19.6.1

Document the new metrics collection system including available metrics methods, usage examples, and export formats for external monitoring systems.

certs/static-route/meta.json

@@ -1,5 +1,5 @@
 {
-  "expiryDate": "2025-08-30T08:04:36.897Z",
-  "issueDate": "2025-06-01T08:04:36.897Z",
-  "savedAt": "2025-06-01T08:04:36.897Z"
+  "expiryDate": "2025-09-03T17:57:28.583Z",
+  "issueDate": "2025-06-05T17:57:28.583Z",
+  "savedAt": "2025-06-05T17:57:28.583Z"
 }

changelog.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 2025-06-01 - 19.5.19 - fix(smartproxy)
+Fix connection handling and improve route matching edge cases
+
+- Enhanced cleanup logic to prevent connection accumulation under rapid retry scenarios
+- Improved matching for wildcard domains and path parameters in the route configuration
+- Minor refactoring in async utilities and internal socket handling for better performance
+- Updated test suites and documentation for clearer configuration examples
+
 ## 2025-05-29 - 19.5.3 - fix(smartproxy)
 Fix route security configuration location and improve ACME timing tests and socket mock implementations
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "19.5.7",
+  "version": "19.6.1",
   "private": false,
   "description": "A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",
@@ -31,6 +31,7 @@
     "@push.rocks/smartnetwork": "^4.0.2",
     "@push.rocks/smartpromise": "^4.2.3",
     "@push.rocks/smartrequest": "^2.1.0",
+    "@push.rocks/smartrx": "^3.0.10",
     "@push.rocks/smartstring": "^4.0.15",
     "@push.rocks/taskbuffer": "^3.1.7",
     "@tsclass/tsclass": "^9.2.0",

pnpm-lock.yaml

@@ -35,6 +35,9 @@ importers:
       '@push.rocks/smartrequest':
         specifier: ^2.1.0
         version: 2.1.0
+      '@push.rocks/smartrx':
+        specifier: ^3.0.10
+        version: 3.0.10
       '@push.rocks/smartstring':
         specifier: ^4.0.15
         version: 4.0.15
@@ -977,9 +980,6 @@ packages:
   '@push.rocks/smartrx@3.0.10':
     resolution: {integrity: sha512-USjIYcsSfzn14cwOsxgq/bBmWDTTzy3ouWAnW5NdMyRRzEbmeNrvmy6TRqNeDlJ2PsYNTt1rr/zGUqvIy72ITg==}
 
-  '@push.rocks/smartrx@3.0.7':
-    resolution: {integrity: sha512-qCWy0s3RLAgGSnaw/Gu0BNaJ59CsI6RK5OJDCCqxc7P2X/S755vuLtnAR5/0dEjdhCHXHX9ytPZx+o9g/CNiyA==}
-
   '@push.rocks/smarts3@2.2.5':
     resolution: {integrity: sha512-OZjD0jBCUTJCLnwraxBcyZ3he5buXf2OEM1zipiTBChA2EcKUZWKk/a6KR5WT+NlFCIIuB23UG+U+cxsIWM91Q==}
 
@@ -6131,11 +6131,6 @@ snapshots:
       '@push.rocks/smartpromise': 4.2.3
       rxjs: 7.8.2
 
-  '@push.rocks/smartrx@3.0.7':
-    dependencies:
-      '@push.rocks/smartpromise': 4.2.3
-      rxjs: 7.8.2
-
   '@push.rocks/smarts3@2.2.5':
     dependencies:
       '@push.rocks/smartbucket': 3.3.7
@@ -6301,7 +6296,7 @@ snapshots:
       '@push.rocks/smartenv': 5.0.12
       '@push.rocks/smartjson': 5.0.20
       '@push.rocks/smartpromise': 4.2.3
-      '@push.rocks/smartrx': 3.0.7
+      '@push.rocks/smartrx': 3.0.10
       '@tempfix/idb': 8.0.3
       fake-indexeddb: 5.0.2
 

readme.connections.md

@@ -0,0 +1,724 @@
+# Connection Management in SmartProxy
+
+This document describes connection handling, cleanup mechanisms, and known issues in SmartProxy, particularly focusing on proxy chain configurations.
+
+## Connection Accumulation Investigation (January 2025)
+
+### Problem Statement
+Connections may accumulate on the outer proxy in proxy chain configurations, despite implemented fixes.
+
+### Historical Context
+- **v19.5.12-v19.5.15**: Major connection cleanup improvements
+- **v19.5.19+**: PROXY protocol support with WrappedSocket implementation
+- **v19.5.20**: Fixed race condition in immediate routing cleanup
+
+### Current Architecture
+
+#### Connection Flow in Proxy Chains
+```
+Client → Outer Proxy (8001) → Inner Proxy (8002) → Backend (httpbin.org:443)
+```
+
+1. **Outer Proxy**:
+   - Accepts client connection
+   - Sends PROXY protocol header to inner proxy
+   - Tracks connection in ConnectionManager
+   - Immediate routing for non-TLS ports
+
+2. **Inner Proxy**:
+   - Parses PROXY protocol to get real client IP
+   - Establishes connection to backend
+   - Tracks its own connections separately
+
+### Potential Causes of Connection Accumulation
+
+#### 1. Race Condition in Immediate Routing
+When a connection is immediately routed (non-TLS ports), there's a timing window:
+```typescript
+// route-connection-handler.ts, line ~231
+this.routeConnection(socket, record, '', undefined);
+// Connection is routed before all setup is complete
+```
+
+**Issue**: If client disconnects during backend connection setup, cleanup may not trigger properly.
+
+#### 2. Outgoing Socket Assignment Timing
+Despite the fix in v19.5.20:
+```typescript
+// Line 1362 in setupDirectConnection
+record.outgoing = targetSocket;
+```
+There's still a window between socket creation and the `connect` event where cleanup might miss the outgoing socket.
+
+#### 3. Batch Cleanup Delays
+ConnectionManager uses queued cleanup:
+- Batch size: 100 connections
+- Batch interval: 100ms
+- Under rapid connection/disconnection, queue might lag
+
+#### 4. Different Cleanup Paths
+Multiple cleanup triggers exist:
+- Socket 'close' event
+- Socket 'error' event  
+- Inactivity timeout
+- Connection timeout
+- Manual cleanup
+
+Not all paths may properly handle proxy chain scenarios.
+
+#### 5. Keep-Alive Connection Handling
+Keep-alive connections have special treatment:
+- Extended inactivity timeout (6x normal)
+- Warning before closure
+- May accumulate if backend is unresponsive
+
+### Observed Symptoms
+
+1. **Outer proxy connection count grows over time**
+2. **Inner proxy maintains zero or low connection count**
+3. **Connections show as closed in logs but remain in tracking**
+4. **Memory usage gradually increases**
+
+### Debug Strategies
+
+#### 1. Enhanced Logging
+Add connection state logging at key points:
+```typescript
+// When outgoing socket is created
+logger.log('debug', `Outgoing socket created for ${connectionId}`, {
+  hasOutgoing: !!record.outgoing,
+  outgoingState: record.outgoing?.readyState
+});
+```
+
+#### 2. Connection State Inspection
+Periodically log detailed connection state:
+```typescript
+for (const [id, record] of connectionManager.getConnections()) {
+  console.log({
+    id,
+    age: Date.now() - record.incomingStartTime,
+    incomingDestroyed: record.incoming.destroyed,
+    outgoingDestroyed: record.outgoing?.destroyed,
+    hasCleanupTimer: !!record.cleanupTimer
+  });
+}
+```
+
+#### 3. Cleanup Verification
+Track cleanup completion:
+```typescript
+// In cleanupConnection
+logger.log('debug', `Cleanup completed for ${record.id}`, {
+  recordsRemaining: this.connectionRecords.size
+});
+```
+
+### Recommendations
+
+1. **Immediate Cleanup for Proxy Chains**
+   - Skip batch queue for proxy chain connections
+   - Use synchronous cleanup when PROXY protocol is detected
+
+2. **Socket State Validation**
+   - Check both `destroyed` and `readyState` before cleanup decisions
+   - Handle 'opening' state sockets explicitly
+
+3. **Timeout Adjustments**
+   - Shorter timeouts for proxy chain connections
+   - More aggressive cleanup for connections without data transfer
+
+4. **Connection Limits**
+   - Per-route connection limits
+   - Backpressure when approaching limits
+
+5. **Monitoring**
+   - Export connection metrics
+   - Alert on connection count thresholds
+   - Track connection age distribution
+
+### Test Scenarios to Reproduce
+
+1. **Rapid Connect/Disconnect**
+   ```bash
+   # Create many short-lived connections
+   for i in {1..1000}; do
+     (echo -n | nc localhost 8001) &
+   done
+   ```
+
+2. **Slow Backend**
+   - Configure inner proxy to connect to unresponsive backend
+   - Monitor outer proxy connection count
+
+3. **Mixed Traffic**
+   - Combine TLS and non-TLS connections
+   - Add keep-alive connections
+   - Observe accumulation patterns
+
+### Future Improvements
+
+1. **Connection Pool Isolation**
+   - Separate pools for proxy chain vs direct connections
+   - Different cleanup strategies per pool
+
+2. **Circuit Breaker**
+   - Detect accumulation and trigger aggressive cleanup
+   - Temporary refuse new connections when near limit
+
+3. **Connection State Machine**
+   - Explicit states: CONNECTING, ESTABLISHED, CLOSING, CLOSED
+   - State transition validation
+   - Timeout per state
+
+4. **Metrics Collection**
+   - Connection lifecycle events
+   - Cleanup success/failure rates
+   - Time spent in each state
+
+### Root Cause Identified (January 2025)
+
+**The primary issue is on the inner proxy when backends are unreachable:**
+
+When the backend is unreachable (e.g., non-routable IP like 10.255.255.1):
+1. The outgoing socket gets stuck in "opening" state indefinitely
+2. The `createSocketWithErrorHandler` in socket-utils.ts doesn't implement connection timeout
+3. `socket.setTimeout()` only handles inactivity AFTER connection, not during connect phase
+4. Connections accumulate because they never transition to error state
+5. Socket timeout warnings fire but connections are preserved as keep-alive
+
+**Code Issue:**
+```typescript
+// socket-utils.ts line 275
+if (timeout) {
+  socket.setTimeout(timeout);  // This only handles inactivity, not connection!
+}
+```
+
+**Required Fix:**
+
+1. Add `connectionTimeout` to ISmartProxyOptions interface:
+```typescript
+// In interfaces.ts
+connectionTimeout?: number; // Timeout for establishing connection (ms), default: 30000 (30s)
+```
+
+2. Update `createSocketWithErrorHandler` in socket-utils.ts:
+```typescript
+export function createSocketWithErrorHandler(options: SafeSocketOptions): plugins.net.Socket {
+  const { port, host, onError, onConnect, timeout } = options;
+  
+  const socket = new plugins.net.Socket();
+  let connected = false;
+  let connectionTimeout: NodeJS.Timeout | null = null;
+  
+  socket.on('error', (error) => {
+    if (connectionTimeout) {
+      clearTimeout(connectionTimeout);
+      connectionTimeout = null;
+    }
+    if (onError) onError(error);
+  });
+  
+  socket.on('connect', () => {
+    connected = true;
+    if (connectionTimeout) {
+      clearTimeout(connectionTimeout);
+      connectionTimeout = null;
+    }
+    if (timeout) socket.setTimeout(timeout); // Set inactivity timeout
+    if (onConnect) onConnect();
+  });
+  
+  // Implement connection establishment timeout
+  if (timeout) {
+    connectionTimeout = setTimeout(() => {
+      if (!connected && !socket.destroyed) {
+        const error = new Error(`Connection timeout after ${timeout}ms to ${host}:${port}`);
+        (error as any).code = 'ETIMEDOUT';
+        socket.destroy();
+        if (onError) onError(error);
+      }
+    }, timeout);
+  }
+  
+  socket.connect(port, host);
+  return socket;
+}
+```
+
+3. Pass connectionTimeout in route-connection-handler.ts:
+```typescript
+const targetSocket = createSocketWithErrorHandler({
+  port: finalTargetPort,
+  host: finalTargetHost,
+  timeout: this.settings.connectionTimeout || 30000, // Connection timeout
+  onError: (error) => { /* existing */ },
+  onConnect: async () => { /* existing */ }
+});
+```
+
+### Investigation Results (January 2025)
+
+Based on extensive testing with debug scripts:
+
+1. **Normal Operation**: In controlled tests, connections are properly cleaned up:
+   - Immediate routing cleanup handler properly destroys outgoing connections
+   - Both outer and inner proxies maintain 0 connections after clients disconnect
+   - Keep-alive connections are tracked and cleaned up correctly
+
+2. **Potential Edge Cases Not Covered by Tests**:
+   - **HTTP/2 Connections**: May have different lifecycle than HTTP/1.1
+   - **WebSocket Connections**: Long-lived upgrade connections might persist
+   - **Partial TLS Handshakes**: Connections that start TLS but don't complete
+   - **PROXY Protocol Parse Failures**: Malformed headers from untrusted sources
+   - **Connection Pool Reuse**: HttpProxy component may maintain its own pools
+
+3. **Timing-Sensitive Scenarios**:
+   - Client disconnects exactly when `record.outgoing` is being assigned
+   - Backend connects but immediately RSTs
+   - Proxy chain where middle proxy restarts
+   - Multiple rapid reconnects with same source IP/port
+
+4. **Configuration-Specific Issues**:
+   - Mixed `sendProxyProtocol` settings in chain
+   - Different `keepAlive` settings between proxies
+   - Mismatched timeout values
+   - Routes with `forwardingEngine: 'nftables'`
+
+### Additional Debug Points
+
+Add these debug logs to identify the specific scenario:
+
+```typescript
+// In route-connection-handler.ts setupDirectConnection
+logger.log('debug', `Setting outgoing socket for ${connectionId}`, {
+  timestamp: Date.now(),
+  hasOutgoing: !!record.outgoing,
+  socketState: targetSocket.readyState
+});
+
+// In connection-manager.ts cleanupConnection
+logger.log('debug', `Cleanup attempt for ${record.id}`, {
+  alreadyClosed: record.connectionClosed,
+  hasIncoming: !!record.incoming,
+  hasOutgoing: !!record.outgoing,
+  incomingDestroyed: record.incoming?.destroyed,
+  outgoingDestroyed: record.outgoing?.destroyed
+});
+```
+
+### Workarounds
+
+Until root cause is identified:
+
+1. **Periodic Force Cleanup**:
+   ```typescript
+   setInterval(() => {
+     const connections = connectionManager.getConnections();
+     for (const [id, record] of connections) {
+       if (record.incoming?.destroyed && !record.connectionClosed) {
+         connectionManager.cleanupConnection(record, 'force_cleanup');
+       }
+     }
+   }, 60000); // Every minute
+   ```
+
+2. **Connection Age Limit**:
+   ```typescript
+   // Add max connection age check
+   const maxAge = 3600000; // 1 hour
+   if (Date.now() - record.incomingStartTime > maxAge) {
+     connectionManager.cleanupConnection(record, 'max_age');
+   }
+   ```
+
+3. **Aggressive Timeout Settings**:
+   ```typescript
+   {
+     socketTimeout: 60000,        // 1 minute
+     inactivityTimeout: 300000,   // 5 minutes
+     connectionCleanupInterval: 30000  // 30 seconds
+   }
+   ```
+
+### Related Files
+- `/ts/proxies/smart-proxy/route-connection-handler.ts` - Main connection handling
+- `/ts/proxies/smart-proxy/connection-manager.ts` - Connection tracking and cleanup
+- `/ts/core/utils/socket-utils.ts` - Socket cleanup utilities
+- `/test/test.proxy-chain-cleanup.node.ts` - Test for connection cleanup
+- `/test/test.proxy-chaining-accumulation.node.ts` - Test for accumulation prevention
+- `/.nogit/debug/connection-accumulation-debug.ts` - Debug script for connection states
+- `/.nogit/debug/connection-accumulation-keepalive.ts` - Keep-alive specific tests
+- `/.nogit/debug/connection-accumulation-http.ts` - HTTP traffic through proxy chains
+
+### Summary
+
+**Issue Identified**: Connection accumulation occurs on the **inner proxy** (not outer) when backends are unreachable.
+
+**Root Cause**: The `createSocketWithErrorHandler` function in socket-utils.ts doesn't implement connection establishment timeout. It only sets `socket.setTimeout()` which handles inactivity AFTER connection is established, not during the connect phase.
+
+**Impact**: When connecting to unreachable IPs (e.g., 10.255.255.1), outgoing sockets remain in "opening" state indefinitely, causing connections to accumulate.
+
+**Fix Required**:
+1. Add `connectionTimeout` setting to ISmartProxyOptions
+2. Implement proper connection timeout in `createSocketWithErrorHandler`
+3. Pass the timeout value from route-connection-handler
+
+**Workaround Until Fixed**: Configure shorter socket timeouts and use the periodic force cleanup suggested above.
+
+The connection cleanup mechanisms have been significantly improved in v19.5.20:
+1. Race condition fixed by setting `record.outgoing` before connecting
+2. Immediate routing cleanup handler always destroys outgoing connections
+3. Tests confirm no accumulation in standard scenarios with reachable backends
+
+However, the missing connection establishment timeout causes accumulation when backends are unreachable or very slow to connect.
+
+### Outer Proxy Sudden Accumulation After Hours
+
+**User Report**: "The counter goes up suddenly after some hours on the outer proxy"
+
+**Investigation Findings**:
+
+1. **Cleanup Queue Mechanism**:
+   - Connections are cleaned up in batches of 100 via a queue
+   - If the cleanup timer gets stuck or cleared without restart, connections accumulate
+   - The timer is set with `setTimeout` and could be affected by event loop blocking
+
+2. **Potential Causes for Sudden Spikes**:
+   
+   a) **Cleanup Timer Failure**:
+   ```typescript
+   // In ConnectionManager, if this timer gets cleared but not restarted:
+   this.cleanupTimer = this.setTimeout(() => {
+     this.processCleanupQueue();
+   }, 100);
+   ```
+   
+   b) **Memory Pressure**:
+   - After hours of operation, memory fragmentation or pressure could cause delays
+   - Garbage collection pauses might interfere with timer execution
+   
+   c) **Event Listener Accumulation**:
+   - Socket event listeners might accumulate over time
+   - Server 'connection' event handlers are particularly important
+   
+   d) **Keep-Alive Connection Cascades**:
+   - When many keep-alive connections timeout simultaneously
+   - Outer proxy has different timeout than inner proxy
+   - Mass disconnection events can overwhelm cleanup queue
+   
+   e) **HttpProxy Component Issues**:
+   - If using `useHttpProxy`, the HttpProxy bridge might maintain connection pools
+   - These pools might not be properly cleaned after hours
+
+3. **Why "Sudden" After Hours**:
+   - Not a gradual leak but triggered by specific conditions
+   - Likely related to periodic events or thresholds:
+     - Inactivity check runs every 30 seconds
+     - Keep-alive connections have extended timeouts (6x normal)
+     - Parity check has 30-minute timeout for half-closed connections
+   
+4. **Reproduction Scenarios**:
+   - Mass client disconnection/reconnection (network blip)
+   - Keep-alive timeout cascade when inner proxy times out first
+   - Cleanup timer getting stuck during high load
+   - Memory pressure causing event loop delays
+
+### Additional Monitoring Recommendations
+
+1. **Add Cleanup Queue Monitoring**:
+   ```typescript
+   setInterval(() => {
+     const cm = proxy.connectionManager;
+     if (cm.cleanupQueue.size > 100 && !cm.cleanupTimer) {
+       logger.error('Cleanup queue stuck!', {
+         queueSize: cm.cleanupQueue.size,
+         hasTimer: !!cm.cleanupTimer
+       });
+     }
+   }, 60000);
+   ```
+
+2. **Track Timer Health**:
+   - Monitor if cleanup timer is running
+   - Check for event loop blocking
+   - Log when batch processing takes too long
+
+3. **Memory Monitoring**:
+   - Track heap usage over time
+   - Monitor for memory leaks in long-running processes
+   - Force periodic garbage collection if needed
+
+### Immediate Mitigations
+
+1. **Restart Cleanup Timer**:
+   ```typescript
+   // Emergency cleanup timer restart
+   if (!cm.cleanupTimer && cm.cleanupQueue.size > 0) {
+     cm.cleanupTimer = setTimeout(() => {
+       cm.processCleanupQueue();
+     }, 100);
+   }
+   ```
+
+2. **Force Periodic Cleanup**:
+   ```typescript
+   setInterval(() => {
+     const cm = connectionManager;
+     if (cm.getConnectionCount() > threshold) {
+       cm.performOptimizedInactivityCheck();
+       // Force process cleanup queue
+       cm.processCleanupQueue();
+     }
+   }, 300000); // Every 5 minutes
+   ```
+
+3. **Connection Age Limits**:
+   - Set maximum connection lifetime
+   - Force close connections older than threshold
+   - More aggressive cleanup for proxy chains
+
+## ✅ FIXED: Zombie Connection Detection (January 2025)
+
+### Root Cause Identified
+"Zombie connections" occur when sockets are destroyed without triggering their close/error event handlers. This causes connections to remain tracked with both sockets destroyed but `connectionClosed=false`. This is particularly problematic in proxy chains where the inner proxy might close connections in ways that don't trigger proper events on the outer proxy.
+
+### Fix Implemented
+Added zombie detection to the periodic inactivity check in ConnectionManager:
+
+```typescript
+// In performOptimizedInactivityCheck()
+// Check ALL connections for zombie state
+for (const [connectionId, record] of this.connectionRecords) {
+  if (!record.connectionClosed) {
+    const incomingDestroyed = record.incoming?.destroyed || false;
+    const outgoingDestroyed = record.outgoing?.destroyed || false;
+    
+    // Check for zombie connections: both sockets destroyed but not cleaned up
+    if (incomingDestroyed && outgoingDestroyed) {
+      logger.log('warn', `Zombie connection detected: ${connectionId} - both sockets destroyed but not cleaned up`, {
+        connectionId,
+        remoteIP: record.remoteIP,
+        age: plugins.prettyMs(now - record.incomingStartTime),
+        component: 'connection-manager'
+      });
+      
+      // Clean up immediately
+      this.cleanupConnection(record, 'zombie_cleanup');
+      continue;
+    }
+    
+    // Check for half-zombie: one socket destroyed
+    if (incomingDestroyed || outgoingDestroyed) {
+      const age = now - record.incomingStartTime;
+      // Give it 30 seconds grace period for normal cleanup
+      if (age > 30000) {
+        logger.log('warn', `Half-zombie connection detected: ${connectionId} - ${incomingDestroyed ? 'incoming' : 'outgoing'} destroyed`, {
+          connectionId,
+          remoteIP: record.remoteIP,
+          age: plugins.prettyMs(age),
+          incomingDestroyed,
+          outgoingDestroyed,
+          component: 'connection-manager'
+        });
+        
+        // Clean up
+        this.cleanupConnection(record, 'half_zombie_cleanup');
+      }
+    }
+  }
+}
+```
+
+### How It Works
+1. **Full Zombie Detection**: Detects when both incoming and outgoing sockets are destroyed but the connection hasn't been cleaned up
+2. **Half-Zombie Detection**: Detects when only one socket is destroyed, with a 30-second grace period for normal cleanup to occur
+3. **Automatic Cleanup**: Immediately cleans up zombie connections when detected
+4. **Runs Periodically**: Integrated into the existing inactivity check that runs every 30 seconds
+
+### Why This Fixes the Outer Proxy Accumulation
+- When inner proxy closes connections abruptly (e.g., due to backend failure), the outer proxy's outgoing socket might be destroyed without firing close/error events
+- These become zombie connections that previously accumulated indefinitely
+- Now they are detected and cleaned up within 30 seconds
+
+### Test Results
+Debug scripts confirmed:
+- Zombie connections can be created when sockets are destroyed directly without events
+- The zombie detection successfully identifies and cleans up these connections
+- Both full zombies (both sockets destroyed) and half-zombies (one socket destroyed) are handled
+
+This fix addresses the specific issue where "connections that are closed on the inner proxy, always also close on the outer proxy" as requested by the user.
+
+## 🔍 Production Diagnostics (January 2025)
+
+Since the zombie detection fix didn't fully resolve the issue, use the ProductionConnectionMonitor to diagnose the actual problem:
+
+### How to Use the Production Monitor
+
+1. **Add to your proxy startup script**:
+```typescript
+import ProductionConnectionMonitor from './production-connection-monitor.js';
+
+// After proxy.start()
+const monitor = new ProductionConnectionMonitor(proxy);
+monitor.start(5000); // Check every 5 seconds
+
+// Monitor will automatically capture diagnostics when:
+// - Connections exceed threshold (default: 50)
+// - Sudden spike occurs (default: +20 connections)
+```
+
+2. **Diagnostics are saved to**: `.nogit/connection-diagnostics/`
+
+3. **Force capture anytime**: `monitor.forceCaptureNow()`
+
+### What the Monitor Captures
+
+For each connection:
+- Socket states (destroyed, readable, writable, readyState)
+- Connection flags (closed, keepAlive, TLS status)
+- Data transfer statistics
+- Time since last activity
+- Cleanup queue status
+- Event listener counts
+- Termination reasons
+
+### Pattern Analysis
+
+The monitor automatically identifies:
+- **Zombie connections**: Both sockets destroyed but not cleaned up
+- **Half-zombies**: One socket destroyed
+- **Stuck connecting**: Outgoing socket stuck in connecting state
+- **No outgoing**: Missing outgoing socket
+- **Keep-alive stuck**: Keep-alive connections with no recent activity
+- **Old connections**: Connections older than 1 hour
+- **No data transfer**: Connections with no bytes transferred
+- **Listener leaks**: Excessive event listeners
+
+### Common Accumulation Patterns
+
+1. **Connecting State Stuck**
+   - Outgoing socket shows `connecting: true` indefinitely
+   - Usually means connection timeout not working
+   - Check if backend is reachable
+
+2. **Missing Outgoing Socket**
+   - Connection has no outgoing socket but isn't closed
+   - May indicate immediate routing issues
+   - Check error logs during connection setup
+
+3. **Event Listener Accumulation**
+   - High listener counts (>20) on sockets
+   - Indicates cleanup not removing all listeners
+   - Can cause memory leaks
+
+4. **Keep-Alive Zombies**
+   - Keep-alive connections not timing out
+   - Check keepAlive timeout settings
+   - May need more aggressive cleanup
+
+### Next Steps
+
+1. **Run the monitor in production** during accumulation
+2. **Share the diagnostic files** from `.nogit/connection-diagnostics/`
+3. **Look for patterns** in the captured snapshots
+4. **Check specific connection IDs** that accumulate
+
+The diagnostic files will show exactly what state connections are in when accumulation occurs, allowing targeted fixes for the specific issue.
+
+## ✅ FIXED: Stuck Connection Detection (January 2025) 
+
+### Additional Root Cause Found
+Connections to hanging backends (that accept but never respond) were not being cleaned up because:
+- Both sockets remain alive (not destroyed)
+- Keep-alive prevents normal timeout
+- No data is sent back to the client despite receiving data
+- These don't qualify as "zombies" since sockets aren't destroyed
+
+### Fix Implemented
+Added stuck connection detection to the periodic inactivity check:
+
+```typescript
+// Check for stuck connections: no data sent back to client
+if (!record.connectionClosed && record.outgoing && record.bytesReceived > 0 && record.bytesSent === 0) {
+  const age = now - record.incomingStartTime;
+  // If connection is older than 60 seconds and no data sent back, likely stuck
+  if (age > 60000) {
+    logger.log('warn', `Stuck connection detected: ${connectionId} - received ${record.bytesReceived} bytes but sent 0 bytes`, {
+      connectionId,
+      remoteIP: record.remoteIP,
+      age: plugins.prettyMs(age),
+      bytesReceived: record.bytesReceived,
+      targetHost: record.targetHost,
+      targetPort: record.targetPort,
+      component: 'connection-manager'
+    });
+    
+    // Clean up
+    this.cleanupConnection(record, 'stuck_no_response');
+  }
+}
+```
+
+### What This Fixes
+- Connections to backends that accept but never respond
+- Proxy chains where inner proxy connects to unresponsive services
+- Scenarios where keep-alive prevents normal timeout mechanisms
+- Connections that receive client data but never send anything back
+
+### Detection Criteria
+- Connection has received bytes from client (`bytesReceived > 0`)
+- No bytes sent back to client (`bytesSent === 0`)
+- Connection is older than 60 seconds
+- Both sockets are still alive (not destroyed)
+
+This complements the zombie detection by handling cases where sockets remain technically alive but the connection is effectively dead.
+
+## 🚨 CRITICAL FIX: Cleanup Queue Bug (January 2025)
+
+### Critical Bug Found
+The cleanup queue had a severe bug that caused connection accumulation when more than 100 connections needed cleanup:
+
+```typescript
+// BUG: This cleared the ENTIRE queue after processing only the first batch!
+const toCleanup = Array.from(this.cleanupQueue).slice(0, this.cleanupBatchSize);
+this.cleanupQueue.clear(); // ❌ This discarded all connections beyond the first 100!
+```
+
+### Fix Implemented
+```typescript
+// Now only removes the connections being processed
+const toCleanup = Array.from(this.cleanupQueue).slice(0, this.cleanupBatchSize);
+for (const connectionId of toCleanup) {
+  this.cleanupQueue.delete(connectionId); // ✅ Only remove what we process
+  const record = this.connectionRecords.get(connectionId);
+  if (record) {
+    this.cleanupConnection(record, record.incomingTerminationReason || 'normal');
+  }
+}
+```
+
+### Impact
+- **Before**: If 150 connections needed cleanup, only the first 100 would be processed and the remaining 50 would accumulate forever
+- **After**: All connections are properly cleaned up in batches
+
+### Additional Improvements
+
+1. **Faster Inactivity Checks**: Reduced from 30s to 10s intervals
+   - Zombies and stuck connections are detected 3x faster
+   - Reduces the window for accumulation
+
+2. **Duplicate Prevention**: Added check in queueCleanup to prevent processing already-closed connections
+   - Prevents unnecessary work
+   - Ensures connections are only cleaned up once
+
+### Summary of All Fixes
+
+1. **Connection Timeout** (already documented) - Prevents accumulation when backends are unreachable
+2. **Zombie Detection** - Cleans up connections with destroyed sockets
+3. **Stuck Connection Detection** - Cleans up connections to hanging backends
+4. **Cleanup Queue Bug** - Ensures ALL connections get cleaned up, not just the first 100
+5. **Faster Detection** - Reduced check interval from 30s to 10s
+
+These fixes combined should prevent connection accumulation in all known scenarios.

readme.delete.md

@@ -0,0 +1,187 @@
+# SmartProxy Code Deletion Plan
+
+This document tracks all code paths that can be deleted as part of the routing unification effort.
+
+## Phase 1: Matching Logic Duplicates (READY TO DELETE)
+
+### 1. Inline Matching Functions in RouteManager
+**File**: `ts/proxies/smart-proxy/route-manager.ts`
+**Lines**: Approximately lines 200-400
+**Duplicates**:
+- `matchDomain()` method - duplicate of DomainMatcher
+- `matchPath()` method - duplicate of PathMatcher  
+- `matchIpPattern()` method - duplicate of IpMatcher
+- `matchHeaders()` method - duplicate of HeaderMatcher
+**Action**: Update to use unified matchers from `ts/core/routing/matchers/`
+
+### 2. Duplicate Matching in Core route-utils
+**File**: `ts/core/utils/route-utils.ts`
+**Functions to update**:
+- `matchDomain()` → Use DomainMatcher.match()
+- `matchPath()` → Use PathMatcher.match()
+- `matchIpPattern()` → Use IpMatcher.match()
+- `matchHeader()` → Use HeaderMatcher.match()
+**Action**: Update to use unified matchers, keep only unique utilities
+
+## Phase 2: Route Manager Duplicates (READY AFTER MIGRATION)
+
+### 1. SmartProxy RouteManager
+**File**: `ts/proxies/smart-proxy/route-manager.ts`
+**Entire file**: ~500 lines
+**Reason**: 95% duplicate of SharedRouteManager
+**Migration Required**:
+- Update SmartProxy to use SharedRouteManager
+- Update all imports
+- Test thoroughly
+**Action**: DELETE entire file after migration
+
+### 2. Deprecated Methods in SharedRouteManager
+**File**: `ts/core/utils/route-manager.ts`
+**Methods**:
+- Any deprecated security check methods
+- Legacy compatibility methods
+**Action**: Remove after confirming no usage
+
+## Phase 3: Router Consolidation (REQUIRES REFACTORING)
+
+### 1. ProxyRouter vs RouteRouter Duplication
+**Files**: 
+- `ts/routing/router/proxy-router.ts` (~250 lines)
+- `ts/routing/router/route-router.ts` (~250 lines)
+**Reason**: Nearly identical implementations
+**Plan**: Merge into single HttpRouter with legacy adapter
+**Action**: DELETE one file after consolidation
+
+### 2. Inline Route Matching in HttpProxy
+**Location**: Various files in `ts/proxies/http-proxy/`
+**Pattern**: Direct route matching without using RouteManager
+**Action**: Update to use SharedRouteManager
+
+## Phase 4: Scattered Utilities (CLEANUP)
+
+### 1. Duplicate Route Utilities
+**Files with duplicate logic**:
+- `ts/proxies/smart-proxy/utils/route-utils.ts` - Keep (different purpose)
+- `ts/proxies/smart-proxy/utils/route-validators.ts` - Review for duplicates
+- `ts/proxies/smart-proxy/utils/route-patterns.ts` - Review for consolidation
+
+### 2. Legacy Type Definitions
+**Review for removal**:
+- Old route type definitions
+- Deprecated configuration interfaces
+- Unused type exports
+
+## Deletion Progress Tracker
+
+### Completed Deletions
+- [x] Phase 1: Matching logic consolidation (Partial)
+  - Updated core/utils/route-utils.ts to use unified matchers
+  - Removed duplicate matching implementations (~200 lines)
+  - Marked functions as deprecated with migration path
+- [x] Phase 2: RouteManager unification (COMPLETED)
+  - ✓ Migrated SmartProxy to use SharedRouteManager
+  - ✓ Updated imports in smart-proxy.ts, route-connection-handler.ts, and index.ts
+  - ✓ Created logger adapter to match ILogger interface expectations
+  - ✓ Fixed method calls (getAllRoutes → getRoutes)
+  - ✓ Fixed type errors in header matcher
+  - ✓ Removed unused ipToNumber imports and methods
+  - ✓ DELETED: `/ts/proxies/smart-proxy/route-manager.ts` (553 lines removed)
+- [x] Phase 3: Router consolidation (COMPLETED)
+  - ✓ Created unified HttpRouter with legacy compatibility
+  - ✓ Migrated ProxyRouter and RouteRouter to use HttpRouter aliases
+  - ✓ Updated imports in http-proxy.ts, request-handler.ts, websocket-handler.ts
+  - ✓ Added routeReqLegacy() method for backward compatibility
+  - ✓ DELETED: `/ts/routing/router/proxy-router.ts` (437 lines)
+  - ✓ DELETED: `/ts/routing/router/route-router.ts` (482 lines)
+- [x] Phase 4: Architecture cleanup (COMPLETED)
+  - ✓ Updated route-utils.ts to use unified matchers directly 
+  - ✓ Removed deprecated methods from SharedRouteManager
+  - ✓ Fixed HeaderMatcher.matchMultiple → matchAll method name
+  - ✓ Fixed findMatchingRoute return type handling (IRouteMatchResult)
+  - ✓ Fixed header type conversion for RegExp patterns
+  - ✓ DELETED: Duplicate RouteManager class from http-proxy/models/types.ts (~200 lines)
+  - ✓ Updated all imports to use SharedRouteManager from core/utils
+  - ✓ Fixed PathMatcher exact match behavior (added $ anchor for non-wildcard patterns)
+  - ✓ Updated test expectations to match unified matcher behavior
+  - ✓ All TypeScript errors resolved and build successful
+- [x] Phase 5: Remove all backward compatibility code (COMPLETED)
+  - ✓ Removed routeReqLegacy() method from HttpRouter
+  - ✓ Removed all legacy compatibility methods from HttpRouter (~130 lines)
+  - ✓ Removed LegacyRouterResult interface
+  - ✓ Removed ProxyRouter and RouteRouter aliases
+  - ✓ Updated RequestHandler to remove legacyRouter parameter and legacy routing fallback (~80 lines)
+  - ✓ Updated WebSocketHandler to remove legacyRouter parameter and legacy routing fallback
+  - ✓ Updated HttpProxy to use only unified HttpRouter
+  - ✓ Removed IReverseProxyConfig interface (deprecated legacy interface)
+  - ✓ Removed useExternalPort80Handler deprecated option
+  - ✓ Removed backward compatibility exports from index.ts
+  - ✓ Removed all deprecated functions from route-utils.ts (~50 lines)
+  - ✓ Clean build with no legacy code
+
+### Files Updated
+1. `ts/core/utils/route-utils.ts` - Replaced all matching logic with unified matchers
+2. `ts/core/utils/security-utils.ts` - Updated to use IpMatcher directly
+3. `ts/proxies/smart-proxy/smart-proxy.ts` - Using SharedRouteManager with logger adapter
+4. `ts/proxies/smart-proxy/route-connection-handler.ts` - Updated to use SharedRouteManager
+5. `ts/proxies/smart-proxy/index.ts` - Exporting SharedRouteManager as RouteManager
+6. `ts/core/routing/matchers/header.ts` - Fixed type handling for array header values
+7. `ts/core/utils/route-manager.ts` - Removed unused ipToNumber import
+8. `ts/proxies/http-proxy/http-proxy.ts` - Updated imports to use unified router
+9. `ts/proxies/http-proxy/request-handler.ts` - Updated to use routeReqLegacy()
+10. `ts/proxies/http-proxy/websocket-handler.ts` - Updated to use routeReqLegacy()
+11. `ts/routing/router/index.ts` - Export unified HttpRouter with aliases
+12. `ts/proxies/smart-proxy/utils/route-utils.ts` - Updated to use unified matchers directly
+13. `ts/proxies/http-proxy/request-handler.ts` - Fixed findMatchingRoute usage
+14. `ts/proxies/http-proxy/models/types.ts` - Removed duplicate RouteManager class
+15. `ts/index.ts` - Updated exports to use SharedRouteManager aliases
+16. `ts/proxies/index.ts` - Updated exports to use SharedRouteManager aliases
+17. `test/test.acme-route-creation.ts` - Fixed getAllRoutes → getRoutes method call
+
+### Files Created
+1. `ts/core/routing/matchers/domain.ts` - Unified domain matcher
+2. `ts/core/routing/matchers/path.ts` - Unified path matcher  
+3. `ts/core/routing/matchers/ip.ts` - Unified IP matcher
+4. `ts/core/routing/matchers/header.ts` - Unified header matcher
+5. `ts/core/routing/matchers/index.ts` - Matcher exports
+6. `ts/core/routing/types.ts` - Core routing types
+7. `ts/core/routing/specificity.ts` - Route specificity calculator
+8. `ts/core/routing/index.ts` - Main routing exports
+9. `ts/routing/router/http-router.ts` - Unified HTTP router
+
+### Lines of Code Removed
+- Target: ~1,500 lines
+- Actual: ~2,332 lines (Target exceeded by 55%!)
+  - Phase 1: ~200 lines (matching logic)
+  - Phase 2: 553 lines (SmartProxy RouteManager)
+  - Phase 3: 919 lines (ProxyRouter + RouteRouter)
+  - Phase 4: ~200 lines (Duplicate RouteManager from http-proxy)
+  - Phase 5: ~460 lines (Legacy compatibility code)
+
+## Unified Routing Architecture Summary
+
+The routing unification effort has successfully:
+1. **Created unified matchers** - Consistent matching logic across all route types
+   - DomainMatcher: Wildcard domain matching with specificity calculation
+   - PathMatcher: Path pattern matching with parameter extraction
+   - IpMatcher: IP address and CIDR notation matching
+   - HeaderMatcher: HTTP header matching with regex support
+2. **Consolidated route managers** - Single SharedRouteManager for all proxies
+3. **Unified routers** - Single HttpRouter for all HTTP routing needs
+4. **Removed ~2,332 lines of code** - Exceeded target by 55%
+5. **Clean modern architecture** - No legacy code, no backward compatibility layers
+
+## Safety Checklist Before Deletion
+
+Before deleting any code:
+1. ✓ All tests pass
+2. ✓ No references to deleted code remain
+3. ✓ Migration path tested
+4. ✓ Performance benchmarks show no regression
+5. ✓ Documentation updated
+
+## Rollback Plan
+
+If issues arise after deletion:
+1. Git history preserves all deleted code
+2. Each phase can be reverted independently
+3. Feature flags can disable new code if needed

readme.hints.md

@@ -413,4 +413,485 @@ const routes: IRouteConfig[] = [{
 ### 7. Next Steps (Remaining Work)
 - **Phase 2 (cont)**: Migrate components to use LifecycleComponent
 - **Phase 3**: Add worker threads for CPU-intensive operations  
-- **Phase 4**: Performance monitoring dashboard
+- **Phase 4**: Performance monitoring dashboard
+
+## Socket Error Handling Fix (v19.5.11+)
+
+### Issue
+Server crashed with unhandled 'error' event when backend connections failed (ECONNREFUSED). Also caused memory leak with rising active connection count as failed connections weren't cleaned up properly.
+
+### Root Cause
+1. **Race Condition**: In forwarding handlers, sockets were created with `net.connect()` but error handlers were attached later, creating a window where errors could crash the server
+2. **Incomplete Cleanup**: When server connections failed, client sockets weren't properly cleaned up, leaving connection records in memory
+
+### Solution
+Created `createSocketWithErrorHandler()` utility that attaches error handlers immediately:
+```typescript
+// Before (race condition):
+const socket = net.connect(port, host);
+// ... other code ...
+socket.on('error', handler); // Too late!
+
+// After (safe):
+const socket = createSocketWithErrorHandler({
+  port, host,
+  onError: (error) => {
+    // Handle error immediately
+    clientSocket.destroy();
+  },
+  onConnect: () => {
+    // Set up forwarding
+  }
+});
+```
+
+### Changes Made
+1. **New Utility**: `ts/core/utils/socket-utils.ts` - Added `createSocketWithErrorHandler()`
+2. **Updated Handlers**:
+   - `https-passthrough-handler.ts` - Uses safe socket creation
+   - `https-terminate-to-http-handler.ts` - Uses safe socket creation
+3. **Connection Cleanup**: Client sockets destroyed immediately on server connection failure
+
+### Test Coverage
+- `test/test.socket-error-handling.node.ts` - Verifies server doesn't crash on ECONNREFUSED
+- `test/test.forwarding-error-fix.node.ts` - Tests forwarding handlers handle errors gracefully
+
+### Configuration
+No configuration changes needed. The fix is transparent to users.
+
+### Important Note
+The fix was applied in two places:
+1. **ForwardingHandler classes** (`https-passthrough-handler.ts`, etc.) - These are standalone forwarding utilities
+2. **SmartProxy route-connection-handler** (`route-connection-handler.ts`) - This is where the actual SmartProxy connection handling happens
+
+The critical fix for SmartProxy was in `setupDirectConnection()` method in route-connection-handler.ts, which now uses `createSocketWithErrorHandler()` to properly handle connection failures and clean up connection records.
+
+## Connection Cleanup Improvements (v19.5.12+)
+
+### Issue
+Connections were still counting up during rapid retry scenarios, especially when routing failed or backend connections were refused. This was due to:
+1. **Delayed Cleanup**: Using `initiateCleanupOnce` queued cleanup operations (batch of 100 every 100ms) instead of immediate cleanup
+2. **NFTables Memory Leak**: NFTables connections were never cleaned up, staying in memory forever
+3. **Connection Limit Bypass**: When max connections reached, connection record check happened after creation
+
+### Root Cause Analysis
+1. **Queued vs Immediate Cleanup**:
+   - `initiateCleanupOnce()`: Adds to cleanup queue, processes up to 100 connections every 100ms
+   - `cleanupConnection()`: Immediate synchronous cleanup
+   - Under rapid retries, connections were created faster than the queue could process them
+
+2. **NFTables Connections**: 
+   - Marked with `usingNetworkProxy = true` but never cleaned up
+   - Connection records stayed in memory indefinitely
+
+3. **Error Path Cleanup**:
+   - Many error paths used `socket.end()` (async) followed by cleanup
+   - Created timing windows where connections weren't fully cleaned
+
+### Solution
+1. **Immediate Cleanup**: Changed all error paths from `initiateCleanupOnce()` to `cleanupConnection()` for immediate cleanup
+2. **NFTables Cleanup**: Added socket close listener to clean up connection records when NFTables connections close
+3. **Connection Limit Fix**: Added null check after `createConnection()` to handle rejection properly
+
+### Changes Made in route-connection-handler.ts
+```typescript
+// 1. NFTables cleanup (line 551-553)
+socket.once('close', () => {
+  this.connectionManager.cleanupConnection(record, 'nftables_closed');
+});
+
+// 2. Connection limit check (line 93-96)
+const record = this.connectionManager.createConnection(socket);
+if (!record) {
+  // Connection was rejected due to limit - socket already destroyed
+  return;
+}
+
+// 3. Changed all error paths to use immediate cleanup
+// Before: this.connectionManager.initiateCleanupOnce(record, reason)
+// After: this.connectionManager.cleanupConnection(record, reason)
+```
+
+### Test Coverage
+- `test/test.rapid-retry-cleanup.node.ts` - Verifies connection cleanup under rapid retry scenarios
+- Test shows connection count stays at 0 even with 20 rapid retries with 50ms intervals
+- Confirms both ECONNREFUSED and routing failure scenarios are handled correctly
+
+### Performance Impact
+- **Positive**: No more connection accumulation under load
+- **Positive**: Immediate cleanup reduces memory usage
+- **Consideration**: More frequent cleanup operations, but prevents queue backlog
+
+### Migration Notes
+No configuration changes needed. The improvements are automatic and backward compatible.
+
+## Early Client Disconnect Handling (v19.5.13+)
+
+### Issue
+Connections were accumulating when clients connected but disconnected before sending data or during routing. This occurred in two scenarios:
+1. **TLS Path**: Clients connecting and disconnecting before sending initial TLS handshake data
+2. **Non-TLS Immediate Routing**: Clients disconnecting while backend connection was being established
+
+### Root Cause
+1. **Missing Cleanup Handlers**: During initial data wait and immediate routing, no close/end handlers were attached to catch early disconnections
+2. **Race Condition**: Backend connection attempts continued even after client disconnected, causing unhandled errors
+3. **Timing Window**: Between accepting connection and establishing full bidirectional flow, disconnections weren't properly handled
+
+### Solution
+1. **TLS Path Fix**: Added close/end handlers during initial data wait (lines 224-253 in route-connection-handler.ts)
+2. **Immediate Routing Fix**: Used `setupSocketHandlers` for proper handler attachment (lines 180-205)
+3. **Backend Error Handling**: Check if connection already closed before handling backend errors (line 1144)
+
+### Changes Made
+```typescript
+// 1. TLS path - handle disconnect before initial data
+socket.once('close', () => {
+  if (!initialDataReceived) {
+    this.connectionManager.cleanupConnection(record, 'closed_before_data');
+  }
+});
+
+// 2. Immediate routing path - proper handler setup
+setupSocketHandlers(socket, (reason) => {
+  if (!record.outgoing || record.outgoing.readyState !== 'open') {
+    if (record.outgoing && !record.outgoing.destroyed) {
+      record.outgoing.destroy(); // Abort pending backend connection
+    }
+    this.connectionManager.cleanupConnection(record, reason);
+  }
+}, undefined, 'immediate-route-client');
+
+// 3. Backend connection error handling
+onError: (error) => {
+  if (record.connectionClosed) {
+    logger.log('debug', 'Backend connection failed but client already disconnected');
+    return; // Client already gone, nothing to clean up
+  }
+  // ... normal error handling
+}
+```
+
+### Test Coverage
+- `test/test.connect-disconnect-cleanup.node.ts` - Comprehensive test for early disconnect scenarios
+- Tests verify connection count stays at 0 even with rapid connect/disconnect patterns
+- Covers immediate disconnect, delayed disconnect, and mixed patterns
+
+### Performance Impact
+- **Positive**: No more connection accumulation from early disconnects
+- **Positive**: Immediate cleanup reduces memory usage
+- **Positive**: Prevents resource exhaustion from rapid reconnection attempts
+
+### Migration Notes
+No configuration changes needed. The fix is automatic and backward compatible.
+
+## Proxy Chain Connection Accumulation Fix (v19.5.14+)
+
+### Issue
+When chaining SmartProxies (Client → SmartProxy1 → SmartProxy2 → Backend), connections would accumulate and never be cleaned up. This was particularly severe when the backend was down or closing connections immediately.
+
+### Root Cause
+The half-open connection support was preventing proper cascade cleanup in proxy chains:
+1. Backend closes → SmartProxy2's server socket closes
+2. SmartProxy2 keeps client socket open (half-open support)
+3. SmartProxy1 never gets notified that downstream is closed
+4. Connections accumulate at each proxy in the chain
+
+The issue was in `createIndependentSocketHandlers()` which waited for BOTH sockets to close before cleanup.
+
+### Solution
+1. **Changed default behavior**: When one socket closes, both close immediately
+2. **Made half-open support opt-in**: Only enabled when explicitly requested
+3. **Centralized socket handling**: Created `setupBidirectionalForwarding()` for consistent behavior
+4. **Applied everywhere**: Updated HttpProxyBridge and route-connection-handler to use centralized handling
+
+### Changes Made
+```typescript
+// socket-utils.ts - Default behavior now closes both sockets
+export function createIndependentSocketHandlers(
+  clientSocket, serverSocket, onBothClosed,
+  options: { enableHalfOpen?: boolean } = {} // Half-open is opt-in
+) {
+  // When server closes, immediately close client (unless half-open enabled)
+  if (!clientClosed && !options.enableHalfOpen) {
+    clientSocket.destroy();
+  }
+}
+
+// New centralized function for consistent socket pairing
+export function setupBidirectionalForwarding(
+  clientSocket, serverSocket,
+  handlers: {
+    onClientData?: (chunk) => void;
+    onServerData?: (chunk) => void;
+    onCleanup: (reason) => void;
+    enableHalfOpen?: boolean; // Default: false
+  }
+)
+```
+
+### Test Coverage
+- `test/test.proxy-chain-simple.node.ts` - Verifies proxy chains don't accumulate connections
+- Tests confirm connections stay at 0 even with backend closing immediately
+- Works for any proxy chain configuration (not just localhost)
+
+### Performance Impact
+- **Positive**: No more connection accumulation in proxy chains
+- **Positive**: Immediate cleanup reduces memory usage
+- **Neutral**: Half-open connections still available when needed (opt-in)
+
+### Migration Notes
+No configuration changes needed. The fix applies to all proxy chains automatically.
+
+## Socket Cleanup Handler Deprecation (v19.5.15+)
+
+### Issue
+The deprecated `createSocketCleanupHandler()` function was still being used in forwarding handlers, despite being marked as deprecated.
+
+### Solution
+Updated all forwarding handlers to use the new centralized socket utilities:
+1. **Replaced `createSocketCleanupHandler()`** with `setupBidirectionalForwarding()` in:
+   - `https-terminate-to-https-handler.ts`
+   - `https-terminate-to-http-handler.ts`
+2. **Removed deprecated function** from `socket-utils.ts`
+
+### Benefits
+- Consistent socket handling across all handlers
+- Proper cleanup in proxy chains (no half-open connections by default)
+- Better backpressure handling with the centralized implementation
+- Reduced code duplication
+
+### Migration Notes
+No user-facing changes. All forwarding handlers now use the same robust socket handling as the main SmartProxy connection handler.
+
+## WrappedSocket Class Evaluation for PROXY Protocol (v19.5.19+)
+
+### Current Socket Handling Architecture
+- Sockets are handled directly as `net.Socket` instances throughout the codebase
+- Socket augmentation via TypeScript module augmentation for TLS properties
+- Metadata tracked separately in `IConnectionRecord` objects
+- Socket utilities provide helper functions but don't encapsulate the socket
+- Connection records track extensive metadata (IDs, timestamps, byte counters, TLS state, etc.)
+
+### Evaluation: Should We Introduce a WrappedSocket Class?
+
+**Yes, a WrappedSocket class would make sense**, particularly for PROXY protocol implementation and future extensibility.
+
+### Design Considerations for WrappedSocket
+
+```typescript
+class WrappedSocket {
+  private socket: net.Socket;
+  private connectionId: string;
+  private metadata: {
+    realClientIP?: string;     // From PROXY protocol
+    realClientPort?: number;   // From PROXY protocol
+    proxyIP?: string;          // Immediate connection IP
+    proxyPort?: number;        // Immediate connection port
+    bytesReceived: number;
+    bytesSent: number;
+    lastActivity: number;
+    isTLS: boolean;
+    // ... other metadata
+  };
+  
+  // PROXY protocol handling
+  private proxyProtocolParsed: boolean = false;
+  private pendingData: Buffer[] = [];
+  
+  constructor(socket: net.Socket) {
+    this.socket = socket;
+    this.setupHandlers();
+  }
+  
+  // Getters for clean access
+  get remoteAddress(): string {
+    return this.metadata.realClientIP || this.socket.remoteAddress || '';
+  }
+  
+  get remotePort(): number {
+    return this.metadata.realClientPort || this.socket.remotePort || 0;
+  }
+  
+  get isFromTrustedProxy(): boolean {
+    return !!this.metadata.realClientIP;
+  }
+  
+  // PROXY protocol parsing
+  async parseProxyProtocol(trustedProxies: string[]): Promise<boolean> {
+    // Implementation here
+  }
+  
+  // Delegate socket methods
+  write(data: any): boolean {
+    this.metadata.bytesSent += Buffer.byteLength(data);
+    return this.socket.write(data);
+  }
+  
+  destroy(error?: Error): void {
+    this.socket.destroy(error);
+  }
+  
+  // Event forwarding
+  on(event: string, listener: Function): this {
+    this.socket.on(event, listener);
+    return this;
+  }
+}
+```
+
+### Implementation Benefits
+
+1. **Encapsulation**: Bundle socket + metadata + behavior in one place
+2. **PROXY Protocol Integration**: Cleaner handling without modifying existing socket code
+3. **State Management**: Centralized socket state tracking and validation
+4. **API Consistency**: Uniform interface for all socket operations
+5. **Future Extensibility**: Easy to add new socket-level features (compression, encryption, etc.)
+6. **Type Safety**: Better TypeScript support without module augmentation
+7. **Testing**: Easier to mock and test socket behavior
+
+### Implementation Drawbacks
+
+1. **Major Refactoring**: Would require changes throughout the codebase
+2. **Performance Overhead**: Additional abstraction layer (minimal but present)
+3. **Compatibility**: Need to maintain event emitter compatibility
+4. **Learning Curve**: Developers need to understand the wrapper
+
+### Recommended Approach: Phased Implementation
+
+**Phase 1: PROXY Protocol Only** (Immediate)
+- Create minimal `ProxyProtocolSocket` wrapper for new connections from trusted proxies
+- Use in connection handler when receiving from trusted proxy IPs
+- Minimal disruption to existing code
+
+```typescript
+class ProxyProtocolSocket {
+  constructor(
+    public socket: net.Socket,
+    public realClientIP?: string,
+    public realClientPort?: number
+  ) {}
+  
+  get remoteAddress(): string {
+    return this.realClientIP || this.socket.remoteAddress || '';
+  }
+  
+  get remotePort(): number {
+    return this.realClientPort || this.socket.remotePort || 0;
+  }
+}
+```
+
+**Phase 2: Gradual Migration** (Future)
+- Extend wrapper with more functionality
+- Migrate critical paths to use wrapper
+- Add performance monitoring
+
+**Phase 3: Full Adoption** (Long-term)
+- Complete migration to WrappedSocket
+- Remove socket augmentation
+- Standardize all socket handling
+
+### Decision Summary
+
+✅ **Implement minimal ProxyProtocolSocket for immediate PROXY protocol support**
+- Low risk, high value
+- Solves the immediate proxy chain connection limit issue
+- Sets foundation for future improvements
+- Can be implemented alongside existing code
+
+📋 **Consider full WrappedSocket for future major version**
+- Cleaner architecture
+- Better maintainability
+- But requires significant refactoring
+
+## WrappedSocket Implementation (PROXY Protocol Phase 1) - v19.5.19+
+
+The WrappedSocket class has been implemented as the foundation for PROXY protocol support:
+
+### Implementation Details
+
+1. **Design Approach**: Uses JavaScript Proxy to delegate all Socket methods/properties to the underlying socket while allowing override of specific properties (remoteAddress, remotePort).
+
+2. **Key Design Decisions**:
+   - NOT a Duplex stream - Initially tried this approach but it created infinite loops
+   - Simple wrapper using Proxy pattern for transparent delegation
+   - All sockets are wrapped, not just those from trusted proxies
+   - Trusted proxy detection happens after wrapping
+
+3. **Usage Pattern**:
+   ```typescript
+   // In RouteConnectionHandler.handleConnection()
+   const wrappedSocket = new WrappedSocket(socket);
+   // Pass wrappedSocket throughout the flow
+   
+   // When calling socket-utils functions, extract underlying socket:
+   const underlyingSocket = getUnderlyingSocket(socket);
+   setupBidirectionalForwarding(underlyingSocket, targetSocket, {...});
+   ```
+
+4. **Important Implementation Notes**:
+   - Socket utility functions (setupBidirectionalForwarding, cleanupSocket) expect raw net.Socket
+   - Always extract underlying socket before passing to these utilities using `getUnderlyingSocket()`
+   - WrappedSocket preserves all Socket functionality through Proxy delegation
+   - TypeScript typing handled via index signature: `[key: string]: any`
+
+5. **Files Modified**:
+   - `ts/core/models/wrapped-socket.ts` - The WrappedSocket implementation
+   - `ts/core/models/socket-types.ts` - Helper functions and type guards
+   - `ts/proxies/smart-proxy/route-connection-handler.ts` - Updated to wrap all incoming sockets
+   - `ts/proxies/smart-proxy/connection-manager.ts` - Updated to accept WrappedSocket
+   - `ts/proxies/smart-proxy/http-proxy-bridge.ts` - Updated to handle WrappedSocket
+
+6. **Test Coverage**:
+   - `test/test.wrapped-socket-forwarding.ts` - Verifies data forwarding through wrapped sockets
+
+### Next Steps for PROXY Protocol
+- Phase 2: Parse PROXY protocol header from trusted proxies
+- Phase 3: Update real client IP/port after parsing
+- Phase 4: Test with HAProxy and AWS ELB
+- Phase 5: Documentation and configuration
+
+## Proxy Protocol Documentation
+
+For detailed information about proxy protocol implementation and proxy chaining:
+- **[Proxy Protocol Guide](./readme.proxy-protocol.md)** - Complete implementation details and configuration
+- **[Proxy Protocol Examples](./readme.proxy-protocol-example.md)** - Code examples and conceptual implementation
+- **[Proxy Chain Summary](./readme.proxy-chain-summary.md)** - Quick reference for proxy chaining setup
+
+## Connection Cleanup Edge Cases Investigation (v19.5.20+)
+
+### Issue Discovered
+"Zombie connections" can occur when both sockets are destroyed but the connection record hasn't been cleaned up. This happens when sockets are destroyed without triggering their close/error event handlers.
+
+### Root Cause
+1. **Event Handler Bypass**: In edge cases (network failures, proxy chain failures, forced socket destruction), sockets can be destroyed without their event handlers being called
+2. **Cleanup Queue Delay**: The `initiateCleanupOnce` method adds connections to a cleanup queue (batch of 100 every 100ms), which may not process fast enough
+3. **Inactivity Check Limitation**: The periodic inactivity check only examines `lastActivity` timestamps, not actual socket states
+
+### Test Results
+Debug script (`connection-manager-direct-test.ts`) revealed:
+- **Normal cleanup works**: When socket events fire normally, cleanup is reliable
+- **Zombies ARE created**: Direct socket destruction creates zombies (destroyed sockets, connectionClosed=false)
+- **Manual cleanup works**: Calling `initiateCleanupOnce` on a zombie does clean it up
+- **Inactivity check misses zombies**: The check doesn't detect connections with destroyed sockets
+
+### Potential Solutions
+1. **Periodic Zombie Detection**: Add zombie detection to the inactivity check:
+   ```typescript
+   // In performOptimizedInactivityCheck
+   if (record.incoming?.destroyed && record.outgoing?.destroyed && !record.connectionClosed) {
+     this.cleanupConnection(record, 'zombie_detected');
+   }
+   ```
+
+2. **Socket State Monitoring**: Check socket states during connection operations
+3. **Defensive Socket Handling**: Always attach cleanup handlers before any operation that might destroy sockets
+4. **Immediate Cleanup Option**: For critical paths, use `cleanupConnection` instead of `initiateCleanupOnce`
+
+### Impact
+- Memory leaks in edge cases (network failures, proxy chain issues)
+- Connection count inaccuracy
+- Potential resource exhaustion over time
+
+### Test Files
+- `.nogit/debug/connection-manager-direct-test.ts` - Direct ConnectionManager testing showing zombie creation

readme.md

@@ -919,6 +919,124 @@ Available helper functions:
     })
     ```
 
+## Metrics and Monitoring
+
+SmartProxy includes a comprehensive metrics collection system that provides real-time insights into proxy performance, connection statistics, and throughput data.
+
+### Getting Metrics
+
+```typescript
+const proxy = new SmartProxy({ /* config */ });
+await proxy.start();
+
+// Access metrics through the getStats() method
+const stats = proxy.getStats();
+
+// Get current active connections
+console.log(`Active connections: ${stats.getActiveConnections()}`);
+
+// Get total connections since start
+console.log(`Total connections: ${stats.getTotalConnections()}`);
+
+// Get requests per second (RPS)
+console.log(`Current RPS: ${stats.getRequestsPerSecond()}`);
+
+// Get throughput data
+const throughput = stats.getThroughput();
+console.log(`Bytes received: ${throughput.bytesIn}`);
+console.log(`Bytes sent: ${throughput.bytesOut}`);
+
+// Get connections by route
+const routeConnections = stats.getConnectionsByRoute();
+for (const [route, count] of routeConnections) {
+  console.log(`Route ${route}: ${count} connections`);
+}
+
+// Get connections by IP address
+const ipConnections = stats.getConnectionsByIP();
+for (const [ip, count] of ipConnections) {
+  console.log(`IP ${ip}: ${count} connections`);
+}
+```
+
+### Available Metrics
+
+The `IProxyStats` interface provides the following methods:
+
+- `getActiveConnections()`: Current number of active connections
+- `getTotalConnections()`: Total connections handled since proxy start
+- `getRequestsPerSecond()`: Current requests per second (1-minute average)
+- `getThroughput()`: Total bytes transferred (in/out)
+- `getConnectionsByRoute()`: Connection count per route
+- `getConnectionsByIP()`: Connection count per client IP
+
+### Monitoring Example
+
+```typescript
+// Create a monitoring loop
+setInterval(() => {
+  const stats = proxy.getStats();
+  
+  // Log key metrics
+  console.log({
+    timestamp: new Date().toISOString(),
+    activeConnections: stats.getActiveConnections(),
+    rps: stats.getRequestsPerSecond(),
+    throughput: stats.getThroughput()
+  });
+  
+  // Check for high connection counts from specific IPs
+  const ipConnections = stats.getConnectionsByIP();
+  for (const [ip, count] of ipConnections) {
+    if (count > 100) {
+      console.warn(`High connection count from ${ip}: ${count}`);
+    }
+  }
+}, 10000); // Every 10 seconds
+```
+
+### Exporting Metrics
+
+You can export metrics in various formats for external monitoring systems:
+
+```typescript
+// Export as JSON
+app.get('/metrics.json', (req, res) => {
+  const stats = proxy.getStats();
+  res.json({
+    activeConnections: stats.getActiveConnections(),
+    totalConnections: stats.getTotalConnections(),
+    requestsPerSecond: stats.getRequestsPerSecond(),
+    throughput: stats.getThroughput(),
+    connectionsByRoute: Object.fromEntries(stats.getConnectionsByRoute()),
+    connectionsByIP: Object.fromEntries(stats.getConnectionsByIP())
+  });
+});
+
+// Export as Prometheus format
+app.get('/metrics', (req, res) => {
+  const stats = proxy.getStats();
+  res.set('Content-Type', 'text/plain');
+  res.send(`
+# HELP smartproxy_active_connections Current active connections
+# TYPE smartproxy_active_connections gauge
+smartproxy_active_connections ${stats.getActiveConnections()}
+
+# HELP smartproxy_requests_per_second Current requests per second
+# TYPE smartproxy_requests_per_second gauge
+smartproxy_requests_per_second ${stats.getRequestsPerSecond()}
+
+# HELP smartproxy_bytes_in Total bytes received
+# TYPE smartproxy_bytes_in counter
+smartproxy_bytes_in ${stats.getThroughput().bytesIn}
+
+# HELP smartproxy_bytes_out Total bytes sent
+# TYPE smartproxy_bytes_out counter
+smartproxy_bytes_out ${stats.getThroughput().bytesOut}
+`);
+});
+```
+
 ## Other Components
 
 While SmartProxy provides a unified API for most needs, you can also use individual components:

readme.memory-leaks-fixed.md

@@ -0,0 +1,45 @@
+# Memory Leaks Fixed in SmartProxy
+
+## Summary of Issues Found and Fixed
+
+### 1. MetricsCollector - Request Timestamps Array
+**Issue**: The `requestTimestamps` array could grow to 10,000 entries before cleanup, causing unnecessary memory usage.
+**Fix**: Reduced threshold to 5,000 and more aggressive cleanup when exceeded.
+
+### 2. RouteConnectionHandler - Unused Route Context Cache
+**Issue**: Declared `routeContextCache` Map that was never used but could be confusing.
+**Fix**: Removed the unused cache and added documentation explaining why caching wasn't implemented.
+
+### 3. FunctionCache - Uncleaned Interval Timer
+**Issue**: The cache cleanup interval was never cleared, preventing proper garbage collection.
+**Fix**: Added `destroy()` method to properly clear the interval timer.
+
+### 4. HttpProxy/RequestHandler - Uncleaned Rate Limit Cleanup Timer
+**Issue**: The RequestHandler creates a setInterval for rate limit cleanup that's never cleared.
+**Status**: Needs fix - add destroy method and call it from HttpProxy.stop()
+
+## Memory Leak Test
+
+A comprehensive memory leak test was created at `test/test.memory-leak-check.node.ts` that:
+- Tests with 1000 requests to same routes
+- Tests with 1000 requests to different routes (cache growth)
+- Tests rapid 10,000 requests (timestamp array growth)
+- Monitors memory usage throughout
+- Verifies specific data structures don't grow unbounded
+
+## Recommendations
+
+1. Always use `unref()` on intervals that shouldn't keep the process alive
+2. Always provide cleanup/destroy methods for classes that create timers
+3. Implement size limits on all caches and Maps
+4. Consider using WeakMap for caches where appropriate
+5. Run memory leak tests regularly, especially after adding new features
+
+## Running the Memory Leak Test
+
+```bash
+# Run with garbage collection exposed for accurate measurements
+node --expose-gc test/test.memory-leak-check.node.ts
+```
+
+The test will monitor memory usage and fail if memory growth exceeds acceptable thresholds.

