fix(security): critical security and stability fixes

.serena/project.yml

@@ -0,0 +1,68 @@
+# language of the project (csharp, python, rust, java, typescript, go, cpp, or ruby)
+#  * For C, use cpp
+#  * For JavaScript, use typescript
+# Special requirements:
+#  * csharp: Requires the presence of a .sln file in the project folder.
+language: typescript
+
+# whether to use the project's gitignore file to ignore files
+# Added on 2025-04-07
+ignore_all_files_in_gitignore: true
+# list of additional paths to ignore
+# same syntax as gitignore, so you can use * and **
+# Was previously called `ignored_dirs`, please update your config if you are using that.
+# Added (renamed)on 2025-04-07
+ignored_paths: []
+
+# whether the project is in read-only mode
+# If set to true, all editing tools will be disabled and attempts to use them will result in an error
+# Added on 2025-04-18
+read_only: false
+
+
+# list of tool names to exclude. We recommend not excluding any tools, see the readme for more details.
+# Below is the complete list of tools for convenience.
+# To make sure you have the latest list of tools, and to view their descriptions, 
+# execute `uv run scripts/print_tool_overview.py`.
+#
+#  * `activate_project`: Activates a project by name.
+#  * `check_onboarding_performed`: Checks whether project onboarding was already performed.
+#  * `create_text_file`: Creates/overwrites a file in the project directory.
+#  * `delete_lines`: Deletes a range of lines within a file.
+#  * `delete_memory`: Deletes a memory from Serena's project-specific memory store.
+#  * `execute_shell_command`: Executes a shell command.
+#  * `find_referencing_code_snippets`: Finds code snippets in which the symbol at the given location is referenced.
+#  * `find_referencing_symbols`: Finds symbols that reference the symbol at the given location (optionally filtered by type).
+#  * `find_symbol`: Performs a global (or local) search for symbols with/containing a given name/substring (optionally filtered by type).
+#  * `get_current_config`: Prints the current configuration of the agent, including the active and available projects, tools, contexts, and modes.
+#  * `get_symbols_overview`: Gets an overview of the top-level symbols defined in a given file.
+#  * `initial_instructions`: Gets the initial instructions for the current project.
+#     Should only be used in settings where the system prompt cannot be set,
+#     e.g. in clients you have no control over, like Claude Desktop.
+#  * `insert_after_symbol`: Inserts content after the end of the definition of a given symbol.
+#  * `insert_at_line`: Inserts content at a given line in a file.
+#  * `insert_before_symbol`: Inserts content before the beginning of the definition of a given symbol.
+#  * `list_dir`: Lists files and directories in the given directory (optionally with recursion).
+#  * `list_memories`: Lists memories in Serena's project-specific memory store.
+#  * `onboarding`: Performs onboarding (identifying the project structure and essential tasks, e.g. for testing or building).
+#  * `prepare_for_new_conversation`: Provides instructions for preparing for a new conversation (in order to continue with the necessary context).
+#  * `read_file`: Reads a file within the project directory.
+#  * `read_memory`: Reads the memory with the given name from Serena's project-specific memory store.
+#  * `remove_project`: Removes a project from the Serena configuration.
+#  * `replace_lines`: Replaces a range of lines within a file with new content.
+#  * `replace_symbol_body`: Replaces the full definition of a symbol.
+#  * `restart_language_server`: Restarts the language server, may be necessary when edits not through Serena happen.
+#  * `search_for_pattern`: Performs a search for a pattern in the project.
+#  * `summarize_changes`: Provides instructions for summarizing the changes made to the codebase.
+#  * `switch_modes`: Activates modes by providing a list of their names
+#  * `think_about_collected_information`: Thinking tool for pondering the completeness of collected information.
+#  * `think_about_task_adherence`: Thinking tool for determining whether the agent is still on track with the current task.
+#  * `think_about_whether_you_are_done`: Thinking tool for determining whether the task is truly completed.
+#  * `write_memory`: Writes a named memory (for future reference) to Serena's project-specific memory store.
+excluded_tools: []
+
+# initial prompt for the project. It will always be given to the LLM upon activating the project
+# (contrary to the memories, which are loaded on demand).
+initial_prompt: ""
+
+project_name: "smartproxy"

certs/static-route/meta.json

@@ -1,5 +1,5 @@
 {
-  "expiryDate": "2025-10-20T11:32:30.675Z",
+  "expiryDate": "2025-11-12T14:20:10.043Z",
-  "issueDate": "2025-07-22T11:32:30.675Z",
+  "issueDate": "2025-08-14T14:20:10.043Z",
-  "savedAt": "2025-07-22T11:32:30.675Z"
+  "savedAt": "2025-08-14T14:20:10.044Z"
 }

changelog.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## 2025-08-14 - 21.1.4 - fix(security)
+Critical security and stability fixes
+
+- Fixed critical socket.emit override vulnerability that was breaking TLS connections
+- Implemented comprehensive socket cleanup with new socket tracker utility
+- Improved code organization by extracting RouteOrchestrator from SmartProxy
+- Fixed IPv6 loopback detection for proper IPv6 support
+- Added memory bounds to prevent unbounded collection growth
+- Fixed certificate manager race conditions with proper synchronization
+- Unreferenced long-lived timers to prevent process hanging
+- Enhanced route validation for socket-handler actions
+- Fixed header parsing when extractFullHeaders option is enabled
+
 ## 2025-07-22 - 21.1.1 - fix(detection)
 Fix SNI detection in TLS detector
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "21.1.3",
+  "version": "21.1.4",
   "private": false,
   "description": "A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",
@@ -19,7 +19,8 @@
     "@git.zone/tsrun": "^1.2.44",
     "@git.zone/tstest": "^2.3.1",
     "@types/node": "^22.15.29",
-    "typescript": "^5.8.3"
+    "typescript": "^5.8.3",
+    "why-is-node-running": "^3.2.2"
   },
   "dependencies": {
     "@push.rocks/lik": "^6.2.2",

pnpm-lock.yaml

@@ -78,6 +78,9 @@ importers:
       typescript:
         specifier: ^5.8.3
         version: 5.8.3
+      why-is-node-running:
+        specifier: ^3.2.2
+        version: 3.2.2
 
 packages:
 
@@ -4096,6 +4099,11 @@ packages:
     engines: {node: ^18.17.0 || >=20.5.0}
     hasBin: true
 
+  why-is-node-running@3.2.2:
+    resolution: {integrity: sha512-NKUzAelcoCXhXL4dJzKIwXeR8iEVqsA0Lq6Vnd0UXvgaKbzVo4ZTHROF2Jidrv+SgxOQ03fMinnNhzZATxOD3A==}
+    engines: {node: '>=20.11'}
+    hasBin: true
+
   winston-transport@4.9.0:
     resolution: {integrity: sha512-8drMJ4rkgaPo1Me4zD/3WLfI/zPdA9o2IipKODunnGDcuqbHwjsbB79ylv04LCGGzU0xQ6vTznOMpQGaLhhm6A==}
     engines: {node: '>= 12.0.0'}
@@ -10082,6 +10090,8 @@ snapshots:
     dependencies:
       isexe: 3.1.1
 
+  why-is-node-running@3.2.2: {}
+
   winston-transport@4.9.0:
     dependencies:
       logform: 2.7.0

ts/core/models/socket-augmentation.ts

@@ -12,6 +12,11 @@ declare module 'net' {
     getTLSVersion?(): string;  // Returns the TLS version (e.g., 'TLSv1.2', 'TLSv1.3')
     getPeerCertificate?(detailed?: boolean): any;  // Returns the peer's certificate
     getSession?(): Buffer;   // Returns the TLS session data
+    
+    // Connection tracking properties (used by HttpProxy)
+    _connectionId?: string;   // Unique identifier for the connection
+    _remoteIP?: string;       // Remote IP address
+    _realRemoteIP?: string;   // Real remote IP (when proxied)
   }
 }
 

ts/core/utils/socket-tracker.ts

@@ -0,0 +1,63 @@
+/**
+ * Socket Tracker Utility
+ * Provides standardized socket cleanup with proper listener and timer management
+ */
+
+import type { Socket } from 'net';
+
+export type SocketTracked = {
+  cleanup: () => void;
+  addListener: <E extends string>(event: E, listener: (...args: any[]) => void) => void;
+  addTimer: (t: NodeJS.Timeout | null | undefined) => void;
+  safeDestroy: (reason?: Error) => void;
+};
+
+/**
+ * Create a socket tracker to manage listeners and timers
+ * Ensures proper cleanup and prevents memory leaks
+ */
+export function createSocketTracker(socket: Socket): SocketTracked {
+  const listeners: Array<{ event: string; listener: (...args: any[]) => void }> = [];
+  const timers: NodeJS.Timeout[] = [];
+  let cleaned = false;
+
+  const addListener = (event: string, listener: (...args: any[]) => void) => {
+    socket.on(event, listener);
+    listeners.push({ event, listener });
+  };
+
+  const addTimer = (t: NodeJS.Timeout | null | undefined) => {
+    if (!t) return;
+    timers.push(t);
+    // Unref timer so it doesn't keep process alive
+    if (typeof t.unref === 'function') {
+      t.unref();
+    }
+  };
+
+  const cleanup = () => {
+    if (cleaned) return;
+    cleaned = true;
+    
+    // Clear all tracked timers
+    for (const t of timers) {
+      clearTimeout(t);
+    }
+    timers.length = 0;
+    
+    // Remove all tracked listeners
+    for (const { event, listener } of listeners) {
+      socket.off(event, listener);
+    }
+    listeners.length = 0;
+  };
+
+  const safeDestroy = (reason?: Error) => {
+    cleanup();
+    if (!socket.destroyed) {
+      socket.destroy(reason);
+    }
+  };
+
+  return { cleanup, addListener, addTimer, safeDestroy };
+}

ts/detection/detectors/http-detector.ts

@@ -11,6 +11,7 @@ import type { THttpMethod } from '../../protocols/http/index.js';
 import { QuickProtocolDetector } from './quick-detector.js';
 import { RoutingExtractor } from './routing-extractor.js';
 import { DetectionFragmentManager } from '../utils/fragment-manager.js';
+import { HttpParser } from '../../protocols/http/parser.js';
 
