-      expiryDate?: Date;
-      daysRemaining?: number;
-      obtainingInProgress: boolean;
-      lastRenewalAttempt?: Date;
-    }>();
-    
-    const now = new Date();
-    
-    for (const [domain, domainInfo] of this.domainCertificates.entries()) {
-      // Skip glob patterns
-      if (this.isGlobPattern(domain)) continue;
-      
-      const status: {
-        certObtained: boolean;
-        expiryDate?: Date;
-        daysRemaining?: number;
-        obtainingInProgress: boolean;
-        lastRenewalAttempt?: Date;
-      } = {
-        certObtained: domainInfo.certObtained,
-        expiryDate: domainInfo.expiryDate,
-        obtainingInProgress: domainInfo.obtainingInProgress,
-        lastRenewalAttempt: domainInfo.lastRenewalAttempt
-      };
-      
-      // Calculate days remaining if expiry date is available
-      if (domainInfo.expiryDate) {
-        const daysRemaining = Math.ceil(
-          (domainInfo.expiryDate.getTime() - now.getTime()) / (24 * 60 * 60 * 1000)
-        );
-        status.daysRemaining = daysRemaining;
-      }
-      
-      result.set(domain, status);
-    }
-    
-    return result;
-  }
-  
-  /**
-   * Request a certificate renewal for a specific domain.
-   * @param domain The domain to renew.
-   */
-  public async renewCertificate(domain: string): Promise<void> {
-    if (!this.domainCertificates.has(domain)) {
-      throw new HttpError(`Domain not managed: ${domain}`);
-    }
-    // Trigger renewal via ACME
-    await this.obtainCertificate(domain, true);
-  }
-}

ts/index.ts

@@ -9,39 +9,36 @@ export * from './proxies/nftables-proxy/index.js';
 // Export NetworkProxy elements selectively to avoid RouteManager ambiguity
 export { NetworkProxy, CertificateManager, ConnectionPool, RequestHandler, WebSocketHandler } from './proxies/network-proxy/index.js';
 export type { IMetricsTracker, MetricsTracker } from './proxies/network-proxy/index.js';
-export * from './proxies/network-proxy/models/index.js';
+// Export models except IAcmeOptions to avoid conflict
+export type { INetworkProxyOptions, ICertificateEntry, ILogger } from './proxies/network-proxy/models/types.js';
 export { RouteManager as NetworkProxyRouteManager } from './proxies/network-proxy/models/types.js';
 
-// Export port80handler elements selectively to avoid conflicts
-export {
-  Port80Handler,
-  Port80HandlerError as HttpError,
-  ServerError,
-  CertificateError
-} from './http/port80/port80-handler.js';
-// Use re-export to control the names
-export { Port80HandlerEvents } from './certificate/events/certificate-events.js';
+// Certificate and Port80 modules have been removed - use SmartCertManager instead
 
 export * from './redirect/classes.redirect.js';
 
 // Export SmartProxy elements selectively to avoid RouteManager ambiguity
 export { SmartProxy, ConnectionManager, SecurityManager, TimeoutManager, TlsManager, NetworkProxyBridge, RouteConnectionHandler } from './proxies/smart-proxy/index.js';
 export { RouteManager } from './proxies/smart-proxy/route-manager.js';
-export * from './proxies/smart-proxy/models/index.js';
+// Export smart-proxy models
+export type { ISmartProxyOptions, IConnectionRecord, IRouteConfig, IRouteMatch, IRouteAction, IRouteTls, IRouteContext } from './proxies/smart-proxy/models/index.js';
+export type { TSmartProxyCertProvisionObject } from './proxies/smart-proxy/models/interfaces.js';
 export * from './proxies/smart-proxy/utils/index.js';
 
 // Original: export * from './smartproxy/classes.pp.snihandler.js'
 // Now we export from the new module
 export { SniHandler } from './tls/sni/sni-handler.js';
 // Original: export * from './smartproxy/classes.pp.interfaces.js'
-// Now we export from the new module
-export * from './proxies/smart-proxy/models/interfaces.js';
+// Now we export from the new module (selectively to avoid conflicts)
 
 // Core types and utilities
 export * from './core/models/common-types.js';
 
+// Export IAcmeOptions from one place only
+export type { IAcmeOptions } from './proxies/smart-proxy/models/interfaces.js';
+
 // Modular exports for new architecture
 export * as forwarding from './forwarding/index.js';
-export * as certificate from './certificate/index.js';
+// Certificate module has been removed - use SmartCertManager instead
 export * as tls from './tls/index.js';
 export * as http from './http/index.js';

ts/proxies/index.ts

@@ -2,16 +2,19 @@
  * Proxy implementations module
  */
 
-// Export NetworkProxy with selective imports to avoid RouteManager ambiguity
+// Export NetworkProxy with selective imports to avoid conflicts
 export { NetworkProxy, CertificateManager, ConnectionPool, RequestHandler, WebSocketHandler } from './network-proxy/index.js';
 export type { IMetricsTracker, MetricsTracker } from './network-proxy/index.js';
-export * from './network-proxy/models/index.js';
+// Export network-proxy models except IAcmeOptions
+export type { INetworkProxyOptions, ICertificateEntry, ILogger } from './network-proxy/models/types.js';
+export { RouteManager as NetworkProxyRouteManager } from './network-proxy/models/types.js';
 
-// Export SmartProxy with selective imports to avoid RouteManager ambiguity
+// Export SmartProxy with selective imports to avoid conflicts
 export { SmartProxy, ConnectionManager, SecurityManager, TimeoutManager, TlsManager, NetworkProxyBridge, RouteConnectionHandler } from './smart-proxy/index.js';
 export { RouteManager as SmartProxyRouteManager } from './smart-proxy/route-manager.js';
 export * from './smart-proxy/utils/index.js';
-export * from './smart-proxy/models/index.js';
+// Export smart-proxy models except IAcmeOptions
+export type { ISmartProxyOptions, IConnectionRecord, IRouteConfig, IRouteMatch, IRouteAction, IRouteTls, IRouteContext } from './smart-proxy/models/index.js';
 