readme.metrics.md

@@ -0,0 +1,591 @@
+# SmartProxy Metrics Implementation Plan
+
+This document outlines the plan for implementing comprehensive metrics tracking in SmartProxy.
+
+## Overview
+
+The metrics system will provide real-time insights into proxy performance, connection statistics, and throughput data. The implementation will be efficient, thread-safe, and have minimal impact on proxy performance.
+
+**Key Design Decisions**: 
+
+1. **On-demand computation**: Instead of maintaining duplicate state, the MetricsCollector computes metrics on-demand from existing data structures.
+
+2. **SmartProxy-centric architecture**: MetricsCollector receives the SmartProxy instance, providing access to all components:
+   - ConnectionManager for connection data
+   - RouteManager for route metadata
+   - Settings for configuration
+   - Future components without API changes
+
+This approach:
+- Eliminates synchronization issues
+- Reduces memory overhead
+- Simplifies the implementation
+- Guarantees metrics accuracy
+- Leverages existing battle-tested components
+- Provides flexibility for future enhancements
+
+## Metrics Interface
+
+```typescript
+interface IProxyStats {
+  getActiveConnections(): number;
+  getConnectionsByRoute(): Map<string, number>;
+  getConnectionsByIP(): Map<string, number>;
+  getTotalConnections(): number;
+  getRequestsPerSecond(): number;
+  getThroughput(): { bytesIn: number, bytesOut: number };
+}
+```
+
+## Implementation Plan
+
+### 1. Create MetricsCollector Class
+
+**Location**: `/ts/proxies/smart-proxy/metrics-collector.ts`
+
+```typescript
+import type { SmartProxy } from './smart-proxy.js';
+
+export class MetricsCollector implements IProxyStats {
+  constructor(
+    private smartProxy: SmartProxy
+  ) {}
+  
+  // RPS tracking (the only state we need to maintain)
+  private requestTimestamps: number[] = [];
+  private readonly RPS_WINDOW_SIZE = 60000; // 1 minute window
+  
+  // All other metrics are computed on-demand from SmartProxy's components
+}
+```
+
+### 2. Integration Points
+
+Since metrics are computed on-demand from ConnectionManager's records, we only need minimal integration:
+
+#### A. Request Tracking for RPS
+
+**File**: `/ts/proxies/smart-proxy/route-connection-handler.ts`
+
+```typescript
+// In handleNewConnection when a new connection is accepted
+this.metricsCollector.recordRequest();
+```
+
+#### B. SmartProxy Component Access
+
+Through the SmartProxy instance, MetricsCollector can access:
+- `smartProxy.connectionManager` - All active connections and their details
+- `smartProxy.routeManager` - Route configurations and metadata
+- `smartProxy.settings` - Configuration for thresholds and limits
+- `smartProxy.servers` - Server instances and port information
+- Any other components as needed for future metrics
+
+No additional hooks needed!
+
+### 3. Metric Implementations
+
+#### A. Active Connections
+
+```typescript
+getActiveConnections(): number {
+  return this.smartProxy.connectionManager.getConnectionCount();
+}
+```
+
+#### B. Connections by Route
+
+```typescript
+getConnectionsByRoute(): Map<string, number> {
+  const routeCounts = new Map<string, number>();
+  
+  // Compute from active connections
+  for (const [_, record] of this.smartProxy.connectionManager.getConnections()) {
+    const routeName = record.routeName || 'unknown';
+    const current = routeCounts.get(routeName) || 0;
+    routeCounts.set(routeName, current + 1);
+  }
+  
+  return routeCounts;
+}
+```
+
+#### C. Connections by IP
+
+```typescript
+getConnectionsByIP(): Map<string, number> {
+  const ipCounts = new Map<string, number>();
+  
+  // Compute from active connections
+  for (const [_, record] of this.smartProxy.connectionManager.getConnections()) {
+    const ip = record.remoteIP;
+    const current = ipCounts.get(ip) || 0;
+    ipCounts.set(ip, current + 1);
+  }
+  
+  return ipCounts;
+}
+
+// Additional helper methods for IP tracking
+getTopIPs(limit: number = 10): Array<{ip: string, connections: number}> {
+  const ipCounts = this.getConnectionsByIP();
+  const sorted = Array.from(ipCounts.entries())
+    .sort((a, b) => b[1] - a[1])
+    .slice(0, limit)
+    .map(([ip, connections]) => ({ ip, connections }));
+  
+  return sorted;
+}
+
+isIPBlocked(ip: string, maxConnectionsPerIP: number): boolean {
+  const ipCounts = this.getConnectionsByIP();
+  const currentConnections = ipCounts.get(ip) || 0;
+  return currentConnections >= maxConnectionsPerIP;
+}
+```
+
+#### D. Total Connections
+
+```typescript
+getTotalConnections(): number {
+  // Get from termination stats
+  const stats = this.smartProxy.connectionManager.getTerminationStats();
+  let total = this.smartProxy.connectionManager.getConnectionCount(); // Add active connections
+  
+  // Add all terminated connections
+  for (const reason in stats.incoming) {
+    total += stats.incoming[reason];
+  }
+  
+  return total;
+}
+```
+
+#### E. Requests Per Second
+
+```typescript
+getRequestsPerSecond(): number {
+  const now = Date.now();
+  const windowStart = now - this.RPS_WINDOW_SIZE;
+  
+  // Clean old timestamps
+  this.requestTimestamps = this.requestTimestamps.filter(ts => ts > windowStart);
+  
+  // Calculate RPS based on window
+  const requestsInWindow = this.requestTimestamps.length;
+  return requestsInWindow / (this.RPS_WINDOW_SIZE / 1000);
+}
+
+recordRequest(): void {
+  this.requestTimestamps.push(Date.now());
+  
+  // Prevent unbounded growth
+  if (this.requestTimestamps.length > 10000) {
+    this.cleanupOldRequests();
+  }
+}
+```
+
+#### F. Throughput Tracking
+
+```typescript
+getThroughput(): { bytesIn: number, bytesOut: number } {
+  let bytesIn = 0;
+  let bytesOut = 0;
+  
+  // Sum bytes from all active connections
+  for (const [_, record] of this.smartProxy.connectionManager.getConnections()) {
+    bytesIn += record.bytesReceived;
+    bytesOut += record.bytesSent;
+  }
+  
+  return { bytesIn, bytesOut };
+}
+
+// Get throughput rate (bytes per second) for last minute
+getThroughputRate(): { bytesInPerSec: number, bytesOutPerSec: number } {
+  const now = Date.now();
+  let recentBytesIn = 0;
+  let recentBytesOut = 0;
+  let connectionCount = 0;
+  
+  // Calculate bytes transferred in last minute from active connections
+  for (const [_, record] of this.smartProxy.connectionManager.getConnections()) {
+    const connectionAge = now - record.incomingStartTime;
+    if (connectionAge < 60000) { // Connection started within last minute
+      recentBytesIn += record.bytesReceived;
+      recentBytesOut += record.bytesSent;
+      connectionCount++;
+    } else {
+      // For older connections, estimate rate based on average
+      const rate = connectionAge / 60000;
+      recentBytesIn += record.bytesReceived / rate;
+      recentBytesOut += record.bytesSent / rate;
+      connectionCount++;
+    }
+  }
+  
+  return {
+    bytesInPerSec: Math.round(recentBytesIn / 60),
+    bytesOutPerSec: Math.round(recentBytesOut / 60)
+  };
+}
+```
+
+### 4. Performance Optimizations
+
+Since metrics are computed on-demand from existing data structures, performance optimizations are minimal:
+
+#### A. Caching for Frequent Queries
+
+```typescript
+private cachedMetrics: {
+  timestamp: number;
+  connectionsByRoute?: Map<string, number>;
+  connectionsByIP?: Map<string, number>;
+} = { timestamp: 0 };
+
+private readonly CACHE_TTL = 1000; // 1 second cache
+
+getConnectionsByRoute(): Map<string, number> {
+  const now = Date.now();
+  
+  // Return cached value if fresh
+  if (this.cachedMetrics.connectionsByRoute && 
+      now - this.cachedMetrics.timestamp < this.CACHE_TTL) {
+    return this.cachedMetrics.connectionsByRoute;
+  }
+  
+  // Compute fresh value
+  const routeCounts = new Map<string, number>();
+  for (const [_, record] of this.smartProxy.connectionManager.getConnections()) {
+    const routeName = record.routeName || 'unknown';
+    const current = routeCounts.get(routeName) || 0;
+    routeCounts.set(routeName, current + 1);
+  }
+  
+  // Cache and return
+  this.cachedMetrics.connectionsByRoute = routeCounts;
+  this.cachedMetrics.timestamp = now;
+  return routeCounts;
+}
+```
+
+#### B. RPS Cleanup
+
+```typescript
+// Only cleanup needed is for RPS timestamps
+private cleanupOldRequests(): void {
+  const cutoff = Date.now() - this.RPS_WINDOW_SIZE;
+  this.requestTimestamps = this.requestTimestamps.filter(ts => ts > cutoff);
+}
+```
+
+### 5. SmartProxy Integration
+
+#### A. Add to SmartProxy Class
+
+```typescript
+export class SmartProxy {
+  private metricsCollector: MetricsCollector;
+  
+  constructor(options: ISmartProxyOptions) {
+    // ... existing code ...
+    
+    // Pass SmartProxy instance to MetricsCollector
+    this.metricsCollector = new MetricsCollector(this);
+  }
+  
+  // Public API
+  public getStats(): IProxyStats {
+    return this.metricsCollector;
+  }
+}
+```
+
+#### B. Configuration Options
+
+```typescript
+interface ISmartProxyOptions {
+  // ... existing options ...
+  
+  metrics?: {
+    enabled?: boolean;           // Default: true
+    rpsWindowSize?: number;      // Default: 60000 (1 minute)
+    throughputWindowSize?: number; // Default: 60000 (1 minute)
+    cleanupInterval?: number;    // Default: 60000 (1 minute)
+  };
+}
+```
+
+### 6. Advanced Metrics (Future Enhancement)
+
+```typescript
+interface IAdvancedProxyStats extends IProxyStats {
+  // Latency metrics
+  getAverageLatency(): number;
+  getLatencyPercentiles(): { p50: number, p95: number, p99: number };
+  
+  // Error metrics
+  getErrorRate(): number;
+  getErrorsByType(): Map<string, number>;
+  
+  // Route-specific metrics
+  getRouteMetrics(routeName: string): IRouteMetrics;
+  
+  // Time-series data
+  getHistoricalMetrics(duration: number): IHistoricalMetrics;
+  
+  // Server/Port metrics (leveraging SmartProxy access)
+  getPortUtilization(): Map<number, { connections: number, maxConnections: number }>;
+  getCertificateExpiry(): Map<string, Date>;
+}
+
+// Example implementation showing SmartProxy component access
+getPortUtilization(): Map<number, { connections: number, maxConnections: number }> {
+  const portStats = new Map();
+  
+  // Access servers through SmartProxy
+  for (const [port, server] of this.smartProxy.servers) {
+    const connections = Array.from(this.smartProxy.connectionManager.getConnections())
+      .filter(([_, record]) => record.localPort === port).length;
+    
+    // Access route configuration through SmartProxy
+    const routes = this.smartProxy.routeManager.getRoutesForPort(port);
+    const maxConnections = routes[0]?.advanced?.maxConnections || 
+                          this.smartProxy.settings.defaults?.security?.maxConnections || 
+                          10000;
+    
+    portStats.set(port, { connections, maxConnections });
+  }
+  
+  return portStats;
+}
+```
+
+### 7. HTTP Metrics Endpoint (Optional)
+
+```typescript
+// Expose metrics via HTTP endpoint
+class MetricsHttpHandler {
+  handleRequest(req: IncomingMessage, res: ServerResponse): void {
+    if (req.url === '/metrics') {
+      const stats = this.proxy.getStats();
+      
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({
+        activeConnections: stats.getActiveConnections(),
+        totalConnections: stats.getTotalConnections(),
+        requestsPerSecond: stats.getRequestsPerSecond(),
+        throughput: stats.getThroughput(),
+        connectionsByRoute: Object.fromEntries(stats.getConnectionsByRoute()),
+        connectionsByIP: Object.fromEntries(stats.getConnectionsByIP()),
+        topIPs: stats.getTopIPs(20)
+      }));
+    }
+  }
+}
+```
+
+### 8. Testing Strategy
+
+The simplified design makes testing much easier since we can mock the ConnectionManager's data:
+
+#### A. Unit Tests
+
+```typescript
+// test/test.metrics-collector.ts
+tap.test('MetricsCollector computes metrics correctly', async () => {
+  // Mock ConnectionManager with test data
+  const mockConnectionManager = {
+    getConnectionCount: () => 2,
+    getConnections: () => new Map([
+      ['conn1', { remoteIP: '192.168.1.1', routeName: 'api', bytesReceived: 1000, bytesSent: 500 }],
+      ['conn2', { remoteIP: '192.168.1.1', routeName: 'web', bytesReceived: 2000, bytesSent: 1000 }]
+    ]),
+    getTerminationStats: () => ({ incoming: { normal: 10, timeout: 2 } })
+  };
+  
+  const collector = new MetricsCollector(mockConnectionManager as any);
+  
+  expect(collector.getActiveConnections()).toEqual(2);
+  expect(collector.getConnectionsByIP().get('192.168.1.1')).toEqual(2);
+  expect(collector.getTotalConnections()).toEqual(14); // 2 active + 12 terminated
+});
+```
+
+#### B. Integration Tests
+
+```typescript
+// test/test.metrics-integration.ts
+tap.test('SmartProxy provides accurate metrics', async () => {
+  const proxy = new SmartProxy({ /* config */ });
+  await proxy.start();
+  
+  // Create connections and verify metrics
+  const stats = proxy.getStats();
+  expect(stats.getActiveConnections()).toEqual(0);
+});
+```
+
+#### C. Performance Tests
+
+```typescript
+// test/test.metrics-performance.ts
+tap.test('Metrics collection has minimal performance impact', async () => {
+  // Measure proxy performance with and without metrics
+  // Ensure overhead is < 1%
+});
+```
+
+### 9. Implementation Phases
+
+#### Phase 1: Core Metrics (Days 1-2)
+- [ ] Create MetricsCollector class
+- [ ] Implement all metric methods (reading from ConnectionManager)
+- [ ] Add RPS tracking
+- [ ] Add to SmartProxy with getStats() method
+
+#### Phase 2: Testing & Optimization (Days 3-4)
+- [ ] Add comprehensive unit tests with mocked data
+- [ ] Add integration tests with real proxy
+- [ ] Implement caching for performance
+- [ ] Add RPS cleanup mechanism
+
+#### Phase 3: Advanced Features (Days 5-7)
+- [ ] Add HTTP metrics endpoint
+- [ ] Implement Prometheus export format
+- [ ] Add IP-based rate limiting helpers
+- [ ] Create monitoring dashboard example
+
+**Note**: The simplified design reduces implementation time from 4 weeks to 1 week!
+
+### 10. Usage Examples
+
+```typescript
+// Basic usage
+const proxy = new SmartProxy({
+  routes: [...],
+  metrics: { enabled: true }
+});
+
+await proxy.start();
+
+// Get metrics
+const stats = proxy.getStats();
+console.log(`Active connections: ${stats.getActiveConnections()}`);
+console.log(`RPS: ${stats.getRequestsPerSecond()}`);
+console.log(`Throughput: ${JSON.stringify(stats.getThroughput())}`);
+
+// Monitor specific routes
+const routeConnections = stats.getConnectionsByRoute();
+for (const [route, count] of routeConnections) {
+  console.log(`Route ${route}: ${count} connections`);
+}
+
+// Monitor connections by IP
+const ipConnections = stats.getConnectionsByIP();
+for (const [ip, count] of ipConnections) {
+  console.log(`IP ${ip}: ${count} connections`);
+}
+
+// Get top IPs by connection count
+const topIPs = stats.getTopIPs(10);
+console.log('Top 10 IPs:', topIPs);
+
+// Check if IP should be rate limited
+if (stats.isIPBlocked('192.168.1.100', 100)) {
+  console.log('IP has too many connections');
+}
+```
+
+### 11. Monitoring Integration
+
+```typescript
+// Export to monitoring systems
+class PrometheusExporter {
+  export(stats: IProxyStats): string {
+    return `
+# HELP smartproxy_active_connections Current number of active connections
+# TYPE smartproxy_active_connections gauge
+smartproxy_active_connections ${stats.getActiveConnections()}
+
+# HELP smartproxy_total_connections Total connections since start
+# TYPE smartproxy_total_connections counter
+smartproxy_total_connections ${stats.getTotalConnections()}
+
+# HELP smartproxy_requests_per_second Current requests per second
+# TYPE smartproxy_requests_per_second gauge
+smartproxy_requests_per_second ${stats.getRequestsPerSecond()}
+    `;
+  }
+}
+```
+
+### 12. Documentation
+
+- Add metrics section to main README
+- Create metrics API documentation
+- Add monitoring setup guide
+- Provide dashboard configuration examples
+
+## Success Criteria
+
+1. **Performance**: Metrics collection adds < 1% overhead
+2. **Accuracy**: All metrics are accurate within 1% margin
+3. **Memory**: No memory leaks over 24-hour operation
+4. **Thread Safety**: No race conditions under high load
+5. **Usability**: Simple, intuitive API for accessing metrics
+
+## Privacy and Security Considerations
+
+### IP Address Tracking
+
+1. **Privacy Compliance**: 
+   - Consider GDPR and other privacy regulations when storing IP addresses
+   - Implement configurable IP anonymization (e.g., mask last octet)
+   - Add option to disable IP tracking entirely
+
+2. **Security**:
+   - Use IP metrics for rate limiting and DDoS protection
+   - Implement automatic blocking for IPs exceeding connection limits
+   - Consider integration with IP reputation services
+
+3. **Implementation Options**:
+```typescript
+interface IMetricsOptions {
+  trackIPs?: boolean;              // Default: true
+  anonymizeIPs?: boolean;          // Default: false
+  maxConnectionsPerIP?: number;    // Default: 100
+  ipBlockDuration?: number;        // Default: 3600000 (1 hour)
+}
+```
+
+## Future Enhancements
+
+1. **Distributed Metrics**: Aggregate metrics across multiple proxy instances
+2. **Historical Storage**: Store metrics in time-series database
+3. **Alerting**: Built-in alerting based on metric thresholds
+4. **Custom Metrics**: Allow users to define custom metrics
+5. **GraphQL API**: Provide GraphQL endpoint for flexible metric queries
+6. **IP Analytics**: 
+   - Geographic distribution of connections
+   - Automatic anomaly detection for IP patterns
+   - Integration with threat intelligence feeds
+
+## Benefits of the Simplified Design
+
+By using a SmartProxy-centric architecture with on-demand computation:
+
+1. **Zero Synchronization Issues**: Metrics always reflect the true state
+2. **Minimal Memory Overhead**: No duplicate data structures
+3. **Simpler Implementation**: ~200 lines instead of ~1000 lines
+4. **Easier Testing**: Can mock SmartProxy components
+5. **Better Performance**: No overhead from state updates
+6. **Guaranteed Accuracy**: Single source of truth
+7. **Faster Development**: 1 week instead of 4 weeks
+8. **Future Flexibility**: Access to all SmartProxy components without API changes
+9. **Holistic Metrics**: Can correlate data across components (connections, routes, settings, certificates, etc.)
+10. **Clean Architecture**: MetricsCollector is a true SmartProxy component, not an isolated module
+
+This approach leverages the existing, well-tested SmartProxy infrastructure while providing a clean, simple metrics API that can grow with the proxy's capabilities.

readme.monitoring.md

@@ -0,0 +1,202 @@
+# Production Connection Monitoring
+
+This document explains how to use the ProductionConnectionMonitor to diagnose connection accumulation issues in real-time.
+
+## Quick Start
+
+```typescript
+import ProductionConnectionMonitor from './.nogit/debug/production-connection-monitor.js';
+
+// After starting your proxy
+const monitor = new ProductionConnectionMonitor(proxy);
+monitor.start(5000); // Check every 5 seconds
+
+// The monitor will automatically capture diagnostics when:
+// - Connections exceed 50 (default threshold)
+// - Sudden spike of 20+ connections occurs
+// - You manually call monitor.forceCaptureNow()
+```
+
+## What Gets Captured
+
+When accumulation is detected, the monitor saves a JSON file with:
+
+### Connection Details
+- Socket states (destroyed, readable, writable, readyState)
+- Connection age and activity timestamps
+- Data transfer statistics (bytes sent/received)
+- Target host and port information
+- Keep-alive status
+- Event listener counts
+
+### System State
+- Memory usage
+- Event loop lag
+- Connection count trends
+- Termination statistics
+
+## Reading Diagnostic Files
+
+Files are saved to `.nogit/connection-diagnostics/` with names like:
+```
+accumulation_2025-06-07T20-20-43-733Z_force_capture.json
+```
+
+### Key Fields to Check
+
+1. **Socket States**
+   ```json
+   "incomingState": {
+     "destroyed": false,
+     "readable": true,
+     "writable": true,
+     "readyState": "open"
+   }
+   ```
+   - Both destroyed = zombie connection
+   - One destroyed = half-zombie
+   - Both alive but old = potential stuck connection
+
+2. **Data Transfer**
+   ```json
+   "bytesReceived": 36,
+   "bytesSent": 0,
+   "timeSinceLastActivity": 60000
+   ```
+   - No bytes sent back = stuck connection
+   - High bytes but old = slow backend
+   - No activity = idle connection
+
+3. **Connection Flags**
+   ```json
+   "hasReceivedInitialData": false,
+   "hasKeepAlive": true,
+   "connectionClosed": false
+   ```
+   - hasReceivedInitialData=false on non-TLS = immediate routing
+   - hasKeepAlive=true = extended timeout applies
+   - connectionClosed=false = still tracked
+
+## Common Patterns
+
+### 1. Hanging Backend Pattern
+```json
+{
+  "bytesReceived": 36,
+  "bytesSent": 0,
+  "age": 120000,
+  "targetHost": "backend.example.com",
+  "incomingState": { "destroyed": false },
+  "outgoingState": { "destroyed": false }
+}
+```
+**Fix**: The stuck connection detection (60s timeout) should clean these up.
+
+### 2. Zombie Connection Pattern
+```json
+{
+  "incomingState": { "destroyed": true },
+  "outgoingState": { "destroyed": true },
+  "connectionClosed": false
+}
+```
+**Fix**: The zombie detection should clean these up within 30s.
+
+### 3. Event Listener Leak Pattern
+```json
+{
+  "incomingListeners": {
+    "data": 15,
+    "error": 20,
+    "close": 18
+  }
+}
+```
+**Issue**: Event listeners accumulating, potential memory leak.
+
+### 4. No Outgoing Socket Pattern
+```json
+{
+  "outgoingState": { "exists": false },
+  "connectionClosed": false,
+  "age": 5000
+}
+```
+**Issue**: Connection setup failed but cleanup didn't trigger.
+
+## Forcing Diagnostic Capture
+
+To capture current state immediately:
+```typescript
+monitor.forceCaptureNow();
+```
+
+This is useful when you notice accumulation starting.
+
+## Automated Analysis
+
+The monitor automatically analyzes patterns and logs:
+- Zombie/half-zombie counts
+- Stuck connection counts
+- Old connection counts
+- Memory usage
+- Recommendations
+
+## Integration Example
+
+```typescript
+// In your proxy startup script
+import { SmartProxy } from '@push.rocks/smartproxy';
+import ProductionConnectionMonitor from './production-connection-monitor.js';
+
+async function startProxyWithMonitoring() {
+  const proxy = new SmartProxy({
+    // your config
+  });
+  
+  await proxy.start();
+  
+  // Start monitoring
+  const monitor = new ProductionConnectionMonitor(proxy);
+  monitor.start(5000);
+  
+  // Optional: Capture on specific events
+  process.on('SIGUSR1', () => {
+    console.log('Manual diagnostic capture triggered');
+    monitor.forceCaptureNow();
+  });
+  
+  // Graceful shutdown
+  process.on('SIGTERM', async () => {
+    monitor.stop();
+    await proxy.stop();
+    process.exit(0);
+  });
+}
+```
+
+## Troubleshooting
+
+### Monitor Not Detecting Accumulation
+- Check threshold settings (default: 50 connections)
+- Reduce check interval for faster detection
+- Use forceCaptureNow() to capture current state
+
+### Too Many False Positives
+- Increase accumulation threshold
+- Increase spike threshold
+- Adjust check interval
+
+### Missing Diagnostic Data
+- Ensure output directory exists and is writable
+- Check disk space
+- Verify process has write permissions
+
+## Next Steps
+
+1. Deploy the monitor to production
+2. Wait for accumulation to occur
+3. Share diagnostic files for analysis
+4. Apply targeted fixes based on patterns found
+
+The diagnostic data will reveal the exact state of connections when accumulation occurs, enabling precise fixes for your specific scenario.

readme.problems.md

@@ -1,170 +0,0 @@
-# SmartProxy Performance Issues Report
-
-## Executive Summary
-This report identifies performance issues and blocking operations in the SmartProxy codebase that could impact scalability and responsiveness under high load.
-
-## Critical Issues
-
-### 1. **Synchronous Filesystem Operations**
-These operations block the event loop and should be replaced with async alternatives:
-
-#### Certificate Management
-- `ts/proxies/http-proxy/certificate-manager.ts:29`: `fs.existsSync()` 
-- `ts/proxies/http-proxy/certificate-manager.ts:30`: `fs.mkdirSync()`
-- `ts/proxies/http-proxy/certificate-manager.ts:49-50`: `fs.readFileSync()` for loading certificates
-
-#### NFTables Proxy
-- `ts/proxies/nftables-proxy/nftables-proxy.ts`: Multiple uses of `execSync()` for system commands
-- `ts/proxies/nftables-proxy/nftables-proxy.ts`: Multiple `fs.writeFileSync()` and `fs.unlinkSync()` operations
-
-#### Certificate Store
-- `ts/proxies/smart-proxy/cert-store.ts:8`: `ensureDirSync()`
-- `ts/proxies/smart-proxy/cert-store.ts:15,31,76`: `fileExistsSync()`
-- `ts/proxies/smart-proxy/cert-store.ts:77`: `removeManySync()`
-
-### 2. **Event Loop Blocking Operations**
-
-#### Busy Wait Loop
-- `ts/proxies/nftables-proxy/nftables-proxy.ts:235-238`: 
-  ```typescript
-  const waitUntil = Date.now() + retryDelayMs;
-  while (Date.now() < waitUntil) {
-    // busy wait - blocks event loop completely
-  }
-  ```
-  This is extremely problematic as it blocks the entire Node.js event loop.
-
-### 3. **Potential Memory Leaks**
-
-#### Timer Management Issues
-Several timers are created without proper cleanup:
-- `ts/proxies/http-proxy/function-cache.ts`: `setInterval()` without storing reference for cleanup
-- `ts/proxies/http-proxy/request-handler.ts`: `setInterval()` for rate limit cleanup without cleanup
-- `ts/core/utils/shared-security-manager.ts`: `cleanupInterval` stored but no cleanup method
-
-#### Event Listener Accumulation
-- Multiple instances of event listeners being added without corresponding cleanup
-- Connection handlers add listeners without always removing them on connection close
-
-### 4. **Connection Pool Management**
-
-#### ConnectionPool (ts/proxies/http-proxy/connection-pool.ts)
-**Good practices observed:**
-- Proper connection lifecycle management
-- Periodic cleanup of idle connections
-- Connection limits enforcement
-
-**Potential issues:**
-- No backpressure mechanism when pool is full
-- Synchronous sorting operation in `cleanupConnectionPool()` could be slow with many connections
-
-### 5. **Resource Management Issues**
-
-#### Socket Cleanup
-- Some error paths don't properly clean up sockets
-- Missing `removeAllListeners()` in some error scenarios could lead to memory leaks
-
-#### Timeout Management
-- Inconsistent timeout handling across different components
-- Some sockets created without timeout settings
-
-### 6. **JSON Operations on Large Objects**
-- `ts/proxies/smart-proxy/cert-store.ts:21`: `JSON.parse()` on certificate metadata
-- `ts/proxies/smart-proxy/cert-store.ts:71`: `JSON.stringify()` with pretty printing
-- `ts/proxies/http-proxy/function-cache.ts:76`: `JSON.stringify()` for cache keys (called frequently)
-
-## Recommendations
-
-### Immediate Actions (High Priority)
-
-1. **Replace Synchronous Operations**
-   ```typescript
-   // Instead of:
-   if (fs.existsSync(path)) { ... }
-   
-   // Use:
-   try {
-     await fs.promises.access(path);
-     // file exists
-   } catch {
-     // file doesn't exist
-   }
-   ```
-
-2. **Fix Busy Wait Loop**
-   ```typescript
-   // Instead of:
-   while (Date.now() < waitUntil) { }
-   
-   // Use:
-   await new Promise(resolve => setTimeout(resolve, retryDelayMs));
-   ```
-
-3. **Add Timer Cleanup**
-   ```typescript
-   class Component {
-     private cleanupTimer?: NodeJS.Timeout;
-     
-     start() {
-       this.cleanupTimer = setInterval(() => { ... }, 60000);
-     }
-     
-     stop() {
-       if (this.cleanupTimer) {
-         clearInterval(this.cleanupTimer);
-         this.cleanupTimer = undefined;
-       }
-     }
-   }
-   ```
-
-### Medium Priority
-
-1. **Optimize JSON Operations**
-   - Cache JSON.stringify results for frequently used objects
-   - Consider using faster hashing for cache keys (e.g., crypto.createHash)
-   - Use streaming JSON parsers for large objects
-
-2. **Improve Connection Pool**
-   - Implement backpressure/queueing when pool is full
-   - Use a heap or priority queue for connection management instead of sorting
-
-3. **Standardize Resource Cleanup**
-   - Create a base class for components with lifecycle management
-   - Ensure all event listeners are removed on cleanup
-   - Add abort controllers for better cancellation support
-
-### Long-term Improvements
-
-1. **Worker Threads**
-   - Move CPU-intensive operations to worker threads
-   - Consider using worker pools for NFTables operations
-
-2. **Monitoring and Metrics**
-   - Add performance monitoring for event loop lag
-   - Track connection pool utilization
-   - Monitor memory usage patterns
-
-3. **Graceful Degradation**
-   - Implement circuit breakers for backend connections
-   - Add request queuing with overflow protection
-   - Implement adaptive timeout strategies
-
-## Impact Assessment
-
-These issues primarily affect:
-- **Scalability**: Blocking operations limit concurrent connection handling
-- **Responsiveness**: Event loop blocking causes latency spikes
-- **Stability**: Memory leaks could cause crashes under sustained load
-- **Resource Usage**: Inefficient resource management increases memory/CPU usage
-
-## Testing Recommendations
-
-1. Load test with high connection counts (10k+ concurrent)
-2. Monitor event loop lag under stress
-3. Test long-running scenarios to detect memory leaks
-4. Benchmark with async vs sync operations to measure improvement
-
-## Conclusion
-
-While SmartProxy has good architectural design and many best practices, the identified blocking operations and resource management issues could significantly impact performance under high load. The most critical issues (busy wait loop and synchronous filesystem operations) should be addressed immediately.

readme.proxy-chain-summary.md

@@ -0,0 +1,112 @@
+# SmartProxy: Proxy Protocol and Proxy Chaining Summary
+
+## Quick Summary
+
+SmartProxy supports proxy chaining through the **WrappedSocket** infrastructure, which is designed to handle PROXY protocol for preserving real client IP addresses across multiple proxy layers. While the infrastructure is in place (v19.5.19+), the actual PROXY protocol parsing is not yet implemented.
+
+## Current State
+
+### ✅ What's Implemented
+- **WrappedSocket class** - Foundation for proxy protocol support
+- **Proxy IP configuration** - `proxyIPs` setting to define trusted proxies
+- **Socket wrapping** - All incoming connections wrapped automatically
+- **Connection tracking** - Real client IP tracking in connection records
+- **Test infrastructure** - Tests for proxy chaining scenarios
+
+### ❌ What's Missing
+- **PROXY protocol v1 parsing** - Header parsing not implemented
+- **PROXY protocol v2 support** - Binary format not supported
+- **Automatic header generation** - Must be manually implemented
+- **Production testing** - No HAProxy/AWS ELB compatibility tests
+
+## Key Files
+
+### Core Implementation
+- `ts/core/models/wrapped-socket.ts` - WrappedSocket class
+- `ts/core/models/socket-types.ts` - Helper functions
+- `ts/proxies/smart-proxy/route-connection-handler.ts` - Connection handling
+- `ts/proxies/smart-proxy/models/interfaces.ts` - Configuration interfaces
+
+### Tests
+- `test/test.wrapped-socket.ts` - WrappedSocket unit tests
+- `test/test.proxy-chain-simple.node.ts` - Basic proxy chain test
+- `test/test.proxy-chaining-accumulation.node.ts` - Connection leak tests
+
+### Documentation
+- `readme.proxy-protocol.md` - Detailed implementation guide
+- `readme.proxy-protocol-example.md` - Code examples and future implementation
+- `readme.hints.md` - Project overview with WrappedSocket notes
+
+## Quick Configuration Example
+
+```typescript
+// Outer proxy (internet-facing)
+const outerProxy = new SmartProxy({
+  sendProxyProtocol: true, // Will send PROXY protocol (when implemented)
+  routes: [{
+    name: 'forward-to-inner',
+    match: { ports: 443 },
+    action: {
+      type: 'forward',
+      target: { host: 'inner-proxy.local', port: 443 },
+      tls: { mode: 'passthrough' }
+    }
+  }]
+});
+
+// Inner proxy (backend-facing)
+const innerProxy = new SmartProxy({
+  proxyIPs: ['outer-proxy.local'], // Trust the outer proxy
+  acceptProxyProtocol: true,        // Will parse PROXY protocol (when implemented)
+  routes: [{
+    name: 'forward-to-backend',
+    match: { ports: 443, domains: 'api.example.com' },
+    action: {
+      type: 'forward',
+      target: { host: 'backend.local', port: 8080 },
+      tls: { mode: 'terminate' }
+    }
+  }]
+});
+```
+
+## How It Works (Conceptually)
+
+1. **Client** connects to **Outer Proxy**
+2. **Outer Proxy** wraps socket in WrappedSocket
+3. **Outer Proxy** forwards to **Inner Proxy**
+   - Would prepend: `PROXY TCP4 <client-ip> <proxy-ip> <client-port> <proxy-port>\r\n`
+4. **Inner Proxy** receives connection from trusted proxy
+5. **Inner Proxy** would parse PROXY protocol header
+6. **Inner Proxy** updates WrappedSocket with real client IP
+7. **Backend** receives connection with preserved client information
+
+## Important Notes
+
+### Connection Cleanup
+The fix for proxy chain connection accumulation (v19.5.14+) changed the default socket behavior:
+- **Before**: Half-open connections supported by default (caused accumulation)
+- **After**: Both sockets close when one closes (prevents accumulation)
+- **Override**: Set `enableHalfOpen: true` if half-open needed
+
+### Security
+- Only parse PROXY protocol from IPs listed in `proxyIPs`
+- Never use `0.0.0.0/0` as a trusted proxy range
+- Each proxy in chain must explicitly trust the previous proxy
+
+### Testing
+Use the test files as reference implementations:
+- Simple chains: `test.proxy-chain-simple.node.ts`
+- Connection leaks: `test.proxy-chaining-accumulation.node.ts`
+- Rapid reconnects: `test.rapid-retry-cleanup.node.ts`
+
+## Next Steps
+
+To fully implement PROXY protocol support:
+1. Implement the parser in `ProxyProtocolParser` class
+2. Integrate parser into `handleConnection` method
+3. Add header generation to `setupDirectConnection`
+4. Test with real proxies (HAProxy, nginx, AWS ELB)
+5. Add PROXY protocol v2 support for better performance
+
+See `readme.proxy-protocol-example.md` for detailed implementation examples.

readme.proxy-protocol-example.md

@@ -0,0 +1,462 @@
+# SmartProxy PROXY Protocol Implementation Example
+
+This document shows how PROXY protocol parsing could be implemented in SmartProxy. Note that this is a conceptual implementation guide - the actual parsing is not yet implemented in the current version.
+
+## Conceptual PROXY Protocol v1 Parser Implementation
+
+### Parser Class
+
+```typescript
+// This would go in ts/core/utils/proxy-protocol-parser.ts
+import { logger } from './logger.js';
+
+export interface IProxyProtocolInfo {
+  version: 1 | 2;
+  command: 'PROXY' | 'LOCAL';
+  family: 'TCP4' | 'TCP6' | 'UNKNOWN';
+  sourceIP: string;
+  destIP: string;
+  sourcePort: number;
+  destPort: number;
+  headerLength: number;
+}
+
+export class ProxyProtocolParser {
+  private static readonly PROXY_V1_SIGNATURE = 'PROXY ';
+  private static readonly MAX_V1_HEADER_LENGTH = 108; // Max possible v1 header
+
+  /**
+   * Parse PROXY protocol v1 header from buffer
+   * Returns null if not a valid PROXY protocol header
+   */
+  static parseV1(buffer: Buffer): IProxyProtocolInfo | null {
+    // Need at least 8 bytes for "PROXY " + newline
+    if (buffer.length < 8) {
+      return null;
+    }
+
+    // Check for v1 signature
+    const possibleHeader = buffer.toString('ascii', 0, 6);
+    if (possibleHeader !== this.PROXY_V1_SIGNATURE) {
+      return null;
+    }
+
+    // Find the end of the header (CRLF)
+    let headerEnd = -1;
+    for (let i = 6; i < Math.min(buffer.length, this.MAX_V1_HEADER_LENGTH); i++) {
+      if (buffer[i] === 0x0D && buffer[i + 1] === 0x0A) { // \r\n
+        headerEnd = i + 2;
+        break;
+      }
+    }
+
+    if (headerEnd === -1) {
+      // No complete header found
+      return null;
+    }
+
+    // Parse the header line
+    const headerLine = buffer.toString('ascii', 0, headerEnd - 2);
+    const parts = headerLine.split(' ');
+
+    if (parts.length !== 6) {
+      logger.log('warn', 'Invalid PROXY v1 header format', { 
+        headerLine,
+        partCount: parts.length 
+      });
+      return null;
+    }
+
+    const [proxy, family, srcIP, dstIP, srcPort, dstPort] = parts;
+
+    // Validate family
+    if (!['TCP4', 'TCP6', 'UNKNOWN'].includes(family)) {
+      logger.log('warn', 'Invalid PROXY protocol family', { family });
+      return null;
+    }
+
+    // Validate ports
+    const sourcePort = parseInt(srcPort);
+    const destPort = parseInt(dstPort);
+    
+    if (isNaN(sourcePort) || sourcePort < 1 || sourcePort > 65535 ||
+        isNaN(destPort) || destPort < 1 || destPort > 65535) {
+      logger.log('warn', 'Invalid PROXY protocol ports', { srcPort, dstPort });
+      return null;
+    }
+
+    return {
+      version: 1,
+      command: 'PROXY',
+      family: family as 'TCP4' | 'TCP6' | 'UNKNOWN',
+      sourceIP: srcIP,
+      destIP: dstIP,
+      sourcePort,
+      destPort,
+      headerLength: headerEnd
+    };
+  }
+
+  /**
+   * Check if buffer potentially contains PROXY protocol
+   */
+  static mightBeProxyProtocol(buffer: Buffer): boolean {
+    if (buffer.length < 6) return false;
+    
+    // Check for v1 signature
+    const start = buffer.toString('ascii', 0, 6);
+    if (start === this.PROXY_V1_SIGNATURE) return true;
+    
+    // Check for v2 signature (12 bytes: \x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A)
+    if (buffer.length >= 12) {
+      const v2Sig = Buffer.from([0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A]);
+      if (buffer.compare(v2Sig, 0, 12, 0, 12) === 0) return true;
+    }
+    
+    return false;
+  }
+}
+```
+
+### Integration with RouteConnectionHandler
+
+```typescript
+// This shows how it would be integrated into route-connection-handler.ts
+
+private async handleProxyProtocol(
+  socket: plugins.net.Socket,
+  wrappedSocket: WrappedSocket,
+  record: IConnectionRecord
+): Promise<Buffer | null> {
+  const remoteIP = socket.remoteAddress || '';
+  
+  // Only parse PROXY protocol from trusted IPs
+  if (!this.settings.proxyIPs?.includes(remoteIP)) {
+    return null;
+  }
+  
+  return new Promise((resolve) => {
+    let buffer = Buffer.alloc(0);
+    let headerParsed = false;
+    
+    const parseHandler = (chunk: Buffer) => {
+      // Accumulate data
+      buffer = Buffer.concat([buffer, chunk]);
+      
+      // Try to parse PROXY protocol
+      const proxyInfo = ProxyProtocolParser.parseV1(buffer);
+      
+      if (proxyInfo) {
+        // Update wrapped socket with real client info
+        wrappedSocket.setProxyInfo(proxyInfo.sourceIP, proxyInfo.sourcePort);
+        
+        // Update connection record
+        record.remoteIP = proxyInfo.sourceIP;
+        
+        logger.log('info', 'PROXY protocol parsed', {
+          connectionId: record.id,
+          realIP: proxyInfo.sourceIP,
+          realPort: proxyInfo.sourcePort,
+          proxyIP: remoteIP
+        });
+        
+        // Remove this handler
+        socket.removeListener('data', parseHandler);
+        headerParsed = true;
+        
+        // Return remaining data after header
+        const remaining = buffer.slice(proxyInfo.headerLength);
+        resolve(remaining.length > 0 ? remaining : null);
+      } else if (buffer.length > 108) {
+        // Max v1 header length exceeded, not PROXY protocol
+        socket.removeListener('data', parseHandler);
+        headerParsed = true;
+        resolve(buffer);
+      }
+    };
+    
+    // Set timeout for PROXY protocol parsing
+    const timeout = setTimeout(() => {
+      if (!headerParsed) {
+        socket.removeListener('data', parseHandler);
+        logger.log('warn', 'PROXY protocol parsing timeout', {
+          connectionId: record.id,
+          bufferLength: buffer.length
+        });
+        resolve(buffer.length > 0 ? buffer : null);
+      }
+    }, 1000); // 1 second timeout
+    
+    socket.on('data', parseHandler);
+    
+    // Clean up on early close
+    socket.once('close', () => {
+      clearTimeout(timeout);
+      if (!headerParsed) {
+        socket.removeListener('data', parseHandler);
+        resolve(null);
+      }
+    });
+  });
+}
+
+// Modified handleConnection to include PROXY protocol parsing
+public async handleConnection(socket: plugins.net.Socket): void {
+  const remoteIP = socket.remoteAddress || '';
+  const localPort = socket.localPort || 0;
+
+  // Always wrap the socket
+  const wrappedSocket = new WrappedSocket(socket);
+  
+  // Create connection record
+  const record = this.connectionManager.createConnection(wrappedSocket);
+  if (!record) return;
+  
+  // If from trusted proxy, parse PROXY protocol
+  if (this.settings.proxyIPs?.includes(remoteIP)) {
+    const remainingData = await this.handleProxyProtocol(socket, wrappedSocket, record);
+    
+    if (remainingData) {
+      // Process remaining data as normal
+      this.handleInitialData(wrappedSocket, record, remainingData);
+    } else {
+      // Wait for more data
+      this.handleInitialData(wrappedSocket, record);
+    }
+  } else {
+    // Not from trusted proxy, handle normally
+    this.handleInitialData(wrappedSocket, record);
+  }
+}
+```
+
+### Sending PROXY Protocol When Forwarding
+
+```typescript
+// This would be added to setupDirectConnection method
+
+private setupDirectConnection(
+  socket: plugins.net.Socket | WrappedSocket,
+  record: IConnectionRecord,
+  serverName?: string,
+  initialChunk?: Buffer,
+  overridePort?: number,
+  targetHost?: string,
+  targetPort?: number
+): void {
+  // ... existing code ...
+  
+  // Create target socket
+  const targetSocket = createSocketWithErrorHandler({
+    port: finalTargetPort,
+    host: finalTargetHost,
+    onConnect: () => {
+      // If sendProxyProtocol is enabled, send PROXY header first
+      if (this.settings.sendProxyProtocol) {
+        const proxyHeader = this.buildProxyProtocolHeader(wrappedSocket, targetSocket);
+        targetSocket.write(proxyHeader);
+      }
+      
+      // Then send any pending data
+      if (record.pendingData.length > 0) {
+        const combinedData = Buffer.concat(record.pendingData);
+        targetSocket.write(combinedData);
+      }
+      
+      // ... rest of connection setup ...
+    }
+  });
+}
+
+private buildProxyProtocolHeader(
+  clientSocket: WrappedSocket,
+  serverSocket: net.Socket
+): Buffer {
+  const family = clientSocket.remoteFamily === 'IPv6' ? 'TCP6' : 'TCP4';
+  const srcIP = clientSocket.remoteAddress || '0.0.0.0';
+  const srcPort = clientSocket.remotePort || 0;
+  const dstIP = serverSocket.localAddress || '0.0.0.0';
+  const dstPort = serverSocket.localPort || 0;
+  
+  const header = `PROXY ${family} ${srcIP} ${dstIP} ${srcPort} ${dstPort}\r\n`;
+  return Buffer.from(header, 'ascii');
+}
+```
+
+## Complete Example: HAProxy Compatible Setup
+
+```typescript
+// Example showing a complete HAProxy-compatible SmartProxy setup
+
+import { SmartProxy } from '@push.rocks/smartproxy';
+
+// Configuration matching HAProxy's proxy protocol behavior
+const proxy = new SmartProxy({
+  // Accept PROXY protocol from these sources (like HAProxy's 'accept-proxy')
+  proxyIPs: [
+    '10.0.0.0/8',      // Private network load balancers
+    '172.16.0.0/12',   // Docker networks
+    '192.168.0.0/16'   // Local networks
+  ],
+  
+  // Send PROXY protocol to backends (like HAProxy's 'send-proxy')
+  sendProxyProtocol: true,
+  
+  routes: [
+    {
+      name: 'web-app',
+      match: { 
+        ports: 443, 
+        domains: ['app.example.com', 'www.example.com'] 
+      },
+      action: {
+        type: 'forward',
+        target: { 
+          host: 'backend-pool.internal',
+          port: 8080
+        },
+        tls: { 
+          mode: 'terminate',
+          certificate: 'auto',
+          acme: {
+            email: 'ssl@example.com'
+          }
+        }
+      }
+    }
+  ]
+});
+
+// Start the proxy
+await proxy.start();
+
+// The proxy will now:
+// 1. Accept connections on port 443
+// 2. Parse PROXY protocol from trusted IPs
+// 3. Terminate TLS
+// 4. Forward to backend with PROXY protocol header
+// 5. Backend sees real client IP
+```
+
+## Testing PROXY Protocol
+
+```typescript
+// Test client that sends PROXY protocol
+import * as net from 'net';
+
+function createProxyProtocolClient(
+  realClientIP: string,
+  realClientPort: number,
+  proxyHost: string,
+  proxyPort: number
+): net.Socket {
+  const client = net.connect(proxyPort, proxyHost);
+  
+  client.on('connect', () => {
+    // Send PROXY protocol header
+    const header = `PROXY TCP4 ${realClientIP} ${proxyHost} ${realClientPort} ${proxyPort}\r\n`;
+    client.write(header);
+    
+    // Then send actual request
+    client.write('GET / HTTP/1.1\r\nHost: example.com\r\n\r\n');
+  });
+  
+  return client;
+}
+
+// Usage
+const client = createProxyProtocolClient(
+  '203.0.113.45',  // Real client IP
+  54321,           // Real client port
+  'localhost',     // Proxy host
+  8080            // Proxy port
+);
+```
+
+## AWS Network Load Balancer Example
+
+```typescript
+// Configuration for AWS NLB with PROXY protocol v2
+const proxy = new SmartProxy({
+  // AWS NLB IP ranges (get current list from AWS)
+  proxyIPs: [
+    '10.0.0.0/8',     // VPC CIDR
+    // Add specific NLB IPs or use AWS IP ranges
+  ],
+  
+  // AWS NLB uses PROXY protocol v2 by default
+  acceptProxyProtocolV2: true, // Future feature
+  
+  routes: [{
+    name: 'aws-app',
+    match: { ports: 443 },
+    action: {
+      type: 'forward',
+      target: { 
+        host: 'app-cluster.internal',
+        port: 8443 
+      },
+      tls: { mode: 'passthrough' }
+    }
+  }]
+});
+
+// The proxy will:
+// 1. Accept PROXY protocol v2 from AWS NLB
+// 2. Preserve VPC endpoint IDs and other metadata
+// 3. Forward to backend with real client information
+```
+
+## Debugging PROXY Protocol
+
+```typescript
+// Enable detailed logging to debug PROXY protocol parsing
+const proxy = new SmartProxy({
+  enableDetailedLogging: true,
+  proxyIPs: ['10.0.0.1'],
+  
+  // Add custom logging for debugging
+  routes: [{
+    name: 'debug-route',
+    match: { ports: 8080 },
+    action: {
+      type: 'socket-handler',
+      socketHandler: async (socket, context) => {
+        console.log('Socket handler called with context:', {
+          clientIp: context.clientIp,     // Real IP from PROXY protocol
+          port: context.port,
+          connectionId: context.connectionId,
+          timestamp: context.timestamp
+        });
+        
+        // Handle the socket...
+      }
+    }
+  }]
+});
+```
+
+## Security Considerations
+
+1. **Always validate trusted proxy IPs** - Never accept PROXY protocol from untrusted sources
+2. **Use specific IP ranges** - Avoid wildcards like `0.0.0.0/0`
+3. **Implement rate limiting** - PROXY protocol parsing has a computational cost
+4. **Validate header format** - Reject malformed headers immediately
+5. **Set parsing timeouts** - Prevent slow loris attacks via PROXY headers
+6. **Log parsing failures** - Monitor for potential attacks or misconfigurations
+
+## Performance Considerations
+
+1. **Header parsing overhead** - Minimal, one-time cost per connection
+2. **Memory usage** - Small buffer for header accumulation (max 108 bytes for v1)
+3. **Connection establishment** - Slight delay for PROXY protocol parsing
+4. **Throughput impact** - None after initial header parsing
+5. **CPU usage** - Negligible for well-formed headers
+
+## Future Enhancements
+
+1. **PROXY Protocol v2** - Binary format for better performance
+2. **TLS information preservation** - Pass TLS version, cipher, SNI via PP2
+3. **Custom type-length-value (TLV) fields** - Extended metadata support
+4. **Connection pooling** - Reuse backend connections with different client IPs
+5. **Health checks** - Skip PROXY protocol for health check connections

readme.proxy-protocol.md

@@ -0,0 +1,415 @@
+# SmartProxy PROXY Protocol and Proxy Chaining Documentation
+
+## Overview
+
+SmartProxy implements support for the PROXY protocol v1 to enable proxy chaining and preserve real client IP addresses across multiple proxy layers. This documentation covers the implementation details, configuration, and usage patterns for proxy chaining scenarios.
+
+## Architecture
+
+### WrappedSocket Implementation
+
+The foundation of PROXY protocol support is the `WrappedSocket` class, which wraps regular `net.Socket` instances to provide transparent access to real client information when behind a proxy.
+
+```typescript
+// ts/core/models/wrapped-socket.ts
+export class WrappedSocket {
+  public readonly socket: plugins.net.Socket;
+  private realClientIP?: string;
+  private realClientPort?: number;
+  
+  constructor(
+    socket: plugins.net.Socket,
+    realClientIP?: string,
+    realClientPort?: number
+  ) {
+    this.socket = socket;
+    this.realClientIP = realClientIP;
+    this.realClientPort = realClientPort;
+    
+    // Uses JavaScript Proxy to delegate all methods to underlying socket
+    return new Proxy(this, {
+      get(target, prop, receiver) {
+        // Override specific properties
+        if (prop === 'remoteAddress') {
+          return target.remoteAddress;
+        }
+        if (prop === 'remotePort') {
+          return target.remotePort;
+        }
+        // ... delegate other properties to underlying socket
+      }
+    });
+  }
+  
+  get remoteAddress(): string | undefined {
+    return this.realClientIP || this.socket.remoteAddress;
+  }
+  
+  get remotePort(): number | undefined {
+    return this.realClientPort || this.socket.remotePort;
+  }
+  
+  get isFromTrustedProxy(): boolean {
+    return !!this.realClientIP;
+  }
+}
+```
+
+### Key Design Decisions
+
+1. **All sockets are wrapped** - Every incoming connection is wrapped in a WrappedSocket, not just those from trusted proxies
+2. **Proxy pattern for delegation** - Uses JavaScript Proxy to transparently delegate all Socket methods while allowing property overrides
+3. **Not a Duplex stream** - Simple wrapper approach avoids complexity and infinite loops
+4. **Trust-based parsing** - PROXY protocol parsing only occurs for connections from trusted proxy IPs
+
+## Configuration
+
+### Basic PROXY Protocol Configuration
+
+```typescript
+const proxy = new SmartProxy({
+  // List of trusted proxy IPs that can send PROXY protocol
+  proxyIPs: ['10.0.0.1', '10.0.0.2', '192.168.1.0/24'],
+  
+  // Global option to accept PROXY protocol (defaults based on proxyIPs)
+  acceptProxyProtocol: true,
+  
+  // Global option to send PROXY protocol to all targets
+  sendProxyProtocol: false,
+  
+  routes: [
+    {
+      name: 'backend-app',
+      match: { ports: 443, domains: 'app.example.com' },
+      action: {
+        type: 'forward',
+        target: { host: 'backend.internal', port: 8443 },
+        tls: { mode: 'passthrough' }
+      }
+    }
+  ]
+});
+```
+
+### Proxy Chain Configuration
+
+Setting up two SmartProxies in a chain:
+
+```typescript
+// Outer Proxy (Internet-facing)
+const outerProxy = new SmartProxy({
+  proxyIPs: [], // No trusted proxies for outer proxy
+  sendProxyProtocol: true, // Send PROXY protocol to inner proxy
+  
+  routes: [{
+    name: 'to-inner-proxy',
+    match: { ports: 443 },
+    action: {
+      type: 'forward',
+      target: { 
+        host: 'inner-proxy.internal', 
+        port: 443 
+      },
+      tls: { mode: 'passthrough' }
+    }
+  }]
+});
+
+// Inner Proxy (Backend-facing)
+const innerProxy = new SmartProxy({
+  proxyIPs: ['outer-proxy.internal'], // Trust the outer proxy
+  acceptProxyProtocol: true,
+  
+  routes: [{
+    name: 'to-backend',
+    match: { ports: 443, domains: 'app.example.com' },
+    action: {
+      type: 'forward',
+      target: { 
+        host: 'backend.internal', 
+        port: 8080 
+      },
+      tls: { 
+        mode: 'terminate',
+        certificate: 'auto'
+      }
+    }
+  }]
+});
+```
+
+## How Two SmartProxies Communicate
+
+### Connection Flow
+
+1. **Client connects to Outer Proxy**
+   ```
+   Client (203.0.113.45:54321) → Outer Proxy (1.2.3.4:443)
+   ```
+
+2. **Outer Proxy wraps the socket**
+   ```typescript
+   // In RouteConnectionHandler.handleConnection()
+   const wrappedSocket = new WrappedSocket(socket);
+   // At this point: 
+   // wrappedSocket.remoteAddress = '203.0.113.45'
+   // wrappedSocket.remotePort = 54321
+   ```
+
+3. **Outer Proxy forwards to Inner Proxy**
+   - Creates new connection to inner proxy
+   - If `sendProxyProtocol` is enabled, prepends PROXY protocol header:
+   ```
+   PROXY TCP4 203.0.113.45 1.2.3.4 54321 443\r\n
+   [Original TLS/HTTP data follows]
+   ```
+
+4. **Inner Proxy receives connection**
+   - Sees connection from outer proxy IP
+   - Checks if IP is in `proxyIPs` list
+   - If trusted, parses PROXY protocol header
+   - Updates WrappedSocket with real client info:
+   ```typescript
+   wrappedSocket.setProxyInfo('203.0.113.45', 54321);
+   ```
+
+5. **Inner Proxy routes based on real client IP**
+   - Security checks use real client IP
+   - Connection records track real client IP
+   - Backend sees requests from the original client IP
+
+### Connection Record Tracking
+
+```typescript
+// In ConnectionManager
+interface IConnectionRecord {
+  id: string;
+  incoming: WrappedSocket; // Wrapped socket with real client info
+  outgoing: net.Socket | null;
+  remoteIP: string; // Real client IP from PROXY protocol or direct connection
+  localPort: number;
+  // ... other fields
+}
+```
+
+## Implementation Details
+
+### Socket Wrapping in Route Handler
+
+```typescript
+// ts/proxies/smart-proxy/route-connection-handler.ts
+public handleConnection(socket: plugins.net.Socket): void {
+  const remoteIP = socket.remoteAddress || '';
+  
+  // Always wrap the socket to prepare for potential PROXY protocol
+  const wrappedSocket = new WrappedSocket(socket);
+  
+  // If this is from a trusted proxy, log it
+  if (this.settings.proxyIPs?.includes(remoteIP)) {
+    logger.log('debug', `Connection from trusted proxy ${remoteIP}, PROXY protocol parsing will be enabled`);
+  }
+  
+  // Create connection record with wrapped socket
+  const record = this.connectionManager.createConnection(wrappedSocket);
+  
+  // Continue with normal connection handling...
+}
+```
+
+### Socket Utility Integration
+
+When passing wrapped sockets to socket utility functions, the underlying socket must be extracted:
+
+```typescript
+import { getUnderlyingSocket } from '../../core/models/socket-types.js';
+
+// In setupDirectConnection()
+const incomingSocket = getUnderlyingSocket(socket); // Extract raw socket
+
+setupBidirectionalForwarding(incomingSocket, targetSocket, {
+  onClientData: (chunk) => {
+    record.bytesReceived += chunk.length;
+  },
+  onServerData: (chunk) => {
+    record.bytesSent += chunk.length;
+  },
+  onCleanup: (reason) => {
+    this.connectionManager.cleanupConnection(record, reason);
+  },
+  enableHalfOpen: false // Required for proxy chains
+});
+```
+
+## Current Status and Limitations
+
+### Implemented (v19.5.19+)
+- ✅ WrappedSocket foundation class
+- ✅ Socket wrapping in connection handler
+- ✅ Connection manager support for wrapped sockets
+- ✅ Socket utility integration helpers
+- ✅ Proxy IP configuration options
+
+### Not Yet Implemented
+- ❌ PROXY protocol v1 header parsing
+- ❌ PROXY protocol v2 binary format support
+- ❌ Automatic PROXY protocol header generation when forwarding
+- ❌ HAProxy compatibility testing
+- ❌ AWS ELB/NLB compatibility testing
+
+### Known Issues
+1. **No actual PROXY protocol parsing** - The infrastructure is in place but the protocol parsing is not yet implemented
+2. **Manual configuration required** - No automatic detection of PROXY protocol support
+3. **Limited to TCP connections** - WebSocket connections through proxy chains may not preserve client IPs
+
+## Testing Proxy Chains
+
+### Basic Proxy Chain Test
+
+```typescript
+// test/test.proxy-chain-simple.node.ts
+tap.test('simple proxy chain test', async () => {
+  // Create backend server
+  const backend = net.createServer((socket) => {
+    console.log('Backend: Connection received');
+    socket.write('HTTP/1.1 200 OK\r\n\r\nHello from backend');
+    socket.end();
+  });
+  
+  // Create inner proxy (downstream)
+  const innerProxy = new SmartProxy({
+    proxyIPs: ['127.0.0.1'], // Trust localhost for testing
+    routes: [{
+      name: 'to-backend',
+      match: { ports: 8591 },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 9999 }
+      }
+    }]
+  });
+  
+  // Create outer proxy (upstream)
+  const outerProxy = new SmartProxy({
+    sendProxyProtocol: true, // Send PROXY to inner
+    routes: [{
+      name: 'to-inner',
+      match: { ports: 8590 },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 8591 }
+      }
+    }]
+  });
+  
+  // Test connection through chain
+  const client = net.connect(8590, 'localhost');
+  client.write('GET / HTTP/1.1\r\nHost: test.com\r\n\r\n');
+  
+  // Verify no connection accumulation
+  const counts = getConnectionCounts();
+  expect(counts.proxy1).toEqual(0);
+  expect(counts.proxy2).toEqual(0);
+});
+```
+
+## Best Practices
+
+### 1. Always Configure Trusted Proxies
+```typescript
+// Be specific about which IPs can send PROXY protocol
+proxyIPs: ['10.0.0.1', '10.0.0.2'], // Good
+proxyIPs: ['0.0.0.0/0'], // Bad - trusts everyone
+```
+
+### 2. Use CIDR Notation for Subnets
+```typescript
+proxyIPs: [
+  '10.0.0.0/24',     // Trust entire subnet
+  '192.168.1.5',     // Trust specific IP
+  '172.16.0.0/16'    // Trust private network
+]
+```
+
+### 3. Enable Half-Open Only When Needed
+```typescript
+// For proxy chains, always disable half-open
+setupBidirectionalForwarding(client, server, {
+  enableHalfOpen: false // Ensures proper cascade cleanup
+});
+```
+
+### 4. Monitor Connection Counts
+```typescript
+// Regular monitoring prevents connection leaks
+setInterval(() => {
+  const stats = proxy.getStatistics();
+  console.log(`Active connections: ${stats.activeConnections}`);
+  if (stats.activeConnections > 1000) {
+    console.warn('High connection count detected');
+  }
+}, 60000);
+```
+
+## Future Enhancements
+
+### Phase 2: PROXY Protocol v1 Parser
+```typescript
+// Planned implementation
+class ProxyProtocolParser {
+  static parse(buffer: Buffer): ProxyInfo | null {
+    // Parse "PROXY TCP4 <src-ip> <dst-ip> <src-port> <dst-port>\r\n"
+    const header = buffer.toString('ascii', 0, 108);
+    const match = header.match(/^PROXY (TCP4|TCP6) (\S+) (\S+) (\d+) (\d+)\r\n/);
+    if (match) {
+      return {
+        protocol: match[1],
+        sourceIP: match[2],
+        destIP: match[3],
+        sourcePort: parseInt(match[4]),
+        destPort: parseInt(match[5]),
+        headerLength: match[0].length
+      };
+    }
+    return null;
+  }
+}
+```
+
+### Phase 3: Automatic PROXY Protocol Detection
+- Peek at first bytes to detect PROXY protocol signature
+- Automatic fallback to direct connection if not present
+- Configurable timeout for protocol detection
+
+### Phase 4: PROXY Protocol v2 Support
+- Binary protocol format for better performance
+- Additional metadata support (TLS info, ALPN, etc.)
+- AWS VPC endpoint ID preservation
+
+## Troubleshooting
+
+### Connection Accumulation in Proxy Chains
+If connections accumulate when chaining proxies:
+1. Verify `enableHalfOpen: false` in socket forwarding
+2. Check that both proxies have proper cleanup handlers
+3. Monitor with connection count logging
+4. Use `test.proxy-chain-simple.node.ts` as reference
+
+### Real Client IP Not Preserved
+If the backend sees proxy IP instead of client IP:
+1. Verify outer proxy has `sendProxyProtocol: true`
+2. Verify inner proxy has outer proxy IP in `proxyIPs` list
+3. Check logs for "Connection from trusted proxy" message
+4. Ensure PROXY protocol parsing is implemented (currently pending)
+
+### Performance Impact
+PROXY protocol adds minimal overhead:
+- One-time parsing cost per connection
+- Small memory overhead for real client info storage
+- No impact on data transfer performance
+- Negligible CPU impact for header generation
+
+## Related Documentation
+- [Socket Utilities](./ts/core/utils/socket-utils.ts) - Low-level socket handling
+- [Connection Manager](./ts/proxies/smart-proxy/connection-manager.ts) - Connection lifecycle
+- [Route Handler](./ts/proxies/smart-proxy/route-connection-handler.ts) - Request routing
+- [Test Suite](./test/test.wrapped-socket.ts) - WrappedSocket unit tests

readme.routing.md

@@ -0,0 +1,341 @@
+# SmartProxy Routing Architecture Unification Plan
+
+## Overview
+This document analyzes the current state of routing in SmartProxy, identifies redundancies and inconsistencies, and proposes a unified architecture.
+
+## Current State Analysis
+
+### 1. Multiple Route Manager Implementations
+
+#### 1.1 Core SharedRouteManager (`ts/core/utils/route-manager.ts`)
+- **Purpose**: Designed as a shared component for SmartProxy and NetworkProxy
+- **Features**:
+  - Port mapping and expansion (e.g., `[80, 443]` → individual routes)
+  - Comprehensive route matching (domain, path, IP, headers, TLS)
+  - Route validation and conflict detection
+  - Event emitter for route changes
+  - Detailed logging support
+- **Status**: Well-designed but underutilized
+
+#### 1.2 SmartProxy RouteManager (`ts/proxies/smart-proxy/route-manager.ts`)
+- **Purpose**: SmartProxy-specific route management
+- **Issues**:
+  - 95% duplicate code from SharedRouteManager
+  - Only difference is using `ISmartProxyOptions` instead of generic interface
+  - Contains deprecated security methods
+  - Unnecessary code duplication
+- **Status**: Should be removed in favor of SharedRouteManager
+
+#### 1.3 HttpProxy Route Management (`ts/proxies/http-proxy/`)
+- **Purpose**: HTTP-specific routing
+- **Implementation**: Minimal, inline route matching
+- **Status**: Could benefit from SharedRouteManager
+
+### 2. Multiple Router Implementations
+
+#### 2.1 ProxyRouter (`ts/routing/router/proxy-router.ts`)
+- **Purpose**: Legacy compatibility with `IReverseProxyConfig`
+- **Features**: Domain-based routing with path patterns
+- **Used by**: HttpProxy for backward compatibility
+
+#### 2.2 RouteRouter (`ts/routing/router/route-router.ts`)
+- **Purpose**: Modern routing with `IRouteConfig`
+- **Features**: Nearly identical to ProxyRouter
+- **Issues**: Code duplication with ProxyRouter
+
+### 3. Scattered Route Utilities
+
+#### 3.1 Core route-utils (`ts/core/utils/route-utils.ts`)
+- **Purpose**: Shared matching functions
+- **Features**: Domain, path, IP, CIDR matching
+- **Status**: Well-implemented, should be the single source
+
+#### 3.2 SmartProxy route-utils (`ts/proxies/smart-proxy/utils/route-utils.ts`)
+- **Purpose**: Route configuration utilities
+- **Features**: Different scope - config merging, not pattern matching
+- **Status**: Keep separate as it serves different purpose
+
+### 4. Other Route-Related Files
+- `route-patterns.ts`: Constants for route patterns
+- `route-validators.ts`: Route configuration validation
+- `route-helpers.ts`: Additional utilities
+- `route-connection-handler.ts`: Connection routing logic
+
+## Problems Identified
+
+### 1. Code Duplication
+- **SharedRouteManager vs SmartProxy RouteManager**: ~1000 lines of duplicate code
+- **ProxyRouter vs RouteRouter**: ~500 lines of duplicate code
+- **Matching logic**: Implemented in 4+ different places
+
+### 2. Inconsistent Implementations
+```typescript
+// Example: Domain matching appears in multiple places
+// 1. In route-utils.ts
+export function matchDomain(pattern: string, hostname: string): boolean
+
+// 2. In SmartProxy RouteManager
+private matchDomain(domain: string, hostname: string): boolean
+
+// 3. In ProxyRouter
+private matchesHostname(configName: string, hostname: string): boolean
+
+// 4. In RouteRouter
+private matchDomain(pattern: string, hostname: string): boolean
+```
+
+### 3. Unclear Separation of Concerns
+- Route Managers handle both storage AND matching
+- Routers also handle storage AND matching
+- No clear boundaries between layers
+
+### 4. Maintenance Burden
+- Bug fixes need to be applied in multiple places
+- New features must be implemented multiple times
+- Testing effort multiplied
+
+## Proposed Unified Architecture
+
+### Layer 1: Core Routing Components
+```
+ts/core/routing/
+├── types.ts              # All route-related types
+├── utils.ts              # All matching logic (consolidated)
+├── route-store.ts        # Route storage and indexing
+└── route-matcher.ts      # Route matching engine
+```
+
+### Layer 2: Route Management
+```
+ts/core/routing/
+└── route-manager.ts      # Single RouteManager for all proxies
+    - Uses RouteStore for storage
+    - Uses RouteMatcher for matching
+    - Provides high-level API
+```
+
+### Layer 3: HTTP Routing
+```
+ts/routing/
+└── http-router.ts        # Single HTTP router implementation
+    - Uses RouteManager for route lookup
+    - Handles HTTP-specific concerns
+    - Legacy adapter built-in
+```
+
+### Layer 4: Proxy Integration
+```
+ts/proxies/
+├── smart-proxy/
+│   └── (uses core RouteManager directly)
+├── http-proxy/
+│   └── (uses core RouteManager + HttpRouter)
+└── network-proxy/
+    └── (uses core RouteManager directly)
+```
+
+## Implementation Plan
+
+### Phase 1: Consolidate Matching Logic (Week 1)
+1. **Audit all matching implementations**
+   - Document differences in behavior
+   - Identify the most comprehensive implementation
+   - Create test suite covering all edge cases
+
+2. **Create unified matching module**
+   ```typescript
+   // ts/core/routing/matchers.ts
+   export class DomainMatcher {
+     static match(pattern: string, hostname: string): boolean
+   }
+   
+   export class PathMatcher {
+     static match(pattern: string, path: string): MatchResult
+   }
+   
+   export class IpMatcher {
+     static match(pattern: string, ip: string): boolean
+     static matchCidr(cidr: string, ip: string): boolean
+   }
+   ```
+
+3. **Update all components to use unified matchers**
+   - Replace local implementations
+   - Ensure backward compatibility
+   - Run comprehensive tests
+
+### Phase 2: Unify Route Managers (Week 2)
+1. **Enhance SharedRouteManager**
+   - Add any missing features from SmartProxy RouteManager
+   - Make it truly generic (no proxy-specific dependencies)
+   - Add adapter pattern for different options types
+
+2. **Migrate SmartProxy to use SharedRouteManager**
+   ```typescript
+   // Before
+   this.routeManager = new RouteManager(this.settings);
+   
+   // After
+   this.routeManager = new SharedRouteManager({
+     logger: this.settings.logger,
+     enableDetailedLogging: this.settings.enableDetailedLogging
+   });
+   ```
+
+3. **Remove duplicate RouteManager**
+   - Delete `ts/proxies/smart-proxy/route-manager.ts`
+   - Update all imports
+   - Verify all tests pass
+
+### Phase 3: Consolidate Routers (Week 3)
+1. **Create unified HttpRouter**
+   ```typescript
+   export class HttpRouter {
+     constructor(private routeManager: SharedRouteManager) {}
+     
+     // Modern interface
+     route(req: IncomingMessage): RouteResult
+     
+     // Legacy adapter
+     routeLegacy(config: IReverseProxyConfig): RouteResult
+   }
+   ```
+
+2. **Migrate HttpProxy**
+   - Replace both ProxyRouter and RouteRouter
+   - Use single HttpRouter with appropriate adapter
+   - Maintain backward compatibility
+
+3. **Clean up legacy code**
+   - Mark old interfaces as deprecated
+   - Add migration guides
+   - Plan removal in next major version
+
+### Phase 4: Architecture Cleanup (Week 4)
+1. **Reorganize file structure**
+   ```
+   ts/core/
+   ├── routing/
+   │   ├── index.ts
+   │   ├── types.ts
+   │   ├── matchers/
+   │   │   ├── domain.ts
+   │   │   ├── path.ts
+   │   │   ├── ip.ts
+   │   │   └── index.ts
+   │   ├── route-store.ts
+   │   ├── route-matcher.ts
+   │   └── route-manager.ts
+   └── utils/
+       └── (remove route-specific utils)
+   ```
+
+2. **Update documentation**
+   - Architecture diagrams
+   - Migration guides
+   - API documentation
+
+3. **Performance optimization**
+   - Add caching where beneficial
+   - Optimize hot paths
+   - Benchmark before/after
+
+## Migration Strategy
+
+### For SmartProxy RouteManager Users
+```typescript
+// Old way
+import { RouteManager } from './route-manager.js';
+const manager = new RouteManager(options);
+
+// New way
+import { SharedRouteManager as RouteManager } from '../core/utils/route-manager.js';
+const manager = new RouteManager({
+  logger: options.logger,
+  enableDetailedLogging: options.enableDetailedLogging
+});
+```
+
+### For Router Users
+```typescript
+// Old way
+const proxyRouter = new ProxyRouter();
+const routeRouter = new RouteRouter();
+
+// New way
+const router = new HttpRouter(routeManager);
+// Automatically handles both modern and legacy configs
+```
+
+## Success Metrics
+
+1. **Code Reduction**
+   - Target: Remove ~1,500 lines of duplicate code
+   - Measure: Lines of code before/after
+
+2. **Performance**
+   - Target: No regression in routing performance
+   - Measure: Benchmark route matching operations
+
+3. **Maintainability**
+   - Target: Single implementation for each concept
+   - Measure: Time to implement new features
+
+4. **Test Coverage**
+   - Target: 100% coverage of routing logic
+   - Measure: Coverage reports
+
+## Risks and Mitigations
+
+### Risk 1: Breaking Changes
+- **Mitigation**: Extensive adapter patterns and backward compatibility layers
+- **Testing**: Run all existing tests plus new integration tests
+
+### Risk 2: Performance Regression
+- **Mitigation**: Benchmark critical paths before changes
+- **Testing**: Load testing with production-like scenarios
+
+### Risk 3: Hidden Dependencies
+- **Mitigation**: Careful code analysis and dependency mapping
+- **Testing**: Integration tests across all proxy types
+
+## Long-term Vision
+
+### Future Enhancements
+1. **Route Caching**: LRU cache for frequently accessed routes
+2. **Route Indexing**: Trie-based indexing for faster domain matching
+3. **Route Priorities**: Explicit priority system instead of specificity
+4. **Dynamic Routes**: Support for runtime route modifications
+5. **Route Templates**: Reusable route configurations
+
+### API Evolution
+```typescript
+// Future unified routing API
+const routingEngine = new RoutingEngine({
+  stores: [fileStore, dbStore, dynamicStore],
+  matchers: [domainMatcher, pathMatcher, customMatcher],
+  cache: new LRUCache({ max: 1000 }),
+  indexes: {
+    domain: new TrieIndex(),
+    path: new RadixTree()
+  }
+});
+
+// Simple, powerful API
+const route = await routingEngine.findRoute({
+  domain: 'example.com',
+  path: '/api/v1/users',
+  ip: '192.168.1.1',
+  headers: { 'x-custom': 'value' }
+});
+```
+
+## Conclusion
+
+The current routing architecture has significant duplication and inconsistencies. By following this unification plan, we can:
+1. Reduce code by ~30%
+2. Improve maintainability
+3. Ensure consistent behavior
+4. Enable future enhancements
+
+The phased approach minimizes risk while delivering incremental value. Each phase is independently valuable and can be deployed separately.