 /**
  * Simplified HTTP detector
@@ -56,6 +57,17 @@ export class HttpDetector implements IProtocolDetector {
     // Extract routing information
     const routing = RoutingExtractor.extract(buffer, 'http');
     
+    // Extract headers if requested and we have complete headers
+    let headers: Record<string, string> | undefined;
+    if (options?.extractFullHeaders && isComplete) {
+      const headerSection = buffer.slice(0, headersEnd).toString();
+      const lines = headerSection.split('\r\n');
+      if (lines.length > 1) {
+        // Skip the request line and parse headers
+        headers = HttpParser.parseHeaders(lines.slice(1));
+      }
+    }
+    
     // If we don't need full headers and we have complete headers, we can return early
     if (quickResult.confidence >= 95 && !options?.extractFullHeaders && isComplete) {
       return {
@@ -76,7 +88,8 @@ export class HttpDetector implements IProtocolDetector {
         protocol: 'http',
         domain: routing?.domain,
         path: routing?.path,
-        method: quickResult.metadata?.method as THttpMethod
+        method: quickResult.metadata?.method as THttpMethod,
+        headers: headers
       },
       isComplete,
       bytesNeeded: isComplete ? undefined : buffer.length + 512 // Need more for headers

ts/detection/protocol-detector.ts

@@ -233,6 +233,7 @@ export class ProtocolDetector {
   
   private destroyInstance(): void {
     this.fragmentManager.destroy();
+    this.connectionProtocols.clear();
   }
   
   /**

ts/proxies/http-proxy/http-proxy.ts

@@ -35,7 +35,7 @@ export class HttpProxy implements IMetricsTracker {
   public routes: IRouteConfig[] = [];
 
   // Server instances (HTTP/2 with HTTP/1 fallback)
-  public httpsServer: any;
+  public httpsServer: plugins.http2.Http2SecureServer;
 
   // Core components
   private certificateManager: CertificateManager;
@@ -196,8 +196,9 @@ export class HttpProxy implements IMetricsTracker {
       this.options.keepAliveTimeout = keepAliveTimeout;
       
       if (this.httpsServer) {
-        this.httpsServer.keepAliveTimeout = keepAliveTimeout;
+        // HTTP/2 servers have setTimeout method for timeout management
-        this.logger.info(`Updated keep-alive timeout to ${keepAliveTimeout}ms`);
+        this.httpsServer.setTimeout(keepAliveTimeout);
+        this.logger.info(`Updated server timeout to ${keepAliveTimeout}ms`);
       }
     }
     
@@ -249,18 +250,19 @@ export class HttpProxy implements IMetricsTracker {
     this.setupConnectionTracking();
 
     // Handle incoming HTTP/2 streams
-    this.httpsServer.on('stream', (stream: any, headers: any) => {
+    this.httpsServer.on('stream', (stream: plugins.http2.ServerHttp2Stream, headers: plugins.http2.IncomingHttpHeaders) => {
       this.requestHandler.handleHttp2(stream, headers);
     });
     // Handle HTTP/1.x fallback requests
-    this.httpsServer.on('request', (req: any, res: any) => {
+    this.httpsServer.on('request', (req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse) => {
       this.requestHandler.handleRequest(req, res);
     });
 
     // Share server with certificate manager for dynamic contexts
-    this.certificateManager.setHttpsServer(this.httpsServer);
+    // Cast to https.Server as Http2SecureServer is compatible for certificate contexts
+    this.certificateManager.setHttpsServer(this.httpsServer as any);
     // Setup WebSocket support on HTTP/1 fallback
-    this.webSocketHandler.initialize(this.httpsServer);
+    this.webSocketHandler.initialize(this.httpsServer as any);
     // Start metrics logging
     this.setupMetricsCollection();
     // Start periodic connection pool cleanup
@@ -275,6 +277,21 @@ export class HttpProxy implements IMetricsTracker {
     });
   }
 
+  /**
+   * Check if an address is a loopback address (IPv4 or IPv6)
+   */
+  private isLoopback(addr?: string): boolean {
+    if (!addr) return false;
+    // Check for IPv6 loopback
+    if (addr === '::1') return true;
+    // Handle IPv6-mapped IPv4 addresses
+    if (addr.startsWith('::ffff:')) {
+      addr = addr.substring(7);
+    }
+    // Check for IPv4 loopback range (127.0.0.0/8)
+    return addr.startsWith('127.');
+  }
+
   /**
    * Sets up tracking of TCP connections
    */
@@ -282,30 +299,47 @@ export class HttpProxy implements IMetricsTracker {
     this.httpsServer.on('connection', (connection: plugins.net.Socket) => {
       let remoteIP = connection.remoteAddress || '';
       const connectionId = Math.random().toString(36).substring(2, 15);
-      const isFromSmartProxy = this.options.portProxyIntegration && connection.remoteAddress?.includes('127.0.0.1');
+      const isFromSmartProxy = this.options.portProxyIntegration && this.isLoopback(connection.remoteAddress);
       
       // For SmartProxy connections, wait for CLIENT_IP header
       if (isFromSmartProxy) {
-        let headerBuffer = Buffer.alloc(0);
+        const MAX_PREFACE = 256; // bytes - prevent DoS
-        let headerParsed = false;
+        const HEADER_TIMEOUT_MS = 500; // timeout for header parsing
+        let headerTimer: NodeJS.Timeout | undefined;
+        let buffered = Buffer.alloc(0);
 
-        const parseHeader = (data: Buffer) => {
+        const onData = (chunk: Buffer) => {
-          if (headerParsed) return data;
+          buffered = Buffer.concat([buffered, chunk]);
           
-          headerBuffer = Buffer.concat([headerBuffer, data]);
+          // Prevent unbounded growth
-          const headerStr = headerBuffer.toString();
+          if (buffered.length > MAX_PREFACE) {
-          const headerEnd = headerStr.indexOf('\r\n');
+            connection.removeListener('data', onData);
+            if (headerTimer) clearTimeout(headerTimer);
+            this.logger.warn('Header preface too large, closing connection');
+            connection.destroy();
+            return;
+          }
           
-          if (headerEnd !== -1) {
+          const idx = buffered.indexOf('\r\n');
-            const header = headerStr.substring(0, headerEnd);
+          if (idx !== -1) {
-            if (header.startsWith('CLIENT_IP:')) {
+            const headerLine = buffered.slice(0, idx).toString('utf8');
-              remoteIP = header.substring(10); // Extract IP after "CLIENT_IP:"
+            if (headerLine.startsWith('CLIENT_IP:')) {
+              remoteIP = headerLine.substring(10).trim();
               this.logger.debug(`Extracted client IP from SmartProxy: ${remoteIP}`);
             }
-            headerParsed = true;
+            
+            // Clean up listener and timer
+            connection.removeListener('data', onData);
+            if (headerTimer) clearTimeout(headerTimer);
+            
+            // Put remaining data back onto the stream
+            const remaining = buffered.slice(idx + 2);
+            if (remaining.length > 0) {
+              connection.unshift(remaining);
+            }
             
             // Store the real IP on the connection
-            (connection as any)._realRemoteIP = remoteIP;
+            connection._realRemoteIP = remoteIP;
             
             // Validate the real IP
             const ipValidation = this.securityManager.validateIP(remoteIP);
@@ -318,35 +352,26 @@ export class HttpProxy implements IMetricsTracker {
                 remoteIP
               );
               connection.destroy();
-              return null;
+              return;
             }
             
             // Track connection by real IP
             this.securityManager.trackConnectionByIP(remoteIP, connectionId);
-            
-            // Return remaining data after header
-            return headerBuffer.slice(headerEnd + 2);
           }
-          return null;
         };
 