 // Export NFTables proxy (no conflicts)
 export * from './nftables-proxy/index.js';

ts/proxies/network-proxy/certificate-manager.ts

@@ -3,21 +3,17 @@ import * as fs from 'fs';
 import * as path from 'path';
 import { fileURLToPath } from 'url';
 import { type INetworkProxyOptions, type ICertificateEntry, type ILogger, createLogger } from './models/types.js';
-import { Port80Handler } from '../../http/port80/port80-handler.js';
-import { CertificateEvents } from '../../certificate/events/certificate-events.js';
-import { buildPort80Handler } from '../../certificate/acme/acme-factory.js';
-import { subscribeToPort80Handler } from '../../core/utils/event-utils.js';
-import type { IDomainOptions } from '../../certificate/models/certificate-types.js';
 import type { IRouteConfig } from '../smart-proxy/models/route-types.js';
 
 /**
- * Manages SSL certificates for NetworkProxy including ACME integration
+ * @deprecated This class is deprecated. Use SmartCertManager instead.
+ * 
+ * This is a stub implementation that maintains backward compatibility
+ * while the functionality has been moved to SmartCertManager.
  */
 export class CertificateManager {
   private defaultCertificates: { key: string; cert: string };
   private certificateCache: Map<string, ICertificateEntry> = new Map();
-  private port80Handler: Port80Handler | null = null;
-  private externalPort80Handler: boolean = false;
   private certificateStoreDir: string;
   private logger: ILogger;
   private httpsServer: plugins.https.Server | null = null;
@@ -26,6 +22,8 @@ export class CertificateManager {
     this.certificateStoreDir = path.resolve(options.acme?.certificateStore || './certs');
     this.logger = createLogger(options.logLevel || 'info');
     
+    this.logger.warn('CertificateManager is deprecated - use SmartCertManager instead');
+    
     // Ensure certificate store directory exists
     try {
       if (!fs.existsSync(this.certificateStoreDir)) {
@@ -44,7 +42,6 @@ export class CertificateManager {
    */
   public loadDefaultCertificates(): void {
     const __dirname = path.dirname(fileURLToPath(import.meta.url));
-    // Fix the path to look for certificates at the project root instead of inside ts directory
     const certPath = path.join(__dirname, '..', '..', '..', 'assets', 'certs');
 
     try {
@@ -52,467 +49,145 @@ export class CertificateManager {
         key: fs.readFileSync(path.join(certPath, 'key.pem'), 'utf8'),
         cert: fs.readFileSync(path.join(certPath, 'cert.pem'), 'utf8')
       };
-      this.logger.info('Default certificates loaded successfully');
+      this.logger.info('Loaded default certificates from filesystem');
     } catch (error) {
-      this.logger.error('Error loading default certificates', error);
-
-      // Generate self-signed fallback certificates
-      try {
-        // This is a placeholder for actual certificate generation code
-        // In a real implementation, you would use a library like selfsigned to generate certs
-        this.defaultCertificates = {
-          key: "FALLBACK_KEY_CONTENT",
-          cert: "FALLBACK_CERT_CONTENT"
-        };
-        this.logger.warn('Using fallback self-signed certificates');
-      } catch (fallbackError) {
-        this.logger.error('Failed to generate fallback certificates', fallbackError);
-        throw new Error('Could not load or generate SSL certificates');
-      }
+      this.logger.error(`Failed to load default certificates: ${error}`);
+      this.generateSelfSignedCertificate();
     }
   }
-  
+
   /**
-   * Set the HTTPS server reference for context updates
+   * Generates self-signed certificates as fallback
+   */
+  private generateSelfSignedCertificate(): void {
+    // Generate a self-signed certificate using forge or similar
+    // For now, just use a placeholder
+    const selfSignedCert = `-----BEGIN CERTIFICATE-----
+MIIBkTCB+wIJAKHHIgIIA0/cMA0GCSqGSIb3DQEBBQUAMA0xCzAJBgNVBAYTAlVT
+MB4XDTE0MDEwMTAwMDAwMFoXDTI0MDEwMTAwMDAwMFowDTELMAkGA1UEBhMCVVMw
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMRiH0VwnOH3jCV7c6JFZWYrvuqy
+-----END CERTIFICATE-----`;
+    
+    const selfSignedKey = `-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAMRiH0VwnOH3jCV7
+c6JFZWYrvuqyALCLXj0pcr1iqNdHjegNXnkl5zjdaUjq4edNOKl7M1AlFiYjG2xk
+-----END PRIVATE KEY-----`;
+
+    this.defaultCertificates = {
+      key: selfSignedKey,
+      cert: selfSignedCert
+    };
+
+    this.logger.warn('Using self-signed certificate as fallback');
+  }
+
+  /**
+   * Gets the default certificates
+   */
+  public getDefaultCertificates(): { key: string; cert: string } {
+    return this.defaultCertificates;
+  }
+
+  /**
+   * @deprecated Use SmartCertManager instead
+   */
+  public setExternalPort80Handler(handler: any): void {
+    this.logger.warn('setExternalPort80Handler is deprecated - use SmartCertManager instead');
+  }
+
+  /**
+   * @deprecated Use SmartCertManager instead
+   */
+  public async updateRoutes(routes: IRouteConfig[]): Promise<void> {
+    this.logger.warn('updateRoutes is deprecated - use SmartCertManager instead');
+  }
+
+  /**
+   * Handles SNI callback to provide appropriate certificate
+   */
+  public handleSNI(domain: string, cb: (err: Error | null, ctx: plugins.tls.SecureContext) => void): void {
+    const certificate = this.getCachedCertificate(domain);
+    
+    if (certificate) {
+      const context = plugins.tls.createSecureContext({
+        key: certificate.key,
+        cert: certificate.cert
+      });
+      cb(null, context);
+      return;
+    }
+    
+    // Use default certificate if no domain-specific certificate found
+    const defaultContext = plugins.tls.createSecureContext({
+      key: this.defaultCertificates.key,
+      cert: this.defaultCertificates.cert
+    });
+    cb(null, defaultContext);
+  }
+
+  /**
+   * Updates a certificate in the cache
+   */
+  public updateCertificate(domain: string, cert: string, key: string): void {
+    this.certificateCache.set(domain, {
+      cert,
+      key,
+      expires: new Date(Date.now() + 90 * 24 * 60 * 60 * 1000) // 90 days
+    });
+    
+    this.logger.info(`Certificate updated for ${domain}`);
+  }
+
+  /**
+   * Gets a cached certificate
+   */
+  private getCachedCertificate(domain: string): ICertificateEntry | null {
+    return this.certificateCache.get(domain) || null;
+  }
+
+  /**
+   * @deprecated Use SmartCertManager instead
+   */
+  public async initializePort80Handler(): Promise<any> {
+    this.logger.warn('initializePort80Handler is deprecated - use SmartCertManager instead');
+    return null;
+  }
+
+  /**
+   * @deprecated Use SmartCertManager instead
+   */
+  public async stopPort80Handler(): Promise<void> {
+    this.logger.warn('stopPort80Handler is deprecated - use SmartCertManager instead');
+  }
+
+  /**
+   * @deprecated Use SmartCertManager instead
+   */
+  public registerDomainsWithPort80Handler(domains: string[]): void {
+    this.logger.warn('registerDomainsWithPort80Handler is deprecated - use SmartCertManager instead');
+  }
+
+  /**
+   * @deprecated Use SmartCertManager instead
+   */
+  public registerRoutesWithPort80Handler(routes: IRouteConfig[]): void {
+    this.logger.warn('registerRoutesWithPort80Handler is deprecated - use SmartCertManager instead');
+  }
+
+  /**
+   * Sets the HTTPS server for certificate updates
    */
   public setHttpsServer(server: plugins.https.Server): void {
     this.httpsServer = server;
   }
-  
-  /**
-   * Get default certificates
-   */
-  public getDefaultCertificates(): { key: string; cert: string } {
-    return { ...this.defaultCertificates };
-  }
-  
-  /**
-   * Sets an external Port80Handler for certificate management
-   */
-  public setExternalPort80Handler(handler: Port80Handler): void {
-    if (this.port80Handler && !this.externalPort80Handler) {
-      this.logger.warn('Replacing existing internal Port80Handler with external handler');
-
-      // Clean up existing handler if needed
-      if (this.port80Handler !== handler) {
-        // Unregister event handlers to avoid memory leaks
-        this.port80Handler.removeAllListeners(CertificateEvents.CERTIFICATE_ISSUED);
-        this.port80Handler.removeAllListeners(CertificateEvents.CERTIFICATE_RENEWED);
-        this.port80Handler.removeAllListeners(CertificateEvents.CERTIFICATE_FAILED);
-        this.port80Handler.removeAllListeners(CertificateEvents.CERTIFICATE_EXPIRING);
-      }
-    }
-
-    // Set the external handler
-    this.port80Handler = handler;
-    this.externalPort80Handler = true;
-
-    // Subscribe to Port80Handler events
-    subscribeToPort80Handler(this.port80Handler, {
-      onCertificateIssued: this.handleCertificateIssued.bind(this),
-      onCertificateRenewed: this.handleCertificateIssued.bind(this),
-      onCertificateFailed: this.handleCertificateFailed.bind(this),
-      onCertificateExpiring: (data) => {
-        this.logger.info(`Certificate for ${data.domain} expires in ${data.daysRemaining} days`);
-      }
-    });
-
-    this.logger.info('External Port80Handler connected to CertificateManager');
-
-    // Register domains with Port80Handler if we have any certificates cached
-    if (this.certificateCache.size > 0) {
-      const domains = Array.from(this.certificateCache.keys())
-        .filter(domain => !domain.includes('*')); // Skip wildcard domains
-
-      this.registerDomainsWithPort80Handler(domains);
-    }
-  }
 