test/core/routing/test.domain-matcher.ts

@@ -0,0 +1,79 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { DomainMatcher } from '../../../ts/core/routing/matchers/domain.js';
+
+tap.test('DomainMatcher - exact match', async () => {
+  expect(DomainMatcher.match('example.com', 'example.com')).toEqual(true);
+  expect(DomainMatcher.match('example.com', 'example.net')).toEqual(false);
+  expect(DomainMatcher.match('sub.example.com', 'example.com')).toEqual(false);
+});
+
+tap.test('DomainMatcher - case insensitive', async () => {
+  expect(DomainMatcher.match('Example.COM', 'example.com')).toEqual(true);
+  expect(DomainMatcher.match('example.com', 'EXAMPLE.COM')).toEqual(true);
+  expect(DomainMatcher.match('ExAmPlE.cOm', 'eXaMpLe.CoM')).toEqual(true);
+});
+
+tap.test('DomainMatcher - wildcard matching', async () => {
+  // Leading wildcard
+  expect(DomainMatcher.match('*.example.com', 'sub.example.com')).toEqual(true);
+  expect(DomainMatcher.match('*.example.com', 'deep.sub.example.com')).toEqual(true);
+  expect(DomainMatcher.match('*.example.com', 'example.com')).toEqual(false);
+  
+  // Multiple wildcards
+  expect(DomainMatcher.match('*.*.example.com', 'a.b.example.com')).toEqual(true);
+  expect(DomainMatcher.match('api.*.example.com', 'api.v1.example.com')).toEqual(true);
+  
+  // Trailing wildcard
+  expect(DomainMatcher.match('example.*', 'example.com')).toEqual(true);
+  expect(DomainMatcher.match('example.*', 'example.net')).toEqual(true);
+  expect(DomainMatcher.match('example.*', 'example.co.uk')).toEqual(true);
+});
+
+tap.test('DomainMatcher - FQDN normalization', async () => {
+  expect(DomainMatcher.match('example.com.', 'example.com')).toEqual(true);
+  expect(DomainMatcher.match('example.com', 'example.com.')).toEqual(true);
+  expect(DomainMatcher.match('example.com.', 'example.com.')).toEqual(true);
+});
+
+tap.test('DomainMatcher - edge cases', async () => {
+  expect(DomainMatcher.match('', 'example.com')).toEqual(false);
+  expect(DomainMatcher.match('example.com', '')).toEqual(false);
+  expect(DomainMatcher.match('', '')).toEqual(false);
+  expect(DomainMatcher.match(null as any, 'example.com')).toEqual(false);
+  expect(DomainMatcher.match('example.com', null as any)).toEqual(false);
+});
+
+tap.test('DomainMatcher - specificity calculation', async () => {
+  // Exact domains are most specific
+  const exactScore = DomainMatcher.calculateSpecificity('api.example.com');
+  const wildcardScore = DomainMatcher.calculateSpecificity('*.example.com');
+  const leadingWildcardScore = DomainMatcher.calculateSpecificity('*.com');
+  
+  expect(exactScore).toBeGreaterThan(wildcardScore);
+  expect(wildcardScore).toBeGreaterThan(leadingWildcardScore);
+  
+  // More segments = more specific
+  const threeSegments = DomainMatcher.calculateSpecificity('api.v1.example.com');
+  const twoSegments = DomainMatcher.calculateSpecificity('example.com');
+  expect(threeSegments).toBeGreaterThan(twoSegments);
+});
+
+tap.test('DomainMatcher - findAllMatches', async () => {
+  const patterns = [
+    'example.com',
+    '*.example.com',
+    'api.example.com',
+    '*.api.example.com',
+    '*'
+  ];
+  
+  const matches = DomainMatcher.findAllMatches(patterns, 'v1.api.example.com');
+  
+  // Should match: *.example.com, *.api.example.com, *
+  expect(matches).toHaveLength(3);
+  expect(matches[0]).toEqual('*.api.example.com'); // Most specific
+  expect(matches[1]).toEqual('*.example.com');
+  expect(matches[2]).toEqual('*'); // Least specific
+});
+
+tap.start();

test/core/routing/test.ip-matcher.ts

@@ -0,0 +1,118 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { IpMatcher } from '../../../ts/core/routing/matchers/ip.js';
+
+tap.test('IpMatcher - exact match', async () => {
+  expect(IpMatcher.match('192.168.1.1', '192.168.1.1')).toEqual(true);
+  expect(IpMatcher.match('192.168.1.1', '192.168.1.2')).toEqual(false);
+  expect(IpMatcher.match('10.0.0.1', '10.0.0.1')).toEqual(true);
+});
+
+tap.test('IpMatcher - CIDR notation', async () => {
+  // /24 subnet
+  expect(IpMatcher.match('192.168.1.0/24', '192.168.1.1')).toEqual(true);
+  expect(IpMatcher.match('192.168.1.0/24', '192.168.1.255')).toEqual(true);
+  expect(IpMatcher.match('192.168.1.0/24', '192.168.2.1')).toEqual(false);
+  
+  // /16 subnet
+  expect(IpMatcher.match('10.0.0.0/16', '10.0.1.1')).toEqual(true);
+  expect(IpMatcher.match('10.0.0.0/16', '10.0.255.255')).toEqual(true);
+  expect(IpMatcher.match('10.0.0.0/16', '10.1.0.1')).toEqual(false);
+  
+  // /32 (single host)
+  expect(IpMatcher.match('192.168.1.1/32', '192.168.1.1')).toEqual(true);
+  expect(IpMatcher.match('192.168.1.1/32', '192.168.1.2')).toEqual(false);
+});
+
+tap.test('IpMatcher - wildcard matching', async () => {
+  expect(IpMatcher.match('192.168.1.*', '192.168.1.1')).toEqual(true);
+  expect(IpMatcher.match('192.168.1.*', '192.168.1.255')).toEqual(true);
+  expect(IpMatcher.match('192.168.1.*', '192.168.2.1')).toEqual(false);
+  
+  expect(IpMatcher.match('192.168.*.*', '192.168.0.1')).toEqual(true);
+  expect(IpMatcher.match('192.168.*.*', '192.168.255.255')).toEqual(true);
+  expect(IpMatcher.match('192.168.*.*', '192.169.0.1')).toEqual(false);
+  
+  expect(IpMatcher.match('*.*.*.*', '1.2.3.4')).toEqual(true);
+  expect(IpMatcher.match('*.*.*.*', '255.255.255.255')).toEqual(true);
+});
+
+tap.test('IpMatcher - range matching', async () => {
+  expect(IpMatcher.match('192.168.1.1-192.168.1.10', '192.168.1.1')).toEqual(true);
+  expect(IpMatcher.match('192.168.1.1-192.168.1.10', '192.168.1.5')).toEqual(true);
+  expect(IpMatcher.match('192.168.1.1-192.168.1.10', '192.168.1.10')).toEqual(true);
+  expect(IpMatcher.match('192.168.1.1-192.168.1.10', '192.168.1.11')).toEqual(false);
+  expect(IpMatcher.match('192.168.1.1-192.168.1.10', '192.168.1.0')).toEqual(false);
+});
+
+tap.test('IpMatcher - IPv6-mapped IPv4', async () => {
+  expect(IpMatcher.match('192.168.1.1', '::ffff:192.168.1.1')).toEqual(true);
+  expect(IpMatcher.match('192.168.1.0/24', '::ffff:192.168.1.100')).toEqual(true);
+  expect(IpMatcher.match('192.168.1.*', '::FFFF:192.168.1.50')).toEqual(true);
+});
+
+tap.test('IpMatcher - IP validation', async () => {
+  expect(IpMatcher.isValidIpv4('192.168.1.1')).toEqual(true);
+  expect(IpMatcher.isValidIpv4('255.255.255.255')).toEqual(true);
+  expect(IpMatcher.isValidIpv4('0.0.0.0')).toEqual(true);
+  
+  expect(IpMatcher.isValidIpv4('256.1.1.1')).toEqual(false);
+  expect(IpMatcher.isValidIpv4('1.1.1')).toEqual(false);
+  expect(IpMatcher.isValidIpv4('1.1.1.1.1')).toEqual(false);
+  expect(IpMatcher.isValidIpv4('1.1.1.a')).toEqual(false);
+  expect(IpMatcher.isValidIpv4('01.1.1.1')).toEqual(false); // No leading zeros
+});
+
+tap.test('IpMatcher - isAuthorized', async () => {
+  // Empty lists - allow all
+  expect(IpMatcher.isAuthorized('192.168.1.1')).toEqual(true);
+  
+  // Allow list only
+  const allowList = ['192.168.1.0/24', '10.0.0.0/16'];
+  expect(IpMatcher.isAuthorized('192.168.1.100', allowList)).toEqual(true);
+  expect(IpMatcher.isAuthorized('10.0.50.1', allowList)).toEqual(true);
+  expect(IpMatcher.isAuthorized('172.16.0.1', allowList)).toEqual(false);
+  
+  // Block list only
+  const blockList = ['192.168.1.100', '10.0.0.0/24'];
+  expect(IpMatcher.isAuthorized('192.168.1.100', [], blockList)).toEqual(false);
+  expect(IpMatcher.isAuthorized('10.0.0.50', [], blockList)).toEqual(false);
+  expect(IpMatcher.isAuthorized('192.168.1.101', [], blockList)).toEqual(true);
+  
+  // Both lists - block takes precedence
+  expect(IpMatcher.isAuthorized('192.168.1.100', allowList, ['192.168.1.100'])).toEqual(false);
+});
+
+tap.test('IpMatcher - specificity calculation', async () => {
+  // Exact IPs are most specific
+  const exactScore = IpMatcher.calculateSpecificity('192.168.1.1');
+  const cidr32Score = IpMatcher.calculateSpecificity('192.168.1.1/32');
+  const cidr24Score = IpMatcher.calculateSpecificity('192.168.1.0/24');
+  const cidr16Score = IpMatcher.calculateSpecificity('192.168.0.0/16');
+  const wildcardScore = IpMatcher.calculateSpecificity('192.168.1.*');
+  const rangeScore = IpMatcher.calculateSpecificity('192.168.1.1-192.168.1.10');
+  
+  expect(exactScore).toBeGreaterThan(cidr24Score);
+  expect(cidr32Score).toBeGreaterThan(cidr24Score);
+  expect(cidr24Score).toBeGreaterThan(cidr16Score);
+  expect(rangeScore).toBeGreaterThan(wildcardScore);
+});
+
+tap.test('IpMatcher - edge cases', async () => {
+  // Empty/null inputs
+  expect(IpMatcher.match('', '192.168.1.1')).toEqual(false);
+  expect(IpMatcher.match('192.168.1.1', '')).toEqual(false);
+  expect(IpMatcher.match(null as any, '192.168.1.1')).toEqual(false);
+  expect(IpMatcher.match('192.168.1.1', null as any)).toEqual(false);
+  
+  // Invalid CIDR
+  expect(IpMatcher.match('192.168.1.0/33', '192.168.1.1')).toEqual(false);
+  expect(IpMatcher.match('192.168.1.0/-1', '192.168.1.1')).toEqual(false);
+  expect(IpMatcher.match('192.168.1.0/', '192.168.1.1')).toEqual(false);
+  
+  // Invalid ranges
+  expect(IpMatcher.match('192.168.1.10-192.168.1.1', '192.168.1.5')).toEqual(false); // Start > end
+  expect(IpMatcher.match('192.168.1.1-', '192.168.1.5')).toEqual(false);
+  expect(IpMatcher.match('-192.168.1.10', '192.168.1.5')).toEqual(false);
+});
+
+tap.start();

test/core/routing/test.path-matcher.ts

@@ -0,0 +1,127 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { PathMatcher } from '../../../ts/core/routing/matchers/path.js';
+
+tap.test('PathMatcher - exact match', async () => {
+  const result = PathMatcher.match('/api/users', '/api/users');
+  expect(result.matches).toEqual(true);
+  expect(result.pathMatch).toEqual('/api/users');
+  expect(result.pathRemainder).toEqual('');
+  expect(result.params).toEqual({});
+});
+
+tap.test('PathMatcher - no match', async () => {
+  const result = PathMatcher.match('/api/users', '/api/posts');
+  expect(result.matches).toEqual(false);
+});
+
+tap.test('PathMatcher - parameter extraction', async () => {
+  const result = PathMatcher.match('/users/:id/profile', '/users/123/profile');
+  expect(result.matches).toEqual(true);
+  expect(result.params).toEqual({ id: '123' });
+  expect(result.pathMatch).toEqual('/users/123/profile');
+  expect(result.pathRemainder).toEqual('');
+});
+
+tap.test('PathMatcher - multiple parameters', async () => {
+  const result = PathMatcher.match('/api/:version/users/:id', '/api/v2/users/456');
+  expect(result.matches).toEqual(true);
+  expect(result.params).toEqual({ version: 'v2', id: '456' });
+});
+
+tap.test('PathMatcher - wildcard matching', async () => {
+  const result = PathMatcher.match('/api/*', '/api/users/123/profile');
+  expect(result.matches).toEqual(true);
+  expect(result.pathMatch).toEqual('/api');  // Normalized without trailing slash
+  expect(result.pathRemainder).toEqual('users/123/profile');
+});
+
+tap.test('PathMatcher - mixed parameters and wildcards', async () => {
+  const result = PathMatcher.match('/api/:version/*', '/api/v1/users/123');
+  expect(result.matches).toEqual(true);
+  expect(result.params).toEqual({ version: 'v1' });
+  expect(result.pathRemainder).toEqual('users/123');
+});
+
+tap.test('PathMatcher - trailing slash normalization', async () => {
+  // Both with trailing slash
+  let result = PathMatcher.match('/api/users/', '/api/users/');
+  expect(result.matches).toEqual(true);
+  
+  // Pattern with, path without
+  result = PathMatcher.match('/api/users/', '/api/users');
+  expect(result.matches).toEqual(true);
+  
+  // Pattern without, path with
+  result = PathMatcher.match('/api/users', '/api/users/');
+  expect(result.matches).toEqual(true);
+});
+
+tap.test('PathMatcher - root path handling', async () => {
+  const result = PathMatcher.match('/', '/');
+  expect(result.matches).toEqual(true);
+  expect(result.pathMatch).toEqual('/');
+  expect(result.pathRemainder).toEqual('');
+});
+
+tap.test('PathMatcher - specificity calculation', async () => {
+  // Exact paths are most specific
+  const exactScore = PathMatcher.calculateSpecificity('/api/v1/users');
+  const paramScore = PathMatcher.calculateSpecificity('/api/:version/users');
+  const wildcardScore = PathMatcher.calculateSpecificity('/api/*');
+  
+  expect(exactScore).toBeGreaterThan(paramScore);
+  expect(paramScore).toBeGreaterThan(wildcardScore);
+  
+  // More segments = more specific
+  const deepPath = PathMatcher.calculateSpecificity('/api/v1/users/profile/settings');
+  const shallowPath = PathMatcher.calculateSpecificity('/api/users');
+  expect(deepPath).toBeGreaterThan(shallowPath);
+  
+  // More static segments = more specific
+  const moreStatic = PathMatcher.calculateSpecificity('/api/v1/users/:id');
+  const lessStatic = PathMatcher.calculateSpecificity('/api/:version/:resource/:id');
+  expect(moreStatic).toBeGreaterThan(lessStatic);
+});
+
+tap.test('PathMatcher - findAllMatches', async () => {
+  const patterns = [
+    '/api/users',
+    '/api/users/:id',
+    '/api/users/:id/profile',
+    '/api/*',
+    '/*'
+  ];
+  
+  const matches = PathMatcher.findAllMatches(patterns, '/api/users/123/profile');
+  
+  // With the stricter path matching, /api/users won't match /api/users/123/profile
+  // Only patterns with wildcards, parameters, or exact matches will work
+  expect(matches).toHaveLength(4);
+  
+  // Verify all expected patterns are in the results
+  const matchedPatterns = matches.map(m => m.pattern);
+  expect(matchedPatterns).not.toContain('/api/users'); // This won't match anymore (no prefix matching)
+  expect(matchedPatterns).toContain('/api/users/:id');
+  expect(matchedPatterns).toContain('/api/users/:id/profile');
+  expect(matchedPatterns).toContain('/api/*');
+  expect(matchedPatterns).toContain('/*');
+  
+  // Verify parameters were extracted correctly for parameterized patterns
+  const paramsById = matches.find(m => m.pattern === '/api/users/:id');
+  const paramsByIdProfile = matches.find(m => m.pattern === '/api/users/:id/profile');
+  expect(paramsById?.result.params).toEqual({ id: '123' });
+  expect(paramsByIdProfile?.result.params).toEqual({ id: '123' });
+});
+
+tap.test('PathMatcher - edge cases', async () => {
+  // Empty patterns
+  expect(PathMatcher.match('', '/api/users').matches).toEqual(false);
+  expect(PathMatcher.match('/api/users', '').matches).toEqual(false);
+  expect(PathMatcher.match('', '').matches).toEqual(false);
+  
+  // Null/undefined
+  expect(PathMatcher.match(null as any, '/api/users').matches).toEqual(false);
+  expect(PathMatcher.match('/api/users', null as any).matches).toEqual(false);
+});
+
+tap.start();

test/core/utils/test.route-utils.ts

@@ -1,110 +0,0 @@
-import { expect, tap } from '@git.zone/tstest/tapbundle';
-import * as routeUtils from '../../../ts/core/utils/route-utils.js';
-
-// Test domain matching
-tap.test('Route Utils - Domain Matching - exact domains', async () => {
-  expect(routeUtils.matchDomain('example.com', 'example.com')).toEqual(true);
-});
-
-tap.test('Route Utils - Domain Matching - wildcard domains', async () => {
-  expect(routeUtils.matchDomain('*.example.com', 'sub.example.com')).toEqual(true);
-  expect(routeUtils.matchDomain('*.example.com', 'another.sub.example.com')).toEqual(true);
-  expect(routeUtils.matchDomain('*.example.com', 'example.com')).toEqual(false);
-});
-
-tap.test('Route Utils - Domain Matching - case insensitivity', async () => {
-  expect(routeUtils.matchDomain('example.com', 'EXAMPLE.com')).toEqual(true);
-});
-
-tap.test('Route Utils - Domain Matching - multiple domain patterns', async () => {
-  expect(routeUtils.matchRouteDomain(['example.com', '*.test.com'], 'example.com')).toEqual(true);
-  expect(routeUtils.matchRouteDomain(['example.com', '*.test.com'], 'sub.test.com')).toEqual(true);
-  expect(routeUtils.matchRouteDomain(['example.com', '*.test.com'], 'something.else')).toEqual(false);
-});
-
-// Test path matching
-tap.test('Route Utils - Path Matching - exact paths', async () => {
-  expect(routeUtils.matchPath('/api/users', '/api/users')).toEqual(true);
-});
-
-tap.test('Route Utils - Path Matching - wildcard paths', async () => {
-  expect(routeUtils.matchPath('/api/*', '/api/users')).toEqual(true);
-  expect(routeUtils.matchPath('/api/*', '/api/products')).toEqual(true);
-  expect(routeUtils.matchPath('/api/*', '/something/else')).toEqual(false);
-});
-
-tap.test('Route Utils - Path Matching - complex wildcard patterns', async () => {
-  expect(routeUtils.matchPath('/api/*/details', '/api/users/details')).toEqual(true);
-  expect(routeUtils.matchPath('/api/*/details', '/api/products/details')).toEqual(true);
-  expect(routeUtils.matchPath('/api/*/details', '/api/users/other')).toEqual(false);
-});
-
-// Test IP matching
-tap.test('Route Utils - IP Matching - exact IPs', async () => {
-  expect(routeUtils.matchIpPattern('192.168.1.1', '192.168.1.1')).toEqual(true);
-});
-
-tap.test('Route Utils - IP Matching - wildcard IPs', async () => {
-  expect(routeUtils.matchIpPattern('192.168.1.*', '192.168.1.100')).toEqual(true);
-  expect(routeUtils.matchIpPattern('192.168.1.*', '192.168.2.1')).toEqual(false);
-});
-
-tap.test('Route Utils - IP Matching - CIDR notation', async () => {
-  expect(routeUtils.matchIpPattern('192.168.1.0/24', '192.168.1.100')).toEqual(true);
-  expect(routeUtils.matchIpPattern('192.168.1.0/24', '192.168.2.1')).toEqual(false);
-});
-
-tap.test('Route Utils - IP Matching - IPv6-mapped IPv4 addresses', async () => {
-  expect(routeUtils.matchIpPattern('192.168.1.1', '::ffff:192.168.1.1')).toEqual(true);
-});
-
-tap.test('Route Utils - IP Matching - IP authorization with allow/block lists', async () => {
-  // With allow and block lists
-  expect(routeUtils.isIpAuthorized('192.168.1.1', ['192.168.1.*'], ['192.168.1.5'])).toEqual(true);
-  expect(routeUtils.isIpAuthorized('192.168.1.5', ['192.168.1.*'], ['192.168.1.5'])).toEqual(false);
-  
-  // With only allow list
-  expect(routeUtils.isIpAuthorized('192.168.1.1', ['192.168.1.*'])).toEqual(true);
-  expect(routeUtils.isIpAuthorized('192.168.2.1', ['192.168.1.*'])).toEqual(false);
-  
-  // With only block list
-  expect(routeUtils.isIpAuthorized('192.168.1.5', undefined, ['192.168.1.5'])).toEqual(false);
-  expect(routeUtils.isIpAuthorized('192.168.1.1', undefined, ['192.168.1.5'])).toEqual(true);
-  
-  // With wildcard in allow list
-  expect(routeUtils.isIpAuthorized('192.168.1.1', ['*'], ['192.168.1.5'])).toEqual(true);
-});
-
-// Test route specificity calculation
-tap.test('Route Utils - Route Specificity - calculating correctly', async () => {
-  const basicRoute = { domains: 'example.com' };
-  const pathRoute = { domains: 'example.com', path: '/api' };
-  const wildcardPathRoute = { domains: 'example.com', path: '/api/*' };
-  const headerRoute = { domains: 'example.com', headers: { 'content-type': 'application/json' } };
-  const complexRoute = { 
-    domains: 'example.com', 
-    path: '/api', 
-    headers: { 'content-type': 'application/json' },
-    clientIp: ['192.168.1.1'] 
-  };
-  
-  // Path routes should have higher specificity than domain-only routes
-  expect(routeUtils.calculateRouteSpecificity(pathRoute) > 
-         routeUtils.calculateRouteSpecificity(basicRoute)).toEqual(true);
-  
-  // Exact path routes should have higher specificity than wildcard path routes
-  expect(routeUtils.calculateRouteSpecificity(pathRoute) > 
-         routeUtils.calculateRouteSpecificity(wildcardPathRoute)).toEqual(true);
-  
-  // Routes with headers should have higher specificity than routes without
-  expect(routeUtils.calculateRouteSpecificity(headerRoute) > 
-         routeUtils.calculateRouteSpecificity(basicRoute)).toEqual(true);
-  
-  // Complex routes should have the highest specificity
-  expect(routeUtils.calculateRouteSpecificity(complexRoute) > 
-         routeUtils.calculateRouteSpecificity(pathRoute)).toEqual(true);
-  expect(routeUtils.calculateRouteSpecificity(complexRoute) > 
-         routeUtils.calculateRouteSpecificity(headerRoute)).toEqual(true);
-});
-
-export default tap.start();

test/test.acme-route-creation.ts

@@ -92,7 +92,7 @@ tap.test('should create ACME challenge route', async (tools) => {
   await proxy.start();
   
   // Verify the challenge route is in the proxy's routes
-  const proxyRoutes = proxy.routeManager.getAllRoutes();
+  const proxyRoutes = proxy.routeManager.getRoutes();
   const foundChallengeRoute = proxyRoutes.find((r: any) => r.name === 'acme-challenge');
   
   expect(foundChallengeRoute).toBeDefined();

test/test.cleanup-queue-bug.node.ts

@@ -0,0 +1,93 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { SmartProxy } from '../ts/index.js';
+
+tap.test('cleanup queue bug - verify queue processing handles more than batch size', async (tools) => {
+  console.log('\n=== Cleanup Queue Bug Test ===');
+  console.log('Purpose: Verify that the cleanup queue correctly processes all connections');
+  console.log('even when there are more than the batch size (100)');
+  
+  // Create proxy
+  const proxy = new SmartProxy({
+    routes: [{
+      name: 'test-route',
+      match: { ports: 8588 },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 9996 }
+      }
+    }],
+    enableDetailedLogging: false,
+  });
+  
+  await proxy.start();
+  console.log('✓ Proxy started on port 8588');
+  
+  // Access connection manager
+  const cm = (proxy as any).connectionManager;
+  
+  // Create mock connection records
+  console.log('\n--- Creating 150 mock connections ---');
+  const mockConnections: any[] = [];
+  
+  for (let i = 0; i < 150; i++) {
+    const mockRecord = {
+      id: `mock-${i}`,
+      incoming: { destroyed: true, remoteAddress: '127.0.0.1' },
+      outgoing: { destroyed: true },
+      connectionClosed: false,
+      incomingStartTime: Date.now(),
+      lastActivity: Date.now(),
+      remoteIP: '127.0.0.1',
+      remotePort: 10000 + i,
+      localPort: 8588,
+      bytesReceived: 100,
+      bytesSent: 100,
+      incomingTerminationReason: null,
+      cleanupTimer: null
+    };
+    
+    // Add to connection records
+    cm.connectionRecords.set(mockRecord.id, mockRecord);
+    mockConnections.push(mockRecord);
+  }
+  
+  console.log(`Created ${cm.getConnectionCount()} mock connections`);
+  expect(cm.getConnectionCount()).toEqual(150);
+  
+  // Queue all connections for cleanup
+  console.log('\n--- Queueing all connections for cleanup ---');
+  for (const conn of mockConnections) {
+    cm.initiateCleanupOnce(conn, 'test_cleanup');
+  }
+  
+  console.log(`Cleanup queue size: ${cm.cleanupQueue.size}`);
+  expect(cm.cleanupQueue.size).toEqual(150);
+  
+  // Wait for cleanup to complete
+  console.log('\n--- Waiting for cleanup batches to process ---');
+  
+  // The first batch should process immediately (100 connections)
+  // Then additional batches should be scheduled
+  await new Promise(resolve => setTimeout(resolve, 500));
+  
+  // Check final state
+  const finalCount = cm.getConnectionCount();
+  console.log(`\nFinal connection count: ${finalCount}`);
+  console.log(`Cleanup queue size: ${cm.cleanupQueue.size}`);
+  
+  // All connections should be cleaned up
+  expect(finalCount).toEqual(0);
+  expect(cm.cleanupQueue.size).toEqual(0);
+  
+  // Verify termination stats
+  const stats = cm.getTerminationStats();
+  console.log('Termination stats:', stats);
+  expect(stats.incoming.test_cleanup).toEqual(150);
+  
+  // Cleanup
+  await proxy.stop();
+  
+  console.log('\n✓ Test complete: Cleanup queue now correctly processes all connections');
+});
+
+tap.start();

test/test.connect-disconnect-cleanup.node.ts

@@ -0,0 +1,242 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import * as net from 'net';
+import * as plugins from '../ts/plugins.js';
+
+// Import SmartProxy and configurations
+import { SmartProxy } from '../ts/index.js';
+
+tap.test('should handle clients that connect and immediately disconnect without sending data', async () => {
+  console.log('\n=== Testing Connect-Disconnect Cleanup ===');
+  
+  // Create a SmartProxy instance
+  const proxy = new SmartProxy({
+    ports: [8560],
+    enableDetailedLogging: false,
+    initialDataTimeout: 5000, // 5 second timeout for initial data
+    routes: [{
+      name: 'test-route',
+      match: { ports: 8560 },
+      action: {
+        type: 'forward',
+        target: {
+          host: 'localhost',
+          port: 9999  // Non-existent port
+        }
+      }
+    }]
+  });
+  
+  // Start the proxy
+  await proxy.start();
+  console.log('✓ Proxy started on port 8560');
+  
+  // Helper to get active connection count
+  const getActiveConnections = () => {
+    const connectionManager = (proxy as any).connectionManager;
+    return connectionManager ? connectionManager.getConnectionCount() : 0;
+  };
+  
+  const initialCount = getActiveConnections();
+  console.log(`Initial connection count: ${initialCount}`);
+  
+  // Test 1: Connect and immediately disconnect without sending data
+  console.log('\n--- Test 1: Immediate disconnect ---');
+  const connectionCounts: number[] = [];
+  
+  for (let i = 0; i < 10; i++) {
+    const client = new net.Socket();
+    
+    // Connect and immediately destroy
+    client.connect(8560, 'localhost', () => {
+      // Connected - immediately destroy without sending data
+      client.destroy();
+    });
+    
+    // Wait a tiny bit
+    await new Promise(resolve => setTimeout(resolve, 10));
+    
+    const count = getActiveConnections();
+    connectionCounts.push(count);
+    if ((i + 1) % 5 === 0) {
+      console.log(`After ${i + 1} connect/disconnect cycles: ${count} active connections`);
+    }
+  }
+  
+  // Wait a bit for cleanup
+  await new Promise(resolve => setTimeout(resolve, 500));
+  
+  const afterImmediateDisconnect = getActiveConnections();
+  console.log(`After immediate disconnect test: ${afterImmediateDisconnect} active connections`);
+  
+  // Test 2: Connect, wait a bit, then disconnect without sending data
+  console.log('\n--- Test 2: Delayed disconnect ---');
+  
+  for (let i = 0; i < 5; i++) {
+    const client = new net.Socket();
+    
+    client.on('error', () => {
+      // Ignore errors
+    });
+    
+    client.connect(8560, 'localhost', () => {
+      // Wait 100ms then disconnect without sending data
+      setTimeout(() => {
+        if (!client.destroyed) {
+          client.destroy();
+        }
+      }, 100);
+    });
+  }
+  
+  // Check count immediately
+  const duringDelayed = getActiveConnections();
+  console.log(`During delayed disconnect test: ${duringDelayed} active connections`);
+  
+  // Wait for cleanup
+  await new Promise(resolve => setTimeout(resolve, 1000));
+  
+  const afterDelayedDisconnect = getActiveConnections();
+  console.log(`After delayed disconnect test: ${afterDelayedDisconnect} active connections`);
+  
+  // Test 3: Mix of immediate and delayed disconnects
+  console.log('\n--- Test 3: Mixed disconnect patterns ---');
+  
+  const promises = [];
+  for (let i = 0; i < 20; i++) {
+    promises.push(new Promise<void>((resolve) => {
+      const client = new net.Socket();
+      
+      client.on('error', () => {
+        resolve();
+      });
+      
+      client.on('close', () => {
+        resolve();
+      });
+      
+      client.connect(8560, 'localhost', () => {
+        if (i % 2 === 0) {
+          // Half disconnect immediately
+          client.destroy();
+        } else {
+          // Half wait 50ms
+          setTimeout(() => {
+            if (!client.destroyed) {
+              client.destroy();
+            }
+          }, 50);
+        }
+      });
+      
+      // Failsafe timeout
+      setTimeout(() => resolve(), 200);
+    }));
+  }
+  
+  // Wait for all to complete
+  await Promise.all(promises);
+  
+  const duringMixed = getActiveConnections();
+  console.log(`During mixed test: ${duringMixed} active connections`);
+  
+  // Final cleanup wait
+  await new Promise(resolve => setTimeout(resolve, 1000));
+  
+  const finalCount = getActiveConnections();
+  console.log(`\nFinal connection count: ${finalCount}`);
+  
+  // Stop the proxy
+  await proxy.stop();
+  console.log('✓ Proxy stopped');
+  
+  // Verify all connections were cleaned up
+  expect(finalCount).toEqual(initialCount);
+  expect(afterImmediateDisconnect).toEqual(initialCount);
+  expect(afterDelayedDisconnect).toEqual(initialCount);
+  
+  // Check that connections didn't accumulate during the test
+  const maxCount = Math.max(...connectionCounts);
+  console.log(`\nMax connection count during immediate disconnect test: ${maxCount}`);
+  expect(maxCount).toBeLessThan(3); // Should stay very low
+  
+  console.log('\n✅ PASS: Connect-disconnect cleanup working correctly!');
+});
+
+tap.test('should handle clients that error during connection', async () => {
+  console.log('\n=== Testing Connection Error Cleanup ===');
+  
+  const proxy = new SmartProxy({
+    ports: [8561],
+    enableDetailedLogging: false,
+    routes: [{
+      name: 'test-route',
+      match: { ports: 8561 },
+      action: {
+        type: 'forward',
+        target: {
+          host: 'localhost',
+          port: 9999
+        }
+      }
+    }]
+  });
+  
+  await proxy.start();
+  console.log('✓ Proxy started on port 8561');
+  
+  const getActiveConnections = () => {
+    const connectionManager = (proxy as any).connectionManager;
+    return connectionManager ? connectionManager.getConnectionCount() : 0;
+  };
+  
+  const initialCount = getActiveConnections();
+  console.log(`Initial connection count: ${initialCount}`);
+  
+  // Create connections that will error
+  const promises = [];
+  for (let i = 0; i < 10; i++) {
+    promises.push(new Promise<void>((resolve) => {
+      const client = new net.Socket();
+      
+      client.on('error', () => {
+        resolve();
+      });
+      
+      client.on('close', () => {
+        resolve();
+      });
+      
+      // Connect to proxy
+      client.connect(8561, 'localhost', () => {
+        // Force an error by writing invalid data then destroying
+        try {
+          client.write(Buffer.alloc(1024 * 1024)); // Large write
+          client.destroy();
+        } catch (e) {
+          // Ignore
+        }
+      });
+      
+      // Timeout
+      setTimeout(() => resolve(), 500);
+    }));
+  }
+  
+  await Promise.all(promises);
+  console.log('✓ All error connections completed');
+  
+  // Wait for cleanup
+  await new Promise(resolve => setTimeout(resolve, 500));
+  
+  const finalCount = getActiveConnections();
+  console.log(`Final connection count: ${finalCount}`);
+  
+  await proxy.stop();
+  console.log('✓ Proxy stopped');
+  
+  expect(finalCount).toEqual(initialCount);
+  
+  console.log('\n✅ PASS: Connection error cleanup working correctly!');
+});
+
+tap.start();

test/test.connection-cleanup-comprehensive.node.ts

@@ -0,0 +1,279 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import * as net from 'net';
+import * as plugins from '../ts/plugins.js';
+
+// Import SmartProxy and configurations
+import { SmartProxy } from '../ts/index.js';
+
+tap.test('comprehensive connection cleanup test - all scenarios', async () => {
+  console.log('\n=== Comprehensive Connection Cleanup Test ===');
+  
+  // Create a SmartProxy instance
+  const proxy = new SmartProxy({
+    ports: [8570, 8571], // One for immediate routing, one for TLS
+    enableDetailedLogging: false,
+    initialDataTimeout: 2000,
+    socketTimeout: 5000,
+    routes: [
+      {
+        name: 'non-tls-route',
+        match: { ports: 8570 },
+        action: {
+          type: 'forward',
+          target: {
+            host: 'localhost',
+            port: 9999  // Non-existent port
+          }
+        }
+      },
+      {
+        name: 'tls-route',
+        match: { ports: 8571 },
+        action: {
+          type: 'forward',
+          target: {
+            host: 'localhost',
+            port: 9999  // Non-existent port
+          },
+          tls: {
+            mode: 'passthrough'
+          }
+        }
+      }
+    ]
+  });
+  
+  // Start the proxy
+  await proxy.start();
+  console.log('✓ Proxy started on ports 8570 (non-TLS) and 8571 (TLS)');
+  
+  // Helper to get active connection count
+  const getActiveConnections = () => {
+    const connectionManager = (proxy as any).connectionManager;
+    return connectionManager ? connectionManager.getConnectionCount() : 0;
+  };
+  
+  const initialCount = getActiveConnections();
+  console.log(`Initial connection count: ${initialCount}`);
+  
+  // Test 1: Rapid ECONNREFUSED retries (from original issue)
+  console.log('\n--- Test 1: Rapid ECONNREFUSED retries ---');
+  for (let i = 0; i < 10; i++) {
+    await new Promise<void>((resolve) => {
+      const client = new net.Socket();
+      
+      client.on('error', () => {
+        client.destroy();
+        resolve();
+      });
+      
+      client.on('close', () => {
+        resolve();
+      });
+      
+      client.connect(8570, 'localhost', () => {
+        // Send data to trigger routing
+        client.write('GET / HTTP/1.1\r\nHost: test.com\r\n\r\n');
+      });
+      
+      setTimeout(() => {
+        if (!client.destroyed) {
+          client.destroy();
+        }
+        resolve();
+      }, 100);
+    });
+    
+    if ((i + 1) % 5 === 0) {
+      const count = getActiveConnections();
+      console.log(`After ${i + 1} ECONNREFUSED retries: ${count} active connections`);
+    }
+  }
+  
+  // Test 2: Connect without sending data (immediate disconnect)
+  console.log('\n--- Test 2: Connect without sending data ---');
+  for (let i = 0; i < 10; i++) {
+    const client = new net.Socket();
+    
+    client.on('error', () => {
+      // Ignore
+    });
+    
+    // Connect to non-TLS port and immediately disconnect
+    client.connect(8570, 'localhost', () => {
+      client.destroy();
+    });
+    
+    await new Promise(resolve => setTimeout(resolve, 10));
+  }
+  
+  const afterNoData = getActiveConnections();
+  console.log(`After connect-without-data test: ${afterNoData} active connections`);
+  
+  // Test 3: TLS connections that disconnect before handshake
+  console.log('\n--- Test 3: TLS early disconnect ---');
+  for (let i = 0; i < 10; i++) {
+    const client = new net.Socket();
+    
+    client.on('error', () => {
+      // Ignore
+    });
+    
+    // Connect to TLS port but disconnect before sending handshake
+    client.connect(8571, 'localhost', () => {
+      // Wait 50ms then disconnect (before initial data timeout)
+      setTimeout(() => {
+        client.destroy();
+      }, 50);
+    });
+    
+    await new Promise(resolve => setTimeout(resolve, 100));
+  }
+  
+  const afterTlsEarly = getActiveConnections();
+  console.log(`After TLS early disconnect test: ${afterTlsEarly} active connections`);
+  
+  // Test 4: Mixed pattern - simulating real-world chaos
+  console.log('\n--- Test 4: Mixed chaos pattern ---');
+  const promises = [];
+  
+  for (let i = 0; i < 30; i++) {
+    promises.push(new Promise<void>((resolve) => {
+      const client = new net.Socket();
+      const port = i % 2 === 0 ? 8570 : 8571;
+      
+      client.on('error', () => {
+        resolve();
+      });
+      
+      client.on('close', () => {
+        resolve();
+      });
+      
+      client.connect(port, 'localhost', () => {
+        const scenario = i % 5;
+        
+        switch (scenario) {
+          case 0:
+            // Immediate disconnect
+            client.destroy();
+            break;
+          case 1:
+            // Send data then disconnect
+            client.write('GET / HTTP/1.1\r\nHost: test.com\r\n\r\n');
+            setTimeout(() => client.destroy(), 20);
+            break;
+          case 2:
+            // Disconnect after delay
+            setTimeout(() => client.destroy(), 100);
+            break;
+          case 3:
+            // Send partial TLS handshake
+            if (port === 8571) {
+              client.write(Buffer.from([0x16, 0x03, 0x01])); // Partial TLS
+            }
+            setTimeout(() => client.destroy(), 50);
+            break;
+          case 4:
+            // Just let it timeout
+            break;
+        }
+      });
+      
+      // Failsafe
+      setTimeout(() => {
+        if (!client.destroyed) {
+          client.destroy();
+        }
+        resolve();
+      }, 500);
+    }));
+    
+    // Small delay between connections
+    if (i % 5 === 0) {
+      await new Promise(resolve => setTimeout(resolve, 10));
+    }
+  }
+  
+  await Promise.all(promises);
+  console.log('✓ Chaos test completed');
+  
+  // Wait for any cleanup
+  await new Promise(resolve => setTimeout(resolve, 1000));
+  
+  const afterChaos = getActiveConnections();
+  console.log(`After chaos test: ${afterChaos} active connections`);
+  
+  // Test 5: NFTables route (should cleanup properly)
+  console.log('\n--- Test 5: NFTables route cleanup ---');
+  const nftProxy = new SmartProxy({
+    ports: [8572],
+    enableDetailedLogging: false,
+    routes: [{
+      name: 'nftables-route',
+      match: { ports: 8572 },
+      action: {
+        type: 'forward',
+        forwardingEngine: 'nftables',
+        target: {
+          host: 'localhost',
+          port: 9999
+        }
+      }
+    }]
+  });
+  
+  await nftProxy.start();
+  
+  const getNftConnections = () => {
+    const connectionManager = (nftProxy as any).connectionManager;
+    return connectionManager ? connectionManager.getConnectionCount() : 0;
+  };
+  
+  // Create NFTables connections
+  for (let i = 0; i < 5; i++) {
+    const client = new net.Socket();
+    
+    client.on('error', () => {
+      // Ignore
+    });
+    
+    client.connect(8572, 'localhost', () => {
+      setTimeout(() => client.destroy(), 50);
+    });
+    
+    await new Promise(resolve => setTimeout(resolve, 100));
+  }
+  
+  await new Promise(resolve => setTimeout(resolve, 500));
+  
+  const nftFinal = getNftConnections();
+  console.log(`NFTables connections after test: ${nftFinal}`);
+  
+  await nftProxy.stop();
+  
+  // Final check on main proxy
+  const finalCount = getActiveConnections();
+  console.log(`\nFinal connection count: ${finalCount}`);
+  
+  // Stop the proxy
+  await proxy.stop();
+  console.log('✓ Proxy stopped');
+  
+  // Verify all connections were cleaned up
+  expect(finalCount).toEqual(initialCount);
+  expect(afterNoData).toEqual(initialCount);
+  expect(afterTlsEarly).toEqual(initialCount);
+  expect(afterChaos).toEqual(initialCount);
+  expect(nftFinal).toEqual(0);
+  
+  console.log('\n✅ PASS: Comprehensive connection cleanup test passed!');
+  console.log('All connection scenarios properly cleaned up:');
+  console.log('- ECONNREFUSED rapid retries');
+  console.log('- Connect without sending data');
+  console.log('- TLS early disconnect');
+  console.log('- Mixed chaos patterns');
+  console.log('- NFTables connections');
+});
+
+tap.start();

test/test.http-fix-verification.ts

@@ -54,7 +54,7 @@ tap.test('should detect and forward non-TLS connections on useHttpProxy ports',
     findMatchingRoute: (criteria: any) => ({
       route: mockSettings.routes[0]
     }),
-    getAllRoutes: () => mockSettings.routes,
+    getRoutes: () => mockSettings.routes,
     getRoutesForPort: (port: number) => mockSettings.routes.filter(r => {
       const ports = Array.isArray(r.match.ports) ? r.match.ports : [r.match.ports];
       return ports.some(p => {
@@ -182,7 +182,7 @@ tap.test('should handle TLS connections normally', async (tapTest) => {
     findMatchingRoute: (criteria: any) => ({
       route: mockSettings.routes[0]
     }),
-    getAllRoutes: () => mockSettings.routes,
+    getRoutes: () => mockSettings.routes,
     getRoutesForPort: (port: number) => mockSettings.routes.filter(r => {
       const ports = Array.isArray(r.match.ports) ? r.match.ports : [r.match.ports];
       return ports.some(p => {

test/test.http-forwarding-fix.ts

@@ -34,6 +34,7 @@ tap.test('should detect and forward non-TLS connections on HttpProxy ports', asy
   };
   proxy['httpProxyBridge'].stop = async () => {
     console.log('Mock: HttpProxyBridge stopped');
+    return Promise.resolve(); // Ensure it returns a resolved promise
   };
   
   await proxy.start();
@@ -44,11 +45,14 @@ tap.test('should detect and forward non-TLS connections on HttpProxy ports', asy
     forwardedToHttpProxy = true;
     connectionPath = 'httpproxy';
     console.log('Mock: Connection forwarded to HttpProxy with args:', args[0], 'on port:', args[2]?.localPort);
-    // Just close the connection for the test
-    args[1].end(); // socket.end()
+    // Properly close the connection for the test
+    const socket = args[1];
+    socket.end();
+    socket.destroy();
   };
   
-  // No need to mock getHttpProxy - the bridge already handles HttpProxy availability
+  // Mock getHttpProxy to indicate HttpProxy is available
+  (proxy as any).httpProxyBridge.getHttpProxy = () => ({ available: true });
   
   // Make a connection to port 8080
   const client = new net.Socket();
@@ -73,13 +77,16 @@ tap.test('should detect and forward non-TLS connections on HttpProxy ports', asy
   expect(connectionPath).toEqual('httpproxy');
   
   client.destroy();
+  
+  // Restore original method before stopping
+  (proxy as any).httpProxyBridge.forwardToHttpProxy = originalForward;
+  
+  console.log('About to stop proxy...');
   await proxy.stop();
+  console.log('Proxy stopped');
   
   // Wait a bit to ensure port is released
   await new Promise(resolve => setTimeout(resolve, 100));
-  
-  // Restore original method
-  (proxy as any).httpProxyBridge.forwardToHttpProxy = originalForward;
 });
 
 // Test that verifies the fix detects non-TLS connections
@@ -123,8 +130,10 @@ tap.test('should properly detect non-TLS connections on HttpProxy ports', async
   proxy['httpProxyBridge'].forwardToHttpProxy = async function(...args: any[]) {
     httpProxyForwardCalled = true;
     console.log('HttpProxy forward called with connectionId:', args[0]);
-    // Just end the connection
-    args[1].end();
+    // Properly close the connection
+    const socket = args[1];
+    socket.end();
+    socket.destroy();
   };
   
   // Mock HttpProxyBridge methods
@@ -136,6 +145,7 @@ tap.test('should properly detect non-TLS connections on HttpProxy ports', async
   };
   proxy['httpProxyBridge'].stop = async () => {
     console.log('Mock: HttpProxyBridge stopped');
+    return Promise.resolve(); // Ensure it returns a resolved promise
   };
   
   // Mock getHttpProxy to return a truthy value

test/test.http-port8080-forwarding.ts

@@ -63,9 +63,21 @@ tap.test('should forward HTTP connections on port 8080', async (tapTest) => {
     }
   };
   
+  console.log('Making HTTP request to proxy...');
   const response = await new Promise<http.IncomingMessage>((resolve, reject) => {
-    const req = http.request(options, (res) => resolve(res));
-    req.on('error', reject);
+    const req = http.request(options, (res) => {
+      console.log('Got response from proxy:', res.statusCode);
+      resolve(res);
+    });
+    req.on('error', (err) => {
+      console.error('Request error:', err);
+      reject(err);
+    });
+    req.setTimeout(5000, () => {
+      console.error('Request timeout');
+      req.destroy();
+      reject(new Error('Request timeout'));
+    });
     req.end();
   });
   
@@ -85,6 +97,9 @@ tap.test('should forward HTTP connections on port 8080', async (tapTest) => {
   await new Promise<void>((resolve) => {
     targetServer.close(() => resolve());
   });
+  
+  // Wait a bit to ensure port is fully released
+  await new Promise(resolve => setTimeout(resolve, 500));
 });
 
 tap.test('should handle basic HTTP request forwarding', async (tapTest) => {
@@ -135,15 +150,30 @@ tap.test('should handle basic HTTP request forwarding', async (tapTest) => {
     }
   };
   
+  console.log('Making HTTP request to proxy...');
   const response = await new Promise<http.IncomingMessage>((resolve, reject) => {
-    const req = http.request(options, (res) => resolve(res));
-    req.on('error', reject);
+    const req = http.request(options, (res) => {
+      console.log('Got response from proxy:', res.statusCode);
+      resolve(res);
+    });
+    req.on('error', (err) => {
+      console.error('Request error:', err);
+      reject(err);
+    });
+    req.setTimeout(5000, () => {
+      console.error('Request timeout');
+      req.destroy();
+      reject(new Error('Request timeout'));
+    });
     req.end();
   });
   
   let responseData = '';
   response.setEncoding('utf8');
-  response.on('data', chunk => responseData += chunk);
+  response.on('data', chunk => {
+    console.log('Received data chunk:', chunk);
+    responseData += chunk;
+  });
   await new Promise(resolve => response.on('end', resolve));
   
   expect(response.statusCode).toEqual(200);
@@ -154,6 +184,9 @@ tap.test('should handle basic HTTP request forwarding', async (tapTest) => {
   await new Promise<void>((resolve) => {
     targetServer.close(() => resolve());
   });
+  
+  // Wait a bit to ensure port is fully released
+  await new Promise(resolve => setTimeout(resolve, 500));
 });
 
-tap.start();
+export default tap.start();

test/test.httpproxy.function-targets.ts

@@ -82,13 +82,16 @@ tap.test('setup HttpProxy function-based targets test environment', async (tools
 
 // Test static host/port routes
 tap.test('should support static host/port routes', async () => {
+  // Get proxy port first
+  const proxyPort = httpProxy.getListeningPort();
+  
   const routes: IRouteConfig[] = [
     {
       name: 'static-route',
       priority: 100,
       match: {
         domains: 'example.com',
-        ports: 0
+        ports: proxyPort
       },
       action: {
         type: 'forward',
@@ -102,9 +105,6 @@ tap.test('should support static host/port routes', async () => {
   
   await httpProxy.updateRouteConfigs(routes);
   
-  // Get proxy port using the improved getListeningPort() method 
-  const proxyPort = httpProxy.getListeningPort();
-  
   // Make request to proxy
   const response = await makeRequest({
     hostname: 'localhost',
@@ -124,13 +124,14 @@ tap.test('should support static host/port routes', async () => {
 
 // Test function-based host
 tap.test('should support function-based host', async () => {
+  const proxyPort = httpProxy.getListeningPort();
   const routes: IRouteConfig[] = [
     {
       name: 'function-host-route',
       priority: 100,
       match: {
         domains: 'function.example.com',
-        ports: 0
+        ports: proxyPort
       },
       action: {
         type: 'forward',
@@ -147,9 +148,6 @@ tap.test('should support function-based host', async () => {
   
   await httpProxy.updateRouteConfigs(routes);
   
-  // Get proxy port using the improved getListeningPort() method 
-  const proxyPort = httpProxy.getListeningPort();
-  
   // Make request to proxy
   const response = await makeRequest({
     hostname: 'localhost',
@@ -169,13 +167,14 @@ tap.test('should support function-based host', async () => {
 
 // Test function-based port
 tap.test('should support function-based port', async () => {
+  const proxyPort = httpProxy.getListeningPort();
   const routes: IRouteConfig[] = [
     {
       name: 'function-port-route',
       priority: 100,
       match: {
         domains: 'function-port.example.com',
-        ports: 0
+        ports: proxyPort
       },
       action: {
         type: 'forward',
@@ -192,9 +191,6 @@ tap.test('should support function-based port', async () => {
   
   await httpProxy.updateRouteConfigs(routes);
   
-  // Get proxy port using the improved getListeningPort() method 
-  const proxyPort = httpProxy.getListeningPort();
-  
   // Make request to proxy
   const response = await makeRequest({
     hostname: 'localhost',
@@ -214,13 +210,14 @@ tap.test('should support function-based port', async () => {
 
 // Test function-based host AND port
 tap.test('should support function-based host AND port', async () => {
+  const proxyPort = httpProxy.getListeningPort();
   const routes: IRouteConfig[] = [
     {
       name: 'function-both-route',
       priority: 100,
       match: {
         domains: 'function-both.example.com',
-        ports: 0
+        ports: proxyPort
       },
       action: {
         type: 'forward',
@@ -238,9 +235,6 @@ tap.test('should support function-based host AND port', async () => {
   
   await httpProxy.updateRouteConfigs(routes);
   
-  // Get proxy port using the improved getListeningPort() method 
-  const proxyPort = httpProxy.getListeningPort();
-  
   // Make request to proxy
   const response = await makeRequest({
     hostname: 'localhost',
@@ -260,13 +254,14 @@ tap.test('should support function-based host AND port', async () => {
 
 // Test context-based routing with path
 tap.test('should support context-based routing with path', async () => {
+  const proxyPort = httpProxy.getListeningPort();
   const routes: IRouteConfig[] = [
     {
       name: 'context-path-route',
       priority: 100,
       match: {
         domains: 'context.example.com',
-        ports: 0
+        ports: proxyPort
       },
       action: {
         type: 'forward',
@@ -287,9 +282,6 @@ tap.test('should support context-based routing with path', async () => {
   
   await httpProxy.updateRouteConfigs(routes);
   
-  // Get proxy port using the improved getListeningPort() method 
-  const proxyPort = httpProxy.getListeningPort();
-  
   // Make request to proxy with /api path
   const apiResponse = await makeRequest({
     hostname: 'localhost',

test/test.keepalive-support.node.ts

@@ -0,0 +1,250 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import * as net from 'net';
+import { SmartProxy } from '../ts/index.js';
+import * as plugins from '../ts/plugins.js';
+
+tap.test('keepalive support - verify keepalive connections are properly handled', async (tools) => {
+  console.log('\n=== KeepAlive Support Test ===');
+  console.log('Purpose: Verify that keepalive connections are not prematurely cleaned up');
+  
+  // Create a simple echo backend
+  const echoBackend = net.createServer((socket) => {
+    socket.on('data', (data) => {
+      // Echo back received data
+      try {
+        socket.write(data);
+      } catch (err) {
+        // Ignore write errors during shutdown
+      }
+    });
+    
+    socket.on('error', (err) => {
+      // Ignore errors from backend sockets
+      console.log(`Backend socket error (expected during cleanup): ${err.code}`);
+    });
+  });
+  
+  await new Promise<void>((resolve) => {
+    echoBackend.listen(9998, () => {
+      console.log('✓ Echo backend started on port 9998');
+      resolve();
+    });
+  });
+  
+  // Test 1: Standard keepalive treatment
+  console.log('\n--- Test 1: Standard KeepAlive Treatment ---');
+  
+  const proxy1 = new SmartProxy({
+    routes: [{
+      name: 'keepalive-route',
+      match: { ports: 8590 },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 9998 }
+      }
+    }],
+    keepAlive: true,
+    keepAliveTreatment: 'standard',
+    inactivityTimeout: 5000, // 5 seconds for faster testing
+    enableDetailedLogging: false,
+  });
+  
+  await proxy1.start();
+  console.log('✓ Proxy with standard keepalive started on port 8590');
+  
+  // Create a keepalive connection
+  const client1 = net.connect(8590, 'localhost');
+  
+  // Add error handler to prevent unhandled errors
+  client1.on('error', (err) => {
+    console.log(`Client1 error (expected during cleanup): ${err.code}`);
+  });
+  
+  await new Promise<void>((resolve) => {
+    client1.on('connect', () => {
+      console.log('Client connected');
+      client1.setKeepAlive(true, 1000);
+      resolve();
+    });
+  });
+  
+  // Send initial data
+  client1.write('Hello keepalive\n');
+  
+  // Wait for echo
+  await new Promise<void>((resolve) => {
+    client1.once('data', (data) => {
+      console.log(`Received echo: ${data.toString().trim()}`);
+      resolve();
+    });
+  });
+  
+  // Check connection is marked as keepalive
+  const cm1 = (proxy1 as any).connectionManager;
+  const connections1 = cm1.getConnections();
+  let keepAliveCount = 0;
+  
+  for (const [id, record] of connections1) {
+    if (record.hasKeepAlive) {
+      keepAliveCount++;
+      console.log(`KeepAlive connection ${id}: hasKeepAlive=${record.hasKeepAlive}`);
+    }
+  }
+  
+  expect(keepAliveCount).toEqual(1);
+  
+  // Wait to ensure it's not cleaned up prematurely
+  await plugins.smartdelay.delayFor(6000);
+  
+  const afterWaitCount1 = cm1.getConnectionCount();
+  console.log(`Connections after 6s wait: ${afterWaitCount1}`);
+  expect(afterWaitCount1).toEqual(1); // Should still be connected
+  
+  // Send more data to keep it alive
+  client1.write('Still alive\n');
+  
+  // Clean up test 1
+  client1.destroy();
+  await proxy1.stop();
+  await plugins.smartdelay.delayFor(500); // Wait for port to be released
+  
+  // Test 2: Extended keepalive treatment
+  console.log('\n--- Test 2: Extended KeepAlive Treatment ---');
+  
+  const proxy2 = new SmartProxy({
+    routes: [{
+      name: 'keepalive-extended',
+      match: { ports: 8591 },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 9998 }
+      }
+    }],
+    keepAlive: true,
+    keepAliveTreatment: 'extended',
+    keepAliveInactivityMultiplier: 6,
+    inactivityTimeout: 2000, // 2 seconds base, 12 seconds with multiplier
+    enableDetailedLogging: false,
+  });
+  
+  await proxy2.start();
+  console.log('✓ Proxy with extended keepalive started on port 8591');
+  
+  const client2 = net.connect(8591, 'localhost');
+  
+  // Add error handler to prevent unhandled errors
+  client2.on('error', (err) => {
+    console.log(`Client2 error (expected during cleanup): ${err.code}`);
+  });
+  
+  await new Promise<void>((resolve) => {
+    client2.on('connect', () => {
+      console.log('Client connected with extended timeout');
+      client2.setKeepAlive(true, 1000);
+      resolve();
+    });
+  });
+  
+  // Send initial data
+  client2.write('Extended keepalive\n');
+  
+  // Check connection
+  const cm2 = (proxy2 as any).connectionManager;
+  await plugins.smartdelay.delayFor(1000);
+  
+  const connections2 = cm2.getConnections();
+  for (const [id, record] of connections2) {
+    console.log(`Extended connection ${id}: hasKeepAlive=${record.hasKeepAlive}, treatment=extended`);
+  }
+  
+  // Wait 3 seconds (would timeout with standard treatment)
+  await plugins.smartdelay.delayFor(3000);
+  
+  const midWaitCount = cm2.getConnectionCount();
+  console.log(`Connections after 3s (base timeout exceeded): ${midWaitCount}`);
+  expect(midWaitCount).toEqual(1); // Should still be connected due to extended treatment
+  
+  // Clean up test 2
+  client2.destroy();
+  await proxy2.stop();
+  await plugins.smartdelay.delayFor(500); // Wait for port to be released
+  
+  // Test 3: Immortal keepalive treatment
+  console.log('\n--- Test 3: Immortal KeepAlive Treatment ---');
+  
+  const proxy3 = new SmartProxy({
+    routes: [{
+      name: 'keepalive-immortal',
+      match: { ports: 8592 },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 9998 }
+      }
+    }],
+    keepAlive: true,
+    keepAliveTreatment: 'immortal',
+    inactivityTimeout: 1000, // 1 second - should be ignored for immortal
+    enableDetailedLogging: false,
+  });
+  
+  await proxy3.start();
+  console.log('✓ Proxy with immortal keepalive started on port 8592');
+  
+  const client3 = net.connect(8592, 'localhost');
+  
+  // Add error handler to prevent unhandled errors
+  client3.on('error', (err) => {
+    console.log(`Client3 error (expected during cleanup): ${err.code}`);
+  });
+  
+  await new Promise<void>((resolve) => {
+    client3.on('connect', () => {
+      console.log('Client connected with immortal treatment');
+      client3.setKeepAlive(true, 1000);
+      resolve();
+    });
+  });
+  
+  // Send initial data
+  client3.write('Immortal connection\n');
+  
+  // Wait well beyond normal timeout
+  await plugins.smartdelay.delayFor(5000);
+  
+  const cm3 = (proxy3 as any).connectionManager;
+  const immortalCount = cm3.getConnectionCount();
+  console.log(`Immortal connections after 5s inactivity: ${immortalCount}`);
+  expect(immortalCount).toEqual(1); // Should never timeout
+  
+  // Verify zombie detection doesn't affect immortal connections
+  console.log('\n--- Verifying zombie detection respects keepalive ---');
+  
+  // Manually trigger inactivity check
+  cm3.performOptimizedInactivityCheck();
+  
+  await plugins.smartdelay.delayFor(1000);
+  
+  const afterCheckCount = cm3.getConnectionCount();
+  console.log(`Connections after manual inactivity check: ${afterCheckCount}`);
+  expect(afterCheckCount).toEqual(1); // Should still be alive
+  
+  // Clean up
+  client3.destroy();
+  await proxy3.stop();
+  
+  // Close backend and wait for it to fully close
+  await new Promise<void>((resolve) => {
+    echoBackend.close(() => {
+      console.log('Echo backend closed');
+      resolve();
+    });
+  });
+  
+  console.log('\n✓ All keepalive tests passed:');
+  console.log('  - Standard treatment works correctly');
+  console.log('  - Extended treatment applies multiplier');
+  console.log('  - Immortal treatment never times out');
+  console.log('  - Zombie detection respects keepalive settings');
+});
+
+tap.start();

test/test.long-lived-connections.ts

@@ -0,0 +1,146 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import * as net from 'net';
+import * as tls from 'tls';
+import { SmartProxy } from '../ts/index.js';
+
+let testProxy: SmartProxy;
+let targetServer: net.Server;
+
+// Create a simple echo server as target
+tap.test('setup test environment', async () => {
+  // Create target server that echoes data back
+  targetServer = net.createServer((socket) => {
+    console.log('Target server: client connected');
+    
+    // Echo data back
+    socket.on('data', (data) => {
+      console.log(`Target server received: ${data.toString().trim()}`);
+      socket.write(data);
+    });
+    
+    socket.on('close', () => {
+      console.log('Target server: client disconnected');
+    });
+  });
+  
+  await new Promise<void>((resolve) => {
+    targetServer.listen(9876, () => {
+      console.log('Target server listening on port 9876');
+      resolve();
+    });
+  });
+  
+  // Create proxy with simple TCP forwarding (no TLS)
+  testProxy = new SmartProxy({
+    routes: [{
+      name: 'tcp-forward-test',
+      match: {
+        ports: 8888  // Plain TCP port
+      },
+      action: {
+        type: 'forward',
+        target: {
+          host: 'localhost',
+          port: 9876
+        }
+        // No TLS configuration - just plain TCP forwarding
+      }
+    }],
+    defaults: {
+      target: {
+        host: 'localhost',
+        port: 9876
+      }
+    },
+    enableDetailedLogging: true,
+    keepAliveTreatment: 'extended',  // Allow long-lived connections
+    inactivityTimeout: 3600000,      // 1 hour
+    socketTimeout: 3600000,          // 1 hour
+    keepAlive: true,
+    keepAliveInitialDelay: 1000
+  });
+  
+  await testProxy.start();
+});
+
+tap.test('should keep WebSocket-like connection open for extended period', async (tools) => {
+  tools.timeout(65000); // 65 second test timeout
+  
+  const client = new net.Socket();
+  let messagesReceived = 0;
+  let connectionClosed = false;
+  
+  // Connect to proxy
+  await new Promise<void>((resolve, reject) => {
+    client.connect(8888, 'localhost', () => {
+      console.log('Client connected to proxy');
+      resolve();
+    });
+    
+    client.on('error', reject);
+  });
+  
+  // Set up data handler
+  client.on('data', (data) => {
+    console.log(`Client received: ${data.toString().trim()}`);
+    messagesReceived++;
+  });
+  
+  client.on('close', () => {
+    console.log('Client connection closed');
+    connectionClosed = true;
+  });
+  
+  // Send initial handshake-like data
+  client.write('HELLO\n');
+  
+  // Wait for response
+  await new Promise(resolve => setTimeout(resolve, 100));
+  expect(messagesReceived).toEqual(1);
+  
+  // Simulate WebSocket-like keep-alive pattern
+  // Send periodic messages over 60 seconds
+  const startTime = Date.now();
+  const pingInterval = setInterval(() => {
+    if (!connectionClosed && Date.now() - startTime < 60000) {
+      console.log('Sending ping...');
+      client.write('PING\n');
+    } else {
+      clearInterval(pingInterval);
+    }
+  }, 10000); // Every 10 seconds
+  
+  // Wait for 61 seconds
+  await new Promise(resolve => setTimeout(resolve, 61000));
+  
+  // Clean up interval
+  clearInterval(pingInterval);
+  
+  // Connection should still be open
+  expect(connectionClosed).toEqual(false);
+  
+  // Should have received responses (1 hello + 6 pings)
+  expect(messagesReceived).toBeGreaterThan(5);
+  
+  // Close connection gracefully
+  client.end();
+  
+  // Wait for close
+  await new Promise(resolve => setTimeout(resolve, 100));
+  expect(connectionClosed).toEqual(true);
+});
+
+// NOTE: Half-open connections are not supported due to proxy chain architecture
+
+tap.test('cleanup', async () => {
+  await testProxy.stop();
+  
+  await new Promise<void>((resolve) => {
+    targetServer.close(() => {
+      console.log('Target server closed');
+      resolve();
+    });
+  });
+});
+
+export default tap.start();

test/test.memory-leak-check.node.ts

@@ -0,0 +1,150 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { SmartProxy, createHttpRoute } from '../ts/index.js';
+import * as http from 'http';
+
+tap.test('should not have memory leaks in long-running operations', async (tools) => {
+  // Get initial memory usage
+  const getMemoryUsage = () => {
+    if (global.gc) {
+      global.gc();
+    }
+    const usage = process.memoryUsage();
+    return {
+      heapUsed: Math.round(usage.heapUsed / 1024 / 1024), // MB
+      external: Math.round(usage.external / 1024 / 1024), // MB
+      rss: Math.round(usage.rss / 1024 / 1024) // MB
+    };
+  };
+
+  // Create a target server
+  const targetServer = http.createServer((req, res) => {
+    res.writeHead(200, { 'Content-Type': 'text/plain' });
+    res.end('OK');
+  });
+  await new Promise<void>((resolve) => targetServer.listen(3100, resolve));
+
+  // Create the proxy - use non-privileged port
+  const routes = [
+    createHttpRoute(['test1.local', 'test2.local', 'test3.local'], { host: 'localhost', port: 3100 }),
+  ];
+  // Update route to use port 8080
+  routes[0].match.ports = 8080;
+  
+  const proxy = new SmartProxy({
+    ports: [8080], // Use non-privileged port
+    routes: routes
+  });
+  await proxy.start();
+
+  console.log('Starting memory leak test...');
+  const initialMemory = getMemoryUsage();
+  console.log('Initial memory:', initialMemory);
+
+  // Function to make requests
+  const makeRequest = (domain: string): Promise<void> => {
+    return new Promise((resolve, reject) => {
+      const req = http.request({
+        hostname: 'localhost',
+        port: 8080,
+        path: '/',
+        method: 'GET',
+        headers: {
+          'Host': domain
+        }
+      }, (res) => {
+        res.on('data', () => {});
+        res.on('end', resolve);
+      });
+      req.on('error', reject);
+      req.end();
+    });
+  };
+
+  // Test 1: Many requests to the same routes
+  console.log('Test 1: Making 1000 requests to same routes...');
+  for (let i = 0; i < 1000; i++) {
+    await makeRequest(`test${(i % 3) + 1}.local`);
+    if (i % 100 === 0) {
+      console.log(`  Progress: ${i}/1000`);
+    }
+  }
+  
+  const afterSameRoutesMemory = getMemoryUsage();
+  console.log('Memory after same routes:', afterSameRoutesMemory);
+
+  // Test 2: Many requests to different routes (tests routeContextCache)
+  console.log('Test 2: Making 1000 requests to different routes...');
+  for (let i = 0; i < 1000; i++) {
+    // Create unique domain to test cache growth
+    await makeRequest(`test${i}.local`);
+    if (i % 100 === 0) {
+      console.log(`  Progress: ${i}/1000`);
+    }
+  }
+  
+  const afterDifferentRoutesMemory = getMemoryUsage();
+  console.log('Memory after different routes:', afterDifferentRoutesMemory);
+
+  // Test 3: Check metrics collector memory
+  console.log('Test 3: Checking metrics collector...');
+  const stats = proxy.getStats();
+  console.log(`Active connections: ${stats.getActiveConnections()}`);
+  console.log(`Total connections: ${stats.getTotalConnections()}`);
+  console.log(`RPS: ${stats.getRequestsPerSecond()}`);
+  
+  // Test 4: Many rapid connections (tests requestTimestamps array)
+  console.log('Test 4: Making 10000 rapid requests...');
+  const rapidRequests = [];
+  for (let i = 0; i < 10000; i++) {
+    rapidRequests.push(makeRequest('test1.local'));
+    if (i % 1000 === 0) {
+      // Wait a bit to let some complete
+      await Promise.all(rapidRequests);
+      rapidRequests.length = 0;
+      console.log(`  Progress: ${i}/10000`);
+    }
+  }
+  await Promise.all(rapidRequests);
+  
+  const afterRapidMemory = getMemoryUsage();
+  console.log('Memory after rapid requests:', afterRapidMemory);
+
+  // Force garbage collection and check final memory
+  await new Promise(resolve => setTimeout(resolve, 1000));
+  const finalMemory = getMemoryUsage();
+  console.log('Final memory:', finalMemory);
+
+  // Memory leak checks
+  const memoryGrowth = finalMemory.heapUsed - initialMemory.heapUsed;
+  console.log(`Total memory growth: ${memoryGrowth} MB`);
+
+  // Check for excessive memory growth
+  // Allow some growth but not excessive (e.g., more than 50MB for this test)
+  expect(memoryGrowth).toBeLessThan(50);
+  
+  // Check specific potential leaks
+  // 1. Route context cache should not grow unbounded
+  const routeHandler = proxy.routeConnectionHandler as any;
+  if (routeHandler.routeContextCache) {
+    console.log(`Route context cache size: ${routeHandler.routeContextCache.size}`);
+    // Should not have 1000 entries from different routes test
+    expect(routeHandler.routeContextCache.size).toBeLessThan(100);
+  }
+
+  // 2. Metrics collector should clean up old timestamps
+  const metricsCollector = (proxy.getStats() as any);
+  if (metricsCollector.requestTimestamps) {
+    console.log(`Request timestamps array length: ${metricsCollector.requestTimestamps.length}`);
+    // Should not exceed 10000 (the cleanup threshold)
+    expect(metricsCollector.requestTimestamps.length).toBeLessThanOrEqual(10000);
+  }
+
+  // Cleanup
+  await proxy.stop();
+  await new Promise<void>((resolve) => targetServer.close(resolve));
+
+  console.log('Memory leak test completed successfully');
+});
+
+// Run with: node --expose-gc test.memory-leak-check.node.ts
+tap.start();