-        // Override the first data handler to parse header
+        // Set timeout for header parsing
-        const originalEmit = connection.emit;
+        headerTimer = setTimeout(() => {
-        connection.emit = function(event: string, ...args: any[]) {
+          connection.removeListener('data', onData);
-          if (event === 'data' && !headerParsed) {
+          this.logger.warn('Header parsing timeout, closing connection');
-            const remaining = parseHeader(args[0]);
+          connection.destroy();
-            if (remaining && remaining.length > 0) {
+        }, HEADER_TIMEOUT_MS);
-              // Call original emit with remaining data
+        
-              return originalEmit.apply(connection, ['data', remaining]);
+        // Unref the timer so it doesn't keep the process alive
-            } else if (headerParsed) {
+        if (headerTimer.unref) headerTimer.unref();
-              // Header parsed but no remaining data
+
-              return true;
+        // Use prependListener to get data first
-            }
+        connection.prependListener('data', onData);
-            // Header not complete yet, suppress this data event
-            return true;
-          }
-          return originalEmit.apply(connection, [event, ...args]);
-        } as any;
       } else {
         // Direct connection - validate immediately
         const ipValidation = this.securityManager.validateIP(remoteIP);
@@ -385,8 +410,8 @@ export class HttpProxy implements IMetricsTracker {
       }
       
       // Add connection to tracking with metadata
-      (connection as any)._connectionId = connectionId;
+      connection._connectionId = connectionId;
-      (connection as any)._remoteIP = remoteIP;
+      connection._remoteIP = remoteIP;
       this.socketMap.add(connection);
       this.connectedClients = this.socketMap.getArray().length;
       
@@ -409,8 +434,8 @@ export class HttpProxy implements IMetricsTracker {
           this.connectedClients = this.socketMap.getArray().length;
           
           // Remove IP tracking
-          const connId = (connection as any)._connectionId;
+          const connId = connection._connectionId;
-          const connIP = (connection as any)._realRemoteIP || (connection as any)._remoteIP;
+          const connIP = connection._realRemoteIP || connection._remoteIP;
           if (connId && connIP) {
             this.securityManager.removeConnectionByIP(connIP, connId);
           }

ts/proxies/smart-proxy/certificate-manager.ts

@@ -110,6 +110,14 @@ export class SmartCertManager {
     this.certProvisionFallbackToAcme = fallback;
   }
   
+  /**
+   * Update the routes array to keep it in sync with SmartProxy
+   * This prevents stale route data when adding/removing challenge routes
+   */
+  public setRoutes(routes: IRouteConfig[]): void {
+    this.routes = routes;
+  }
+  
   /**
    * Set callback for updating routes (used for challenge routes)
    */
@@ -391,15 +399,14 @@ export class SmartCertManager {
       }
       
       // Parse certificate to get dates
-      // Parse certificate to get dates - for now just use defaults
+      const expiryDate = this.extractExpiryDate(cert);
-      // TODO: Implement actual certificate parsing if needed
+      const issueDate = new Date(); // Current date as issue date
-      const certInfo = { validTo: new Date(Date.now() + 90 * 24 * 60 * 60 * 1000), validFrom: new Date() };
       
       const certData: ICertificateData = {
         cert,
         key,
-        expiryDate: certInfo.validTo,
+        expiryDate,
-        issueDate: certInfo.validFrom,
+        issueDate,
         source: 'static'
       };
       
@@ -573,6 +580,8 @@ export class SmartCertManager {
       // With the re-ordering of start(), port binding should already be done
       // This updateRoutes call should just add the route without binding again
       await this.updateRoutesCallback(updatedRoutes);
+      // Keep local routes in sync after updating
+      this.routes = updatedRoutes;
       this.challengeRouteActive = true;
       
       // Register with state manager
@@ -662,6 +671,8 @@ export class SmartCertManager {
     try {
       const filteredRoutes = this.routes.filter(r => r.name !== 'acme-challenge');
       await this.updateRoutesCallback(filteredRoutes);
+      // Keep local routes in sync after updating
+      this.routes = filteredRoutes;
       this.challengeRouteActive = false;
       
       // Remove from state manager
@@ -697,6 +708,11 @@ export class SmartCertManager {
       this.checkAndRenewCertificates();
     }, 12 * 60 * 60 * 1000);
     
+    // Unref the timer so it doesn't keep the process alive
+    if (this.renewalTimer.unref) {
+      this.renewalTimer.unref();
+    }
+    
     // Also do an immediate check
     this.checkAndRenewCertificates();
   }

ts/proxies/smart-proxy/index.ts

@@ -20,6 +20,7 @@ export { HttpProxyBridge } from './http-proxy-bridge.js';
 export { SharedRouteManager as RouteManager } from '../../core/routing/route-manager.js';
 export { RouteConnectionHandler } from './route-connection-handler.js';
 export { NFTablesManager } from './nftables-manager.js';
+export { RouteOrchestrator } from './route-orchestrator.js';
 
 // Export certificate management
 export { SmartCertManager } from './certificate-manager.js';

ts/proxies/smart-proxy/metrics-collector.ts

@@ -33,6 +33,11 @@ export class MetricsCollector implements IMetrics {
   private readonly sampleIntervalMs: number;
   private readonly retentionSeconds: number;
   
+  // Track connection durations for percentile calculations
+  private connectionDurations: number[] = [];
+  private bytesInArray: number[] = [];
+  private bytesOutArray: number[] = [];
+  
   constructor(
     private smartProxy: SmartProxy,
     config?: {
@@ -211,21 +216,39 @@ export class MetricsCollector implements IMetrics {
     }
   };
   
-  // Percentiles implementation (placeholder for now)
+  // Helper to calculate percentiles from an array
+  private calculatePercentile(arr: number[], percentile: number): number {
+    if (arr.length === 0) return 0;
+    const sorted = [...arr].sort((a, b) => a - b);
+    const index = Math.floor((sorted.length - 1) * percentile);
+    return sorted[index];
+  }
+  
+  // Percentiles implementation
   public percentiles = {
     connectionDuration: (): { p50: number; p95: number; p99: number } => {
-      // TODO: Implement percentile calculations
+      return {
-      return { p50: 0, p95: 0, p99: 0 };
+        p50: this.calculatePercentile(this.connectionDurations, 0.5),
+        p95: this.calculatePercentile(this.connectionDurations, 0.95),
+        p99: this.calculatePercentile(this.connectionDurations, 0.99)
+      };
     },
     
     bytesTransferred: (): { 
       in: { p50: number; p95: number; p99: number };
       out: { p50: number; p95: number; p99: number };
     } => {
-      // TODO: Implement percentile calculations
       return {
-        in: { p50: 0, p95: 0, p99: 0 },
+        in: {
-        out: { p50: 0, p95: 0, p99: 0 }
+          p50: this.calculatePercentile(this.bytesInArray, 0.5),
+          p95: this.calculatePercentile(this.bytesInArray, 0.95),
+          p99: this.calculatePercentile(this.bytesInArray, 0.99)
+        },
+        out: {
+          p50: this.calculatePercentile(this.bytesOutArray, 0.5),
+          p95: this.calculatePercentile(this.bytesOutArray, 0.95),
+          p99: this.calculatePercentile(this.bytesOutArray, 0.99)
+        }
       };
     }
   };
@@ -298,6 +321,30 @@ export class MetricsCollector implements IMetrics {
    * Clean up tracking for a closed connection
    */
   public removeConnection(connectionId: string): void {
+    const tracker = this.connectionByteTrackers.get(connectionId);
+    if (tracker) {
+      // Calculate connection duration
+      const duration = Date.now() - tracker.startTime;
+      
+      // Add to arrays for percentile calculations (bounded to prevent memory growth)
+      const MAX_SAMPLES = 5000;
+      
+      this.connectionDurations.push(duration);
+      if (this.connectionDurations.length > MAX_SAMPLES) {
+        this.connectionDurations.shift();
+      }
+      
+      this.bytesInArray.push(tracker.bytesIn);
+      if (this.bytesInArray.length > MAX_SAMPLES) {
+        this.bytesInArray.shift();
+      }
+      
+      this.bytesOutArray.push(tracker.bytesOut);
+      if (this.bytesOutArray.length > MAX_SAMPLES) {
+        this.bytesOutArray.shift();
+      }
+    }
+    
     this.connectionByteTrackers.delete(connectionId);
   }
   
@@ -349,6 +396,11 @@ export class MetricsCollector implements IMetrics {
       }
     }, this.sampleIntervalMs);
     