   /**
-   * Update route configurations managed by this certificate manager
-   * This method is called when route configurations change
-   *
-   * @param routes Array of route configurations
+   * Gets statistics for metrics
    */
-  public updateRouteConfigs(routes: IRouteConfig[]): void {
-    if (!this.port80Handler) {
-      this.logger.warn('Cannot update routes - Port80Handler is not initialized');
-      return;
-    }
-
-    // Register domains from routes with Port80Handler
-    this.registerRoutesWithPort80Handler(routes);
-
-    // Process individual routes for certificate requirements
-    for (const route of routes) {
-      this.processRouteForCertificates(route);
-    }
-
-    this.logger.info(`Updated certificate management for ${routes.length} routes`);
-  }
-  
-  /**
-   * Handle newly issued or renewed certificates from Port80Handler
-   */
-  private handleCertificateIssued(data: { domain: string; certificate: string; privateKey: string; expiryDate: Date }): void {
-    const { domain, certificate, privateKey, expiryDate } = data;
-    
-    this.logger.info(`Certificate ${this.certificateCache.has(domain) ? 'renewed' : 'issued'} for ${domain}, valid until ${expiryDate.toISOString()}`);
-    
-    // Update certificate in HTTPS server
-    this.updateCertificateCache(domain, certificate, privateKey, expiryDate);
-    
-    // Save the certificate to the filesystem if not using external handler
-    if (!this.externalPort80Handler && this.options.acme?.certificateStore) {
-      this.saveCertificateToStore(domain, certificate, privateKey);
-    }
-  }
-  
-  /**
-   * Handle certificate issuance failures
-   */
-  private handleCertificateFailed(data: { domain: string; error: string }): void {
-    this.logger.error(`Certificate issuance failed for ${data.domain}: ${data.error}`);
-  }
-  
-  /**
-   * Saves certificate and private key to the filesystem
-   */
-  private saveCertificateToStore(domain: string, certificate: string, privateKey: string): void {
-    try {
-      const certPath = path.join(this.certificateStoreDir, `${domain}.cert.pem`);
-      const keyPath = path.join(this.certificateStoreDir, `${domain}.key.pem`);
-      
-      fs.writeFileSync(certPath, certificate);
-      fs.writeFileSync(keyPath, privateKey);
-      
-      // Ensure private key has restricted permissions
-      try {
-        fs.chmodSync(keyPath, 0o600);
-      } catch (error) {
-        this.logger.warn(`Failed to set permissions on private key for ${domain}: ${error}`);
-      }
-      
-      this.logger.info(`Saved certificate for ${domain} to ${certPath}`);
-    } catch (error) {
-      this.logger.error(`Failed to save certificate for ${domain}: ${error}`);
-    }
-  }
-  
-  /**
-   * Handles SNI (Server Name Indication) for TLS connections
-   * Used by the HTTPS server to select the correct certificate for each domain
-   */
-  public handleSNI(domain: string, cb: (err: Error | null, ctx: plugins.tls.SecureContext) => void): void {
-    this.logger.debug(`SNI request for domain: ${domain}`);
-    
-    // Check if we have a certificate for this domain
-    const certs = this.certificateCache.get(domain);
-    if (certs) {
-      try {
-        // Create TLS context with the cached certificate
-        const context = plugins.tls.createSecureContext({
-          key: certs.key,
-          cert: certs.cert
-        });
-        this.logger.debug(`Using cached certificate for ${domain}`);
-        cb(null, context);
-        return;
-      } catch (err) {
-        this.logger.error(`Error creating secure context for ${domain}:`, err);
-      }
-    }
-    // No existing certificate: trigger dynamic provisioning via Port80Handler
-    if (this.port80Handler) {
-      try {
-        this.logger.info(`Triggering on-demand certificate retrieval for ${domain}`);
-        this.port80Handler.addDomain({
-          domainName: domain,
-          sslRedirect: false,
-          acmeMaintenance: true
-        });
-      } catch (err) {
-        this.logger.error(`Error registering domain for on-demand certificate: ${domain}`, err);
-      }
-    }
-    
-    // Check if we should trigger certificate issuance
-    if (this.options.acme?.enabled && this.port80Handler && !domain.includes('*')) {
-      // Check if this domain is already registered
-      const certData = this.port80Handler.getCertificate(domain);
-      
-      if (!certData) {
-        this.logger.info(`No certificate found for ${domain}, registering for issuance`);
-
-        // Register with new domain options format
-        const domainOptions: IDomainOptions = {
-          domainName: domain,
-          sslRedirect: true,
-          acmeMaintenance: true
-        };
-        
-        this.port80Handler.addDomain(domainOptions);
-      }
-    }
-    
-    // Fall back to default certificate
-    try {
-      const context = plugins.tls.createSecureContext({
-        key: this.defaultCertificates.key,
-        cert: this.defaultCertificates.cert
-      });
-      
-      this.logger.debug(`Using default certificate for ${domain}`);
-      cb(null, context);
-    } catch (err) {
-      this.logger.error(`Error creating default secure context:`, err);
-      cb(new Error('Cannot create secure context'), null);
-    }
-  }
-  
-  /**
-   * Updates certificate in cache
-   */
-  public updateCertificateCache(domain: string, certificate: string, privateKey: string, expiryDate?: Date): void {
-    // Update certificate context in HTTPS server if it's running
-    if (this.httpsServer) {
-      try {
-        this.httpsServer.addContext(domain, {
-          key: privateKey,
-          cert: certificate
-        });
-        this.logger.debug(`Updated SSL context for domain: ${domain}`);
-      } catch (error) {
-        this.logger.error(`Error updating SSL context for domain ${domain}:`, error);
-      }
-    }
-    
-    // Update certificate in cache
-    this.certificateCache.set(domain, {
-      key: privateKey,
-      cert: certificate,
-      expires: expiryDate
-    });
-  }
-  
-  /**
-   * Gets a certificate for a domain
-   */
-  public getCertificate(domain: string): ICertificateEntry | undefined {
-    return this.certificateCache.get(domain);
-  }
-  
-  /**
-   * Requests a new certificate for a domain
-   */
-  public async requestCertificate(domain: string): Promise<boolean> {
-    if (!this.options.acme?.enabled && !this.externalPort80Handler) {
-      this.logger.warn('ACME certificate management is not enabled');
-      return false;
-    }
-    
-    if (!this.port80Handler) {
-      this.logger.error('Port80Handler is not initialized');
-      return false;
-    }
-    
-    // Skip wildcard domains - can't get certs for these with HTTP-01 validation