test/test.memory-leak-simple.ts

@@ -0,0 +1,58 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { SmartProxy, createHttpRoute } from '../ts/index.js';
+import * as http from 'http';
+
+tap.test('memory leak fixes verification', async () => {
+  // Test 1: MetricsCollector requestTimestamps cleanup
+  console.log('\n=== Test 1: MetricsCollector requestTimestamps cleanup ===');
+  const proxy = new SmartProxy({
+    ports: [8081],
+    routes: [
+      createHttpRoute('test.local', { host: 'localhost', port: 3200 }),
+    ]
+  });
+  
+  // Override route port
+  proxy.settings.routes[0].match.ports = 8081;
+  
+  await proxy.start();
+  
+  const metricsCollector = (proxy.getStats() as any);
+  
+  // Check initial state
+  console.log('Initial timestamps:', metricsCollector.requestTimestamps.length);
+  
+  // Simulate many requests to test cleanup
+  for (let i = 0; i < 6000; i++) {
+    metricsCollector.recordRequest();
+  }
+  
+  // Should be cleaned up to MAX_TIMESTAMPS (5000)
+  console.log('After 6000 requests:', metricsCollector.requestTimestamps.length);
+  expect(metricsCollector.requestTimestamps.length).toBeLessThanOrEqual(5000);
+  
+  await proxy.stop();
+  
+  // Test 2: Verify intervals are cleaned up
+  console.log('\n=== Test 2: Verify cleanup methods exist ===');
+  
+  // Check RequestHandler has destroy method
+  const { RequestHandler } = await import('../ts/proxies/http-proxy/request-handler.js');
+  const requestHandler = new RequestHandler({}, null as any);
+  expect(typeof requestHandler.destroy).toEqual('function');
+  console.log('✓ RequestHandler has destroy method');
+  
+  // Check FunctionCache has destroy method  
+  const { FunctionCache } = await import('../ts/proxies/http-proxy/function-cache.js');
+  const functionCache = new FunctionCache({ debug: () => {}, info: () => {} } as any);
+  expect(typeof functionCache.destroy).toEqual('function');
+  console.log('✓ FunctionCache has destroy method');
+  
+  // Cleanup
+  requestHandler.destroy();
+  functionCache.destroy();
+  
+  console.log('\n✅ All memory leak fixes verified!');
+});
+
+tap.start();

test/test.memory-leak-unit.ts

@@ -0,0 +1,131 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+
+tap.test('memory leak fixes - unit tests', async () => {
+  console.log('\n=== Testing MetricsCollector memory management ===');
+  
+  // Import and test MetricsCollector directly
+  const { MetricsCollector } = await import('../ts/proxies/smart-proxy/metrics-collector.js');
+  
+  // Create a mock SmartProxy with minimal required properties
+  const mockProxy = {
+    connectionManager: {
+      getConnectionCount: () => 0,
+      getConnections: () => new Map(),
+      getTerminationStats: () => ({ incoming: {} })
+    },
+    routeConnectionHandler: {
+      newConnectionSubject: {
+        subscribe: () => ({ unsubscribe: () => {} })
+      }
+    },
+    settings: {}
+  };
+  
+  const collector = new MetricsCollector(mockProxy as any);
+  collector.start();
+  
+  // Test timestamp cleanup
+  console.log('Testing requestTimestamps cleanup...');
+  
+  // Add 6000 timestamps
+  for (let i = 0; i < 6000; i++) {
+    collector.recordRequest();
+  }
+  
+  // Access private property for testing
+  let timestamps = (collector as any).requestTimestamps;
+  console.log(`Timestamps after 6000 requests: ${timestamps.length}`);
+  
+  // Force one more request to trigger cleanup
+  collector.recordRequest();
+  timestamps = (collector as any).requestTimestamps;
+  console.log(`Timestamps after cleanup trigger: ${timestamps.length}`);
+  
+  // Now check the RPS window - all timestamps are within 1 minute so they won't be cleaned
+  const now = Date.now();
+  const oldestTimestamp = Math.min(...timestamps);
+  const windowAge = now - oldestTimestamp;
+  console.log(`Window age: ${windowAge}ms (should be < 60000ms for all to be kept)`);
+  
+  // Since all timestamps are recent (within RPS window), they won't be cleaned by window
+  // But the array size should still be limited
+  console.log(`MAX_TIMESTAMPS: ${(collector as any).MAX_TIMESTAMPS}`);
+  
+  // The issue is our rapid-fire test - all timestamps are within the window
+  // Let's test with older timestamps
+  console.log('\nTesting with mixed old/new timestamps...');
+  (collector as any).requestTimestamps = [];
+  
+  // Add some old timestamps (older than window)
+  const oldTime = now - 70000; // 70 seconds ago
+  for (let i = 0; i < 3000; i++) {
+    (collector as any).requestTimestamps.push(oldTime);
+  }
+  
+  // Add new timestamps to exceed limit
+  for (let i = 0; i < 3000; i++) {
+    collector.recordRequest();
+  }
+  
+  timestamps = (collector as any).requestTimestamps;
+  console.log(`After mixed timestamps: ${timestamps.length} (old ones should be cleaned)`);
+  
+  // Old timestamps should be cleaned when we exceed MAX_TIMESTAMPS
+  expect(timestamps.length).toBeLessThanOrEqual(5000);
+  
+  // Stop the collector
+  collector.stop();
+  
+  console.log('\n=== Testing FunctionCache cleanup ===');
+  
+  const { FunctionCache } = await import('../ts/proxies/http-proxy/function-cache.js');
+  
+  const mockLogger = {
+    debug: () => {},
+    info: () => {},
+    warn: () => {},
+    error: () => {}
+  };
+  
+  const cache = new FunctionCache(mockLogger as any);
+  
+  // Check that cleanup interval was set
+  expect((cache as any).cleanupInterval).toBeTruthy();
+  
+  // Test destroy method
+  cache.destroy();
+  
+  // Cleanup interval should be cleared
+  expect((cache as any).cleanupInterval).toBeNull();
+  
+  console.log('✓ FunctionCache properly cleans up interval');
+  
+  console.log('\n=== Testing RequestHandler cleanup ===');
+  
+  const { RequestHandler } = await import('../ts/proxies/http-proxy/request-handler.js');
+  
+  const mockConnectionPool = {
+    getConnection: () => null,
+    releaseConnection: () => {}
+  };
+  
+  const handler = new RequestHandler(
+    { logLevel: 'error' },
+    mockConnectionPool as any
+  );
+  
+  // Check that cleanup interval was set
+  expect((handler as any).rateLimitCleanupInterval).toBeTruthy();
+  
+  // Test destroy method
+  handler.destroy();
+  
+  // Cleanup interval should be cleared
+  expect((handler as any).rateLimitCleanupInterval).toBeNull();
+  
+  console.log('✓ RequestHandler properly cleans up interval');
+  
+  console.log('\n✅ All memory leak fixes verified!');
+});
+
+tap.start();

test/test.metrics-collector.ts

@@ -0,0 +1,280 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { SmartProxy } from '../ts/index.js';
+import * as net from 'net';
+import * as plugins from '../ts/plugins.js';
+
+tap.test('MetricsCollector provides accurate metrics', async (tools) => {
+  console.log('\n=== MetricsCollector Test ===');
+  
+  // Create a simple echo server for testing
+  const echoServer = net.createServer((socket) => {
+    socket.on('data', (data) => {
+      socket.write(data);
+    });
+    socket.on('error', () => {}); // Ignore errors
+  });
+  
+  await new Promise<void>((resolve) => {
+    echoServer.listen(9995, () => {
+      console.log('✓ Echo server started on port 9995');
+      resolve();
+    });
+  });
+  
+  // Create SmartProxy with test routes
+  const proxy = new SmartProxy({
+    routes: [
+      {
+        name: 'test-route-1',
+        match: { ports: 8700 },
+        action: {
+          type: 'forward',
+          target: { host: 'localhost', port: 9995 }
+        }
+      },
+      {
+        name: 'test-route-2',
+        match: { ports: 8701 },
+        action: {
+          type: 'forward',
+          target: { host: 'localhost', port: 9995 }
+        }
+      }
+    ],
+    enableDetailedLogging: true,
+  });
+  
+  await proxy.start();
+  console.log('✓ Proxy started on ports 8700 and 8701');
+  
+  // Get stats interface
+  const stats = proxy.getStats();
+  
+  // Test 1: Initial state
+  console.log('\n--- Test 1: Initial State ---');
+  expect(stats.getActiveConnections()).toEqual(0);
+  expect(stats.getTotalConnections()).toEqual(0);
+  expect(stats.getRequestsPerSecond()).toEqual(0);
+  expect(stats.getConnectionsByRoute().size).toEqual(0);
+  expect(stats.getConnectionsByIP().size).toEqual(0);
+  
+  const throughput = stats.getThroughput();
+  expect(throughput.bytesIn).toEqual(0);
+  expect(throughput.bytesOut).toEqual(0);
+  console.log('✓ Initial metrics are all zero');
+  
+  // Test 2: Create connections and verify metrics
+  console.log('\n--- Test 2: Active Connections ---');
+  const clients: net.Socket[] = [];
+  
+  // Create 3 connections to route 1
+  for (let i = 0; i < 3; i++) {
+    const client = net.connect(8700, 'localhost');
+    clients.push(client);
+    await new Promise<void>((resolve) => {
+      client.on('connect', resolve);
+      client.on('error', () => resolve());
+    });
+  }
+  
+  // Create 2 connections to route 2
+  for (let i = 0; i < 2; i++) {
+    const client = net.connect(8701, 'localhost');
+    clients.push(client);
+    await new Promise<void>((resolve) => {
+      client.on('connect', resolve);
+      client.on('error', () => resolve());
+    });
+  }
+  
+  // Wait for connections to be fully established and routed
+  await plugins.smartdelay.delayFor(300);
+  
+  // Verify connection counts
+  expect(stats.getActiveConnections()).toEqual(5);
+  expect(stats.getTotalConnections()).toEqual(5);
+  console.log(`✓ Active connections: ${stats.getActiveConnections()}`);
+  console.log(`✓ Total connections: ${stats.getTotalConnections()}`);
+  
+  // Test 3: Connections by route
+  console.log('\n--- Test 3: Connections by Route ---');
+  const routeConnections = stats.getConnectionsByRoute();
+  console.log('Route connections:', Array.from(routeConnections.entries()));
+  
+  // Check if we have the expected counts
+  let route1Count = 0;
+  let route2Count = 0;
+  for (const [routeName, count] of routeConnections) {
+    if (routeName === 'test-route-1') route1Count = count;
+    if (routeName === 'test-route-2') route2Count = count;
+  }
+  
+  expect(route1Count).toEqual(3);
+  expect(route2Count).toEqual(2);
+  console.log('✓ Route test-route-1 has 3 connections');
+  console.log('✓ Route test-route-2 has 2 connections');
+  
+  // Test 4: Connections by IP
+  console.log('\n--- Test 4: Connections by IP ---');
+  const ipConnections = stats.getConnectionsByIP();
+  // All connections are from localhost (127.0.0.1 or ::1)
+  let totalIPConnections = 0;
+  for (const [ip, count] of ipConnections) {
+    console.log(`  IP ${ip}: ${count} connections`);
+    totalIPConnections += count;
+  }
+  expect(totalIPConnections).toEqual(5);
+  console.log('✓ Total connections by IP matches active connections');
+  
+  // Test 5: RPS calculation
+  console.log('\n--- Test 5: Requests Per Second ---');
+  const rps = stats.getRequestsPerSecond();
+  console.log(`  Current RPS: ${rps.toFixed(2)}`);
+  // We created 5 connections, so RPS should be > 0
+  expect(rps).toBeGreaterThan(0);
+  console.log('✓ RPS is greater than 0');
+  
+  // Test 6: Throughput
+  console.log('\n--- Test 6: Throughput ---');
+  // Send some data through connections
+  for (const client of clients) {
+    if (!client.destroyed) {
+      client.write('Hello metrics!\n');
+    }
+  }
+  
+  // Wait for data to be transmitted
+  await plugins.smartdelay.delayFor(100);
+  
+  const throughputAfter = stats.getThroughput();
+  console.log(`  Bytes in: ${throughputAfter.bytesIn}`);
+  console.log(`  Bytes out: ${throughputAfter.bytesOut}`);
+  expect(throughputAfter.bytesIn).toBeGreaterThan(0);
+  expect(throughputAfter.bytesOut).toBeGreaterThan(0);
+  console.log('✓ Throughput shows bytes transferred');
+  
+  // Test 7: Close some connections
+  console.log('\n--- Test 7: Connection Cleanup ---');
+  // Close first 2 clients
+  clients[0].destroy();
+  clients[1].destroy();
+  
+  await plugins.smartdelay.delayFor(100);
+  
+  expect(stats.getActiveConnections()).toEqual(3);
+  expect(stats.getTotalConnections()).toEqual(5); // Total should remain the same
+  console.log(`✓ Active connections reduced to ${stats.getActiveConnections()}`);
+  console.log(`✓ Total connections still ${stats.getTotalConnections()}`);
+  
+  // Test 8: Helper methods
+  console.log('\n--- Test 8: Helper Methods ---');
+  
+  // Test getTopIPs
+  const topIPs = (stats as any).getTopIPs(5);
+  expect(topIPs.length).toBeGreaterThan(0);
+  console.log('✓ getTopIPs returns IP list');
+  
+  // Test isIPBlocked
+  const isBlocked = (stats as any).isIPBlocked('127.0.0.1', 10);
+  expect(isBlocked).toEqual(false); // Should not be blocked with limit of 10
+  console.log('✓ isIPBlocked works correctly');
+  
+  // Test throughput rate
+  const throughputRate = (stats as any).getThroughputRate();
+  console.log(`  Throughput rate: ${throughputRate.bytesInPerSec} bytes/sec in, ${throughputRate.bytesOutPerSec} bytes/sec out`);
+  console.log('✓ getThroughputRate calculates rates');
+  
+  // Cleanup
+  console.log('\n--- Cleanup ---');
+  for (const client of clients) {
+    if (!client.destroyed) {
+      client.destroy();
+    }
+  }
+  
+  await proxy.stop();
+  echoServer.close();
+  
+  console.log('\n✓ All MetricsCollector tests passed');
+});
+
+// Test with mock data for unit testing
+tap.test('MetricsCollector unit test with mock data', async () => {
+  console.log('\n=== MetricsCollector Unit Test ===');
+  
+  // Create a mock SmartProxy with mock ConnectionManager
+  const mockConnections = new Map([
+    ['conn1', { 
+      remoteIP: '192.168.1.1', 
+      routeName: 'api', 
+      bytesReceived: 1000, 
+      bytesSent: 500,
+      incomingStartTime: Date.now() - 5000
+    }],
+    ['conn2', { 
+      remoteIP: '192.168.1.1', 
+      routeName: 'web', 
+      bytesReceived: 2000, 
+      bytesSent: 1500,
+      incomingStartTime: Date.now() - 10000
+    }],
+    ['conn3', { 
+      remoteIP: '192.168.1.2', 
+      routeName: 'api', 
+      bytesReceived: 500, 
+      bytesSent: 250,
+      incomingStartTime: Date.now() - 3000
+    }]
+  ]);
+  
+  const mockSmartProxy = {
+    connectionManager: {
+      getConnectionCount: () => mockConnections.size,
+      getConnections: () => mockConnections,
+      getTerminationStats: () => ({
+        incoming: { normal: 10, timeout: 2, error: 1 }
+      })
+    }
+  };
+  
+  // Import MetricsCollector directly
+  const { MetricsCollector } = await import('../ts/proxies/smart-proxy/metrics-collector.js');
+  const metrics = new MetricsCollector(mockSmartProxy as any);
+  
+  // Test metrics calculation
+  console.log('\n--- Testing with Mock Data ---');
+  
+  expect(metrics.getActiveConnections()).toEqual(3);
+  console.log(`✓ Active connections: ${metrics.getActiveConnections()}`);
+  
+  expect(metrics.getTotalConnections()).toEqual(16); // 3 active + 13 terminated
+  console.log(`✓ Total connections: ${metrics.getTotalConnections()}`);
+  
+  const routeConns = metrics.getConnectionsByRoute();
+  expect(routeConns.get('api')).toEqual(2);
+  expect(routeConns.get('web')).toEqual(1);
+  console.log('✓ Connections by route calculated correctly');
+  
+  const ipConns = metrics.getConnectionsByIP();
+  expect(ipConns.get('192.168.1.1')).toEqual(2);
+  expect(ipConns.get('192.168.1.2')).toEqual(1);
+  console.log('✓ Connections by IP calculated correctly');
+  
+  const throughput = metrics.getThroughput();
+  expect(throughput.bytesIn).toEqual(3500);
+  expect(throughput.bytesOut).toEqual(2250);
+  console.log(`✓ Throughput: ${throughput.bytesIn} bytes in, ${throughput.bytesOut} bytes out`);
+  
+  // Test RPS tracking
+  metrics.recordRequest();
+  metrics.recordRequest();
+  metrics.recordRequest();
+  
+  const rps = metrics.getRequestsPerSecond();
+  expect(rps).toBeGreaterThan(0);
+  console.log(`✓ RPS tracking works: ${rps.toFixed(2)} req/sec`);
+  
+  console.log('\n✓ All unit tests passed');
+});
+
+export default tap.start();

test/test.proxy-chain-cleanup.node.ts

@@ -0,0 +1,182 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import * as plugins from '../ts/plugins.js';
+import { SmartProxy } from '../ts/index.js';
+
+let outerProxy: SmartProxy;
+let innerProxy: SmartProxy;
+
+tap.test('setup two smartproxies in a chain configuration', async () => {
+  // Setup inner proxy (backend proxy)
+  innerProxy = new SmartProxy({
+    routes: [
+      {
+        match: {
+          ports: 8002
+        },
+        action: {
+          type: 'forward',
+          target: {
+            host: 'httpbin.org',
+            port: 443
+          }
+        }
+      }
+    ],
+    defaults: {
+      target: {
+        host: 'httpbin.org',
+        port: 443
+      }
+    },
+    acceptProxyProtocol: true,
+    sendProxyProtocol: false,
+    enableDetailedLogging: true,
+    connectionCleanupInterval: 5000, // More frequent cleanup for testing
+    inactivityTimeout: 10000 // Shorter timeout for testing
+  });
+  await innerProxy.start();
+
+  // Setup outer proxy (frontend proxy)
+  outerProxy = new SmartProxy({
+    routes: [
+      {
+        match: {
+          ports: 8001
+        },
+        action: {
+          type: 'forward',
+          target: {
+            host: 'localhost',
+            port: 8002
+          },
+          sendProxyProtocol: true
+        }
+      }
+    ],
+    defaults: {
+      target: {
+        host: 'localhost',
+        port: 8002
+      }
+    },
+    sendProxyProtocol: true,
+    enableDetailedLogging: true,
+    connectionCleanupInterval: 5000, // More frequent cleanup for testing
+    inactivityTimeout: 10000 // Shorter timeout for testing
+  });
+  await outerProxy.start();
+});
+
+tap.test('should properly cleanup connections in proxy chain', async (tools) => {
+  const testDuration = 30000; // 30 seconds
+  const connectionInterval = 500; // Create new connection every 500ms
+  const connectionDuration = 2000; // Each connection lasts 2 seconds
+  
+  let connectionsCreated = 0;
+  let connectionsCompleted = 0;
+  
+  // Function to create a test connection
+  const createTestConnection = async () => {
+    connectionsCreated++;
+    const connectionId = connectionsCreated;
+    
+    try {
+      const socket = plugins.net.connect({
+        port: 8001,
+        host: 'localhost'
+      });
+      
+      await new Promise<void>((resolve, reject) => {
+        socket.on('connect', () => {
+          console.log(`Connection ${connectionId} established`);
+          
+          // Send TLS Client Hello for httpbin.org
+          const clientHello = Buffer.from([
+            0x16, 0x03, 0x01, 0x00, 0xc8, // TLS handshake header
+            0x01, 0x00, 0x00, 0xc4, // Client Hello
+            0x03, 0x03, // TLS 1.2
+            ...Array(32).fill(0), // Random bytes
+            0x00, // Session ID length
+            0x00, 0x02, 0x13, 0x01, // Cipher suites
+            0x01, 0x00, // Compression methods
+            0x00, 0x97, // Extensions length
+            0x00, 0x00, 0x00, 0x0f, 0x00, 0x0d, // SNI extension
+            0x00, 0x00, 0x0a, 0x68, 0x74, 0x74, 0x70, 0x62, 0x69, 0x6e, 0x2e, 0x6f, 0x72, 0x67 // "httpbin.org"
+          ]);
+          
+          socket.write(clientHello);
+          
+          // Keep connection alive for specified duration
+          setTimeout(() => {
+            socket.destroy();
+            connectionsCompleted++;
+            console.log(`Connection ${connectionId} closed (completed: ${connectionsCompleted}/${connectionsCreated})`);
+            resolve();
+          }, connectionDuration);
+        });
+        
+        socket.on('error', (err) => {
+          console.log(`Connection ${connectionId} error: ${err.message}`);
+          connectionsCompleted++;
+          reject(err);
+        });
+      });
+    } catch (err) {
+      console.log(`Failed to create connection ${connectionId}: ${err.message}`);
+      connectionsCompleted++;
+    }
+  };
+  
+  // Start creating connections
+  const startTime = Date.now();
+  const connectionTimer = setInterval(() => {
+    if (Date.now() - startTime < testDuration) {
+      createTestConnection().catch(() => {});
+    } else {
+      clearInterval(connectionTimer);
+    }
+  }, connectionInterval);
+  
+  // Monitor connection counts
+  const monitorInterval = setInterval(() => {
+    const outerConnections = (outerProxy as any).connectionManager.getConnectionCount();
+    const innerConnections = (innerProxy as any).connectionManager.getConnectionCount();
+    
+    console.log(`Active connections - Outer: ${outerConnections}, Inner: ${innerConnections}, Created: ${connectionsCreated}, Completed: ${connectionsCompleted}`);
+  }, 2000);
+  
+  // Wait for test duration + cleanup time
+  await tools.delayFor(testDuration + 10000);
+  
+  clearInterval(connectionTimer);
+  clearInterval(monitorInterval);
+  
+  // Wait for all connections to complete
+  while (connectionsCompleted < connectionsCreated) {
+    await tools.delayFor(100);
+  }
+  
+  // Give some time for cleanup
+  await tools.delayFor(5000);
+  
+  // Check final connection counts
+  const finalOuterConnections = (outerProxy as any).connectionManager.getConnectionCount();
+  const finalInnerConnections = (innerProxy as any).connectionManager.getConnectionCount();
+  
+  console.log(`\nFinal connection counts:`);
+  console.log(`Outer proxy: ${finalOuterConnections}`);
+  console.log(`Inner proxy: ${finalInnerConnections}`);
+  console.log(`Total created: ${connectionsCreated}`);
+  console.log(`Total completed: ${connectionsCompleted}`);
+  
+  // Both proxies should have cleaned up all connections
+  expect(finalOuterConnections).toEqual(0);
+  expect(finalInnerConnections).toEqual(0);
+});
+
+tap.test('cleanup proxies', async () => {
+  await outerProxy.stop();
+  await innerProxy.stop();
+});
+
+export default tap.start();

test/test.proxy-chain-simple.node.ts

@@ -0,0 +1,195 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import * as net from 'net';
+import * as plugins from '../ts/plugins.js';
+
+// Import SmartProxy and configurations
+import { SmartProxy } from '../ts/index.js';
+
+tap.test('simple proxy chain test - identify connection accumulation', async () => {
+  console.log('\n=== Simple Proxy Chain Test ===');
+  console.log('Setup: Client → SmartProxy1 (8590) → SmartProxy2 (8591) → Backend (down)');
+  
+  // Create backend server that accepts and immediately closes connections
+  const backend = net.createServer((socket) => {
+    console.log('Backend: Connection received, closing immediately');
+    socket.destroy();
+  });
+  
+  await new Promise<void>((resolve) => {
+    backend.listen(9998, () => {
+      console.log('✓ Backend server started on port 9998 (closes connections immediately)');
+      resolve();
+    });
+  });
+  
+  // Create SmartProxy2 (downstream)
+  const proxy2 = new SmartProxy({
+    ports: [8591],
+    enableDetailedLogging: true,
+    socketTimeout: 5000,
+    routes: [{
+      name: 'to-backend',
+      match: { ports: 8591 },
+      action: {
+        type: 'forward',
+        target: {
+          host: 'localhost',
+          port: 9998  // Backend that closes immediately
+        }
+      }
+    }]
+  });
+  
+  // Create SmartProxy1 (upstream)
+  const proxy1 = new SmartProxy({
+    ports: [8590],
+    enableDetailedLogging: true,
+    socketTimeout: 5000,
+    routes: [{
+      name: 'to-proxy2',
+      match: { ports: 8590 },
+      action: {
+        type: 'forward',
+        target: {
+          host: 'localhost',
+          port: 8591  // Forward to proxy2
+        }
+      }
+    }]
+  });
+  
+  await proxy2.start();
+  console.log('✓ SmartProxy2 started on port 8591');
+  
+  await proxy1.start();
+  console.log('✓ SmartProxy1 started on port 8590');
+  
+  // Helper to get connection counts
+  const getConnectionCounts = () => {
+    const conn1 = (proxy1 as any).connectionManager;
+    const conn2 = (proxy2 as any).connectionManager;
+    return {
+      proxy1: conn1 ? conn1.getConnectionCount() : 0,
+      proxy2: conn2 ? conn2.getConnectionCount() : 0
+    };
+  };
+  
+  console.log('\n--- Making 5 sequential connections ---');
+  
+  for (let i = 0; i < 5; i++) {
+    console.log(`\n=== Connection ${i + 1} ===`);
+    
+    const counts = getConnectionCounts();
+    console.log(`Before: Proxy1=${counts.proxy1}, Proxy2=${counts.proxy2}`);
+    
+    await new Promise<void>((resolve) => {
+      const client = new net.Socket();
+      let dataReceived = false;
+      
+      client.on('data', (data) => {
+        console.log(`Client received data: ${data.toString()}`);
+        dataReceived = true;
+      });
+      
+      client.on('error', (err) => {
+        console.log(`Client error: ${err.code}`);
+        resolve();
+      });
+      
+      client.on('close', () => {
+        console.log(`Client closed (data received: ${dataReceived})`);
+        resolve();
+      });
+      
+      client.connect(8590, 'localhost', () => {
+        console.log('Client connected to Proxy1');
+        // Send HTTP request
+        client.write('GET / HTTP/1.1\r\nHost: test.com\r\n\r\n');
+      });
+      
+      // Timeout
+      setTimeout(() => {
+        if (!client.destroyed) {
+          console.log('Client timeout, destroying');
+          client.destroy();
+        }
+        resolve();
+      }, 2000);
+    });
+    
+    // Wait a bit and check counts
+    await new Promise(resolve => setTimeout(resolve, 500));
+    
+    const afterCounts = getConnectionCounts();
+    console.log(`After: Proxy1=${afterCounts.proxy1}, Proxy2=${afterCounts.proxy2}`);
+    
+    if (afterCounts.proxy1 > 0 || afterCounts.proxy2 > 0) {
+      console.log('⚠️  WARNING: Connections not cleaned up!');
+    }
+  }
+  
+  console.log('\n--- Test with backend completely down ---');
+  
+  // Stop backend
+  backend.close();
+  await new Promise(resolve => setTimeout(resolve, 100));
+  console.log('✓ Backend stopped');
+  
+  // Make more connections with backend down
+  for (let i = 0; i < 3; i++) {
+    console.log(`\n=== Connection ${i + 6} (backend down) ===`);
+    
+    const counts = getConnectionCounts();
+    console.log(`Before: Proxy1=${counts.proxy1}, Proxy2=${counts.proxy2}`);
+    
+    await new Promise<void>((resolve) => {
+      const client = new net.Socket();
+      
+      client.on('error', () => {
+        resolve();
+      });
+      
+      client.on('close', () => {
+        resolve();
+      });
+      
+      client.connect(8590, 'localhost', () => {
+        client.write('GET / HTTP/1.1\r\nHost: test.com\r\n\r\n');
+      });
+      
+      setTimeout(() => {
+        if (!client.destroyed) {
+          client.destroy();
+        }
+        resolve();
+      }, 1000);
+    });
+    
+    await new Promise(resolve => setTimeout(resolve, 500));
+    
+    const afterCounts = getConnectionCounts();
+    console.log(`After: Proxy1=${afterCounts.proxy1}, Proxy2=${afterCounts.proxy2}`);
+  }
+  
+  // Final check
+  console.log('\n--- Final Check ---');
+  await new Promise(resolve => setTimeout(resolve, 1000));
+  
+  const finalCounts = getConnectionCounts();
+  console.log(`Final counts: Proxy1=${finalCounts.proxy1}, Proxy2=${finalCounts.proxy2}`);
+  
+  await proxy1.stop();
+  await proxy2.stop();
+  
+  // Verify
+  if (finalCounts.proxy1 > 0 || finalCounts.proxy2 > 0) {
+    console.log('\n❌ FAIL: Connections accumulated!');
+  } else {
+    console.log('\n✅ PASS: No connection accumulation');
+  }
+  
+  expect(finalCounts.proxy1).toEqual(0);
+  expect(finalCounts.proxy2).toEqual(0);
+});
+
+tap.start();

test/test.proxy-chaining-accumulation.node.ts

@@ -0,0 +1,368 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import * as net from 'net';
+import * as plugins from '../ts/plugins.js';
+
+// Import SmartProxy and configurations
+import { SmartProxy } from '../ts/index.js';
+
+tap.test('should handle proxy chaining without connection accumulation', async () => {
+  console.log('\n=== Testing Proxy Chaining Connection Accumulation ===');
+  console.log('Setup: Client → SmartProxy1 → SmartProxy2 → Backend (down)');
+  
+  // Create SmartProxy2 (downstream proxy)
+  const proxy2 = new SmartProxy({
+    ports: [8581],
+    enableDetailedLogging: false,
+    socketTimeout: 5000,
+    routes: [{
+      name: 'backend-route',
+      match: { ports: 8581 },
+      action: {
+        type: 'forward',
+        target: {
+          host: 'localhost',
+          port: 9999  // Non-existent backend
+        }
+      }
+    }]
+  });
+  
+  // Create SmartProxy1 (upstream proxy)
+  const proxy1 = new SmartProxy({
+    ports: [8580],
+    enableDetailedLogging: false,
+    socketTimeout: 5000,
+    routes: [{
+      name: 'chain-route',
+      match: { ports: 8580 },
+      action: {
+        type: 'forward',
+        target: {
+          host: 'localhost',
+          port: 8581  // Forward to proxy2
+        }
+      }
+    }]
+  });
+  
+  // Start both proxies
+  await proxy2.start();
+  console.log('✓ SmartProxy2 started on port 8581');
+  
+  await proxy1.start();
+  console.log('✓ SmartProxy1 started on port 8580');
+  
+  // Helper to get connection counts
+  const getConnectionCounts = () => {
+    const conn1 = (proxy1 as any).connectionManager;
+    const conn2 = (proxy2 as any).connectionManager;
+    return {
+      proxy1: conn1 ? conn1.getConnectionCount() : 0,
+      proxy2: conn2 ? conn2.getConnectionCount() : 0
+    };
+  };
+  
+  const initialCounts = getConnectionCounts();
+  console.log(`\nInitial connection counts - Proxy1: ${initialCounts.proxy1}, Proxy2: ${initialCounts.proxy2}`);
+  
+  // Test 1: Single connection attempt
+  console.log('\n--- Test 1: Single connection through chain ---');
+  
+  await new Promise<void>((resolve) => {
+    const client = new net.Socket();
+    
+    client.on('error', (err) => {
+      console.log(`Client received error: ${err.code}`);
+      resolve();
+    });
+    
+    client.on('close', () => {
+      console.log('Client connection closed');
+      resolve();
+    });
+    
+    client.connect(8580, 'localhost', () => {
+      console.log('Client connected to Proxy1');
+      // Send data to trigger routing
+      client.write('GET / HTTP/1.1\r\nHost: test.com\r\n\r\n');
+    });
+    
+    // Timeout
+    setTimeout(() => {
+      if (!client.destroyed) {
+        client.destroy();
+      }
+      resolve();
+    }, 1000);
+  });
+  
+  // Check connections after single attempt
+  await new Promise(resolve => setTimeout(resolve, 500));
+  let counts = getConnectionCounts();
+  console.log(`After single connection - Proxy1: ${counts.proxy1}, Proxy2: ${counts.proxy2}`);
+  
+  // Test 2: Multiple simultaneous connections
+  console.log('\n--- Test 2: Multiple simultaneous connections ---');
+  
+  const promises = [];
+  for (let i = 0; i < 10; i++) {
+    promises.push(new Promise<void>((resolve) => {
+      const client = new net.Socket();
+      
+      client.on('error', () => {
+        resolve();
+      });
+      
+      client.on('close', () => {
+        resolve();
+      });
+      
+      client.connect(8580, 'localhost', () => {
+        // Send data
+        client.write(`GET /test${i} HTTP/1.1\r\nHost: test.com\r\n\r\n`);
+      });
+      
+      // Timeout
+      setTimeout(() => {
+        if (!client.destroyed) {
+          client.destroy();
+        }
+        resolve();
+      }, 500);
+    }));
+  }
+  
+  await Promise.all(promises);
+  console.log('✓ All simultaneous connections completed');
+  
+  // Check connections
+  counts = getConnectionCounts();
+  console.log(`After simultaneous connections - Proxy1: ${counts.proxy1}, Proxy2: ${counts.proxy2}`);
+  
+  // Test 3: Rapid serial connections (simulating retries)
+  console.log('\n--- Test 3: Rapid serial connections (retries) ---');
+  
+  for (let i = 0; i < 20; i++) {
+    await new Promise<void>((resolve) => {
+      const client = new net.Socket();
+      
+      client.on('error', () => {
+        resolve();
+      });
+      
+      client.on('close', () => {
+        resolve();
+      });
+      
+      client.connect(8580, 'localhost', () => {
+        client.write('GET / HTTP/1.1\r\nHost: test.com\r\n\r\n');
+        // Quick disconnect to simulate retry behavior
+        setTimeout(() => client.destroy(), 50);
+      });
+      
+      // Timeout
+      setTimeout(() => {
+        if (!client.destroyed) {
+          client.destroy();
+        }
+        resolve();
+      }, 200);
+    });
+    
+    if ((i + 1) % 5 === 0) {
+      counts = getConnectionCounts();
+      console.log(`After ${i + 1} retries - Proxy1: ${counts.proxy1}, Proxy2: ${counts.proxy2}`);
+    }
+    
+    // Small delay between retries
+    await new Promise(resolve => setTimeout(resolve, 50));
+  }
+  
+  // Test 4: Long-lived connection attempt
+  console.log('\n--- Test 4: Long-lived connection attempt ---');
+  
+  await new Promise<void>((resolve) => {
+    const client = new net.Socket();
+    
+    client.on('error', () => {
+      resolve();
+    });
+    
+    client.on('close', () => {
+      console.log('Long-lived client closed');
+      resolve();
+    });
+    
+    client.connect(8580, 'localhost', () => {
+      console.log('Long-lived client connected');
+      // Send data periodically
+      const interval = setInterval(() => {
+        if (!client.destroyed && client.writable) {
+          client.write('PING\r\n');
+        } else {
+          clearInterval(interval);
+        }
+      }, 100);
+      
+      // Close after 2 seconds
+      setTimeout(() => {
+        clearInterval(interval);
+        client.destroy();
+      }, 2000);
+    });
+    
+    // Timeout
+    setTimeout(() => {
+      if (!client.destroyed) {
+        client.destroy();
+      }
+      resolve();
+    }, 3000);
+  });
+  
+  // Final check
+  await new Promise(resolve => setTimeout(resolve, 1000));
+  
+  const finalCounts = getConnectionCounts();
+  console.log(`\nFinal connection counts - Proxy1: ${finalCounts.proxy1}, Proxy2: ${finalCounts.proxy2}`);
+  
+  // Monitor for a bit to see if connections are cleaned up
+  console.log('\nMonitoring connection cleanup...');
+  for (let i = 0; i < 3; i++) {
+    await new Promise(resolve => setTimeout(resolve, 500));
+    counts = getConnectionCounts();
+    console.log(`After ${(i + 1) * 0.5}s - Proxy1: ${counts.proxy1}, Proxy2: ${counts.proxy2}`);
+  }
+  
+  // Stop proxies
+  await proxy1.stop();
+  console.log('\n✓ SmartProxy1 stopped');
+  
+  await proxy2.stop();
+  console.log('✓ SmartProxy2 stopped');
+  
+  // Analysis
+  console.log('\n=== Analysis ===');
+  if (finalCounts.proxy1 > 0 || finalCounts.proxy2 > 0) {
+    console.log('❌ FAIL: Connections accumulated!');
+    console.log(`Proxy1 leaked ${finalCounts.proxy1} connections`);
+    console.log(`Proxy2 leaked ${finalCounts.proxy2} connections`);
+  } else {
+    console.log('✅ PASS: No connection accumulation detected');
+  }
+  
+  // Verify
+  expect(finalCounts.proxy1).toEqual(0);
+  expect(finalCounts.proxy2).toEqual(0);
+});
+
+tap.test('should handle proxy chain with HTTP traffic', async () => {
+  console.log('\n=== Testing Proxy Chain with HTTP Traffic ===');
+  
+  // Create SmartProxy2 with HTTP handling
+  const proxy2 = new SmartProxy({
+    ports: [8583],
+    useHttpProxy: [8583],  // Enable HTTP proxy handling
+    httpProxyPort: 8584,
+    enableDetailedLogging: false,
+    routes: [{
+      name: 'http-backend',
+      match: { ports: 8583 },
+      action: {
+        type: 'forward',
+        target: {
+          host: 'localhost',
+          port: 9999  // Non-existent backend
+        }
+      }
+    }]
+  });
+  
+  // Create SmartProxy1 with HTTP handling
+  const proxy1 = new SmartProxy({
+    ports: [8582],
+    useHttpProxy: [8582],  // Enable HTTP proxy handling
+    httpProxyPort: 8585,
+    enableDetailedLogging: false,
+    routes: [{
+      name: 'http-chain',
+      match: { ports: 8582 },
+      action: {
+        type: 'forward',
+        target: {
+          host: 'localhost',
+          port: 8583  // Forward to proxy2
+        }
+      }
+    }]
+  });
+  
+  await proxy2.start();
+  console.log('✓ SmartProxy2 (HTTP) started on port 8583');
+  
+  await proxy1.start();
+  console.log('✓ SmartProxy1 (HTTP) started on port 8582');
+  
+  // Helper to get connection counts
+  const getConnectionCounts = () => {
+    const conn1 = (proxy1 as any).connectionManager;
+    const conn2 = (proxy2 as any).connectionManager;
+    return {
+      proxy1: conn1 ? conn1.getConnectionCount() : 0,
+      proxy2: conn2 ? conn2.getConnectionCount() : 0
+    };
+  };
+  
+  console.log('\nSending HTTP requests through chain...');
+  
+  // Make HTTP requests
+  for (let i = 0; i < 5; i++) {
+    await new Promise<void>((resolve) => {
+      const client = new net.Socket();
+      let responseData = '';
+      
+      client.on('data', (data) => {
+        responseData += data.toString();
+        // Check if we got a complete HTTP response
+        if (responseData.includes('\r\n\r\n')) {
+          console.log(`Response ${i + 1}: ${responseData.split('\r\n')[0]}`);
+          client.destroy();
+        }
+      });
+      
+      client.on('error', () => {
+        resolve();
+      });
+      
+      client.on('close', () => {
+        resolve();
+      });
+      
+      client.connect(8582, 'localhost', () => {
+        client.write(`GET /test${i} HTTP/1.1\r\nHost: test.com\r\nConnection: close\r\n\r\n`);
+      });
+      
+      setTimeout(() => {
+        if (!client.destroyed) {
+          client.destroy();
+        }
+        resolve();
+      }, 1000);
+    });
+    
+    await new Promise(resolve => setTimeout(resolve, 100));
+  }
+  
+  await new Promise(resolve => setTimeout(resolve, 1000));
+  
+  const finalCounts = getConnectionCounts();
+  console.log(`\nFinal HTTP proxy counts - Proxy1: ${finalCounts.proxy1}, Proxy2: ${finalCounts.proxy2}`);
+  
+  await proxy1.stop();
+  await proxy2.stop();
+  
+  expect(finalCounts.proxy1).toEqual(0);
+  expect(finalCounts.proxy2).toEqual(0);
+});
+
+export default tap.start();

test/test.proxy-protocol.ts

@@ -0,0 +1,133 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import * as smartproxy from '../ts/index.js';
+import { ProxyProtocolParser } from '../ts/core/utils/proxy-protocol.js';
+
+tap.test('PROXY protocol v1 parser - valid headers', async () => {
+  // Test TCP4 format
+  const tcp4Header = Buffer.from('PROXY TCP4 192.168.1.1 10.0.0.1 56324 443\r\n', 'ascii');
+  const tcp4Result = ProxyProtocolParser.parse(tcp4Header);
+  
+  expect(tcp4Result.proxyInfo).property('protocol').toEqual('TCP4');
+  expect(tcp4Result.proxyInfo).property('sourceIP').toEqual('192.168.1.1');
+  expect(tcp4Result.proxyInfo).property('sourcePort').toEqual(56324);
+  expect(tcp4Result.proxyInfo).property('destinationIP').toEqual('10.0.0.1');
+  expect(tcp4Result.proxyInfo).property('destinationPort').toEqual(443);
+  expect(tcp4Result.remainingData.length).toEqual(0);
+  
+  // Test TCP6 format
+  const tcp6Header = Buffer.from('PROXY TCP6 2001:db8::1 2001:db8::2 56324 443\r\n', 'ascii');
+  const tcp6Result = ProxyProtocolParser.parse(tcp6Header);
+  
+  expect(tcp6Result.proxyInfo).property('protocol').toEqual('TCP6');
+  expect(tcp6Result.proxyInfo).property('sourceIP').toEqual('2001:db8::1');
+  expect(tcp6Result.proxyInfo).property('sourcePort').toEqual(56324);
+  expect(tcp6Result.proxyInfo).property('destinationIP').toEqual('2001:db8::2');
+  expect(tcp6Result.proxyInfo).property('destinationPort').toEqual(443);
+  
+  // Test UNKNOWN protocol
+  const unknownHeader = Buffer.from('PROXY UNKNOWN\r\n', 'ascii');
+  const unknownResult = ProxyProtocolParser.parse(unknownHeader);
+  
+  expect(unknownResult.proxyInfo).property('protocol').toEqual('UNKNOWN');
+  expect(unknownResult.proxyInfo).property('sourceIP').toEqual('');
+  expect(unknownResult.proxyInfo).property('sourcePort').toEqual(0);
+});
+
+tap.test('PROXY protocol v1 parser - with remaining data', async () => {
+  const headerWithData = Buffer.concat([
+    Buffer.from('PROXY TCP4 192.168.1.1 10.0.0.1 56324 443\r\n', 'ascii'),
+    Buffer.from('GET / HTTP/1.1\r\n', 'ascii')
+  ]);
+  
+  const result = ProxyProtocolParser.parse(headerWithData);
+  
+  expect(result.proxyInfo).property('protocol').toEqual('TCP4');
+  expect(result.proxyInfo).property('sourceIP').toEqual('192.168.1.1');
+  expect(result.remainingData.toString()).toEqual('GET / HTTP/1.1\r\n');
+});
+
+tap.test('PROXY protocol v1 parser - invalid headers', async () => {
+  // Not a PROXY protocol header
+  const notProxy = Buffer.from('GET / HTTP/1.1\r\n', 'ascii');
+  const notProxyResult = ProxyProtocolParser.parse(notProxy);
+  expect(notProxyResult.proxyInfo).toBeNull();
+  expect(notProxyResult.remainingData).toEqual(notProxy);
+  
+  // Invalid protocol
+  expect(() => {
+    ProxyProtocolParser.parse(Buffer.from('PROXY INVALID 1.1.1.1 2.2.2.2 80 443\r\n', 'ascii'));
+  }).toThrow();
+  
+  // Wrong number of fields
+  expect(() => {
+    ProxyProtocolParser.parse(Buffer.from('PROXY TCP4 192.168.1.1 10.0.0.1 56324\r\n', 'ascii'));
+  }).toThrow();
+  
+  // Invalid port
+  expect(() => {
+    ProxyProtocolParser.parse(Buffer.from('PROXY TCP4 192.168.1.1 10.0.0.1 99999 443\r\n', 'ascii'));
+  }).toThrow();
+  
+  // Invalid IP for protocol
+  expect(() => {
+    ProxyProtocolParser.parse(Buffer.from('PROXY TCP4 2001:db8::1 10.0.0.1 56324 443\r\n', 'ascii'));
+  }).toThrow();
+});
+
+tap.test('PROXY protocol v1 parser - incomplete headers', async () => {
+  // Header without terminator
+  const incomplete = Buffer.from('PROXY TCP4 192.168.1.1 10.0.0.1 56324 443', 'ascii');
+  const result = ProxyProtocolParser.parse(incomplete);
+  
+  expect(result.proxyInfo).toBeNull();
+  expect(result.remainingData).toEqual(incomplete);
+  
+  // Header exceeding max length - create a buffer that actually starts with PROXY
+  const longHeader = Buffer.from('PROXY TCP4 ' + '1'.repeat(100), 'ascii');
+  expect(() => {
+    ProxyProtocolParser.parse(longHeader);
+  }).toThrow();
+});
+
+tap.test('PROXY protocol v1 generator', async () => {
+  // Generate TCP4 header
+  const tcp4Info = {
+    protocol: 'TCP4' as const,
+    sourceIP: '192.168.1.1',
+    sourcePort: 56324,
+    destinationIP: '10.0.0.1',
+    destinationPort: 443
+  };
+  
+  const tcp4Header = ProxyProtocolParser.generate(tcp4Info);
+  expect(tcp4Header.toString('ascii')).toEqual('PROXY TCP4 192.168.1.1 10.0.0.1 56324 443\r\n');
+  
+  // Generate TCP6 header
+  const tcp6Info = {
+    protocol: 'TCP6' as const,
+    sourceIP: '2001:db8::1',
+    sourcePort: 56324,
+    destinationIP: '2001:db8::2',
+    destinationPort: 443
+  };
+  
+  const tcp6Header = ProxyProtocolParser.generate(tcp6Info);
+  expect(tcp6Header.toString('ascii')).toEqual('PROXY TCP6 2001:db8::1 2001:db8::2 56324 443\r\n');
+  
+  // Generate UNKNOWN header
+  const unknownInfo = {
+    protocol: 'UNKNOWN' as const,
+    sourceIP: '',
+    sourcePort: 0,
+    destinationIP: '',
+    destinationPort: 0
+  };
+  
+  const unknownHeader = ProxyProtocolParser.generate(unknownInfo);
+  expect(unknownHeader.toString('ascii')).toEqual('PROXY UNKNOWN\r\n');
+});
+
+// Skipping integration tests for now - focus on unit tests
+// Integration tests would require more complex setup and teardown
+
+tap.start();

test/test.race-conditions.node.ts

@@ -1,185 +0,0 @@
-import { expect, tap } from '@git.zone/tstest/tapbundle';
-import { SmartProxy, type IRouteConfig } from '../ts/index.js';
-
-/**
- * Test that concurrent route updates complete successfully and maintain consistency
- * This replaces the previous implementation-specific mutex tests with behavior-based tests
- */
-tap.test('should handle concurrent route updates correctly', async (tools) => {
-  tools.timeout(15000);
-  
-  const initialRoute: IRouteConfig = {
-    name: 'base-route',
-    match: { ports: 8080 },
-    action: {
-      type: 'forward',
-      target: { host: 'localhost', port: 3000 }
-    }
-  };
-  
-  const proxy = new SmartProxy({
-    routes: [initialRoute]
-  });
-  
-  await proxy.start();
-  
-  // Create many concurrent updates to stress test the system
-  const updatePromises: Promise<void>[] = [];
-  const routeNames: string[] = [];
-  
-  // Launch 20 concurrent updates
-  for (let i = 0; i < 20; i++) {
-    const routeName = `concurrent-route-${i}`;
-    routeNames.push(routeName);
-    
-    const updatePromise = proxy.updateRoutes([
-      initialRoute,
-      {
-        name: routeName,
-        match: { ports: 9000 + i },
-        action: {
-          type: 'forward',
-          target: { host: 'localhost', port: 4000 + i }
-        }
-      }
-    ]);
-    
-    updatePromises.push(updatePromise);
-  }
-  
-  // All updates should complete without errors
-  await Promise.all(updatePromises);
-  
-  // Verify the final state is consistent
-  const finalRoutes = proxy.routeManager.getAllRoutes();
-  
-  // Should have base route plus one of the concurrent routes
-  expect(finalRoutes.length).toEqual(2);
-  expect(finalRoutes.some(r => r.name === 'base-route')).toBeTrue();
-  
-  // One of the concurrent routes should have won
-  const concurrentRoute = finalRoutes.find(r => r.name?.startsWith('concurrent-route-'));
-  expect(concurrentRoute).toBeTruthy();
-  expect(routeNames).toContain(concurrentRoute!.name);
-  
-  await proxy.stop();
-});
-
-/**
- * Test rapid sequential route updates
- */
-tap.test('should handle rapid sequential route updates', async (tools) => {
-  tools.timeout(10000);
-  
-  const proxy = new SmartProxy({
-    routes: [{
-      name: 'initial',
-      match: { ports: 8081 },
-      action: {
-        type: 'forward',
-        target: { host: 'localhost', port: 3000 }
-      }
-    }]
-  });
-  
-  await proxy.start();
-  
-  // Perform rapid sequential updates
-  for (let i = 0; i < 10; i++) {
-    await proxy.updateRoutes([{
-      name: 'changing-route',
-      match: { ports: 8081 },
-      action: {
-        type: 'forward',
-        target: { host: 'localhost', port: 3000 + i }
-      }
-    }]);
-  }
-  
-  // Verify final state
-  const finalRoutes = proxy.routeManager.getAllRoutes();
-  expect(finalRoutes.length).toEqual(1);
-  expect(finalRoutes[0].name).toEqual('changing-route');
-  expect((finalRoutes[0].action as any).target.port).toEqual(3009);
-  
-  await proxy.stop();
-});
-
-/**
- * Test that port management remains consistent during concurrent updates
- */
-tap.test('should maintain port consistency during concurrent updates', async (tools) => {
-  tools.timeout(10000);
-  
-  const proxy = new SmartProxy({
-    routes: [{
-      name: 'port-test',
-      match: { ports: 8082 },
-      action: {
-        type: 'forward',
-        target: { host: 'localhost', port: 3000 }
-      }
-    }]
-  });
-  
-  await proxy.start();
-  
-  // Create updates that add and remove ports
-  const updates: Promise<void>[] = [];
-  
-  // Some updates add new ports
-  for (let i = 0; i < 5; i++) {
-    updates.push(proxy.updateRoutes([
-      {
-        name: 'port-test',
-        match: { ports: 8082 },
-        action: {
-          type: 'forward',
-          target: { host: 'localhost', port: 3000 }
-        }
-      },
-      {
-        name: `new-port-${i}`,
-        match: { ports: 9100 + i },
-        action: {
-          type: 'forward',
-          target: { host: 'localhost', port: 4000 + i }
-        }
-      }
-    ]));
-  }
-  
-  // Some updates remove ports
-  for (let i = 0; i < 5; i++) {
-    updates.push(proxy.updateRoutes([
-      {
-        name: 'port-test',
-        match: { ports: 8082 },
-        action: {
-          type: 'forward',
-          target: { host: 'localhost', port: 3000 }
-        }
-      }
-    ]));
-  }
-  
-  // Wait for all updates
-  await Promise.all(updates);
-  
-  // Give time for port cleanup
-  await new Promise(resolve => setTimeout(resolve, 100));
-  
-  // Verify final state
-  const finalRoutes = proxy.routeManager.getAllRoutes();
-  const listeningPorts = proxy['portManager'].getListeningPorts();
-  
-  // Should only have the base port listening
-  expect(listeningPorts).toContain(8082);
-  
-  // Routes should be consistent
-  expect(finalRoutes.some(r => r.name === 'port-test')).toBeTrue();
-  
-  await proxy.stop();
-});
-
-export default tap.start();

test/test.rapid-retry-cleanup.node.ts

@@ -0,0 +1,201 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import * as net from 'net';
+import * as plugins from '../ts/plugins.js';
+
+// Import SmartProxy and configurations
+import { SmartProxy } from '../ts/index.js';
+
+tap.test('should handle rapid connection retries without leaking connections', async () => {
+  console.log('\n=== Testing Rapid Connection Retry Cleanup ===');
+  
+  // Create a SmartProxy instance
+  const proxy = new SmartProxy({
+    ports: [8550],
+    enableDetailedLogging: false,
+    maxConnectionLifetime: 10000,
+    socketTimeout: 5000,
+    routes: [{
+      name: 'test-route',
+      match: { ports: 8550 },
+      action: {
+        type: 'forward',
+        target: {
+          host: 'localhost',
+          port: 9999  // Non-existent port to force connection failures
+        }
+      }
+    }]
+  });
+  
+  // Start the proxy
+  await proxy.start();
+  console.log('✓ Proxy started on port 8550');
+  
+  // Helper to get active connection count
+  const getActiveConnections = () => {
+    const connectionManager = (proxy as any).connectionManager;
+    return connectionManager ? connectionManager.getConnectionCount() : 0;
+  };
+  
+  // Track connection counts
+  const connectionCounts: number[] = [];
+  const initialCount = getActiveConnections();
+  console.log(`Initial connection count: ${initialCount}`);
+  
+  // Simulate rapid retries
+  const retryCount = 20;
+  const retryDelay = 50; // 50ms between retries
+  let successfulConnections = 0;
+  let failedConnections = 0;
+  
+  console.log(`\nSimulating ${retryCount} rapid connection attempts...`);
+  
+  for (let i = 0; i < retryCount; i++) {
+    await new Promise<void>((resolve) => {
+      const client = new net.Socket();
+      
+      client.on('error', () => {
+        failedConnections++;
+        client.destroy();
+        resolve();
+      });
+      
+      client.on('close', () => {
+        resolve();
+      });
+      
+      client.connect(8550, 'localhost', () => {
+        // Send some data to trigger routing
+        client.write('GET / HTTP/1.1\r\nHost: test.com\r\n\r\n');
+        successfulConnections++;
+      });
+      
+      // Force close after a short time
+      setTimeout(() => {
+        if (!client.destroyed) {
+          client.destroy();
+        }
+      }, 100);
+    });
+    
+    // Small delay between retries
+    await new Promise(resolve => setTimeout(resolve, retryDelay));
+    
+    // Check connection count after each attempt
+    const currentCount = getActiveConnections();
+    connectionCounts.push(currentCount);
+    
+    if ((i + 1) % 5 === 0) {
+      console.log(`After ${i + 1} attempts: ${currentCount} active connections`);
+    }
+  }
+  
+  console.log(`\nConnection attempts complete:`);
+  console.log(`- Successful: ${successfulConnections}`);
+  console.log(`- Failed: ${failedConnections}`);
+  
+  // Wait a bit for any pending cleanups
+  console.log('\nWaiting for cleanup...');
+  await new Promise(resolve => setTimeout(resolve, 1000));
+  
+  // Check final connection count
+  const finalCount = getActiveConnections();
+  console.log(`\nFinal connection count: ${finalCount}`);
+  
+  // Analyze connection count trend
+  const maxCount = Math.max(...connectionCounts);
+  const avgCount = connectionCounts.reduce((a, b) => a + b, 0) / connectionCounts.length;
+  
+  console.log(`\nConnection count statistics:`);
+  console.log(`- Maximum: ${maxCount}`);
+  console.log(`- Average: ${avgCount.toFixed(2)}`);
+  console.log(`- Initial: ${initialCount}`);
+  console.log(`- Final: ${finalCount}`);
+  
+  // Stop the proxy
+  await proxy.stop();
+  console.log('\n✓ Proxy stopped');
+  
+  // Verify results
+  expect(finalCount).toEqual(initialCount);
+  expect(maxCount).toBeLessThan(10); // Should not accumulate many connections
+  
+  console.log('\n✅ PASS: Connection cleanup working correctly under rapid retries!');
+});
+
+tap.test('should handle routing failures without leaking connections', async () => {
+  console.log('\n=== Testing Routing Failure Cleanup ===');
+  
+  // Create a SmartProxy instance with no routes
+  const proxy = new SmartProxy({
+    ports: [8551],
+    enableDetailedLogging: false,
+    maxConnectionLifetime: 10000,
+    socketTimeout: 5000,
+    routes: [] // No routes - all connections will fail routing
+  });
+  
+  // Start the proxy
+  await proxy.start();
+  console.log('✓ Proxy started on port 8551 with no routes');
+  
+  // Helper to get active connection count
+  const getActiveConnections = () => {
+    const connectionManager = (proxy as any).connectionManager;
+    return connectionManager ? connectionManager.getConnectionCount() : 0;
+  };
+  
+  const initialCount = getActiveConnections();
+  console.log(`Initial connection count: ${initialCount}`);
+  
+  // Create multiple connections that will fail routing
+  const connectionPromises = [];
+  for (let i = 0; i < 10; i++) {
+    connectionPromises.push(new Promise<void>((resolve) => {
+      const client = new net.Socket();
+      
+      client.on('error', () => {
+        client.destroy();
+        resolve();
+      });
+      
+      client.on('close', () => {
+        resolve();
+      });
+      
+      client.connect(8551, 'localhost', () => {
+        // Send data to trigger routing (which will fail)
+        client.write('GET / HTTP/1.1\r\nHost: test.com\r\n\r\n');
+      });
+      
+      // Force close after a short time
+      setTimeout(() => {
+        if (!client.destroyed) {
+          client.destroy();
+        }
+        resolve();
+      }, 500);
+    }));
+  }
+  
+  // Wait for all connections to complete
+  await Promise.all(connectionPromises);
+  console.log('✓ All connection attempts completed');
+  
+  // Wait for cleanup
+  await new Promise(resolve => setTimeout(resolve, 500));
+  
+  const finalCount = getActiveConnections();
+  console.log(`Final connection count: ${finalCount}`);
+  
+  // Stop the proxy
+  await proxy.stop();
+  console.log('✓ Proxy stopped');
+  
+  // Verify no connections leaked
+  expect(finalCount).toEqual(initialCount);
+  
+  console.log('\n✅ PASS: Routing failures cleaned up correctly!');
+});
+
+tap.start();

test/test.route-utils.ts

@@ -434,11 +434,12 @@ tap.test('Route Matching - routeMatchesPath', async () => {
     }
   };
   
-  const trailingSlashPathRoute: IRouteConfig = {
+  // Test prefix matching with wildcard (not trailing slash)
+  const prefixPathRoute: IRouteConfig = {
     match: {
-      domains: 'example.com',
+      domains: 'example.com', 
       ports: 80,
-      path: '/api/'
+      path: '/api/*'
     },
     action: {
       type: 'forward',
@@ -469,10 +470,10 @@ tap.test('Route Matching - routeMatchesPath', async () => {
   expect(routeMatchesPath(exactPathRoute, '/api/users')).toBeFalse();
   expect(routeMatchesPath(exactPathRoute, '/app')).toBeFalse();
   
-  // Test trailing slash path matching
-  expect(routeMatchesPath(trailingSlashPathRoute, '/api/')).toBeTrue();
-  expect(routeMatchesPath(trailingSlashPathRoute, '/api/users')).toBeTrue();
-  expect(routeMatchesPath(trailingSlashPathRoute, '/app/')).toBeFalse();
+  // Test prefix path matching with wildcard
+  expect(routeMatchesPath(prefixPathRoute, '/api/')).toBeFalse(); // Wildcard requires content after /api/
+  expect(routeMatchesPath(prefixPathRoute, '/api/users')).toBeTrue();
+  expect(routeMatchesPath(prefixPathRoute, '/app/')).toBeFalse();
   
   // Test wildcard path matching
   expect(routeMatchesPath(wildcardPathRoute, '/api/users')).toBeTrue();

test/test.router.ts

@@ -1,10 +1,10 @@
 import { expect, tap } from '@git.zone/tstest/tapbundle';
-import * as tsclass from '@tsclass/tsclass';
 import * as http from 'http';
-import { ProxyRouter, type RouterResult } from '../ts/routing/router/proxy-router.js';
+import { HttpRouter, type RouterResult } from '../ts/routing/router/http-router.js';
+import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
 
 // Test proxies and configurations
-let router: ProxyRouter;
+let router: HttpRouter;
 
 // Sample hostname for testing
 const TEST_DOMAIN = 'example.com';
@@ -23,33 +23,40 @@ function createMockRequest(host: string, url: string = '/'): http.IncomingMessag
   return req;
 }
 
-// Helper: Creates a test proxy configuration
-function createProxyConfig(
+// Helper: Creates a test route configuration
+function createRouteConfig(
   hostname: string, 
   destinationIp: string = '10.0.0.1',
   destinationPort: number = 8080
-): tsclass.network.IReverseProxyConfig {
+): IRouteConfig {
   return {
-    hostName: hostname,
-    publicKey: 'mock-cert',
-    privateKey: 'mock-key',
-    destinationIps: [destinationIp],
-    destinationPorts: [destinationPort],
-  } as tsclass.network.IReverseProxyConfig;
+    name: `route-${hostname}`,
+    match: {
+      domains: [hostname],
+      ports: 443
+    },
+    action: {
+      type: 'forward',
+      target: {
+        host: destinationIp,
+        port: destinationPort
+      }
+    }
+  };
 }
 
-// SETUP: Create a ProxyRouter instance
-tap.test('setup proxy router test environment', async () => {
-  router = new ProxyRouter();
+// SETUP: Create an HttpRouter instance
+tap.test('setup http router test environment', async () => {
+  router = new HttpRouter();
   
   // Initialize with empty config
-  router.setNewProxyConfigs([]);
+  router.setRoutes([]);
 });
 
 // Test basic routing by hostname
 tap.test('should route requests by hostname', async () => {
-  const config = createProxyConfig(TEST_DOMAIN);
-  router.setNewProxyConfigs([config]);
+  const config = createRouteConfig(TEST_DOMAIN);
+  router.setRoutes([config]);
   
   const req = createMockRequest(TEST_DOMAIN);
   const result = router.routeReq(req);
@@ -60,8 +67,8 @@ tap.test('should route requests by hostname', async () => {
 
 // Test handling of hostname with port number
 tap.test('should handle hostname with port number', async () => {
-  const config = createProxyConfig(TEST_DOMAIN);
-  router.setNewProxyConfigs([config]);
+  const config = createRouteConfig(TEST_DOMAIN);
+  router.setRoutes([config]);
   
   const req = createMockRequest(`${TEST_DOMAIN}:443`);
   const result = router.routeReq(req);
@@ -72,8 +79,8 @@ tap.test('should handle hostname with port number', async () => {
 
 // Test case-insensitive hostname matching
 tap.test('should perform case-insensitive hostname matching', async () => {
-  const config = createProxyConfig(TEST_DOMAIN.toLowerCase());
-  router.setNewProxyConfigs([config]);
+  const config = createRouteConfig(TEST_DOMAIN.toLowerCase());
+  router.setRoutes([config]);
   
   const req = createMockRequest(TEST_DOMAIN.toUpperCase());
   const result = router.routeReq(req);
@@ -84,8 +91,8 @@ tap.test('should perform case-insensitive hostname matching', async () => {
 
 // Test handling of unmatched hostnames
 tap.test('should return undefined for unmatched hostnames', async () => {
-  const config = createProxyConfig(TEST_DOMAIN);
-  router.setNewProxyConfigs([config]);
+  const config = createRouteConfig(TEST_DOMAIN);
+  router.setRoutes([config]);
   
   const req = createMockRequest('unknown.domain.com');
   const result = router.routeReq(req);
@@ -95,18 +102,16 @@ tap.test('should return undefined for unmatched hostnames', async () => {
 
 // Test adding path patterns
 tap.test('should match requests using path patterns', async () => {
-  const config = createProxyConfig(TEST_DOMAIN);
-  router.setNewProxyConfigs([config]);
-  
-  // Add a path pattern to the config
-  router.setPathPattern(config, '/api/users');
+  const config = createRouteConfig(TEST_DOMAIN);
+  config.match.path = '/api/users';
+  router.setRoutes([config]);
   
   // Test that path matches
   const req1 = createMockRequest(TEST_DOMAIN, '/api/users');
   const result1 = router.routeReqWithDetails(req1);
   
   expect(result1).toBeTruthy();
-  expect(result1.config).toEqual(config);
+  expect(result1.route).toEqual(config);
   expect(result1.pathMatch).toEqual('/api/users');
   
   // Test that non-matching path doesn't match
@@ -118,17 +123,16 @@ tap.test('should match requests using path patterns', async () => {
 
 // Test handling wildcard patterns
 tap.test('should support wildcard path patterns', async () => {
-  const config = createProxyConfig(TEST_DOMAIN);
-  router.setNewProxyConfigs([config]);
-  
-  router.setPathPattern(config, '/api/*');
+  const config = createRouteConfig(TEST_DOMAIN);
+  config.match.path = '/api/*';
+  router.setRoutes([config]);
   
   // Test with path that matches the wildcard pattern
   const req = createMockRequest(TEST_DOMAIN, '/api/users/123');
   const result = router.routeReqWithDetails(req);
   
   expect(result).toBeTruthy();
-  expect(result.config).toEqual(config);
+  expect(result.route).toEqual(config);
   expect(result.pathMatch).toEqual('/api');
   
   // Print the actual value to diagnose issues
@@ -139,31 +143,31 @@ tap.test('should support wildcard path patterns', async () => {
 
 // Test extracting path parameters
 tap.test('should extract path parameters from URL', async () => {
-  const config = createProxyConfig(TEST_DOMAIN);
-  router.setNewProxyConfigs([config]);
-  
-  router.setPathPattern(config, '/users/:id/profile');
+  const config = createRouteConfig(TEST_DOMAIN);
+  config.match.path = '/users/:id/profile';
+  router.setRoutes([config]);
   
   const req = createMockRequest(TEST_DOMAIN, '/users/123/profile');
   const result = router.routeReqWithDetails(req);
   
   expect(result).toBeTruthy();
-  expect(result.config).toEqual(config);
+  expect(result.route).toEqual(config);
   expect(result.pathParams).toBeTruthy();
   expect(result.pathParams.id).toEqual('123');
 });
 
 // Test multiple configs for same hostname with different paths
 tap.test('should support multiple configs for same hostname with different paths', async () => {
-  const apiConfig = createProxyConfig(TEST_DOMAIN, '10.0.0.1', 8001);
-  const webConfig = createProxyConfig(TEST_DOMAIN, '10.0.0.2', 8002);
+  const apiConfig = createRouteConfig(TEST_DOMAIN, '10.0.0.1', 8001);
+  apiConfig.match.path = '/api';
+  apiConfig.name = 'api-route';
+  
+  const webConfig = createRouteConfig(TEST_DOMAIN, '10.0.0.2', 8002);
+  webConfig.match.path = '/web';
+  webConfig.name = 'web-route';
   
   // Add both configs
-  router.setNewProxyConfigs([apiConfig, webConfig]);
-  
-  // Set different path patterns
-  router.setPathPattern(apiConfig, '/api');
-  router.setPathPattern(webConfig, '/web');
+  router.setRoutes([apiConfig, webConfig]);
   
   // Test API path routes to API config
   const apiReq = createMockRequest(TEST_DOMAIN, '/api/users');
@@ -186,8 +190,8 @@ tap.test('should support multiple configs for same hostname with different paths
 
 // Test wildcard subdomains
 tap.test('should match wildcard subdomains', async () => {
-  const wildcardConfig = createProxyConfig(TEST_WILDCARD);
-  router.setNewProxyConfigs([wildcardConfig]);
+  const wildcardConfig = createRouteConfig(TEST_WILDCARD);
+  router.setRoutes([wildcardConfig]);
   
   // Test that subdomain.example.com matches *.example.com
   const req = createMockRequest('subdomain.example.com');
@@ -199,8 +203,8 @@ tap.test('should match wildcard subdomains', async () => {
 
 // Test TLD wildcards (example.*)
 tap.test('should match TLD wildcards', async () => {
-  const tldWildcardConfig = createProxyConfig('example.*');
-  router.setNewProxyConfigs([tldWildcardConfig]);
+  const tldWildcardConfig = createRouteConfig('example.*');
+  router.setRoutes([tldWildcardConfig]);
   
   // Test that example.com matches example.*
   const req1 = createMockRequest('example.com');
@@ -222,8 +226,8 @@ tap.test('should match TLD wildcards', async () => {
 
 // Test complex pattern matching (*.lossless*)
 tap.test('should match complex wildcard patterns', async () => {
-  const complexWildcardConfig = createProxyConfig('*.lossless*');
-  router.setNewProxyConfigs([complexWildcardConfig]);
+  const complexWildcardConfig = createRouteConfig('*.lossless*');
+  router.setRoutes([complexWildcardConfig]);
   
   // Test that sub.lossless.com matches *.lossless*
   const req1 = createMockRequest('sub.lossless.com');
@@ -245,10 +249,10 @@ tap.test('should match complex wildcard patterns', async () => {
 
 // Test default configuration fallback
 tap.test('should fall back to default configuration', async () => {
-  const defaultConfig = createProxyConfig('*');
-  const specificConfig = createProxyConfig(TEST_DOMAIN);
+  const defaultConfig = createRouteConfig('*');
+  const specificConfig = createRouteConfig(TEST_DOMAIN);
   
-  router.setNewProxyConfigs([defaultConfig, specificConfig]);
+  router.setRoutes([defaultConfig, specificConfig]);
   
   // Test specific domain routes to specific config
   const specificReq = createMockRequest(TEST_DOMAIN);
@@ -265,10 +269,10 @@ tap.test('should fall back to default configuration', async () => {
 
 // Test priority between exact and wildcard matches
 tap.test('should prioritize exact hostname over wildcard', async () => {
-  const wildcardConfig = createProxyConfig(TEST_WILDCARD);
-  const exactConfig = createProxyConfig(TEST_SUBDOMAIN);
+  const wildcardConfig = createRouteConfig(TEST_WILDCARD);
+  const exactConfig = createRouteConfig(TEST_SUBDOMAIN);
   
-  router.setNewProxyConfigs([wildcardConfig, exactConfig]);
+  router.setRoutes([wildcardConfig, exactConfig]);
   
   // Test that exact match takes priority
   const req = createMockRequest(TEST_SUBDOMAIN);
@@ -279,11 +283,11 @@ tap.test('should prioritize exact hostname over wildcard', async () => {
 
 // Test adding and removing configurations
 tap.test('should manage configurations correctly', async () => {
-  router.setNewProxyConfigs([]);
+  router.setRoutes([]);
   
   // Add a config
-  const config = createProxyConfig(TEST_DOMAIN);
-  router.addProxyConfig(config);
+  const config = createRouteConfig(TEST_DOMAIN);
+  router.setRoutes([config]);
   
   // Verify routing works
   const req = createMockRequest(TEST_DOMAIN);
@@ -292,8 +296,7 @@ tap.test('should manage configurations correctly', async () => {
   expect(result).toEqual(config);
   
   // Remove the config and verify it no longer routes
-  const removed = router.removeProxyConfig(TEST_DOMAIN);
-  expect(removed).toBeTrue();
+  router.setRoutes([]);
   
   result = router.routeReq(req);
   expect(result).toBeUndefined();
@@ -301,13 +304,16 @@ tap.test('should manage configurations correctly', async () => {
 
 // Test path pattern specificity
 tap.test('should prioritize more specific path patterns', async () => {
-  const genericConfig = createProxyConfig(TEST_DOMAIN, '10.0.0.1', 8001);
-  const specificConfig = createProxyConfig(TEST_DOMAIN, '10.0.0.2', 8002);
+  const genericConfig = createRouteConfig(TEST_DOMAIN, '10.0.0.1', 8001);
+  genericConfig.match.path = '/api/*';
+  genericConfig.name = 'generic-api';
   