+    // Unref the interval so it doesn't keep the process alive
+    if (this.samplingInterval.unref) {
+      this.samplingInterval.unref();
+    }
+    
     // Subscribe to new connections
     this.connectionSubscription = this.smartProxy.routeConnectionHandler.newConnectionSubject.subscribe({
       next: (record) => {

ts/proxies/smart-proxy/route-orchestrator.ts

@@ -0,0 +1,297 @@
+import { logger } from '../../core/utils/logger.js';
+import type { IRouteConfig } from './models/route-types.js';
+import type { ILogger } from '../http-proxy/models/types.js';
+import { RouteValidator } from './utils/route-validator.js';
+import { Mutex } from './utils/mutex.js';
+import type { PortManager } from './port-manager.js';
+import type { SharedRouteManager as RouteManager } from '../../core/routing/route-manager.js';
+import type { HttpProxyBridge } from './http-proxy-bridge.js';
+import type { NFTablesManager } from './nftables-manager.js';
+import type { SmartCertManager } from './certificate-manager.js';
+
+/**
+ * Orchestrates route updates and coordination between components
+ * Extracted from SmartProxy to reduce class complexity
+ */
+export class RouteOrchestrator {
+  private routeUpdateLock: Mutex;
+  private portManager: PortManager;
+  private routeManager: RouteManager;
+  private httpProxyBridge: HttpProxyBridge;
+  private nftablesManager: NFTablesManager;
+  private certManager: SmartCertManager | null = null;
+  private logger: ILogger;
+  
+  constructor(
+    portManager: PortManager,
+    routeManager: RouteManager,
+    httpProxyBridge: HttpProxyBridge,
+    nftablesManager: NFTablesManager,
+    certManager: SmartCertManager | null,
+    logger: ILogger
+  ) {
+    this.portManager = portManager;
+    this.routeManager = routeManager;
+    this.httpProxyBridge = httpProxyBridge;
+    this.nftablesManager = nftablesManager;
+    this.certManager = certManager;
+    this.logger = logger;
+    this.routeUpdateLock = new Mutex();
+  }
+  
+  /**
+   * Set or update certificate manager reference
+   */
+  public setCertManager(certManager: SmartCertManager | null): void {
+    this.certManager = certManager;
+  }
+  
+  /**
+   * Get certificate manager reference
+   */
+  public getCertManager(): SmartCertManager | null {
+    return this.certManager;
+  }
+  
+  /**
+   * Update routes with validation and coordination
+   */
+  public async updateRoutes(
+    oldRoutes: IRouteConfig[],
+    newRoutes: IRouteConfig[],
+    options: {
+      acmePort?: number;
+      acmeOptions?: any;
+      acmeState?: any;
+      globalChallengeRouteActive?: boolean;
+      createCertificateManager?: (
+        routes: IRouteConfig[],
+        certStore: string,
+        acmeOptions?: any,
+        initialState?: any
+      ) => Promise<SmartCertManager>;
+      verifyChallengeRouteRemoved?: () => Promise<void>;
+    } = {}
+  ): Promise<{
+    portUsageMap: Map<number, Set<string>>;
+    newChallengeRouteActive: boolean;
+    newCertManager?: SmartCertManager;
+  }> {
+    return this.routeUpdateLock.runExclusive(async () => {
+      // Validate route configurations
+      const validation = RouteValidator.validateRoutes(newRoutes);
+      if (!validation.valid) {
+        RouteValidator.logValidationErrors(validation.errors);
+        throw new Error(`Route validation failed: ${validation.errors.size} route(s) have errors`);
+      }
+      
+      // Track port usage before and after updates
+      const oldPortUsage = this.updatePortUsageMap(oldRoutes);
+      const newPortUsage = this.updatePortUsageMap(newRoutes);
+      
+      // Get the lists of currently listening ports and new ports needed
+      const currentPorts = new Set(this.portManager.getListeningPorts());
+      const newPortsSet = new Set(newPortUsage.keys());
+      
+      // Log the port usage for debugging
+      this.logger.debug(`Current listening ports: ${Array.from(currentPorts).join(', ')}`);
+      this.logger.debug(`Ports needed for new routes: ${Array.from(newPortsSet).join(', ')}`);
+      
+      // Find orphaned ports - ports that no longer have any routes
+      const orphanedPorts = this.findOrphanedPorts(oldPortUsage, newPortUsage);
+      
+      // Find new ports that need binding (only ports that we aren't already listening on)
+      const newBindingPorts = Array.from(newPortsSet).filter(p => !currentPorts.has(p));
+      
+      // Check for ACME challenge port to give it special handling
+      const acmePort = options.acmePort || 80;
+      const acmePortNeeded = newPortsSet.has(acmePort);
+      const acmePortListed = newBindingPorts.includes(acmePort);
+      
+      if (acmePortNeeded && acmePortListed) {
+        this.logger.info(`Adding ACME challenge port ${acmePort} to routes`);
+      }
+      
+      // Update NFTables routes
+      await this.updateNfTablesRoutes(oldRoutes, newRoutes);
+      
+      // Update routes in RouteManager
+      this.routeManager.updateRoutes(newRoutes);
+      
+      // Release orphaned ports first to free resources
+      if (orphanedPorts.length > 0) {
+        this.logger.info(`Releasing ${orphanedPorts.length} orphaned ports: ${orphanedPorts.join(', ')}`);
+        await this.portManager.removePorts(orphanedPorts);
+      }
+      
+      // Add new ports if needed
+      if (newBindingPorts.length > 0) {
+        this.logger.info(`Binding to ${newBindingPorts.length} new ports: ${newBindingPorts.join(', ')}`);
+        
+        // Handle port binding with improved error recovery
+        try {
+          await this.portManager.addPorts(newBindingPorts);
+        } catch (error) {
+          // Special handling for port binding errors
+          if ((error as any).code === 'EADDRINUSE') {
+            const port = (error as any).port || newBindingPorts[0];
+            const isAcmePort = port === acmePort;
+            
+            if (isAcmePort) {
+              this.logger.warn(`Could not bind to ACME challenge port ${port}. It may be in use by another application.`);
+              
+              // Re-throw with more helpful message
+              throw new Error(
+                `ACME challenge port ${port} is already in use by another application. ` +
+                `Configure a different port in settings.acme.port (e.g., 8080) or free up port ${port}.`
+              );
+            }
+          }
+          
+          // Re-throw the original error for other cases
+          throw error;
+        }
+      }
+      
+      // If HttpProxy is initialized, resync the configurations
+      if (this.httpProxyBridge.getHttpProxy()) {
+        await this.httpProxyBridge.syncRoutesToHttpProxy(newRoutes);
+      }
+      
+      // Update certificate manager if needed
+      let newCertManager: SmartCertManager | undefined;
+      let newChallengeRouteActive = options.globalChallengeRouteActive || false;
+      
+      if (this.certManager && options.createCertificateManager) {
+        const existingAcmeOptions = this.certManager.getAcmeOptions();
+        const existingState = this.certManager.getState();
+        
+        // Store global state before stopping
+        newChallengeRouteActive = existingState.challengeRouteActive;
+        
+        // Keep certificate manager routes in sync before stopping
+        this.certManager.setRoutes(newRoutes);
+        
+        await this.certManager.stop();
+        
+        // Verify the challenge route has been properly removed
+        if (options.verifyChallengeRouteRemoved) {
+          await options.verifyChallengeRouteRemoved();
+        }
+        
+        // Create new certificate manager with preserved state
+        newCertManager = await options.createCertificateManager(
+          newRoutes,
+          './certs',
+          existingAcmeOptions,
+          { challengeRouteActive: newChallengeRouteActive }
+        );
+        
+        this.certManager = newCertManager;
+      }
+      
+      return {
+        portUsageMap: newPortUsage,
+        newChallengeRouteActive,
+        newCertManager
+      };
+    });
+  }
+  
+  /**
+   * Update port usage map based on the provided routes
+   */
+  public updatePortUsageMap(routes: IRouteConfig[]): Map<number, Set<string>> {
+    const portUsage = new Map<number, Set<string>>();
+    
+    for (const route of routes) {
+      // Get the ports for this route
+      const portsConfig = Array.isArray(route.match.ports) 
+        ? route.match.ports 
+        : [route.match.ports];
+      
+      // Expand port range objects to individual port numbers
+      const expandedPorts: number[] = [];
+      for (const portConfig of portsConfig) {
+        if (typeof portConfig === 'number') {
+          expandedPorts.push(portConfig);
+        } else if (typeof portConfig === 'object' && 'from' in portConfig && 'to' in portConfig) {
+          // Expand the port range
+          for (let p = portConfig.from; p <= portConfig.to; p++) {
+            expandedPorts.push(p);
+          }
+        }
+      }
+      
+      // Use route name if available, otherwise generate a unique ID
+      const routeName = route.name || `unnamed_${Math.random().toString(36).substring(2, 9)}`;
+      
+      // Add each port to the usage map
+      for (const port of expandedPorts) {
+        if (!portUsage.has(port)) {
+          portUsage.set(port, new Set());
+        }
+        portUsage.get(port)!.add(routeName);
+      }
+    }
+    
+    // Log port usage for debugging
+    for (const [port, routes] of portUsage.entries()) {
+      this.logger.debug(`Port ${port} is used by ${routes.size} routes: ${Array.from(routes).join(', ')}`);
+    }
+    
+    return portUsage;
+  }
+  
+  /**
+   * Find ports that have no routes in the new configuration
+   */
+  private findOrphanedPorts(oldUsage: Map<number, Set<string>>, newUsage: Map<number, Set<string>>): number[] {
+    const orphanedPorts: number[] = [];
+    
+    for (const [port, routes] of oldUsage.entries()) {
+      if (!newUsage.has(port) || newUsage.get(port)!.size === 0) {
+        orphanedPorts.push(port);
+      }
+    }
+    
+    return orphanedPorts;
+  }
+  
+  /**
+   * Update NFTables routes
+   */
+  private async updateNfTablesRoutes(oldRoutes: IRouteConfig[], newRoutes: IRouteConfig[]): Promise<void> {
+    // Get existing routes that use NFTables and update them
+    const oldNfTablesRoutes = oldRoutes.filter(
+      r => r.action.forwardingEngine === 'nftables'
+    );
+    
+    const newNfTablesRoutes = newRoutes.filter(
+      r => r.action.forwardingEngine === 'nftables'
+    );
+    
+    // Update existing NFTables routes
+    for (const oldRoute of oldNfTablesRoutes) {
+      const newRoute = newNfTablesRoutes.find(r => r.name === oldRoute.name);
+      
+      if (!newRoute) {
+        // Route was removed
+        await this.nftablesManager.deprovisionRoute(oldRoute);
+      } else {
+        // Route was updated
+        await this.nftablesManager.updateRoute(oldRoute, newRoute);
+      }
+    }
+    
+    // Add new NFTables routes
+    for (const newRoute of newNfTablesRoutes) {
+      const oldRoute = oldNfTablesRoutes.find(r => r.name === newRoute.name);
+      
+      if (!oldRoute) {
+        // New route
+        await this.nftablesManager.provisionRoute(newRoute);
+      }
+    }
+  }
+}

ts/proxies/smart-proxy/smart-proxy.ts

@@ -25,6 +25,12 @@ import type { IRouteConfig } from './models/route-types.js';
 // Import mutex for route update synchronization
 import { Mutex } from './utils/mutex.js';
 