-    if (domain.includes('*')) {
-      this.logger.error(`Cannot request certificate for wildcard domain: ${domain}`);
-      return false;
-    }
-    
-    try {
-      // Use the new domain options format
-      const domainOptions: IDomainOptions = {
-        domainName: domain,
-        sslRedirect: true,
-        acmeMaintenance: true
-      };
-      
-      this.port80Handler.addDomain(domainOptions);
-      this.logger.info(`Certificate request submitted for domain: ${domain}`);
-      return true;
-    } catch (error) {
-      this.logger.error(`Error requesting certificate for domain ${domain}:`, error);
-      return false;
-    }
-  }
-  
-  /**
-   * Registers domains with Port80Handler for ACME certificate management
-   * @param domains String array of domains to register
-   */
-  public registerDomainsWithPort80Handler(domains: string[]): void {
-    if (!this.port80Handler) {
-      this.logger.warn('Port80Handler is not initialized');
-      return;
-    }
-
-    for (const domain of domains) {
-      // Skip wildcard domains - can't get certs for these with HTTP-01 validation
-      if (domain.includes('*')) {
-        this.logger.info(`Skipping wildcard domain for ACME: ${domain}`);
-        continue;
-      }
-
-      // Skip domains already with certificates if configured to do so
-      if (this.options.acme?.skipConfiguredCerts) {
-        const cachedCert = this.certificateCache.get(domain);
-        if (cachedCert) {
-          this.logger.info(`Skipping domain with existing certificate: ${domain}`);
-          continue;
-        }
-      }
-
-      // Register the domain for certificate issuance with new domain options format
-      const domainOptions: IDomainOptions = {
-        domainName: domain,
-        sslRedirect: true,
-        acmeMaintenance: true
-      };
-
-      this.port80Handler.addDomain(domainOptions);
-      this.logger.info(`Registered domain for ACME certificate issuance: ${domain}`);
-    }
-  }
-
-  /**
-   * Extract domains from route configurations and register with Port80Handler
-   * This method enables direct integration with route-based configuration
-   *
-   * @param routes Array of route configurations
-   */
-  public registerRoutesWithPort80Handler(routes: IRouteConfig[]): void {
-    if (!this.port80Handler) {
-      this.logger.warn('Port80Handler is not initialized');
-      return;
-    }
-
-    // Extract domains from route configurations
-    const domains: Set<string> = new Set();
-
-    for (const route of routes) {
-      // Skip disabled routes
-      if (route.enabled === false) {
-        continue;
-      }
-
-      // Skip routes without HTTPS termination
-      if (route.action.type !== 'forward' || route.action.tls?.mode !== 'terminate') {
-        continue;
-      }
-
-      // Extract domains from match criteria
-      if (route.match.domains) {
-        if (typeof route.match.domains === 'string') {
-          domains.add(route.match.domains);
-        } else if (Array.isArray(route.match.domains)) {
-          for (const domain of route.match.domains) {
-            domains.add(domain);
-          }
-        }
-      }
-    }
-
-    // Register extracted domains
-    this.registerDomainsWithPort80Handler(Array.from(domains));
-  }
-
-  /**
-   * Process a route config to determine if it requires automatic certificate provisioning
-   * @param route Route configuration to process
-   */
-  public processRouteForCertificates(route: IRouteConfig): void {
-    // Skip disabled routes
-    if (route.enabled === false) {
-      return;
-    }
-
-    // Skip routes without HTTPS termination or auto certificate
-    if (route.action.type !== 'forward' ||
-        route.action.tls?.mode !== 'terminate' ||
-        route.action.tls?.certificate !== 'auto') {
-      return;
-    }
-
-    // Extract domains from match criteria
-    const domains: string[] = [];
-    if (route.match.domains) {
-      if (typeof route.match.domains === 'string') {
-        domains.push(route.match.domains);
-      } else if (Array.isArray(route.match.domains)) {
-        domains.push(...route.match.domains);
-      }
-    }
-
-    // Request certificates for the domains
-    for (const domain of domains) {
-      if (!domain.includes('*')) { // Skip wildcard domains
-        this.requestCertificate(domain).catch(err => {
-          this.logger.error(`Error requesting certificate for domain ${domain}:`, err);
-        });
-      }
-    }
-  }
-  
-  /**
-   * Initialize internal Port80Handler
-   */
-  public async initializePort80Handler(): Promise<Port80Handler | null> {
-    // Skip if using external handler
-    if (this.externalPort80Handler) {
-      this.logger.info('Using external Port80Handler, skipping initialization');
-      return this.port80Handler;
-    }
-    
-    if (!this.options.acme?.enabled) {
-      return null;
-    }
-    
-    // Build and configure Port80Handler
-    this.port80Handler = buildPort80Handler({
-      port: this.options.acme.port,
-      accountEmail: this.options.acme.accountEmail,
-      useProduction: this.options.acme.useProduction,
-      httpsRedirectPort: this.options.port, // Redirect to our HTTPS port
-      enabled: this.options.acme.enabled,
-      certificateStore: this.options.acme.certificateStore,
-      skipConfiguredCerts: this.options.acme.skipConfiguredCerts
-    });
-    // Subscribe to Port80Handler events
-    subscribeToPort80Handler(this.port80Handler, {
-      onCertificateIssued: this.handleCertificateIssued.bind(this),
-      onCertificateRenewed: this.handleCertificateIssued.bind(this),
-      onCertificateFailed: this.handleCertificateFailed.bind(this),
-      onCertificateExpiring: (data) => {
-        this.logger.info(`Certificate for ${data.domain} expires in ${data.daysRemaining} days`);
-      }
-    });
-    
-    // Start the handler
-    try {
-      await this.port80Handler.start();
-      this.logger.info(`Port80Handler started on port ${this.options.acme.port}`);
-      return this.port80Handler;
-    } catch (error) {
-      this.logger.error(`Failed to start Port80Handler: ${error}`);
-      this.port80Handler = null;
-      return null;
-    }
-  }
-  
-  /**
-   * Stop the Port80Handler if it was internally created
-   */
-  public async stopPort80Handler(): Promise<void> {
-    if (this.port80Handler && !this.externalPort80Handler) {
-      try {
-        await this.port80Handler.stop();
-        this.logger.info('Port80Handler stopped');
-      } catch (error) {
-        this.logger.error('Error stopping Port80Handler', error);
-      }
-    }
+  public getStats() {
+    return {
+      cachedCertificates: this.certificateCache.size,
+      defaultCertEnabled: true
+    };
   }
 }