-  router.setNewProxyConfigs([genericConfig, specificConfig]);
+  const specificConfig = createRouteConfig(TEST_DOMAIN, '10.0.0.2', 8002);
+  specificConfig.match.path = '/api/users';
+  specificConfig.name = 'specific-api';
+  specificConfig.priority = 10; // Higher priority
   
-  router.setPathPattern(genericConfig, '/api/*');
-  router.setPathPattern(specificConfig, '/api/users');
+  router.setRoutes([genericConfig, specificConfig]);
   
   // The more specific '/api/users' should match before the '/api/*' wildcard
   const req = createMockRequest(TEST_DOMAIN, '/api/users');
@@ -316,24 +322,29 @@ tap.test('should prioritize more specific path patterns', async () => {
   expect(result).toEqual(specificConfig);
 });
 
-// Test getHostnames method
-tap.test('should retrieve all configured hostnames', async () => {
-  router.setNewProxyConfigs([
-    createProxyConfig(TEST_DOMAIN),
-    createProxyConfig(TEST_SUBDOMAIN)
-  ]);
+// Test multiple hostnames
+tap.test('should handle multiple configured hostnames', async () => {
+  const routes = [
+    createRouteConfig(TEST_DOMAIN),
+    createRouteConfig(TEST_SUBDOMAIN)
+  ];
+  router.setRoutes(routes);
   
-  const hostnames = router.getHostnames();
+  // Test first domain routes correctly
+  const req1 = createMockRequest(TEST_DOMAIN);
+  const result1 = router.routeReq(req1);
+  expect(result1).toEqual(routes[0]);
   
-  expect(hostnames.length).toEqual(2);
-  expect(hostnames).toContain(TEST_DOMAIN.toLowerCase());
-  expect(hostnames).toContain(TEST_SUBDOMAIN.toLowerCase());
+  // Test second domain routes correctly
+  const req2 = createMockRequest(TEST_SUBDOMAIN);
+  const result2 = router.routeReq(req2);
+  expect(result2).toEqual(routes[1]);
 });
 
 // Test handling missing host header
 tap.test('should handle missing host header', async () => {
-  const defaultConfig = createProxyConfig('*');
-  router.setNewProxyConfigs([defaultConfig]);
+  const defaultConfig = createRouteConfig('*');
+  router.setRoutes([defaultConfig]);
   
   const req = createMockRequest('');
   req.headers.host = undefined;
@@ -345,16 +356,15 @@ tap.test('should handle missing host header', async () => {
 
 // Test complex path parameters
 tap.test('should handle complex path parameters', async () => {
-  const config = createProxyConfig(TEST_DOMAIN);
-  router.setNewProxyConfigs([config]);
-  
-  router.setPathPattern(config, '/api/:version/users/:userId/posts/:postId');
+  const config = createRouteConfig(TEST_DOMAIN);
+  config.match.path = '/api/:version/users/:userId/posts/:postId';
+  router.setRoutes([config]);
   
   const req = createMockRequest(TEST_DOMAIN, '/api/v1/users/123/posts/456');
   const result = router.routeReqWithDetails(req);
   
   expect(result).toBeTruthy();
-  expect(result.config).toEqual(config);
+  expect(result.route).toEqual(config);
   expect(result.pathParams).toBeTruthy();
   expect(result.pathParams.version).toEqual('v1');
   expect(result.pathParams.userId).toEqual('123');
@@ -367,10 +377,10 @@ tap.test('should handle many configurations efficiently', async () => {
   
   // Create many configs with different hostnames
   for (let i = 0; i < 100; i++) {
-    configs.push(createProxyConfig(`host-${i}.example.com`));
+    configs.push(createRouteConfig(`host-${i}.example.com`));
   }
   
-  router.setNewProxyConfigs(configs);
+  router.setRoutes(configs);
   
   // Test middle of the list to avoid best/worst case
   const req = createMockRequest('host-50.example.com');
@@ -382,11 +392,12 @@ tap.test('should handle many configurations efficiently', async () => {
 // Test cleanup
 tap.test('cleanup proxy router test environment', async () => {
   // Clear all configurations
-  router.setNewProxyConfigs([]);
+  router.setRoutes([]);
   
-  // Verify empty state
-  expect(router.getHostnames().length).toEqual(0);
-  expect(router.getProxyConfigs().length).toEqual(0);
+  // Verify empty state by testing that no routes match
+  const req = createMockRequest(TEST_DOMAIN);
+  const result = router.routeReq(req);
+  expect(result).toBeUndefined();
 });
 
 export default tap.start();

test/test.simple-acme-mock.ts

@@ -1,88 +0,0 @@
-import { tap, expect } from '@git.zone/tstest/tapbundle';
-import { SmartProxy } from '../ts/index.js';
-
-/**
- * Simple test to check route manager initialization with ACME
- */
-tap.test('should properly initialize with ACME configuration', async (tools) => {
-  const settings = {
-    routes: [
-      {
-        name: 'secure-route', 
-        match: {
-          ports: [8443],
-          domains: 'test.example.com'
-        },
-        action: {
-          type: 'forward' as const,
-          target: { host: 'localhost', port: 8080 },
-          tls: {
-            mode: 'terminate' as const,
-            certificate: 'auto' as const,
-            acme: {
-              email: 'ssl@bleu.de',
-              challengePort: 8080
-            }
-          }
-        }
-      }
-    ],
-    acme: {
-      email: 'ssl@bleu.de',
-      port: 8080,
-      useProduction: false,
-      enabled: true
-    }
-  };
-  
-  const proxy = new SmartProxy(settings);
-  
-  // Replace the certificate manager creation to avoid real ACME requests
-  (proxy as any).createCertificateManager = async () => {
-    return {
-      setUpdateRoutesCallback: () => {},
-      setHttpProxy: () => {},
-      setGlobalAcmeDefaults: () => {},
-      setAcmeStateManager: () => {},
-      initialize: async () => {
-        // Using logger would be better but in test we'll keep console.log
-        console.log('Mock certificate manager initialized');
-      },
-      provisionAllCertificates: async () => {
-        console.log('Mock certificate provisioning');
-      },
-      stop: async () => {
-        console.log('Mock certificate manager stopped');
-      }
-    };
-  };
-  
-  // Mock NFTables
-  (proxy as any).nftablesManager = {
-    provisionRoute: async () => {},
-    deprovisionRoute: async () => {},
-    updateRoute: async () => {},
-    getStatus: async () => ({}),
-    stop: async () => {}
-  };
-  
-  await proxy.start();
-  
-  // Verify proxy started successfully
-  expect(proxy).toBeDefined();
-  
-  // Verify route manager has routes
-  const routeManager = (proxy as any).routeManager;
-  expect(routeManager).toBeDefined();
-  expect(routeManager.getAllRoutes().length).toBeGreaterThan(0);
-  
-  // Verify the route exists with correct domain
-  const routes = routeManager.getAllRoutes();
-  const secureRoute = routes.find((r: any) => r.name === 'secure-route');
-  expect(secureRoute).toBeDefined();
-  expect(secureRoute.match.domains).toEqual('test.example.com');
-  
-  await proxy.stop();
-});
-
-tap.start();

test/test.stuck-connection-cleanup.node.ts

@@ -0,0 +1,144 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import * as net from 'net';
+import { SmartProxy } from '../ts/index.js';
+import * as plugins from '../ts/plugins.js';
+
+tap.test('stuck connection cleanup - verify connections to hanging backends are cleaned up', async (tools) => {
+  console.log('\n=== Stuck Connection Cleanup Test ===');
+  console.log('Purpose: Verify that connections to backends that accept but never respond are cleaned up');
+  
+  // Create a hanging backend that accepts connections but never responds
+  let backendConnections = 0;
+  const hangingBackend = net.createServer((socket) => {
+    backendConnections++;
+    console.log(`Hanging backend: Connection ${backendConnections} received`);
+    // Accept the connection but never send any data back
+    // This simulates a hung backend service
+  });
+  
+  await new Promise<void>((resolve) => {
+    hangingBackend.listen(9997, () => {
+      console.log('✓ Hanging backend started on port 9997');
+      resolve();
+    });
+  });
+  
+  // Create proxy that forwards to hanging backend
+  const proxy = new SmartProxy({
+    routes: [{
+      name: 'to-hanging-backend',
+      match: { ports: 8589 },
+      action: {
+        type: 'forward',
+        target: { host: 'localhost', port: 9997 }
+      }
+    }],
+    keepAlive: true,
+    enableDetailedLogging: false,
+    inactivityTimeout: 5000, // 5 second inactivity check interval for faster testing
+  });
+  
+  await proxy.start();
+  console.log('✓ Proxy started on port 8589');
+  
+  // Create connections that will get stuck
+  console.log('\n--- Creating connections to hanging backend ---');
+  const clients: net.Socket[] = [];
+  
+  for (let i = 0; i < 5; i++) {
+    const client = net.connect(8589, 'localhost');
+    clients.push(client);
+    
+    await new Promise<void>((resolve) => {
+      client.on('connect', () => {
+        console.log(`Client ${i} connected`);
+        // Send data that will never get a response
+        client.write(`GET / HTTP/1.1\r\nHost: localhost\r\n\r\n`);
+        resolve();
+      });
+      
+      client.on('error', (err) => {
+        console.log(`Client ${i} error: ${err.message}`);
+        resolve();
+      });
+    });
+  }
+  
+  // Wait a moment for connections to establish
+  await plugins.smartdelay.delayFor(1000);
+  
+  // Check initial connection count
+  const initialCount = (proxy as any).connectionManager.getConnectionCount();
+  console.log(`\nInitial connection count: ${initialCount}`);
+  expect(initialCount).toEqual(5);
+  
+  // Get connection details
+  const connections = (proxy as any).connectionManager.getConnections();
+  let stuckCount = 0;
+  
+  for (const [id, record] of connections) {
+    if (record.bytesReceived > 0 && record.bytesSent === 0) {
+      stuckCount++;
+      console.log(`Stuck connection ${id}: received=${record.bytesReceived}, sent=${record.bytesSent}`);
+    }
+  }
+  
+  console.log(`Stuck connections found: ${stuckCount}`);
+  expect(stuckCount).toEqual(5);
+  
+  // Wait for inactivity check to run (it checks every 30s by default, but we set it to 5s)
+  console.log('\n--- Waiting for stuck connection detection (65 seconds) ---');
+  console.log('Note: Stuck connections are cleaned up after 60 seconds with no response');
+  
+  // Speed up time by manually triggering inactivity check after simulating time passage
+  // First, age the connections by updating their timestamps
+  const now = Date.now();
+  for (const [id, record] of connections) {
+    // Simulate that these connections are 61 seconds old
+    record.incomingStartTime = now - 61000;
+    record.lastActivity = now - 61000;
+  }
+  
+  // Manually trigger inactivity check
+  console.log('Manually triggering inactivity check...');
+  (proxy as any).connectionManager.performOptimizedInactivityCheck();
+  
+  // Wait for cleanup to complete
+  await plugins.smartdelay.delayFor(1000);
+  
+  // Check connection count after cleanup
+  const afterCleanupCount = (proxy as any).connectionManager.getConnectionCount();
+  console.log(`\nConnection count after cleanup: ${afterCleanupCount}`);
+  
+  // Verify termination stats
+  const stats = (proxy as any).connectionManager.getTerminationStats();
+  console.log('\nTermination stats:', stats);
+  
+  // All connections should be cleaned up as "stuck_no_response"
+  expect(afterCleanupCount).toEqual(0);
+  
+  // The termination reason might be under incoming or general stats
+  const stuckCleanups = (stats.incoming.stuck_no_response || 0) + 
+                       (stats.outgoing?.stuck_no_response || 0);
+  console.log(`Stuck cleanups detected: ${stuckCleanups}`);
+  expect(stuckCleanups).toBeGreaterThan(0);
+  
+  // Verify clients were disconnected
+  let closedClients = 0;
+  for (const client of clients) {
+    if (client.destroyed) {
+      closedClients++;
+    }
+  }
+  console.log(`Closed clients: ${closedClients}/5`);
+  expect(closedClients).toEqual(5);
+  
+  // Cleanup
+  console.log('\n--- Cleanup ---');
+  await proxy.stop();
+  hangingBackend.close();
+  
+  console.log('✓ Test complete: Stuck connections are properly detected and cleaned up');
+});
+
+tap.start();

test/test.wrapped-socket.ts

@@ -0,0 +1,366 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import * as plugins from '../ts/plugins.js';
+import { WrappedSocket } from '../ts/core/models/wrapped-socket.js';
+import * as net from 'net';
+
+tap.test('WrappedSocket - should wrap a regular socket', async () => {
+  // Create a simple test server
+  const server = net.createServer();
+  await new Promise<void>((resolve) => {
+    server.listen(0, 'localhost', () => resolve());
+  });
+  
+  const serverPort = (server.address() as net.AddressInfo).port;
+  
+  // Create a client connection
+  const clientSocket = net.connect(serverPort, 'localhost');
+  
+  // Wrap the socket
+  const wrappedSocket = new WrappedSocket(clientSocket);
+  
+  // Test initial state - should use underlying socket values
+  expect(wrappedSocket.remoteAddress).toEqual(clientSocket.remoteAddress);
+  expect(wrappedSocket.remotePort).toEqual(clientSocket.remotePort);
+  expect(wrappedSocket.localAddress).toEqual(clientSocket.localAddress);
+  expect(wrappedSocket.localPort).toEqual(clientSocket.localPort);
+  expect(wrappedSocket.isFromTrustedProxy).toBeFalse();
+  
+  // Clean up
+  clientSocket.destroy();
+  server.close();
+});
+
+tap.test('WrappedSocket - should provide real client info when set', async () => {
+  // Create a simple test server
+  const server = net.createServer();
+  await new Promise<void>((resolve) => {
+    server.listen(0, 'localhost', () => resolve());
+  });
+  
+  const serverPort = (server.address() as net.AddressInfo).port;
+  
+  // Create a client connection
+  const clientSocket = net.connect(serverPort, 'localhost');
+  
+  // Wrap the socket with initial proxy info
+  const wrappedSocket = new WrappedSocket(clientSocket, '192.168.1.100', 54321);
+  
+  // Test that real client info is returned
+  expect(wrappedSocket.remoteAddress).toEqual('192.168.1.100');
+  expect(wrappedSocket.remotePort).toEqual(54321);
+  expect(wrappedSocket.isFromTrustedProxy).toBeTrue();
+  
+  // Local info should still come from underlying socket
+  expect(wrappedSocket.localAddress).toEqual(clientSocket.localAddress);
+  expect(wrappedSocket.localPort).toEqual(clientSocket.localPort);
+  
+  // Clean up
+  clientSocket.destroy();
+  server.close();
+});
+
+tap.test('WrappedSocket - should update proxy info via setProxyInfo', async () => {
+  // Create a simple test server
+  const server = net.createServer();
+  await new Promise<void>((resolve) => {
+    server.listen(0, 'localhost', () => resolve());
+  });
+  
+  const serverPort = (server.address() as net.AddressInfo).port;
+  
+  // Create a client connection
+  const clientSocket = net.connect(serverPort, 'localhost');
+  
+  // Wrap the socket without initial proxy info
+  const wrappedSocket = new WrappedSocket(clientSocket);
+  
+  // Initially should use underlying socket
+  expect(wrappedSocket.isFromTrustedProxy).toBeFalse();
+  expect(wrappedSocket.remoteAddress).toEqual(clientSocket.remoteAddress);
+  
+  // Update proxy info
+  wrappedSocket.setProxyInfo('10.0.0.5', 12345);
+  
+  // Now should return proxy info
+  expect(wrappedSocket.remoteAddress).toEqual('10.0.0.5');
+  expect(wrappedSocket.remotePort).toEqual(12345);
+  expect(wrappedSocket.isFromTrustedProxy).toBeTrue();
+  
+  // Clean up
+  clientSocket.destroy();
+  server.close();
+});
+
+tap.test('WrappedSocket - should correctly determine IP family', async () => {
+  // Create a simple test server
+  const server = net.createServer();
+  await new Promise<void>((resolve) => {
+    server.listen(0, 'localhost', () => resolve());
+  });
+  
+  const serverPort = (server.address() as net.AddressInfo).port;
+  
+  // Create a client connection
+  const clientSocket = net.connect(serverPort, 'localhost');
+  
+  // Test IPv4
+  const wrappedSocketIPv4 = new WrappedSocket(clientSocket, '192.168.1.1', 80);
+  expect(wrappedSocketIPv4.remoteFamily).toEqual('IPv4');
+  
+  // Test IPv6
+  const wrappedSocketIPv6 = new WrappedSocket(clientSocket, '2001:0db8:85a3:0000:0000:8a2e:0370:7334', 443);
+  expect(wrappedSocketIPv6.remoteFamily).toEqual('IPv6');
+  
+  // Test fallback to underlying socket
+  const wrappedSocketNoProxy = new WrappedSocket(clientSocket);
+  expect(wrappedSocketNoProxy.remoteFamily).toEqual(clientSocket.remoteFamily);
+  
+  // Clean up
+  clientSocket.destroy();
+  server.close();
+});
+
+tap.test('WrappedSocket - should forward events correctly', async () => {
+  // Create a simple echo server
+  let serverConnection: net.Socket;
+  const server = net.createServer((socket) => {
+    serverConnection = socket;
+    socket.on('data', (data) => {
+      socket.write(data); // Echo back
+    });
+  });
+  
+  await new Promise<void>((resolve) => {
+    server.listen(0, 'localhost', () => resolve());
+  });
+  
+  const serverPort = (server.address() as net.AddressInfo).port;
+  
+  // Create a client connection
+  const clientSocket = net.connect(serverPort, 'localhost');
+  
+  // Wrap the socket
+  const wrappedSocket = new WrappedSocket(clientSocket);
+  
+  // Set up event tracking
+  let connectReceived = false;
+  let dataReceived = false;
+  let endReceived = false;
+  let closeReceived = false;
+  
+  wrappedSocket.on('connect', () => {
+    connectReceived = true;
+  });
+  
+  wrappedSocket.on('data', (chunk) => {
+    dataReceived = true;
+    expect(chunk.toString()).toEqual('test data');
+  });
+  
+  wrappedSocket.on('end', () => {
+    endReceived = true;
+  });
+  
+  wrappedSocket.on('close', () => {
+    closeReceived = true;
+  });
+  
+  // Wait for connection
+  await new Promise<void>((resolve) => {
+    if (clientSocket.readyState === 'open') {
+      resolve();
+    } else {
+      clientSocket.once('connect', () => resolve());
+    }
+  });
+  
+  // Send data
+  wrappedSocket.write('test data');
+  
+  // Wait for echo
+  await new Promise(resolve => setTimeout(resolve, 100));
+  
+  // Close the connection
+  serverConnection.end();
+  
+  // Wait for events
+  await new Promise(resolve => setTimeout(resolve, 100));
+  
+  // Verify all events were received
+  expect(dataReceived).toBeTrue();
+  expect(endReceived).toBeTrue();
+  expect(closeReceived).toBeTrue();
+  
+  // Clean up
+  server.close();
+});
+
+tap.test('WrappedSocket - should pass through socket methods', async () => {
+  // Create a simple test server
+  const server = net.createServer();
+  await new Promise<void>((resolve) => {
+    server.listen(0, 'localhost', () => resolve());
+  });
+  
+  const serverPort = (server.address() as net.AddressInfo).port;
+  
+  // Create a client connection
+  const clientSocket = net.connect(serverPort, 'localhost');
+  await new Promise<void>((resolve) => {
+    clientSocket.once('connect', () => resolve());
+  });
+  
+  // Wrap the socket
+  const wrappedSocket = new WrappedSocket(clientSocket);
+  
+  // Test various pass-through methods
+  expect(wrappedSocket.readable).toEqual(clientSocket.readable);
+  expect(wrappedSocket.writable).toEqual(clientSocket.writable);
+  expect(wrappedSocket.destroyed).toEqual(clientSocket.destroyed);
+  expect(wrappedSocket.bytesRead).toEqual(clientSocket.bytesRead);
+  expect(wrappedSocket.bytesWritten).toEqual(clientSocket.bytesWritten);
+  
+  // Test method calls
+  wrappedSocket.pause();
+  expect(clientSocket.isPaused()).toBeTrue();
+  
+  wrappedSocket.resume();
+  expect(clientSocket.isPaused()).toBeFalse();
+  
+  // Test setTimeout
+  let timeoutCalled = false;
+  wrappedSocket.setTimeout(100, () => {
+    timeoutCalled = true;
+  });
+  await new Promise(resolve => setTimeout(resolve, 150));
+  expect(timeoutCalled).toBeTrue();
+  
+  // Clean up
+  wrappedSocket.destroy();
+  server.close();
+});
+
+tap.test('WrappedSocket - should handle write and pipe operations', async () => {
+  // Create a simple echo server
+  const server = net.createServer((socket) => {
+    socket.pipe(socket); // Echo everything back
+  });
+  
+  await new Promise<void>((resolve) => {
+    server.listen(0, 'localhost', () => resolve());
+  });
+  
+  const serverPort = (server.address() as net.AddressInfo).port;
+  
+  // Create a client connection
+  const clientSocket = net.connect(serverPort, 'localhost');
+  await new Promise<void>((resolve) => {
+    clientSocket.once('connect', () => resolve());
+  });
+  
+  // Wrap the socket
+  const wrappedSocket = new WrappedSocket(clientSocket);
+  
+  // Test write with callback
+  const writeResult = wrappedSocket.write('test', 'utf8', () => {
+    // Write completed
+  });
+  expect(typeof writeResult).toEqual('boolean');
+  
+  // Test pipe
+  const { PassThrough } = await import('stream');
+  const passThrough = new PassThrough();
+  const piped = wrappedSocket.pipe(passThrough);
+  expect(piped).toEqual(passThrough);
+  
+  // Clean up
+  wrappedSocket.destroy();
+  server.close();
+});
+
+tap.test('WrappedSocket - should handle encoding and address methods', async () => {
+  // Create a simple test server
+  const server = net.createServer();
+  await new Promise<void>((resolve) => {
+    server.listen(0, 'localhost', () => resolve());
+  });
+  
+  const serverPort = (server.address() as net.AddressInfo).port;
+  
+  // Create a client connection
+  const clientSocket = net.connect(serverPort, 'localhost');
+  await new Promise<void>((resolve) => {
+    clientSocket.once('connect', () => resolve());
+  });
+  
+  // Wrap the socket
+  const wrappedSocket = new WrappedSocket(clientSocket);
+  
+  // Test setEncoding
+  wrappedSocket.setEncoding('utf8');
+  
+  // Test address method
+  const addr = wrappedSocket.address();
+  expect(addr).toEqual(clientSocket.address());
+  
+  // Test cork/uncork (if available)
+  wrappedSocket.cork();
+  wrappedSocket.uncork();
+  
+  // Clean up
+  wrappedSocket.destroy();
+  server.close();
+});
+
+tap.test('WrappedSocket - should work with ConnectionManager', async () => {
+  // This test verifies that WrappedSocket can be used seamlessly with ConnectionManager
+  const { ConnectionManager } = await import('../ts/proxies/smart-proxy/connection-manager.js');
+  const { SecurityManager } = await import('../ts/proxies/smart-proxy/security-manager.js');
+  const { TimeoutManager } = await import('../ts/proxies/smart-proxy/timeout-manager.js');
+  
+  // Create minimal settings
+  const settings = {
+    routes: [],
+    defaults: {
+      security: {
+        maxConnections: 100
+      }
+    }
+  };
+  
+  const securityManager = new SecurityManager(settings);
+  const timeoutManager = new TimeoutManager(settings);
+  const connectionManager = new ConnectionManager(settings, securityManager, timeoutManager);
+  
+  // Create a simple test server
+  const server = net.createServer();
+  await new Promise<void>((resolve) => {
+    server.listen(0, 'localhost', () => resolve());
+  });
+  
+  const serverPort = (server.address() as net.AddressInfo).port;
+  
+  // Create a client connection
+  const clientSocket = net.connect(serverPort, 'localhost');
+  
+  // Wait for connection to establish
+  await new Promise<void>((resolve) => {
+    clientSocket.once('connect', () => resolve());
+  });
+  
+  // Wrap with proxy info
+  const wrappedSocket = new WrappedSocket(clientSocket, '203.0.113.45', 65432);
+  
+  // Create connection using wrapped socket
+  const record = connectionManager.createConnection(wrappedSocket);
+  
+  expect(record).toBeTruthy();
+  expect(record!.remoteIP).toEqual('203.0.113.45'); // Should use the real client IP
+  expect(record!.localPort).toEqual(clientSocket.localPort);
+  
+  // Clean up
+  connectionManager.cleanupConnection(record!, 'test-complete');
+  server.close();
+});
+
+export default tap.start();

test/test.zombie-connection-cleanup.node.ts

@@ -0,0 +1,306 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import * as net from 'net';
+import * as plugins from '../ts/plugins.js';
+
+// Import SmartProxy
+import { SmartProxy } from '../ts/index.js';
+
+// Import types through type-only imports
+import type { ConnectionManager } from '../ts/proxies/smart-proxy/connection-manager.js';
+import type { IConnectionRecord } from '../ts/proxies/smart-proxy/models/interfaces.js';
+
+tap.test('zombie connection cleanup - verify inactivity check detects and cleans destroyed sockets', async () => {
+  console.log('\n=== Zombie Connection Cleanup Test ===');
+  console.log('Purpose: Verify that connections with destroyed sockets are detected and cleaned up');
+  console.log('Setup: Client → OuterProxy (8590) → InnerProxy (8591) → Backend (9998)');
+  
+  // Create backend server that can be controlled
+  let acceptConnections = true;
+  let destroyImmediately = false;
+  const backendConnections: net.Socket[] = [];
+  
+  const backend = net.createServer((socket) => {
+    console.log('Backend: Connection received');
+    backendConnections.push(socket);
+    
+    if (destroyImmediately) {
+      console.log('Backend: Destroying connection immediately');
+      socket.destroy();
+    } else {
+      socket.on('data', (data) => {
+        console.log('Backend: Received data, echoing back');
+        socket.write(data);
+      });
+    }
+  });
+  
+  await new Promise<void>((resolve) => {
+    backend.listen(9998, () => {
+      console.log('✓ Backend server started on port 9998');
+      resolve();
+    });
+  });
+  
+  // Create InnerProxy with faster inactivity check for testing
+  const innerProxy = new SmartProxy({
+    ports: [8591],
+    enableDetailedLogging: true,
+    inactivityTimeout: 5000, // 5 seconds for faster testing
+    inactivityCheckInterval: 1000, // Check every second
+    routes: [{
+      name: 'to-backend',
+      match: { ports: 8591 },
+      action: {
+        type: 'forward',
+        target: {
+          host: 'localhost',
+          port: 9998
+        }
+      }
+    }]
+  });
+  
+  // Create OuterProxy with faster inactivity check
+  const outerProxy = new SmartProxy({
+    ports: [8590],
+    enableDetailedLogging: true,
+    inactivityTimeout: 5000, // 5 seconds for faster testing
+    inactivityCheckInterval: 1000, // Check every second
+    routes: [{
+      name: 'to-inner',
+      match: { ports: 8590 },
+      action: {
+        type: 'forward',
+        target: {
+          host: 'localhost',
+          port: 8591
+        }
+      }
+    }]
+  });
+  
+  await innerProxy.start();
+  console.log('✓ InnerProxy started on port 8591');
+  
+  await outerProxy.start();
+  console.log('✓ OuterProxy started on port 8590');
+  
+  // Helper to get connection details
+  const getConnectionDetails = () => {
+    const outerConnMgr = (outerProxy as any).connectionManager as ConnectionManager;
+    const innerConnMgr = (innerProxy as any).connectionManager as ConnectionManager;
+    
+    const outerRecords = Array.from((outerConnMgr as any).connectionRecords.values()) as IConnectionRecord[];
+    const innerRecords = Array.from((innerConnMgr as any).connectionRecords.values()) as IConnectionRecord[];
+    
+    return {
+      outer: {
+        count: outerConnMgr.getConnectionCount(),
+        records: outerRecords,
+        zombies: outerRecords.filter(r => 
+          !r.connectionClosed && 
+          r.incoming?.destroyed && 
+          (r.outgoing?.destroyed ?? true)
+        ),
+        halfZombies: outerRecords.filter(r => 
+          !r.connectionClosed && 
+          (r.incoming?.destroyed || r.outgoing?.destroyed) &&
+          !(r.incoming?.destroyed && (r.outgoing?.destroyed ?? true))
+        )
+      },
+      inner: {
+        count: innerConnMgr.getConnectionCount(),
+        records: innerRecords,
+        zombies: innerRecords.filter(r => 
+          !r.connectionClosed && 
+          r.incoming?.destroyed && 
+          (r.outgoing?.destroyed ?? true)
+        ),
+        halfZombies: innerRecords.filter(r => 
+          !r.connectionClosed && 
+          (r.incoming?.destroyed || r.outgoing?.destroyed) &&
+          !(r.incoming?.destroyed && (r.outgoing?.destroyed ?? true))
+        )
+      }
+    };
+  };
+  
+  console.log('\n--- Test 1: Create zombie by destroying sockets without events ---');
+  
+  // Create a connection and forcefully destroy sockets to create zombies
+  const client1 = new net.Socket();
+  await new Promise<void>((resolve) => {
+    client1.connect(8590, 'localhost', () => {
+      console.log('Client1 connected to OuterProxy');
+      client1.write('GET / HTTP/1.1\r\nHost: test.com\r\n\r\n');
+      
+      // Wait for connection to be established through the chain
+      setTimeout(() => {
+        console.log('Forcefully destroying backend connections to create zombies');
+        
+        // Get connection details before destruction
+        const beforeDetails = getConnectionDetails();
+        console.log(`Before destruction: Outer=${beforeDetails.outer.count}, Inner=${beforeDetails.inner.count}`);
+        
+        // Destroy all backend connections without proper close events
+        backendConnections.forEach(conn => {
+          if (!conn.destroyed) {
+            // Remove all listeners to prevent proper cleanup
+            conn.removeAllListeners();
+            conn.destroy();
+          }
+        });
+        
+        // Also destroy the client socket abruptly
+        client1.removeAllListeners();
+        client1.destroy();
+        
+        resolve();
+      }, 500);
+    });
+  });
+  
+  // Check immediately after destruction
+  await new Promise(resolve => setTimeout(resolve, 100));
+  let details = getConnectionDetails();
+  console.log(`\nAfter destruction:`);
+  console.log(`  Outer: ${details.outer.count} connections, ${details.outer.zombies.length} zombies, ${details.outer.halfZombies.length} half-zombies`);
+  console.log(`  Inner: ${details.inner.count} connections, ${details.inner.zombies.length} zombies, ${details.inner.halfZombies.length} half-zombies`);
+  
+  // Wait for inactivity check to run (should detect zombies)
+  console.log('\nWaiting for inactivity check to detect zombies...');
+  await new Promise(resolve => setTimeout(resolve, 2000));
+  
+  details = getConnectionDetails();
+  console.log(`\nAfter first inactivity check:`);
+  console.log(`  Outer: ${details.outer.count} connections, ${details.outer.zombies.length} zombies, ${details.outer.halfZombies.length} half-zombies`);
+  console.log(`  Inner: ${details.inner.count} connections, ${details.inner.zombies.length} zombies, ${details.inner.halfZombies.length} half-zombies`);
+  
+  console.log('\n--- Test 2: Create half-zombie by destroying only one socket ---');
+  
+  // Clear backend connections array
+  backendConnections.length = 0;
+  
+  const client2 = new net.Socket();
+  await new Promise<void>((resolve) => {
+    client2.connect(8590, 'localhost', () => {
+      console.log('Client2 connected to OuterProxy');
+      client2.write('GET / HTTP/1.1\r\nHost: test.com\r\n\r\n');
+      
+      setTimeout(() => {
+        console.log('Creating half-zombie by destroying only outgoing socket on outer proxy');
+        
+        // Access the connection records directly
+        const outerConnMgr = (outerProxy as any).connectionManager as ConnectionManager;
+        const outerRecords = Array.from((outerConnMgr as any).connectionRecords.values()) as IConnectionRecord[];
+        
+        // Find the active connection and destroy only its outgoing socket
+        const activeRecord = outerRecords.find(r => !r.connectionClosed && r.outgoing && !r.outgoing.destroyed);
+        if (activeRecord && activeRecord.outgoing) {
+          console.log('Found active connection, destroying outgoing socket');
+          activeRecord.outgoing.removeAllListeners();
+          activeRecord.outgoing.destroy();
+        }
+        
+        resolve();
+      }, 500);
+    });
+  });
+  
+  // Check half-zombie state
+  await new Promise(resolve => setTimeout(resolve, 100));
+  details = getConnectionDetails();
+  console.log(`\nAfter creating half-zombie:`);
+  console.log(`  Outer: ${details.outer.count} connections, ${details.outer.zombies.length} zombies, ${details.outer.halfZombies.length} half-zombies`);
+  console.log(`  Inner: ${details.inner.count} connections, ${details.inner.zombies.length} zombies, ${details.inner.halfZombies.length} half-zombies`);
+  
+  // Wait for 30-second grace period (simulated by multiple checks)
+  console.log('\nWaiting for half-zombie grace period (30 seconds simulated)...');
+  
+  // Manually age the connection to trigger half-zombie cleanup
+  const outerConnMgr = (outerProxy as any).connectionManager as ConnectionManager;
+  const records = Array.from((outerConnMgr as any).connectionRecords.values()) as IConnectionRecord[];
+  records.forEach(record => {
+    if (!record.connectionClosed) {
+      // Age the connection by 35 seconds
+      record.incomingStartTime -= 35000;
+    }
+  });
+  
+  // Trigger inactivity check
+  await new Promise(resolve => setTimeout(resolve, 2000));
+  
+  details = getConnectionDetails();
+  console.log(`\nAfter half-zombie cleanup:`);
+  console.log(`  Outer: ${details.outer.count} connections, ${details.outer.zombies.length} zombies, ${details.outer.halfZombies.length} half-zombies`);
+  console.log(`  Inner: ${details.inner.count} connections, ${details.inner.zombies.length} zombies, ${details.inner.halfZombies.length} half-zombies`);
+  
+  // Clean up client2 properly
+  if (!client2.destroyed) {
+    client2.destroy();
+  }
+  
+  console.log('\n--- Test 3: Rapid zombie creation under load ---');
+  
+  // Create multiple connections rapidly and destroy them
+  const rapidClients: net.Socket[] = [];
+  
+  for (let i = 0; i < 5; i++) {
+    const client = new net.Socket();
+    rapidClients.push(client);
+    
+    client.connect(8590, 'localhost', () => {
+      console.log(`Rapid client ${i} connected`);
+      client.write('GET / HTTP/1.1\r\nHost: test.com\r\n\r\n');
+      
+      // Destroy after random delay
+      setTimeout(() => {
+        client.removeAllListeners();
+        client.destroy();
+      }, Math.random() * 500);
+    });
+    
+    // Small delay between connections
+    await new Promise(resolve => setTimeout(resolve, 50));
+  }
+  
+  // Wait a bit
+  await new Promise(resolve => setTimeout(resolve, 1000));
+  
+  details = getConnectionDetails();
+  console.log(`\nAfter rapid connections:`);
+  console.log(`  Outer: ${details.outer.count} connections, ${details.outer.zombies.length} zombies, ${details.outer.halfZombies.length} half-zombies`);
+  console.log(`  Inner: ${details.inner.count} connections, ${details.inner.zombies.length} zombies, ${details.inner.halfZombies.length} half-zombies`);
+  
+  // Wait for cleanup
+  console.log('\nWaiting for final cleanup...');
+  await new Promise(resolve => setTimeout(resolve, 3000));
+  
+  details = getConnectionDetails();
+  console.log(`\nFinal state:`);
+  console.log(`  Outer: ${details.outer.count} connections, ${details.outer.zombies.length} zombies, ${details.outer.halfZombies.length} half-zombies`);
+  console.log(`  Inner: ${details.inner.count} connections, ${details.inner.zombies.length} zombies, ${details.inner.halfZombies.length} half-zombies`);
+  
+  // Cleanup
+  await outerProxy.stop();
+  await innerProxy.stop();
+  backend.close();
+  
+  // Verify all connections are cleaned up
+  console.log('\n--- Verification ---');
+  
+  if (details.outer.count === 0 && details.inner.count === 0) {
+    console.log('✅ PASS: All zombie connections were cleaned up');
+  } else {
+    console.log('❌ FAIL: Some connections remain');
+  }
+  
+  expect(details.outer.count).toEqual(0);
+  expect(details.inner.count).toEqual(0);
+  expect(details.outer.zombies.length).toEqual(0);
+  expect(details.inner.zombies.length).toEqual(0);
+  expect(details.outer.halfZombies.length).toEqual(0);
+  expect(details.inner.halfZombies.length).toEqual(0);
+});
+
+tap.start();

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '19.5.3',
+  version: '19.5.19',
   description: 'A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.'
 }

ts/core/models/index.ts

@@ -5,3 +5,5 @@
 export * from './common-types.js';
 export * from './socket-augmentation.js';
 export * from './route-context.js';
+export * from './wrapped-socket.js';
+export * from './socket-types.js';

ts/core/models/socket-types.ts

@@ -0,0 +1,21 @@
+import * as net from 'net';
+import { WrappedSocket } from './wrapped-socket.js';
+
+/**
+ * Type guard to check if a socket is a WrappedSocket
+ */
+export function isWrappedSocket(socket: net.Socket | WrappedSocket): socket is WrappedSocket {
+  return socket instanceof WrappedSocket || 'socket' in socket;
+}
+
+/**
+ * Helper to get the underlying socket from either a Socket or WrappedSocket
+ */
+export function getUnderlyingSocket(socket: net.Socket | WrappedSocket): net.Socket {
+  return isWrappedSocket(socket) ? socket.socket : socket;
+}
+
+/**
+ * Type that represents either a regular socket or a wrapped socket
+ */
+export type AnySocket = net.Socket | WrappedSocket;

ts/core/models/wrapped-socket.ts

@@ -0,0 +1,99 @@
+import * as plugins from '../../plugins.js';
+
+/**
+ * WrappedSocket wraps a regular net.Socket to provide transparent access
+ * to the real client IP and port when behind a proxy using PROXY protocol.
+ * 
+ * This is the FOUNDATION for all PROXY protocol support and must be implemented
+ * before any protocol parsing can occur.
+ * 
+ * This implementation uses a Proxy to delegate all properties and methods
+ * to the underlying socket while allowing override of specific properties.
+ */
+export class WrappedSocket {
+  public readonly socket: plugins.net.Socket;
+  private realClientIP?: string;
+  private realClientPort?: number;
+  
+  // Make TypeScript happy by declaring the Socket methods that will be proxied
+  [key: string]: any;
+  
+  constructor(
+    socket: plugins.net.Socket,
+    realClientIP?: string,
+    realClientPort?: number
+  ) {
+    this.socket = socket;
+    this.realClientIP = realClientIP;
+    this.realClientPort = realClientPort;
+    
+    // Create a proxy that delegates everything to the underlying socket
+    return new Proxy(this, {
+      get(target, prop, receiver) {
+        // Override specific properties
+        if (prop === 'remoteAddress') {
+          return target.remoteAddress;
+        }
+        if (prop === 'remotePort') {
+          return target.remotePort;
+        }
+        if (prop === 'socket') {
+          return target.socket;
+        }
+        if (prop === 'realClientIP') {
+          return target.realClientIP;
+        }
+        if (prop === 'realClientPort') {
+          return target.realClientPort;
+        }
+        if (prop === 'isFromTrustedProxy') {
+          return target.isFromTrustedProxy;
+        }
+        if (prop === 'setProxyInfo') {
+          return target.setProxyInfo.bind(target);
+        }
+        
+        // For all other properties/methods, delegate to the underlying socket
+        const value = target.socket[prop as keyof plugins.net.Socket];
+        if (typeof value === 'function') {
+          return value.bind(target.socket);
+        }
+        return value;
+      },
+      set(target, prop, value) {
+        // Set on the underlying socket
+        (target.socket as any)[prop] = value;
+        return true;
+      }
+    }) as any;
+  }
+  
+  /**
+   * Returns the real client IP if available, otherwise the socket's remote address
+   */
+  get remoteAddress(): string | undefined {
+    return this.realClientIP || this.socket.remoteAddress;
+  }
+  
+  /**
+   * Returns the real client port if available, otherwise the socket's remote port
+   */
+  get remotePort(): number | undefined {
+    return this.realClientPort || this.socket.remotePort;
+  }
+  
+  /**
+   * Indicates if this connection came through a trusted proxy
+   */
+  get isFromTrustedProxy(): boolean {
+    return !!this.realClientIP;
+  }
+  
+  /**
+   * Updates the real client information (called after parsing PROXY protocol)
+   */
+  setProxyInfo(ip: string, port: number): void {
+    this.realClientIP = ip;
+    this.realClientPort = port;
+  }
+}

ts/core/routing/index.ts

@@ -0,0 +1,21 @@
+/**
+ * Unified routing module
+ * Provides all routing functionality in a centralized location
+ */
+
+// Export all types
+export * from './types.js';
+
+// Export all matchers
+export * from './matchers/index.js';
+
+// Export specificity calculator
+export * from './specificity.js';
+
+// Export route management
+export * from './route-manager.js';
+export * from './route-utils.js';
+
+// Convenience re-exports
+export { matchers } from './matchers/index.js';
+export { RouteSpecificity } from './specificity.js';

ts/core/routing/matchers/domain.ts

@@ -0,0 +1,119 @@
+import type { IMatcher, IDomainMatchOptions } from '../types.js';
+
+/**
+ * DomainMatcher provides comprehensive domain matching functionality
+ * Supporting exact matches, wildcards, and case-insensitive matching
+ */
+export class DomainMatcher implements IMatcher<boolean, IDomainMatchOptions> {
+  private static wildcardToRegex(pattern: string): RegExp {
+    // Escape special regex characters except *
+    const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
+    // Replace * with regex equivalent
+    const regexPattern = escaped.replace(/\*/g, '.*');
+    return new RegExp(`^${regexPattern}$`, 'i');
+  }
+
+  /**
+   * Match a domain pattern against a hostname
+   * @param pattern The pattern to match (supports wildcards like *.example.com)
+   * @param hostname The hostname to test
+   * @param options Matching options
+   * @returns true if the hostname matches the pattern
+   */
+  static match(
+    pattern: string, 
+    hostname: string, 
+    options: IDomainMatchOptions = {}
+  ): boolean {
+    // Handle null/undefined cases
+    if (!pattern || !hostname) {
+      return false;
+    }
+
+    // Normalize inputs
+    const normalizedPattern = pattern.toLowerCase().trim();
+    const normalizedHostname = hostname.toLowerCase().trim();
+
+    // Remove trailing dots (FQDN normalization)
+    const cleanPattern = normalizedPattern.replace(/\.$/, '');
+    const cleanHostname = normalizedHostname.replace(/\.$/, '');
+
+    // Exact match (most common case)
+    if (cleanPattern === cleanHostname) {
+      return true;
+    }
+
+    // Wildcard matching
+    if (options.allowWildcards !== false && cleanPattern.includes('*')) {
+      const regex = this.wildcardToRegex(cleanPattern);
+      return regex.test(cleanHostname);
+    }
+
+    // No match
+    return false;
+  }
+
+  /**
+   * Check if a pattern contains wildcards
+   */
+  static isWildcardPattern(pattern: string): boolean {
+    return pattern.includes('*');
+  }
+
+  /**
+   * Calculate the specificity of a domain pattern
+   * Higher values mean more specific patterns
+   */
+  static calculateSpecificity(pattern: string): number {
+    if (!pattern) return 0;
+
+    let score = 0;
+    
+    // Exact domains are most specific
+    if (!pattern.includes('*')) {
+      score += 100;
+    }
+    
+    // Count domain segments
+    const segments = pattern.split('.');
+    score += segments.length * 10;
+    
+    // Penalize wildcards based on position
+    if (pattern.startsWith('*')) {
+      score -= 50; // Leading wildcard is very generic
+    } else if (pattern.includes('*')) {
+      score -= 20; // Wildcard elsewhere is less generic
+    }
+    
+    // Bonus for longer patterns
+    score += pattern.length;
+    
+    return score;
+  }
+
+  /**
+   * Find all matching patterns from a list
+   * Returns patterns sorted by specificity (most specific first)
+   */
+  static findAllMatches(
+    patterns: string[], 
+    hostname: string,
+    options: IDomainMatchOptions = {}
+  ): string[] {
+    const matches = patterns.filter(pattern => 
+      this.match(pattern, hostname, options)
+    );
+
+    // Sort by specificity (highest first)
+    return matches.sort((a, b) => 
+      this.calculateSpecificity(b) - this.calculateSpecificity(a)
+    );
+  }
+
+  /**
+   * Instance method for interface compliance
+   */
+  match(pattern: string, hostname: string, options?: IDomainMatchOptions): boolean {
+    return DomainMatcher.match(pattern, hostname, options);
+  }
+}

ts/core/routing/matchers/header.ts

@@ -0,0 +1,120 @@
+import type { IMatcher, IHeaderMatchOptions } from '../types.js';
+
+/**
+ * HeaderMatcher provides HTTP header matching functionality
+ * Supporting exact matches, patterns, and case-insensitive matching
+ */
+export class HeaderMatcher implements IMatcher<boolean, IHeaderMatchOptions> {
+  /**
+   * Match a header value against a pattern
+   * @param pattern The pattern to match
+   * @param value The header value to test
+   * @param options Matching options
+   * @returns true if the value matches the pattern
+   */
+  static match(
+    pattern: string,
+    value: string | undefined,
+    options: IHeaderMatchOptions = {}
+  ): boolean {
+    // Handle missing header
+    if (value === undefined || value === null) {
+      return pattern === '' || pattern === null || pattern === undefined;
+    }
+
+    // Convert to string and normalize
+    const normalizedPattern = String(pattern);
+    const normalizedValue = String(value);
+
+    // Apply case sensitivity
+    const comparePattern = options.caseInsensitive !== false
+      ? normalizedPattern.toLowerCase()
+      : normalizedPattern;
+    const compareValue = options.caseInsensitive !== false
+      ? normalizedValue.toLowerCase()
+      : normalizedValue;
+
+    // Exact match
+    if (options.exactMatch !== false) {
+      return comparePattern === compareValue;
+    }
+
+    // Pattern matching (simple wildcard support)
+    if (comparePattern.includes('*')) {
+      const regex = new RegExp(
+        '^' + comparePattern.replace(/\*/g, '.*') + '$',
+        options.caseInsensitive !== false ? 'i' : ''
+      );
+      return regex.test(normalizedValue);
+    }
+
+    // Contains match (if not exact match mode)
+    return compareValue.includes(comparePattern);
+  }
+
+  /**
+   * Match multiple headers against a set of required headers
+   * @param requiredHeaders Headers that must match
+   * @param actualHeaders Actual request headers
+   * @param options Matching options
+   * @returns true if all required headers match
+   */
+  static matchAll(
+    requiredHeaders: Record<string, string>,
+    actualHeaders: Record<string, string | string[] | undefined>,
+    options: IHeaderMatchOptions = {}
+  ): boolean {
+    for (const [name, pattern] of Object.entries(requiredHeaders)) {
+      const headerName = options.caseInsensitive !== false
+        ? name.toLowerCase()
+        : name;
+
+      // Find the actual header (case-insensitive search if needed)
+      let actualValue: string | undefined;
+      if (options.caseInsensitive !== false) {
+        const actualKey = Object.keys(actualHeaders).find(
+          key => key.toLowerCase() === headerName
+        );
+        const rawValue = actualKey ? actualHeaders[actualKey] : undefined;
+        // Handle array values (multiple headers with same name)
+        actualValue = Array.isArray(rawValue) ? rawValue.join(', ') : rawValue;
+      } else {
+        const rawValue = actualHeaders[name];
+        // Handle array values (multiple headers with same name)
+        actualValue = Array.isArray(rawValue) ? rawValue.join(', ') : rawValue;
+      }
+
+      // Check if this header matches
+      if (!this.match(pattern, actualValue, options)) {
+        return false;
+      }
+    }
+
+    return true;
+  }
+
+  /**
+   * Calculate the specificity of header requirements
+   * More headers = more specific
+   */
+  static calculateSpecificity(headers: Record<string, string>): number {
+    const count = Object.keys(headers).length;
+    let score = count * 10;
+
+    // Bonus for headers without wildcards (more specific)
+    for (const value of Object.values(headers)) {
+      if (!value.includes('*')) {
+        score += 5;
+      }
+    }
+
+    return score;
+  }
+
+  /**
+   * Instance method for interface compliance
+   */
+  match(pattern: string, value: string, options?: IHeaderMatchOptions): boolean {
+    return HeaderMatcher.match(pattern, value, options);
+  }
+}

ts/core/routing/matchers/index.ts

@@ -0,0 +1,22 @@
+/**
+ * Unified matching utilities for the routing system
+ * All route matching logic should use these matchers for consistency
+ */
+
+export * from './domain.js';
+export * from './path.js';
+export * from './ip.js';
+export * from './header.js';
+
+// Re-export for convenience
+import { DomainMatcher } from './domain.js';
+import { PathMatcher } from './path.js';
+import { IpMatcher } from './ip.js';
+import { HeaderMatcher } from './header.js';
+
+export const matchers = {
+  domain: DomainMatcher,
+  path: PathMatcher,
+  ip: IpMatcher,
+  header: HeaderMatcher
+} as const;

ts/core/routing/matchers/ip.ts

@@ -0,0 +1,207 @@
+import type { IMatcher, IIpMatchOptions } from '../types.js';
+
+/**
+ * IpMatcher provides comprehensive IP address matching functionality
+ * Supporting exact matches, CIDR notation, ranges, and wildcards
+ */
+export class IpMatcher implements IMatcher<boolean, IIpMatchOptions> {
+  /**
+   * Check if a value is a valid IPv4 address
+   */
+  static isValidIpv4(ip: string): boolean {
+    const parts = ip.split('.');
+    if (parts.length !== 4) return false;
+    
+    return parts.every(part => {
+      const num = parseInt(part, 10);
+      return !isNaN(num) && num >= 0 && num <= 255 && part === num.toString();
+    });
+  }
+
+  /**
+   * Check if a value is a valid IPv6 address (simplified check)
+   */
+  static isValidIpv6(ip: string): boolean {
+    // Basic IPv6 validation - can be enhanced
+    const ipv6Regex = /^(([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|::|(([0-9a-fA-F]{1,4}:){1,7}|:):|(([0-9a-fA-F]{1,4}:){1,6}|::):[0-9a-fA-F]{1,4})$/;
+    return ipv6Regex.test(ip);
+  }
+
+  /**
+   * Convert IP address to numeric value for comparison
+   */
+  private static ipToNumber(ip: string): number {
+    const parts = ip.split('.');
+    return parts.reduce((acc, part, index) => {
+      return acc + (parseInt(part, 10) << (8 * (3 - index)));
+    }, 0);
+  }
+
+  /**
+   * Match an IP against a CIDR notation pattern
+   */
+  static matchCidr(cidr: string, ip: string): boolean {
+    const [range, bits] = cidr.split('/');
+    if (!bits || !this.isValidIpv4(range) || !this.isValidIpv4(ip)) {
+      return false;
+    }
+
+    const rangeMask = parseInt(bits, 10);
+    if (isNaN(rangeMask) || rangeMask < 0 || rangeMask > 32) {
+      return false;
+    }
+
+    const rangeNum = this.ipToNumber(range);
+    const ipNum = this.ipToNumber(ip);
+    const mask = (-1 << (32 - rangeMask)) >>> 0;
+
+    return (rangeNum & mask) === (ipNum & mask);
+  }
+
+  /**
+   * Match an IP against a wildcard pattern
+   */
+  static matchWildcard(pattern: string, ip: string): boolean {
+    if (!this.isValidIpv4(ip)) return false;
+
+    const patternParts = pattern.split('.');
+    const ipParts = ip.split('.');
+
+    if (patternParts.length !== 4) return false;
+
+    return patternParts.every((part, index) => {
+      if (part === '*') return true;
+      return part === ipParts[index];
+    });
+  }
+
+  /**
+   * Match an IP against a range (e.g., "192.168.1.1-192.168.1.100")
+   */
+  static matchRange(range: string, ip: string): boolean {
+    const [start, end] = range.split('-').map(s => s.trim());
+    
+    if (!start || !end || !this.isValidIpv4(start) || !this.isValidIpv4(end) || !this.isValidIpv4(ip)) {
+      return false;
+    }
+
+    const startNum = this.ipToNumber(start);
+    const endNum = this.ipToNumber(end);
+    const ipNum = this.ipToNumber(ip);
+
+    return ipNum >= startNum && ipNum <= endNum;
+  }
+
+  /**
+   * Match an IP pattern against an IP address
+   * Supports multiple formats:
+   * - Exact match: "192.168.1.1"
+   * - CIDR: "192.168.1.0/24"
+   * - Wildcard: "192.168.1.*"
+   * - Range: "192.168.1.1-192.168.1.100"
+   */
+  static match(
+    pattern: string, 
+    ip: string, 
+    options: IIpMatchOptions = {}
+  ): boolean {
+    // Handle null/undefined cases
+    if (!pattern || !ip) {
+      return false;
+    }
+
+    // Normalize inputs
+    const normalizedPattern = pattern.trim();
+    const normalizedIp = ip.trim();
+
+    // Extract IPv4 from IPv6-mapped addresses (::ffff:192.168.1.1)
+    const ipv4Match = normalizedIp.match(/::ffff:(\d+\.\d+\.\d+\.\d+)/i);
+    const testIp = ipv4Match ? ipv4Match[1] : normalizedIp;
+
+    // Exact match
+    if (normalizedPattern === testIp) {
+      return true;
+    }
+
+    // CIDR notation
+    if (options.allowCidr !== false && normalizedPattern.includes('/')) {
+      return this.matchCidr(normalizedPattern, testIp);
+    }
+
+    // Wildcard matching
+    if (normalizedPattern.includes('*')) {
+      return this.matchWildcard(normalizedPattern, testIp);
+    }
+
+    // Range matching
+    if (options.allowRanges !== false && normalizedPattern.includes('-')) {
+      return this.matchRange(normalizedPattern, testIp);
+    }
+
+    return false;
+  }
+
+  /**
+   * Check if an IP is authorized based on allow and block lists
+   */
+  static isAuthorized(
+    ip: string,
+    allowList: string[] = [],
+    blockList: string[] = []
+  ): boolean {
+    // If IP is in block list, deny
+    if (blockList.some(pattern => this.match(pattern, ip))) {
+      return false;
+    }
+
+    // If allow list is empty, allow all (except blocked)
+    if (allowList.length === 0) {
+      return true;
+    }
+
+    // If allow list exists, IP must match
+    return allowList.some(pattern => this.match(pattern, ip));
+  }
+
+  /**
+   * Calculate the specificity of an IP pattern
+   * Higher values mean more specific patterns
+   */
+  static calculateSpecificity(pattern: string): number {
+    if (!pattern) return 0;
+
+    let score = 0;
+    
+    // Exact IPs are most specific
+    if (this.isValidIpv4(pattern) || this.isValidIpv6(pattern)) {
+      score += 100;
+    }
+    
+    // CIDR notation
+    if (pattern.includes('/')) {
+      const [, bits] = pattern.split('/');
+      const maskBits = parseInt(bits, 10);
+      if (!isNaN(maskBits)) {
+        score += maskBits; // Higher mask = more specific
+      }
+    }
+    
+    // Wildcard patterns
+    const wildcards = (pattern.match(/\*/g) || []).length;
+    score -= wildcards * 20; // More wildcards = less specific
+    
+    // Range patterns are somewhat specific
+    if (pattern.includes('-')) {
+      score += 30;
+    }
+    
+    return score;
+  }
+
+  /**
+   * Instance method for interface compliance
+   */
+  match(pattern: string, ip: string, options?: IIpMatchOptions): boolean {
+    return IpMatcher.match(pattern, ip, options);
+  }
+}

ts/core/routing/matchers/path.ts

@@ -0,0 +1,184 @@
+import type { IMatcher, IPathMatchResult } from '../types.js';
+
+/**
+ * PathMatcher provides comprehensive path matching functionality
+ * Supporting exact matches, wildcards, and parameter extraction
+ */
+export class PathMatcher implements IMatcher<IPathMatchResult> {
+  /**
+   * Convert a path pattern to a regex and extract parameter names
+   * Supports:
+   * - Exact paths: /api/users
+   * - Wildcards: /api/*
+   * - Parameters: /api/users/:id
+   * - Mixed: /api/users/:id/*
+   */
+  private static patternToRegex(pattern: string): { 
+    regex: RegExp; 
+    paramNames: string[] 
+  } {
+    const paramNames: string[] = [];
+    let regexPattern = pattern;
+
+    // Escape special regex characters except : and *
+    regexPattern = regexPattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
+
+    // Handle path parameters (:param)
+    regexPattern = regexPattern.replace(/:(\w+)/g, (match, paramName) => {
+      paramNames.push(paramName);
+      return '([^/]+)'; // Match any non-slash characters
+    });
+
+    // Handle wildcards
+    regexPattern = regexPattern.replace(/\*/g, '(.*)');
+
+    // Ensure the pattern matches from start
+    regexPattern = `^${regexPattern}`;
+    
+    // If pattern doesn't end with wildcard, ensure it matches to end
+    // But only for patterns that don't have parameters or wildcards
+    if (!pattern.includes('*') && !pattern.includes(':') && !pattern.endsWith('/')) {
+      regexPattern = `${regexPattern}$`;
+    }
+
+    return {
+      regex: new RegExp(regexPattern),
+      paramNames
+    };
+  }
+
+  /**
+   * Match a path pattern against a request path
+   * @param pattern The pattern to match
+   * @param path The request path to test
+   * @returns Match result with params and remainder
+   */
+  static match(pattern: string, path: string): IPathMatchResult {
+    // Handle null/undefined cases
+    if (!pattern || !path) {
+      return { matches: false };
+    }
+
+    // Normalize paths (remove trailing slashes unless it's just "/")
+    const normalizedPattern = pattern === '/' ? '/' : pattern.replace(/\/$/, '');
+    const normalizedPath = path === '/' ? '/' : path.replace(/\/$/, '');
+
+    // Exact match (most common case)
+    if (normalizedPattern === normalizedPath) {
+      return {
+        matches: true,
+        pathMatch: normalizedPath,
+        pathRemainder: '',
+        params: {}
+      };
+    }
+
+    // Pattern matching (wildcards and parameters)
+    const { regex, paramNames } = this.patternToRegex(normalizedPattern);
+    const match = normalizedPath.match(regex);
+
+    if (!match) {
+      return { matches: false };
+    }
+
+    // Extract parameters
+    const params: Record<string, string> = {};
+    paramNames.forEach((name, index) => {
+      params[name] = match[index + 1];
+    });
+
+    // Calculate path match and remainder
+    let pathMatch = match[0];
+    let pathRemainder = normalizedPath.substring(pathMatch.length);
+
+    // Handle wildcard captures
+    if (normalizedPattern.includes('*') && match.length > paramNames.length + 1) {
+      const wildcardCapture = match[match.length - 1];
+      if (wildcardCapture) {
+        pathRemainder = wildcardCapture;
+        pathMatch = normalizedPath.substring(0, normalizedPath.length - wildcardCapture.length);
+      }
+    }
+
+    // Clean up path match (remove trailing slash if present)
+    if (pathMatch !== '/' && pathMatch.endsWith('/')) {
+      pathMatch = pathMatch.slice(0, -1);
+    }
+
+    return {
+      matches: true,
+      pathMatch,
+      pathRemainder,
+      params
+    };
+  }
+
+  /**
+   * Check if a pattern contains parameters or wildcards
+   */
+  static isDynamicPattern(pattern: string): boolean {
+    return pattern.includes(':') || pattern.includes('*');
+  }
+
+  /**
+   * Calculate the specificity of a path pattern
+   * Higher values mean more specific patterns
+   */
+  static calculateSpecificity(pattern: string): number {
+    if (!pattern) return 0;
+
+    let score = 0;
+    
+    // Exact paths are most specific
+    if (!this.isDynamicPattern(pattern)) {
+      score += 100;
+    }
+    
+    // Count path segments
+    const segments = pattern.split('/').filter(s => s.length > 0);
+    score += segments.length * 10;
+    
+    // Count static segments (more static = more specific)
+    const staticSegments = segments.filter(s => !s.startsWith(':') && s !== '*');
+    score += staticSegments.length * 20;
+    
+    // Penalize wildcards and parameters
+    const wildcards = (pattern.match(/\*/g) || []).length;
+    const params = (pattern.match(/:/g) || []).length;
+    score -= wildcards * 30; // Wildcards are very generic
+    score -= params * 10;    // Parameters are somewhat generic
+    
+    // Bonus for longer patterns
+    score += pattern.length;
+    
+    return score;
+  }
+
+  /**
+   * Find all matching patterns from a list
+   * Returns patterns sorted by specificity (most specific first)
+   */
+  static findAllMatches(patterns: string[], path: string): Array<{
+    pattern: string;
+    result: IPathMatchResult;
+  }> {
+    const matches = patterns
+      .map(pattern => ({
+        pattern,
+        result: this.match(pattern, path)
+      }))
+      .filter(({ result }) => result.matches);
+
+    // Sort by specificity (highest first)
+    return matches.sort((a, b) => 
+      this.calculateSpecificity(b.pattern) - this.calculateSpecificity(a.pattern)
+    );
+  }
+
+  /**
+   * Instance method for interface compliance
+   */
+  match(pattern: string, path: string): IPathMatchResult {
+    return PathMatcher.match(pattern, path);
+  }
+}

ts/core/routing/route-manager.ts

@@ -7,20 +7,15 @@ import type {
   IRouteContext
 } from '../../proxies/smart-proxy/models/route-types.js';
 import {
-  matchDomain,
   matchRouteDomain,
-  matchPath,
-  matchIpPattern,
-  matchIpCidr,
-  ipToNumber,
-  isIpAuthorized,
   calculateRouteSpecificity
 } from './route-utils.js';
+import { DomainMatcher, PathMatcher, IpMatcher } from './matchers/index.js';
 
 /**
- * Result of route matching
+ * Result of route lookup
  */
-export interface IRouteMatchResult {
+export interface IRouteLookupResult {
   route: IRouteConfig;
   // Additional match parameters (path, query, etc.)
   params?: Record<string, string>;
@@ -219,7 +214,7 @@ export class SharedRouteManager extends plugins.EventEmitter {
   /**
    * Find the matching route for a connection
    */
-  public findMatchingRoute(context: IRouteContext): IRouteMatchResult | null {
+  public findMatchingRoute(context: IRouteContext): IRouteLookupResult | null {
     // Get routes for this port if using port-based filtering
     const routesToCheck = context.port 
       ? (this.portMap.get(context.port) || []) 
@@ -258,21 +253,21 @@ export class SharedRouteManager extends plugins.EventEmitter {
         ? route.match.domains
         : [route.match.domains];
 
-      if (!domains.some(domainPattern => this.matchDomain(domainPattern, context.domain!))) {
+      if (!domains.some(domainPattern => DomainMatcher.match(domainPattern, context.domain!))) {
         return false;
       }
     }
 
     // Check path match if specified
     if (route.match.path && context.path) {
-      if (!this.matchPath(route.match.path, context.path)) {
+      if (!PathMatcher.match(route.match.path, context.path).matches) {
         return false;
       }
     }
 
     // Check client IP match if specified
     if (route.match.clientIp && context.clientIp) {
-      if (!route.match.clientIp.some(ip => this.matchIpPattern(ip, context.clientIp))) {
+      if (!route.match.clientIp.some(ip => IpMatcher.match(ip, context.clientIp))) {
         return false;
       }
     }
@@ -311,45 +306,7 @@ export class SharedRouteManager extends plugins.EventEmitter {
     return true;
   }
   
-  /**
-   * Match a domain pattern against a domain
-   * @deprecated Use the matchDomain function from route-utils.js instead
-   */
-  public matchDomain(pattern: string, domain: string): boolean {
-    return matchDomain(pattern, domain);
-  }
   
-  /**
-   * Match a path pattern against a path
-   * @deprecated Use the matchPath function from route-utils.js instead
-   */
-  public matchPath(pattern: string, path: string): boolean {
-    return matchPath(pattern, path);
-  }
-
-  /**
-   * Match an IP pattern against a pattern
-   * @deprecated Use the matchIpPattern function from route-utils.js instead
-   */
-  public matchIpPattern(pattern: string, ip: string): boolean {
-    return matchIpPattern(pattern, ip);
-  }
-  
-  /**
-   * Match an IP against a CIDR pattern
-   * @deprecated Use the matchIpCidr function from route-utils.js instead
-   */
-  public matchIpCidr(cidr: string, ip: string): boolean {
-    return matchIpCidr(cidr, ip);
-  }
-  
-  /**
-   * Convert an IP address to a numeric value
-   * @deprecated Use the ipToNumber function from route-utils.js instead
-   */
-  private ipToNumber(ip: string): number {
-    return ipToNumber(ip);
-  }
   
   /**
    * Validate the route configuration and return any warnings
@@ -479,11 +436,4 @@ export class SharedRouteManager extends plugins.EventEmitter {
     return true;
   }
   