+// Import route validator
+import { RouteValidator } from './utils/route-validator.js';
+
+// Import route orchestrator for route management
+import { RouteOrchestrator } from './route-orchestrator.js';
+
 // Import ACME state manager
 import { AcmeStateManager } from './acme-state-manager.js';
 
@@ -66,12 +72,15 @@ export class SmartProxy extends plugins.EventEmitter {
   
   // Global challenge route tracking
   private globalChallengeRouteActive: boolean = false;
-  private routeUpdateLock: any = null; // Will be initialized as AsyncMutex
+  private routeUpdateLock: Mutex;
   public acmeStateManager: AcmeStateManager;
   
   // Metrics collector
   public metricsCollector: MetricsCollector;
   
+  // Route orchestrator for managing route updates
+  private routeOrchestrator: RouteOrchestrator;
+  
   // Track port usage across route updates
   private portUsageMap: Map<number, Set<string>> = new Map();
   
@@ -175,6 +184,15 @@ export class SmartProxy extends plugins.EventEmitter {
       error: (message: string, data?: any) => logger.log('error', message, data)
     };
     
+    // Validate initial routes
+    if (this.settings.routes && this.settings.routes.length > 0) {
+      const validation = RouteValidator.validateRoutes(this.settings.routes);
+      if (!validation.valid) {
+        RouteValidator.logValidationErrors(validation.errors);
+        throw new Error(`Initial route validation failed: ${validation.errors.size} route(s) have errors`);
+      }
+    }
+    
     this.routeManager = new RouteManager({
       logger: loggerAdapter,
       enableDetailedLogging: this.settings.enableDetailedLogging,
@@ -206,6 +224,16 @@ export class SmartProxy extends plugins.EventEmitter {
       sampleIntervalMs: this.settings.metrics?.sampleIntervalMs,
       retentionSeconds: this.settings.metrics?.retentionSeconds
     });
+    
+    // Initialize route orchestrator for managing route updates
+    this.routeOrchestrator = new RouteOrchestrator(
+      this.portManager,
+      this.routeManager,
+      this.httpProxyBridge,
+      this.nftablesManager,
+      null, // certManager will be set later
+      loggerAdapter
+    );
   }
   
   /**
@@ -354,8 +382,8 @@ export class SmartProxy extends plugins.EventEmitter {
     // Get listening ports from RouteManager
     const listeningPorts = this.routeManager.getListeningPorts();
 
-    // Initialize port usage tracking
+    // Initialize port usage tracking using RouteOrchestrator
-    this.portUsageMap = this.updatePortUsageMap(this.settings.routes);
+    this.portUsageMap = this.routeOrchestrator.updatePortUsageMap(this.settings.routes);
     
     // Log port usage for startup
     logger.log('info', `SmartProxy starting with ${listeningPorts.length} ports: ${listeningPorts.join(', ')}`, {
@@ -516,7 +544,7 @@ export class SmartProxy extends plugins.EventEmitter {
     logger.log('info', 'All servers closed. Cleaning up active connections...');
 
     // Clean up all active connections
-    this.connectionManager.clearConnections();
+    await this.connectionManager.clearConnections();
 
     // Stop HttpProxy
     await this.httpProxyBridge.stop();
@@ -527,6 +555,10 @@ export class SmartProxy extends plugins.EventEmitter {
     // Stop metrics collector
     this.metricsCollector.stop();
     
+    // Clean up ProtocolDetector singleton
+    const detection = await import('../../detection/index.js');
+    detection.ProtocolDetector.destroy();
+    
     // Flush any pending deduplicated logs
     connectionLogDeduplicator.flushAll();
 
@@ -606,202 +638,46 @@ export class SmartProxy extends plugins.EventEmitter {
       try {
         logger.log('info', `Updating routes (${newRoutes.length} routes)`, { 
           routeCount: newRoutes.length, 
-          component: 'route-manager' 
+          component: 'smart-proxy' 
         });
       } catch (error) {
         // Silently handle logging errors
         console.log(`[INFO] Updating routes (${newRoutes.length} routes)`);
       }
 
-      // Track port usage before and after updates
+      // Update route orchestrator dependencies if cert manager changed
-      const oldPortUsage = this.updatePortUsageMap(this.settings.routes);
+      if (this.certManager && !this.routeOrchestrator.getCertManager()) {
-      const newPortUsage = this.updatePortUsageMap(newRoutes);
+        this.routeOrchestrator.setCertManager(this.certManager);
-      
-      // Get the lists of currently listening ports and new ports needed
-      const currentPorts = new Set(this.portManager.getListeningPorts());
-      const newPortsSet = new Set(newPortUsage.keys());
-      
-      // Log the port usage for debugging
-      try {
-        logger.log('debug', `Current listening ports: ${Array.from(currentPorts).join(', ')}`, {
-          ports: Array.from(currentPorts),
-          component: 'smart-proxy'
-        });
-        
-        logger.log('debug', `Ports needed for new routes: ${Array.from(newPortsSet).join(', ')}`, {
-          ports: Array.from(newPortsSet),
-          component: 'smart-proxy'
-        });
-      } catch (error) {
-        // Silently handle logging errors
-        console.log(`[DEBUG] Current listening ports: ${Array.from(currentPorts).join(', ')}`);
-        console.log(`[DEBUG] Ports needed for new routes: ${Array.from(newPortsSet).join(', ')}`);
       }
       
-      // Find orphaned ports - ports that no longer have any routes
+      // Delegate the complex route update logic to RouteOrchestrator
-      const orphanedPorts = this.findOrphanedPorts(oldPortUsage, newPortUsage);
+      const updateResult = await this.routeOrchestrator.updateRoutes(
-      
+        this.settings.routes,
-      // Find new ports that need binding (only ports that we aren't already listening on)
+        newRoutes,
-      const newBindingPorts = Array.from(newPortsSet).filter(p => !currentPorts.has(p));
+        {
-      
+          acmePort: this.settings.acme?.port || 80,
-      // Check for ACME challenge port to give it special handling
+          acmeOptions: this.certManager?.getAcmeOptions(),
-      const acmePort = this.settings.acme?.port || 80;
+          acmeState: this.certManager?.getState(),
-      const acmePortNeeded = newPortsSet.has(acmePort);
+          globalChallengeRouteActive: this.globalChallengeRouteActive,
-      const acmePortListed = newBindingPorts.includes(acmePort);
+          createCertificateManager: this.createCertificateManager.bind(this),
-      
+          verifyChallengeRouteRemoved: this.verifyChallengeRouteRemoved.bind(this)
-      if (acmePortNeeded && acmePortListed) {
-        try {
-          logger.log('info', `Adding ACME challenge port ${acmePort} to routes`, { 
-            port: acmePort,
-            component: 'smart-proxy'
-          });
-        } catch (error) {
-          // Silently handle logging errors
-          console.log(`[INFO] Adding ACME challenge port ${acmePort} to routes`);
         }
-      }
-
-      // Get existing routes that use NFTables and update them
-      const oldNfTablesRoutes = this.settings.routes.filter(
-        r => r.action.forwardingEngine === 'nftables'
       );
       