ts/proxies/network-proxy/models/types.ts

@@ -1,5 +1,17 @@
 import * as plugins from '../../../plugins.js';
-import type { IAcmeOptions } from '../../../certificate/models/certificate-types.js';
+// Certificate types removed - define IAcmeOptions locally
+export interface IAcmeOptions {
+  enabled: boolean;
+  email?: string;
+  accountEmail?: string;
+  port?: number;
+  certificateStore?: string;
+  environment?: 'production' | 'staging';
+  useProduction?: boolean;
+  renewThresholdDays?: number;
+  autoRenew?: boolean;
+  skipConfiguredCerts?: boolean;
+}
 import type { IRouteConfig } from '../../smart-proxy/models/route-types.js';
 import type { IRouteContext } from '../../../core/models/route-context.js';
 
@@ -22,7 +34,7 @@ export interface INetworkProxyOptions {
   // Settings for SmartProxy integration
   connectionPoolSize?: number; // Maximum connections to maintain in the pool to each backend
   portProxyIntegration?: boolean; // Flag to indicate this proxy is used by SmartProxy
-  useExternalPort80Handler?: boolean; // Flag to indicate using external Port80Handler
+  useExternalPort80Handler?: boolean; // @deprecated - use SmartCertManager instead
   // Protocol to use when proxying to backends: HTTP/1.x or HTTP/2
   backendProtocol?: 'http1' | 'http2';
 

ts/proxies/network-proxy/network-proxy.ts

@@ -18,7 +18,6 @@ import { RequestHandler, type IMetricsTracker } from './request-handler.js';
 import { WebSocketHandler } from './websocket-handler.js';
 import { ProxyRouter } from '../../http/router/index.js';
 import { RouteRouter } from '../../http/router/route-router.js';
-import { Port80Handler } from '../../http/port80/port80-handler.js';
 import { FunctionCache } from './function-cache.js';
 