-  /**
-   * Check if route1 is more specific than route2
-   * @deprecated Use the calculateRouteSpecificity function from route-utils.js instead
-   */
-  private isRouteMoreSpecific(match1: IRouteMatch, match2: IRouteMatch): boolean {
-    return calculateRouteSpecificity(match1) > calculateRouteSpecificity(match2);
-  }
 }

ts/core/routing/route-utils.ts

@@ -0,0 +1,88 @@
+/**
+ * Route matching utilities for SmartProxy components
+ * 
+ * This file provides utility functions that use the unified matchers
+ * and additional route-specific utilities.
+ */
+
+import { DomainMatcher, PathMatcher, IpMatcher, HeaderMatcher } from './matchers/index.js';
+import { RouteSpecificity } from './specificity.js';
+import type { IRouteSpecificity } from './types.js';
+import type { IRouteConfig } from '../../proxies/smart-proxy/models/route-types.js';
+
+
+/**
+ * Match domains from a route against a given domain
+ * 
+ * @param domains Array or single domain pattern to match against
+ * @param domain Domain to match
+ * @returns Whether the domain matches any of the patterns
+ */
+export function matchRouteDomain(domains: string | string[] | undefined, domain: string | undefined): boolean {
+  // If no domains specified in the route, match all domains
+  if (!domains) {
+    return true;
+  }
+
+  // If no domain in the request, can't match domain-specific routes
+  if (!domain) {
+    return false;
+  }
+  
+  const patterns = Array.isArray(domains) ? domains : [domains];
+  return patterns.some(pattern => DomainMatcher.match(pattern, domain));
+}
+
+
+
+/**
+ * Calculate route specificity score
+ * Higher score means more specific matching criteria
+ * 
+ * @param match Match criteria to evaluate
+ * @returns Numeric specificity score
+ */
+export function calculateRouteSpecificity(match: {
+  domains?: string | string[];
+  path?: string;
+  clientIp?: string[];
+  tlsVersion?: string[];
+  headers?: Record<string, string | RegExp>;
+}): number {
+  let score = 0;
+  
+  // Path specificity using PathMatcher
+  if (match.path) {
+    score += PathMatcher.calculateSpecificity(match.path);
+  }
+  
+  // Domain specificity using DomainMatcher
+  if (match.domains) {
+    const domains = Array.isArray(match.domains) ? match.domains : [match.domains];
+    // Use the highest specificity among all domains
+    const domainScore = Math.max(...domains.map(d => DomainMatcher.calculateSpecificity(d)));
+    score += domainScore;
+  }
+  
+  // Headers specificity using HeaderMatcher
+  if (match.headers) {
+    const stringHeaders: Record<string, string> = {};
+    for (const [key, value] of Object.entries(match.headers)) {
+      stringHeaders[key] = value instanceof RegExp ? value.source : value;
+    }
+    score += HeaderMatcher.calculateSpecificity(stringHeaders);
+  }
+  
+  // Client IP adds some specificity
+  if (match.clientIp && match.clientIp.length > 0) {
+    // Use the first IP pattern for specificity
+    score += IpMatcher.calculateSpecificity(match.clientIp[0]);
+  }
+  
+  // TLS version adds minimal specificity
+  if (match.tlsVersion && match.tlsVersion.length > 0) {
+    score += match.tlsVersion.length * 10;
+  }
+  
+  return score;
+}

ts/core/routing/specificity.ts

@@ -0,0 +1,141 @@
+import type { IRouteConfig } from '../../proxies/smart-proxy/models/route-types.js';
+import type { IRouteSpecificity } from './types.js';
+import { DomainMatcher, PathMatcher, IpMatcher, HeaderMatcher } from './matchers/index.js';
+
+/**
+ * Unified route specificity calculator
+ * Provides consistent specificity scoring across all routing components
+ */
+export class RouteSpecificity {
+  /**
+   * Calculate the total specificity score for a route
+   * Higher scores indicate more specific routes that should match first
+   */
+  static calculate(route: IRouteConfig): IRouteSpecificity {
+    const specificity: IRouteSpecificity = {
+      pathSpecificity: 0,
+      domainSpecificity: 0,
+      ipSpecificity: 0,
+      headerSpecificity: 0,
+      tlsSpecificity: 0,
+      totalScore: 0
+    };
+
+    // Path specificity
+    if (route.match.path) {
+      specificity.pathSpecificity = PathMatcher.calculateSpecificity(route.match.path);
+    }
+
+    // Domain specificity
+    if (route.match.domains) {
+      const domains = Array.isArray(route.match.domains) 
+        ? route.match.domains 
+        : [route.match.domains];
+      
+      // Use the highest specificity among all domains
+      specificity.domainSpecificity = Math.max(
+        ...domains.map(d => DomainMatcher.calculateSpecificity(d))
+      );
+    }
+
+    // IP specificity (clientIp is an array of IPs)
+    if (route.match.clientIp && route.match.clientIp.length > 0) {
+      // Use the first IP pattern for specificity calculation
+      specificity.ipSpecificity = IpMatcher.calculateSpecificity(route.match.clientIp[0]);
+    }
+
+    // Header specificity (convert RegExp values to strings)
+    if (route.match.headers) {
+      const stringHeaders: Record<string, string> = {};
+      for (const [key, value] of Object.entries(route.match.headers)) {
+        stringHeaders[key] = value instanceof RegExp ? value.source : value;
+      }
+      specificity.headerSpecificity = HeaderMatcher.calculateSpecificity(stringHeaders);
+    }
+
+    // TLS version specificity
+    if (route.match.tlsVersion && route.match.tlsVersion.length > 0) {
+      specificity.tlsSpecificity = route.match.tlsVersion.length * 10;
+    }
+
+    // Calculate total score with weights
+    specificity.totalScore = 
+      specificity.pathSpecificity * 3 +      // Path is most important
+      specificity.domainSpecificity * 2 +    // Domain is second
+      specificity.ipSpecificity * 1.5 +      // IP is moderately important
+      specificity.headerSpecificity * 1 +    // Headers are less important
+      specificity.tlsSpecificity * 0.5;     // TLS is least important
+
+    return specificity;
+  }
+
+  /**
+   * Compare two routes and determine which is more specific
+   * @returns positive if route1 is more specific, negative if route2 is more specific, 0 if equal
+   */
+  static compare(route1: IRouteConfig, route2: IRouteConfig): number {
+    const spec1 = this.calculate(route1);
+    const spec2 = this.calculate(route2);
+
+    // First compare by total score
+    if (spec1.totalScore !== spec2.totalScore) {
+      return spec1.totalScore - spec2.totalScore;
+    }
+
+    // If total scores are equal, compare by individual components
+    // Path is most important tiebreaker
+    if (spec1.pathSpecificity !== spec2.pathSpecificity) {
+      return spec1.pathSpecificity - spec2.pathSpecificity;
+    }
+
+    // Then domain
+    if (spec1.domainSpecificity !== spec2.domainSpecificity) {
+      return spec1.domainSpecificity - spec2.domainSpecificity;
+    }
+
+    // Then IP
+    if (spec1.ipSpecificity !== spec2.ipSpecificity) {
+      return spec1.ipSpecificity - spec2.ipSpecificity;
+    }
+
+    // Then headers
+    if (spec1.headerSpecificity !== spec2.headerSpecificity) {
+      return spec1.headerSpecificity - spec2.headerSpecificity;
+    }
+
+    // Finally TLS
+    return spec1.tlsSpecificity - spec2.tlsSpecificity;
+  }
+
+  /**
+   * Sort routes by specificity (most specific first)
+   */
+  static sort(routes: IRouteConfig[]): IRouteConfig[] {
+    return [...routes].sort((a, b) => this.compare(b, a));
+  }
+
+  /**
+   * Find the most specific route from a list
+   */
+  static findMostSpecific(routes: IRouteConfig[]): IRouteConfig | null {
+    if (routes.length === 0) return null;
+    
+    return routes.reduce((most, current) => 
+      this.compare(current, most) > 0 ? current : most
+    );
+  }
+
+  /**
+   * Check if a route has any matching criteria
+   */
+  static hasMatchCriteria(route: IRouteConfig): boolean {
+    const match = route.match;
+    return !!(
+      match.domains ||
+      match.path ||
+      match.clientIp?.length ||
+      match.headers ||
+      match.tlsVersion?.length
+    );
+  }
+}

ts/core/routing/types.ts

@@ -0,0 +1,49 @@
+/**
+ * Core routing types used throughout the routing system
+ */
+
+export interface IPathMatchResult {
+  matches: boolean;
+  params?: Record<string, string>;
+  pathMatch?: string;
+  pathRemainder?: string;
+}
+
+export interface IRouteMatchResult {
+  matches: boolean;
+  score: number;
+  specificity: number;
+  matchedCriteria: string[];
+}
+
+export interface IDomainMatchOptions {
+  allowWildcards?: boolean;
+  caseInsensitive?: boolean;
+}
+
+export interface IIpMatchOptions {
+  allowCidr?: boolean;
+  allowRanges?: boolean;
+}
+
+export interface IHeaderMatchOptions {
+  caseInsensitive?: boolean;
+  exactMatch?: boolean;
+}
+
+export interface IRouteSpecificity {
+  pathSpecificity: number;
+  domainSpecificity: number;
+  ipSpecificity: number;
+  headerSpecificity: number;
+  tlsSpecificity: number;
+  totalScore: number;
+}
+
+export interface IMatcher<T = any, O = any> {
+  match(pattern: string, value: string, options?: O): T | boolean;
+}
+
+export interface IAsyncMatcher<T = any, O = any> {
+  match(pattern: string, value: string, options?: O): Promise<T | boolean>;
+}

ts/core/utils/index.ts

@@ -5,8 +5,6 @@
 export * from './validation-utils.js';
 export * from './ip-utils.js';
 export * from './template-utils.js';
-export * from './route-manager.js';
-export * from './route-utils.js';
 export * from './security-utils.js';
 export * from './shared-security-manager.js';
 export * from './websocket-utils.js';
@@ -17,3 +15,4 @@ export * from './lifecycle-component.js';
 export * from './binary-heap.js';
 export * from './enhanced-connection-pool.js';
 export * from './socket-utils.js';
+export * from './proxy-protocol.js';

ts/core/utils/proxy-protocol.ts

@@ -0,0 +1,246 @@
+import * as plugins from '../../plugins.js';
+import { logger } from './logger.js';
+
+/**
+ * Interface representing parsed PROXY protocol information
+ */
+export interface IProxyInfo {
+  protocol: 'TCP4' | 'TCP6' | 'UNKNOWN';
+  sourceIP: string;
+  sourcePort: number;
+  destinationIP: string;
+  destinationPort: number;
+}
+
+/**
+ * Interface for parse result including remaining data
+ */
+export interface IProxyParseResult {
+  proxyInfo: IProxyInfo | null;
+  remainingData: Buffer;
+}
+
+/**
+ * Parser for PROXY protocol v1 (text format)
+ * Spec: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+ */
+export class ProxyProtocolParser {
+  static readonly PROXY_V1_SIGNATURE = 'PROXY ';
+  static readonly MAX_HEADER_LENGTH = 107; // Max length for v1 header
+  static readonly HEADER_TERMINATOR = '\r\n';
+  
+  /**
+   * Parse PROXY protocol v1 header from buffer
+   * Returns proxy info and remaining data after header
+   */
+  static parse(data: Buffer): IProxyParseResult {
+    // Check if buffer starts with PROXY signature
+    if (!data.toString('ascii', 0, 6).startsWith(this.PROXY_V1_SIGNATURE)) {
+      return {
+        proxyInfo: null,
+        remainingData: data
+      };
+    }
+    
+    // Find header terminator
+    const headerEndIndex = data.indexOf(this.HEADER_TERMINATOR);
+    if (headerEndIndex === -1) {
+      // Header incomplete, need more data
+      if (data.length > this.MAX_HEADER_LENGTH) {
+        // Header too long, invalid
+        throw new Error('PROXY protocol header exceeds maximum length');
+      }
+      return {
+        proxyInfo: null,
+        remainingData: data
+      };
+    }
+    
+    // Extract header line
+    const headerLine = data.toString('ascii', 0, headerEndIndex);
+    const remainingData = data.slice(headerEndIndex + 2); // Skip \r\n
+    
+    // Parse header
+    const parts = headerLine.split(' ');
+    
+    if (parts.length < 2) {
+      throw new Error(`Invalid PROXY protocol header format: ${headerLine}`);
+    }
+    
+    const [signature, protocol] = parts;
+    
+    // Validate protocol
+    if (!['TCP4', 'TCP6', 'UNKNOWN'].includes(protocol)) {
+      throw new Error(`Invalid PROXY protocol: ${protocol}`);
+    }
+    
+    // For UNKNOWN protocol, ignore addresses
+    if (protocol === 'UNKNOWN') {
+      return {
+        proxyInfo: {
+          protocol: 'UNKNOWN',
+          sourceIP: '',
+          sourcePort: 0,
+          destinationIP: '',
+          destinationPort: 0
+        },
+        remainingData
+      };
+    }
+    
+    // For TCP4/TCP6, we need all 6 parts
+    if (parts.length !== 6) {
+      throw new Error(`Invalid PROXY protocol header format: ${headerLine}`);
+    }
+    
+    const [, , srcIP, dstIP, srcPort, dstPort] = parts;
+    
+    // Validate and parse ports
+    const sourcePort = parseInt(srcPort, 10);
+    const destinationPort = parseInt(dstPort, 10);
+    
+    if (isNaN(sourcePort) || sourcePort < 0 || sourcePort > 65535) {
+      throw new Error(`Invalid source port: ${srcPort}`);
+    }
+    
+    if (isNaN(destinationPort) || destinationPort < 0 || destinationPort > 65535) {
+      throw new Error(`Invalid destination port: ${dstPort}`);
+    }
+    
+    // Validate IP addresses
+    const protocolType = protocol as 'TCP4' | 'TCP6' | 'UNKNOWN';
+    if (!this.isValidIP(srcIP, protocolType)) {
+      throw new Error(`Invalid source IP for ${protocol}: ${srcIP}`);
+    }
+    
+    if (!this.isValidIP(dstIP, protocolType)) {
+      throw new Error(`Invalid destination IP for ${protocol}: ${dstIP}`);
+    }
+    
+    return {
+      proxyInfo: {
+        protocol: protocol as 'TCP4' | 'TCP6',
+        sourceIP: srcIP,
+        sourcePort,
+        destinationIP: dstIP,
+        destinationPort
+      },
+      remainingData
+    };
+  }
+  
+  /**
+   * Generate PROXY protocol v1 header
+   */
+  static generate(info: IProxyInfo): Buffer {
+    if (info.protocol === 'UNKNOWN') {
+      return Buffer.from(`PROXY UNKNOWN\r\n`, 'ascii');
+    }
+    
+    const header = `PROXY ${info.protocol} ${info.sourceIP} ${info.destinationIP} ${info.sourcePort} ${info.destinationPort}\r\n`;
+    
+    if (header.length > this.MAX_HEADER_LENGTH) {
+      throw new Error('Generated PROXY protocol header exceeds maximum length');
+    }
+    
+    return Buffer.from(header, 'ascii');
+  }
+  
+  /**
+   * Validate IP address format
+   */
+  private static isValidIP(ip: string, protocol: 'TCP4' | 'TCP6' | 'UNKNOWN'): boolean {
+    if (protocol === 'TCP4') {
+      return plugins.net.isIPv4(ip);
+    } else if (protocol === 'TCP6') {
+      return plugins.net.isIPv6(ip);
+    }
+    return false;
+  }
+  
+  /**
+   * Attempt to read a complete PROXY protocol header from a socket
+   * Returns null if no PROXY protocol detected or incomplete
+   */
+  static async readFromSocket(socket: plugins.net.Socket, timeout: number = 5000): Promise<IProxyParseResult | null> {
+    return new Promise((resolve) => {
+      let buffer = Buffer.alloc(0);
+      let resolved = false;
+      
+      const cleanup = () => {
+        socket.removeListener('data', onData);
+        socket.removeListener('error', onError);
+        clearTimeout(timer);
+      };
+      
+      const timer = setTimeout(() => {
+        if (!resolved) {
+          resolved = true;
+          cleanup();
+          resolve({
+            proxyInfo: null,
+            remainingData: buffer
+          });
+        }
+      }, timeout);
+      
+      const onData = (chunk: Buffer) => {
+        buffer = Buffer.concat([buffer, chunk]);
+        
+        // Check if we have enough data
+        if (!buffer.toString('ascii', 0, Math.min(6, buffer.length)).startsWith(this.PROXY_V1_SIGNATURE)) {
+          // Not PROXY protocol
+          resolved = true;
+          cleanup();
+          resolve({
+            proxyInfo: null,
+            remainingData: buffer
+          });
+          return;
+        }
+        
+        // Try to parse
+        try {
+          const result = this.parse(buffer);
+          if (result.proxyInfo) {
+            // Successfully parsed
+            resolved = true;
+            cleanup();
+            resolve(result);
+          } else if (buffer.length > this.MAX_HEADER_LENGTH) {
+            // Header too long
+            resolved = true;
+            cleanup();
+            resolve({
+              proxyInfo: null,
+              remainingData: buffer
+            });
+          }
+          // Otherwise continue reading
+        } catch (error) {
+          // Parse error
+          logger.log('error', `PROXY protocol parse error: ${error.message}`);
+          resolved = true;
+          cleanup();
+          resolve({
+            proxyInfo: null,
+            remainingData: buffer
+          });
+        }
+      };
+      
+      const onError = (error: Error) => {
+        logger.log('error', `Socket error while reading PROXY protocol: ${error.message}`);
+        resolved = true;
+        cleanup();
+        resolve({
+          proxyInfo: null,
+          remainingData: buffer
+        });
+      };
+      
+      socket.on('data', onData);
+      socket.on('error', onError);
+    });
+  }
+}

ts/core/utils/route-utils.ts

@@ -1,312 +0,0 @@
-/**
- * Route matching utilities for SmartProxy components
- * 
- * Contains shared logic for domain matching, path matching, and IP matching
- * to be used by different proxy components throughout the system.
- */
-
-/**
- * Match a domain pattern against a domain
- * 
- * @param pattern Domain pattern with optional wildcards (e.g., "*.example.com")
- * @param domain Domain to match against the pattern
- * @returns Whether the domain matches the pattern
- */
-export function matchDomain(pattern: string, domain: string): boolean {
-  // Handle exact match (case-insensitive)
-  if (pattern.toLowerCase() === domain.toLowerCase()) {
-    return true;
-  }
-
-  // Handle wildcard pattern
-  if (pattern.includes('*')) {
-    const regexPattern = pattern
-      .replace(/\./g, '\\.')  // Escape dots
-      .replace(/\*/g, '.*');  // Convert * to .*
-
-    const regex = new RegExp(`^${regexPattern}$`, 'i');
-    return regex.test(domain);
-  }
-
-  return false;
-}
-
-/**
- * Match domains from a route against a given domain
- * 
- * @param domains Array or single domain pattern to match against
- * @param domain Domain to match
- * @returns Whether the domain matches any of the patterns
- */
-export function matchRouteDomain(domains: string | string[] | undefined, domain: string | undefined): boolean {
-  // If no domains specified in the route, match all domains
-  if (!domains) {
-    return true;
-  }
-
-  // If no domain in the request, can't match domain-specific routes
-  if (!domain) {
-    return false;
-  }
-  
-  const patterns = Array.isArray(domains) ? domains : [domains];
-  return patterns.some(pattern => matchDomain(pattern, domain));
-}
-
-/**
- * Match a path pattern against a path
- * 
- * @param pattern Path pattern with optional wildcards
- * @param path Path to match against the pattern
- * @returns Whether the path matches the pattern
- */
-export function matchPath(pattern: string, path: string): boolean {
-  // Handle exact match
-  if (pattern === path) {
-    return true;
-  }
-
-  // Handle simple wildcard at the end (like /api/*)
-  if (pattern.endsWith('*')) {
-    const prefix = pattern.slice(0, -1);
-    return path.startsWith(prefix);
-  }
-
-  // Handle more complex wildcard patterns
-  if (pattern.includes('*')) {
-    const regexPattern = pattern
-      .replace(/\./g, '\\.')   // Escape dots
-      .replace(/\*/g, '.*')    // Convert * to .*
-      .replace(/\//g, '\\/');  // Escape slashes
-    
-    const regex = new RegExp(`^${regexPattern}$`);
-    return regex.test(path);
-  }
-
-  return false;
-}
-
-/**
- * Parse CIDR notation into subnet and mask bits
- * 
- * @param cidr CIDR string (e.g., "192.168.1.0/24")
- * @returns Object with subnet and bits, or null if invalid
- */
-export function parseCidr(cidr: string): { subnet: string; bits: number } | null {
-  try {
-    const [subnet, bitsStr] = cidr.split('/');
-    const bits = parseInt(bitsStr, 10);
-    
-    if (isNaN(bits) || bits < 0 || bits > 32) {
-      return null;
-    }
-    
-    return { subnet, bits };
-  } catch (e) {
-    return null;
-  }
-}
-
-/**
- * Convert an IP address to a numeric value
- * 
- * @param ip IPv4 address string (e.g., "192.168.1.1")
- * @returns Numeric representation of the IP
- */
-export function ipToNumber(ip: string): number {
-  // Handle IPv6-mapped IPv4 addresses (::ffff:192.168.1.1)
-  if (ip.startsWith('::ffff:')) {
-    ip = ip.slice(7);
-  }
-  
-  const parts = ip.split('.').map(part => parseInt(part, 10));
-  return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3];
-}
-
-/**
- * Match an IP against a CIDR pattern
- * 
- * @param cidr CIDR pattern (e.g., "192.168.1.0/24")
- * @param ip IP to match against the pattern
- * @returns Whether the IP is in the CIDR range
- */
-export function matchIpCidr(cidr: string, ip: string): boolean {
-  const parsed = parseCidr(cidr);
-  if (!parsed) {
-    return false;
-  }
-  
-  try {
-    const { subnet, bits } = parsed;
-    
-    // Normalize IPv6-mapped IPv4 addresses
-    const normalizedIp = ip.startsWith('::ffff:') ? ip.substring(7) : ip;
-    const normalizedSubnet = subnet.startsWith('::ffff:') ? subnet.substring(7) : subnet;
-    
-    // Convert IP addresses to numeric values
-    const ipNum = ipToNumber(normalizedIp);
-    const subnetNum = ipToNumber(normalizedSubnet);
-    
-    // Calculate subnet mask
-    const maskNum = ~(2 ** (32 - bits) - 1);
-    
-    // Check if IP is in subnet
-    return (ipNum & maskNum) === (subnetNum & maskNum);
-  } catch (e) {
-    return false;
-  }
-}
-
-/**
- * Match an IP pattern against an IP
- * 
- * @param pattern IP pattern (exact, CIDR, or with wildcards)
- * @param ip IP to match against the pattern
- * @returns Whether the IP matches the pattern
- */
-export function matchIpPattern(pattern: string, ip: string): boolean {
-  // Normalize IPv6-mapped IPv4 addresses
-  const normalizedIp = ip.startsWith('::ffff:') ? ip.substring(7) : ip;
-  const normalizedPattern = pattern.startsWith('::ffff:') ? pattern.substring(7) : pattern;
-  
-  // Handle exact match with all variations
-  if (pattern === ip || normalizedPattern === normalizedIp || 
-      pattern === normalizedIp || normalizedPattern === ip) {
-    return true;
-  }
-  
-  // Handle "all" wildcard
-  if (pattern === '*' || normalizedPattern === '*') {
-    return true;
-  }
-  
-  // Handle CIDR notation (e.g., 192.168.1.0/24)
-  if (pattern.includes('/')) {
-    return matchIpCidr(pattern, normalizedIp) || 
-           (normalizedPattern !== pattern && matchIpCidr(normalizedPattern, normalizedIp));
-  }
-  
-  // Handle glob pattern (e.g., 192.168.1.*)
-  if (pattern.includes('*')) {
-    const regexPattern = pattern.replace(/\./g, '\\.').replace(/\*/g, '.*');
-    const regex = new RegExp(`^${regexPattern}$`);
-    if (regex.test(ip) || regex.test(normalizedIp)) {
-      return true;
-    }
-    
-    // If pattern was normalized, also test with normalized pattern
-    if (normalizedPattern !== pattern) {
-      const normalizedRegexPattern = normalizedPattern.replace(/\./g, '\\.').replace(/\*/g, '.*');
-      const normalizedRegex = new RegExp(`^${normalizedRegexPattern}$`);
-      return normalizedRegex.test(ip) || normalizedRegex.test(normalizedIp);
-    }
-  }
-  
-  return false;
-}
-
-/**
- * Match an IP against allowed and blocked IP patterns
- * 
- * @param ip IP to check
- * @param ipAllowList Array of allowed IP patterns
- * @param ipBlockList Array of blocked IP patterns
- * @returns Whether the IP is allowed
- */
-export function isIpAuthorized(
-  ip: string, 
-  ipAllowList: string[] = ['*'], 
-  ipBlockList: string[] = []
-): boolean {
-  // Check blocked IPs first
-  if (ipBlockList.length > 0) {
-    for (const pattern of ipBlockList) {
-      if (matchIpPattern(pattern, ip)) {
-        return false; // IP is blocked
-      }
-    }
-  }
-  
-  // If there are allowed IPs, check them
-  if (ipAllowList.length > 0) {
-    // Special case: if '*' is in allowed IPs, all non-blocked IPs are allowed
-    if (ipAllowList.includes('*')) {
-      return true;
-    }
-    
-    for (const pattern of ipAllowList) {
-      if (matchIpPattern(pattern, ip)) {
-        return true; // IP is allowed
-      }
-    }
-    return false; // IP not in allowed list
-  }
-  
-  // No allowed IPs specified, so IP is allowed by default
-  return true;
-}
-
-/**
- * Match an HTTP header pattern against a header value
- * 
- * @param pattern Expected header value (string or RegExp)
- * @param value Actual header value
- * @returns Whether the header matches the pattern
- */
-export function matchHeader(pattern: string | RegExp, value: string): boolean {
-  if (typeof pattern === 'string') {
-    return pattern === value;
-  } else if (pattern instanceof RegExp) {
-    return pattern.test(value);
-  }
-  return false;
-}
-
-/**
- * Calculate route specificity score
- * Higher score means more specific matching criteria
- * 
- * @param match Match criteria to evaluate
- * @returns Numeric specificity score
- */
-export function calculateRouteSpecificity(match: {
-  domains?: string | string[];
-  path?: string;
-  clientIp?: string[];
-  tlsVersion?: string[];
-  headers?: Record<string, string | RegExp>;
-}): number {
-  let score = 0;
-  
-  // Path is very specific
-  if (match.path) {
-    // More specific if it doesn't use wildcards
-    score += match.path.includes('*') ? 3 : 4;
-  }
-  
-  // Domain is next most specific
-  if (match.domains) {
-    const domains = Array.isArray(match.domains) ? match.domains : [match.domains];
-    // More domains or more specific domains (without wildcards) increase specificity
-    score += domains.length;
-    // Add bonus for exact domains (without wildcards)
-    score += domains.some(d => !d.includes('*')) ? 1 : 0;
-  }
-  
-  // Headers are quite specific
-  if (match.headers) {
-    score += Object.keys(match.headers).length * 2;
-  }
-  
-  // Client IP adds some specificity
-  if (match.clientIp && match.clientIp.length > 0) {
-    score += 1;
-  }
-  
-  // TLS version adds minimal specificity
-  if (match.tlsVersion && match.tlsVersion.length > 0) {
-    score += 1;
-  }
-  
-  return score;
-}

ts/core/utils/security-utils.ts

@@ -1,9 +1,5 @@
 import * as plugins from '../../plugins.js';
-import { 
-  matchIpPattern, 
-  ipToNumber,
-  matchIpCidr
-} from './route-utils.js';
+import { IpMatcher } from '../routing/matchers/ip.js';
 
 /**
  * Security utilities for IP validation, rate limiting, 
@@ -90,7 +86,7 @@ export function isIPAuthorized(
   // First check if IP is blocked - blocked IPs take precedence
   if (blockedIPs.length > 0) {
     for (const pattern of blockedIPs) {
-      if (matchIpPattern(pattern, ip)) {
+      if (IpMatcher.match(pattern, ip)) {
         return false;
       }
     }
@@ -104,7 +100,7 @@ export function isIPAuthorized(
   // Then check if IP is allowed in the explicit allow list
   if (allowedIPs.length > 0) {
     for (const pattern of allowedIPs) {
-      if (matchIpPattern(pattern, ip)) {
+      if (IpMatcher.match(pattern, ip)) {
         return true;
       }
     }

ts/core/utils/socket-utils.ts

@@ -1,69 +1,157 @@
 import * as plugins from '../../plugins.js';
 
+export interface CleanupOptions {
+  immediate?: boolean;      // Force immediate destruction
+  allowDrain?: boolean;     // Allow write buffer to drain
+  gracePeriod?: number;     // Ms to wait before force close
+}
+
+export interface SafeSocketOptions {
+  port: number;
+  host: string;
+  onError?: (error: Error) => void;
+  onConnect?: () => void;
+  timeout?: number;
+}
+
 /**
  * Safely cleanup a socket by removing all listeners and destroying it
  * @param socket The socket to cleanup
  * @param socketName Optional name for logging
+ * @param options Cleanup options
  */
-export function cleanupSocket(socket: plugins.net.Socket | plugins.tls.TLSSocket | null, socketName?: string): void {
-  if (!socket) return;
+export function cleanupSocket(
+  socket: plugins.net.Socket | plugins.tls.TLSSocket | null, 
+  socketName?: string,
+  options: CleanupOptions = {}
+): Promise<void> {
+  if (!socket || socket.destroyed) return Promise.resolve();
   
-  try {
-    // Remove all event listeners
-    socket.removeAllListeners();
+  return new Promise<void>((resolve) => {
+    const cleanup = () => {
+      try {
+        // Remove all event listeners
+        socket.removeAllListeners();
+        
+        // Destroy if not already destroyed
+        if (!socket.destroyed) {
+          socket.destroy();
+        }
+      } catch (err) {
+        console.error(`Error cleaning up socket${socketName ? ` (${socketName})` : ''}: ${err}`);
+      }
+      resolve();
+    };
     
-    // Unpipe any streams
-    socket.unpipe();
-    
-    // Destroy if not already destroyed
-    if (!socket.destroyed) {
-      socket.destroy();
+    if (options.immediate) {
+      // Immediate cleanup (old behavior)
+      socket.unpipe();
+      cleanup();
+    } else if (options.allowDrain && socket.writable) {
+      // Allow pending writes to complete
+      socket.end(() => cleanup());
+      
+      // Force cleanup after grace period
+      if (options.gracePeriod) {
+        setTimeout(() => {
+          if (!socket.destroyed) {
+            cleanup();
+          }
+        }, options.gracePeriod);
+      }
+    } else {
+      // Default: immediate cleanup
+      socket.unpipe();
+      cleanup();
     }
-  } catch (err) {
-    console.error(`Error cleaning up socket${socketName ? ` (${socketName})` : ''}: ${err}`);
-  }
+  });
 }
 
+
 /**
- * Create a cleanup handler for paired sockets (client and server)
+ * Create independent cleanup handlers for paired sockets that support half-open connections
  * @param clientSocket The client socket
- * @param serverSocket The server socket (optional)
- * @param onCleanup Optional callback when cleanup is done
- * @returns A cleanup function that can be called multiple times safely
+ * @param serverSocket The server socket
+ * @param onBothClosed Callback when both sockets are closed
+ * @returns Independent cleanup functions for each socket
  */
-export function createSocketCleanupHandler(
+export function createIndependentSocketHandlers(
   clientSocket: plugins.net.Socket | plugins.tls.TLSSocket,
-  serverSocket?: plugins.net.Socket | plugins.tls.TLSSocket | null,
-  onCleanup?: (reason: string) => void
-): (reason: string) => void {
-  let cleanedUp = false;
+  serverSocket: plugins.net.Socket | plugins.tls.TLSSocket,
+  onBothClosed: (reason: string) => void,
+  options: { enableHalfOpen?: boolean } = {}
+): { cleanupClient: (reason: string) => Promise<void>, cleanupServer: (reason: string) => Promise<void> } {
+  let clientClosed = false;
+  let serverClosed = false;
+  let clientReason = '';
+  let serverReason = '';
   
-  return (reason: string) => {
-    if (cleanedUp) return;
-    cleanedUp = true;
-    
-    // Cleanup both sockets
-    cleanupSocket(clientSocket, 'client');
-    if (serverSocket) {
-      cleanupSocket(serverSocket, 'server');
-    }
-    
-    // Call cleanup callback if provided
-    if (onCleanup) {
-      onCleanup(reason);
+  const checkBothClosed = () => {
+    if (clientClosed && serverClosed) {
+      onBothClosed(`client: ${clientReason}, server: ${serverReason}`);
     }
   };
+  
+  const cleanupClient = async (reason: string) => {
+    if (clientClosed) return;
+    clientClosed = true;
+    clientReason = reason;
+    
+    // Default behavior: close both sockets when one closes (required for proxy chains)
+    if (!serverClosed && !options.enableHalfOpen) {
+      serverSocket.destroy();
+    }
+    
+    // Half-open support (opt-in only)
+    if (!serverClosed && serverSocket.writable && options.enableHalfOpen) {
+      // Half-close: stop reading from client, let server finish
+      clientSocket.pause();
+      clientSocket.unpipe(serverSocket);
+      await cleanupSocket(clientSocket, 'client', { allowDrain: true, gracePeriod: 5000 });
+    } else {
+      await cleanupSocket(clientSocket, 'client', { immediate: true });
+    }
+    
+    checkBothClosed();
+  };
+  
+  const cleanupServer = async (reason: string) => {
+    if (serverClosed) return;
+    serverClosed = true;
+    serverReason = reason;
+    
+    // Default behavior: close both sockets when one closes (required for proxy chains)
+    if (!clientClosed && !options.enableHalfOpen) {
+      clientSocket.destroy();
+    }
+    
+    // Half-open support (opt-in only)
+    if (!clientClosed && clientSocket.writable && options.enableHalfOpen) {
+      // Half-close: stop reading from server, let client finish
+      serverSocket.pause();
+      serverSocket.unpipe(clientSocket);
+      await cleanupSocket(serverSocket, 'server', { allowDrain: true, gracePeriod: 5000 });
+    } else {
+      await cleanupSocket(serverSocket, 'server', { immediate: true });
+    }
+    
+    checkBothClosed();
+  };
+  
+  return { cleanupClient, cleanupServer };
 }
 
 /**
  * Setup socket error and close handlers with proper cleanup
  * @param socket The socket to setup handlers for
  * @param handleClose The cleanup function to call
+ * @param handleTimeout Optional custom timeout handler
  * @param errorPrefix Optional prefix for error messages
  */
 export function setupSocketHandlers(
   socket: plugins.net.Socket | plugins.tls.TLSSocket,
   handleClose: (reason: string) => void,
+  handleTimeout?: (socket: plugins.net.Socket | plugins.tls.TLSSocket) => void,
   errorPrefix?: string
 ): void {
   socket.on('error', (error) => {
@@ -77,20 +165,158 @@ export function setupSocketHandlers(
   });
   
   socket.on('timeout', () => {
-    const prefix = errorPrefix || 'socket';
-    handleClose(`${prefix}_timeout`);
+    if (handleTimeout) {
+      handleTimeout(socket);  // Custom timeout handling
+    } else {
+      // Default: just log, don't close
+      console.warn(`Socket timeout: ${errorPrefix || 'socket'}`);
+    }
   });
 }
 
 /**
- * Pipe two sockets together with proper cleanup on either end
- * @param socket1 First socket
- * @param socket2 Second socket
+ * Setup bidirectional data forwarding between two sockets with proper cleanup
+ * @param clientSocket The client/incoming socket
+ * @param serverSocket The server/outgoing socket
+ * @param handlers Object containing optional handlers for data and cleanup
+ * @returns Cleanup functions for both sockets
  */
-export function pipeSockets(
-  socket1: plugins.net.Socket | plugins.tls.TLSSocket,
-  socket2: plugins.net.Socket | plugins.tls.TLSSocket
-): void {
-  socket1.pipe(socket2);
-  socket2.pipe(socket1);
+export function setupBidirectionalForwarding(
+  clientSocket: plugins.net.Socket | plugins.tls.TLSSocket,
+  serverSocket: plugins.net.Socket | plugins.tls.TLSSocket,
+  handlers: {
+    onClientData?: (chunk: Buffer) => void;
+    onServerData?: (chunk: Buffer) => void;
+    onCleanup: (reason: string) => void;
+    enableHalfOpen?: boolean;
+  }
+): { cleanupClient: (reason: string) => Promise<void>, cleanupServer: (reason: string) => Promise<void> } {
+  // Set up cleanup handlers
+  const { cleanupClient, cleanupServer } = createIndependentSocketHandlers(
+    clientSocket,
+    serverSocket,
+    handlers.onCleanup,
+    { enableHalfOpen: handlers.enableHalfOpen }
+  );
+  
+  // Set up error and close handlers
+  setupSocketHandlers(clientSocket, cleanupClient, undefined, 'client');
+  setupSocketHandlers(serverSocket, cleanupServer, undefined, 'server');
+  
+  // Set up data forwarding with backpressure handling
+  clientSocket.on('data', (chunk: Buffer) => {
+    if (handlers.onClientData) {
+      handlers.onClientData(chunk);
+    }
+    
+    if (serverSocket.writable) {
+      const flushed = serverSocket.write(chunk);
+      
+      // Handle backpressure
+      if (!flushed) {
+        clientSocket.pause();
+        serverSocket.once('drain', () => {
+          if (!clientSocket.destroyed) {
+            clientSocket.resume();
+          }
+        });
+      }
+    }
+  });
+  
+  serverSocket.on('data', (chunk: Buffer) => {
+    if (handlers.onServerData) {
+      handlers.onServerData(chunk);
+    }
+    
+    if (clientSocket.writable) {
+      const flushed = clientSocket.write(chunk);
+      
+      // Handle backpressure
+      if (!flushed) {
+        serverSocket.pause();
+        clientSocket.once('drain', () => {
+          if (!serverSocket.destroyed) {
+            serverSocket.resume();
+          }
+        });
+      }
+    }
+  });
+  
+  return { cleanupClient, cleanupServer };
+}
+
+/**
+ * Create a socket with immediate error handling to prevent crashes
+ * @param options Socket creation options
+ * @returns The created socket
+ */
+export function createSocketWithErrorHandler(options: SafeSocketOptions): plugins.net.Socket {
+  const { port, host, onError, onConnect, timeout } = options;
+  
+  // Create socket with immediate error handler attachment
+  const socket = new plugins.net.Socket();
+  
+  // Track if connected
+  let connected = false;
+  let connectionTimeout: NodeJS.Timeout | null = null;
+  
+  // Attach error handler BEFORE connecting to catch immediate errors
+  socket.on('error', (error) => {
+    console.error(`Socket connection error to ${host}:${port}: ${error.message}`);
+    // Clear the connection timeout if it exists
+    if (connectionTimeout) {
+      clearTimeout(connectionTimeout);
+      connectionTimeout = null;
+    }
+    if (onError) {
+      onError(error);
+    }
+  });
+  
+  // Attach connect handler
+  const handleConnect = () => {
+    connected = true;
+    // Clear the connection timeout
+    if (connectionTimeout) {
+      clearTimeout(connectionTimeout);
+      connectionTimeout = null;
+    }
+    // Set inactivity timeout if provided (after connection is established)
+    if (timeout) {
+      socket.setTimeout(timeout);
+    }
+    if (onConnect) {
+      onConnect();
+    }
+  };
+  
+  socket.on('connect', handleConnect);
+  
+  // Implement connection establishment timeout
+  if (timeout) {
+    connectionTimeout = setTimeout(() => {
+      if (!connected && !socket.destroyed) {
+        // Connection timed out - destroy the socket
+        const error = new Error(`Connection timeout after ${timeout}ms to ${host}:${port}`);
+        (error as any).code = 'ETIMEDOUT';
+        
+        console.error(`Socket connection timeout to ${host}:${port} after ${timeout}ms`);
+        
+        // Destroy the socket
+        socket.destroy();
+        
+        // Call error handler
+        if (onError) {
+          onError(error);
+        }
+      }
+    }, timeout);
+  }
+  
+  // Now attempt to connect - any immediate errors will be caught
+  socket.connect(port, host);
+  
+  return socket;
 }

ts/forwarding/handlers/http-handler.ts

@@ -49,7 +49,12 @@ export class HttpForwardingHandler extends ForwardingHandler {
       });
     };
     
-    setupSocketHandlers(socket, handleClose, 'http');
+    // Use custom timeout handler that doesn't close the socket
+    setupSocketHandlers(socket, handleClose, () => {
+      // For HTTP, we can be more aggressive with timeouts since connections are shorter
+      // But still don't close immediately - let the connection finish naturally
+      console.warn(`HTTP socket timeout from ${remoteAddress}`);
+    }, 'http');
     
     socket.on('error', (error) => {
       this.emit(ForwardingHandlerEvents.ERROR, {

ts/forwarding/handlers/https-passthrough-handler.ts

@@ -2,7 +2,7 @@ import * as plugins from '../../plugins.js';
 import { ForwardingHandler } from './base-handler.js';
 import type { IForwardConfig } from '../config/forwarding-types.js';
 import { ForwardingHandlerEvents } from '../config/forwarding-types.js';
-import { createSocketCleanupHandler, setupSocketHandlers, pipeSockets } from '../../core/utils/socket-utils.js';
+import { createIndependentSocketHandlers, setupSocketHandlers, createSocketWithErrorHandler } from '../../core/utils/socket-utils.js';
 
 /**
  * Handler for HTTPS passthrough (SNI forwarding without termination)
@@ -48,79 +48,122 @@ export class HttpsPassthroughHandler extends ForwardingHandler {
       target: `${target.host}:${target.port}`
     });
     
-    // Create a connection to the target server
-    const serverSocket = plugins.net.connect(target.port, target.host);
-    
     // Track data transfer for logging
     let bytesSent = 0;
     let bytesReceived = 0;
+    let serverSocket: plugins.net.Socket | null = null;
+    let cleanupClient: ((reason: string) => Promise<void>) | null = null;
+    let cleanupServer: ((reason: string) => Promise<void>) | null = null;
     
-    // Create cleanup handler with our utility
-    const handleClose = createSocketCleanupHandler(clientSocket, serverSocket, (reason) => {
-      this.emit(ForwardingHandlerEvents.DISCONNECTED, {
-        remoteAddress,
-        bytesSent,
-        bytesReceived,
-        reason
-      });
-    });
-    
-    // Setup error and close handlers for both sockets
-    setupSocketHandlers(serverSocket, handleClose, 'server');
-    setupSocketHandlers(clientSocket, handleClose, 'client');
-    
-    // Forward data from client to server
-    clientSocket.on('data', (data) => {
-      bytesSent += data.length;
-      
-      // Check if server socket is writable
-      if (serverSocket.writable) {
-        const flushed = serverSocket.write(data);
+    // Create a connection to the target server with immediate error handling
+    serverSocket = createSocketWithErrorHandler({
+      port: target.port,
+      host: target.host,
+      onError: async (error) => {
+        // Server connection failed - clean up client socket immediately
+        this.emit(ForwardingHandlerEvents.ERROR, {
+          error: error.message,
+          code: (error as any).code || 'UNKNOWN',
+          remoteAddress,
+          target: `${target.host}:${target.port}`
+        });
         
-        // Handle backpressure
-        if (!flushed) {
-          clientSocket.pause();
-          serverSocket.once('drain', () => {
-            clientSocket.resume();
-          });
+        // Clean up the client socket since we can't forward
+        if (!clientSocket.destroyed) {
+          clientSocket.destroy();
         }
-      }
-      
-      this.emit(ForwardingHandlerEvents.DATA_FORWARDED, {
-        direction: 'outbound',
-        bytes: data.length,
-        total: bytesSent
-      });
-    });
-    
-    // Forward data from server to client
-    serverSocket.on('data', (data) => {
-      bytesReceived += data.length;
-      
-      // Check if client socket is writable
-      if (clientSocket.writable) {
-        const flushed = clientSocket.write(data);
         
-        // Handle backpressure
-        if (!flushed) {
-          serverSocket.pause();
-          clientSocket.once('drain', () => {
-            serverSocket.resume();
+        this.emit(ForwardingHandlerEvents.DISCONNECTED, {
+          remoteAddress,
+          bytesSent: 0,
+          bytesReceived: 0,
+          reason: `server_connection_failed: ${error.message}`
+        });
+      },
+      onConnect: () => {
+        // Connection successful - set up forwarding handlers
+        const handlers = createIndependentSocketHandlers(
+          clientSocket,
+          serverSocket!,
+          (reason) => {
+            this.emit(ForwardingHandlerEvents.DISCONNECTED, {
+              remoteAddress,
+              bytesSent,
+              bytesReceived,
+              reason
+            });
+          }
+        );
+        
+        cleanupClient = handlers.cleanupClient;
+        cleanupServer = handlers.cleanupServer;
+        
+        // Setup handlers with custom timeout handling that doesn't close connections
+        const timeout = this.getTimeout();
+        
+        setupSocketHandlers(clientSocket, cleanupClient, (socket) => {
+          // Just reset timeout, don't close
+          socket.setTimeout(timeout);
+        }, 'client');
+        
+        setupSocketHandlers(serverSocket!, cleanupServer, (socket) => {
+          // Just reset timeout, don't close  
+          socket.setTimeout(timeout);
+        }, 'server');
+        
+        // Forward data from client to server
+        clientSocket.on('data', (data) => {
+          bytesSent += data.length;
+          
+          // Check if server socket is writable
+          if (serverSocket && serverSocket.writable) {
+            const flushed = serverSocket.write(data);
+            
+            // Handle backpressure
+            if (!flushed) {
+              clientSocket.pause();
+              serverSocket.once('drain', () => {
+                clientSocket.resume();
+              });
+            }
+          }
+          
+          this.emit(ForwardingHandlerEvents.DATA_FORWARDED, {
+            direction: 'outbound',
+            bytes: data.length,
+            total: bytesSent
           });
-        }
+        });
+        
+        // Forward data from server to client
+        serverSocket!.on('data', (data) => {
+          bytesReceived += data.length;
+          
+          // Check if client socket is writable
+          if (clientSocket.writable) {
+            const flushed = clientSocket.write(data);
+            
+            // Handle backpressure
+            if (!flushed) {
+              serverSocket!.pause();
+              clientSocket.once('drain', () => {
+                serverSocket!.resume();
+              });
+            }
+          }
+          
+          this.emit(ForwardingHandlerEvents.DATA_FORWARDED, {
+            direction: 'inbound',
+            bytes: data.length,
+            total: bytesReceived
+          });
+        });
+        
+        // Set initial timeouts - they will be reset on each timeout event  
+        clientSocket.setTimeout(timeout);
+        serverSocket!.setTimeout(timeout);
       }
-      
-      this.emit(ForwardingHandlerEvents.DATA_FORWARDED, {
-        direction: 'inbound',
-        bytes: data.length,
-        total: bytesReceived
-      });
     });
-    
-    // Set timeouts
-    const timeout = this.getTimeout();
-    clientSocket.setTimeout(timeout);
-    serverSocket.setTimeout(timeout);
   }
   
   /**
@@ -128,7 +171,7 @@ export class HttpsPassthroughHandler extends ForwardingHandler {
    * @param req The HTTP request
    * @param res The HTTP response
    */
-  public handleHttpRequest(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void {
+  public handleHttpRequest(_req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void {
     // HTTPS passthrough doesn't support HTTP requests
     res.writeHead(404, { 'Content-Type': 'text/plain' });
     res.end('HTTP not supported for this domain');

ts/forwarding/handlers/https-terminate-to-http-handler.ts

@@ -2,7 +2,7 @@ import * as plugins from '../../plugins.js';
 import { ForwardingHandler } from './base-handler.js';
 import type { IForwardConfig } from '../config/forwarding-types.js';
 import { ForwardingHandlerEvents } from '../config/forwarding-types.js';
-import { createSocketCleanupHandler, setupSocketHandlers } from '../../core/utils/socket-utils.js';
+import { setupSocketHandlers, createSocketWithErrorHandler, setupBidirectionalForwarding } from '../../core/utils/socket-utils.js';
 
 /**
  * Handler for HTTPS termination with HTTP backend
@@ -100,19 +100,30 @@ export class HttpsTerminateToHttpHandler extends ForwardingHandler {
     let backendSocket: plugins.net.Socket | null = null;
     let dataBuffer = Buffer.alloc(0);
     let connectionEstablished = false;
+    let forwardingSetup = false;
     
-    // Create cleanup handler for all sockets
-    const handleClose = createSocketCleanupHandler(tlsSocket, backendSocket, (reason) => {
-      this.emit(ForwardingHandlerEvents.DISCONNECTED, {
-        remoteAddress,
-        reason
-      });
-      dataBuffer = Buffer.alloc(0);
-      connectionEstablished = false;
-    });
+    // Set up initial error handling for TLS socket
+    const tlsCleanupHandler = (reason: string) => {
+      if (!forwardingSetup) {
+        // If forwarding not set up yet, emit disconnected and cleanup
+        this.emit(ForwardingHandlerEvents.DISCONNECTED, {
+          remoteAddress,
+          reason
+        });
+        dataBuffer = Buffer.alloc(0);
+        connectionEstablished = false;
+        
+        if (!tlsSocket.destroyed) {
+          tlsSocket.destroy();
+        }
+        if (backendSocket && !backendSocket.destroyed) {
+          backendSocket.destroy();
+        }
+      }
+      // If forwarding is setup, setupBidirectionalForwarding will handle cleanup
+    };
     
-    // Set up error handling with our cleanup utility
-    setupSocketHandlers(tlsSocket, handleClose, 'tls');
+    setupSocketHandlers(tlsSocket, tlsCleanupHandler, undefined, 'tls');
     
     // Set timeout
     const timeout = this.getTimeout();
@@ -123,7 +134,7 @@ export class HttpsTerminateToHttpHandler extends ForwardingHandler {
         remoteAddress,
         error: 'TLS connection timeout'
       });
-      handleClose('timeout');
+      tlsCleanupHandler('timeout');
     });
     
     // Handle TLS data
@@ -141,39 +152,64 @@ export class HttpsTerminateToHttpHandler extends ForwardingHandler {
       if (dataBuffer.includes(Buffer.from('\r\n\r\n')) && !connectionEstablished) {
         const target = this.getTargetFromConfig();
         
-        // Create backend connection
-        backendSocket = plugins.net.connect(target.port, target.host, () => {
-          connectionEstablished = true;
-          
-          // Send buffered data
-          if (dataBuffer.length > 0) {
-            backendSocket!.write(dataBuffer);
-            dataBuffer = Buffer.alloc(0);
+        // Create backend connection with immediate error handling
+        backendSocket = createSocketWithErrorHandler({
+          port: target.port,
+          host: target.host,
+          onError: (error) => {
+            this.emit(ForwardingHandlerEvents.ERROR, {
+              error: error.message,
+              code: (error as any).code || 'UNKNOWN',
+              remoteAddress,
+              target: `${target.host}:${target.port}`
+            });
+            
+            // Clean up the TLS socket since we can't forward
+            if (!tlsSocket.destroyed) {
+              tlsSocket.destroy();
+            }
+            
+            this.emit(ForwardingHandlerEvents.DISCONNECTED, {
+              remoteAddress,
+              reason: `backend_connection_failed: ${error.message}`
+            });
+          },
+          onConnect: () => {
+            connectionEstablished = true;
+            
+            // Send buffered data
+            if (dataBuffer.length > 0) {
+              backendSocket!.write(dataBuffer);
+              dataBuffer = Buffer.alloc(0);
+            }
+            
+            // Now set up bidirectional forwarding with proper cleanup
+            forwardingSetup = true;
+            setupBidirectionalForwarding(tlsSocket, backendSocket!, {
+              onCleanup: (reason) => {
+                this.emit(ForwardingHandlerEvents.DISCONNECTED, {
+                  remoteAddress,
+                  reason
+                });
+                dataBuffer = Buffer.alloc(0);
+                connectionEstablished = false;
+                forwardingSetup = false;
+              },
+              enableHalfOpen: false // Close both when one closes
+            });
           }
-          
-          // Set up bidirectional data flow
-          tlsSocket.pipe(backendSocket!);
-          backendSocket!.pipe(tlsSocket);
         });
         
-        // Update the cleanup handler with the backend socket
-        const newHandleClose = createSocketCleanupHandler(tlsSocket, backendSocket, (reason) => {
-          this.emit(ForwardingHandlerEvents.DISCONNECTED, {
-            remoteAddress,
-            reason
-          });
-          dataBuffer = Buffer.alloc(0);
-          connectionEstablished = false;
-        });
-        
-        // Set up handlers for backend socket
-        setupSocketHandlers(backendSocket, newHandleClose, 'backend');
-        
+        // Additional error logging for backend socket
         backendSocket.on('error', (error) => {
-          this.emit(ForwardingHandlerEvents.ERROR, {
-            remoteAddress,
-            error: `Target connection error: ${error.message}`
-          });
+          if (!connectionEstablished) {
+            // Connection failed during setup
+            this.emit(ForwardingHandlerEvents.ERROR, {
+              remoteAddress,
+              error: `Target connection error: ${error.message}`
+            });
+          }
+          // If connected, setupBidirectionalForwarding handles cleanup
         });
       }
     });

ts/forwarding/handlers/https-terminate-to-https-handler.ts

@@ -2,7 +2,7 @@ import * as plugins from '../../plugins.js';
 import { ForwardingHandler } from './base-handler.js';
 import type { IForwardConfig } from '../config/forwarding-types.js';
 import { ForwardingHandlerEvents } from '../config/forwarding-types.js';
-import { createSocketCleanupHandler, setupSocketHandlers } from '../../core/utils/socket-utils.js';
+import { setupSocketHandlers, createSocketWithErrorHandler, setupBidirectionalForwarding } from '../../core/utils/socket-utils.js';
 
 /**
  * Handler for HTTPS termination with HTTPS backend
@@ -96,17 +96,26 @@ export class HttpsTerminateToHttpsHandler extends ForwardingHandler {
     
     // Variable to track backend socket
     let backendSocket: plugins.tls.TLSSocket | null = null;
+    let isConnectedToBackend = false;
     
-    // Create cleanup handler for both sockets
-    const handleClose = createSocketCleanupHandler(tlsSocket, backendSocket, (reason) => {
-      this.emit(ForwardingHandlerEvents.DISCONNECTED, {
-        remoteAddress,
-        reason
-      });
-    });
+    // Set up initial error handling for TLS socket
+    const tlsCleanupHandler = (reason: string) => {
+      if (!isConnectedToBackend) {
+        // If backend not connected yet, just emit disconnected event
+        this.emit(ForwardingHandlerEvents.DISCONNECTED, {
+          remoteAddress,
+          reason
+        });
+        
+        // Cleanup TLS socket if needed
+        if (!tlsSocket.destroyed) {
+          tlsSocket.destroy();
+        }
+      }
+      // If connected to backend, setupBidirectionalForwarding will handle cleanup
+    };
     
-    // Set up error handling with our cleanup utility
-    setupSocketHandlers(tlsSocket, handleClose, 'tls');
+    setupSocketHandlers(tlsSocket, tlsCleanupHandler, undefined, 'tls');
     
     // Set timeout
     const timeout = this.getTimeout();
@@ -117,7 +126,7 @@ export class HttpsTerminateToHttpsHandler extends ForwardingHandler {
         remoteAddress,
         error: 'TLS connection timeout'
       });
-      handleClose('timeout');
+      tlsCleanupHandler('timeout');
     });
     
     // Get the target from configuration
@@ -131,44 +140,55 @@ export class HttpsTerminateToHttpsHandler extends ForwardingHandler {
         // In a real implementation, we would configure TLS options
         rejectUnauthorized: false // For testing only, never use in production
       }, () => {
+        isConnectedToBackend = true;
+        
         this.emit(ForwardingHandlerEvents.DATA_FORWARDED, {
           direction: 'outbound',
           target: `${target.host}:${target.port}`,
           tls: true
         });
         
-        // Set up bidirectional data flow
-        tlsSocket.pipe(backendSocket!);
-        backendSocket!.pipe(tlsSocket);
-      });
-      
-      // Update the cleanup handler with the backend socket
-      const newHandleClose = createSocketCleanupHandler(tlsSocket, backendSocket, (reason) => {
-        this.emit(ForwardingHandlerEvents.DISCONNECTED, {
-          remoteAddress,
-          reason
+        // Set up bidirectional forwarding with proper cleanup
+        setupBidirectionalForwarding(tlsSocket, backendSocket!, {
+          onCleanup: (reason) => {
+            this.emit(ForwardingHandlerEvents.DISCONNECTED, {
+              remoteAddress,
+              reason
+            });
+          },
+          enableHalfOpen: false // Close both when one closes
+        });
+        
+        // Set timeout for backend socket
+        backendSocket!.setTimeout(timeout);
+        
+        backendSocket!.on('timeout', () => {
+          this.emit(ForwardingHandlerEvents.ERROR, {
+            remoteAddress,
+            error: 'Backend connection timeout'
+          });
+          // Let setupBidirectionalForwarding handle the cleanup
         });
       });
       
-      // Set up handlers for backend socket
-      setupSocketHandlers(backendSocket, newHandleClose, 'backend');
-      
+      // Handle backend connection errors
       backendSocket.on('error', (error) => {
         this.emit(ForwardingHandlerEvents.ERROR, {
           remoteAddress,
           error: `Backend connection error: ${error.message}`
         });
-      });
-      
-      // Set timeout for backend socket
-      backendSocket.setTimeout(timeout);
-      
-      backendSocket.on('timeout', () => {
-        this.emit(ForwardingHandlerEvents.ERROR, {
-          remoteAddress,
-          error: 'Backend connection timeout'
-        });
-        newHandleClose('backend_timeout');
+        
+        if (!isConnectedToBackend) {
+          // Connection failed, clean up TLS socket
+          if (!tlsSocket.destroyed) {
+            tlsSocket.destroy();
+          }
+          this.emit(ForwardingHandlerEvents.DISCONNECTED, {
+            remoteAddress,
+            reason: `backend_connection_failed: ${error.message}`
+          });
+        }
+        // If connected, let setupBidirectionalForwarding handle cleanup
       });
     };
     

ts/index.ts

@@ -2,28 +2,18 @@
  * SmartProxy main module exports
  */
 
-// Legacy exports (to maintain backward compatibility)
-// Migrated to the new proxies structure
+// NFTables proxy exports
 export * from './proxies/nftables-proxy/index.js';
 
-// Export HttpProxy elements selectively to avoid RouteManager ambiguity
+// Export HttpProxy elements
 export { HttpProxy, CertificateManager, ConnectionPool, RequestHandler, WebSocketHandler } from './proxies/http-proxy/index.js';
 export type { IMetricsTracker, MetricsTracker } from './proxies/http-proxy/index.js';
-// Export models except IAcmeOptions to avoid conflict
 export type { IHttpProxyOptions, ICertificateEntry, ILogger } from './proxies/http-proxy/models/types.js';
-export { RouteManager as HttpProxyRouteManager } from './proxies/http-proxy/models/types.js';
-
-// Backward compatibility exports (deprecated)
-export { HttpProxy as NetworkProxy } from './proxies/http-proxy/index.js';
-export type { IHttpProxyOptions as INetworkProxyOptions } from './proxies/http-proxy/models/types.js';
-export { HttpProxyBridge as NetworkProxyBridge } from './proxies/smart-proxy/index.js';
-
-// Certificate and Port80 modules have been removed - use SmartCertManager instead
-// Redirect module has been removed - use route-based redirects instead
+export { SharedRouteManager as HttpProxyRouteManager } from './core/routing/route-manager.js';
 
 // Export SmartProxy elements selectively to avoid RouteManager ambiguity
 export { SmartProxy, ConnectionManager, SecurityManager, TimeoutManager, TlsManager, HttpProxyBridge, RouteConnectionHandler, SmartCertManager } from './proxies/smart-proxy/index.js';
-export { RouteManager } from './proxies/smart-proxy/route-manager.js';
+export { SharedRouteManager as RouteManager } from './core/routing/route-manager.js';
 // Export smart-proxy models
 export type { ISmartProxyOptions, IConnectionRecord, IRouteConfig, IRouteMatch, IRouteAction, IRouteTls, IRouteContext } from './proxies/smart-proxy/models/index.js';
 export type { TSmartProxyCertProvisionObject } from './proxies/smart-proxy/models/interfaces.js';

ts/plugins.ts

@@ -30,6 +30,7 @@ import * as smartacmeHandlers from '@push.rocks/smartacme/dist_ts/handlers/index
 import * as smartlog from '@push.rocks/smartlog';
 import * as smartlogDestinationLocal from '@push.rocks/smartlog/destination-local';
 import * as taskbuffer from '@push.rocks/taskbuffer';
+import * as smartrx from '@push.rocks/smartrx';
 
 export {
   lik,
@@ -45,6 +46,7 @@ export {
   smartlog,
   smartlogDestinationLocal,
   taskbuffer,
+  smartrx,
 };
 
 // third party scope

ts/proxies/http-proxy/connection-pool.ts

@@ -134,7 +134,7 @@ export class ConnectionPool {
         if ((connection.isIdle && now - connection.lastUsed > idleTimeout) ||
             connections.length > (this.options.connectionPoolSize || 50)) {
           
-          cleanupSocket(connection.socket, `pool-${host}-idle`);
+          cleanupSocket(connection.socket, `pool-${host}-idle`, { immediate: true }).catch(() => {});
           
           connections.shift(); // Remove from pool
           removed++;
@@ -164,7 +164,7 @@ export class ConnectionPool {
       this.logger.debug(`Closing ${connections.length} connections to ${host}`);
       
       for (const connection of connections) {
-        cleanupSocket(connection.socket, `pool-${host}-close`);
+        cleanupSocket(connection.socket, `pool-${host}-close`, { immediate: true }).catch(() => {});
       }
     }
     

ts/proxies/http-proxy/function-cache.ts

@@ -30,6 +30,9 @@ export class FunctionCache {
   // Logger
   private logger: ILogger;
   
+  // Cleanup interval timer
+  private cleanupInterval: NodeJS.Timeout | null = null;
+  
   /**
    * Creates a new function cache
    * 
@@ -48,7 +51,12 @@ export class FunctionCache {
     this.defaultTtl = options.defaultTtl || 5000; // 5 seconds default
     
     // Start the cache cleanup timer
-    setInterval(() => this.cleanupCache(), 30000); // Cleanup every 30 seconds
+    this.cleanupInterval = setInterval(() => this.cleanupCache(), 30000); // Cleanup every 30 seconds
+    
+    // Make sure the interval doesn't keep the process alive
+    if (this.cleanupInterval.unref) {
+      this.cleanupInterval.unref();
+    }
   }
   
   /**
@@ -256,4 +264,16 @@ export class FunctionCache {
     this.portCache.clear();
     this.logger.info('Function cache cleared');
   }
+  
+  /**
+   * Destroy the cache and cleanup resources
+   */
+  public destroy(): void {
+    if (this.cleanupInterval) {
+      clearInterval(this.cleanupInterval);
+      this.cleanupInterval = null;
+    }
+    this.clearCache();
+    this.logger.debug('Function cache destroyed');
+  }
 }

ts/proxies/http-proxy/http-proxy.ts

@@ -1,13 +1,11 @@
 import * as plugins from '../../plugins.js';
 import {
   createLogger,
-  RouteManager,
-  convertLegacyConfigToRouteConfig
 } from './models/types.js';
+import { SharedRouteManager as RouteManager } from '../../core/routing/route-manager.js';
 import type {
   IHttpProxyOptions,
-  ILogger,
-  IReverseProxyConfig
+  ILogger
 } from './models/types.js';
 import type { IRouteConfig } from '../smart-proxy/models/route-types.js';
 import type { IRouteContext, IHttpRouteContext } from '../../core/models/route-context.js';
@@ -16,8 +14,7 @@ import { CertificateManager } from './certificate-manager.js';
 import { ConnectionPool } from './connection-pool.js';
 import { RequestHandler, type IMetricsTracker } from './request-handler.js';
 import { WebSocketHandler } from './websocket-handler.js';
-import { ProxyRouter } from '../../routing/router/index.js';
-import { RouteRouter } from '../../routing/router/route-router.js';
+import { HttpRouter } from '../../routing/router/index.js';
 import { cleanupSocket } from '../../core/utils/socket-utils.js';
 import { FunctionCache } from './function-cache.js';
 
@@ -43,8 +40,7 @@ export class HttpProxy implements IMetricsTracker {
   private connectionPool: ConnectionPool;
   private requestHandler: RequestHandler;
   private webSocketHandler: WebSocketHandler;
-  private legacyRouter = new ProxyRouter(); // Legacy router for backward compatibility
-  private router = new RouteRouter(); // New modern router
+  private router = new HttpRouter(); // Unified HTTP router
   private routeManager: RouteManager;
   private functionCache: FunctionCache;
   
@@ -87,7 +83,6 @@ export class HttpProxy implements IMetricsTracker {
       // Defaults for SmartProxy integration
       connectionPoolSize: optionsArg.connectionPoolSize || 50,
       portProxyIntegration: optionsArg.portProxyIntegration || false,
-      useExternalPort80Handler: optionsArg.useExternalPort80Handler || false,
       // Backend protocol (http1 or http2)
       backendProtocol: optionsArg.backendProtocol || 'http1',
       // Default ACME options
@@ -107,7 +102,11 @@ export class HttpProxy implements IMetricsTracker {
     this.logger = createLogger(this.options.logLevel);
 
     // Initialize route manager
-    this.routeManager = new RouteManager(this.logger);
+    this.routeManager = new RouteManager({
+      logger: this.logger,
+      enableDetailedLogging: this.options.logLevel === 'debug',
+      routes: []
+    });
 
     // Initialize function cache
     this.functionCache = new FunctionCache(this.logger, {
@@ -121,15 +120,13 @@ export class HttpProxy implements IMetricsTracker {
     this.requestHandler = new RequestHandler(
       this.options,
       this.connectionPool,
-      this.legacyRouter, // Still use legacy router for backward compatibility
       this.routeManager,
       this.functionCache,
-      this.router // Pass the new modern router as well
+      this.router
     );
     this.webSocketHandler = new WebSocketHandler(
       this.options,
       this.connectionPool,
-      this.legacyRouter,
       this.routes // Pass current routes to WebSocketHandler
     );
 
@@ -429,65 +426,13 @@ export class HttpProxy implements IMetricsTracker {
       }
     }
 
-    // Create legacy proxy configs for the router
-    // This is only needed for backward compatibility with ProxyRouter
-    
-    const defaultPort = 443; // Default port for HTTPS when using 'preserve'
-    // and will be removed in the future
-    const legacyConfigs: IReverseProxyConfig[] = [];
-
-    for (const domain of currentHostnames) {
-      // Find route for this domain
-      const route = routes.find(r => {
-        const domains = Array.isArray(r.match.domains) ? r.match.domains : [r.match.domains];
-        return domains.includes(domain);
-      });
-
-      if (!route || route.action.type !== 'forward' || !route.action.target) {
-        continue;
-      }
-
-      // Skip routes with function-based targets - we'll handle them during request processing
-      if (typeof route.action.target.host === 'function' || typeof route.action.target.port === 'function') {
-        this.logger.info(`Domain ${domain} uses function-based targets - will be handled at request time`);
-        continue;
-      }
-
-      // Extract static target information
-      const targetHosts = Array.isArray(route.action.target.host)
-        ? route.action.target.host
-        : [route.action.target.host];
-
-      // Handle 'preserve' port value
-      const targetPort = route.action.target.port === 'preserve' ? defaultPort : route.action.target.port;
-
-      // Get certificate information
-      const certData = certificateUpdates.get(domain);
-      const defaultCerts = this.certificateManager.getDefaultCertificates();
-
-      legacyConfigs.push({
-        hostName: domain,
-        destinationIps: targetHosts,
-        destinationPorts: [targetPort],
-        privateKey: certData?.key || defaultCerts.key,
-        publicKey: certData?.cert || defaultCerts.cert
-      });
-    }
-
-    // Update the router with legacy configs
-    // Handle both old and new router interfaces
-    if (typeof this.router.setRoutes === 'function') {
-      this.router.setRoutes(routes);
-    } else if (typeof this.router.setNewProxyConfigs === 'function') {
-      this.router.setNewProxyConfigs(legacyConfigs);
-    } else {
-      this.logger.warn('Router has no recognized configuration method');
-    }
+    // Update the router with new routes
+    this.router.setRoutes(routes);
 
     // Update WebSocket handler with new routes
     this.webSocketHandler.setRoutes(routes);
 
-    this.logger.info(`Route configuration updated with ${routes.length} routes and ${legacyConfigs.length} proxy configs`);
+    this.logger.info(`Route configuration updated with ${routes.length} routes`);
   }
 
   // Legacy methods have been removed.
@@ -519,11 +464,17 @@ export class HttpProxy implements IMetricsTracker {
     // Stop WebSocket handler
     this.webSocketHandler.shutdown();
     
-    // Close all tracked sockets
-    for (const socket of this.socketMap.getArray()) {
-      cleanupSocket(socket, 'http-proxy-stop');
+    // Destroy request handler (cleans up intervals and caches)
+    if (this.requestHandler && typeof this.requestHandler.destroy === 'function') {
+      this.requestHandler.destroy();
     }
     
+    // Close all tracked sockets
+    const socketCleanupPromises = this.socketMap.getArray().map(socket => 
+      cleanupSocket(socket, 'http-proxy-stop', { immediate: true })
+    );
+    await Promise.all(socketCleanupPromises);
+    
     // Close all connection pool connections
     this.connectionPool.closeAllConnections();
     

ts/proxies/http-proxy/models/types.ts

@@ -13,7 +13,6 @@ export interface IAcmeOptions {
   skipConfiguredCerts?: boolean;
 }
 import type { IRouteConfig } from '../../smart-proxy/models/route-types.js';
-import type { IRouteContext } from '../../../core/models/route-context.js';
 
 /**
  * Configuration options for HttpProxy
@@ -34,7 +33,6 @@ export interface IHttpProxyOptions {
   // Settings for SmartProxy integration
   connectionPoolSize?: number; // Maximum connections to maintain in the pool to each backend
   portProxyIntegration?: boolean; // Flag to indicate this proxy is used by SmartProxy
-  useExternalPort80Handler?: boolean; // @deprecated - use SmartCertManager instead
   // Protocol to use when proxying to backends: HTTP/1.x or HTTP/2
   backendProtocol?: 'http1' | 'http2';
 
@@ -58,329 +56,7 @@ export interface ICertificateEntry {
   expires?: Date;
 }
 
-/**
- * @deprecated Use IRouteConfig instead. This interface will be removed in a future release.
- *
- * IMPORTANT: This is a legacy interface maintained only for backward compatibility.
- * New code should use IRouteConfig for all configuration purposes.
- *
- * @see IRouteConfig for the modern, recommended configuration format
- */
-export interface IReverseProxyConfig {
-  /** Target hostnames/IPs to proxy requests to */
-  destinationIps: string[];
 
-  /** Target ports to proxy requests to */
-  destinationPorts: number[];
-
-  /** Hostname to match for routing */
-  hostName: string;
-
-  /** SSL private key for this host (PEM format) */
-  privateKey: string;
-
-  /** SSL public key/certificate for this host (PEM format) */
-  publicKey: string;
-
-  /** Basic authentication configuration */
-  authentication?: {
-    type: 'Basic';
-    user: string;
-    pass: string;
-  };
-
-  /** Whether to rewrite the Host header to match the target */
-  rewriteHostHeader?: boolean;
-
-  /**
-   * Protocol to use when proxying to this backend: 'http1' or 'http2'.
-   * Overrides the global backendProtocol option if set.
-   */
-  backendProtocol?: 'http1' | 'http2';
-}
-
-/**
- * Convert a legacy IReverseProxyConfig to the modern IRouteConfig format
- *
- * @deprecated This function is maintained for backward compatibility.
- * New code should create IRouteConfig objects directly.
- *
- * @param legacyConfig The legacy configuration to convert
- * @param proxyPort The port the proxy listens on
- * @returns A modern route configuration equivalent to the legacy config
- */
-export function convertLegacyConfigToRouteConfig(
-  legacyConfig: IReverseProxyConfig,
-  proxyPort: number
-): IRouteConfig {
-  // Create basic route configuration
-  const routeConfig: IRouteConfig = {
-    // Match properties
-    match: {
-      ports: proxyPort,
-      domains: legacyConfig.hostName
-    },
-
-    // Action properties
-    action: {
-      type: 'forward',
-      target: {
-        host: legacyConfig.destinationIps,
-        port: legacyConfig.destinationPorts[0]
-      },
-
-      // TLS mode is always 'terminate' for legacy configs
-      tls: {
-        mode: 'terminate',
-        certificate: {
-          key: legacyConfig.privateKey,
-          cert: legacyConfig.publicKey
-        }
-      },
-
-      // Advanced options
-      advanced: {
-        // Rewrite host header if specified
-        headers: legacyConfig.rewriteHostHeader ? { 'host': '{domain}' } : {}
-      }
-    },
-
-    // Metadata
-    name: `Legacy Config - ${legacyConfig.hostName}`,
-    priority: 0, // Default priority
-    enabled: true
-  };
-
-  // Add authentication if present
-  if (legacyConfig.authentication) {
-    routeConfig.security = {
-      authentication: {
-        type: 'basic',
-        credentials: [{
-          username: legacyConfig.authentication.user,
-          password: legacyConfig.authentication.pass
-        }]
-      }
-    };
-  }
-
-  // Add backend protocol if specified
-  if (legacyConfig.backendProtocol) {
-    if (!routeConfig.action.options) {
-      routeConfig.action.options = {};
-    }
-    routeConfig.action.options.backendProtocol = legacyConfig.backendProtocol;
-  }
-
-  return routeConfig;
-}
-
-/**
- * Route manager for NetworkProxy
- * Handles route matching and configuration
- */
-export class RouteManager {
-  private routes: IRouteConfig[] = [];
-  private logger: ILogger;
-
-  constructor(logger: ILogger) {
-    this.logger = logger;
-  }
-
-  /**
-   * Update the routes configuration
-   */
-  public updateRoutes(routes: IRouteConfig[]): void {
-    // Sort routes by priority (higher first)
-    this.routes = [...routes].sort((a, b) => {
-      const priorityA = a.priority ?? 0;
-      const priorityB = b.priority ?? 0;
-      return priorityB - priorityA;
-    });
-
-    this.logger.info(`Updated RouteManager with ${this.routes.length} routes`);
-  }
-
-  /**
-   * Get all routes
-   */
-  public getRoutes(): IRouteConfig[] {
-    return [...this.routes];
-  }
-
-  /**
-   * Find the first matching route for a context
-   */
-  public findMatchingRoute(context: IRouteContext): IRouteConfig | null {
-    for (const route of this.routes) {
-      if (this.matchesRoute(route, context)) {
-        return route;
-      }
-    }
-    return null;
-  }
-
-  /**
-   * Check if a route matches the given context
-   */
-  private matchesRoute(route: IRouteConfig, context: IRouteContext): boolean {
-    // Skip disabled routes
-    if (route.enabled === false) {
-      return false;
-    }
-
-    // Check domain match if specified
-    if (route.match.domains && context.domain) {
-      const domains = Array.isArray(route.match.domains)
-        ? route.match.domains
-        : [route.match.domains];
-
-      if (!domains.some(domainPattern => this.matchDomain(domainPattern, context.domain!))) {
-        return false;
-      }
-    }
-
-    // Check path match if specified
-    if (route.match.path && context.path) {
-      if (!this.matchPath(route.match.path, context.path)) {
-        return false;
-      }
-    }
-
-    // Check client IP match if specified
-    if (route.match.clientIp && context.clientIp) {
-      if (!route.match.clientIp.some(ip => this.matchIp(ip, context.clientIp))) {
-        return false;
-      }
-    }
-
-    // Check TLS version match if specified
-    if (route.match.tlsVersion && context.tlsVersion) {
-      if (!route.match.tlsVersion.includes(context.tlsVersion)) {
-        return false;
-      }
-    }
-
-    // All criteria matched
-    return true;
-  }
-
-  /**
-   * Match a domain pattern against a domain
-   */
-  private matchDomain(pattern: string, domain: string): boolean {
-    if (pattern === domain) {
-      return true;
-    }
-
-    if (pattern.includes('*')) {
-      const regexPattern = pattern
-        .replace(/\./g, '\\.')
-        .replace(/\*/g, '.*');
-
-      const regex = new RegExp(`^${regexPattern}$`, 'i');
-      return regex.test(domain);
-    }
-
-    return false;
-  }
-
-  /**
-   * Match a path pattern against a path
-   */
-  private matchPath(pattern: string, path: string): boolean {
-    if (pattern === path) {
-      return true;
-    }
-
-    if (pattern.endsWith('*')) {
-      const prefix = pattern.slice(0, -1);
-      return path.startsWith(prefix);
-    }
-
-    return false;
-  }
-
-  /**
-   * Match an IP pattern against an IP
-   * Supports exact matches, wildcard patterns, and CIDR notation
-   */
-  private matchIp(pattern: string, ip: string): boolean {
-    // Exact match
-    if (pattern === ip) {
-      return true;
-    }
-
-    // Wildcard matching (e.g., 192.168.0.*)
-    if (pattern.includes('*')) {
-      const regexPattern = pattern
-        .replace(/\./g, '\\.')
-        .replace(/\*/g, '.*');
-
-      const regex = new RegExp(`^${regexPattern}$`);
-      return regex.test(ip);
-    }
-
-    // CIDR matching (e.g., 192.168.0.0/24)
-    if (pattern.includes('/')) {
-      try {
-        const [subnet, bits] = pattern.split('/');
-        
-        // Convert IP addresses to numeric format for comparison
-        const ipBinary = this.ipToBinary(ip);
-        const subnetBinary = this.ipToBinary(subnet);
-        
-        if (!ipBinary || !subnetBinary) {
-          return false;
-        }
-        
-        // Get the subnet mask from CIDR notation
-        const mask = parseInt(bits, 10);
-        if (isNaN(mask) || mask < 0 || mask > 32) {
-          return false;
-        }
-        
-        // Check if the first 'mask' bits match between IP and subnet
-        return ipBinary.slice(0, mask) === subnetBinary.slice(0, mask);
-      } catch (error) {
-        // If we encounter any error during CIDR matching, return false
-        return false;
-      }
-    }
-
-    return false;
-  }
-  
-  /**
-   * Convert an IP address to its binary representation
-   * @param ip The IP address to convert
-   * @returns Binary string representation or null if invalid
-   */
-  private ipToBinary(ip: string): string | null {
-    // Handle IPv4 addresses only for now
-    const parts = ip.split('.');
-    
-    // Validate IP format
-    if (parts.length !== 4) {
-      return null;
-    }
-    
-    // Convert each octet to 8-bit binary and concatenate
-    try {
-      return parts
-        .map(part => {
-          const num = parseInt(part, 10);
-          if (isNaN(num) || num < 0 || num > 255) {
-            throw new Error('Invalid IP octet');
-          }
-          return num.toString(2).padStart(8, '0');
-        })
-        .join('');
-    } catch (error) {
-      return null;
-    }
-  }
-}
 