-      const newNfTablesRoutes = newRoutes.filter(
-        r => r.action.forwardingEngine === 'nftables'
-      );
-      
-      // Update existing NFTables routes
-      for (const oldRoute of oldNfTablesRoutes) {
-        const newRoute = newNfTablesRoutes.find(r => r.name === oldRoute.name);
-        
-        if (!newRoute) {
-          // Route was removed
-          await this.nftablesManager.deprovisionRoute(oldRoute);
-        } else {
-          // Route was updated
-          await this.nftablesManager.updateRoute(oldRoute, newRoute);
-        }
-      }
-      
-      // Add new NFTables routes
-      for (const newRoute of newNfTablesRoutes) {
-        const oldRoute = oldNfTablesRoutes.find(r => r.name === newRoute.name);
-        
-        if (!oldRoute) {
-          // New route
-          await this.nftablesManager.provisionRoute(newRoute);
-        }
-      }
-
-      // Update routes in RouteManager
-      this.routeManager.updateRoutes(newRoutes);
-
-      // Release orphaned ports first to free resources
-      if (orphanedPorts.length > 0) {
-        try {
-          logger.log('info', `Releasing ${orphanedPorts.length} orphaned ports: ${orphanedPorts.join(', ')}`, { 
-            ports: orphanedPorts,
-            component: 'smart-proxy'
-          });
-        } catch (error) {
-          // Silently handle logging errors
-          console.log(`[INFO] Releasing ${orphanedPorts.length} orphaned ports: ${orphanedPorts.join(', ')}`);
-        }
-        await this.portManager.removePorts(orphanedPorts);
-      }
-      
-      // Add new ports if needed
-      if (newBindingPorts.length > 0) {
-        try {
-          logger.log('info', `Binding to ${newBindingPorts.length} new ports: ${newBindingPorts.join(', ')}`, { 
-            ports: newBindingPorts,
-            component: 'smart-proxy'
-          });
-        } catch (error) {
-          // Silently handle logging errors
-          console.log(`[INFO] Binding to ${newBindingPorts.length} new ports: ${newBindingPorts.join(', ')}`);
-        }
-        
-        // Handle port binding with improved error recovery
-        try {
-          await this.portManager.addPorts(newBindingPorts);
-        } catch (error) {
-          // Special handling for port binding errors
-          // This provides better diagnostics for ACME challenge port conflicts
-          if ((error as any).code === 'EADDRINUSE') {
-            const port = (error as any).port || newBindingPorts[0];
-            const isAcmePort = port === acmePort;
-            
-            if (isAcmePort) {
-              try {
-                logger.log('warn', `Could not bind to ACME challenge port ${port}. It may be in use by another application.`, {
-                  port,
-                  component: 'smart-proxy'
-                });
-              } catch (logError) {
-                console.log(`[WARN] Could not bind to ACME challenge port ${port}. It may be in use by another application.`);
-              }
-              
-              // Re-throw with more helpful message
-              throw new Error(
-                `ACME challenge port ${port} is already in use by another application. ` +
-                `Configure a different port in settings.acme.port (e.g., 8080) or free up port ${port}.`
-              );
-            }
-          }
-          
-          // Re-throw the original error for other cases
-          throw error;
-        }
-      }
-      
       // Update settings with the new routes
       this.settings.routes = newRoutes;
       
-      // Save the new port usage map for future reference
+      // Update global state from orchestrator results
-      this.portUsageMap = newPortUsage;
+      this.globalChallengeRouteActive = updateResult.newChallengeRouteActive;
       
-      // If HttpProxy is initialized, resync the configurations
+      // Update port usage map from orchestrator
-      if (this.httpProxyBridge.getHttpProxy()) {
+      this.portUsageMap = updateResult.portUsageMap;
-        await this.httpProxyBridge.syncRoutesToHttpProxy(newRoutes);
-      }
       
-      // Update certificate manager with new routes
+      // If certificate manager was recreated, update our reference
-      if (this.certManager) {
+      if (updateResult.newCertManager) {
-        const existingAcmeOptions = this.certManager.getAcmeOptions();
+        this.certManager = updateResult.newCertManager;
-        const existingState = this.certManager.getState();
+        // Update the orchestrator's reference too
-        
+        this.routeOrchestrator.setCertManager(this.certManager);
-        // Store global state before stopping
-        this.globalChallengeRouteActive = existingState.challengeRouteActive;
-        
-        // Only stop the cert manager if absolutely necessary
-        // First check if there's an ACME route on the same port already
-        const acmePort = existingAcmeOptions?.port || 80;
-        const acmePortInUse = newPortUsage.has(acmePort) && newPortUsage.get(acmePort)!.size > 0;
-        
-        try {
-          logger.log('debug', `ACME port ${acmePort} ${acmePortInUse ? 'is' : 'is not'} already in use by other routes`, {
-            port: acmePort,
-            inUse: acmePortInUse,
-            component: 'smart-proxy'
-          });
-        } catch (error) {
-          // Silently handle logging errors
-          console.log(`[DEBUG] ACME port ${acmePort} ${acmePortInUse ? 'is' : 'is not'} already in use by other routes`);
-        }
-        
-        await this.certManager.stop();
-        
-        // Verify the challenge route has been properly removed
-        await this.verifyChallengeRouteRemoved();
-        
-        // Create new certificate manager with preserved state
-        this.certManager = await this.createCertificateManager(
-          newRoutes,
-          './certs',
-          existingAcmeOptions,
-          { challengeRouteActive: this.globalChallengeRouteActive }
-        );
       }
     });
   }
@@ -822,87 +698,7 @@ export class SmartProxy extends plugins.EventEmitter {
     await this.certManager.provisionCertificate(route);
   }
 
-  /**
+  // Port usage tracking methods moved to RouteOrchestrator
-   * Update the port usage map based on the provided routes
-   * 
-   * This tracks which ports are used by which routes, allowing us to
-   * detect when a port is no longer needed and can be released.
-   */
-  private updatePortUsageMap(routes: IRouteConfig[]): Map<number, Set<string>> {
-    // Reset the usage map
-    const portUsage = new Map<number, Set<string>>();
-    
-    for (const route of routes) {
-      // Get the ports for this route
-      const portsConfig = Array.isArray(route.match.ports) 
-        ? route.match.ports 
-        : [route.match.ports];
-      
-      // Expand port range objects to individual port numbers
-      const expandedPorts: number[] = [];
-      for (const portConfig of portsConfig) {
-        if (typeof portConfig === 'number') {
-          expandedPorts.push(portConfig);
-        } else if (typeof portConfig === 'object' && 'from' in portConfig && 'to' in portConfig) {
-          // Expand the port range
-          for (let p = portConfig.from; p <= portConfig.to; p++) {
-            expandedPorts.push(p);
-          }
-        }
-      }
-      
-      // Use route name if available, otherwise generate a unique ID
-      const routeName = route.name || `unnamed_${Math.random().toString(36).substring(2, 9)}`;
-      
-      // Add each port to the usage map
-      for (const port of expandedPorts) {
-        if (!portUsage.has(port)) {
-          portUsage.set(port, new Set());
-        }
-        portUsage.get(port)!.add(routeName);
-      }
-    }
-    
-    // Log port usage for debugging
-    for (const [port, routes] of portUsage.entries()) {
-      try {
-        logger.log('debug', `Port ${port} is used by ${routes.size} routes: ${Array.from(routes).join(', ')}`, {
-          port,
-          routeCount: routes.size,
-          component: 'smart-proxy'
-        });
-      } catch (error) {
-        // Silently handle logging errors
-        console.log(`[DEBUG] Port ${port} is used by ${routes.size} routes: ${Array.from(routes).join(', ')}`);
-      }
-    }
-    
-    return portUsage;
-  }
-  
-  /**
-   * Find ports that have no routes in the new configuration
-   */
-  private findOrphanedPorts(oldUsage: Map<number, Set<string>>, newUsage: Map<number, Set<string>>): number[] {
-    const orphanedPorts: number[] = [];
-    
-    for (const [port, routes] of oldUsage.entries()) {
-      if (!newUsage.has(port) || newUsage.get(port)!.size === 0) {
-        orphanedPorts.push(port);
-        try {
-          logger.log('info', `Port ${port} no longer has any associated routes, will be released`, {
-            port,
-            component: 'smart-proxy'
-          });
-        } catch (error) {
-          // Silently handle logging errors
-          console.log(`[INFO] Port ${port} no longer has any associated routes, will be released`);
-        }
-      }
-    }
-    
-    return orphanedPorts;
-  }
   
   /**
    * Force renewal of a certificate
@@ -1024,9 +820,9 @@ export class SmartProxy extends plugins.EventEmitter {
       terminationStats,
       acmeEnabled: !!this.certManager,
       port80HandlerPort: this.certManager ? 80 : null,
-      routes: this.routeManager.getListeningPorts().length,
+      routeCount: this.settings.routes.length,
-      listeningPorts: this.portManager.getListeningPorts(),
+      activePorts: this.portManager.getListeningPorts().length,
-      activePorts: this.portManager.getListeningPorts().length
+      listeningPorts: this.portManager.getListeningPorts()
     };
   }
   

ts/proxies/smart-proxy/utils/route-helpers.ts

@@ -22,6 +22,7 @@ import * as plugins from '../../../plugins.js';
 import type { IRouteConfig, IRouteMatch, IRouteAction, IRouteTarget, TPortRange, IRouteContext } from '../models/route-types.js';
 import { mergeRouteConfigs } from './route-utils.js';
 import { ProtocolDetector, HttpDetector } from '../../../detection/index.js';
+import { createSocketTracker } from '../../../core/utils/socket-tracker.js';
 
 /**
  * Create an HTTP-only route configuration
@@ -960,11 +961,12 @@ export const SocketHandlers = {
    * Now uses the centralized detection module for HTTP parsing
    */
   httpRedirect: (locationTemplate: string, statusCode: number = 301) => (socket: plugins.net.Socket, context: IRouteContext) => {
+    const tracker = createSocketTracker(socket);
     const connectionId = ProtocolDetector.createConnectionId({
       socketId: context.connectionId || `${Date.now()}-${Math.random()}`
     });
     