 /**
@@ -221,15 +220,10 @@ export class NetworkProxy implements IMetricsTracker {
   }
 
   /**
-   * Sets an external Port80Handler for certificate management
-   * This allows the NetworkProxy to use a centrally managed Port80Handler
-   * instead of creating its own
-   * 
-   * @param handler The Port80Handler instance to use
+   * @deprecated Use SmartCertManager instead
    */
-  public setExternalPort80Handler(handler: Port80Handler): void {
-    // Connect it to the certificate manager
-    this.certificateManager.setExternalPort80Handler(handler);
+  public setExternalPort80Handler(handler: any): void {
+    this.logger.warn('Port80Handler is deprecated - use SmartCertManager instead');
   }
 
   /**
@@ -238,10 +232,7 @@ export class NetworkProxy implements IMetricsTracker {
   public async start(): Promise<void> {
     this.startTime = Date.now();
     
-    // Initialize Port80Handler if enabled and not using external handler
-    if (this.options.acme?.enabled && !this.options.useExternalPort80Handler) {
-      await this.certificateManager.initializePort80Handler();
-    }
+    // Certificate management is now handled by SmartCertManager
     
     // Create HTTP/2 server with HTTP/1 fallback
     this.httpsServer = plugins.http2.createSecureServer(
@@ -385,7 +376,7 @@ export class NetworkProxy implements IMetricsTracker {
 
     // Directly update the certificate manager with the new routes
     // This will extract domains and handle certificate provisioning
-    this.certificateManager.updateRouteConfigs(routes);
+    this.certificateManager.updateRoutes(routes);
 
     // Collect all domains and certificates for configuration
     const currentHostnames = new Set<string>();
@@ -425,7 +416,7 @@ export class NetworkProxy implements IMetricsTracker {
     // Update certificate cache with any static certificates
     for (const [domain, certData] of certificateUpdates.entries()) {
       try {
-        this.certificateManager.updateCertificateCache(
+        this.certificateManager.updateCertificate(
           domain,
           certData.cert,
           certData.key
@@ -547,8 +538,7 @@ export class NetworkProxy implements IMetricsTracker {
     // Close all connection pool connections
     this.connectionPool.closeAllConnections();
     
-    // Stop Port80Handler if internally managed
-    await this.certificateManager.stopPort80Handler();
+    // Certificate management cleanup is handled by SmartCertManager
     
     // Close the HTTPS server
     return new Promise((resolve) => {
@@ -566,7 +556,8 @@ export class NetworkProxy implements IMetricsTracker {
    * @returns A promise that resolves when the request is submitted (not when the certificate is issued)
    */
   public async requestCertificate(domain: string): Promise<boolean> {
-    return this.certificateManager.requestCertificate(domain);
+    this.logger.warn('requestCertificate is deprecated - use SmartCertManager instead');
+    return false;
   }
   
   /**
@@ -587,7 +578,7 @@ export class NetworkProxy implements IMetricsTracker {
     expiryDate?: Date
   ): void {
     this.logger.info(`Updating certificate for ${domain}`);
-    this.certificateManager.updateCertificateCache(domain, certificate, privateKey, expiryDate);
+    this.certificateManager.updateCertificate(domain, certificate, privateKey);
   }
 
   /**

ts/proxies/smart-proxy/certificate-manager.ts

@@ -1,6 +1,7 @@
 import * as plugins from '../../plugins.js';
 import { NetworkProxy } from '../network-proxy/index.js';
 import type { IRouteConfig, IRouteTls } from './models/route-types.js';
+import type { IAcmeOptions } from './models/interfaces.js';
 import { CertStore } from './cert-store.js';
 
 export interface ICertStatus {
@@ -31,6 +32,9 @@ export class SmartCertManager {
   // Track certificate status by route name
   private certStatus: Map<string, ICertStatus> = new Map();
   
+  // Global ACME defaults from top-level configuration
+  private globalAcmeDefaults: IAcmeOptions | null = null;
+  
   // Callback to update SmartProxy routes for challenges
   private updateRoutesCallback?: (routes: IRouteConfig[]) => Promise<void>;
   
@@ -50,6 +54,13 @@ export class SmartCertManager {
     this.networkProxy = networkProxy;
   }
   
+  /**
+   * Set global ACME defaults from top-level configuration
+   */
+  public setGlobalAcmeDefaults(defaults: IAcmeOptions): void {
+    this.globalAcmeDefaults = defaults;
+  }
+  
   /**
    * Set callback for updating routes (used for challenge routes)
    */
@@ -146,7 +157,12 @@ export class SmartCertManager {
     domains: string[]
   ): Promise<void> {
     if (!this.smartAcme) {
-      throw new Error('SmartAcme not initialized');
+      throw new Error(
+        'SmartAcme not initialized. This usually means no ACME email was provided. ' +
+        'Please ensure you have configured ACME with an email address either:\n' +
+        '1. In the top-level "acme" configuration\n' +
+        '2. In the route\'s "tls.acme" configuration'
+      );
     }
     
     const primaryDomain = domains[0];
@@ -161,7 +177,12 @@ export class SmartCertManager {
       return;
     }
     