 /**
  * Interface for connection tracking in the pool

ts/proxies/http-proxy/request-handler.ts

@@ -4,11 +4,9 @@ import {
   type IHttpProxyOptions,
   type ILogger,
   createLogger,
-  type IReverseProxyConfig,
-  RouteManager
 } from './models/types.js';
+import { SharedRouteManager as RouteManager } from '../../core/routing/route-manager.js';
 import { ConnectionPool } from './connection-pool.js';
-import { ProxyRouter } from '../../routing/router/index.js';
 import { ContextCreator } from './context-creator.js';
 import { HttpRequestHandler } from './http-request-handler.js';
 import { Http2RequestHandler } from './http2-request-handler.js';
@@ -44,22 +42,29 @@ export class RequestHandler {
 
   // Security manager for IP filtering, rate limiting, etc.
   public securityManager: SecurityManager;
+  
+  // Rate limit cleanup interval
+  private rateLimitCleanupInterval: NodeJS.Timeout | null = null;
 
   constructor(
     private options: IHttpProxyOptions,
     private connectionPool: ConnectionPool,
-    private legacyRouter: ProxyRouter, // Legacy router for backward compatibility
     private routeManager?: RouteManager,
     private functionCache?: any, // FunctionCache - using any to avoid circular dependency
-    private router?: any // RouteRouter - using any to avoid circular dependency
+    private router?: any // HttpRouter - using any to avoid circular dependency
   ) {
     this.logger = createLogger(options.logLevel || 'info');
     this.securityManager = new SecurityManager(this.logger);
 
     // Schedule rate limit cleanup every minute
-    setInterval(() => {
+    this.rateLimitCleanupInterval = setInterval(() => {
       this.securityManager.cleanupExpiredRateLimits();
     }, 60000);
+    
+    // Make sure the interval doesn't keep the process alive
+    if (this.rateLimitCleanupInterval.unref) {
+      this.rateLimitCleanupInterval.unref();
+    }
   }
 
   /**
@@ -373,7 +378,8 @@ export class RequestHandler {
           tlsVersion: req.socket.getTLSVersion?.() || undefined
         });
 
-        matchingRoute = this.routeManager.findMatchingRoute(toBaseContext(routeContext));
+        const matchResult = this.routeManager.findMatchingRoute(toBaseContext(routeContext));
+        matchingRoute = matchResult?.route || null;
       } catch (err) {
         this.logger.error('Error finding matching route', err);
       }
@@ -581,86 +587,11 @@ export class RequestHandler {
       }
     }
 
-    // Try modern router first, then fall back to legacy routing if needed
-    if (this.router) {
-      try {
-        // Try to find a matching route using the modern router
-        const route = this.router.routeReq(req);
-        if (route && route.action.type === 'forward' && route.action.target) {
-          // Handle this route similarly to RouteManager logic
-          this.logger.debug(`Found matching route via modern router: ${route.name || 'unnamed'}`);
-
-          // No need to do anything here, we'll continue with legacy routing
-          // The routeManager would have already found this route if applicable
-        }
-      } catch (err) {
-        this.logger.error('Error using modern router', err);
-        // Continue with legacy routing
-      }
-    }
-
-    // Fall back to legacy routing if no matching route found via RouteManager
-    let proxyConfig: IReverseProxyConfig | undefined;
-    try {
-      proxyConfig = this.legacyRouter.routeReq(req);
-    } catch (err) {
-      this.logger.error('Error routing request with legacy router', err);
-      res.statusCode = 500;
-      res.end('Internal Server Error');
-      if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
-      return;
-    }
-    if (!proxyConfig) {
-      this.logger.warn(`No proxy configuration for host: ${req.headers.host}`);
-      res.statusCode = 404;
-      res.end('Not Found: No proxy configuration for this host');
-      if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
-      return;
-    }
-    // Determine protocol to backend (per-domain override or global)
-    const backendProto = proxyConfig.backendProtocol || this.options.backendProtocol;
-    if (backendProto === 'http2') {
-      const destination = this.connectionPool.getNextTarget(
-        proxyConfig.destinationIps,
-        proxyConfig.destinationPorts[0]
-      );
-      const key = `${destination.host}:${destination.port}`;
-      let session = this.h2Sessions.get(key);
-      if (!session || session.closed || (session as any).destroyed) {
-        session = plugins.http2.connect(`http://${destination.host}:${destination.port}`);
-        this.h2Sessions.set(key, session);
-        session.on('error', () => this.h2Sessions.delete(key));
-        session.on('close', () => this.h2Sessions.delete(key));
-      }
-      // Build headers for HTTP/2 request
-      const hdrs: Record<string, any> = {
-        ':method': req.method,
-        ':path': req.url,
-        ':authority': `${destination.host}:${destination.port}`
-      };
-      for (const [hk, hv] of Object.entries(req.headers)) {
-        if (typeof hv === 'string') hdrs[hk] = hv;
-      }
-      const h2Stream = session.request(hdrs);
-      req.pipe(h2Stream);
-      h2Stream.on('response', (hdrs2: any) => {
-        const status = (hdrs2[':status'] as number) || 502;
-        res.statusCode = status;
-        // Copy headers from HTTP/2 response to HTTP/1 response
-        for (const [hk, hv] of Object.entries(hdrs2)) {
-          if (!hk.startsWith(':') && hv != null) {
-            res.setHeader(hk, hv as string | string[]);
-          }
-        }
-        h2Stream.pipe(res);
-      });
-      h2Stream.on('error', (err) => {
-        res.statusCode = 502;
-        res.end(`Bad Gateway: ${err.message}`);
-        if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
-      });
-      return;
-    }
+    // If no route was found, return 404
+    this.logger.warn(`No route configuration for host: ${req.headers.host}`);
+    res.statusCode = 404;
+    res.end('Not Found: No route configuration for this host');
+    if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
   }
 
   /**
@@ -688,7 +619,8 @@ export class RequestHandler {
     let matchingRoute: IRouteConfig | null = null;
     if (this.routeManager) {
       try {
-        matchingRoute = this.routeManager.findMatchingRoute(toBaseContext(routeContext));
+        const matchResult = this.routeManager.findMatchingRoute(toBaseContext(routeContext));
+        matchingRoute = matchResult?.route || null;
       } catch (err) {
         this.logger.error('Error finding matching route for HTTP/2 request', err);
       }
@@ -812,104 +744,32 @@ export class RequestHandler {
     const method = headers[':method'] || 'GET';
     const path = headers[':path'] || '/';
 
-    // If configured to proxy to backends over HTTP/2, use HTTP/2 client sessions
-    if (this.options.backendProtocol === 'http2') {
-      const authority = headers[':authority'] as string || '';
-      const host = authority.split(':')[0];
-      const fakeReq: any = {
-        headers: { host },
-        method: headers[':method'],
-        url: headers[':path'],
-        socket: (stream.session as any).socket
-      };
-      // Try modern router first if available
-      let route;
-      if (this.router) {
-        try {
-          route = this.router.routeReq(fakeReq);
-          if (route && route.action.type === 'forward' && route.action.target) {
-            this.logger.debug(`Found matching HTTP/2 route via modern router: ${route.name || 'unnamed'}`);
-            // The routeManager would have already found this route if applicable
-          }
-        } catch (err) {
-          this.logger.error('Error using modern router for HTTP/2', err);
-        }
-      }
-
-      // Fall back to legacy routing
-      const proxyConfig = this.legacyRouter.routeReq(fakeReq);
-      if (!proxyConfig) {
-        stream.respond({ ':status': 404 });
-        stream.end('Not Found');
-        if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
-        return;
-      }
-      const destination = this.connectionPool.getNextTarget(proxyConfig.destinationIps, proxyConfig.destinationPorts[0]);
-
-      // Use the helper for HTTP/2 to HTTP/2 routing
-      return Http2RequestHandler.handleHttp2WithHttp2Destination(
-        stream,
-        headers,
-        destination,
-        routeContext,
-        this.h2Sessions,
-        this.logger,
-        this.metricsTracker
-      );
+    // No route was found
+    stream.respond({ ':status': 404 });
+    stream.end('Not Found: No route configuration for this request');
+    if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
+  }
+  
+  /**
+   * Cleanup resources and stop intervals
+   */
+  public destroy(): void {
+    if (this.rateLimitCleanupInterval) {
+      clearInterval(this.rateLimitCleanupInterval);
+      this.rateLimitCleanupInterval = null;
     }
-
-    try {
-      // Determine host for routing
-      const authority = headers[':authority'] as string || '';
-      const host = authority.split(':')[0];
-      // Fake request object for routing
-      const fakeReq: any = {
-        headers: { host },
-        method,
-        url: path,
-        socket: (stream.session as any).socket
-      };
-      // Try modern router first if available
-      if (this.router) {
-        try {
-          const route = this.router.routeReq(fakeReq);
-          if (route && route.action.type === 'forward' && route.action.target) {
-            this.logger.debug(`Found matching HTTP/2 route via modern router: ${route.name || 'unnamed'}`);
-            // The routeManager would have already found this route if applicable
-          }
-        } catch (err) {
-          this.logger.error('Error using modern router for HTTP/2', err);
-        }
-      }
-
-      // Fall back to legacy routing
-      const proxyConfig = this.legacyRouter.routeReq(fakeReq as any);
-      if (!proxyConfig) {
-        stream.respond({ ':status': 404 });
-        stream.end('Not Found');
-        if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
-        return;
-      }
-
-      // Select backend target
-      const destination = this.connectionPool.getNextTarget(
-        proxyConfig.destinationIps,
-        proxyConfig.destinationPorts[0]
-      );
-
-      // Use the helper for HTTP/2 to HTTP/1 routing
-      return Http2RequestHandler.handleHttp2WithHttp1Destination(
-        stream,
-        headers,
-        destination,
-        routeContext,
-        this.logger,
-        this.metricsTracker
-      );
-    } catch (err: any) {
-      stream.respond({ ':status': 500 });
-      stream.end('Internal Server Error');
-      if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
+    
+    // Close all HTTP/2 sessions
+    for (const [key, session] of this.h2Sessions) {
+      session.close();
     }
+    this.h2Sessions.clear();
+    
+    // Clear function cache if it has a destroy method
+    if (this.functionCache && typeof this.functionCache.destroy === 'function') {
+      this.functionCache.destroy();
+    }
+    
+    this.logger.debug('RequestHandler destroyed');
   }
 }

ts/proxies/http-proxy/websocket-handler.ts

@@ -1,8 +1,8 @@
 import * as plugins from '../../plugins.js';
 import '../../core/models/socket-augmentation.js';
-import { type IHttpProxyOptions, type IWebSocketWithHeartbeat, type ILogger, createLogger, type IReverseProxyConfig } from './models/types.js';
+import { type IHttpProxyOptions, type IWebSocketWithHeartbeat, type ILogger, createLogger } from './models/types.js';
 import { ConnectionPool } from './connection-pool.js';
-import { ProxyRouter, RouteRouter } from '../../routing/router/index.js';
+import { HttpRouter } from '../../routing/router/index.js';
 import type { IRouteConfig } from '../smart-proxy/models/route-types.js';
 import type { IRouteContext } from '../../core/models/route-context.js';
 import { toBaseContext } from '../../core/models/route-context.js';
@@ -19,21 +19,20 @@ export class WebSocketHandler {
   private wsServer: plugins.ws.WebSocketServer | null = null;
   private logger: ILogger;
   private contextCreator: ContextCreator = new ContextCreator();
-  private routeRouter: RouteRouter | null = null;
+  private router: HttpRouter | null = null;
   private securityManager: SecurityManager;
 
   constructor(
     private options: IHttpProxyOptions,
     private connectionPool: ConnectionPool,
-    private legacyRouter: ProxyRouter, // Legacy router for backward compatibility
-    private routes: IRouteConfig[] = [] // Routes for modern router
+    private routes: IRouteConfig[] = []
   ) {
     this.logger = createLogger(options.logLevel || 'info');
     this.securityManager = new SecurityManager(this.logger, routes);
 
-    // Initialize modern router if we have routes
+    // Initialize router if we have routes
     if (routes.length > 0) {
-      this.routeRouter = new RouteRouter(routes, this.logger);
+      this.router = new HttpRouter(routes, this.logger);
     }
   }
 
@@ -44,10 +43,10 @@ export class WebSocketHandler {
     this.routes = routes;
 
     // Initialize or update the route router
-    if (!this.routeRouter) {
-      this.routeRouter = new RouteRouter(routes, this.logger);
+    if (!this.router) {
+      this.router = new HttpRouter(routes, this.logger);
     } else {
-      this.routeRouter.setRoutes(routes);
+      this.router.setRoutes(routes);
     }
 
     // Update the security manager
@@ -139,8 +138,8 @@ export class WebSocketHandler {
 
       // Try modern router first if available
       let route: IRouteConfig | undefined;
-      if (this.routeRouter) {
-        route = this.routeRouter.routeReq(req);
+      if (this.router) {
+        route = this.router.routeReq(req);
       }
 
       // Define destination variables
@@ -227,20 +226,10 @@ export class WebSocketHandler {
           return;
         }
       } else {
-        // Fall back to legacy routing if no matching route found via modern router
-        const proxyConfig = this.legacyRouter.routeReq(req);
-
-        if (!proxyConfig) {
-          this.logger.warn(`No proxy configuration for WebSocket host: ${req.headers.host}`);
-          wsIncoming.close(1008, 'No proxy configuration for this host');
-          return;
-        }
-
-        // Get destination target using round-robin if multiple targets
-        destination = this.connectionPool.getNextTarget(
-          proxyConfig.destinationIps,
-          proxyConfig.destinationPorts[0]
-        );
+        // No route found
+        this.logger.warn(`No route configuration for WebSocket host: ${req.headers.host}`);
+        wsIncoming.close(1008, 'No route configuration for this host');
+        return;
       }
       
       // Build target URL with potential path rewriting

ts/proxies/index.ts

@@ -7,11 +7,12 @@ export { HttpProxy, CertificateManager, ConnectionPool, RequestHandler, WebSocke
 export type { IMetricsTracker, MetricsTracker } from './http-proxy/index.js';
 // Export http-proxy models except IAcmeOptions
 export type { IHttpProxyOptions, ICertificateEntry, ILogger } from './http-proxy/models/types.js';
-export { RouteManager as HttpProxyRouteManager } from './http-proxy/models/types.js';
+// RouteManager has been unified - use SharedRouteManager from core/routing
+export { SharedRouteManager as HttpProxyRouteManager } from '../core/routing/route-manager.js';
 
 // Export SmartProxy with selective imports to avoid conflicts
 export { SmartProxy, ConnectionManager, SecurityManager, TimeoutManager, TlsManager, HttpProxyBridge, RouteConnectionHandler } from './smart-proxy/index.js';
-export { RouteManager as SmartProxyRouteManager } from './smart-proxy/route-manager.js';
+export { SharedRouteManager as SmartProxyRouteManager } from '../core/routing/route-manager.js';
 export * from './smart-proxy/utils/index.js';
 // Export smart-proxy models except IAcmeOptions
 export type { ISmartProxyOptions, IConnectionRecord, IRouteConfig, IRouteMatch, IRouteAction, IRouteTls, IRouteContext } from './smart-proxy/models/index.js';

ts/proxies/smart-proxy/connection-manager.ts

@@ -5,6 +5,7 @@ import { TimeoutManager } from './timeout-manager.js';
 import { logger } from '../../core/utils/logger.js';
 import { LifecycleComponent } from '../../core/utils/lifecycle-component.js';
 import { cleanupSocket } from '../../core/utils/socket-utils.js';
+import { WrappedSocket } from '../../core/models/wrapped-socket.js';
 
 /**
  * Manages connection lifecycle, tracking, and cleanup with performance optimizations
@@ -53,8 +54,9 @@ export class ConnectionManager extends LifecycleComponent {
   
   /**
    * Create and track a new connection
+   * Accepts either a regular net.Socket or a WrappedSocket for transparent PROXY protocol support
    */
-  public createConnection(socket: plugins.net.Socket): IConnectionRecord | null {
+  public createConnection(socket: plugins.net.Socket | WrappedSocket): IConnectionRecord | null {
     // Enforce connection limit
     if (this.connectionRecords.size >= this.maxConnections) {
       logger.log('warn', `Connection limit reached (${this.maxConnections}). Rejecting new connection.`, {
@@ -68,6 +70,7 @@ export class ConnectionManager extends LifecycleComponent {
     
     const connectionId = this.generateConnectionId();
     const remoteIP = socket.remoteAddress || '';
+    const remotePort = socket.remotePort || 0;
     const localPort = socket.localPort || 0;
     const now = Date.now();
 
@@ -83,6 +86,7 @@ export class ConnectionManager extends LifecycleComponent {
       bytesReceived: 0,
       bytesSent: 0,
       remoteIP,
+      remotePort,
       localPort,
       isTLS: false,
       tlsHandshakeComplete: false,
@@ -136,10 +140,10 @@ export class ConnectionManager extends LifecycleComponent {
    * Start the inactivity check timer
    */
   private startInactivityCheckTimer(): void {
-    // Check every 30 seconds for connections that need inactivity check
+    // Check more frequently (every 10 seconds) to catch zombies and stuck connections faster
     this.setInterval(() => {
       this.performOptimizedInactivityCheck();
-    }, 30000);
+    }, 10000);
     // Note: LifecycleComponent's setInterval already calls unref()
   }
 
@@ -190,6 +194,13 @@ export class ConnectionManager extends LifecycleComponent {
    * Queue a connection for cleanup
    */
   private queueCleanup(connectionId: string): void {
+    // Check if connection is already being processed
+    const record = this.connectionRecords.get(connectionId);
+    if (!record || record.connectionClosed) {
+      // Already cleaned up or doesn't exist, skip
+      return;
+    }
+    
     this.cleanupQueue.add(connectionId);
     
     // Process immediately if queue is getting large
@@ -213,9 +224,10 @@ export class ConnectionManager extends LifecycleComponent {
     }
     
     const toCleanup = Array.from(this.cleanupQueue).slice(0, this.cleanupBatchSize);
-    this.cleanupQueue.clear();
     
+    // Remove only the items we're processing, not the entire queue!
     for (const connectionId of toCleanup) {
+      this.cleanupQueue.delete(connectionId);
       const record = this.connectionRecords.get(connectionId);
       if (record) {
         this.cleanupConnection(record, record.incomingTerminationReason || 'normal');
@@ -278,12 +290,41 @@ export class ConnectionManager extends LifecycleComponent {
         }
       }
 
-      // Handle socket cleanup without delay
-      cleanupSocket(record.incoming, `${record.id}-incoming`);
+      // Handle socket cleanup - check if sockets are still active
+      const cleanupPromises: Promise<void>[] = [];
+      
+      if (record.incoming) {
+        // Extract underlying socket if it's a WrappedSocket
+        const incomingSocket = record.incoming instanceof WrappedSocket ? record.incoming.socket : record.incoming;
+        if (!record.incoming.writable || record.incoming.destroyed) {
+          // Socket is not active, clean up immediately
+          cleanupPromises.push(cleanupSocket(incomingSocket, `${record.id}-incoming`, { immediate: true }));
+        } else {
+          // Socket is still active, allow graceful cleanup
+          cleanupPromises.push(cleanupSocket(incomingSocket, `${record.id}-incoming`, { allowDrain: true, gracePeriod: 5000 }));
+        }
+      }
       
       if (record.outgoing) {
-        cleanupSocket(record.outgoing, `${record.id}-outgoing`);
+        // Extract underlying socket if it's a WrappedSocket
+        const outgoingSocket = record.outgoing instanceof WrappedSocket ? record.outgoing.socket : record.outgoing;
+        if (!record.outgoing.writable || record.outgoing.destroyed) {
+          // Socket is not active, clean up immediately
+          cleanupPromises.push(cleanupSocket(outgoingSocket, `${record.id}-outgoing`, { immediate: true }));
+        } else {
+          // Socket is still active, allow graceful cleanup
+          cleanupPromises.push(cleanupSocket(outgoingSocket, `${record.id}-outgoing`, { allowDrain: true, gracePeriod: 5000 }));
+        }
       }
+      
+      // Wait for cleanup to complete
+      Promise.all(cleanupPromises).catch(err => {
+        logger.log('error', `Error during socket cleanup: ${err}`, {
+          connectionId: record.id,
+          error: err,
+          component: 'connection-manager'
+        });
+      });
 
       // Clear pendingData to avoid memory leaks
       record.pendingData = [];
@@ -423,6 +464,74 @@ export class ConnectionManager extends LifecycleComponent {
       }
     }
     
+    // Also check ALL connections for zombie state (destroyed sockets but not cleaned up)
+    // This is critical for proxy chains where sockets can be destroyed without events
+    for (const [connectionId, record] of this.connectionRecords) {
+      if (!record.connectionClosed) {
+        const incomingDestroyed = record.incoming?.destroyed || false;
+        const outgoingDestroyed = record.outgoing?.destroyed || false;
+        
+        // Check for zombie connections: both sockets destroyed but connection not cleaned up
+        if (incomingDestroyed && outgoingDestroyed) {
+          logger.log('warn', `Zombie connection detected: ${connectionId} - both sockets destroyed but not cleaned up`, {
+            connectionId,
+            remoteIP: record.remoteIP,
+            age: plugins.prettyMs(now - record.incomingStartTime),
+            component: 'connection-manager'
+          });
+          
+          // Clean up immediately
+          this.cleanupConnection(record, 'zombie_cleanup');
+          continue;
+        }
+        
+        // Check for half-zombie: one socket destroyed
+        if (incomingDestroyed || outgoingDestroyed) {
+          const age = now - record.incomingStartTime;
+          // Give it 30 seconds grace period for normal cleanup
+          if (age > 30000) {
+            logger.log('warn', `Half-zombie connection detected: ${connectionId} - ${incomingDestroyed ? 'incoming' : 'outgoing'} destroyed`, {
+              connectionId,
+              remoteIP: record.remoteIP,
+              age: plugins.prettyMs(age),
+              incomingDestroyed,
+              outgoingDestroyed,
+              component: 'connection-manager'
+            });
+            
+            // Clean up
+            this.cleanupConnection(record, 'half_zombie_cleanup');
+          }
+        }
+        
+        // Check for stuck connections: no data sent back to client
+        if (!record.connectionClosed && record.outgoing && record.bytesReceived > 0 && record.bytesSent === 0) {
+          const age = now - record.incomingStartTime;
+          // If connection is older than 60 seconds and no data sent back, likely stuck
+          if (age > 60000) {
+            logger.log('warn', `Stuck connection detected: ${connectionId} - received ${record.bytesReceived} bytes but sent 0 bytes`, {
+              connectionId,
+              remoteIP: record.remoteIP,
+              age: plugins.prettyMs(age),
+              bytesReceived: record.bytesReceived,
+              targetHost: record.targetHost,
+              targetPort: record.targetPort,
+              component: 'connection-manager'
+            });
+            
+            // Set termination reason and increment stats
+            if (record.incomingTerminationReason == null) {
+              record.incomingTerminationReason = 'stuck_no_response';
+              this.incrementTerminationStat('incoming', 'stuck_no_response');
+            }
+            
+            // Clean up
+            this.cleanupConnection(record, 'stuck_no_response');
+          }
+        }
+      }
+    }
+    
     // Process only connections that need checking
     for (const connectionId of connectionsToCheck) {
       const record = this.connectionRecords.get(connectionId);
@@ -484,19 +593,24 @@ export class ConnectionManager extends LifecycleComponent {
       }
       
       // Parity check: if outgoing socket closed and incoming remains active
+      // Increased from 2 minutes to 30 minutes for long-lived connections
       if (
         record.outgoingClosedTime &&
         !record.incoming.destroyed &&
         !record.connectionClosed &&
-        now - record.outgoingClosedTime > 120000
+        now - record.outgoingClosedTime > 1800000  // 30 minutes
       ) {
-        logger.log('warn', `Parity check failed: ${record.remoteIP}`, {
-          connectionId,
-          remoteIP: record.remoteIP,
-          timeElapsed: plugins.prettyMs(now - record.outgoingClosedTime),
-          component: 'connection-manager'
-        });
-        this.cleanupConnection(record, 'parity_check');
+        // Only close if no data activity for 10 minutes
+        if (now - record.lastActivity > 600000) {
+          logger.log('warn', `Parity check failed after extended timeout: ${record.remoteIP}`, {
+            connectionId,
+            remoteIP: record.remoteIP,
+            timeElapsed: plugins.prettyMs(now - record.outgoingClosedTime),
+            inactiveFor: plugins.prettyMs(now - record.lastActivity),
+            component: 'connection-manager'
+          });
+          this.cleanupConnection(record, 'parity_check');
+        }
       }
     }
   }
@@ -537,13 +651,20 @@ export class ConnectionManager extends LifecycleComponent {
           }
 
           // Immediate destruction using socket-utils
+          const shutdownPromises: Promise<void>[] = [];
+          
           if (record.incoming) {
-            cleanupSocket(record.incoming, `${record.id}-incoming-shutdown`);
+            const incomingSocket = record.incoming instanceof WrappedSocket ? record.incoming.socket : record.incoming;
+            shutdownPromises.push(cleanupSocket(incomingSocket, `${record.id}-incoming-shutdown`, { immediate: true }));
           }
 
           if (record.outgoing) {
-            cleanupSocket(record.outgoing, `${record.id}-outgoing-shutdown`);
+            const outgoingSocket = record.outgoing instanceof WrappedSocket ? record.outgoing.socket : record.outgoing;
+            shutdownPromises.push(cleanupSocket(outgoingSocket, `${record.id}-outgoing-shutdown`, { immediate: true }));
           }
+          
+          // Don't wait for shutdown cleanup in this batch processing
+          Promise.all(shutdownPromises).catch(() => {});
         } catch (err) {
           logger.log('error', `Error during connection cleanup: ${err}`, { 
             connectionId: record.id, 

ts/proxies/smart-proxy/http-proxy-bridge.ts

@@ -1,7 +1,9 @@
 import * as plugins from '../../plugins.js';
 import { HttpProxy } from '../http-proxy/index.js';
+import { setupBidirectionalForwarding } from '../../core/utils/socket-utils.js';
 import type { IConnectionRecord, ISmartProxyOptions } from './models/interfaces.js';
 import type { IRouteConfig } from './models/route-types.js';
+import { WrappedSocket } from '../../core/models/wrapped-socket.js';
 
 export class HttpProxyBridge {
   private httpProxy: HttpProxy | null = null;
@@ -97,7 +99,7 @@ export class HttpProxyBridge {
    */
   public async forwardToHttpProxy(
     connectionId: string,
-    socket: plugins.net.Socket,
+    socket: plugins.net.Socket | WrappedSocket,
     record: IConnectionRecord,
     initialChunk: Buffer,
     httpProxyPort: number,
@@ -123,36 +125,28 @@ export class HttpProxyBridge {
       proxySocket.write(initialChunk);
     }
     
-    // Pipe the sockets together
-    socket.pipe(proxySocket);
-    proxySocket.pipe(socket);
+    // Use centralized bidirectional forwarding
+    // Extract underlying socket if it's a WrappedSocket
+    const underlyingSocket = socket instanceof WrappedSocket ? socket.socket : socket;
     
-    // Handle cleanup
-    let cleanedUp = false;
-    const cleanup = (reason: string) => {
-      if (cleanedUp) return;
-      cleanedUp = true;
-      
-      // Remove all event listeners to prevent memory leaks
-      socket.removeAllListeners('end');
-      socket.removeAllListeners('error');
-      proxySocket.removeAllListeners('end');
-      proxySocket.removeAllListeners('error');
-      
-      socket.unpipe(proxySocket);
-      proxySocket.unpipe(socket);
-      
-      if (!proxySocket.destroyed) {
-        proxySocket.destroy();
-      }
-      
-      cleanupCallback(reason);
-    };
-    
-    socket.on('end', () => cleanup('socket_end'));
-    socket.on('error', () => cleanup('socket_error'));
-    proxySocket.on('end', () => cleanup('proxy_end'));
-    proxySocket.on('error', () => cleanup('proxy_error'));
+    setupBidirectionalForwarding(underlyingSocket, proxySocket, {
+      onClientData: (chunk) => {
+        // Update stats if needed
+        if (record) {
+          record.bytesReceived += chunk.length;
+        }
+      },
+      onServerData: (chunk) => {
+        // Update stats if needed
+        if (record) {
+          record.bytesSent += chunk.length;
+        }
+      },
+      onCleanup: (reason) => {
+        cleanupCallback(reason);
+      },
+      enableHalfOpen: false // Close both when one closes (required for proxy chains)
+    });
   }
   
   /**

ts/proxies/smart-proxy/index.ts

@@ -17,7 +17,7 @@ export { TlsManager } from './tls-manager.js';
 export { HttpProxyBridge } from './http-proxy-bridge.js';
 
 // Export route-based components
-export { RouteManager } from './route-manager.js';
+export { SharedRouteManager as RouteManager } from '../../core/routing/route-manager.js';
 export { RouteConnectionHandler } from './route-connection-handler.js';
 export { NFTablesManager } from './nftables-manager.js';
 

ts/proxies/smart-proxy/metrics-collector.ts

@@ -0,0 +1,289 @@
+import * as plugins from '../../plugins.js';
+import type { SmartProxy } from './smart-proxy.js';
+import type { IProxyStats, IProxyStatsExtended } from './models/metrics-types.js';
+import { logger } from '../../core/utils/logger.js';
+
+/**
+ * Collects and computes metrics for SmartProxy on-demand
+ */
+export class MetricsCollector implements IProxyStatsExtended {
+  // RPS tracking (the only state we need to maintain)
+  private requestTimestamps: number[] = [];
+  private readonly RPS_WINDOW_SIZE = 60000; // 1 minute window
+  private readonly MAX_TIMESTAMPS = 5000; // Maximum timestamps to keep
+  
+  // Optional caching for performance
+  private cachedMetrics: {
+    timestamp: number;
+    connectionsByRoute?: Map<string, number>;
+    connectionsByIP?: Map<string, number>;
+  } = { timestamp: 0 };
+  
+  private readonly CACHE_TTL = 1000; // 1 second cache
+  
+  // RxJS subscription for connection events
+  private connectionSubscription?: plugins.smartrx.rxjs.Subscription;
+  
+  constructor(
+    private smartProxy: SmartProxy
+  ) {
+    // Subscription will be set up in start() method
+  }
+  
+  /**
+   * Get the current number of active connections
+   */
+  public getActiveConnections(): number {
+    return this.smartProxy.connectionManager.getConnectionCount();
+  }
+  
+  /**
+   * Get connection counts grouped by route name
+   */
+  public getConnectionsByRoute(): Map<string, number> {
+    const now = Date.now();
+    
+    // Return cached value if fresh
+    if (this.cachedMetrics.connectionsByRoute && 
+        now - this.cachedMetrics.timestamp < this.CACHE_TTL) {
+      return new Map(this.cachedMetrics.connectionsByRoute);
+    }
+    
+    // Compute fresh value
+    const routeCounts = new Map<string, number>();
+    const connections = this.smartProxy.connectionManager.getConnections();
+    
+    if (this.smartProxy.settings?.enableDetailedLogging) {
+      logger.log('debug', `MetricsCollector: Computing route connections`, {
+        totalConnections: connections.size,
+        component: 'metrics'
+      });
+    }
+    
+    for (const [_, record] of connections) {
+      // Try different ways to get the route name
+      const routeName = (record as any).routeName || 
+                       record.routeConfig?.name || 
+                       (record.routeConfig as any)?.routeName ||
+                       'unknown';
+      
+      if (this.smartProxy.settings?.enableDetailedLogging) {
+        logger.log('debug', `MetricsCollector: Connection route info`, {
+          connectionId: record.id,
+          routeName,
+          hasRouteConfig: !!record.routeConfig,
+          routeConfigName: record.routeConfig?.name,
+          routeConfigKeys: record.routeConfig ? Object.keys(record.routeConfig) : [],
+          component: 'metrics'
+        });
+      }
+      
+      const current = routeCounts.get(routeName) || 0;
+      routeCounts.set(routeName, current + 1);
+    }
+    
+    // Cache and return
+    this.cachedMetrics.connectionsByRoute = routeCounts;
+    this.cachedMetrics.timestamp = now;
+    return new Map(routeCounts);
+  }
+  
+  /**
+   * Get connection counts grouped by IP address
+   */
+  public getConnectionsByIP(): Map<string, number> {
+    const now = Date.now();
+    
+    // Return cached value if fresh
+    if (this.cachedMetrics.connectionsByIP && 
+        now - this.cachedMetrics.timestamp < this.CACHE_TTL) {
+      return new Map(this.cachedMetrics.connectionsByIP);
+    }
+    
+    // Compute fresh value
+    const ipCounts = new Map<string, number>();
+    for (const [_, record] of this.smartProxy.connectionManager.getConnections()) {
+      const ip = record.remoteIP;
+      const current = ipCounts.get(ip) || 0;
+      ipCounts.set(ip, current + 1);
+    }
+    
+    // Cache and return
+    this.cachedMetrics.connectionsByIP = ipCounts;
+    this.cachedMetrics.timestamp = now;
+    return new Map(ipCounts);
+  }
+  
+  /**
+   * Get the total number of connections since proxy start
+   */
+  public getTotalConnections(): number {
+    // Get from termination stats
+    const stats = this.smartProxy.connectionManager.getTerminationStats();
+    let total = this.smartProxy.connectionManager.getConnectionCount(); // Add active connections
+    
+    // Add all terminated connections
+    for (const reason in stats.incoming) {
+      total += stats.incoming[reason];
+    }
+    
+    return total;
+  }
+  
+  /**
+   * Get the current requests per second rate
+   */
+  public getRequestsPerSecond(): number {
+    const now = Date.now();
+    const windowStart = now - this.RPS_WINDOW_SIZE;
+    
+    // Clean old timestamps
+    this.requestTimestamps = this.requestTimestamps.filter(ts => ts > windowStart);
+    
+    // Calculate RPS based on window
+    const requestsInWindow = this.requestTimestamps.length;
+    return requestsInWindow / (this.RPS_WINDOW_SIZE / 1000);
+  }
+  
+  /**
+   * Record a new request for RPS tracking
+   */
+  public recordRequest(): void {
+    const now = Date.now();
+    this.requestTimestamps.push(now);
+    
+    // Prevent unbounded growth - clean up more aggressively
+    if (this.requestTimestamps.length > this.MAX_TIMESTAMPS) {
+      // Keep only timestamps within the window
+      const cutoff = now - this.RPS_WINDOW_SIZE;
+      this.requestTimestamps = this.requestTimestamps.filter(ts => ts > cutoff);
+    }
+  }
+  
+  /**
+   * Get total throughput (bytes transferred)
+   */
+  public getThroughput(): { bytesIn: number; bytesOut: number } {
+    let bytesIn = 0;
+    let bytesOut = 0;
+    
+    // Sum bytes from all active connections
+    for (const [_, record] of this.smartProxy.connectionManager.getConnections()) {
+      bytesIn += record.bytesReceived;
+      bytesOut += record.bytesSent;
+    }
+    
+    return { bytesIn, bytesOut };
+  }
+  
+  /**
+   * Get throughput rate (bytes per second) for last minute
+   */
+  public getThroughputRate(): { bytesInPerSec: number; bytesOutPerSec: number } {
+    const now = Date.now();
+    let recentBytesIn = 0;
+    let recentBytesOut = 0;
+    
+    // Calculate bytes transferred in last minute from active connections
+    for (const [_, record] of this.smartProxy.connectionManager.getConnections()) {
+      const connectionAge = now - record.incomingStartTime;
+      if (connectionAge < 60000) { // Connection started within last minute
+        recentBytesIn += record.bytesReceived;
+        recentBytesOut += record.bytesSent;
+      } else {
+        // For older connections, estimate rate based on average
+        const rate = connectionAge / 60000;
+        recentBytesIn += record.bytesReceived / rate;
+        recentBytesOut += record.bytesSent / rate;
+      }
+    }
+    
+    return {
+      bytesInPerSec: Math.round(recentBytesIn / 60),
+      bytesOutPerSec: Math.round(recentBytesOut / 60)
+    };
+  }
+  
+  /**
+   * Get top IPs by connection count
+   */
+  public getTopIPs(limit: number = 10): Array<{ ip: string; connections: number }> {
+    const ipCounts = this.getConnectionsByIP();
+    const sorted = Array.from(ipCounts.entries())
+      .sort((a, b) => b[1] - a[1])
+      .slice(0, limit)
+      .map(([ip, connections]) => ({ ip, connections }));
+    
+    return sorted;
+  }
+  
+  /**
+   * Check if an IP has reached the connection limit
+   */
+  public isIPBlocked(ip: string, maxConnectionsPerIP: number): boolean {
+    const ipCounts = this.getConnectionsByIP();
+    const currentConnections = ipCounts.get(ip) || 0;
+    return currentConnections >= maxConnectionsPerIP;
+  }
+  
+  /**
+   * Clean up old request timestamps
+   */
+  private cleanupOldRequests(): void {
+    const cutoff = Date.now() - this.RPS_WINDOW_SIZE;
+    this.requestTimestamps = this.requestTimestamps.filter(ts => ts > cutoff);
+  }
+  
+  /**
+   * Start the metrics collector and set up subscriptions
+   */
+  public start(): void {
+    if (!this.smartProxy.routeConnectionHandler) {
+      throw new Error('MetricsCollector: RouteConnectionHandler not available');
+    }
+    
+    // Subscribe to the newConnectionSubject from RouteConnectionHandler
+    this.connectionSubscription = this.smartProxy.routeConnectionHandler.newConnectionSubject.subscribe({
+      next: (record) => {
+        this.recordRequest();
+        
+        // Optional: Log connection details
+        if (this.smartProxy.settings?.enableDetailedLogging) {
+          logger.log('debug', `MetricsCollector: New connection recorded`, {
+            connectionId: record.id,
+            remoteIP: record.remoteIP,
+            routeName: record.routeConfig?.name || 'unknown',
+            component: 'metrics'
+          });
+        }
+      },
+      error: (err) => {
+        logger.log('error', `MetricsCollector: Error in connection subscription`, {
+          error: err.message,
+          component: 'metrics'
+        });
+      }
+    });
+    
+    logger.log('debug', 'MetricsCollector started', { component: 'metrics' });
+  }
+  
+  /**
+   * Stop the metrics collector and clean up resources
+   */
+  public stop(): void {
+    if (this.connectionSubscription) {
+      this.connectionSubscription.unsubscribe();
+      this.connectionSubscription = undefined;
+    }
+    
+    logger.log('debug', 'MetricsCollector stopped', { component: 'metrics' });
+  }
+  
+  /**
+   * Alias for stop() for backward compatibility
+   */
+  public destroy(): void {
+    this.stop();
+  }
+}

ts/proxies/smart-proxy/models/index.ts

@@ -4,3 +4,4 @@
 // Export everything except IAcmeOptions from interfaces
 export type { ISmartProxyOptions, IConnectionRecord, TSmartProxyCertProvisionObject } from './interfaces.js';
 export * from './route-types.js';
+export * from './metrics-types.js';

ts/proxies/smart-proxy/models/interfaces.ts

@@ -1,4 +1,5 @@
 import * as plugins from '../../../plugins.js';
+import type { WrappedSocket } from '../../../core/models/wrapped-socket.js';
 // Certificate types removed - define IAcmeOptions locally
 export interface IAcmeOptions {
   enabled?: boolean;
@@ -34,6 +35,11 @@ export interface ISmartProxyOptions {
   // Port configuration
   preserveSourceIP?: boolean;  // Preserve client IP when forwarding
 
+  // PROXY protocol configuration
+  proxyIPs?: string[];  // List of trusted proxy IPs that can send PROXY protocol
+  acceptProxyProtocol?: boolean;  // Global option to accept PROXY protocol (defaults based on proxyIPs)
+  sendProxyProtocol?: boolean;  // Global option to send PROXY protocol to all targets
+
   // Global/default settings
   defaults?: {
     target?: {
@@ -63,6 +69,7 @@ export interface ISmartProxyOptions {
   maxVersion?: string;
 
   // Timeout settings
+  connectionTimeout?: number; // Timeout for establishing connection to backend (ms), default: 30000 (30s)
   initialDataTimeout?: number; // Timeout for initial data/SNI (ms), default: 60000 (60s)
   socketTimeout?: number; // Socket inactivity timeout (ms), default: 3600000 (1h)
   inactivityCheckInterval?: number; // How often to check for inactive connections (ms), default: 60000 (60s)
@@ -128,8 +135,8 @@ export interface ISmartProxyOptions {
  */
 export interface IConnectionRecord {
   id: string; // Unique connection identifier
-  incoming: plugins.net.Socket;
-  outgoing: plugins.net.Socket | null;
+  incoming: plugins.net.Socket | WrappedSocket;
+  outgoing: plugins.net.Socket | WrappedSocket | null;
   incomingStartTime: number;
   outgoingStartTime?: number;
   outgoingClosedTime?: number;
@@ -145,6 +152,7 @@ export interface IConnectionRecord {
   bytesReceived: number; // Total bytes received
   bytesSent: number; // Total bytes sent
   remoteIP: string; // Remote IP (cached for logging after socket close)
+  remotePort: number; // Remote port (cached for logging after socket close)
   localPort: number; // Local port (cached for logging)
   isTLS: boolean; // Whether this connection is a TLS connection
   tlsHandshakeComplete: boolean; // Whether the TLS handshake is complete

ts/proxies/smart-proxy/models/metrics-types.ts

@@ -0,0 +1,54 @@
+/**
+ * Interface for proxy statistics and metrics
+ */
+export interface IProxyStats {
+  /**
+   * Get the current number of active connections
+   */
+  getActiveConnections(): number;
+  
+  /**
+   * Get connection counts grouped by route name
+   */
+  getConnectionsByRoute(): Map<string, number>;
+  
+  /**
+   * Get connection counts grouped by IP address
+   */
+  getConnectionsByIP(): Map<string, number>;
+  
+  /**
+   * Get the total number of connections since proxy start
+   */
+  getTotalConnections(): number;
+  
+  /**
+   * Get the current requests per second rate
+   */
+  getRequestsPerSecond(): number;
+  
+  /**
+   * Get total throughput (bytes transferred)
+   */
+  getThroughput(): { bytesIn: number; bytesOut: number };
+}
+
+/**
+ * Extended interface for additional metrics helpers
+ */
+export interface IProxyStatsExtended extends IProxyStats {
+  /**
+   * Get throughput rate (bytes per second) for last minute
+   */
+  getThroughputRate(): { bytesInPerSec: number; bytesOutPerSec: number };
+  
+  /**
+   * Get top IPs by connection count
+   */
+  getTopIPs(limit?: number): Array<{ ip: string; connections: number }>;
+  
+  /**
+   * Check if an IP has reached the connection limit
+   */
+  isIPBlocked(ip: string, maxConnectionsPerIP: number): boolean;
+}

ts/proxies/smart-proxy/models/route-types.ts

@@ -250,6 +250,9 @@ export interface IRouteAction {
 
   // Socket handler function (when type is 'socket-handler')
   socketHandler?: TSocketHandler;
+  
+  // PROXY protocol support
+  sendProxyProtocol?: boolean;
 }
 
 /**

ts/proxies/smart-proxy/port-manager.ts

@@ -65,7 +65,7 @@ export class PortManager {
     const server = plugins.net.createServer((socket) => {
       // Check if shutting down
       if (this.isShuttingDown) {
-        cleanupSocket(socket, 'port-manager-shutdown');
+        cleanupSocket(socket, 'port-manager-shutdown', { immediate: true });
         return;
       }
       

ts/proxies/smart-proxy/route-connection-handler.ts

@@ -2,14 +2,18 @@ import * as plugins from '../../plugins.js';
 import type { IConnectionRecord, ISmartProxyOptions } from './models/interfaces.js';
 import { logger } from '../../core/utils/logger.js';
 // Route checking functions have been removed
-import type { IRouteConfig, IRouteAction, IRouteContext } from './models/route-types.js';
+import type { IRouteConfig, IRouteAction } from './models/route-types.js';
+import type { IRouteContext } from '../../core/models/route-context.js';
 import { ConnectionManager } from './connection-manager.js';
 import { SecurityManager } from './security-manager.js';
 import { TlsManager } from './tls-manager.js';
 import { HttpProxyBridge } from './http-proxy-bridge.js';
 import { TimeoutManager } from './timeout-manager.js';
-import { RouteManager } from './route-manager.js';
-import { cleanupSocket } from '../../core/utils/socket-utils.js';
+import { SharedRouteManager as RouteManager } from '../../core/routing/route-manager.js';
+import { cleanupSocket, setupSocketHandlers, createSocketWithErrorHandler, setupBidirectionalForwarding } from '../../core/utils/socket-utils.js';
+import { WrappedSocket } from '../../core/models/wrapped-socket.js';
+import { getUnderlyingSocket } from '../../core/models/socket-types.js';
+import { ProxyProtocolParser } from '../../core/utils/proxy-protocol.js';
 
 /**
  * Handles new connection processing and setup logic with support for route-based configuration
@@ -17,8 +21,12 @@ import { cleanupSocket } from '../../core/utils/socket-utils.js';
 export class RouteConnectionHandler {
   private settings: ISmartProxyOptions;
 
-  // Cache for route contexts to avoid recreation
-  private routeContextCache: Map<string, IRouteContext> = new Map();
+  // Note: Route context caching was considered but not implemented
+  // as route contexts are lightweight and should be created fresh
+  // for each connection to ensure accurate context data
+  
+  // RxJS Subject for new connections
+  public newConnectionSubject = new plugins.smartrx.rxjs.Subject<IConnectionRecord>();
 
   constructor(
     settings: ISmartProxyOptions,
@@ -31,6 +39,7 @@ export class RouteConnectionHandler {
   ) {
     this.settings = settings;
   }
+  
 
   /**
    * Create a route context object for port and host mapping functions
@@ -80,35 +89,55 @@ export class RouteConnectionHandler {
     const remoteIP = socket.remoteAddress || '';
     const localPort = socket.localPort || 0;
 
+    // Always wrap the socket to prepare for potential PROXY protocol
+    const wrappedSocket = new WrappedSocket(socket);
+    
+    // If this is from a trusted proxy, log it
+    if (this.settings.proxyIPs?.includes(remoteIP)) {
+      logger.log('debug', `Connection from trusted proxy ${remoteIP}, PROXY protocol parsing will be enabled`, {
+        remoteIP,
+        component: 'route-handler'
+      });
+    }
+
     // Validate IP against rate limits and connection limits
-    const ipValidation = this.securityManager.validateIP(remoteIP);
+    // Note: For wrapped sockets, this will use the underlying socket IP until PROXY protocol is parsed
+    const ipValidation = this.securityManager.validateIP(wrappedSocket.remoteAddress || '');
     if (!ipValidation.allowed) {
-      logger.log('warn', `Connection rejected`, { remoteIP, reason: ipValidation.reason, component: 'route-handler' });
-      cleanupSocket(socket, `rejected-${ipValidation.reason}`);
+      logger.log('warn', `Connection rejected`, { remoteIP: wrappedSocket.remoteAddress, reason: ipValidation.reason, component: 'route-handler' });
+      cleanupSocket(wrappedSocket.socket, `rejected-${ipValidation.reason}`, { immediate: true });
       return;
     }
 
-    // Create a new connection record
-    const record = this.connectionManager.createConnection(socket);
+    // Create a new connection record with the wrapped socket
+    const record = this.connectionManager.createConnection(wrappedSocket);
+    if (!record) {
+      // Connection was rejected due to limit - socket already destroyed by connection manager
+      return;
+    }
+    
+    // Emit new connection event
+    this.newConnectionSubject.next(record);
     const connectionId = record.id;
 
-    // Apply socket optimizations
-    socket.setNoDelay(this.settings.noDelay);
+    // Apply socket optimizations (apply to underlying socket)
+    const underlyingSocket = wrappedSocket.socket;
+    underlyingSocket.setNoDelay(this.settings.noDelay);
 
     // Apply keep-alive settings if enabled
     if (this.settings.keepAlive) {
-      socket.setKeepAlive(true, this.settings.keepAliveInitialDelay);
+      underlyingSocket.setKeepAlive(true, this.settings.keepAliveInitialDelay);
       record.hasKeepAlive = true;
 
       // Apply enhanced TCP keep-alive options if enabled
       if (this.settings.enableKeepAliveProbes) {
         try {
           // These are platform-specific and may not be available
-          if ('setKeepAliveProbes' in socket) {
-            (socket as any).setKeepAliveProbes(10);
+          if ('setKeepAliveProbes' in underlyingSocket) {
+            (underlyingSocket as any).setKeepAliveProbes(10);
           }
-          if ('setKeepAliveInterval' in socket) {
-            (socket as any).setKeepAliveInterval(1000);
+          if ('setKeepAliveInterval' in underlyingSocket) {
+            (underlyingSocket as any).setKeepAliveInterval(1000);
           }
         } catch (err) {
           // Ignore errors - these are optional enhancements
@@ -146,19 +175,19 @@ export class RouteConnectionHandler {
     }
 
     // Handle the connection - wait for initial data to determine if it's TLS
-    this.handleInitialData(socket, record);
+    this.handleInitialData(wrappedSocket, record);
   }
 
   /**
    * Handle initial data from a connection to determine routing
    */
-  private handleInitialData(socket: plugins.net.Socket, record: IConnectionRecord): void {
+  private handleInitialData(socket: plugins.net.Socket | WrappedSocket, record: IConnectionRecord): void {
     const connectionId = record.id;
     const localPort = record.localPort;
     let initialDataReceived = false;
 
     // Check if any routes on this port require TLS handling
-    const allRoutes = this.routeManager.getAllRoutes();
+    const allRoutes = this.routeManager.getRoutes();
     const needsTlsHandling = allRoutes.some(route => {
       // Check if route matches this port
       const matchesPort = this.routeManager.getRoutesForPort(localPort).includes(route);
@@ -172,8 +201,39 @@ export class RouteConnectionHandler {
 
     // If no routes require TLS handling and it's not port 443, route immediately
     if (!needsTlsHandling && localPort !== 443) {
-      // Set up error handler
-      socket.on('error', this.connectionManager.handleError('incoming', record));
+      // Extract underlying socket for socket-utils functions
+      const underlyingSocket = getUnderlyingSocket(socket);
+      // Set up proper socket handlers for immediate routing
+      setupSocketHandlers(
+        underlyingSocket,
+        (reason) => {
+          // Always cleanup when incoming socket closes
+          // This prevents connection accumulation in proxy chains
+          logger.log('debug', `Connection ${connectionId} closed during immediate routing: ${reason}`, {
+            connectionId,
+            remoteIP: record.remoteIP,
+            reason,
+            hasOutgoing: !!record.outgoing,
+            outgoingState: record.outgoing?.readyState,
+            component: 'route-handler'
+          });
+          
+          // If there's a pending or established outgoing connection, destroy it
+          if (record.outgoing && !record.outgoing.destroyed) {
+            logger.log('debug', `Destroying outgoing connection for ${connectionId}`, {
+              connectionId,
+              outgoingState: record.outgoing.readyState,
+              component: 'route-handler'
+            });
+            record.outgoing.destroy();
+          }
+          
+          // Always cleanup the connection record
+          this.connectionManager.cleanupConnection(record, reason);
+        },
+        undefined, // Use default timeout handler
+        'immediate-route-client'
+      );
       
       // Route immediately for non-TLS connections
       this.routeConnection(socket, record, '', undefined);
@@ -217,17 +277,39 @@ export class RouteConnectionHandler {
     // Set up error handler
     socket.on('error', this.connectionManager.handleError('incoming', record));
 
-    // First data handler to capture initial TLS handshake
-    socket.once('data', (chunk: Buffer) => {
-      // Clear the initial timeout since we've received data
-      if (initialTimeout) {
-        clearTimeout(initialTimeout);
-        initialTimeout = null;
+    // Add close/end handlers to catch immediate disconnections
+    socket.once('close', () => {
+      if (!initialDataReceived) {
+        logger.log('warn', `Connection ${connectionId} closed before sending initial data`, {
+          connectionId,
+          remoteIP: record.remoteIP,
+          component: 'route-handler'
+        });
+        if (initialTimeout) {
+          clearTimeout(initialTimeout);
+          initialTimeout = null;
+        }
+        this.connectionManager.cleanupConnection(record, 'closed_before_data');
       }
+    });
 
-      initialDataReceived = true;
-      record.hasReceivedInitialData = true;
+    socket.once('end', () => {
+      if (!initialDataReceived) {
+        logger.log('debug', `Connection ${connectionId} ended before sending initial data`, {
+          connectionId,
+          remoteIP: record.remoteIP,
+          component: 'route-handler'
+        });
+        if (initialTimeout) {
+          clearTimeout(initialTimeout);
+          initialTimeout = null;
+        }
+        // Don't cleanup on 'end' - wait for 'close'
+      }
+    });
 
+    // Handler for processing initial data (after potential PROXY protocol)
+    const processInitialData = (chunk: Buffer) => {
       // Block non-TLS connections on port 443
       if (!this.tlsManager.isTlsHandshake(chunk) && localPort === 443) {
         logger.log('warn', `Non-TLS connection ${connectionId} detected on port 443. Terminating connection - only TLS traffic is allowed on standard HTTPS port.`, {
@@ -303,6 +385,67 @@ export class RouteConnectionHandler {
 
       // Find the appropriate route for this connection
       this.routeConnection(socket, record, serverName, chunk);
+    };
+
+    // First data handler to capture initial TLS handshake or PROXY protocol
+    socket.once('data', async (chunk: Buffer) => {
+      // Clear the initial timeout since we've received data
+      if (initialTimeout) {
+        clearTimeout(initialTimeout);
+        initialTimeout = null;
+      }
+
+      initialDataReceived = true;
+      record.hasReceivedInitialData = true;
+
+      // Check if this is from a trusted proxy and might have PROXY protocol
+      if (this.settings.proxyIPs?.includes(socket.remoteAddress || '') && this.settings.acceptProxyProtocol !== false) {
+        // Check if this starts with PROXY protocol
+        if (chunk.toString('ascii', 0, Math.min(6, chunk.length)).startsWith('PROXY ')) {
+          try {
+            const parseResult = ProxyProtocolParser.parse(chunk);
+            
+            if (parseResult.proxyInfo) {
+              // Update the wrapped socket with real client info (if it's a WrappedSocket)
+              if (socket instanceof WrappedSocket) {
+                socket.setProxyInfo(parseResult.proxyInfo.sourceIP, parseResult.proxyInfo.sourcePort);
+              }
+              
+              // Update connection record with real client info
+              record.remoteIP = parseResult.proxyInfo.sourceIP;
+              record.remotePort = parseResult.proxyInfo.sourcePort;
+              
+              logger.log('info', `PROXY protocol parsed successfully`, {
+                connectionId,
+                realClientIP: parseResult.proxyInfo.sourceIP,
+                realClientPort: parseResult.proxyInfo.sourcePort,
+                proxyIP: socket.remoteAddress,
+                component: 'route-handler'
+              });
+              
+              // Process remaining data if any
+              if (parseResult.remainingData.length > 0) {
+                processInitialData(parseResult.remainingData);
+              } else {
+                // Wait for more data
+                socket.once('data', processInitialData);
+              }
+              return;
+            }
+          } catch (error) {
+            logger.log('error', `Failed to parse PROXY protocol from trusted proxy`, {
+              connectionId,
+              error: error.message,
+              proxyIP: socket.remoteAddress,
+              component: 'route-handler'
+            });
+            // Continue processing as normal data
+          }
+        }
+      }
+
+      // Process as normal data (no PROXY protocol)
+      processInitialData(chunk);
     });
   }
 
@@ -310,7 +453,7 @@ export class RouteConnectionHandler {
    * Route the connection based on match criteria
    */
   private routeConnection(
-    socket: plugins.net.Socket,
+    socket: plugins.net.Socket | WrappedSocket,
     record: IConnectionRecord,
     serverName: string,
     initialChunk?: Buffer
@@ -325,15 +468,21 @@ export class RouteConnectionHandler {
     // For HTTP proxy ports without TLS, skip domain check since domain info comes from HTTP headers
     const skipDomainCheck = isHttpProxyPort && !record.isTLS;
 
-    // Find matching route
-    const routeMatch = this.routeManager.findMatchingRoute({
+    // Create route context for matching
+    const routeContext: IRouteContext = {
       port: localPort,
-      domain: serverName,
+      domain: skipDomainCheck ? undefined : serverName, // Skip domain if HTTP proxy without TLS
       clientIp: remoteIP,
+      serverIp: socket.localAddress || '',
       path: undefined, // We don't have path info at this point
+      isTls: record.isTLS,
       tlsVersion: undefined, // We don't extract TLS version yet
-      skipDomainCheck: skipDomainCheck,
-    });
+      timestamp: Date.now(),
+      connectionId: record.id
+    };
+
+    // Find matching route
+    const routeMatch = this.routeManager.findMatchingRoute(routeContext);
 
     if (!routeMatch) {
       logger.log('warn', `No route found for ${serverName || 'connection'} on port ${localPort} (connection: ${connectionId})`, {
@@ -492,13 +641,16 @@ export class RouteConnectionHandler {
    * Handle a forward action for a route
    */
   private handleForwardAction(
-    socket: plugins.net.Socket,
+    socket: plugins.net.Socket | WrappedSocket,
     record: IConnectionRecord,
     route: IRouteConfig,
     initialChunk?: Buffer
   ): void {
     const connectionId = record.id;
     const action = route.action as IRouteAction;
+    
+    // Store the route config in the connection record for metrics and other uses
+    record.routeConfig = route;
 
     // Check if this route uses NFTables for forwarding
     if (action.forwardingEngine === 'nftables') {
@@ -546,6 +698,12 @@ export class RouteConnectionHandler {
       
       // We don't close the socket - just let it remain open
       // The kernel-level NFTables rules will handle the actual forwarding
+      
+      // Set up cleanup when the socket eventually closes
+      socket.once('close', () => {
+        this.connectionManager.cleanupConnection(record, 'nftables_closed');
+      });
+      
       return;
     }
 
@@ -573,8 +731,7 @@ export class RouteConnectionHandler {
       routeId: route.id,
     });
 
-    // Cache the context for potential reuse
-    this.routeContextCache.set(connectionId, routeContext);
+    // Note: Route contexts are not cached to ensure fresh data for each connection
 
     // Determine host using function or static value
     let targetHost: string | string[];
@@ -687,7 +844,7 @@ export class RouteConnectionHandler {
                 record,
                 initialChunk,
                 this.settings.httpProxyPort || 8443,
-                (reason) => this.connectionManager.initiateCleanupOnce(record, reason)
+                (reason) => this.connectionManager.cleanupConnection(record, reason)
               );
               return;
             }
@@ -742,7 +899,7 @@ export class RouteConnectionHandler {
           record,
           initialChunk,
           this.settings.httpProxyPort || 8443,
-          (reason) => this.connectionManager.initiateCleanupOnce(record, reason)
+          (reason) => this.connectionManager.cleanupConnection(record, reason)
         );
         return;
       } else {
@@ -803,13 +960,16 @@ export class RouteConnectionHandler {
    * Handle a socket-handler action for a route
    */
   private async handleSocketHandlerAction(
-    socket: plugins.net.Socket,
+    socket: plugins.net.Socket | WrappedSocket,
     record: IConnectionRecord,
     route: IRouteConfig,
     initialChunk?: Buffer
   ): Promise<void> {
     const connectionId = record.id;
     
+    // Store the route config in the connection record for metrics and other uses
+    record.routeConfig = route;
+    
     if (!route.action.socketHandler) {
       logger.log('error', 'socket-handler action missing socketHandler function', {
         connectionId,
@@ -867,8 +1027,9 @@ export class RouteConnectionHandler {
     });
     
     try {
-      // Call the handler with socket AND context
-      const result = route.action.socketHandler(socket, routeContext);
+      // Call the handler with the appropriate socket (extract underlying if needed)
+      const handlerSocket = getUnderlyingSocket(socket);
+      const result = route.action.socketHandler(handlerSocket, routeContext);
       
       // Handle async handlers properly
       if (result instanceof Promise) {
@@ -917,112 +1078,12 @@ export class RouteConnectionHandler {
     }
   }
 
-  /**
-   * Setup improved error handling for the outgoing connection
-   */
-  private setupOutgoingErrorHandler(
-    connectionId: string,
-    targetSocket: plugins.net.Socket, 
-    record: IConnectionRecord,
-    socket: plugins.net.Socket,
-    finalTargetHost: string,
-    finalTargetPort: number
-  ): void {
-    targetSocket.once('error', (err) => {
-      // This handler runs only once during the initial connection phase
-      const code = (err as any).code;
-      logger.log('error', 
-        `Connection setup error for ${connectionId} to ${finalTargetHost}:${finalTargetPort}: ${err.message} (${code})`, 
-        {
-          connectionId,
-          targetHost: finalTargetHost,
-          targetPort: finalTargetPort,
-          errorMessage: err.message,
-          errorCode: code,
-          component: 'route-handler'
-        }
-      );
-
-      // Resume the incoming socket to prevent it from hanging
-      socket.resume();
-
-      // Log specific error types for easier debugging
-      if (code === 'ECONNREFUSED') {
-        logger.log('error', 
-          `Connection ${connectionId}: Target ${finalTargetHost}:${finalTargetPort} refused connection. Check if the target service is running and listening on that port.`, 
-          {
-            connectionId,
-            targetHost: finalTargetHost,
-            targetPort: finalTargetPort,
-            recommendation: 'Check if the target service is running and listening on that port.',
-            component: 'route-handler'
-          }
-        );
-      } else if (code === 'ETIMEDOUT') {
-        logger.log('error', 
-          `Connection ${connectionId} to ${finalTargetHost}:${finalTargetPort} timed out. Check network conditions, firewall rules, or if the target is too far away.`, 
-          {
-            connectionId,
-            targetHost: finalTargetHost,
-            targetPort: finalTargetPort,
-            recommendation: 'Check network conditions, firewall rules, or if the target is too far away.',
-            component: 'route-handler'
-          }
-        );
-      } else if (code === 'ECONNRESET') {
-        logger.log('error', 
-          `Connection ${connectionId} to ${finalTargetHost}:${finalTargetPort} was reset. The target might have closed the connection abruptly.`, 
-          {
-            connectionId,
-            targetHost: finalTargetHost,
-            targetPort: finalTargetPort,
-            recommendation: 'The target might have closed the connection abruptly.',
-            component: 'route-handler'
-          }
-        );
-      } else if (code === 'EHOSTUNREACH') {
-        logger.log('error', 
-          `Connection ${connectionId}: Host ${finalTargetHost} is unreachable. Check DNS settings, network routing, or firewall rules.`, 
-          {
-            connectionId,
-            targetHost: finalTargetHost,
-            recommendation: 'Check DNS settings, network routing, or firewall rules.',
-            component: 'route-handler'
-          }
-        );
-      } else if (code === 'ENOTFOUND') {
-        logger.log('error', 
-          `Connection ${connectionId}: DNS lookup failed for ${finalTargetHost}. Check your DNS settings or if the hostname is correct.`, 
-          {
-            connectionId,
-            targetHost: finalTargetHost,
-            recommendation: 'Check your DNS settings or if the hostname is correct.',
-            component: 'route-handler'
-          }
-        );
-      }
-
-      // Clear any existing error handler after connection phase
-      targetSocket.removeAllListeners('error');
-
-      // Re-add the normal error handler for established connections
-      targetSocket.on('error', this.connectionManager.handleError('outgoing', record));
-
-      if (record.outgoingTerminationReason === null) {
-        record.outgoingTerminationReason = 'connection_failed';
-        this.connectionManager.incrementTerminationStat('outgoing', 'connection_failed');
-      }
-
-      // Clean up the connection
-      this.connectionManager.initiateCleanupOnce(record, `connection_failed_${code}`);
-    });
-  }
 
   /**
    * Sets up a direct connection to the target
    */
   private setupDirectConnection(
-    socket: plugins.net.Socket,
+    socket: plugins.net.Socket | WrappedSocket,
     record: IConnectionRecord,
     serverName?: string,
     initialChunk?: Buffer,
@@ -1073,8 +1134,245 @@ export class RouteConnectionHandler {
       record.pendingDataSize = initialChunk.length;
     }
 
-    // Create the target socket
-    const targetSocket = plugins.net.connect(connectionOptions);
+    // Create the target socket with immediate error handling
+    const targetSocket = createSocketWithErrorHandler({
+      port: finalTargetPort,
+      host: finalTargetHost,
+      timeout: this.settings.connectionTimeout || 30000, // Connection timeout (default: 30s)
+      onError: (error) => {
+        // Connection failed - clean up everything immediately
+        // Check if connection record is still valid (client might have disconnected)
+        if (record.connectionClosed) {
+          logger.log('debug', `Backend connection failed but client already disconnected for ${connectionId}`, {
+            connectionId,
+            errorCode: (error as any).code,
+            component: 'route-handler'
+          });
+          return;
+        }
+        
+        logger.log('error', 
+          `Connection setup error for ${connectionId} to ${finalTargetHost}:${finalTargetPort}: ${error.message} (${(error as any).code})`, 
+          {
+            connectionId,
+            targetHost: finalTargetHost,
+            targetPort: finalTargetPort,
+            errorMessage: error.message,
+            errorCode: (error as any).code,
+            component: 'route-handler'
+          }
+        );
+        
+        // Log specific error types for easier debugging
+        if ((error as any).code === 'ECONNREFUSED') {
+          logger.log('error', 
+            `Connection ${connectionId}: Target ${finalTargetHost}:${finalTargetPort} refused connection. Check if the target service is running and listening on that port.`, 
+            {
+              connectionId,
+              targetHost: finalTargetHost,
+              targetPort: finalTargetPort,
+              recommendation: 'Check if the target service is running and listening on that port.',
+              component: 'route-handler'
+            }
+          );
+        }
+        
+        // Resume the incoming socket to prevent it from hanging
+        if (socket && !socket.destroyed) {
+          socket.resume();
+        }
+        
+        // Clean up the incoming socket
+        if (socket && !socket.destroyed) {
+          socket.destroy();
+        }
+        
+        // Clean up the connection record - this is critical!
+        this.connectionManager.cleanupConnection(record, `connection_failed_${(error as any).code || 'unknown'}`);
+      },
+      onConnect: async () => {
+        if (this.settings.enableDetailedLogging) {
+          logger.log('info', `Connection ${connectionId} established to target ${finalTargetHost}:${finalTargetPort}`, {
+            connectionId,
+            targetHost: finalTargetHost,
+            targetPort: finalTargetPort,
+            component: 'route-handler'
+          });
+        }
+        
+        // Clear any error listeners added by createSocketWithErrorHandler
+        targetSocket.removeAllListeners('error');
+        
+        // Add the normal error handler for established connections
+        targetSocket.on('error', this.connectionManager.handleError('outgoing', record));
+        
+        // Check if we should send PROXY protocol header
+        const shouldSendProxyProtocol = record.routeConfig?.action?.sendProxyProtocol || 
+                                       this.settings.sendProxyProtocol;
+        
+        if (shouldSendProxyProtocol) {
+          try {
+            // Generate PROXY protocol header
+            const proxyInfo = {
+              protocol: (record.remoteIP.includes(':') ? 'TCP6' : 'TCP4') as 'TCP4' | 'TCP6',
+              sourceIP: record.remoteIP,
+              sourcePort: record.remotePort || socket.remotePort || 0,
+              destinationIP: socket.localAddress || '',
+              destinationPort: socket.localPort || 0
+            };
+            
+            const proxyHeader = ProxyProtocolParser.generate(proxyInfo);
+            
+            // Send PROXY protocol header first
+            await new Promise<void>((resolve, reject) => {
+              targetSocket.write(proxyHeader, (err) => {
+                if (err) {
+                  logger.log('error', `Failed to send PROXY protocol header`, {
+                    connectionId,
+                    error: err.message,
+                    component: 'route-handler'
+                  });
+                  reject(err);
+                } else {
+                  logger.log('info', `PROXY protocol header sent to backend`, {
+                    connectionId,
+                    targetHost: finalTargetHost,
+                    targetPort: finalTargetPort,
+                    sourceIP: proxyInfo.sourceIP,
+                    sourcePort: proxyInfo.sourcePort,
+                    component: 'route-handler'
+                  });
+                  resolve();
+                }
+              });
+            });
+          } catch (error) {
+            logger.log('error', `Error sending PROXY protocol header`, {
+              connectionId,
+              error: error.message,
+              component: 'route-handler'
+            });
+            // Continue anyway - don't break the connection
+          }
+        }
+        
+        // Flush any pending data to target
+        if (record.pendingData.length > 0) {
+          const combinedData = Buffer.concat(record.pendingData);
+
+          if (this.settings.enableDetailedLogging) {
+            console.log(
+              `[${connectionId}] Forwarding ${combinedData.length} bytes of initial data to target`
+            );
+          }
+
+          // Write pending data immediately
+          targetSocket.write(combinedData, (err) => {
+            if (err) {
+              logger.log('error', `Error writing pending data to target for connection ${connectionId}: ${err.message}`, {
+                connectionId,
+                error: err.message,
+                component: 'route-handler'
+              });
+              return this.connectionManager.cleanupConnection(record, 'write_error');
+            }
+          });
+
+          // Clear the buffer now that we've processed it
+          record.pendingData = [];
+          record.pendingDataSize = 0;
+        }
+
+        // Use centralized bidirectional forwarding setup
+        // Extract underlying sockets for socket-utils functions
+        const incomingSocket = getUnderlyingSocket(socket);
+        
+        setupBidirectionalForwarding(incomingSocket, targetSocket, {
+          onClientData: (chunk) => {
+            record.bytesReceived += chunk.length;
+            this.timeoutManager.updateActivity(record);
+          },
+          onServerData: (chunk) => {
+            record.bytesSent += chunk.length;
+            this.timeoutManager.updateActivity(record);
+          },
+          onCleanup: (reason) => {
+            this.connectionManager.cleanupConnection(record, reason);
+          },
+          enableHalfOpen: false // Default: close both when one closes (required for proxy chains)
+        });
+        
+        // Apply timeouts if keep-alive is enabled
+        if (record.hasKeepAlive) {
+          socket.setTimeout(this.settings.socketTimeout || 3600000);
+          targetSocket.setTimeout(this.settings.socketTimeout || 3600000);
+        }
+
+        // Log successful connection
+        logger.log('info', 
+          `Connection established: ${record.remoteIP} -> ${finalTargetHost}:${finalTargetPort}` +
+          `${serverName ? ` (SNI: ${serverName})` : record.lockedDomain ? ` (Domain: ${record.lockedDomain})` : ''}`, 
+          {
+            remoteIP: record.remoteIP,
+            targetHost: finalTargetHost,
+            targetPort: finalTargetPort,
+            sni: serverName || undefined,
+            domain: !serverName && record.lockedDomain ? record.lockedDomain : undefined,
+            component: 'route-handler'
+          }
+        );
+
+        // Add TLS renegotiation handler if needed
+        if (serverName) {
+          // Create connection info object for the existing connection
+          const connInfo = {
+            sourceIp: record.remoteIP,
+            sourcePort: record.incoming.remotePort || 0,
+            destIp: record.incoming.localAddress || '',
+            destPort: record.incoming.localPort || 0,
+          };
+
+          // Create a renegotiation handler function
+          const renegotiationHandler = this.tlsManager.createRenegotiationHandler(
+            connectionId,
+            serverName,
+            connInfo,
+            (_connectionId, reason) => this.connectionManager.cleanupConnection(record, reason)
+          );
+
+          // Store the handler in the connection record so we can remove it during cleanup
+          record.renegotiationHandler = renegotiationHandler;
+
+          // Add the handler to the socket
+          socket.on('data', renegotiationHandler);
+
+          if (this.settings.enableDetailedLogging) {
+            logger.log('info', `TLS renegotiation handler installed for connection ${connectionId} with SNI ${serverName}`, {
+              connectionId,
+              serverName,
+              component: 'route-handler'
+            });
+          }
+        }
+
+        // Set connection timeout
+        record.cleanupTimer = this.timeoutManager.setupConnectionTimeout(record, (record, reason) => {
+          logger.log('warn', `Connection ${connectionId} from ${record.remoteIP} exceeded max lifetime, forcing cleanup`, {
+            connectionId,
+            remoteIP: record.remoteIP,
+            component: 'route-handler'
+          });
+          this.connectionManager.cleanupConnection(record, reason);
+        });
+
+        // Mark TLS handshake as complete for TLS connections
+        if (record.isTLS) {
+          record.tlsHandshakeComplete = true;
+        }
+      }
+    });
+    
+    // Set outgoing socket immediately so it can be cleaned up if client disconnects
     record.outgoing = targetSocket;
     record.outgoingStartTime = Date.now();
 