-    socket.once('data', async (data) => {
+    const handleData = async (data: Buffer) => {
       // Use detection module for parsing
       const detectionResult = await ProtocolDetector.detectWithConnectionTracking(
         data,
@@ -1005,6 +1007,19 @@ export const SocketHandlers = {
       socket.end();
       // Clean up detection state
       ProtocolDetector.cleanupConnections();
+      // Clean up all tracked resources
+      tracker.cleanup();
+    };
+    
+    // Use tracker to manage the listener
+    socket.once('data', handleData);
+    
+    tracker.addListener('error', (err) => {
+      tracker.safeDestroy(err);
+    });
+    
+    tracker.addListener('close', () => {
+      tracker.cleanup();
     });
   },
   
@@ -1013,7 +1028,9 @@ export const SocketHandlers = {
    * Now uses the centralized detection module for HTTP parsing
    */
   httpServer: (handler: (req: { method: string; url: string; headers: Record<string, string>; body?: string }, res: { status: (code: number) => void; header: (name: string, value: string) => void; send: (data: string) => void; end: () => void }) => void) => (socket: plugins.net.Socket, context: IRouteContext) => {
+    const tracker = createSocketTracker(socket);
     let requestParsed = false;
+    let responseTimer: NodeJS.Timeout | null = null;
     const connectionId = ProtocolDetector.createConnectionId({
       socketId: context.connectionId || `${Date.now()}-${Math.random()}`
     });
@@ -1034,6 +1051,8 @@ export const SocketHandlers = {
       }
       
       requestParsed = true;
+      // Remove data listener after parsing request
+      socket.removeListener('data', processData);
       const connInfo = detectionResult.connectionInfo;
       
       // Create request object from detection result
@@ -1060,6 +1079,12 @@ export const SocketHandlers = {
           if (ended) return;
           ended = true;
           
+          // Clear response timer since we're sending now
+          if (responseTimer) {
+            clearTimeout(responseTimer);
+            responseTimer = null;
+          }
+          
           if (!responseHeaders['content-type']) {
             responseHeaders['content-type'] = 'text/plain';
           }
@@ -1091,30 +1116,44 @@ export const SocketHandlers = {
       try {
         handler(req, res);
         // Ensure response is sent even if handler doesn't call send()
-        setTimeout(() => {
+        responseTimer = setTimeout(() => {
           if (!ended) {
             res.send('');
           }
+          responseTimer = null;
         }, 1000);
+        // Track and unref the timer
+        tracker.addTimer(responseTimer);
       } catch (error) {
         if (!ended) {
           res.status(500);
           res.send('Internal Server Error');
         }
+        // Use safeDestroy for error cases
+        tracker.safeDestroy(error instanceof Error ? error : new Error('Handler error'));
       }
     };
     
-    socket.on('data', processData);
+    // Use tracker to manage listeners
+    tracker.addListener('data', processData);
     
-    socket.on('error', () => {
+    tracker.addListener('error', (err) => {
       if (!requestParsed) {
-        socket.end();
+        tracker.safeDestroy(err);
       }
     });
     
-    socket.on('close', () => {
+    tracker.addListener('close', () => {
+      // Cleanup is handled by tracker
+      // Clear any pending response timer
+      if (responseTimer) {
+        clearTimeout(responseTimer);
+        responseTimer = null;
+      }
       // Clean up detection state
       ProtocolDetector.cleanupConnections();
+      // Clean up all tracked resources
+      tracker.cleanup();
     });
   }
 };