-    console.log(`Requesting ACME certificate for ${domains.join(', ')}`);
+    // Apply renewal threshold from global defaults or route config
+    const renewThreshold = route.action.tls?.acme?.renewBeforeDays || 
+                         this.globalAcmeDefaults?.renewThresholdDays || 
+                         30;
+    
+    console.log(`Requesting ACME certificate for ${domains.join(', ')} (renew ${renewThreshold} days before expiry)`);
     this.updateCertStatus(routeName, 'pending', 'acme');
     
     try {
@@ -303,7 +324,10 @@ export class SmartCertManager {
    */
   private isCertificateValid(cert: ICertificateData): boolean {
     const now = new Date();
-    const expiryThreshold = new Date(now.getTime() + 30 * 24 * 60 * 60 * 1000); // 30 days
+    
+    // Use renewal threshold from global defaults or fallback to 30 days
+    const renewThresholdDays = this.globalAcmeDefaults?.renewThresholdDays || 30;
+    const expiryThreshold = new Date(now.getTime() + renewThresholdDays * 24 * 60 * 60 * 1000);
     
     return cert.expiryDate > expiryThreshold;
   }
@@ -417,12 +441,15 @@ export class SmartCertManager {
    * Setup challenge handler integration with SmartProxy routing
    */
   private setupChallengeHandler(http01Handler: plugins.smartacme.handlers.Http01MemoryHandler): void {
+    // Use challenge port from global config or default to 80
+    const challengePort = this.globalAcmeDefaults?.port || 80;
+    
     // Create a challenge route that delegates to SmartAcme's HTTP-01 handler
     const challengeRoute: IRouteConfig = {
       name: 'acme-challenge',
       priority: 1000,  // High priority
       match: {
-        ports: 80,
+        ports: challengePort,
         path: '/.well-known/acme-challenge/*'
       },
       action: {

ts/proxies/smart-proxy/models/index.ts

@@ -1,5 +1,6 @@
 /**
  * SmartProxy models
  */
-export * from './interfaces.js';
+// Export everything except IAcmeOptions from interfaces
+export type { ISmartProxyOptions, IConnectionRecord, TSmartProxyCertProvisionObject } from './interfaces.js';
 export * from './route-types.js';

ts/proxies/smart-proxy/models/interfaces.ts

@@ -1,5 +1,19 @@
 import * as plugins from '../../../plugins.js';
-import type { IAcmeOptions } from '../../../certificate/models/certificate-types.js';
+// Certificate types removed - define IAcmeOptions locally
+export interface IAcmeOptions {
+  enabled?: boolean;
+  email?: string; // Required when any route uses certificate: 'auto'
+  environment?: 'production' | 'staging';
+  accountEmail?: string; // Alias for email
+  port?: number; // Port for HTTP-01 challenges (default: 80)
+  useProduction?: boolean; // Use Let's Encrypt production (default: false)
+  renewThresholdDays?: number; // Days before expiry to renew (default: 30)
+  autoRenew?: boolean; // Enable automatic renewal (default: true)
+  certificateStore?: string; // Directory to store certificates (default: './certs')
+  skipConfiguredCerts?: boolean;
+  renewCheckIntervalHours?: number; // How often to check for renewals (default: 24)
+  routeForwards?: any[];
+}
 import type { IRouteConfig } from './route-types.js';
 import type { TForwardingType } from '../../../forwarding/config/forwarding-types.js';
 
@@ -84,7 +98,22 @@ export interface ISmartProxyOptions {
   useNetworkProxy?: number[]; // Array of ports to forward to NetworkProxy
   networkProxyPort?: number; // Port where NetworkProxy is listening (default: 8443)
 
-  // ACME configuration options for SmartProxy
+  /**
+   * Global ACME configuration options for SmartProxy
+   * 
+   * When set, these options will be used as defaults for all routes
+   * with certificate: 'auto' that don't have their own ACME configuration.
+   * Route-specific ACME settings will override these defaults.
+   * 
+   * Example:
+   * ```ts
+   * acme: {
+   *   email: 'ssl@example.com',
+   *   useProduction: false,
+   *   port: 80
+   * }
+   * ```
+   */
   acme?: IAcmeOptions;
 
   /**

ts/proxies/smart-proxy/models/route-types.ts

@@ -1,5 +1,5 @@
 import * as plugins from '../../../plugins.js';
-import type { IAcmeOptions } from '../../../certificate/models/certificate-types.js';
+// Certificate types removed - use local definition
 import type { TForwardingType } from '../../../forwarding/config/forwarding-types.js';
 import type { PortRange } from '../../../proxies/nftables-proxy/models/interfaces.js';
 

ts/proxies/smart-proxy/route-manager.ts

@@ -173,6 +173,13 @@ export class RouteManager extends plugins.EventEmitter {
     return this.portMap.get(port) || [];
   }
   
+  /**
+   * Get all routes
+   */
+  public getAllRoutes(): IRouteConfig[] {
+    return [...this.routes];
+  }
+  
   /**
    * Test if a pattern matches a domain using glob matching
    */

ts/proxies/smart-proxy/smart-proxy.ts

@@ -115,21 +115,26 @@ export class SmartProxy extends plugins.EventEmitter {
       networkProxyPort: settingsArg.networkProxyPort || 8443,
     };
     
-    // Set default ACME options if not provided
-    this.settings.acme = this.settings.acme || {};
-    if (Object.keys(this.settings.acme).length === 0) {
+    // Normalize ACME options if provided (support both email and accountEmail)
+    if (this.settings.acme) {
+      // Support both 'email' and 'accountEmail' fields
+      if (this.settings.acme.accountEmail && !this.settings.acme.email) {
+        this.settings.acme.email = this.settings.acme.accountEmail;
+      }
+      
+      // Set reasonable defaults for commonly used fields
       this.settings.acme = {
-        enabled: false,
-        port: 80,
-        accountEmail: 'admin@example.com',
-        useProduction: false,
-        renewThresholdDays: 30,
-        autoRenew: true,
-        certificateStore: './certs',
-        skipConfiguredCerts: false,
-        httpsRedirectPort: 443,
-        renewCheckIntervalHours: 24,
-        routeForwards: []
+        enabled: this.settings.acme.enabled !== false, // Enable by default if acme object exists
+        port: this.settings.acme.port || 80,
+        email: this.settings.acme.email,
+        useProduction: this.settings.acme.useProduction || false,
+        renewThresholdDays: this.settings.acme.renewThresholdDays || 30,
+        autoRenew: this.settings.acme.autoRenew !== false, // Enable by default
+        certificateStore: this.settings.acme.certificateStore || './certs',
+        skipConfiguredCerts: this.settings.acme.skipConfiguredCerts || false,
+        renewCheckIntervalHours: this.settings.acme.renewCheckIntervalHours || 24,
+        routeForwards: this.settings.acme.routeForwards || [],
+        ...this.settings.acme // Preserve any additional fields
       };
     }
     