@@ -1107,13 +1405,6 @@ export class RouteConnectionHandler {
       }
     }
 
-    // Setup improved error handling for outgoing connection
-    this.setupOutgoingErrorHandler(connectionId, targetSocket, record, socket, finalTargetHost, finalTargetPort);
-
-    // Setup close handlers
-    targetSocket.on('close', this.connectionManager.handleClose('outgoing', record));
-    socket.on('close', this.connectionManager.handleClose('incoming', record));
-    
     // Setup error handlers for incoming socket
     socket.on('error', this.connectionManager.handleError('incoming', record));
 
@@ -1142,7 +1433,7 @@ export class RouteConnectionHandler {
         record.incomingTerminationReason = 'timeout';
         this.connectionManager.incrementTerminationStat('incoming', 'timeout');
       }
-      this.connectionManager.initiateCleanupOnce(record, 'timeout_incoming');
+      this.connectionManager.cleanupConnection(record, 'timeout_incoming');
     });
 
     targetSocket.on('timeout', () => {
@@ -1169,133 +1460,10 @@ export class RouteConnectionHandler {
         record.outgoingTerminationReason = 'timeout';
         this.connectionManager.incrementTerminationStat('outgoing', 'timeout');
       }
-      this.connectionManager.initiateCleanupOnce(record, 'timeout_outgoing');
+      this.connectionManager.cleanupConnection(record, 'timeout_outgoing');
     });
 
     // Apply socket timeouts
     this.timeoutManager.applySocketTimeouts(record);
-
-    // Track outgoing data for bytes counting
-    targetSocket.on('data', (chunk: Buffer) => {
-      record.bytesSent += chunk.length;
-      this.timeoutManager.updateActivity(record);
-    });
-
-    // Wait for the outgoing connection to be ready before setting up piping
-    targetSocket.once('connect', () => {
-      if (this.settings.enableDetailedLogging) {
-        logger.log('info', `Connection ${connectionId} established to target ${finalTargetHost}:${finalTargetPort}`, {
-          connectionId,
-          targetHost: finalTargetHost,
-          targetPort: finalTargetPort,
-          component: 'route-handler'
-        });
-      }
-
-      // Clear the initial connection error handler
-      targetSocket.removeAllListeners('error');
-
-      // Add the normal error handler for established connections
-      targetSocket.on('error', this.connectionManager.handleError('outgoing', record));
-
-      // Flush any pending data to target
-      if (record.pendingData.length > 0) {
-        const combinedData = Buffer.concat(record.pendingData);
-
-        if (this.settings.enableDetailedLogging) {
-          console.log(
-            `[${connectionId}] Forwarding ${combinedData.length} bytes of initial data to target`
-          );
-        }
-
-        // Write pending data immediately
-        targetSocket.write(combinedData, (err) => {
-          if (err) {
-            logger.log('error', `Error writing pending data to target for connection ${connectionId}: ${err.message}`, {
-              connectionId,
-              error: err.message,
-              component: 'route-handler'
-            });
-            return this.connectionManager.initiateCleanupOnce(record, 'write_error');
-          }
-        });
-
-        // Clear the buffer now that we've processed it
-        record.pendingData = [];
-        record.pendingDataSize = 0;
-      }
-
-      // Immediately setup bidirectional piping - much simpler than manual data management
-      socket.pipe(targetSocket);
-      targetSocket.pipe(socket);
-
-      // Track incoming data for bytes counting - do this after piping is set up
-      socket.on('data', (chunk: Buffer) => {
-        record.bytesReceived += chunk.length;
-        this.timeoutManager.updateActivity(record);
-      });
-
-      // Log successful connection
-      logger.log('info', 
-        `Connection established: ${record.remoteIP} -> ${finalTargetHost}:${finalTargetPort}` +
-        `${serverName ? ` (SNI: ${serverName})` : record.lockedDomain ? ` (Domain: ${record.lockedDomain})` : ''}`, 
-        {
-          remoteIP: record.remoteIP,
-          targetHost: finalTargetHost,
-          targetPort: finalTargetPort,
-          sni: serverName || undefined,
-          domain: !serverName && record.lockedDomain ? record.lockedDomain : undefined,
-          component: 'route-handler'
-        }
-      );
-
-      // Add TLS renegotiation handler if needed
-      if (serverName) {
-        // Create connection info object for the existing connection
-        const connInfo = {
-          sourceIp: record.remoteIP,
-          sourcePort: record.incoming.remotePort || 0,
-          destIp: record.incoming.localAddress || '',
-          destPort: record.incoming.localPort || 0,
-        };
-
-        // Create a renegotiation handler function
-        const renegotiationHandler = this.tlsManager.createRenegotiationHandler(
-          connectionId,
-          serverName,
-          connInfo,
-          (_connectionId, reason) => this.connectionManager.initiateCleanupOnce(record, reason)
-        );
-
-        // Store the handler in the connection record so we can remove it during cleanup
-        record.renegotiationHandler = renegotiationHandler;
-
-        // Add the handler to the socket
-        socket.on('data', renegotiationHandler);
-
-        if (this.settings.enableDetailedLogging) {
-          logger.log('info', `TLS renegotiation handler installed for connection ${connectionId} with SNI ${serverName}`, {
-            connectionId,
-            serverName,
-            component: 'route-handler'
-          });
-        }
-      }
-
-      // Set connection timeout
-      record.cleanupTimer = this.timeoutManager.setupConnectionTimeout(record, (record, reason) => {
-        logger.log('warn', `Connection ${connectionId} from ${record.remoteIP} exceeded max lifetime, forcing cleanup`, {
-          connectionId,
-          remoteIP: record.remoteIP,
-          component: 'route-handler'
-        });
-        this.connectionManager.initiateCleanupOnce(record, reason);
-      });
-
-      // Mark TLS handshake as complete for TLS connections
-      if (record.isTLS) {
-        record.tlsHandshakeComplete = true;
-      }
-    });
   }
 }

ts/proxies/smart-proxy/route-manager.ts

@@ -1,554 +0,0 @@
-import * as plugins from '../../plugins.js';
-import type {
-  IRouteConfig,
-  IRouteMatch,
-  IRouteAction,
-  TPortRange
-} from './models/route-types.js';
-import type {
-  ISmartProxyOptions
-} from './models/interfaces.js';
-
-/**
- * Result of route matching
- */
-export interface IRouteMatchResult {
-  route: IRouteConfig;
-  // Additional match parameters (path, query, etc.)
-  params?: Record<string, string>;
-}
-
-/**
- * The RouteManager handles all routing decisions based on connections and attributes
- */
-export class RouteManager extends plugins.EventEmitter {
-  private routes: IRouteConfig[] = [];
-  private portMap: Map<number, IRouteConfig[]> = new Map();
-  private options: ISmartProxyOptions;
-  
-  constructor(options: ISmartProxyOptions) {
-    super();
-    
-    // Store options
-    this.options = options;
-    
-    // Initialize routes from either source
-    this.updateRoutes(this.options.routes);
-  }
-  
-  /**
-   * Update routes with new configuration
-   */
-  public updateRoutes(routes: IRouteConfig[] = []): void {
-    // Sort routes by priority (higher first)
-    this.routes = [...(routes || [])].sort((a, b) => {
-      const priorityA = a.priority ?? 0;
-      const priorityB = b.priority ?? 0;
-      return priorityB - priorityA;
-    });
-    
-    // Rebuild port mapping for fast lookups
-    this.rebuildPortMap();
-  }
-  
-  /**
-   * Rebuild the port mapping for fast lookups
-   * Also logs information about the ports being listened on
-   */
-  private rebuildPortMap(): void {
-    this.portMap.clear();
-    this.portRangeCache.clear(); // Clear cache when rebuilding
-
-    // Track ports for logging
-    const portToRoutesMap = new Map<number, string[]>();
-
-    for (const route of this.routes) {
-      const ports = this.expandPortRange(route.match.ports);
-
-      // Skip if no ports were found
-      if (ports.length === 0) {
-        console.warn(`Route ${route.name || 'unnamed'} has no valid ports to listen on`);
-        continue;
-      }
-
-      for (const port of ports) {
-        // Add to portMap for routing
-        if (!this.portMap.has(port)) {
-          this.portMap.set(port, []);
-        }
-        this.portMap.get(port)!.push(route);
-
-        // Add to tracking for logging
-        if (!portToRoutesMap.has(port)) {
-          portToRoutesMap.set(port, []);
-        }
-        portToRoutesMap.get(port)!.push(route.name || 'unnamed');
-      }
-    }
-
-    // Log summary of ports and routes
-    const totalPorts = this.portMap.size;
-    const totalRoutes = this.routes.length;
-    console.log(`Route manager configured with ${totalRoutes} routes across ${totalPorts} ports`);
-
-    // Log port details if detailed logging is enabled
-    const enableDetailedLogging = this.options.enableDetailedLogging;
-    if (enableDetailedLogging) {
-      for (const [port, routes] of this.portMap.entries()) {
-        console.log(`Port ${port}: ${routes.length} routes (${portToRoutesMap.get(port)!.join(', ')})`);
-      }
-    }
-  }
-  
-  /**
-   * Expand a port range specification into an array of individual ports
-   * Uses caching to improve performance for frequently used port ranges
-   *
-   * @public - Made public to allow external code to interpret port ranges
-   */
-  public expandPortRange(portRange: TPortRange): number[] {
-    // For simple number, return immediately
-    if (typeof portRange === 'number') {
-      return [portRange];
-    }
-
-    // Create a cache key for this port range
-    const cacheKey = JSON.stringify(portRange);
-
-    // Check if we have a cached result
-    if (this.portRangeCache.has(cacheKey)) {
-      return this.portRangeCache.get(cacheKey)!;
-    }
-
-    // Process the port range
-    let result: number[] = [];
-
-    if (Array.isArray(portRange)) {
-      // Handle array of port objects or numbers
-      result = portRange.flatMap(item => {
-        if (typeof item === 'number') {
-          return [item];
-        } else if (typeof item === 'object' && 'from' in item && 'to' in item) {
-          // Handle port range object - check valid range
-          if (item.from > item.to) {
-            console.warn(`Invalid port range: from (${item.from}) > to (${item.to})`);
-            return [];
-          }
-
-          // Handle port range object
-          const ports: number[] = [];
-          for (let p = item.from; p <= item.to; p++) {
-            ports.push(p);
-          }
-          return ports;
-        }
-        return [];
-      });
-    }
-
-    // Cache the result
-    this.portRangeCache.set(cacheKey, result);
-
-    return result;
-  }
-  
-  /**
-   * Memoization cache for expanded port ranges
-   */
-  private portRangeCache: Map<string, number[]> = new Map();
-
-  /**
-   * Get all ports that should be listened on
-   * This method automatically infers all required ports from route configurations
-   */
-  public getListeningPorts(): number[] {
-    // Return the unique set of ports from all routes
-    return Array.from(this.portMap.keys());
-  }
-  
-  /**
-   * Get all routes for a given port
-   */
-  public getRoutesForPort(port: number): IRouteConfig[] {
-    return this.portMap.get(port) || [];
-  }
-  
-  /**
-   * Get all routes
-   */
-  public getAllRoutes(): IRouteConfig[] {
-    return [...this.routes];
-  }
-  
-  /**
-   * Test if a pattern matches a domain using glob matching
-   */
-  private matchDomain(pattern: string, domain: string): boolean {
-    // Convert glob pattern to regex
-    const regexPattern = pattern
-      .replace(/\./g, '\\.')    // Escape dots
-      .replace(/\*/g, '.*');    // Convert * to .*
-    
-    const regex = new RegExp(`^${regexPattern}$`, 'i');
-    return regex.test(domain);
-  }
-  
-  /**
-   * Match a domain against all patterns in a route
-   */
-  private matchRouteDomain(route: IRouteConfig, domain: string): boolean {
-    if (!route.match.domains) {
-      // If no domains specified, match all domains
-      return true;
-    }
-    
-    const patterns = Array.isArray(route.match.domains) 
-      ? route.match.domains 
-      : [route.match.domains];
-    
-    return patterns.some(pattern => this.matchDomain(pattern, domain));
-  }
-  
-  /**
-   * Check if a client IP is allowed by a route's security settings
-   * @deprecated Security is now checked in route-connection-handler.ts after route matching
-   */
-  private isClientIpAllowed(route: IRouteConfig, clientIp: string): boolean {
-    const security = route.security;
-    
-    if (!security) {
-      return true; // No security settings means allowed
-    }
-    
-    // Check blocked IPs first
-    if (security.ipBlockList && security.ipBlockList.length > 0) {
-      for (const pattern of security.ipBlockList) {
-        if (this.matchIpPattern(pattern, clientIp)) {
-          return false; // IP is blocked
-        }
-      }
-    }
-    
-    // If there are allowed IPs, check them
-    if (security.ipAllowList && security.ipAllowList.length > 0) {
-      for (const pattern of security.ipAllowList) {
-        if (this.matchIpPattern(pattern, clientIp)) {
-          return true; // IP is allowed
-        }
-      }
-      return false; // IP not in allowed list
-    }
-    
-    // No allowed IPs specified, so IP is allowed
-    return true;
-  }
-  
-  /**
-   * Match an IP against a pattern
-   */
-  private matchIpPattern(pattern: string, ip: string): boolean {
-    // Normalize IPv6-mapped IPv4 addresses
-    const normalizedIp = ip.startsWith('::ffff:') ? ip.substring(7) : ip;
-    const normalizedPattern = pattern.startsWith('::ffff:') ? pattern.substring(7) : pattern;
-    
-    // Handle exact match with normalized addresses
-    if (pattern === ip || normalizedPattern === normalizedIp || 
-        pattern === normalizedIp || normalizedPattern === ip) {
-      return true;
-    }
-    
-    // Handle CIDR notation (e.g., 192.168.1.0/24)
-    if (pattern.includes('/')) {
-      return this.matchIpCidr(pattern, normalizedIp) || 
-             (normalizedPattern !== pattern && this.matchIpCidr(normalizedPattern, normalizedIp));
-    }
-    
-    // Handle glob pattern (e.g., 192.168.1.*)
-    if (pattern.includes('*')) {
-      const regexPattern = pattern.replace(/\./g, '\\.').replace(/\*/g, '.*');
-      const regex = new RegExp(`^${regexPattern}$`);
-      if (regex.test(ip) || regex.test(normalizedIp)) {
-        return true;
-      }
-      
-      // If pattern was normalized, also test with normalized pattern
-      if (normalizedPattern !== pattern) {
-        const normalizedRegexPattern = normalizedPattern.replace(/\./g, '\\.').replace(/\*/g, '.*');
-        const normalizedRegex = new RegExp(`^${normalizedRegexPattern}$`);
-        return normalizedRegex.test(ip) || normalizedRegex.test(normalizedIp);
-      }
-    }
-    
-    return false;
-  }
-  
-  /**
-   * Match an IP against a CIDR pattern
-   */
-  private matchIpCidr(cidr: string, ip: string): boolean {
-    try {
-      // In a real implementation, you'd use a proper IP library
-      // This is a simplified implementation
-      const [subnet, bits] = cidr.split('/');
-      const mask = parseInt(bits, 10);
-      
-      // Normalize IPv6-mapped IPv4 addresses
-      const normalizedIp = ip.startsWith('::ffff:') ? ip.substring(7) : ip;
-      const normalizedSubnet = subnet.startsWith('::ffff:') ? subnet.substring(7) : subnet;
-      
-      // Convert IP addresses to numeric values
-      const ipNum = this.ipToNumber(normalizedIp);
-      const subnetNum = this.ipToNumber(normalizedSubnet);
-      
-      // Calculate subnet mask
-      const maskNum = ~(2 ** (32 - mask) - 1);
-      
-      // Check if IP is in subnet
-      return (ipNum & maskNum) === (subnetNum & maskNum);
-    } catch (e) {
-      console.error(`Error matching IP ${ip} against CIDR ${cidr}:`, e);
-      return false;
-    }
-  }
-  
-  /**
-   * Convert an IP address to a numeric value
-   */
-  private ipToNumber(ip: string): number {
-    // Normalize IPv6-mapped IPv4 addresses
-    const normalizedIp = ip.startsWith('::ffff:') ? ip.substring(7) : ip;
-    
-    const parts = normalizedIp.split('.').map(part => parseInt(part, 10));
-    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3];
-  }
-  
-  /**
-   * Find the matching route for a connection
-   */
-  public findMatchingRoute(options: {
-    port: number;
-    domain?: string;
-    clientIp: string;
-    path?: string;
-    tlsVersion?: string;
-    skipDomainCheck?: boolean;
-  }): IRouteMatchResult | null {
-    const { port, domain, clientIp, path, tlsVersion, skipDomainCheck } = options;
-    
-    // Get all routes for this port
-    const routesForPort = this.getRoutesForPort(port);
-    
-    // Find the first matching route based on priority order
-    for (const route of routesForPort) {
-      // Check domain match
-      // If the route has domain restrictions and we have a domain to check
-      if (route.match.domains && !skipDomainCheck) {
-        // If no domain was provided (non-TLS or no SNI), this route doesn't match
-        if (!domain) {
-          continue;
-        }
-        // If domain is provided but doesn't match the route's domains, skip
-        if (!this.matchRouteDomain(route, domain)) {
-          continue;
-        }
-      }
-      // If route has no domain restrictions, it matches all domains
-      // If skipDomainCheck is true, we skip domain validation for HTTP connections
-      
-      // Check path match if specified in both route and request
-      if (path && route.match.path) {
-        if (!this.matchPath(route.match.path, path)) {
-          continue;
-        }
-      }
-      
-      // Check client IP match
-      if (route.match.clientIp && !route.match.clientIp.some(pattern => 
-        this.matchIpPattern(pattern, clientIp))) {
-        continue;
-      }
-      
-      // Check TLS version match
-      if (tlsVersion && route.match.tlsVersion && 
-          !route.match.tlsVersion.includes(tlsVersion)) {
-        continue;
-      }
-      
-      // All checks passed, this route matches
-      // NOTE: Security is checked AFTER route matching in route-connection-handler.ts
-      return { route };
-    }
-    
-    return null;
-  }
-  
-  /**
-   * Match a path against a pattern
-   */
-  private matchPath(pattern: string, path: string): boolean {
-    // Convert the glob pattern to a regex
-    const regexPattern = pattern
-      .replace(/\./g, '\\.')    // Escape dots
-      .replace(/\*/g, '.*')     // Convert * to .*
-      .replace(/\//g, '\\/');   // Escape slashes
-    
-    const regex = new RegExp(`^${regexPattern}$`);
-    return regex.test(path);
-  }
-  
-  /**
-   * Domain-based configuration methods have been removed
-   * as part of the migration to pure route-based configuration
-   */
-  
-  /**
-   * Validate the route configuration and return any warnings
-   */
-  public validateConfiguration(): string[] {
-    const warnings: string[] = [];
-    const duplicatePorts = new Map<number, number>();
-    
-    // Check for routes with the same exact match criteria
-    for (let i = 0; i < this.routes.length; i++) {
-      for (let j = i + 1; j < this.routes.length; j++) {
-        const route1 = this.routes[i];
-        const route2 = this.routes[j];
-        
-        // Check if route match criteria are the same
-        if (this.areMatchesSimilar(route1.match, route2.match)) {
-          warnings.push(
-            `Routes "${route1.name || i}" and "${route2.name || j}" have similar match criteria. ` +
-            `The route with higher priority (${Math.max(route1.priority || 0, route2.priority || 0)}) will be used.`
-          );
-        }
-      }
-    }
-    
-    // Check for routes that may never be matched due to priority
-    for (let i = 0; i < this.routes.length; i++) {
-      const route = this.routes[i];
-      const higherPriorityRoutes = this.routes.filter(r => 
-        (r.priority || 0) > (route.priority || 0));
-      
-      for (const higherRoute of higherPriorityRoutes) {
-        if (this.isRouteShadowed(route, higherRoute)) {
-          warnings.push(
-            `Route "${route.name || i}" may never be matched because it is shadowed by ` +
-            `higher priority route "${higherRoute.name || 'unnamed'}"`
-          );
-          break;
-        }
-      }
-    }
-    
-    return warnings;
-  }
-  
-  /**
-   * Check if two route matches are similar (potential conflict)
-   */
-  private areMatchesSimilar(match1: IRouteMatch, match2: IRouteMatch): boolean {
-    // Check port overlap
-    const ports1 = new Set(this.expandPortRange(match1.ports));
-    const ports2 = new Set(this.expandPortRange(match2.ports));
-    
-    let havePortOverlap = false;
-    for (const port of ports1) {
-      if (ports2.has(port)) {
-        havePortOverlap = true;
-        break;
-      }
-    }
-    
-    if (!havePortOverlap) {
-      return false;
-    }
-    
-    // Check domain overlap
-    if (match1.domains && match2.domains) {
-      const domains1 = Array.isArray(match1.domains) ? match1.domains : [match1.domains];
-      const domains2 = Array.isArray(match2.domains) ? match2.domains : [match2.domains];
-      
-      // Check if any domain pattern from match1 could match any from match2
-      let haveDomainOverlap = false;
-      for (const domain1 of domains1) {
-        for (const domain2 of domains2) {
-          if (domain1 === domain2 || 
-              (domain1.includes('*') || domain2.includes('*'))) {
-            haveDomainOverlap = true;
-            break;
-          }
-        }
-        if (haveDomainOverlap) break;
-      }
-      
-      if (!haveDomainOverlap) {
-        return false;
-      }
-    } else if (match1.domains || match2.domains) {
-      // One has domains, the other doesn't - they could overlap
-      // The one with domains is more specific, so it's not exactly a conflict
-      return false;
-    }
-    
-    // Check path overlap
-    if (match1.path && match2.path) {
-      // This is a simplified check - in a real implementation,
-      // you'd need to check if the path patterns could match the same paths
-      return match1.path === match2.path || 
-             match1.path.includes('*') || 
-             match2.path.includes('*');
-    } else if (match1.path || match2.path) {
-      // One has a path, the other doesn't
-      return false;
-    }
-    
-    // If we get here, the matches have significant overlap
-    return true;
-  }
-  
-  /**
-   * Check if a route is completely shadowed by a higher priority route
-   */
-  private isRouteShadowed(route: IRouteConfig, higherPriorityRoute: IRouteConfig): boolean {
-    // If they don't have similar match criteria, no shadowing occurs
-    if (!this.areMatchesSimilar(route.match, higherPriorityRoute.match)) {
-      return false;
-    }
-    
-    // If higher priority route has more specific criteria, no shadowing
-    if (this.isRouteMoreSpecific(higherPriorityRoute.match, route.match)) {
-      return false;
-    }
-    
-    // If higher priority route is equally or less specific but has higher priority,
-    // it shadows the lower priority route
-    return true;
-  }
-  
-  /**
-   * Check if route1 is more specific than route2
-   */
-  private isRouteMoreSpecific(match1: IRouteMatch, match2: IRouteMatch): boolean {
-    // Check if match1 has more specific criteria
-    let match1Points = 0;
-    let match2Points = 0;
-    
-    // Path is the most specific
-    if (match1.path) match1Points += 3;
-    if (match2.path) match2Points += 3;
-    
-    // Domain is next most specific
-    if (match1.domains) match1Points += 2;
-    if (match2.domains) match2Points += 2;
-    
-    // Client IP and TLS version are least specific
-    if (match1.clientIp) match1Points += 1;
-    if (match2.clientIp) match2Points += 1;
-    
-    if (match1.tlsVersion) match1Points += 1;
-    if (match2.tlsVersion) match2Points += 1;
-    
-    return match1Points > match2Points;
-  }
-}

ts/proxies/smart-proxy/smart-proxy.ts

@@ -8,7 +8,7 @@ import { TlsManager } from './tls-manager.js';
 import { HttpProxyBridge } from './http-proxy-bridge.js';
 import { TimeoutManager } from './timeout-manager.js';
 import { PortManager } from './port-manager.js';
-import { RouteManager } from './route-manager.js';
+import { SharedRouteManager as RouteManager } from '../../core/routing/route-manager.js';
 import { RouteConnectionHandler } from './route-connection-handler.js';
 import { NFTablesManager } from './nftables-manager.js';
 
@@ -27,6 +27,10 @@ import { Mutex } from './utils/mutex.js';
 // Import ACME state manager
 import { AcmeStateManager } from './acme-state-manager.js';
 
+// Import metrics collector
+import { MetricsCollector } from './metrics-collector.js';
+import type { IProxyStats } from './models/metrics-types.js';
+
 /**
  * SmartProxy - Pure route-based API
  *
@@ -47,13 +51,13 @@ export class SmartProxy extends plugins.EventEmitter {
   private isShuttingDown: boolean = false;
   
   // Component managers
-  private connectionManager: ConnectionManager;
+  public connectionManager: ConnectionManager;
   private securityManager: SecurityManager;
   private tlsManager: TlsManager;
   private httpProxyBridge: HttpProxyBridge;
   private timeoutManager: TimeoutManager;
   public routeManager: RouteManager; // Made public for route management
-  private routeConnectionHandler: RouteConnectionHandler;
+  public routeConnectionHandler: RouteConnectionHandler; // Made public for metrics
   private nftablesManager: NFTablesManager;
   
   // Certificate manager for ACME and static certificates
@@ -64,6 +68,9 @@ export class SmartProxy extends plugins.EventEmitter {
   private routeUpdateLock: any = null; // Will be initialized as AsyncMutex
   private acmeStateManager: AcmeStateManager;
   
+  // Metrics collector
+  private metricsCollector: MetricsCollector;
+  
   // Track port usage across route updates
   private portUsageMap: Map<number, Set<string>> = new Map();
   
@@ -162,8 +169,20 @@ export class SmartProxy extends plugins.EventEmitter {
       this.timeoutManager
     );
     
-    // Create the route manager
-    this.routeManager = new RouteManager(this.settings);
+    // Create the route manager with SharedRouteManager API
+    // Create a logger adapter to match ILogger interface
+    const loggerAdapter = {
+      debug: (message: string, data?: any) => logger.log('debug', message, data),
+      info: (message: string, data?: any) => logger.log('info', message, data),
+      warn: (message: string, data?: any) => logger.log('warn', message, data),
+      error: (message: string, data?: any) => logger.log('error', message, data)
+    };
+    
+    this.routeManager = new RouteManager({
+      logger: loggerAdapter,
+      enableDetailedLogging: this.settings.enableDetailedLogging,
+      routes: this.settings.routes
+    });
 
     
     // Create other required components
@@ -192,6 +211,9 @@ export class SmartProxy extends plugins.EventEmitter {
     
     // Initialize ACME state manager
     this.acmeStateManager = new AcmeStateManager();
+    
+    // Initialize metrics collector with reference to this SmartProxy instance
+    this.metricsCollector = new MetricsCollector(this);
   }
   
   /**
@@ -371,6 +393,9 @@ export class SmartProxy extends plugins.EventEmitter {
       logger.log('info', 'Starting certificate provisioning now that ports are ready', { component: 'certificate-manager' });
       await this.certManager.provisionAllCertificates();
     }
+    
+    // Start the metrics collector now that all components are initialized
+    this.metricsCollector.start();
 
     // Set up periodic connection logging and inactivity checks
     this.connectionLogger = setInterval(() => {
@@ -496,6 +521,9 @@ export class SmartProxy extends plugins.EventEmitter {
     
     // Clear ACME state manager
     this.acmeStateManager.clear();
+    
+    // Stop metrics collector
+    this.metricsCollector.stop();
 
     logger.log('info', 'SmartProxy shutdown complete.');
   }
@@ -893,6 +921,15 @@ export class SmartProxy extends plugins.EventEmitter {
     return this.certManager.getCertificateStatus(routeName);
   }
   
+  /**
+   * Get proxy statistics and metrics
+   * 
+   * @returns IProxyStats interface with various metrics methods
+   */
+  public getStats(): IProxyStats {
+    return this.metricsCollector;
+  }
+  
   /**
    * Validates if a domain name is valid for certificate issuance
    */

ts/proxies/smart-proxy/utils/route-utils.ts

@@ -92,6 +92,8 @@ export function mergeRouteConfigs(
   return mergedRoute;
 }
 
+import { DomainMatcher, PathMatcher, HeaderMatcher } from '../../../core/routing/matchers/index.js';
+
 /**
  * Check if a route matches a domain
  * @param route The route to check
@@ -107,14 +109,7 @@ export function routeMatchesDomain(route: IRouteConfig, domain: string): boolean
     ? route.match.domains 
     : [route.match.domains];
   
-  return domains.some(d => {
-    // Handle wildcard domains
-    if (d.startsWith('*.')) {
-      const suffix = d.substring(2);
-      return domain.endsWith(suffix) && domain.split('.').length > suffix.split('.').length;
-    }
-    return d.toLowerCase() === domain.toLowerCase();
-  });
+  return domains.some(d => DomainMatcher.match(d, domain));
 }
 
 /**
@@ -160,28 +155,7 @@ export function routeMatchesPath(route: IRouteConfig, path: string): boolean {
     return true; // No path specified means it matches any path
   }
   
-  // Handle exact path
-  if (route.match.path === path) {
-    return true;
-  }
-  
-  // Handle path prefix with trailing slash (e.g., /api/)
-  if (route.match.path.endsWith('/') && path.startsWith(route.match.path)) {
-    return true;
-  }
-  
-  // Handle exact path match without trailing slash
-  if (!route.match.path.endsWith('/') && path === route.match.path) {
-    return true;
-  }
-  
-  // Handle wildcard paths (e.g., /api/*)
-  if (route.match.path.endsWith('*')) {
-    const prefix = route.match.path.slice(0, -1);
-    return path.startsWith(prefix);
-  }
-  
-  return false;
+  return PathMatcher.match(route.match.path, path).matches;
 }
 
 /**
@@ -198,25 +172,13 @@ export function routeMatchesHeaders(
     return true; // No headers specified means it matches any headers
   }
   
-  // Check each header in the route's match criteria
-  return Object.entries(route.match.headers).every(([key, value]) => {
-    // If the header isn't present in the request, it doesn't match
-    if (!headers[key]) {
-      return false;
-    }
-    
-    // Handle exact match
-    if (typeof value === 'string') {
-      return headers[key] === value;
-    }
-    
-    // Handle regex match
-    if (value instanceof RegExp) {
-      return value.test(headers[key]);
-    }
-    
-    return false;
-  });
+  // Convert RegExp patterns to strings for HeaderMatcher
+  const stringHeaders: Record<string, string> = {};
+  for (const [key, value] of Object.entries(route.match.headers)) {
+    stringHeaders[key] = value instanceof RegExp ? value.source : value;
+  }
+  
+  return HeaderMatcher.matchAll(stringHeaders, headers);
 }
 
 /**

ts/routing/router/http-router.ts

@@ -0,0 +1,266 @@
+import * as plugins from '../../plugins.js';
+import type { IRouteConfig } from '../../proxies/smart-proxy/models/route-types.js';
+import { DomainMatcher, PathMatcher } from '../../core/routing/matchers/index.js';
+
+/**
+ * Interface for router result with additional metadata
+ */
+export interface RouterResult {
+  route: IRouteConfig;
+  pathMatch?: string;
+  pathParams?: Record<string, string>;
+  pathRemainder?: string;
+}
+
+
+/**
+ * Logger interface for HttpRouter
+ */
+export interface ILogger {
+  debug?: (message: string, data?: any) => void;
+  info: (message: string, data?: any) => void;
+  warn: (message: string, data?: any) => void;
+  error: (message: string, data?: any) => void;
+}
+
+/**
+ * Unified HTTP Router for reverse proxy requests
+ * 
+ * Domain matching patterns:
+ * - Exact matches: "example.com"
+ * - Wildcard subdomains: "*.example.com" (matches any subdomain of example.com)
+ * - TLD wildcards: "example.*" (matches example.com, example.org, etc.)
+ * - Complex wildcards: "*.lossless*" (matches any subdomain of any lossless domain)
+ * - Default fallback: "*" (matches any unmatched domain)
+ * 
+ * Path pattern matching:
+ * - Exact path: "/api/users"
+ * - Wildcard paths: "/api/*" 
+ * - Path parameters: "/users/:id/profile"
+ */
+export class HttpRouter {
+  // Store routes sorted by priority
+  private routes: IRouteConfig[] = [];
+  // Default route to use when no match is found (optional)
+  private defaultRoute?: IRouteConfig;
+  // Logger interface
+  private logger: ILogger;
+
+  constructor(
+    routes?: IRouteConfig[],
+    logger?: ILogger
+  ) {
+    this.logger = logger || {
+      error: console.error.bind(console),
+      warn: console.warn.bind(console),
+      info: console.info.bind(console),
+      debug: console.debug?.bind(console)
+    };
+    
+    if (routes) {
+      this.setRoutes(routes);
+    }
+  }
+
+  /**
+   * Sets a new set of routes
+   * @param routes Array of route configurations
+   */
+  public setRoutes(routes: IRouteConfig[]): void {
+    this.routes = [...routes];
+
+    // Sort routes by priority (higher priority first)
+    this.routes.sort((a, b) => {
+      const priorityA = a.priority ?? 0;
+      const priorityB = b.priority ?? 0;
+      return priorityB - priorityA;
+    });
+
+    // Find default route if any (route with "*" as domain)
+    this.defaultRoute = this.routes.find(route => {
+      const domains = Array.isArray(route.match.domains) 
+        ? route.match.domains 
+        : route.match.domains ? [route.match.domains] : [];
+      return domains.includes('*');
+    });
+
+    const uniqueDomains = this.getHostnames();
+    this.logger.info(`HttpRouter initialized with ${this.routes.length} routes (${uniqueDomains.length} unique hosts)`);
+  }
+
+  /**
+   * Routes a request based on hostname and path
+   * @param req The incoming HTTP request
+   * @returns The matching route or undefined if no match found
+   */
+  public routeReq(req: plugins.http.IncomingMessage): IRouteConfig | undefined {
+    const result = this.routeReqWithDetails(req);
+    return result ? result.route : undefined;
+  }
+
+  /**
+   * Routes a request with detailed matching information
+   * @param req The incoming HTTP request
+   * @returns Detailed routing result including matched route and path information
+   */
+  public routeReqWithDetails(req: plugins.http.IncomingMessage): RouterResult | undefined {
+    // Extract and validate host header
+    const originalHost = req.headers.host;
+    if (!originalHost) {
+      this.logger.error('No host header found in request');
+      return this.defaultRoute ? { route: this.defaultRoute } : undefined;
+    }
+    
+    // Parse URL for path matching
+    const parsedUrl = plugins.url.parse(req.url || '/');
+    const urlPath = parsedUrl.pathname || '/';
+    
+    // Extract hostname without port
+    const hostWithoutPort = originalHost.split(':')[0].toLowerCase();
+    
+    // Find matching route
+    const matchingRoute = this.findMatchingRoute(hostWithoutPort, urlPath);
+    
+    if (matchingRoute) {
+      return matchingRoute;
+    }
+    
+    // Fall back to default route if available
+    if (this.defaultRoute) {
+      this.logger.warn(`No specific route found for host: ${hostWithoutPort}, using default`);
+      return { route: this.defaultRoute };
+    }
+    
+    this.logger.error(`No route found for host: ${hostWithoutPort}`);
+    return undefined;
+  }
+
+  /**
+   * Find the best matching route for a given hostname and path
+   */
+  private findMatchingRoute(hostname: string, path: string): RouterResult | undefined {
+    // Try each route in priority order
+    for (const route of this.routes) {
+      // Skip disabled routes
+      if (route.enabled === false) {
+        continue;
+      }
+
+      // Check domain match
+      if (route.match.domains) {
+        const domains = Array.isArray(route.match.domains) 
+          ? route.match.domains 
+          : [route.match.domains];
+        
+        // Check if any domain pattern matches
+        const domainMatches = domains.some(domain => 
+          DomainMatcher.match(domain, hostname)
+        );
+        
+        if (!domainMatches) {
+          continue;
+        }
+      }
+
+      // Check path match if specified
+      if (route.match.path) {
+        const pathResult = PathMatcher.match(route.match.path, path);
+        if (pathResult.matches) {
+          return {
+            route,
+            pathMatch: path,
+            pathParams: pathResult.params,
+            pathRemainder: pathResult.pathRemainder
+          };
+        }
+      } else {
+        // No path specified, so domain match is sufficient
+        return { route };
+      }
+    }
+    
+    return undefined;
+  }
+
+  /**
+   * Gets all currently active route configurations
+   * @returns Array of all active routes
+   */
+  public getRoutes(): IRouteConfig[] {
+    return [...this.routes];
+  }
+
+  /**
+   * Gets all hostnames that this router is configured to handle
+   * @returns Array of unique hostnames
+   */
+  public getHostnames(): string[] {
+    const hostnames = new Set<string>();
+    for (const route of this.routes) {
+      if (!route.match.domains) continue;
+      
+      const domains = Array.isArray(route.match.domains) 
+        ? route.match.domains 
+        : [route.match.domains];
+      
+      for (const domain of domains) {
+        if (domain !== '*') {
+          hostnames.add(domain.toLowerCase());
+        }
+      }
+    }
+    return Array.from(hostnames);
+  }
+
+  /**
+   * Adds a single new route configuration
+   * @param route The route configuration to add
+   */
+  public addRoute(route: IRouteConfig): void {
+    this.routes.push(route);
+    
+    // Re-sort routes by priority
+    this.routes.sort((a, b) => {
+      const priorityA = a.priority ?? 0;
+      const priorityB = b.priority ?? 0;
+      return priorityB - priorityA;
+    });
+  }
+
+  /**
+   * Removes routes by domain pattern
+   * @param domain The domain pattern to remove routes for
+   * @returns Boolean indicating whether any routes were removed
+   */
+  public removeRoutesByDomain(domain: string): boolean {
+    const initialCount = this.routes.length;
+    
+    // Filter out routes that match the domain
+    this.routes = this.routes.filter(route => {
+      if (!route.match.domains) return true;
+      
+      const domains = Array.isArray(route.match.domains) 
+        ? route.match.domains 
+        : [route.match.domains];
+      
+      return !domains.includes(domain);
+    });
+    
+    return this.routes.length !== initialCount;
+  }
+
+  /**
+   * Remove a specific route by reference
+   * @param route The route to remove
+   * @returns Boolean indicating if the route was found and removed
+   */
+  public removeRoute(route: IRouteConfig): boolean {
+    const index = this.routes.indexOf(route);
+    if (index !== -1) {
+      this.routes.splice(index, 1);
+      return true;
+    }
+    return false;
+  }
+
+}

ts/routing/router/index.ts

@@ -2,11 +2,6 @@
  * HTTP routing
  */
 
-// Export selectively to avoid ambiguity between duplicate type names
-export { ProxyRouter } from './proxy-router.js';
-export type { IPathPatternConfig } from './proxy-router.js';
-// Re-export the RouterResult and PathPatternConfig from proxy-router.js (legacy names maintained for compatibility)
-export type { PathPatternConfig as ProxyPathPatternConfig, RouterResult as ProxyRouterResult } from './proxy-router.js';
-
-export { RouteRouter } from './route-router.js';
-export type { PathPatternConfig as RoutePathPatternConfig, RouterResult as RouteRouterResult } from './route-router.js';
+// Export the unified HttpRouter
+export { HttpRouter } from './http-router.js';
+export type { RouterResult, ILogger } from './http-router.js';

ts/routing/router/proxy-router.ts

@@ -1,437 +0,0 @@
-import * as plugins from '../../plugins.js';
-import type { IReverseProxyConfig } from '../../proxies/http-proxy/models/types.js';
-
-/**
- * Optional path pattern configuration that can be added to proxy configs
- */
-export interface PathPatternConfig {
-  pathPattern?: string;
-}
-
-// Backward compatibility
-export type IPathPatternConfig = PathPatternConfig;
-
-/**
- * Interface for router result with additional metadata
- */
-export interface RouterResult {
-  config: IReverseProxyConfig;
-  pathMatch?: string;
-  pathParams?: Record<string, string>;
-  pathRemainder?: string;
-}
-
-// Backward compatibility
-export type IRouterResult = RouterResult;
-
-/**
- * Router for HTTP reverse proxy requests
- * 
- * Supports the following domain matching patterns:
- * - Exact matches: "example.com"
- * - Wildcard subdomains: "*.example.com" (matches any subdomain of example.com)
- * - TLD wildcards: "example.*" (matches example.com, example.org, etc.)
- * - Complex wildcards: "*.lossless*" (matches any subdomain of any lossless domain)
- * - Default fallback: "*" (matches any unmatched domain)
- * 
- * Also supports path pattern matching for each domain:
- * - Exact path: "/api/users"
- * - Wildcard paths: "/api/*" 
- * - Path parameters: "/users/:id/profile"
- */
-export class ProxyRouter {
-  // Store original configs for reference
-  private reverseProxyConfigs: IReverseProxyConfig[] = [];
-  // Default config to use when no match is found (optional)
-  private defaultConfig?: IReverseProxyConfig;
-  // Store path patterns separately since they're not in the original interface
-  private pathPatterns: Map<IReverseProxyConfig, string> = new Map();
-  // Logger interface
-  private logger: {
-    error: (message: string, data?: any) => void;
-    warn: (message: string, data?: any) => void;
-    info: (message: string, data?: any) => void;
-    debug: (message: string, data?: any) => void;
-  };
-
-  constructor(
-    configs?: IReverseProxyConfig[],
-    logger?: {
-      error: (message: string, data?: any) => void;
-      warn: (message: string, data?: any) => void;
-      info: (message: string, data?: any) => void;
-      debug: (message: string, data?: any) => void;
-    }
-  ) {
-    this.logger = logger || console;
-    if (configs) {
-      this.setNewProxyConfigs(configs);
-    }
-  }
-
-  /**
-   * Sets a new set of reverse configs to be routed to
-   * @param reverseCandidatesArg Array of reverse proxy configurations
-   */
-  public setNewProxyConfigs(reverseCandidatesArg: IReverseProxyConfig[]): void {
-    this.reverseProxyConfigs = [...reverseCandidatesArg];
-
-    // Find default config if any (config with "*" as hostname)
-    this.defaultConfig = this.reverseProxyConfigs.find(config => config.hostName === '*');
-
-    this.logger.info(`Router initialized with ${this.reverseProxyConfigs.length} configs (${this.getHostnames().length} unique hosts)`);
-  }
-
-  /**
-   * Routes a request based on hostname and path
-   * @param req The incoming HTTP request
-   * @returns The matching proxy config or undefined if no match found
-   */
-  public routeReq(req: plugins.http.IncomingMessage): IReverseProxyConfig {
-    const result = this.routeReqWithDetails(req);
-    return result ? result.config : undefined;
-  }
-
-  /**
-   * Routes a request with detailed matching information
-   * @param req The incoming HTTP request
-   * @returns Detailed routing result including matched config and path information
-   */
-  public routeReqWithDetails(req: plugins.http.IncomingMessage): RouterResult | undefined {
-    // Extract and validate host header
-    const originalHost = req.headers.host;
-    if (!originalHost) {
-      this.logger.error('No host header found in request');
-      return this.defaultConfig ? { config: this.defaultConfig } : undefined;
-    }
-    
-    // Parse URL for path matching
-    const parsedUrl = plugins.url.parse(req.url || '/');
-    const urlPath = parsedUrl.pathname || '/';
-    
-    // Extract hostname without port
-    const hostWithoutPort = originalHost.split(':')[0].toLowerCase();
-    
-    // First try exact hostname match
-    const exactConfig = this.findConfigForHost(hostWithoutPort, urlPath);
-    if (exactConfig) {
-      return exactConfig;
-    }
-    
-    // Try various wildcard patterns
-    if (hostWithoutPort.includes('.')) {
-      const domainParts = hostWithoutPort.split('.');
-      
-      // Try wildcard subdomain (*.example.com)
-      if (domainParts.length > 2) {
-        const wildcardDomain = `*.${domainParts.slice(1).join('.')}`;
-        const wildcardConfig = this.findConfigForHost(wildcardDomain, urlPath);
-        if (wildcardConfig) {
-          return wildcardConfig;
-        }
-      }
-      
-      // Try TLD wildcard (example.*)
-      const baseDomain = domainParts.slice(0, -1).join('.');
-      const tldWildcardDomain = `${baseDomain}.*`;
-      const tldWildcardConfig = this.findConfigForHost(tldWildcardDomain, urlPath);
-      if (tldWildcardConfig) {
-        return tldWildcardConfig;
-      }
-
-      // Try complex wildcard patterns
-      const wildcardPatterns = this.findWildcardMatches(hostWithoutPort);
-      for (const pattern of wildcardPatterns) {
-        const wildcardConfig = this.findConfigForHost(pattern, urlPath);
-        if (wildcardConfig) {
-          return wildcardConfig;
-        }
-      }
-    }
-    
-    // Fall back to default config if available
-    if (this.defaultConfig) {
-      this.logger.warn(`No specific config found for host: ${hostWithoutPort}, using default`);
-      return { config: this.defaultConfig };
-    }
-    
-    this.logger.error(`No config found for host: ${hostWithoutPort}`);
-    return undefined;
-  }
-  
-  /**
-   * Find potential wildcard patterns that could match a given hostname
-   * Handles complex patterns like "*.lossless*" or other partial matches
-   * @param hostname The hostname to find wildcard matches for
-   * @returns Array of potential wildcard patterns that could match
-   */
-  private findWildcardMatches(hostname: string): string[] {
-    const patterns: string[] = [];
-    const hostnameParts = hostname.split('.');
-    
-    // Find all configured hostnames that contain wildcards
-    const wildcardConfigs = this.reverseProxyConfigs.filter(
-      config => config.hostName.includes('*')
-    );
-    
-    // Extract unique wildcard patterns
-    const wildcardPatterns = [...new Set(
-      wildcardConfigs.map(config => config.hostName.toLowerCase())
-    )];
-    
-    // For each wildcard pattern, check if it could match the hostname
-    // using simplified regex pattern matching
-    for (const pattern of wildcardPatterns) {
-      // Skip the default wildcard '*'
-      if (pattern === '*') continue;
-      
-      // Skip already checked patterns (*.domain.com and domain.*)
-      if (pattern.startsWith('*.') && pattern.indexOf('*', 2) === -1) continue;
-      if (pattern.endsWith('.*') && pattern.indexOf('*') === pattern.length - 1) continue;
-      
-      // Convert wildcard pattern to regex
-      const regexPattern = pattern
-        .replace(/\./g, '\\.')  // Escape dots
-        .replace(/\*/g, '.*');  // Convert * to .* for regex
-      
-      // Create regex object with case insensitive flag
-      const regex = new RegExp(`^${regexPattern}$`, 'i');
-      
-      // If hostname matches this complex pattern, add it to the list
-      if (regex.test(hostname)) {
-        patterns.push(pattern);
-      }
-    }
-    
-    return patterns;
-  }
-
-  /**
-   * Find a config for a specific host and path
-   */
-  private findConfigForHost(hostname: string, path: string): RouterResult | undefined {
-    // Find all configs for this hostname
-    const configs = this.reverseProxyConfigs.filter(
-      config => config.hostName.toLowerCase() === hostname.toLowerCase()
-    );
-    
-    if (configs.length === 0) {
-      return undefined;
-    }
-    
-    // First try configs with path patterns
-    const configsWithPaths = configs.filter(config => this.pathPatterns.has(config));
-    
-    // Sort by path pattern specificity - more specific first
-    configsWithPaths.sort((a, b) => {
-      const aPattern = this.pathPatterns.get(a) || '';
-      const bPattern = this.pathPatterns.get(b) || '';
-      
-      // Exact patterns come before wildcard patterns
-      const aHasWildcard = aPattern.includes('*');
-      const bHasWildcard = bPattern.includes('*');
-      
-      if (aHasWildcard && !bHasWildcard) return 1;
-      if (!aHasWildcard && bHasWildcard) return -1;
-      
-      // Longer patterns are considered more specific
-      return bPattern.length - aPattern.length;
-    });
-    
-    // Check each config with path pattern
-    for (const config of configsWithPaths) {
-      const pathPattern = this.pathPatterns.get(config);
-      if (pathPattern) {
-        const pathMatch = this.matchPath(path, pathPattern);
-        if (pathMatch) {
-          return {
-            config,
-            pathMatch: pathMatch.matched,
-            pathParams: pathMatch.params,
-            pathRemainder: pathMatch.remainder
-          };
-        }
-      }
-    }
-    
-    // If no path pattern matched, use the first config without a path pattern
-    const configWithoutPath = configs.find(config => !this.pathPatterns.has(config));
-    if (configWithoutPath) {
-      return { config: configWithoutPath };
-    }
-    
-    return undefined;
-  }
-  
-  /**
-   * Matches a URL path against a pattern
-   * Supports:
-   * - Exact matches: /users/profile
-   * - Wildcards: /api/* (matches any path starting with /api/)
-   * - Path parameters: /users/:id (captures id as a parameter)
-   * 
-   * @param path The URL path to match
-   * @param pattern The pattern to match against
-   * @returns Match result with params and remainder, or null if no match
-   */
-  private matchPath(path: string, pattern: string): { 
-    matched: string; 
-    params: Record<string, string>; 
-    remainder: string;
-  } | null {
-    // Handle exact match
-    if (path === pattern) {
-      return {
-        matched: pattern,
-        params: {},
-        remainder: ''
-      };
-    }
-    
-    // Handle wildcard match
-    if (pattern.endsWith('/*')) {
-      const prefix = pattern.slice(0, -2);
-      if (path === prefix || path.startsWith(`${prefix}/`)) {
-        return {
-          matched: prefix,
-          params: {},
-          remainder: path.slice(prefix.length)
-        };
-      }
-      return null;
-    }
-    
-    // Handle path parameters
-    const patternParts = pattern.split('/').filter(p => p);
-    const pathParts = path.split('/').filter(p => p);
-    
-    // Too few path parts to match
-    if (pathParts.length < patternParts.length) {
-      return null;
-    }
-    
-    const params: Record<string, string> = {};
-    
-    // Compare each part
-    for (let i = 0; i < patternParts.length; i++) {
-      const patternPart = patternParts[i];
-      const pathPart = pathParts[i];
-      
-      // Handle parameter
-      if (patternPart.startsWith(':')) {
-        const paramName = patternPart.slice(1);
-        params[paramName] = pathPart;
-        continue;
-      }
-      
-      // Handle wildcard at the end
-      if (patternPart === '*' && i === patternParts.length - 1) {
-        break;
-      }
-      
-      // Handle exact match for this part
-      if (patternPart !== pathPart) {
-        return null;
-      }
-    }
-    
-    // Calculate the remainder - the unmatched path parts
-    const remainderParts = pathParts.slice(patternParts.length);
-    const remainder = remainderParts.length ? '/' + remainderParts.join('/') : '';
-    
-    // Calculate the matched path
-    const matchedParts = patternParts.map((part, i) => {
-      return part.startsWith(':') ? pathParts[i] : part;
-    });
-    const matched = '/' + matchedParts.join('/');
-    
-    return {
-      matched,
-      params,
-      remainder
-    };
-  }
-  
-  /**
-   * Gets all currently active proxy configurations
-   * @returns Array of all active configurations
-   */
-  public getProxyConfigs(): IReverseProxyConfig[] {
-    return [...this.reverseProxyConfigs];
-  }
-  
-  /**
-   * Gets all hostnames that this router is configured to handle
-   * @returns Array of hostnames
-   */
-  public getHostnames(): string[] {
-    const hostnames = new Set<string>();
-    for (const config of this.reverseProxyConfigs) {
-      if (config.hostName !== '*') {
-        hostnames.add(config.hostName.toLowerCase());
-      }
-    }
-    return Array.from(hostnames);
-  }
-  
-  /**
-   * Adds a single new proxy configuration
-   * @param config The configuration to add
-   * @param pathPattern Optional path pattern for route matching
-   */
-  public addProxyConfig(
-    config: IReverseProxyConfig,
-    pathPattern?: string
-  ): void {
-    this.reverseProxyConfigs.push(config);
-    
-    // Store path pattern if provided
-    if (pathPattern) {
-      this.pathPatterns.set(config, pathPattern);
-    }
-  }
-  
-  /**
-   * Sets a path pattern for an existing config
-   * @param config The existing configuration
-   * @param pathPattern The path pattern to set
-   * @returns Boolean indicating if the config was found and updated
-   */
-  public setPathPattern(
-    config: IReverseProxyConfig,
-    pathPattern: string
-  ): boolean {
-    const exists = this.reverseProxyConfigs.includes(config);
-    if (exists) {
-      this.pathPatterns.set(config, pathPattern);
-      return true;
-    }
-    return false;
-  }
-  
-  /**
-   * Removes a proxy configuration by hostname
-   * @param hostname The hostname to remove
-   * @returns Boolean indicating whether any configs were removed
-   */
-  public removeProxyConfig(hostname: string): boolean {
-    const initialCount = this.reverseProxyConfigs.length;
-    
-    // Find configs to remove
-    const configsToRemove = this.reverseProxyConfigs.filter(
-      config => config.hostName === hostname
-    );
-    
-    // Remove them from the patterns map
-    for (const config of configsToRemove) {
-      this.pathPatterns.delete(config);
-    }
-    
-    // Filter them out of the configs array
-    this.reverseProxyConfigs = this.reverseProxyConfigs.filter(
-      config => config.hostName !== hostname
-    );
-    
-    return this.reverseProxyConfigs.length !== initialCount;
-  }
-}

ts/routing/router/route-router.ts

@@ -1,482 +0,0 @@
-import * as plugins from '../../plugins.js';
-import type { IRouteConfig } from '../../proxies/smart-proxy/models/route-types.js';
-import type { ILogger } from '../../proxies/http-proxy/models/types.js';
-
-/**
- * Optional path pattern configuration that can be added to proxy configs
- */
-export interface PathPatternConfig {
-  pathPattern?: string;
-}
-
-/**
- * Interface for router result with additional metadata
- */
-export interface RouterResult {
-  route: IRouteConfig;
-  pathMatch?: string;
-  pathParams?: Record<string, string>;
-  pathRemainder?: string;
-}
-
-/**
- * Router for HTTP reverse proxy requests based on route configurations
- * 
- * Supports the following domain matching patterns:
- * - Exact matches: "example.com"
- * - Wildcard subdomains: "*.example.com" (matches any subdomain of example.com)
- * - TLD wildcards: "example.*" (matches example.com, example.org, etc.)
- * - Complex wildcards: "*.lossless*" (matches any subdomain of any lossless domain)
- * - Default fallback: "*" (matches any unmatched domain)
- * 
- * Also supports path pattern matching for each domain:
- * - Exact path: "/api/users"
- * - Wildcard paths: "/api/*" 
- * - Path parameters: "/users/:id/profile"
- */
-export class RouteRouter {
-  // Store original routes for reference
-  private routes: IRouteConfig[] = [];
-  // Default route to use when no match is found (optional)
-  private defaultRoute?: IRouteConfig;
-  // Store path patterns separately since they're not in the original interface
-  private pathPatterns: Map<IRouteConfig, string> = new Map();
-  // Logger interface
-  private logger: ILogger;
-
-  constructor(
-    routes?: IRouteConfig[],
-    logger?: ILogger
-  ) {
-    this.logger = logger || {
-      error: console.error,
-      warn: console.warn,
-      info: console.info,
-      debug: console.debug
-    };
-    
-    if (routes) {
-      this.setRoutes(routes);
-    }
-  }
-
-  /**
-   * Sets a new set of routes to be routed to
-   * @param routes Array of route configurations
-   */
-  public setRoutes(routes: IRouteConfig[]): void {
-    this.routes = [...routes];
-
-    // Sort routes by priority
-    this.routes.sort((a, b) => {
-      const priorityA = a.priority ?? 0;
-      const priorityB = b.priority ?? 0;
-      return priorityB - priorityA;
-    });
-
-    // Find default route if any (route with "*" as domain)
-    this.defaultRoute = this.routes.find(route => {
-      const domains = Array.isArray(route.match.domains) 
-        ? route.match.domains 
-        : [route.match.domains];
-      return domains.includes('*');
-    });
-
-    // Extract path patterns from route match.path
-    for (const route of this.routes) {
-      if (route.match.path) {
-        this.pathPatterns.set(route, route.match.path);
-      }
-    }
-
-    const uniqueDomains = this.getHostnames();
-    this.logger.info(`Router initialized with ${this.routes.length} routes (${uniqueDomains.length} unique hosts)`);
-  }
-
-  /**
-   * Routes a request based on hostname and path
-   * @param req The incoming HTTP request
-   * @returns The matching route or undefined if no match found
-   */
-  public routeReq(req: plugins.http.IncomingMessage): IRouteConfig | undefined {
-    const result = this.routeReqWithDetails(req);
-    return result ? result.route : undefined;
-  }
-
-  /**
-   * Routes a request with detailed matching information
-   * @param req The incoming HTTP request
-   * @returns Detailed routing result including matched route and path information
-   */
-  public routeReqWithDetails(req: plugins.http.IncomingMessage): RouterResult | undefined {
-    // Extract and validate host header
-    const originalHost = req.headers.host;
-    if (!originalHost) {
-      this.logger.error('No host header found in request');
-      return this.defaultRoute ? { route: this.defaultRoute } : undefined;
-    }
-    
-    // Parse URL for path matching
-    const parsedUrl = plugins.url.parse(req.url || '/');
-    const urlPath = parsedUrl.pathname || '/';
-    
-    // Extract hostname without port
-    const hostWithoutPort = originalHost.split(':')[0].toLowerCase();
-    
-    // First try exact hostname match
-    const exactRoute = this.findRouteForHost(hostWithoutPort, urlPath);
-    if (exactRoute) {
-      return exactRoute;
-    }
-    
-    // Try various wildcard patterns
-    if (hostWithoutPort.includes('.')) {
-      const domainParts = hostWithoutPort.split('.');
-      
-      // Try wildcard subdomain (*.example.com)
-      if (domainParts.length > 2) {
-        const wildcardDomain = `*.${domainParts.slice(1).join('.')}`;
-        const wildcardRoute = this.findRouteForHost(wildcardDomain, urlPath);
-        if (wildcardRoute) {
-          return wildcardRoute;
-        }
-      }
-      
-      // Try TLD wildcard (example.*)
-      const baseDomain = domainParts.slice(0, -1).join('.');
-      const tldWildcardDomain = `${baseDomain}.*`;
-      const tldWildcardRoute = this.findRouteForHost(tldWildcardDomain, urlPath);
-      if (tldWildcardRoute) {
-        return tldWildcardRoute;
-      }
-
-      // Try complex wildcard patterns
-      const wildcardPatterns = this.findWildcardMatches(hostWithoutPort);
-      for (const pattern of wildcardPatterns) {
-        const wildcardRoute = this.findRouteForHost(pattern, urlPath);
-        if (wildcardRoute) {
-          return wildcardRoute;
-        }
-      }
-    }
-    
-    // Fall back to default route if available
-    if (this.defaultRoute) {
-      this.logger.warn(`No specific route found for host: ${hostWithoutPort}, using default`);
-      return { route: this.defaultRoute };
-    }
-    
-    this.logger.error(`No route found for host: ${hostWithoutPort}`);
-    return undefined;
-  }
-  
-  /**
-   * Find potential wildcard patterns that could match a given hostname
-   * Handles complex patterns like "*.lossless*" or other partial matches
-   * @param hostname The hostname to find wildcard matches for
-   * @returns Array of potential wildcard patterns that could match
-   */
-  private findWildcardMatches(hostname: string): string[] {
-    const patterns: string[] = [];
-    
-    // Find all routes with wildcard domains
-    for (const route of this.routes) {
-      if (!route.match.domains) continue;
-      
-      const domains = Array.isArray(route.match.domains) 
-        ? route.match.domains 
-        : [route.match.domains];
-      
-      // Filter to only wildcard domains
-      const wildcardDomains = domains.filter(domain => domain.includes('*'));
-      
-      // Convert each wildcard domain to a regex pattern and check if it matches
-      for (const domain of wildcardDomains) {
-        // Skip the default wildcard '*'
-        if (domain === '*') continue;
-        
-        // Skip already checked patterns (*.domain.com and domain.*)
-        if (domain.startsWith('*.') && domain.indexOf('*', 2) === -1) continue;
-        if (domain.endsWith('.*') && domain.indexOf('*') === domain.length - 1) continue;
-        
-        // Convert wildcard pattern to regex
-        const regexPattern = domain
-          .replace(/\./g, '\\.')  // Escape dots
-          .replace(/\*/g, '.*');  // Convert * to .* for regex
-        
-        // Create regex object with case insensitive flag
-        const regex = new RegExp(`^${regexPattern}$`, 'i');
-        
-        // If hostname matches this complex pattern, add it to the list
-        if (regex.test(hostname)) {
-          patterns.push(domain);
-        }
-      }
-    }
-    
-    return patterns;
-  }
-
-  /**
-   * Find a route for a specific host and path
-   */
-  private findRouteForHost(hostname: string, path: string): RouterResult | undefined {
-    // Find all routes for this hostname
-    const matchingRoutes = this.routes.filter(route => {
-      if (!route.match.domains) return false;
-      
-      const domains = Array.isArray(route.match.domains) 
-        ? route.match.domains 
-        : [route.match.domains];
-      
-      return domains.some(domain => domain.toLowerCase() === hostname.toLowerCase());
-    });
-    
-    if (matchingRoutes.length === 0) {
-      return undefined;
-    }
-    
-    // First try routes with path patterns
-    const routesWithPaths = matchingRoutes.filter(route => this.pathPatterns.has(route));
-    
-    // Already sorted by priority during setRoutes
-    
-    // Check each route with path pattern
-    for (const route of routesWithPaths) {
-      const pathPattern = this.pathPatterns.get(route);
-      if (pathPattern) {
-        const pathMatch = this.matchPath(path, pathPattern);
-        if (pathMatch) {
-          return {
-            route,
-            pathMatch: pathMatch.matched,
-            pathParams: pathMatch.params,
-            pathRemainder: pathMatch.remainder
-          };
-        }
-      }
-    }
-    
-    // If no path pattern matched, use the first route without a path pattern
-    const routeWithoutPath = matchingRoutes.find(route => !this.pathPatterns.has(route));
-    if (routeWithoutPath) {
-      return { route: routeWithoutPath };
-    }
-    
-    return undefined;
-  }
-  
-  /**
-   * Matches a URL path against a pattern
-   * Supports:
-   * - Exact matches: /users/profile
-   * - Wildcards: /api/* (matches any path starting with /api/)
-   * - Path parameters: /users/:id (captures id as a parameter)
-   * 
-   * @param path The URL path to match
-   * @param pattern The pattern to match against
-   * @returns Match result with params and remainder, or null if no match
-   */
-  private matchPath(path: string, pattern: string): { 
-    matched: string; 
-    params: Record<string, string>; 
-    remainder: string;
-  } | null {
-    // Handle exact match
-    if (path === pattern) {
-      return {
-        matched: pattern,
-        params: {},
-        remainder: ''
-      };
-    }
-    
-    // Handle wildcard match
-    if (pattern.endsWith('/*')) {
-      const prefix = pattern.slice(0, -2);
-      if (path === prefix || path.startsWith(`${prefix}/`)) {
-        return {
-          matched: prefix,
-          params: {},
-          remainder: path.slice(prefix.length)
-        };
-      }
-      return null;
-    }
-    
-    // Handle path parameters
-    const patternParts = pattern.split('/').filter(p => p);
-    const pathParts = path.split('/').filter(p => p);
-    
-    // Too few path parts to match
-    if (pathParts.length < patternParts.length) {
-      return null;
-    }
-    
-    const params: Record<string, string> = {};
-    
-    // Compare each part
-    for (let i = 0; i < patternParts.length; i++) {
-      const patternPart = patternParts[i];
-      const pathPart = pathParts[i];
-      
-      // Handle parameter
-      if (patternPart.startsWith(':')) {
-        const paramName = patternPart.slice(1);
-        params[paramName] = pathPart;
-        continue;
-      }
-      
-      // Handle wildcard at the end
-      if (patternPart === '*' && i === patternParts.length - 1) {
-        break;
-      }
-      
-      // Handle exact match for this part
-      if (patternPart !== pathPart) {
-        return null;
-      }
-    }
-    
-    // Calculate the remainder - the unmatched path parts
-    const remainderParts = pathParts.slice(patternParts.length);
-    const remainder = remainderParts.length ? '/' + remainderParts.join('/') : '';
-    
-    // Calculate the matched path
-    const matchedParts = patternParts.map((part, i) => {
-      return part.startsWith(':') ? pathParts[i] : part;
-    });
-    const matched = '/' + matchedParts.join('/');
-    
-    return {
-      matched,
-      params,
-      remainder
-    };
-  }
-  
-  /**
-   * Gets all currently active route configurations
-   * @returns Array of all active routes
-   */
-  public getRoutes(): IRouteConfig[] {
-    return [...this.routes];
-  }
-  
-  /**
-   * Gets all hostnames that this router is configured to handle
-   * @returns Array of hostnames
-   */
-  public getHostnames(): string[] {
-    const hostnames = new Set<string>();
-    for (const route of this.routes) {
-      if (!route.match.domains) continue;
-      
-      const domains = Array.isArray(route.match.domains) 
-        ? route.match.domains 
-        : [route.match.domains];
-      
-      for (const domain of domains) {
-        if (domain !== '*') {
-          hostnames.add(domain.toLowerCase());
-        }
-      }
-    }
-    return Array.from(hostnames);
-  }
-  
-  /**
-   * Adds a single new route configuration
-   * @param route The route configuration to add
-   */
-  public addRoute(route: IRouteConfig): void {
-    this.routes.push(route);
-    
-    // Store path pattern if present
-    if (route.match.path) {
-      this.pathPatterns.set(route, route.match.path);
-    }
-    
-    // Re-sort routes by priority
-    this.routes.sort((a, b) => {
-      const priorityA = a.priority ?? 0;
-      const priorityB = b.priority ?? 0;
-      return priorityB - priorityA;
-    });
-  }
-  
-  /**
-   * Removes routes by domain pattern
-   * @param domain The domain pattern to remove routes for
-   * @returns Boolean indicating whether any routes were removed
-   */
-  public removeRoutesByDomain(domain: string): boolean {
-    const initialCount = this.routes.length;
-    
-    // Find routes to remove
-    const routesToRemove = this.routes.filter(route => {
-      if (!route.match.domains) return false;
-      
-      const domains = Array.isArray(route.match.domains) 
-        ? route.match.domains 
-        : [route.match.domains];
-      
-      return domains.includes(domain);
-    });
-    
-    // Remove them from the patterns map
-    for (const route of routesToRemove) {
-      this.pathPatterns.delete(route);
-    }
-    
-    // Filter them out of the routes array
-    this.routes = this.routes.filter(route => {
-      if (!route.match.domains) return true;
-      
-      const domains = Array.isArray(route.match.domains) 
-        ? route.match.domains 
-        : [route.match.domains];
-      
-      return !domains.includes(domain);
-    });
-    
-    return this.routes.length !== initialCount;
-  }
-  
-  /**
-   * Legacy method for compatibility with ProxyRouter
-   * Converts IReverseProxyConfig to IRouteConfig and calls setRoutes
-   * 
-   * @param configs Array of legacy proxy configurations
-   */
-  public setNewProxyConfigs(configs: any[]): void {
-    // Convert legacy configs to routes and add them
-    const routes: IRouteConfig[] = configs.map(config => {
-      // Create a basic route configuration from the legacy config
-      return {
-        match: {
-          ports: config.destinationPorts[0], // Just use the first port
-          domains: config.hostName
-        },
-        action: {
-          type: 'forward',
-          target: {
-            host: config.destinationIps,
-            port: config.destinationPorts[0]
-          },
-          tls: {
-            mode: 'terminate',
-            certificate: {
-              key: config.privateKey,
-              cert: config.publicKey
-            }
-          }
-        },
-        name: `Legacy Config - ${config.hostName}`,
-        enabled: true
-      };
-    });
-    
-    this.setRoutes(routes);
-  }
-}