ts/proxies/smart-proxy/utils/route-validator.ts

@@ -0,0 +1,453 @@
+import { logger } from '../../../core/utils/logger.js';
+import type { IRouteConfig } from '../models/route-types.js';
+
+/**
+ * Validates route configurations for correctness and safety
+ */
+export class RouteValidator {
+  private static readonly VALID_TLS_MODES = ['terminate', 'passthrough', 'terminate-and-reencrypt'];
+  private static readonly VALID_ACTION_TYPES = ['forward', 'socket-handler'];
+  private static readonly VALID_PROTOCOLS = ['tcp', 'http', 'https', 'ws', 'wss'];
+  private static readonly MAX_PORTS = 100;
+  private static readonly MAX_DOMAINS = 1000;
+  private static readonly MAX_HEADER_SIZE = 8192;
+
+  /**
+   * Validate a single route configuration
+   */
+  public static validateRoute(route: IRouteConfig): { valid: boolean; errors: string[] } {
+    const errors: string[] = [];
+
+    // Validate route has a name
+    if (!route.name || typeof route.name !== 'string') {
+      errors.push('Route must have a valid name');
+    }
+
+    // Validate match criteria
+    if (!route.match) {
+      errors.push('Route must have match criteria');
+    } else {
+      // Validate ports
+      if (route.match.ports) {
+        const ports = Array.isArray(route.match.ports) ? route.match.ports : [route.match.ports];
+        
+        if (ports.length > this.MAX_PORTS) {
+          errors.push(`Too many ports specified (max ${this.MAX_PORTS})`);
+        }
+        
+        for (const port of ports) {
+          if (typeof port === 'number') {
+            if (!this.isValidPort(port)) {
+              errors.push(`Invalid port: ${port}. Must be between 1 and 65535`);
+            }
+          } else if (typeof port === 'object' && 'from' in port && 'to' in port) {
+            if (!this.isValidPort(port.from)) {
+              errors.push(`Invalid port range start: ${port.from}. Must be between 1 and 65535`);
+            }
+            if (!this.isValidPort(port.to)) {
+              errors.push(`Invalid port range end: ${port.to}. Must be between 1 and 65535`);
+            }
+            if (port.from > port.to) {
+              errors.push(`Invalid port range: ${port.from}-${port.to} (start > end)`);
+            }
+          } else {
+            errors.push(`Invalid port configuration: ${JSON.stringify(port)}`);
+          }
+        }
+      }
+
+      // Validate domains
+      if (route.match.domains) {
+        const domains = Array.isArray(route.match.domains) ? route.match.domains : [route.match.domains];
+        
+        if (domains.length > this.MAX_DOMAINS) {
+          errors.push(`Too many domains specified (max ${this.MAX_DOMAINS})`);
+        }
+        
+        for (const domain of domains) {
+          if (!this.isValidDomain(domain)) {
+            errors.push(`Invalid domain pattern: ${domain}`);
+          }
+        }
+      }
+
+      // Validate paths
+      if (route.match.path) {
+        const paths = Array.isArray(route.match.path) ? route.match.path : [route.match.path];
+        
+        for (const path of paths) {
+          if (!this.isValidPath(path)) {
+            errors.push(`Invalid path pattern: ${path}`);
+          }
+        }
+      }
+
+      // Validate client IPs
+      if (route.match.clientIp) {
+        const ips = Array.isArray(route.match.clientIp) ? route.match.clientIp : [route.match.clientIp];
+        
+        for (const ip of ips) {
+          if (!this.isValidIPPattern(ip)) {
+            errors.push(`Invalid IP pattern: ${ip}`);
+          }
+        }
+      }
+
+      // Validate headers
+      if (route.match.headers) {
+        for (const [key, value] of Object.entries(route.match.headers)) {
+          if (key.length > 256) {
+            errors.push(`Header name too long: ${key}`);
+          }
+          
+          const headerValue = String(value);
+          if (headerValue.length > this.MAX_HEADER_SIZE) {
+            errors.push(`Header value too long for ${key} (max ${this.MAX_HEADER_SIZE} bytes)`);
+          }
+          
+          if (!/^[\x20-\x7E]+$/.test(key)) {
+            errors.push(`Invalid header name: ${key} (must be printable ASCII)`);
+          }
+        }
+      }
+
+      // Protocol validation removed - not part of IRouteMatch interface
+    }
+
+    // Validate action
+    if (!route.action) {
+      errors.push('Route must have an action');
+    } else {
+      // Validate action type
+      if (!route.action.type || !this.VALID_ACTION_TYPES.includes(route.action.type)) {
+        errors.push(`Invalid action type: ${route.action.type}. Must be one of: ${this.VALID_ACTION_TYPES.join(', ')}`);
+      }
+
+      // Validate socket-handler
+      if (route.action.type === 'socket-handler') {
+        if (typeof route.action.socketHandler !== 'function') {
+          errors.push('socket-handler action requires a socketHandler function');
+        }
+      }
+
+      // Validate forward target
+      if (route.action.type === 'forward') {
+        if (!route.action.targets || route.action.targets.length === 0) {
+          errors.push('Forward action must have at least one target');
+        } else {
+          for (const target of route.action.targets) {
+            if (!target.host) {
+              errors.push('Target must have a host');
+            } else if (typeof target.host !== 'string' && !Array.isArray(target.host) && typeof target.host !== 'function') {
+              errors.push('Target host must be a string, array of strings, or function');
+            }
+            
+            if (target.port) {
+              if (typeof target.port === 'number' && !this.isValidPort(target.port)) {
+                errors.push(`Invalid target port: ${target.port}`);
+              } else if (target.port !== 'preserve' && typeof target.port !== 'function' && typeof target.port !== 'number') {
+                errors.push(`Invalid target port configuration: ${target.port}`);
+              }
+            }
+          }
+        }
+      }
+
+      // Validate TLS settings
+      if (route.action.tls) {
+        if (route.action.tls.mode && !this.VALID_TLS_MODES.includes(route.action.tls.mode)) {
+          errors.push(`Invalid TLS mode: ${route.action.tls.mode}. Must be one of: ${this.VALID_TLS_MODES.join(', ')}`);
+        }
+
+        if (route.action.tls.certificate) {
+          if (route.action.tls.certificate !== 'auto' && typeof route.action.tls.certificate !== 'object') {
+            errors.push('TLS certificate must be "auto" or a certificate configuration object');
+          }
+        }
+
+        if (route.action.tls.versions) {
+          for (const version of route.action.tls.versions) {
+            if (!['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'].includes(version)) {
+              errors.push(`Invalid TLS version: ${version}`);
+            }
+          }
+        }
+      }
+    }
+
+    // Validate security settings
+    if (route.security) {
+      // Validate IP allow/block lists
+      if (route.security.ipAllowList) {
+        const allowList = Array.isArray(route.security.ipAllowList) ? route.security.ipAllowList : [route.security.ipAllowList];
+        
+        for (const ip of allowList) {
+          if (!this.isValidIPPattern(ip)) {
+            errors.push(`Invalid IP pattern in allow list: ${ip}`);
+          }
+        }
+      }
+
+      if (route.security.ipBlockList) {
+        const blockList = Array.isArray(route.security.ipBlockList) ? route.security.ipBlockList : [route.security.ipBlockList];
+        
+        for (const ip of blockList) {
+          if (!this.isValidIPPattern(ip)) {
+            errors.push(`Invalid IP pattern in block list: ${ip}`);
+          }
+        }
+      }
+
+      // Validate rate limits
+      if (route.security.rateLimit) {
+        if (route.security.rateLimit.maxRequests && route.security.rateLimit.maxRequests < 0) {
+          errors.push('Rate limit maxRequests must be positive');
+        }
+        
+        if (route.security.rateLimit.window && route.security.rateLimit.window < 0) {
+          errors.push('Rate limit window must be positive');
+        }
+      }
+
+      // Validate connection limits
+      if (route.security.maxConnections && route.security.maxConnections < 0) {
+        errors.push('Max connections must be positive');
+      }
+    }
+
+    // Validate priority
+    if (route.priority !== undefined && (route.priority < 0 || route.priority > 10000)) {
+      errors.push('Priority must be between 0 and 10000');
+    }
+
+    return {
+      valid: errors.length === 0,
+      errors
+    };
+  }
+
+  /**
+   * Validate multiple route configurations
+   */
+  public static validateRoutes(routes: IRouteConfig[]): { valid: boolean; errors: Map<string, string[]> } {
+    const errorMap = new Map<string, string[]>();
+    let valid = true;
+
+    // Check for duplicate route names
+    const routeNames = new Set<string>();
+    for (const route of routes) {
+      if (route.name && routeNames.has(route.name)) {
+        const existingErrors = errorMap.get(route.name) || [];
+        existingErrors.push('Duplicate route name');
+        errorMap.set(route.name, existingErrors);
+        valid = false;
+      }
+      routeNames.add(route.name);
+    }
+
+    // Validate each route
+    for (const route of routes) {
+      const result = this.validateRoute(route);
+      if (!result.valid) {
+        errorMap.set(route.name || 'unnamed', result.errors);
+        valid = false;
+      }
+    }
+
+    // Check for conflicting routes
+    const conflicts = this.findRouteConflicts(routes);
+    if (conflicts.length > 0) {
+      for (const conflict of conflicts) {
+        const existingErrors = errorMap.get(conflict.route) || [];
+        existingErrors.push(conflict.message);
+        errorMap.set(conflict.route, existingErrors);
+      }
+      valid = false;
+    }
+
+    return { valid, errors: errorMap };
+  }
+
+  /**
+   * Find potential conflicts between routes
+   */
+  private static findRouteConflicts(routes: IRouteConfig[]): Array<{ route: string; message: string }> {
+    const conflicts: Array<{ route: string; message: string }> = [];
+    
+    // Group routes by port
+    const portMap = new Map<number, IRouteConfig[]>();
+    
+    for (const route of routes) {
+      if (route.match?.ports) {
+        const ports = Array.isArray(route.match.ports) ? route.match.ports : [route.match.ports];
+        
+        // Expand port ranges to individual ports
+        const expandedPorts: number[] = [];
+        for (const port of ports) {
+          if (typeof port === 'number') {
+            expandedPorts.push(port);
+          } else if (typeof port === 'object' && 'from' in port && 'to' in port) {
+            for (let p = port.from; p <= port.to; p++) {
+              expandedPorts.push(p);
+            }
+          }
+        }
+        
+        for (const port of expandedPorts) {
+          const routesOnPort = portMap.get(port) || [];
+          routesOnPort.push(route);
+          portMap.set(port, routesOnPort);
+        }
+      }
+    }
+
+    // Check for conflicting catch-all routes on the same port
+    for (const [port, routesOnPort] of portMap) {
+      const catchAllRoutes = routesOnPort.filter(r => 
+        !r.match.domains || 
+        (Array.isArray(r.match.domains) && r.match.domains.includes('*')) ||
+        r.match.domains === '*'
+      );
+      
+      if (catchAllRoutes.length > 1) {
+        for (const route of catchAllRoutes) {
+          conflicts.push({
+            route: route.name,
+            message: `Multiple catch-all routes on port ${port}`
+          });
+        }
+      }
+    }
+
+    return conflicts;
+  }
+
+  /**
+   * Validate port number
+   */
+  private static isValidPort(port: number): boolean {
+    return Number.isInteger(port) && port >= 1 && port <= 65535;
+  }
+
+  /**
+   * Validate domain pattern
+   */
+  private static isValidDomain(domain: string): boolean {
+    if (!domain || typeof domain !== 'string') return false;
+    if (domain === '*') return true;
+    
+    // Basic domain pattern validation
+    const domainPattern = /^(\*\.)?([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)*[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/;
+    return domainPattern.test(domain) || domain === 'localhost';
+  }
+
+  /**
+   * Validate path pattern
+   */
+  private static isValidPath(path: string): boolean {
+    if (!path || typeof path !== 'string') return false;
+    if (!path.startsWith('/')) return false;
+    
+    // Check for invalid characters
+    if (!/^[a-zA-Z0-9/_*:{}.-]+$/.test(path)) return false;
+    
+    // Validate parameter syntax
+    const paramPattern = /\{[a-zA-Z_][a-zA-Z0-9_]*\}/g;
+    const params = path.match(paramPattern) || [];
+    
+    for (const param of params) {
+      if (param.length > 32) return false;
+    }
+    
+    return true;
+  }
+
+  /**
+   * Validate IP pattern
+   */
+  private static isValidIPPattern(ip: string): boolean {
+    if (!ip || typeof ip !== 'string') return false;
+    if (ip === '*') return true;
+    
+    // Check for CIDR notation
+    if (ip.includes('/')) {
+      const [addr, prefix] = ip.split('/');
+      const prefixNum = parseInt(prefix, 10);
+      
+      if (addr.includes(':')) {
+        // IPv6 CIDR
+        return this.isValidIPv6(addr) && prefixNum >= 0 && prefixNum <= 128;
+      } else {
+        // IPv4 CIDR
+        return this.isValidIPv4(addr) && prefixNum >= 0 && prefixNum <= 32;
+      }
+    }
+    
+    // Check for range
+    if (ip.includes('-')) {
+      const [start, end] = ip.split('-');
+      return (this.isValidIPv4(start) && this.isValidIPv4(end)) ||
+             (this.isValidIPv6(start) && this.isValidIPv6(end));
+    }
+    
+    // Check for wildcards in IPv4
+    if (ip.includes('*') && !ip.includes(':')) {
+      const parts = ip.split('.');
+      if (parts.length !== 4) return false;
+      
+      for (const part of parts) {
+        if (part !== '*' && !/^\d{1,3}$/.test(part)) return false;
+        if (part !== '*' && parseInt(part, 10) > 255) return false;
+      }
+      
+      return true;
+    }
+    
+    // Regular IP address
+    return this.isValidIPv4(ip) || this.isValidIPv6(ip);
+  }
+
+  /**
+   * Validate IPv4 address
+   */
+  private static isValidIPv4(ip: string): boolean {
+    const parts = ip.split('.');
+    if (parts.length !== 4) return false;
+    
+    for (const part of parts) {
+      const num = parseInt(part, 10);
+      if (isNaN(num) || num < 0 || num > 255) return false;
+    }
+    
+    return true;
+  }
+
+  /**
+   * Validate IPv6 address
+   */
+  private static isValidIPv6(ip: string): boolean {
+    // Simple IPv6 validation
+    const ipv6Pattern = /^(([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|::[0-9a-fA-F]{0,4}(:[0-9a-fA-F]{1,4}){0,6}|::1|::)$/;
+    return ipv6Pattern.test(ip);
+  }
+
+  /**
+   * Log validation errors
+   */
+  public static logValidationErrors(errors: Map<string, string[]>): void {
+    for (const [routeName, routeErrors] of errors) {
+      logger.log('error', `Route validation failed for ${routeName}:`, {
+        route: routeName,
+        errors: routeErrors,
+        component: 'route-validator'
+      });
+      
+      for (const error of routeErrors) {
+        logger.log('error', `  - ${error}`, {
+          route: routeName,
+          component: 'route-validator'
+        });
+      }
+    }
+  }
+}