@@ -187,19 +192,55 @@ export class SmartProxy extends plugins.EventEmitter {
       return;
     }
     
-    // Use the first auto route's ACME config as defaults
-    const defaultAcme = autoRoutes[0]?.action.tls?.acme;
+    // Prepare ACME options with priority:
+    // 1. Use top-level ACME config if available
+    // 2. Fall back to first auto route's ACME config
+    // 3. Otherwise use undefined
+    let acmeOptions: { email?: string; useProduction?: boolean; port?: number } | undefined;
+    
+    if (this.settings.acme?.email) {
+      // Use top-level ACME config
+      acmeOptions = {
+        email: this.settings.acme.email,
+        useProduction: this.settings.acme.useProduction || false,
+        port: this.settings.acme.port || 80
+      };
+      console.log(`Using top-level ACME configuration with email: ${acmeOptions.email}`);
+    } else if (autoRoutes.length > 0) {
+      // Check for route-level ACME config
+      const routeWithAcme = autoRoutes.find(r => r.action.tls?.acme?.email);
+      if (routeWithAcme?.action.tls?.acme) {
+        const routeAcme = routeWithAcme.action.tls.acme;
+        acmeOptions = {
+          email: routeAcme.email,
+          useProduction: routeAcme.useProduction || false,
+          port: routeAcme.challengePort || 80
+        };
+        console.log(`Using route-level ACME configuration from route '${routeWithAcme.name}' with email: ${acmeOptions.email}`);
+      }
+    }
+    
+    // Validate we have required configuration
+    if (autoRoutes.length > 0 && !acmeOptions?.email) {
+      throw new Error(
+        'ACME email is required for automatic certificate provisioning. ' +
+        'Please provide email in either:\n' +
+        '1. Top-level "acme" configuration\n' +
+        '2. Individual route\'s "tls.acme" configuration'
+      );
+    }
     
     this.certManager = new SmartCertManager(
       this.settings.routes,
-      './certs', // Certificate directory
-      defaultAcme ? {
-        email: defaultAcme.email,
-        useProduction: defaultAcme.useProduction,
-        port: defaultAcme.challengePort || 80
-      } : undefined
+      this.settings.acme?.certificateStore || './certs',
+      acmeOptions
     );
     
+    // Pass down the global ACME config to the cert manager
+    if (this.settings.acme) {
+      this.certManager.setGlobalAcmeDefaults(this.settings.acme);
+    }
+    
     // Connect with NetworkProxy
     if (this.networkProxyBridge.getNetworkProxy()) {
       this.certManager.setNetworkProxy(this.networkProxyBridge.getNetworkProxy());
@@ -250,9 +291,14 @@ export class SmartProxy extends plugins.EventEmitter {
 
     // Validate the route configuration
     const configWarnings = this.routeManager.validateConfiguration();
-    if (configWarnings.length > 0) {
-      console.log("Route configuration warnings:");
-      for (const warning of configWarnings) {
+    
+    // Also validate ACME configuration
+    const acmeWarnings = this.validateAcmeConfiguration();
+    const allWarnings = [...configWarnings, ...acmeWarnings];
+    
+    if (allWarnings.length > 0) {
+      console.log("Configuration warnings:");
+      for (const warning of allWarnings) {
         console.log(` - ${warning}`);
       }
     }
@@ -664,5 +710,76 @@ export class SmartProxy extends plugins.EventEmitter {
   public async getNfTablesStatus(): Promise<Record<string, any>> {
     return this.nftablesManager.getStatus();
   }
+  
+  /**
+   * Validate ACME configuration
+   */
+  private validateAcmeConfiguration(): string[] {
+    const warnings: string[] = [];
+    
+    // Check for routes with certificate: 'auto'
+    const autoRoutes = this.settings.routes.filter(r => 
+      r.action.tls?.certificate === 'auto'
+    );
+    
+    if (autoRoutes.length === 0) {
+      return warnings;
+    }
+    
+    // Check if we have ACME email configuration
+    const hasTopLevelEmail = this.settings.acme?.email;
+    const routesWithEmail = autoRoutes.filter(r => r.action.tls?.acme?.email);
+    
+    if (!hasTopLevelEmail && routesWithEmail.length === 0) {
+      warnings.push(
+        'Routes with certificate: "auto" require ACME email configuration. ' +
+        'Add email to either top-level "acme" config or individual route\'s "tls.acme" config.'
+      );
+    }
+    
+    // Check for port 80 availability for challenges
+    if (autoRoutes.length > 0) {
+      const challengePort = this.settings.acme?.port || 80;
+      const portsInUse = this.routeManager.getListeningPorts();
+      
+      if (!portsInUse.includes(challengePort)) {
+        warnings.push(
+          `Port ${challengePort} is not configured for any routes but is needed for ACME challenges. ` +
+          `Add a route listening on port ${challengePort} or ensure it's accessible for HTTP-01 challenges.`
+        );
+      }
+    }
+    
+    // Check for mismatched environments
+    if (this.settings.acme?.useProduction) {
+      const stagingRoutes = autoRoutes.filter(r => 
+        r.action.tls?.acme?.useProduction === false
+      );
+      if (stagingRoutes.length > 0) {
+        warnings.push(
+          'Top-level ACME uses production but some routes use staging. ' +
+          'Consider aligning environments to avoid certificate issues.'
+        );
+      }
+    }
+    
+    // Check for wildcard domains with auto certificates
+    for (const route of autoRoutes) {
+      const domains = Array.isArray(route.match.domains) 
+        ? route.match.domains 
+        : [route.match.domains];
+      
+      const wildcardDomains = domains.filter(d => d?.includes('*'));
+      if (wildcardDomains.length > 0) {
+        warnings.push(
+          `Route "${route.name}" has wildcard domain(s) ${wildcardDomains.join(', ')} ` +
+          'with certificate: "auto". Wildcard certificates require DNS-01 challenges, ' +
+          'which are not currently supported. Use static certificates instead.'
+        );
+      }
+    }
+    
+    return warnings;
+  }
 
 }